Date: Thu, 3 Mar 2022 19:25:53 GMT From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: ae66cffc19f3 - main - security/openssh-portable: Update to 8.9p1 Message-ID: <202203031925.223JPrKW004544@gitrepo.freebsd.org>
The branch main has been updated by bdrewery:
URL: https://cgit.FreeBSD.org/ports/commit/?id=ae66cffc19f357cbd51d5841c9b110a9ffd63e32
commit ae66cffc19f357cbd51d5841c9b110a9ffd63e32
Author: Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 18:27:34 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:25:36 +0000
security/openssh-portable: Update to 8.9p1
- Unbreak GSSAPI [1]
- rc.d/openssh: Allow modifying host key generation [2]
Changes: https://www.openssh.com/txt/release-8.9
PR: 259909 [1]
PR: 202169 [2]
Submitted by: Rick Miller [1]
Submitted by: Chad Jacob Milios [2]
---
 security/openssh-portable/Makefile | 8 ++---
 security/openssh-portable/distinfo | 8 +++--
 .../files/extra-patch-gssapi-auth2-gss.c | 19 +++++++++++
 .../files/extra-patch-gssapi-sshconnect2.c | 12 -------
 security/openssh-portable/files/extra-patch-hpn | 16 ++++-----
 .../openssh-portable/files/extra-patch-tcpwrappers | 12 +++----
 security/openssh-portable/files/openssh.in | 39 +++++++++++++++-------
 .../files/patch-platform-tracing.c | 25 --------------
 security/openssh-portable/files/patch-ssh-agent.c | 22 ++++++------
 9 files changed, 80 insertions(+), 81 deletions(-)
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index aa173a32ce63..578274ed6edb 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,8 +1,8 @@
 # Created by: dwcjr@inethouston.net
 
 PORTNAME= openssh
-DISTVERSION= 8.8p1
-PORTREVISION= 2
+DISTVERSION= 8.9p1
+PORTREVISION= 0
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -100,7 +100,7 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
+#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
 . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
@@ -114,7 +114,7 @@ PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_S
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE= 20200607
 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index f08db16ada6a..3d0367adc20e 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1634059537
-SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
-SIZE (openssh-8.8p1.tar.gz) = 1815060
+TIMESTAMP = 1646332316
+SHA256 (openssh-8.9p1.tar.gz) = fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
+SIZE (openssh-8.9p1.tar.gz) = 1820282
+SHA256 (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 0e53e7d26c54713afdb6bca7c6034ab1b2b35483270feaa5e7665ceda9867f16
+SIZE (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 127245
diff --git a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
new file mode 100644
index 000000000000..3f9694c8d466
--- /dev/null
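Review bot: In the -100,7 hunk the KERB_GSSAPI `BROKEN=` line is kept as a commented-out `#BROKEN=` rather than removed, and nothing says why it is retained. A one-line comment above it, e.g. `# Re-enable BROKEN when the gsskex patch has not yet been regenerated for a new DISTVERSION`, records the intent for the next update instead of leaving what looks like dead text. The -114,7 hunk keeps `GSSAPI_UPDATE_DATE= 20200607` while distinfo now carries a patch named for 8.9p1, so a reader has to cross-check distinfo to see the patch was refreshed; a short comment next to the date noting that the patch is re-rolled per DISTVERSION under the same date would help.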
+++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
@@ -0,0 +1,19 @@
+--- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800
++++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ Authctxt *authctxt = ssh->authctxt;
+ int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh
+ 
+ Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+ };
diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
deleted file mode 100644
index 7cb08ee12a5e..000000000000
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ /dev/null
@@ -1,12 +0,0 @@
-Avoid free(const char*)
---- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800
-+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800
-@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
- /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
-- gss_host = authctxt->host;
-+ gss_host = xstrdup(authctxt->host);
- }
- } else {
- gss_host = xstrdup(authctxt->host);
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index ed7a78ab71a0..907775d94642 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
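Review bot: The new `const char *method` parameter on `userauth_gsskeyex` is not used anywhere in the visible part of the patch, and the `NULL` inserted into `method_gsskeyex` has no comment saying which Authmethod field it fills; both presumably track the 8.9 change to the Authmethod table and userauth callback signature, but the patch does not say so. A comment on the inserted line, `NULL, /* synonym: none for gssapi-keyex */` (assuming the new slot is the synonym field), and a one-line header at the top of the patch file naming the upstream change it adapts to would make the file self-explanatory the next time it has to be regenerated. If `method` stays unused in the rest of the function, a build with -Wunused-parameter will warn on it, which is worth confirming. The body of userauth_gsskeyex continues outside the hunk.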
@@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 free(cipher_list);
 return 0;
 }
---- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800
++++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800
+@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
 sock = x11_connect_display(ssh);
 if (sock < 0)
 return NULL;
@@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 c = channel_new(ssh, "x11",
 SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- __func__, ssh_err(r));
- return NULL;
- }
+@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+ else
+ debug2_fr(r, "ssh_agent_bind_hostkey");
+ 
 +#ifdef HPN_ENABLED
 + if (!options.hpn_disabled)
 + c = channel_new(ssh, "authentication agent connection",
@@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 c = channel_new(ssh, "authentication agent connection",
 SSH_CHANNEL_OPEN, sock, sock, -1,
 CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 }
 debug("Tunnel forwarding using interface %s", ifname);
 
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ba8cc71ea828..ba7d2834a16a 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -83,11 +83,9 @@ index 0ade557..045f149 100644
 
 /* Log the connection. */
 laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
-index f48ba4a..66fbe82 100644
---- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700
-+++ configure.ac 2019-07-02 20:58:48.627832000 -0700
-@@ -1494,6 +1494,62 @@ else
+--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800
++++ configure.ac 2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
 AC_MSG_RESULT([no])
 fi
 
@@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG"
+@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG"
 echo " OSF SIA support: $SIA_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 +echo " TCP Wrappers support: $TCPW_MSG"
- echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " libldns support: $LDNS_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index ee179b28faba..fc9e5f26402a 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -22,6 +22,15 @@ load_rc_config ${name}
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}
 
+: ${openssh_dsa_keygen_enable="YES"}
+: ${openssh_dsa_keygen_flags=""}
+: ${openssh_rsa_keygen_enable="YES"}
+: ${openssh_rsa_keygen_flags=""}
+: ${openssh_ecdsa_keygen_enable="YES"}
+: ${openssh_ecdsa_keygen_flags=""}
+: ${openssh_ed25519_keygen_enable="YES"}
+: ${openssh_ed25519_keygen_flags=""}
+
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
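Review bot: The eight new `openssh_*_keygen_enable` / `openssh_*_keygen_flags` rc.conf knobs added in the openssh.in -22,6 hunk are not documented anywhere in the hunk; rc.d scripts in the tree normally list their variables in the header comment, which lies outside this hunk. A pair of lines per key type such as `# openssh_dsa_keygen_enable (bool): Generate a DSA host key on start if missing (default YES)` and `# openssh_dsa_keygen_flags (str): Extra ssh-keygen(1) flags for the DSA host key` would let administrators find the knobs without reading openssh_keygen(). The defaults use the `${var="YES"}` form, so a variable deliberately set to the empty string in rc.conf keeps that empty value and checkyesno will complain about it; that matches the existing openssh_skipportscheck line above, but differs from openssh_enable's `:=`, so a word in the header about which form is intended would avoid surprises. Since OpenSSH has shipped with ssh-dss disabled by default for several releases, pointing out in that header that `openssh_dsa_keygen_enable=NO` is the expected way to stop generating an unused DSA key is probably the most useful thing to document.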
@@ -33,10 +42,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 
 openssh_keygen()
 {
- if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
- -f %%ETCDIR%%/ssh_host_rsa_key -a \
- -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
- -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+ local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+ checkyesno openssh_dsa_keygen_enable || skip_dsa=y
+ checkyesno openssh_rsa_keygen_enable || skip_rsa=y
+ checkyesno openssh_ecdsa_keygen_enable || skip_ecdsa=y
+ checkyesno openssh_ed25519_keygen_enable || skip_ed25519=y
+
+ if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+ \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+ \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+ \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 return 0
 fi
 
@@ -50,8 +65,8 @@ openssh_keygen()
 echo "You already have a DSA host key" \
 "in %%ETCDIR%%/ssh_host_dsa_key"
 echo "Skipping protocol version 2 DSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t dsa \
+ elif checkyesno openssh_dsa_keygen_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_keygen_flags \
 -f %%ETCDIR%%/ssh_host_dsa_key -N ''
 fi
 
@@ -59,8 +74,8 @@ openssh_keygen()
 echo "You already have a RSA host key" \
 "in %%ETCDIR%%/ssh_host_rsa_key"
 echo "Skipping protocol version 2 RSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t rsa \
+ elif checkyesno openssh_rsa_keygen_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_keygen_flags \
 -f %%ETCDIR%%/ssh_host_rsa_key -N ''
 fi
 
@@ -68,8 +83,8 @@ openssh_keygen()
 echo "You already have a Elliptic Curve DSA host key" \
 "in %%ETCDIR%%/ssh_host_ecdsa_key"
 echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t ecdsa \
+ elif checkyesno openssh_ecdsa_keygen_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_keygen_flags \
 -f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 fi
 
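Review bot: In the -50,8 hunk the DSA branch calls `checkyesno openssh_dsa_keygen_enable` a second time in the `elif`, even though the -33,10 hunk at the top of openssh_keygen() already evaluated it and stored the outcome in `skip_dsa`; reusing the local, `elif [ -z "$skip_dsa" ]; then`, keeps one source of truth and avoids checkyesno emitting its "not set properly" warning twice when the value is neither yes nor no. The same pattern repeats in the rsa (-59,8) and ecdsa (-68,8) hunks here and in the ed25519 hunk that follows. The `$openssh_dsa_keygen_flags` expansion is left unquoted on purpose so that several flags split into separate arguments; a one-line comment above the first ssh-keygen call, `# *_keygen_flags are intentionally unquoted so multiple flags split into words`, would stop a later cleanup from quoting it and breaking multi-flag values. openssh_keygen() continues outside these hunks.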
@@ -77,8 +92,8 @@ openssh_keygen()
 echo "You already have a Elliptic Curve ED25519 host key" \
 "in %%ETCDIR%%/ssh_host_ed25519_key"
 echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t ed25519 \
+ elif checkyesno openssh_ed25519_keygen_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_keygen_flags \
 -f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 fi
 }
diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c
deleted file mode 100644
index 54f6db4421ad..000000000000
--- a/security/openssh-portable/files/patch-platform-tracing.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
-+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
-@@ -16,6 +16,10 @@
- 
- #include "includes.h"
- 
-+#if defined(HAVE_PROCCTL)
-+#include <string.h>
-+#include <unistd.h>
-+#endif
- #include <sys/types.h>
- #ifdef HAVE_SYS_PROCCTL_H
- #include <sys/procctl.h>
-@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
- /* On FreeBSD, we should make this process untraceable */
- int disable_trace = PROC_TRACE_CTL_DISABLE;
- 
-- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
-- fatal("unable to make the process untraceable");
-+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
-+ fatal("unable to make the process untraceable: %s for pid %d",
-+ strerror(errno), (int)getpid());
- #endif
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /* Disable ptrace on Linux without sgid bit */
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index de53881aa541..2937b4a7d2f9 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
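Review bot: The ed25519 branch in the -77,8 hunk expands `$openssh_ed22519_keygen_flags` (note "22519"), while the variable defaulted in the -22,6 hunk is `openssh_ed25519_keygen_flags`, so any flags an administrator sets for the ed25519 host key are silently ignored and ssh-keygen runs with only `-t ed25519 -f ... -N ''`. The line should read `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed25519_keygen_flags \`. Because the misspelled name is never assigned, running the keygen path once under `set -u` would have flagged it; the other three key types use the correctly spelled `_flags` variable.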
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 -@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2022-02-23 03:31:11.000000000 -0800 ++++ ssh-agent.c 2022-03-02 12:50:47.745853000 -0800 +@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; @@ -27,17 +27,19 @@ disconnected. static void close_socket(SocketEntry *e) { + size_t i; + int last = 0; -+ + + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } ++ close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) +@@ -206,6 +223,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -46,7 +48,7 @@ disconnected. } static void -@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) +@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); @@ -57,7 +59,7 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1360,7 +1383,7 @@ static void +@@ -1999,7 +2022,7 @@ static void usage(void) { fprintf(stderr, @@ -66,7 +68,7 @@ disconnected. " [-P allowed_providers] [-t life]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " [-t life] command [arg ...]\n" -@@ -1394,6 +1417,7 @@ main(int ac, char **av) +@@ -2033,6 +2056,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); 
@@ -74,7 +76,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -1405,7 +1429,7 @@ main(int ac, char **av) +@@ -2044,7 +2068,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -83,7 +85,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1454,6 +1478,9 @@ main(int ac, char **av) +@@ -2093,6 +2117,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); }