From: Bryan Drewery
Date: Sun, 11 Nov 2018 20:21:04 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r484765 - in head/security/openssh-portable: . files

Author: bdrewery
Date: Sun Nov 11 20:21:03 2018
New Revision: 484765
URL: https://svnweb.freebsd.org/changeset/ports/484765

Log:
  Update to 7.9p1.

  - Fixes build on 12, head, and openssl-devel.
  - GSSAPI and HPN are currently marked BROKEN as I don't want to block
    the main update for anyone.

http://www.openssh.com/txt/release-7.8 http://www.openssh.com/txt/release-7.9 MFH: 2018Q4 (due to being broken on 12+head) Added: head/security/openssh-portable/files/patch-serverloop.c - copied, changed from r484764, head/security/openssh-portable/files/patch-misc.c Deleted: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 head/security/openssh-portable/files/patch-misc.c Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-hpn-compat head/security/openssh-portable/files/extra-patch-tcpwrappers head/security/openssh-portable/files/patch-auth2.c head/security/openssh-portable/files/patch-session.c Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/Makefile Sun Nov 11 20:21:03 2018 (r484765) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.7p1 -PORTREVISION= 6 +DISTVERSION= 7.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -26,9 +26,6 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwor ETCOLD= ${PREFIX}/etc -BROKEN_SSL= openssl111 -BROKEN_SSL_REASON_openssl111= error: OpenSSL >= 1.1.0 is not yet supported - FLAVORS= default hpn default_CONFLICTS_INSTALL= openssl-portable-hpn hpn_CONFLICTS_INSTALL= openssh-portable 
@@ -70,10 +67,10 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.3.2 +X509_VERSION= 11.5 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal @@ -98,7 +95,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. # Patch from: # https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch # which was originally based on 5.7 patch from @@ -113,7 +110,7 @@ PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian- # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -#BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base +BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/distinfo Sun Nov 11 20:21:03 2018 (r484765) 
@@ -1,7 +1,7 @@ -TIMESTAMP = 1524589531 -SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f -SIZE (openssh-7.7p1.tar.gz) = 1536900 -SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f -SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142 +TIMESTAMP = 1541877994 +SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad +SIZE (openssh-7.9p1.tar.gz) = 1565384 +SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb +SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995 SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4 SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251 Modified: head/security/openssh-portable/files/extra-patch-hpn-compat ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn-compat Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/files/extra-patch-hpn-compat Sun Nov 11 20:21:03 2018 (r484765) 
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options { NULL, oBadOption } }; ---- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 -+++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -618,6 +618,10 @@ static struct { - { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, +--- servconf.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ servconf.c 2018-11-10 11:32:09.835817000 -0800 +@@ -645,6 +645,10 @@ static struct { { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, Modified: head/security/openssh-portable/files/extra-patch-tcpwrappers ============================================================================== --- head/security/openssh-portable/files/extra-patch-tcpwrappers Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers Sun Nov 11 20:21:03 2018 (r484765) @@ -85,11 +85,11 @@ index 0ade557..045f149 100644 laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 ---- configure.ac -+++ configure.ac -@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], - ] - ) +--- configure.ac.orig 2018-10-16 17:01:20.000000000 -0700 ++++ configure.ac 2018-11-10 11:29:32.626326000 -0800 +@@ -1493,6 +1493,62 @@ else + AC_MSG_RESULT([no]) + fi +# Check whether user wants TCP wrappers support +TCPW_MSG="no" 
@@ -150,11 +150,11 @@ index f48ba4a..66fbe82 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" +@@ -5305,6 +5361,7 @@ echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" + echo " libldns support: $LDNS_MSG" Modified: head/security/openssh-portable/files/patch-auth2.c ============================================================================== --- head/security/openssh-portable/files/patch-auth2.c Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/files/patch-auth2.c Sun Nov 11 20:21:03 2018 (r484765) 
@@ -5,31 +5,32 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700 -+++ auth2.c 2017-03-20 11:52:27.960733000 -0700 -@@ -47,6 +47,7 @@ - #include "key.h" +--- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ auth2.c 2018-11-10 11:35:07.816193000 -0800 +@@ -48,6 +48,7 @@ + #include "sshkey.h" #include "hostfile.h" #include "auth.h" +#include "canohost.h" #include "dispatch.h" #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32 - Authmethod *m = NULL; + #include "sshbuf.h" +@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct char *user, *service, *method, *style = NULL; int authenticated = 0; + double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; -+ + + from_host = auth_get_canonical_hostname(ssh, options.use_dns); + from_ip = ssh_remote_ipaddr(ssh); +#endif - ++ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32 + +@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } @@ -55,5 +56,5 @@ Apply class-imposed login restrictions. +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ - auth2_challenge_stop(authctxt); + auth2_challenge_stop(ssh); Copied and modified: head/security/openssh-portable/files/patch-serverloop.c (from r484764, head/security/openssh-portable/files/patch-misc.c) ============================================================================== --- head/security/openssh-portable/files/patch-misc.c Sun Nov 11 19:58:53 2018 (r484764, copy source) +++ head/security/openssh-portable/files/patch-serverloop.c Sun Nov 11 20:21:03 2018 (r484765) 
@@ -9,21 +9,21 @@ Submitted upstream, no reaction. Submitted by: delphij@ [rewritten for 7.4 by bdrewery@] ---- misc.c.orig 2017-01-12 11:54:41.058558000 -0800 -+++ misc.c 2017-01-12 11:55:16.531356000 -0800 -@@ -56,6 +56,8 @@ - #include - #endif +--- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 ++++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 +@@ -55,6 +55,8 @@ + #include + #include +#include + + #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" - #include "misc.h" - #include "log.h" -@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, - int - bind_permitted(int port, uid_t uid) + #include "packet.h" +@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) { + if (use_privsep) + return 1; /* allow system to decide */ - if (port < IPPORT_RESERVED && uid != 0) + int ipport_reserved; +#ifdef __FreeBSD__ Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Sun Nov 11 19:58:53 2018 (r484764) +++ head/security/openssh-portable/files/patch-session.c Sun Nov 11 20:21:03 2018 (r484765) @@ -10,9 +10,9 @@ Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ session.c 2018-04-03 13:56:49.599400000 -0700 -@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ session.c 2018-11-10 11:45:14.645263000 -0800 +@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif 
@@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -70,11 +70,10 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -- - /* Set custom environment options from pubkey authentication. */ - if (options.permit_user_env) { - for (n = 0 ; n < auth_opts->nenv; n++) { -@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) +@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,
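
Review bot: In the Makefile hunk at -2,8 +2,8, "PORTREVISION= 0" can simply be dropped instead of being set to zero; an absent PORTREVISION is treated as 0, and leaving the line out keeps the header minimal until the next revision bump actually needs it.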
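
Review bot: In the Makefile hunk at -70,10 +67,10, X509_PATCHFILES still hard-codes the OpenSSH version ("${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz") next to DISTVERSION= 7.9p1, so the two have to be bumped by hand in step. If the x509 patch is expected to always match the port version, use ${DISTVERSION} here; if it is pinned on purpose because the x509 patch can lag behind a release, a one-line comment saying so would stop the next update from missing it.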
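
Review bot: In the Makefile hunk at -98,7 +95,7, enabling "BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet." leaves the surrounding block pointing at 7.7p1 material: the comment still cites the Debian 1:7.7p1-2 gssapi.patch and PATCHFILES still names openssh-7.7p1-gsskex-all-20141021-debian-... Anyone with KERB_GSSAPI enabled will not be able to build this update, so the BROKEN text should say which version the existing patch targets, and the commit or an UPDATING note should tell those users how to get 7.9p1 in the meantime (disable the option) rather than leaving them on the old build silently.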
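
Review bot: In the Makefile hunk at -113,7 +110,7, the new BROKEN string reads "HPN: Not yet updated for ${DISTVERSION} yet." with "yet" twice; drop one. The same block keeps HPN_DISTVERSION= 7.7p1, and FLAVORS still lists hpn earlier in the file, so the hpn flavor is now unbuildable as a whole; it is worth confirming that this is the intended result and not only the HPN and NONECIPHER options on the default flavor.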
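
Review bot: In the distinfo hunk, the new SHA256 values for openssh-7.9p1.tar.gz and openssh-7.9p1+x509-11.5.diff.gz should be checked against what upstream publishes (signature or release checksum) and not only regenerated from the fetched files, since these lines are what every later fetch is verified against. The retained openssh-7.7p1-gsskex-all-... entry is consistent with the Makefile still naming that file under the BROKEN KERB_GSSAPI option, but it should go away together with that PATCHFILES line when the GSSAPI patch is refreshed.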
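
Review bot: In extra-patch-tcpwrappers (hunk -85,11 +85,11), the configure.ac section now mixes two header styles: the "diff --git configure.ac configure.ac" and "index f48ba4a..66fbe82 100644" lines are kept while the file headers below them become "--- configure.ac.orig 2018-10-16 ..." and "+++ configure.ac 2018-11-10 ...". The index line no longer describes the content being patched; either regenerate the whole extra patch in one format or drop the stale git header lines so the next refresh is not misled by them.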
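
Review bot: In patch-auth2.c, the refreshed hunk at -258,7 +259,14 runs "from_host = auth_get_canonical_hostname(ssh, options.use_dns);" and "from_ip = ssh_remote_ipaddr(ssh);" at the top of input_userauth_request(), before the "authctxt == NULL" check and on every userauth request. If these values are only consumed by the HAVE_LOGIN_CAP block added in the -307,6 +315,27 hunk, move the assignments into that block so the hostname lookup (a DNS query when use_dns is set) is not done for requests that never reach it. The hunk also deletes the upstream blank line after "double tstart = monotime_double();" and re-adds one after "#endif"; keeping the upstream blank line where it is would make the patch a pure addition and easier to carry across releases.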
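
Review bot: In the new patch-serverloop.c (hunk -109,7 +111,19), "int ipport_reserved;" is added after the upstream statement "if (use_privsep) return 1; /* allow system to decide */", which puts a declaration after code; declare it at the top of bind_permitted() to match the surrounding style. Note also that with this placement the FreeBSD-specific reserved-port limit only takes effect when use_privsep is off, because the early return comes first; if that is intended, say so in the patch description, which still carries the "[rewritten for 7.4 by bdrewery@]" note from the misc.c version and should mention the move to serverloop.c.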