From owner-svn-ports-all@freebsd.org Tue Aug 18 15:42:54 2015
Return-Path:
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 14DC69BC16C; Tue, 18 Aug 2015 15:42:54 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0345318ED; Tue, 18 Aug 2015 15:42:54 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7IFgrg0095320; Tue, 18 Aug 2015 15:42:53 GMT (envelope-from bdrewery@FreeBSD.org)
Received: (from bdrewery@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7IFgqU5095316; Tue, 18 Aug 2015 15:42:52 GMT (envelope-from bdrewery@FreeBSD.org)
Message-Id: <201508181542.t7IFgqU5095316@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f
From: Bryan Drewery
Date: Tue, 18 Aug 2015 15:42:52 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r394608 - in head/security/openssh-portable: . files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the ports tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 18 Aug 2015 15:42:54 -0000

Author: bdrewery
Date: Tue Aug 18 15:42:52 2015
New Revision: 394608
URL: https://svnweb.freebsd.org/changeset/ports/394608

Log:
- Update to OpenSSH 7.0p1
- Update X509 patch to 8.5

Changes: http://www.openssh.com/txt/release-7.0

Deleted:
head/security/openssh-portable/files/patch-auth2-chall.c
Modified:
head/security/openssh-portable/Makefile
head/security/openssh-portable/distinfo
head/security/openssh-portable/files/extra-patch-hpn
head/security/openssh-portable/files/patch-servconf.c

Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Tue Aug 18 15:41:06 2015 (r394607) +++ head/security/openssh-portable/Makefile Tue Aug 18 15:42:52 2015 (r394608) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.9p1 -PORTREVISION= 2 +DISTVERSION= 7.0p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -60,9 +60,9 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 8.4 +X509_VERSION= 8.5 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.0p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Tue Aug 18 15:41:06 2015 (r394607) +++ head/security/openssh-portable/distinfo Tue Aug 18 15:42:52 2015 (r394608) 
@@ -1,8 +1,8 @@ -SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe -SIZE (openssh-6.9p1.tar.gz) = 1487617 -SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb -SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687 -SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 -SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 +SHA256 (openssh-7.0p1.tar.gz) = fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 +SIZE (openssh-7.0p1.tar.gz) = 1493376 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531 +SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e +SIZE (openssh-7.0p1+x509-8.5.diff.gz) = 411960 +SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 +SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Tue Aug 18 15:41:06 2015 (r394607) +++ head/security/openssh-portable/files/extra-patch-hpn Tue Aug 18 15:42:52 2015 (r394608) @@ -447,9 +447,9 @@ diff -urN -x configure -x config.guess - echo "" ---- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500 -@@ -587,6 +587,13 @@ +--- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700 ++++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700 +@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh) int nenc, nmac, ncomp; u_int mode, ctos, need, dh_need, authlen; int r, first_kex_follows; 
@@ -463,10 +463,10 @@ diff -urN -x configure -x config.guess - if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) -@@ -635,6 +642,17 @@ - if ((r = choose_comp(&newkeys->comp, cprop[ncomp], - sprop[ncomp])) != 0) +@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh) + peer[ncomp] = NULL; goto out; + } +#ifdef NONE_CIPHER_ENABLED + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); + if (strcmp(newkeys->enc.name, "none") == 0) { @@ -548,9 +548,9 @@ diff -urN -x configure -x config.guess - /* OLD API */ extern struct ssh *active_state; #include "opacket.h" ---- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500 -+++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500 -@@ -154,6 +154,12 @@ +--- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500 ++++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500 +@@ -153,6 +153,12 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, @@ -563,10 +563,10 @@ diff -urN -x configure -x config.guess - oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -276,6 +282,16 @@ - { "fingerprinthash", oFingerprintHash }, +@@ -277,6 +283,16 @@ static struct { { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", oNoneEnabled }, + { "noneswitch", oNoneSwitch }, @@ -580,7 +580,7 @@ diff -urN -x configure -x config.guess - { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } -@@ -917,6 +933,44 @@ +@@ -906,6 +922,44 @@ parse_time: intptr = &options->check_host_ip; goto parse_flag; 
@@ -625,7 +625,7 @@ diff -urN -x configure -x config.guess - case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -1678,6 +1732,16 @@ +@@ -1665,6 +1719,16 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; @@ -642,7 +642,7 @@ diff -urN -x configure -x config.guess - options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; -@@ -1838,6 +1902,35 @@ +@@ -1826,6 +1890,35 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; @@ -1199,9 +1199,9 @@ diff -urN -x configure -x config.guess - debug("Authentication succeeded (%s).", authctxt.method->name); } ---- work.clean/openssh-6.8p1/sshd.c.orig 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/sshd.c 2015-05-06 13:29:02.129507000 -0500 -@@ -430,8 +430,13 @@ sshd_exchange_identification(int sock_in +--- work.clean/openssh-6.8p1/sshd.c.orig 2015-08-17 17:01:06.925269000 -0700 ++++ work.clean/openssh-6.8p1/sshd.c 2015-08-17 17:05:40.008253000 -0700 +@@ -438,8 +438,13 @@ sshd_exchange_identification(int sock_in minor = PROTOCOL_MINOR_1; } @@ -1216,7 +1216,7 @@ diff -urN -x configure -x config.guess - *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); -@@ -1149,6 +1154,10 @@ server_listen(void) +@@ -1162,6 +1167,10 @@ server_listen(void) int ret, listen_sock, on = 1; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -1227,7 +1227,7 @@ diff -urN -x configure -x config.guess - for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1189,6 +1198,13 @@ server_listen(void) +@@ -1202,6 +1211,13 @@ server_listen(void) debug("Bind to port %s on %s.", strport, ntop); 
@@ -1241,9 +1241,9 @@ diff -urN -x configure -x config.guess - /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -2132,6 +2148,11 @@ main(int ac, char **av) - remote_ip, remote_port, - get_local_ipaddr(sock_in), get_local_port()); +@@ -2130,6 +2146,11 @@ main(int ac, char **av) + cleanup_exit(255); + } +#ifdef HPN_ENABLED + /* set the HPN options for the child */ @@ -1251,21 +1251,23 @@ diff -urN -x configure -x config.guess - +#endif + /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is -@@ -2531,6 +2552,12 @@ do_ssh2_kex(void) - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; + * We use get_canonical_hostname with usedns = 0 instead of + * get_remote_ipaddr here so IP options will be checked. +@@ -2564,6 +2585,14 @@ do_ssh2_kex(void) + struct kex *kex; + int r; + +#ifdef NONE_CIPHER_ENABLED -+ } else if (options.none_enabled == 1) { ++ if (options.none_enabled == 1) { + debug ("WARNING: None cipher enabled"); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; ++ } +#endif - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); ++ + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + options.kex_algorithms); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 
@@ -127,6 +127,20 @@ Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Tue Aug 18 15:41:06 2015 (r394607) +++ head/security/openssh-portable/files/patch-servconf.c Tue Aug 18 15:42:52 2015 (r394608) @@ -1,6 +1,6 @@ ---- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500 -+++ servconf.c 2015-03-22 23:59:46.645390000 -0500 -@@ -81,6 +81,7 @@ +--- servconf.c.orig 2015-08-17 20:37:29.913831000 -0700 ++++ servconf.c 2015-08-17 20:37:29.950132000 -0700 +@@ -57,6 +57,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -8,25 +8,16 @@ static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption +@@ -193,7 +194,7 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; + options->use_pam = 1; - /* X.509 Standard Options */ - #ifdef OPENSSL_FIPS -@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_YES; -+ options->permit_root_login = PERMIT_NO; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) -@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption + /* Standard Options */ + if (options->protocol == SSH_PROTO_UNKNOWN) +@@ -242,7 +243,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) 
@@ -35,9 +26,9 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption - if (options->gss_cleanup_creds == -1) - options->gss_cleanup_creds = 1; +@@ -288,7 +289,11 @@ fill_default_server_options(ServerOption + if (options->gss_strict_acceptor == -1) + options->gss_strict_acceptor = 0; if (options->password_authentication == -1) +#ifdef USE_PAM + options->password_authentication = 0; @@ -47,8 +38,8 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) -@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption - options->fingerprint_hash = SSH_FP_HASH_DEFAULT; +@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption + /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX;
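Review bot: the log entry does not say why files/patch-auth2-chall.c is deleted in this revision. If the fix that patch carried is included in 7.0p1 upstream, state that in the log so the deletion is not read as a dropped local fix; if it is not, the patch needs to be re-rolled against 7.0p1 rather than removed.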
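Review bot: in the distinfo hunk the gsskex entry (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) is only moved to the end with identical SHA256 and SIZE, and the sctp entry stays at openssh-6.8p1-sctp-2573.patch.gz, while the base tarball moves to openssh-7.0p1.tar.gz. Both patches were generated against older releases, so the log should confirm they were checked to still apply on 7.0p1 with the GSSAPI and SCTP options enabled; the reordering itself changes nothing and could be left out to keep the diff minimal.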
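Review bot: in the do_ssh2_kex hunk of extra-patch-hpn the NONE_CIPHER_ENABLED block now stands alone at the top of the function, and the context lines right after its #endif are the unconditional
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
so the KEX_ENCRYPT_INCLUDE_NONE value written into myproposal[PROPOSAL_ENC_ALGS_CTOS] and [PROPOSAL_ENC_ALGS_STOC] is overwritten before key exchange starts. In the removed lines the block was an else-if on the options.ciphers check and compat_cipher_proposal() was then fed myproposal[PROPOSAL_ENC_ALGS_CTOS] itself, so the none proposal survived; the new argument is cut off in this hunk, but 7.0's do_ssh2_kex passes options.ciphers there. Either move the block below the compat_cipher_proposal() assignments or have it adjust options.ciphers, otherwise none_enabled becomes a silent no-op on the server side.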
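Review bot: the regenerated file headers inside extra-patch-hpn now name three different source trees: work.clean/openssh-6.8p1/kex.c and sshd.c dated 2015-08-17, work/openssh-6.9p1/readconf.c dated 2015-07-27, and the untouched work.clean/openssh-6.8p1/sshd_config. The -p strip level makes this apply, but a reader cannot tell from the file which OpenSSH release the HPN patch was last verified against; regenerating every header from one 7.0p1 work tree would make that explicit.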
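Review bot: the patch-servconf.c hunk that changed the permit_root_login default from PERMIT_YES to PERMIT_NO is dropped and nothing in this commit replaces it, yet the log does not mention a change to the port's PermitRootLogin default. The linked 7.0 release notes move upstream's default from yes to prohibit-password, which is less restrictive than the PERMIT_NO the port shipped before; either keep the hunk, adjusted to the new context, or state in the log that the port now follows the upstream default so administrators relying on the old hardened setting can check their sshd_config.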