Date:      Mon, 29 Feb 2016 18:36:58 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r409823 - in head/security/openssh-portable: . files
Message-ID:  <201602291836.u1TIawTQ048995@repo.freebsd.org>

Author: bdrewery
Date: Mon Feb 29 18:36:57 2016
New Revision: 409823
URL: https://svnweb.freebsd.org/changeset/ports/409823

Log:
  - Update to 7.2p1
  - Mark X509 and KERB_GSSAPI as BROKEN.
  
  Changelog: http://www.openssh.com/txt/release-7.2
  
  With help from:	brnrd

Deleted:
  head/security/openssh-portable/files/extra-patch-hostkeyalg_plus
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/extra-patch-ldns
  head/security/openssh-portable/files/patch-servconf.c
  head/security/openssh-portable/files/patch-ssh-agent.1
  head/security/openssh-portable/pkg-plist

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/Makefile	Mon Feb 29 18:36:57 2016	(r409823)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.1p2
+DISTVERSION=	7.2p1
 PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
@@ -68,6 +68,7 @@ X509_PATCHFILES=	${PORTNAME}-7.0p1+x509-
 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 SCTP_PATCHFILES=	${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
 SCTP_CONFIGURE_WITH=	sctp
+SCTP_BROKEN=		SCTP does not apply with 7.2+
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:${PORTSDIR}/security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:${PORTSDIR}/security/heimdal
@@ -92,6 +93,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN=		KERN_GSSAPI does not yet apply with 7.2+
 # 7.1 patch taken from
 # http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
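Review bot: The message added at `+BROKEN=		KERN_GSSAPI does not yet apply with 7.2+` misspells the option it describes: the guard one line above is `.if ${PORT_OPTIONS:MKERB_GSSAPI}` and the log says KERB_GSSAPI, so the line should read `BROKEN=		KERB_GSSAPI does not yet apply with 7.2+`. The previous hunk expresses the same situation for SCTP with the option helper (`SCTP_BROKEN=`), so `KERB_GSSAPI_BROKEN=` would be the more uniform form than a bare BROKEN inside the conditional. The `.if` block this line sits in continues past the end of the hunk.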
@@ -117,13 +119,11 @@ CONFIGURE_LIBS+=	-lutil
 
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
-EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hostkeyalg_plus:-p1
-
 # Keep this last
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-version-addendum
 
 .if ${PORT_OPTIONS:MX509}
-BROKEN=	Patch does not apply with 7.1
+BROKEN=	X509 does not apply with 7.1+
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 BROKEN=		X509 patch and HPN patch do not apply cleanly together
 .  endif
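Review bot: The reworded line `+BROKEN=	X509 does not apply with 7.1+` names 7.1 while the two BROKEN messages added earlier in this commit say `7.2+`; since the port now builds 7.2p1, `BROKEN=	X509 does not apply with 7.2+` would keep the three consistent. The removed `extra-patch-hostkeyalg_plus` line is presumably dropped because 7.2 carries the equivalent change upstream, but neither the log nor the Makefile says so, and a short log line would spare the next reader a trip to the release notes. The `.if ${PORT_OPTIONS:MX509}` block continues past the end of this hunk.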

Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/distinfo	Mon Feb 29 18:36:57 2016	(r409823)
@@ -1,5 +1,5 @@
-SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
-SIZE (openssh-7.1p2.tar.gz) = 1475829
+SHA256 (openssh-7.2p1.tar.gz) = 973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3
+SIZE (openssh-7.2p1.tar.gz) = 1499707
 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
 SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
 SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e

Modified: head/security/openssh-portable/files/extra-patch-hpn
==============================================================================
--- head/security/openssh-portable/files/extra-patch-hpn	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/files/extra-patch-hpn	Mon Feb 29 18:36:57 2016	(r409823)
@@ -447,29 +447,18 @@ diff -urN -x configure -x config.guess -
  
  echo ""
  
---- work.clean/openssh-6.8p1/kex.c.orig	2015-08-11 01:57:29.000000000 -0700
-+++ work.clean/openssh-6.8p1/kex.c	2015-08-17 17:02:06.770901000 -0700
-@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh)
- 	int nenc, nmac, ncomp;
- 	u_int mode, ctos, need, dh_need, authlen;
- 	int r, first_kex_follows;
-+#ifdef NONE_CIPHER_ENABLED
-+	/* XXX: Could this move into the lower block? */
-+	int auth_flag;
-+
-+	auth_flag = ssh_packet_authentication_state(ssh);
-+	debug ("AUTH STATE IS %d", auth_flag);
-+#endif
- 
- 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
- 	    (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
-@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh)
+--- work.clean/openssh-7.2p1/kex.c.orig	2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/kex.c	2016-02-29 08:02:25.565288000 -0800
+@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
  			peer[ncomp] = NULL;
  			goto out;
  		}
 +#ifdef NONE_CIPHER_ENABLED
 +		debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
 +		if (strcmp(newkeys->enc.name, "none") == 0) {
++			int auth_flag;
++
++			auth_flag = ssh_packet_authentication_state(ssh);
 +			debug("Requesting NONE. Authflag is %d", auth_flag);
 +			if (auth_flag == 1) {
 +				debug("None requested post authentication.");
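Review bot: The new `+			int auth_flag;` followed by a blank line and a separate assignment reads as a leftover of the old function-scope version; now that it lives inside the `strcmp(newkeys->enc.name, "none") == 0` block it can be one initialized declaration, `int auth_flag = ssh_packet_authentication_state(ssh);`. Querying the authentication state only when the peer actually asks for the `none` cipher is the right scope for the `if (auth_flag == 1)` gate that follows, so the relocation itself looks correct. The branch taken when the state is anything other than 1, and the rest of the enclosing kex_choose_conf body, continue past the end of this hunk.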
@@ -478,13 +467,13 @@ diff -urN -x configure -x config.guess -
 +			}
 +		}
 +#endif
- 		debug("kex: %s %s %s %s",
+ 		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
---- work.clean/openssh-6.8p1/packet.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/packet.c	2015-04-03 16:10:57.002066000 -0500
-@@ -2199,6 +2199,24 @@
- 	}
+--- work.clean/openssh-7.2p1/packet.c.orig	2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/packet.c	2016-02-29 08:05:15.744201000 -0800
+@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+ 	return 0;
  }
  
 +#ifdef NONE_CIPHER_ENABLED
@@ -506,10 +495,10 @@ diff -urN -x configure -x config.guess -
 +#endif
 +
  #define MAX_PACKETS	(1U<<31)
- int
- ssh_packet_need_rekeying(struct ssh *ssh)
-@@ -2207,6 +2225,12 @@
- 
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+ 	/* Peer can't rekey */
  	if (ssh->compat & SSH_BUG_NOREKEY)
  		return 0;
 +#ifdef NONE_CIPHER_ENABLED
@@ -518,9 +507,9 @@ diff -urN -x configure -x config.guess -
 +               return 1;
 +        }
 +#endif
- 	return
- 	    (state->p_send.packets > MAX_PACKETS) ||
- 	    (state->p_read.packets > MAX_PACKETS) ||
+ 
+ 	/*
+ 	 * Permit one packet in or out per rekey - this allows us to
 --- work.clean/openssh-6.8p1/packet.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/packet.h	2015-04-03 16:10:34.728161000 -0500
 @@ -188,6 +188,11 @@
@@ -1110,8 +1099,8 @@ diff -urN -x configure -x config.guess -
  	}
  	if (roaming_atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
---- work.clean/openssh-7.1p2/sshconnect2.c.orig	2016-01-13 17:10:45.000000000 -0800
-+++ work.clean/openssh-7.1p2/sshconnect2.c	2016-01-19 17:49:17.929000000 -0800
+--- work.clean/openssh-7.2p1/sshconnect2.c.orig	2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/sshconnect2.c	2016-02-29 08:06:31.134954000 -0800
 @@ -80,6 +80,14 @@
  extern char *client_version_string;
  extern char *server_version_string;
@@ -1127,7 +1116,7 @@ diff -urN -x configure -x config.guess -
  
  /*
   * SSH2 key exchange
-@@ -153,13 +161,16 @@ order_hostkeyalgs(char *host, struct soc
+@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
  	return ret;
  }
  
@@ -1137,6 +1126,7 @@ diff -urN -x configure -x config.guess -
  ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ 	char *s;
  	struct kex *kex;
  	int r;
  
@@ -1145,7 +1135,7 @@ diff -urN -x configure -x config.guess -
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -232,6 +243,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
  	packet_send();
  	packet_write_wait();
  #endif
@@ -1155,9 +1145,9 @@ diff -urN -x configure -x config.guess -
  }
  
  /*
-@@ -416,6 +430,29 @@ ssh_userauth2(const char *local_user, co
+@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
  	pubkey_cleanup(&authctxt);
- 	dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+ 	ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
  
 +#ifdef NONE_CIPHER_ENABLED
 +	/*

Modified: head/security/openssh-portable/files/extra-patch-ldns
==============================================================================
--- head/security/openssh-portable/files/extra-patch-ldns	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/files/extra-patch-ldns	Mon Feb 29 18:36:57 2016	(r409823)
@@ -35,9 +35,9 @@ be verified, OpenSSH will print a messag
 +#   VerifyHostKeyDNS yes
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
---- ssh_config.5	2013-10-03 08:15:03.621130815 -0500
-+++ ssh_config.5	2013-10-03 08:15:22.851132133 -0500
-@@ -1246,7 +1246,10 @@ The argument must be
+--- ssh_config.5.orig	2016-02-25 19:40:04.000000000 -0800
++++ ssh_config.5	2016-02-29 07:57:41.763889000 -0800
+@@ -1715,7 +1715,10 @@
  or
  .Dq ask .
  The default is
@@ -46,6 +46,6 @@ be verified, OpenSSH will print a messag
 +if compiled with LDNS and
 +.Dq no
 +otherwise.
- Note that this option applies to protocol version 2 only.
  .Pp
  See also VERIFYING HOST KEYS in
+ .Xr ssh 1 .

Modified: head/security/openssh-portable/files/patch-servconf.c
==============================================================================
--- head/security/openssh-portable/files/patch-servconf.c	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/files/patch-servconf.c	Mon Feb 29 18:36:57 2016	(r409823)
@@ -38,12 +38,3 @@
  	if (options->kbd_interactive_authentication == -1)
  		options->kbd_interactive_authentication = 0;
  	if (options->challenge_response_authentication == -1)
-@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption
- 
- 	/* Turn privilege separation on by default */
- 	if (use_privsep == -1)
--		use_privsep = PRIVSEP_NOSANDBOX;
-+		use_privsep = PRIVSEP_ON;
- 
- #define CLEAR_ON_NONE(v) \
- 	do { \
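Review bot: The dropped hunk is the one that made the port's sshd default `use_privsep` to `PRIVSEP_ON` instead of upstream's `PRIVSEP_NOSANDBOX`, and nothing in the log or the remaining patch says why it is no longer needed. If 7.2p1 now defaults to the sandboxed privilege-separation mode this is a no-op, but if the hunk was dropped only because it stopped applying, the package would quietly fall back to the unsandboxed default. A one-line comment at the top of patch-servconf.c, for example `# upstream 7.2 already defaults use_privsep to the sandbox; the old PRIVSEP_ON hunk is no longer needed` (if that is the reason), or a line in the log, would make the intent checkable.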

Modified: head/security/openssh-portable/files/patch-ssh-agent.1
==============================================================================
--- head/security/openssh-portable/files/patch-ssh-agent.1	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/files/patch-ssh-agent.1	Mon Feb 29 18:36:57 2016	(r409823)
@@ -10,8 +10,8 @@ disconnected.
  .Sh SYNOPSIS
  .Nm ssh-agent
  .Op Fl c | s
--.Op Fl Dd
-+.Op Fl Ddx
+-.Op Fl \&Dd
++.Op Fl \&Ddx
  .Op Fl a Ar bind_address
  .Op Fl E Ar fingerprint_hash
  .Op Fl t Ar life

Modified: head/security/openssh-portable/pkg-plist
==============================================================================
--- head/security/openssh-portable/pkg-plist	Mon Feb 29 18:35:00 2016	(r409822)
+++ head/security/openssh-portable/pkg-plist	Mon Feb 29 18:36:57 2016	(r409823)
@@ -1,5 +1,3 @@
-@comment slogin must be deleted first
-bin/slogin
 bin/scp
 bin/sftp
 bin/ssh
@@ -23,7 +21,6 @@ man/man1/ssh-keygen.1.gz
 man/man1/ssh-keyscan.1.gz
 man/man1/scp.1.gz
 man/man1/ssh.1.gz
-man/man1/slogin.1.gz
 man/man5/moduli.5.gz
 man/man5/ssh_config.5.gz
 man/man5/sshd_config.5.gz


