svn commit: r468998 - in head/security/openssh-portable: . files

Bryan Drewery bdrewery at FreeBSD.org
Thu May 3 23:39:12 UTC 2018


Author: bdrewery
Date: Thu May  3 23:39:10 2018
New Revision: 468998
URL: https://svnweb.freebsd.org/changeset/ports/468998

Log:
  - Add XMSS option to enable experimental key support added in 7.7 [1]
  - Bring in upstream patches post 7.7 to fix various issues [2]:
    b81b2d120e9c8a83489e241620843687758925ad - Fix tunnel forwarding broken in 7.7p1
    341727df910e12e26ef161508ed76d91c40a61eb - don't kill ssh-agent's listening socket entriely if we fail to accept a connection
    85fe48fd49f2e81fa30902841b362cfbb7f1933b - don't free the %C expansion, it's used later for LocalCommand
    868afa68469de50d8a43e5daf867d7c624a34d20 - Disable SSH2_MSG_DEBUG messages for Twisted Conch clients
    f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 - Omit 3des-cbc if OpenSSL built without DES
  
  PR:		227758 [1]
  Submitted by:	IWAMOTO Kouichi <sue at iwmt.org> [1]
  PR:		227551 [2]
  Reported by:	rozhuk.im at gmail.com [2]
  Obtained from:	upstream mirror https://github.com/openssh/openssh-portable [2]

Added:
  head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb   (contents, props changed)
  head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b   (contents, props changed)
  head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20   (contents, props changed)
  head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad   (contents, props changed)
  head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6   (contents, props changed)
Modified:
  head/security/openssh-portable/Makefile

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Thu May  3 23:33:40 2018	(r468997)
+++ head/security/openssh-portable/Makefile	Thu May  3 23:39:10 2018	(r468998)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	7.7p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -31,7 +31,7 @@ BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1
 
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
-			LDNS NONECIPHER
+			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
@@ -45,6 +45,7 @@ HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
+XMSS_DESC=		XMSS key support (experimental)
 
 OPTIONS_SUB=		yes
 
@@ -193,6 +194,9 @@ post-patch:
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
+
+post-configure-XMSS-on:
+	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
 
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
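Review bot: `post-configure-XMSS-on` enables the feature by appending `#define WITH_XMSS 1` to the generated `config.h`, which works only as long as nothing re-runs configure or regenerates that header after this target; presumably 7.7p1 offers no `--with-xmss` configure switch, which is why the raw echo is used, but the Makefile does not say so. A short comment above the target, `# 7.7p1 has no configure knob for XMSS; it is enabled by defining WITH_XMSS in config.h`, would keep a future maintainer from "fixing" it into a CONFIGURE_ARGS entry that does not exist. Using `${ECHO_CMD} ... >>` mirrors the existing `version.h` append above, so the style is consistent with the file.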

Added: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb	Thu May  3 23:39:10 2018	(r468998)
@@ -0,0 +1,35 @@
+From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
+From: "djm at openbsd.org" <djm at openbsd.org>
+Date: Mon, 9 Apr 2018 23:54:49 +0000
+Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
+ we
+
+fail to accept a connection; bz#2837, patch from Lukas Kuster
+
+OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
+---
+ ssh-agent.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git ssh-agent.c ssh-agent.c
+index 2a4578b03..68de56ce6 100644
+--- ssh-agent.c
++++ ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo at cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
+@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
+ 		/* Process events */
+ 		switch (sockets[socknum].type) {
+ 		case AUTH_SOCKET:
+-			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
+-			    handle_socket_read(socknum) != 0)
+-				close_socket(&sockets[socknum]);
++			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
++				handle_socket_read(socknum);
+ 			break;
+ 		case AUTH_CONNECTION:
+ 			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
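Review bot: With the close removed, the return value of `handle_socket_read()` is now discarded for `AUTH_SOCKET`, so a persistent `accept()` failure (EMFILE/ENFILE when the descriptor table is exhausted, for instance) would leave the listening fd permanently readable and `after_poll()` spinning through `poll()` without making progress, whereas the old code at least ended the spin by dropping the socket. Unless `handle_socket_read()` already backs off or sleeps on such errors, a bounded retry or delay on that path is worth adding, and the decision to keep listening deserves a comment at the call site: `/* keep the listener open: a failed accept() is transient (bz#2837) */`. `handle_socket_read()` and the remainder of `after_poll()` lie outside this hunk, so I cannot confirm what it does on failure.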

Added: head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b	Thu May  3 23:39:10 2018	(r468998)
@@ -0,0 +1,24 @@
+From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
+From: "djm at openbsd.org" <djm at openbsd.org>
+Date: Sat, 14 Apr 2018 21:50:41 +0000
+Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
+
+LocalCommand
+
+OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
+---
+ ssh.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git ssh.c ssh.c
+index d3619fe29..9c011dd7e 100644
+--- ssh.c
++++ ssh.c
+@@ -1323,7 +1323,6 @@ main(int ac, char **av)
+ 		    (char *)NULL);
+ 		free(cp);
+ 	}
+-	free(conn_hash_hex);
+ 
+ 	if (config_test) {
+ 		dump_client_config(&options, host);
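Review bot: Deleting this `free()` fixes the use of `conn_hash_hex` by the LocalCommand expansion, but nothing in the hunk shows the buffer being released afterwards, so unless a `free()` exists further down in `main()` the fix trades a use-after-free for a process-lifetime leak — harmless in `main()`, yet it should be a deliberate choice rather than an accident. I would either move the `free(conn_hash_hex)` to after the LocalCommand handling or leave a marker where it used to be, `/* conn_hash_hex is still read by the %C expansion for LocalCommand; not freed here */`. `main()` begins and ends outside this hunk.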

Added: head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20	Thu May  3 23:39:10 2018	(r468998)
@@ -0,0 +1,36 @@
+From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
+From: "djm at openbsd.org" <djm at openbsd.org>
+Date: Mon, 16 Apr 2018 22:50:44 +0000
+Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
+ clients
+
+without version numbers since they choke on them under some circumstances.
+https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
+
+Newer Conch versions have a version number in their ident string and
+handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
+
+OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
+---
+ compat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git compat.c compat.c
+index 861e9e21f..1c0e08732 100644
+--- compat.c
++++ compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
++/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
+ /*
+  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
+  *
+@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
+ 					SSH_OLD_DHGEX },
+ 		{ "ConfD-*",
+ 					SSH_BUG_UTF8TTYMODE },
++		{ "Twisted_*",		0 },
++		{ "Twisted*",		SSH_BUG_DEBUG },
+ 		{ NULL,			0 }
+ 	};
+ 

Added: head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad	Thu May  3 23:39:10 2018	(r468998)
@@ -0,0 +1,32 @@
+From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm at mindrot.org>
+Date: Fri, 13 Apr 2018 13:38:06 +1000
+Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
+
+bz2855, ok dtucker@
+---
+ openbsd-compat/port-net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
+index 7050629c3..bb535626f 100644
+--- openbsd-compat/port-net.c
++++ openbsd-compat/port-net.c
+@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 	else
+ 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+ 
+-	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ 		goto failed;
+ 
+ 	return (fd);
+@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 			goto failed;
+ 	}
+ 
+-	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ 		goto failed;
+ 
+ 	close(sock);
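Review bot: On the now-correct failure branch `goto failed` is taken before the `close(sock)` on the following line, so `sock` is released only if the `failed:` label — outside this hunk — closes it in addition to `fd`; if it closes only `fd`, a `strdup()` failure here leaks the control socket. Please confirm the label handles both descriptors, or add a comment next to the `goto`, `/* failed: must close sock as well as fd */`, so the expectation is explicit. `sys_tun_open()` starts and ends outside the hunk, and the first hunk above has the same shape with a single descriptor.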

Added: head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6	Thu May  3 23:39:10 2018	(r468998)
@@ -0,0 +1,24 @@
+From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker at dtucker.net>
+Date: Thu, 19 Apr 2018 09:53:14 +1000
+Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
+
+Patch from hongxu.jia at windriver.com, ok djm@
+---
+ cipher.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git cipher.c cipher.c
+index 578763616..a72682a82 100644
+--- cipher.c
++++ cipher.c
+@@ -82,7 +82,9 @@ struct sshcipher {
+ 
+ static const struct sshcipher ciphers[] = {
+ #ifdef WITH_OPENSSL
++#ifndef OPENSSL_NO_DES
+ 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
++#endif
+ 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
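Review bot: Removing `3des-cbc` from the table is the right reaction to a DES-less libcrypto, but any other place that names the cipher — default proposal strings, `cipher_by_name()` callers, `Ciphers` lines in shipped configuration — will now fail lookup at runtime instead of at build time, and those sites are outside this hunk and should be checked for a matching `OPENSSL_NO_DES` guard. The closing directive would also read better annotated, `#endif /* OPENSSL_NO_DES */`, since it is nested inside the `WITH_OPENSSL` block. From a hardening perspective the change is welcome: 3des-cbc is a 64-bit-block CBC mode (the SWEET32 class), so a build without DES merely loses a legacy cipher.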

