- Add XMSS option to enable experimental key support added in 7.7 [1]

- Bring in upstream patches post 7.7 to fix various issues [2]: b81b2d120e9c8a83489e241620843687758925ad - Fix tunnel forwarding broken in 7.7p1 341727df910e12e26ef161508ed76d91c40a61eb - don't kill ssh-agent's listening socket entriely if we fail to accept a connection 85fe48fd49f2e81fa30902841b362cfbb7f1933b - don't free the %C expansion, it's used later for LocalCommand 868afa68469de50d8a43e5daf867d7c624a34d20 - Disable SSH2_MSG_DEBUG messages for Twisted Conch clients f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 - Omit 3des-cbc if OpenSSL built without DES PR: 227758 [1] Submitted by: IWAMOTO Kouichi <sue@iwmt.org> [1] PR: 227551 [2] Reported by: rozhuk.im@gmail.com [2] Obtained from: upstream mirror https://github.com/openssh/openssh-portable [2]
svn path=/head/; revision=468998
2018-05-03 23:39:10 +00:00 · 2018-05-03 23:39:10 +00:00 · a68f18cd9b · 2021-03-31 03:12:20 +00:00
commit a68f18cd9b
parent 0f793e052c
6 changed files with 157 additions and 2 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	openssh
 DISTVERSION=	7.7p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@ -31,7 +31,7 @@ BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1.0 is not yet supported

 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
-			LDNS NONECIPHER
+			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
@ -45,6 +45,7 @@ HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
+XMSS_DESC=		XMSS key support (experimental)

 OPTIONS_SUB=		yes

@ -194,6 +195,9 @@ post-patch:
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h

+post-configure-XMSS-on:
+	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
+
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}//ssh_config.sample
--- a/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
+++ b/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
@ -0,0 +1,35 @@
+From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 9 Apr 2018 23:54:49 +0000
+Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
+ we
+
+fail to accept a connection; bz#2837, patch from Lukas Kuster
+
+OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
+---
+ ssh-agent.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git ssh-agent.c ssh-agent.c
+index 2a4578b03..68de56ce6 100644
+--- ssh-agent.c
+++ ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
+ 		/* Process events */
+ 		switch (sockets[socknum].type) {
+ 		case AUTH_SOCKET:
+-			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
+-			    handle_socket_read(socknum) != 0)
+-				close_socket(&sockets[socknum]);
+			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
+				handle_socket_read(socknum);
+ 			break;
+ 		case AUTH_CONNECTION:
+ 			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
--- a/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
+++ b/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
@ -0,0 +1,24 @@
+From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 14 Apr 2018 21:50:41 +0000
+Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
+
+LocalCommand
+
+OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
+---
+ ssh.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git ssh.c ssh.c
+index d3619fe29..9c011dd7e 100644
+--- ssh.c
+++ ssh.c
+@@ -1323,7 +1323,6 @@ main(int ac, char **av)
+ 		    (char *)NULL);
+ 		free(cp);
+ 	}
+-	free(conn_hash_hex);
+ 
+ 	if (config_test) {
+ 		dump_client_config(&options, host);
--- a/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
+++ b/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
@ -0,0 +1,36 @@
+From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 16 Apr 2018 22:50:44 +0000
+Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
+ clients
+
+without version numbers since they choke on them under some circumstances.
+https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
+
+Newer Conch versions have a version number in their ident string and
+handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
+
+OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
+---
+ compat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git compat.c compat.c
+index 861e9e21f..1c0e08732 100644
+--- compat.c
+++ compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
+ /*
+  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
+  *
+@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
+ 					SSH_OLD_DHGEX },
+ 		{ "ConfD-*",
+ 					SSH_BUG_UTF8TTYMODE },
+		{ "Twisted_*",		0 },
+		{ "Twisted*",		SSH_BUG_DEBUG },
+ 		{ NULL,			0 }
+ 	};
+ 
--- a/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
+++ b/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
@ -0,0 +1,32 @@
+From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 13 Apr 2018 13:38:06 +1000
+Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
+
+bz2855, ok dtucker@
+---
+ openbsd-compat/port-net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
+index 7050629c3..bb535626f 100644
+--- openbsd-compat/port-net.c
+++ openbsd-compat/port-net.c
+@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 	else
+ 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+ 
+-	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ 		goto failed;
+ 
+ 	return (fd);
+@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 			goto failed;
+ 	}
+ 
+-	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ 		goto failed;
+ 
+ 	close(sock);
--- a/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
+++ b/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
@ -0,0 +1,24 @@
+From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Thu, 19 Apr 2018 09:53:14 +1000
+Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
+
+Patch from hongxu.jia at windriver.com, ok djm@
+---
+ cipher.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git cipher.c cipher.c
+index 578763616..a72682a82 100644
+--- cipher.c
+++ cipher.c
+@@ -82,7 +82,9 @@ struct sshcipher {
+ 
+ static const struct sshcipher ciphers[] = {
+ #ifdef WITH_OPENSSL
+#ifndef OPENSSL_NO_DES
+ 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+#endif
+ 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },