MFH: r484765 r484823 r484824

Update to 7.9p1.

- Fixes build on 12, head, and openssl-devel.
- GSSAPI and HPN are currently marked BROKEN as I don't want to block
  the main update for anyone.

  http://www.openssh.com/txt/release-7.8
  http://www.openssh.com/txt/release-7.9

- Fix HPN for 7.9p1
- DOCS is required for HPN but it's not exclusively a flavor so needs to be
  in the default list.
- Fix a build-time OpenSSL version comparison [1]

PR:		233157 [1]
Reported by:	Robert Schulze <rs@bytecamp.net> [1]
Obtained from:	upstream c0a35265907533be10ca151ac797f34ae0d68969 [1]

- Update KERB_GSSAPI for 7.9p1

Approved by:	portmgr (implicit)

security/openssh-portable/Makefile

@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.7p1
-PORTREVISION=	6
+DISTVERSION=	7.9p1
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -26,20 +26,16 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
 
 ETCOLD=			${PREFIX}/etc
 
-BROKEN_SSL=	openssl-devel
-BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1.0 is not yet supported
-
 FLAVORS=			default hpn
 default_CONFLICTS_INSTALL=	openssl-portable-hpn
 hpn_CONFLICTS_INSTALL=		openssh-portable
 hpn_PKGNAMESUFFIX=		-portable-hpn
 
-OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
+OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 .if ${FLAVOR:U} == hpn
-OPTIONS_DEFINE+=	DOCS
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
 OPTIONS_RADIO=		KERBEROS
@@ -70,10 +66,10 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		11.3.2
+X509_VERSION=		11.5
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES=	${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES=	${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
@@ -113,7 +109,7 @@ PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:g
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
-#BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
+#BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v15
 HPN_DISTVERSION=	7.7p1

security/openssh-portable/distinfo

@@ -1,7 +1,7 @@
-TIMESTAMP = 1524589531
-SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
-SIZE (openssh-7.7p1.tar.gz) = 1536900
-SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f
-SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142
-SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4
-SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251
+TIMESTAMP = 1541877994
+SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
+SIZE (openssh-7.9p1.tar.gz) = 1565384
+SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
+SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
+SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc
+SIZE (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = 27612

security/openssh-portable/files/extra-patch-hpn

@@ -1064,9 +1064,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
  #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
  #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
---- work/openssh-7.7p1/sshconnect.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/sshconnect.c	2018-06-26 15:55:19.103812000 -0700
-@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct
+--- work/openssh/sshconnect.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ work/openssh/sshconnect.c	2018-11-12 09:04:24.340706000 -0800
+@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct
  }
  #endif
  
@@ -1096,10 +1096,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 +/*
-  * Creates a (possibly privileged) socket for use as the ssh connection.
+  * Creates a socket for use as the ssh connection.
   */
  static int
-@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai)
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -1109,9 +1109,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
  	/* Bind the socket to an alternative local IP address */
- 	if (options.bind_address == NULL && options.bind_interface == NULL &&
- 	    !privileged)
-@@ -637,8 +667,14 @@ static void
+ 	if (options.bind_address == NULL && options.bind_interface == NULL)
+ 		return sock;
+@@ -608,8 +638,14 @@ static void
  send_client_banner(int connection_out, int minor1)
  {
  	/* Send our own protocol version identification. */
@@ -1128,8 +1128,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	if (atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
  		fatal("write: %.100s", strerror(errno));
---- work/openssh-7.7p1/sshconnect2.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/sshconnect2.c	2018-06-27 17:11:17.543893000 -0700
+--- work/openssh/sshconnect2.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ work/openssh/sshconnect2.c	2018-11-12 09:06:06.338515000 -0800
 @@ -81,7 +81,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
@@ -1144,7 +1144,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /*
   * SSH2 key exchange
   */
-@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
@@ -1154,16 +1154,18 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
- 	char *s;
+ 	char *s, *all_key;
  	struct kex *kex;
  	int r;
- 
-+	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
-+
+@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv
++	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ 		fatal("%s: kex_names_cat", __func__);
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");

security/openssh-portable/files/extra-patch-hpn-compat

@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2017-10-02 12:34:26.000000000 -0700
-+++ servconf.c	2017-10-12 12:20:19.089884000 -0700
-@@ -618,6 +618,10 @@ static struct {
- 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+--- servconf.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ servconf.c	2018-11-10 11:32:09.835817000 -0800
+@@ -645,6 +645,10 @@ static struct {
  	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
  	{ "rdomain", sRDomain, SSHCFG_ALL },
+ 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },

security/openssh-portable/files/extra-patch-tcpwrappers

@@ -85,11 +85,11 @@ index 0ade557..045f149 100644
  	laddr = get_local_ipaddr(sock_in);
 diff --git configure.ac configure.ac
 index f48ba4a..66fbe82 100644
---- configure.ac
-+++ configure.ac
-@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
- 	]
- )
+--- configure.ac.orig	2018-10-16 17:01:20.000000000 -0700
++++ configure.ac	2018-11-10 11:29:32.626326000 -0800
+@@ -1493,6 +1493,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
  
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
@@ -150,11 +150,11 @@ index f48ba4a..66fbe82 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4803,6 +4859,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5305,6 +5361,7 @@ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"

security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb

@@ -1,35 +0,0 @@
-From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 9 Apr 2018 23:54:49 +0000
-Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
- we
-
-fail to accept a connection; bz#2837, patch from Lukas Kuster
-
-OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
----
- ssh-agent.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git ssh-agent.c ssh-agent.c
-index 2a4578b03..68de56ce6 100644
---- ssh-agent.c
-+++ ssh-agent.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
-+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
- 		/* Process events */
- 		switch (sockets[socknum].type) {
- 		case AUTH_SOCKET:
--			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
--			    handle_socket_read(socknum) != 0)
--				close_socket(&sockets[socknum]);
-+			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
-+				handle_socket_read(socknum);
- 			break;
- 		case AUTH_CONNECTION:
- 			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&

security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b

@@ -1,24 +0,0 @@
-From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Sat, 14 Apr 2018 21:50:41 +0000
-Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
-
-LocalCommand
-
-OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
----
- ssh.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git ssh.c ssh.c
-index d3619fe29..9c011dd7e 100644
---- ssh.c
-+++ ssh.c
-@@ -1323,7 +1323,6 @@ main(int ac, char **av)
- 		    (char *)NULL);
- 		free(cp);
- 	}
--	free(conn_hash_hex);
- 
- 	if (config_test) {
- 		dump_client_config(&options, host);

security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20

@@ -1,36 +0,0 @@
-From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 16 Apr 2018 22:50:44 +0000
-Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
- clients
-
-without version numbers since they choke on them under some circumstances.
-https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
-
-Newer Conch versions have a version number in their ident string and
-handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
-
-OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
----
- compat.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git compat.c compat.c
-index 861e9e21f..1c0e08732 100644
---- compat.c
-+++ compat.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
-+/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
- /*
-  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
-  *
-@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
- 					SSH_OLD_DHGEX },
- 		{ "ConfD-*",
- 					SSH_BUG_UTF8TTYMODE },
-+		{ "Twisted_*",		0 },
-+		{ "Twisted*",		SSH_BUG_DEBUG },
- 		{ NULL,			0 }
- 	};
- 

security/openssh-portable/files/patch-auth2.c

@@ -5,31 +5,32 @@ Changed paths:
 
 Apply class-imposed login restrictions.
 
---- auth2.c.orig	2017-03-19 19:39:27.000000000 -0700
-+++ auth2.c	2017-03-20 11:52:27.960733000 -0700
-@@ -47,6 +47,7 @@
- #include "key.h"
+--- auth2.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ auth2.c	2018-11-10 11:35:07.816193000 -0800
+@@ -48,6 +48,7 @@
+ #include "sshkey.h"
  #include "hostfile.h"
  #include "auth.h"
 +#include "canohost.h"
  #include "dispatch.h"
  #include "pathnames.h"
- #include "buffer.h"
-@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
- 	Authmethod *m = NULL;
+ #include "sshbuf.h"
+@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct
  	char *user, *service, *method, *style = NULL;
  	int authenticated = 0;
+ 	double tstart = monotime_double();
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
-+
+ 
 +	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
 +	from_ip = ssh_remote_ipaddr(ssh);
 +#endif
- 
++
  	if (authctxt == NULL)
  		fatal("input_userauth_request: no authctxt");
-@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
+ 
+@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct
  		    "(%s,%s) -> (%s,%s)",
  		    authctxt->user, authctxt->service, user, service);
  	}
@@ -55,5 +56,5 @@ Apply class-imposed login restrictions.
 +#endif  /* HAVE_LOGIN_CAP */
 +
  	/* reset state */
- 	auth2_challenge_stop(authctxt);
+ 	auth2_challenge_stop(ssh);
  

security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad

@@ -1,32 +0,0 @@
-From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Fri, 13 Apr 2018 13:38:06 +1000
-Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
-
-bz2855, ok dtucker@
----
- openbsd-compat/port-net.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
-index 7050629c3..bb535626f 100644
---- openbsd-compat/port-net.c
-+++ openbsd-compat/port-net.c
-@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- 	else
- 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
- 
--	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- 		goto failed;
- 
- 	return (fd);
-@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- 			goto failed;
- 	}
- 
--	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- 		goto failed;
- 
- 	close(sock);

security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969

@@ -0,0 +1,19 @@
+commit c0a35265907533be10ca151ac797f34ae0d68969
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Oct 22 11:22:50 2018 +1100
+
+    fix compile for openssl 1.0.x w/ --with-ssl-engine
+
+    bz#2921, patch from cotequeiroz
+
+--- openbsd-compat/openssl-compat.c.orig	2018-11-12 12:52:26 UTC
++++ openbsd-compat/openssl-compat.c
+@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
+ 	ENGINE_load_builtin_engines();
+ 	ENGINE_register_all_complete();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	OPENSSL_config(NULL);
+ #else
+ 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6

@@ -1,24 +0,0 @@
-From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Thu, 19 Apr 2018 09:53:14 +1000
-Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
-
-Patch from hongxu.jia at windriver.com, ok djm@
----
- cipher.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git cipher.c cipher.c
-index 578763616..a72682a82 100644
---- cipher.c
-+++ cipher.c
-@@ -82,7 +82,9 @@ struct sshcipher {
- 
- static const struct sshcipher ciphers[] = {
- #ifdef WITH_OPENSSL
-+#ifndef OPENSSL_NO_DES
- 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-+#endif
- 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
- 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
- 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },

security/openssh-portable/files/patch-serverloop.c

@@ -9,21 +9,21 @@ Submitted upstream, no reaction.
 Submitted by:   delphij@
 [rewritten for 7.4 by bdrewery@]
 
---- misc.c.orig	2017-01-12 11:54:41.058558000 -0800
-+++ misc.c	2017-01-12 11:55:16.531356000 -0800
-@@ -56,6 +56,8 @@
- #include <net/if.h>
- #endif
+--- serverloop.c.orig	2018-11-10 11:38:16.728617000 -0800
++++ serverloop.c	2018-11-10 11:38:19.497300000 -0800
+@@ -55,6 +55,8 @@
+ #include <unistd.h>
+ #include <stdarg.h>
  
 +#include <sys/sysctl.h>
 +
+ #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
- #include "misc.h"
- #include "log.h"
-@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, 
- int
- bind_permitted(int port, uid_t uid)
+ #include "packet.h"
+@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid)
  {
+ 	if (use_privsep)
+ 		return 1; /* allow system to decide */
 -	if (port < IPPORT_RESERVED && uid != 0)
 +	int ipport_reserved;
 +#ifdef __FreeBSD__

security/openssh-portable/files/patch-session.c

@@ -10,9 +10,9 @@ Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
 
---- session.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ session.c	2018-04-03 13:56:49.599400000 -0700
-@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+--- session.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ session.c	2018-11-10 11:45:14.645263000 -0800
+@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	struct passwd *pw = s->pw;
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  	char *path = NULL;
@@ -22,7 +22,7 @@ Sponsored by:   DARPA, NAI Labs
  #endif
  
  	/* Initialize the environment. */
-@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	}
  #endif
  
@@ -32,7 +32,7 @@ Sponsored by:   DARPA, NAI Labs
  #ifdef GSSAPI
  	/* Allow any GSSAPI methods that we've used to alter
  	 * the childs environment as they see fit
-@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
  #endif
  	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
  	/*
-@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -70,11 +70,10 @@ Sponsored by:   DARPA, NAI Labs
  
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
--
- 	/* Set custom environment options from pubkey authentication. */
- 	if (options.permit_user_env) {
- 		for (n = 0 ; n < auth_opts->nenv; n++) {
-@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw)
+ 	if (s->term)
+ 		child_set_env(&env, &envsize, "TERM", s->term);
+ 	if (s->display)
+@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,