From b22d50c0e14b2570ec609f94aadde5ff5d8192b5 Mon Sep 17 00:00:00 2001 
From: Bryan Drewery Date: Mon, 12 Nov 2018 21:06:47 +0000 Subject: [PATCH] MFH: r484765 r484823 r484824 Update to 7.9p1. - Fixes build on 12, head, and openssl-devel. - GSSAPI and HPN are currently marked BROKEN as I don't want to block the main update for anyone. http://www.openssh.com/txt/release-7.8 http://www.openssh.com/txt/release-7.9 - Fix HPN for 7.9p1 - DOCS is required for HPN but it's not exclusively a flavor so needs to be in the default list. - Fix a build-time OpenSSL version comparison [1] PR: 233157 [1] Reported by: Robert Schulze [1] Obtained from: upstream c0a35265907533be10ca151ac797f34ae0d68969 [1] - Update KERB_GSSAPI for 7.9p1 Approved by: portmgr (implicit) --- security/openssh-portable/Makefile | 16 ++++----- security/openssh-portable/distinfo | 14 ++++---- .../openssh-portable/files/extra-patch-hpn | 34 +++++++++--------- .../files/extra-patch-hpn-compat | 8 ++--- .../files/extra-patch-tcpwrappers | 18 +++++----- ...h-341727df910e12e26ef161508ed76d91c40a61eb | 35 ------------------ ...h-85fe48fd49f2e81fa30902841b362cfbb7f1933b | 24 ------------- ...h-868afa68469de50d8a43e5daf867d7c624a34d20 | 36 ------------------- security/openssh-portable/files/patch-auth2.c | 23 ++++++------ ...h-b81b2d120e9c8a83489e241620843687758925ad | 32 ----------------- ...h-c0a35265907533be10ca151ac797f34ae0d68969 | 19 ++++++++++ ...h-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 | 24 ------------- .../{patch-misc.c => patch-serverloop.c} | 20 +++++------ .../openssh-portable/files/patch-session.c | 21 ++++++----- 14 files changed, 95 insertions(+), 229 deletions(-) delete mode 100644 security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb delete mode 100644 security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b delete mode 100644 security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 delete mode 100644 security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad create mode 100644 
security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969 delete mode 100644 security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 rename security/openssh-portable/files/{patch-misc.c => patch-serverloop.c} (71%) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 945c4678350f..331b757939c5 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.7p1 -PORTREVISION= 6 +DISTVERSION= 7.9p1 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -26,20 +26,16 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ ETCOLD= ${PREFIX}/etc -BROKEN_SSL= openssl-devel -BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported - FLAVORS= default hpn default_CONFLICTS_INSTALL= openssl-portable-hpn hpn_CONFLICTS_INSTALL= openssh-portable hpn_PKGNAMESUFFIX= -portable-hpn -OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ +OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ LDNS NONECIPHER XMSS OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS .if ${FLAVOR:U} == hpn -OPTIONS_DEFINE+= DOCS OPTIONS_DEFAULT+= HPN NONECIPHER .endif OPTIONS_RADIO= KERBEROS @@ -70,10 +66,10 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.3.2 +X509_VERSION= 11.5 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal 
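Review bot: `default_CONFLICTS_INSTALL= openssl-portable-hpn` in the context of the OPTIONS hunk names a package that cannot match the hpn flavor, whose name from `PORTNAME= openssh` and `hpn_PKGNAMESUFFIX= -portable-hpn` is openssh-portable-hpn; the reverse entry `hpn_CONFLICTS_INSTALL= openssh-portable` is spelled correctly, so this looks like a pre-existing typo that the update carries forward. As written the default flavor will not refuse to install over the hpn package, and since both flavors presumably install the same sshd/ssh paths they would overwrite each other silently; the fix is the one-word change `default_CONFLICTS_INSTALL= openssh-portable-hpn`. Dropping `BROKEN_SSL= openssl-devel` matches the commit message, but the only evidence on this page of OpenSSL 1.1 readiness is the new openssl-compat patch, so a build against that flavor is worth confirming before the merge lands.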
@@ -113,7 +109,7 @@ PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:g # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -#BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base +#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index aa8795c30a97..175e6b005eda 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,7 +1,7 @@ -TIMESTAMP = 1524589531 -SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f -SIZE (openssh-7.7p1.tar.gz) = 1536900 -SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f -SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142 -SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4 -SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251 +TIMESTAMP = 1541877994 +SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad +SIZE (openssh-7.9p1.tar.gz) = 1565384 +SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb +SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995 +SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc +SIZE (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = 27612 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index aed0663d5fbb..67c15eb80ce9 100644 --- a/security/openssh-portable/files/extra-patch-hpn 
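Review bot: The hunk header carries the old Makefile's `PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:g…` line and none of the four Makefile hunks on this page touches it, yet the distinfo hunk that follows drops that file's SHA256/SIZE and records only `openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz`. If the KERB_GSSAPI block really is unchanged, enabling that option fetches a patch with no checksum recorded and fails at `make checksum`, which is the only integrity gate for an externally hosted patch; the diffstat's 16 changed Makefile lines are fully accounted for by the visible hunks, so either a hunk is missing from this page or the PATCHFILES line still needs updating to the 7.9p1/20181020 name. The replacement comment `#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet.` doubles "yet" and is obsolete now that the HPN fix is part of this merge; dropping the commented-out line is cleaner than rewording it.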
+++ b/security/openssh-portable/files/extra-patch-hpn @@ -1064,9 +1064,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */ #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */ #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ ---- work/openssh-7.7p1/sshconnect.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/sshconnect.c 2018-06-26 15:55:19.103812000 -0700 -@@ -337,7 +337,32 @@ check_ifaddrs(const char *ifname, int af, const struct +--- work/openssh/sshconnect.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ work/openssh/sshconnect.c 2018-11-12 09:04:24.340706000 -0800 +@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct } #endif @@ -1096,10 +1096,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + +/* - * Creates a (possibly privileged) socket for use as the ssh connection. + * Creates a socket for use as the ssh connection. */ static int -@@ -359,6 +384,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai) +@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai) } fcntl(sock, F_SETFD, FD_CLOEXEC); @@ -1109,9 +1109,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL && options.bind_interface == NULL && - !privileged) -@@ -637,8 +667,14 @@ static void + if (options.bind_address == NULL && options.bind_interface == NULL) + return sock; +@@ -608,8 +638,14 @@ static void send_client_banner(int connection_out, int minor1) { /* Send our own protocol version identification. */ 
@@ -1128,8 +1128,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) fatal("write: %.100s", strerror(errno)); ---- work/openssh-7.7p1/sshconnect2.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/sshconnect2.c 2018-06-27 17:11:17.543893000 -0700 +--- work/openssh/sshconnect2.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ work/openssh/sshconnect2.c 2018-11-12 09:06:06.338515000 -0800 @@ -81,7 +81,13 @@ extern char *client_version_string; extern char *server_version_string; @@ -1144,7 +1144,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * SSH2 key exchange */ -@@ -154,14 +160,17 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd +@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd return ret; } @@ -1154,16 +1154,18 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; - char *s; + char *s, *all_key; struct kex *kex; int r; - -+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); -+ +@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor xxx_host = host; xxx_hostaddr = hostaddr; -@@ -409,6 +418,30 @@ ssh_userauth2(const char *local_user, const char *serv ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal("%s: kex_names_cat", __func__); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); +@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv if (!authctxt.success) fatal("Authentication failed."); 
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index a036a09c938c..ef921659d14b 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 -+++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -618,6 +618,10 @@ static struct { - { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, +--- servconf.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ servconf.c 2018-11-10 11:32:09.835817000 -0800 +@@ -645,6 +645,10 @@ static struct { { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index ad552ca607d1..a7d9c229b670 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -85,11 +85,11 @@ index 0ade557..045f149 100644 laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 ---- configure.ac -+++ configure.ac -@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], - ] - ) +--- configure.ac.orig 2018-10-16 17:01:20.000000000 -0700 ++++ configure.ac 2018-11-10 11:29:32.626326000 -0800 +@@ -1493,6 +1493,62 @@ else + AC_MSG_RESULT([no]) + fi +# Check whether user wants TCP wrappers support +TCPW_MSG="no" 
@@ -150,11 +150,11 @@ index f48ba4a..66fbe82 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" +@@ -5305,6 +5361,7 @@ echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" + echo " libldns support: $LDNS_MSG" diff --git a/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb b/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb deleted file mode 100644 index d17acd109fb9..000000000000 --- a/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb +++ /dev/null 
@@ -1,35 +0,0 @@
-From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org"
-Date: Mon, 9 Apr 2018 23:54:49 +0000
-Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
- we
-
-fail to accept a connection; bz#2837, patch from Lukas Kuster
-
-OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
----
- ssh-agent.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git ssh-agent.c ssh-agent.c
-index 2a4578b03..68de56ce6 100644
---- ssh-agent.c
-+++ ssh-agent.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
-+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
- /*
- * Author: Tatu Ylonen
- * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
-@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
- /* Process events */
- switch (sockets[socknum].type) {
- case AUTH_SOCKET:
-- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
-- handle_socket_read(socknum) != 0)
-- close_socket(&sockets[socknum]);
-+ if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
-+ handle_socket_read(socknum);
- break;
- case AUTH_CONNECTION:
- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
diff --git a/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b b/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
deleted file mode 100644
index 5a414eceb025..000000000000
--- a/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
+++ /dev/null
@@ -1,24 +0,0 @@
-From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org"
-Date: Sat, 14 Apr 2018 21:50:41 +0000
-Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
-
-LocalCommand
-
-OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
----
- ssh.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git ssh.c ssh.c
-index d3619fe29..9c011dd7e 100644
---- ssh.c
-+++ ssh.c
-@@ -1323,7 +1323,6 @@ main(int ac, char **av)
- (char *)NULL);
- free(cp);
- }
-- free(conn_hash_hex);
-
- if (config_test) {
- dump_client_config(&options, host);
diff --git a/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 b/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
deleted file mode 100644
index f6a571efb999..000000000000
--- a/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
+++ /dev/null
@@ -1,36 +0,0 @@
-From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org"
-Date: Mon, 16 Apr 2018 22:50:44 +0000
-Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
- clients
-
-without version numbers since they choke on them under some circumstances.
-https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
-
-Newer Conch versions have a version number in their ident string and
-handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
-
-OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
----
- compat.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git compat.c compat.c
-index 861e9e21f..1c0e08732 100644
---- compat.c
-+++ compat.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
-+/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
- /*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
- *
-@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
- SSH_OLD_DHGEX },
- { "ConfD-*",
- SSH_BUG_UTF8TTYMODE },
-+ { "Twisted_*", 0 },
-+ { "Twisted*", SSH_BUG_DEBUG },
- { NULL, 0 }
- };
- 
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 39d6b12e44c2..f808c3830f36 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -5,31 +5,32 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700 -+++ auth2.c 2017-03-20 11:52:27.960733000 -0700 -@@ -47,6 +47,7 @@ - #include "key.h" +--- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ auth2.c 2018-11-10 11:35:07.816193000 -0800 +@@ -48,6 +48,7 @@ + #include "sshkey.h" #include "hostfile.h" #include "auth.h" +#include "canohost.h" #include "dispatch.h" #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32 - Authmethod *m = NULL; + #include "sshbuf.h" +@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct char *user, *service, *method, *style = NULL; int authenticated = 0; + double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; -+ + + from_host = auth_get_canonical_hostname(ssh, options.use_dns); + from_ip = ssh_remote_ipaddr(ssh); +#endif - ++ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32 + +@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } @@ -55,5 +56,5 @@ Apply class-imposed login restrictions. +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ - auth2_challenge_stop(authctxt); + auth2_challenge_stop(ssh); diff --git a/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad b/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad deleted file mode 100644 index 0ba52bdc25f5..000000000000 --- a/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad +++ /dev/null 
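Review bot: `from_host = auth_get_canonical_hostname(ssh, options.use_dns)` and `from_ip = ssh_remote_ipaddr(ssh)` now run on every SSH2_MSG_USERAUTH_REQUEST, before the `authctxt == NULL` sanity check and well ahead of the login-class block that consumes them, and nothing in the patch records what `from_host` holds when `UseDNS no` is set; as far as I recall upstream's helper returns the peer address string in that case, so `from_host` equals `from_ip` and a login.conf host restriction must then be written as an address pattern. That is worth confirming against canohost.c and stating next to the lookup, e.g. `/* With UseDNS no, from_host is the peer address; login.conf host patterns must then match by address */`. Moving the two assignments down into the `#ifdef HAVE_LOGIN_CAP` block that uses them would also keep the declarations next to their single use. input_userauth_request begins and ends outside this hunk, and the restriction check itself is not in view.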
@@ -1,32 +0,0 @@
-From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
-From: Damien Miller
-Date: Fri, 13 Apr 2018 13:38:06 +1000
-Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
-
-bz2855, ok dtucker@
---
- openbsd-compat/port-net.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
-index 7050629c3..bb535626f 100644
---- openbsd-compat/port-net.c
-+++ openbsd-compat/port-net.c
-@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- else
- debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
-
-- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- goto failed;
-
- return (fd);
-@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- goto failed;
- }
-
-- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- goto failed;
-
- close(sock);
diff --git a/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969 b/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969
new file mode 100644
index 000000000000..2f7f72882af9
--- /dev/null
+++ b/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969
@@ -0,0 +1,19 @@
+commit c0a35265907533be10ca151ac797f34ae0d68969
+Author: Damien Miller
+Date: Mon Oct 22 11:22:50 2018 +1100
+
+ fix compile for openssl 1.0.x w/ --with-ssl-engine
+
+ bz#2921, patch from cotequeiroz
+
+--- openbsd-compat/openssl-compat.c.orig 2018-11-12 12:52:26 UTC
++++ openbsd-compat/openssl-compat.c
+@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OPENSSL_config(NULL);
+ #else
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
diff --git a/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 b/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
deleted file mode 100644
index 388b51df1121..000000000000
--- a/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
+++ /dev/null
@@ -1,24 +0,0 @@
-From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
-From: Darren Tucker
-Date: Thu, 19 Apr 2018 09:53:14 +1000
-Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
-
-Patch from hongxu.jia at windriver.com, ok djm@
---
- cipher.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git cipher.c cipher.c
-index 578763616..a72682a82 100644
---- cipher.c
-+++ cipher.c
-@@ -82,7 +82,9 @@ struct sshcipher {
- 
- static const struct sshcipher ciphers[] = {
- #ifdef WITH_OPENSSL
-+#ifndef OPENSSL_NO_DES
- { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-+#endif
- { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
- { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
- { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-serverloop.c
similarity index 71%
rename from security/openssh-portable/files/patch-misc.c
rename to security/openssh-portable/files/patch-serverloop.c
index 9ce31ea43fa6..1b081327d1f5 100644
--- a/security/openssh-portable/files/patch-misc.c
+++ b/security/openssh-portable/files/patch-serverloop.c
@@ -9,21 +9,21 @@ Submitted upstream, no reaction. Submitted by: delphij@ [rewritten for 7.4 by bdrewery@] ---- misc.c.orig 2017-01-12 11:54:41.058558000 -0800 -+++ misc.c 2017-01-12 11:55:16.531356000 -0800 -@@ -56,6 +56,8 @@ - #include - #endif +--- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 ++++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 +@@ -55,6 +55,8 @@ + #include + #include +#include + + #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" - #include "misc.h" - #include "log.h" -@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, - int - bind_permitted(int port, uid_t uid) + #include "packet.h" +@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) { + if (use_privsep) + return 1; /* allow system to decide */ - if (port < IPPORT_RESERVED && uid != 0) + int ipport_reserved; +#ifdef __FreeBSD__ diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index cf6a50c65c0d..1caf32b53b77 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -10,9 +10,9 @@ Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ session.c 2018-04-03 13:56:49.599400000 -0700 -@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ session.c 2018-11-10 11:45:14.645263000 -0800 +@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif 
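Review bot: The new upstream context `if (use_privsep) return 1; /* allow system to decide */` now sits directly above the FreeBSD replacement that starts with `int ipport_reserved;` and `#ifdef __FreeBSD__`, and since OpenSSH made privilege separation mandatory in 7.5 I would expect that early return to be taken for every forwarding request, which leaves the sysctl-driven reserved-port check below it unreachable. If that holds, the local patch no longer changes behaviour — the unprivileged child's bind() is already subject to the kernel's reserved-port policy, which is what the patch was emulating — and it can be retired rather than carried forward; if it is kept, the patch header should say which configuration still reaches it. Placing `int ipport_reserved;` after a `return` statement also departs from the surrounding declarations-first style. bind_permitted's body continues beyond the end of the hunk.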
@@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -70,11 +70,10 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -- - /* Set custom environment options from pubkey authentication. */ - if (options.permit_user_env) { - for (n = 0 ; n < auth_opts->nenv; n++) { -@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) +@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,