From b2611c3baac0e4208c3633951ad9b8bee3d7a3f5 Mon Sep 17 00:00:00 2001
From: Bryan Drewery
Date: Mon, 12 Nov 2018 21:55:57 +0000
Subject: [PATCH] MFH: r484842
- Fix X509 build after r484765 openssl fix
- Fix patch URL for KERB_GSSAPI
- Add FLAVORs for x509 and gssapi since they are distinct types of OpenSSH rather than feature flags.
Approved by: portmgr (implicit)
---
security/openssh-portable/Makefile | 26 +++++++++++--
...-c0a35265907533be10ca151ac797f34ae0d68969} | 0
.../files/extra-patch-x509-glue | 39 -------------------
.../openssh-portable/files/patch-session.c | 7 +---
4 files changed, 24 insertions(+), 48 deletions(-)
rename security/openssh-portable/files/{patch-c0a35265907533be10ca151ac797f34ae0d68969 => extra-patch-c0a35265907533be10ca151ac797f34ae0d68969} (100%)
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 331b757939c5..b3c2d2a95fad 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -26,10 +26,18 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
 ETCOLD= ${PREFIX}/etc
-FLAVORS= default hpn
-default_CONFLICTS_INSTALL= openssl-portable-hpn
-hpn_CONFLICTS_INSTALL= openssh-portable
+FLAVORS= default hpn gssapi x509
+default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \
+ openssh-portable-x509
+hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \
+ openssh-portable-x509
 hpn_PKGNAMESUFFIX= -portable-hpn
+gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \
+ openssh-portable-x509
+gssapi_PKGNAMESUFFIX= -portable-gssapi
+x509_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \
+ openssh-portable-gssapi
+x509_PKGNAMESUFFIX= -portable-x509
 OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 HPN X509 KERB_GSSAPI \
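Review bot: The four `*_CONFLICTS_INSTALL` lists under the new `FLAVORS= default hpn gssapi x509` line are a hand-maintained cross product — each flavor must name every other flavor's package — and nothing in the hunk records that invariant, so the next flavor added will need all existing lists edited as well. A comment above `FLAVORS=` such as `# Each flavor builds a distinct package; every *_CONFLICTS_INSTALL must list all other flavors' package names` would make the rule visible where it is enforced. If the port framework's conflict check is run against `PKGBASE` only, the lists could instead be derived from `${FLAVORS}` in a `.for` loop, but I cannot confirm that from this diff, so the comment is the safe minimum.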
@@ -38,6 +46,12 @@ OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+= HPN NONECIPHER
 .endif
+.if ${FLAVOR:U} == gssapi
+OPTIONS_DEFAULT+= KERB_GSSAPI MIT
+.endif
+.if ${FLAVOR:U} == x509
+OPTIONS_DEFAULT+= X509
+.endif
 OPTIONS_RADIO= KERBEROS
 OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC= tcp_wrappers support
@@ -87,9 +101,13 @@ ETCDIR?= ${PREFIX}/etc/ssh
 PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
+# Upstream OpenSSL fix but does not apply for x509 patch.
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
+
 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
 EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
+EXTRA_PATCHES:= ${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969}
 .endif
 # Must add this patch before HPN due to conflicts
@@ -104,7 +122,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
 . endif
-PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
+PATCHFILES+= openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex
 .endif
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
diff --git a/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969 b/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
similarity index 100%
rename from security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969
rename to security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue
index 21a08e6e8f2a..03e410e4bfb0 100644
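Review bot: The comment added above `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969` says the upstream OpenSSL fix does not apply on top of the X509 patch, but not what that means for X509 builds: whether the X509 patch set already contains an equivalent change, or whether those builds simply ship without the fix. Because the `:N` filter inside the `.if ${PORT_OPTIONS:MX509}` block drops the file silently, the comment is the only place a maintainer will learn that, so it should state the outcome, e.g. `# Upstream OpenSSL fix; filtered out below for X509 because that patch set conflicts with it (X509 builds go without it)` — or the "already included" variant, whichever is true, which I cannot tell from the diff. A one-line description of what the upstream commit fixes, rather than only its hash in the file name, would also let the next person judge whether the X509 exclusion is still safe after a later update.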
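Review bot: The new `PATCHFILES+= openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex` line points at a file fetched from the plain-HTTP `PATCH_SITES` mirror shown in the hunk above, so the patch's integrity rests entirely on the checksum and size recorded in distinfo, and the diffstat lists no distinfo change. Presumably r484765 already added the 20181020 entry when the port moved to 7.9p1; that should be confirmed, since otherwise the gssapi flavor fails at checksum time rather than at build time. The `.if` block enclosing this line starts outside the hunk, so I cannot see which option gates it.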
--- a/security/openssh-portable/files/extra-patch-x509-glue
+++ b/security/openssh-portable/files/extra-patch-x509-glue
@@ -1,42 +1,3 @@
---- session.c.orig 2017-10-12 11:52:52.953370000 -0700
-+++ session.c 2017-10-12 11:53:40.793055000 -0700
-@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
--#ifdef __ANDROID__
--{
--#define COPY_ANDROID_ENV(name) { \
-- char *s = getenv(name); \
-- if (s) child_set_env(&env, &envsize, name, s); }
--
-- /* from /init.rc */
-- COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
-- COPY_ANDROID_ENV("ANDROID_ROOT");
-- COPY_ANDROID_ENV("ANDROID_ASSETS");
-- COPY_ANDROID_ENV("ANDROID_DATA");
-- COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
-- COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
-- COPY_ANDROID_ENV("BOOTCLASSPATH");
--
-- /* FIXME: keep android property workspace open
-- * (see openbsd-compat/bsd-closefrom.c)
-- */
-- COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
--
-- COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */
-- COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */
-- COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */
--
-- /* may contain path to custom libraries */
-- COPY_ANDROID_ENV("LD_LIBRARY_PATH");
--#undef COPY_ANDROID_ENV
--}
--#endif
--
- /* Set custom environment options from pubkey authentication. */
- if (options.permit_user_env) {
- for (n = 0 ; n < auth_opts->nenv; n++) {
 --- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700
 +++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700
 @@ -1682,7 +1682,57 @@ is set to
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 1caf32b53b77..7d9ca879e664 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -50,7 +50,7 @@ Sponsored by: DARPA, NAI Labs + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH); -+ copy_environment(environ, &env, &envsize); ++ copy_environment_blacklist(environ, &env, &envsize, NULL); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -70,9 +70,6 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - if (s->term) - child_set_env(&env, &envsize, "TERM", s->term); - if (s->display) @@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP
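Review bot: The replacement call `copy_environment_blacklist(environ, &env, &envsize, NULL);` passes a NULL blacklist, so everything that the preceding `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH)` placed into `environ` — per setusercontext(3), the login-class `setenv` entries and PATH — is copied into the session environment unfiltered, exactly as the old `copy_environment` call did. If that is intentional because login.conf is administrator-controlled rather than user-controlled, the patch should say so next to the call, e.g. `/* environ was just rebuilt from login.conf (root-owned); no blacklist needed */`, so a later reader does not mistake the NULL for an oversight. Presumably the rename only tracks upstream 7.9 making the blacklist-taking variant the entry point; the enclosing function is not visible in this hunk, nor is where `environ` is saved and restored around the `*environ = NULL` assignment.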