diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 6d3a77d..4c0c4a9 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,7 +1,5 @@ -# Created by: dwcjr@inethouston.net - PORTNAME= openssh -DISTVERSION= 9.0p1 +DISTVERSION= 9.2p1 PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security @@ -10,6 +8,7 @@ PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH +WWW= https://www.openssh.com/portable.html LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses @@ -109,13 +108,15 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. -GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-1 +GSSAPI_DEBIAN_VERSION= 9.2p1 +GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location GSSAPI_UPDATE_DATE= 20220203 -PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex +#GSSAPI_DISTVERSION= 9.0p1 +PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 9f50039..fbd9733 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1654549050 -SHA256 (openssh-9.0p1.tar.gz) = 03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a -SIZE (openssh-9.0p1.tar.gz) = 1822183 -SHA256 (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = d2f4c7bb1bc33540605a3bb0c9517d7b4ed2f5d77c24f7afcd64891be59f4ed2 -SIZE (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = 127245 +TIMESTAMP = 1676575062 +SHA256 (openssh-9.2p1.tar.gz) = 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 +SIZE (openssh-9.2p1.tar.gz) = 1852380 +SHA256 (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = acf9b12d68eeeae047d1042954473f859c10a7c2a4b5d9dc54fcbbd5e30a3a58 +SIZE (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = 131618 diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd index a8e9505..7bb88b2 100644 --- a/security/openssh-portable/files/extra-patch-blacklistd +++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -351,15 +351,15 @@ if (use_privsep) { if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 -+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 -@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) +--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 ++++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 +@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ +LIBSSH_OBJS+= blacklist.o + - all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) + all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 907775d..1f25a20 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 -@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann +--- channels.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ channels.c 2023-02-03 10:45:34.136793000 -0800 +@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels * /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* -- channel core */ void -@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; @@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, - FD_SET(c->sock, writeset); +@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int + fatal_fr(r, "channel %i", c->self); } +#ifdef HPN_ENABLED @@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) -@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) + channel_pre_listener(struct ssh *ssh, Channel *c) + { +@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { @@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->local_consumed = 0; } return 1; -@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis +@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } @@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ @@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * window size. + */ + if (!hpn_disabled) -+ c = channel_new(ssh, "port listener", type, sock, sock, -1, -+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, ++ c = channel_new(ssh, "port listener", type, sock, sock, ++ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif - c = channel_new(ssh, "port listener", type, sock, sock, -1, + c = channel_new(ssh, "port-listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + 0, "X11 inet listener", 1); + else +#endif - nc = channel_new(ssh, "x11 listener", + nc = channel_new(ssh, "x11-listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index c47d0a1..6f6a0e1 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 -+++ readconf.c 2021-04-27 11:25:24.222034000 -0700 -@@ -316,6 +316,12 @@ static struct { - { "proxyjump", oProxyJump }, - { "securitykeyprovider", oSecurityKeyProvider }, +--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800 ++++ readconf.c 2023-02-03 11:30:14.894959000 -0800 +@@ -323,6 +323,12 @@ static struct { { "knownhostscommand", oKnownHostsCommand }, + { "requiredrsasize", oRequiredRSASize }, + { "enableescapecommandline", oEnableEscapeCommandline }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, @@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ servconf.c 2020-03-21 17:01:18.011062000 -0700 +--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ servconf.c 2023-02-03 11:31:00.387624000 -0800 @@ -695,6 +695,10 @@ static struct { - { "rdomain", sRDomain, SSHCFG_ALL }, - { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, - { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, + { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, + { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata deleted file mode 100644 index bf38892..0000000 --- a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata +++ /dev/null @@ -1,43 +0,0 @@ -commit fc3c19a9fceeea48a9259ac3833a125804342c0e -Author: Ed Maste -Date: Sat Oct 6 21:32:55 2018 +0000 - - sshd: address capsicum issues - - * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in - capability mode. - * Cache timezone data via caph_cache_tzdata() as we cannot access the - timezone file. - * Reverse resolve hostname before entering capability mode. - - PR: 231172 - Submitted by: naito.yuichiro@gmail.com - Reviewed by: cem, des - Approved by: re (rgrimes) - MFC after: 3 weeks - Differential Revision: https://reviews.freebsd.org/D17128 - -Notes: - svn path=/head/; revision=339216 - -diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c -index 5f41d526292b..f728abd18250 100644 ---- sandbox-capsicum.c -+++ sandbox-capsicum.c -@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); - #include - #include - #include -+#include - - #include "log.h" - #include "monitor.h" -@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) - struct rlimit rl_zero; - cap_rights_t rights; - -+ caph_cache_tzdata(); -+ - rl_zero.rlim_cur = rl_zero.rlim_max = 0; - - if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c deleted file mode 100644 index 160def2..0000000 --- a/security/openssh-portable/files/patch-platform-tracing.c +++ /dev/null @@ -1,21 +0,0 @@ ---- platform-tracing.c.orig 2022-03-07 14:48:27.152541000 -0800 -+++ platform-tracing.c 2022-03-07 14:56:33.402458000 -0800 -@@ -32,6 +32,9 @@ - #include - #include - #include -+#if defined(HAVE_PROCCTL) -+#include -+#endif - - #include "log.h" - -@@ -42,7 +45,7 @@ platform_disable_tracing(int strict) - /* On FreeBSD, we should make this process untraceable */ - int disable_trace = PROC_TRACE_CTL_DISABLE; - -- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict) -+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict) - fatal("unable to make the process untraceable: %s", - strerror(errno)); - #endif diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 2937b4a..9fc1abc 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2022-02-23 03:31:11.000000000 -0800 -+++ ssh-agent.c 2022-03-02 12:50:47.745853000 -0800 -@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800 +@@ -188,11 +188,28 @@ static int restrict_websafe = 1; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; @@ -39,7 +39,7 @@ disconnected. close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -206,6 +223,8 @@ close_socket(SocketEntry *e) +@@ -205,6 +222,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -48,7 +48,7 @@ disconnected. } static void -@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd) +@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); @@ -59,16 +59,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1999,7 +2022,7 @@ static void +@@ -1990,7 +2013,7 @@ usage(void) usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" - " [-P allowed_providers] [-t life]\n" - " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" - " [-t life] command [arg ...]\n" -@@ -2033,6 +2056,7 @@ main(int ac, char **av) + " [-O option] [-P allowed_providers] [-t life]\n" + " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" + " [-P allowed_providers] [-t life] command [arg ...]\n" +@@ -2024,6 +2047,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -76,7 +76,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -2044,7 +2068,7 @@ main(int ac, char **av) +@@ -2035,7 +2059,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -85,7 +85,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -2093,6 +2117,9 @@ main(int ac, char **av) +@@ -2084,6 +2108,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr index 2a378e7..d9dee49 100644 --- a/security/openssh-portable/pkg-descr +++ b/security/openssh-portable/pkg-descr @@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). The official OpenBSD source will never use the 'p' suffix, but will instead increment the version number when they hit 'stable spots' in their development. - -WWW: https://www.openssh.com/portable.html