kiwi/klara-ww2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssh 9-2

Browse Source
This commit is contained in:
Xavier Beaudouin
2024-10-07 16:14:21 +02:00
parent 457a80ca77
commit 317bd8d30d
9 changed files with 53 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
security/openssh-portable/Makefile
View File

@ -1,7 +1,5 @@
# Created by: dwcjr@inethouston.net
PORTNAME= openssh
DISTVERSION= 9.0p1
DISTVERSION= 9.2p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security
@ -10,6 +8,7 @@ PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
WWW= https://www.openssh.com/portable.html
LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses
@ -109,13 +108,15 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-1
GSSAPI_DEBIAN_VERSION= 9.2p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location
GSSAPI_UPDATE_DATE= 20220203
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
#GSSAPI_DISTVERSION= 9.0p1
PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c

10
security/openssh-portable/distinfo
View File

@ -1,5 +1,5 @@
TIMESTAMP = 1654549050
SHA256 (openssh-9.0p1.tar.gz) = 03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a
SIZE (openssh-9.0p1.tar.gz) = 1822183
SHA256 (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = d2f4c7bb1bc33540605a3bb0c9517d7b4ed2f5d77c24f7afcd64891be59f4ed2
SIZE (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = 127245
TIMESTAMP = 1676575062
SHA256 (openssh-9.2p1.tar.gz) = 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
SIZE (openssh-9.2p1.tar.gz) = 1852380
SHA256 (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = acf9b12d68eeeae047d1042954473f859c10a7c2a4b5d9dc54fcbbd5e30a3a58
SIZE (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = 131618

8
security/openssh-portable/files/extra-patch-blacklistd
View File

@ -351,15 +351,15 @@
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800
+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800
@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS)
--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700
+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700
@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o
+
all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800

32
security/openssh-portable/files/extra-patch-hpn
View File

@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
--- channels.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ channels.c 2023-02-03 10:45:34.136793000 -0800
@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
/* Setup helper */
static void channel_handler_init(struct ssh_channels *sc);
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* -- channel core */
void
@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
c->local_window = window;
c->local_window_max = window;
c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->remote_name = xstrdup(remote_name);
c->ctl_chan = -1;
c->delayed = 1; /* prevent call to channel_post handler */
@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
FD_SET(c->sock, writeset);
@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int
fatal_fr(r, "channel %i", c->self);
}
+#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
channel_pre_listener(struct ssh *ssh, Channel *c)
{
@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->local_consumed = 0;
}
return 1;
@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
return addr;
}
@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
static int
channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
struct Forward *fwd, int *allocated_listen_port,
@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
}
/* Allocate a channel number for the socket. */
@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size.
+ */
+ if (!hpn_disabled)
+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ c = channel_new(ssh, "port listener", type, sock, sock,
+ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1);
+ else
+#endif
c = channel_new(ssh, "port listener", type, sock, sock, -1,
c = channel_new(ssh, "port-listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1);
@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ 0, "X11 inet listener", 1);
+ else
+#endif
nc = channel_new(ssh, "x11 listener",
nc = channel_new(ssh, "x11-listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700

20
security/openssh-portable/files/extra-patch-hpn-compat
View File

@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700
+++ readconf.c 2021-04-27 11:25:24.222034000 -0700
@@ -316,6 +316,12 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800
+++ readconf.c 2023-02-03 11:30:14.894959000 -0800
@@ -323,6 +323,12 @@ static struct {
{ "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption }
};
--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800
+++ servconf.c 2020-03-21 17:01:18.011062000 -0700
--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ servconf.c 2023-02-03 11:31:00.387624000 -0800
@@ -695,6 +695,10 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },

43
security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
View File

@ -1,43 +0,0 @@
commit fc3c19a9fceeea48a9259ac3833a125804342c0e
Author: Ed Maste <emaste@FreeBSD.org>
Date: Sat Oct 6 21:32:55 2018 +0000
sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
timezone file.
* Reverse resolve hostname before entering capability mode.
PR: 231172
Submitted by: naito.yuichiro@gmail.com
Reviewed by: cem, des
Approved by: re (rgrimes)
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D17128
Notes:
svn path=/head/; revision=339216
diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
index 5f41d526292b..f728abd18250 100644
--- sandbox-capsicum.c
+++ sandbox-capsicum.c
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <capsicum_helpers.h>
#include "log.h"
#include "monitor.h"
@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
struct rlimit rl_zero;
cap_rights_t rights;
+ caph_cache_tzdata();
+
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

21
security/openssh-portable/files/patch-platform-tracing.c
View File

@ -1,21 +0,0 @@
--- platform-tracing.c.orig 2022-03-07 14:48:27.152541000 -0800
+++ platform-tracing.c 2022-03-07 14:56:33.402458000 -0800
@@ -32,6 +32,9 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#if defined(HAVE_PROCCTL)
+#include <unistd.h>
+#endif
#include "log.h"
@@ -42,7 +45,7 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
fatal("unable to make the process untraceable: %s",
strerror(errno));
#endif

24
security/openssh-portable/files/patch-ssh-agent.c
View File

@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.c.orig 2022-02-23 03:31:11.000000000 -0800
+++ ssh-agent.c 2022-03-02 12:50:47.745853000 -0800
@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800
@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
@ -39,7 +39,7 @@ disconnected.
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
@@ -206,6 +223,8 @@ close_socket(SocketEntry *e)
@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
@ -48,7 +48,7 @@ disconnected.
}
static void
@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd)
@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -59,16 +59,16 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
@@ -1999,7 +2022,7 @@ static void
@@ -1990,7 +2013,7 @@ usage(void)
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
" [-t life] command [arg ...]\n"
@@ -2033,6 +2056,7 @@ main(int ac, char **av)
" [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
@@ -2024,6 +2047,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@ -76,7 +76,7 @@ disconnected.
platform_disable_tracing(0); /* strict=no */
@@ -2044,7 +2068,7 @@ main(int ac, char **av)
@@ -2035,7 +2059,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
@ -85,7 +85,7 @@ disconnected.
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -2093,6 +2117,9 @@ main(int ac, char **av)
@@ -2084,6 +2108,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n");
usage();
}

2
security/openssh-portable/pkg-descr
View File

@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development.
WWW: https://www.openssh.com/portable.html