openssh 9-2

2024-10-07 16:14:21 +02:00
parent 457a80ca77
commit 317bd8d30d
9 changed files with 53 additions and 118 deletions


@ -1,7 +1,5 @@
# Created by: dwcjr@inethouston.net
PORTNAME= openssh PORTNAME= openssh
DISTVERSION= 9.0p1 DISTVERSION= 9.2p1
PORTREVISION= 0 PORTREVISION= 0
PORTEPOCH= 1 PORTEPOCH= 1
CATEGORIES= security CATEGORIES= security
@ -10,6 +8,7 @@ PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH COMMENT= The portable version of OpenBSD's OpenSSH
WWW= https://www.openssh.com/portable.html
LICENSE= OPENSSH LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses LICENSE_NAME= OpenSSH Licenses
@ -109,13 +108,15 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif . endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from. # pull from.
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-1 GSSAPI_DEBIAN_VERSION= 9.2p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2
# - Debian does not use a versioned filename so we trick fetch to make one for # - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick. # us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location # Bump this when updating the patch location
GSSAPI_UPDATE_DATE= 20220203 GSSAPI_UPDATE_DATE= 20220203
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex #GSSAPI_DISTVERSION= 9.0p1
PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
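Review bot: The two new override knobs, `GSSAPI_DEBIAN_VERSION` (used in `GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2`) and the commented-out `#GSSAPI_DISTVERSION= 9.0p1` consumed by the `PATCHFILES+=` line, carry no comment saying when a maintainer should set them, and the existing `# Bump this when updating the patch location` only covers `GSSAPI_UPDATE_DATE`. I would add above them: `# Set GSSAPI_DEBIAN_VERSION / GSSAPI_DISTVERSION only when Debian's gssapi.patch lags DISTVERSION; both default to DISTVERSION.` Defining `GSSAPI_DEBIAN_VERSION= 9.2p1` while `DISTVERSION= 9.2p1` is redundant today, so leaving it commented out like `GSSAPI_DISTVERSION` would make the override path clearer. The Debian revision suffix moved from `-1` to `-2` inside `GSSAPI_DEBIAN_SUBDIR`; because the fetched patch is pinned by the SHA256 in distinfo a stale suffix fails at fetch or checksum time rather than silently pulling a different patch, but a note naming the Debian revision it tracks would help the next bump.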


@ -1,5 +1,5 @@
TIMESTAMP = 1654549050 TIMESTAMP = 1676575062
SHA256 (openssh-9.0p1.tar.gz) = 03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a SHA256 (openssh-9.2p1.tar.gz) = 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
SIZE (openssh-9.0p1.tar.gz) = 1822183 SIZE (openssh-9.2p1.tar.gz) = 1852380
SHA256 (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = d2f4c7bb1bc33540605a3bb0c9517d7b4ed2f5d77c24f7afcd64891be59f4ed2 SHA256 (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = acf9b12d68eeeae047d1042954473f859c10a7c2a4b5d9dc54fcbbd5e30a3a58
SIZE (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = 127245 SIZE (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = 131618


@ -351,15 +351,15 @@
if (use_privsep) { if (use_privsep) {
if (privsep_preauth(ssh) == 1) if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 --- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700
+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 +++ Makefile.in 2022-10-09 10:50:06.401377000 -0700
@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) @@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@ @UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o +LIBSSH_OBJS+= blacklist.o
+ +
all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h $(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800


@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ (tasota@gmail.com) an NSF REU grant recipient for 2013. + (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National + This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation. + Library of Medicine, and the National Science Foundation.
--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 --- channels.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 +++ channels.c 2023-02-03 10:45:34.136793000 -0800
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann @@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels *
/* Setup helper */ /* Setup helper */
static void channel_handler_init(struct ssh_channels *sc); static void channel_handler_init(struct ssh_channels *sc);
@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* -- channel core */ /* -- channel core */
void void
@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in @@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
c->local_window = window; c->local_window = window;
c->local_window_max = window; c->local_window_max = window;
c->local_maxpacket = maxpack; c->local_maxpacket = maxpack;
@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->remote_name = xstrdup(remote_name); c->remote_name = xstrdup(remote_name);
c->ctl_chan = -1; c->ctl_chan = -1;
c->delayed = 1; /* prevent call to channel_post handler */ c->delayed = 1; /* prevent call to channel_post handler */
@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, @@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int
FD_SET(c->sock, writeset); fatal_fr(r, "channel %i", c->self);
} }
+#ifdef HPN_ENABLED +#ifdef HPN_ENABLED
@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif +#endif
+ +
static void static void
channel_pre_open(struct ssh *ssh, Channel *c, channel_pre_listener(struct ssh *ssh, Channel *c)
fd_set *readset, fd_set *writeset) {
@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) @@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
c->local_maxpacket*3) || c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) && c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) { c->local_consumed > 0) {
@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c->local_consumed = 0; c->local_consumed = 0;
} }
return 1; return 1;
@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis @@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
return addr; return addr;
} }
@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
static int static int
channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
struct Forward *fwd, int *allocated_listen_port, struct Forward *fwd, int *allocated_listen_port,
@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int @@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
} }
/* Allocate a channel number for the socket. */ /* Allocate a channel number for the socket. */
@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * window size. + * window size.
+ */ + */
+ if (!hpn_disabled) + if (!hpn_disabled)
+ c = channel_new(ssh, "port listener", type, sock, sock, -1, + c = channel_new(ssh, "port listener", type, sock, sock,
+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 0, "port listener", 1); + 0, "port listener", 1);
+ else + else
+#endif +#endif
c = channel_new(ssh, "port listener", type, sock, sock, -1, c = channel_new(ssh, "port-listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "port listener", 1); 0, "port listener", 1);
@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ @@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
*chanids = xcalloc(num_socks + 1, sizeof(**chanids)); *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
for (n = 0; n < num_socks; n++) { for (n = 0; n < num_socks; n++) {
sock = socks[n]; sock = socks[n];
@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ 0, "X11 inet listener", 1); + 0, "X11 inet listener", 1);
+ else + else
+#endif +#endif
nc = channel_new(ssh, "x11 listener", nc = channel_new(ssh, "x11-listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1, SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
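Review bot: The rebased HPN branches keep the old channel type strings while the upstream fallback directly below them was renamed: the `!hpn_disabled` path still passes `"port listener"` (`c = channel_new(ssh, "port listener", type, sock, sock,`) and `"X11 inet listener"`, whereas the non-HPN calls now read `"port-listener"` and `"x11-listener"`. Since this same commit's servconf.c hunk introduces `channeltimeout`, which presumably matches on channel type names, an HPN build would create listener channels whose ctype differs from a non-HPN build; worth confirming how ctype is consumed in this release. I would change the two HPN calls to `"port-listener"` and `"x11-listener"` so both branches of each `#ifdef HPN_ENABLED` agree. The enclosing functions channel_setup_fwd_listener_tcpip and x11_create_display_inet start and end outside these hunks.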


@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------ ------------------------------------------------------------------------
--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 --- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800
+++ readconf.c 2021-04-27 11:25:24.222034000 -0700 +++ readconf.c 2023-02-03 11:30:14.894959000 -0800
@@ -316,6 +316,12 @@ static struct { @@ -323,6 +323,12 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand }, { "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
+ { "hpndisabled", oDeprecated }, + { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated }, + { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated }, + { "tcprcvbufpoll", oDeprecated },
@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption } { NULL, oBadOption }
}; };
--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 --- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ servconf.c 2020-03-21 17:01:18.011062000 -0700 +++ servconf.c 2023-02-03 11:31:00.387624000 -0800
@@ -695,6 +695,10 @@ static struct { @@ -695,6 +695,10 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL }, { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL },


@ -1,43 +0,0 @@
commit fc3c19a9fceeea48a9259ac3833a125804342c0e
Author: Ed Maste <emaste@FreeBSD.org>
Date: Sat Oct 6 21:32:55 2018 +0000
sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
timezone file.
* Reverse resolve hostname before entering capability mode.
PR: 231172
Submitted by: naito.yuichiro@gmail.com
Reviewed by: cem, des
Approved by: re (rgrimes)
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D17128
Notes:
svn path=/head/; revision=339216
diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
index 5f41d526292b..f728abd18250 100644
--- sandbox-capsicum.c
+++ sandbox-capsicum.c
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <capsicum_helpers.h>
#include "log.h"
#include "monitor.h"
@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
struct rlimit rl_zero;
cap_rights_t rights;
+ caph_cache_tzdata();
+
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)


@ -1,21 +0,0 @@
--- platform-tracing.c.orig 2022-03-07 14:48:27.152541000 -0800
+++ platform-tracing.c 2022-03-07 14:56:33.402458000 -0800
@@ -32,6 +32,9 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#if defined(HAVE_PROCCTL)
+#include <unistd.h>
+#endif
#include "log.h"
@@ -42,7 +45,7 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
fatal("unable to make the process untraceable: %s",
strerror(errno));
#endif


@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected. disconnected.
--- ssh-agent.c.orig 2022-02-23 03:31:11.000000000 -0800 --- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ ssh-agent.c 2022-03-02 12:50:47.745853000 -0800 +++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800
@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -188,11 +188,28 @@ static int restrict_websafe = 1;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */ /* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1; static int restrict_websafe = 1;
@ -39,7 +39,7 @@ disconnected.
close(e->fd); close(e->fd);
sshbuf_free(e->input); sshbuf_free(e->input);
sshbuf_free(e->output); sshbuf_free(e->output);
@@ -206,6 +223,8 @@ close_socket(SocketEntry *e) @@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e)); memset(e, '\0', sizeof(*e));
e->fd = -1; e->fd = -1;
e->type = AUTH_UNUSED; e->type = AUTH_UNUSED;
@ -48,7 +48,7 @@ disconnected.
} }
static void static void
@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd) @@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -59,16 +59,16 @@ disconnected.
set_nonblock(fd); set_nonblock(fd);
if (fd > max_fd) if (fd > max_fd)
@@ -1999,7 +2022,7 @@ static void @@ -1990,7 +2013,7 @@ usage(void)
usage(void) usage(void)
{ {
fprintf(stderr, fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P allowed_providers] [-t life]\n" " [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-t life] command [arg ...]\n" " [-P allowed_providers] [-t life] command [arg ...]\n"
@@ -2033,6 +2056,7 @@ main(int ac, char **av) @@ -2024,6 +2047,7 @@ main(int ac, char **av)
/* drop */ /* drop */
setegid(getgid()); setegid(getgid());
setgid(getgid()); setgid(getgid());
@ -76,7 +76,7 @@ disconnected.
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
@@ -2044,7 +2068,7 @@ main(int ac, char **av) @@ -2035,7 +2059,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
seed_rng(); seed_rng();
@ -85,7 +85,7 @@ disconnected.
switch (ch) { switch (ch) {
case 'E': case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg); fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -2093,6 +2117,9 @@ main(int ac, char **av) @@ -2084,6 +2108,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n"); fprintf(stderr, "Invalid lifetime\n");
usage(); usage();
} }


@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development. increment the version number when they hit 'stable spots' in their development.
WWW: https://www.openssh.com/portable.html