kiwi/klara-ww2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

9.6 fails -> 9.3

Browse Source
This commit is contained in:
Xavier Beaudouin
2024-10-07 16:27:41 +02:00
parent c469356292
commit ce9923924e
7 changed files with 77 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
security/openssh-portable/Makefile
View File

@ -1,5 +1,5 @@
PORTNAME= openssh
DISTVERSION= 9.6p1
DISTVERSION= 9.3p2
PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= security
@ -21,9 +21,9 @@ USES= alias autoreconf compiler:c11 cpe localbase ncurses \
pkgconfig ssl
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --prefix=${PREFIX} \
--without-zlib-version-check \
--with-ssl-engine \
--with-mantype=man
--with-mantype=man \
--with-Werror
ETCOLD= ${PREFIX}/etc
@ -108,8 +108,8 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
GSSAPI_DEBIAN_VERSION= 9.6p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-3
GSSAPI_DEBIAN_VERSION= 9.4p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex

10
security/openssh-portable/distinfo
View File

@ -1,5 +1,5 @@
TIMESTAMP = 1706059638
SHA256 (openssh-9.6p1.tar.gz) = 910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c
SIZE (openssh-9.6p1.tar.gz) = 1857862
SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 03a32678a96cfd274482378d0d2889709018c403e40207b8d5dca41b7e9941bd
SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131920
TIMESTAMP = 1695396338
SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
SIZE (openssh-9.3p2.tar.gz) = 1835850
SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14
SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674

16
security/openssh-portable/files/extra-patch-blacklistd
View File

@ -277,9 +277,9 @@
--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800
+++ auth2.c 2020-11-16 17:12:04.852943000 -0800
@@ -58,6 +58,7 @@
#endif
#include "monitor_wrap.h"
#include "digest.h"
#include "kex.h"
+#include "blacklist_client.h"
/* import */
@ -317,7 +317,7 @@
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh->kex && ssh->kex->failed_choice) {
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
@ -372,12 +372,12 @@
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
--- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100
+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100
@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
is to never expire connections for having no open channels.
This option may be useful in conjunction with
.Cm ChannelTimeout .
--- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800
+++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800
@@ -1703,6 +1703,20 @@ for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8

44
security/openssh-portable/files/extra-patch-hpn
View File

@ -309,50 +309,50 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
free(cipher_list);
return 0;
}
--- work/openssh/clientloop.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/clientloop.c 2024-01-08 16:27:47.806586000 -0800
@@ -1813,6 +1813,15 @@ client_request_x11(struct ssh *ssh, const char *reques
--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800
+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800
@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
+#ifdef HPN_ENABLED
+ /* again is this really necessary for X11? */
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "x11-connection",
+ c = channel_new(ssh, "x11",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size,
+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else
+#endif
c = channel_new(ssh, "x11-connection",
c = channel_new(ssh, "x11",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
@@ -1848,6 +1857,14 @@ client_request_agent(struct ssh *ssh, const char *requ
@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
else
debug2_fr(r, "ssh_agent_bind_hostkey");
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "agent-connection",
+ c = channel_new(ssh, "authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
+ else
+#endif
c = channel_new(ssh, "agent-connection",
c = channel_new(ssh, "authentication agent connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
@@ -1876,6 +1893,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
+ c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+#endif
c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700
@ -421,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
echo ""
--- work/openssh/kex.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/kex.c 2024-01-08 16:24:07.547292000 -0800
@@ -1252,6 +1252,20 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
--- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700
@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
peer[ncomp] = NULL;
goto out;
}
@ -444,7 +444,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
@@ -1462,7 +1476,7 @@ kex_exchange_identification(struct ssh *ssh, int timeo
@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@ -452,13 +452,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ const char *version_addendum, int hpn_disabled)
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
@@ -1479,8 +1493,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
size_t len, i, n;
@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
sshbuf_reset(our_version);
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s%s\r\n",
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ hpn_disabled ? "" : SSH_HPN,
@ -1269,11 +1269,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
--- work/openssh/version.h.orig 2023-12-18 06:59:50.000000000 -0800
+++ work/openssh/version.h 2024-01-08 16:22:25.632475000 -0800
--- version.h.orig 2023-07-18 23:31:34.000000000 -0700
+++ version.h 2023-07-21 07:27:08.311422000 -0700
@@ -4,3 +4,4 @@
#define SSH_PORTABLE "p1"
#define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v15"
--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700

16
security/openssh-portable/files/extra-patch-hpn-compat
View File

@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
--- readconf.c.orig 2023-12-19 17:09:41.366788000 -0800
+++ readconf.c 2023-12-19 17:10:24.155247000 -0800
@@ -329,6 +329,12 @@
--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800
+++ readconf.c 2023-02-03 11:30:14.894959000 -0800
@@ -323,6 +323,12 @@ static struct {
{ "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
@ -31,9 +31,9 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption }
};
--- servconf.c.orig 2023-12-19 17:11:52.320491000 -0800
+++ servconf.c 2023-12-19 17:12:43.950318000 -0800
@@ -693,6 +693,10 @@
--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ servconf.c 2023-02-03 11:31:00.387624000 -0800
@@ -695,6 +695,10 @@ static struct {
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },

24
security/openssh-portable/files/patch-ssh-agent.c
View File

@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800
@@ -196,11 +196,28 @@
--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800
+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800
@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
@ -39,7 +39,7 @@ disconnected.
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
@@ -213,6 +230,8 @@
@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
@ -48,7 +48,7 @@ disconnected.
}
static void
@@ -1893,6 +1912,10 @@
@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -59,7 +59,7 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
@@ -2184,7 +2207,7 @@
@@ -1990,7 +2013,7 @@ usage(void)
usage(void)
{
fprintf(stderr,
@ -68,15 +68,15 @@ disconnected.
" [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
@@ -2218,6 +2241,7 @@
@@ -2024,6 +2047,7 @@ main(int ac, char **av)
/* drop */
(void)setegid(getgid());
(void)setgid(getgid());
+ (void)setuid(geteuid());
setegid(getgid());
setgid(getgid());
+ setuid(geteuid());
platform_disable_tracing(0); /* strict=no */
@@ -2229,7 +2253,7 @@
@@ -2035,7 +2059,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
@ -85,7 +85,7 @@ disconnected.
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -2280,6 +2304,9 @@
@@ -2084,6 +2108,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n");
usage();
}

17
security/openssh-portable/files/patch-ssh_config Normal file
View File

@ -0,0 +1,17 @@
--- UTC
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
Document the FreeBSD default for CheckHostIP, which was changed in
rev 1.2 of readconf.c.
--- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700
+++ ssh_config 2010-09-14 16:14:13.000000000 -0600
@@ -27,7 +27,7 @@
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
-# CheckHostIP yes
+# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask