openssh 8.8

security.old/openssh-portable/distinfo

@@ -1,5 +0,0 @@
-TIMESTAMP = 1605552780
-SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
-SIZE (openssh-8.4p1.tar.gz) = 1742201
-SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
-SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748

security.old/openssh-portable/files/extra-patch-libfido2-configure.ac

@@ -1,16 +0,0 @@
-Workaround libfido2 package having a libfido2.pc that requires libcrypto
-even with base OpenSSL which does not provide the proper pc file.
-
---- configure.ac.orig	2020-11-19 14:21:03.890890000 -0800
-+++ configure.ac	2020-11-19 14:21:57.061193000 -0800
-@@ -3256,8 +3256,8 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_interna
- 		fi
- 	fi
- 	if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
--		LIBFIDO2=`$PKGCONFIG --libs libfido2`
--		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
-+		LIBFIDO2="-lfido2 -lcrypto"
-+		#CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
- 	else
- 		LIBFIDO2="-lfido2 -lcbor"
- 	fi

security.old/openssh-portable/files/patch-auth.c

@@ -1,21 +0,0 @@
---- UTC
-r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
-Changed paths:
-   M /head/crypto/openssh/auth.c
-
-Use login_getpwclass() instead of login_getclass() so that the root
-vs. default login class distinction is made correctly.
-
-PR:             37416
-
---- auth.c.orig	2010-08-12 11:33:01.000000000 -0600
-+++ auth.c	2010-09-14 16:14:12.000000000 -0600
-@@ -594,7 +594,7 @@
- 	if (!allowed_user(pw))
- 		return (NULL);
- #ifdef HAVE_LOGIN_CAP
--	if ((lc = login_getclass(pw->pw_class)) == NULL) {
-+	if ((lc = login_getpwclass(pw)) == NULL) {
- 		debug("unable to get login class: %s", user);
- 		return (NULL);
- 	}

security.old/openssh-portable/files/patch-readconf.c

@@ -1,22 +0,0 @@
---- UTC
-base defaults
-
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
-   M /head/crypto/openssh/myproposal.h
-   M /head/crypto/openssh/readconf.c
-   M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
---- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
-+++ readconf.c	2014-11-03 16:45:05.188796445 -0600
-@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
- 	if (options->batch_mode == -1)
- 		options->batch_mode = 0;
- 	if (options->check_host_ip == -1)
--		options->check_host_ip = 1;
-+		options->check_host_ip = 0;
- 	if (options->strict_host_key_checking == -1)
- 		options->strict_host_key_checking = 2;	/* 2 is default */
- 	if (options->compression == -1)

security/openssh-portable/Makefile

@@ -1,9 +1,8 @@
 # Created by: dwcjr@inethouston.net
-# $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	8.4p1
-PORTREVISION=	3
+DISTVERSION=	8.8p1
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -17,9 +16,9 @@ LICENSE_NAME=	OpenSSH Licenses
 LICENSE_FILE=	${WRKSRC}/LICENCE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
-CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-*
+CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
 
-USES=			alias autoreconf compiler:c11 localbase ncurses \
+USES=			alias autoreconf compiler:c11 cpe localbase ncurses \
 			pkgconfig ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
@@ -29,6 +28,8 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} \
 
 ETCOLD=			${PREFIX}/etc
 
+CPE_VENDOR=		openbsd
+
 FLAVORS=			default hpn gssapi
 default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
 				openssh-portable-x509
@@ -88,8 +89,6 @@ BSM_CONFIGURE_ON=	--with-audit=bsm
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
-# Until https://reviews.freebsd.org/D27289 is committed
-FIDO_U2F_EXTRA_PATCHES=	${FILESDIR}/extra-patch-libfido2-configure.ac
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
@@ -100,8 +99,8 @@ ETCDIR?=		${PREFIX}/etc/ssh
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
+BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
@@ -190,10 +189,15 @@ VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 CFLAGS+=	${CFLAGS_${CHOSEN_COMPILER_TYPE}}
 CFLAGS_gcc=	-Wno-stringop-truncation -Wno-stringop-overflow
 
+SSH_ASKPASS_PATH?=	${LOCALBASE}/bin/ssh-askpass
+
 post-patch:
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
+	@${REINPLACE_CMD} \
+	    -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
+	    ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config

security/openssh-portable/distinfo

@@ -0,0 +1,3 @@
+TIMESTAMP = 1634059537
+SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
+SIZE (openssh-8.8p1.tar.gz) = 1815060

security/openssh-portable/files/extra-patch-blacklistd

@@ -1,5 +1,5 @@
---- blacklist.c.orig	2020-11-16 16:45:24.799150000 -0800
-+++ blacklist.c	2020-11-16 16:45:20.000470000 -0800
+--- blacklist.c.orig	2021-04-28 13:37:52.679784000 -0700
++++ blacklist.c	2021-04-28 13:56:45.677805000 -0700
 @@ -0,0 +1,92 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -75,7 +75,7 @@
 +	default:
 +		imlevel = SYSLOG_LEVEL_DEBUG2;
 +	}
-+	do_log(imlevel, message, args);
++	do_log2(imlevel, message, args);
 +}
 +
 +void
@@ -157,9 +157,9 @@
 +
 +
 +#endif /* BLACKLIST_CLIENT_H */
---- servconf.c.orig	2020-11-16 15:52:13.175438000 -0800
-+++ servconf.c	2020-11-16 15:52:15.812142000 -0800
-@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options)
+--- servconf.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ servconf.c	2021-04-28 13:36:19.591999000 -0700
+@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
  	options->max_sessions = -1;
  	options->banner = NULL;
  	options->use_dns = -1;
@@ -167,7 +167,7 @@
  	options->client_alive_interval = -1;
  	options->client_alive_count_max = -1;
  	options->num_authkeys_files = 0;
-@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
  		options->max_sessions = DEFAULT_SESSIONS_MAX;
  	if (options->use_dns == -1)
  		options->use_dns = 0;
@@ -176,15 +176,15 @@
  	if (options->client_alive_interval == -1)
  		options->client_alive_interval = 0;
  	if (options->client_alive_count_max == -1)
-@@ -528,6 +531,7 @@ typedef enum {
- 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+@@ -506,6 +509,7 @@ typedef enum {
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
  	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
  	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sUseBlacklist,
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sHostKeyAlgorithms,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
  	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -658,6 +662,8 @@ static struct {
+@@ -642,6 +646,8 @@ static struct {
  	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
  	{ "banner", sBanner, SSHCFG_ALL },
  	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
@@ -193,7 +193,7 @@
  	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
  	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
  	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
  		intptr = &options->use_dns;
  		goto parse_flag;
  
@@ -204,7 +204,7 @@
  	case sLogFacility:
  		log_facility_ptr = &options->log_facility;
  		arg = strdelim(&cp);
-@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o)
+@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sCompression, o->compression);
  	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -322,28 +322,28 @@
  			ssh_packet_clear_keys(ssh);
  			errno = oerrno;
  			logdie("Unable to negotiate with %s: %s. "
---- sshd.c.orig	2020-11-16 15:52:45.846609000 -0800
-+++ sshd.c	2020-11-16 15:56:34.401305000 -0800
-@@ -131,6 +131,7 @@
+--- sshd.c.orig	2021-08-19 21:03:49.000000000 -0700
++++ sshd.c	2021-09-10 10:37:17.926747000 -0700
+@@ -123,6 +123,7 @@
  #include "version.h"
  #include "ssherr.h"
  #include "sk-api.h"
 +#include "blacklist_client.h"
+ #include "srclimit.h"
+ #include "dh.h"
  
- #ifdef LIBWRAP
- #include <tcpd.h>
-@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
+@@ -366,6 +367,8 @@ grace_alarm_handler(int sig)
  		kill(0, SIGTERM);
  	}
  
 +	BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");
 +
- 	/* XXX pre-format ipaddr/port so we don't need to access active_state */
  	/* Log error and exit. */
- 	sigdie("Timeout before authentication for %s port %d",
-@@ -2290,6 +2293,9 @@ main(int ac, char **av)
+ 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
+ 		cleanup_exit(255); /* don't log in privsep child */
+@@ -2225,6 +2228,9 @@ main(int ac, char **av)
  	if ((loginmsg = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
  	auth_debug_reset();
 +
 +	if (options.use_blacklist)

security/openssh-portable/files/extra-patch-hpn

@@ -131,8 +131,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota@gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
---- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
+--- work/openssh/channels.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/channels.c	2021-04-28 14:35:20.732518000 -0700
 @@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
  /* Setup helper */
  static void channel_handler_init(struct ssh_channels *sc);
@@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* -- channel core */
  
  void
-@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
  	c->local_window = window;
  	c->local_window_max = window;
  	c->local_maxpacket = maxpack;
@@ -156,7 +156,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c->remote_name = xstrdup(remote_name);
  	c->ctl_chan = -1;
  	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
  	FD_SET(c->sock, writeset);
  }
  
@@ -187,7 +187,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  static void
  channel_pre_open(struct ssh *ssh, Channel *c,
      fd_set *readset, fd_set *writeset)
-@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
@@ -203,27 +203,24 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +#endif
  		if (!c->have_remote_id)
- 			fatal(":%s: channel %d: no remote id",
- 			    __func__, c->self);
+ 			fatal_f("channel %d: no remote id", c->self);
  		if ((r = sshpkt_start(ssh,
  		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
  		    (r = sshpkt_send(ssh)) != 0) {
- 			fatal("%s: channel %i: %s", __func__,
- 			    c->self, ssh_err(r));
+ 			fatal_fr(r, "channel %i", c->self);
  		}
- 		debug2("channel %d: window %d sent adjust %d",
- 		    c->self, c->local_window,
--		    c->local_consumed);
+ 		debug2("channel %d: window %d sent adjust %d", c->self,
+-		    c->local_window, c->local_consumed);
 -		c->local_window += c->local_consumed;
-+		    c->local_consumed + addition);
++		    c->local_window, c->local_consumed + addition);
 +		c->local_window += c->local_consumed + addition;
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
+@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
  	return addr;
  }
  
@@ -241,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  static int
  channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
      struct Forward *fwd, int *allocated_listen_port,
-@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -259,7 +256,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		c = channel_new(ssh, "port listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
-@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
@@ -358,21 +355,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
---- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/compat.c	2015-04-03 16:39:57.665699000 -0500
-@@ -177,6 +177,14 @@
- 			debug("match: %s pat %s compat 0x%08x",
+--- work/openssh/compat.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/compat.c	2021-04-28 14:37:33.129317000 -0700
+@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+ 			debug_f("match: %s pat %s compat 0x%08x",
  			    version, check[i].pat, check[i].bugs);
- 			datafellows = check[i].bugs;	/* XXX for now */
+ 			ssh->compat = check[i].bugs;
 +#ifdef HPN_ENABLED
 +			/* Check to see if the remote side is OpenSSH and not HPN */
 +			if (strstr(version,"OpenSSH") != NULL &&
 +			    strstr(version,"hpn") == NULL) {
-+				datafellows |= SSH_BUG_LARGEWINDOW;
++				ssh->compat |= SSH_BUG_LARGEWINDOW;
 +				debug("Remote is NON-HPN aware");
 +			}
 +#endif
- 			return check[i].bugs;
+ 			return;
  		}
  	}
 --- work/openssh/compat.h.orig	2015-05-29 03:27:21.000000000 -0500
@@ -387,8 +384,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  void     enable_compat13(void);
  void     enable_compat20(void);
---- configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
-+++ configure.ac	2020-03-22 11:07:10.017487000 -0700
+--- work/openssh/configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
++++ work/openssh/configure.ac	2020-03-22 11:07:10.017487000 -0700
 @@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
      ]
  ) # maildir
@@ -424,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  echo ""
  
---- work.clean/openssh-7.2p1/kex.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/kex.c	2016-02-29 08:02:25.565288000 -0800
-@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh)
+--- work/openssh/kex.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/kex.c	2021-04-28 14:38:31.761909000 -0700
+@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
  			peer[ncomp] = NULL;
  			goto out;
  		}
@@ -447,22 +444,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
-@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
   */
  int
  kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 -    const char *version_addendum)
 +    const char *version_addendum, int hpn_disabled)
  {
- 	int remote_major, remote_minor, mismatch;
+ 	int remote_major, remote_minor, mismatch, oerrno = 0;
  	size_t len, i, n;
-@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
+@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
  	sshbuf_reset(our_version);
  	if (version_addendum != NULL && *version_addendum == '\0')
  		version_addendum = NULL;
 -	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
 +	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
- 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    hpn_disabled ? "" : SSH_HPN,
 +#else
@@ -470,7 +467,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
  	    version_addendum == NULL ? "" : " ",
  	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+ 		oerrno = errno;
 --- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
@@ -527,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  #if !defined(WITH_OPENSSL)
  # undef BIGNUM
  # undef EC_KEY
---- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
-@@ -66,6 +66,9 @@
+--- work/openssh/readconf.c.orig	2021-09-08 09:56:20.567664000 -0700
++++ work/openssh/readconf.c	2021-09-08 09:57:31.560617000 -0700
+@@ -67,6 +67,9 @@
  #include "uidswap.h"
  #include "myproposal.h"
  #include "digest.h"
@@ -539,23 +536,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  /* Format of the configuration file:
  
-@@ -167,6 +170,12 @@ typedef enum {
+@@ -168,6 +171,12 @@ typedef enum {
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
  	oVisualHostKey,
- 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
 +#endif
 +#ifdef NONE_CIPHER_ENABLED
 +	oNoneSwitch, oNoneEnabled, 
 +#endif
+ 	oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -304,6 +313,16 @@ static struct {
- 	{ "updatehostkeys", oUpdateHostkeys },
- 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
- 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+@@ -316,6 +325,16 @@ static struct {
+ 	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
+ 	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 +#ifdef NONE_CIPHER_ENABLED
 +	{ "noneenabled", oNoneEnabled },
 +	{ "noneswitch", oNoneSwitch },
@@ -568,8 +565,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
  	{ "ignoreunknown", oIgnoreUnknown },
  	{ "proxyjump", oProxyJump },
- 
-@@ -962,6 +981,44 @@ parse_time:
+ 	{ "securitykeyprovider", oSecurityKeyProvider },
+@@ -1125,6 +1144,44 @@ parse_time:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -614,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
+@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -628,10 +625,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	options->tcp_rcv_buf_poll = -1;
 +	options->tcp_rcv_buf = -1;
 +#endif
- 	options->proxy_use_fdpass = -1;
- 	options->ignored_unknown = NULL;
- 	options->num_canonical_domains = 0;
-@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
+ 	options->session_type = -1;
+ 	options->stdin_null = -1;
+ 	options->fork_after_authentication = -1;
+@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -908,23 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  .It Fl r
  Recursively copy entire directories when uploading and downloading.
  Note that
---- work.clean/openssh-6.8p1/sftp.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sftp.c	2015-04-03 17:16:00.959795000 -0500
-@@ -71,7 +71,11 @@
- #include "sftp-client.h"
- 
- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
-+#ifdef HPN_ENABLED
-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
-+#else
- #define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
-+#endif
- 
- /* File to read commands from */
- FILE* infile;
---- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
-@@ -954,6 +954,14 @@ main(int ac, char **av)
+--- work/openssh/ssh.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/ssh.c	2021-04-28 14:51:04.682167000 -0700
+@@ -1027,6 +1027,14 @@ main(int ac, char **av)
  			break;
  		case 'T':
  			options.request_tty = REQUEST_TTY_NO;
@@ -939,12 +922,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  			break;
  		case 'o':
  			line = xstrdup(optarg);
-@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
- 	    NULL, fileno(stdin), &command, environ);
+@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+ 	    NULL, fileno(stdin), command, environ);
  }
  
 +static void
-+hpn_options_init(void)
++hpn_options_init(struct ssh *ssh)
 +{
 +	/*
 +	 * We need to check to see if what they want to do about buffer
@@ -969,7 +952,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	else
 +		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
-+	if (datafellows & SSH_BUG_LARGEWINDOW) {
++	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
@@ -1018,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* open new channel for a session */
  static int
  ssh_session2_open(struct ssh *ssh)
-@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh)
  	if (!isatty(err))
  		set_nonblock(err);
  
@@ -1036,7 +1019,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -1046,12 +1029,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("%s: channel_new: %d", __func__, c->self);
+ 	debug3_f("channel_new: %d", c->self);
  
  	channel_send_open(ssh, c->self);
-@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
  {
- 	int devnull, id = -1;
+ 	int r, id = -1;
  	char *cp, *tun_fwd_ifname = NULL;
 +
 +#ifdef HPN_ENABLED
@@ -1060,7 +1043,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 * might open channels that use the hpn buffer sizes.  We can't send a
 +	 * window of -1 (the default) to the server as it breaks things.
 +	 */
-+	hpn_options_init();
++	hpn_options_init(ssh);
 +#endif
  
  	/* XXX should be pre-session */
@@ -1136,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	/* Put the connection into non-blocking mode. */
---- sshconnect2.c.orig	2020-02-13 16:40:54.000000000 -0800
-+++ sshconnect2.c	2020-03-22 11:10:01.017282000 -0700
-@@ -83,7 +83,13 @@
+--- work/openssh/sshconnect2.c.orig	2021-08-19 21:03:49.000000000 -0700
++++ work/openssh/sshconnect2.c	2021-09-08 10:02:03.037982000 -0700
+@@ -84,7 +84,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
@@ -1152,28 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /*
   * SSH2 key exchange
   */
-@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
 +static char *myproposal[PROPOSAL_MAX];
 +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
  void
- ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+     const struct ssh_conn_info *cinfo)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
  	char *s, *all_key;
  	int r, use_known_hosts_order = 0;
  
-@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
- 		fatal("%s: kex_assemble_namelist", __func__);
+@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 		fatal_fr(r, "kex_assemble_namelist");
  	free(all_key);
  
 +	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
  	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
- 		fatal("%s: kex_names_cat", __func__);
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ 		fatal_f("kex_names_cat");
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
+@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
@@ -1200,13 +1184,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +	}
 +#endif
-+
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- 
---- work/openssh/sshd.c.orig	2020-11-10 21:36:31.340159000 -0800
-+++ work/openssh/sshd.c	2020-11-10 21:37:10.097038000 -0800
-@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
+ 	if (ssh_packet_connection_is_on_socket(ssh)) {
+ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+--- work/openssh/sshd.c.orig	2021-09-08 10:00:01.411822000 -0700
++++ work/openssh/sshd.c	2021-09-08 10:03:02.820813000 -0700
+@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
  	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1217,7 +1200,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1231,7 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1753,6 +1764,15 @@ main(int ac, char **av)
+@@ -1760,6 +1771,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -1244,10 +1227,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	}
 +#endif
 +
- 	/* challenge-response is implemented via keyboard interactive */
- 	if (options.challenge_response_authentication)
- 		options.kbd_interactive_authentication = 1;
-@@ -2220,6 +2240,11 @@ main(int ac, char **av)
+ 	/* Check that options are sensible */
+ 	if (options.authorized_keys_command_user == NULL &&
+ 	    (options.authorized_keys_command != NULL &&
+@@ -2216,6 +2236,11 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
  
@@ -1259,7 +1242,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2233,7 +2258,7 @@ main(int ac, char **av)
+@@ -2229,7 +2254,7 @@ main(int ac, char **av)
  		alarm(options.login_grace_time);
  
  	if ((r = kex_exchange_identification(ssh, -1,
@@ -1268,7 +1251,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	ssh_packet_set_nonblocking(ssh);
-@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
  	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
  	struct kex *kex;
  	int r;
@@ -1278,7 +1261,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +                debug ("WARNING: None cipher enabled");
 +#endif
  
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
  	    options.kex_algorithms);
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500

security/openssh-portable/files/extra-patch-hpn-compat

@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
 
 ------------------------------------------------------------------------
 
---- readconf.c.orig	2020-03-21 16:51:23.450425000 -0700
-+++ readconf.c	2020-03-21 17:00:01.827757000 -0700
-@@ -310,6 +310,12 @@ static struct {
- 	{ "ignoreunknown", oIgnoreUnknown },
+--- readconf.c.orig	2021-04-27 11:24:15.916596000 -0700
++++ readconf.c	2021-04-27 11:25:24.222034000 -0700
+@@ -316,6 +316,12 @@ static struct {
  	{ "proxyjump", oProxyJump },
  	{ "securitykeyprovider", oSecurityKeyProvider },
+ 	{ "knownhostscommand", oKnownHostsCommand },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },

security/openssh-portable/files/openssh.in

@@ -1,7 +1,5 @@
 #!/bin/sh
 
-# $FreeBSD$
-#
 # PROVIDE: openssh
 # REQUIRE: DAEMON
 # KEYWORD: shutdown

security/openssh-portable/files/patch-platform-tracing.c

@@ -0,0 +1,25 @@
+--- platform-tracing.c.orig	2021-09-26 07:03:19.000000000 -0700
++++ platform-tracing.c	2021-10-15 10:08:20.537813000 -0700
+@@ -16,6 +16,10 @@
+ 
+ #include "includes.h"
+ 
++#if defined(HAVE_PROCCTL)
++#include <string.h>
++#include <unistd.h>
++#endif
+ #include <sys/types.h>
+ #ifdef HAVE_SYS_PROCCTL_H
+ #include <sys/procctl.h>
+@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
+ 	/* On FreeBSD, we should make this process untraceable */
+ 	int disable_trace = PROC_TRACE_CTL_DISABLE;
+ 
+-	if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+-		fatal("unable to make the process untraceable");
++	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
++		fatal("unable to make the process untraceable: %s for pid %d",
++		    strerror(errno), (int)getpid());
+ #endif
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ 	/* Disable ptrace on Linux without sgid bit */

security/openssh-portable/files/patch-session.c

@@ -13,18 +13,18 @@ to the child process.
 Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
---- session.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ session.c	2020-11-19 14:41:50.745308000 -0800
-@@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
+--- session.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ session.c	2021-04-27 13:11:13.515917000 -0700
+@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
  }
  #endif /* HAVE_ETC_DEFAULT_LOGIN */
  
 -#if defined(USE_PAM) || defined(HAVE_CYGWIN)
 +#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
  static void
- copy_environment_blacklist(char **source, char ***env, u_int *envsize,
-     const char *blacklist)
-@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ copy_environment_denylist(char **source, char ***env, u_int *envsize,
+     const char *denylist)
+@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -34,7 +34,7 @@ Sponsored by:   DARPA, NAI Labs
  		snprintf(buf, sizeof buf, "%.200s/%.50s",
  		    _PATH_MAILDIR, pw->pw_name);
  		child_set_env(&env, &envsize, "MAIL", buf);
-@@ -1067,6 +1068,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  
  	if (getenv("TZ"))
  		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
@@ -48,7 +48,7 @@ Sponsored by:   DARPA, NAI Labs
 +		environ = xmalloc(sizeof(char *));
 +		*environ = NULL;
 +		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
-+		copy_environment_blacklist(environ, &env, &envsize, NULL);
++		copy_environment_denylist(environ, &env, &envsize, NULL);
 +		for (var = environ; *var != NULL; ++var)
 +			free(*var);
 +		free(environ);
@@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
  	if (s->term)
  		child_set_env(&env, &envsize, "TERM", s->term);
  	if (s->display)
-@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw)
+@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
  #ifdef HAVE_LOGIN_CAP
  	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
  		return;
@@ -67,7 +67,7 @@ Sponsored by:   DARPA, NAI Labs
  #else
  	if (pw->pw_uid == 0)
  		return;
-@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,

security/openssh-portable/files/patch-ssh-agent.c

@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ ssh-agent.c	2020-11-09 09:07:10.924940000 -0800
-@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ ssh-agent.c	2021-04-27 11:47:59.362589000 -0700
+@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
@@ -35,20 +35,21 @@ disconnected.
 +			last = 1;
 +	}
  	close(e->fd);
- 	e->fd = -1;
- 	e->type = AUTH_UNUSED;
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
- 	sshbuf_free(e->request);
+@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
+ 	memset(e, '\0', sizeof(*e));
+ 	e->fd = -1;
+ 	e->type = AUTH_UNUSED;
 +	if (last)
 +		cleanup_exit(0);
  }
  
  static void
-@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)
- {
- 	u_int i, old_alloc, new_alloc;
+@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
  
+ 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
+ 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
 +	if (type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount + 1);
 +		++xcount;
@@ -56,7 +57,7 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1261,7 +1284,7 @@ static void
+@@ -1360,7 +1383,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -65,7 +66,7 @@ disconnected.
  	    "                 [-P allowed_providers] [-t life]\n"
  	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
  	    "                 [-t life] command [arg ...]\n"
-@@ -1295,6 +1318,7 @@ main(int ac, char **av)
+@@ -1394,6 +1417,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -73,7 +74,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1306,7 +1330,7 @@ main(int ac, char **av)
+@@ -1405,7 +1429,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -82,7 +83,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1355,6 +1379,9 @@ main(int ac, char **av)
+@@ -1454,6 +1478,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}

security/openssh-portable/files/patch-ssh_config.5

@@ -1,21 +1,7 @@
 --- UTC
-r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
-
-Document the FreeBSD default for CheckHostIP, which was changed in
-rev 1.2 of readconf.c.
 
 --- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
 +++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
-@@ -420,8 +420,7 @@ or
- .Cm no .
- .It Cm CheckHostIP
- If set to
--.Cm yes
--(the default),
-+.Cm yes ,
- .Xr ssh 1
- will additionally check the host IP address in the
- .Pa known_hosts
 @@ -434,6 +433,8 @@ in the process, regardless of the setting of
  If the option is set to
  .Cm no ,

security/openssh-portable/files/patch-sshd.8

@@ -24,13 +24,3 @@ Document FreeBSD/port-specific paths
  (unless root).
  .It
  Changes to run with normal user privileges.
-@@ -407,7 +408,8 @@
- exists, runs it; else if
- .Pa /etc/ssh/sshrc
- exists, runs
--it; otherwise runs xauth.
-+it; otherwise runs
-+.Xr xauth 1 .
- The
- .Dq rc
- files are given the X11

security/openssh-portable/files/patch-sshd.c

@@ -33,8 +33,8 @@ of short-living parent. Only mark the master process that accepts
 connections, do not protect connection handlers spawned from inetd.
 
 
---- sshd.c.orig	2010-04-15 23:56:22.000000000 -0600
-+++ sshd.c	2010-09-14 16:14:13.000000000 -0600
+--- sshd.c.orig	2021-04-27 11:49:55.540744000 -0700
++++ sshd.c	2021-04-27 11:50:20.239225000 -0700
 @@ -46,6 +46,7 @@
  
  #include <sys/types.h>
@@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd.
  #include <sys/socket.h>
  #ifdef HAVE_SYS_STAT_H
  # include <sys/stat.h>
-@@ -83,6 +84,13 @@
+@@ -85,6 +86,13 @@
  #include <prot.h>
  #endif
  
@@ -56,24 +56,13 @@ connections, do not protect connection handlers spawned from inetd.
 +
  #include "xmalloc.h"
  #include "ssh.h"
- #include "ssh1.h"
-@@ -1877,6 +1885,10 @@
- 	/* Reinitialize the log (because of the fork above). */
- 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
- 
-+ 	/* Avoid killing the process in high-pressure swapping environments. */
-+ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ 		debug("madvise(): %.200s", strerror(errno));
-+
- 	/* Chdir to the root directory so that the current disk can be
- 	   unmounted if desired. */
- 	if (chdir("/") == -1)
-@@ -1995,6 +2007,29 @@
- 	signal(SIGCHLD, SIG_DFL);
- 	signal(SIGINT, SIG_DFL);
+ #include "ssh2.h"
+@@ -2007,7 +2015,30 @@ main(int ac, char **av)
+ 	for (i = 0; i < options.num_log_verbose; i++)
+ 		log_verbose_add(options.log_verbose[i]);
  
 +#ifdef __FreeBSD__
-+	/*
+ 	/*
 +	 * Initialize the resolver.  This may not happen automatically
 +	 * before privsep chroot().
 +	 */
@@ -95,6 +84,18 @@ connections, do not protect connection handlers spawned from inetd.
 +#endif
 +#endif
 +
++	/*
+ 	 * If not in debugging mode, not started from inetd and not already
+ 	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
+ 	 * terminal, and fork.  The original process exits.
+@@ -2022,6 +2053,10 @@ main(int ac, char **av)
+ 	}
+ 	/* Reinitialize the log (because of the fork above). */
+ 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
++
++ 	/* Avoid killing the process in high-pressure swapping environments. */
++ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ 		debug("madvise(): %.200s", strerror(errno));
+ 
  	/*
- 	 * Register our connection.  This turns encryption off because we do
- 	 * not have a key.
+ 	 * Chdir to the root directory so that the current disk can be

security/openssh-portable/files/patch-sshd_config

@@ -1,5 +1,5 @@
---- sshd_config.orig	2013-02-11 18:02:09.000000000 UTC
-+++ sshd_config	2013-05-13 06:46:45.153627197 -0500
+--- sshd_config.orig	2021-08-19 21:03:49.000000000 -0700
++++ sshd_config	2021-09-07 12:34:49.372652000 -0700
 @@ -10,6 +10,9 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
@@ -10,7 +10,7 @@
  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
-@@ -50,8 +53,7 @@
+@@ -37,8 +40,7 @@
  #PubkeyAuthentication yes
  
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -20,34 +20,30 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -68,11 +70,11 @@
+@@ -53,8 +55,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  
 -# To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
-+# Change to yes to enable built-in password authentication.
++# To enable tunneled clear text passwords, change to yes here!
 +#PasswordAuthentication no
  #PermitEmptyPasswords no
  
--# Change to no to disable s/key passwords
-+# Change to no to disable PAM authentication
- #ChallengeResponseAuthentication yes
- 
- # Kerberos options
-@@ -85,7 +87,7 @@
+ # Change to no to disable s/key passwords
+@@ -70,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  
 -# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
+ # be allowed through the KbdInteractiveAuthentication and
  # PasswordAuthentication.  Depending on your PAM configuration,
-@@ -94,12 +96,12 @@
+@@ -79,12 +81,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
+ # and KbdInteractiveAuthentication to 'no'.
 -#UsePAM no
 +#UsePAM yes
  

security/openssh-portable/files/patch-sshd_config.5

@@ -1,16 +1,5 @@
 --- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
 +++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
-@@ -373,7 +373,9 @@ By default, no banner is displayed.
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or through authentication styles supported in
--.Xr login.conf 5 )
-+.Xr login.conf 5 ) .
-+See also
-+.Cm UsePAM .
- The default is
- .Cm yes .
- .It Cm ChrootDirectory
 @@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
  The list of available key types may also be obtained using
  .Qq ssh -Q key .