author | Bryan Drewery <bdrewery@FreeBSD.org> | 2021-04-28 20:15:54 +0000 |
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2021-04-29 16:05:55 +0000 |
commit | de9fffcec89b58fb6f77b72a55975eccb01eb480 (patch) | |
tree | 5ea27c3f83d0d0e0acc587fac85272e2ec9cafaf | |
parent | fbb6fe4a914bbf3d07cd407018c200bbe2a006ff (diff) | |
security/openssh-portable: Update to 8.6p1
- gssapi is disabled for now.
Changes:
- https://www.openssh.com/txt/release-8.5
- https://www.openssh.com/txt/release-8.6
Submitted by: Yasuhiro Kimura [earlier version][1]
PR: 254389 [1]
-rw-r--r-- | security/openssh-portable/Makefile | 8 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 8 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-blacklistd | 44 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 144 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-compat | 8 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth.c | 21 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-readconf.c | 22 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-session.c | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 27 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh_config.5 | 14 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd.c | 43 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 | 32 |
12 files changed, 143 insertions, 248 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index fe9226f480f1..e9ac6fb39f13 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,8 +1,8 @@
 # Created by: dwcjr@inethouston.net
 PORTNAME= openssh
-DISTVERSION= 8.4p1
-PORTREVISION= 4
+DISTVERSION= 8.6p1
+PORTREVISION= 0
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -99,8 +99,8 @@ ETCDIR?= ${PREFIX}/etc/ssh
 PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 # Must add this patch before HPN due to conflicts
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
+.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
+BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
 . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index b1c3c22bc242..209322451613 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1605552780
-SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
-SIZE (openssh-8.4p1.tar.gz) = 1742201
-SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
-SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748
+TIMESTAMP = 1619547768
+SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
+SIZE (openssh-8.6p1.tar.gz) = 1786328
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index 539b68c535ac..92e0fc35903e 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
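Review bot: The new guard `.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi` marks every GSSAPI build BROKEN, yet the nested `. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}` block directly beneath it still appends `extra-patch-hpn-gss-glue`, while the distinfo hunk on this same line drops the gsskex patch that glue was written against. Nothing misbuilds today because BROKEN aborts before patching, but the block reads as live code. A comment on the `. if` line such as `# Dead while BROKEN above; re-verify the glue against the 8.6 gsskex patch before re-enabling` would keep the next updater from assuming it still applies. The `.if` block closes outside the hunk.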
+++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -1,5 +1,5 @@ ---- blacklist.c.orig 2020-11-16 16:45:24.799150000 -0800 -+++ blacklist.c 2020-11-16 16:45:20.000470000 -0800 +--- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700 ++++ blacklist.c 2021-04-28 13:56:45.677805000 -0700 @@ -0,0 +1,92 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -75,7 +75,7 @@ + default: + imlevel = SYSLOG_LEVEL_DEBUG2; + } -+ do_log(imlevel, message, args); ++ do_log2(imlevel, message, args); +} + +void @@ -157,9 +157,9 @@ + + +#endif /* BLACKLIST_CLIENT_H */ ---- servconf.c.orig 2020-11-16 15:52:13.175438000 -0800 -+++ servconf.c 2020-11-16 15:52:15.812142000 -0800 -@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options) +--- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ servconf.c 2021-04-28 13:36:19.591999000 -0700 +@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; @@ -167,7 +167,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->num_authkeys_files = 0; -@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options) +@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 0; 
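Review bot: In the `@@ -75,7 +75,7 @@` hunk of blacklist.c, `do_log2(imlevel, message, args)` is not a drop-in replacement for the old `do_log(imlevel, message, args)`: in OpenSSH 8.5+ `do_log2()` is variadic (`LogLevel, const char *fmt, ...`), whereas the call site looks like the tail of a logging wrapper whose `args` is the `va_list` the old `do_log()` accepted — the wrapper's signature is outside the hunk, so this should be confirmed. If `args` is a `va_list`, pushing it through `...` hands the formatter an argument of the wrong type, and any `%` directive in `message` reads garbage off the stack. The va_list entry point of the new logging layer is `sshlogv()`, e.g. `sshlogv(__FILE__, __func__, __LINE__, 0, imlevel, NULL, message, args);`; if `message` is guaranteed to be pre-formatted text with no directives, `do_log2(imlevel, "%s", message)` is the minimal safe form.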
@@ -176,15 +176,15 @@ if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) -@@ -528,6 +531,7 @@ typedef enum { - sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, +@@ -506,6 +509,7 @@ typedef enum { + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, + sUseBlacklist, - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, - sHostKeyAlgorithms, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, -@@ -658,6 +662,8 @@ static struct { +@@ -642,6 +646,8 @@ static struct { { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, @@ -193,7 +193,7 @@ { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, -@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option +@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option intptr = &options->use_dns; goto parse_flag; @@ -204,7 +204,7 @@ case sLogFacility: log_facility_ptr = &options->log_facility; arg = strdelim(&cp); -@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o) +@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); 
@@ -322,17 +322,17 @@ ssh_packet_clear_keys(ssh); errno = oerrno; logdie("Unable to negotiate with %s: %s. " ---- sshd.c.orig 2020-11-16 15:52:45.846609000 -0800 -+++ sshd.c 2020-11-16 15:56:34.401305000 -0800 -@@ -131,6 +131,7 @@ +--- sshd.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ sshd.c 2021-04-28 13:37:18.741786000 -0700 +@@ -123,6 +123,7 @@ #include "version.h" #include "ssherr.h" #include "sk-api.h" +#include "blacklist_client.h" + #include "srclimit.h" + #include "dh.h" - #ifdef LIBWRAP - #include <tcpd.h> -@@ -388,6 +389,8 @@ grace_alarm_handler(int sig) +@@ -366,6 +367,8 @@ grace_alarm_handler(int sig) kill(0, SIGTERM); } @@ -341,9 +341,9 @@ /* XXX pre-format ipaddr/port so we don't need to access active_state */ /* Log error and exit. */ sigdie("Timeout before authentication for %s port %d", -@@ -2290,6 +2293,9 @@ main(int ac, char **av) +@@ -2209,6 +2212,9 @@ main(int ac, char **av) if ((loginmsg = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); auth_debug_reset(); + + if (options.use_blacklist) diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index c447b94cb48e..258b36150078 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -131,8 +131,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700 +--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 
@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* -- channel core */ void -@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; @@ -156,7 +156,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, +@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, FD_SET(c->sock, writeset); } @@ -187,7 +187,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o static void channel_pre_open(struct ssh *ssh, Channel *c, fd_set *readset, fd_set *writeset) -@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c) +@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { 
@@ -203,27 +203,24 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + } +#endif if (!c->have_remote_id) - fatal(":%s: channel %d: no remote id", - __func__, c->self); + fatal_f("channel %d: no remote id", c->self); if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || (r = sshpkt_send(ssh)) != 0) { - fatal("%s: channel %i: %s", __func__, - c->self, ssh_err(r)); + fatal_fr(r, "channel %i", c->self); } - debug2("channel %d: window %d sent adjust %d", - c->self, c->local_window, -- c->local_consumed); + debug2("channel %d: window %d sent adjust %d", c->self, +- c->local_window, c->local_consumed); - c->local_window += c->local_consumed; -+ c->local_consumed + addition); ++ c->local_window, c->local_consumed + addition); + c->local_window += c->local_consumed + addition; c->local_consumed = 0; } return 1; -@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis +@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } @@ -241,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ 
@@ -259,7 +256,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -358,21 +355,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; ---- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500 -@@ -177,6 +177,14 @@ - debug("match: %s pat %s compat 0x%08x", +--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/compat.c 2021-04-28 14:37:33.129317000 -0700 +@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) + debug_f("match: %s pat %s compat 0x%08x", version, check[i].pat, check[i].bugs); - datafellows = check[i].bugs; /* XXX for now */ + ssh->compat = check[i].bugs; +#ifdef HPN_ENABLED + /* Check to see if the remote side is OpenSSH and not HPN */ + if (strstr(version,"OpenSSH") != NULL && + strstr(version,"hpn") == NULL) { -+ datafellows |= SSH_BUG_LARGEWINDOW; ++ ssh->compat |= SSH_BUG_LARGEWINDOW; + debug("Remote is NON-HPN aware"); + } +#endif - return check[i].bugs; + return; } } --- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 
@@ -424,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o echo "" ---- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800 -+++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800 -@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh) +--- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700 +@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh) peer[ncomp] = NULL; goto out; } @@ -447,22 +444,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? "client->server" : "server->client", newkeys->enc.name, -@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg) +@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg) */ int kex_exchange_identification(struct ssh *ssh, int timeout_ms, - const char *version_addendum) + const char *version_addendum, int hpn_disabled) { - int remote_major, remote_minor, mismatch; + int remote_major, remote_minor, mismatch, oerrno = 0; size_t len, i, n; -@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo +@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo sshbuf_reset(our_version); if (version_addendum != NULL && *version_addendum == '\0') version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + hpn_disabled ? "" : SSH_HPN, +#else 
@@ -470,7 +467,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif version_addendum == NULL ? "" : " ", version_addendum == NULL ? "" : version_addendum)) != 0) { - error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); + oerrno = errno; --- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) @@ -527,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o #if !defined(WITH_OPENSSL) # undef BIGNUM # undef EC_KEY ---- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700 -@@ -66,6 +66,9 @@ +--- work/openssh/readconf.c.orig 2021-04-28 13:58:36.413806000 -0700 ++++ work/openssh/readconf.c 2021-04-28 14:39:31.145856000 -0700 +@@ -67,6 +67,9 @@ #include "uidswap.h" #include "myproposal.h" #include "digest.h" @@ -539,7 +536,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* Format of the configuration file: -@@ -167,6 +170,12 @@ typedef enum { +@@ -168,6 +171,12 @@ typedef enum { oLocalCommand, oPermitLocalCommand, oRemoteCommand, oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, 
@@ -552,10 +549,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -304,6 +313,16 @@ static struct { - { "updatehostkeys", oUpdateHostkeys }, - { "hostbasedkeytypes", oHostbasedKeyTypes }, - { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, +@@ -312,6 +321,16 @@ static struct { + { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ + { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", oNoneEnabled }, + { "noneswitch", oNoneSwitch }, @@ -568,8 +565,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, - -@@ -962,6 +981,44 @@ parse_time: + { "securitykeyprovider", oSecurityKeyProvider }, +@@ -1091,6 +1110,44 @@ parse_time: intptr = &options->check_host_ip; goto parse_flag; @@ -614,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -1833,6 +1890,16 @@ initialize_options(Options * options) +@@ -2262,6 +2319,16 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; 
@@ -631,7 +628,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; -@@ -1979,6 +2046,34 @@ fill_default_options(Options * options) +@@ -2432,6 +2499,34 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; @@ -908,23 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o .It Fl r Recursively copy entire directories when uploading and downloading. Note that ---- work.clean/openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500 -@@ -71,7 +71,11 @@ - #include "sftp-client.h" - - #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ -+#ifdef HPN_ENABLED -+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ -+#else - #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ -+#endif - - /* File to read commands from */ - FILE* infile; ---- work/openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700 -@@ -954,6 +954,14 @@ main(int ac, char **av) +--- work/openssh/ssh.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/ssh.c 2021-04-28 14:51:04.682167000 -0700 +@@ -1027,6 +1027,14 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; 
@@ -939,12 +922,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o break; case 'o': line = xstrdup(optarg); -@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes - NULL, fileno(stdin), &command, environ); +@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes + NULL, fileno(stdin), command, environ); } +static void -+hpn_options_init(void) ++hpn_options_init(struct ssh *ssh) +{ + /* + * We need to check to see if what they want to do about buffer @@ -969,7 +952,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + else + options.hpn_buffer_size = 2 * 1024 * 1024; + -+ if (datafellows & SSH_BUG_LARGEWINDOW) { ++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; @@ -1018,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* open new channel for a session */ static int ssh_session2_open(struct ssh *ssh) -@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh) +@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh) if (!isatty(err)) set_nonblock(err); @@ -1036,7 +1019,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o window >>= 1; packetmax >>= 1; } -@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh) +@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh) window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 
@@ -1046,12 +1029,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + debug ("Enabled Dynamic Window Scaling"); + } +#endif - debug3("%s: channel_new: %d", __func__, c->self); + debug3_f("channel_new: %d", c->self); channel_send_open(ssh, c->self); -@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) +@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in { - int devnull, id = -1; + int r, id = -1; char *cp, *tun_fwd_ifname = NULL; + +#ifdef HPN_ENABLED @@ -1060,7 +1043,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * might open channels that use the hpn buffer sizes. We can't send a + * window of -1 (the default) to the server as it breaks things. + */ -+ hpn_options_init(); ++ hpn_options_init(ssh); +#endif /* XXX should be pre-session */ @@ -1136,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ ---- sshconnect2.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ sshconnect2.c 2020-03-22 11:10:01.017282000 -0700 -@@ -83,7 +83,13 @@ +--- work/openssh/sshconnect2.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/sshconnect2.c 2021-04-28 14:51:57.237202000 -0700 +@@ -84,7 +84,13 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; 
@@ -1152,28 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * SSH2 key exchange */ -@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd +@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd return ret; } +static char *myproposal[PROPOSAL_MAX]; +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; void - ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + const struct ssh_conn_info *cinfo) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; char *s, *all_key; int r, use_known_hosts_order = 0; -@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr - fatal("%s: kex_assemble_namelist", __func__); +@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + fatal_fr(r, "kex_assemble_namelist"); free(all_key); + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) - fatal("%s: kex_names_cat", __func__); - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); -@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); +@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index a02b674ff8b0..c47d0a1d3b5d 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat 
@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2020-03-21 16:51:23.450425000 -0700 -+++ readconf.c 2020-03-21 17:00:01.827757000 -0700 -@@ -310,6 +310,12 @@ static struct { - { "ignoreunknown", oIgnoreUnknown }, +--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 ++++ readconf.c 2021-04-27 11:25:24.222034000 -0700 +@@ -316,6 +316,12 @@ static struct { { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, + { "knownhostscommand", oKnownHostsCommand }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c deleted file mode 100644 index f9fba8b6ebc8..000000000000 --- a/security/openssh-portable/files/patch-auth.c +++ /dev/null @@ -1,21 +0,0 @@ ---- UTC -r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines -Changed paths: - M /head/crypto/openssh/auth.c - -Use login_getpwclass() instead of login_getclass() so that the root -vs. default login class distinction is made correctly. - -PR: 37416 - ---- auth.c.orig 2010-08-12 11:33:01.000000000 -0600 -+++ auth.c 2010-09-14 16:14:12.000000000 -0600 -@@ -594,7 +594,7 @@ - if (!allowed_user(pw)) - return (NULL); - #ifdef HAVE_LOGIN_CAP -- if ((lc = login_getclass(pw->pw_class)) == NULL) { -+ if ((lc = login_getpwclass(pw)) == NULL) { - debug("unable to get login class: %s", user); - return (NULL); - } diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c deleted file mode 100644 index 8d98c57c2f82..000000000000 --- a/security/openssh-portable/files/patch-readconf.c +++ /dev/null 
@@ -1,22 +0,0 @@ ---- UTC -base defaults - -r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/myproposal.h - M /head/crypto/openssh/readconf.c - M /head/crypto/openssh/servconf.c - -Apply FreeBSD's configuration defaults. - ---- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500 -+++ readconf.c 2014-11-03 16:45:05.188796445 -0600 -@@ -1934,7 +1946,7 @@ fill_default_options(Options * options) - if (options->batch_mode == -1) - options->batch_mode = 0; - if (options->check_host_ip == -1) -- options->check_host_ip = 1; -+ options->check_host_ip = 0; - if (options->strict_host_key_checking == -1) - options->strict_host_key_checking = 2; /* 2 is default */ - if (options->compression == -1) diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index 84c78b3f9526..b0b9e08008f8 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c 
@@ -13,18 +13,18 @@ to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ session.c 2020-11-19 14:41:50.745308000 -0800 -@@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui +--- session.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ session.c 2021-04-27 13:11:13.515917000 -0700 +@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui } #endif /* HAVE_ETC_DEFAULT_LOGIN */ -#if defined(USE_PAM) || defined(HAVE_CYGWIN) +#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP) static void - copy_environment_blacklist(char **source, char ***env, u_int *envsize, - const char *blacklist) -@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + copy_environment_denylist(char **source, char ***env, u_int *envsize, + const char *denylist) +@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -34,7 +34,7 @@ Sponsored by: DARPA, NAI Labs snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); child_set_env(&env, &envsize, "MAIL", buf); -@@ -1067,6 +1068,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); @@ -48,7 +48,7 @@ Sponsored by: DARPA, NAI Labs + environ = xmalloc(sizeof(char *)); + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV); -+ copy_environment_blacklist(environ, &env, &envsize, NULL); ++ copy_environment_denylist(environ, &env, &envsize, NULL); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); 
@@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs if (s->term) child_set_env(&env, &envsize, "TERM", s->term); if (s->display) -@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw) +@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw) #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) return; @@ -67,7 +67,7 @@ Sponsored by: DARPA, NAI Labs #else if (pw->pw_uid == 0) return; -@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw) +@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 547c8e4958e2..de53881aa541 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ ssh-agent.c 2020-11-09 09:07:10.924940000 -0800 -@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 +@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; 
@@ -35,20 +35,21 @@ disconnected. + last = 1; + } close(e->fd); - e->fd = -1; - e->type = AUTH_UNUSED; sshbuf_free(e->input); sshbuf_free(e->output); - sshbuf_free(e->request); +@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) + memset(e, '\0', sizeof(*e)); + e->fd = -1; + e->type = AUTH_UNUSED; + if (last) + cleanup_exit(0); } static void -@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd) - { - u_int i, old_alloc, new_alloc; +@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) + debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : + (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); + if (type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount + 1); + ++xcount; @@ -56,7 +57,7 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1261,7 +1284,7 @@ static void +@@ -1360,7 +1383,7 @@ static void usage(void) { fprintf(stderr, @@ -65,7 +66,7 @@ disconnected. " [-P allowed_providers] [-t life]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " [-t life] command [arg ...]\n" -@@ -1295,6 +1318,7 @@ main(int ac, char **av) +@@ -1394,6 +1417,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -73,7 +74,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -1306,7 +1330,7 @@ main(int ac, char **av) +@@ -1405,7 +1429,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -82,7 +83,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1355,6 +1379,9 @@ main(int ac, char **av) +@@ -1454,6 +1478,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 index 36bfa04c25f1..8c0e2bf1d5be 100644 --- a/security/openssh-portable/files/patch-ssh_config.5 +++ b/security/openssh-portable/files/patch-ssh_config.5 
@@ -1,21 +1,7 @@
--- UTC
-r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
-
-Document the FreeBSD default for CheckHostIP, which was changed in
-rev 1.2 of readconf.c.
--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
-@@ -420,8 +420,7 @@ or
- .Cm no .
- .It Cm CheckHostIP
- If set to
--.Cm yes
--(the default),
-+.Cm yes ,
- .Xr ssh 1
- will additionally check the host IP address in the
- .Pa known_hosts
@@ -434,6 +433,8 @@ in the process, regardless of the setting of
If the option is set to
.Cm no ,
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index c165453ece16..6374e22bbacc 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -33,8 +33,8 @@ of short-living parent. Only mark the master process that accepts
connections, do not protect connection handlers spawned from inetd.
---- sshd.c.orig 2010-04-15 23:56:22.000000000 -0600
-+++ sshd.c 2010-09-14 16:14:13.000000000 -0600
+--- sshd.c.orig 2021-04-27 11:49:55.540744000 -0700
++++ sshd.c 2021-04-27 11:50:20.239225000 -0700
@@ -46,6 +46,7 @@
#include <sys/types.h>
@@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd.
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
-@@ -83,6 +84,13 @@
+@@ -85,6 +86,13 @@
#include <prot.h>
#endif
@@ -56,24 +56,13 @@ connections, do not protect connection handlers spawned from inetd.
+
#include "xmalloc.h"
#include "ssh.h"
- #include "ssh1.h"
-@@ -1877,6 +1885,10 @@
- /* Reinitialize the log (because of the fork above). */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
-+
- /* Chdir to the root directory so that the current disk can be
- unmounted if desired. */
- if (chdir("/") == -1)
-@@ -1995,6 +2007,29 @@
- signal(SIGCHLD, SIG_DFL);
- signal(SIGINT, SIG_DFL);
+ #include "ssh2.h"
+@@ -2007,7 +2015,30 @@ main(int ac, char **av)
+ for (i = 0; i < options.num_log_verbose; i++)
+ log_verbose_add(options.log_verbose[i]);
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
@@ -95,6 +84,18 @@ connections, do not protect connection handlers spawned from inetd.
+#endif
+#endif
+
++ /*
+ * If not in debugging mode, not started from inetd and not already
+ * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
+ * terminal, and fork. The original process exits.
+@@ -2022,6 +2053,10 @@ main(int ac, char **av)
+ }
+ /* Reinitialize the log (because of the fork above). */
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
++
++ /* Avoid killing the process in high-pressure swapping environments. */
++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ debug("madvise(): %.200s", strerror(errno));
+ /*
- * Register our connection. This turns encryption off because we do
- * not have a key.
+ * Chdir to the root directory so that the current disk can be
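Review bot: The two `+#endif` lines that close the resolver-initialization block in the `@@ -95,6 +84,18 @@` hunk carry no trailing comment, and neither opener is in that hunk (the outer `+#ifdef __FreeBSD__` sits in the preceding `@@ -56,24 +56,13 @@` hunk; the inner one is outside both), so a reader of the re-based patch cannot pair them from the diff alone. Annotating at least the outer one as `#endif /* __FreeBSD__ */` would make the nesting self-describing in the patched sshd.c. The relocated `madvise(NULL, 0, MADV_PROTECT)` block keeps the same position relative to `log_init()` and the `Chdir to the root directory` comment that it had in the 8.4 version of the patch, so the re-base itself looks faithful. The enclosing `main()` continues outside both hunks.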
diff --git a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 b/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041
deleted file mode 100644
index 4ac4a7061cb6..000000000000
--- a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041
+++ /dev/null
@@ -1,32 +0,0 @@
-untrusted comment: verify with openbsd-68-base.pub
-RWQZj25CSG5R2lgsgSLgQjjy3/BFahe7C64NJOej05Naf0mm//TKykuXL7pxOVsY5rnXH0A6vBdO5UNx7PkuTxLOACHx5xV7Gws=
-
-OpenBSD 6.8 errata 015, March 4, 2021:
-
-Double free in ssh-agent(1)
-
-Apply by doing:
- signify -Vep /etc/signify/openbsd-68-base.pub -x 015_sshagent.patch.sig \
- -m - | (cd /usr/src && patch -p0)
-
-And then rebuild and install ssh (as well as ssh-agent)
- cd /usr/src/usr.bin/ssh
- make obj
- make clean
- make
- make install
-
-Index: usr.bin/ssh/ssh-agent.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
-diff -u -p -u -r1.264 ssh-agent.c
---- ssh-agent.c 18 Sep 2020 08:16:38 -0000 1.264
-+++ ssh-agent.c 3 Mar 2021 01:08:25 -0000
-@@ -567,6 +567,7 @@ process_add_identity(SocketEntry *e)
- goto err;
- }
- free(ext_name);
-+ ext_name = NULL;
- break;
- default:
- error("%s: Unknown constraint %d", __func__, ctype); |