authorBryan Drewery <bdrewery@FreeBSD.org>2018-04-05 18:20:50 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2018-04-05 18:20:50 +0000
commit804e4b49f3c7657b80a9585205f0cae8565897a7 (patch)
treea0dbf7e5881e386a4d2264b118005c59bd1cd469 /security
parent6b53aeb15f80bda7a098a0eee3f44cba73eb7943 (diff)
Update to 7.7p1
- Update x509 patch to 11.3 - Remove SCTP option as it has not had a patch available since 7.2. Changes: https://www.openssh.com/txt/release-7.7 Notable changes: * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations.
Notes
Notes: svn path=/head/; revision=466577
Diffstat (limited to 'security')
-rw-r--r--security/openssh-portable/Makefile23
-rw-r--r--security/openssh-portable/distinfo12
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-compat4
-rw-r--r--security/openssh-portable/files/extra-patch-tcpwrappers15
-rw-r--r--security/openssh-portable/files/extra-patch-x509-glue210
-rw-r--r--security/openssh-portable/files/patch-session.c20
-rw-r--r--security/openssh-portable/files/patch-upstream-servconf.c44
7 files changed, 141 insertions, 187 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 53cf89817772..5ce3cc692f59 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 7.6p1
-PORTREVISION= 3
+DISTVERSION= 7.7p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -31,7 +31,7 @@ BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \
- SCTP LDNS NONECIPHER
+ LDNS NONECIPHER
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
@@ -41,7 +41,6 @@ KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= HPN-SSH patch
LDNS_DESC= SSHFP/LDNS support
X509_DESC= x509 certificate patch
-SCTP_DESC= SCTP support
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
@@ -62,17 +61,10 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 11.0
+X509_VERSION= 11.3
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
-
-# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
-SCTP_BROKEN= Does not apply to 7.6+
-SCTP_CONFIGURE_WITH= sctp
-SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1
+X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal
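Review bot: The added `X509_PATCHFILES` line hardcodes `7.7p1` again, so the next version bump has to be edited in two places; `X509_PATCHFILES= ${PORTNAME}-${DISTVERSION}+x509-${X509_VERSION}.diff.gz:-p1:x509` would keep the patch name tied to the DISTVERSION set at the top of this Makefile. Separately, the removed `SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1` line was the only visible reference to that file, and the diffstat lists no deletion under files/, so extra-patch-sctp appears to be left orphaned if it still exists in the tree.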
@@ -136,10 +128,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MSCTP}
-BROKEN= X509 patch and SCTP patch do not apply cleanly together
-. endif
-
. if ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= X509 patch incompatible with KERB_GSSAPI patch
. endif
@@ -222,6 +210,7 @@ test: build
TEST_SHELL=${SH} \
SUDO="${SUDO}" \
LOGNAME="${LOGNAME}" \
+ TEST_SSH_TRACE=yes \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 22bf6d8421e7..8ab91f2b30d1 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,7 +1,5 @@
-TIMESTAMP = 1507833573
-SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
-SIZE (openssh-7.6p1.tar.gz) = 1489788
-SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
-SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
-SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
+TIMESTAMP = 1522788732
+SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
+SIZE (openssh-7.7p1.tar.gz) = 1536900
+SHA256 (openssh-7.7p1+x509-11.3.diff.gz) = 57be0d0028863f1f690b8b4ccae7583c0f8dd8ed2c688a912b25832bf7f9b185
+SIZE (openssh-7.7p1+x509-11.3.diff.gz) = 488467
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index 97644213a647..a036a09c938c 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -33,10 +33,10 @@ r294563 was incomplete; re-add the client-side options as well.
};
--- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700
+++ servconf.c 2017-10-12 12:20:19.089884000 -0700
-@@ -566,6 +566,10 @@ static struct {
- { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+@@ -618,6 +618,10 @@ static struct {
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+ { "rdomain", sRDomain, SSHCFG_ALL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index 14a0452bdefa..ad552ca607d1 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -35,15 +35,15 @@ index 289e13d..e6a900b 100644
.Xr sshd_config 5 ,
diff --git sshd.c sshd.c
index 0ade557..045f149 100644
---- sshd.c
-+++ sshd.c
+--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700
++++ sshd.c 2018-04-04 15:40:20.964130000 -0700
@@ -1,4 +1,4 @@
--/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */
+-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -123,6 +123,13 @@
+@@ -131,6 +131,13 @@
#include "version.h"
#include "ssherr.h"
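Review bot: The refreshed inner `@@ -1,4 +1,4 @@` hunk still rewrites the sshd.c `$OpenBSD$` id line, now from the 1.506 (2018) revision back to `1.422 2014/03/27`, although this patch only re-adds the LIBWRAP code; the id line is a comment, so this is harmless, but it is misleading and one more line to conflict at every refresh. Dropping that inner hunk and leaving the 1.506 line untouched would shrink the patch. The second inner hunk (`@@ -131,6 +131,13 @@`) starts here and runs past the end of this outer hunk.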
@@ -57,10 +57,11 @@ index 0ade557..045f149 100644
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -1971,6 +1978,24 @@ main(int ac, char **av)
- #ifdef SSH_AUDIT_EVENTS
- audit_connection_from(remote_ip, remote_port);
+@@ -2072,6 +2079,25 @@ main(int ac, char **av)
#endif
+
+ rdomain = ssh_packet_rdomain_in(ssh);
++
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue
index c7057ec24704..5ff2eefcbf4d 100644
--- a/security/openssh-portable/files/extra-patch-x509-glue
+++ b/security/openssh-portable/files/extra-patch-x509-glue
@@ -1,6 +1,6 @@
--- session.c.orig 2017-10-12 11:52:52.953370000 -0700
+++ session.c 2017-10-12 11:53:40.793055000 -0700
-@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
@@ -34,114 +34,124 @@
-}
-#endif
-
- /* Set custom environment options from RSA authentication. */
- while (custom_environment) {
- struct envstring *ce = custom_environment;
+ /* Set custom environment options from pubkey authentication. */
+ if (options.permit_user_env) {
+ for (n = 0 ; n < auth_opts->nenv; n++) {
--- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700
+++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700
-@@ -1641,52 +1641,7 @@ is set to
+@@ -1682,7 +1682,57 @@ is set to
then the pre-authentication unprivileged process is subject to additional
restrictions.
The default is
-.Cm sandbox .
--.It Cm VACertificateFile
--File with X.509 certificates in PEM format concatenated together.
--In use when
--.Cm VAType
--is set to
--.Cm ocspspec .
--The default value is
--.Sq
--..
--(empty).
--Certificates from that file explicitly trust
--.Sq "OCSP Responder"
--public key.
--They are used as trusted certificates in addition to certificates from
--.Cm CACertificateFile
--and
--.Cm CACertificatePath
--to verify responder certificate.
--.It Cm VAType
--Specifies whether
--.Sq "Online Certificate Status Protocol"
--(OCSP) is used to validate X.509 certificates.
--Accepted values are case insensitive:
--.Bl -tag -offset indent -compact
--.It none
--do not use OCSP to validate certificates;
--.It ocspcert
--validate only certificates that specify
--.Sq "OCSP Service Locator"
--URL;
--.It ocspspec
--use specified in the configuration
--.Sq "OCSP Responder"
--to validate all certificates.
--.El
--The default is
--.Cm none .
--.It Cm VAOCSPResponderURL
--.Sq "Access Location"
--/
--.Sq "OCSP Service Locator"
--URL of the OCSP provider. In use when
--.Cm VAType
--is set to
--.Cm ocspspec .
+.Cm no .
- .It Cm VersionAddendum
- Optionally specifies additional text to append to the SSH protocol banner
- sent by the server upon connection.
-@@ -1737,6 +1692,51 @@ the wildcard address.
- By default,
- sshd binds the forwarding server to the loopback address and sets the
- hostname part of the
-+.It Cm VACertificateFile
-+File with X.509 certificates in PEM format concatenated together.
-+In use when
-+.Cm VAType
-+is set to
-+.Cm ocspspec .
-+The default value is
-+.Sq
-+..
-+(empty).
-+Certificates from that file explicitly trust
-+.Sq "OCSP Responder"
-+public key.
-+They are used as trusted certificates in addition to certificates from
-+.Cm CACertificateFile
-+and
-+.Cm CACertificatePath
-+to verify responder certificate.
-+.It Cm VAType
-+Specifies whether
-+.Sq "Online Certificate Status Protocol"
-+(OCSP) is used to validate X.509 certificates.
-+Accepted values are case insensitive:
-+.Bl -tag -offset indent -compact
-+.It none
-+do not use OCSP to validate certificates;
-+.It ocspcert
-+validate only certificates that specify
-+.Sq "OCSP Service Locator"
-+URL;
-+.It ocspspec
-+use specified in the configuration
-+.Sq "OCSP Responder"
-+to validate all certificates.
-+.El
++.It Cm VersionAddendum
++Optionally specifies additional text to append to the SSH protocol banner
++sent by the server upon connection.
+The default is
+.Cm none .
-+.It Cm VAOCSPResponderURL
-+.Sq "Access Location"
-+/
-+.Sq "OCSP Service Locator"
-+URL of the OCSP provider. In use when
-+.Cm VAType
-+is set to
-+.Cm ocspspec .
++.It Cm X11DisplayOffset
++Specifies the first display number available for
++.Xr sshd 8 Ns 's
++X11 forwarding.
++This prevents sshd from interfering with real X11 servers.
++The default is 10.
++.It Cm X11Forwarding
++Specifies whether X11 forwarding is permitted.
++The argument must be
++.Cm yes
++or
++.Cm no .
++The default is
++.Cm no .
++.Pp
++When X11 forwarding is enabled, there may be additional exposure to
++the server and to client displays if the
++.Xr sshd 8
++proxy display is configured to listen on the wildcard address (see
++.Cm X11UseLocalhost ) ,
++though this is not the default.
++Additionally, the authentication spoofing and authentication data
++verification and substitution occur on the client side.
++The security risk of using X11 forwarding is that the client's X11
++display server may be exposed to attack when the SSH client requests
++forwarding (see the warnings for
++.Cm ForwardX11
++in
++.Xr ssh_config 5 ) .
++A system administrator may have a stance in which they want to
++protect clients that may expose themselves to attack by unwittingly
++requesting X11 forwarding, which can warrant a
++.Cm no
++setting.
++.Pp
++Note that disabling X11 forwarding does not prevent users from
++forwarding X11 traffic, as users can always install their own forwarders.
++.It Cm X11UseLocalhost
++Specifies whether
++.Xr sshd 8
++should bind the X11 forwarding server to the loopback address or to
++the wildcard address.
++By default,
++sshd binds the forwarding server to the loopback address and sets the
++hostname part of the
+ .It Cm VACertificateFile
+ File with X.509 certificates in PEM format concatenated together.
+ In use when
+@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when
+ .Cm VAType
+ is set to
+ .Cm ocspspec .
+-.It Cm VersionAddendum
+-Optionally specifies additional text to append to the SSH protocol banner
+-sent by the server upon connection.
+-The default is
+-.Cm none .
+-.It Cm X11DisplayOffset
+-Specifies the first display number available for
+-.Xr sshd 8 Ns 's
+-X11 forwarding.
+-This prevents sshd from interfering with real X11 servers.
+-The default is 10.
+-.It Cm X11Forwarding
+-Specifies whether X11 forwarding is permitted.
+-The argument must be
+-.Cm yes
+-or
+-.Cm no .
+-The default is
+-.Cm no .
+-.Pp
+-When X11 forwarding is enabled, there may be additional exposure to
+-the server and to client displays if the
+-.Xr sshd 8
+-proxy display is configured to listen on the wildcard address (see
+-.Cm X11UseLocalhost ) ,
+-though this is not the default.
+-Additionally, the authentication spoofing and authentication data
+-verification and substitution occur on the client side.
+-The security risk of using X11 forwarding is that the client's X11
+-display server may be exposed to attack when the SSH client requests
+-forwarding (see the warnings for
+-.Cm ForwardX11
+-in
+-.Xr ssh_config 5 ) .
+-A system administrator may have a stance in which they want to
+-protect clients that may expose themselves to attack by unwittingly
+-requesting X11 forwarding, which can warrant a
+-.Cm no
+-setting.
+-.Pp
+-Note that disabling X11 forwarding does not prevent users from
+-forwarding X11 traffic, as users can always install their own forwarders.
+-.It Cm X11UseLocalhost
+-Specifies whether
+-.Xr sshd 8
+-should bind the X11 forwarding server to the loopback address or to
+-the wildcard address.
+-By default,
+-sshd binds the forwarding server to the loopback address and sets the
+-hostname part of the
.Ev DISPLAY
environment variable to
.Cm localhost .
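Review bot: The sshd_config.5 part of this hunk moves the VersionAddendum/X11* entries ahead of VACertificateFile, but the moved span stops at `hostname part of the`, so in the patched manpage the X11UseLocalhost sentence is interrupted by the whole VA* block and only resumes with `.Ev DISPLAY` / `environment variable to` / `.Cm localhost .` after the VAOCSPResponderURL text. Including those three lines in the moved span (added in the first inner hunk before `.It Cm VACertificateFile`, removed in the second inner hunk) would keep the paragraph intact. The previous glue appears to have produced the same split, so this is inherited rather than introduced here, but the patch was regenerated anyway and the fix is three lines.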
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index cb99bbc1bfee..cf6a50c65c0d 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -10,9 +10,9 @@ Reviewed by: ache
Sponsored by: DARPA, NAI Labs
---- session.c 2013-03-14 19:22:37 UTC
-+++ session.c
-@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
+--- session.c.orig 2018-04-01 22:38:28.000000000 -0700
++++ session.c 2018-04-03 13:56:49.599400000 -0700
+@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs
#endif
/* Initialize the environment. */
-@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
+@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
}
#endif
@@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
+@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
-@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
+@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -71,10 +71,10 @@ Sponsored by: DARPA, NAI Labs
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
- /* Set custom environment options from RSA authentication. */
- while (custom_environment) {
- struct envstring *ce = custom_environment;
-@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
+ /* Set custom environment options from pubkey authentication. */
+ if (options.permit_user_env) {
+ for (n = 0 ; n < auth_opts->nenv; n++) {
+@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw)
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
diff --git a/security/openssh-portable/files/patch-upstream-servconf.c b/security/openssh-portable/files/patch-upstream-servconf.c
deleted file mode 100644
index 2937550161a9..000000000000
--- a/security/openssh-portable/files/patch-upstream-servconf.c
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 7c9613fac3371cf65fb07739212cdd1ebf6575da
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Oct 4 18:49:30 2017 +0000
-
- upstream commit
-
- fix (another) problem in PermitOpen introduced during the
- channels.c refactor: the third and subsequent arguments to PermitOpen were
- being silently ignored; ok markus@
-
- Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
-
-diff --git servconf.c servconf.c
-index 2c321a4a..95686295 100644
---- servconf.c
-+++ servconf.c
-@@ -1,5 +1,5 @@
-
--/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
-+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
- /*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
-@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing PermitOpen specification",
- filename, linenum);
-- i = options->num_permitted_opens; /* modified later */
-+ value = options->num_permitted_opens; /* modified later */
- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
-- if (*activep && i == 0) {
-+ if (*activep && value == 0) {
- options->num_permitted_opens = 1;
- options->permitted_opens = xcalloc(1,
- sizeof(*options->permitted_opens));
-@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
- if (arg == NULL || ((port = permitopen_port(arg)) < 0))
- fatal("%s line %d: bad port number in "
- "PermitOpen", filename, linenum);
-- if (*activep && i == 0) {
-+ if (*activep && value == 0) {
- options->permitted_opens = xrecallocarray(
- options->permitted_opens,
- options->num_permitted_opens,