git: de9fffcec89b - main - security/openssh-portable: Update to 8.6p1

Bryan Drewery bdrewery at FreeBSD.org
Thu Apr 29 16:07:18 UTC 2021


The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=de9fffcec89b58fb6f77b72a55975eccb01eb480

commit de9fffcec89b58fb6f77b72a55975eccb01eb480
Author:     Bryan Drewery <bdrewery at FreeBSD.org>
AuthorDate: 2021-04-28 20:15:54 +0000
Commit:     Bryan Drewery <bdrewery at FreeBSD.org>
CommitDate: 2021-04-29 16:05:55 +0000

    security/openssh-portable: Update to 8.6p1
    
    - gssapi is disabled for now.
    
    Changes:
     - https://www.openssh.com/txt/release-8.5
     - https://www.openssh.com/txt/release-8.6
    
    Submitted by:   Yasuhiro Kimura [earlier version][1]
    PR:             254389 [1]
---
 security/openssh-portable/Makefile                 |   8 +-
 security/openssh-portable/distinfo                 |   8 +-
 .../openssh-portable/files/extra-patch-blacklistd  |  44 +++----
 security/openssh-portable/files/extra-patch-hpn    | 144 +++++++++------------
 .../openssh-portable/files/extra-patch-hpn-compat  |   8 +-
 security/openssh-portable/files/patch-auth.c       |  21 ---
 security/openssh-portable/files/patch-readconf.c   |  22 ----
 security/openssh-portable/files/patch-session.c    |  20 +--
 security/openssh-portable/files/patch-ssh-agent.c  |  27 ++--
 security/openssh-portable/files/patch-ssh_config.5 |  14 --
 security/openssh-portable/files/patch-sshd.c       |  43 +++---
 .../files/patch-zz-8.4-CVE-2021-28041              |  32 -----
 12 files changed, 143 insertions(+), 248 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index fe9226f480f1..e9ac6fb39f13 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,8 +1,8 @@
 # Created by: dwcjr at inethouston.net
 
 PORTNAME=	openssh
-DISTVERSION=	8.4p1
-PORTREVISION=	4
+DISTVERSION=	8.6p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -99,8 +99,8 @@ ETCDIR?=		${PREFIX}/etc/ssh
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
+BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index b1c3c22bc242..209322451613 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1605552780
-SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
-SIZE (openssh-8.4p1.tar.gz) = 1742201
-SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
-SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748
+TIMESTAMP = 1619547768
+SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
+SIZE (openssh-8.6p1.tar.gz) = 1786328
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index 539b68c535ac..92e0fc35903e 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -1,5 +1,5 @@
---- blacklist.c.orig	2020-11-16 16:45:24.799150000 -0800
-+++ blacklist.c	2020-11-16 16:45:20.000470000 -0800
+--- blacklist.c.orig	2021-04-28 13:37:52.679784000 -0700
++++ blacklist.c	2021-04-28 13:56:45.677805000 -0700
 @@ -0,0 +1,92 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -75,7 +75,7 @@
 +	default:
 +		imlevel = SYSLOG_LEVEL_DEBUG2;
 +	}
-+	do_log(imlevel, message, args);
++	do_log2(imlevel, message, args);
 +}
 +
 +void
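Review bot: `do_log2(imlevel, message, args)` in the blacklist.c logging shim forwards `args`, which by its name and position looks like a `va_list`, into `do_log2`. If `do_log2` in 8.6p1 is the variadic macro over `sshlog()` rather than a function taking a `va_list`, the list is consumed as one ordinary format argument and the blacklistd library messages are formatted from garbage (undefined behaviour). The `va_list` entry point is the one to call here, along the lines of `sshlogv(__FILE__, __func__, __LINE__, 0, imlevel, NULL, message, args);`. Neither the shim's signature nor log.h is visible in this hunk, so check both against the 8.6p1 tree; the enclosing function starts above the hunk.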
@@ -157,9 +157,9 @@
 +
 +
 +#endif /* BLACKLIST_CLIENT_H */
---- servconf.c.orig	2020-11-16 15:52:13.175438000 -0800
-+++ servconf.c	2020-11-16 15:52:15.812142000 -0800
-@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions *options)
+--- servconf.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ servconf.c	2021-04-28 13:36:19.591999000 -0700
+@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
  	options->max_sessions = -1;
  	options->banner = NULL;
  	options->use_dns = -1;
@@ -167,7 +167,7 @@
  	options->client_alive_interval = -1;
  	options->client_alive_count_max = -1;
  	options->num_authkeys_files = 0;
-@@ -432,6 +433,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
  		options->max_sessions = DEFAULT_SESSIONS_MAX;
  	if (options->use_dns == -1)
  		options->use_dns = 0;
@@ -176,15 +176,15 @@
  	if (options->client_alive_interval == -1)
  		options->client_alive_interval = 0;
  	if (options->client_alive_count_max == -1)
-@@ -528,6 +531,7 @@ typedef enum {
- 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+@@ -506,6 +509,7 @@ typedef enum {
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
  	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
  	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sUseBlacklist,
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sHostKeyAlgorithms,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
  	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -658,6 +662,8 @@ static struct {
+@@ -642,6 +646,8 @@ static struct {
  	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
  	{ "banner", sBanner, SSHCFG_ALL },
  	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
@@ -193,7 +193,7 @@
  	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
  	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
  	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1708,6 +1714,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
  		intptr = &options->use_dns;
  		goto parse_flag;
  
@@ -204,7 +204,7 @@
  	case sLogFacility:
  		log_facility_ptr = &options->log_facility;
  		arg = strdelim(&cp);
-@@ -2841,6 +2851,7 @@ dump_config(ServerOptions *o)
+@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sCompression, o->compression);
  	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -322,17 +322,17 @@
  			ssh_packet_clear_keys(ssh);
  			errno = oerrno;
  			logdie("Unable to negotiate with %s: %s. "
---- sshd.c.orig	2020-11-16 15:52:45.846609000 -0800
-+++ sshd.c	2020-11-16 15:56:34.401305000 -0800
-@@ -131,6 +131,7 @@
+--- sshd.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ sshd.c	2021-04-28 13:37:18.741786000 -0700
+@@ -123,6 +123,7 @@
  #include "version.h"
  #include "ssherr.h"
  #include "sk-api.h"
 +#include "blacklist_client.h"
+ #include "srclimit.h"
+ #include "dh.h"
  
- #ifdef LIBWRAP
- #include <tcpd.h>
-@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
+@@ -366,6 +367,8 @@ grace_alarm_handler(int sig)
  		kill(0, SIGTERM);
  	}
  
@@ -341,9 +341,9 @@
  	/* XXX pre-format ipaddr/port so we don't need to access active_state */
  	/* Log error and exit. */
  	sigdie("Timeout before authentication for %s port %d",
-@@ -2290,6 +2293,9 @@ main(int ac, char **av)
+@@ -2209,6 +2212,9 @@ main(int ac, char **av)
  	if ((loginmsg = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
  	auth_debug_reset();
 +
 +	if (options.use_blacklist)
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index c447b94cb48e..258b36150078 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -131,8 +131,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 (tasota at gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
---- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
+--- work/openssh/channels.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/channels.c	2021-04-28 14:35:20.732518000 -0700
 @@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
  /* Setup helper */
  static void channel_handler_init(struct ssh_channels *sc);
@@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* -- channel core */
  
  void
-@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
  	c->local_window = window;
  	c->local_window_max = window;
  	c->local_maxpacket = maxpack;
@@ -156,7 +156,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c->remote_name = xstrdup(remote_name);
  	c->ctl_chan = -1;
  	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
  	FD_SET(c->sock, writeset);
  }
  
@@ -187,7 +187,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  static void
  channel_pre_open(struct ssh *ssh, Channel *c,
      fd_set *readset, fd_set *writeset)
-@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
@@ -203,27 +203,24 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		}
 +#endif
  		if (!c->have_remote_id)
- 			fatal(":%s: channel %d: no remote id",
- 			    __func__, c->self);
+ 			fatal_f("channel %d: no remote id", c->self);
  		if ((r = sshpkt_start(ssh,
  		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
  		    (r = sshpkt_send(ssh)) != 0) {
- 			fatal("%s: channel %i: %s", __func__,
- 			    c->self, ssh_err(r));
+ 			fatal_fr(r, "channel %i", c->self);
  		}
- 		debug2("channel %d: window %d sent adjust %d",
- 		    c->self, c->local_window,
--		    c->local_consumed);
+ 		debug2("channel %d: window %d sent adjust %d", c->self,
+-		    c->local_window, c->local_consumed);
 -		c->local_window += c->local_consumed;
-+		    c->local_consumed + addition);
++		    c->local_window, c->local_consumed + addition);
 +		c->local_window += c->local_consumed + addition;
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
+@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
  	return addr;
  }
  
@@ -241,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  static int
  channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
      struct Forward *fwd, int *allocated_listen_port,
-@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -259,7 +256,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		c = channel_new(ssh, "port listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
-@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
@@ -358,21 +355,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
---- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/compat.c	2015-04-03 16:39:57.665699000 -0500
-@@ -177,6 +177,14 @@
- 			debug("match: %s pat %s compat 0x%08x",
+--- work/openssh/compat.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/compat.c	2021-04-28 14:37:33.129317000 -0700
+@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+ 			debug_f("match: %s pat %s compat 0x%08x",
  			    version, check[i].pat, check[i].bugs);
- 			datafellows = check[i].bugs;	/* XXX for now */
+ 			ssh->compat = check[i].bugs;
 +#ifdef HPN_ENABLED
 +			/* Check to see if the remote side is OpenSSH and not HPN */
 +			if (strstr(version,"OpenSSH") != NULL &&
 +			    strstr(version,"hpn") == NULL) {
-+				datafellows |= SSH_BUG_LARGEWINDOW;
++				ssh->compat |= SSH_BUG_LARGEWINDOW;
 +				debug("Remote is NON-HPN aware");
 +			}
 +#endif
- 			return check[i].bugs;
+ 			return;
  		}
  	}
 --- work/openssh/compat.h.orig	2015-05-29 03:27:21.000000000 -0500
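Review bot: The HPN detection added to `compat_banner()` sets a behaviour flag from two unanchored `strstr()` tests on `version`, which is the peer's banner and is unauthenticated at this point. Any banner containing `hpn` anywhere is therefore treated as HPN-aware and does not get `SSH_BUG_LARGEWINDOW`. The block also sits inside the table-match branch before `return;`, so it only runs when a `check[]` pattern matched; whether every OpenSSH banner reaches it depends on the table, which is not visible here. A comment above the test would record both facts, e.g. `/* version is the peer's unauthenticated banner; substring match, only reached on a check[] match */`. compat_banner starts and ends outside the hunk.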
@@ -424,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  echo ""
  
---- work.clean/openssh-7.2p1/kex.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/kex.c	2016-02-29 08:02:25.565288000 -0800
-@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh)
+--- work/openssh/kex.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/kex.c	2021-04-28 14:38:31.761909000 -0700
+@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
  			peer[ncomp] = NULL;
  			goto out;
  		}
@@ -447,22 +444,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
-@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
   */
  int
  kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 -    const char *version_addendum)
 +    const char *version_addendum, int hpn_disabled)
  {
- 	int remote_major, remote_minor, mismatch;
+ 	int remote_major, remote_minor, mismatch, oerrno = 0;
  	size_t len, i, n;
-@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
+@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
  	sshbuf_reset(our_version);
  	if (version_addendum != NULL && *version_addendum == '\0')
  		version_addendum = NULL;
 -	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
 +	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
- 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    hpn_disabled ? "" : SSH_HPN,
 +#else
@@ -470,7 +467,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
  	    version_addendum == NULL ? "" : " ",
  	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+ 		oerrno = errno;
 --- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
@@ -527,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  #if !defined(WITH_OPENSSL)
  # undef BIGNUM
  # undef EC_KEY
---- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
-@@ -66,6 +66,9 @@
+--- work/openssh/readconf.c.orig	2021-04-28 13:58:36.413806000 -0700
++++ work/openssh/readconf.c	2021-04-28 14:39:31.145856000 -0700
+@@ -67,6 +67,9 @@
  #include "uidswap.h"
  #include "myproposal.h"
  #include "digest.h"
@@ -539,7 +536,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  /* Format of the configuration file:
  
-@@ -167,6 +170,12 @@ typedef enum {
+@@ -168,6 +171,12 @@ typedef enum {
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
  	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
@@ -552,10 +549,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -304,6 +313,16 @@ static struct {
- 	{ "updatehostkeys", oUpdateHostkeys },
- 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
- 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+@@ -312,6 +321,16 @@ static struct {
+ 	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
+ 	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 +#ifdef NONE_CIPHER_ENABLED
 +	{ "noneenabled", oNoneEnabled },
 +	{ "noneswitch", oNoneSwitch },
@@ -568,8 +565,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
  	{ "ignoreunknown", oIgnoreUnknown },
  	{ "proxyjump", oProxyJump },
- 
-@@ -962,6 +981,44 @@ parse_time:
+ 	{ "securitykeyprovider", oSecurityKeyProvider },
+@@ -1091,6 +1110,44 @@ parse_time:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -614,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
+@@ -2262,6 +2319,16 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -631,7 +628,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	options->proxy_use_fdpass = -1;
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
-@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
+@@ -2432,6 +2499,34 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -908,23 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  .It Fl r
  Recursively copy entire directories when uploading and downloading.
  Note that
---- work.clean/openssh-6.8p1/sftp.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sftp.c	2015-04-03 17:16:00.959795000 -0500
-@@ -71,7 +71,11 @@
- #include "sftp-client.h"
- 
- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
-+#ifdef HPN_ENABLED
-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
-+#else
- #define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
-+#endif
- 
- /* File to read commands from */
- FILE* infile;
---- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
-@@ -954,6 +954,14 @@ main(int ac, char **av)
+--- work/openssh/ssh.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/ssh.c	2021-04-28 14:51:04.682167000 -0700
+@@ -1027,6 +1027,14 @@ main(int ac, char **av)
  			break;
  		case 'T':
  			options.request_tty = REQUEST_TTY_NO;
@@ -939,12 +922,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  			break;
  		case 'o':
  			line = xstrdup(optarg);
-@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
- 	    NULL, fileno(stdin), &command, environ);
+@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+ 	    NULL, fileno(stdin), command, environ);
  }
  
 +static void
-+hpn_options_init(void)
++hpn_options_init(struct ssh *ssh)
 +{
 +	/*
 +	 * We need to check to see if what they want to do about buffer
@@ -969,7 +952,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	else
 +		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
-+	if (datafellows & SSH_BUG_LARGEWINDOW) {
++	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
@@ -1018,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* open new channel for a session */
  static int
  ssh_session2_open(struct ssh *ssh)
-@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh)
  	if (!isatty(err))
  		set_nonblock(err);
  
@@ -1036,7 +1019,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -1046,12 +1029,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("%s: channel_new: %d", __func__, c->self);
+ 	debug3_f("channel_new: %d", c->self);
  
  	channel_send_open(ssh, c->self);
-@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
  {
- 	int devnull, id = -1;
+ 	int r, id = -1;
  	char *cp, *tun_fwd_ifname = NULL;
 +
 +#ifdef HPN_ENABLED
@@ -1060,7 +1043,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	 * might open channels that use the hpn buffer sizes.  We can't send a
 +	 * window of -1 (the default) to the server as it breaks things.
 +	 */
-+	hpn_options_init();
++	hpn_options_init(ssh);
 +#endif
  
  	/* XXX should be pre-session */
@@ -1136,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	/* Put the connection into non-blocking mode. */
---- sshconnect2.c.orig	2020-02-13 16:40:54.000000000 -0800
-+++ sshconnect2.c	2020-03-22 11:10:01.017282000 -0700
-@@ -83,7 +83,13 @@
+--- work/openssh/sshconnect2.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ work/openssh/sshconnect2.c	2021-04-28 14:51:57.237202000 -0700
+@@ -84,7 +84,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
@@ -1152,28 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /*
   * SSH2 key exchange
   */
-@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
 +static char *myproposal[PROPOSAL_MAX];
 +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
  void
- ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+     const struct ssh_conn_info *cinfo)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
  	char *s, *all_key;
  	int r, use_known_hosts_order = 0;
  
-@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
- 		fatal("%s: kex_assemble_namelist", __func__);
+@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 		fatal_fr(r, "kex_assemble_namelist");
  	free(all_key);
  
 +	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
  	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
- 		fatal("%s: kex_names_cat", __func__);
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ 		fatal_f("kex_names_cat");
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
+@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index a02b674ff8b0..c47d0a1d3b5d 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
 
 ------------------------------------------------------------------------
 
---- readconf.c.orig	2020-03-21 16:51:23.450425000 -0700
-+++ readconf.c	2020-03-21 17:00:01.827757000 -0700
-@@ -310,6 +310,12 @@ static struct {
- 	{ "ignoreunknown", oIgnoreUnknown },
+--- readconf.c.orig	2021-04-27 11:24:15.916596000 -0700
++++ readconf.c	2021-04-27 11:25:24.222034000 -0700
+@@ -316,6 +316,12 @@ static struct {
  	{ "proxyjump", oProxyJump },
  	{ "securitykeyprovider", oSecurityKeyProvider },
+ 	{ "knownhostscommand", oKnownHostsCommand },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
deleted file mode 100644
index f9fba8b6ebc8..000000000000
--- a/security/openssh-portable/files/patch-auth.c
+++ /dev/null
@@ -1,21 +0,0 @@
---- UTC
-r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
-Changed paths:
-   M /head/crypto/openssh/auth.c
-
-Use login_getpwclass() instead of login_getclass() so that the root
-vs. default login class distinction is made correctly.
-
-PR:             37416
-
---- auth.c.orig	2010-08-12 11:33:01.000000000 -0600
-+++ auth.c	2010-09-14 16:14:12.000000000 -0600
-@@ -594,7 +594,7 @@
- 	if (!allowed_user(pw))
- 		return (NULL);
- #ifdef HAVE_LOGIN_CAP
--	if ((lc = login_getclass(pw->pw_class)) == NULL) {
-+	if ((lc = login_getpwclass(pw)) == NULL) {
- 		debug("unable to get login class: %s", user);
- 		return (NULL);
- 	}
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
deleted file mode 100644
index 8d98c57c2f82..000000000000
--- a/security/openssh-portable/files/patch-readconf.c
+++ /dev/null
@@ -1,22 +0,0 @@
---- UTC
-base defaults
-
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
-   M /head/crypto/openssh/myproposal.h
-   M /head/crypto/openssh/readconf.c
-   M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
---- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
-+++ readconf.c	2014-11-03 16:45:05.188796445 -0600
-@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
- 	if (options->batch_mode == -1)
- 		options->batch_mode = 0;
- 	if (options->check_host_ip == -1)
--		options->check_host_ip = 1;
-+		options->check_host_ip = 0;
- 	if (options->strict_host_key_checking == -1)
- 		options->strict_host_key_checking = 2;	/* 2 is default */
- 	if (options->compression == -1)
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 84c78b3f9526..b0b9e08008f8 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -13,18 +13,18 @@ to the child process.
 Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
---- session.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ session.c	2020-11-19 14:41:50.745308000 -0800
-@@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
+--- session.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ session.c	2021-04-27 13:11:13.515917000 -0700
+@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
  }
  #endif /* HAVE_ETC_DEFAULT_LOGIN */
  
 -#if defined(USE_PAM) || defined(HAVE_CYGWIN)
 +#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
  static void
- copy_environment_blacklist(char **source, char ***env, u_int *envsize,
-     const char *blacklist)
-@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ copy_environment_denylist(char **source, char ***env, u_int *envsize,
+     const char *denylist)
+@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -34,7 +34,7 @@ Sponsored by:   DARPA, NAI Labs
  		snprintf(buf, sizeof buf, "%.200s/%.50s",
  		    _PATH_MAILDIR, pw->pw_name);
  		child_set_env(&env, &envsize, "MAIL", buf);
-@@ -1067,6 +1068,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  
  	if (getenv("TZ"))
  		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
@@ -48,7 +48,7 @@ Sponsored by:   DARPA, NAI Labs
 +		environ = xmalloc(sizeof(char *));
 +		*environ = NULL;
 +		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
-+		copy_environment_blacklist(environ, &env, &envsize, NULL);
++		copy_environment_denylist(environ, &env, &envsize, NULL);
 +		for (var = environ; *var != NULL; ++var)
 +			free(*var);
 +		free(environ);
@@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
  	if (s->term)
  		child_set_env(&env, &envsize, "TERM", s->term);
  	if (s->display)
-@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw)
+@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
  #ifdef HAVE_LOGIN_CAP
  	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
  		return;
@@ -67,7 +67,7 @@ Sponsored by:   DARPA, NAI Labs
  #else
  	if (pw->pw_uid == 0)
  		return;
-@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 547c8e4958e2..de53881aa541 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ ssh-agent.c	2020-11-09 09:07:10.924940000 -0800
-@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2021-04-15 20:55:25.000000000 -0700
++++ ssh-agent.c	2021-04-27 11:47:59.362589000 -0700
+@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
@@ -35,20 +35,21 @@ disconnected.
 +			last = 1;
 +	}
  	close(e->fd);
- 	e->fd = -1;
- 	e->type = AUTH_UNUSED;
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
- 	sshbuf_free(e->request);
+@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
+ 	memset(e, '\0', sizeof(*e));
+ 	e->fd = -1;
+ 	e->type = AUTH_UNUSED;
 +	if (last)
 +		cleanup_exit(0);
  }
  
  static void
-@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)
- {
- 	u_int i, old_alloc, new_alloc;
+@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
  
+ 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
+ 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
 +	if (type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount + 1);
 +		++xcount;
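Review bot: The counter trace in `new_socket()` still uses plain `debug()` although the upstream line now directly above it is `debug_f(...)`; writing it as `debug_f("xcount %d -> %d", xcount, xcount + 1);` keeps the function name in the log like the rest of the rebased file. The hunk also shows `cleanup_exit(0)` being reached from `close_socket()` once `last` is set, but not how `xcount` is initialised or tied to the `-x` option. A one-line comment at the counter's declaration, such as `/* live AUTH_CONNECTION clients; agent exits when this reaches 0 */`, would make the exit condition reviewable without reading `main()`. Both functions continue outside the visible lines.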
@@ -56,7 +57,7 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1261,7 +1284,7 @@ static void
+@@ -1360,7 +1383,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -65,7 +66,7 @@ disconnected.
  	    "                 [-P allowed_providers] [-t life]\n"
  	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
  	    "                 [-t life] command [arg ...]\n"
-@@ -1295,6 +1318,7 @@ main(int ac, char **av)
+@@ -1394,6 +1417,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -73,7 +74,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1306,7 +1330,7 @@ main(int ac, char **av)
+@@ -1405,7 +1429,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -82,7 +83,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1355,6 +1379,9 @@ main(int ac, char **av)
+@@ -1454,6 +1478,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
index 36bfa04c25f1..8c0e2bf1d5be 100644
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -1,21 +1,7 @@
 --- UTC
-r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
-
-Document the FreeBSD default for CheckHostIP, which was changed in
-rev 1.2 of readconf.c.
 
 --- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
 +++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
-@@ -420,8 +420,7 @@ or
- .Cm no .
- .It Cm CheckHostIP
- If set to
--.Cm yes
--(the default),
-+.Cm yes ,
- .Xr ssh 1
- will additionally check the host IP address in the
- .Pa known_hosts
 @@ -434,6 +433,8 @@ in the process, regardless of the setting of
  If the option is set to
  .Cm no ,
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index c165453ece16..6374e22bbacc 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -33,8 +33,8 @@ of short-living parent. Only mark the master process that accepts
 connections, do not protect connection handlers spawned from inetd.
 
 
---- sshd.c.orig	2010-04-15 23:56:22.000000000 -0600
-+++ sshd.c	2010-09-14 16:14:13.000000000 -0600
+--- sshd.c.orig	2021-04-27 11:49:55.540744000 -0700
++++ sshd.c	2021-04-27 11:50:20.239225000 -0700
 @@ -46,6 +46,7 @@
  
  #include <sys/types.h>
@@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd.
  #include <sys/socket.h>
  #ifdef HAVE_SYS_STAT_H
  # include <sys/stat.h>
-@@ -83,6 +84,13 @@
+@@ -85,6 +86,13 @@
  #include <prot.h>
  #endif
  
@@ -56,24 +56,13 @@ connections, do not protect connection handlers spawned from inetd.
 +
  #include "xmalloc.h"
  #include "ssh.h"
- #include "ssh1.h"
-@@ -1877,6 +1885,10 @@
- 	/* Reinitialize the log (because of the fork above). */
- 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
- 
-+ 	/* Avoid killing the process in high-pressure swapping environments. */
-+ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ 		debug("madvise(): %.200s", strerror(errno));
-+
- 	/* Chdir to the root directory so that the current disk can be
- 	   unmounted if desired. */
- 	if (chdir("/") == -1)
-@@ -1995,6 +2007,29 @@
- 	signal(SIGCHLD, SIG_DFL);
- 	signal(SIGINT, SIG_DFL);
+ #include "ssh2.h"
+@@ -2007,7 +2015,30 @@ main(int ac, char **av)
+ 	for (i = 0; i < options.num_log_verbose; i++)
+ 		log_verbose_add(options.log_verbose[i]);
  
 +#ifdef __FreeBSD__
-+	/*
+ 	/*
 +	 * Initialize the resolver.  This may not happen automatically
 +	 * before privsep chroot().
 +	 */
@@ -95,6 +84,18 @@ connections, do not protect connection handlers spawned from inetd.
 +#endif
 +#endif
 +
++	/*
+ 	 * If not in debugging mode, not started from inetd and not already
+ 	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
+ 	 * terminal, and fork.  The original process exits.
+@@ -2022,6 +2053,10 @@ main(int ac, char **av)
+ 	}
+ 	/* Reinitialize the log (because of the fork above). */
+ 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
++
++ 	/* Avoid killing the process in high-pressure swapping environments. */
++ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ 		debug("madvise(): %.200s", strerror(errno));
+ 
  	/*
- 	 * Register our connection.  This turns encryption off because we do
- 	 * not have a key.
+ 	 * Chdir to the root directory so that the current disk can be
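Review bot: A failing `madvise(NULL, 0, MADV_PROTECT)` is reported only through `debug()`, so at the default log level nothing records that the listening sshd is running without the protection the comment describes. If failure is not expected on a correctly privileged master process (this hunk does not show whether it is), consider `logit("madvise(MADV_PROTECT): %.200s", strerror(errno));`, or extend the comment to say why a failure is safe to ignore. The three added lines also start with a space before the tab, unlike the tab-indented `log_init(...)` line above them. `main` begins and continues outside this hunk.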
diff --git a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041 b/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041
deleted file mode 100644
index 4ac4a7061cb6..000000000000
--- a/security/openssh-portable/files/patch-zz-8.4-CVE-2021-28041
+++ /dev/null
@@ -1,32 +0,0 @@
-untrusted comment: verify with openbsd-68-base.pub
-RWQZj25CSG5R2lgsgSLgQjjy3/BFahe7C64NJOej05Naf0mm//TKykuXL7pxOVsY5rnXH0A6vBdO5UNx7PkuTxLOACHx5xV7Gws=
-
-OpenBSD 6.8 errata 015, March 4, 2021:
-
-Double free in ssh-agent(1)
-
-Apply by doing:
-    signify -Vep /etc/signify/openbsd-68-base.pub -x 015_sshagent.patch.sig \
-        -m - | (cd /usr/src && patch -p0)
-
-And then rebuild and install ssh (as well as ssh-agent)
-    cd /usr/src/usr.bin/ssh
-    make obj
-    make clean
-    make
-    make install
-
-Index: usr.bin/ssh/ssh-agent.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
-diff -u -p -u -r1.264 ssh-agent.c
---- ssh-agent.c	18 Sep 2020 08:16:38 -0000	1.264
-+++ ssh-agent.c	3 Mar 2021 01:08:25 -0000
-@@ -567,6 +567,7 @@ process_add_identity(SocketEntry *e)
- 				goto err;
- 			}
- 			free(ext_name);
-+			ext_name = NULL;
- 			break;
- 		default:
- 			error("%s: Unknown constraint %d", __func__, ctype);

