- Update to 8.2p1

Release notes: https://www.openssh.com/txt/release-8.2

security/openssh-portable/Makefile

@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	8.1p1
+DISTVERSION=	8.2p1
 PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
@@ -116,7 +116,7 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-1
+GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-4
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex

security/openssh-portable/distinfo

@@ -1,5 +1,5 @@
-TIMESTAMP = 1576982938
-SHA256 (openssh-8.1p1.tar.gz) = 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
-SIZE (openssh-8.1p1.tar.gz) = 1625894
-SHA256 (openssh-8.1p1-gsskex-all-20141021-debian-rh-20190719.patch) = 7875fe41ce090ba2bb3d76c396f9e6de863fbad34235bf97a4012d2f949909fb
-SIZE (openssh-8.1p1-gsskex-all-20141021-debian-rh-20190719.patch) = 128409
+TIMESTAMP = 1584982081
+SHA256 (openssh-8.2p1.tar.gz) = 43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671
+SIZE (openssh-8.2p1.tar.gz) = 1701197
+SHA256 (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = b035f62000190a2c77257db76b3751acf0e018dc20d55e07a8c3c9702de04989
+SIZE (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = 125954

security/openssh-portable/files/extra-patch-hpn

@@ -387,9 +387,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  void     enable_compat13(void);
  void     enable_compat20(void);
---- work.clean/openssh-6.8p1/configure.ac	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/configure.ac	2015-04-03 16:36:28.916502000 -0500
-@@ -4238,6 +4238,25 @@
+--- configure.ac.orig	2020-03-22 11:06:53.034550000 -0700
++++ configure.ac	2020-03-22 11:07:10.017487000 -0700
+@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
      ]
  ) # maildir
  
@@ -415,10 +415,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
  	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
  	disable_ptmx_check=yes
-@@ -4905,6 +4924,8 @@
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
- echo "              Random number source: $RAND_MSG"
+@@ -5459,6 +5478,8 @@ echo "              Random number source: $RAND_MSG"
  echo "             Privsep sandbox style: $SANDBOX_STYLE"
+ echo "                   PKCS#11 support: $enable_pkcs11"
+ echo "                  U2F/FIDO support: $enable_sk"
 +echo "                       HPN support: $HPN_MSG"
 +echo "                NONECIPHER support: $NONECIPHER_MSG"
  
@@ -1136,9 +1136,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		cleanup_exit(255); /* error already logged */
  
  	/* Put the connection into non-blocking mode. */
---- work/openssh/sshconnect2.c.orig	2018-10-16 17:01:20.000000000 -0700
-+++ work/openssh/sshconnect2.c	2018-11-12 09:06:06.338515000 -0800
-@@ -81,7 +81,13 @@
+--- sshconnect2.c.orig	2020-02-13 16:40:54.000000000 -0800
++++ sshconnect2.c	2020-03-22 11:10:01.017282000 -0700
+@@ -83,7 +83,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
@@ -1152,7 +1152,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /*
   * SSH2 key exchange
   */
-@@ -154,16 +160,18 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -156,10 +162,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
@@ -1163,16 +1163,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
  	char *s, *all_key;
- 	int r;
+ 	int r, use_known_hosts_order = 0;
  
- 	xxx_host = host;
- 	xxx_hostaddr = hostaddr;
+@@ -183,6 +190,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr 
+ 		fatal("%s: kex_assemble_namelist", __func__);
+ 	free(all_key);
  
 +	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
  	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
  		fatal("%s: kex_names_cat", __func__);
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -422,6 +430,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -435,6 +443,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");

security/openssh-portable/files/extra-patch-hpn-compat

@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
 
 ------------------------------------------------------------------------
 
---- readconf.c.orig	2017-10-12 12:18:59.927293000 -0700
-+++ readconf.c	2017-10-12 12:19:45.048532000 -0700
-@@ -305,6 +305,12 @@ static struct {
- 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+--- readconf.c.orig	2020-03-21 16:51:23.450425000 -0700
++++ readconf.c	2020-03-21 17:00:01.827757000 -0700
+@@ -310,6 +310,12 @@ static struct {
  	{ "ignoreunknown", oIgnoreUnknown },
  	{ "proxyjump", oProxyJump },
+ 	{ "securitykeyprovider", oSecurityKeyProvider },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2018-10-16 17:01:20.000000000 -0700
-+++ servconf.c	2018-11-10 11:32:09.835817000 -0800
-@@ -645,6 +645,10 @@ static struct {
- 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+--- servconf.c.orig	2020-02-13 16:40:54.000000000 -0800
++++ servconf.c	2020-03-21 17:01:18.011062000 -0700
+@@ -695,6 +695,10 @@ static struct {
  	{ "rdomain", sRDomain, SSHCFG_ALL },
  	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+ 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },

security/openssh-portable/files/patch-ssh-agent.1

@@ -4,8 +4,8 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.1.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.1	2015-06-02 09:45:37.025390000 -0500
+--- ssh-agent.1.orig	2020-02-13 16:40:54.000000000 -0800
++++ ssh-agent.1	2020-03-21 17:03:22.952068000 -0700
 @@ -43,7 +43,7 @@
  .Sh SYNOPSIS
  .Nm ssh-agent
@@ -14,13 +14,13 @@ disconnected.
 +.Op Fl \&Ddx
  .Op Fl a Ar bind_address
  .Op Fl E Ar fingerprint_hash
- .Op Fl t Ar life
-@@ -128,6 +128,8 @@
+ .Op Fl P Ar provider_whitelist
+@@ -125,6 +125,8 @@ A lifetime specified for an identity with
  .Xr ssh-add 1
  overrides this value.
  Without this option the default maximum lifetime is forever.
 +.It Fl x
 +Exit after the last client has disconnected.
- .El
- .Pp
- If a commandline is given, this is executed as a subprocess of the agent.
+ .It Ar command Op Ar arg ...
+ If a command (and optional arguments) is given,
+ this is executed as a subprocess of the agent.

security/openssh-portable/files/patch-ssh-agent.c

@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2017-10-02 12:34:26.000000000 -0700
-+++ ssh-agent.c	2017-10-12 11:31:40.908737000 -0700
-@@ -162,15 +162,34 @@ static long lifetime = 0;
+--- ssh-agent.c.orig	2020-02-13 16:40:54.000000000 -0800
++++ ssh-agent.c	2020-03-21 17:04:44.305866000 -0700
+@@ -167,15 +167,34 @@ static long lifetime = 0;
  
  static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  
@@ -45,7 +45,7 @@ disconnected.
  }
  
  static void
-@@ -745,6 +764,10 @@ new_socket(sock_type type, int fd)
+@@ -875,6 +894,10 @@ new_socket(sock_type type, int fd)
  {
  	u_int i, old_alloc, new_alloc;
  
@@ -56,16 +56,16 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1007,7 +1030,7 @@ static void
+@@ -1170,7 +1193,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ 	    "                 [-P provider_whitelist] [-t life] [command [arg ...]]\n"
  	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
-@@ -1039,6 +1062,7 @@ main(int ac, char **av)
+@@ -1202,6 +1225,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -73,7 +73,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1049,7 +1073,7 @@ main(int ac, char **av)
+@@ -1213,7 +1237,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -82,7 +82,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1092,6 +1116,9 @@ main(int ac, char **av)
+@@ -1256,6 +1280,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}