- Update to 8.4p1 (skipped 8.3)

- https://www.openssh.com/txt/release-8.3 - https://www.openssh.com/txt/release-8.4 PR: 239807, 250319 Sponsored by: Dell EMC
svn path=/head/; revision=555512
2024-12-02 01:20:54 +00:00 · 2020-11-16 19:39:34 +00:00 · 2020-11-16 19:39:34 +00:00 · b773b7cade · 2021-03-31 03:12:20 +00:00
commit b773b7cade
parent 4c20854241
4 changed files with 52 additions and 52 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -2,8 +2,8 @@
 # $FreeBSD$

 PORTNAME=	openssh
-DISTVERSION=	8.2p1
-PORTREVISION=	2
+DISTVERSION=	8.4p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@ -99,12 +99,12 @@ EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-4
+GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-2
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_UPDATE_DATE=	20190719
+GSSAPI_UPDATE_DATE=	20200607
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
 .endif

@ -206,10 +206,11 @@ post-install:

 test: build
 	cd ${WRKSRC} && ${SETENV} -i \
-		OBJ=${WRKDIR} ${MAKE_ENV} \
+		OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
 		LOGNAME="${LOGNAME}" \
+		HOME="${HOME}" \
 		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,5 +1,5 @@
-TIMESTAMP = 1584982081
-SHA256 (openssh-8.2p1.tar.gz) = 43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671
-SIZE (openssh-8.2p1.tar.gz) = 1701197
-SHA256 (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = b035f62000190a2c77257db76b3751acf0e018dc20d55e07a8c3c9702de04989
-SIZE (openssh-8.2p1-gsskex-all-20141021-debian-rh-20190719.patch) = 125954
+TIMESTAMP = 1605552780
+SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24
+SIZE (openssh-8.4p1.tar.gz) = 1742201
+SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
+SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -685,12 +685,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	int64_t rekey_limit;
 	int	rekey_interval;
 	int	no_host_authentication_for_localhost;
--- work/openssh/scp.c.orig	2019-12-20 18:52:08.907088000 -0800
-+++ work/openssh-8.1p1/scp.c	2019-12-20 18:51:55.186005000 -0800
-@@ -1239,7 +1239,7 @@ sink(int argc, char **argv, const char *src)
+--- work/openssh/scp.c.orig	2020-09-27 00:25:01.000000000 -0700
+++ work/openssh/scp.c	2020-11-10 10:31:03.060729000 -0800
+@@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src)
 	off_t size, statbytes;
 	unsigned long long ull;
- 	int setimes, targisdir, wrerrno = 0;
+ 	int setimes, targisdir, wrerr;
 -	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 +	char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN];
 	char **patterns = NULL;
@ -1079,9 +1079,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
 #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
 #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
--- work/openssh/sshconnect.c.orig	2018-10-16 17:01:20.000000000 -0700
-+++ work/openssh/sshconnect.c	2018-11-12 09:04:24.340706000 -0800
-@@ -355,7 +355,32 @@ check_ifaddrs(const char *ifname, int af, const struct
+--- work/openssh/sshconnect.c.orig	2020-09-27 00:25:01.000000000 -0700
+++ work/openssh/sshconnect.c	2020-11-10 21:35:40.945330000 -0800
+@@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct
 }
 #endif
 
@ -1114,7 +1114,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  * Creates a socket for use as the ssh connection.
  */
 static int
-@@ -377,6 +402,11 @@ ssh_create_socket(struct addrinfo *ai)
+@@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai)
 	}
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
 
@ -1126,14 +1126,14 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/* Bind the socket to an alternative local IP address */
 	if (options.bind_address == NULL && options.bind_interface == NULL)
 		return sock;
-@@ -1280,7 +1310,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
+@@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
 	lowercase(host);
 
 	/* Exchange protocol version identification strings with the server. */
-	if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
-+	if (kex_exchange_identification(ssh, timeout_ms, NULL,
-+	    options.hpn_disabled) != 0)
- 		cleanup_exit(255); /* error already logged */
+-	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL,
+	    options.hpn_disabled)) != 0)
+ 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	/* Put the connection into non-blocking mode. */
 --- sshconnect2.c.orig	2020-02-13 16:40:54.000000000 -0800
@ -1204,9 +1204,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	debug("Authentication succeeded (%s).", authctxt.method->name);
 }
 
--- work/openssh-7.7p1/sshd.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/sshd.c	2018-06-27 17:13:03.176633000 -0700
-@@ -957,6 +957,10 @@ listen_on_addrs(struct listenaddr *la)
+--- work/openssh/sshd.c.orig	2020-11-10 21:36:31.340159000 -0800
+++ work/openssh/sshd.c	2020-11-10 21:37:10.097038000 -0800
+@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
 	int ret, listen_sock;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 
 	for (ai = la->addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1002,6 +1006,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
 
 		debug("Bind to port %s on %s.", strport, ntop);
 
@ -1229,9 +1229,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
 		/* Bind the socket to the desired port. */
- 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
 			error("Bind to port %s on %s failed: %.200s.",
-@@ -1645,6 +1656,15 @@ main(int ac, char **av)
+@@ -1753,6 +1764,15 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
@ -1247,7 +1247,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/* challenge-response is implemented via keyboard interactive */
 	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
-@@ -2090,6 +2110,11 @@ main(int ac, char **av)
+@@ -2220,6 +2240,11 @@ main(int ac, char **av)
 	    rdomain == NULL ? "" : "\"");
 	free(laddr);
 
@ -1259,17 +1259,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2102,7 +2127,8 @@ main(int ac, char **av)
- 	if (!debug_flag)
+@@ -2233,7 +2258,7 @@ main(int ac, char **av)
 		alarm(options.login_grace_time);
 
-	if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
-+	if (kex_exchange_identification(ssh, -1, options.version_addendum,
-+	    options.hpn_disabled) != 0)
- 		cleanup_exit(255); /* error already logged */
+ 	if ((r = kex_exchange_identification(ssh, -1,
+-	    options.version_addendum)) != 0)
+	    options.version_addendum, options.hpn_disabled)) != 0)
+ 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	ssh_packet_set_nonblocking(ssh);
-@@ -2264,6 +2290,11 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 	struct kex *kex;
 	int r;
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -8,11 +8,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.

--- ssh-agent.c.orig	2020-02-13 16:40:54.000000000 -0800
-+++ ssh-agent.c	2020-03-21 17:04:44.305866000 -0700
-@@ -167,15 +167,34 @@ static long lifetime = 0;
- 
- static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2020-09-27 00:25:01.000000000 -0700
+++ ssh-agent.c	2020-11-09 09:07:10.924940000 -0800
+@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ /* Refuse signing of non-SSH messages for web-origin FIDO keys */
+ static int restrict_websafe = 1;
 
 +/*
 + * Client connection count; incremented in new_socket() and decremented in
@ -45,7 +45,7 @@ disconnected.
 }
 
 static void
-@@ -875,6 +894,10 @@ new_socket(sock_type type, int fd)
+@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)
 {
 	u_int i, old_alloc, new_alloc;
 
@ -56,16 +56,16 @@ disconnected.
 	set_nonblock(fd);
 
 	if (fd > max_fd)
-@@ -1170,7 +1193,7 @@ static void
+@@ -1261,7 +1284,7 @@ static void
 usage(void)
 {
 	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- 	    "                 [-P provider_whitelist] [-t life] [command [arg ...]]\n"
- 	    "       ssh-agent [-c | -s] -k\n");
- 	exit(1);
-@@ -1202,6 +1225,7 @@ main(int ac, char **av)
+ 	    "                 [-P allowed_providers] [-t life]\n"
+ 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
+ 	    "                 [-t life] command [arg ...]\n"
+@@ -1295,6 +1318,7 @@ main(int ac, char **av)
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());
@ -73,16 +73,16 @@ disconnected.
 
 	platform_disable_tracing(0);	/* strict=no */
 
-@@ -1213,7 +1237,7 @@ main(int ac, char **av)
+@@ -1306,7 +1330,7 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 
-	while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
-+	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
+-	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1256,6 +1280,9 @@ main(int ac, char **av)
+@@ -1355,6 +1379,9 @@ main(int ac, char **av)
 				fprintf(stderr, "Invalid lifetime\n");
 				usage();
 			}