security/openssh-portable: sync with upstream
Taken from: HardenedBSD
parent
8186db386c
commit
c9fc0f6048
|
@ -41,7 +41,6 @@ x509_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \
|
||||||
openssh-portable-gssapi
|
openssh-portable-gssapi
|
||||||
x509_PKGNAMESUFFIX= -portable-x509
|
x509_PKGNAMESUFFIX= -portable-x509
|
||||||
|
|
||||||
gssapi_BROKEN= GSSAPI not yet updated for ${DISTVERSION}
|
|
||||||
x509_BROKEN= X509 not yet updated for ${DISTVERSION} - Does anyone use this? Contact maintainer bdrewery@FreeBSD.org
|
x509_BROKEN= X509 not yet updated for ${DISTVERSION} - Does anyone use this? Contact maintainer bdrewery@FreeBSD.org
|
||||||
OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
|
OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
|
||||||
HPN X509 KERB_GSSAPI \
|
HPN X509 KERB_GSSAPI \
|
||||||
|
@ -103,7 +102,7 @@ ETCDIR?= ${PREFIX}/etc/ssh
|
||||||
|
|
||||||
.include <bsd.port.pre.mk>
|
.include <bsd.port.pre.mk>
|
||||||
|
|
||||||
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
|
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
|
||||||
|
|
||||||
# X509 patch includes TCP Wrapper support already
|
# X509 patch includes TCP Wrapper support already
|
||||||
.if ${PORT_OPTIONS:MX509}
|
.if ${PORT_OPTIONS:MX509}
|
||||||
|
@ -113,16 +112,19 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
|
||||||
# Must add this patch before HPN due to conflicts
|
# Must add this patch before HPN due to conflicts
|
||||||
.if ${PORT_OPTIONS:MKERB_GSSAPI}
|
.if ${PORT_OPTIONS:MKERB_GSSAPI}
|
||||||
#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
|
#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
|
||||||
# Patch from:
|
|
||||||
# https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch
|
|
||||||
# which was originally based on 5.7 patch from
|
|
||||||
# http://www.sxw.org.uk/computing/patches/
|
|
||||||
# It is mirrored simply to apply gzip -9.
|
|
||||||
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
|
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
|
||||||
# Needed glue for applying HPN patch without conflict
|
# Needed glue for applying HPN patch without conflict
|
||||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
|
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
|
||||||
. endif
|
. endif
|
||||||
PATCHFILES+= openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex
|
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
|
||||||
|
# pull from.
|
||||||
|
GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-3
|
||||||
|
# - Debian does not use a versioned filename so we trick fetch to make one for
|
||||||
|
# us with the ?<anything>=/ trick.
|
||||||
|
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
|
||||||
|
# Bump this when updating the patch location
|
||||||
|
GSSAPI_UPDATE_DATE= 20190719
|
||||||
|
PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
|
||||||
.endif
|
.endif
|
||||||
|
|
||||||
# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
|
# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
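Review bot: The new `PATCHFILES+=` line names the local distfile from `DISTVERSION` and `GSSAPI_UPDATE_DATE`, but the content fetched is chosen by `GSSAPI_DEBIAN_SUBDIR`, so moving to a different Debian revision of the same version without bumping the date keeps the filename while the upstream content changes. The distinfo SHA256 would reject the mismatch on a clean fetch, but a stale cached copy under the unchanged name would likely still be used when checksums are regenerated. Consider putting the subdir in the name, e.g. `PATCHFILES+= openssh-${GSSAPI_DEBIAN_SUBDIR}-gsskex-all-debian.patch:-p1:gsskex`, or at least widening the comment to `# Bump this whenever GSSAPI_DEBIAN_SUBDIR changes`. Since the `?dummy=/` trick makes the download name synthetic, the recorded checksum is the only thing tying the fetched file to the patch that was reviewed.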
|
||||||
|
|
|
@ -3,5 +3,5 @@ SHA256 (openssh-8.0p1.tar.gz) = bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0
|
||||||
SIZE (openssh-8.0p1.tar.gz) = 1597697
|
SIZE (openssh-8.0p1.tar.gz) = 1597697
|
||||||
SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
|
SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
|
||||||
SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
|
SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
|
||||||
SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc
|
SHA256 (openssh-8.0p1-gsskex-all-20141021-debian-rh-20190719.patch) = 6e07d74626915246d500eeaf9bfb23b1329d6e204d81ba67c09c9c237626c250
|
||||||
SIZE (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = 27612
|
SIZE (openssh-8.0p1-gsskex-all-20141021-debian-rh-20190719.patch) = 128374
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
--- sshconnect2.c.orig 2016-01-19 18:10:12.550854000 -0800
|
--- sshconnect2.c.orig 2019-07-19 11:53:14.918867000 -0700
|
||||||
+++ sshconnect2.c 2016-01-19 18:10:27.290409000 -0800
|
+++ sshconnect2.c 2019-07-19 11:53:16.911086000 -0700
|
||||||
@@ -160,11 +160,6 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
|
||||||
struct kex *kex;
|
char *s, *all_key;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
-#ifdef GSSAPI
|
-#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
- char *orig = NULL, *gss = NULL;
|
- char *orig = NULL, *gss = NULL;
|
||||||
- char *gss_host = NULL;
|
- char *gss_host = NULL;
|
||||||
-#endif
|
-#endif
|
||||||
|
@ -12,13 +12,46 @@
|
||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
|
||||||
@@ -199,6 +194,9 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ char *orig = NULL, *gss = NULL;
|
+ char *orig = NULL, *gss = NULL;
|
||||||
+ char *gss_host = NULL;
|
+ char *gss_host = NULL;
|
||||||
+
|
+
|
||||||
if (options.gss_keyex) {
|
if (options.gss_keyex) {
|
||||||
/* Add the GSSAPI mechanisms currently supported on this
|
/* Add the GSSAPI mechanisms currently supported on this
|
||||||
* client to the key exchange algorithm proposal */
|
* client to the key exchange algorithm proposal */
|
||||||
|
--- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700
|
||||||
|
+++ readconf.c 2019-07-19 12:13:29.614552000 -0700
|
||||||
|
@@ -63,11 +63,11 @@
|
||||||
|
#include "readconf.h"
|
||||||
|
#include "match.h"
|
||||||
|
#include "kex.h"
|
||||||
|
+#include "ssh-gss.h"
|
||||||
|
#include "mac.h"
|
||||||
|
#include "uidswap.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
-#include "ssh-gss.h"
|
||||||
|
|
||||||
|
/* Format of the configuration file:
|
||||||
|
|
||||||
|
--- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700
|
||||||
|
+++ servconf.c 2019-07-19 12:14:43.543687000 -0700
|
||||||
|
@@ -54,6 +54,7 @@
|
||||||
|
#include "sshkey.h"
|
||||||
|
#include "kex.h"
|
||||||
|
#include "mac.h"
|
||||||
|
+#include "ssh-gss.h"
|
||||||
|
#include "match.h"
|
||||||
|
#include "channels.h"
|
||||||
|
#include "groupaccess.h"
|
||||||
|
@@ -64,7 +65,6 @@
|
||||||
|
#include "auth.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
-#include "ssh-gss.h"
|
||||||
|
|
||||||
|
static void add_listen_addr(ServerOptions *, const char *,
|
||||||
|
const char *, int);
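Review bot: The readconf.c and servconf.c hunks added to this glue patch only move `#include "ssh-gss.h"` earlier in the include list, and nothing in the patch explains why. A later sync therefore cannot tell whether the reorder is required or incidental. Text before the first `---` line of a patch file is ignored by patch(1), so a short header could record it, e.g. `Moves the GSSAPI declarations and the ssh-gss.h include out of the context the HPN patch edits; re-check against both patches on every update`. That rationale is inferred from the Makefile comment about applying HPN without conflict, so confirm it before writing it down.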
|
||||||
|
|