authorBryan Drewery <bdrewery@FreeBSD.org>2014-02-05 01:40:46 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2014-02-05 01:40:46 +0000
commit8543a6a9209b05db87930e8fb6b2a77c837c399c (patch)
tree7b0df89598abdf4722e3c3a1ca49c76c2f4f4003
parentUpdate to 1560773 (diff)
- Update to 6.5
ChangeLog: http://www.openssh.org/txt/release-6.5 - Update X509 patch to 7.8 - Update LIB_DEPENDS to new format - Revert r328706 and re-enable privilege separation sandboxing by default as the issue causing crashes has been fixed upstream - capsicum(4) is now enabled upstream. A local patch is added to fix an issue with it [1] - KERB_GSSAPI is marked BROKEN. It does not build. This patch lacks an upstream and I have no way to test it. It needs a non-trivial amount of refactoring for 6.5 as the key handling API has changed quite a bit. Submitted by: pjd@ [1]
Notes
Notes: svn path=/head/; revision=342618
-rw-r--r--security/openssh-portable/Makefile25
-rw-r--r--security/openssh-portable/distinfo22
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-build-options12
-rw-r--r--security/openssh-portable/files/openssh.in12
-rw-r--r--security/openssh-portable/files/patch-readconf.c6
-rw-r--r--security/openssh-portable/files/patch-sandbox-capsicum.c17
-rw-r--r--security/openssh-portable/files/patch-servconf.c9
-rw-r--r--security/openssh-portable/files/patch-sshd.c18
-rw-r--r--security/openssh-portable/files/patch-sshd_config19
9 files changed, 89 insertions, 51 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 4636e7cd7e57..d0cb8e91cd1a 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 6.4p1
+DISTVERSION= 6.5p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -12,8 +12,8 @@ PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
-#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
-#LICENSE_FILE= ${WRKSRC}/LICENCE
+#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
+#LICENSE_FILE= ${WRKSRC}/LICENCE
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
@@ -79,21 +79,20 @@ LPK_CONFIGURE_ON= --with-ldap=yes \
LPK_USE= OPENLDAP=yes
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 7.6
+X509_VERSION= 7.8
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= openssh-6.4-x509-glue.patch \
- ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-6.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz
+SCTP_PATCHFILES= ${PORTNAME}-6.5p1-sctp-2329.patch.gz
SCTP_CONFIGURE_WITH= sctp
# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz
+KERB_GSSAPI_PATCHFILES= openssh-6.5p1-gsskex-all-20110125.patch.gz
-MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
-HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal
+MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
+HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
@@ -104,11 +103,15 @@ BSM_CONFIGURE_ON= --with-audit=bsm
.include <bsd.port.pre.mk>
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001.
+.endif
+
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
HPN_VERSION= 14v2
-HPN_DISTVERSION= 6.3p1
+HPN_DISTVERSION= 6.5p1
PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
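Review bot: The message in the added `BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001.` cites 2001, while the patch it describes is named `openssh-6.5p1-gsskex-all-20110125.patch.gz`, so the intended year is presumably 2011; this string is what a user who enables the option sees, so it is worth confirming and fixing. It also reads oddly that KERB_GSSAPI_PATCHFILES is bumped to a 6.5p1-named file (with a matching distinfo entry) in the same commit that declares the option not updated for 6.5; a one-line comment above the `.if ${PORT_OPTIONS:MKERB_GSSAPI}` block saying whether that file is a partial rebase or the old patch re-rolled would save the next maintainer from guessing.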
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index e02e3181a283..2112530b0ea0 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,14 +1,12 @@
-SHA256 (openssh-6.4p1.tar.gz) = 5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
-SIZE (openssh-6.4p1.tar.gz) = 1201402
-SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
-SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
-SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
-SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
-SHA256 (openssh-6.4-x509-glue.patch) = 8a199b3e6fe031775531c82e7a2d18fe468c1193c9d90ba17554ba9de2834876
-SIZE (openssh-6.4-x509-glue.patch) = 1219
-SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
-SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-6.5p1.tar.gz) = a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
+SIZE (openssh-6.5p1.tar.gz) = 1293187
+SHA256 (openssh-6.5p1-hpnssh14v2.diff.gz) = be6915130f2b1aad00235e02d55b67114dbb517b13d04d52a8abac9343166efd
+SIZE (openssh-6.5p1-hpnssh14v2.diff.gz) = 24534
+SHA256 (openssh-6.5p1+x509-7.8.diff.gz) = b096ff7569e9ea3601673383540a986ce87636a984cc605a60dc53574888b992
+SIZE (openssh-6.5p1+x509-7.8.diff.gz) = 225483
+SHA256 (openssh-6.5p1-gsskex-all-20110125.patch.gz) = dd3b0f383a58e490f735646ae27f3dd05db96446e2e4ae8e753b64eee7f46582
+SIZE (openssh-6.5p1-gsskex-all-20110125.patch.gz) = 23516
SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
-SIZE (openssh-sctp-2329.patch.gz) = 8706
+SHA256 (openssh-6.5p1-sctp-2329.patch.gz) = 07acf0c6e6be493dbcf6fb166b846eef99256f6f60f0feb3451522147a1d9464
+SIZE (openssh-6.5p1-sctp-2329.patch.gz) = 8722
diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options
index c4551a51e756..235db7f624a7 100644
--- a/security/openssh-portable/files/extra-patch-hpn-build-options
+++ b/security/openssh-portable/files/extra-patch-hpn-build-options
@@ -36,13 +36,13 @@
--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
-@@ -251,12 +251,16 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
+@@ -268,12 +268,16 @@ static struct {
+ { "canonicalizehostname", oCanonicalizeHostname },
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+#ifdef NONECIPHER
{ "noneenabled", oNoneEnabled },
- { "noneswitch", oNoneSwitch },
+ { "noneswitch", oNoneSwitch },
+#endif
+#ifdef HPN
{ "tcprcvbufpoll", oTcpRcvBufPoll },
@@ -53,7 +53,7 @@
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
-@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+@@ -1739,12 +1743,20 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index 32b8b3519ad3..22b3801571ba 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -38,7 +38,8 @@ openssh_keygen()
if [ -f %%ETCSSH%%/ssh_host_key -a \
-f %%ETCSSH%%/ssh_host_dsa_key -a \
-f %%ETCSSH%%/ssh_host_rsa_key -a \
- -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then
+ -f %%ETCSSH%%/ssh_host_ecdsa_key -a
+ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
return 0
fi
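Review bot: The added line `-f %%ETCSSH%%/ssh_host_ecdsa_key -a` has no trailing backslash, unlike the `-a \` lines above it, so unless the backslash was lost in rendering the `[` test now ends after `-a` (an error from `[` and a false result) and the following `-f %%ETCSSH%%/ssh_host_ed25519_key ]; then` is parsed as a command of its own. The effect is that the early return for "all host keys already exist" never fires and every start prints errors before falling through to the per-key checks below. Change it to `-f %%ETCSSH%%/ssh_host_ecdsa_key -a \`. openssh_keygen() begins before this hunk.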
@@ -83,6 +84,15 @@ openssh_keygen()
%%PREFIX%%/bin/ssh-keygen -t ecdsa \
-f %%ETCSSH%%/ssh_host_ecdsa_key -N ''
fi
+
+ if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
+ echo "You already have a Elliptic Curve ED25519 host key" \
+ "in %%ETCSSH%%/ssh_host_ed25519_key"
+ echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
+ else
+ %%PREFIX%%/bin/ssh-keygen -t ed25519 \
+ -f %%ETCSSH%%/ssh_host_ed25519_key -N ''
+ fi
}
openssh_check_same_ports(){
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index 1066aa8ed0d2..9f2b6369dd66 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -26,10 +26,10 @@ Submitted by: delphij@
#include <sys/stat.h>
#include <sys/socket.h>
+#include <sys/sysctl.h>
+ #include <sys/wait.h>
#include <netinet/in.h>
- #include <netinet/in_systm.h>
-@@ -265,7 +266,19 @@ add_local_forward(Options *options, cons
+@@ -282,7 +283,19 @@
Forward *fwd;
#ifndef NO_IPPORT_RESERVED_CONCEPT
extern uid_t original_real_uid;
@@ -50,7 +50,7 @@ Submitted by: delphij@
fatal("Privileged ports can only be forwarded by root.");
#endif
options->local_forwards = xrealloc(options->local_forwards,
-@@ -1281,7 +1294,7 @@ fill_default_options(Options * options)
+@@ -1607,7 +1620,7 @@
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
diff --git a/security/openssh-portable/files/patch-sandbox-capsicum.c b/security/openssh-portable/files/patch-sandbox-capsicum.c
new file mode 100644
index 000000000000..3f91db8d3469
--- /dev/null
+++ b/security/openssh-portable/files/patch-sandbox-capsicum.c
@@ -0,0 +1,17 @@
+--- sandbox-capsicum.c.orig 2014-01-25 16:39:53.000000000 -0600
++++ sandbox-capsicum.c 2014-02-02 20:14:02.881233373 -0600
+@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ fatal("can't limit stderr: %m");
+
+ cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+- if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
++ if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1 &&
++ errno != ENOSYS)
+ fatal("%s: failed to limit the network socket", __func__);
+ cap_rights_init(&rights, CAP_WRITE);
+- if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
++ if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1 &&
++ errno != ENOSYS)
+ fatal("%s: failed to limit the logging socket", __func__);
+ if (cap_enter() < 0 && errno != ENOSYS)
+ fatal("%s: failed to enter capability mode", __func__);
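Review bot: With the added `errno != ENOSYS` exceptions, a kernel without Capsicum lets ssh_sandbox_child continue with neither socket's rights limited nor, via the existing cap_enter() check, capability mode entered, and nothing in the log records that the sandbox is inactive even though the configured default is now "sandbox". Consider logging the degraded case once, e.g. `debug("%s: capsicum unavailable, sandbox not enforced", __func__);` next to the ENOSYS checks, so an operator can tell from the logs whether the privsep child is actually confined. ssh_sandbox_child continues outside this hunk.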
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 55363fb67186..67e45e98a1fe 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -39,3 +39,12 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
+@@ -335,7 +339,7 @@
+ options->version_addendum = xstrdup("");
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+- use_privsep = PRIVSEP_NOSANDBOX;
++ use_privsep = PRIVSEP_ON;
+
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 422d49a735b1..9f4c84f4d88d 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -42,7 +42,7 @@ connections, do not protect connection handlers spawned from inetd.
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
-@@ -83,6 +83,13 @@
+@@ -83,6 +84,13 @@
#include <prot.h>
#endif
@@ -56,18 +56,18 @@ connections, do not protect connection handlers spawned from inetd.
#include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
-@@ -1823,6 +1824,10 @@
+@@ -1877,6 +1885,10 @@
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
++ /* Avoid killing the process in high-pressure swapping environments. */
++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ debug("madvise(): %.200s", strerror(errno));
+
- /* Initialize the random number generator. */
- arc4random_stir();
-
-@@ -1864,6 +1871,29 @@
+ /* Chdir to the root directory so that the current disk can be
+ unmounted if desired. */
+ if (chdir("/") == -1)
+@@ -1995,6 +2007,29 @@
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index b6a6013d2390..773f90d667f0 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -10,7 +10,7 @@
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -37,7 +40,7 @@
+@@ -41,7 +44,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -19,7 +19,7 @@
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -46,8 +49,7 @@
+@@ -50,8 +53,7 @@
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -29,7 +29,7 @@
#AuthorizedPrincipalsFile none
-@@ -64,11 +66,11 @@
+@@ -68,11 +70,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -44,16 +44,16 @@
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -81,7 +83,7 @@
+@@ -85,7 +87,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
--# Set this to 'yes' to enable PAM authentication, account processing,
+-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
+ # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -90,19 +92,19 @@
+@@ -94,12 +96,12 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -67,12 +67,13 @@
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
- #PrintMotd yes
+ #PermitTTY yes
+@@ -107,7 +109,7 @@
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
-+#UsePrivilegeSeparation yes
++#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0