- Update to 6.3p1

Changelog: http://www.openssh.org/txt/release-6.3 - Use options helpers where possible - Use upstream patch mirror for x509 and HPN - Update HPN patch to v14 and use upstream version - Add option NONECIPHER to allow disabling NONE in HPN patch - Update x509 patch from 7.4.1 to 7.6 - Add support for LDNS and enable by it and VerifyHostKeyDNS/SSHFP by default. See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html which describes this change, but is supported on releases before 10 as well with LDNS option. - Update SCTP to patchlevel 2329 - Update recommendation on secure usage of SSH - Add pkg-message warning about ECDSA key possibly being incorrect due to previously being written as DSA by the rc script and fixed in r299902 in 2012
svn path=/head/; revision=330200
2013-10-13 02:20:07 +00:00 · 2013-10-13 02:20:07 +00:00 · 9a7dab4b5a · 2021-03-31 03:12:20 +00:00
commit 9a7dab4b5a
parent 5504410d20
9 changed files with 342 additions and 119 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -2,8 +2,7 @@
 # $FreeBSD$

 PORTNAME=	openssh
-DISTVERSION=	6.2p2
-PORTREVISION=	5
+DISTVERSION=	6.3p1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
@ -33,8 +32,8 @@ MAKE_ENV+=	SUDO="${SUDO}"

 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN LPK X509 KERB_GSSAPI \
-			OVERWRITE_BASE SCTP AES_THREADED
-OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS HPN
+			OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
+OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
@ -42,18 +41,84 @@ BSM_DESC=		OpenBSM Auditing
 KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		HPN-SSH patch
 LPK_DESC=		LDAP Public Key (LPK) [OBSOLETE]
+LDNS_DESC=		SSHFP/LDNS support
 X509_DESC=		x509 certificate patch
 SCTP_DESC=		SCTP support
 OVERWRITE_BASE_DESC=	OpenSSH overwrite base
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
-AES_THREADED_DESC=	Threaded AES-CTR [HPN/Experimental]
+AES_THREADED_DESC=	Threaded AES-CTR
+NONECIPHER_DESC=	NONE Cipher support

+OPTIONS_SUB=		yes
 PLIST_SUB+=		MANPREFIX=${MANPREFIX}

+LDNS_CONFIGURE_WITH=	ldns
+LDNS_LIB_DEPENDS=	libldns.so:${PORTSDIR}/dns/ldns
+LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
+LDNS_CFLAGS=		-I${LOCALBASE}/include
+LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
+
+# http://www.psc.edu/index.php/hpn-ssh
+HPN_EXTRA_PATCHES=	${FILESDIR}/extra-patch-hpn-window-size
+HPN_CONFIGURE_WITH=		hpn
+NONECIPHER_CONFIGURE_WITH=	nonecipher
+AES_THREADED_CONFIGURE_WITH=	aes-threaded
+
+# See http://code.google.com/p/openssh-lpk/wiki/Main
+# and svn repo described here:
+# http://code.google.com/p/openssh-lpk/source/checkout
+# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
+LPK_PATCHFILES=		${PORTNAME}-lpk-6.3p1.patch.gz
+LPK_CPPFLAGS=		-I${LOCALBASE}/include
+LPK_CONFIGURE_ON=	--with-ldap=yes \
+			--with-ldflags='-L${LOCALBASE}/lib' \
+			--with-cppflags='${CPPFLAGS}'
+LPK_USE=		OPENLDAP=yes
+
+# See http://www.roumenpetrov.info/openssh/
+X509_VERSION=		7.6
+X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
+X509_PATCHFILES=	${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+SCTP_PATCHFILES=	${PORTNAME}-sctp-2329.patch.gz
+SCTP_CONFIGURE_WITH=	sctp
+
+# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
+KERB_GSSAPI_PATCHFILES=	openssh-6.3p1-gsskex-all-20110125.patch.gz
+
+
+MIT_LIB_DEPENDS=		krb5.3:${PORTSDIR}/security/krb5
+HEIMDAL_LIB_DEPENDS=		krb5.26:${PORTSDIR}/security/heimdal
+
+PAM_CONFIGURE_WITH=	pam
+TCP_WRAPPERS_CONFIGURE_WITH=	tcp-wrappers
+
+LIBEDIT_CONFIGURE_WITH=	libedit
+BSM_CONFIGURE_ON=	--with-audit=bsm
+
+
+PORTDOCS=	*
+
 .include <bsd.port.pre.mk>

+# http://www.psc.edu/index.php/hpn-ssh
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+HPN_VERSION=		14v2
+PATCH_SITES+=		${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
+PATCH_SITE_SUBDIR+=	hpnssh/HPN-SSH%20${HPN_VERSION}%20${DISTVERSION}/:hpn
+PATCHFILES+=		${PORTNAME}-${DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-build-options
+# Remove HPN if only AES requested
+.  if !${PORT_OPTIONS:MHPN}
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-no-hpn
+.  endif
+.endif
+
+PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
+
 .if ${OSVERSION} >= 900000
 CONFIGURE_LIBS+=	-lutil
 .endif
@ -66,14 +131,10 @@ EXTRA_PATCHES+=		${FILESDIR}/extra-patch-sshd-utmp-size
 .endif

 .if ${PORT_OPTIONS:MX509}
-.  if ${PORT_OPTIONS:MHPN}
+.  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
 BROKEN=		X509 patch and HPN patch do not apply cleanly together
 .  endif

-.  if ${PORT_OPTIONS:MAES_THREADED}
-BROKEN=		X509 patch and AES_THREADED patch do not apply cleanly together
-.  endif
-
 .  if ${PORT_OPTIONS:MSCTP}
 BROKEN=		X509 patch and SCTP patch do not apply cleanly together
 .  endif
@ -92,44 +153,30 @@ BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
 BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif

+.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
+IGNORE=		You have selected HEIMDAL_BASE but do not have heimdal installed in base
+.endif
+
+.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
+IGNORE=		Pam must be installed in base
+.endif
+
+.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
+IGNORE=		Required /usr/include/tcpd.h missing
+.endif
+
 .if defined(OPENSSH_OVERWRITE_BASE)
 PORT_OPTIONS+=		OVERWRITE_BASE
 .endif

-.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h)
-CONFIGURE_ARGS+=	--with-pam
-.endif
-
-.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h)
-CONFIGURE_ARGS+=	--with-tcp-wrappers
-.endif
-
-.if ${PORT_OPTIONS:MLIBEDIT}
-CONFIGURE_ARGS+=	--with-libedit
-.endif
-
-.if ${PORT_OPTIONS:MBSM}
-CONFIGURE_ARGS+=	--with-audit=bsm
-.endif
-
 .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
-CONFIGURE_ARGS+=	--with-kerberos5
-.  if ${PORT_OPTIONS:MMIT}
-LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
-.  elif ${PORT_OPTIONS:MHEIMDAL}
-LIB_DEPENDS+=		krb5.26:${PORTSDIR}/security/heimdal
-.  elif ${PORT_OPTIONS:MHEIMDAL_BASE}
-.	if !exists(/usr/lib/libkrb5.so)
-IGNORE=		You have selected HEIMDAL_BASE but do not have heimdal installed in base
-.	else
+.	if ${PORT_OPTIONS:MHEIMDAL_BASE}
+.		if ${PORT_OPTIONS:MKERB_GSSAPI}
 CONFIGURE_LIBS+=	-lgssapi_krb5
-.	endif
-.  endif
-
-# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-.	if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCHFILES+=		openssh-6.2p2-gsskex-all-20110125-2.patch.gz
-PATCH_DIST_STRIP=
+.		endif
+CONFIGURE_ARGS+=	--with-kerberos5=/usr
+.	else
+CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
 .	endif
 .	if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
@ -145,52 +192,10 @@ IGNORE=	KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif

-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MHPN}
-HPN_VERSION=		13v14
-PATCHFILES+=		${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
-EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-window-size
-PATCH_DIST_STRIP=
-.endif
-
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MAES_THREADED}
-AES_THREADED_VERSION=		v14
-PATCHFILES+=		${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
-PATCH_DIST_STRIP=
-.endif
-
-# See http://code.google.com/p/openssh-lpk/wiki/Main
-# and svn repo described here:
-# http://code.google.com/p/openssh-lpk/source/checkout
-# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
 .if ${PORT_OPTIONS:MLPK}
-PATCHFILES+=		${PORTNAME}-lpk-6.2p1.patch.gz
-USE_OPENLDAP=		yes
-CPPFLAGS+=		-I${LOCALBASE}/include
-CONFIGURE_ARGS+=	--with-ldap=yes \
-			--with-ldflags='-L${LOCALBASE}/lib' \
-			--with-cppflags='${CPPFLAGS}'
 CONFIGURE_LIBS+=	-lldap
 .endif

-# See http://www.roumenpetrov.info/openssh/
-.if ${PORT_OPTIONS:MX509}
-X509_VERSION=		7.4.1
-PATCH_SITES+=		http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-PATCHFILES+=		${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
-PATCH_DIST_STRIP=	-p1
-PLIST_SUB+=		X509=""
-.else
-PLIST_SUB+=		X509="@comment "
-.endif
-
-# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-.if ${PORT_OPTIONS:MSCTP}
-PATCHFILES+=		${PORTNAME}-sctp-2163.patch.gz
-CONFIGURE_ARGS+=	--with-sctp
-.endif
-
 EMPTYDIR=		/var/empty

 .if ${PORT_OPTIONS:MOVERWRITE_BASE}
@ -201,17 +206,14 @@ NO_MTREE=		yes
 ETCSSH=			/etc/ssh
 USE_RCORDER=		openssh
 PLIST_SUB+=		NOTBASE="@comment "
-PLIST_SUB+=		BASE=""
 PLIST_SUB+=		BASEPREFIX="${PREFIX}"
 .else
 ETCSSH=			${PREFIX}/etc/ssh
 USE_RC_SUBR=		openssh
 PLIST_SUB+=		NOTBASE=""
-PLIST_SUB+=		BASE="@comment "
 .endif

 # After all
-PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509
 SUB_LIST+=		ETCSSH="${ETCSSH}"
 CONFIGURE_ARGS+=	--sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
 .if !empty(CONFIGURE_LIBS)
@ -222,7 +224,10 @@ RC_SCRIPT_NAME=		openssh

 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
-	@${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
+	@${REINPLACE_CMD} \
+	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
+	    -e 's|-lpthread|${PTHREAD_LIBS}|' \
+	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
 			${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
 			${WRKSRC}/ssh_config.5
@ -252,6 +257,10 @@ pre-install:
 post-install:
 	${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
 	${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
+.endif

 test:	build
 	(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,14 +1,12 @@
-SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
-SIZE (openssh-6.2p2.tar.gz) = 1182922
-SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
-SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
-SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
-SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
-SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
-SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
-SHA256 (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 597634f1a9e624b928f0ae647ec2ffba641f94a3ecad1161bce8fb2512c476b8
-SIZE (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 24205
-SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
-SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
-SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
-SIZE (openssh-sctp-2163.patch.gz) = 6764
+SHA256 (openssh-6.3p1.tar.gz) = aea575ededd3ebd45c05d42d0a87af22c79131a847ea440c54e3fdd223f5a420
+SIZE (openssh-6.3p1.tar.gz) = 1201101
+SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
+SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
+SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
+SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
+SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
+SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
+SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
+SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
+SIZE (openssh-sctp-2329.patch.gz) = 8706
--- a/security/openssh-portable/files/extra-patch-hpn-build-options
+++ b/security/openssh-portable/files/extra-patch-hpn-build-options
@ -0,0 +1,142 @@
+--- sshconnect2.c.orig	2013-10-11 08:52:17.836129741 -0500
+++ sshconnect2.c	2013-10-11 08:53:05.776132295 -0500
+@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
+                 }
+         }
+ 
+#ifdef AES_THREADED
+         /* if we are using aes-ctr there can be issues in either a fork or sandbox
+          * so the initial aes-ctr is defined to point to the original single process
+          * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
+                 cipher_reset_multithreaded();
+                 packet_request_rekeying();
+         }
+#endif
+ 
+ 	debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
+--- sshd.c.orig	2013-10-11 08:52:17.848126748 -0500
+++ sshd.c	2013-10-11 08:53:25.929132033 -0500
+@@ -2186,6 +2186,7 @@ main(int ac, char **av)
+ 
+ 	/* Start session. */
+ 
+#ifdef AES_THREADED
+ 	/* if we are using aes-ctr there can be issues in either a fork or sandbox
+          * so the initial aes-ctr is defined to point ot the original single process
+ 	 * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -2201,6 +2202,7 @@ main(int ac, char **av)
+ 		cipher_reset_multithreaded();
+ 		packet_request_rekeying();
+ 	}
+#endif
+ 
+ 	do_authenticated(authctxt);
+ 
+--- readconf.c.orig	2013-10-11 09:24:10.812126846 -0500
+++ readconf.c	2013-10-11 09:19:12.295135966 -0500
+@@ -251,12 +251,16 @@ static struct {
+ 	{ "kexalgorithms", oKexAlgorithms },
+ 	{ "ipqos", oIPQoS },
+ 	{ "requesttty", oRequestTTY },
+#ifdef NONECIPHER
+ 	{ "noneenabled", oNoneEnabled },
+         { "noneswitch", oNoneSwitch },
+#endif
+#ifdef HPN
+ 	{ "tcprcvbufpoll", oTcpRcvBufPoll },
+ 	{ "tcprcvbuf", oTcpRcvBuf },
+ 	{ "hpndisabled", oHPNDisabled },
+ 	{ "hpnbuffersize", oHPNBufferSize },
+#endif
+ 	{ "ignoreunknown", oIgnoreUnknown },
+ 
+ 	{ NULL, oBadOption }
+@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+ 		options->server_alive_interval = 0;
+ 	if (options->server_alive_count_max == -1)
+ 		options->server_alive_count_max = 3;
+#ifdef NONECIPHER
+ 	if (options->none_switch == -1)
+#endif
+ 		options->none_switch = 0;
+#ifdef NONECIPHER
+ 	if (options->none_enabled == -1)
+#endif
+ 		options->none_enabled = 0;
+#ifdef HPN
+ 	if (options->hpn_disabled == -1)
+ 	        options->hpn_disabled = 0;
+#else
+	options->hpn_disabled = 1;
+#endif
+ 	if (options->hpn_buffer_size > -1)
+ 	{
+ 	  /* if a user tries to set the size to 0 set it to 1KB */
+--- servconf.c.orig	2013-10-11 09:24:44.734138483 -0500
+++ servconf.c	2013-10-11 09:25:50.777137928 -0500
+@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
+ 		options->permit_tun = SSH_TUNMODE_NO;
+ 	if (options->zero_knowledge_password_authentication == -1)
+ 		options->zero_knowledge_password_authentication = 0;
+#ifdef NONECIPHER
+ 	if (options->none_enabled == -1) 
+#endif
+ 		options->none_enabled = 0;
+#ifdef HPN
+ 	if (options->hpn_disabled == -1) 
+ 		options->hpn_disabled = 0;
+#else
+	options->hpn_disabled = 1;
+#endif
+ 
+ 	if (options->hpn_buffer_size == -1) {
+ 		/* option not explicitly set. Now we have to figure out */
+--- configure.ac.orig	2013-10-12 17:17:41.525139481 -0500
+++ configure.ac	2013-10-12 17:18:35.610130039 -0500
+@@ -3968,6 +3968,34 @@
+     ]
+ ) # maildir
+ 
+#check whether user wants HPN support
+HPN_MSG="no"
+AC_ARG_WITH(hpn,
+	[  --with-hpn             Enable HPN support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HPN,1,[Define if you want HPN support.])
+		HPN_MSG="yes"
+	fi ]
+)
+#check whether user wants NONECIPHER support
+NONECIPHER_MSG="no"
+AC_ARG_WITH(nonecipher,
+	[  --with-nonecipher             Enable NONECIPHER support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
+		NONECIPHER_MSG="yes"
+	fi ]
+)
+#check whether user wants AES_THREADED support
+AES_THREADED_MSG="no"
+AC_ARG_WITH(aes-threaded,
+	[  --with-aes-threaded             Enable AES_THREADED support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
+		AES_THREADED_MSG="yes"
+	fi ]
+)
+
+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
+ 	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
+ 	disable_ptmx_check=yes
+@@ -4636,6 +4664,9 @@
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+ echo "              Random number source: $RAND_MSG"
+ echo "             Privsep sandbox style: $SANDBOX_STYLE"
+echo "                       HPN support: $HPN_MSG"
+echo "                NONECIPHER support: $NONECIPHER_MSG"
+echo "              AES_THREADED support: $AES_THREADED_MSG"
+ 
+ echo ""
+ 
--- a/security/openssh-portable/files/extra-patch-hpn-no-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn-no-hpn
@ -0,0 +1,32 @@
+--- sshd_config.orig	2013-10-12 06:40:05.766128740 -0500
+++ sshd_config	2013-10-12 06:40:06.646129924 -0500
+@@ -125,20 +125,6 @@
+ # override default of no subsystems
+ Subsystem	sftp	/usr/libexec/sftp-server
+ 
+-# the following are HPN related configuration options
+-# tcp receive buffer polling. disable in non autotuning kernels
+-#TcpRcvBufPoll yes
+- 
+-# disable hpn performance boosts
+-#HPNDisabled no
+-
+-# buffer size for hpn to non-hpn connections
+-#HPNBufferSize 2048
+-
+-
+-# allow the use of the none cipher
+-#NoneEnabled no
+-
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ #	X11Forwarding no
+--- version.h.orig	2013-10-12 06:42:19.578133368 -0500
+++ version.h	2013-10-12 06:42:28.581136160 -0500
+@@ -3,5 +3,4 @@
+ #define SSH_VERSION	"OpenSSH_6.3"
+ 
+ #define SSH_PORTABLE	"p1"
+-#define SSH_HPN         "-hpn14v2"
+-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--- a/security/openssh-portable/files/extra-patch-ldns
+++ b/security/openssh-portable/files/extra-patch-ldns
@ -0,0 +1,51 @@
+r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+   M /head/crypto/openssh/ssh_config
+   M /head/crypto/openssh/ssh_config.5
+
+Change the default value of VerifyHostKeyDNS to "yes" if compiled with
+LDNS.  With that setting, OpenSSH will silently accept host keys that
+match verified SSHFP records.  If an SSHFP record exists but could not
+be verified, OpenSSH will print a message and prompt the user as usual.
+
+--- readconf.c	2013-10-03 08:15:03.496131082 -0500
+++ readconf.c	2013-10-03 08:15:22.716134315 -0500
+@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
+ 		options->rekey_limit = 0;
+ 	if (options->rekey_interval == -1)
+ 		options->rekey_interval = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
+ 	if (options->verify_host_key_dns == -1)
+ 		options->verify_host_key_dns = 0;
+#endif
+ 	if (options->server_alive_interval == -1)
+ 		options->server_alive_interval = 0;
+ 	if (options->server_alive_count_max == -1)
+--- ssh_config	2013-10-03 08:15:03.537131330 -0500
+++ ssh_config	2013-10-03 08:15:22.755131175 -0500
+@@ -44,5 +44,6 @@
+ #   TunnelDevice any:any
+ #   PermitLocalCommand no
+ #   VisualHostKey no
+#   VerifyHostKeyDNS yes
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+--- ssh_config.5	2013-10-03 08:15:03.621130815 -0500
+++ ssh_config.5	2013-10-03 08:15:22.851132133 -0500
+@@ -1246,7 +1246,10 @@ The argument must be
+ or
+ .Dq ask .
+ The default is
+-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
+ Note that this option applies to protocol version 2 only.
+ .Pp
+ See also VERIFYING HOST KEYS in
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@ -41,8 +41,8 @@
 +		    LOGIN_SETENV|LOGIN_SETPATH);
 +		copy_environment(environ, &env, &envsize);
 +		for (var = environ; *var != NULL; ++var)
-+			xfree(*var);
-+		xfree(environ);
+			free(*var);
+		free(environ);
 +		environ = senv;
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -90,13 +90,3 @@ disconnected.
 		default:
 			usage();
 		}
-@@ -1348,8 +1376,7 @@
- 	if (ac > 0)
- 		parent_alive_interval = 10;
- 	idtab_init();
-	if (!d_flag)
-		signal(SIGINT, SIG_IGN);
-+	signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- 	signal(SIGPIPE, SIG_IGN);
- 	signal(SIGHUP, cleanup_handler);
- 	signal(SIGTERM, cleanup_handler);
--- a/security/openssh-portable/pkg-message
+++ b/security/openssh-portable/pkg-message
@ -10,6 +10,6 @@ the base system.  Please be aware of this when upgrading your
 OpenSSH port, and if truly necessary, re-enable remote root login
 by readjusting this option in your sshd_config.

-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
+Users are encouraged to create single-purpose users with ssh keys, disable
+Password auth with 'PasswordAuthentication no' and define very narrow sudo
+privileges instead of using root for automated tasks.
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@ -12,14 +12,15 @@ bin/ssh-keyscan
 %%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
 %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
 %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%BASE%%@cwd /
+%%OVERWRITE_BASE%%@cwd /
 etc/ssh/ssh_config-dist
 etc/ssh/sshd_config-dist
-%%BASE%%@cwd %%BASEPREFIX%%
+%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
 %%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
 %%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
 %%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
 %%NOTBASE%%@dirrmtry etc/ssh
+@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
 sbin/sshd
 libexec/sftp-server
 libexec/ssh-keysign