From 35fbd73e89b879c24b0683b9faaaf38505131d43 Mon Sep 17 00:00:00 2001
From: Britney Fransen <brfransen@gmail.com>
Date: Wed, 5 Aug 2015 14:51:38 +0000
Subject: openssh: update to 6.9p1

---
 abs/core/openssh/PKGBUILD                   | 30 +++++++----
 abs/core/openssh/dispatch.patch             | 81 +++++++++++++++++++++++++++++
 abs/core/openssh/error.patch                | 25 +++++++++
 abs/core/openssh/keyboard-interactive.patch | 52 ++++++++++++++++++
 abs/core/openssh/sshd.conf                  |  1 +
 abs/core/openssh/sshdgenkeys.service        | 10 ++--
 6 files changed, 186 insertions(+), 13 deletions(-)
 create mode 100644 abs/core/openssh/dispatch.patch
 create mode 100644 abs/core/openssh/error.patch
 create mode 100644 abs/core/openssh/keyboard-interactive.patch
 create mode 100644 abs/core/openssh/sshd.conf

diff --git a/abs/core/openssh/PKGBUILD b/abs/core/openssh/PKGBUILD
index 63b69d3..6f891ae 100644
--- a/abs/core/openssh/PKGBUILD
+++ b/abs/core/openssh/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 199078 2013-11-08 16:53:32Z bisson $
+# $Id$
 # Maintainer: Gaetan Bisson <bisson@archlinux.org>
 # Contributor: Aaron Griffin <aaron@archlinux.org>
 # Contributor: judd <jvinet@zeroflux.org>
 
 pkgname=openssh
-pkgver=6.4p1
-pkgrel=1
+pkgver=6.9p1
+pkgrel=2
 pkgdesc='Free version of the SSH connectivity tools'
 url='http://www.openssh.org/portable.html'
 license=('custom:BSD')
@@ -14,23 +14,33 @@ makedepends=('linux-headers')
 depends=('krb5' 'openssl' 'libedit' 'ldns')
 optdepends=('xorg-xauth: X11 forwarding'
             'x11-ssh-askpass: input passphrase in X')
-source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
+validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+        'keyboard-interactive.patch'
         'sshdgenkeys.service'
         'sshd@.service'
         'sshd.service'
         'sshd.socket'
+        'sshd.conf'
         'sshd.pam')
-sha1sums=('cf5fe0eb118d7e4f9296fbc5d6884965885fc55d'
-          '6df5be396f8c593bb511a249a1453294d18a01a6'
+sha1sums=('86ab57f00d0fd9bf302760f2f6deac1b6e9df265' 'SKIP'
+          'ef9e9327a943839abb3d202783b318e9cd2bdcd5'
+          'cc1ceec606c98c7407e7ac21ade23aed81e31405'
           '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
           'ec49c6beba923e201505f5669cea48cad29014db'
           'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+          'c9b2e4ce259cd62ddb00364d3ee6f00a8bf2d05f'
           'd93dca5ebda4610ff7647187f8928a3de28703f3')
 
 backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
 
 install=install
 
+prepare() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	patch -p1 -i ../keyboard-interactive.patch
+}
+
 build() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
 
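Review bot: `source=()` and `prepare()` reference only `keyboard-interactive.patch`, yet the diffstat shows this commit also adds `dispatch.patch` and `error.patch` to the same directory, and nothing in this hunk checksums or applies them. Either list them in `source`/`sha1sums` and apply them in `prepare()`, or drop them from the tree so the package directory matches what is actually built into sshd. Because the applied patch changes authentication behaviour, `prepare()` would benefit from a comment such as `# upstream 5b64f85: query each keyboard-interactive device once per auth request; drop once pkgver includes it`. The new `validpgpkeys` entry and `.asc` source are what authenticate the tarball here, since the download still goes over `ftp://` and the checksums are SHA-1.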
@@ -56,9 +66,10 @@ build() {
 check() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
 
-	make tests ||
-	grep $USER /etc/passwd | grep -q /bin/false
-	# connect.sh fails when run with stupid login shell
+	make tests || true
+	# hard to suitably test connectivity:
+	# - fails with /bin/false as login shell
+	# - fails with firewall activated, etc.
 }
 
 package() {
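Review bot: `make tests || true` in `check()` discards every test failure, not only the connectivity cases the new comment lists, so a build whose cryptographic or authentication regression tests fail would still package cleanly. The removed lines tolerated a failure only when the build user's passwd entry showed `/bin/false` as the login shell. At minimum keep the failure visible in the build log, e.g. `make tests || echo 'WARNING: openssh test suite failed; inspect the log before release' >&2`. Consider failing the build unless a known environmental cause is detected.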
@@ -73,6 +84,7 @@ package() {
 	install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
 	install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
 	install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+	install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
 	install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
 
 	install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
diff --git a/abs/core/openssh/dispatch.patch b/abs/core/openssh/dispatch.patch
new file mode 100644
index 0000000..9350d8f
--- /dev/null
+++ b/abs/core/openssh/dispatch.patch
@@ -0,0 +1,81 @@
+From 639d6bc57b1942393ed12fb48f00bc05d4e093e4 Mon Sep 17 00:00:00 2001
+From: djm@openbsd.org <djm@openbsd.org>
+Date: Fri, 01 May 2015 07:10:01 +0000
+Subject: upstream commit
+
+refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
+ to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
+
+Improves error messages on TCP connection resets. bz#2257
+
+ok dtucker@
+---
+diff --git a/dispatch.c b/dispatch.c
+index afe6182..aac933e 100644
+--- a/dispatch.c
++++ b/dispatch.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dispatch.c,v 1.26 2015/02/12 20:34:19 dtucker Exp $ */
++/* $OpenBSD: dispatch.c,v 1.27 2015/05/01 07:10:01 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  *
+@@ -137,22 +137,6 @@ ssh_dispatch_run_fatal(struct ssh *ssh, int mode, volatile sig_atomic_t *done,
+ {
+ 	int r;
+ 
+-	if ((r = ssh_dispatch_run(ssh, mode, done, ctxt)) != 0) {
+-		switch (r) {
+-		case SSH_ERR_CONN_CLOSED:
+-			logit("Connection closed by %.200s",
+-			    ssh_remote_ipaddr(ssh));
+-			cleanup_exit(255);
+-		case SSH_ERR_CONN_TIMEOUT:
+-			logit("Connection to %.200s timed out while "
+-			    "waiting to read", ssh_remote_ipaddr(ssh));
+-			cleanup_exit(255);
+-		case SSH_ERR_DISCONNECTED:
+-			logit("Disconnected from %.200s",
+-			    ssh_remote_ipaddr(ssh));
+-			cleanup_exit(255);
+-		default:
+-			fatal("%s: %s", __func__, ssh_err(r));
+-		}
+-	}
++	if ((r = ssh_dispatch_run(ssh, mode, done, ctxt)) != 0)
++		sshpkt_fatal(ssh, __func__, r);
+ }
+diff --git a/packet.c b/packet.c
+index 4922573..a7727ef 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: packet.c,v 1.208 2015/02/13 18:57:00 markus Exp $ */
++/* $OpenBSD: packet.c,v 1.212 2015/05/01 07:10:01 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1920,9 +1920,19 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
+ 		logit("Connection closed by %.200s", ssh_remote_ipaddr(ssh));
+ 		cleanup_exit(255);
+ 	case SSH_ERR_CONN_TIMEOUT:
+-		logit("Connection to %.200s timed out while "
+-		    "waiting to write", ssh_remote_ipaddr(ssh));
++		logit("Connection to %.200s timed out", ssh_remote_ipaddr(ssh));
+ 		cleanup_exit(255);
++	case SSH_ERR_DISCONNECTED:
++		logit("Disconnected from %.200s",
++		    ssh_remote_ipaddr(ssh));
++		cleanup_exit(255);
++	case SSH_ERR_SYSTEM_ERROR:
++		if (errno == ECONNRESET) {
++			logit("Connection reset by %.200s",
++			    ssh_remote_ipaddr(ssh));
++			cleanup_exit(255);
++		}
++		/* FALLTHROUGH */
+ 	default:
+ 		fatal("%s%sConnection to %.200s: %s",
+ 		    tag != NULL ? tag : "", tag != NULL ? ": " : "",
+--
+cgit v0.9.2
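Review bot: In the added `case SSH_ERR_SYSTEM_ERROR:` branch of `sshpkt_fatal()`, the test `errno == ECONNRESET` is only meaningful if nothing between the failed I/O call and this switch has overwritten `errno`. The hunk does not show that path, so it is worth confirming that callers preserve it. A comment such as `/* errno must still be that of the failed I/O call */` above the test would document the assumption. If `errno` has been clobbered, a reset connection falls through to `fatal()` and is logged as a fatal error rather than as a peer reset, which can skew log-based alerting. `sshpkt_fatal()` begins and ends outside the hunk.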
diff --git a/abs/core/openssh/error.patch b/abs/core/openssh/error.patch
new file mode 100644
index 0000000..1616ba3
--- /dev/null
+++ b/abs/core/openssh/error.patch
@@ -0,0 +1,25 @@
+From 4d24b3b6a4a6383e05e7da26d183b79fa8663697 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Thu, 19 Mar 2015 22:11:59 +0000
+Subject: remove error() accidentally inserted for debugging
+
+pointed out by Christian Hesse
+---
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index b379f05..d39d491 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -153,10 +153,8 @@ mm_request_receive(int sock, Buffer *m)
+ 	debug3("%s entering", __func__);
+ 
+ 	if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
+-		if (errno == EPIPE) {
+-			error("%s: socket closed", __func__);
++		if (errno == EPIPE)
+ 			cleanup_exit(255);
+-		}
+ 		fatal("%s: read: %s", __func__, strerror(errno));
+ 	}
+ 	msg_len = get_u32(buf);
+--
+cgit v0.9.2
diff --git a/abs/core/openssh/keyboard-interactive.patch b/abs/core/openssh/keyboard-interactive.patch
new file mode 100644
index 0000000..4adafeb
--- /dev/null
+++ b/abs/core/openssh/keyboard-interactive.patch
@@ -0,0 +1,52 @@
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ddabe1a..4aff09d 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
++/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
+ /*
+  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2001 Per Allansson.  All rights reserved.
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+-- 
+cgit v0.11.2
+
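Review bot: `devices_done` is declared `u_int`, but both uses in `kbdint_next_device()` build the bit with the signed expression `1 << i`. Writing `1U << i` matches the field's type and avoids undefined behaviour if `i` ever reaches 31; the size of `devices[]` is not visible here. This mask is what enforces "query each device once per authentication request", so the new field must start at zero wherever `KbdintAuthctxt` is allocated. That allocation is outside the hunk and should be checked for zero-initialisation, or given an explicit `kbdintctxt->devices_done = 0;`. `kbdint_next_device()` starts and ends outside the hunk.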
diff --git a/abs/core/openssh/sshd.conf b/abs/core/openssh/sshd.conf
new file mode 100644
index 0000000..ca2a393
--- /dev/null
+++ b/abs/core/openssh/sshd.conf
@@ -0,0 +1 @@
+d /var/empty 0755 root root
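Review bot: The new tmpfiles.d entry carries no comment saying why `/var/empty` is managed. It is presumably sshd's privilege-separation directory (the configure flags are outside this diff), which sshd expects to be root-owned and not group- or world-writable. A leading line such as `# sshd privilege-separation directory: keep root-owned, not group/world-writable` would record that constraint so the mode is not loosened later.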
diff --git a/abs/core/openssh/sshdgenkeys.service b/abs/core/openssh/sshdgenkeys.service
index 8c27d71..1d01b7a 100644
--- a/abs/core/openssh/sshdgenkeys.service
+++ b/abs/core/openssh/sshdgenkeys.service
@@ -2,12 +2,14 @@
 Description=SSH Key Generation
 ConditionPathExists=|!/etc/ssh/ssh_host_key
 ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
-ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
 ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
 ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
 
 [Service]
 ExecStart=/usr/bin/ssh-keygen -A
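Review bot: Each `ConditionPathExists=|!…` line is a trigger, so the unit runs whenever any listed file is missing, and the list therefore has to stay in step with the key types `ssh-keygen -A` actually generates in this build. If a listed type is not produced (for example the legacy `ssh_host_key` or the DSA pair, should the build disable them), its condition stays true and the unit would run on every boot. A type that is generated but not listed would not trigger regeneration on its own. A comment above the list, `# keep in sync with the key types produced by ssh-keygen -A`, would make that dependency explicit.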
-- 
cgit v0.12