Revert "openssh: security 7.3p1 -> 7.4p1"

This reverts commit 277080fea0d2cf5017e4179a23e370307502c677.

I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080

3 files changed, 52 insertions, 2 deletions

diff --git a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
new file mode 100644
index 000000000000..665eff864530
--- /dev/null
+++ b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
@@ -0,0 +1,37 @@
+diff --git a/kex.c b/kex.c
+index 50c7a0f..823668b 100644
+--- a/kex.c
++++ b/kex.c
+@@ -419,6 +419,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
+ 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		return r;
++        if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++          return r;
+ 	kex->done = 1;
+ 	sshbuf_reset(kex->peer);
+ 	/* sshbuf_reset(kex->my); */
+diff --git a/packet.c b/packet.c
+index d6dad2d..f96566b 100644
+--- a/packet.c
++++ b/packet.c
+@@ -38,7 +38,7 @@
+  */
+ 
+ #include "includes.h"
+- 
++
+ #include <sys/param.h>	/* MIN roundup */
+ #include <sys/types.h>
+ #include "openbsd-compat/sys-queue.h"
+@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 			return r;
+ 		return SSH_ERR_PROTOCOL_ERROR;
+ 	}
+-	if (*typep == SSH2_MSG_NEWKEYS)
+-		r = ssh_set_newkeys(ssh, MODE_IN);
+-	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ 		r = ssh_packet_enable_delayed_compress(ssh);
+ 	else
+ 		r = 0;
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index ce323bae4e78..064f68947b80 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -29,11 +29,11 @@ stdenv.mkDerivation rec {
   # Please ensure that openssh_with_kerberos still builds when
   # bumping the version here!
   name = "openssh-${version}";
-  version = "7.4p1";
+  version = "7.3p1";
 
   src = fetchurl {
     url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "1l8r3x4fr2kb6xm95s7kjdif1wp6f94d4kljh4qjj9109shw87qv";
+    sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
   };
 
   prePatch = optionalString hpnSupport
@@ -44,11 +44,13 @@ stdenv.mkDerivation rec {
 
   patches =
     [
+      ./RH-1380296-NEWKEYS-null-pointer-deref.patch
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch
+      ./fix-CVE-2016-8858.patch
     ]
     ++ optional withGssapiPatches gssapiSrc;
 
diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 000000000000..e526161083c0
--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,11 @@
+diff -u -r1.126 -r1.127
+--- ssh/kex.c	2016/09/28 21:44:52	1.126
++++ ssh/kex.c	2016/10/10 19:28:48	1.127
+@@ -461,6 +461,7 @@
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;