git: 75f9d5c7e36b - stable/13 - ssh: update to OpenSSH 9.1p1
Date: Wed, 26 Oct 2022 16:43:14 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=75f9d5c7e36b452f4f76356dfeb8bba51d64e51b

commit 75f9d5c7e36b452f4f76356dfeb8bba51d64e51b
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-19 14:27:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-26 16:42:37 +0000

    ssh: update to OpenSSH 9.1p1

    Release notes are available at https://www.openssh.com/txt/release-9.1

    9.1 contains fixes for three minor memory safety problems; these have
    already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD
    base system.

    Some highlights copied from the release notes:

    Potentially-incompatible changes
    --------------------------------

    * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
      now first-match-wins to match other directives. Previously if an
      environment variable was multiply specified the last set value would
      have been used. bz3438

    * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
      will no longer generate DSA keys, as these are insecure and have not
      been used by default for some years.

    New features
    ------------

    * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA
      key length. Keys below this length will be ignored for user
      authentication and for host authentication in sshd(8).

    * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
      request that allows the client to obtain user/group names that
      correspond to a set of uids/gids.

    * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension
      (when available) to fill in user/group names for directory listings.

    * sftp-server(8): support the "home-directory" extension request
      defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a
      bit with the existing "expand-path@openssh.com", but some other
      clients support it.

    * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig
      verification times and authorized_keys expiry-time options to accept
      dates in the UTC time zone in addition to the default of interpreting
      them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times
      will be interpreted as UTC if suffixed with a 'Z' character.

      Also allow certificate validity intervals to be specified in raw
      seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is
      intended for use by regress tests and other tools that call
      ssh-keygen as part of a CA workflow. bz3468

    * sftp(1): allow arguments to the sftp -D option, e.g.
      sftp -D "/usr/libexec/sftp-server -el debug3"

    * ssh-keygen(1): allow the existing -U (use agent) flag to work with
      "-Y sign" operations, where it will be interpreted to require that
      the private key is hosted in an agent; bz3429

    MFC after:      2 weeks
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
---
 crypto/openssh/.depend                             |     5 +-
 crypto/openssh/.git_allowed_signers                |     5 +
 crypto/openssh/.git_allowed_signers.asc            |    16 +
 crypto/openssh/.github/configs                     |    75 +-
 crypto/openssh/.github/configure.sh                |     2 +-
 crypto/openssh/.github/run_test.sh                 |    14 +
 crypto/openssh/.github/setup_ci.sh                 |    63 +-
 crypto/openssh/.github/workflows/c-cpp.yml         |    60 +-
 crypto/openssh/.github/workflows/selfhosted.yml    |    12 +-
 crypto/openssh/.github/workflows/upstream.yml      |    13 +-
 crypto/openssh/.skipped-commit-ids                 |     1 +
 crypto/openssh/ChangeLog                           | 15789 +++++++++----------
 crypto/openssh/INSTALL                             |     7 +-
 crypto/openssh/LICENCE                             |     1 +
 crypto/openssh/Makefile.in                         |    67 +-
 crypto/openssh/PROTOCOL                            |    65 +-
 crypto/openssh/PROTOCOL.agent                      |     6 +-
 crypto/openssh/PROTOCOL.key                        |    12 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/README.md                           |     8 +-
 crypto/openssh/addr.c                              |     4 +-
 crypto/openssh/auth.c                              |   155 +-
 crypto/openssh/auth.h                              |    26 +-
 crypto/openssh/auth2-hostbased.c                   |     7 +-
 crypto/openssh/auth2-passwd.c                      |    10 +-
 crypto/openssh/auth2-pubkey.c                      |   357 +-
 crypto/openssh/auth2-pubkeyfile.c                  |   501 +
 crypto/openssh/authfd.c                            |     3 +-
 crypto/openssh/authfile.c                          |    19 +-
 crypto/openssh/channels.c                          |    43 +-
 crypto/openssh/channels.h                          |     4 +-
 crypto/openssh/cipher-ctr.c                        |   146 -
 crypto/openssh/cipher.c                            |    13 -
 crypto/openssh/clientloop.c                        |    14 +-
 crypto/openssh/compat.c                            |    15 +-
 crypto/openssh/config.h                            |    46 +-
 crypto/openssh/configure.ac                        |   313 +-
 crypto/openssh/contrib/redhat/openssh.spec         |     2 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/int32_minmax.inc                    |     0
 crypto/openssh/krl.c                               |     4 +-
 crypto/openssh/misc.c                              |    43 +-
 crypto/openssh/misc.h                              |     4 +-
 crypto/openssh/moduli                              |   801 +-
 crypto/openssh/moduli.5                            |     9 +-
 crypto/openssh/moduli.c                            |    14 +-
 crypto/openssh/monitor.c                           |     2 +-
 crypto/openssh/monitor_wrap.c                      |     2 +-
 crypto/openssh/monitor_wrap.h                      |     4 +-
 crypto/openssh/mux.c                               |    11 +-
 crypto/openssh/openbsd-compat/Makefile.in          |    10 +-
 crypto/openssh/openbsd-compat/arc4random.c         |   284 +-
 crypto/openssh/openbsd-compat/arc4random.h         |    79 +
 crypto/openssh/openbsd-compat/arc4random_uniform.c |    64 +
 crypto/openssh/openbsd-compat/bsd-asprintf.c       |     1 +
 crypto/openssh/openbsd-compat/bsd-getentropy.c     |    82 +
 crypto/openssh/openbsd-compat/bsd-misc.c           |    12 +
 crypto/openssh/openbsd-compat/bsd-timegm.c         |    82 +
 crypto/openssh/openbsd-compat/getcwd.c             |     5 +-
 crypto/openssh/openbsd-compat/openbsd-compat.h     |    23 +-
 crypto/openssh/openbsd-compat/openssl-compat.h     |    25 -
 crypto/openssh/packet.c                            |     4 +-
 crypto/openssh/readconf.c                          |    60 +-
 crypto/openssh/readconf.h                          |    12 +-
 crypto/openssh/readpass.c                          |     5 +-
 crypto/openssh/regress/agent-ptrace.sh             |     2 +-
 crypto/openssh/regress/envpass.sh                  |    67 +-
 crypto/openssh/regress/forward-control.sh          |    51 +-
 crypto/openssh/regress/misc/fuzz-harness/Makefile  |     5 +-
 .../regress/misc/fuzz-harness/authkeys_fuzz.cc     |    81 +
 crypto/openssh/regress/misc/sk-dummy/sk-dummy.c    |     2 +-
 crypto/openssh/regress/multiplex.sh                |    16 +-
 crypto/openssh/regress/scp.sh                      |    27 +-
 crypto/openssh/regress/scp3.sh                     |     6 +
 crypto/openssh/regress/sftp-cmds.sh                |     7 +-
 crypto/openssh/regress/test-exec.sh                |    41 +-
 .../openssh/regress/unittests/misc/test_convtime.c |    64 +-
 crypto/openssh/sandbox-capsicum.c                  |     4 +
 crypto/openssh/sandbox-seccomp-filter.c            |    15 +-
 crypto/openssh/scp.1                               |     5 +-
 crypto/openssh/scp.c                               |    12 +-
 crypto/openssh/servconf.c                          |    19 +-
 crypto/openssh/servconf.h                          |     3 +-
 crypto/openssh/serverloop.c                        |     5 +-
 crypto/openssh/sftp-client.c                       |   215 +-
 crypto/openssh/sftp-client.h                       |    26 +-
 crypto/openssh/sftp-common.c                       |    18 +-
 crypto/openssh/sftp-common.h                       |     5 +-
 crypto/openssh/sftp-server-main.c                  |     2 -
 crypto/openssh/sftp-server.c                       |    94 +-
 crypto/openssh/sftp-usergroup.c                    |   239 +
 crypto/openssh/sftp-usergroup.h                    |    25 +
 crypto/openssh/sftp.1                              |    11 +-
 crypto/openssh/sftp.c                              |   204 +-
 crypto/openssh/sk-api.h                            |     6 +-
 crypto/openssh/sk-usbhid.c                         |   115 +-
 crypto/openssh/sk_config.h                         |     1 +
 crypto/openssh/ssh-add.c                           |     6 +-
 crypto/openssh/ssh-agent.c                         |    24 +-
 crypto/openssh/ssh-ed25519.c                       |     8 +-
 crypto/openssh/ssh-keygen.1                        |   224 +-
 crypto/openssh/ssh-keygen.c                        |   186 +-
 crypto/openssh/ssh-keyscan.1                       |    10 +-
 crypto/openssh/ssh-pkcs11-helper.8                 |    23 +-
 crypto/openssh/ssh-sk-helper.8                     |    23 +-
 crypto/openssh/ssh-sk-helper.c                     |     3 +-
 crypto/openssh/ssh-sk.c                            |     7 +-
 crypto/openssh/ssh-xmss.c                          |     4 +-
 crypto/openssh/ssh.1                               |    12 +-
 crypto/openssh/ssh.c                               |    30 +-
 crypto/openssh/ssh_config.5                        |    25 +-
 crypto/openssh/ssh_namespace.h                     |     3 +-
 crypto/openssh/sshbuf-getput-basic.c               |     2 +-
 crypto/openssh/sshbuf-getput-crypto.c              |     2 +-
 crypto/openssh/sshbuf.c                            |     9 +-
 crypto/openssh/sshbuf.h                            |     2 +-
 crypto/openssh/sshconnect.c                        |     6 +-
 crypto/openssh/sshconnect2.c                       |    74 +-
 crypto/openssh/sshd.8                              |    12 +-
 crypto/openssh/sshd.c                              |    34 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |    24 +-
 crypto/openssh/sshkey.c                            |    96 +-
 crypto/openssh/sshkey.h                            |     3 +-
 crypto/openssh/sshlogin.c                          |     1 +
 crypto/openssh/version.h                           |     6 +-
 crypto/openssh/xmss_hash.c                         |     5 +-
 secure/lib/libssh/Makefile                         |     2 +-
 secure/usr.bin/sftp/Makefile                       |     3 +-
secure/usr.sbin/sshd/Makefile | 2 +- 130 files changed, 11440 insertions(+), 10371 deletions(-) diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend index cd38d15f8f52..fca83a67c970 100644 --- a/crypto/openssh/.depend +++ b/crypto/openssh/.depend 
@@ -27,6 +27,7 @@ auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h 
auth.h auth-pam.h audit.h loginrec.h auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h +auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h compat.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h auth2.o: digest.h auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h 
misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h compat.h log.h ssherr.h atomicio.h misc.h 
@@ -39,7 +40,6 @@ cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-aesctr.h rijndael.h cipher-chachapoly-libcrypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h 
openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sshbuf.h cipher-chachapoly.h chacha.h poly1305.h -cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h 
channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h 
@@ -122,7 +122,8 @@ sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com sftp-realpath.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sftp.h misc.h xmalloc.h sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h 
openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h -sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h +sftp-usergroup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h 
openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h log.h ssherr.h xmalloc.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h +sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h 
openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h diff --git a/crypto/openssh/.git_allowed_signers b/crypto/openssh/.git_allowed_signers new file mode 100644 index 000000000000..0313c1ecd17f --- /dev/null +++ b/crypto/openssh/.git_allowed_signers 
@@ -0,0 +1,5 @@ +dtucker@dtucker.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG +djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg== +djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg== +djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg== +djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPM4BmUg/fMnsl42JwktTekk/mB8Be3M+yK2ayg6lqYsqEri8yhRx84gey51OHKVk1TwlGbJjcMHI4URreDBEMQAAAAEc3NoOg== diff --git a/crypto/openssh/.git_allowed_signers.asc b/crypto/openssh/.git_allowed_signers.asc new file mode 100644 index 000000000000..5fc6118ca9a6 --- /dev/null +++ b/crypto/openssh/.git_allowed_signers.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmMMMiIACgkQKj9BTnNg +YLpyGhAAhZ1RxmD62JnT0gnor1aD0inq1fGPRadaFvXH2OScPcxXMIZWx+otnyZ/ +H9s0bIti42dPHqurgh92KS2mDGVIW8Y8MvxFUr678+hdem1U7Xvjoo0uaveNhJhe +GxuQDOvXKRmmfL2c6w3wnFChFA1o3K+JNshjCHhWz7u6+UmY0Q9yIxqbSi+vmEPP +NfWPfGdu4h8r7q11UgTxRSUQkfZXMqpBtb367B9BLduGuKRFKEJNyi6WpjBrqy38 +BvEbAaL52KX8hEp3TKMjo38RbOK+veSoPV5zlLui0WlEwwasgljal3f4RkqCAJob +hqpFJRogM5XNnA2e68TDTf3buJ3wRRjuK39/CusOJz5v4i6+VCdte+BET1Y4gD6y +v8KV4pRyumcdbN3khFUkmaQsjo+fyQjWNrgOvv60J2xUWZdchn8lxHOxrfRVKnOi +BD4bdks7tPQY/XsS5GNJIp21Ji9HGyBajjHo0BlesLodw7FEOf6YE18A3n9qzosR +RliuP4Hs/Z4sCUuDTbpKtQiUVs40kBbkhEL8kS8FsXz3VO89hAWaUqNUYom8AkKv +nfDjrZDBLXuVj1Mi8qNPXxqrB/1Cza2/W4U7SK4TlMFXfoXXWxxhefN5vIdMhAJB +u9Mdz1pY9mowKbd0c0dR+3fauvjM133dzKuyeDHMqDa5JPyd59o= +=kgnS +-----END PGP SIGNATURE----- diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs index 871a3d414d94..6bf1ab27f0ca 100755 --- a/crypto/openssh/.github/configs +++ b/crypto/openssh/.github/configs @@ -10,6 +10,8 @@ config=$1 +unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO + TEST_TARGET="tests" LTESTS="" SKIP_LTESTS="" @@ -32,7 +34,9 @@ case "$config" in TEST_TARGET=t-exec ;; cygwin-release) - CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin" + # See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD + CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin" + CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip" ;; clang-12-Werror) CC="clang-12" 
@@ -41,6 +45,57 @@ case "$config" in CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter" CONFIGFLAGS="--with-pam --with-Werror" ;; + *-sanitize-*) + case "$config" in + gcc-*) + CC=gcc + ;; + clang-*) + # Find the newest available version of clang + for i in `seq 10 99`; do + clang="`which clang-$i 2>/dev/null`" + [ -x "$clang" ] && CC="$clang" + done + ;; + esac + # Put Sanitizer logs in regress dir. + SANLOGS=`pwd`/regress + # - We replace chroot with chdir so that the sanitizer in the preauth + # privsep process can read /proc. + # - clang does not recognizes explicit_bzero so we use bzero + # (see https://github.com/google/sanitizers/issues/1507 + # - openssl and zlib trip ASAN. + # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow. + case "$config" in + *-sanitize-address) + CFLAGS="-fsanitize=address -fno-omit-frame-pointer" + LDFLAGS="-fsanitize=address" + CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"' + CONFIGFLAGS="" + TEST_TARGET="t-exec" + ;; + clang-sanitize-memory) + CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer" + LDFLAGS="-fsanitize=memory" + CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"' + CONFIGFLAGS="--without-openssl --without-zlib --without-shadow" + TEST_TARGET="t-exec" + ;; + *-sanitize-undefined) + CFLAGS="-fsanitize=undefined" + LDFLAGS="-fsanitize=undefined" + ;; + *) + echo unknown sanitize option; + exit 1;; + esac + features="--disable-security-key --disable-pkcs11" + hardening="--without-sandbox --without-hardening --without-stackprotect" + privsep="--with-privsep-user=root" + CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep" + # Because we hobble chroot we can't test it. + SKIP_LTESTS=sftp-chroot + ;; gcc-11-Werror) CC="gcc" # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled 
@@ -107,14 +162,15 @@ case "$config" in # Valgrind slows things down enough that the agent timeout test # won't reliably pass, and the unit tests run longer than allowed # by github so split into three separate tests. - tests2="rekey integrity try-ciphers sftp" - tests3="krl forward-control sshsig agent-restrict kextype" + tests2="rekey integrity try-ciphers" + tests3="krl forward-control sshsig agent-restrict kextype sftp" tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent" case "$config" in valgrind-1) # All tests except agent-timeout (which is flaky under valgrind) - #) and slow ones that run separately to increase parallelism. - SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}" + # and hostbased (since valgrind won't let ssh exec keysign). + # Slow ones are run separately to increase parallelism. + SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}" ;; valgrind-2) LTESTS="${tests2}" @@ -201,10 +257,13 @@ case "${TARGET_HOST}" in ;; esac -# Unless specified otherwise, build without OpenSSL on Mac OS since -# modern versions don't ship with libcrypto. case "`./config.guess`" in +*cygwin) + SUDO="" + ;; *-darwin*) + # Unless specified otherwise, build without OpenSSL on Mac OS since + # modern versions don't ship with libcrypto. LIBCRYPTOFLAGS="--without-openssl" TEST_TARGET=t-exec ;; @@ -227,5 +286,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then export REGRESS_INTEROP_PUTTY fi -export CC CFLAGS LTESTS SUDO +export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh index 502bf5f0d407..bd0037702d6a 100755 --- a/crypto/openssh/.github/configure.sh +++ b/crypto/openssh/.github/configure.sh @@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then fi echo ./configure ${CONFIGFLAGS} -./configure ${CONFIGFLAGS} +./configure ${CONFIGFLAGS} 2>&1 
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh index adf2568ad1e2..8eeaf5e9b09d 100755 --- a/crypto/openssh/.github/run_test.sh +++ b/crypto/openssh/.github/run_test.sh @@ -6,6 +6,20 @@ set -ex +# If we want to test hostbased auth, set up the host for it. +if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then + sshconf=/usr/local/etc + hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null + echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null + $SUDO mkdir -p $sshconf + $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf + $SUDO make install + for key in $sshconf/ssh_host*key*.pub; do + echo `hostname` `cat $key` | \ + $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null + done +fi + output_failed_logs() { for i in regress/failed*; do if [ -f "$i" ]; then diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh index a3bb8587eab1..044c4d1292b1 100755 --- a/crypto/openssh/.github/setup_ci.sh +++ b/crypto/openssh/.github/setup_ci.sh @@ -1,17 +1,30 @@ #!/bin/sh +PACKAGES="" + . .github/configs $@ case "`./config.guess`" in +*cygwin) + PACKAGER=setup + echo Setting CYGWIN sustem environment variable. + setx CYGWIN "binmode" + chmod -R go-rw /cygdrive/d/a + umask 077 + PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core" + PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel" + ;; *-darwin*) + PACKAGER=brew brew install automake exit 0 ;; +*) + PACKAGER=apt esac TARGETS=$@ -PACKAGES="" INSTALL_FIDO_PPA="no" export DEBIAN_FRONTEND=noninteractive 
@@ -19,7 +32,17 @@ export DEBIAN_FRONTEND=noninteractive set -ex -lsb_release -a +if [ -x "`which lsb_release 2>&1`" ]; then + lsb_release -a +fi + +# Ubuntu 22.04 defaults to private home dirs which prevent the +# agent-getpeerid test from running ssh-add as nobody. See +# https://github.com/actions/runner-images/issues/6106 +if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then + echo ~ is not executable by nobody, adding perms. + chmod go+x ~ +fi if [ "${TARGETS}" = "kitchensink" ]; then TARGETS="krb5 libedit pam sk selinux" @@ -27,16 +50,24 @@ fi for flag in $CONFIGFLAGS; do case "$flag" in - --with-pam) PACKAGES="${PACKAGES} libpam0g-dev" ;; - --with-libedit) PACKAGES="${PACKAGES} libedit-dev" ;; + --with-pam) TARGETS="${TARGETS} pam" ;; + --with-libedit) TARGETS="${TARGETS} libedit" ;; esac done for TARGET in $TARGETS; do case $TARGET in - default|without-openssl|without-zlib|c89|libedit|*pam) + default|without-openssl|without-zlib|c89) # nothing to do ;; + clang-sanitize*) + PACKAGES="$PACKAGES clang-12" + ;; + cygwin-release) + PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel" + ;; + gcc-sanitize*) + ;; clang-*|gcc-*) compiler=$(echo $TARGET | sed 's/-Werror//') PACKAGES="$PACKAGES $compiler" @@ -47,6 +78,15 @@ for TARGET in $TARGETS; do heimdal) PACKAGES="$PACKAGES heimdal-dev" ;; + libedit) + case "$PACKAGER" in + setup) PACKAGES="$PACKAGES libedit-devel" ;; + apt) PACKAGES="$PACKAGES libedit-dev" ;; + esac + ;; + *pam) + PACKAGES="$PACKAGES libpam0g-dev" + ;; sk) INSTALL_FIDO_PPA="yes" PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev" 
@@ -99,9 +139,16 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then sudo apt-add-repository -y ppa:yubico/stable fi -if [ "x" != "x$PACKAGES" ]; then - sudo apt update -qq - sudo apt install -qy $PACKAGES +if [ "x" != "x$PACKAGES" ]; then + case "$PACKAGER" in + apt) + sudo apt update -qq + sudo apt install -qy $PACKAGES + ;; + setup) + /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,` + ;; + esac fi if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml index b778c9804203..3cd1188fc572 100644 --- a/crypto/openssh/.github/workflows/c-cpp.yml +++ b/crypto/openssh/.github/workflows/c-cpp.yml @@ -2,9 +2,11 @@ name: C/C++ CI on: push: - branches: [ master, ci ] + branches: [ master, ci, V_9_0 ] + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ] pull_request: branches: [ master ] + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ] jobs: ci: @@ -13,11 +15,13 @@ jobs: fail-fast: false matrix: # First we test all OSes in the default configuration. - os: [ubuntu-20.04, ubuntu-18.04, macos-10.15, macos-11.0] + os: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022] configs: [default] # Then we include any extra configs we want to test for specific VMs. # Valgrind slows things down quite a bit, so start them first. include: + - { os: windows-2019, configs: cygwin-release } + - { os: windows-2022, configs: cygwin-release } - { os: ubuntu-20.04, configs: valgrind-1 } - { os: ubuntu-20.04, configs: valgrind-2 } - { os: ubuntu-20.04, configs: valgrind-3 } 
@@ -30,6 +34,10 @@ jobs: - { os: ubuntu-20.04, configs: clang-10 } - { os: ubuntu-20.04, configs: clang-11 } - { os: ubuntu-20.04, configs: clang-12-Werror } + - { os: ubuntu-20.04, configs: clang-sanitize-address } + - { os: ubuntu-20.04, configs: clang-sanitize-undefined } + - { os: ubuntu-20.04, configs: gcc-sanitize-address } + - { os: ubuntu-20.04, configs: gcc-sanitize-undefined } - { os: ubuntu-20.04, configs: gcc-7 } - { os: ubuntu-20.04, configs: gcc-8 } - { os: ubuntu-20.04, configs: gcc-10 } @@ -44,9 +52,9 @@ jobs: - { os: ubuntu-latest, configs: libressl-2.8.3 } - { os: ubuntu-latest, configs: libressl-3.0.2 } - { os: ubuntu-latest, configs: libressl-3.2.6 } - - { os: ubuntu-latest, configs: libressl-3.3.4 } - - { os: ubuntu-latest, configs: libressl-3.4.1 } - - { os: ubuntu-latest, configs: libressl-3.5.0 } + - { os: ubuntu-latest, configs: libressl-3.3.6 } + - { os: ubuntu-latest, configs: libressl-3.4.3 } + - { os: ubuntu-latest, configs: libressl-3.5.3 } - { os: ubuntu-latest, configs: openssl-master } - { os: ubuntu-latest, configs: openssl-noec } - { os: ubuntu-latest, configs: openssl-1.0.1 } 
@@ -55,30 +63,37 @@ jobs: - { os: ubuntu-latest, configs: openssl-1.1.0h } - { os: ubuntu-latest, configs: openssl-1.1.1 } - { os: ubuntu-latest, configs: openssl-1.1.1k } - - { os: ubuntu-latest, configs: openssl-1.1.1m } + - { os: ubuntu-latest, configs: openssl-1.1.1n } + - { os: ubuntu-latest, configs: openssl-1.1.1p } - { os: ubuntu-latest, configs: openssl-3.0.0 } - - { os: ubuntu-latest, configs: openssl-3.0.1 } + - { os: ubuntu-latest, configs: openssl-3.0.5 } - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch - { os: ubuntu-latest, configs: openssl-3.0 } # stable branch - - { os: ubuntu-18.04, configs: pam } - - { os: ubuntu-18.04, configs: krb5 } - - { os: ubuntu-18.04, configs: heimdal } - - { os: ubuntu-18.04, configs: libedit } - - { os: ubuntu-18.04, configs: sk } - - { os: ubuntu-18.04, configs: selinux } - - { os: ubuntu-18.04, configs: kitchensink } - - { os: ubuntu-18.04, configs: without-openssl } - - { os: macos-10.15, configs: pam } - - { os: macos-11.0, configs: pam } + - { os: ubuntu-22.04, configs: pam } + - { os: ubuntu-22.04, configs: krb5 } + - { os: ubuntu-22.04, configs: heimdal } + - { os: ubuntu-22.04, configs: libedit } + - { os: ubuntu-22.04, configs: sk } + - { os: ubuntu-22.04, configs: selinux } + - { os: ubuntu-22.04, configs: kitchensink } + - { os: ubuntu-22.04, configs: without-openssl } + - { os: macos-11, configs: pam } + - { os: macos-12, configs: pam } runs-on: ${{ matrix.os }} steps: + - name: set cygwin git params + if: ${{ startsWith(matrix.os, 'windows') }} + run: git config --global core.autocrlf input + - name: install cygwin + if: ${{ startsWith(matrix.os, 'windows') }} + uses: cygwin/cygwin-install-action@master - uses: actions/checkout@v2 - name: setup CI system - run: ./.github/setup_ci.sh ${{ matrix.configs }} + run: sh ./.github/setup_ci.sh ${{ matrix.configs }} - name: autoreconf - run: autoreconf + run: sh -c autoreconf - name: configure - run: ./.github/configure.sh ${{ matrix.configs }} 
+ run: sh ./.github/configure.sh ${{ matrix.configs }} - name: save config uses: actions/upload-artifact@v2 with: @@ -89,9 +104,10 @@ jobs: - name: make run: make -j2 - name: make tests - run: ./.github/run_test.sh ${{ matrix.configs }} + run: sh ./.github/run_test.sh ${{ matrix.configs }} env: TEST_SSH_UNSAFE_PERMISSIONS: 1 + TEST_SSH_HOSTBASED_AUTH: yes - name: save logs if: failure() uses: actions/upload-artifact@v2 @@ -102,3 +118,5 @@ jobs: config.log regress/*.log regress/valgrind-out/ + regress/asan.log.* + regress/msan.log.* diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml index ec2c29825c85..c4bd1d9b24f7 100644 --- a/crypto/openssh/.github/workflows/selfhosted.yml +++ b/crypto/openssh/.github/workflows/selfhosted.yml @@ -2,7 +2,8 @@ name: C/C++ CI self-hosted on: push: - branches: [ master, ci ] + branches: [ master, ci, V_9_0 ] + paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ] jobs: selfhosted: @@ -17,15 +18,15 @@ jobs: matrix: os: - aix51 + - ARM - ARM64 - alpine - - bbone - debian-i386 + - debian-riscv64 - dfly30 - dfly48 - dfly58 - dfly60 - - fbsd6 - fbsd10 - fbsd12 - fbsd13 @@ -58,7 +59,6 @@ jobs: - { os: dfly48, configs: pam } - { os: dfly58, configs: pam } - { os: dfly60, configs: pam } - - { os: fbsd6, configs: pam } - { os: fbsd10, configs: pam } - { os: fbsd12, configs: pam } - { os: fbsd13, configs: pam } @@ -72,11 +72,11 @@ jobs: # - { os: sol11, configs: sol64-pam } - { os: win10, configs: cygwin-release } steps: + - name: shutdown VM if running + run: vmshutdown - uses: actions/checkout@v2 - name: autoreconf run: autoreconf - - name: shutdown VM if running - run: vmshutdown - name: startup VM run: vmstartup - name: configure diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml index b91083c65184..3cec069ede74 100644 --- a/crypto/openssh/.github/workflows/upstream.yml 
+++ b/crypto/openssh/.github/workflows/upstream.yml @@ -3,6 +3,7 @@ name: Upstream self-hosted on: push: branches: [ master, ci ] + paths: [ '**.c', '**.h', '.github/**' ] jobs: selfhosted: @@ -14,7 +15,7 @@ jobs: fail-fast: false matrix: os: [ obsdsnap, obsdsnap-i386 ] - configs: [ default, without-openssl ] + configs: [ default, without-openssl, ubsan ] steps: - uses: actions/checkout@v2 - name: shutdown VM if running @@ -24,13 +25,15 @@ jobs: - name: update source run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh" - name: make clean - run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean" + run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean" - name: make - run: vmrun "cd /usr/src/usr.bin/ssh && if test '${{ matrix.configs }}' = 'without-openssl'; then make OPENSSL=no; else make; fi" + run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac" - name: make install run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install" - - name: make tests - run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi" + - name: make tests` + run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac" + env: + SUDO: sudo timeout-minutes: 300 - name: save logs if: failure() diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids index c606eaee6c51..b639678939dd 100644 --- a/crypto/openssh/.skipped-commit-ids +++ b/crypto/openssh/.skipped-commit-ids 
@@ -24,6 +24,7 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b moduli update 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5 makefile change +f9a0726d957cf10692a231996a1f34e7f9cdfeb0 moduli update Old upstream tree: diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog index 063b54769d53..02e11b023ca0 100644 --- a/crypto/openssh/ChangeLog +++ b/crypto/openssh/ChangeLog 
@@ -1,11889 +1,11314 @@ -commit 94eb6858efecc1b4f02d8a6bd35e149f55c814c8 +commit 0ffb46f2ee2ffcc4daf45ee679e484da8fcf338c Author: Damien Miller <djm@mindrot.org> -Date: Wed Apr 6 10:47:48 2022 +1000 +Date: Tue Oct 4 01:51:42 2022 +1100 - update version numbers for release + update .depend -commit 8e4a8eadf4fe74e65e6492f34250f8cf7d67e8da +commit 657e676ff696c7bb787bffb0e249ea1be3b474e1 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Oct 4 01:45:52 2022 +1100 + + update release notes URL + +commit f059da2b29840c0f048448809c317ce2ae014da7 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Oct 4 01:45:41 2022 +1100 + + crank versions in RPM spec files + +commit b51f3f172d87cbdb80ca4eb7b2149e56a7647557 Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Apr 4 22:45:25 2022 +0000 +Date: Mon Sep 26 22:18:40 2022 +0000 - upstream: openssh-9.0 + upstream: openssh-9.1 - OpenBSD-Commit-ID: 0dfb461188f4513ec024c1534da8c1ce14c20b64 + OpenBSD-Commit-ID: 5a467b2ee81da01a86adf1ad93b62b1728494e56 -commit a9f23ea2e3227f406880c2634d066f6f50fa5eaa -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Thu Mar 31 17:58:44 2022 +0000 +commit 4cf8d0c0f3030f594a238bab21a0695735515487 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Sep 21 22:26:50 2022 +0000 - upstream: ssh: document sntrup761x25519-sha512@openssh.com as - - default KEX + upstream: Fix typo. From AlexanderStohr via github PR#343. 
- OpenBSD-Commit-ID: 12545bfa10bcbf552d04d9d9520d0f4e98b0e171 + OpenBSD-Commit-ID: a134c9b4039e48803fc6a87f955b0f4a03181497 -commit 9ec2713d122af79d66ebb9c1d6d9ae8621a8945f -Author: naddy@openbsd.org <naddy@openbsd.org> -Date: Thu Mar 31 17:27:27 2022 +0000 +commit 8179fed3264d5919899900ed8881d5f9bb57ca33 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 21:39:16 2022 +0000 - upstream: man pages: add missing commas between subordinate and - - main clauses + upstream: add RequiredRSASize to the list of keywords accepted by - jmc@ dislikes a comma before "then" in a conditional, so leave those - untouched. + -o; spotted by jmc@ - ok jmc@ + OpenBSD-Commit-ID: fe871408cf6f9d3699afeda876f8adbac86a035e + +commit 5f954929e9f173dd1e279e07d0e8b14fa845814d +Author: Damien Miller <djm@mindrot.org> +Date: Mon Sep 19 20:59:34 2022 +1000 + + no need for glob.h here - OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3 + it also causes portability problems -commit 3741df98ffaaff92b474ee70d8ef276b5882f85a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Apr 4 23:52:11 2022 +1000 +commit 03d94a47207d58b3db37eba4f87eb6ae5a63168a +Author: Damien Miller <djm@mindrot.org> +Date: Mon Sep 19 20:59:04 2022 +1000 - Disable security key on fbsd6 test host. + avoid Wuninitialized false positive in gcc-12ish -commit 32c12236f27ae83bfe6d2983b67c9bc67a83a417 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Apr 4 15:16:51 2022 +1000 +commit 9d952529113831fb3071ab6e408d2726fd72e771 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 10:46:00 2022 +0000 - Specify TEST_SHELL=bash on AIX. + upstream: use users-groups-by-id@openssh.com sftp-server extension - The system shells cause the agent-restrict test to fail due to some - quoting so explicitly specify bash until we can get configure to - autmatically work around that. + (when available) to fill in user/group names for directory listings. + Implement a client-side cache of see uid/gid=>user/group names. 
ok markus@ + + OpenBSD-Commit-ID: f239aeeadfa925a37ceee36ee8b256b8ccf4466e -commit 90452c8b69d065b7c7c285ff78b81418a75bcd76 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:38:44 2022 +1100 +commit 8ff680368b0bccf88ae85d4c99de69387fbad7a6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 10:43:12 2022 +0000 - Only return events from ppoll that were requested. + upstream: sftp client library support for - If the underlying system's select() returns bits that were not in the - request set, our ppoll() implementation can return revents for events - not requested, which can apparently cause a hang. Only return revents - for activity in the requested event set. bz#3416, analysis and fix by - yaroslav.kuzmin at vmssoftware com, ok djm@ + users-groups-by-id@openssh.com; ok markus@ + + OpenBSD-Commit-ID: ddb2f33a2da6349a9a89a8b5bcb9ca7c999394de -commit 6c49eb5fabc56f4865164ed818aa5112d09c31a8 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:21:40 2022 +1100 +commit 488f6e1c582212c2374a4bf8cd1b703d2e70fb8b +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 10:41:58 2022 +0000 - Only run regression tests on slow VMs. + upstream: extend sftp-common.c:extend ls_file() to support supplied + + user/group names; ok markus@ + + OpenBSD-Commit-ID: c70c70498b1fdcf158531117e405b6245863bfb0 -commit f67e47903977b42cb6abcd5565a61bd7293e4dc3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 23:21:06 2022 +1100 +commit 74b77f7497dba3a58315c8f308883de448078057 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 10:40:52 2022 +0000 - Increase test timeout to allow slow VMs to finish + upstream: sftp-server(8): add a "users-groups-by-id@openssh.com" + + extension request that allows the client to obtain user/group names that + correspond to a set of uids/gids. + + Will be used to make directory listings more useful and consistent + in sftp(1). 
+ + ok markus@ + + OpenBSD-Commit-ID: 7ebabde0bcb95ef949c4840fe89e697e30df47d3 -commit 02488c1b54065ddc4f25835dbd2618b2a2fe21f5 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 16:27:38 2022 +1100 +commit 231a346c0c67cc7ca098360f9a554fa7d4f1eddb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 19 08:49:50 2022 +0000 - Use bash or ksh if available for SH in Makefile. + upstream: better debugging for connect_next() + + OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640 -commit 34c7018c316af4773e432066de28d0ef9d0888cd -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 14:56:54 2022 +1100 +commit 1875042c52a3b950ae5963c9ca3774a4cc7f0380 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Sep 17 10:34:29 2022 +0000 - Set Makefile SHELL as determined by configure. + upstream: Add RequiredRSASize for sshd(8); RSA keys that fall - This should improve compatibility for users with non-POSIX shells. If - using Makefile.in directly (eg make -f Makefile.in distprep) then SHELL - will need to be specified on the command line (along with MANFMT in that - particular case). ok djm@ + beneath this limit will be ignored for user and host-based authentication. + + Feedback deraadt@ ok markus@ + + OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1 -commit 5b054d76402faab38c48377efd112426469553a0 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Apr 1 13:16:47 2022 +1100 +commit 54b333d12e55e6560b328c737d514ff3511f1afd +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sat Sep 17 10:33:18 2022 +0000 - Skip slow tests on (very) slow test targets. *** 29142 LINES SKIPPED ***
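Review bot: the `*-sanitize-*` block in `.github/configs` (hunk `@@ -41,6 +45,57 @@`) builds a deliberately de-hardened sshd (`-Dchroot=chdir`, `--with-privsep-user=root`, `--without-sandbox --without-hardening --without-stackprotect`), and nothing in the block says so; add a comment at its top stating these flags exist only to let the sanitizer runtime work under CI and must never be carried into a packaged build. `-Dchroot=chdir` rewrites every chroot() call in the tree, not only the preauth privsep one the comment mentions, which is the real reason `SKIP_LTESTS=sftp-chroot` is needed. Also, `-DASAN_OPTIONS=...` and `-DMSAN_OPTIONS=...` are preprocessor macros, not environment variables; they have an effect only if the tree provides a `__asan_default_options()` / `__msan_default_options()` hook that returns them, which this diff does not show, so that dependency should be noted. Minor: the comment reads `clang does not recognizes explicit_bzero`, and the parenthesis opened at `(see https://github.com/google/sanitizers/issues/1507` is never closed.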
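Review bot: in the valgrind hunk of `.github/configs` (`@@ -107,14 +162,15 @@`), `kextype` is now listed twice: the new `tests3="krl forward-control sshsig agent-restrict kextype sftp"` and the unchanged `tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"`, so both the valgrind-3 and valgrind-4 jobs run it. Drop it from one of the lists; the comment above explains the split exists because valgrind is slow, and a duplicated test wastes exactly that budget.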
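Review bot: the `*cygwin) SUDO=""` case added in `.github/configs` (`@@ -201,10 +257,13 @@`) interacts with the new guard in `run_test.sh`, `if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]`: with an empty SUDO the hostbased setup is silently skipped on the windows-2019 and windows-2022 runners even though `c-cpp.yml` sets `TEST_SSH_HOSTBASED_AUTH: yes` for every matrix entry. If that is intended, add a comment beside the Cygwin case saying hostbased authentication is not exercised there, so nobody reads the workflow as covering it.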
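Review bot: in the `run_test.sh` hunk (`@@ -6,6 +6,20 @@`) the first two writes, `hostname | $SUDO tee $sshconf/shosts.equiv` and the `EnableSSHKeysign yes` tee into `$sshconf/ssh_config`, run before `$SUDO mkdir -p $sshconf`; under the file's `set -ex` the step aborts if /usr/local/etc does not exist yet, so move the mkdir to the top of the block. The block also copies the runner's real host private keys (`$SUDO cp -p /etc/ssh/ssh_host*key* $sshconf`) into the test install and writes an `shosts.equiv` that trusts the runner's own hostname; that is only acceptable on a disposable CI VM and the comment should say so explicitly. Finally, the `ssh_config` tee overwrites rather than appends and is followed by `$SUDO make install`, so it relies on the install target leaving an existing ssh_config alone; worth stating in the comment so a later Makefile change does not quietly undo the `EnableSSHKeysign` setting.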
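Review bot: in the first `setup_ci.sh` hunk (`@@ -1,17 +1,30 @@`), hoisting `PACKAGES=""` to the top means the Cygwin branch's `PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"` starts the list with a comma, while the later `cygwin-release` case appends space-separated names (`libcrypt-devel libfido2-devel libkrb5-devel`) that only become commas through the `tr ' ' ,` at install time. Build the list one way throughout (space-separated, converted once) so setup.exe is not handed an empty leading package name. Typo in the echo: `sustem`.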
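Review bot: in the second `setup_ci.sh` hunk (`@@ -19,7 +32,17 @@`), `which lsb_release 2>&1` folds which's error text into the string tested with `-x`; it happens to work because an error message is not an executable path, but `2>/dev/null`, as `.github/configs` already does, says what is meant. The `chmod go+x ~` workaround for the agent-getpeerid test makes the home directory traversable by every user on the runner; that is fine for a throwaway CI VM, and the comment should say it is CI-only so the snippet is not copied into local setups.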
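Review bot: in the `setup_ci.sh` hunk `@@ -47,6 +78,15 @@`, the `libedit)` case picks the package name per `$PACKAGER` (`setup` versus `apt`), but the new `*pam)` case hardcodes the Debian name `libpam0g-dev`. Since `--with-pam` now maps to the `pam` target for every packager, any Cygwin configuration that gains `--with-pam` would pass a Debian package name to setup.exe; mirror the libedit case or guard the assignment with `apt)`.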
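Review bot: the `paths:` filters added to `c-cpp.yml` (`@@ -2,9 +2,11 @@`) list `**.c`, `**.h`, `**.m4`, `**.sh`, `.github/**`, `Makefile.in` and `configure.ac`, so a push that touches only other build-relevant files, for example `regress/Makefile` or test data under `regress/`, no longer triggers CI. If that trade-off is deliberate, a short comment above the filter would keep the next person from debugging a "missing" run.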
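Review bot: in the `c-cpp.yml` steps hunk (`@@ -55,30 +63,37 @@`), `uses: cygwin/cygwin-install-action@master` pins a third-party action to a moving branch, and the same job later runs `sudo make install` and copies host keys; a change pushed to that branch executes with those privileges on every Windows run. Pin it to a full commit SHA (the existing `actions/checkout@v2` at least uses a tag). The `sh -c autoreconf` and `sh ./.github/...` changes are fine, but a one-line comment that they exist to force Cygwin's sh would help.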
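Review bot: in the `upstream.yml` hunk (`@@ -24,13 +25,15 @@`), the renamed step `- name: make tests\`` has a stray trailing backtick. More importantly, `SUDO` moved from a make command-line override (`make SUDO=sudo`) to `env: SUDO: sudo` on the runner step, but the make itself runs inside the guest via `vmrun "..."`; unless vmrun forwards the runner's environment into the VM, the regress suite now runs without sudo. An environment variable is also overridden by any `SUDO=` assignment inside the regress Makefile, which the old command-line form was not. Lastly, the `ubsan` case builds with `-fsanitize=undefined -fsanitize-minimal-runtime` but no `-fno-sanitize-recover`, so UBSan reports and continues; a finding will not fail `make tests` by itself, and the saved logs are the only place it shows up.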