openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985 (cherry picked from commit 1926107) (cherry picked from commit f448c3e) (cherry picked from commit 1f290c7) (cherry picked from commit 0f9bafd) (cherry picked from commit adb56e5) (cherry picked from commit 576b581) (cherry picked from commit 1c99af1) (cherry picked from commit 87152f3) (cherry picked from commit 172fa4a)
emaste · Feb 7, 2022 · c7d1ed4 · c7d1ed4
1 parent 14da1cc
commit c7d1ed4
Show file tree

Hide file tree

Showing 540 changed files with 54,057 additions and 25,588 deletions.
diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
@@ -0,0 +1,4 @@
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
@@ -0,0 +1,170 @@
+#!/bin/sh
+#
+# usage: configs vmname test_config (or '' for default)
+#
+# Sets the following variables:
+# CONFIGFLAGS           options to ./configure
+# SSHD_CONFOPTS         sshd_config options
+# TEST_TARGET           make target used when testing.  defaults to "tests".
+# LTESTS
+
+config=$1
+
+TEST_TARGET="tests"
+LTESTS=""
+SKIP_LTESTS=""
+SUDO=sudo	# run with sudo by default
+TEST_SSH_UNSAFE_PERMISSIONS=1
+
+CONFIGFLAGS=""
+LIBCRYPTOFLAGS=""
+
+case "$config" in
+    default|sol64)
+	;;
+    c89)
+	CC="gcc"
+	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
+	CONFIGFLAGS="--without-openssl --without-zlib"
+	TEST_TARGET=t-exec
+	;;
+    kitchensink)
+	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
+	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
+	CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
+	;;
+    hardenedmalloc)
+	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
+	;;
+    kerberos5)
+	CONFIGFLAGS="--with-kerberos5"
+	;;
+    libedit)
+	CONFIGFLAGS="--with-libedit"
+	;;
+    pam-krb5)
+	CONFIGFLAGS="--with-pam --with-kerberos5"
+	SSHD_CONFOPTS="UsePam yes"
+	;;
+    *pam)
+	CONFIGFLAGS="--with-pam"
+	SSHD_CONFOPTS="UsePam yes"
+	;;
+    libressl-*)
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
+	;;
+    openssl-*)
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+	;;
+    selinux)
+	CONFIGFLAGS="--with-selinux"
+	;;
+    sk)
+	CONFIGFLAGS="--with-security-key-builtin"
+        ;;
+    without-openssl)
+	LIBCRYPTOFLAGS="--without-openssl"
+	TEST_TARGET=t-exec
+	;;
+    valgrind-[1-4]|valgrind-unit)
+	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
+	CONFIGFLAGS="--without-sandbox --without-hardening"
+	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
+	TEST_TARGET="t-exec USE_VALGRIND=1"
+	TEST_SSH_ELAPSED_TIMES=1
+	export TEST_SSH_ELAPSED_TIMES
+	# Valgrind slows things down enough that the agent timeout test
+	# won't reliably pass, and the unit tests run longer than allowed
+	# by github so split into three separate tests.
+	tests2="rekey integrity"
+	tests3="krl forward-control sshsig"
+	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment"
+	case "$config" in
+	    valgrind-1)
+		# All tests except agent-timeout (which is flaky under valgrind)
+		#) and slow ones that run separately to increase parallelism.
+		SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
+		;;
+	    valgrind-2)
+		LTESTS="${tests2}"
+		;;
+	    valgrind-3)
+		LTESTS="${tests3}"
+		;;
+	    valgrind-4)
+		LTESTS="${tests4}"
+		;;
+	    valgrind-unit)
+		TEST_TARGET="unit USE_VALGRIND=1"
+		;;
+	esac
+	;;
+    *)
+	echo "Unknown configuration $config"
+	exit 1
+	;;
+esac
+
+# The Solaris 64bit targets are special since they need a non-flag arg.
+case "$config" in
+    sol64*)
+	CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
+	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
+	;;
+esac
+
+case "${TARGET_HOST}" in
+    dfly58*|dfly60*)
+	# scp 3-way connection hangs on these so skip until sorted.
+	SKIP_LTESTS=scp3
+	;;
+    hurd)
+	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
+	;;
+    minix3)
+	CC="clang"
+	LIBCRYPTOFLAGS="--without-openssl"
+	# Minix does not have a loopback interface so we have to skip any
+	# test that relies on it.
+	TEST_TARGET=t-exec
+	SKIP_LTESTS="addrmatch cfgparse key-options reexec agent connect"
+	SKIP_LTESTS="$SKIP_LTESTS keyscan rekey allow-deny-users connect-uri"
+	SKIP_LTESTS="$SKIP_LTESTS knownhosts-command sftp-uri brokenkeys"
+	SKIP_LTESTS="$SKIP_LTESTS exit-status login-timeout stderr-data"
+	SKIP_LTESTS="$SKIP_LTESTS cfgmatch forward-control multiplex transfer"
+	SKIP_LTESTS="$SKIP_LTESTS cfgmatchlisten forwarding reconfigure"
+	SUDO=""
+	;;
+    nbsd4)
+	# System compiler will ICE on some files with fstack-protector
+	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening"
+	;;
+    sol10|sol11)
+	# sol10 VM is 32bit and the unit tests are slow.
+	# sol11 has 4 test configs so skip unit tests to speed up.
+	TEST_TARGET="tests SKIP_UNIT=1"
+	;;
+    win10)
+	# No sudo on Windows.
+	SUDO=""
+	;;
+esac
+
+# If we have a local openssl/libressl, use that.
+if [ -z "${LIBCRYPTOFLAGS}" ]; then
+	# last-match
+	for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+		if [ -x ${i}/bin/openssl ]; then
+			LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
+		fi
+	done
+fi
+
+CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
+
+if [ -x "$(which plink 2>/dev/null)" ]; then
+	REGRESS_INTEROP_PUTTY=yes
+	export REGRESS_INTEROP_PUTTY
+fi
+
+export CC CFLAGS LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+. .github/configs $1
+
+set -x
+./configure ${CONFIGFLAGS}
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+. .github/configs $1
+
+[ -z "${SUDO}" ] || ${SUDO} mkdir -p /var/empty
+
+set -ex
+
+output_failed_logs() {
+    for i in regress/failed*; do
+        if [ -f "$i" ]; then
+            echo -------------------------------------------------------------------------
+            echo LOGFILE $i
+            cat $i
+            echo -------------------------------------------------------------------------
+        fi
+    done
+}
+trap output_failed_logs 0
+
+if [ -z "${LTESTS}" ]; then
+    make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
+else
+    make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
+fi
+
+if [ ! -z "${SSHD_CONFOPTS}" ]; then
+    echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
+    if [ -z "${LTESTS}" ]; then
+        make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+    else
+        make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+    fi
+fi
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+
+case $(./config.guess) in
+*-darwin*)
+	brew install automake
+	exit 0
+	;;
+esac
+
+TARGETS=$@
+
+PACKAGES=""
+INSTALL_FIDO_PPA="no"
+
+#echo "Setting up for '$TARGETS'"
+
+set -ex
+
+lsb_release -a
+
+if [ "${TARGETS}" = "kitchensink" ]; then
+	TARGETS="kerberos5 libedit pam sk selinux"
+fi
+
+for TARGET in $TARGETS; do
+    case $TARGET in
+    default|without-openssl|without-zlib|c89)
+        # nothing to do
+        ;;
+    kerberos5)
+        PACKAGES="$PACKAGES heimdal-dev"
+        #PACKAGES="$PACKAGES libkrb5-dev"
+        ;;
+    libedit)
+        PACKAGES="$PACKAGES libedit-dev"
+        ;;
+    *pam)
+        PACKAGES="$PACKAGES libpam0g-dev"
+        ;;
+    sk)
+        INSTALL_FIDO_PPA="yes"
+        PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
+        ;;
+    selinux)
+        PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"
+        ;;
+    hardenedmalloc)
+        INSTALL_HARDENED_MALLOC=yes
+       ;;
+    openssl-noec)
+	INSTALL_OPENSSL=OpenSSL_1_1_1k
+	SSLCONFOPTS="no-ec"
+	;;
+    openssl-*)
+        INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
+        case ${INSTALL_OPENSSL} in
+          1.*)	INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
+          3.*)	INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
+        esac
+        PACKAGES="${PACKAGES} putty-tools"
+       ;;
+    libressl-*)
+        INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
+        case ${INSTALL_LIBRESSL} in
+          master) ;;
+          *) INSTALL_LIBRESSL="v$(echo ${TARGET} | cut -f2 -d-)" ;;
+        esac
+        PACKAGES="${PACKAGES} putty-tools"
+       ;;
+    valgrind*)
+       PACKAGES="$PACKAGES valgrind"
+       ;;
+    *) echo "Invalid option '${TARGET}'"
+        exit 1
+        ;;
+    esac
+done
+
+if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
+    sudo apt update -qq
+    sudo apt install software-properties-common
+    sudo apt-add-repository ppa:yubico/stable
+fi
+
+if [ "x" != "x$PACKAGES" ]; then 
+    sudo apt update -qq
+    sudo apt install -qy $PACKAGES
+fi
+
+if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
+    (cd ${HOME} &&
+     git clone https://github.com/GrapheneOS/hardened_malloc.git &&
+     cd ${HOME}/hardened_malloc &&
+     make -j2 && sudo cp libhardened_malloc.so /usr/lib/)
+fi
+
+if [ ! -z "${INSTALL_OPENSSL}" ]; then
+    (cd ${HOME} &&
+     git clone https://github.com/openssl/openssl.git &&
+     cd ${HOME}/openssl &&
+     git checkout ${INSTALL_OPENSSL} &&
+     ./config no-threads shared ${SSLCONFOPTS} \
+         --prefix=/opt/openssl &&
+     make && sudo make install_sw)
+fi
+
+if [ ! -z "${INSTALL_LIBRESSL}" ]; then
+    (mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
+     git clone https://github.com/libressl-portable/portable.git &&
+     cd ${HOME}/libressl/portable &&
+     git checkout ${INSTALL_LIBRESSL} &&
+     sh update.sh && sh autogen.sh &&
+     ./configure --prefix=/opt/libressl &&
+     make -j2 && sudo make install)
+fi