ssh: Update to OpenSSH 9.4p1

Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
toor1245 · Aug 11, 2023 · 535af61 · 535af61
2 parents 6b40505 + 78f3053
commit 535af61
Show file tree

Hide file tree

Showing 94 changed files with 8,883 additions and 8,229 deletions.
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
@@ -6,6 +6,6 @@ master :
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
 
-9.2 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_2)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_2)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_2)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_2)
+9.3 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
@@ -81,7 +81,8 @@ case "$config" in
 	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
 	    LDFLAGS="-fsanitize=memory"
 	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
-	    CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+	    CONFIGFLAGS="--without-zlib --without-shadow"
+	    LIBCRYPTOFLAGS="--without-openssl"
 	    TEST_TARGET="t-exec"
 	    ;;
 	*-sanitize-undefined)
@@ -139,6 +140,10 @@ case "$config" in
 	CONFIGFLAGS="--with-pam"
 	SSHD_CONFOPTS="UsePam yes"
 	;;
+    boringssl)
+	CONFIGFLAGS="--disable-pkcs11"
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
+	;;
     libressl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
 	;;
@@ -209,13 +214,15 @@ esac
 # The Solaris 64bit targets are special since they need a non-flag arg.
 case "$config" in
     sol64*)
-	CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
-	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
+	CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
+	LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
 	;;
 esac
 
 case "${TARGET_HOST}" in
     aix*)
+	CONFIGFLAGS="--disable-security-key"
+	LIBCRYPTOFLAGS="--without-openssl"
 	# These are slow real or virtual machines so skip the slowest tests
 	# (which tend to be thw ones that transfer lots of data) so that the
 	# test run does not time out.
@@ -240,7 +247,8 @@ case "${TARGET_HOST}" in
 	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
 	;;
     minix3)
-	LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
+	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+	LIBCRYPTOFLAGS="--without-openssl"
 	# Minix does not have a loopback interface so we have to skip any
 	# test that relies on one.
 	# Also, Minix seems to be very limited in the number of select()
@@ -264,7 +272,8 @@ case "${TARGET_HOST}" in
 	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
 	;;
     openwrt-*)
-	CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
+	CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
+	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET="t-exec"
 	;;
     sol10|sol11)
@@ -278,7 +287,8 @@ case "${TARGET_HOST}" in
 	;;
 esac
 
-case "`./config.guess`" in
+host=`./config.guess`
+case "$host" in
 *cygwin)
 	SUDO=""
 	# Don't run compat tests on cygwin as they don't currently compile.
@@ -289,17 +299,34 @@ case "`./config.guess`" in
 	# modern versions don't ship with libcrypto.
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
+	case "$host" in
+	*-darwin22.*)
+		# sudo -S nobody doesn't work on macos 13 for some reason.
+		SKIP_LTESTS="agent-getpeereid" ;;
+	esac
 	;;
 esac
 
-# If we have a local openssl/libressl, use that.
+# Unless specifically configured, search for a suitable version of OpenSSL,
+# otherwise build without it.
 if [ -z "${LIBCRYPTOFLAGS}" ]; then
+	LIBCRYPTOFLAGS="--without-openssl"
 	# last-match
-	for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+	for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
+		ver="none"
 		if [ -x ${i}/bin/openssl ]; then
-			LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
+			ver="$(${i}/bin/openssl version)"
 		fi
+		case "$ver" in
+			none) ;;
+			"OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
+			"LibreSSL 2."*|"LibreSSL 3.0."*) ;;
+			*) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
+		esac
 	done
+	if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
+		TEST_TARGET="t-exec"
+	fi
 fi
 
 CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"

diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
@@ -4,7 +4,9 @@ PACKAGES=""
 
  . .github/configs $@
 
-case "`./config.guess`" in
+host=`./config.guess`
+echo "config.guess: $host"
+case "$host" in
 *cygwin)
 	PACKAGER=setup
 	echo Setting CYGWIN system environment variable.
@@ -124,6 +126,10 @@ for TARGET in $TARGETS; do
         esac
         PACKAGES="${PACKAGES} putty-tools"
        ;;
+    boringssl)
+        INSTALL_BORINGSSL=1
+        PACKAGES="${PACKAGES} cmake ninja-build"
+       ;;
     valgrind*)
        PACKAGES="$PACKAGES valgrind"
        ;;
@@ -199,3 +205,12 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
          ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
     fi
 fi
+
+if [ ! -z "${INSTALL_BORINGSSL}" ]; then
+    (cd ${HOME} && git clone https://boringssl.googlesource.com/boringssl &&
+     cd ${HOME}/boringssl && mkdir build && cd build &&
+     cmake -GNinja  -DCMAKE_POSITION_INDEPENDENT_CODE=ON .. && ninja &&
+     mkdir -p /opt/boringssl/lib &&
+     cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
+     cp -r ${HOME}/boringssl/include /opt/boringssl)
+fi
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -13,7 +13,14 @@ jobs:
       fail-fast: false
       matrix:
         # First we test all OSes in the default configuration.
-        target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
+        target:
+          - ubuntu-20.04
+          - ubuntu-22.04
+          - macos-11
+          - macos-12
+          - macos-13
+          - windows-2019
+          - windows-2022
         config: [default]
         # Then we include any extra configs we want to test for specific VMs.
         # Valgrind slows things down quite a bit, so start them first.
@@ -43,33 +50,27 @@ jobs:
           - { target: ubuntu-20.04, config: gcc-11-Werror }
           - { target: ubuntu-20.04, config: pam }
           - { target: ubuntu-20.04, config: kitchensink }
-          - { target: ubuntu-20.04, config: hardenedmalloc }
+          - { target: ubuntu-22.04, config: hardenedmalloc }
           - { target: ubuntu-20.04, config: tcmalloc }
           - { target: ubuntu-20.04, config: musl }
+          - { target: ubuntu-latest, config: boringssl }
           - { target: ubuntu-latest, config: libressl-master }
-          - { target: ubuntu-latest, config: libressl-2.2.9 }
-          - { target: ubuntu-latest, config: libressl-2.8.3 }
-          - { target: ubuntu-latest, config: libressl-3.0.2 }
           - { target: ubuntu-latest, config: libressl-3.2.6 }
           - { target: ubuntu-latest, config: libressl-3.3.6 }
           - { target: ubuntu-latest, config: libressl-3.4.3 }
           - { target: ubuntu-latest, config: libressl-3.5.3 }
           - { target: ubuntu-latest, config: libressl-3.6.1 }
-          - { target: ubuntu-latest, config: libressl-3.7.0 }
+          - { target: ubuntu-latest, config: libressl-3.7.2 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
-          - { target: ubuntu-latest, config: openssl-1.0.1 }
-          - { target: ubuntu-latest, config: openssl-1.0.1u }
-          - { target: ubuntu-latest, config: openssl-1.0.2u }
-          - { target: ubuntu-latest, config: openssl-1.1.0h }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1k }
           - { target: ubuntu-latest, config: openssl-1.1.1n }
           - { target: ubuntu-latest, config: openssl-1.1.1q }
-          - { target: ubuntu-latest, config: openssl-1.1.1s }
+          - { target: ubuntu-latest, config: openssl-1.1.1t }
           - { target: ubuntu-latest, config: openssl-3.0.0 }
-          - { target: ubuntu-latest, config: openssl-3.0.5 }
           - { target: ubuntu-latest, config: openssl-3.0.7 }
+          - { target: ubuntu-latest, config: openssl-3.1.0 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
           - { target: ubuntu-22.04, config: pam }
@@ -82,6 +83,7 @@ jobs:
           - { target: ubuntu-22.04, config: without-openssl }
           - { target: macos-11, config: pam }
           - { target: macos-12, config: pam }
+          - { target: macos-13, config: pam }
     runs-on: ${{ matrix.target }}
     steps:
     - name: set cygwin git params

diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -25,9 +25,9 @@ jobs:
           - debian-i386
           - dfly30
           - dfly48
-          - dfly58
           - dfly60
           - dfly62
+          - dfly64
           - fbsd10
           - fbsd12
           - fbsd13