ssh: update to OpenSSH 9.2p1

Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
freebsd · Feb 6, 2023 · f374ba4 · f374ba4
2 parents 70efe1a + 7ee8117
commit f374ba4
Show file tree

Hide file tree

Showing 131 changed files with 15,622 additions and 13,755 deletions.
diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
@@ -1,4 +1,10 @@
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml)
-[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml)
+master :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
+[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+
+9.1 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_1)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_1)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
@@ -9,10 +9,13 @@
 # LTESTS
 
 config=$1
+if [ "$config" = "" ]; then
+	config="default"
+fi
 
 unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 
-TEST_TARGET="tests"
+TEST_TARGET="tests compat-tests"
 LTESTS=""
 SKIP_LTESTS=""
 SUDO=sudo	# run with sudo by default
@@ -108,7 +111,7 @@ case "$config" in
     kitchensink)
 	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
-	CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
+	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
 	;;
     hardenedmalloc)
 	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
@@ -141,6 +144,11 @@ case "$config" in
 	;;
     openssl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
+	# fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
+	if [ "$config" = "openssl-1.1.1" ]; then
+		SKIP_LTESTS="reexec"
+	fi
 	;;
     selinux)
 	CONFIGFLAGS="--with-selinux"
@@ -152,7 +160,7 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-4]|valgrind-unit)
+    valgrind-[1-5]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -161,16 +169,19 @@ case "$config" in
 	export TEST_SSH_ELAPSED_TIMES
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
-	# by github so split into three separate tests.
-	tests2="rekey integrity try-ciphers"
+	# by github so split into separate tests.
+	tests2="integrity try-ciphers"
 	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+	tests5="rekey"
 	case "$config" in
 	    valgrind-1)
-		# All tests except agent-timeout (which is flaky under valgrind)
+		# All tests except agent-timeout (which is flaky under valgrind),
+		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
-		SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
+		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
@@ -181,6 +192,9 @@ case "$config" in
 	    valgrind-4)
 		LTESTS="${tests4}"
 		;;
+	    valgrind-5)
+		LTESTS="${tests5}"
+		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;
@@ -210,6 +224,10 @@ case "${TARGET_HOST}" in
 	TEST_TARGET="t-exec TEST_SHELL=bash"
 	SKIP_LTESTS="rekey sftp"
 	;;
+    debian-riscv64)
+	# This machine is fairly slow, so skip the unit tests.
+	TEST_TARGET="t-exec"
+	;;
     dfly58*|dfly60*)
 	# scp 3-way connection hangs on these so skip until sorted.
 	SKIP_LTESTS=scp3
@@ -227,12 +245,15 @@ case "${TARGET_HOST}" in
 	# test that relies on one.
 	# Also, Minix seems to be very limited in the number of select()
 	# calls that can be operating concurrently, so prune additional tests for that.
-	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
-	    connect-uri exit-status forward-control forwarding hostkey-agent
-	    key-options keyscan knownhosts-command login-timeout multiplex
+	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
+	    connect connect-uri exit-status forwarding hostkey-agent
+	    key-options keyscan knownhosts-command login-timeout
 	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
 	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
 	    transfer"
+	# Unix domain sockets don't work quite like we expect, so also skip any tests
+	# that use multiplexing.
+	T="$T connection-timeout dynamic-forward forward-control multiplex"
 	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
 	SUDO=""
@@ -260,6 +281,8 @@ esac
 case "`./config.guess`" in
 *cygwin)
 	SUDO=""
+	# Don't run compat tests on cygwin as they don't currently compile.
+	TEST_TARGET="tests"
 	;;
 *-darwin*)
 	# Unless specified otherwise, build without OpenSSL on Mac OS since

diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
@@ -139,16 +139,29 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
-if [ "x" != "x$PACKAGES" ]; then
+tries=3
+while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
     case "$PACKAGER" in
     apt)
 	sudo apt update -qq
-	sudo apt install -qy $PACKAGES
+	if sudo apt install -qy $PACKAGES; then
+		PACKAGES=""
+	fi
 	;;
     setup)
-	/cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`
+	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
+		PACKAGES=""
+	fi
 	;;
     esac
+    if [ ! -z "$PACKAGES" ]; then
+	sleep 90
+    fi
+    tries=$(($tries - 1))
+done
+if [ ! -z "$PACKAGES" ]; then
+	echo "Package installation failed."
+	exit 1
 fi
 
 if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then

diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,11 +2,9 @@ name: C/C++ CI
 
 on:
   push:
-    branches: [ master, ci, V_9_0 ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
-    branches: [ master ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
   ci:
@@ -15,104 +13,109 @@ jobs:
       fail-fast: false
       matrix:
         # First we test all OSes in the default configuration.
-        os: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
-        configs: [default]
+        target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
+        config: [default]
         # Then we include any extra configs we want to test for specific VMs.
         # Valgrind slows things down quite a bit, so start them first.
         include:
-          - { os: windows-2019, configs: cygwin-release }
-          - { os: windows-2022, configs: cygwin-release }
-          - { os: ubuntu-20.04, configs: valgrind-1 }
-          - { os: ubuntu-20.04, configs: valgrind-2 }
-          - { os: ubuntu-20.04, configs: valgrind-3 }
-          - { os: ubuntu-20.04, configs: valgrind-4 }
-          - { os: ubuntu-20.04, configs: valgrind-unit }
-          - { os: ubuntu-20.04, configs: c89 }
-          - { os: ubuntu-20.04, configs: clang-6.0 }
-          - { os: ubuntu-20.04, configs: clang-8 }
-          - { os: ubuntu-20.04, configs: clang-9 }
-          - { os: ubuntu-20.04, configs: clang-10 }
-          - { os: ubuntu-20.04, configs: clang-11 }
-          - { os: ubuntu-20.04, configs: clang-12-Werror }
-          - { os: ubuntu-20.04, configs: clang-sanitize-address }
-          - { os: ubuntu-20.04, configs: clang-sanitize-undefined }
-          - { os: ubuntu-20.04, configs: gcc-sanitize-address }
-          - { os: ubuntu-20.04, configs: gcc-sanitize-undefined }
-          - { os: ubuntu-20.04, configs: gcc-7 }
-          - { os: ubuntu-20.04, configs: gcc-8 }
-          - { os: ubuntu-20.04, configs: gcc-10 }
-          - { os: ubuntu-20.04, configs: gcc-11-Werror }
-          - { os: ubuntu-20.04, configs: pam }
-          - { os: ubuntu-20.04, configs: kitchensink }
-          - { os: ubuntu-20.04, configs: hardenedmalloc }
-          - { os: ubuntu-20.04, configs: tcmalloc }
-          - { os: ubuntu-20.04, configs: musl }
-          - { os: ubuntu-latest, configs: libressl-master }
-          - { os: ubuntu-latest, configs: libressl-2.2.9 }
-          - { os: ubuntu-latest, configs: libressl-2.8.3 }
-          - { os: ubuntu-latest, configs: libressl-3.0.2 }
-          - { os: ubuntu-latest, configs: libressl-3.2.6 }
-          - { os: ubuntu-latest, configs: libressl-3.3.6 }
-          - { os: ubuntu-latest, configs: libressl-3.4.3 }
-          - { os: ubuntu-latest, configs: libressl-3.5.3 }
-          - { os: ubuntu-latest, configs: openssl-master }
-          - { os: ubuntu-latest, configs: openssl-noec }
-          - { os: ubuntu-latest, configs: openssl-1.0.1 }
-          - { os: ubuntu-latest, configs: openssl-1.0.1u }
-          - { os: ubuntu-latest, configs: openssl-1.0.2u }
-          - { os: ubuntu-latest, configs: openssl-1.1.0h }
-          - { os: ubuntu-latest, configs: openssl-1.1.1 }
-          - { os: ubuntu-latest, configs: openssl-1.1.1k }
-          - { os: ubuntu-latest, configs: openssl-1.1.1n }
-          - { os: ubuntu-latest, configs: openssl-1.1.1p }
-          - { os: ubuntu-latest, configs: openssl-3.0.0 }
-          - { os: ubuntu-latest, configs: openssl-3.0.5 }
-          - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
-          - { os: ubuntu-latest, configs: openssl-3.0 }          # stable branch
-          - { os: ubuntu-22.04, configs: pam }
-          - { os: ubuntu-22.04, configs: krb5 }
-          - { os: ubuntu-22.04, configs: heimdal }
-          - { os: ubuntu-22.04, configs: libedit }
-          - { os: ubuntu-22.04, configs: sk }
-          - { os: ubuntu-22.04, configs: selinux }
-          - { os: ubuntu-22.04, configs: kitchensink }
-          - { os: ubuntu-22.04, configs: without-openssl }
-          - { os: macos-11, configs: pam }
-          - { os: macos-12, configs: pam }
-    runs-on: ${{ matrix.os }}
+          - { target: windows-2019, config: cygwin-release }
+          - { target: windows-2022, config: cygwin-release }
+          - { target: ubuntu-20.04, config: valgrind-1 }
+          - { target: ubuntu-20.04, config: valgrind-2 }
+          - { target: ubuntu-20.04, config: valgrind-3 }
+          - { target: ubuntu-20.04, config: valgrind-4 }
+          - { target: ubuntu-20.04, config: valgrind-5 }
+          - { target: ubuntu-20.04, config: valgrind-unit }
+          - { target: ubuntu-20.04, config: c89 }
+          - { target: ubuntu-20.04, config: clang-6.0 }
+          - { target: ubuntu-20.04, config: clang-8 }
+          - { target: ubuntu-20.04, config: clang-9 }
+          - { target: ubuntu-20.04, config: clang-10 }
+          - { target: ubuntu-20.04, config: clang-11 }
+          - { target: ubuntu-20.04, config: clang-12-Werror }
+          - { target: ubuntu-20.04, config: clang-sanitize-address }
+          - { target: ubuntu-20.04, config: clang-sanitize-undefined }
+          - { target: ubuntu-20.04, config: gcc-sanitize-address }
+          - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
+          - { target: ubuntu-20.04, config: gcc-7 }
+          - { target: ubuntu-20.04, config: gcc-8 }
+          - { target: ubuntu-20.04, config: gcc-10 }
+          - { target: ubuntu-20.04, config: gcc-11-Werror }
+          - { target: ubuntu-20.04, config: pam }
+          - { target: ubuntu-20.04, config: kitchensink }
+          - { target: ubuntu-20.04, config: hardenedmalloc }
+          - { target: ubuntu-20.04, config: tcmalloc }
+          - { target: ubuntu-20.04, config: musl }
+          - { target: ubuntu-latest, config: libressl-master }
+          - { target: ubuntu-latest, config: libressl-2.2.9 }
+          - { target: ubuntu-latest, config: libressl-2.8.3 }
+          - { target: ubuntu-latest, config: libressl-3.0.2 }
+          - { target: ubuntu-latest, config: libressl-3.2.6 }
+          - { target: ubuntu-latest, config: libressl-3.3.6 }
+          - { target: ubuntu-latest, config: libressl-3.4.3 }
+          - { target: ubuntu-latest, config: libressl-3.5.3 }
+          - { target: ubuntu-latest, config: libressl-3.6.1 }
+          - { target: ubuntu-latest, config: libressl-3.7.0 }
+          - { target: ubuntu-latest, config: openssl-master }
+          - { target: ubuntu-latest, config: openssl-noec }
+          - { target: ubuntu-latest, config: openssl-1.0.1 }
+          - { target: ubuntu-latest, config: openssl-1.0.1u }
+          - { target: ubuntu-latest, config: openssl-1.0.2u }
+          - { target: ubuntu-latest, config: openssl-1.1.0h }
+          - { target: ubuntu-latest, config: openssl-1.1.1 }
+          - { target: ubuntu-latest, config: openssl-1.1.1k }
+          - { target: ubuntu-latest, config: openssl-1.1.1n }
+          - { target: ubuntu-latest, config: openssl-1.1.1q }
+          - { target: ubuntu-latest, config: openssl-1.1.1s }
+          - { target: ubuntu-latest, config: openssl-3.0.0 }
+          - { target: ubuntu-latest, config: openssl-3.0.5 }
+          - { target: ubuntu-latest, config: openssl-3.0.7 }
+          - { target: ubuntu-latest, config: openssl-1.1.1_stable }
+          - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
+          - { target: ubuntu-22.04, config: pam }
+          - { target: ubuntu-22.04, config: krb5 }
+          - { target: ubuntu-22.04, config: heimdal }
+          - { target: ubuntu-22.04, config: libedit }
+          - { target: ubuntu-22.04, config: sk }
+          - { target: ubuntu-22.04, config: selinux }
+          - { target: ubuntu-22.04, config: kitchensink }
+          - { target: ubuntu-22.04, config: without-openssl }
+          - { target: macos-11, config: pam }
+          - { target: macos-12, config: pam }
+    runs-on: ${{ matrix.target }}
     steps:
     - name: set cygwin git params
-      if: ${{ startsWith(matrix.os, 'windows') }}
+      if: ${{ startsWith(matrix.target, 'windows') }}
       run: git config --global core.autocrlf input
     - name: install cygwin
-      if: ${{ startsWith(matrix.os, 'windows') }}
+      if: ${{ startsWith(matrix.target, 'windows') }}
       uses: cygwin/cygwin-install-action@master
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@main
     - name: setup CI system
-      run: sh ./.github/setup_ci.sh ${{ matrix.configs }}
+      run: sh ./.github/setup_ci.sh ${{ matrix.config }}
     - name: autoreconf
       run: sh -c autoreconf
     - name: configure
-      run: sh ./.github/configure.sh ${{ matrix.configs }}
+      run: sh ./.github/configure.sh ${{ matrix.config }}
     - name: save config
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-config
+        name: ${{ matrix.target }}-${{ matrix.config }}-config
         path: config.h
     - name: make clean
       run: make clean
     - name: make
       run: make -j2
     - name: make tests
-      run: sh ./.github/run_test.sh ${{ matrix.configs }}
+      run: sh ./.github/run_test.sh ${{ matrix.config }}
       env:
         TEST_SSH_UNSAFE_PERMISSIONS: 1
         TEST_SSH_HOSTBASED_AUTH: yes
     - name: save logs
       if: failure()
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+        name: ${{ matrix.target }}-${{ matrix.config }}-logs
         path: |
           config.h
           config.log

diff --git a/crypto/openssh/.github/workflows/cifuzz.yml b/crypto/openssh/.github/workflows/cifuzz.yml
@@ -0,0 +1,32 @@
+name: CIFuzz
+on:
+  push:
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+  pull_request:
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+  Fuzzing:
+    if: github.repository != 'openssh/openssh-portable-selfhosted'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'openssh'
+        dry-run: false
+        language: c++
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'openssh'
+        fuzz-seconds: 600
+        dry-run: false
+        language: c++
+    - name: Upload Crash
+      uses: actions/upload-artifact@main
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts