From 668d270a6c77e8b5a1da26ecad2e6de9f62c8fe4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 6 Mar 2024 10:33:20 +1100 Subject: [PATCH 01/13] add a --without-retpoline configure option discussed with deraadt and dtucker a while ago --- configure.ac | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index fda092830..c1af4b423 100644 --- a/configure.ac +++ b/configure.ac @@ -149,6 +149,7 @@ fi use_stack_protector=1 use_toolchain_hardening=1 +use_retpoline=1 AC_ARG_WITH([stackprotect], [ --without-stackprotect Don't use compiler's stack protection], [ if test "x$withval" = "xno"; then @@ -159,6 +160,11 @@ AC_ARG_WITH([hardening], if test "x$withval" = "xno"; then use_toolchain_hardening=0 fi ]) +AC_ARG_WITH([retpoline], + [ --without-retpoline Enable retpoline spectre mitigation], [ + if test "x$withval" = "xno"; then + use_retpoline=0 + fi ]) # We use -Werror for the tests only so that we catch warnings like "this is # on by default" for things like -fPIE. @@ -216,8 +222,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) if test "x$use_toolchain_hardening" = "x1"; then - OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang - OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) @@ -240,6 +244,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then esac OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero]) fi + if test "x$use_retpoline" = "x1"; then + OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) + fi AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset]) saved_CFLAGS="$CFLAGS" From d52b6509210e2043f33e5a1de58dd4a0d5d48c2a Mon Sep 17 00:00:00 2001 
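Review bot: The help string on the new `AC_ARG_WITH([retpoline])` is inverted: the option is `--without-retpoline` but the text reads "Enable retpoline spectre mitigation", so `./configure --help` will advertise the opposite of what the flag does, unlike the neighbouring `--without-stackprotect Don't use compiler's stack protection` entry. Suggested line: `[ --without-retpoline Don't use retpoline spectre mitigation], [`. Note also that the `-mretpoline` / `-Wl,-z,retpolineplt` probes have moved out of the `use_toolchain_hardening` block, so `--without-hardening` on its own no longer disables retpoline; if that decoupling is intended, a comment above the new `if test "x$use_retpoline" = "x1"` (or the commit message) should say so, since it changes what an existing `--without-hardening` build produces.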
From: Damien Miller Date: Wed, 6 Mar 2024 11:31:36 +1100 Subject: [PATCH 02/13] disable RSA tests when algorithm is not supported Unbreaks "make test" when compiled --without-openssl. Similar treatment to how we do DSA and ECDSA. --- regress/Makefile | 55 ++++++++++++++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/regress/Makefile b/regress/Makefile index ca9c66e19..8628ddd28 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -156,29 +156,38 @@ TEST_SSH_SSHKEYGEN?=ssh-keygen CPPFLAGS=-I.. t1: - ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv - tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv - ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv - awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv - ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \ + tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ; \ + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \ + awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv ; \ + ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \ + fi t2: - cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out - chmod 600 $(OBJ)/t2.out - ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out ; \ + chmod 600 $(OBJ)/t2.out ; \ + ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub ; \ + fi t3: - ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out - ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out ; \ + ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ; \ + fi t4: - ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\ - awk '{print $$2}' | diff - ${.CURDIR}/t4.ok + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + ${TEST_SSH_SSHKEYGEN} -E md5 -lf 
${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ; \ + fi t5: - ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ - awk '{print $$2}' | diff - ${.CURDIR}/t5.ok - + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ; \ + fi t6: set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \ @@ -188,11 +197,15 @@ t6: fi $(OBJ)/t7.out: - ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ ; \ + fi t7: $(OBJ)/t7.out - ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null - ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null ; \ + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ; \ + fi $(OBJ)/t8.out: set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ @@ -224,8 +237,10 @@ t10: $(OBJ)/t10.out ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null t11: - ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ - awk '{print $$2}' | diff - ${.CURDIR}/t11.ok + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ; \ + fi $(OBJ)/t12.out: ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@ From 242742827fea4508e68097c128e802edc79addb5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 6 Mar 2024 00:31:04 +0000 Subject: [PATCH 03/13] upstream: wrap a few PKCS#11-specific bits in ENABLE_PKCS11 OpenBSD-Commit-ID: 463e4a69eef3426a43a2b922c4e7b2011885d923 --- ssh-agent.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
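Review bot: The guards added to `$(OBJ)/t7.out`, `t7` and `t11` test for `^ssh-dss` while the commands they wrap generate or fingerprint RSA keys (`-t rsa`, `rsa_openssh.pub`), so on a build with RSA but without DSA these targets are silently skipped, and the gate does not actually reflect the algorithm under test. The guard should match the key type used, e.g. for `t7.out`: `set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \`, and likewise on `t7` and `t11`; the same three guards are carried over unchanged into the re-quoting hunks of patch 09/13 for those targets. Separately, if `${TEST_SSH_SSH} -Q key` itself fails to run, the `if` is simply false and the target passes without executing anything; that is how the existing DSA targets behave too, but it is worth a one-line comment so the skip-on-failure semantics are deliberate rather than accidental.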
diff --git a/ssh-agent.c b/ssh-agent.c index 7347aaee5..4f2af3caf 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.304 2023/12/18 15:58:56 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.305 2024/03/06 00:31:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -250,6 +250,7 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) free(dcs); } +#ifdef ENABLE_PKCS11 static void dup_dest_constraint_hop(const struct dest_constraint_hop *dch, struct dest_constraint_hop *out) @@ -289,6 +290,7 @@ dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) } return ret; } +#endif /* ENABLE_PKCS11 */ #ifdef DEBUG_CONSTRAINTS static void @@ -1522,6 +1524,7 @@ no_identities(SocketEntry *e) sshbuf_free(msg); } +#ifdef ENABLE_PKCS11 /* Add an identity to idlist; takes ownership of 'key' and 'comment' */ static void add_p11_identity(struct sshkey *key, char *comment, const char *provider, @@ -1548,7 +1551,6 @@ add_p11_identity(struct sshkey *key, char *comment, const char *provider, idtab->nentries++; } -#ifdef ENABLE_PKCS11 static void process_add_smartcard_key(SocketEntry *e) { From c47e1c9c7911f38b2fc2fb01b1f6ae3a3121a838 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 6 Mar 2024 02:59:59 +0000 Subject: [PATCH 04/13] upstream: fix memory leak in mux proxy mode when requesting forwarding. found by RASU JSC, reported by Maks Mishin in GHPR#467 OpenBSD-Commit-ID: 97d96a166b1ad4b8d229864a553e3e56d3116860 --- channels.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/channels.c b/channels.c index 6862556be..ece8d30d6 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.436 2024/01/09 22:19:00 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.437 2024/03/06 02:59:59 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -3245,9 +3245,8 @@ channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
 goto out;
 }
 /* Record that connection to this host/port is permitted. */
- permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "", -1,
- listen_host, NULL, (int)listen_port, downstream);
- listen_host = NULL;
+ permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "",
+ -1, listen_host, NULL, (int)listen_port, downstream);
 break;
 case SSH2_MSG_CHANNEL_CLOSE:
 if (have < 4)
From 9b3f0beb4007a7e01dfedabb429097fb593deae6 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Thu, 7 Mar 2024 17:18:14 +1100
Subject: [PATCH 05/13] Prefer openssl binary from --with-ssl-dir directory.
Use openssl in the directory specified by --with-ssl-dir as long as it's functional. Reported by The Doctor.
---
configure.ac | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index c1af4b423..82e8bb7c1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2743,7 +2743,15 @@ AC_ARG_WITH([ssl-dir],
 else
 CPPFLAGS="-I${withval} ${CPPFLAGS}"
 fi
- openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
+ dnl Ensure specified openssl binary works, eg it can
+ dnl find its runtime libraries, before trying to use.
+ if test -x "${withval}/bin/openssl" && \
+ "${withval}/bin/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
+ elif test -x "${withval}/apps/openssl" && \
+ "${withval}/apps/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
+ fi
 fi
 ]
 )
From 2f9d2af5cb19905d87f37d1e11c9f035ac5daf3b Mon Sep 17 00:00:00 2001
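Review bot: The leak fix depends on `permission_set_add()` making its own copy of `listen_host` so the caller's buffer can be released at `out:`; nothing in the hunk shows that contract, and the removed `listen_host = NULL;` was presumably written by someone who believed ownership was transferred. A short comment on the call would stop the next reader from re-introducing the NULL assignment: `/* permission_set_add() copies listen_host; it is freed at out: */`. `channel_proxy_downstream()` and its `out:` label are outside the hunk, so whether every path to `out:` now frees `listen_host` exactly once cannot be confirmed from here.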
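Review bot: In the `--with-ssl-dir` branch `openssl_bin_PATH` is now assigned only when one of the two candidate binaries passes the `version` probe; the removed line always assigned it, so when neither `${withval}/bin/openssl` nor `${withval}/apps/openssl` works the variable is left at whatever it held before, and the hunk does not show a later default. Unless a fallback is guaranteed elsewhere, add an `else openssl_bin_PATH="${PATH}"` arm before the inner `fi`, and consider an `AC_MSG_WARN([openssl in ${withval} not usable, falling back to PATH])` so a broken install in the requested directory is reported instead of being silently replaced by whichever `openssl` happens to be first on PATH.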
From: "dtucker@openbsd.org" Date: Fri, 8 Mar 2024 11:34:10 +0000 Subject: [PATCH 06/13] upstream: Invoke ProxyCommand that uses stderr redirection via $TEST_SHELL. Fixes test when run by a user whose login shell is tcsh. Found by vinschen at redhat.com. OpenBSD-Regress-ID: f68d79e7f00caa8d216ebe00ee5f0adbb944062a --- regress/dynamic-forward.sh | 9 +++++---- regress/test-exec.sh | 5 ++++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 5a4aa6d8e..85901eaa6 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.15 2023/01/06 08:50:33 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.17 2024/03/08 11:34:10 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -20,6 +20,7 @@ start_ssh() { arg="$2" n=0 error="1" + # Use a multiplexed ssh so we can control its lifecycle. trace "start dynamic -$direction forwarding, fork to background" (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config ${REAL_SSH} -vvvnNfF $OBJ/ssh_config -E$TEST_SSH_LOGFILE \ @@ -56,9 +57,9 @@ check_socks() { for s in 4 5; do for h in 127.0.0.1 localhost; do trace "testing ssh socks version $s host $h (-$direction)" - ${REAL_SSH} -q -F $OBJ/ssh_config \ - -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ - somehost cat ${DATA} > ${COPY} + ${REAL_SSH} -q -F $OBJ/ssh_config -o \ + "ProxyCommand ${TEST_SHELL} -c '${proxycmd}${s} $h $PORT 2>/dev/null'" \ + somehost cat ${DATA} > ${COPY} r=$? if [ "x$expect_success" = "xY" ] ; then if [ $r -ne 0 ] ; then diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 5ab4cb5d5..ad627941f 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.107 2024/02/19 09:25:52 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.108 2024/03/08 11:34:10 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo 
@@ -104,6 +104,9 @@ DBCLIENT=/usr/local/bin/dbclient DROPBEARKEY=/usr/local/bin/dropbearkey DROPBEARCONVERT=/usr/local/bin/dropbearconvert +# So we can override this in Portable. +TEST_SHELL="${TEST_SHELL:-/bin/sh}" + # Tools used by multiple tests NC=$OBJ/netcat # Always use the one configure tells us to, even if that's empty. From cd82f7526e0481720567ae41db7849ab1c27e27b Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 8 Mar 2024 22:16:32 +0000 Subject: [PATCH 07/13] upstream: skip more whitespace, fixes find-principals on allowed_signers files with blank lines; reported by Wiktor Kwapisiewicz OpenBSD-Commit-ID: b3a22a2afd753d70766f34bc7f309c03706b5298 --- sshsig.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sshsig.c b/sshsig.c index d50d65fe2..470b286a3 100644 --- a/sshsig.c +++ b/sshsig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshsig.c,v 1.34 2023/12/08 09:18:39 markus Exp $ */ +/* $OpenBSD: sshsig.c,v 1.35 2024/03/08 22:16:32 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -746,7 +746,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line, *keyp = NULL; cp = line; - cp = cp + strspn(cp, " \t"); /* skip leading whitespace */ + cp = cp + strspn(cp, " \t\n\r"); /* skip leading whitespace */ if (*cp == '#' || *cp == '\0') return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ From a6a740a4948d10a622b505135bb485c10f21db5e Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 9 Mar 2024 05:12:13 +0000 Subject: [PATCH 08/13] upstream: avoid logging in signal handler by converting mainloop to ppoll() bz3670, reported by Ben Hamilton; ok dtucker@ OpenBSD-Commit-ID: e58f18042b86425405ca09e6e9d7dfa1df9f5f7f --- ssh-agent.c | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/ssh-agent.c b/ssh-agent.c index 4f2af3caf..d35741a86 100644 --- a/ssh-agent.c +++ b/ssh-agent.c 
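Review bot: Adding `\n` and `\r` to the `strspn()` set lets a line consisting only of a line terminator reach the `*cp == '\0'` blank-line check, which is the fix, but the trailing comment still says just "skip leading whitespace"; record why terminators are in the set so nobody trims it back: `cp = cp + strspn(cp, " \t\n\r"); /* skip leading whitespace, incl. CR/LF so blank lines read as empty */`. `parse_principals_key_and_options()` continues beyond the hunk; if the tokenising further down still treats a trailing `\r` on a CRLF line as part of the last field, this change does not address that.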
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.305 2024/03/06 00:31:04 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.306 2024/03/09 05:12:13 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -162,6 +162,8 @@ int max_fd = 0;
 pid_t parent_pid = -1;
 time_t parent_alive_interval = 0;
+sig_atomic_t signalled = 0;
+
 /* pid of process for which cleanup_socket is applicable */
 pid_t cleanup_pid = 0;
@@ -2062,7 +2064,7 @@ after_poll(struct pollfd *pfd, size_t npfd, u_int maxfds)
 }
 static int
-prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds)
+prepare_poll(struct pollfd **pfdp, size_t *npfdp, struct timespec *timeoutp, u_int maxfds)
 {
 struct pollfd *pfd = *pfdp;
 size_t i, j, npfd = 0;
@@ -2128,14 +2130,8 @@ prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds)
 if (parent_alive_interval != 0)
 deadline = (deadline == 0) ? parent_alive_interval :
 MINIMUM(deadline, parent_alive_interval);
- if (deadline == 0) {
- *timeoutp = -1; /* INFTIM */
- } else {
- if (deadline > INT_MAX / 1000)
- *timeoutp = INT_MAX / 1000;
- else
- *timeoutp = deadline * 1000;
- }
+ if (deadline != 0)
+ ptimeout_deadline_sec(timeoutp, deadline);
 return (1);
 }
@@ -2155,17 +2151,16 @@ void
 cleanup_exit(int i)
 {
 cleanup_socket();
+#ifdef ENABLE_PKCS11
+ pkcs11_terminate();
+#endif
 _exit(i);
 }
 static void
 cleanup_handler(int sig)
 {
- cleanup_socket();
-#ifdef ENABLE_PKCS11
- pkcs11_terminate();
-#endif
- _exit(2);
+ signalled = sig;
 }
 static void
@@ -2209,10 +2204,11 @@ main(int ac, char **av)
 char pidstrbuf[1 + 3 * sizeof pid];
 size_t len;
 mode_t prev_mask;
- int timeout = -1; /* INFTIM */
+ struct timespec timeout;
 struct pollfd *pfd = NULL;
 size_t npfd = 0;
 u_int maxfds;
+ sigset_t nsigset, osigset;
 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 sanitise_stdfd();
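Review bot: `sig_atomic_t signalled` is written from `cleanup_handler()` and polled from the main loop but is not declared `volatile`; C only guarantees well-defined behaviour for an object shared with a signal handler when it is `volatile sig_atomic_t` (or a lock-free atomic), and without the qualifier the `signalled != 0` read in `main()` is kept honest only by the opaque `sigprocmask()`/`ppoll()` calls around it, which link-time optimisation may be able to see through. Declare it `volatile sig_atomic_t signalled = 0;` (and `static` if nothing outside ssh-agent.c needs it), with a comment such as `/* set by cleanup_handler(); read in main() only with those signals blocked */`.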
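Review bot: `prepare_poll()` no longer writes `*timeoutp` when `deadline == 0`; the removed `else` branch set INFTIM explicitly, so the function now has an undocumented precondition that the caller has run `ptimeout_init()` on `timeoutp` before every call and that "untouched" means "no deadline". Record it next to the new check: `if (deadline != 0) /* else: timeoutp left as ptimeout_init()ed by caller == wait forever */`, or in the function's header comment, which is outside this hunk. Moving `pkcs11_terminate()` into `cleanup_exit()` also means it now runs on every non-signal exit that goes through that function (if `cleanup_exit()` is the `fatal()` hook here as elsewhere in OpenSSH), including from inside a failed PKCS#11 call; a one-line comment stating that this teardown is intended to be best-effort from any state would make the new ordering explicit.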
@@ -2448,13 +2444,25 @@ skip:
 ssh_signal(SIGHUP, cleanup_handler);
 ssh_signal(SIGTERM, cleanup_handler);
+ sigemptyset(&nsigset);
+ sigaddset(&nsigset, SIGINT);
+ sigaddset(&nsigset, SIGHUP);
+ sigaddset(&nsigset, SIGTERM);
+
 if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
 fatal("%s: pledge: %s", __progname, strerror(errno));
 platform_pledge_agent();
 while (1) {
+ sigprocmask(SIG_BLOCK, &nsigset, &osigset);
+ if (signalled != 0) {
+ logit("exiting on signal %d", (int)signalled);
+ cleanup_exit(2);
+ }
+ ptimeout_init(&timeout);
 prepare_poll(&pfd, &npfd, &timeout, maxfds);
- result = poll(pfd, npfd, timeout);
+ result = ppoll(pfd, npfd, ptimeout_get_tsp(&timeout), &osigset);
+ sigprocmask(SIG_SETMASK, &osigset, NULL);
 saved_errno = errno;
 if (parent_alive_interval != 0)
 check_parent_exists();
From 26b09b45fec7b88ba09042c09be4157e58e231e2 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sun, 10 Mar 2024 16:24:57 +1100
Subject: [PATCH 09/13] quote regexes used to test for algorithm support
Fixes test failures on Solaris 8 reported by Tom G. Christensen
---
regress/Makefile | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 8628ddd28..c9a495f6f 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -156,7 +156,7 @@ TEST_SSH_SSHKEYGEN?=ssh-keygen
 CPPFLAGS=-I..
 t1:
- set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
 ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
 tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ; \
 ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
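Review bot: The block / check `signalled` / `ppoll()` sequence closes the lost-wakeup window correctly, but the mask handed to `ppoll()` is `osigset`, i.e. whatever was in force when the loop iteration began, so if the agent is started with SIGINT, SIGHUP or SIGTERM already blocked by its parent they stay blocked across `ppoll()`, `cleanup_handler()` never runs and the agent cannot be stopped by those signals. That was also the case with the old `poll()` loop, but the new mask plumbing is the natural place to fix it: build the wait mask once before the loop from the saved mask with the three signals removed via `sigdelset()` and pass that to `ppoll()`, or `sigprocmask(SIG_UNBLOCK, &nsigset, NULL)` once at startup. Both `sigprocmask()` return values are ignored; a failure of the `SIG_SETMASK` restore would leave the signals blocked for the rest of the iteration and every handler-dependent path after it, so `fatal()` on `-1` would be consistent with the `pledge()` check just above. `main()` continues outside the hunk.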
@@ -165,31 +165,31 @@ t1: fi t2: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \ cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out ; \ chmod 600 $(OBJ)/t2.out ; \ ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub ; \ fi t3: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \ ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out ; \ ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ; \ fi t4: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \ ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ; \ fi t5: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-rsa ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \ ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ; \ fi t6: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \ chmod 600 $(OBJ)/t6.out1 ; \ 
@@ -197,23 +197,23 @@ t6: fi $(OBJ)/t7.out: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ ; \ fi t7: $(OBJ)/t7.out - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null ; \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ; \ fi $(OBJ)/t8.out: - set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \ fi t8: $(OBJ)/t8.out - set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \ fi @@ -237,7 +237,7 @@ t10: $(OBJ)/t10.out ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null t11: - set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \ + set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \ ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ; \ fi From 8fc109cc614954a8eb2738c48c0db36a62af9a06 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 11 Mar 2024 12:59:26 +1100 Subject: [PATCH 10/13] Test against current OpenSSL and LibreSSL releases. Add LibreSSL 3.9.0, bump older branches to their respective current releases. --- .github/workflows/c-cpp.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml index f4423dfa9..edb88f23c 100644 --- a/.github/workflows/c-cpp.yml +++ b/.github/workflows/c-cpp.yml 
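Review bot: The re-quoted guards on `$(OBJ)/t8.out` and `t8` still invoke a bare `ssh -Q key`, i.e. whichever ssh is first on PATH, while every neighbouring target uses `${TEST_SSH_SSH}`; the probe therefore reports the installed system ssh's algorithm list rather than the build under test, so the DSA tests may be skipped or run against the wrong binary depending on the host. Since these lines are being rewritten anyway, make them consistent: `set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \` on both targets.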
@@ -62,17 +62,18 @@ jobs: - { target: ubuntu-latest, config: libressl-3.5.3 } - { target: ubuntu-latest, config: libressl-3.6.1 } - { target: ubuntu-latest, config: libressl-3.7.2 } - - { target: ubuntu-latest, config: libressl-3.8.2 } + - { target: ubuntu-latest, config: libressl-3.8.3 } + - { target: ubuntu-latest, config: libressl-3.9.0 } - { target: ubuntu-latest, config: openssl-master } - { target: ubuntu-latest, config: openssl-noec } - { target: ubuntu-latest, config: openssl-1.1.1 } - { target: ubuntu-latest, config: openssl-1.1.1t } - { target: ubuntu-latest, config: openssl-1.1.1w } - { target: ubuntu-latest, config: openssl-3.0.0 } - - { target: ubuntu-latest, config: openssl-3.0.12 } + - { target: ubuntu-latest, config: openssl-3.0.13 } - { target: ubuntu-latest, config: openssl-3.1.0 } - - { target: ubuntu-latest, config: openssl-3.1.4 } - - { target: ubuntu-latest, config: openssl-3.2.0 } + - { target: ubuntu-latest, config: openssl-3.1.5 } + - { target: ubuntu-latest, config: openssl-3.2.1 } - { target: ubuntu-latest, config: openssl-1.1.1_stable } - { target: ubuntu-latest, config: openssl-3.0 } # stable branch - { target: ubuntu-latest, config: openssl-3.2 } # stable branch From 3876a3bbd2ca84d23ba20f8b69ba83270c04ce3a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 11 Mar 2024 04:59:47 +0000 Subject: [PATCH 11/13] upstream: openssh-9.7 OpenBSD-Commit-ID: 618ececf58b8cdae016b149787af06240f7b0cbc --- version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.h b/version.h index a4b7b594c..052a5817b 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.100 2023/12/18 14:48:44 djm Exp $ */ +/* $OpenBSD: version.h,v 1.101 2024/03/11 04:59:47 djm Exp $ */ -#define SSH_VERSION "OpenSSH_9.6" +#define SSH_VERSION "OpenSSH_9.7" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE From 282721418e6465bc39ccfd39bb0133e670ee4423 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 11 Mar 2024 16:20:08 +1100 Subject: [PATCH 12/13] crank RPM spec versions --- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 0524a72b4..b2309716f 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%global ver 9.6p1 +%global ver 9.7p1 %global rel 1%{?dist} # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index b5082f0d5..7dbe4db6e 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 9.6p1 +Version: 9.7p1 URL: https://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz From 86bdd3853f4d32c85e295e6216a2fe0953ad93f0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 11 Mar 2024 16:20:49 +1100 Subject: [PATCH 13/13] version number in README --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 327562671..89981ef6f 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See https://www.openssh.com/releasenotes.html#9.6p1 for the release +See https://www.openssh.com/releasenotes.html#9.7p1 for the release notes. Please read https://www.openssh.com/report.html for bug reporting