From 727d4dbac07be7459d640b7a636659b3a6fb64eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?= Date: Mon, 12 Feb 2024 18:18:08 -0500 Subject: [PATCH 1/7] fix resource.h file encoding (#716) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marc-André Moreau --- contrib/win32/openssh/resource.h | Bin 812 -> 390 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/contrib/win32/openssh/resource.h b/contrib/win32/openssh/resource.h index 3c7d7cdea0fa139e16caad54b7749f021f4807d7..7097a903fe7582c58ac03bedba1e68f1937b7f19 100644 GIT binary patch literal 390 zcmZ|J&uWA)5C-tOPch(eVO8i0SThHyCX4^*o`S2Bk`f{q-L@?I?u~6PyKHkA_`Y9; ziK5Ge3(4?+oFUJ0tgqJ~ilEfPJh@3N&}p~!2D04_-pJD2FEoO-gIPxcr48*j-#VY3 zzTix=)05rLgHMC4;qLB#Bwgl4ul^kCiSz#^ODnr?&MT_wFk~n!_Gf|c)XSWod f;`krUn@SXSI`R6!YJVW!F9!HIgY2kP5dMyDpJZ{m literal 812 zcmb7?K}*9x5QX1a@INeg6pRJ`KumfFwy89x=qcDXkxFSHX{sXrb@kg_3(-TU4BMTV z&b;^XlCRG|f!>K!6BUXz)Ga4^G8${8g=%fpa4PNS&FD31^{6#f zq;taPNu@TNn*NS^NpD4G!Bk6CQde}=WEUNV94tRQ*Bdi?s+!&kz73N#2nRj(KI8`F zrCyyPi(bLof^HS=owk;4<5;(#7^m)qd#kyg`ES8&)4{XIXYf`|ZN+4WLz(WB<5A*V zOJJRm-QZR1cKybtXJ^W6$n=EWksk0q<9DoUIwNw=>z~0oW}Pa2xC?fMx<^AHi<7aF zlSSkON9nY~z3EDNitU&)cWkfa=kY^~5`A-$g&J R^{4BJ{Z^OmU3;eA^*82mbb0^) From 5622b51825b997bc5a958923f837bd1442fa05d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?= Date: Mon, 12 Feb 2024 18:26:32 -0500 Subject: [PATCH 2/7] fix freezero duplicate symbol (#718) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marc-André Moreau --- contrib/win32/openssh/openbsd_compat.vcxproj | 1 + contrib/win32/openssh/openbsd_compat.vcxproj.filters | 3 +++ contrib/win32/win32compat/misc.c | 9 --------- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/contrib/win32/openssh/openbsd_compat.vcxproj b/contrib/win32/openssh/openbsd_compat.vcxproj index db3bf6e83..340088be1 100644 
--- a/contrib/win32/openssh/openbsd_compat.vcxproj +++ b/contrib/win32/openssh/openbsd_compat.vcxproj @@ -58,6 +58,7 @@ + diff --git a/contrib/win32/openssh/openbsd_compat.vcxproj.filters b/contrib/win32/openssh/openbsd_compat.vcxproj.filters index 81175da16..8b6432b9f 100644 --- a/contrib/win32/openssh/openbsd_compat.vcxproj.filters +++ b/contrib/win32/openssh/openbsd_compat.vcxproj.filters @@ -75,6 +75,9 @@ Source Files + + Source Files + Source Files diff --git a/contrib/win32/win32compat/misc.c b/contrib/win32/win32compat/misc.c index 2467ddffe..fd9e29e98 100644 --- a/contrib/win32/win32compat/misc.c +++ b/contrib/win32/win32compat/misc.c @@ -1512,15 +1512,6 @@ w32_ctime(const time_t* sourceTime) return ctime_s(destTime, 26, sourceTime) == 0 ? destTime : NULL; } -void -freezero(void *ptr, size_t sz) -{ - if (ptr == NULL) - return; - explicit_bzero(ptr, sz); - free(ptr); -} - int setenv(const char *name, const char *value, int rewrite) { From 607df771b2085f793e1dc393ec445eac2d66da5e Mon Sep 17 00:00:00 2001 From: Tess Gauthier Date: Mon, 18 Mar 2024 14:58:04 -0300 Subject: [PATCH 3/7] Delete contrib/win32/openssh/DockerFile (#722) --- contrib/win32/openssh/DockerFile | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 contrib/win32/openssh/DockerFile diff --git a/contrib/win32/openssh/DockerFile b/contrib/win32/openssh/DockerFile deleted file mode 100644 index 639061284..000000000 --- a/contrib/win32/openssh/DockerFile +++ /dev/null @@ -1,10 +0,0 @@ -# escape=` -#0.3.6 (no powershell 6) -FROM balu1202/openssh-dockerbuildimage-ltsc2019-new:latest - -SHELL ["PowerShell.exe", "-command"] -RUN Set-ExecutionPolicy Unrestricted - -COPY ./OpenSSH-build.ps1 /OpenSSH-build.ps1 - -ENTRYPOINT ["powershell", "-executionpolicy", "unrestricted"] From 3af5ef810df09a53fc3b9fe47db7fccb26d18c40 Mon Sep 17 00:00:00 2001 
From: Tess Gauthier Date: Mon, 22 Apr 2024 14:27:03 -0400 Subject: [PATCH 4/7] remove manifest files from msi (#726) --- contrib/win32/install/client.wxs | 1 - contrib/win32/install/product.wxs | 6 +----- contrib/win32/install/server.wxs | 1 - contrib/win32/install/shared.wxs | 9 --------- 4 files changed, 1 insertion(+), 16 deletions(-) diff --git a/contrib/win32/install/client.wxs b/contrib/win32/install/client.wxs index 8918abd18..4277a8f05 100644 --- a/contrib/win32/install/client.wxs +++ b/contrib/win32/install/client.wxs @@ -3,7 +3,6 @@ - diff --git a/contrib/win32/install/product.wxs b/contrib/win32/install/product.wxs index 9a47e4cb0..e7a283d80 100644 --- a/contrib/win32/install/product.wxs +++ b/contrib/win32/install/product.wxs @@ -38,11 +38,7 @@ - - - - - + diff --git a/contrib/win32/install/server.wxs b/contrib/win32/install/server.wxs index e63b36449..87da7c738 100644 --- a/contrib/win32/install/server.wxs +++ b/contrib/win32/install/server.wxs @@ -3,7 +3,6 @@ - diff --git a/contrib/win32/install/shared.wxs b/contrib/win32/install/shared.wxs index d2b3793f1..5c4eaec03 100644 --- a/contrib/win32/install/shared.wxs +++ b/contrib/win32/install/shared.wxs @@ -70,15 +70,6 @@ - - - - - - - - - From b89ee6aa372f03fd10ae13e5af23b44be4456c79 Mon Sep 17 00:00:00 2001 From: Steve Lee Date: Mon, 29 Apr 2024 08:43:53 -0700 Subject: [PATCH 5/7] fix how build script finds repo root (#729) Co-authored-by: Steve Lee (POWERSHELL HE/HIM) (from Dev Box) --- contrib/win32/openssh/OpenSSH-build.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/win32/openssh/OpenSSH-build.ps1 b/contrib/win32/openssh/OpenSSH-build.ps1 index 2cfeff5cf..22c6794a8 100644 --- a/contrib/win32/openssh/OpenSSH-build.ps1 +++ b/contrib/win32/openssh/OpenSSH-build.ps1 
@@ -1,7 +1,7 @@
 [cmdletbinding()]
 # PowerShell Script to clone, build and package PowerShell from specified fork and branch
 param (
- [string] $repolocation = "$pwd\openssh-portable",
+ [string] $repolocation = "$PSScriptRoot\..\..\..",
 [string] $destination = "$env:WORKSPACE",
 [ValidateSet('x86', 'x64', 'arm64', 'arm')]
 [String]$NativeHostArch = 'x64',
From afe9007141a284fe9fa47553fddb05aca0c1b80c Mon Sep 17 00:00:00 2001 From: Tess Gauthier Date: Tue, 7 May 2024 11:52:20 -0400 Subject: [PATCH 6/7] remove HAVE_FREEZERO from preprocessor definitions (#730) --- contrib/win32/openssh/config.h.vs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/contrib/win32/openssh/config.h.vs b/contrib/win32/openssh/config.h.vs
index d19b10758..abb2229c2 100644
--- a/contrib/win32/openssh/config.h.vs
+++ b/contrib/win32/openssh/config.h.vs
@@ -1698,7 +1698,7 @@
 #define HAVE_BZERO 1
 #define PATH_MAX 32768
-#define S_IFIFO 0x1000
+#define S_IFIFO 0x1000
 #define HAVE_EXPLICIT_BZERO
 #define HAVE_MBTOWC 1
 #define HAVE_LLABS 1
@@ -1713,7 +1713,7 @@
 #define __STDC__ 1
 #define umac128_new umac_new
-#define umac128_update umac_update
+#define umac128_update umac_update
 #define umac_final umac128_final
 #define umac_delete umac128_delete
@@ -1727,7 +1727,6 @@
 #define _PATH_LS "dir"
 #define _PATH_DEVNULL "NUL"
 #define FORK_NOT_SUPPORTED
-#define HAVE_FREEZERO
 #define FILESYSTEM_NO_BACKSLASH
 #define HAVE_LOCALTIME_R
 #define HAVE_DECL_MEMMEM 0
From 661803c9ec4d7dee6574eb6ff0c85b2b7006edb1 Mon Sep 17 00:00:00 2001 From: Andrew Date: Tue, 7 May 2024 13:15:28 -0700 Subject: [PATCH 7/7] Allow SID strings in sshd_config (#724) * SIDs in sshd_config * add #include to servconf.c --------- Co-authored-by: Tess Gauthier --- contrib/win32/win32compat/win32_groupaccess.c | 27 +++++++ servconf.c | 72 +++++++++++++++++++ 2 files changed, 99 insertions(+)
diff --git a/contrib/win32/win32compat/win32_groupaccess.c b/contrib/win32/win32compat/win32_groupaccess.c
index a8beecdd0..4d2faa402 100644
--- a/contrib/win32/win32compat/win32_groupaccess.c
+++ b/contrib/win32/win32compat/win32_groupaccess.c
@@ -190,6 +190,29 @@ check_group_membership(const char* group)
 {
 PSID sid = NULL;
 BOOL is_member = 0;
+ char* utf8_group_name = NULL;
+
+ // it can be a SID string; if it is - use localized name for that SID
+ wchar_t* group_utf16 = utf8_to_utf16(group);
+ if (ConvertStringSidToSidW(group_utf16, &sid) != 0) {
+ WCHAR group_name[UNLEN + 1];
+ DWORD group_name_length = UNLEN + 1;
+ WCHAR domain_name[DNLEN + 1] = L"";
+ DWORD domain_name_size = DNLEN + 1;
+ SID_NAME_USE account_type = 0;
+ if (LookupAccountSidW(NULL, sid, group_name, &group_name_length,
+ domain_name, &domain_name_size, &account_type) != 0) {
+ utf8_group_name = utf16_to_utf8(group_name);
+ debug3_f("'%s' is translated to '%s'", group, utf8_group_name);
+ group = utf8_group_name;
+ } else {
+ debug3_f("LookupAccountSid failed for '%s'", group);
+ }
+ }
+ else
+ {
+ debug3_f("'%s' not recognized as SID", group);
+ }
 if ((sid = get_sid(group)) == NULL) {
 error("unable to resolve group %s", group);
@@ -202,6 +225,10 @@ check_group_membership(const char* group)
 cleanup:
 if (sid)
 free(sid);
+ if (group_utf16)
+ free(group_utf16);
+ if (utf8_group_name)
+ free(utf8_group_name);
 return is_member? 1: 0;
 }
diff --git a/servconf.c b/servconf.c
index 8d402054a..8e2f8971f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -11,6 +11,10 @@
 */
 #include "includes.h"
+#ifdef WINDOWS
+#include
+#include
+#endif // WINDOWS
 #include
 #include
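Review bot: The SID that `ConvertStringSidToSidW(group_utf16, &sid)` allocates in check_group_membership is never released: a few lines later `sid = get_sid(group)` overwrites the pointer, and the cleanup hunk below only passes the `get_sid` result to `free()`, whereas the servconf.c hunks of this commit release theirs with `LocalFree(Sid)`. Adding `LocalFree(sid); sid = NULL;` as the last statements of the `if (ConvertStringSidToSidW(...) != 0)` branch closes the leak and keeps the two allocators apart. `group_utf16` and the result of `utf16_to_utf8` are also used without a NULL check (the latter goes straight into `debug3_f` and `get_sid`), which is worth adding if those helpers can fail. The rest of check_group_membership lies outside the hunk.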
@@ -1827,6 +1831,34 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 uintptr = &options->num_allow_users;
 parse_allowdenyusers:
 while ((arg = argv_next(&ac, &av)) != NULL) {
+#ifdef WINDOWS
+ // it can be a SID string; if it is - use localized name for that SID
+ PSID Sid = NULL;
+ char* utf8_user_name = NULL;
+ wchar_t* arg_utf16 = utf8_to_utf16(arg);
+ if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
+ WCHAR user_name[UNLEN + 1];
+ DWORD user_name_length = UNLEN + 1;
+ WCHAR domain_name[DNLEN + 1] = L"";
+ DWORD domain_name_size = DNLEN + 1;
+ SID_NAME_USE account_type = 0;
+ if (LookupAccountSidW(NULL, Sid, user_name, &user_name_length,
+ domain_name, &domain_name_size, &account_type) != 0) {
+ utf8_user_name = utf16_to_utf8(user_name);
+ debug3_f("'%s' is translated to '%s'", arg, utf8_user_name);
+ arg = utf8_user_name;
+ } else {
+ debug3_f("LookupAccountSid failed for '%s'", arg);
+ }
+
+ if (Sid)
+ LocalFree(Sid);
+ }
+ else
+ {
+ debug3_f("'%s' not recognized as SID", arg);
+ }
+#endif // WINDOWS
 if (*arg == '\0' || match_user(NULL, NULL, NULL, arg) == -1)
 fatal("%s line %d: invalid %s pattern: \"%s\"",
@@ -1835,6 +1867,12 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 continue;
 opt_array_append(filename, linenum, keyword, chararrayptr, uintptr, arg);
+#ifdef WINDOWS
+ if (utf8_user_name)
+ free(utf8_user_name);
+ if (arg_utf16)
+ free(arg_utf16);
+#endif // WINDOWS
 }
 break;
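Review bot: `LookupAccountSidW` fills `domain_name`, but only `user_name` is copied into `arg`, so a SID written in an allow/deny user list is reduced to a bare account name before it is validated and stored as a pattern. If logins are later matched against a domain-qualified name, which these lines do not show, the stored pattern could miss the account the SID identifies or match a same-named account from another authority; the hunk should either build the pattern from both parts or carry a comment stating why the domain can be dropped. The same applies to the group-list hunk further down in servconf.c and to check_group_membership in win32_groupaccess.c. Separately, `arg = utf8_user_name;` is followed by `*arg` with no check that `utf16_to_utf8` returned a string; `if (utf8_user_name != NULL) arg = utf8_user_name;` would keep the original token in that case.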
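Review bot: The two `free()` calls are placed after `opt_array_append`, so the `continue;` at the top of this hunk leaves the iteration without releasing `utf8_user_name` and `arg_utf16`; the guard for that `continue` lies just above the hunk, and the group-list hunk below shows the same shape with `if (!*activep)` visible. Freeing both pointers ahead of the `continue` as well, or restructuring so that the append is conditional and the frees always run, avoids the leak in both loops. Since `free(NULL)` is a no-op, the `if (utf8_user_name)` and `if (arg_utf16)` guards can be dropped.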
@@ -1851,10 +1889,44 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 if (*arg == '\0')
 fatal("%s line %d: empty %s pattern", filename, linenum, keyword);
+#ifdef WINDOWS
+ // it can be a SID string; if it is - use localized name for that SID
+ PSID Sid = NULL;
+ char* utf8_group_name = NULL;
+ wchar_t* arg_utf16 = utf8_to_utf16(arg);
+ if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
+ WCHAR group_name[UNLEN + 1];
+ DWORD group_name_length = UNLEN + 1;
+ WCHAR domain_name[DNLEN + 1] = L"";
+ DWORD domain_name_size = DNLEN + 1;
+ SID_NAME_USE account_type = 0;
+ if (LookupAccountSidW(NULL, Sid, group_name, &group_name_length,
+ domain_name, &domain_name_size, &account_type) != 0) {
+ utf8_group_name = utf16_to_utf8(group_name);
+ debug3_f("'%s' is translated to '%s'", arg, utf8_group_name);
+ arg = utf8_group_name;
+ } else {
+ debug3_f("LookupAccountSid failed for '%s'", arg);
+ }
+
+ if (Sid)
+ LocalFree(Sid);
+ }
+ else
+ {
+ debug3_f("'%s' not recognized as SID", arg);
+ }
+#endif // WINDOWS
 if (!*activep)
 continue;
 opt_array_append(filename, linenum, keyword, chararrayptr, uintptr, arg);
+#ifdef WINDOWS
+ if (utf8_group_name)
+ free(utf8_group_name);
+ if (arg_utf16)
+ free(arg_utf16);
+#endif // WINDOWS
 }
 break;
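Review bot: This is the third copy of the same SID-to-name translation in the commit (the user-list hunk above and check_group_membership in win32_groupaccess.c hold the other two), and the copies already differ where it matters: this one calls `LocalFree(Sid)`, the one in win32_groupaccess.c does not. A single static helper that takes the token and returns a newly allocated name or NULL would leave one place for the allocation checks and the SID cleanup; a sketch follows, with the call site reduced to three lines. The helper name is only a proposal, and process_server_config_line_depth starts and ends outside the hunk.

```c
#ifdef WINDOWS
/*
 * Returns the account name for a SID string as a newly allocated UTF-8
 * string, or NULL when s is not a SID string or cannot be resolved.
 * The caller frees the result.
 */
static char *
sid_string_to_account_name(const char *s)
{
	PSID sid = NULL;
	char *name_utf8 = NULL;
	wchar_t *s_utf16 = utf8_to_utf16(s);

	if (s_utf16 == NULL)
		return NULL;
	if (ConvertStringSidToSidW(s_utf16, &sid) != 0) {
		WCHAR name[UNLEN + 1];
		DWORD name_len = UNLEN + 1;
		WCHAR domain[DNLEN + 1] = L"";
		DWORD domain_len = DNLEN + 1;
		SID_NAME_USE use = 0;

		if (LookupAccountSidW(NULL, sid, name, &name_len,
		    domain, &domain_len, &use) != 0)
			name_utf8 = utf16_to_utf8(name);
		else
			debug3_f("LookupAccountSid failed for '%s'", s);
		LocalFree(sid);	/* SID buffer comes from ConvertStringSidToSidW */
	} else {
		debug3_f("'%s' not recognized as SID", s);
	}
	free(s_utf16);
	return name_utf8;
}
#endif /* WINDOWS */

/* ... unchanged: empty-pattern check ... */
#ifdef WINDOWS
			char *sid_name = sid_string_to_account_name(arg);
			if (sid_name != NULL)
				arg = sid_name;
#endif /* WINDOWS */
/* ... unchanged: activep check and opt_array_append; free(sid_name) on both ways out of the iteration ... */
```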