merge latestw_all

contrib/win32/install/server.wxs

@@ -49,6 +49,7 @@
                     Protocol="tcp"
                     Port="22"
                     Scope="any"
+                    Profile="private"
                     />
             </Component>
             <Component>

contrib/win32/openssh/paths.targets

@@ -7,8 +7,8 @@
     <LibreSSLVersion>3.7.2.0</LibreSSLVersion>
     <ZLibVersion>1.2.13</ZLibVersion>
     <fido2Version>1.13.0</fido2Version>
-    <!--libcbor version is not used in the bulid; it is needed for pipeline compliance tasks-->
-    <libcborVersion>0.10.1</libcborVersion>
+    <!--libcbor version is not used in the build; it is needed for pipeline compliance tasks-->  
+    <libcborVersion>0.10.1</libcborVersion> 
     <LibreSSL-Path>$(SolutionDir)\LibreSSL\sdk\</LibreSSL-Path>
     <LibreSSL-x86-Path>$(SolutionDir)\LibreSSL\bin\desktop\x86\</LibreSSL-x86-Path>
     <LibreSSL-x64-Path>$(SolutionDir)\LibreSSL\bin\desktop\x64\</LibreSSL-x64-Path>

contrib/win32/openssh/version.rc

@@ -51,8 +51,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 9,2,0,0
- PRODUCTVERSION 9,2,0,0
+ FILEVERSION 9,2,2,0
+ PRODUCTVERSION 9,2,2,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -67,7 +67,7 @@ BEGIN
     BEGIN
         BLOCK "040904b0"
         BEGIN
-            VALUE "FileVersion", "9.2.0.0"
+            VALUE "FileVersion", "9.2.2.0"
             VALUE "ProductName", "OpenSSH for Windows"
             VALUE "ProductVersion", "OpenSSH_9.2p1 for Windows"
         END

contrib/win32/win32compat/ssh-agent/connection.c

@@ -143,6 +143,7 @@ process_request(struct agent_connection* con)
 		r = process_unsupported_request(request, response, con);
 		break;
 	case SSH2_AGENTC_ADD_IDENTITY:
+	case SSH2_AGENTC_ADD_ID_CONSTRAINED:
 		r =  process_add_identity(request, response, con);
 		break;
 	case SSH2_AGENTC_REQUEST_IDENTITIES:

contrib/win32/win32compat/ssh-agent/keyagent-request.c

@@ -224,6 +224,64 @@ process_unsupported_request(struct sshbuf* request, struct sshbuf* response, str
 	return r;
 }
 
+static int
+parse_key_constraint_extension(struct sshbuf *m)
+{
+	char *ext_name = NULL, *skprovider = NULL;
+	int r;
+
+	if ((r = sshbuf_get_cstring(m, &ext_name, NULL)) != 0) {
+		error_fr(r, "parse constraint extension");
+		goto out;
+	}
+	debug_f("constraint ext %s", ext_name);
+	if (strcmp(ext_name, "sk-provider@openssh.com") == 0) {
+		if ((r = sshbuf_get_cstring(m, &skprovider, NULL)) != 0) {
+			error_fr(r, "parse %s", ext_name);
+			goto out;
+		}
+		if (strcmp(skprovider, "internal") != 0) {
+			error_f("unsupported sk-provider: %s", skprovider);
+			r = SSH_ERR_FEATURE_UNSUPPORTED;
+			goto out;
+		}
+	} else {
+		error_f("unsupported constraint \"%s\"", ext_name);
+		r = SSH_ERR_FEATURE_UNSUPPORTED;
+		goto out;
+	}
+	/* success */
+	r = 0;
+ out:
+	free(ext_name);
+	return r;
+}
+
+static int
+parse_key_constraints(struct sshbuf *m)
+{
+	int r;
+	u_char ctype;
+
+	while (sshbuf_len(m)) {
+		if ((r = sshbuf_get_u8(m, &ctype)) != 0) {
+			error("get constraint type returned %d", r);
+			return r;
+		}
+		switch (ctype) {
+		case SSH_AGENT_CONSTRAIN_EXTENSION:
+			if ((r = parse_key_constraint_extension(m)) != 0)
+				return r;
+			break;
+		default:
+			error("Unknown constraint %d", ctype);
+			return SSH_ERR_FEATURE_UNSUPPORTED;
+		}
+	}
+
+	return 0;
+}
+
 int
 process_add_identity(struct sshbuf* request, struct sshbuf* response, struct agent_connection* con) 
 {
@@ -242,12 +300,18 @@ process_add_identity(struct sshbuf* request, struct sshbuf* response, struct age
 	blob = sshbuf_ptr(request);
 	if (sshkey_private_deserialize(request, &key) != 0 ||
 	   (blob_len = (sshbuf_ptr(request) - blob) & 0xffffffff) == 0 ||
-	    sshbuf_peek_string_direct(request, &comment, &comment_len) != 0) {
+	    sshbuf_get_cstring(request, &comment, &comment_len) != 0) {
 		debug("key add request is invalid");
 		request_invalid = 1;
 		goto done;
 	}
 
+	if ((r = parse_key_constraints(request)) != 0) {
+		if (r != SSH_ERR_FEATURE_UNSUPPORTED)
+			request_invalid = 1;
+		goto done;
+	}
+
 	memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
 	sa.nLength = sizeof(sa);
 	if ((!ConvertStringSecurityDescriptorToSecurityDescriptorW(REG_KEY_SDDL, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) ||

contrib/win32/win32compat/termio.c

@@ -263,6 +263,22 @@ int
 syncio_close(struct w32_io* pio)
 {
 	debug4("syncio_close - pio:%p", pio);
+
+	/*
+	* Wait for io write operation that is called by worker thread to terminate
+	* to avoid the write operation being terminated prematurely by CancelIoEx.
+	* If you see any process waiting here indefinitely - its because no one
+	* is draining from other end of the pipe. This is an unfortunate
+	* consequence that should otherwise have very little impact on practical
+	* scenarios.
+	*/
+	if (pio->write_details.pending) {
+		WaitForSingleObject(pio->write_overlapped.hEvent, INFINITE);
+
+		/* drain queued APCs */
+		SleepEx(0, TRUE);
+	}
+
 	CancelIoEx(WINHANDLE(pio), NULL);
 
 	/* If io is pending, let worker threads exit. */
@@ -279,10 +295,10 @@ syncio_close(struct w32_io* pio)
 
 		WaitForSingleObject(pio->read_overlapped.hEvent, INFINITE);
 	}
-	if (pio->write_details.pending)
-		WaitForSingleObject(pio->write_overlapped.hEvent, INFINITE);
+
 	/* drain queued APCs */
 	SleepEx(0, TRUE);
+
 	/* TODO - fix this, closing Console handles is interfering with TTY/PTY rendering */
 	if (FILETYPE(pio) != FILE_TYPE_CHAR)
 		CloseHandle(WINHANDLE(pio));

openbsd-compat/arc4random.c

@@ -97,6 +97,7 @@ _rs_init(u_char *buf, size_t n)
 {
 	if (n < KEYSZ + IVSZ)
 		return;
+}
 
 #ifndef WITH_OPENSSL
 #ifdef WINDOWS

ssh-sk.c

@@ -133,7 +133,7 @@ sshsk_open(const char *path)
 		goto fail;
 #endif
 	}
-	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { // CodeQL [SM01925]: upstream code that permits user input to specify external provider is by design, but only accessible via CLI parameter
 		error("Provider \"%s\" dlopen failed: %s", path, dlerror());
 		goto fail;
 	}