Merge remote-tracking branch 'upstream-openssh-portable/master' into sync-with-upstream-2

2024-02-20 11:50:49 -05:00 · 2024-02-20 11:50:49 -05:00 · c02b47e35d
parent 915c6e367c ee6d932acb
commit c02b47e35d
8 changed files with 97 additions and 55 deletions
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@ -1,3 +1,4 @@
+509bb19bb9762a4b3b589af98bac2e730541b6d4	clean sshd random relinking kit
 5317f294d63a876bfc861e19773b1575f96f027d	remove libssh from makefiles
 a337e886a49f96701ccbc4832bed086a68abfa85	Makefile changes
 f2c9feb26963615c4fece921906cf72e248b61ee	more Makefile
--- a/configure.ac
+++ b/configure.ac
@ -2802,8 +2802,8 @@ if test "x$openssl" = "xyes" ; then
 			AC_MSG_RESULT([$ssl_header_ver])
 		],
 		[
-			AC_MSG_RESULT([not found])
-			AC_MSG_ERROR([OpenSSL version header not found.])
+			AC_MSG_RESULT([failed])
+			AC_MSG_ERROR([OpenSSL version test program failed.])
 		],
 		[
 			AC_MSG_WARN([cross compiling: not checking])
--- a/kex.h
+++ b/kex.h
@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.121 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.122 2024/02/02 00:13:34 djm Exp $ */

 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@ -109,10 +109,10 @@ enum kex_exchange {
 #define KEX_INIT_SENT			0x0001
 #define KEX_INITIAL			0x0002
 #define KEX_HAS_PUBKEY_HOSTBOUND	0x0004
-#define KEX_RSA_SHA2_256_SUPPORTED 	0x0008 /* only set in server for now */
-#define KEX_RSA_SHA2_512_SUPPORTED 	0x0010 /* only set in server for now */
-#define KEX_HAS_PING		 	0x0020
-#define KEX_HAS_EXT_INFO_IN_AUTH 	0x0040
+#define KEX_RSA_SHA2_256_SUPPORTED	0x0008 /* only set in server for now */
+#define KEX_RSA_SHA2_512_SUPPORTED	0x0010 /* only set in server for now */
+#define KEX_HAS_PING			0x0020
+#define KEX_HAS_EXT_INFO_IN_AUTH	0x0040

 struct sshenc {
 	char	*name;
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@ -1,24 +1,47 @@
-#	$OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
+#	$OpenBSD: putty-ciphers.sh,v 1.13 2024/02/09 08:56:59 dtucker Exp $
 #	Placed in the Public Domain.

 tid="putty ciphers"

-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	skip "putty interop tests not enabled"
-fi
+puttysetup

-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
-	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
-	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak

-for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-	verbose "$tid: cipher $c"
+# Since there doesn't seem to be a way to set MACs on the PuTTY client side,
+# we force each in turn on the server side, omitting the ones PuTTY doesn't
+# support.  Grepping the binary is pretty janky, but AFAIK there's no way to
+# query for supported algos.
+macs=""
+for m in `${SSH} -Q MACs`; do
+	if strings "${PLINK}" | grep -E "^${m}$" >/dev/null; then
+		macs="${macs} ${m}"
+	else
+		trace "omitting unsupported MAC ${m}"
+	fi
+done
+
+ciphers=""
+for c in `${SSH} -Q Ciphers`; do
+	if strings "${PLINK}" | grep -E "^${c}$" >/dev/null; then
+		ciphers="${ciphers} ${c}"
+	else
+		trace "omitting unsupported cipher ${c}"
+	fi
+done
+
+for c in default $ciphers; do
+    for m in default ${macs}; do
+	verbose "$tid: cipher $c mac $m"
 	cp ${OBJ}/.putty/sessions/localhost_proxy \
 	    ${OBJ}/.putty/sessions/cipher_$c
-	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+	if [ "${c}" != "default" ]; then
+		echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+	fi
+
+	cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+	if [ "${m}" != "default" ]; then
+		echo "MACs $m" >> ${OBJ}/sshd_proxy
+	fi

 	rm -f ${COPY}
 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
@ -27,6 +50,6 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
 		fail "ssh cat $DATA failed"
 	fi
 	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+    done
 done
 rm -f ${COPY}
-
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@ -1,28 +1,36 @@
-#	$OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $
+#	$OpenBSD: putty-kex.sh,v 1.11 2024/02/09 08:56:59 dtucker Exp $
 #	Placed in the Public Domain.

 tid="putty KEX"

-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	skip "putty interop tests not enabled"
-fi
+puttysetup

-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
-	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
-	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak

-for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-	verbose "$tid: kex $k"
-	cp ${OBJ}/.putty/sessions/localhost_proxy \
-	    ${OBJ}/.putty/sessions/kex_$k
-	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+# Enable group1, which PuTTY now disables by default
+echo "KEX=dh-group1-sha1" >>${OBJ}/.putty/sessions/localhost_proxy

-	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
-	if [ $? -ne 0 ]; then
-		fail "KEX $k failed"
+# Grepping algos out of the binary is pretty janky, but AFAIK there's no way
+# to query supported algos.
+kex=""
+for k in `$SSH -Q kex`; do
+	if strings "${PLINK}" | grep -E "^${k}$" >/dev/null; then
+		kex="${kex} ${k}"
+	else
+		trace "omitting unsupported KEX ${k}"
 	fi
 done

+for k in ${kex}; do
+	verbose "$tid: kex $k"
+	cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+	echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
+
+	env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
+	    2>${OBJ}/log/putty-kex-$k.log
+	if [ $? -ne 0 ]; then
+		fail "KEX $k failed"
+	fi
+	kexmsg=`grep -E '^Doing.* key exchange' ${OBJ}/log/putty-kex-$k.log`
+	trace putty: ${kexmsg}
+done
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@ -1,18 +1,9 @@
-#	$OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
+#	$OpenBSD: putty-transfer.sh,v 1.12 2024/02/09 08:47:42 dtucker Exp $
 #	Placed in the Public Domain.

 tid="putty transfer data"

-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	skip "putty interop tests not enabled"
-fi
-
-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
-	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
-	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+puttysetup

 if [ "`${SSH} -Q compression`" = "none" ]; then
 	comp="0"
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.105 2023/10/31 04:15:40 dtucker Exp $
+#	$OpenBSD: test-exec.sh,v 1.107 2024/02/19 09:25:52 dtucker Exp $
 #	Placed in the Public Domain.

 #SUDO=sudo
@ -843,7 +843,11 @@ case "$SCRIPT" in
 *)		REGRESS_INTEROP_PUTTY=no ;;
 esac

-if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
+puttysetup() {
+	if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
+		skip "putty interop tests not enabled"
+	fi
+
 	mkdir -p ${OBJ}/.putty

 	# Add a PuTTY key to authorized_keys
@ -876,9 +880,24 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
 	echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
 	echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy

+	PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
+	PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
+	verbose "plink version ${PUTTYVER} minor ${PUTTYMINORVER}"
+
+	# Re-enable ssh-rsa on older PuTTY versions since they don't do newer
+	# key types.
+	if [ "$PUTTYMINORVER" -lt "76" ]; then
+		echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+		echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
+	fi
+
+	if [ "$PUTTYMINORVER" -le "64" ]; then
+		echo "KexAlgorithms +diffie-hellman-group14-sha1" \
+		    >>${OBJ}/sshd_proxy
+	fi
 	PUTTYDIR=${OBJ}/.putty
 	export PUTTYDIR
-fi
+}

 REGRESS_INTEROP_DROPBEAR=no
 if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then
--- a/servconf.c
+++ b/servconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.403 2023/10/11 22:42:26 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.404 2024/02/20 04:10:03 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@ -1949,7 +1949,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		arg = argv_assemble(1, &arg); /* quote command correctly */
 		arg2 = argv_assemble(ac, av); /* rest of command */
 		xasprintf(&options->subsystem_args[options->num_subsystems],
-		    "%s %s", arg, arg2);
+		    "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
 		free(arg2);
 		argv_consume(&ac);
 		options->num_subsystems++;