tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-09-26 03:18:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream-openssh-portable/master' into sync-with-upstream-2

Browse Source
This commit is contained in:
Tess Gauthier 2024-02-20 11:50:49 -05:00
commit c02b47e35d
8 changed files with 97 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.skipped-commit-ids
View File

@ -1,3 +1,4 @@
509bb19bb9762a4b3b589af98bac2e730541b6d4 clean sshd random relinking kit
5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles 5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles
a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes
f2c9feb26963615c4fece921906cf72e248b61ee more Makefile f2c9feb26963615c4fece921906cf72e248b61ee more Makefile

4
configure.ac
View File

@ -2802,8 +2802,8 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([$ssl_header_ver]) AC_MSG_RESULT([$ssl_header_ver])
], ],
[ [
AC_MSG_RESULT([not found]) AC_MSG_RESULT([failed])
AC_MSG_ERROR([OpenSSL version header not found.]) AC_MSG_ERROR([OpenSSL version test program failed.])
], ],
[ [
AC_MSG_WARN([cross compiling: not checking]) AC_MSG_WARN([cross compiling: not checking])

10
kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.121 2023/12/18 14:45:49 djm Exp $ */ /* $OpenBSD: kex.h,v 1.122 2024/02/02 00:13:34 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -109,10 +109,10 @@ enum kex_exchange {
#define KEX_INIT_SENT 0x0001 #define KEX_INIT_SENT 0x0001
#define KEX_INITIAL 0x0002 #define KEX_INITIAL 0x0002
#define KEX_HAS_PUBKEY_HOSTBOUND 0x0004 #define KEX_HAS_PUBKEY_HOSTBOUND 0x0004
#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */ #define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */ #define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
#define KEX_HAS_PING 0x0020 #define KEX_HAS_PING 0x0020
#define KEX_HAS_EXT_INFO_IN_AUTH 0x0040 #define KEX_HAS_EXT_INFO_IN_AUTH 0x0040
struct sshenc { struct sshenc {
char *name; char *name;

51
regress/putty-ciphers.sh
View File

@ -1,24 +1,47 @@
# $OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $ # $OpenBSD: putty-ciphers.sh,v 1.13 2024/02/09 08:56:59 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="putty ciphers" tid="putty ciphers"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then puttysetup
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions. cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do # Since there doesn't seem to be a way to set MACs on the PuTTY client side,
verbose "$tid: cipher $c" # we force each in turn on the server side, omitting the ones PuTTY doesn't
# support. Grepping the binary is pretty janky, but AFAIK there's no way to
# query for supported algos.
macs=""
for m in `${SSH} -Q MACs`; do
if strings "${PLINK}" | grep -E "^${m}$" >/dev/null; then
macs="${macs} ${m}"
else
trace "omitting unsupported MAC ${m}"
fi
done
ciphers=""
for c in `${SSH} -Q Ciphers`; do
if strings "${PLINK}" | grep -E "^${c}$" >/dev/null; then
ciphers="${ciphers} ${c}"
else
trace "omitting unsupported cipher ${c}"
fi
done
for c in default $ciphers; do
for m in default ${macs}; do
verbose "$tid: cipher $c mac $m"
cp ${OBJ}/.putty/sessions/localhost_proxy \ cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/cipher_$c ${OBJ}/.putty/sessions/cipher_$c
echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c if [ "${c}" != "default" ]; then
echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
fi
cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
if [ "${m}" != "default" ]; then
echo "MACs $m" >> ${OBJ}/sshd_proxy
fi
rm -f ${COPY} rm -f ${COPY}
env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
@ -27,6 +50,6 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
fail "ssh cat $DATA failed" fail "ssh cat $DATA failed"
fi fi
cmp ${DATA} ${COPY} || fail "corrupted copy" cmp ${DATA} ${COPY} || fail "corrupted copy"
done
done done
rm -f ${COPY} rm -f ${COPY}

44
regress/putty-kex.sh
View File

@ -1,28 +1,36 @@
# $OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $ # $OpenBSD: putty-kex.sh,v 1.11 2024/02/09 08:56:59 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="putty KEX" tid="putty KEX"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then puttysetup
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions. cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do # Enable group1, which PuTTY now disables by default
verbose "$tid: kex $k" echo "KEX=dh-group1-sha1" >>${OBJ}/.putty/sessions/localhost_proxy
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/kex_$k
echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true # Grepping algos out of the binary is pretty janky, but AFAIK there's no way
if [ $? -ne 0 ]; then # to query supported algos.
fail "KEX $k failed" kex=""
for k in `$SSH -Q kex`; do
if strings "${PLINK}" | grep -E "^${k}$" >/dev/null; then
kex="${kex} ${k}"
else
trace "omitting unsupported KEX ${k}"
fi fi
done done
for k in ${kex}; do
verbose "$tid: kex $k"
cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
2>${OBJ}/log/putty-kex-$k.log
if [ $? -ne 0 ]; then
fail "KEX $k failed"
fi
kexmsg=`grep -E '^Doing.* key exchange' ${OBJ}/log/putty-kex-$k.log`
trace putty: ${kexmsg}
done

13
regress/putty-transfer.sh
View File

@ -1,18 +1,9 @@
# $OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $ # $OpenBSD: putty-transfer.sh,v 1.12 2024/02/09 08:47:42 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="putty transfer data" tid="putty transfer data"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then puttysetup
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions.
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
if [ "`${SSH} -Q compression`" = "none" ]; then if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0" comp="0"

25
regress/test-exec.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: test-exec.sh,v 1.105 2023/10/31 04:15:40 dtucker Exp $ # $OpenBSD: test-exec.sh,v 1.107 2024/02/19 09:25:52 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
#SUDO=sudo #SUDO=sudo
@ -843,7 +843,11 @@ case "$SCRIPT" in
*) REGRESS_INTEROP_PUTTY=no ;; *) REGRESS_INTEROP_PUTTY=no ;;
esac esac
if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then puttysetup() {
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
skip "putty interop tests not enabled"
fi
mkdir -p ${OBJ}/.putty mkdir -p ${OBJ}/.putty
# Add a PuTTY key to authorized_keys # Add a PuTTY key to authorized_keys
@ -876,9 +880,24 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
verbose "plink version ${PUTTYVER} minor ${PUTTYMINORVER}"
# Re-enable ssh-rsa on older PuTTY versions since they don't do newer
# key types.
if [ "$PUTTYMINORVER" -lt "76" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
if [ "$PUTTYMINORVER" -le "64" ]; then
echo "KexAlgorithms +diffie-hellman-group14-sha1" \
>>${OBJ}/sshd_proxy
fi
PUTTYDIR=${OBJ}/.putty PUTTYDIR=${OBJ}/.putty
export PUTTYDIR export PUTTYDIR
fi }
REGRESS_INTEROP_DROPBEAR=no REGRESS_INTEROP_DROPBEAR=no
if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then

4
servconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.403 2023/10/11 22:42:26 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.404 2024/02/20 04:10:03 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -1949,7 +1949,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
arg = argv_assemble(1, &arg); /* quote command correctly */ arg = argv_assemble(1, &arg); /* quote command correctly */
arg2 = argv_assemble(ac, av); /* rest of command */ arg2 = argv_assemble(ac, av); /* rest of command */
xasprintf(&options->subsystem_args[options->num_subsystems], xasprintf(&options->subsystem_args[options->num_subsystems],
"%s %s", arg, arg2); "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
free(arg2); free(arg2);
argv_consume(&ac); argv_consume(&ac);
options->num_subsystems++; options->num_subsystems++;