Merge 10.0p2

.git_allowed_signers

@@ -1,7 +1,11 @@
-[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
+[email protected] valid-before="20241206" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
 [email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDV81zWQ1+XVfWH5z4L4klDQ/z/6l2GLphfSTX/Rmq6kL5H8mkfzUlryxLlkN8cD9srtVJBAmwJWfJBNsCo958YAAAAEc3NoOg==
+[email protected] [email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIElSYahCw60CGct39Eg9EY8OLV9Ppr7tsudvSiMyNHOhAAAABHNzaDo=
 
 [email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg==
 [email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg==
 [email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg==
 [email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPM4BmUg/fMnsl42JwktTekk/mB8Be3M+yK2ayg6lqYsqEri8yhRx84gey51OHKVk1TwlGbJjcMHI4URreDBEMQAAAAEc3NoOg==
+
+[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/L8E1DfiZ9cHzygqx0IzRCSAlmh4tXH7mZPwWZEY1L
+

.github/ci-status.md

@@ -6,6 +6,10 @@ master :
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
 
+9.9 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_9)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)
+
 9.8 :
 [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
 [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)

.github/configs

@@ -129,13 +129,21 @@ case "$config" in
     kitchensink)
 	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
+	CONFIGFLAGS="${CONFIGFLAGS} --with-linux-memlock-onfault"
 	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
 	;;
     hardenedmalloc)
 	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
 	;;
     tcmalloc)
 	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+	# tcmalloc may, depending on the stacktrace generator it uses, create
+	# pipe(2) fds during shared library initialisation. These will later
+	# get clobbered by ssh/sshd calling closefrom() and chaos will ensue.
+	# Tell tcmalloc to use an unwinder that doesn't pull this stuff.
+	TCMALLOC_STACKTRACE_METHOD=generic_fp
+	TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=generic_fp"
+	export TCMALLOC_STACKTRACE_METHOD TEST_SSH_SSHD_ENV
 	;;
     krb5|heimdal)
 	CONFIGFLAGS="--with-kerberos5"
@@ -161,6 +169,9 @@ case "$config" in
 	CONFIGFLAGS="--disable-pkcs11"
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
 	;;
+	aws-lc)
+	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
+	;;
     libressl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
 	;;
@@ -181,13 +192,13 @@ case "$config" in
 	CONFIGFLAGS="--with-selinux"
 	;;
     sk)
-	CONFIGFLAGS="--with-security-key-builtin"
+	CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
         ;;
     without-openssl)
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-5]|valgrind-unit)
+    valgrind-[1-4]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -197,10 +208,9 @@ case "$config" in
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into separate tests.
-	tests2="integrity try-ciphers"
+	tests2="integrity try-ciphers rekey"
 	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
-	tests5="rekey"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind),
@@ -220,9 +230,6 @@ case "$config" in
 	    valgrind-4)
 		LTESTS="${tests4}"
 		;;
-	    valgrind-5)
-		LTESTS="${tests5}"
-		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;
@@ -270,6 +277,10 @@ case "${TARGET_HOST}" in
 	# Native linker is not great with PIC so OpenSSL is built w/out.
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
 	;;
+    fbsd14-ppc64)
+	# Disable security key tests for bigendian interop test.
+	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+	;;
     hurd)
 	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
 	;;
@@ -300,8 +311,20 @@ case "${TARGET_HOST}" in
 	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
 	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
 	;;
+    openwrt-mipsel)
+	# Test most of the flags that OpenWRT sets for their package build.
+	# We only do this on one OpenWRT target for better coverage.
+	# The installed shared libraries installed by default are stripped and
+	# can't be linked to on the target systems.
+	OPENWRT_FLAGS="--disable-strip --disable-lastlog
+	   --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx
+	   --with-stackprotect --with-cflags-after=-fzero-call-used-regs=skip"
+	CONFIGFLAGS="${CONFIGFLAGS} $(echo ${OPENWRT_FLAGS}) --without-zlib --disable-security-key"
+	LIBCRYPTOFLAGS="--without-openssl"
+	TEST_TARGET="t-exec"
+	;;
     openwrt-*)
-	CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
+	CONFIGFLAGS="${CONFIGFLAGS} --without-zlib --disable-security-key"
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET="t-exec"
 	;;

.github/run_test.sh

@@ -33,17 +33,31 @@ output_failed_logs() {
 }
 trap output_failed_logs 0
 
+env=""
+if [ ! -z "${SUDO}" ]; then
+    env="${env} SUDO=${SUDO}"
+fi
+if [ ! -z "${TCMALLOC_STACKTRACE_METHOD}" ]; then
+    env="${env} TCMALLOC_STACKTRACE_METHOD=${TCMALLOC_STACKTRACE_METHOD}"
+fi
+if [ ! -z "${TEST_SSH_SSHD_ENV}" ]; then
+    env="${env} TEST_SSH_SSHD_ENV=${TEST_SSH_SSHD_ENV}"
+fi
+if [ ! -z "${env}" ]; then
+    env="env${env}"
+fi
+
 if [ -z "${LTESTS}" ]; then
-    make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
+    ${env} make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
 else
-    make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
+    ${env} make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
 fi
 
 if [ ! -z "${SSHD_CONFOPTS}" ]; then
     echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
     if [ -z "${LTESTS}" ]; then
-        make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+        ${env} make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
     else
-        make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+        ${env} make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
     fi
 fi

.github/setup_ci.sh

@@ -14,7 +14,7 @@ case "$host" in
 	echo Removing extended ACLs so umask works as expected.
 	setfacl -b . regress
 	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
-	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+	PACKAGES="$PACKAGES,make,openssl,libssl-devel,zlib-devel"
 	;;
 *-darwin*)
 	PACKAGER=brew
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
         INSTALL_BORINGSSL=1
         PACKAGES="${PACKAGES} cmake ninja-build"
        ;;
+    aws-lc)
+        INSTALL_AWSLC=1
+        PACKAGES="${PACKAGES} cmake ninja-build"
+        ;;
     putty-*)
 	INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
 	PACKAGES="${PACKAGES} cmake"
@@ -240,6 +244,15 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
      cp -r ${HOME}/boringssl/include /opt/boringssl)
 fi
 
+if [ ! -z "${INSTALL_AWSLC}" ]; then
+    (cd ${HOME} && git clone --depth 1 --branch v1.46.1 https://github.com/aws/aws-lc.git &&
+     cd ${HOME}/aws-lc && mkdir build && cd build &&
+     cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF .. && ninja &&
+     mkdir -p /opt/aws-lc/lib &&
+     cp ${HOME}/aws-lc/build/crypto/libcrypto.a /opt/aws-lc/lib &&
+     cp -r ${HOME}/aws-lc/include /opt/aws-lc)
+fi
+
 if [ ! -z "${INSTALL_ZLIB}" ]; then
     (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
      cd ${HOME}/zlib && ./configure && make &&

.github/workflows/c-cpp.yml

@@ -3,9 +3,9 @@ name: C/C++ CI
 on:
   workflow_dispatch: # disable for win32-openssh fork
   # push:
-  #   paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
+  #  paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
   # pull_request:
-  #   paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
+  #  paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
 
 jobs:
   ci:
@@ -16,11 +16,13 @@ jobs:
       matrix:
         # First we test all OSes in the default configuration.
         target:
-          - ubuntu-20.04
           - ubuntu-22.04
-          - macos-12
+          - ubuntu-latest
+          - ubuntu-22.04-arm
+          - ubuntu-24.04-arm
           - macos-13
           - macos-14
+          - macos-15
           - windows-2019
           - windows-2022
         config: [default]
@@ -29,34 +31,36 @@ jobs:
         include:
           - { target: windows-2019, config: cygwin-release }
           - { target: windows-2022, config: cygwin-release }
-          - { target: ubuntu-20.04, config: valgrind-1 }
-          - { target: ubuntu-20.04, config: valgrind-2 }
-          - { target: ubuntu-20.04, config: valgrind-3 }
-          - { target: ubuntu-20.04, config: valgrind-4 }
-          - { target: ubuntu-20.04, config: valgrind-5 }
-          - { target: ubuntu-20.04, config: valgrind-unit }
-          - { target: ubuntu-20.04, config: c89 }
-          - { target: ubuntu-20.04, config: clang-6.0 }
-          - { target: ubuntu-20.04, config: clang-8 }
-          - { target: ubuntu-20.04, config: clang-9 }
-          - { target: ubuntu-20.04, config: clang-10 }
-          - { target: ubuntu-20.04, config: clang-11 }
-          - { target: ubuntu-20.04, config: clang-12-Werror }
-          - { target: ubuntu-20.04, config: clang-sanitize-address }
-          - { target: ubuntu-20.04, config: clang-sanitize-undefined }
-          - { target: ubuntu-20.04, config: gcc-sanitize-address }
-          - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
-          - { target: ubuntu-20.04, config: gcc-7 }
-          - { target: ubuntu-20.04, config: gcc-8 }
-          - { target: ubuntu-20.04, config: gcc-10 }
+          - { target: ubuntu-22.04, config: c89 }
+          - { target: ubuntu-22.04, config: clang-11 }
+          - { target: ubuntu-22.04, config: clang-12-Werror }
+          - { target: ubuntu-22.04, config: clang-14 }
+          - { target: ubuntu-22.04, config: clang-sanitize-address }
+          - { target: ubuntu-22.04, config: clang-sanitize-undefined }
+          - { target: ubuntu-22.04, config: gcc-9 }
           - { target: ubuntu-22.04, config: gcc-11-Werror }
           - { target: ubuntu-22.04, config: gcc-12-Werror }
-          - { target: ubuntu-20.04, config: pam }
-          - { target: ubuntu-20.04, config: kitchensink }
+          - { target: ubuntu-22.04, config: gcc-sanitize-address }
+          - { target: ubuntu-22.04, config: gcc-sanitize-undefined }
           - { target: ubuntu-22.04, config: hardenedmalloc }
-          - { target: ubuntu-20.04, config: tcmalloc }
-          - { target: ubuntu-20.04, config: musl }
+          - { target: ubuntu-22.04, config: heimdal }
+          - { target: ubuntu-22.04, config: kitchensink }
+          - { target: ubuntu-22.04, config: krb5 }
+          - { target: ubuntu-22.04, config: libedit }
+          - { target: ubuntu-22.04, config: pam }
+          - { target: ubuntu-22.04, config: selinux }
+          - { target: ubuntu-22.04, config: sk }
+          - { target: ubuntu-22.04, config: valgrind-1 }
+          - { target: ubuntu-22.04, config: valgrind-2 }
+          - { target: ubuntu-22.04, config: valgrind-3 }
+          - { target: ubuntu-22.04, config: valgrind-4 }
+          - { target: ubuntu-22.04, config: valgrind-unit }
+          - { target: ubuntu-22.04, config: without-openssl }
+          - { target: ubuntu-latest, config: gcc-14 }
+          - { target: ubuntu-latest, config: clang-15 }
+          - { target: ubuntu-latest, config: clang-19 }
           - { target: ubuntu-latest, config: boringssl }
+          - { target: ubuntu-latest, config: aws-lc }
           - { target: ubuntu-latest, config: libressl-master }
           - { target: ubuntu-latest, config: libressl-3.2.6 }
           - { target: ubuntu-latest, config: libressl-3.3.6 }
@@ -65,18 +69,20 @@ jobs:
           - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
           - { target: ubuntu-latest, config: libressl-3.8.4 }
-          - { target: ubuntu-latest, config: libressl-3.9.1 }
+          - { target: ubuntu-latest, config: libressl-3.9.2 }
+          - { target: ubuntu-latest, config: libressl-4.0.0 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1t }
           - { target: ubuntu-latest, config: openssl-1.1.1w }
           - { target: ubuntu-latest, config: openssl-3.0.0 }
-          - { target: ubuntu-latest, config: openssl-3.0.13 }
+          - { target: ubuntu-latest, config: openssl-3.0.15 }
           - { target: ubuntu-latest, config: openssl-3.1.0 }
-          - { target: ubuntu-latest, config: openssl-3.1.5 }
-          - { target: ubuntu-latest, config: openssl-3.2.1 }
-          - { target: ubuntu-latest, config: openssl-3.3.0 }
+          - { target: ubuntu-latest, config: openssl-3.1.7 }
+          - { target: ubuntu-latest, config: openssl-3.2.3 }
+          - { target: ubuntu-latest, config: openssl-3.3.2 }
+          - { target: ubuntu-latest, config: openssl-3.4.0 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.1 }  # stable branch
@@ -92,19 +98,18 @@ jobs:
           - { target: ubuntu-latest, config: putty-0.78 }
           - { target: ubuntu-latest, config: putty-0.79 }
           - { target: ubuntu-latest, config: putty-0.80 }
+          - { target: ubuntu-latest, config: putty-0.81 }
+          - { target: ubuntu-latest, config: putty-0.82 }
+          - { target: ubuntu-latest, config: putty-0.83 }
           - { target: ubuntu-latest, config: putty-snapshot }
           - { target: ubuntu-latest, config: zlib-develop }
-          - { target: ubuntu-22.04, config: pam }
-          - { target: ubuntu-22.04, config: krb5 }
-          - { target: ubuntu-22.04, config: heimdal }
-          - { target: ubuntu-22.04, config: libedit }
-          - { target: ubuntu-22.04, config: sk }
-          - { target: ubuntu-22.04, config: selinux }
-          - { target: ubuntu-22.04, config: kitchensink }
-          - { target: ubuntu-22.04, config: without-openssl }
-          - { target: macos-12, config: pam }
+          - { target: ubuntu-latest, config: tcmalloc }
+          - { target: ubuntu-latest, config: musl }
+          - { target: ubuntu-22.04-arm, config: kitchensink }
+          - { target: ubuntu-24.04-arm, config: kitchensink }
           - { target: macos-13, config: pam }
           - { target: macos-14, config: pam }
+          - { target: macos-15, config: pam }
     runs-on: ${{ matrix.target }}
     steps:
     - name: set cygwin git params