Merge to release version of OpenSSH 9.8

This will be HPN-SSH 18.5.

Author: rapier1

.github/configs

@@ -210,6 +210,7 @@ case "$config" in
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
 		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+		SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
 		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5} ${tests6} ${tests7}"
 		;;
 	    valgrind-2)
@@ -297,7 +298,7 @@ case "${TARGET_HOST}" in
 	    hostkey-agent key-options keyscan knownhosts-command login-timeout
 	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
 	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
-	    transfer"
+	    transfer penalty penalty-expire"
 	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
 	SUDO=""

.github/workflows/c-cpp.yml

@@ -102,7 +102,6 @@ jobs:
 #          - { target: macos-12, config: pam }
 #          - { target: macos-13, config: pam }
 #          - { target: macos-14, config: pam }
->>>>>>> master
     runs-on: ${{ matrix.target }}
     steps:
     - uses: actions/checkout@main

.gitignore

@@ -1,18 +1,14 @@
 Makefile
 buildpkg.sh
 config.h
-config.h.in
 config.h.in~
 config.log
 config.status
-configure
-aclocal.m4
 openbsd-compat/Makefile
 openbsd-compat/regress/Makefile
 openssh.xml
 opensshd.init
 survey.sh
-**/*.0
 **/*.o
 **/*.lo
 **/*.so
@@ -48,3 +44,13 @@ hpnssh-keysign
 hpnssh-pkcs11-helper
 hpnssh-sk-helper
 hpnsshd
+!regress/misc/fuzz-harness/Makefile
+!regress/unittests/sshsig/Makefile
+tags
+
+# Ignored on main branch
+config.h.in
+configure
+aclocal.m4
+ChangeLog
+**/*.0

README

@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#9.7p1 for the release
+See https://www.openssh.com/releasenotes.html#9.8p1 for the release
 notes.
 
 Please read https://www.openssh.com/report.html for bug reporting

auth-pam.c

@@ -67,11 +67,6 @@
 #include <pam/pam_appl.h>
 #endif
 
-#if !defined(SSHD_PAM_SERVICE)
-extern char *__progname;
-# define SSHD_PAM_SERVICE		__progname
-#endif
-
 /* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
 #ifdef PAM_SUN_CODEBASE
 # define sshpam_const		/* Solaris, HP-UX, SunOS */
@@ -105,6 +100,7 @@ extern char *__progname;
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "srclimit.h"
 
 extern ServerOptions options;
 extern struct sshbuf *loginmsg;
@@ -171,13 +167,13 @@ sshpam_sigchld_handler(int sig)
 			return;
 		}
 	}
-	if (WIFSIGNALED(sshpam_thread_status) &&
-	    WTERMSIG(sshpam_thread_status) == SIGTERM)
-		return;	/* terminated by pthread_cancel */
-	if (!WIFEXITED(sshpam_thread_status))
-		sigdie("PAM: authentication thread exited unexpectedly");
-	if (WEXITSTATUS(sshpam_thread_status) != 0)
-		sigdie("PAM: authentication thread exited uncleanly");
+	if (sshpam_thread_status == -1)
+		return;
+	if (WIFSIGNALED(sshpam_thread_status)) {
+		if (signal_is_crash(WTERMSIG(sshpam_thread_status)))
+			_exit(EXIT_CHILD_CRASH);
+	} else if (!WIFEXITED(sshpam_thread_status))
+		_exit(EXIT_CHILD_CRASH);
 }
 
 /* ARGSUSED */
@@ -694,6 +690,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 	const char **ptr_pam_user = &pam_user;
 	int r;
 
+	if (options.pam_service_name == NULL)
+		fatal_f("internal error: NULL PAM service name");
 #if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
 	/* Protect buggy PAM implementations from excessively long usernames */
 	if (strlen(user) >= PAM_MAX_RESP_SIZE)
@@ -715,9 +713,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 		pam_end(sshpam_handle, sshpam_err);
 		sshpam_handle = NULL;
 	}
-	debug("PAM: initializing for \"%s\"", user);
-	sshpam_err =
-	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+	debug("PAM: initializing for \"%s\" with service \"%s\"", user,
+	    options.pam_service_name);
+	sshpam_err = pam_start(options.pam_service_name, user,
+	    &store_conv, &sshpam_handle);
 	sshpam_authctxt = authctxt;
 
 	if (sshpam_err != PAM_SUCCESS) {

clientloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
 /*
  * Author: Tatu Ylonen <[email protected]>
  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
@@ -614,8 +614,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
 		if (timespeccmp(&now, &chaff_until, >=)) {
 			/* Stop if there have been no keystrokes for a while */
 			stop_reason = "chaff time expired";
-		} else if (timespeccmp(&now, &next_interval, >=)) {
-			/* Otherwise if we were due to send, then send chaff */
+		} else if (timespeccmp(&now, &next_interval, >=) &&
+		    !ssh_packet_have_data_to_write(ssh)) {
+			/* If due to send but have no data, then send chaff */
 			if (send_chaff(ssh))
 				nchaff++;
 		}

configure.ac

@@ -2078,8 +2078,12 @@ AC_ARG_WITH([security-key-builtin],
 
 enable_dsa=
 AC_ARG_ENABLE([dsa-keys],
-	[  --disable-dsa-keys      disable DSA key support [no]],
-	[  enable_dsa="$enableval" ]
+	[  --enable-dsa-keys       enable DSA key support [no]],
+	[
+		if test "x$enableval" != "xno" ; then
+			enable_dsa=1
+		fi
+	]
 )
 
 AC_SEARCH_LIBS([dlopen], [dl])
@@ -3215,8 +3219,9 @@ if test "x$openssl" = "xyes" ; then
 			AC_MSG_RESULT([no])
 		]
 	)
+
 	openssl_dsa=no
-	if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
+	if test ! -z "$enable_dsa" ; then
 		AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
 			AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
 			    [ openssl_dsa=yes ],
@@ -3226,22 +3231,12 @@ if test "x$openssl" = "xyes" ; then
 		    [ #include <openssl/opensslconf.h> ]
 		)
 		AC_MSG_CHECKING([whether to enable DSA key support])
-		if test -z "$enable_dsa"; then
-			if test "x$openssl_dsa" = "xno"; then
-				AC_MSG_RESULT([not supported by OpenSSL])
-			else
-				AC_MSG_RESULT([yes])
-				AC_DEFINE([WITH_DSA], [1],
-				   [DSA keys enabled by default])
-			fi
+		if test "x$openssl_dsa" = "xno"; then
+			AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
 		else
-			if test "x$openssl_dsa" = "xno"; then
-				AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
-			else
-				AC_MSG_RESULT([yes])
-				AC_DEFINE([WITH_DSA], [1],
-				   [DSA keys explicitly enabled])
-			fi
+			AC_MSG_RESULT([yes])
+			AC_DEFINE([WITH_DSA], [1],
+			   [DSA keys explicitly enabled])
 		fi
 	fi
 fi

contrib/redhat/openssh.spec

@@ -1,4 +1,4 @@
-%global ver 9.7p1
+%global ver 9.8p1
 %global rel 1%{?dist}
 
 # OpenSSH privilege separation requires a user & group ID

contrib/suse/openssh.spec

@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	9.7p1
+Version:	9.8p1
 URL:		https://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz

hpnssh-add.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
+.\"	$OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <[email protected]>
 .\" Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2023 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt HPNSSH-ADD 1
 .Os
 .Sh NAME
@@ -67,10 +67,9 @@ When run without arguments, it adds the files
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
-.Pa ~/.ssh/id_ed25519_sk ,
+.Pa ~/.ssh/id_ed25519
 and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
 After loading a private key,
 .Nm
 will try to load corresponding certificate information from the
@@ -318,13 +317,12 @@ the built-in USB HID support.
 .El
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ecdsa_sk
 .It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_ed25519_sk
 .It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
 authenticator-hosted Ed25519 or RSA authentication identity of the user.
 .El
 .Pp