openssh: Update to 9.9p2

This release exists primarily to fix two security bugs. The fixes have been independently imported into FreeBSD. This import serves to update the ssh and sshd version number. A few minor bug fixes are also included; see the upstream release notes for full details of the 9.9p2 release (https://www.openssh.com/releasenotes.html). Sponsored by: The FreeBSD Foundation (cherry picked from commit 0ae642c7dd0c2cfd965a22bf73876cd26cceadd2) Approved by: re (accelerated MFC)
2026-02-18 18:20:26 -05:00 · 2025-02-19 19:33:38 +00:00 · 2025-02-19 19:33:38 +00:00 · 059b786b7d
commit 059b786b7d
parent 802386cd37
19 changed files with 289 additions and 2100 deletions
--- a/crypto/openssh/.github/ci-status.md
+++ b/crypto/openssh/.github/ci-status.md
@ -6,10 +6,6 @@ master :
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)

-9.8 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
-
-9.7 :
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
+9.9 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_9)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_9)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#9.9p1 for the release
+See https://www.openssh.com/releasenotes.html#9.9p2 for the release
 notes.

 Please read https://www.openssh.com/report.html for bug reporting
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@ -1406,9 +1406,6 @@
 /* define if you have struct timeval */
 #define HAVE_STRUCT_TIMEVAL 1

-/* Define to 1 if you have the 'swap32' function. */
-/* #undef HAVE_SWAP32 */
-
 /* Define to 1 if you have the 'sysconf' function. */
 #define HAVE_SYSCONF 1

--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@ -2069,7 +2069,6 @@ AC_CHECK_FUNCS([ \
 	strtoll \
 	strtoul \
 	strtoull \
-	swap32 \
 	sysconf \
 	tcgetpgrp \
 	timegm \
--- a/crypto/openssh/contrib/redhat/openssh.spec
+++ b/crypto/openssh/contrib/redhat/openssh.spec
@ -1,4 +1,4 @@
-%global ver 9.9p1
+%global ver 9.9p2
 %global rel 1%{?dist}

 # OpenSSH privilege separation requires a user & group ID
--- a/crypto/openssh/contrib/suse/openssh.spec
+++ b/crypto/openssh/contrib/suse/openssh.spec
@ -13,7 +13,7 @@

 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	9.9p1
+Version:	9.9p2
 URL:		https://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@ -646,6 +646,32 @@ struct winsize {
 # endif /* WORDS_BIGENDIAN */
 #endif /* BYTE_ORDER */

+#ifndef HAVE_ENDIAN_H
+# define openssh_swap32(v)					\
+	(uint32_t)(((uint32_t)(v) & 0xff) << 24 |		\
+	((uint32_t)(v) & 0xff00) << 8 |				\
+	((uint32_t)(v) & 0xff0000) >> 8 |			\
+	((uint32_t)(v) & 0xff000000) >> 24)
+# define openssh_swap64(v)					\
+	(uint64_t)((((uint64_t)(v) & 0xff) << 56) |		\
+	((uint64_t)(v) & 0xff00ULL) << 40 |			\
+	((uint64_t)(v) & 0xff0000ULL) << 24 |			\
+	((uint64_t)(v) & 0xff000000ULL) << 8 |		\
+	((uint64_t)(v) & 0xff00000000ULL) >> 8 |		\
+	((uint64_t)(v) & 0xff0000000000ULL) >> 24 |		\
+	((uint64_t)(v) & 0xff000000000000ULL) >> 40 |		\
+	((uint64_t)(v) & 0xff00000000000000ULL) >> 56)
+# ifdef WORDS_BIGENDIAN
+#  define le32toh(v) (openssh_swap32(v))
+#  define le64toh(v) (openssh_swap64(v))
+#  define htole64(v) (openssh_swap64(v))
+# else
+#  define le32toh(v) ((uint32_t)v)
+#  define le64toh(v) ((uint64_t)v)
+#  define htole64(v) ((uint64_t)v)
+# endif
+#endif
+
 /* Function replacement / compatibility hacks */

 #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
--- a/crypto/openssh/gss-serv.c
+++ b/crypto/openssh/gss-serv.c
@ -29,6 +29,7 @@
 #ifdef GSSAPI

 #include <sys/types.h>
+#include <sys/param.h>

 #include <stdarg.h>
 #include <string.h>
--- a/crypto/openssh/kexmlkem768x25519.c
+++ b/crypto/openssh/kexmlkem768x25519.c
@ -1,4 +1,4 @@
-/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
 /*
 * Copyright (c) 2023 Markus Friedl.  All rights reserved.
 *
@ -34,6 +34,9 @@
 #include <stdbool.h>
 #include <string.h>
 #include <signal.h>
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif

 #include "sshkey.h"
 #include "kex.h"
--- a/crypto/openssh/libcrux_mlkem768_sha3.h
+++ b/crypto/openssh/libcrux_mlkem768_sha3.h
@ -1,4 +1,5 @@
-/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
+
 /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */

 /*
@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
 // CORE STUFF (conversions, endianness, ...)

 static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+  v = htole64(v);
  memcpy(buf, &v, sizeof(v));
 }
 static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
  uint64_t v;
  memcpy(&v, buf, sizeof(v));
-  return v;
+  return le64toh(v);
 }

 static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
  uint32_t v;
  memcpy(&v, buf, sizeof(v));
-  return v;
+  return le32toh(v);
 }

 static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@ -614,7 +614,7 @@ line_abbrevname(char *dst, const char *src, int dstsize)
 ** into account.
 **/

-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)

 /* build the utmp structure */
 void
@ -698,7 +698,7 @@ construct_utmp(struct logininfo *li,
 	}
 # endif
 }
-#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */

 /**
 ** utmpx utility functions
@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
 void
 construct_utmpx(struct logininfo *li, struct utmpx *utx)
 {
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
 	struct sockaddr_in6 *sa6;
 #  endif
 	memset(utx, '\0', sizeof(*utx));
@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
 	if (li->hostaddr.sa.sa_family == AF_INET)
 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
 # endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
 	/* this is just a 128-bit IPv6 address */
 	if (li->hostaddr.sa.sa_family == AF_INET6) {
 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@ -107,6 +107,27 @@ rtrim(char *s)
 	}
 }

+/*
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
+ * if the prefix is not present.
+ */
+const char *
+strprefix(const char *s, const char *prefix, int ignorecase)
+{
+	size_t prefixlen;
+
+	if ((prefixlen = strlen(prefix)) == 0)
+		return s;
+	if (ignorecase) {
+		if (strncasecmp(s, prefix, prefixlen) != 0)
+			return NULL;
+	} else {
+		if (strncmp(s, prefix, prefixlen) != 0)
+			return NULL;
+	}
+	return s + prefixlen;
+}
+
 /* set/unset filedescriptor to non-blocking */
 int
 set_nonblock(int fd)
--- a/crypto/openssh/misc.h
+++ b/crypto/openssh/misc.h
@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -56,6 +56,7 @@ struct ForwardOptions {
 char	*chop(char *);
 void	 rtrim(char *);
 void	skip_space(char **);
+const char *strprefix(const char *, const char *, int);
 char	*strdelim(char **);
 char	*strdelimw(char **);
 int	 set_nonblock(int);
--- a/crypto/openssh/mlkem768.sh
+++ b/crypto/openssh/mlkem768.sh
@ -1,9 +1,10 @@
 #!/bin/sh
-#       $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
+#       $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
 #       Placed in the Public Domain.
 #

-WANT_LIBCRUX_REVISION="origin/main"
+#WANT_LIBCRUX_REVISION="origin/main"
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"

 FILES="
 	libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
 echo '#define KRML_HOST_EPRINTF(...)'
 echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
 echo
+
 for i in $FILES; do
 	echo "/* from $i */"
 	# Changes to all files:
@ -56,11 +58,16 @@ for i in $FILES; do
 	    -e 's/[	 ]*$//' \
 	    $i | \
 	case "$i" in
-	# XXX per-file handling goes here.
+	*/libcrux-ml-kem/cg/eurydice_glue.h)
+		# Replace endian functions with versions that work.
+		perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1  v = htole64(v);\n\2/' |
+		perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+		perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+		;;
 	# Default: pass through.
 	*)
-	    cat
-	    ;;
+		cat
+		;;
 	esac
 	echo
 done
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -713,7 +713,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
    struct passwd *pw, const char *host_arg, const char *original_host,
    int final_pass, int *want_final_pass, const char *filename, int linenum)
 {
-	char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
+	char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
 	const char *ruser;
 	int r, this_result, result = 1, attributes = 0, negate;

@ -734,7 +734,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,

 	debug2("checking match for '%s' host %s originally %s",
 	    full_line, host, original_host);
-	while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
+	while ((attrib = argv_next(acp, avp)) != NULL) {
+		attrib = oattrib = xstrdup(attrib);
 		/* Terminate on comment */
 		if (*attrib == '#') {
 			argv_consume(acp);
@ -780,9 +781,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 			    this_result ? "" : "not ", oattrib);
 			continue;
 		}
+
+		/* Keep this list in sync with below */
+		if (strprefix(attrib, "host=", 1)  != NULL ||
+		    strprefix(attrib, "originalhost=", 1) != NULL ||
+		    strprefix(attrib, "user=", 1) != NULL ||
+		    strprefix(attrib, "localuser=", 1) != NULL ||
+		    strprefix(attrib, "localnetwork=", 1) != NULL ||
+		    strprefix(attrib, "tagged=", 1) != NULL ||
+		    strprefix(attrib, "exec=", 1) != NULL) {
+			arg = strchr(attrib, '=');
+			*(arg++) = '\0';
+		} else {
+			arg = argv_next(acp, avp);
+		}
+
 		/* All other criteria require an argument */
-		if ((arg = argv_next(acp, avp)) == NULL ||
-		    *arg == '\0' || *arg == '#') {
+		if (arg == NULL || *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
 			result = -1;
 			goto out;
@ -859,6 +874,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 		    criteria == NULL ? "" : criteria,
 		    criteria == NULL ? "" : "\"");
 		free(criteria);
+		free(oattrib);
+		oattrib = attrib = NULL;
 	}
 	if (attributes == 0) {
 		error("One or more attributes required for Match");
@ -868,6 +885,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 out:
 	if (result != -1)
 		debug2("match %sfound", result ? "" : "not ");
+	free(oattrib);
 	free(host);
 	return result;
 }
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@ -1047,7 +1047,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
    int line, struct connection_info *ci)
 {
 	int result = 1, attributes = 0, port;
-	char *arg, *attrib;
+	char *arg, *attrib = NULL, *oattrib;

 	if (ci == NULL)
 		debug3("checking syntax for 'Match %s'", full_line);
@ -1061,7 +1061,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
 	}

-	while ((attrib = argv_next(acp, avp)) != NULL) {
+	while ((oattrib = argv_next(acp, avp)) != NULL) {
+		attrib = xstrdup(oattrib);
 		/* Terminate on comment */
 		if (*attrib == '#') {
 			argv_consume(acp); /* mark all arguments consumed */
@ -1076,27 +1077,46 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 			    *arg != '\0' && *arg != '#')) {
 				error("'all' cannot be combined with other "
 				    "Match attributes");
-				return -1;
+				result = -1;
+				goto out;
 			}
 			if (arg != NULL && *arg == '#')
 				argv_consume(acp); /* consume remaining args */
-			return 1;
+			result = 1;
+			goto out;
 		}
 		/* Criterion "invalid-user" also has no argument */
 		if (strcasecmp(attrib, "invalid-user") == 0) {
-			if (ci == NULL)
+			if (ci == NULL) {
+				result = 0;
 				continue;
+			}
 			if (ci->user_invalid == 0)
 				result = 0;
 			else
 				debug("matched invalid-user at line %d", line);
 			continue;
 		}
+
+		/* Keep this list in sync with below */
+		if (strprefix(attrib, "user=", 1) != NULL ||
+		    strprefix(attrib, "group=", 1) != NULL ||
+		    strprefix(attrib, "host=", 1) != NULL ||
+		    strprefix(attrib, "address=", 1) != NULL ||
+		    strprefix(attrib, "localaddress=", 1) != NULL ||
+		    strprefix(attrib, "localport=", 1) != NULL ||
+		    strprefix(attrib, "rdomain=", 1) != NULL) {
+			arg = strchr(attrib, '=');
+			*(arg++) = '\0';
+		} else {
+			arg = argv_next(acp, avp);
+		}
+
 		/* All other criteria require an argument */
-		if ((arg = argv_next(acp, avp)) == NULL ||
-		    *arg == '\0' || *arg == '#') {
+		if (arg == NULL || *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
-			return -1;
+			result = -1;
+			goto out;
 		}
 		if (strcasecmp(attrib, "user") == 0) {
 			if (ci == NULL || (ci->test && ci->user == NULL)) {
@ -1119,7 +1139,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				match_test_missing_fatal("Group", "user");
 			switch (match_cfg_line_group(arg, line, ci->user)) {
 			case -1:
-				return -1;
+				result = -1;
+				goto out;
 			case 0:
 				result = 0;
 			}
@ -1155,7 +1176,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				result = 0;
 				break;
 			case -2:
-				return -1;
+				result = -1;
+				goto out;
 			}
 		} else if (strcasecmp(attrib, "localaddress") == 0){
 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@ -1180,13 +1202,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				result = 0;
 				break;
 			case -2:
-				return -1;
+				result = -1;
+				goto out;
 			}
 		} else if (strcasecmp(attrib, "localport") == 0) {
 			if ((port = a2port(arg)) == -1) {
 				error("Invalid LocalPort '%s' on Match line",
 				    arg);
-				return -1;
+				result = -1;
+				goto out;
 			}
 			if (ci == NULL || (ci->test && ci->lport == -1)) {
 				result = 0;
@ -1214,16 +1238,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				debug("user %.100s matched 'RDomain %.100s' at "
 				    "line %d", ci->rdomain, arg, line);
 		} else {
-			error("Unsupported Match attribute %s", attrib);
-			return -1;
+			error("Unsupported Match attribute %s", oattrib);
+			result = -1;
+			goto out;
 		}
+		free(attrib);
+		attrib = NULL;
 	}
 	if (attributes == 0) {
 		error("One or more attributes required for Match");
 		return -1;
 	}
-	if (ci != NULL)
+ out:
+	if (ci != NULL && result != -1)
 		debug3("match %sfound", result ? "" : "not ");
+	free(attrib);
 	return result;
 }

--- a/crypto/openssh/ssh_namespace.h
+++ b/crypto/openssh/ssh_namespace.h
@ -991,6 +991,7 @@
 #define strdelim_internal			Fssh_strdelim_internal
 #define strdelimw				Fssh_strdelimw
 #define strnvis					Fssh_strnvis
+#define strprefix				Fssh_strprefix
 #define strvis					Fssh_strvis
 #define strvisx					Fssh_strvisx
 #define subprocess				Fssh_subprocess
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@ -2,7 +2,7 @@

 #define SSH_VERSION	"OpenSSH_9.9"

-#define SSH_PORTABLE	"p1"
+#define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

 #define SSH_VERSION_FREEBSD	"FreeBSD-20250219"