upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-04 06:15:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/crypto/openssh/.github/configs
Ed Maste 802386cd37 openssh: Update to 9.9p1 
Highlights from the release notes are reproduced below.  Bug fixes and
improvements that were previously merged into FreeBSD have been elided.

See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

 * ssh(1): remove support for pre-authentication compression.

 * ssh(1), sshd(8): processing of the arguments to the "Match"
   configuration directive now follows more shell-like rules for
   quoted strings, including allowing nested quotes and \-escaped
   characters.

New features
------------

 * ssh(1), sshd(8): add support for a new hybrid post-quantum key
   exchange based on the FIPS 203 Module-Lattice Key Enapsulation
   mechanism (ML-KEM) combined with X25519 ECDH as described by
   https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
   This algorithm "mlkem768x25519-sha256" is available by default.

 * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
   included in core dump files for most of their lifespans. This is
   in addition to pre-existing controls in ssh-agent(1) and sshd(8)
   that prevented coredumps. This feature is supported on OpenBSD,
   Linux and FreeBSD.

 * All: convert key handling to use the libcrypto EVP_PKEY API, with
   the exception of DSA.

Bugfixes
--------

 * sshd(8): do not apply authorized_keys options when signature
   verification fails. Prevents more restrictive key options being
   incorrectly applied to subsequent keys in authorized_keys. bz3733

 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
   prompts. Helps the user know what's going on when ssh-keygen is
   invoked via other tools. Requested in GHPR503

 * ssh(1), ssh-add(1): make parsing user@host consistently look for
   the last '@' in the string rather than the first. This makes it
   possible to more consistently use usernames that contain '@'
   characters.

 * ssh(1), sshd(8): be more strict in parsing key type names. Only
   allow short names (e.g "rsa") in user-interface code and require
   full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725

 * ssh-keygen(1): clarify that ed25519 is the default key type
   generated and clarify that rsa-sha2-512 is the default signature
   scheme when RSA is in use. GHPR505

---

Reviewed by:	jlduran (build infrastructure)
Reviewed by:	cy (build infrastructure)
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947

(cherry picked from commit 3d9fd9fcb4)

Approved by:	re (accelerated MFC)
2025-02-20 12:50:31 -05:00

369 lines
11 KiB
Bash
Executable file
Raw Permalink Blame History

#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS options to ./configure
# SSHD_CONFOPTS sshd_config options
# TEST_TARGET make target used when testing. defaults to "tests".
# LTESTS
config=$1
if [ "$config" = "" ]; then
config="default"
fi
unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
TEST_TARGET="tests compat-tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
case "$config" in
default|sol64)
;;
c89)
# If we don't have LLONG_MAX, configure will figure out that it can
# get it by setting -std=gnu99, at which point we won't be testing
# C89 any more. To avoid this, feed it in via CFLAGS.
llong_max=`gcc -E -dM - </dev/null | \
awk '$2=="__LONG_LONG_MAX__"{print $3}'`
CPPFLAGS="-DLLONG_MAX=${llong_max}"
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-zlib"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
cygwin-release)
# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
;;
clang-12-Werror)
CC="clang-12"
# clang's implicit-fallthrough requires that the code be annotated with
# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
*-sanitize-*)
case "$config" in
gcc-*)
CC=gcc
;;
clang-*)
# Find the newest available version of clang
for i in `seq 10 99`; do
clang="`which clang-$i 2>/dev/null`"
[ -x "$clang" ] && CC="$clang"
done
;;
esac
# Put Sanitizer logs in regress dir.
SANLOGS=`pwd`/regress
# - We replace chroot with chdir so that the sanitizer in the preauth
# privsep process can read /proc.
# - clang does not recognizes explicit_bzero so we use bzero
# (see https://github.com/google/sanitizers/issues/1507
# - openssl and zlib trip ASAN.
# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
case "$config" in
*-sanitize-address)
CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=address"
CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
CONFIGFLAGS=""
TEST_TARGET="t-exec"
;;
clang-sanitize-memory)
CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=memory"
CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
CONFIGFLAGS="--without-zlib --without-shadow"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
*-sanitize-undefined)
CFLAGS="-fsanitize=undefined"
LDFLAGS="-fsanitize=undefined"
;;
*)
echo unknown sanitize option;
exit 1;;
esac
features="--disable-security-key --disable-pkcs11"
hardening="--without-sandbox --without-hardening --without-stackprotect"
privsep="--with-privsep-user=root"
CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
# Because we hobble chroot we can't test it.
SKIP_LTESTS=sftp-chroot
;;
gcc-11-Werror)
CC="gcc-11"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
# -Wunused-result ignores (void) so is not useful. See
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
gcc-12-Werror)
CC="gcc-12"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
# -Wunused-result ignores (void) so is not useful. See
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
CONFIGFLAGS="--with-pam --with-Werror"
;;
clang*|gcc*)
CC="$config"
;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
;;
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
;;
tcmalloc)
CONFIGFLAGS="--with-ldflags=-ltcmalloc"
;;
krb5|heimdal)
CONFIGFLAGS="--with-kerberos5"
;;
libedit)
CONFIGFLAGS="--with-libedit"
;;
musl)
CC="musl-gcc"
CONFIGFLAGS="--without-zlib"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
pam-krb5)
CONFIGFLAGS="--with-pam --with-kerberos5"
SSHD_CONFOPTS="UsePam yes"
;;
*pam)
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
boringssl)
CONFIGFLAGS="--disable-pkcs11"
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
;;
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
putty-*)
CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
# We don't need to rerun the regular tests, just the interop ones.
TEST_TARGET=interop-tests
;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
# fallback. See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
if [ "$config" = "openssl-1.1.1" ]; then
SKIP_LTESTS="reexec"
fi
;;
selinux)
CONFIGFLAGS="--with-selinux"
;;
sk)
CONFIGFLAGS="--with-security-key-builtin"
;;
without-openssl)
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
valgrind-[1-4]|valgrind-unit)
# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
TEST_TARGET="t-exec USE_VALGRIND=1"
TEST_SSH_ELAPSED_TIMES=1
export TEST_SSH_ELAPSED_TIMES
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github so split into separate tests.
tests2="integrity try-ciphers rekey"
tests3="krl forward-control sshsig agent-restrict kextype sftp"
tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
case "$config" in
valgrind-1)
# All tests except agent-timeout (which is flaky under valgrind),
# connection-timeout (which doesn't work since it's so slow)
# and hostbased (since valgrind won't let ssh exec keysign).
# Slow ones are run separately to increase parallelism.
SKIP_LTESTS="agent-timeout connection-timeout hostbased"
SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
;;
valgrind-2)
LTESTS="${tests2}"
;;
valgrind-3)
LTESTS="${tests3}"
;;
valgrind-4)
LTESTS="${tests4}"
;;
valgrind-unit)
TEST_TARGET="unit USE_VALGRIND=1"
;;
esac
;;
zlib-develop)
INSTALL_ZLIB=develop
CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
;;
*)
echo "Unknown configuration $config"
exit 1
;;
esac
# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
CONFIGFLAGS="--target=x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64 --with-rpath=-Wl,-rpath,"
;;
esac
case "${TARGET_HOST}" in
aix*)
CONFIGFLAGS="--disable-security-key"
LIBCRYPTOFLAGS="--without-openssl"
# These are slow real or virtual machines so skip the slowest tests
# (which tend to be thw ones that transfer lots of data) so that the
# test run does not time out.
# The agent-restrict test fails due to some quoting issue when run
# with sh or ksh so specify bash for now.
TEST_TARGET="t-exec unit TEST_SHELL=bash"
SKIP_LTESTS="rekey sftp"
;;
debian-riscv64)
# This machine is fairly slow, so skip the unit tests.
TEST_TARGET="t-exec"
;;
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
;;
fbsd6)
# Native linker is not great with PIC so OpenSSL is built w/out.
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
# Unix domain sockets don't work quite like we expect, so also
# disable FD passing (and thus multiplexing).
CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
LIBCRYPTOFLAGS="--without-openssl"
# Minix does not have a loopback interface so we have to skip any
# test that relies on one.
# Also, Minix seems to be very limited in the number of select()
# calls that can be operating concurrently, so prune additional tests for that.
T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
connect connect-uri dynamic-forward exit-status forwarding
forward-control
hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer penalty penalty-expire"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
;;
nbsd4)
# System compiler will ICE on some files with fstack-protector
# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
openwrt-*)
CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.
TEST_TARGET="tests SKIP_UNIT=1"
;;
win10)
# No sudo on Windows.
SUDO=""
;;
esac
host=`./config.guess`
case "$host" in
*cygwin)
SUDO=""
# Don't run compat tests on cygwin as they don't currently compile.
TEST_TARGET="tests"
;;
*-darwin*)
# Unless specified otherwise, build without OpenSSL on Mac OS since
# modern versions don't ship with libcrypto.
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
# On some OS X runners we can't write to /var/empty.
CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"
case "$host" in
*-darwin22.*)
# sudo -S nobody doesn't work on macos 13 for some reason.
SKIP_LTESTS="agent-getpeereid" ;;
esac
;;
esac
# Unless specifically configured, search for a suitable version of OpenSSL,
# otherwise build without it.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
LIBCRYPTOFLAGS="--without-openssl"
# last-match
for i in /usr /usr/local /usr/local/ssl /usr/local/opt/openssl; do
ver="none"
if [ -x ${i}/bin/openssl ]; then
ver="$(${i}/bin/openssl version)"
fi
case "$ver" in
none) ;;
"OpenSSL 0."*|"OpenSSL 1.0."*|"OpenSSL 1.1.0"*) ;;
"LibreSSL 2."*|"LibreSSL 3.0."*) ;;
*) LIBCRYPTOFLAGS="--with-ssl-dir=${i}" ;;
esac
done
if [ "${LIBCRYPTOFLAGS}" = "--without-openssl" ]; then
TEST_TARGET="t-exec"
fi
fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
if [ -x "$(which plink 2>/dev/null)" ]; then
REGRESS_INTEROP_PUTTY=yes
export REGRESS_INTEROP_PUTTY
fi
export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
Reference in a new issue View git blame Copy permalink