ssh: Update to OpenSSH 9.5p1

Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit edf8578) (cherry picked from commit b24ca3caa7524e650550d8a2ee1637e6efcb87f1) Approved by: re (gjb)
CTSRD-CHERI · Dec 20, 2023 · 0c943c4 · 0c943c4
1 parent f7d00f1
commit 0c943c4
Show file tree

Hide file tree

Showing 52 changed files with 1,639 additions and 1,600 deletions.
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
@@ -6,6 +6,10 @@ master :
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
 
+9.4 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_4)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_4)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_4)
+
 9.3 :
 [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_3)
 [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_3)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_3)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
@@ -30,6 +30,13 @@ case "$config" in
     default|sol64)
 	;;
     c89)
+	# If we don't have LLONG_MAX, configure will figure out that it can
+	# get it by setting -std=gnu99, at which point we won't be testing
+	# C89 any more.  To avoid this, feed it in via CFLAGS.
+	llong_max=`gcc -E -dM - </dev/null | \
+	    awk '$2=="__LONG_LONG_MAX__"{print $3}'`
+	CPPFLAGS="-DLLONG_MAX=${llong_max}"
+
 	CC="gcc"
 	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
 	CONFIGFLAGS="--without-zlib"
@@ -205,6 +212,10 @@ case "$config" in
 		;;
 	esac
 	;;
+    zlib-develop)
+	INSTALL_ZLIB=develop
+	CONFIGFLAGS="--with-zlib=/opt/zlib --with-rpath=-Wl,-rpath,"
+	;;
     *)
 	echo "Unknown configuration $config"
 	exit 1

diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
@@ -133,6 +133,8 @@ for TARGET in $TARGETS; do
     valgrind*)
        PACKAGES="$PACKAGES valgrind"
        ;;
+    zlib-*)
+       ;;
     *) echo "Invalid option '${TARGET}'"
         exit 1
         ;;
@@ -214,3 +216,9 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
      cp ${HOME}/boringssl/build/crypto/libcrypto.a /opt/boringssl/lib &&
      cp -r ${HOME}/boringssl/include /opt/boringssl)
 fi
+
+if [ ! -z "${INSTALL_ZLIB}" ]; then
+    (cd ${HOME} && git clone https://github.com/madler/zlib.git &&
+     cd ${HOME}/zlib && ./configure && make &&
+     sudo make install prefix=/opt/zlib)
+fi
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -73,6 +73,7 @@ jobs:
           - { target: ubuntu-latest, config: openssl-3.1.0 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
+          - { target: ubuntu-latest, config: zlib-develop }
           - { target: ubuntu-22.04, config: pam }
           - { target: ubuntu-22.04, config: krb5 }
           - { target: ubuntu-22.04, config: heimdal }

diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -40,6 +40,8 @@ jobs:
           - obsd67
           - obsd69
           - obsd70
+          - obsd72
+          - obsd73
           - obsdsnap
           - obsdsnap-i386
           - openindiana
@@ -76,6 +78,7 @@ jobs:
           - { target: ARM64, config: default, host: ARM64 }
           - { target: ARM64, config: pam, host: ARM64 }
           - { target: debian-riscv64, config: default, host: debian-riscv64 }
+          - { target: obsd-arm64, config: default, host: obsd-arm64 }
           - { target: openwrt-mips, config: default, host: openwrt-mips }
           - { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
     steps: