Merge upstream V8_6

Mine02C4 · Apr 21, 2021 · 9230781 · 9230781
2 parents e2287c5 + e869682
commit 9230781
Show file tree

Hide file tree

Showing 100 changed files with 1,999 additions and 1,148 deletions.
diff --git a/.depend b/.depend
diff --git a/.github/configs b/.github/configs
@@ -56,22 +56,38 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-1)
+    valgrind-[1-4]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
+	TEST_TARGET="t-exec USE_VALGRIND=1"
+	TEST_SSH_ELAPSED_TIMES=1
+	export TEST_SSH_ELAPSED_TIMES
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
-	# by github.
-	TEST_TARGET="t-exec USE_VALGRIND=1"
-	SKIP_LTESTS="agent-timeout rekey try-ciphers cert-userkey integrity"
-	;;
-    valgrind-2)
-	CONFIGFLAGS="--without-sandbox --without-hardening"
-	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
-	# The rekey test takes >30 min so run separately.
-	TEST_TARGET="t-exec USE_VALGRIND=1"
-	LTESTS="rekey try-ciphers cert-userkey integrity"
+	# by github so split into three separate tests.
+	tests2="rekey integrity"
+	tests3="krl forward-control sshsig"
+	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment"
+	case "$config" in
+	    valgrind-1)
+		# All tests except agent-timeout (which is flaky under valgrind)
+		#) and slow ones that run separately to increase parallelism.
+		SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
+		;;
+	    valgrind-2)
+		LTESTS="${tests2}"
+		;;
+	    valgrind-3)
+		LTESTS="${tests3}"
+		;;
+	    valgrind-4)
+		LTESTS="${tests4}"
+		;;
+	    valgrind-unit)
+		TEST_TARGET="unit USE_VALGRIND=1"
+		;;
+	esac
 	;;
     *)
 	echo "Unknown configuration $config"

diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
@@ -39,7 +39,7 @@ for TARGET in $TARGETS; do
         ;;
     sk)
         INSTALL_FIDO_PPA="yes"
-        PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev"
+        PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
         ;;
     selinux)
         PACKAGES="$PACKAGES libselinux1-dev selinux-policy-dev"

diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
@@ -20,6 +20,9 @@ jobs:
         include:
           - { os: ubuntu-20.04, configs: valgrind-1 }
           - { os: ubuntu-20.04, configs: valgrind-2 }
+          - { os: ubuntu-20.04, configs: valgrind-3 }
+          - { os: ubuntu-20.04, configs: valgrind-4 }
+          - { os: ubuntu-20.04, configs: valgrind-unit }
           - { os: ubuntu-20.04, configs: pam }
           - { os: ubuntu-20.04, configs: kitchensink }
           - { os: ubuntu-20.04, configs: hardenedmalloc }
@@ -46,18 +49,18 @@ jobs:
       run: ./.github/configure.sh ${{ matrix.configs }}
     - name: make
       run: make -j2
-    - name: install moduli
-      run: sudo sh -c "mkdir -p /usr/local/etc/; cp moduli /usr/local/etc/"
     - name: make tests
       run: ./.github/run_test.sh ${{ matrix.configs }}
       env:
         SUDO: sudo
         TEST_SSH_UNSAFE_PERMISSIONS: 1
-    - name: save regress logs
+    - name: save logs
       if: failure()
       uses: actions/upload-artifact@v2
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-regress-logs
+        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
         path: |
+          config.h
+          config.log
           regress/*.log
           regress/valgrind-out/
diff --git a/.github/workflows/selfhosted.yml b/.github/workflows/selfhosted.yml
@@ -41,26 +41,18 @@ jobs:
       run: vmstartup
     - name: configure
       run: vmrun ./.github/configure.sh ${{ matrix.configs }}
-    - name: save config files
-      if: failure()
-      uses: actions/upload-artifact@v2
-      with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-config-files
-        path: |
-          config.h
-          config.log
     - name: make
       run: vmrun make
-    - name: install moduli
-      run: vmrun "sudo mkdir -p /usr/local/etc/; sudo cp moduli /usr/local/etc/"
     - name: make tests
       run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
-    - name: save regress logs
+    - name: save logs
       if: failure()
       uses: actions/upload-artifact@v2
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-regress-logs
+        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
         path: |
+          config.h
+          config.log
           regress/*.log
           regress/valgrind-out/
     - name: shutdown VM

diff --git a/.skipped-commit-ids b/.skipped-commit-ids
@@ -22,6 +22,7 @@ d9b910e412d139141b072a905e66714870c38ac0	Makefile.inc
 52ff0e3205036147b2499889353ac082e505ea54	moduli update
 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0	Makefile.inc
 cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
+7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b	moduli update
 
 Old upstream tree:
 

diff --git a/Makefile.in b/Makefile.in
@@ -16,6 +16,7 @@ sysconfdir=@sysconfdir@
 piddir=@piddir@
 srcdir=@srcdir@
 top_srcdir=@top_srcdir@
+abs_top_srcdir=@abs_top_srcdir@
 
 DESTDIR=
 VPATH=@srcdir@
@@ -271,12 +272,8 @@ clean:	regressclean
 	rm -f regress/mkdtemp$(EXEEXT)
 	rm -f regress/unittests/test_helper/*.a
 	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf$(EXEEXT)
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey$(EXEEXT)
-	rm -f regress/unittests/sshsig/*.o
-	rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT)
+	rm -f regress/unittests/authopt/*.o
+	rm -f regress/unittests/authopt/test_authopt$(EXEEXT)
 	rm -f regress/unittests/bitmap/*.o
 	rm -f regress/unittests/bitmap/test_bitmap$(EXEEXT)
 	rm -f regress/unittests/conversion/*.o
@@ -287,6 +284,14 @@ clean:	regressclean
 	rm -f regress/unittests/kex/test_kex$(EXEEXT)
 	rm -f regress/unittests/match/*.o
 	rm -f regress/unittests/match/test_match$(EXEEXT)
+	rm -f regress/unittests/misc/*.o
+	rm -f regress/unittests/misc/test_misc$(EXEEXT)
+	rm -f regress/unittests/sshbuf/*.o
+	rm -f regress/unittests/sshbuf/test_sshbuf$(EXEEXT)
+	rm -f regress/unittests/sshkey/*.o
+	rm -f regress/unittests/sshkey/test_sshkey$(EXEEXT)
+	rm -f regress/unittests/sshsig/*.o
+	rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT)
 	rm -f regress/unittests/utf8/*.o
 	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
 	rm -f regress/misc/sk-dummy/*.o
@@ -304,12 +309,8 @@ distclean:	regressclean
 	rm -f regress/mkdtemp
 	rm -f regress/unittests/test_helper/*.a
 	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey
-	rm -f regress/unittests/sshsig/*.o
-	rm -f regress/unittests/sshsig/test_sshsig
+	rm -f regress/unittests/authopt/*.o
+	rm -f regress/unittests/authopt/test_authopt
 	rm -f regress/unittests/bitmap/*.o
 	rm -f regress/unittests/bitmap/test_bitmap
 	rm -f regress/unittests/conversion/*.o
@@ -320,6 +321,14 @@ distclean:	regressclean
 	rm -f regress/unittests/kex/test_kex
 	rm -f regress/unittests/match/*.o
 	rm -f regress/unittests/match/test_match
+	rm -f regress/unittests/misc/*.o
+	rm -f regress/unittests/misc/test_misc
+	rm -f regress/unittests/sshbuf/*.o
+	rm -f regress/unittests/sshbuf/test_sshbuf
+	rm -f regress/unittests/sshkey/*.o
+	rm -f regress/unittests/sshkey/test_sshkey
+	rm -f regress/unittests/sshsig/*.o
+	rm -f regress/unittests/sshsig/test_sshsig
 	rm -f regress/unittests/utf8/*.o
 	rm -f regress/unittests/utf8/test_utf8
 	(cd openbsd-compat && $(MAKE) distclean)
@@ -484,14 +493,16 @@ uninstall:
 
 regress-prep:
 	$(MKDIR_P) `pwd`/regress/unittests/test_helper
-	$(MKDIR_P) `pwd`/regress/unittests/sshbuf
-	$(MKDIR_P) `pwd`/regress/unittests/sshkey
-	$(MKDIR_P) `pwd`/regress/unittests/sshsig
+	$(MKDIR_P) `pwd`/regress/unittests/authopt
 	$(MKDIR_P) `pwd`/regress/unittests/bitmap
 	$(MKDIR_P) `pwd`/regress/unittests/conversion
 	$(MKDIR_P) `pwd`/regress/unittests/hostkeys
 	$(MKDIR_P) `pwd`/regress/unittests/kex
 	$(MKDIR_P) `pwd`/regress/unittests/match
+	$(MKDIR_P) `pwd`/regress/unittests/misc
+	$(MKDIR_P) `pwd`/regress/unittests/sshbuf
+	$(MKDIR_P) `pwd`/regress/unittests/sshkey
+	$(MKDIR_P) `pwd`/regress/unittests/sshsig
 	$(MKDIR_P) `pwd`/regress/unittests/utf8
 	$(MKDIR_P) `pwd`/regress/misc/sk-dummy
 	[ -f `pwd`/regress/Makefile ] || \
@@ -577,6 +588,18 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+UNITTESTS_TEST_AUTHOPT_OBJS=\
+	regress/unittests/authopt/tests.o \
+	auth-options.o \
+	$(SKOBJS)
+
+regress/unittests/authopt/test_authopt$(EXEEXT): \
+    ${UNITTESTS_TEST_AUTHOPT_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_AUTHOPT_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 UNITTESTS_TEST_CONVERSION_OBJS=\
 	regress/unittests/conversion/tests.o
 
@@ -620,6 +643,20 @@ regress/unittests/match/test_match$(EXEEXT): \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+UNITTESTS_TEST_MISC_OBJS=\
+	regress/unittests/misc/tests.o \
+	regress/unittests/misc/test_parse.o \
+	regress/unittests/misc/test_expand.o \
+	regress/unittests/misc/test_convtime.o \
+	regress/unittests/misc/test_argv.o
+
+regress/unittests/misc/test_misc$(EXEEXT): \
+    ${UNITTESTS_TEST_MISC_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_MISC_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 UNITTESTS_TEST_UTF8_OBJS=\
 	regress/unittests/utf8/tests.o
 
@@ -654,14 +691,16 @@ regress-binaries: regress-prep $(LIBCOMPAT) \
 	$(SK_DUMMY_LIBRARY)
 
 regress-unit-binaries: regress-prep $(REGRESSLIBS) \
-	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
-	regress/unittests/sshsig/test_sshsig$(EXEEXT) \
+	regress/unittests/authopt/test_authopt$(EXEEXT) \
 	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
 	regress/unittests/conversion/test_conversion$(EXEEXT) \
 	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
 	regress/unittests/kex/test_kex$(EXEEXT) \
 	regress/unittests/match/test_match$(EXEEXT) \
+	regress/unittests/misc/test_misc$(EXEEXT) \
+	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
+	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
+	regress/unittests/sshsig/test_sshsig$(EXEEXT) \
 	regress/unittests/utf8/test_utf8$(EXEEXT) \
 
 tests:	file-tests t-exec interop-tests unit
@@ -673,6 +712,7 @@ unit: regress-unit-binaries
 	$(MAKE) \
 		.OBJDIR="$${BUILDDIR}/regress" \
 		.CURDIR="`pwd`" \
+		OBJ="$${BUILDDIR}/regress" \
 		$@ && echo $@ tests passed
 
 interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
@@ -699,6 +739,7 @@ interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
 		TEST_SSH_PKCS11_HELPER="$${BUILDDIR}/ssh-pkcs11-helper" \
 		TEST_SSH_SK_HELPER="$${BUILDDIR}/ssh-sk-helper" \
 		TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server" \
+		TEST_SSH_MODULI_FILE="$(abs_top_srcdir)/moduli" \
 		TEST_SSH_PLINK="plink" \
 		TEST_SSH_PUTTYGEN="puttygen" \
 		TEST_SSH_CONCH="conch" \

diff --git a/README b/README
@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#8.5p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#8.6p1 for the release notes.
 
 Please read https://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or

diff --git a/addrmatch.c b/addrmatch.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: addrmatch.c,v 1.16 2021/01/09 11:58:50 dtucker Exp $ */
+/*	$OpenBSD: addrmatch.c,v 1.17 2021/04/03 06:18:40 djm Exp $ */
 
 /*
  * Copyright (c) 2004-2008 Damien Miller <[email protected]>
@@ -76,7 +76,7 @@ addr_match_list(const char *addr, const char *_list)
 			break;
 		} else if (r == 0) {
 			if (addr != NULL && addr_netmatch(&try_addr,
-                           &match_addr, masklen) == 0) {
+			    &match_addr, masklen) == 0) {
  foundit:
 				if (neg) {
 					ret = -1;

diff --git a/audit-bsm.c b/audit-bsm.c
@@ -129,7 +129,7 @@ static AuditInfoTermID ssh_bsm_tid;
  * getaudit_addr() is only present on IPv6 capable machines.
  */
 #if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
-extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
 #else
 static int
 aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
@@ -183,41 +183,41 @@ getacna(char *auditstring, int len)
 	scf_value_t *value = NULL;
 	int ret = 0;
 
+	/*
+	 * The man page for getacna on Solaris 10 states we should return -2
+	 * in case of error and set errno to indicate the error. We don't
+	 * bother with errno here, though, since the only use of this function
+	 * below doesn't check for errors anyway.
+	*/
 	handle = scf_handle_create(SCF_VERSION);
 	if (handle == NULL) 
-	        return -2; /* The man page for getacna on Solaris 10 states
-			      we should return -2 in case of error and set
-			      errno to indicate the error. We don't bother
-			      with errno here, though, since the only use
-			      of this function below doesn't check for errors
-			      anyway. 
-			   */
+		return -2;
 
 	ret = scf_handle_bind(handle);
 	if (ret == -1) 
-	        return -2;
+		return -2;
 
 	property = scf_property_create(handle);
 	if (property == NULL) 
-	        return -2;
+		return -2;
 
 	ret = scf_handle_decode_fmri(handle, 
-	     "svc:/system/auditd:default/:properties/preselection/naflags",
-				     NULL, NULL, NULL, NULL, property, 0);
+	    "svc:/system/auditd:default/:properties/preselection/naflags",
+	    NULL, NULL, NULL, NULL, property, 0);
 	if (ret == -1) 
-	        return -2;
+		return -2;
 
 	value = scf_value_create(handle);
 	if (value == NULL) 
-	        return -2;
+		return -2;
 
 	ret = scf_property_get_value(property, value);
 	if (ret == -1) 
-	        return -2;
+		return -2;
 
 	ret = scf_value_get_astring(value, auditstring, len);
 	if (ret == -1) 
-	        return -2;
+		return -2;
 
 	scf_value_destroy(value);
 	scf_property_destroy(property);
@@ -280,9 +280,10 @@ bsm_audit_record(int typ, char *string, au_event_t event_no)
 	(void) au_write(ad, AUToReturnFunc(typ, rc));
 
 #ifdef BROKEN_BSM_API
-	/* The last argument is the event modifier flags. For
-	   some seemingly undocumented reason it was added in
-	   Solaris 11. */
+	/*
+	 * The last argument is the event modifier flags. For some seemingly
+	 * undocumented reason it was added in Solaris 11.
+	 */
 	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
 #else
 	rc = au_close(ad, AU_TO_WRITE, event_no);