Merge pull request #3286 from citrus-it/sshr44

openssh - update from 9.0p1 to 9.3p2 (r151044)
omniosorg · Jul 20, 2023 · 0b86cb0 · 0b86cb0
2 parents 02da1f1 + 9267cab
commit 0b86cb0
Show file tree

Hide file tree

Showing 24 changed files with 193 additions and 193 deletions.
diff --git a/build/openssh/build.sh b/build/openssh/build.sh
@@ -13,12 +13,12 @@
 # }}}
 #
 # Copyright 2015 OmniTI Computer Consulting, Inc.  All rights reserved.
-# Copyright 2022 OmniOS Community Edition (OmniOSce) Association.
+# Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
 
 . ../../lib/build.sh
 
 PROG=openssh
-VER=9.0p1
+VER=9.3p2
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"

diff --git a/build/openssh/patches/0001-Skip-config-check.patch b/build/openssh/patches/0001-Skip-config-check.patch
@@ -10,10 +10,10 @@ Subject: [PATCH 01/34] Skip config check
 # they are not suitable in a build system.  This is for Solaris only, so we
 # will not contribute back this change to the upstream community.
 #
-diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
+diff -wpruN --no-dereference '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 --- a~/Makefile.in	1970-01-01 00:00:00
 +++ a/Makefile.in	1970-01-01 00:00:00
-@@ -386,7 +386,16 @@ install-nokeys: $(CONFIGFILES) $(MANPAGE
+@@ -382,7 +382,16 @@ install-nokeys: $(CONFIGFILES) $(MANPAGE
  install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
 
  check-config:

diff --git a/build/openssh/patches/0002-PAM-Support.patch b/build/openssh/patches/0002-PAM-Support.patch
@@ -10,10 +10,10 @@ Subject: [PATCH 02/34] PAM Support
 #
 
 *** orig/servconf.c	Mon Dec  5 17:23:03 2011
-diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -277,7 +277,12 @@ fill_default_server_options(ServerOption
+@@ -280,7 +280,12 @@ fill_default_server_options(ServerOption
 
  	/* Portable-specific options */
  	if (options->use_pam == -1)
@@ -26,7 +26,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
 
  	/* Standard Options */
  	if (options->num_host_key_files == 0) {
-@@ -1328,8 +1333,17 @@ process_server_config_line_depth(ServerO
+@@ -1398,8 +1403,17 @@ process_server_config_line_depth(ServerO
  	switch (opcode) {
  	/* Portable-specific options */
  	case sUsePAM:

diff --git a/build/openssh/patches/0003-lastlogin.patch b/build/openssh/patches/0003-lastlogin.patch
@@ -3,10 +3,10 @@ From: oracle <solaris@oracle.com>
 Date: Mon, 3 Aug 2015 14:34:41 -0700
 Subject: [PATCH 03/34] lastlogin
 
-diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
 --- a~/sshd_config.5	1970-01-01 00:00:00
 +++ a/sshd_config.5	1970-01-01 00:00:00
-@@ -1485,8 +1485,8 @@ Specifies whether
+@@ -1568,8 +1568,8 @@ Specifies whether
  .Xr sshd 8
  should print the date and time of the last user login when a user logs
  in interactively.
@@ -17,7 +17,7 @@ diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
  .It Cm PrintMotd
  Specifies whether
  .Xr sshd 8
-@@ -1954,7 +1954,8 @@ This file should be writable by root onl
+@@ -2074,7 +2074,8 @@ This file should be writable by root onl
  .El
  .Sh SEE ALSO
  .Xr sftp-server 8 ,

diff --git a/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch b/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch
@@ -3,10 +3,10 @@ From: oracle <solaris@oracle.com>
 Date: Mon, 3 Aug 2015 14:35:34 -0700
 Subject: [PATCH 06/34] GSS store creds for Solaris
 
-diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac
+diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1111,6 +1111,9 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -1151,6 +1151,9 @@ mips-sony-bsd|mips-sony-newsos4)
  		],
  	)
  	TEST_SHELL=$SHELL	# let configure find us a capable shell
@@ -16,7 +16,7 @@ diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac
  	;;
  *-*-sunos4*)
  	CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -wpruN '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-krb5.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-krb5.c
 --- a~/gss-serv-krb5.c	1970-01-01 00:00:00
 +++ a/gss-serv-krb5.c	1970-01-01 00:00:00
 @@ -109,7 +109,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -48,7 +48,7 @@ diff -wpruN '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-krb5.c
  };
 
  #endif /* KRB5 */
-diff -wpruN '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
 --- a~/gss-serv.c	1970-01-01 00:00:00
 +++ a/gss-serv.c	1970-01-01 00:00:00
 @@ -319,22 +319,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
@@ -118,10 +118,10 @@ diff -wpruN '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
  }
 
  /* This allows GSSAPI methods to do things to the child's environment based
-diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -590,7 +590,11 @@ static struct {
+@@ -605,7 +605,11 @@ static struct {
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -133,10 +133,10 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-diff -wpruN '--exclude=*.orig' a~/sshd.c a/sshd.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd.c a/sshd.c
 --- a~/sshd.c	1970-01-01 00:00:00
 +++ a/sshd.c	1970-01-01 00:00:00
-@@ -2269,9 +2269,23 @@ main(int ac, char **av)
+@@ -2291,9 +2291,23 @@ main(int ac, char **av)
 
  #ifdef GSSAPI
  	if (options.gss_authentication) {

diff --git a/build/openssh/patches/0007-DTrace-support-for-SFTP.patch b/build/openssh/patches/0007-DTrace-support-for-SFTP.patch
@@ -3,18 +3,18 @@ From: oracle <solaris@oracle.com>
 Date: Mon, 3 Aug 2015 14:35:43 -0700
 Subject: [PATCH 07/34] DTrace support for SFTP
 
-diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
+diff -wpruN --no-dereference '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 --- a~/Makefile.in	1970-01-01 00:00:00
 +++ a/Makefile.in	1970-01-01 00:00:00
-@@ -102,6 +102,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -103,6 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
  	ssh-ed25519-sk.o ssh-rsa.o dh.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 +	sftp_provider.o \
  	ssh-pkcs11.o smult_curve25519_ref.o \
  	poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
  	ssh-ed25519.o digest-openssl.o digest-libc.o \
-@@ -130,7 +131,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -131,7 +132,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	srclimit.o sftp-server.o sftp-common.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
  	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
@@ -23,17 +23,17 @@ diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 
  SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o
 
-@@ -150,7 +151,8 @@ SKHELPER_OBJS=	ssh-sk-helper.o ssh-sk.o
+@@ -151,7 +152,8 @@ SKHELPER_OBJS=	ssh-sk-helper.o ssh-sk.o
 
  SSHKEYSCAN_OBJS=ssh-keyscan.o $(SKOBJS)
 
 -SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o
 +SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o sftp_provider.o
 +ROOTDLIBDIR64=$(DESTDIR)/usr/lib/dtrace/64
 
- SFTP_OBJS=	sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
+ SFTP_OBJS=	sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
 
-@@ -268,9 +270,22 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
+@@ -264,9 +266,22 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
  moduli:
  	echo
 
@@ -57,18 +57,18 @@ diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
  	rm -f regress/check-perm$(EXEEXT)
  	rm -f regress/mkdtemp$(EXEEXT)
  	rm -f regress/unittests/test_helper/*.a
-@@ -432,6 +447,7 @@ install-files:
+@@ -428,6 +443,7 @@ install-files:
  	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
  	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
  	$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
 +	mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/
 
  install-sysconf:
  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
 --- a~/sftp-server.c	1970-01-01 00:00:00
 +++ a/sftp-server.c	1970-01-01 00:00:00
-@@ -55,6 +55,9 @@
+@@ -56,6 +56,9 @@
 
  #include "sftp.h"
  #include "sftp-common.h"
@@ -78,7 +78,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
 
  char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
 
-@@ -794,14 +797,17 @@ process_read(u_int32_t id)
+@@ -803,14 +806,17 @@ process_read(u_int32_t id)
  	u_int32_t len;
  	int r, handle, fd, ret, status = SSH2_FX_FAILURE;
  	u_int64_t off;
@@ -97,7 +97,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  	if ((fd = handle_to_fd(handle)) == -1)
  		goto out;
  	if (len > SFTP_MAX_READ_LENGTH) {
-@@ -820,6 +826,9 @@ process_read(u_int32_t id)
+@@ -829,6 +835,9 @@ process_read(u_int32_t id)
  		    strerror(errno));
  		goto out;
  	}
@@ -107,7 +107,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  	if (len == 0) {
  		/* weird, but not strictly disallowed */
  		ret = 0;
-@@ -832,11 +841,18 @@ process_read(u_int32_t id)
+@@ -841,11 +850,18 @@ process_read(u_int32_t id)
  		status = SSH2_FX_EOF;
  		goto out;
  	}
@@ -126,7 +126,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  	if (status != SSH2_FX_OK)
  		send_status(id, status);
  }
-@@ -848,14 +864,17 @@ process_write(u_int32_t id)
+@@ -857,14 +873,17 @@ process_write(u_int32_t id)
  	size_t len;
  	int r, handle, fd, ret, status;
  	u_char *data;
@@ -145,7 +145,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  	fd = handle_to_fd(handle);
 
  	if (fd < 0)
-@@ -868,7 +887,13 @@ process_write(u_int32_t id)
+@@ -877,7 +896,13 @@ process_write(u_int32_t id)
  			    strerror(errno));
  		} else {
  /* XXX ATOMICIO ? */
@@ -159,7 +159,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  			if (ret == -1) {
  				status = errno_to_portable(errno);
  				error_f("write \"%.100s\": %s",
-diff -wpruN '--exclude=*.orig' a~/sftp64.d a/sftp64.d
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp64.d a/sftp64.d
 --- a~/sftp64.d	1970-01-01 00:00:00
 +++ a/sftp64.d	1970-01-01 00:00:00
 @@ -0,0 +1,56 @@
@@ -219,7 +219,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp64.d a/sftp64.d
 +	sfi_pathname = copyinstr((uintptr_t)*(uint64_t *)copyin(
 +	    (uintptr_t)&s->sftp_pathname, sizeof (uint64_t)));
 +};
-diff -wpruN '--exclude=*.orig' a~/sftp_provider.d a/sftp_provider.d
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp_provider.d a/sftp_provider.d
 --- a~/sftp_provider.d	1970-01-01 00:00:00
 +++ a/sftp_provider.d	1970-01-01 00:00:00
 @@ -0,0 +1,61 @@
@@ -284,7 +284,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp_provider.d a/sftp_provider.d
 +#pragma D attributes Private/Private/Unknown provider sftp function
 +#pragma D attributes Private/Private/ISA provider sftp name
 +#pragma D attributes Evolving/Evolving/ISA provider sftp args
-diff -wpruN '--exclude=*.orig' a~/sftp_provider_impl.h a/sftp_provider_impl.h
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp_provider_impl.h a/sftp_provider_impl.h
 --- a~/sftp_provider_impl.h	1970-01-01 00:00:00
 +++ a/sftp_provider_impl.h	1970-01-01 00:00:00
 @@ -0,0 +1,73 @@

diff --git a/build/openssh/patches/0008-Add-DisableBanner-option.patch b/build/openssh/patches/0008-Add-DisableBanner-option.patch
@@ -1,7 +1,7 @@
-diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
 --- a~/readconf.c	1970-01-01 00:00:00
 +++ a/readconf.c	1970-01-01 00:00:00
-@@ -164,6 +164,9 @@ typedef enum {
+@@ -163,6 +163,9 @@ typedef enum {
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
@@ -21,7 +21,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
  	{ "localcommand", oLocalCommand },
-@@ -924,6 +930,17 @@ parse_multistate_value(const char *arg,
+@@ -922,6 +928,17 @@ parse_multistate_value(const char *arg,
  	return -1;
  }
 
@@ -39,9 +39,9 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
-@@ -2191,6 +2208,13 @@ parse_pubkey_algos:
- 			*charptr = xstrdup(arg);
- 		break;
+@@ -2188,6 +2205,13 @@ parse_pubkey_algos:
+ 		intptr = &options->required_rsa_size;
+ 		goto parse_int;
 
 +#ifdef DISABLE_BANNER
 +	case oDisableBanner:
@@ -53,7 +53,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
-@@ -2426,6 +2450,9 @@ initialize_options(Options * options)
+@@ -2424,6 +2448,9 @@ initialize_options(Options * options)
  	options->stdin_null = -1;
  	options->fork_after_authentication = -1;
  	options->proxy_use_fdpass = -1;
@@ -74,11 +74,11 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
  	if (options->fingerprint_hash == -1)
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  #ifdef ENABLE_SK_INTERNAL
-diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h
+diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
 --- a~/readconf.h	1970-01-01 00:00:00
 +++ a/readconf.h	1970-01-01 00:00:00
-@@ -177,6 +177,9 @@ typedef struct {
- 	char   *known_hosts_command;
+@@ -181,6 +181,9 @@ typedef struct {
+ 	int	enable_escape_commandline;	/* ~C commandline */
 
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -87,7 +87,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h
  }       Options;
 
  #define SSH_PUBKEY_AUTH_NO	0x00
-@@ -217,6 +220,12 @@ typedef struct {
+@@ -221,6 +224,12 @@ typedef struct {
  #define SSH_STRICT_HOSTKEY_YES	2
  #define SSH_STRICT_HOSTKEY_ASK	3
 
@@ -100,7 +100,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h
  const char *kex_default_pk_alg(void);
  char	*ssh_connection_hash(const char *thishost, const char *host,
      const char *portstr, const char *user);
-diff -wpruN '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
 --- a~/ssh_config.5	1970-01-01 00:00:00
 +++ a/ssh_config.5	1970-01-01 00:00:00
 @@ -611,6 +611,14 @@ If set to a time in seconds, or a time i
@@ -118,10 +118,10 @@ diff -wpruN '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
  .It Cm DynamicForward
  Specifies that a TCP port on the local machine be forwarded
  over the secure channel, and the application
-diff -wpruN '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
 --- a~/sshconnect2.c	1970-01-01 00:00:00
 +++ a/sshconnect2.c	1970-01-01 00:00:00
-@@ -85,6 +85,10 @@ extern char *client_version_string;
+@@ -84,6 +84,10 @@ extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
 
@@ -132,7 +132,7 @@ diff -wpruN '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
  /*
   * SSH2 key exchange
   */
-@@ -594,8 +598,28 @@ input_userauth_banner(int type, u_int32_
+@@ -585,8 +589,28 @@ input_userauth_banner(int type, u_int32_
  	if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 ||
  	    (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0)
  		goto out;