Update to OpenSSH v8.9.0

- Build only for iOS platforms as MacOSX still has some compatibility issues we need to fix. #2
blinksh · Sep 11, 2024 · 5e0db87 · 5e0db87
1 parent 5f0e66a
commit 5e0db87
Show file tree

Hide file tree

Showing 8 changed files with 357 additions and 104 deletions.
diff --git a/Sources/openssh-apple/main.swift b/Sources/openssh-apple/main.swift
@@ -5,17 +5,17 @@ OutputLevel.default = .error
 
 enum Config {
   static let opensshOrigin = "https://github.com/openssh/openssh-portable.git"
-  static let opensshBranch = "V_8_6"
-  static let opensshVersion = "8.6.0"
+  static let opensshBranch = "V_8_9"
+  static let opensshVersion = "8.9.0"
 
   static let opensslLibsURL       = "https://github.com/blinksh/openssl-apple/releases/download/v1.1.1k/openssl-libs.zip"
   static let opensslFrameworksURL = "https://github.com/blinksh/openssl-apple/releases/download/v1.1.1k/openssl-dynamic.frameworks.zip"
 
   static let frameworkName = "OpenSSH"
 
-  static let platforms: [Platform] = Platform.allCases
-  // static let platforms: [Platform] = [.iPhoneOS]
-  // static let platforms: [Platform] = [Platform.Catalyst]
+  //static let platforms: [Platform] = Platform.allCases
+  static let platforms: [Platform] = [.iPhoneOS, .iPhoneSimulator]
+  //static let platforms: [Platform] = [Platform.MacOSX]
 }
 
 extension Platform {
@@ -32,11 +32,11 @@ extension Platform {
 try? sh("rm -rf openssh-portable")
 try sh("git clone --depth 1 \(Config.opensshOrigin) --branch \(Config.opensshBranch)")
 try sh("LC_CTYPE=C find ./openssh-portable -type f -exec sed -i '' -e 's/__progname/blink__progname/' {} \\;")
-try sh("cp -f readpass.c sshkey.h authfd.h log.c ssh-sk-helper.c misc.c openssh-portable/")
 try sh("LC_CTYPE=C find ./openssh-portable -type f -exec sed -i '' -e 's/ssh_init(/openssh_init(/' {} \\;")
 try sh("LC_CTYPE=C find ./openssh-portable -type f -exec sed -i '' -e 's/ssh_free(/openssh_free(/' {} \\;")
 try sh("LC_CTYPE=C find ./openssh-portable -type f -exec sed -i '' -e 's/match_pattern_list(/openssh_match_pattern_list(/' {} \\;")
 try sh("LC_CTYPE=C find ./openssh-portable -type f -exec sed -i '' -e 's/match_hostname(/openssh_match_hostname(/' {} \\;")
+try sh("cp -f authfd.h log.c misc.c readpass.c ssh-sk-helper.c ssh-sk.h sshkey.h openssh-portable/")
 
 try download(url: Config.opensslLibsURL)
 try? sh("rm -rf openssl")
@@ -278,4 +278,4 @@ let releaseMD =
     | \(xcframeworkdStaticZipName)  | \(try sha(path: xcframeworkdStaticZipName))  |
   """
 
-try write(content: releaseMD, atPath: "release.md")
+try write(content: releaseMD, atPath: "release.md")
diff --git a/authfd.h b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.49 2020/06/26 05:03:36 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.51 2021/12/19 22:10:24 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <[email protected]>
@@ -18,13 +18,30 @@
 
 #include <sys/types.h>
 
+struct sshbuf;
+struct sshkey;
+
 /* List of identities returned by ssh_fetch_identitylist() */
 struct ssh_identitylist {
 	size_t nkeys;
 	struct sshkey **keys;
 	char **comments;
 };
 
+/* Key destination restrictions */
+struct dest_constraint_hop {
+	char *user;	/* wildcards allowed */
+	char *hostname; /* used to matching cert principals and for display */
+	int is_ca;
+	u_int nkeys;	/* number of entries in *both* 'keys' and 'key_is_ca' */
+	struct sshkey **keys;
+	int *key_is_ca;
+};
+struct dest_constraint {
+	struct dest_constraint_hop from;
+	struct dest_constraint_hop to;
+};
+
 int	ssh_get_authentication_socket(int *fdp);
 int	ssh_get_authentication_socket_path(const char *authsocket, int *fdp);
 void	ssh_close_authentication_socket(int sock);
@@ -33,18 +50,25 @@ int	ssh_lock_agent(int sock, int lock, const char *password);
 int	ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
 void	ssh_free_identitylist(struct ssh_identitylist *idl);
 int	ssh_add_identity_constrained(int sock, struct sshkey *key,
-	    const char *comment, u_int life, u_int confirm, u_int maxsign,
-	    const char *provider);
+    const char *comment, u_int life, u_int confirm, u_int maxsign,
+    const char *provider, struct dest_constraint **dest_constraints,
+    size_t ndest_constraints);
 int	ssh_agent_has_key(int sock, const struct sshkey *key);
 int	ssh_remove_identity(int sock, const struct sshkey *key);
 int	ssh_update_card(int sock, int add, const char *reader_id,
-	    const char *pin, u_int life, u_int confirm);
+	    const char *pin, u_int life, u_int confirm,
+	    struct dest_constraint **dest_constraints,
+	    size_t ndest_constraints);
 int	ssh_remove_all_identities(int sock, int version);
 
 int	ssh_agent_sign(int sock, const struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
 	    const u_char *data, size_t datalen, const char *alg, u_int compat);
 
+int	ssh_agent_bind_hostkey(int sock, const struct sshkey *key,
+    const struct sshbuf *session_id, const struct sshbuf *signature,
+    int forwarding);
+
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
 #define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
@@ -78,6 +102,9 @@ int	ssh_agent_sign(int sock, const struct sshkey *key,
 #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
 
+/* generic extension mechanism */
+#define SSH_AGENTC_EXTENSION			27
+
 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
 #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
 #define	SSH_AGENT_CONSTRAIN_MAXSIGN		3

diff --git a/log.c b/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.58 2021/04/15 16:24:31 markus Exp $ */
+/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <[email protected]>
  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
@@ -346,6 +346,7 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
 	int pri = LOG_INFO;
 	int saved_errno = errno;
 	log_handler_fn *tmp_handler;
+	const char *progname = argv0 != NULL ? argv0 : blink__progname;
 
 	if (!force && level > log_level)
 		return;
@@ -403,16 +404,18 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
 		tmp_handler(level, force, fmtbuf, log_handler_ctx);
 		log_handler = tmp_handler;
 	} else if (log_on_stderr) {
-		snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
+		snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
+		    (log_on_stderr > 1) ? progname : "",
+		    (log_on_stderr > 1) ? ": " : "",
 		    (int)sizeof msgbuf - 3, fmtbuf);
 		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
 	} else {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-		openlog_r(argv0 ? argv0 : blink__progname, LOG_PID, log_facility, &sdata);
+		openlog_r(blink__progname, LOG_PID, log_facility, &sdata);
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
 		closelog_r(&sdata);
 #else
-		openlog(argv0 ? argv0 : blink__progname, LOG_PID, log_facility);
+		openlog(blink__progname, LOG_PID, log_facility);
 		syslog(pri, "%.500s", fmtbuf);
 		closelog();
 #endif
@@ -466,10 +469,11 @@ sshlogv(const char *file, const char *func, int line, int showfunc,
 	const char *cp;
 	size_t i;
 
-	snprintf(tag, sizeof(tag), "%.48s:%.48s():%d",
-	    (cp = strrchr(file, '/')) == NULL ? file : cp + 1, func, line);
+	snprintf(tag, sizeof(tag), "%.48s:%.48s():%d (pid=%ld)",
+	    (cp = strrchr(file, '/')) == NULL ? file : cp + 1, func, line,
+	    (long)getpid());
 	for (i = 0; i < nlog_verbose; i++) {
-		if (match_pattern_list(tag, log_verbose[i], 0) == 1) {
+		if (openssh_match_pattern_list(tag, log_verbose[i], 0) == 1) {
 			forced = 1;
 			break;
 		}
@@ -493,4 +497,4 @@ sshlogdirect(LogLevel level, int forced, const char *fmt, ...)
 	va_start(args, fmt);
 	do_log(level, forced, NULL, fmt, args);
 	va_end(args);
-}
+}