external/openssh: update to 6.8p1.
In preparation for some updates to external/openssh to make it work with
BoringSSL, this change updates the code to a recent version. The current
version (5.9p1) is coming up on four years old now.
* Confirmed that f5c67b478bef9992de9e9ec91ce10af4f6205e0d matches
OpenSSH 5.9p1 exactly (save for the removal of the scard
subdirectory).
* Downloaded openssh-6.8p1.tar.gz (SHA256:
3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e)
and verified with PGP signature. (I've verified Damien's key in
person previously.)
* Applied changes between f5c67b478bef9992de9e9ec91ce10af4f6205e0d and
OpenSSH 5.9p1 to 6.8p1 and updated the build as best I can. The
ugliest change is probably the duplication of umac.c to umac128.c
because Android conditionally compiles that file twice. See the
comment in those files.
Change-Id: I63cb07a8118afb5a377f116087a0882914cea486
diff --git a/Makefile.in b/Makefile.in
index 3be3aa6..40cc7aa 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $
+# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@@ -29,6 +29,7 @@
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
+TEST_SHELL=@TEST_SHELL@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
@@ -37,13 +38,15 @@
-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
- -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
+ -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
+K5LIBS=@K5LIBS@
+GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
@@ -61,17 +64,34 @@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+LIBOPENSSH_OBJS=\
+ ssh_api.o \
+ ssherr.o \
+ sshbuf.o \
+ sshkey.o \
+ sshbuf-getput-basic.o \
+ sshbuf-misc.o \
+ sshbuf-getput-crypto.o \
+ krl.o \
+ bitmap.o
+
+LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
+ canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
- compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
- log.o match.o md-sha256.o moduli.o nchan.o packet.o \
+ compat.o crc32.o deattack.o fatal.o hostfile.o \
+ log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
- atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
- kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
- msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
- schnorr.o ssh-pkcs11.o
+ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ ssh-pkcs11.o smult_curve25519_ref.o \
+ poly1305.o chacha.o cipher-chachapoly.o \
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -83,14 +103,14 @@
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
- auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- auth-krb5.o \
+ auth2-none.o auth2-passwd.o auth2-pubkey.o \
+ monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+ sandbox-seccomp-filter.o sandbox-capsicum.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@@ -109,6 +129,7 @@
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
+ -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
@@ -118,6 +139,8 @@
-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
FIXPATHSCMD = $(SED) $(PATHSUBS)
+FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ @UNSUPPORTED_ALGORITHMS@
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
@@ -126,7 +149,7 @@
$(SSHDOBJS): Makefile.in config.h
.c.o:
- $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+ $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
$(LIBCOMPAT): always
@@ -138,10 +161,10 @@
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -181,9 +204,10 @@
manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
fi; \
if test "$(MANTYPE)" = "man"; then \
- $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
+ $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
+ $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
else \
- $(FIXPATHSCMD) $${manpage} > $@; \
+ $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
fi
$(CONFIGFILES): $(CONFIGFILES_IN)
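Review bot: In the `man` branch the new `$(FIXALGORITHMSCMD)` stage sits in the middle of a pipeline whose exit status is that of `$(AWK)`, so a missing or failing `$(srcdir)/fixalgorithms` would go unnoticed and leave an empty or truncated `$@` that still looks up to date. The recipe could verify its output before succeeding, for example by ending with `fi; test -s $@ || { rm -f $@; exit 1; }`. The rule header for this recipe is outside the hunk.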
@@ -194,9 +218,28 @@
moduli:
echo
+# special case target for umac128
+umac128.o: umac.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
+ -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
+ -Dumac_update=umac128_update -Dumac_final=umac128_final \
+ -Dumac_delete=umac128_delete
+
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core survey
+ rm -f regress/unittests/test_helper/*.a
+ rm -f regress/unittests/test_helper/*.o
+ rm -f regress/unittests/sshbuf/*.o
+ rm -f regress/unittests/sshbuf/test_sshbuf
+ rm -f regress/unittests/sshkey/*.o
+ rm -f regress/unittests/sshkey/test_sshkey
+ rm -f regress/unittests/bitmap/*.o
+ rm -f regress/unittests/bitmap/test_bitmap
+ rm -f regress/unittests/hostkeys/*.o
+ rm -f regress/unittests/hostkeys/test_hostkeys
+ rm -f regress/unittests/kex/*.o
+ rm -f regress/unittests/kex/test_kex
(cd openbsd-compat && $(MAKE) clean)
distclean: regressclean
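Review bot: The added `rm -f` lines name the unit-test binaries without `$(EXEEXT)` (`regress/unittests/sshbuf/test_sshbuf` and the four like it), while the rules later in this patch build them as `test_sshbuf$(EXEEXT)`, so with a non-empty `EXEEXT` the `clean` target would leave them behind; the same list is repeated in the `distclean` hunk. Each line should read like `rm -f regress/unittests/sshbuf/test_sshbuf$(EXEEXT)`, and the list is a candidate for one variable shared by both targets. The visible lines also do not remove `regress/modpipe$(EXEEXT)`, `regress/setuid-allowed$(EXEEXT)` or `regress/netcat$(EXEEXT)`; `regressclean` is outside the hunk and may already cover them. The comment on `umac128.o` would say more as `# umac128.o: umac.c rebuilt with UMAC_OUTPUT_LEN=16; the -D renames keep its symbols distinct from umac.o`.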
@@ -205,6 +248,18 @@
rm -f Makefile buildpkg.sh config.h config.status
rm -f survey.sh openbsd-compat/regress/Makefile *~
rm -rf autom4te.cache
+ rm -f regress/unittests/test_helper/*.a
+ rm -f regress/unittests/test_helper/*.o
+ rm -f regress/unittests/sshbuf/*.o
+ rm -f regress/unittests/sshbuf/test_sshbuf
+ rm -f regress/unittests/sshkey/*.o
+ rm -f regress/unittests/sshkey/test_sshkey
+ rm -f regress/unittests/bitmap/*.o
+ rm -f regress/unittests/bitmap/test_bitmap
+ rm -f regress/unittests/hostkeys/*.o
+ rm -f regress/unittests/hostkeys/test_hostkeys
+ rm -f regress/unittests/kex/*.o
+ rm -f regress/unittests/kex/test_kex
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
@@ -319,6 +374,11 @@
else \
./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
fi ; \
+ if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
+ echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
+ else \
+ ./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
+ fi ; \
if [ -z "@COMMENT_OUT_ECC@" ] ; then \
if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
@@ -332,6 +392,7 @@
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
+ ./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
uninstallall: uninstall
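Review bot: The added `ssh-keygen -t ed25519` line writes a passphrase-less host private key under `$(DESTDIR)$(sysconfdir)`, and nothing near it says what that means when `DESTDIR` is a staging root. If that tree is later packaged or imaged, every installation would presumably share one ed25519 host key, as it already would for the rsa1/dsa/rsa keys generated on the lines above. A comment before the target (its header is outside the hunk) would help, for example `# Host keys are per-machine secrets: do not run this against a DESTDIR that is shipped to other hosts.`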
@@ -371,12 +432,117 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-tests interop-tests: $(TARGETS)
+regress-prep:
+ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+ [ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
+ [ -d `pwd`/regress/unittests/test_helper ] || \
+ mkdir -p `pwd`/regress/unittests/test_helper
+ [ -d `pwd`/regress/unittests/sshbuf ] || \
+ mkdir -p `pwd`/regress/unittests/sshbuf
+ [ -d `pwd`/regress/unittests/sshkey ] || \
+ mkdir -p `pwd`/regress/unittests/sshkey
+ [ -d `pwd`/regress/unittests/bitmap ] || \
+ mkdir -p `pwd`/regress/unittests/bitmap
+ [ -d `pwd`/regress/unittests/hostkeys ] || \
+ mkdir -p `pwd`/regress/unittests/hostkeys
+ [ -d `pwd`/regress/unittests/kex ] || \
+ mkdir -p `pwd`/regress/unittests/kex
+ [ -f `pwd`/regress/Makefile ] || \
+ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
+
+regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_HELPER_OBJS=\
+ regress/unittests/test_helper/test_helper.o \
+ regress/unittests/test_helper/fuzz.o
+
+regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
+ $(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
+ $(RANLIB) $@
+
+UNITTESTS_TEST_SSHBUF_OBJS=\
+ regress/unittests/sshbuf/tests.o \
+ regress/unittests/sshbuf/test_sshbuf.o \
+ regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
+ regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
+ regress/unittests/sshbuf/test_sshbuf_misc.o \
+ regress/unittests/sshbuf/test_sshbuf_fuzz.o \
+ regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
+ regress/unittests/sshbuf/test_sshbuf_fixed.o
+
+regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
+ regress/unittests/test_helper/libtest_helper.a libssh.a
+ $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
+ regress/unittests/test_helper/libtest_helper.a \
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_SSHKEY_OBJS=\
+ regress/unittests/sshkey/test_fuzz.o \
+ regress/unittests/sshkey/tests.o \
+ regress/unittests/sshkey/common.o \
+ regress/unittests/sshkey/test_file.o \
+ regress/unittests/sshkey/test_sshkey.o
+
+regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
+ regress/unittests/test_helper/libtest_helper.a libssh.a
+ $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
+ regress/unittests/test_helper/libtest_helper.a \
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_BITMAP_OBJS=\
+ regress/unittests/bitmap/tests.o
+
+regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
+ regress/unittests/test_helper/libtest_helper.a libssh.a
+ $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_BITMAP_OBJS) \
+ regress/unittests/test_helper/libtest_helper.a \
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_KEX_OBJS=\
+ regress/unittests/kex/tests.o \
+ regress/unittests/kex/test_kex.o \
+ roaming_dummy.o
+
+regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
+ regress/unittests/test_helper/libtest_helper.a libssh.a
+ $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_KEX_OBJS) \
+ regress/unittests/test_helper/libtest_helper.a \
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_HOSTKEYS_OBJS=\
+ regress/unittests/hostkeys/tests.o \
+ regress/unittests/hostkeys/test_iterate.o
+
+regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
+ ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
+ regress/unittests/test_helper/libtest_helper.a libssh.a
+ $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
+ regress/unittests/test_helper/libtest_helper.a \
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+REGRESS_BINARIES=\
+ regress/modpipe$(EXEEXT) \
+ regress/setuid-allowed$(EXEEXT) \
+ regress/netcat$(EXEEXT) \
+ regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
+ regress/unittests/sshkey/test_sshkey$(EXEEXT) \
+ regress/unittests/bitmap/test_bitmap$(EXEEXT) \
+ regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
+ regress/unittests/kex/test_kex$(EXEEXT)
+
+tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
BUILDDIR=`pwd`; \
- [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
- [ -f `pwd`/regress/Makefile ] || \
- ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
- TEST_SHELL="@TEST_SHELL@"; \
+ TEST_SSH_SCP="$${BUILDDIR}/scp"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
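Review bot: The `regress/modpipe$(EXEEXT)`, `regress/setuid-allowed$(EXEEXT)` and `regress/netcat$(EXEEXT)` rules link with `-lssh -lopenbsd-compat` but list only their `.c` file as a prerequisite, so they are not relinked when `libssh.a` changes and, under `make -j`, can be linked before it exists; the unit-test binaries list `libssh.a` but not `$(LIBCOMPAT)`. A regression run can then exercise helpers built against a stale library. Each rule could name the libraries and stop relying on `$?`, e.g. `regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(LIBCOMPAT) libssh.a` with `$(srcdir)/regress/modpipe.c` in the recipe in place of `$?`. The unit-test objects likewise do not depend on `regress-prep`, which creates their directories, so a parallel build may compile them before the `mkdir -p` lines have run. The `tests` recipe continues past the end of this hunk.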
@@ -391,7 +557,6 @@
TEST_SSH_CONCH="conch"; \
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
- TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \
cd $(srcdir)/regress || exit $$?; \
$(MAKE) \
.OBJDIR="$${BUILDDIR}/regress" \
@@ -399,7 +564,8 @@
BUILDDIR="$${BUILDDIR}" \
OBJ="$${BUILDDIR}/regress/" \
PATH="$${BUILDDIR}:$${PATH}" \
- TEST_SHELL="$${TEST_SHELL}" \
+ TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
+ TEST_SSH_SCP="$${TEST_SSH_SCP}" \
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
@@ -414,7 +580,7 @@
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
- TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \
+ TEST_SHELL="${TEST_SHELL}" \
EXEEXT="$(EXEEXT)" \
$@ && echo all tests passed
@@ -439,4 +605,3 @@
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
sh buildpkg.sh; \
fi
-