ssh: update to 9.8p1 (build infrastructure)
Needs ReviewPublic
Actions

Authored by emaste on Mon, Feb 10, 8:17 PM.

Details

Reviewers: None
Commits: rG0fdf8fae8b56: openssh: Update to 9.8p1

Summary

9.8p1 adds sshd-session; update our Makefiles to match, regen config.h etc.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

emaste created this revision.Mon, Feb 10, 8:17 PM

Herald added a subscriber: jonathan. · View Herald TranscriptMon, Feb 10, 8:17 PM

emaste requested review of this revision.Mon, Feb 10, 8:17 PM

emaste added subscribers: des, jlduran.Mon, Feb 10, 8:21 PM

emaste added inline comments.

crypto/openssh/config.h
1765	I'm not yet sure why this changed
1878	And not sure why this changed
secure/libexec/sshd-session/Makefile
7–20	This is very close to the original sshd SRCS.
28–30	This should be removed
36–37	Oops, accidentally commented these out -- I believe that sshd-session (and sshd previously) do not require ldns to link.

sshd-session fixups

emaste added a parent revision: D48910: ssh: Disable DSA keys.Mon, Feb 10, 8:23 PM

emaste added a parent revision: D48915: ssh: update to 9.8p1.Mon, Feb 10, 8:37 PM

emaste added a parent revision: D48916: ssh: diff against 9.8p1.

Will take a second look (more closely) tomorrow.
Nice!

crypto/openssh/config.h
1765	https://github.com/openssh/openssh-portable/commit/8d0e46c1ddb5b7f0992591b0dc5d8aaa77cc9dba
1878	Not sure why, but it should be `const`.

emaste added a subscriber: kevans.Tue, Feb 11, 3:04 AM

emaste added inline comments.

crypto/openssh/config.h

1878

from config.log:

configure:18735: checking whether snprintf can declare const char *fmt
configure:18753: cc -c -g -O2 -pipe -Wunknown-warning-option -Wno-error=format-truncation -Qunused-arguments -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=zero -mretpoline -fno-builtin-memset -fstack-protector-strong  conftest.c >&5
conftest.c:256:5: error: expected identifier or '('
  256 | int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
      |     ^
/usr/include/ssp/stdio.h:88:33: note: expanded from macro 'snprintf'
   88 | #define snprintf(str, len, ...) __extension__ ({        \
      |                                 ^
1 error generated.

CC @kevans in case he has any insight

kevans added inline comments.Tue, Feb 11, 3:27 AM

crypto/openssh/config.h
1878	Hmm, that's not great. They check hardening flags early on and add -D_FORTIFY_SOURCE=2 in there before running other tests, apparently, but we left a bunch of these as inline macros to diverge not-so-much from NetBSD.

jlduran added inline comments.Tue, Feb 11, 3:57 AM

crypto/openssh/config.h
1878	Nothing like first hand insight. I just `const`'ified : const char *_ssp_str = (str); In include/ssp/stdio.h, and works as expected. Not seeing this bit on NetBSD. Maybe I'm missing something. I'll continue tomorrow, thank you!

kevans added inline comments.Tue, Feb 11, 4:35 AM

crypto/openssh/config.h
1878	That shouldn't actually fix this specific problem, but it's probably a good change to make anyways; feel free to slap a Reviewed-by: kevans on it and push it forward if the installed header passes the tests in lib/libc/tests/secure, though I imagnie we have a few other candidates that one could sneak in at the same time. The build error is from trying to expand the macro in the middle of a declaration, though. Maybe I was wrong about how their configure script works and emaste has some CFLAG pollution that got in there?