commit: 2e9b607d05081b5ebe68af664971e1c4f68ca90b
parent c2e4d05a2baf81e0f6b26fd932cfc963de6c88f3
Author: Michael Forney <mforney@mforney.org>
Date:   Sun,  3 Nov 2019 12:29:48 -0800

openssh: Update to latest git and enable security key support

Diffstat:

Mpkg/openssh/config.h12+++++++++++-
Mpkg/openssh/gen.lua16++++++++++------
Apkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mpkg/openssh/ver2+-
4 files changed, 86 insertions(+), 8 deletions(-)

diff --git a/pkg/openssh/config.h b/pkg/openssh/config.h
@@ -7,6 +7,7 @@
 #define _PATH_SSH_KEY_SIGN "/libexec/ssh-keysign"
 #define _PATH_SSH_PIDDIR "/run"
 #define _PATH_SSH_PKCS11_HELPER "/libexec/ssh-pkcs11-helper"
+#define _PATH_SSH_SK_HELPER "/libexec/ssh-sk-helper"
 #define _PATH_SSH_PROGRAM "/bin/ssh"
 #define _PATH_XAUTH "/dev/null/xauth"
@@ -52,7 +53,8 @@
 /* #undef DISABLE_UTMPX */
 #define DISABLE_WTMP 1
 #define DISABLE_WTMPX 1
-#define ENABLE_PKCS11 /**/
+/* #undef ENABLE_PKCS11 */
+#define ENABLE_SK /**/
 /* #undef FFLUSH_NULL_BUG */
 /* #undef FILESYSTEM_NO_BACKSLASH */
 /* #undef FSID_HAS_VAL */
@@ -126,6 +128,7 @@
 #define HAVE_DECL_READV 1
 /* #undef HAVE_DECL_SETAUTHDB */
 #define HAVE_DECL_SHUT_RD 1
+#define HAVE_DECL_UINT32_MAX 1
 #define HAVE_DECL_WRITEV 1
 #define HAVE_DECL__GETLONG 0
 #define HAVE_DECL__GETSHORT 0
@@ -140,6 +143,7 @@
 #define HAVE_DIRENT_H 1
 #define HAVE_DIRFD 1
 #define HAVE_DIRNAME 1
+#define HAVE_DLOPEN 1
 #define HAVE_DSA_GENERATE_PARAMETERS_EX 1
 #define HAVE_DSA_GET0_KEY 1
 #define HAVE_DSA_GET0_PQG 1
@@ -189,6 +193,8 @@
 /* #undef HAVE_FLOATINGPOINT_H */
 #define HAVE_FLOCK 1
 /* #undef HAVE_FMT_SCALED */
+#define HAVE_FNMATCH 1
+#define HAVE_FNMATCH_H 1
 #define HAVE_FREEADDRINFO 1
 #define HAVE_FREEZERO 1
 #define HAVE_FSBLKCNT_T 1
@@ -286,6 +292,7 @@
 #define HAVE_LINUX_SECCOMP_H 1
 #define HAVE_LLABS 1
 #define HAVE_LOCALE_H 1
+#define HAVE_LOCALTIME_R 1
 /* #undef HAVE_LOGIN */
 /* #undef HAVE_LOGIN_CAP_H */
 /* #undef HAVE_LOGIN_GETCAPBOOL */
@@ -348,6 +355,7 @@
 #define HAVE_READPASSPHRASE_H 1
 #define HAVE_REALLOC 1
 #define HAVE_REALLOCARRAY 1
+#define HAVE_REALPATH 1
 #define HAVE_RECALLOCARRAY 1
 #define HAVE_RECVMSG 1
 #define HAVE_RLIMIT_NPROC /**/
@@ -449,6 +457,7 @@
 #define HAVE_STRUCT_SOCKADDR_IN6 1
 #define HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID 1
 #define HAVE_STRUCT_SOCKADDR_STORAGE 1
+#define HAVE_STRUCT_STATFS_F_FILES 1
 #define HAVE_STRUCT_STATFS_F_FLAGS 1
 #define HAVE_STRUCT_STAT_ST_BLKSIZE 1
 #define HAVE_STRUCT_STAT_ST_MTIM 1
@@ -663,4 +672,5 @@
 #endif
 /* #undef malloc */
 /* #undef realloc */
+/* #undef realpath */
 /* #undef socklen_t */
diff --git a/pkg/openssh/gen.lua b/pkg/openssh/gen.lua
@@ -68,18 +68,20 @@ lib('libssh.a', [[
 	log.c match.c moduli.c nchan.c packet.c
 	readpass.c ttymodes.c xmalloc.c addrmatch.c
 	atomicio.c dispatch.c mac.c misc.c utf8.c
-	monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-rsa.c dh.c
+	monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-ecdsa-sk.c
+	ssh-rsa.c dh.c
 	msg.c progressmeter.c dns.c entropy.c gss-genr.c umac.c umac128.c
 	ssh-pkcs11.c smult_curve25519_ref.c
 	poly1305.c chacha.c cipher-chachapoly.c
-	ssh-ed25519.c digest-openssl.c digest-libc.c hmac.c
+	ssh-ed25519.c ssh-sk.c digest-openssl.c digest-libc.c hmac.c
 	sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c
 	kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c
 	kexgexc.c kexgexs.c
 	sntrup4591761.c kexsntrup4591761x25519.c kexgen.c
-	platform-pledge.c platform-tracing.c platform-misc.c
+	sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c
 	libopenbsd-compat.a
 	$builddir/pkg/(libressl/libcrypto.a.d zlib/libz.a)
+	$builddir/pkg/(libfido2/libsk-libfido2.a.d)
 ]])
 
 exe('ssh', [[
@@ -91,7 +93,6 @@ file('bin/ssh', '755', '$outdir/ssh')
 
 cc('sftp-server.c')
 cc('sftp-common.c')
-cc('sftp-realpath.c')
 
 exe('sshd', [[
 	sshd.c auth-rhosts.c auth-passwd.c
@@ -104,7 +105,7 @@ exe('sshd', [[
 	monitor.c monitor_wrap.c auth-krb5.c
 	auth2-gss.c gss-serv.c gss-serv-krb5.c
 	loginrec.c auth-pam.c auth-shadow.c auth-sia.c md5crypt.c
-	sftp-server.c.o sftp-common.c.o sftp-realpath.c.o
+	sftp-server.c.o sftp-common.c.o
 	sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c
 	sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c
 	sandbox-solaris.c uidswap.c
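Review bot: The `@@ -52,7 +53,8 @@` hunk drops PKCS#11 support (`-#define ENABLE_PKCS11 /**/` becomes `+/* #undef ENABLE_PKCS11 */`) while the commit message only speaks of enabling security-key support, so a reader cannot tell whether losing `PKCS11Provider`/ssh-keygen PKCS#11 key handling is intended. `_PATH_SSH_PKCS11_HELPER` one hunk earlier stays defined and `ssh-pkcs11.c` is still listed in libssh.a in gen.lua, so the build appears to keep the helper path for a feature it no longer compiles in. If this is deliberate, a one-line rationale in the commit message or beside the undef, `/* PKCS#11 disabled on purpose: <reason> */`, would stop the next maintainer from treating it as an accidental autoconf regression.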
@@ -124,7 +125,10 @@ file('bin/ssh-agent', '755', '$outdir/ssh-agent')
 exe('ssh-keygen', {'ssh-keygen.c', 'sshsig.c', 'libssh.a.d'})
 file('bin/ssh-keygen', '755', '$outdir/ssh-keygen')
 
-exe('sftp-server', {'sftp-common.c.o', 'sftp-server.c.o', 'sftp-realpath.c.o', 'sftp-server-main.c', 'libssh.a.d'})
+exe('ssh-sk-helper', {'ssh-sk-helper.c', 'libssh.a.d'})
+file('libexec/ssh-sk-helper', '755', '$outdir/ssh-sk-helper')
+
+exe('sftp-server', {'sftp-common.c.o', 'sftp-server.c.o', 'sftp-server-main.c', 'libssh.a.d'})
 file('libexec/sftp-server', '755', '$outdir/sftp-server')
 
 exe('sftp', {'sftp.c', 'sftp-client.c', 'sftp-common.c.o', 'sftp-glob.c', 'libssh.a.d'})
diff --git a/pkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch b/pkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch
@@ -0,0 +1,64 @@
+From fc95498df16315eac1ebe62db51ea33b96ce6b52 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sun, 3 Nov 2019 11:24:13 -0800
+Subject: [PATCH] Allow security key provider to be built-in
+
+---
+ ssh-sk.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 122a1e2b..ca16a187 100644
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -84,16 +84,22 @@ sshsk_open(const char *path)
+ 		error("%s: strdup failed", __func__);
+ 		goto fail;
+ 	}
+-	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+-		error("Security key provider %s dlopen failed: %s",
+-		    path, dlerror());
+-		goto fail;
+-	}
+-	if ((ret->sk_api_version = dlsym(ret->dlhandle,
+-	    "sk_api_version")) == NULL) {
+-		error("Security key provider %s dlsym(sk_api_version) "
+-		    "failed: %s", path, dlerror());
+-		goto fail;
++	if (strcmp(path, "builtin") == 0) {
++		ret->sk_api_version = sk_api_version;
++		ret->sk_enroll = sk_enroll;
++		ret->sk_sign = sk_sign;
++	} else {
++		if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
++			error("Security key provider %s dlopen failed: %s",
++			    path, dlerror());
++			goto fail;
++		}
++		if ((ret->sk_api_version = dlsym(ret->dlhandle,
++		    "sk_api_version")) == NULL) {
++			error("Security key provider %s dlsym(sk_api_version) "
++			    "failed: %s", path, dlerror());
++			goto fail;
++		}
+ 	}
+ 	version = ret->sk_api_version();
+ 	debug("%s: provider %s implements version 0x%08lx", __func__,
+@@ -104,12 +110,12 @@ sshsk_open(const char *path)
+ 		    (u_long)SSH_SK_VERSION_MAJOR);
+ 		goto fail;
+ 	}
+-	if ((ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
++	if (ret->dlhandle && (ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
+ 		error("Security key provider %s dlsym(sk_enroll) "
+ 		    "failed: %s", path, dlerror());
+ 		goto fail;
+ 	}
+-	if ((ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
++	if (ret->dlhandle && (ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
+ 		error("Security key provider %s dlsym(sk_sign) failed: %s",
+ 		    path, dlerror());
+ 		goto fail;
+-- 
+2.23.0
+
diff --git a/pkg/openssh/ver b/pkg/openssh/ver
@@ -1 +1 @@
-8.1p1 r0
+8.1p1-60-gb236b27d r0
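Review bot: After the first inner hunk a NULL `ret->dlhandle` silently doubles as "the provider is linked in", and the two `ret->dlhandle &&` guards in the `@@ -104,12 +110,12 @@` hunk depend on that invariant without stating it; a comment on the first guard, `/* dlhandle is NULL for the builtin provider; its entry points were bound above */`, would make the coupling visible. The `fail:` label and whatever releases `ret` lie outside the hunk, so confirm that path only calls `dlclose()` on a non-NULL handle, since the builtin case now reaches it with `dlhandle == NULL`. The two widened `if` lines also overrun the 80-column wrapping every neighbouring line follows; resolving `sk_enroll`/`sk_sign` inside the new `else` branch instead would keep the second hunk a pure deletion and leave the version check untouched, at the cost of resolving the two symbols before the version is validated. The literal provider name `builtin` is a user-visible contract for the `path` argument of `sshsk_open()` that the patch description does not mention, and upstream later adopted a different name for its own built-in provider, so recording the choice in the patch description would ease future rebases.
```c
	} else {
		/* … unchanged: dlopen() and dlsym("sk_api_version") with their error paths … */
		if ((ret->sk_enroll = dlsym(ret->dlhandle,
		    "sk_enroll")) == NULL) {
			error("Security key provider %s dlsym(sk_enroll) "
			    "failed: %s", path, dlerror());
			goto fail;
		}
		if ((ret->sk_sign = dlsym(ret->dlhandle,
		    "sk_sign")) == NULL) {
			error("Security key provider %s dlsym(sk_sign) failed: %s",
			    path, dlerror());
			goto fail;
		}
	}
	/* … unchanged: version check; the two guarded dlsym() blocks of the second hunk are removed … */
```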