Merge branch 'latestw_all' into merge-9.8

PowerShell · Aug 2, 2024 · 9a0bf7d · 9a0bf7d
2 parents 6384372 + 57149fe
commit 9a0bf7d
Show file tree

Hide file tree

Showing 15 changed files with 105 additions and 82 deletions.
diff --git a/contrib/win32/install/client.wxs b/contrib/win32/install/client.wxs
@@ -3,7 +3,6 @@
         <!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
         <ComponentGroup Id="Client" Directory="INSTALLFOLDER">
             <ComponentGroupRef Id="Shared" />
-            <ComponentGroupRef Id="Manifest" />
             <Component>
                 <File Name="ssh.exe" KeyPath="yes" />
             </Component>

diff --git a/contrib/win32/install/product.wxs b/contrib/win32/install/product.wxs
@@ -38,11 +38,7 @@
 
         <Directory Id="TARGETDIR" Name="SourceDir">
             <Directory Id="$(var.ProgramFilesFolder)" Name="Program Files">
-                <Directory Id="INSTALLFOLDER" Name="OpenSSH" >
-                    <Directory Id="MANIFESTFOLDER" Name="_manifest" >
-                        <Directory Id="SPDXFOLDER" Name="spdx_2.2" />
-                    </Directory>
-                </Directory>
+                <Directory Id="INSTALLFOLDER" Name="OpenSSH" />
             </Directory>
         </Directory>
     </Product>

diff --git a/contrib/win32/install/server.wxs b/contrib/win32/install/server.wxs
@@ -3,7 +3,6 @@
         <!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
         <ComponentGroup Id="Server" Directory="INSTALLFOLDER">
             <ComponentGroupRef Id="Shared" />
-            <ComponentGroupRef Id="Manifest" />
             <Component>
                 <File Name="sftp-server.exe" KeyPath="yes" />
             </Component>

diff --git a/contrib/win32/install/shared.wxs b/contrib/win32/install/shared.wxs
@@ -70,15 +70,6 @@
             </Component>
         </ComponentGroup>
 
-        <ComponentGroup Id="Manifest" Directory="SPDXFOLDER">
-             <Component>
-                <File Name="manifest.spdx.json" Source="_manifest\spdx_2.2\manifest.spdx.json" KeyPath="yes" />
-            </Component>
-            <Component>
-                <File Name="manifest.spdx.json.sha256" Source="_manifest\spdx_2.2\manifest.spdx.json.sha256" KeyPath="yes" />
-            </Component>
-        </ComponentGroup>
-
         <!-- Automatically add custom actions if referencing the Shared component group. -->
         <SetProperty Id="SetPrivilegesOnSshAgent" Value="&quot;[SystemFolder]sc.exe&quot; privs ssh-agent SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege" Sequence="execute" Before="SetPrivilegesOnSshAgent" />
         <CustomAction Id="SetPrivilegesOnSshAgent" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />

diff --git a/contrib/win32/openssh/DockerFile b/contrib/win32/openssh/DockerFile
diff --git a/contrib/win32/openssh/OpenSSH-build.ps1 b/contrib/win32/openssh/OpenSSH-build.ps1
@@ -1,7 +1,7 @@
 [cmdletbinding()]
 # PowerShell Script to clone, build and package PowerShell from specified fork and branch
 param (    
-    [string] $repolocation = "$pwd\openssh-portable",
+    [string] $repolocation = "$PSScriptRoot\..\..\..",
     [string] $destination = "$env:WORKSPACE",
     [ValidateSet('x86', 'x64', 'arm64', 'arm')]
     [String]$NativeHostArch = 'x64',        

diff --git a/contrib/win32/openssh/config.h.vs b/contrib/win32/openssh/config.h.vs
@@ -1728,7 +1728,6 @@
 #define _PATH_LS			"dir"
 #define _PATH_DEVNULL "NUL"
 #define FORK_NOT_SUPPORTED
-#define HAVE_FREEZERO
 #define FILESYSTEM_NO_BACKSLASH
 #define HAVE_LOCALTIME_R
 #define HAVE_DECL_MEMMEM 0

diff --git a/contrib/win32/openssh/openbsd_compat.vcxproj b/contrib/win32/openssh/openbsd_compat.vcxproj
@@ -58,6 +58,7 @@
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-waitpid.c" />
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\daemon.c" />
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\dirname.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\freezero.c" />
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\explicit_bzero.c" />
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fake-rfc2553.c" />
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fmt_scaled.c" />

diff --git a/contrib/win32/openssh/openbsd_compat.vcxproj.filters b/contrib/win32/openssh/openbsd_compat.vcxproj.filters
@@ -75,6 +75,9 @@
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\dirname.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\freezero.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
     <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\explicit_bzero.c">
       <Filter>Source Files</Filter>
     </ClCompile>

diff --git a/contrib/win32/openssh/resource.h b/contrib/win32/openssh/resource.h
diff --git a/contrib/win32/win32compat/misc.c b/contrib/win32/win32compat/misc.c
@@ -1512,15 +1512,6 @@ w32_ctime(const time_t* sourceTime)
 	return ctime_s(destTime, 26, sourceTime) == 0 ? destTime : NULL;
 }
 
-void
-freezero(void *ptr, size_t sz)
-{
-	if (ptr == NULL)
-		return;
-	explicit_bzero(ptr, sz);
-	free(ptr);
-}
-
 int 
 setenv(const char *name, const char *value, int rewrite)
 {

diff --git a/contrib/win32/win32compat/win32_groupaccess.c b/contrib/win32/win32compat/win32_groupaccess.c
@@ -190,6 +190,29 @@ check_group_membership(const char* group)
 {
 	PSID sid = NULL;
 	BOOL is_member = 0;
+	char* utf8_group_name = NULL;
+
+	// it can be a SID string; if it is - use localized name for that SID
+	wchar_t* group_utf16 = utf8_to_utf16(group);
+	if (ConvertStringSidToSidW(group_utf16, &sid) != 0) {
+		WCHAR group_name[UNLEN + 1];
+		DWORD group_name_length = UNLEN + 1;
+		WCHAR domain_name[DNLEN + 1] = L"";
+		DWORD domain_name_size = DNLEN + 1;
+		SID_NAME_USE account_type = 0;
+		if (LookupAccountSidW(NULL, sid, group_name, &group_name_length,
+			domain_name, &domain_name_size, &account_type) != 0) {
+			utf8_group_name = utf16_to_utf8(group_name);
+			debug3_f("'%s' is translated to '%s'", group, utf8_group_name);
+			group = utf8_group_name;
+		} else {
+			debug3_f("LookupAccountSid failed for '%s'", group);
+		}
+	}
+	else
+	{
+		debug3_f("'%s' not recognized as SID", group);
+	}
 
 	if ((sid = get_sid(group)) == NULL) {
 		error("unable to resolve group %s", group);
@@ -202,6 +225,10 @@ check_group_membership(const char* group)
 cleanup:
 	if (sid)
 		free(sid);
+	if (group_utf16)
+		free(group_utf16);
+	if (utf8_group_name)
+		free(utf8_group_name);
 	return is_member? 1: 0;
 }
 

diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
@@ -97,44 +97,6 @@ _rs_init(u_char *buf, size_t n)
 {
 	if (n < KEYSZ + IVSZ)
 		return;
-}
-
-#ifndef WITH_OPENSSL
-#ifdef WINDOWS
-#include <Wincrypt.h>
-static void
-getrnd(u_char *s, size_t len) {
-	HCRYPTPROV hProvider;
-	if (CryptAcquireContextW(&hProvider, 0, 0, PROV_RSA_FULL, 
-		CRYPT_VERIFYCONTEXT | CRYPT_SILENT) == FALSE ||
-	    CryptGenRandom(hProvider, len, s) == FALSE ||
-	    CryptReleaseContext(hProvider, 0) == FALSE)
-		fatal("%s Crypto error: %d", __func__, GetLastError());
-}
-
-#else /* !WINDOWS */
-# ifndef SSH_RANDOM_DEV
-#  define SSH_RANDOM_DEV "/dev/urandom"
-# endif /* SSH_RANDOM_DEV */
-static void
-getrnd(u_char *s, size_t len)
-{
-	int fd, save_errno;
-	ssize_t r;
-	size_t o = 0;
-
-#ifdef HAVE_GETRANDOM
-	if ((r = getrandom(s, len, 0)) > 0 && (size_t)r == len)
-		return;
-#endif /* HAVE_GETRANDOM */
-
-	if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1) {
-		save_errno = errno;
-		/* Try egd/prngd before giving up. */
-		if (seed_from_prngd(s, len) == 0)
-			return;
-		fatal("Couldn't open %s: %s", SSH_RANDOM_DEV,
-		    strerror(save_errno));
 
 	if (rs == NULL) {
 		if (_rs_allocate(&rs, &rsx) == -1)
@@ -144,8 +106,6 @@ getrnd(u_char *s, size_t len)
 	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
 	chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
 }
-#endif /* !WINDOWS */
-#endif /* WITH_OPENSSL */
 
 static void
 _rs_stir(void)
@@ -290,4 +250,4 @@ arc4random_buf(void *_buf, size_t n)
 	}
 	explicit_bzero(&r, sizeof(r));
 }
-#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
diff --git a/openbsd-compat/timingsafe_bcmp.c b/openbsd-compat/timingsafe_bcmp.c
@@ -27,10 +27,6 @@ timingsafe_bcmp(const void *b1, const void *b2, size_t n)
 	int ret = 0;
 
 	for (; n > 0; n--) {
-#ifdef WINDOWS
-		if (*p1 == '\r' && *(p1 + 1) == '\n' && *p2 == '\n')
-			p1++;
-#endif // WINDOWS
 		ret |= *p1++ ^ *p2++;
 	}
 

diff --git a/servconf.c b/servconf.c
@@ -11,6 +11,10 @@
  */
 
 #include "includes.h"
+#ifdef WINDOWS
+#include <LM.h>
+#include <Sddl.h>
+#endif // WINDOWS
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -1802,6 +1806,34 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  parse_allowdenyusers:
 		/* XXX appends to list; doesn't respect first-match-wins */
 		while ((arg = argv_next(&ac, &av)) != NULL) {
+#ifdef WINDOWS
+			// it can be a SID string; if it is - use localized name for that SID
+			PSID Sid = NULL;
+			char* utf8_user_name = NULL;
+			wchar_t* arg_utf16 = utf8_to_utf16(arg);
+			if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
+				WCHAR user_name[UNLEN + 1];
+				DWORD user_name_length = UNLEN + 1;
+				WCHAR domain_name[DNLEN + 1] = L"";
+				DWORD domain_name_size = DNLEN + 1;
+				SID_NAME_USE account_type = 0;
+				if (LookupAccountSidW(NULL, Sid, user_name, &user_name_length,
+					domain_name, &domain_name_size, &account_type) != 0) {
+					utf8_user_name = utf16_to_utf8(user_name);
+					debug3_f("'%s' is translated to '%s'", arg, utf8_user_name);
+					arg = utf8_user_name;
+				} else {
+					debug3_f("LookupAccountSid failed for '%s'", arg);
+				}
+
+				if (Sid)
+					LocalFree(Sid);
+			}
+			else
+			{
+				debug3_f("'%s' not recognized as SID", arg);
+			}
+#endif // WINDOWS
 			if (*arg == '\0' ||
 			    match_user(NULL, NULL, NULL, arg) == -1)
 				fatal("%s line %d: invalid %s pattern: \"%s\"",
@@ -1811,6 +1843,12 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 				continue;
 			opt_array_append(filename, linenum, keyword,
 			    chararrayptr, uintptr, arg);
+#ifdef WINDOWS
+			if (utf8_user_name)
+				free(utf8_user_name);
+			if (arg_utf16)
+				free(arg_utf16);
+#endif // WINDOWS
 		}
 		if (!found) {
 			fatal("%s line %d: no %s specified",
@@ -1833,10 +1871,43 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 				fatal("%s line %d: empty %s pattern",
 				    filename, linenum, keyword);
 			found = 1;
+			// it can be a SID string; if it is - use localized name for that SID
+			PSID Sid = NULL;
+			char* utf8_group_name = NULL;
+			wchar_t* arg_utf16 = utf8_to_utf16(arg);
+			if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
+				WCHAR group_name[UNLEN + 1];
+				DWORD group_name_length = UNLEN + 1;
+				WCHAR domain_name[DNLEN + 1] = L"";
+				DWORD domain_name_size = DNLEN + 1;
+				SID_NAME_USE account_type = 0;
+				if (LookupAccountSidW(NULL, Sid, group_name, &group_name_length,
+					domain_name, &domain_name_size, &account_type) != 0) {
+					utf8_group_name = utf16_to_utf8(group_name);
+					debug3_f("'%s' is translated to '%s'", arg, utf8_group_name);
+					arg = utf8_group_name;
+				} else {
+					debug3_f("LookupAccountSid failed for '%s'", arg);
+				}
+
+				if (Sid)
+					LocalFree(Sid);
+			}
+			else
+			{
+				debug3_f("'%s' not recognized as SID", arg);
+			}
+#endif // WINDOWS
 			if (!*activep)
 				continue;
 			opt_array_append(filename, linenum, keyword,
 			    chararrayptr, uintptr, arg);
+#ifdef WINDOWS
+			if (utf8_group_name)
+				free(utf8_group_name);
+			if (arg_utf16)
+				free(arg_utf16);
+#endif // WINDOWS
 		}
 		if (!found) {
 			fatal("%s line %d: no %s specified",