diff --git a/libs/libssh/Makefile b/libs/libssh/Makefile
index ae2099430..d747bfa2d 100644
--- a/libs/libssh/Makefile
+++ b/libs/libssh/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libssh
-PKG_VERSION:=0.9.4
-PKG_RELEASE:=3
+PKG_VERSION:=0.9.5
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.libssh.org/files/0.9/
-PKG_HASH:=150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b
+PKG_HASH:=acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718
 
 PKG_MAINTAINER:=Mislav Novakovic
 PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause
diff --git a/libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch b/libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch
deleted file mode 100644
index 53ceebe12..000000000
--- a/libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From ce7de0261f0c1f1640da5673dd24939a37e33bd9 Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Thu, 23 Jan 2020 18:53:06 -0800
-Subject: [PATCH 1/2] libcrypto-compat: add extra functions
-
-Changed the define to compare OPENSSL_API_COMPAT instead of version as
-OpenSSL can be compiled in different ways. One is to disable all
-deprecated APIs.
-
-Added extra functions. The next commit will switch to them.
-
-Signed-off-by: Rosen Penev
----
- src/libcrypto-compat.c | 14 ++++++++++++++
- src/libcrypto-compat.h | 8 +++++++-
- 2 files changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c
-index 048d1781..3604763f 100644
---- a/src/libcrypto-compat.c
-+++ b/src/libcrypto-compat.c
-@@ -280,6 +280,11 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
- OPENSSL_free(ctx);
- }
-
-+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
-+{
-+ EVP_CIPHER_CTX_init(ctx);
-+}
-+
- HMAC_CTX *HMAC_CTX_new(void)
- {
- HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
-@@ -394,3 +399,12 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
- }
- return 1;
- }
-+
-+const char *OpenSSL_version(int type)
-+{
-+ return SSLeay_version(type);
-+}
-+unsigned long OpenSSL_version_num(void)
-+{
-+ return SSLeay();
-+}
-diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h
-index bda0473e..44e14801 100644
---- a/src/libcrypto-compat.h
-+++ b/src/libcrypto-compat.h
-@@ -34,6 +34,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
- EVP_MD_CTX *EVP_MD_CTX_new(void);
- void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-
-+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
-+
- HMAC_CTX *HMAC_CTX_new(void);
- int HMAC_CTX_reset(HMAC_CTX *ctx);
- void HMAC_CTX_free(HMAC_CTX *ctx);
-@@ -44,6 +46,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
- void DH_get0_key(const DH *dh,
- const BIGNUM **pub_key, const BIGNUM **priv_key);
- int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-+
-+const char *OpenSSL_version(int type);
-+unsigned long OpenSSL_version_num(void);
-+
- #endif /* OPENSSL_VERSION_NUMBER */
-
- #endif /* LIBCRYPTO_COMPAT_H */
---
-2.24.1
-
diff --git a/libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch b/libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch
deleted file mode 100644
index 7b0626d1a..000000000
--- a/libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 73f0e186964126c9e2bfba43488f543ace54746b Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Thu, 23 Jan 2020 18:54:51 -0800
-Subject: [PATCH 2/2] libcrypto: remove deprecated API usage
-
-EVP_CIPHER_CTX_init was replaced with _reset.
-
-Removed EVP_CIPHER_CTX_cleanup. The successive _free call handles that.
-
-Removed old SSLeay function usage.
-
-Signed-off-by: Rosen Penev
----
- src/libcrypto.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/src/libcrypto.c b/src/libcrypto.c
-index b3792264..7ce7d93a 100644
---- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -541,7 +541,7 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
- int rc;
-
- evp_cipher_init(cipher);
-- EVP_CIPHER_CTX_init(cipher->ctx);
-+ EVP_CIPHER_CTX_reset(cipher->ctx);
-
- rc = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
- if (rc != 1){
-@@ -574,7 +574,7 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
- int rc;
-
- evp_cipher_init(cipher);
-- EVP_CIPHER_CTX_init(cipher->ctx);
-+ EVP_CIPHER_CTX_reset(cipher->ctx);
-
- rc = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
- if (rc != 1){
-@@ -657,7 +657,6 @@ static void evp_cipher_decrypt(struct ssh_cipher_struct *cipher,
-
- static void evp_cipher_cleanup(struct ssh_cipher_struct *cipher) {
- if (cipher->ctx != NULL) {
-- EVP_CIPHER_CTX_cleanup(cipher->ctx);
- EVP_CIPHER_CTX_free(cipher->ctx);
- }
- }
-@@ -1481,11 +1480,11 @@ int ssh_crypto_init(void)
- if (libcrypto_initialized) {
- return SSH_OK;
- }
-- if (SSLeay() != OPENSSL_VERSION_NUMBER){
-+ if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER){
- SSH_LOG(SSH_LOG_WARNING, "libssh compiled with %s "
- "headers, currently running with %s.",
- OPENSSL_VERSION_TEXT,
-- SSLeay_version(SSLeay())
-+ OpenSSL_version(OpenSSL_version_num())
- );
- }
- #ifdef CAN_DISABLE_AESNI
---
-2.24.1
-
diff --git a/libs/libssh/patches/0003-CVE-2020-16135.patch b/libs/libssh/patches/0003-CVE-2020-16135.patch
deleted file mode 100644
index f480e83ed..000000000
--- a/libs/libssh/patches/0003-CVE-2020-16135.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 3 Jun 2020 10:04:09 +0200
-Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
-
-Thanks to Ramin Farajpour Cami for spotting this.
-
-Fixes T232
-
-Signed-off-by: Andreas Schneider
----
- src/sftpserver.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 5a2110e5..b639a2ce 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
-
- /* take a copy of the whole packet */
- msg->complete_message = ssh_buffer_new();
-+ if (msg->complete_message == NULL) {
-+ ssh_set_error_oom(session);
-+ sftp_client_message_free(msg);
-+ return NULL;
-+ }
-+
- ssh_buffer_add_data(msg->complete_message,
- ssh_buffer_get(payload),
- ssh_buffer_get_len(payload));
---
-GitLab
-
-
-From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 3 Jun 2020 10:05:51 +0200
-Subject: [PATCH 2/4] sftpserver: Add missing return check for
- ssh_buffer_add_data()
-
-Signed-off-by: Andreas Schneider
----
- src/sftpserver.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index b639a2ce..9117f155 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
- return NULL;
- }
-
-- ssh_buffer_add_data(msg->complete_message,
-- ssh_buffer_get(payload),
-- ssh_buffer_get_len(payload));
-+ rc = ssh_buffer_add_data(msg->complete_message,
-+ ssh_buffer_get(payload),
-+ ssh_buffer_get_len(payload));
-+ if (rc < 0) {
-+ ssh_set_error_oom(session);
-+ sftp_client_message_free(msg);
-+ return NULL;
-+ }
-
- ssh_buffer_get_u32(payload, &msg->id);
-
---
-GitLab
-
-
-From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 3 Jun 2020 10:10:11 +0200
-Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
-
-Signed-off-by: Andreas Schneider
----
- src/buffer.c | 35 ++++++++++++++++++-----------------
- 1 file changed, 18 insertions(+), 17 deletions(-)
-
-diff --git a/src/buffer.c b/src/buffer.c
-index a2e6246a..476bc135 100644
---- a/src/buffer.c
-+++ b/src/buffer.c
-@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
- */
- int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
- {
-- buffer_verify(buffer);
-+ buffer_verify(buffer);
-
-- if (data == NULL) {
-- return -1;
-- }
-+ if (data == NULL) {
-+ return -1;
-+ }
-
-- if (buffer->used + len < len) {
-- return -1;
-- }
-+ if (buffer->used + len < len) {
-+ return -1;
-+ }
-
-- if (buffer->allocated < (buffer->used + len)) {
-- if(buffer->pos > 0)
-- buffer_shift(buffer);
-- if (realloc_buffer(buffer, buffer->used + len) < 0) {
-- return -1;
-+ if (buffer->allocated < (buffer->used + len)) {
-+ if (buffer->pos > 0) {
-+ buffer_shift(buffer);
-+ }
-+ if (realloc_buffer(buffer, buffer->used + len) < 0) {
-+ return -1;
-+ }
- }
-- }
-
-- memcpy(buffer->data+buffer->used, data, len);
-- buffer->used+=len;
-- buffer_verify(buffer);
-- return 0;
-+ memcpy(buffer->data + buffer->used, data, len);
-+ buffer->used += len;
-+ buffer_verify(buffer);
-+ return 0;
- }
-
- /**
---
-GitLab
-
-
-From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 3 Jun 2020 10:11:21 +0200
-Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
-
-Signed-off-by: Andreas Schneider
----
- src/buffer.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/buffer.c b/src/buffer.c
-index 476bc135..ce12f491 100644
---- a/src/buffer.c
-+++ b/src/buffer.c
-@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
- */
- int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
- {
-+ if (buffer == NULL) {
-+ return -1;
-+ }
-+
- buffer_verify(buffer);
-
- if (data == NULL) {
---
-GitLab
-
diff --git a/libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch b/libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
deleted file mode 100644
index 8dd50bae0..000000000
--- a/libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen
-Date: Thu, 16 Apr 2020 11:13:34 +0200
-Subject: [PATCH] channels: Avoid returning SSH_AGAIN from
- ssh_channel_poll_timeout()
-
-This addresses a regression introduced in 3bad0607, partially fixed in 022409e9,
-but the function was still able to return SSH_AGAIN, which was not expected by
-callers.
-
-Based on discussion in [1] and [2]
-
-[1] https://gitlab.com/libssh/libssh-mirror/-/merge_requests/101
-[2] https://www.libssh.org/archive/libssh/2020-03/0000029.html
-
-Signed-off-by: Jakub Jelen
-Reviewed-by: Anderson Toshiyuki Sasaki
----
- src/channels.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/channels.c b/src/channels.c
-index bcc1c207..9fe309d0 100644
---- a/src/channels.c
-+++ b/src/channels.c
-@@ -3116,6 +3116,12 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
- session->session_state == SSH_SESSION_STATE_ERROR) {
- rc = SSH_ERROR;
- goto out;
-+ } else if (rc == SSH_AGAIN) {
-+ /* If the above timeout expired, it is ok and we do not need to
-+ * attempt to check the read buffer. The calling functions do not
-+ * expect us to return SSH_AGAIN either here. */
-+ rc = SSH_OK;
-+ goto out;
- }
- len = ssh_buffer_get_len(stdbuf);
- if (len > 0) {
---
-2.26.2
-