libssh: update to 0.9.5

It seems none of the patches apply/are needed. Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years ago · 32f3eb298a
--- a/libs/libssh/Makefile
+++ b/libs/libssh/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libssh
 PKG_VERSION:=0.9.4
 PKG_RELEASE:=3
 PKG_VERSION:=0.9.5
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.libssh.org/files/0.9/
 PKG_HASH:=150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b
 PKG_HASH:=acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718

 PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
 PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause
--- a/libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch
+++ b/libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch
@ -1,73 +0,0 @@
 From ce7de0261f0c1f1640da5673dd24939a37e33bd9 Mon Sep 17 00:00:00 2001
 From: Rosen Penev <rosenp@gmail.com>
 Date: Thu, 23 Jan 2020 18:53:06 -0800
 Subject: [PATCH 1/2] libcrypto-compat: add extra functions

 Changed the define to compare OPENSSL_API_COMPAT instead of version as
 OpenSSL can be compiled in different ways. One is to disable all
 deprecated APIs.

 Added extra functions. The next commit will switch to them.

 Signed-off-by: Rosen Penev <rosenp@gmail.com>
 ---
 src/libcrypto-compat.c | 14 ++++++++++++++
 src/libcrypto-compat.h |  8 +++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

 diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c
 index 048d1781..3604763f 100644
 --- a/src/libcrypto-compat.c
 +++ b/src/libcrypto-compat.c
@@ -280,6 +280,11 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
     OPENSSL_free(ctx);
 }
 
 +int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
 +{
 +	EVP_CIPHER_CTX_init(ctx);
 +}
 +
 HMAC_CTX *HMAC_CTX_new(void)
 {
     HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
@@ -394,3 +399,12 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
     }
     return 1;
 }
 +
 +const char *OpenSSL_version(int type)
 +{
 +    return SSLeay_version(type);
 +}
 +unsigned long OpenSSL_version_num(void)
 +{
 +    return SSLeay();
 +}
 diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h
 index bda0473e..44e14801 100644
 --- a/src/libcrypto-compat.h
 +++ b/src/libcrypto-compat.h
@@ -34,6 +34,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
 EVP_MD_CTX *EVP_MD_CTX_new(void);
 void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
 
 +int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
 +
 HMAC_CTX *HMAC_CTX_new(void);
 int HMAC_CTX_reset(HMAC_CTX *ctx);
 void HMAC_CTX_free(HMAC_CTX *ctx);
@@ -44,6 +46,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
 void DH_get0_key(const DH *dh,
                  const BIGNUM **pub_key, const BIGNUM **priv_key);
 int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
 +
 +const char *OpenSSL_version(int type);
 +unsigned long OpenSSL_version_num(void);
 +
 #endif /* OPENSSL_VERSION_NUMBER */
 
 #endif /* LIBCRYPTO_COMPAT_H */
 -- 
 2.24.1

--- a/libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch
+++ b/libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch
@ -1,63 +0,0 @@
 From 73f0e186964126c9e2bfba43488f543ace54746b Mon Sep 17 00:00:00 2001
 From: Rosen Penev <rosenp@gmail.com>
 Date: Thu, 23 Jan 2020 18:54:51 -0800
 Subject: [PATCH 2/2] libcrypto: remove deprecated API usage

 EVP_CIPHER_CTX_init was replaced with _reset.

 Removed EVP_CIPHER_CTX_cleanup. The successive _free call handles that.

 Removed old SSLeay function usage.

 Signed-off-by: Rosen Penev <rosenp@gmail.com>
 ---
 src/libcrypto.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

 diff --git a/src/libcrypto.c b/src/libcrypto.c
 index b3792264..7ce7d93a 100644
 --- a/src/libcrypto.c
 +++ b/src/libcrypto.c
@@ -541,7 +541,7 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
     int rc;
 
     evp_cipher_init(cipher);
 -    EVP_CIPHER_CTX_init(cipher->ctx);
 +    EVP_CIPHER_CTX_reset(cipher->ctx);
 
     rc = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
     if (rc != 1){
@@ -574,7 +574,7 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
     int rc;
 
     evp_cipher_init(cipher);
 -    EVP_CIPHER_CTX_init(cipher->ctx);
 +    EVP_CIPHER_CTX_reset(cipher->ctx);
 
     rc = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
     if (rc != 1){
@@ -657,7 +657,6 @@ static void evp_cipher_decrypt(struct ssh_cipher_struct *cipher,
 
 static void evp_cipher_cleanup(struct ssh_cipher_struct *cipher) {
     if (cipher->ctx != NULL) {
 -        EVP_CIPHER_CTX_cleanup(cipher->ctx);
         EVP_CIPHER_CTX_free(cipher->ctx);
     }
 }
@@ -1481,11 +1480,11 @@ int ssh_crypto_init(void)
     if (libcrypto_initialized) {
         return SSH_OK;
     }
 -    if (SSLeay() != OPENSSL_VERSION_NUMBER){
 +    if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER){
         SSH_LOG(SSH_LOG_WARNING, "libssh compiled with %s "
             "headers, currently running with %s.",
             OPENSSL_VERSION_TEXT,
 -            SSLeay_version(SSLeay())
 +            OpenSSL_version(OpenSSL_version_num())
         );
     }
 #ifdef CAN_DISABLE_AESNI
 -- 
 2.24.1

--- a/libs/libssh/patches/0003-CVE-2020-16135.patch
+++ b/libs/libssh/patches/0003-CVE-2020-16135.patch
@ -1,165 +0,0 @@
 From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@cryptomilk.org>
 Date: Wed, 3 Jun 2020 10:04:09 +0200
 Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()

 Thanks to Ramin Farajpour Cami for spotting this.

 Fixes T232

 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 src/sftpserver.c | 6 ++++++
 1 file changed, 6 insertions(+)

 diff --git a/src/sftpserver.c b/src/sftpserver.c
 index 5a2110e5..b639a2ce 100644
 --- a/src/sftpserver.c
 +++ b/src/sftpserver.c
@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 
   /* take a copy of the whole packet */
   msg->complete_message = ssh_buffer_new();
 +  if (msg->complete_message == NULL) {
 +      ssh_set_error_oom(session);
 +      sftp_client_message_free(msg);
 +      return NULL;
 +  }
 +
   ssh_buffer_add_data(msg->complete_message,
                       ssh_buffer_get(payload),
                       ssh_buffer_get_len(payload));
 -- 
 GitLab


 From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@cryptomilk.org>
 Date: Wed, 3 Jun 2020 10:05:51 +0200
 Subject: [PATCH 2/4] sftpserver: Add missing return check for
 ssh_buffer_add_data()

 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 src/sftpserver.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

 diff --git a/src/sftpserver.c b/src/sftpserver.c
 index b639a2ce..9117f155 100644
 --- a/src/sftpserver.c
 +++ b/src/sftpserver.c
@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
       return NULL;
   }
 
 -  ssh_buffer_add_data(msg->complete_message,
 -                      ssh_buffer_get(payload),
 -                      ssh_buffer_get_len(payload));
 +  rc = ssh_buffer_add_data(msg->complete_message,
 +                           ssh_buffer_get(payload),
 +                           ssh_buffer_get_len(payload));
 +  if (rc < 0) {
 +      ssh_set_error_oom(session);
 +      sftp_client_message_free(msg);
 +      return NULL;
 +  }
 
   ssh_buffer_get_u32(payload, &msg->id);
 
 -- 
 GitLab


 From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@cryptomilk.org>
 Date: Wed, 3 Jun 2020 10:10:11 +0200
 Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()

 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 src/buffer.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

 diff --git a/src/buffer.c b/src/buffer.c
 index a2e6246a..476bc135 100644
 --- a/src/buffer.c
 +++ b/src/buffer.c
@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
  */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
 -  buffer_verify(buffer);
 +    buffer_verify(buffer);
 
 -  if (data == NULL) {
 -      return -1;
 -  }
 +    if (data == NULL) {
 +        return -1;
 +    }
 
 -  if (buffer->used + len < len) {
 -    return -1;
 -  }
 +    if (buffer->used + len < len) {
 +        return -1;
 +    }
 
 -  if (buffer->allocated < (buffer->used + len)) {
 -    if(buffer->pos > 0)
 -      buffer_shift(buffer);
 -    if (realloc_buffer(buffer, buffer->used + len) < 0) {
 -      return -1;
 +    if (buffer->allocated < (buffer->used + len)) {
 +        if (buffer->pos > 0) {
 +            buffer_shift(buffer);
 +        }
 +        if (realloc_buffer(buffer, buffer->used + len) < 0) {
 +            return -1;
 +        }
     }
 -  }
 
 -  memcpy(buffer->data+buffer->used, data, len);
 -  buffer->used+=len;
 -  buffer_verify(buffer);
 -  return 0;
 +    memcpy(buffer->data + buffer->used, data, len);
 +    buffer->used += len;
 +    buffer_verify(buffer);
 +    return 0;
 }
 
 /**
 -- 
 GitLab


 From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@cryptomilk.org>
 Date: Wed, 3 Jun 2020 10:11:21 +0200
 Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument

 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 src/buffer.c | 4 ++++
 1 file changed, 4 insertions(+)

 diff --git a/src/buffer.c b/src/buffer.c
 index 476bc135..ce12f491 100644
 --- a/src/buffer.c
 +++ b/src/buffer.c
@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
  */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
 +    if (buffer == NULL) {
 +        return -1;
 +    }
 +
     buffer_verify(buffer);
 
     if (data == NULL) {
 -- 
 GitLab

--- a/libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
+++ b/libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
@ -1,41 +0,0 @@
 From 6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 16 Apr 2020 11:13:34 +0200
 Subject: [PATCH] channels: Avoid returning SSH_AGAIN from
 ssh_channel_poll_timeout()

 This addresses a regression introduced in 3bad0607, partially fixed in 022409e9,
 but the function was still able to return SSH_AGAIN, which was not expected by
 callers.

 Based on discussion in [1] and [2]

 [1] https://gitlab.com/libssh/libssh-mirror/-/merge_requests/101
 [2] https://www.libssh.org/archive/libssh/2020-03/0000029.html

 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 ---
 src/channels.c | 6 ++++++
 1 file changed, 6 insertions(+)

 diff --git a/src/channels.c b/src/channels.c
 index bcc1c207..9fe309d0 100644
 --- a/src/channels.c
 +++ b/src/channels.c
@@ -3116,6 +3116,12 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
         session->session_state == SSH_SESSION_STATE_ERROR) {
         rc = SSH_ERROR;
         goto out;
 +    } else if (rc == SSH_AGAIN) {
 +        /* If the above timeout expired, it is ok and we do not need to
 +         * attempt to check the read buffer. The calling functions do not
 +         * expect us to return SSH_AGAIN either here. */
 +        rc = SSH_OK;
 +        goto out;
     }
     len = ssh_buffer_get_len(stdbuf);
     if (len > 0) {
 -- 
 2.26.2