LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

libssh: updated to 0.9.3 

This updates the library to address several CVEs, add modern
crypto, and eliminate legacy patches.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 5 years ago
parent
cfda983bec
commit
424c011895
18 changed files with 13 additions and 678 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +5
    -4
      libs/libssh/Makefile
  2. +0
    -83
      libs/libssh/patches/0001-misc-Add-strndup-implementation-if-not-provides-by-t.patch
  3. +0
    -24
      libs/libssh/patches/0002-packet-Add-missing-break-in-ssh_packet_incoming_filt.patch
  4. +0
    -24
      libs/libssh/patches/0003-server-Set-correct-state-after-sending-INFO_REQUEST-.patch
  5. +0
    -37
      libs/libssh/patches/0004-messages-Check-that-the-requested-service-is-ssh-con.patch
  6. +0
    -72
      libs/libssh/patches/0005-examples-Explicitly-track-auth-state-in-samplesshd-k.patch
  7. +0
    -22
      libs/libssh/patches/0006-server-Fix-compile-error.patch
  8. +0
    -24
      libs/libssh/patches/0007-gssapi-Set-correct-state-after-sending-GSSAPI_RESPON.patch
  9. +0
    -24
      libs/libssh/patches/0008-libcrypto-Fix-memory-leak-in-evp_final.patch
  10. +0
    -83
      libs/libssh/patches/0009-threads-Use-new-API-call-for-OpenSSL-CRYPTO-THREADID.patch
  11. +8
    -19
      libs/libssh/patches/001-compile.patch
  12. +0
    -43
      libs/libssh/patches/0010-pki_crypto-Don-t-use-deprecated-function-with-newer-.patch
  13. +0
    -29
      libs/libssh/patches/0011-pki_crypto-Avoid-segfault-with-OpenSSL-1.1.0.patch
  14. +0
    -36
      libs/libssh/patches/0012-pki_crypto-Avoid-potential-memory-leak.patch
  15. +0
    -65
      libs/libssh/patches/0013-crypto-Fix-compilation-for-OpenSSL-without-deprecate.patch
  16. +0
    -22
      libs/libssh/patches/002-disable-libssp.patch
  17. +0
    -39
      libs/libssh/patches/010-openssl-11-deprecated.patch
  18. +0
    -28
      libs/libssh/patches/020-openssl-threads.patch

+ 5
- 4
libs/libssh/Makefile View File

@ -11,16 +11,17 @@ PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_NAME:=libssh
PKG_VERSION:=0.7.6
PKG_RELEASE:=4
PKG_VERSION:=0.9.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.libssh.org/files/0.7/
PKG_HASH:=1d607d3859274f755942324afb0f887ee22edd157f9596a2e69e3a28ec6d1092
PKG_SOURCE_URL:=https://www.libssh.org/files/0.9/
PKG_HASH:=2c8b5f894dced58b3d629f16f3afa6562c20b4bdc894639163cf657833688f0c
PKG_CPE_ID:=cpe:/a:libssh:libssh
CMAKE_INSTALL:=1
CMAKE_BINARY_SUBDIR:=build
PKG_BUILD_PARALLEL:=1
PKG_USE_MIPS16:=0


+ 0
- 83
libs/libssh/patches/0001-misc-Add-strndup-implementation-if-not-provides-by-t.patch View File

@ -1,83 +0,0 @@
From f81ca6161223e3566ce78a427571235fb6848fe9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 29 Aug 2018 18:41:15 +0200
Subject: [PATCH 1/8] misc: Add strndup implementation if not provides by the
OS
Fixes T112
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 247983e9820fd264cb5a59c14cc12846c028bd08)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
ConfigureChecks.cmake | 1 +
config.h.cmake | 3 +++
include/libssh/priv.h | 4 ++++
src/misc.c | 21 +++++++++++++++++++++
4 files changed, 29 insertions(+)
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -115,6 +115,7 @@ endif (NOT WITH_GCRYPT)
check_function_exists(isblank HAVE_ISBLANK)
check_function_exists(strncpy HAVE_STRNCPY)
+check_function_exists(strndup HAVE_STRNDUP)
check_function_exists(strtoull HAVE_STRTOULL)
if (NOT WIN32)
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -103,6 +103,9 @@
/* Define to 1 if you have the `strncpy' function. */
#cmakedefine HAVE_STRNCPY 1
+/* Define to 1 if you have the `strndup' function. */
+#cmakedefine HAVE_STRNDUP 1
+
/* Define to 1 if you have the `cfmakeraw' function. */
#cmakedefine HAVE_CFMAKERAW 1
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -43,6 +43,10 @@
# endif
#endif /* !defined(HAVE_STRTOULL) */
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n);
+#endif /* ! HAVE_STRNDUP */
+
#ifdef HAVE_BYTESWAP_H
#include <byteswap.h>
#endif
--- a/src/misc.c
+++ b/src/misc.c
@@ -1028,6 +1028,27 @@ int ssh_match_group(const char *group, c
return 0;
}
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n)
+{
+ char *x = NULL;
+
+ if (n + 1 < n) {
+ return NULL;
+ }
+
+ x = malloc(n + 1);
+ if (x == NULL) {
+ return NULL;
+ }
+
+ memcpy(x, s, n);
+ x[n] = '\0';
+
+ return x;
+}
+#endif /* ! HAVE_STRNDUP */
+
/** @} */
/* vim: set ts=4 sw=4 et cindent: */

+ 0
- 24
libs/libssh/patches/0002-packet-Add-missing-break-in-ssh_packet_incoming_filt.patch View File

@ -1,24 +0,0 @@
From e4c6d591df6a9c34c1ff3ec9f367c7257122bef3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 17 Oct 2018 07:23:10 +0200
Subject: [PATCH 2/8] packet: Add missing break in ssh_packet_incoming_filter()
CID 1396239
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit fe618a35dc4be3e73ddf29d0c4a96b98d3b9c48f)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/packet.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/packet.c
+++ b/src/packet.c
@@ -285,6 +285,7 @@ static enum ssh_packet_filter_result_e s
(session->dh_handshake_state != DH_STATE_FINISHED))
{
rc = SSH_PACKET_DENIED;
+ break;
}
rc = SSH_PACKET_ALLOWED;

+ 0
- 24
libs/libssh/patches/0003-server-Set-correct-state-after-sending-INFO_REQUEST-.patch View File

@ -1,24 +0,0 @@
From 734e3ce6747a5ed120b93a1ff253b3fde5f20024 Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@wallix.com>
Date: Wed, 17 Oct 2018 14:50:08 +0200
Subject: [PATCH 3/8] server: Set correct state after sending INFO_REQUEST (Kbd
Interactive)
Signed-off-by: Meng Tan <mtan@wallix.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 4ea46eecce9f4e676150fe27fec34e1570b70ace)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/server.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/server.c
+++ b/src/server.c
@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request
msg->session->kbdint->prompts = NULL;
msg->session->kbdint->echo = NULL;
}
+ msg->session->auth.state = SSH_AUTH_STATE_INFO;
return rc;
}

+ 0
- 37
libs/libssh/patches/0004-messages-Check-that-the-requested-service-is-ssh-con.patch View File

@ -1,37 +0,0 @@
From 3fe7510b261098e3937ab5417935916a46e6727b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 19 Oct 2018 11:40:44 +0200
Subject: [PATCH 4/8] messages: Check that the requested service is
'ssh-connection'
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 9c200d3ef4f62d724d3bae2563b81c38cc31e215)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/messages.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/src/messages.c
+++ b/src/messages.c
@@ -649,6 +649,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
ssh_message msg = NULL;
char *service = NULL;
char *method = NULL;
+ int cmp;
int rc;
(void)user;
@@ -675,6 +676,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
service, method,
msg->auth_request.username);
+ cmp = strcmp(service, "ssh-connection");
+ if (cmp != 0) {
+ SSH_LOG(SSH_LOG_WARNING,
+ "Invalid service request: %s",
+ service);
+ goto end;
+ }
if (strcmp(method, "none") == 0) {
msg->auth_request.method = SSH_AUTH_METHOD_NONE;

+ 0
- 72
libs/libssh/patches/0005-examples-Explicitly-track-auth-state-in-samplesshd-k.patch View File

@ -1,72 +0,0 @@
From acb0e4f401440ca325e441064d2cb4b896fb9a3d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 17 Oct 2018 17:32:54 +0200
Subject: [PATCH 5/8] examples: Explicitly track auth state in
samplesshd-kbdint
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 0ff566b6dde5cd27653aa35280feceefad5d5224)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
examples/samplesshd-kbdint.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/examples/samplesshd-kbdint.c
+++ b/examples/samplesshd-kbdint.c
@@ -23,6 +23,7 @@ clients must be made or how a client sho
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
+#include <stdbool.h>
#define SSHD_USER "libssh"
#define SSHD_PASSWORD "libssh"
@@ -36,6 +37,7 @@ clients must be made or how a client sho
#endif
static int port = 22;
+static bool authenticated = false;
#ifdef WITH_PCAP
static const char *pcap_file = "debug.server.pcap";
@@ -61,11 +63,20 @@ static void cleanup_pcap(void) {
#endif
-static int auth_password(const char *user, const char *password){
- if(strcmp(user, SSHD_USER))
+static int auth_password(const char *user, const char *password)
+{
+ int cmp;
+
+ cmp = strcmp(user, SSHD_USER);
+ if (cmp != 0) {
return 0;
- if(strcmp(password, SSHD_PASSWORD))
+ }
+ cmp = strcmp(password, SSHD_PASSWORD);
+ if (cmp != 0) {
return 0;
+ }
+
+ authenticated = true;
return 1; // authenticated
}
#ifdef HAVE_ARGP_H
@@ -200,6 +211,7 @@ static int kbdint_check_response(ssh_ses
return 0;
}
+ authenticated = true;
return 1;
}
@@ -328,7 +340,7 @@ int main(int argc, char **argv){
/* proceed to authentication */
auth = authenticate(session);
- if(!auth){
+ if (!auth || !authenticated) {
printf("Authentication error: %s\n", ssh_get_error(session));
ssh_disconnect(session);
return 1;

+ 0
- 22
libs/libssh/patches/0006-server-Fix-compile-error.patch View File

@ -1,22 +0,0 @@
From 7ad80ba1cc48f7af1f192692d100a6255d97b843 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 24 Oct 2018 19:57:17 +0200
Subject: [PATCH 6/8] server: Fix compile error
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/server.c
+++ b/src/server.c
@@ -976,7 +976,7 @@ int ssh_message_auth_interactive_request
msg->session->kbdint->prompts = NULL;
msg->session->kbdint->echo = NULL;
}
- msg->session->auth.state = SSH_AUTH_STATE_INFO;
+ msg->session->auth_state = SSH_AUTH_STATE_INFO;
return rc;
}

+ 0
- 24
libs/libssh/patches/0007-gssapi-Set-correct-state-after-sending-GSSAPI_RESPON.patch View File

@ -1,24 +0,0 @@
From 103973215443f6e02e010114a3f7ac19eb6f3c8c Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@wallix.com>
Date: Thu, 25 Oct 2018 17:06:06 +0200
Subject: [PATCH 7/8] gssapi: Set correct state after sending GSSAPI_RESPONSE
(select mechanism OID)
Signed-off-by: Meng Tan <mtan@wallix.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit bce8d567053232debd6ec490af5a7d27e1160f39)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/gssapi.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_
ssh_set_error_oom(session);
return SSH_ERROR;
}
+ session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN;
packet_send(session);
SSH_LOG(SSH_LOG_PACKET,

+ 0
- 24
libs/libssh/patches/0008-libcrypto-Fix-memory-leak-in-evp_final.patch View File

@ -1,24 +0,0 @@
From 9d5cf209df4c260546e1468cc15fbbbfba3097c6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Sat, 27 Oct 2018 22:15:56 +0200
Subject: [PATCH 8/8] libcrypto: Fix memory leak in evp_final()
Fixes T116
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit a2807474621e51b386ea26ce2a01d2b1aa295c7b)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/libcrypto.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -165,6 +165,7 @@ void evp_update(EVPCTX ctx, const void *
void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen)
{
EVP_DigestFinal(ctx, md, mdlen);
+ EVP_MD_CTX_free(ctx);
}
#endif

+ 0
- 83
libs/libssh/patches/0009-threads-Use-new-API-call-for-OpenSSL-CRYPTO-THREADID.patch View File

@ -1,83 +0,0 @@
From a8523d83c242c6f71dbf69fab0ca91d768e78f05 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Sun, 6 Nov 2016 12:07:32 +0100
Subject: [PATCH] threads: Use new API call for OpenSSL CRYPTO THREADID
BUG: https://red.libssh.org/issues/222
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
ConfigureChecks.cmake | 4 ++++
config.h.cmake | 3 +++
src/threads.c | 19 +++++++++++++++++--
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 0a53c5b1..43179d8f 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -95,6 +95,10 @@ if (OPENSSL_FOUND)
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
check_function_exists(CRYPTO_ctr128_encrypt HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT)
+
+ set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+ set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
+ check_function_exists(CRYPTO_THREADID_set_callback HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK)
endif()
if (CMAKE_HAVE_PTHREAD_H)
diff --git a/config.h.cmake b/config.h.cmake
index 3e7f7939..b87fea5c 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -79,6 +79,9 @@
/* Define to 1 if you have the `CRYPTO_ctr128_encrypt' function. */
#cmakedefine HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT 1
+/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */
+#cmakedefine HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK 1
+
/* Define to 1 if you have the `snprintf' function. */
#cmakedefine HAVE_SNPRINTF 1
diff --git a/src/threads.c b/src/threads.c
index 7f3a304e..062c3b84 100644
--- a/src/threads.c
+++ b/src/threads.c
@@ -116,6 +116,15 @@ static void libcrypto_lock_callback(int mode, int i, const char *file, int line)
}
}
+#ifdef HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK
+static void libcrypto_THREADID_callback(CRYPTO_THREADID *id)
+{
+ unsigned long thread_id = (*user_callbacks->thread_id)();
+
+ CRYPTO_THREADID_set_numeric(id, thread_id);
+}
+#endif /* HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK */
+
static int libcrypto_thread_init(void){
int n=CRYPTO_num_locks();
int i;
@@ -127,8 +136,14 @@ static int libcrypto_thread_init(void){
for (i=0;i<n;++i){
user_callbacks->mutex_init(&libcrypto_mutexes[i]);
}
- CRYPTO_set_id_callback(user_callbacks->thread_id);
- CRYPTO_set_locking_callback(libcrypto_lock_callback);
+
+#ifdef HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK
+ CRYPTO_THREADID_set_callback(libcrypto_THREADID_callback);
+#else
+ CRYPTO_set_id_callback(user_callbacks->thread_id);
+#endif
+
+ CRYPTO_set_locking_callback(libcrypto_lock_callback);
return SSH_OK;
}
--
2.19.1

+ 8
- 19
libs/libssh/patches/001-compile.patch View File

@ -1,27 +1,16 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -35,10 +35,6 @@ include(DefineInstallationPaths)
include(DefineOptions.cmake)
include(CPackConfig.cmake)
-# disallow in-source build
-include(MacroEnsureOutOfSourceBuild)
-macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source build. Please create a separate build directory and run 'cmake /path/to/${PROJECT_NAME} [options]' there.")
-
# search for libraries
if (WITH_ZLIB)
find_package(ZLIB REQUIRED)
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index c8bb2aa..344ba59 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -5,7 +5,6 @@ include(CheckFunctionExists)
include(CheckLibraryExists)
include(CheckTypeSize)
include(CheckCXXSourceCompiles)
include(CheckStructHasMember)
-include(TestBigEndian)
set(PACKAGE ${APPLICATION_NAME})
set(VERSION ${APPLICATION_VERSION})
@@ -276,6 +275,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
set(PACKAGE ${PROJECT_NAME})
set(VERSION ${PROJECT_VERSION})
@@ -465,6 +464,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
endif (WITH_GSSAPI AND NOT GSSAPI_FOUND)
# ENDIAN
@ -29,7 +18,7 @@
- test_big_endian(WORDS_BIGENDIAN)
-endif (NOT WIN32)
+if (WITH_BIG_ENDIAN)
+ set(WORDS_BIGENDIAN 1)
+ set(WORDS_BIGENDIAN 1)
+else (WITH_BIG_ENDIAN)
+ set(WORDS_BIGENDIAN 0)
+ set(WORDS_BIGENDIAN 0)
+endif (WITH_BIG_ENDIAN)

+ 0
- 43
libs/libssh/patches/0010-pki_crypto-Don-t-use-deprecated-function-with-newer-.patch View File

@ -1,43 +0,0 @@
From 8d5cf617d53d0545a0d141abf94396c28ca7e736 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Sun, 29 Oct 2017 16:06:14 +0100
Subject: [PATCH] pki_crypto: Don't use deprecated function with newer
OpenSSL
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
src/pki_crypto.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 9e27436c..34d6e81c 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -451,11 +451,24 @@ int pki_key_generate_rsa(ssh_key key, int parameter){
int pki_key_generate_dss(ssh_key key, int parameter){
int rc;
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+ rc = DSA_generate_parameters_ex(key->dsa,
+ parameter,
+ NULL, /* seed */
+ 0, /* seed_len */
+ NULL, /* counter_ret */
+ NULL, /* h_ret */
+ NULL); /* cb */
+ if (rc != 1) {
+ return SSH_ERROR;
+ }
+#else
key->dsa = DSA_generate_parameters(parameter, NULL, 0, NULL, NULL,
NULL, NULL);
if(key->dsa == NULL){
return SSH_ERROR;
}
+#endif
rc = DSA_generate_key(key->dsa);
if (rc != 1){
DSA_free(key->dsa);
--
2.19.1

+ 0
- 29
libs/libssh/patches/0011-pki_crypto-Avoid-segfault-with-OpenSSL-1.1.0.patch View File

@ -1,29 +0,0 @@
From ab67e42d6a0529f5fb81ee86049bf10abe99f839 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 7 Nov 2017 09:38:40 +0100
Subject: [PATCH] pki_crypto: Avoid segfault with OpenSSL 1.1.0
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/pki_crypto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 34d6e81c..30f49a81 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -452,6 +452,10 @@ int pki_key_generate_rsa(ssh_key key, int parameter){
int pki_key_generate_dss(ssh_key key, int parameter){
int rc;
#if OPENSSL_VERSION_NUMBER > 0x10100000L
+ key->dsa = DSA_new();
+ if (!key->dsa) {
+ return SSH_ERROR;
+ }
rc = DSA_generate_parameters_ex(key->dsa,
parameter,
NULL, /* seed */
--
2.19.1

+ 0
- 36
libs/libssh/patches/0012-pki_crypto-Avoid-potential-memory-leak.patch View File

@ -1,36 +0,0 @@
From c39f7578765859d7416e4140c92d034c8cae3341 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 8 Nov 2017 15:35:08 +0100
Subject: [PATCH] pki_crypto: Avoid potential memory leak
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/pki_crypto.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 30f49a81..d9f7753a 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -453,7 +453,7 @@ int pki_key_generate_dss(ssh_key key, int parameter){
int rc;
#if OPENSSL_VERSION_NUMBER > 0x10100000L
key->dsa = DSA_new();
- if (!key->dsa) {
+ if (key->dsa == NULL) {
return SSH_ERROR;
}
rc = DSA_generate_parameters_ex(key->dsa,
@@ -464,6 +464,8 @@ int pki_key_generate_dss(ssh_key key, int parameter){
NULL, /* h_ret */
NULL); /* cb */
if (rc != 1) {
+ DSA_free(key->dsa);
+ key->dsa = NULL;
return SSH_ERROR;
}
#else
--
2.19.1

+ 0
- 65
libs/libssh/patches/0013-crypto-Fix-compilation-for-OpenSSL-without-deprecate.patch View File

@ -1,65 +0,0 @@
From 8349ff1ec3d001aa85cc94a9004509cca8ebf036 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Wed, 7 Nov 2018 17:17:53 -0800
Subject: [PATCH] crypto: Fix compilation for OpenSSL without deprecated
APIs
Added missing bn.h include.
Made engine.h include conditional, otherwise it would fail.
DSA_generate_parameters was deprecated long before 1.1.0.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
src/libcrypto-compat.c | 5 ++++-
src/libcrypto-compat.h | 1 +
src/pki_crypto.c | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c
index 4b1f36a5..b8b4f11a 100644
--- a/src/libcrypto-compat.c
+++ b/src/libcrypto-compat.c
@@ -8,9 +8,12 @@
*/
#include <string.h>
-#include <openssl/engine.h>
#include "libcrypto-compat.h"
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
static void *OPENSSL_zalloc(size_t num)
{
void *ret = OPENSSL_malloc(num);
diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h
index 21542c65..00e4f2a3 100644
--- a/src/libcrypto-compat.h
+++ b/src/libcrypto-compat.h
@@ -10,6 +10,7 @@
#include <openssl/dh.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/bn.h>
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index d9f7753a..c1aac409 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -451,7 +451,7 @@ int pki_key_generate_rsa(ssh_key key, int parameter){
int pki_key_generate_dss(ssh_key key, int parameter){
int rc;
-#if OPENSSL_VERSION_NUMBER > 0x10100000L
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
key->dsa = DSA_new();
if (key->dsa == NULL) {
return SSH_ERROR;
--
2.19.1

+ 0
- 22
libs/libssh/patches/002-disable-libssp.patch View File

@ -1,22 +0,0 @@
--- a/cmake/Modules/DefineCompilerFlags.cmake
+++ b/cmake/Modules/DefineCompilerFlags.cmake
@@ -1,7 +1,6 @@
# define system dependent compiler flags
include(CheckCCompilerFlag)
-include(CheckCCompilerFlagSSP)
if (UNIX AND NOT WIN32)
#
@@ -21,11 +20,6 @@ if (UNIX AND NOT WIN32)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC")
endif (WITH_FPIC)
- check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR)
- if (WITH_STACK_PROTECTOR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
- endif (WITH_STACK_PROTECTOR)
-
if (CMAKE_BUILD_TYPE)
string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)
if (CMAKE_BUILD_TYPE_LOWER MATCHES (release|relwithdebinfo|minsizerel))

+ 0
- 39
libs/libssh/patches/010-openssl-11-deprecated.patch View File

@ -1,39 +0,0 @@
--- a/src/dh.c
+++ b/src/dh.c
@@ -131,11 +131,15 @@ int ssh_get_random(void *where, int len, int strong){
return 1;
#elif defined HAVE_LIBCRYPTO
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (strong) {
return RAND_bytes(where,len);
} else {
return RAND_pseudo_bytes(where,len);
}
+#else
+ return RAND_bytes(where,len);
+#endif
#endif
/* never reached */
@@ -198,7 +202,9 @@ int ssh_crypto_init(void) {
}
bignum_bin2bn(p_group14_value, P_GROUP14_LEN, p_group14);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_algorithms();
+#endif
#endif
@@ -219,8 +225,10 @@ void ssh_crypto_finalize(void) {
#ifdef HAVE_LIBGCRYPT
gcry_control(GCRYCTL_TERM_SECMEM);
#elif defined HAVE_LIBCRYPTO
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
+#endif
#endif
ssh_crypto_initialized=0;
}

+ 0
- 28
libs/libssh/patches/020-openssl-threads.patch View File

@ -1,28 +0,0 @@
--- a/src/threads.c
+++ b/src/threads.c
@@ -106,6 +106,8 @@ static int libgcrypt_thread_init(void){
static void **libcrypto_mutexes;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
static void libcrypto_lock_callback(int mode, int i, const char *file, int line){
(void)file;
(void)line;
@@ -160,6 +162,16 @@ static void libcrypto_thread_finalize(void){
}
+#else
+
+static int libcrypto_thread_init(void){
+ return SSH_OK;
+}
+
+static void libcrypto_thread_finalize(void){
+}
+#endif
+
#endif
/** @internal

Write Preview
Loading…
Cancel
Save