This updates the library to address several CVEs, adds modern crypto, and eliminates legacy patches.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

lilik-openwrt-22.03
@ -1,83 +0,0 @@ | |||||
From f81ca6161223e3566ce78a427571235fb6848fe9 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Wed, 29 Aug 2018 18:41:15 +0200 | |||||
Subject: [PATCH 1/8] misc: Add strndup implementation if not provides by the | |||||
OS | |||||
Fixes T112 | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit 247983e9820fd264cb5a59c14cc12846c028bd08) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
ConfigureChecks.cmake | 1 + | |||||
config.h.cmake | 3 +++ | |||||
include/libssh/priv.h | 4 ++++ | |||||
src/misc.c | 21 +++++++++++++++++++++ | |||||
4 files changed, 29 insertions(+) | |||||
--- a/ConfigureChecks.cmake | |||||
+++ b/ConfigureChecks.cmake | |||||
@@ -115,6 +115,7 @@ endif (NOT WITH_GCRYPT) | |||||
check_function_exists(isblank HAVE_ISBLANK) | |||||
check_function_exists(strncpy HAVE_STRNCPY) | |||||
+check_function_exists(strndup HAVE_STRNDUP) | |||||
check_function_exists(strtoull HAVE_STRTOULL) | |||||
if (NOT WIN32) | |||||
--- a/config.h.cmake | |||||
+++ b/config.h.cmake | |||||
@@ -103,6 +103,9 @@ | |||||
/* Define to 1 if you have the `strncpy' function. */ | |||||
#cmakedefine HAVE_STRNCPY 1 | |||||
+/* Define to 1 if you have the `strndup' function. */ | |||||
+#cmakedefine HAVE_STRNDUP 1 | |||||
+ | |||||
/* Define to 1 if you have the `cfmakeraw' function. */ | |||||
#cmakedefine HAVE_CFMAKERAW 1 | |||||
--- a/include/libssh/priv.h | |||||
+++ b/include/libssh/priv.h | |||||
@@ -43,6 +43,10 @@ | |||||
# endif | |||||
#endif /* !defined(HAVE_STRTOULL) */ | |||||
+#if !defined(HAVE_STRNDUP) | |||||
+char *strndup(const char *s, size_t n); | |||||
+#endif /* ! HAVE_STRNDUP */ | |||||
+ | |||||
#ifdef HAVE_BYTESWAP_H | |||||
#include <byteswap.h> | |||||
#endif | |||||
--- a/src/misc.c | |||||
+++ b/src/misc.c | |||||
@@ -1028,6 +1028,27 @@ int ssh_match_group(const char *group, c | |||||
return 0; | |||||
} | |||||
+#if !defined(HAVE_STRNDUP) | |||||
+char *strndup(const char *s, size_t n) | |||||
+{ | |||||
+ char *x = NULL; | |||||
+ | |||||
+ if (n + 1 < n) { | |||||
+ return NULL; | |||||
+ } | |||||
+ | |||||
+ x = malloc(n + 1); | |||||
+ if (x == NULL) { | |||||
+ return NULL; | |||||
+ } | |||||
+ | |||||
+ memcpy(x, s, n); | |||||
+ x[n] = '\0'; | |||||
+ | |||||
+ return x; | |||||
+} | |||||
+#endif /* ! HAVE_STRNDUP */ | |||||
+ | |||||
/** @} */ | |||||
/* vim: set ts=4 sw=4 et cindent: */ |
@ -1,24 +0,0 @@ | |||||
From e4c6d591df6a9c34c1ff3ec9f367c7257122bef3 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Wed, 17 Oct 2018 07:23:10 +0200 | |||||
Subject: [PATCH 2/8] packet: Add missing break in ssh_packet_incoming_filter() | |||||
CID 1396239 | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit fe618a35dc4be3e73ddf29d0c4a96b98d3b9c48f) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/packet.c | 1 + | |||||
1 file changed, 1 insertion(+) | |||||
--- a/src/packet.c | |||||
+++ b/src/packet.c | |||||
@@ -285,6 +285,7 @@ static enum ssh_packet_filter_result_e s | |||||
(session->dh_handshake_state != DH_STATE_FINISHED)) | |||||
{ | |||||
rc = SSH_PACKET_DENIED; | |||||
+ break; | |||||
} | |||||
rc = SSH_PACKET_ALLOWED; |
@ -1,24 +0,0 @@ | |||||
From 734e3ce6747a5ed120b93a1ff253b3fde5f20024 Mon Sep 17 00:00:00 2001 | |||||
From: Meng Tan <mtan@wallix.com> | |||||
Date: Wed, 17 Oct 2018 14:50:08 +0200 | |||||
Subject: [PATCH 3/8] server: Set correct state after sending INFO_REQUEST (Kbd | |||||
Interactive) | |||||
Signed-off-by: Meng Tan <mtan@wallix.com> | |||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit 4ea46eecce9f4e676150fe27fec34e1570b70ace) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/server.c | 1 + | |||||
1 file changed, 1 insertion(+) | |||||
--- a/src/server.c | |||||
+++ b/src/server.c | |||||
@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request | |||||
msg->session->kbdint->prompts = NULL; | |||||
msg->session->kbdint->echo = NULL; | |||||
} | |||||
+ msg->session->auth.state = SSH_AUTH_STATE_INFO; | |||||
return rc; | |||||
} |
@ -1,37 +0,0 @@ | |||||
From 3fe7510b261098e3937ab5417935916a46e6727b Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Fri, 19 Oct 2018 11:40:44 +0200 | |||||
Subject: [PATCH 4/8] messages: Check that the requested service is | |||||
'ssh-connection' | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit 9c200d3ef4f62d724d3bae2563b81c38cc31e215) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/messages.c | 8 ++++++++ | |||||
1 file changed, 8 insertions(+) | |||||
--- a/src/messages.c | |||||
+++ b/src/messages.c | |||||
@@ -649,6 +649,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_ | |||||
ssh_message msg = NULL; | |||||
char *service = NULL; | |||||
char *method = NULL; | |||||
+ int cmp; | |||||
int rc; | |||||
(void)user; | |||||
@@ -675,6 +676,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_ | |||||
service, method, | |||||
msg->auth_request.username); | |||||
+ cmp = strcmp(service, "ssh-connection"); | |||||
+ if (cmp != 0) { | |||||
+ SSH_LOG(SSH_LOG_WARNING, | |||||
+ "Invalid service request: %s", | |||||
+ service); | |||||
+ goto end; | |||||
+ } | |||||
if (strcmp(method, "none") == 0) { | |||||
msg->auth_request.method = SSH_AUTH_METHOD_NONE; |
@ -1,72 +0,0 @@ | |||||
From acb0e4f401440ca325e441064d2cb4b896fb9a3d Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Wed, 17 Oct 2018 17:32:54 +0200 | |||||
Subject: [PATCH 5/8] examples: Explicitly track auth state in | |||||
samplesshd-kbdint | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit 0ff566b6dde5cd27653aa35280feceefad5d5224) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
examples/samplesshd-kbdint.c | 20 ++++++++++++++++---- | |||||
1 file changed, 16 insertions(+), 4 deletions(-) | |||||
--- a/examples/samplesshd-kbdint.c | |||||
+++ b/examples/samplesshd-kbdint.c | |||||
@@ -23,6 +23,7 @@ clients must be made or how a client sho | |||||
#include <stdlib.h> | |||||
#include <string.h> | |||||
#include <stdio.h> | |||||
+#include <stdbool.h> | |||||
#define SSHD_USER "libssh" | |||||
#define SSHD_PASSWORD "libssh" | |||||
@@ -36,6 +37,7 @@ clients must be made or how a client sho | |||||
#endif | |||||
static int port = 22; | |||||
+static bool authenticated = false; | |||||
#ifdef WITH_PCAP | |||||
static const char *pcap_file = "debug.server.pcap"; | |||||
@@ -61,11 +63,20 @@ static void cleanup_pcap(void) { | |||||
#endif | |||||
-static int auth_password(const char *user, const char *password){ | |||||
- if(strcmp(user, SSHD_USER)) | |||||
+static int auth_password(const char *user, const char *password) | |||||
+{ | |||||
+ int cmp; | |||||
+ | |||||
+ cmp = strcmp(user, SSHD_USER); | |||||
+ if (cmp != 0) { | |||||
return 0; | |||||
- if(strcmp(password, SSHD_PASSWORD)) | |||||
+ } | |||||
+ cmp = strcmp(password, SSHD_PASSWORD); | |||||
+ if (cmp != 0) { | |||||
return 0; | |||||
+ } | |||||
+ | |||||
+ authenticated = true; | |||||
return 1; // authenticated | |||||
} | |||||
#ifdef HAVE_ARGP_H | |||||
@@ -200,6 +211,7 @@ static int kbdint_check_response(ssh_ses | |||||
return 0; | |||||
} | |||||
+ authenticated = true; | |||||
return 1; | |||||
} | |||||
@@ -328,7 +340,7 @@ int main(int argc, char **argv){ | |||||
/* proceed to authentication */ | |||||
auth = authenticate(session); | |||||
- if(!auth){ | |||||
+ if (!auth || !authenticated) { | |||||
printf("Authentication error: %s\n", ssh_get_error(session)); | |||||
ssh_disconnect(session); | |||||
return 1; |
@ -1,22 +0,0 @@ | |||||
From 7ad80ba1cc48f7af1f192692d100a6255d97b843 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Wed, 24 Oct 2018 19:57:17 +0200 | |||||
Subject: [PATCH 6/8] server: Fix compile error | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/server.c | 2 +- | |||||
1 file changed, 1 insertion(+), 1 deletion(-) | |||||
--- a/src/server.c | |||||
+++ b/src/server.c | |||||
@@ -976,7 +976,7 @@ int ssh_message_auth_interactive_request | |||||
msg->session->kbdint->prompts = NULL; | |||||
msg->session->kbdint->echo = NULL; | |||||
} | |||||
- msg->session->auth.state = SSH_AUTH_STATE_INFO; | |||||
+ msg->session->auth_state = SSH_AUTH_STATE_INFO; | |||||
return rc; | |||||
} |
@ -1,24 +0,0 @@ | |||||
From 103973215443f6e02e010114a3f7ac19eb6f3c8c Mon Sep 17 00:00:00 2001 | |||||
From: Meng Tan <mtan@wallix.com> | |||||
Date: Thu, 25 Oct 2018 17:06:06 +0200 | |||||
Subject: [PATCH 7/8] gssapi: Set correct state after sending GSSAPI_RESPONSE | |||||
(select mechanism OID) | |||||
Signed-off-by: Meng Tan <mtan@wallix.com> | |||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit bce8d567053232debd6ec490af5a7d27e1160f39) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/gssapi.c | 1 + | |||||
1 file changed, 1 insertion(+) | |||||
--- a/src/gssapi.c | |||||
+++ b/src/gssapi.c | |||||
@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_ | |||||
ssh_set_error_oom(session); | |||||
return SSH_ERROR; | |||||
} | |||||
+ session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN; | |||||
packet_send(session); | |||||
SSH_LOG(SSH_LOG_PACKET, |
@ -1,24 +0,0 @@ | |||||
From 9d5cf209df4c260546e1468cc15fbbbfba3097c6 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Sat, 27 Oct 2018 22:15:56 +0200 | |||||
Subject: [PATCH 8/8] libcrypto: Fix memory leak in evp_final() | |||||
Fixes T116 | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
(cherry picked from commit a2807474621e51b386ea26ce2a01d2b1aa295c7b) | |||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||||
--- | |||||
src/libcrypto.c | 1 + | |||||
1 file changed, 1 insertion(+) | |||||
--- a/src/libcrypto.c | |||||
+++ b/src/libcrypto.c | |||||
@@ -165,6 +165,7 @@ void evp_update(EVPCTX ctx, const void * | |||||
void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen) | |||||
{ | |||||
EVP_DigestFinal(ctx, md, mdlen); | |||||
+ EVP_MD_CTX_free(ctx); | |||||
} | |||||
#endif | |||||
@ -1,83 +0,0 @@ | |||||
From a8523d83c242c6f71dbf69fab0ca91d768e78f05 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Sun, 6 Nov 2016 12:07:32 +0100 | |||||
Subject: [PATCH] threads: Use new API call for OpenSSL CRYPTO THREADID | |||||
BUG: https://red.libssh.org/issues/222 | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
--- | |||||
ConfigureChecks.cmake | 4 ++++ | |||||
config.h.cmake | 3 +++ | |||||
src/threads.c | 19 +++++++++++++++++-- | |||||
3 files changed, 24 insertions(+), 2 deletions(-) | |||||
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake | |||||
index 0a53c5b1..43179d8f 100644 | |||||
--- a/ConfigureChecks.cmake | |||||
+++ b/ConfigureChecks.cmake | |||||
@@ -95,6 +95,10 @@ if (OPENSSL_FOUND) | |||||
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) | |||||
set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY}) | |||||
check_function_exists(CRYPTO_ctr128_encrypt HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT) | |||||
+ | |||||
+ set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) | |||||
+ set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY}) | |||||
+ check_function_exists(CRYPTO_THREADID_set_callback HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK) | |||||
endif() | |||||
if (CMAKE_HAVE_PTHREAD_H) | |||||
diff --git a/config.h.cmake b/config.h.cmake | |||||
index 3e7f7939..b87fea5c 100644 | |||||
--- a/config.h.cmake | |||||
+++ b/config.h.cmake | |||||
@@ -79,6 +79,9 @@ | |||||
/* Define to 1 if you have the `CRYPTO_ctr128_encrypt' function. */ | |||||
#cmakedefine HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT 1 | |||||
+/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */ | |||||
+#cmakedefine HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK 1 | |||||
+ | |||||
/* Define to 1 if you have the `snprintf' function. */ | |||||
#cmakedefine HAVE_SNPRINTF 1 | |||||
diff --git a/src/threads.c b/src/threads.c | |||||
index 7f3a304e..062c3b84 100644 | |||||
--- a/src/threads.c | |||||
+++ b/src/threads.c | |||||
@@ -116,6 +116,15 @@ static void libcrypto_lock_callback(int mode, int i, const char *file, int line) | |||||
} | |||||
} | |||||
+#ifdef HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK | |||||
+static void libcrypto_THREADID_callback(CRYPTO_THREADID *id) | |||||
+{ | |||||
+ unsigned long thread_id = (*user_callbacks->thread_id)(); | |||||
+ | |||||
+ CRYPTO_THREADID_set_numeric(id, thread_id); | |||||
+} | |||||
+#endif /* HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK */ | |||||
+ | |||||
static int libcrypto_thread_init(void){ | |||||
int n=CRYPTO_num_locks(); | |||||
int i; | |||||
@@ -127,8 +136,14 @@ static int libcrypto_thread_init(void){ | |||||
for (i=0;i<n;++i){ | |||||
user_callbacks->mutex_init(&libcrypto_mutexes[i]); | |||||
} | |||||
- CRYPTO_set_id_callback(user_callbacks->thread_id); | |||||
- CRYPTO_set_locking_callback(libcrypto_lock_callback); | |||||
+ | |||||
+#ifdef HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK | |||||
+ CRYPTO_THREADID_set_callback(libcrypto_THREADID_callback); | |||||
+#else | |||||
+ CRYPTO_set_id_callback(user_callbacks->thread_id); | |||||
+#endif | |||||
+ | |||||
+ CRYPTO_set_locking_callback(libcrypto_lock_callback); | |||||
return SSH_OK; | |||||
} | |||||
-- | |||||
2.19.1 | |||||
@ -1,43 +0,0 @@ | |||||
From 8d5cf617d53d0545a0d141abf94396c28ca7e736 Mon Sep 17 00:00:00 2001 | |||||
From: Andreas Schneider <asn@cryptomilk.org> | |||||
Date: Sun, 29 Oct 2017 16:06:14 +0100 | |||||
Subject: [PATCH] pki_crypto: Don't use deprecated function with newer | |||||
OpenSSL | |||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> | |||||
--- | |||||
src/pki_crypto.c | 13 +++++++++++++ | |||||
1 file changed, 13 insertions(+) | |||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c | |||||
index 9e27436c..34d6e81c 100644 | |||||
--- a/src/pki_crypto.c | |||||
+++ b/src/pki_crypto.c | |||||
@@ -451,11 +451,24 @@ int pki_key_generate_rsa(ssh_key key, int parameter){ | |||||
int pki_key_generate_dss(ssh_key key, int parameter){ | |||||
int rc; | |||||
+#if OPENSSL_VERSION_NUMBER > 0x10100000L | |||||
+ rc = DSA_generate_parameters_ex(key->dsa, | |||||
+ parameter, | |||||
+ NULL, /* seed */ | |||||
+ 0, /* seed_len */ | |||||
+ NULL, /* counter_ret */ | |||||
+ NULL, /* h_ret */ | |||||
+ NULL); /* cb */ | |||||
+ if (rc != 1) { | |||||
+ return SSH_ERROR; | |||||
+ } | |||||
+#else | |||||
key->dsa = DSA_generate_parameters(parameter, NULL, 0, NULL, NULL, | |||||
NULL, NULL); | |||||
if(key->dsa == NULL){ | |||||
return SSH_ERROR; | |||||
} | |||||
+#endif | |||||
rc = DSA_generate_key(key->dsa); | |||||
if (rc != 1){ | |||||
DSA_free(key->dsa); | |||||
-- | |||||
2.19.1 | |||||
@ -1,29 +0,0 @@ | |||||
From ab67e42d6a0529f5fb81ee86049bf10abe99f839 Mon Sep 17 00:00:00 2001 | |||||
From: Jakub Jelen <jjelen@redhat.com> | |||||
Date: Tue, 7 Nov 2017 09:38:40 +0100 | |||||
Subject: [PATCH] pki_crypto: Avoid segfault with OpenSSL 1.1.0 | |||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> | |||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | |||||
--- | |||||
src/pki_crypto.c | 4 ++++ | |||||
1 file changed, 4 insertions(+) | |||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c | |||||
index 34d6e81c..30f49a81 100644 | |||||
--- a/src/pki_crypto.c | |||||
+++ b/src/pki_crypto.c | |||||
@@ -452,6 +452,10 @@ int pki_key_generate_rsa(ssh_key key, int parameter){ | |||||
int pki_key_generate_dss(ssh_key key, int parameter){ | |||||
int rc; | |||||
#if OPENSSL_VERSION_NUMBER > 0x10100000L | |||||
+ key->dsa = DSA_new(); | |||||
+ if (!key->dsa) { | |||||
+ return SSH_ERROR; | |||||
+ } | |||||
rc = DSA_generate_parameters_ex(key->dsa, | |||||
parameter, | |||||
NULL, /* seed */ | |||||
-- | |||||
2.19.1 | |||||
@ -1,36 +0,0 @@ | |||||
From c39f7578765859d7416e4140c92d034c8cae3341 Mon Sep 17 00:00:00 2001 | |||||
From: Jakub Jelen <jjelen@redhat.com> | |||||
Date: Wed, 8 Nov 2017 15:35:08 +0100 | |||||
Subject: [PATCH] pki_crypto: Avoid potential memory leak | |||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com> | |||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | |||||
--- | |||||
src/pki_crypto.c | 4 +++- | |||||
1 file changed, 3 insertions(+), 1 deletion(-) | |||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c | |||||
index 30f49a81..d9f7753a 100644 | |||||
--- a/src/pki_crypto.c | |||||
+++ b/src/pki_crypto.c | |||||
@@ -453,7 +453,7 @@ int pki_key_generate_dss(ssh_key key, int parameter){ | |||||
int rc; | |||||
#if OPENSSL_VERSION_NUMBER > 0x10100000L | |||||
key->dsa = DSA_new(); | |||||
- if (!key->dsa) { | |||||
+ if (key->dsa == NULL) { | |||||
return SSH_ERROR; | |||||
} | |||||
rc = DSA_generate_parameters_ex(key->dsa, | |||||
@@ -464,6 +464,8 @@ int pki_key_generate_dss(ssh_key key, int parameter){ | |||||
NULL, /* h_ret */ | |||||
NULL); /* cb */ | |||||
if (rc != 1) { | |||||
+ DSA_free(key->dsa); | |||||
+ key->dsa = NULL; | |||||
return SSH_ERROR; | |||||
} | |||||
#else | |||||
-- | |||||
2.19.1 | |||||
@ -1,65 +0,0 @@ | |||||
From 8349ff1ec3d001aa85cc94a9004509cca8ebf036 Mon Sep 17 00:00:00 2001 | |||||
From: Rosen Penev <rosenp@gmail.com> | |||||
Date: Wed, 7 Nov 2018 17:17:53 -0800 | |||||
Subject: [PATCH] crypto: Fix compilation for OpenSSL without deprecated | |||||
APIs | |||||
Added missing bn.h include. | |||||
Made engine.h include conditional, otherwise it would fail. | |||||
DSA_generate_parameters was deprecated long before 1.1.0. | |||||
Signed-off-by: Rosen Penev <rosenp@gmail.com> | |||||
--- | |||||
src/libcrypto-compat.c | 5 ++++- | |||||
src/libcrypto-compat.h | 1 + | |||||
src/pki_crypto.c | 2 +- | |||||
3 files changed, 6 insertions(+), 2 deletions(-) | |||||
diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c | |||||
index 4b1f36a5..b8b4f11a 100644 | |||||
--- a/src/libcrypto-compat.c | |||||
+++ b/src/libcrypto-compat.c | |||||
@@ -8,9 +8,12 @@ | |||||
*/ | |||||
#include <string.h> | |||||
-#include <openssl/engine.h> | |||||
#include "libcrypto-compat.h" | |||||
+#ifndef OPENSSL_NO_ENGINE | |||||
+#include <openssl/engine.h> | |||||
+#endif | |||||
+ | |||||
static void *OPENSSL_zalloc(size_t num) | |||||
{ | |||||
void *ret = OPENSSL_malloc(num); | |||||
diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h | |||||
index 21542c65..00e4f2a3 100644 | |||||
--- a/src/libcrypto-compat.h | |||||
+++ b/src/libcrypto-compat.h | |||||
@@ -10,6 +10,7 @@ | |||||
#include <openssl/dh.h> | |||||
#include <openssl/evp.h> | |||||
#include <openssl/hmac.h> | |||||
+#include <openssl/bn.h> | |||||
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); | |||||
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); | |||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c | |||||
index d9f7753a..c1aac409 100644 | |||||
--- a/src/pki_crypto.c | |||||
+++ b/src/pki_crypto.c | |||||
@@ -451,7 +451,7 @@ int pki_key_generate_rsa(ssh_key key, int parameter){ | |||||
int pki_key_generate_dss(ssh_key key, int parameter){ | |||||
int rc; | |||||
-#if OPENSSL_VERSION_NUMBER > 0x10100000L | |||||
+#if OPENSSL_VERSION_NUMBER > 0x00908000L | |||||
key->dsa = DSA_new(); | |||||
if (key->dsa == NULL) { | |||||
return SSH_ERROR; | |||||
-- | |||||
2.19.1 | |||||
@ -1,22 +0,0 @@ | |||||
--- a/cmake/Modules/DefineCompilerFlags.cmake | |||||
+++ b/cmake/Modules/DefineCompilerFlags.cmake | |||||
@@ -1,7 +1,6 @@ | |||||
# define system dependent compiler flags | |||||
include(CheckCCompilerFlag) | |||||
-include(CheckCCompilerFlagSSP) | |||||
if (UNIX AND NOT WIN32) | |||||
# | |||||
@@ -21,11 +20,6 @@ if (UNIX AND NOT WIN32) | |||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC") | |||||
endif (WITH_FPIC) | |||||
- check_c_compiler_flag_ssp("-fstack-protector" WITH_STACK_PROTECTOR) | |||||
- if (WITH_STACK_PROTECTOR) | |||||
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector") | |||||
- endif (WITH_STACK_PROTECTOR) | |||||
- | |||||
if (CMAKE_BUILD_TYPE) | |||||
string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER) | |||||
if (CMAKE_BUILD_TYPE_LOWER MATCHES (release|relwithdebinfo|minsizerel)) |
@ -1,39 +0,0 @@ | |||||
--- a/src/dh.c | |||||
+++ b/src/dh.c | |||||
@@ -131,11 +131,15 @@ int ssh_get_random(void *where, int len, int strong){ | |||||
return 1; | |||||
#elif defined HAVE_LIBCRYPTO | |||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||||
if (strong) { | |||||
return RAND_bytes(where,len); | |||||
} else { | |||||
return RAND_pseudo_bytes(where,len); | |||||
} | |||||
+#else | |||||
+ return RAND_bytes(where,len); | |||||
+#endif | |||||
#endif | |||||
/* never reached */ | |||||
@@ -198,7 +202,9 @@ int ssh_crypto_init(void) { | |||||
} | |||||
bignum_bin2bn(p_group14_value, P_GROUP14_LEN, p_group14); | |||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||||
OpenSSL_add_all_algorithms(); | |||||
+#endif | |||||
#endif | |||||
@@ -219,8 +225,10 @@ void ssh_crypto_finalize(void) { | |||||
#ifdef HAVE_LIBGCRYPT | |||||
gcry_control(GCRYCTL_TERM_SECMEM); | |||||
#elif defined HAVE_LIBCRYPTO | |||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||||
EVP_cleanup(); | |||||
CRYPTO_cleanup_all_ex_data(); | |||||
+#endif | |||||
#endif | |||||
ssh_crypto_initialized=0; | |||||
} |
@ -1,28 +0,0 @@ | |||||
--- a/src/threads.c | |||||
+++ b/src/threads.c | |||||
@@ -106,6 +106,8 @@ static int libgcrypt_thread_init(void){ | |||||
static void **libcrypto_mutexes; | |||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L | |||||
+ | |||||
static void libcrypto_lock_callback(int mode, int i, const char *file, int line){ | |||||
(void)file; | |||||
(void)line; | |||||
@@ -160,6 +162,16 @@ static void libcrypto_thread_finalize(void){ | |||||
} | |||||
+#else | |||||
+ | |||||
+static int libcrypto_thread_init(void){ | |||||
+ return SSH_OK; | |||||
+} | |||||
+ | |||||
+static void libcrypto_thread_finalize(void){ | |||||
+} | |||||
+#endif | |||||
+ | |||||
#endif | |||||
/** @internal |