summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormingli.yu@windriver.com <mingli.yu@windriver.com>2016-07-19 15:13:09 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-07-26 08:56:29 +0100
commit2f6bbc7006f2b34ab533d3582f28323330c7195d (patch)
treebd3fa2fad81b6c6823d680288f08a27032b5885d
parent2c2f22a5338ce8b71b6d939ca42d47b314391908 (diff)
downloadpoky-2f6bbc7006f2b34ab533d3582f28323330c7195d.tar.gz
openssh: conditional compile DES code.
After openssl disabled DES, openssh fails to build for some DES codes are not wrapped in conditional compile statement "#ifndef OPENSSL_NO_DES" and "#endif". (From OE-Core rev: cd9c62461e837967dd29a532d32990c23350acf8) Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch116
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch70
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.2p2.bb2
3 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
new file mode 100644
index 0000000000..26193c2e53
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -0,0 +1,116 @@
1From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001
2From: Haiqing Bai <Haiqing.Bai@windriver.com>
3Date: Fri, 18 Mar 2016 15:49:31 +0800
4Subject: [PATCH 2/3] remove des in cipher.
5
6Upstream-status: Pending
7
8Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
9
10---
11 cipher.c | 18 ++++++++++++++++++
12 1 file changed, 18 insertions(+)
13
14diff --git a/cipher.c b/cipher.c
15index 02dae6f..63d3c29 100644
16--- a/cipher.c
17+++ b/cipher.c
18@@ -53,8 +53,10 @@
19
20 #ifdef WITH_SSH1
21 extern const EVP_CIPHER *evp_ssh1_bf(void);
22+#ifndef OPENSSL_NO_DES
23 extern const EVP_CIPHER *evp_ssh1_3des(void);
24 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
25+#endif /* OPENSSL_NO_DES */
26 #endif
27
28 struct sshcipher {
29@@ -79,13 +81,17 @@ struct sshcipher {
30
31 static const struct sshcipher ciphers[] = {
32 #ifdef WITH_SSH1
33+#ifndef OPENSSL_NO_DES
34 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
35 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
36+#endif /* OPENSSL_NO_DES */
37 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
38 #endif /* WITH_SSH1 */
39 #ifdef WITH_OPENSSL
40 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
41+#ifndef OPENSSL_NO_DES
42 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
43+#endif /* OPENSSL_NO_DES */
44 { "blowfish-cbc",
45 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
46 { "cast128-cbc",
47@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c)
48 u_int
49 cipher_seclen(const struct sshcipher *c)
50 {
51+#ifndef OPENSSL_NO_DES
52 if (strcmp("3des-cbc", c->name) == 0)
53 return 14;
54+#endif /* OPENSSL_NO_DES */
55 return cipher_keylen(c);
56 }
57
58@@ -201,11 +209,13 @@ u_int
59 cipher_mask_ssh1(int client)
60 {
61 u_int mask = 0;
62+#ifndef OPENSSL_NO_DES
63 mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
64 mask |= 1 << SSH_CIPHER_BLOWFISH;
65 if (client) {
66 mask |= 1 << SSH_CIPHER_DES;
67 }
68+#endif /*OPENSSL_NO_DES*/
69 return mask;
70 }
71
72@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
73 switch (c->number) {
74 #ifdef WITH_OPENSSL
75 case SSH_CIPHER_SSH2:
76+#ifndef OPENSSL_NO_DES
77 case SSH_CIPHER_DES:
78+#endif /* OPENSSL_NO_DES */
79 case SSH_CIPHER_BLOWFISH:
80 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
81 if (evplen == 0)
82@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
83 break;
84 #endif
85 #ifdef WITH_SSH1
86+#ifndef OPENSSL_NO_DES
87 case SSH_CIPHER_3DES:
88 return ssh1_3des_iv(&cc->evp, 0, iv, 24);
89+#endif /* OPENSSL_NO_DES */
90 #endif
91 default:
92 return SSH_ERR_INVALID_ARGUMENT;
93@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
94 switch (c->number) {
95 #ifdef WITH_OPENSSL
96 case SSH_CIPHER_SSH2:
97+#ifndef OPENSSL_NO_DES
98 case SSH_CIPHER_DES:
99+#endif /* OPENSSL_NO_DES */
100 case SSH_CIPHER_BLOWFISH:
101 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
102 if (evplen <= 0)
103@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
104 break;
105 #endif
106 #ifdef WITH_SSH1
107+#ifndef OPENSSL_NO_DES
108 case SSH_CIPHER_3DES:
109 return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
110+#endif /* OPENSSL_NO_DES */
111 #endif
112 default:
113 return SSH_ERR_INVALID_ARGUMENT;
114--
1151.9.1
116
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
new file mode 100644
index 0000000000..bd02028816
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -0,0 +1,70 @@
1From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
2From: Haiqing Bai <Haiqing.Bai@windriver.com>
3Date: Fri, 18 Mar 2016 15:59:21 +0800
4Subject: [PATCH 3/3] remove des in pkcs11.
5
6Upstream-status: Pending
7
8Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
9
10---
11 pkcs11.h | 8 ++++++++
12 1 file changed, 8 insertions(+)
13
14diff --git a/pkcs11.h b/pkcs11.h
15index b01d58f..98b36e6 100644
16--- a/pkcs11.h
17+++ b/pkcs11.h
18@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t;
19 #define CKK_GENERIC_SECRET (0x10)
20 #define CKK_RC2 (0x11)
21 #define CKK_RC4 (0x12)
22+#ifndef OPENSSL_NO_DES
23 #define CKK_DES (0x13)
24 #define CKK_DES2 (0x14)
25 #define CKK_DES3 (0x15)
26+#endif /* OPENSSL_NO_DES */
27 #define CKK_CAST (0x16)
28 #define CKK_CAST3 (0x17)
29 #define CKK_CAST128 (0x18)
30@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t;
31 #define CKM_RC2_CBC_PAD (0x105)
32 #define CKM_RC4_KEY_GEN (0x110)
33 #define CKM_RC4 (0x111)
34+#ifndef OPENSSL_NO_DES
35 #define CKM_DES_KEY_GEN (0x120)
36 #define CKM_DES_ECB (0x121)
37 #define CKM_DES_CBC (0x122)
38@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t;
39 #define CKM_DES3_MAC (0x134)
40 #define CKM_DES3_MAC_GENERAL (0x135)
41 #define CKM_DES3_CBC_PAD (0x136)
42+#endif /* OPENSSL_NO_DES */
43 #define CKM_CDMF_KEY_GEN (0x140)
44 #define CKM_CDMF_ECB (0x141)
45 #define CKM_CDMF_CBC (0x142)
46@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t;
47 #define CKM_MD5_KEY_DERIVATION (0x390)
48 #define CKM_MD2_KEY_DERIVATION (0x391)
49 #define CKM_SHA1_KEY_DERIVATION (0x392)
50+#ifndef OPENSSL_NO_DES
51 #define CKM_PBE_MD2_DES_CBC (0x3a0)
52 #define CKM_PBE_MD5_DES_CBC (0x3a1)
53+#endif /* OPENSSL_NO_DES */
54 #define CKM_PBE_MD5_CAST_CBC (0x3a2)
55 #define CKM_PBE_MD5_CAST3_CBC (0x3a3)
56 #define CKM_PBE_MD5_CAST5_CBC (0x3a4)
57@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t;
58 #define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
59 #define CKM_PBE_SHA1_RC4_128 (0x3a6)
60 #define CKM_PBE_SHA1_RC4_40 (0x3a7)
61+#ifndef OPENSSL_NO_DES
62 #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
63 #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
64+#endif /* OPENSSL_NO_DES */
65 #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
66 #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
67 #define CKM_PKCS5_PBKD2 (0x3b0)
68--
691.9.1
70
diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
index 01b5d500f3..21eefab8ff 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
23 file://add-test-support-for-busybox.patch \ 23 file://add-test-support-for-busybox.patch \
24 file://run-ptest \ 24 file://run-ptest \
25 file://CVE-2015-8325.patch \ 25 file://CVE-2015-8325.patch \
26 file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
27 file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
26 " 28 "
27 29
28PAM_SRC_URI = "file://sshd" 30PAM_SRC_URI = "file://sshd"