authorDengke Du <dengke.du@windriver.com>2017-01-22 02:12:40 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-01-26 10:44:28 +0000
commitd742290d8497d6d3abecc12462c65cb3cbdf4cb0 (patch)
treec0f06f19dc7f054da08f79681d35c53827e0ed4f /meta/recipes-connectivity/openssh
parent543d0b0d1b44bcf12d433b1a1ae7134ca11c25e5 (diff)
openssh: upgrade to 7.4p1
1. Drop CVE patch: fix-CVE-2016-8858.patch, because 7.4p1 already includes the fix. 2. Rebase the remaining patches on 7.4p1. (From OE-Core rev: b648b382046bd94f0cf5fe0aa4b77ab250f126cd) Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch39
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch39
-rw-r--r--meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch12
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.4p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_7.3p1.bb)5
4 files changed, 28 insertions, 67 deletions
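--- a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-8858 of openssh
-
-Backport patch from upstream and drop the change of comment which can NOT be applied.
-
-Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
-CVE: CVE-2016-8858
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c..6a94bc5 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
---
-2.10.1
-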
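--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,19 @@
-From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
-Date: Mon, 22 Aug 2016 14:11:16 +0300
-Subject: [PATCH] Remove des in cipher.
+From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001
+From: Dengke Du <dengke.du@windriver.com>
+Date: Thu, 19 Jan 2017 03:00:08 -0500
+Subject: [PATCH 1/3] Remove des in cipher.
 
 Upstream-Status: Pending
 
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
 Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
  cipher.c | 18 ++++++++++++++++++
  1 file changed, 18 insertions(+)
 
 diff --git a/cipher.c b/cipher.c
-index 031bda9..6cd667a 100644
+index 2def333..59f6792 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -53,8 +53,10 @@
@@ -25,8 +26,8 @@ index 031bda9..6cd667a 100644
 +#endif /* OPENSSL_NO_DES */
  #endif
  
- struct sshcipher {
-@@ -79,15 +81,19 @@ struct sshcipher {
+ struct sshcipher_ctx {
+@@ -88,15 +90,19 @@ struct sshcipher {
  
  static const struct sshcipher ciphers[] = {
  #ifdef WITH_SSH1
@@ -39,14 +40,14 @@ index 031bda9..6cd667a 100644
  # endif /* OPENSSL_NO_BF */
  #endif /* WITH_SSH1 */
  #ifdef WITH_OPENSSL
- { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 +#ifndef OPENSSL_NO_DES
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
  { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 +#endif /* OPENSSL_NO_DES */
  # ifndef OPENSSL_NO_BF
  { "blowfish-cbc",
  SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)
+@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c)
  u_int
  cipher_seclen(const struct sshcipher *c)
  {
@@ -57,7 +58,7 @@ index 031bda9..6cd667a 100644
  return cipher_keylen(c);
  }
  
-@@ -209,11 +217,13 @@ u_int
+@@ -230,11 +238,13 @@ u_int
  cipher_mask_ssh1(int client)
  {
  u_int mask = 0;
@@ -71,7 +72,7 @@ index 031bda9..6cd667a 100644
  return mask;
  }
  
-@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
  switch (c->number) {
  #ifdef WITH_OPENSSL
  case SSH_CIPHER_SSH2:
@@ -79,20 +80,20 @@ index 031bda9..6cd667a 100644
  case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
  case SSH_CIPHER_BLOWFISH:
- evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+ evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
  if (evplen == 0)
-@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
  break;
  #endif
  #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
  case SSH_CIPHER_3DES:
- return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+ return ssh1_3des_iv(cc->evp, 0, iv, 24);
 +#endif /* OPENSSL_NO_DES */
  #endif
  default:
  return SSH_ERR_INVALID_ARGUMENT;
-@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
  switch (c->number) {
  #ifdef WITH_OPENSSL
  case SSH_CIPHER_SSH2:
@@ -100,19 +101,19 @@ index 031bda9..6cd667a 100644
  case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
  case SSH_CIPHER_BLOWFISH:
- evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+ evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
  if (evplen <= 0)
-@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
  break;
  #endif
  #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
  case SSH_CIPHER_3DES:
- return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+ return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
 +#endif /* OPENSSL_NO_DES */
  #endif
  default:
  return SSH_ERR_INVALID_ARGUMENT;
 --
-2.1.4
+2.8.1
 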
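Review bot: The rebased hunk for the `ciphers[]` table now opens `+#ifndef OPENSSL_NO_DES` before the `{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }` entry (new lines 43-44), whereas the 7.3p1 version of this patch left that entry outside the guard (old line 42) and wrapped only `3des-cbc`. With OPENSSL_NO_DES defined the "none" cipher is therefore removed from the table even though it has no dependency on DES, and since OpenSSH presumably resolves that entry by name for the unencrypted pre-key-exchange state, a DES-less build of 7.4p1 would likely fail at that lookup rather than merely lose 3DES — worth confirming against the 7.4p1 callers before this lands. The fix is to restore the 7.3p1 ordering so the guard starts after the entry: ` { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },` followed by `+#ifndef OPENSSL_NO_DES`. The remaining hunks only track the `sshcipher_ctx` pointer change (`&cc->evp` becoming `cc->evp`) and the shifted line offsets, which look like a faithful rebase.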
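--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -1,12 +1,12 @@
-From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
-Date: Fri, 18 Mar 2016 15:59:21 +0800
-Subject: [PATCH 3/3] remove des in pkcs11.
+From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001
+From: Dengke Du <dengke.du@windriver.com>
+Date: Thu, 19 Jan 2017 03:21:40 -0500
+Subject: [PATCH 2/3] remove des in pkcs11.
 
 Upstream-Status: Pending
 
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
-
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
  pkcs11.h | 8 ++++++++
  1 file changed, 8 insertions(+)
@@ -66,5 +66,5 @@ index b01d58f..98b36e6 100644
  #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
  #define CKM_PKCS5_PBKD2 (0x3b0)
 --
-1.9.1
+2.8.1
 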
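--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
@@ -25,13 +25,12 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
  file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
  file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
- file://fix-CVE-2016-8858.patch \
  "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"
-SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"
+SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3"
+SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1"
 
 inherit useradd update-rc.d update-alternatives systemd
 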