openssh: upgrade to 7.4p1

1. Drop CVE patch: fix-CVE-2016-8858.patch, because the version 7.4p1 have been fixed it. 2. Rebase the remaining patchs on the version 7.4p1. (From OE-Core rev: b648b382046bd94f0cf5fe0aa4b77ab250f126cd) Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Dengke Du <dengke.du@windriver.com> 2017-01-22 02:12:40 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-01-26 10:44:28 +0000
commit: d742290d8497d6d3abecc12462c65cb3cbdf4cb0 (patch)
tree: c0f06f19dc7f054da08f79681d35c53827e0ed4f /meta/recipes-connectivity
parent: 543d0b0d1b44bcf12d433b1a1ae7134ca11c25e5 (diff)
download: poky-d742290d8497d6d3abecc12462c65cb3cbdf4cb0.tar.gz
4 files changed, 28 insertions, 67 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
deleted file mode 100644
index b26ee81b9a..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-8858 of openssh
-Backport patch from upstream and drop the change of comment which can NOT be applied.
-Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
-CVE: CVE-2016-8858
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
---
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/kex.c b/kex.c
-index 3f97f8c..6a94bc5 100644
--- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
-        if (kex == NULL)
-                return SSH_ERR_INVALID_ARGUMENT;
- 
-+       ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
-        ptr = sshpkt_ptr(ssh, &dlen);
-        if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
-                return r;
-- 
-2.10.1
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
index 2773c14e5a..1098b972ce 100644
--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,19 @@
-From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001
+From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
+From: Dengke Du <dengke.du@windriver.com>
-Date: Mon, 22 Aug 2016 14:11:16 +0300
+Date: Thu, 19 Jan 2017 03:00:08 -0500
-Subject: [PATCH] Remove des in cipher.
+Subject: [PATCH 1/3] Remove des in cipher.
 Upstream-Status: Pending
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
 Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
 cipher.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 diff --git a/cipher.c b/cipher.c
-index 031bda9..6cd667a 100644
+index 2def333..59f6792 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -53,8 +53,10 @@
@@ -25,8 +26,8 @@ index 031bda9..6cd667a 100644
 +#endif /* OPENSSL_NO_DES */
 #endif
 
- struct sshcipher {
+ struct sshcipher_ctx {
-@@ -79,15 +81,19 @@ struct sshcipher {
+@@ -88,15 +90,19 @@ struct sshcipher {
 
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_SSH1
@@ -39,14 +40,14 @@ index 031bda9..6cd667a 100644
 # endif /* OPENSSL_NO_BF */
 #endif /* WITH_SSH1 */
 #ifdef WITH_OPENSSL
-        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 +#ifndef OPENSSL_NO_DES
+        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
        { "3des-cbc",   SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 +#endif /* OPENSSL_NO_DES */
 # ifndef OPENSSL_NO_BF
        { "blowfish-cbc",
                        SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)
+@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c)
 u_int
 cipher_seclen(const struct sshcipher *c)
 {
@@ -57,7 +58,7 @@ index 031bda9..6cd667a 100644
        return cipher_keylen(c);
 }
 
-@@ -209,11 +217,13 @@ u_int
+@@ -230,11 +238,13 @@ u_int
 cipher_mask_ssh1(int client)
 {
        u_int mask = 0;
@@ -71,7 +72,7 @@ index 031bda9..6cd667a 100644
        return mask;
 }
 
-@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
        switch (c->number) {
 #ifdef WITH_OPENSSL
        case SSH_CIPHER_SSH2:
@@ -79,20 +80,20 @@ index 031bda9..6cd667a 100644
        case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
        case SSH_CIPHER_BLOWFISH:
-                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
                if (evplen == 0)
-@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
                break;
 #endif
 #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
        case SSH_CIPHER_3DES:
-                return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+                return ssh1_3des_iv(cc->evp, 0, iv, 24);
 +#endif /* OPENSSL_NO_DES */
 #endif
        default:
                return SSH_ERR_INVALID_ARGUMENT;
-@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
        switch (c->number) {
 #ifdef WITH_OPENSSL
        case SSH_CIPHER_SSH2:
@@ -100,19 +101,19 @@ index 031bda9..6cd667a 100644
        case SSH_CIPHER_DES:
 +#endif /* OPENSSL_NO_DES */
        case SSH_CIPHER_BLOWFISH:
-                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
                if (evplen <= 0)
-@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
                break;
 #endif
 #ifdef WITH_SSH1
 +#ifndef OPENSSL_NO_DES
        case SSH_CIPHER_3DES:
-                return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+                return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
 +#endif /* OPENSSL_NO_DES */
 #endif
        default:
                return SSH_ERR_INVALID_ARGUMENT;
 -- 
-2.1.4
+2.8.1
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
index 815af422ff..47dc73ba10 100644
--- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -1,12 +1,12 @@
-From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
+From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001
-From: Haiqing Bai <Haiqing.Bai@windriver.com>
+From: Dengke Du <dengke.du@windriver.com>
-Date: Fri, 18 Mar 2016 15:59:21 +0800
+Date: Thu, 19 Jan 2017 03:21:40 -0500
-Subject: [PATCH 3/3] remove des in pkcs11.
+Subject: [PATCH 2/3] remove des in pkcs11.
 Upstream-Status: Pending
 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+Signed-off-by: Dengke Du <dengke.du@windriver.com>
 ---
 pkcs11.h | 8 ++++++++
 1 file changed, 8 insertions(+)
@@ -66,5 +66,5 @@ index b01d58f..98b36e6 100644
 #define CKM_PBE_SHA1_RC2_40_CBC                (0x3ab)
 #define CKM_PKCS5_PBKD2                        (0x3b0)
 -- 
-1.9.1
+2.8.1
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
index 94eb0ed208..3b3d667a68 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
@@ -25,13 +25,12 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
           file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
-           file://fix-CVE-2016-8858.patch \
           "
 PAM_SRC_URI = "file://sshd"
-SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"
+SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3"
-SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"
+SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1"
 inherit useradd update-rc.d update-alternatives systemd
author	Dengke Du <dengke.du@windriver.com>	2017-01-22 02:12:40 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-01-26 10:44:28 +0000
commit	d742290d8497d6d3abecc12462c65cb3cbdf4cb0 (patch)
tree	c0f06f19dc7f054da08f79681d35c53827e0ed4f /meta/recipes-connectivity
parent	543d0b0d1b44bcf12d433b1a1ae7134ca11c25e5 (diff)
download	poky-d742290d8497d6d3abecc12462c65cb3cbdf4cb0.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch deleted file mode 100644 index b26ee81b9a..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch +++ /dev/null
@@ -1,39 +0,0 @@
1	Fix CVE-2016-8858 of openssh
2
3	Backport patch from upstream and drop the change of comment which can NOT be applied.
4
5	Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
6	CVE: CVE-2016-8858
7
8	Signed-off-by: Kai Kang <kai.kang@windriver.com>
9	---
10	From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
11	From: "markus@openbsd.org" <markus@openbsd.org>
12	Date: Mon, 10 Oct 2016 19:28:48 +0000
13	Subject: [PATCH] upstream commit
14
15	Unregister the KEXINIT handler after message has been
16	received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
17	allocation of up to 128MB -- until the connection is closed. Reported by
18	shilei-c at 360.cn
19
20	Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
21	---
22	kex.c \| 3 ++-
23	1 file changed, 2 insertions(+), 1 deletion(-)
24
25	diff --git a/kex.c b/kex.c
26	index 3f97f8c..6a94bc5 100644
27	--- a/kex.c
28	+++ b/kex.c
29	@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
30	if (kex == NULL)
31	return SSH_ERR_INVALID_ARGUMENT;
32
33	+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
34	ptr = sshpkt_ptr(ssh, &dlen);
35	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
36	return r;
37	--
38	2.10.1
39


diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch index 2773c14e5a..1098b972ce 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -1,18 +1,19 @@
1	From d7eb26785ad4f25fb09fae46726ab8ca3fe16921 Mon Sep 17 00:00:00 2001	1	From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001
2	From: Haiqing Bai <Haiqing.Bai@windriver.com>	2	From: Dengke Du <dengke.du@windriver.com>
3	Date: Mon, 22 Aug 2016 14:11:16 +0300	3	Date: Thu, 19 Jan 2017 03:00:08 -0500
4	Subject: [PATCH] Remove des in cipher.	4	Subject: [PATCH 1/3] Remove des in cipher.
5		5
6	Upstream-Status: Pending	6	Upstream-Status: Pending
7		7
8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>	8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
9	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>	9	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
		10	Signed-off-by: Dengke Du <dengke.du@windriver.com>
10	---	11	---
11	cipher.c \| 18 ++++++++++++++++++	12	cipher.c \| 18 ++++++++++++++++++
12	1 file changed, 18 insertions(+)	13	1 file changed, 18 insertions(+)
13		14
14	diff --git a/cipher.c b/cipher.c	15	diff --git a/cipher.c b/cipher.c
15	index 031bda9..6cd667a 100644	16	index 2def333..59f6792 100644
16	--- a/cipher.c	17	--- a/cipher.c
17	+++ b/cipher.c	18	+++ b/cipher.c
18	@@ -53,8 +53,10 @@	19	@@ -53,8 +53,10 @@
@@ -25,8 +26,8 @@ index 031bda9..6cd667a 100644
25	+#endif /* OPENSSL_NO_DES */	26	+#endif /* OPENSSL_NO_DES */
26	#endif	27	#endif
27		28
28	struct sshcipher {	29	struct sshcipher_ctx {
29	@@ -79,15 +81,19 @@ struct sshcipher {	30	@@ -88,15 +90,19 @@ struct sshcipher {
30		31
31	static const struct sshcipher ciphers[] = {	32	static const struct sshcipher ciphers[] = {
32	#ifdef WITH_SSH1	33	#ifdef WITH_SSH1
@@ -39,14 +40,14 @@ index 031bda9..6cd667a 100644
39	# endif /* OPENSSL_NO_BF */	40	# endif /* OPENSSL_NO_BF */
40	#endif /* WITH_SSH1 */	41	#endif /* WITH_SSH1 */
41	#ifdef WITH_OPENSSL	42	#ifdef WITH_OPENSSL
42	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
43	+#ifndef OPENSSL_NO_DES	43	+#ifndef OPENSSL_NO_DES
		44	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
44	{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },	45	{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
45	+#endif /* OPENSSL_NO_DES */	46	+#endif /* OPENSSL_NO_DES */
46	# ifndef OPENSSL_NO_BF	47	# ifndef OPENSSL_NO_BF
47	{ "blowfish-cbc",	48	{ "blowfish-cbc",
48	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },	49	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
49	@@ -171,8 +177,10 @@ cipher_keylen(const struct sshcipher *c)	50	@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c)
50	u_int	51	u_int
51	cipher_seclen(const struct sshcipher *c)	52	cipher_seclen(const struct sshcipher *c)
52	{	53	{
@@ -57,7 +58,7 @@ index 031bda9..6cd667a 100644
57	return cipher_keylen(c);	58	return cipher_keylen(c);
58	}	59	}
59		60
60	@@ -209,11 +217,13 @@ u_int	61	@@ -230,11 +238,13 @@ u_int
61	cipher_mask_ssh1(int client)	62	cipher_mask_ssh1(int client)
62	{	63	{
63	u_int mask = 0;	64	u_int mask = 0;
@@ -71,7 +72,7 @@ index 031bda9..6cd667a 100644
71	return mask;	72	return mask;
72	}	73	}
73		74
74	@@ -553,7 +563,9 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)	75	@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
75	switch (c->number) {	76	switch (c->number) {
76	#ifdef WITH_OPENSSL	77	#ifdef WITH_OPENSSL
77	case SSH_CIPHER_SSH2:	78	case SSH_CIPHER_SSH2:
@@ -79,20 +80,20 @@ index 031bda9..6cd667a 100644
79	case SSH_CIPHER_DES:	80	case SSH_CIPHER_DES:
80	+#endif /* OPENSSL_NO_DES */	81	+#endif /* OPENSSL_NO_DES */
81	case SSH_CIPHER_BLOWFISH:	82	case SSH_CIPHER_BLOWFISH:
82	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);	83	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
83	if (evplen == 0)	84	if (evplen == 0)
84	@@ -576,8 +588,10 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)	85	@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
85	break;	86	break;
86	#endif	87	#endif
87	#ifdef WITH_SSH1	88	#ifdef WITH_SSH1
88	+#ifndef OPENSSL_NO_DES	89	+#ifndef OPENSSL_NO_DES
89	case SSH_CIPHER_3DES:	90	case SSH_CIPHER_3DES:
90	return ssh1_3des_iv(&cc->evp, 0, iv, 24);	91	return ssh1_3des_iv(cc->evp, 0, iv, 24);
91	+#endif /* OPENSSL_NO_DES */	92	+#endif /* OPENSSL_NO_DES */
92	#endif	93	#endif
93	default:	94	default:
94	return SSH_ERR_INVALID_ARGUMENT;	95	return SSH_ERR_INVALID_ARGUMENT;
95	@@ -601,7 +615,9 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)	96	@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
96	switch (c->number) {	97	switch (c->number) {
97	#ifdef WITH_OPENSSL	98	#ifdef WITH_OPENSSL
98	case SSH_CIPHER_SSH2:	99	case SSH_CIPHER_SSH2:
@@ -100,19 +101,19 @@ index 031bda9..6cd667a 100644
100	case SSH_CIPHER_DES:	101	case SSH_CIPHER_DES:
101	+#endif /* OPENSSL_NO_DES */	102	+#endif /* OPENSSL_NO_DES */
102	case SSH_CIPHER_BLOWFISH:	103	case SSH_CIPHER_BLOWFISH:
103	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);	104	evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
104	if (evplen <= 0)	105	if (evplen <= 0)
105	@@ -616,8 +632,10 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)	106	@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
106	break;	107	break;
107	#endif	108	#endif
108	#ifdef WITH_SSH1	109	#ifdef WITH_SSH1
109	+#ifndef OPENSSL_NO_DES	110	+#ifndef OPENSSL_NO_DES
110	case SSH_CIPHER_3DES:	111	case SSH_CIPHER_3DES:
111	return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);	112	return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24);
112	+#endif /* OPENSSL_NO_DES */	113	+#endif /* OPENSSL_NO_DES */
113	#endif	114	#endif
114	default:	115	default:
115	return SSH_ERR_INVALID_ARGUMENT;	116	return SSH_ERR_INVALID_ARGUMENT;
116	--	117	--
117	2.1.4	118	2.8.1
118		119


diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch index 815af422ff..47dc73ba10 100644 --- a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -1,12 +1,12 @@
1	From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001	1	From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001
2	From: Haiqing Bai <Haiqing.Bai@windriver.com>	2	From: Dengke Du <dengke.du@windriver.com>
3	Date: Fri, 18 Mar 2016 15:59:21 +0800	3	Date: Thu, 19 Jan 2017 03:21:40 -0500
4	Subject: [PATCH 3/3] remove des in pkcs11.	4	Subject: [PATCH 2/3] remove des in pkcs11.
5		5
6	Upstream-Status: Pending	6	Upstream-Status: Pending
7		7
8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>	8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
9		9	Signed-off-by: Dengke Du <dengke.du@windriver.com>
10	---	10	---
11	pkcs11.h \| 8 ++++++++	11	pkcs11.h \| 8 ++++++++
12	1 file changed, 8 insertions(+)	12	1 file changed, 8 insertions(+)
@@ -66,5 +66,5 @@ index b01d58f..98b36e6 100644
66	#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)	66	#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
67	#define CKM_PKCS5_PBKD2 (0x3b0)	67	#define CKM_PKCS5_PBKD2 (0x3b0)
68	--	68	--
69	1.9.1	69	2.8.1
70		70


diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb index 94eb0ed208..3b3d667a68 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.4p1.bb
@@ -25,13 +25,12 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
25	file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \	25	file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
26	file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \	26	file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
27	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \	27	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
28	file://fix-CVE-2016-8858.patch \
29	"	28	"
30		29
31	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"
32		31
33	SRC_URI[md5sum] = "dfadd9f035d38ce5d58a3bf130b86d08"	32	SRC_URI[md5sum] = "b2db2a83caf66a208bb78d6d287cdaa3"
34	SRC_URI[sha256sum] = "3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc"	33	SRC_URI[sha256sum] = "1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1"
35		34
36	inherit useradd update-rc.d update-alternatives systemd	35	inherit useradd update-rc.d update-alternatives systemd
37		36