Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch | 189 |
1 files changed, 189 insertions, 0 deletions
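--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ssh-pkcs11-client.c | 16 ++++++++--------
+ssh-pkcs11.c | 26 +++++++++++++-------------
+2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+return (ret);
+}
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static ECDSA_SIG *
+ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+sshbuf_free(msg);
+return (ret);
+}
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+static RSA_METHOD *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+/* redirect private key crypto operations to the ssh-pkcs11-helper */
+static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+{
+if (k->type == KEY_RSA)
+RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+else if (k->type == KEY_ECDSA)
+EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+else
+fatal("%s: unknown key type", __func__);
+}
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+if (helper_rsa != NULL)
+return (0);
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+return (-1);
+EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+
+int pkcs11_interactive = 0;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static void
+ossl_error(const char *msg)
+{
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+error("%s: libcrypto error: %.100s", __func__,
+ERR_error_string(e, NULL));
+}
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+int
+pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+
+static RSA_METHOD *rsa_method;
+static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static EC_KEY_METHOD *ec_key_method;
+static int ec_key_idx = 0;
+-#endif
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+/* release a wrapped object */
+static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+return (0);
+}
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+/* openssl callback doing the actual signing operation */
+static ECDSA_SIG *
+ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+
+return (0);
+}
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+/* remove trailing spaces */
+static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+return (0);
+}
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static struct sshkey *
+pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+
+return (key);
+}
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+static struct sshkey *
+pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+#endif
+struct sshkey *key = NULL;
+int i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+int nid;
+#endif
+const u_char *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+key->type = KEY_RSA;
+key->flags |= SSHKEY_FLAG_EXT;
+rsa = NULL; /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+key->type = KEY_ECDSA;
+key->flags |= SSHKEY_FLAG_EXT;
+ec = NULL; /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+} else {
+error("unknown certificate key type");
+goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+case CKK_RSA:
+key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+case CKK_ECDSA:
+key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+default:
+/* XXX print key type? */
+key = NULL;
+--
+2.41.0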
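Review bot: The patch header tags this file with `CVE: CVE-2023-38408`, yet the commit it backports is dated 1 Oct 2021 and only widens the `#ifdef HAVE_EC_KEY_METHOD_NEW` guards to `#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)`, so on its own it appears to be a build-hygiene prerequisite for the 12-patch series rather than the vulnerability fix. Tooling that keys on the `CVE:` tag (cve-check, for instance) will count the recipe as addressed as soon as this one file is present, which can mask a series that is applied only partially. A one-line note in the header would make the dependency explicit for whoever later rebases or drops patches, for example after `Upstream-Status`: `Prerequisite for the CVE-2023-38408 fix series (patch 01/12); the vulnerability itself is addressed by later patches.` The same hedge holds for the other early patches in the series if they carry the same tag.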