1 files changed, 189 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+ok dtucker
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c        | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+        return (ret);
+ }
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+     const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+        sshbuf_free(msg);
+        return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ static RSA_METHOD      *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD   *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+        if (k->type == KEY_RSA)
+                RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        else if (k->type == KEY_ECDSA)
+                EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+        else
+                fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+        if (helper_rsa != NULL)
+                return (0);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+            unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+        if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+                return (-1);
+        EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+        EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+        if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+                fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+ int pkcs11_interactive = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+                error("%s: libcrypto error: %.100s", __func__,
+                    ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+        return (0);
+ }
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+        return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+        return (0);
+ }
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+     CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+        return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+        struct sshkey           *key = NULL;
+        int                      i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        int                      nid;
+ #endif
+        const u_char            *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+                key->type = KEY_RSA;
+                key->flags |= SSHKEY_FLAG_EXT;
+                rsa = NULL;     /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+                if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+                        error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+                key->type = KEY_ECDSA;
+                key->flags |= SSHKEY_FLAG_EXT;
+                ec = NULL;      /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+        } else {
+                error("unknown certificate key type");
+                goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+                case CKK_RSA:
+                        key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+                        break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+                case CKK_ECDSA:
+                        key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+                        break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+                default:
+                        /* XXX print key type? */
+                        key = NULL;
+--
+2.41.0

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch new file mode 100644 index 0000000000..c899056337 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
	1	From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
	2	From: Damien Miller <djm@mindrot.org>
	3	Date: Fri, 1 Oct 2021 16:35:49 +1000
	4	Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
	5
	6	ok dtucker
	7
	8	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
	9	CVE: CVE-2023-38408
	10	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	11	---
	12	ssh-pkcs11-client.c \| 16 ++++++++--------
	13	ssh-pkcs11.c \| 26 +++++++++++++-------------
	14	2 files changed, 21 insertions(+), 21 deletions(-)
	15
	16	diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
	17	index 8a0ffef..41114c7 100644
	18	--- a/ssh-pkcs11-client.c
	19	+++ b/ssh-pkcs11-client.c
	20	@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char from, u_char to, RSA *rsa, int padding)
	21	return (ret);
	22	}
	23
	24	-#ifdef HAVE_EC_KEY_METHOD_NEW
	25	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	26	static ECDSA_SIG *
	27	ecdsa_do_sign(const unsigned char dgst, int dgst_len, const BIGNUM inv,
	28	const BIGNUM rp, EC_KEY ec)
	29	@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char dgst, int dgst_len, const BIGNUM inv,
	30	sshbuf_free(msg);
	31	return (ret);
	32	}
	33	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	34	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	35
	36	static RSA_METHOD *helper_rsa;
	37	-#ifdef HAVE_EC_KEY_METHOD_NEW
	38	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	39	static EC_KEY_METHOD *helper_ecdsa;
	40	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	41	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	42
	43	/* redirect private key crypto operations to the ssh-pkcs11-helper */
	44	static void
	45	@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
	46	{
	47	if (k->type == KEY_RSA)
	48	RSA_set_method(k->rsa, helper_rsa);
	49	-#ifdef HAVE_EC_KEY_METHOD_NEW
	50	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	51	else if (k->type == KEY_ECDSA)
	52	EC_KEY_set_method(k->ecdsa, helper_ecdsa);
	53	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	54	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	55	else
	56	fatal("%s: unknown key type", __func__);
	57	}
	58	@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
	59	if (helper_rsa != NULL)
	60	return (0);
	61
	62	-#ifdef HAVE_EC_KEY_METHOD_NEW
	63	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	64	int (orig_sign)(int, const unsigned char , int, unsigned char *,
	65	unsigned int , const BIGNUM , const BIGNUM , EC_KEY ) = NULL;
	66	if (helper_ecdsa != NULL)
	67	@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
	68	return (-1);
	69	EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
	70	EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
	71	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	72	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	73
	74	if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
	75	fatal("%s: RSA_meth_dup failed", __func__);
	76	diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
	77	index a302c79..b56a41b 100644
	78	--- a/ssh-pkcs11.c
	79	+++ b/ssh-pkcs11.c
	80	@@ -78,7 +78,7 @@ struct pkcs11_key {
	81
	82	int pkcs11_interactive = 0;
	83
	84	-#ifdef HAVE_EC_KEY_METHOD_NEW
	85	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	86	static void
	87	ossl_error(const char *msg)
	88	{
	89	@@ -89,7 +89,7 @@ ossl_error(const char *msg)
	90	error("%s: libcrypto error: %.100s", __func__,
	91	ERR_error_string(e, NULL));
	92	}
	93	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	94	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	95
	96	int
	97	pkcs11_init(int interactive)
	98	@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
	99
	100	static RSA_METHOD *rsa_method;
	101	static int rsa_idx = 0;
	102	-#ifdef HAVE_EC_KEY_METHOD_NEW
	103	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	104	static EC_KEY_METHOD *ec_key_method;
	105	static int ec_key_idx = 0;
	106	-#endif
	107	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	108
	109	/* release a wrapped object */
	110	static void
	111	@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
	112	return (0);
	113	}
	114
	115	-#ifdef HAVE_EC_KEY_METHOD_NEW
	116	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	117	/* openssl callback doing the actual signing operation */
	118	static ECDSA_SIG *
	119	ecdsa_do_sign(const unsigned char dgst, int dgst_len, const BIGNUM inv,
	120	@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
	121
	122	return (0);
	123	}
	124	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	125	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	126
	127	/* remove trailing spaces */
	128	static void
	129	@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey **keysp, int nkeys, struct sshkey *key)
	130	return (0);
	131	}
	132
	133	-#ifdef HAVE_EC_KEY_METHOD_NEW
	134	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	135	static struct sshkey *
	136	pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
	137	CK_OBJECT_HANDLE *obj)
	138	@@ -802,7 +802,7 @@ fail:
	139
	140	return (key);
	141	}
	142	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	143	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	144
	145	static struct sshkey *
	146	pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
	147	@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
	148	#endif
	149	struct sshkey *key = NULL;
	150	int i;
	151	-#ifdef HAVE_EC_KEY_METHOD_NEW
	152	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	153	int nid;
	154	#endif
	155	const u_char *cp;
	156	@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
	157	key->type = KEY_RSA;
	158	key->flags \|= SSHKEY_FLAG_EXT;
	159	rsa = NULL; /* now owned by key */
	160	-#ifdef HAVE_EC_KEY_METHOD_NEW
	161	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	162	} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
	163	if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
	164	error("invalid x509; no ec key");
	165	@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
	166	key->type = KEY_ECDSA;
	167	key->flags \|= SSHKEY_FLAG_EXT;
	168	ec = NULL; /* now owned by key */
	169	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	170	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	171	} else {
	172	error("unknown certificate key type");
	173	goto out;
	174	@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
	175	case CKK_RSA:
	176	key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
	177	break;
	178	-#ifdef HAVE_EC_KEY_METHOD_NEW
	179	+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
	180	case CKK_ECDSA:
	181	key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
	182	break;
	183	-#endif /* HAVE_EC_KEY_METHOD_NEW */
	184	+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
	185	default:
	186	/* XXX print key type? */
	187	key = NULL;
	188	--
	189	2.41.0