From e4ac4b116cca421d55c845cdcf5d018ae20561de Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee Date: Sat, 2 Sep 2023 15:24:15 +0100 Subject: openssh: upgrade to v9.4p1 Changes: Update sha256sum Remove backported patch (From OE-Core rev: 51a6e56fcb28ec97ba3a4b40bbcd3d64e6d390d5) Signed-off-by: Sudip Mukherjee Signed-off-by: Richard Purdie --- .../7280401bdd77ca54be6867a154cc01e0d72612e0.patch | 994 --------------------- meta/recipes-connectivity/openssh/openssh_9.3p2.bb | 176 ---- meta/recipes-connectivity/openssh/openssh_9.4p1.bb | 175 ++++ 3 files changed, 175 insertions(+), 1170 deletions(-) delete mode 100644 meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh_9.3p2.bb create mode 100644 meta/recipes-connectivity/openssh/openssh_9.4p1.bb (limited to 'meta/recipes-connectivity') diff --git a/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch deleted file mode 100644 index 4c8aa085f3..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch +++ /dev/null @@ -1,994 +0,0 @@ -From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 -From: Damien Miller -Date: Fri, 24 Mar 2023 13:56:25 +1100 -Subject: [PATCH] remove support for old libcrypto - -OpenSSH now requires LibreSSL 3.1.0 or greater or -OpenSSL 1.1.1 or greater - -with/ok dtucker@ - -Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0] -Comment: Hunks are refreshed. -Signed-off-by: Riyaz Khan - ---- - .github/workflows/c-cpp.yml | 7 - - INSTALL | 8 +- - cipher-aes.c | 2 +- - configure.ac | 96 ++--- - openbsd-compat/libressl-api-compat.c | 556 +-------------------------- - openbsd-compat/openssl-compat.h | 151 +------- - 6 files changed, 40 insertions(+), 780 deletions(-) - -diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml -index 3d9aa22dba5..d299a32468d 100644 ---- a/.github/workflows/c-cpp.yml -+++ b/.github/workflows/c-cpp.yml -@@ -47,9 +47,6 @@ jobs: - - { target: ubuntu-20.04, config: tcmalloc } - - { target: ubuntu-20.04, config: musl } - - { target: ubuntu-latest, config: libressl-master } -- - { target: ubuntu-latest, config: libressl-2.2.9 } -- - { target: ubuntu-latest, config: libressl-2.8.3 } -- - { target: ubuntu-latest, config: libressl-3.0.2 } - - { target: ubuntu-latest, config: libressl-3.2.6 } - - { target: ubuntu-latest, config: libressl-3.3.6 } - - { target: ubuntu-latest, config: libressl-3.4.3 } -@@ -58,10 +55,6 @@ jobs: - - { target: ubuntu-latest, config: libressl-3.7.0 } - - { target: ubuntu-latest, config: openssl-master } - - { target: ubuntu-latest, config: openssl-noec } -- - { target: ubuntu-latest, config: openssl-1.0.1 } -- - { target: ubuntu-latest, config: openssl-1.0.1u } -- - { target: ubuntu-latest, config: openssl-1.0.2u } -- - { target: ubuntu-latest, config: openssl-1.1.0h } - - { target: ubuntu-latest, config: openssl-1.1.1 } - - { target: ubuntu-latest, config: openssl-1.1.1k } - - { target: ubuntu-latest, config: openssl-1.1.1n } -diff --git a/INSTALL b/INSTALL -index 68b15e13190..f99d1e2a809 100644 ---- a/INSTALL -+++ b/INSTALL -@@ -21,12 +21,8 @@ https://zlib.net/ - - libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto - is supported but severely restricts the available ciphers and algorithms. -- - LibreSSL (https://www.libressl.org/) -- - OpenSSL (https://www.openssl.org) with any of the following versions: -- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 -- --Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to --1.1.0g can't be used. -+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater -+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater - - LibreSSL/OpenSSL should be compiled as a position-independent library - (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" -diff --git a/cipher-aes.c b/cipher-aes.c -index 8b101727284..87c763353d8 100644 ---- a/cipher-aes.c -+++ b/cipher-aes.c -@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, - - static int - ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, -- LIBCRYPTO_EVP_INL_TYPE len) -+ size_t len) - { - struct ssh_rijndael_ctx *c; - u_char buf[RIJNDAEL_BLOCKSIZE]; -diff --git a/configure.ac b/configure.ac -index 22fee70f604..1c0ccdf19c5 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then - #include - #define DATA "conftest.ssllibver" - ]], [[ -- FILE *fd; -- int rc; -+ FILE *f; - -- fd = fopen(DATA,"w"); -- if(fd == NULL) -+ if ((f = fopen(DATA, "w")) == NULL) - exit(1); --#ifndef OPENSSL_VERSION --# define OPENSSL_VERSION SSLEAY_VERSION --#endif --#ifndef HAVE_OPENSSL_VERSION --# define OpenSSL_version SSLeay_version --#endif --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif -- if ((rc = fprintf(fd, "%08lx (%s)\n", -+ if (fprintf(f, "%08lx (%s)", - (unsigned long)OpenSSL_version_num(), -- OpenSSL_version(OPENSSL_VERSION))) < 0) -+ OpenSSL_version(OPENSSL_VERSION)) < 0) -+ exit(1); -+#ifdef LIBRESSL_VERSION_NUMBER -+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) -+ exit(1); -+#endif -+ if (fputc('\n', f) == EOF || fclose(f) == EOF) - exit(1); -- - exit(0); - ]])], - [ -- ssl_library_ver=`cat conftest.ssllibver` -+ sslver=`cat conftest.ssllibver` -+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` - # Check version is supported. -- case "$ssl_library_ver" in -- 10000*|0*) -- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) -- ;; -- 100*) ;; # 1.0.x -- 101000[[0123456]]*) -- # https://github.com/openssl/openssl/pull/4613 -- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) -+ case "$sslver" in -+ 100*|10100*) # 1.0.x, 1.1.0x -+ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) - ;; - 101*) ;; # 1.1.x -- 200*) ;; # LibreSSL -+ 200*) # LibreSSL -+ lver=`echo "$sslver" | sed 's/.*libressl-//'` -+ case "$lver" in -+ 2*|300*) # 2.x, 3.0.0 -+ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) -+ ;; -+ *) ;; # Assume all other versions are good. -+ esac -+ ;; - 300*) - # OpenSSL 3; we use the 1.1x API - CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" -@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then - CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" - ;; - *) -- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) -+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) - ;; - esac -- AC_MSG_RESULT([$ssl_library_ver]) -+ AC_MSG_RESULT([$ssl_showver]) - ], - [ - AC_MSG_RESULT([not found]) -@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then - - case "$host" in - x86_64-*) -- case "$ssl_library_ver" in -+ case "$sslver" in - 3000004*) - AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) - ;; -@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then - #include - #include - ]], [[ --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif - exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); - ]])], - [ -@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then - ) - ) - -- # LibreSSL/OpenSSL 1.1x API -+ # LibreSSL/OpenSSL API differences - AC_CHECK_FUNCS([ \ -- OPENSSL_init_crypto \ -- DH_get0_key \ -- DH_get0_pqg \ -- DH_set0_key \ -- DH_set_length \ -- DH_set0_pqg \ -- DSA_get0_key \ -- DSA_get0_pqg \ -- DSA_set0_key \ -- DSA_set0_pqg \ -- DSA_SIG_get0 \ -- DSA_SIG_set0 \ -- ECDSA_SIG_get0 \ -- ECDSA_SIG_set0 \ - EVP_CIPHER_CTX_iv \ - EVP_CIPHER_CTX_iv_noconst \ - EVP_CIPHER_CTX_get_iv \ - EVP_CIPHER_CTX_get_updated_iv \ - EVP_CIPHER_CTX_set_iv \ -- RSA_get0_crt_params \ -- RSA_get0_factors \ -- RSA_get0_key \ -- RSA_set0_crt_params \ -- RSA_set0_factors \ -- RSA_set0_key \ -- RSA_meth_free \ -- RSA_meth_dup \ -- RSA_meth_set1_name \ -- RSA_meth_get_finish \ -- RSA_meth_set_priv_enc \ -- RSA_meth_set_priv_dec \ -- RSA_meth_set_finish \ -- EVP_PKEY_get0_RSA \ -- EVP_MD_CTX_new \ -- EVP_MD_CTX_free \ -- EVP_chacha20 \ - ]) - - if test "x$openssl_engine" = "xyes" ; then -@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then - ] - ) - -- # Check for SHA256, SHA384 and SHA512 support in OpenSSL -- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) -+ # Check for various EVP support in OpenSSL -+ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) - - # Check complete ECC support in OpenSSL - AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) -diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c -index 498180dc894..59be17397c5 100644 ---- a/openbsd-compat/libressl-api-compat.c -+++ b/openbsd-compat/libressl-api-compat.c -@@ -1,129 +1,5 @@ --/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ --/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ --/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ --/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ --/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ --/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ --/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -- * All rights reserved. -- * -- * This package is an SSL implementation written -- * by Eric Young (eay@cryptsoft.com). -- * The implementation was written so as to conform with Netscapes SSL. -- * -- * This library is free for commercial and non-commercial use as long as -- * the following conditions are aheared to. The following conditions -- * apply to all code found in this distribution, be it the RC4, RSA, -- * lhash, DES, etc., code; not just the SSL code. The SSL documentation -- * included with this distribution is covered by the same copyright terms -- * except that the holder is Tim Hudson (tjh@cryptsoft.com). -- * -- * Copyright remains Eric Young's, and as such any Copyright notices in -- * the code are not to be removed. -- * If this package is used in a product, Eric Young should be given attribution -- * as the author of the parts of the library used. -- * This can be in the form of a textual message at program startup or -- * in documentation (online or textual) provided with the package. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * 1. Redistributions of source code must retain the copyright -- * notice, this list of conditions and the following disclaimer. -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in the -- * documentation and/or other materials provided with the distribution. -- * 3. All advertising materials mentioning features or use of this software -- * must display the following acknowledgement: -- * "This product includes cryptographic software written by -- * Eric Young (eay@cryptsoft.com)" -- * The word 'cryptographic' can be left out if the rouines from the library -- * being used are not cryptographic related :-). -- * 4. If you include any Windows specific code (or a derivative thereof) from -- * the apps directory (application code) you must include an acknowledgement: -- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -- * -- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -- * SUCH DAMAGE. -- * -- * The licence and distribution terms for any publically available version or -- * derivative of this code cannot be changed. i.e. this code cannot simply be -- * copied and put under another distribution licence -- * [including the GNU Public Licence.] -- */ -- --/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ --/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ --/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ --/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -- * project 2000. -- */ --/* ==================================================================== -- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * 3. All advertising materials mentioning features or use of this -- * software must display the following acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -- * -- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -- * endorse or promote products derived from this software without -- * prior written permission. For written permission, please contact -- * licensing@OpenSSL.org. -- * -- * 5. Products derived from this software may not be called "OpenSSL" -- * nor may "OpenSSL" appear in their names without prior written -- * permission of the OpenSSL Project. -- * -- * 6. Redistributions of any form whatsoever must retain the following -- * acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -- * -- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- * ==================================================================== -- * -- * This product includes cryptographic software written by Eric Young -- * (eay@cryptsoft.com). This product includes software written by Tim -- * Hudson (tjh@cryptsoft.com). -- * -- */ -- --/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ - /* -- * Copyright (c) 2018 Theo Buehler -+ * Copyright (c) 2018 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above -@@ -147,192 +23,7 @@ - #include - #include - --#include --#include --#include --#include - #include --#ifdef OPENSSL_HAS_ECC --#include --#endif --#include -- --#ifndef HAVE_DSA_GET0_PQG --void --DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) --{ -- if (p != NULL) -- *p = d->p; -- if (q != NULL) -- *q = d->q; -- if (g != NULL) -- *g = d->g; --} --#endif /* HAVE_DSA_GET0_PQG */ -- --#ifndef HAVE_DSA_SET0_PQG --int --DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) --{ -- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || -- (d->g == NULL && g == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(d->p); -- d->p = p; -- } -- if (q != NULL) { -- BN_free(d->q); -- d->q = q; -- } -- if (g != NULL) { -- BN_free(d->g); -- d->g = g; -- } -- -- return 1; --} --#endif /* HAVE_DSA_SET0_PQG */ -- --#ifndef HAVE_DSA_GET0_KEY --void --DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) --{ -- if (pub_key != NULL) -- *pub_key = d->pub_key; -- if (priv_key != NULL) -- *priv_key = d->priv_key; --} --#endif /* HAVE_DSA_GET0_KEY */ -- --#ifndef HAVE_DSA_SET0_KEY --int --DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) --{ -- if (d->pub_key == NULL && pub_key == NULL) -- return 0; -- -- if (pub_key != NULL) { -- BN_free(d->pub_key); -- d->pub_key = pub_key; -- } -- if (priv_key != NULL) { -- BN_free(d->priv_key); -- d->priv_key = priv_key; -- } -- -- return 1; --} --#endif /* HAVE_DSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_KEY --void --RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) --{ -- if (n != NULL) -- *n = r->n; -- if (e != NULL) -- *e = r->e; -- if (d != NULL) -- *d = r->d; --} --#endif /* HAVE_RSA_GET0_KEY */ -- --#ifndef HAVE_RSA_SET0_KEY --int --RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) --{ -- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) -- return 0; -- -- if (n != NULL) { -- BN_free(r->n); -- r->n = n; -- } -- if (e != NULL) { -- BN_free(r->e); -- r->e = e; -- } -- if (d != NULL) { -- BN_free(r->d); -- r->d = d; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_CRT_PARAMS --void --RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, -- const BIGNUM **iqmp) --{ -- if (dmp1 != NULL) -- *dmp1 = r->dmp1; -- if (dmq1 != NULL) -- *dmq1 = r->dmq1; -- if (iqmp != NULL) -- *iqmp = r->iqmp; --} --#endif /* HAVE_RSA_GET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_SET0_CRT_PARAMS --int --RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) --{ -- if ((r->dmp1 == NULL && dmp1 == NULL) || -- (r->dmq1 == NULL && dmq1 == NULL) || -- (r->iqmp == NULL && iqmp == NULL)) -- return 0; -- -- if (dmp1 != NULL) { -- BN_free(r->dmp1); -- r->dmp1 = dmp1; -- } -- if (dmq1 != NULL) { -- BN_free(r->dmq1); -- r->dmq1 = dmq1; -- } -- if (iqmp != NULL) { -- BN_free(r->iqmp); -- r->iqmp = iqmp; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_GET0_FACTORS --void --RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) --{ -- if (p != NULL) -- *p = r->p; -- if (q != NULL) -- *q = r->q; --} --#endif /* HAVE_RSA_GET0_FACTORS */ -- --#ifndef HAVE_RSA_SET0_FACTORS --int --RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) --{ -- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(r->p); -- r->p = p; -- } -- if (q != NULL) { -- BN_free(r->q); -- r->q = q; -- } -- -- return 1; --} --#endif /* HAVE_RSA_SET0_FACTORS */ - - #ifndef HAVE_EVP_CIPHER_CTX_GET_IV - int -@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) - } - #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ - --#ifndef HAVE_DSA_SIG_GET0 --void --DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) --{ -- if (pr != NULL) -- *pr = sig->r; -- if (ps != NULL) -- *ps = sig->s; --} --#endif /* HAVE_DSA_SIG_GET0 */ -- --#ifndef HAVE_DSA_SIG_SET0 --int --DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) --{ -- if (r == NULL || s == NULL) -- return 0; -- -- BN_clear_free(sig->r); -- sig->r = r; -- BN_clear_free(sig->s); -- sig->s = s; -- -- return 1; --} --#endif /* HAVE_DSA_SIG_SET0 */ -- --#ifdef OPENSSL_HAS_ECC --#ifndef HAVE_ECDSA_SIG_GET0 --void --ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) --{ -- if (pr != NULL) -- *pr = sig->r; -- if (ps != NULL) -- *ps = sig->s; --} --#endif /* HAVE_ECDSA_SIG_GET0 */ -- --#ifndef HAVE_ECDSA_SIG_SET0 --int --ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) --{ -- if (r == NULL || s == NULL) -- return 0; -- -- BN_clear_free(sig->r); -- BN_clear_free(sig->s); -- sig->r = r; -- sig->s = s; -- return 1; --} --#endif /* HAVE_ECDSA_SIG_SET0 */ --#endif /* OPENSSL_HAS_ECC */ -- --#ifndef HAVE_DH_GET0_PQG --void --DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) --{ -- if (p != NULL) -- *p = dh->p; -- if (q != NULL) -- *q = dh->q; -- if (g != NULL) -- *g = dh->g; --} --#endif /* HAVE_DH_GET0_PQG */ -- --#ifndef HAVE_DH_SET0_PQG --int --DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) --{ -- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) -- return 0; -- -- if (p != NULL) { -- BN_free(dh->p); -- dh->p = p; -- } -- if (q != NULL) { -- BN_free(dh->q); -- dh->q = q; -- } -- if (g != NULL) { -- BN_free(dh->g); -- dh->g = g; -- } -- -- return 1; --} --#endif /* HAVE_DH_SET0_PQG */ -- --#ifndef HAVE_DH_GET0_KEY --void --DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) --{ -- if (pub_key != NULL) -- *pub_key = dh->pub_key; -- if (priv_key != NULL) -- *priv_key = dh->priv_key; --} --#endif /* HAVE_DH_GET0_KEY */ -- --#ifndef HAVE_DH_SET0_KEY --int --DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) --{ -- if (pub_key != NULL) { -- BN_free(dh->pub_key); -- dh->pub_key = pub_key; -- } -- if (priv_key != NULL) { -- BN_free(dh->priv_key); -- dh->priv_key = priv_key; -- } -- -- return 1; --} --#endif /* HAVE_DH_SET0_KEY */ -- --#ifndef HAVE_DH_SET_LENGTH --int --DH_set_length(DH *dh, long length) --{ -- if (length < 0 || length > INT_MAX) -- return 0; -- -- dh->length = length; -- return 1; --} --#endif /* HAVE_DH_SET_LENGTH */ -- --#ifndef HAVE_RSA_METH_FREE --void --RSA_meth_free(RSA_METHOD *meth) --{ -- if (meth != NULL) { -- free((char *)meth->name); -- free(meth); -- } --} --#endif /* HAVE_RSA_METH_FREE */ -- --#ifndef HAVE_RSA_METH_DUP --RSA_METHOD * --RSA_meth_dup(const RSA_METHOD *meth) --{ -- RSA_METHOD *copy; -- -- if ((copy = calloc(1, sizeof(*copy))) == NULL) -- return NULL; -- memcpy(copy, meth, sizeof(*copy)); -- if ((copy->name = strdup(meth->name)) == NULL) { -- free(copy); -- return NULL; -- } -- -- return copy; --} --#endif /* HAVE_RSA_METH_DUP */ -- --#ifndef HAVE_RSA_METH_SET1_NAME --int --RSA_meth_set1_name(RSA_METHOD *meth, const char *name) --{ -- char *copy; -- -- if ((copy = strdup(name)) == NULL) -- return 0; -- free((char *)meth->name); -- meth->name = copy; -- return 1; --} --#endif /* HAVE_RSA_METH_SET1_NAME */ -- --#ifndef HAVE_RSA_METH_GET_FINISH --int --(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) --{ -- return meth->finish; --} --#endif /* HAVE_RSA_METH_GET_FINISH */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_ENC --int --RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) --{ -- meth->rsa_priv_enc = priv_enc; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_DEC --int --RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) --{ -- meth->rsa_priv_dec = priv_dec; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ -- --#ifndef HAVE_RSA_METH_SET_FINISH --int --RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) --{ -- meth->finish = finish; -- return 1; --} --#endif /* HAVE_RSA_METH_SET_FINISH */ -- --#ifndef HAVE_EVP_PKEY_GET0_RSA --RSA * --EVP_PKEY_get0_RSA(EVP_PKEY *pkey) --{ -- if (pkey->type != EVP_PKEY_RSA) { -- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ -- return NULL; -- } -- return pkey->pkey.rsa; --} --#endif /* HAVE_EVP_PKEY_GET0_RSA */ -- --#ifndef HAVE_EVP_MD_CTX_NEW --EVP_MD_CTX * --EVP_MD_CTX_new(void) --{ -- return calloc(1, sizeof(EVP_MD_CTX)); --} --#endif /* HAVE_EVP_MD_CTX_NEW */ -- --#ifndef HAVE_EVP_MD_CTX_FREE --void --EVP_MD_CTX_free(EVP_MD_CTX *ctx) --{ -- if (ctx == NULL) -- return; -- -- EVP_MD_CTX_cleanup(ctx); -- -- free(ctx); --} --#endif /* HAVE_EVP_MD_CTX_FREE */ -- - #endif /* WITH_OPENSSL */ -diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h -index 61a69dd56eb..d0dd2c3450d 100644 ---- a/openbsd-compat/openssl-compat.h -+++ b/openbsd-compat/openssl-compat.h -@@ -33,26 +33,13 @@ - int ssh_compatible_openssl(long, long); - void ssh_libcrypto_init(void); - --#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) --# error OpenSSL 1.0.1 or greater is required -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) -+# error OpenSSL 1.1.0 or greater is required - #endif -- --#ifndef OPENSSL_VERSION --# define OPENSSL_VERSION SSLEAY_VERSION --#endif -- --#ifndef HAVE_OPENSSL_VERSION --# define OpenSSL_version(x) SSLeay_version(x) --#endif -- --#ifndef HAVE_OPENSSL_VERSION_NUM --# define OpenSSL_version_num SSLeay --#endif -- --#if OPENSSL_VERSION_NUMBER < 0x10000001L --# define LIBCRYPTO_EVP_INL_TYPE unsigned int --#else --# define LIBCRYPTO_EVP_INL_TYPE size_t -+#ifdef LIBRESSL_VERSION_NUMBER -+# if LIBRESSL_VERSION_NUMBER < 0x3010000fL -+# error LibreSSL 3.1.0 or greater is required -+# endif - #endif - - #ifndef OPENSSL_RSA_MAX_MODULUS_BITS -@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); - # endif - #endif - --/* LibreSSL/OpenSSL 1.1x API compat */ --#ifndef HAVE_DSA_GET0_PQG --void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, -- const BIGNUM **g); --#endif /* HAVE_DSA_GET0_PQG */ -- --#ifndef HAVE_DSA_SET0_PQG --int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); --#endif /* HAVE_DSA_SET0_PQG */ -- --#ifndef HAVE_DSA_GET0_KEY --void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, -- const BIGNUM **priv_key); --#endif /* HAVE_DSA_GET0_KEY */ -- --#ifndef HAVE_DSA_SET0_KEY --int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); --#endif /* HAVE_DSA_SET0_KEY */ -- - #ifndef HAVE_EVP_CIPHER_CTX_GET_IV - # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV - # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv -@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, - const unsigned char *iv, size_t len); - #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ - --#ifndef HAVE_RSA_GET0_KEY --void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, -- const BIGNUM **d); --#endif /* HAVE_RSA_GET0_KEY */ -- --#ifndef HAVE_RSA_SET0_KEY --int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); --#endif /* HAVE_RSA_SET0_KEY */ -- --#ifndef HAVE_RSA_GET0_CRT_PARAMS --void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, -- const BIGNUM **iqmp); --#endif /* HAVE_RSA_GET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_SET0_CRT_PARAMS --int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); --#endif /* HAVE_RSA_SET0_CRT_PARAMS */ -- --#ifndef HAVE_RSA_GET0_FACTORS --void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); --#endif /* HAVE_RSA_GET0_FACTORS */ -- --#ifndef HAVE_RSA_SET0_FACTORS --int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); --#endif /* HAVE_RSA_SET0_FACTORS */ -- --#ifndef DSA_SIG_GET0 --void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); --#endif /* DSA_SIG_GET0 */ -- --#ifndef DSA_SIG_SET0 --int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); --#endif /* DSA_SIG_SET0 */ -- --#ifdef OPENSSL_HAS_ECC --#ifndef HAVE_ECDSA_SIG_GET0 --void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); --#endif /* HAVE_ECDSA_SIG_GET0 */ -- --#ifndef HAVE_ECDSA_SIG_SET0 --int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); --#endif /* HAVE_ECDSA_SIG_SET0 */ --#endif /* OPENSSL_HAS_ECC */ -- --#ifndef HAVE_DH_GET0_PQG --void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, -- const BIGNUM **g); --#endif /* HAVE_DH_GET0_PQG */ -- --#ifndef HAVE_DH_SET0_PQG --int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); --#endif /* HAVE_DH_SET0_PQG */ -- --#ifndef HAVE_DH_GET0_KEY --void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); --#endif /* HAVE_DH_GET0_KEY */ -- --#ifndef HAVE_DH_SET0_KEY --int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); --#endif /* HAVE_DH_SET0_KEY */ -- --#ifndef HAVE_DH_SET_LENGTH --int DH_set_length(DH *dh, long length); --#endif /* HAVE_DH_SET_LENGTH */ -- --#ifndef HAVE_RSA_METH_FREE --void RSA_meth_free(RSA_METHOD *meth); --#endif /* HAVE_RSA_METH_FREE */ -- --#ifndef HAVE_RSA_METH_DUP --RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); --#endif /* HAVE_RSA_METH_DUP */ -- --#ifndef HAVE_RSA_METH_SET1_NAME --int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); --#endif /* HAVE_RSA_METH_SET1_NAME */ -- --#ifndef HAVE_RSA_METH_GET_FINISH --int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); --#endif /* HAVE_RSA_METH_GET_FINISH */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_ENC --int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); --#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ -- --#ifndef HAVE_RSA_METH_SET_PRIV_DEC --int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, -- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); --#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ -- --#ifndef HAVE_RSA_METH_SET_FINISH --int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); --#endif /* HAVE_RSA_METH_SET_FINISH */ -- --#ifndef HAVE_EVP_PKEY_GET0_RSA --RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); --#endif /* HAVE_EVP_PKEY_GET0_RSA */ -- --#ifndef HAVE_EVP_MD_CTX_new --EVP_MD_CTX *EVP_MD_CTX_new(void); --#endif /* HAVE_EVP_MD_CTX_new */ -- --#ifndef HAVE_EVP_MD_CTX_free --void EVP_MD_CTX_free(EVP_MD_CTX *ctx); --#endif /* HAVE_EVP_MD_CTX_free */ -- - #endif /* WITH_OPENSSL */ - #endif /* _OPENSSL_COMPAT_H */ diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p2.bb b/meta/recipes-connectivity/openssh/openssh_9.3p2.bb deleted file mode 100644 index 5fb2dccdfc..0000000000 --- a/meta/recipes-connectivity/openssh/openssh_9.3p2.bb +++ /dev/null @@ -1,176 +0,0 @@ -SUMMARY = "A suite of security-related network utilities based on \ -the SSH protocol including the ssh client and sshd server" -DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ -Ssh (Secure Shell) is a program for logging into a remote machine \ -and for executing commands on a remote machine." -HOMEPAGE = "http://www.openssh.com/" -SECTION = "console/network" -LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT" -LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394" - -DEPENDS = "zlib openssl virtual/crypt" -DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ - file://sshd_config \ - file://ssh_config \ - file://init \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://sshd.socket \ - file://sshd@.service \ - file://sshdgenkeys.service \ - file://volatiles.99_sshd \ - file://run-ptest \ - file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ - file://sshd_check_keys \ - file://add-test-support-for-busybox.patch \ - file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \ - " -SRC_URI[sha256sum] = "200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8" - -CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." - -# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 -# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \ -Red Hat Enterprise Linux 7 and when running in a Kerberos environment" - -CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries." - -PAM_SRC_URI = "file://sshd" - -inherit manpages useradd update-rc.d update-alternatives systemd - -USERADD_PACKAGES = "${PN}-sshd" -USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" -INITSCRIPT_PACKAGES = "${PN}-sshd" -INITSCRIPT_NAME:${PN}-sshd = "sshd" -INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" - -SYSTEMD_PACKAGES = "${PN}-sshd" -SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" - -inherit autotools-brokensep ptest - -PACKAGECONFIG ??= "" -PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" -PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" -PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" -PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" - -EXTRA_AUTORECONF += "--exclude=aclocal" - -# login path is hardcoded in sshd -EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - --without-zlib-version-check \ - --with-privsep-path=${localstatedir}/run/sshd \ - --sysconfdir=${sysconfdir}/ssh \ - --with-xauth=${bindir}/xauth \ - --disable-strip \ - " - -# musl doesn't implement wtmp/utmp and logwtmp -EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" - -# Since we do not depend on libbsd, we do not want configure to use it -# just because it finds libutil.h. But, specifying --disable-libutil -# causes compile errors, so... -CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" - -# passwd path is hardcoded in sshd -CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" - -# We don't want to depend on libblockfile -CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" - -do_configure:prepend () { - export LD="${CC}" - install -m 0644 ${WORKDIR}/sshd_config ${B}/ - install -m 0644 ${WORKDIR}/ssh_config ${B}/ -} - -do_compile_ptest() { - oe_runmake regress-binaries regress-unit-binaries -} - -do_install:append () { - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then - install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config - fi - - install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd - rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin - rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} - install -d ${D}/${sysconfdir}/default/volatiles - install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd - install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} - - # Create config files for read-only rootfs - install -d ${D}${sysconfdir}/ssh - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly - sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly - - install -d ${D}${systemd_system_unitdir} - install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} - install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} - install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - -e 's,@BINDIR@,${bindir},g' \ - -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ - ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service - - sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ - ${D}${sysconfdir}/init.d/sshd - - install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys -} - -do_install_ptest () { - sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh - cp -r regress ${D}${PTEST_PATH} - cp config.h ${D}${PTEST_PATH} -} - -ALLOW_EMPTY:${PN} = "1" - -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" -FILES:${PN}-scp = "${bindir}/scp.${BPN}" -FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" -FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" -FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" -FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" -FILES:${PN}-sftp = "${bindir}/sftp" -FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" -FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" -FILES:${PN}-keygen = "${bindir}/ssh-keygen" - -RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" -RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies -RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils openssl-bin" - -RPROVIDES:${PN}-ssh = "ssh" -RPROVIDES:${PN}-sshd = "sshd" - -RCONFLICTS:${PN} = "dropbear" -RCONFLICTS:${PN}-sshd = "dropbear" - -CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config" -CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config" - -ALTERNATIVE_PRIORITY = "90" -ALTERNATIVE:${PN}-scp = "scp" -ALTERNATIVE:${PN}-ssh = "ssh" - -BBCLASSEXTEND += "nativesdk" diff --git a/meta/recipes-connectivity/openssh/openssh_9.4p1.bb b/meta/recipes-connectivity/openssh/openssh_9.4p1.bb new file mode 100644 index 0000000000..3f232a839d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh_9.4p1.bb @@ -0,0 +1,175 @@ +SUMMARY = "A suite of security-related network utilities based on \ +the SSH protocol including the ssh client and sshd server" +DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \ +Ssh (Secure Shell) is a program for logging into a remote machine \ +and for executing commands on a remote machine." +HOMEPAGE = "http://www.openssh.com/" +SECTION = "console/network" +LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT" +LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394" + +DEPENDS = "zlib openssl virtual/crypt" +DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \ + file://sshd_config \ + file://ssh_config \ + file://init \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://sshd.socket \ + file://sshd@.service \ + file://sshdgenkeys.service \ + file://volatiles.99_sshd \ + file://run-ptest \ + file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ + file://sshd_check_keys \ + file://add-test-support-for-busybox.patch \ + " +SRC_URI[sha256sum] = "3608fd9088db2163ceb3e600c85ab79d0de3d221e59192ea1923e23263866a85" + +CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." + +# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 +# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded +CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \ +Red Hat Enterprise Linux 7 and when running in a Kerberos environment" + +CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries." + +PAM_SRC_URI = "file://sshd" + +inherit manpages useradd update-rc.d update-alternatives systemd + +USERADD_PACKAGES = "${PN}-sshd" +USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd" +INITSCRIPT_PACKAGES = "${PN}-sshd" +INITSCRIPT_NAME:${PN}-sshd = "sshd" +INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" + +SYSTEMD_PACKAGES = "${PN}-sshd" +SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" + +inherit autotools-brokensep ptest + +PACKAGECONFIG ??= "" +PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" +PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" +PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" +PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" + +EXTRA_AUTORECONF += "--exclude=aclocal" + +# login path is hardcoded in sshd +EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + --without-zlib-version-check \ + --with-privsep-path=${localstatedir}/run/sshd \ + --sysconfdir=${sysconfdir}/ssh \ + --with-xauth=${bindir}/xauth \ + --disable-strip \ + " + +# musl doesn't implement wtmp/utmp and logwtmp +EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" + +# Since we do not depend on libbsd, we do not want configure to use it +# just because it finds libutil.h. But, specifying --disable-libutil +# causes compile errors, so... +CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no" + +# passwd path is hardcoded in sshd +CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd" + +# We don't want to depend on libblockfile +CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" + +do_configure:prepend () { + export LD="${CC}" + install -m 0644 ${WORKDIR}/sshd_config ${B}/ + install -m 0644 ${WORKDIR}/ssh_config ${B}/ +} + +do_compile_ptest() { + oe_runmake regress-binaries regress-unit-binaries +} + +do_install:append () { + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then + install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd + sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config + fi + + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd + rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin + rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir} + install -d ${D}/${sysconfdir}/default/volatiles + install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd + install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} + + # Create config files for read-only rootfs + install -d ${D}${sysconfdir}/ssh + install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly + sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly + + install -d ${D}${systemd_system_unitdir} + install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} + install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} + install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BINDIR@,${bindir},g' \ + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service + + sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${sysconfdir}/init.d/sshd + + install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys +} + +do_install_ptest () { + sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh + cp -r regress ${D}${PTEST_PATH} + cp config.h ${D}${PTEST_PATH} +} + +ALLOW_EMPTY:${PN} = "1" + +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server" +FILES:${PN}-scp = "${bindir}/scp.${BPN}" +FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config" +FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}" +FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd" +FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys" +FILES:${PN}-sftp = "${bindir}/sftp" +FILES:${PN}-sftp-server = "${libexecdir}/sftp-server" +FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*" +FILES:${PN}-keygen = "${bindir}/ssh-keygen" + +RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" +RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" +# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies +RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils openssl-bin" + +RPROVIDES:${PN}-ssh = "ssh" +RPROVIDES:${PN}-sshd = "sshd" + +RCONFLICTS:${PN} = "dropbear" +RCONFLICTS:${PN}-sshd = "dropbear" + +CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config" +CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config" + +ALTERNATIVE_PRIORITY = "90" +ALTERNATIVE:${PN}-scp = "scp" +ALTERNATIVE:${PN}-ssh = "ssh" + +BBCLASSEXTEND += "nativesdk" -- cgit v1.2.3-54-g00ecf