3 files changed, 188 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
new file mode 100644
index 0000000000..26193c2e53
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -0,0 +1,116 @@
+From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 18 Mar 2016 15:49:31 +0800
+Subject: [PATCH 2/3] remove des in cipher.
+Upstream-status: Pending
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ cipher.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/cipher.c b/cipher.c
+index 02dae6f..63d3c29 100644
+--- a/cipher.c
+++ b/cipher.c
+@@ -53,8 +53,10 @@
+ 
+ #ifdef WITH_SSH1
+ extern const EVP_CIPHER *evp_ssh1_bf(void);
+#ifndef OPENSSL_NO_DES
+ extern const EVP_CIPHER *evp_ssh1_3des(void);
+ extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+#endif /* OPENSSL_NO_DES */
+ #endif
+ 
+ struct sshcipher {
+@@ -79,13 +81,17 @@ struct sshcipher {
+ 
+ static const struct sshcipher ciphers[] = {
+ #ifdef WITH_SSH1
+#ifndef OPENSSL_NO_DES
+        { "des",        SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
+        { "3des",       SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+#endif /* OPENSSL_NO_DES */
+        { "blowfish",   SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
+ #endif /* WITH_SSH1 */
+ #ifdef WITH_OPENSSL
+        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+#ifndef OPENSSL_NO_DES
+        { "3des-cbc",   SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+#endif /* OPENSSL_NO_DES */
+        { "blowfish-cbc",
+                        SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
+        { "cast128-cbc",
+@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c)
+ u_int
+ cipher_seclen(const struct sshcipher *c)
+ {
+#ifndef OPENSSL_NO_DES
+        if (strcmp("3des-cbc", c->name) == 0)
+                return 14;
+#endif /* OPENSSL_NO_DES */
+        return cipher_keylen(c);
+ }
+ 
+@@ -201,11 +209,13 @@ u_int
+ cipher_mask_ssh1(int client)
+ {
+        u_int mask = 0;
+#ifndef OPENSSL_NO_DES
+        mask |= 1 << SSH_CIPHER_3DES;           /* Mandatory */
+        mask |= 1 << SSH_CIPHER_BLOWFISH;
+        if (client) {
+                mask |= 1 << SSH_CIPHER_DES;
+        }
+#endif /*OPENSSL_NO_DES*/
+        return mask;
+ }
+ 
+@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+        switch (c->number) {
+ #ifdef WITH_OPENSSL
+        case SSH_CIPHER_SSH2:
+#ifndef OPENSSL_NO_DES
+        case SSH_CIPHER_DES:
+#endif /* OPENSSL_NO_DES */
+        case SSH_CIPHER_BLOWFISH:
+                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                if (evplen == 0)
+@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
+                break;
+ #endif
+ #ifdef WITH_SSH1
+#ifndef OPENSSL_NO_DES
+        case SSH_CIPHER_3DES:
+                return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+#endif /* OPENSSL_NO_DES */
+ #endif
+        default:
+                return SSH_ERR_INVALID_ARGUMENT;
+@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+        switch (c->number) {
+ #ifdef WITH_OPENSSL
+        case SSH_CIPHER_SSH2:
+#ifndef OPENSSL_NO_DES
+        case SSH_CIPHER_DES:
+#endif /* OPENSSL_NO_DES */
+        case SSH_CIPHER_BLOWFISH:
+                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+                if (evplen <= 0)
+@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
+                break;
+ #endif
+ #ifdef WITH_SSH1
+#ifndef OPENSSL_NO_DES
+        case SSH_CIPHER_3DES:
+                return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+#endif /* OPENSSL_NO_DES */
+ #endif
+        default:
+                return SSH_ERR_INVALID_ARGUMENT;
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
new file mode 100644
index 0000000000..bd02028816
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -0,0 +1,70 @@
+From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 18 Mar 2016 15:59:21 +0800
+Subject: [PATCH 3/3] remove des in pkcs11.
+Upstream-status: Pending
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ pkcs11.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/pkcs11.h b/pkcs11.h
+index b01d58f..98b36e6 100644
+--- a/pkcs11.h
+++ b/pkcs11.h
+@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t;
+ #define CKK_GENERIC_SECRET     (0x10)
+ #define CKK_RC2                        (0x11)
+ #define CKK_RC4                        (0x12)
+#ifndef OPENSSL_NO_DES
+ #define CKK_DES                        (0x13)
+ #define CKK_DES2               (0x14)
+ #define CKK_DES3               (0x15)
+#endif /* OPENSSL_NO_DES */
+ #define CKK_CAST               (0x16)
+ #define CKK_CAST3              (0x17)
+ #define CKK_CAST128            (0x18)
+@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t;
+ #define CKM_RC2_CBC_PAD                        (0x105)
+ #define CKM_RC4_KEY_GEN                        (0x110)
+ #define CKM_RC4                                (0x111)
+#ifndef OPENSSL_NO_DES
+ #define CKM_DES_KEY_GEN                        (0x120)
+ #define CKM_DES_ECB                    (0x121)
+ #define CKM_DES_CBC                    (0x122)
+@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t;
+ #define CKM_DES3_MAC                   (0x134)
+ #define CKM_DES3_MAC_GENERAL           (0x135)
+ #define CKM_DES3_CBC_PAD               (0x136)
+#endif /* OPENSSL_NO_DES */
+ #define CKM_CDMF_KEY_GEN               (0x140)
+ #define CKM_CDMF_ECB                   (0x141)
+ #define CKM_CDMF_CBC                   (0x142)
+@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t;
+ #define CKM_MD5_KEY_DERIVATION         (0x390)
+ #define CKM_MD2_KEY_DERIVATION         (0x391)
+ #define CKM_SHA1_KEY_DERIVATION                (0x392)
+#ifndef OPENSSL_NO_DES
+ #define CKM_PBE_MD2_DES_CBC            (0x3a0)
+ #define CKM_PBE_MD5_DES_CBC            (0x3a1)
+#endif /* OPENSSL_NO_DES */
+ #define CKM_PBE_MD5_CAST_CBC           (0x3a2)
+ #define CKM_PBE_MD5_CAST3_CBC          (0x3a3)
+ #define CKM_PBE_MD5_CAST5_CBC          (0x3a4)
+@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t;
+ #define CKM_PBE_SHA1_CAST128_CBC       (0x3a5)
+ #define CKM_PBE_SHA1_RC4_128           (0x3a6)
+ #define CKM_PBE_SHA1_RC4_40            (0x3a7)
+#ifndef OPENSSL_NO_DES
+ #define CKM_PBE_SHA1_DES3_EDE_CBC      (0x3a8)
+ #define CKM_PBE_SHA1_DES2_EDE_CBC      (0x3a9)
+#endif /* OPENSSL_NO_DES */
+ #define CKM_PBE_SHA1_RC2_128_CBC       (0x3aa)
+ #define CKM_PBE_SHA1_RC2_40_CBC                (0x3ab)
+ #define CKM_PKCS5_PBKD2                        (0x3b0)
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
index 01b5d500f3..21eefab8ff 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://add-test-support-for-busybox.patch \
           file://run-ptest \
           file://CVE-2015-8325.patch \
+           file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
+           file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
           "
 PAM_SRC_URI = "file://sshd"

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch new file mode 100644 index 0000000000..26193c2e53 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch
@@ -0,0 +1,116 @@
		1	From 1cd94ed4750d5392cf3c09ed64d2c162a0833bdb Mon Sep 17 00:00:00 2001
		2	From: Haiqing Bai <Haiqing.Bai@windriver.com>
		3	Date: Fri, 18 Mar 2016 15:49:31 +0800
		4	Subject: [PATCH 2/3] remove des in cipher.
		5
		6	Upstream-status: Pending
		7
		8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
		9
		10	---
		11	cipher.c \| 18 ++++++++++++++++++
		12	1 file changed, 18 insertions(+)
		13
		14	diff --git a/cipher.c b/cipher.c
		15	index 02dae6f..63d3c29 100644
		16	--- a/cipher.c
		17	+++ b/cipher.c
		18	@@ -53,8 +53,10 @@
		19
		20	#ifdef WITH_SSH1
		21	extern const EVP_CIPHER *evp_ssh1_bf(void);
		22	+#ifndef OPENSSL_NO_DES
		23	extern const EVP_CIPHER *evp_ssh1_3des(void);
		24	extern int ssh1_3des_iv(EVP_CIPHER_CTX , int, u_char , int);
		25	+#endif /* OPENSSL_NO_DES */
		26	#endif
		27
		28	struct sshcipher {
		29	@@ -79,13 +81,17 @@ struct sshcipher {
		30
		31	static const struct sshcipher ciphers[] = {
		32	#ifdef WITH_SSH1
		33	+#ifndef OPENSSL_NO_DES
		34	{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
		35	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
		36	+#endif /* OPENSSL_NO_DES */
		37	{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
		38	#endif /* WITH_SSH1 */
		39	#ifdef WITH_OPENSSL
		40	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
		41	+#ifndef OPENSSL_NO_DES
		42	{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
		43	+#endif /* OPENSSL_NO_DES */
		44	{ "blowfish-cbc",
		45	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
		46	{ "cast128-cbc",
		47	@@ -163,8 +169,10 @@ cipher_keylen(const struct sshcipher *c)
		48	u_int
		49	cipher_seclen(const struct sshcipher *c)
		50	{
		51	+#ifndef OPENSSL_NO_DES
		52	if (strcmp("3des-cbc", c->name) == 0)
		53	return 14;
		54	+#endif /* OPENSSL_NO_DES */
		55	return cipher_keylen(c);
		56	}
		57
		58	@@ -201,11 +209,13 @@ u_int
		59	cipher_mask_ssh1(int client)
		60	{
		61	u_int mask = 0;
		62	+#ifndef OPENSSL_NO_DES
		63	mask \|= 1 << SSH_CIPHER_3DES; /* Mandatory */
		64	mask \|= 1 << SSH_CIPHER_BLOWFISH;
		65	if (client) {
		66	mask \|= 1 << SSH_CIPHER_DES;
		67	}
		68	+#endif /OPENSSL_NO_DES/
		69	return mask;
		70	}
		71
		72	@@ -546,7 +556,9 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
		73	switch (c->number) {
		74	#ifdef WITH_OPENSSL
		75	case SSH_CIPHER_SSH2:
		76	+#ifndef OPENSSL_NO_DES
		77	case SSH_CIPHER_DES:
		78	+#endif /* OPENSSL_NO_DES */
		79	case SSH_CIPHER_BLOWFISH:
		80	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
		81	if (evplen == 0)
		82	@@ -569,8 +581,10 @@ cipher_get_keyiv(struct sshcipher_ctx cc, u_char iv, u_int len)
		83	break;
		84	#endif
		85	#ifdef WITH_SSH1
		86	+#ifndef OPENSSL_NO_DES
		87	case SSH_CIPHER_3DES:
		88	return ssh1_3des_iv(&cc->evp, 0, iv, 24);
		89	+#endif /* OPENSSL_NO_DES */
		90	#endif
		91	default:
		92	return SSH_ERR_INVALID_ARGUMENT;
		93	@@ -594,7 +608,9 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
		94	switch (c->number) {
		95	#ifdef WITH_OPENSSL
		96	case SSH_CIPHER_SSH2:
		97	+#ifndef OPENSSL_NO_DES
		98	case SSH_CIPHER_DES:
		99	+#endif /* OPENSSL_NO_DES */
		100	case SSH_CIPHER_BLOWFISH:
		101	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
		102	if (evplen <= 0)
		103	@@ -609,8 +625,10 @@ cipher_set_keyiv(struct sshcipher_ctx cc, const u_char iv)
		104	break;
		105	#endif
		106	#ifdef WITH_SSH1
		107	+#ifndef OPENSSL_NO_DES
		108	case SSH_CIPHER_3DES:
		109	return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
		110	+#endif /* OPENSSL_NO_DES */
		111	#endif
		112	default:
		113	return SSH_ERR_INVALID_ARGUMENT;
		114	--
		115	1.9.1
		116


diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch new file mode 100644 index 0000000000..bd02028816 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch
@@ -0,0 +1,70 @@
		1	From 04cfd84423f693d879dc3ffebb0f6fe2680c254f Mon Sep 17 00:00:00 2001
		2	From: Haiqing Bai <Haiqing.Bai@windriver.com>
		3	Date: Fri, 18 Mar 2016 15:59:21 +0800
		4	Subject: [PATCH 3/3] remove des in pkcs11.
		5
		6	Upstream-status: Pending
		7
		8	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
		9
		10	---
		11	pkcs11.h \| 8 ++++++++
		12	1 file changed, 8 insertions(+)
		13
		14	diff --git a/pkcs11.h b/pkcs11.h
		15	index b01d58f..98b36e6 100644
		16	--- a/pkcs11.h
		17	+++ b/pkcs11.h
		18	@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t;
		19	#define CKK_GENERIC_SECRET (0x10)
		20	#define CKK_RC2 (0x11)
		21	#define CKK_RC4 (0x12)
		22	+#ifndef OPENSSL_NO_DES
		23	#define CKK_DES (0x13)
		24	#define CKK_DES2 (0x14)
		25	#define CKK_DES3 (0x15)
		26	+#endif /* OPENSSL_NO_DES */
		27	#define CKK_CAST (0x16)
		28	#define CKK_CAST3 (0x17)
		29	#define CKK_CAST128 (0x18)
		30	@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t;
		31	#define CKM_RC2_CBC_PAD (0x105)
		32	#define CKM_RC4_KEY_GEN (0x110)
		33	#define CKM_RC4 (0x111)
		34	+#ifndef OPENSSL_NO_DES
		35	#define CKM_DES_KEY_GEN (0x120)
		36	#define CKM_DES_ECB (0x121)
		37	#define CKM_DES_CBC (0x122)
		38	@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t;
		39	#define CKM_DES3_MAC (0x134)
		40	#define CKM_DES3_MAC_GENERAL (0x135)
		41	#define CKM_DES3_CBC_PAD (0x136)
		42	+#endif /* OPENSSL_NO_DES */
		43	#define CKM_CDMF_KEY_GEN (0x140)
		44	#define CKM_CDMF_ECB (0x141)
		45	#define CKM_CDMF_CBC (0x142)
		46	@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t;
		47	#define CKM_MD5_KEY_DERIVATION (0x390)
		48	#define CKM_MD2_KEY_DERIVATION (0x391)
		49	#define CKM_SHA1_KEY_DERIVATION (0x392)
		50	+#ifndef OPENSSL_NO_DES
		51	#define CKM_PBE_MD2_DES_CBC (0x3a0)
		52	#define CKM_PBE_MD5_DES_CBC (0x3a1)
		53	+#endif /* OPENSSL_NO_DES */
		54	#define CKM_PBE_MD5_CAST_CBC (0x3a2)
		55	#define CKM_PBE_MD5_CAST3_CBC (0x3a3)
		56	#define CKM_PBE_MD5_CAST5_CBC (0x3a4)
		57	@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t;
		58	#define CKM_PBE_SHA1_CAST128_CBC (0x3a5)
		59	#define CKM_PBE_SHA1_RC4_128 (0x3a6)
		60	#define CKM_PBE_SHA1_RC4_40 (0x3a7)
		61	+#ifndef OPENSSL_NO_DES
		62	#define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8)
		63	#define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9)
		64	+#endif /* OPENSSL_NO_DES */
		65	#define CKM_PBE_SHA1_RC2_128_CBC (0x3aa)
		66	#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
		67	#define CKM_PKCS5_PBKD2 (0x3b0)
		68	--
		69	1.9.1
		70


diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb index 01b5d500f3..21eefab8ff 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
23	file://add-test-support-for-busybox.patch \	23	file://add-test-support-for-busybox.patch \
24	file://run-ptest \	24	file://run-ptest \
25	file://CVE-2015-8325.patch \	25	file://CVE-2015-8325.patch \
		26	file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
		27	file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
26	"	28	"
27		29
28	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"