2 files changed, 172 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
new file mode 100644
index 0000000000..ead3256915
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
@@ -0,0 +1,171 @@
+From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:46:12 +0000
+Subject: [PATCH] upstream: apply destination constraints to all p11 keys
+Previously applied only to the first key returned from each token.
+ok markus@
+OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
+CVE: CVE-2023-51384
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ ssh-agent.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 98 insertions(+), 4 deletions(-)
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 19eeaae..4dbb4f3 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -249,6 +249,90 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
+        free(dcs);
+ }
+static void
+dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
+    struct dest_constraint_hop *out)
+{
+       u_int i;
+       int r;
+
+       out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
+       out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
+       out->is_ca = dch->is_ca;
+       out->nkeys = dch->nkeys;
+       out->keys = out->nkeys == 0 ? NULL :
+           xcalloc(out->nkeys, sizeof(*out->keys));
+       out->key_is_ca = out->nkeys == 0 ? NULL :
+           xcalloc(out->nkeys, sizeof(*out->key_is_ca));
+       for (i = 0; i < dch->nkeys; i++) {
+               if (dch->keys[i] != NULL &&
+                   (r = sshkey_from_private(dch->keys[i],
+                   &(out->keys[i]))) != 0)
+                       fatal_fr(r, "copy key");
+               out->key_is_ca[i] = dch->key_is_ca[i];
+       }
+}
+
+static struct dest_constraint *
+dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
+{
+       size_t i;
+       struct dest_constraint *ret;
+
+       if (ndcs == 0)
+               return NULL;
+       ret = xcalloc(ndcs, sizeof(*ret));
+       for (i = 0; i < ndcs; i++) {
+               dup_dest_constraint_hop(&dcs[i].from, &ret[i].from);
+               dup_dest_constraint_hop(&dcs[i].to, &ret[i].to);
+       }
+       return ret;
+}
+
+#ifdef DEBUG_CONSTRAINTS
+static void
+dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
+{
+       u_int i;
+       char *fp;
+
+       debug_f("user %s hostname %s is_ca %d nkeys %u",
+           dch->user == NULL ? "(null)" : dch->user,
+           dch->hostname == NULL ? "(null)" : dch->hostname,
+           dch->is_ca, dch->nkeys);
+       for (i = 0; i < dch->nkeys; i++) {
+               fp = NULL;
+               if (dch->keys[i] != NULL &&
+                   (fp = sshkey_fingerprint(dch->keys[i],
+                   SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
+                       fatal_f("fingerprint failed");
+               debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
+                   dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
+                   dch->keys[i] == NULL ? "" : " ",
+                   dch->keys[i] == NULL ? "none" : fp,
+                   dch->key_is_ca[i]);
+               free(fp);
+       }
+}
+#endif /* DEBUG_CONSTRAINTS */
+
+static void
+dump_dest_constraints(const char *context,
+    const struct dest_constraint *dcs, size_t ndcs)
+{
+#ifdef DEBUG_CONSTRAINTS
+       size_t i;
+
+       debug_f("%s: %zu constraints", context, ndcs);
+       for (i = 0; i < ndcs; i++) {
+               debug_f("constraint %zu / %zu: from: ", i, ndcs);
+               dump_dest_constraint_hop(&dcs[i].from);
+               debug_f("constraint %zu / %zu: to: ", i, ndcs);
+               dump_dest_constraint_hop(&dcs[i].to);
+       }
+       debug_f("done for %s", context);
+#endif /* DEBUG_CONSTRAINTS */
+}
+ static void
+ free_identity(Identity *id)
+ {
+@@ -520,13 +604,22 @@ process_request_identities(SocketEntry *e)
+        Identity *id;
+        struct sshbuf *msg, *keys;
+        int r;
+-       u_int nentries = 0;
+       u_int i = 0, nentries = 0;
+       char *fp;
+        debug2_f("entering");
+        if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL)
+                fatal_f("sshbuf_new failed");
+        TAILQ_FOREACH(id, &idtab->idlist, next) {
+               if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
+                   SSH_FP_DEFAULT)) == NULL)
+                       fatal_f("fingerprint failed");
+               debug_f("key %u / %u: %s %s", i++, idtab->nentries,
+                   sshkey_ssh_name(id->key), fp);
+               dump_dest_constraints(__func__,
+                   id->dest_constraints, id->ndest_constraints);
+               free(fp);
+                /* identity not visible, don't include in response */
+                if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
+                        continue;
+@@ -1235,6 +1328,7 @@ process_add_identity(SocketEntry *e)
+                sshbuf_reset(e->request);
+                goto out;
+        }
+       dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
+        if (sk_provider != NULL) {
+                if (!sshkey_is_sk(k)) {
+@@ -1414,6 +1508,7 @@ process_add_smartcard_key(SocketEntry *e)
+                error_f("failed to parse constraints");
+                goto send;
+        }
+       dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
+        if (e->nsession_ids != 0 && !remote_add_provider) {
+                verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+                    "providers is disabled", provider);
+@@ -1449,10 +1544,9 @@ process_add_smartcard_key(SocketEntry *e)
+                        }
+                        id->death = death;
+                        id->confirm = confirm;
+-                       id->dest_constraints = dest_constraints;
+                       id->dest_constraints = dup_dest_constraints(
+                           dest_constraints, ndest_constraints);
+                        id->ndest_constraints = ndest_constraints;
+-                       dest_constraints = NULL; /* transferred */
+-                       ndest_constraints = 0;
+                        TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+                        idtab->nentries++;
+                        success = 1;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 7ad9bced1b..3860899540 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2023-38408-0004.patch \
           file://fix-authorized-principals-command.patch \
           file://CVE-2023-48795.patch \
+           file://CVE-2023-51384.patch \
           "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch new file mode 100644 index 0000000000..ead3256915 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
@@ -0,0 +1,171 @@
		1	From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Mon, 18 Dec 2023 14:46:12 +0000
		4	Subject: [PATCH] upstream: apply destination constraints to all p11 keys
		5
		6	Previously applied only to the first key returned from each token.
		7
		8	ok markus@
		9
		10	OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
		11
		12	CVE: CVE-2023-51384
		13
		14	Upstream-Status: Backport
		15	https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
		16
		17	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		18	---
		19	ssh-agent.c \| 102 +++++++++++++++++++++++++++++++++++++++++++++++++---
		20	1 file changed, 98 insertions(+), 4 deletions(-)
		21
		22	diff --git a/ssh-agent.c b/ssh-agent.c
		23	index 19eeaae..4dbb4f3 100644
		24	--- a/ssh-agent.c
		25	+++ b/ssh-agent.c
		26	@@ -249,6 +249,90 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
		27	free(dcs);
		28	}
		29
		30	+static void
		31	+dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
		32	+ struct dest_constraint_hop *out)
		33	+{
		34	+ u_int i;
		35	+ int r;
		36	+
		37	+ out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
		38	+ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
		39	+ out->is_ca = dch->is_ca;
		40	+ out->nkeys = dch->nkeys;
		41	+ out->keys = out->nkeys == 0 ? NULL :
		42	+ xcalloc(out->nkeys, sizeof(*out->keys));
		43	+ out->key_is_ca = out->nkeys == 0 ? NULL :
		44	+ xcalloc(out->nkeys, sizeof(*out->key_is_ca));
		45	+ for (i = 0; i < dch->nkeys; i++) {
		46	+ if (dch->keys[i] != NULL &&
		47	+ (r = sshkey_from_private(dch->keys[i],
		48	+ &(out->keys[i]))) != 0)
		49	+ fatal_fr(r, "copy key");
		50	+ out->key_is_ca[i] = dch->key_is_ca[i];
		51	+ }
		52	+}
		53	+
		54	+static struct dest_constraint *
		55	+dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
		56	+{
		57	+ size_t i;
		58	+ struct dest_constraint *ret;
		59	+
		60	+ if (ndcs == 0)
		61	+ return NULL;
		62	+ ret = xcalloc(ndcs, sizeof(*ret));
		63	+ for (i = 0; i < ndcs; i++) {
		64	+ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from);
		65	+ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to);
		66	+ }
		67	+ return ret;
		68	+}
		69	+
		70	+#ifdef DEBUG_CONSTRAINTS
		71	+static void
		72	+dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
		73	+{
		74	+ u_int i;
		75	+ char *fp;
		76	+
		77	+ debug_f("user %s hostname %s is_ca %d nkeys %u",
		78	+ dch->user == NULL ? "(null)" : dch->user,
		79	+ dch->hostname == NULL ? "(null)" : dch->hostname,
		80	+ dch->is_ca, dch->nkeys);
		81	+ for (i = 0; i < dch->nkeys; i++) {
		82	+ fp = NULL;
		83	+ if (dch->keys[i] != NULL &&
		84	+ (fp = sshkey_fingerprint(dch->keys[i],
		85	+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
		86	+ fatal_f("fingerprint failed");
		87	+ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
		88	+ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
		89	+ dch->keys[i] == NULL ? "" : " ",
		90	+ dch->keys[i] == NULL ? "none" : fp,
		91	+ dch->key_is_ca[i]);
		92	+ free(fp);
		93	+ }
		94	+}
		95	+#endif /* DEBUG_CONSTRAINTS */
		96	+
		97	+static void
		98	+dump_dest_constraints(const char *context,
		99	+ const struct dest_constraint *dcs, size_t ndcs)
		100	+{
		101	+#ifdef DEBUG_CONSTRAINTS
		102	+ size_t i;
		103	+
		104	+ debug_f("%s: %zu constraints", context, ndcs);
		105	+ for (i = 0; i < ndcs; i++) {
		106	+ debug_f("constraint %zu / %zu: from: ", i, ndcs);
		107	+ dump_dest_constraint_hop(&dcs[i].from);
		108	+ debug_f("constraint %zu / %zu: to: ", i, ndcs);
		109	+ dump_dest_constraint_hop(&dcs[i].to);
		110	+ }
		111	+ debug_f("done for %s", context);
		112	+#endif /* DEBUG_CONSTRAINTS */
		113	+}
		114	static void
		115	free_identity(Identity *id)
		116	{
		117	@@ -520,13 +604,22 @@ process_request_identities(SocketEntry *e)
		118	Identity *id;
		119	struct sshbuf msg, keys;
		120	int r;
		121	- u_int nentries = 0;
		122	+ u_int i = 0, nentries = 0;
		123	+ char *fp;
		124
		125	debug2_f("entering");
		126
		127	if ((msg = sshbuf_new()) == NULL \|\| (keys = sshbuf_new()) == NULL)
		128	fatal_f("sshbuf_new failed");
		129	TAILQ_FOREACH(id, &idtab->idlist, next) {
		130	+ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
		131	+ SSH_FP_DEFAULT)) == NULL)
		132	+ fatal_f("fingerprint failed");
		133	+ debug_f("key %u / %u: %s %s", i++, idtab->nentries,
		134	+ sshkey_ssh_name(id->key), fp);
		135	+ dump_dest_constraints(__func__,
		136	+ id->dest_constraints, id->ndest_constraints);
		137	+ free(fp);
		138	/* identity not visible, don't include in response */
		139	if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
		140	continue;
		141	@@ -1235,6 +1328,7 @@ process_add_identity(SocketEntry *e)
		142	sshbuf_reset(e->request);
		143	goto out;
		144	}
		145	+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
		146
		147	if (sk_provider != NULL) {
		148	if (!sshkey_is_sk(k)) {
		149	@@ -1414,6 +1508,7 @@ process_add_smartcard_key(SocketEntry *e)
		150	error_f("failed to parse constraints");
		151	goto send;
		152	}
		153	+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
		154	if (e->nsession_ids != 0 && !remote_add_provider) {
		155	verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
		156	"providers is disabled", provider);
		157	@@ -1449,10 +1544,9 @@ process_add_smartcard_key(SocketEntry *e)
		158	}
		159	id->death = death;
		160	id->confirm = confirm;
		161	- id->dest_constraints = dest_constraints;
		162	+ id->dest_constraints = dup_dest_constraints(
		163	+ dest_constraints, ndest_constraints);
		164	id->ndest_constraints = ndest_constraints;
		165	- dest_constraints = NULL; /* transferred */
		166	- ndest_constraints = 0;
		167	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
		168	idtab->nentries++;
		169	success = 1;
		170	--
		171	2.40.0


diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index 7ad9bced1b..3860899540 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
34	file://CVE-2023-38408-0004.patch \	34	file://CVE-2023-38408-0004.patch \
35	file://fix-authorized-principals-command.patch \	35	file://fix-authorized-principals-command.patch \
36	file://CVE-2023-48795.patch \	36	file://CVE-2023-48795.patch \
		37	file://CVE-2023-51384.patch \
37	"	38	"
38	SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"	39	SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
39		40