diff options
Diffstat (limited to 'recipes-connectivity/openssh/openssh')
7 files changed, 346 insertions, 8 deletions
diff --git a/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch new file mode 100644 index 0000000..df64a14 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch @@ -0,0 +1,99 @@ +From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001 +From: Yuanjie Huang <yuanjie.huang@windriver.com> +Date: Wed, 24 Aug 2016 03:15:43 +0000 +Subject: [PATCH] Fix potential signed overflow in pointer arithmatic + +Pointer arithmatic results in implementation defined signed integer +type, so that 's - src' in strlcpy and others may trigger signed overflow. +In case of compilation by gcc or clang with -ftrapv option, the overflow +would lead to program abort. + +Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608] + +Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> +--- + openbsd-compat/strlcat.c | 8 ++++++-- + openbsd-compat/strlcpy.c | 8 ++++++-- + openbsd-compat/strnlen.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c +index bcc1b61..e758ebf 100644 +--- a/openbsd-compat/strlcat.c ++++ b/openbsd-compat/strlcat.c +@@ -23,6 +23,7 @@ + + #include <sys/types.h> + #include <string.h> ++#include <stdint.h> + + /* + * Appends src to string dst of size siz (unlike strncat, siz is the +@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz) + s++; + } + *d = '\0'; +- +- return(dlen + (s - src)); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCAT */ +diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c +index b4b1b60..b06f374 100644 +--- a/openbsd-compat/strlcpy.c ++++ b/openbsd-compat/strlcpy.c +@@ -23,6 +23,7 @@ + + #include <sys/types.h> + #include <string.h> ++#include <stdint.h> + + /* + * Copy src to string dst of size siz. At most siz-1 characters +@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz) + while (*s++) + ; + } +- +- return(s - src - 1); /* count does not include NUL */ ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */ + } + + #endif /* !HAVE_STRLCPY */ +diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c +index 93d5155..9b8de5d 100644 +--- a/openbsd-compat/strnlen.c ++++ b/openbsd-compat/strnlen.c +@@ -23,6 +23,7 @@ + #include <sys/types.h> + + #include <string.h> ++#include <stdint.h> + + size_t + strnlen(const char *str, size_t maxlen) +@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen) + + for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--) + ; +- +- return (size_t)(cp - str); ++ /* ++ * Cast pointers to unsigned type before calculation, to avoid signed ++ * overflow when the string ends where the MSB has changed. ++ */ ++ return (size_t)((uintptr_t)cp - (uintptr_t)str); + } + #endif +-- +1.9.1 + diff --git a/recipes-connectivity/openssh/openssh/init b/recipes-connectivity/openssh/openssh/init index 70d4a34..1f63725 100644 --- a/recipes-connectivity/openssh/openssh/init +++ b/recipes-connectivity/openssh/openssh/init @@ -41,7 +41,7 @@ check_privsep_dir() { } check_config() { - /usr/sbin/sshd -t || exit 1 + /usr/sbin/sshd -t $SSHD_OPTS || exit 1 } check_keys() { diff --git a/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch new file mode 100644 index 0000000..c47ccf4 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-cipher.patch @@ -0,0 +1,119 @@ +From 27740c918fe5d78441bcf69e7d2eefb23ddeca4c Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Thu, 19 Jan 2017 03:00:08 -0500 +Subject: [PATCH 1/3] Remove des in cipher. + +Upstream-status: Pending + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> +Signed-off-by: Dengke Du <dengke.du@windriver.com> +--- + cipher.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/cipher.c b/cipher.c +index 2def333..59f6792 100644 +--- a/cipher.c ++++ b/cipher.c +@@ -53,8 +53,10 @@ + + #ifdef WITH_SSH1 + extern const EVP_CIPHER *evp_ssh1_bf(void); ++#ifndef OPENSSL_NO_DES + extern const EVP_CIPHER *evp_ssh1_3des(void); + extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); ++#endif /* OPENSSL_NO_DES */ + #endif + + struct sshcipher_ctx { +@@ -88,15 +90,19 @@ struct sshcipher { + + static const struct sshcipher ciphers[] = { + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, ++#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, + # endif /* OPENSSL_NO_BF */ + #endif /* WITH_SSH1 */ + #ifdef WITH_OPENSSL ++#ifndef OPENSSL_NO_DES + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, ++#endif /* OPENSSL_NO_DES */ + # ifndef OPENSSL_NO_BF + { "blowfish-cbc", + SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, +@@ -180,8 +186,10 @@ cipher_keylen(const struct sshcipher *c) + u_int + cipher_seclen(const struct sshcipher *c) + { ++#ifndef OPENSSL_NO_DES + if (strcmp("3des-cbc", c->name) == 0) + return 14; ++#endif /* OPENSSL_NO_DES */ + return cipher_keylen(c); + } + +@@ -230,11 +238,13 @@ u_int + cipher_mask_ssh1(int client) + { + u_int mask = 0; ++#ifndef OPENSSL_NO_DES + mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ + mask |= 1 << SSH_CIPHER_BLOWFISH; + if (client) { + mask |= 1 << SSH_CIPHER_DES; + } ++#endif /*OPENSSL_NO_DES*/ + return mask; + } + +@@ -606,7 +616,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) + switch (c->number) { + #ifdef WITH_OPENSSL + case SSH_CIPHER_SSH2: ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_DES: ++#endif /* OPENSSL_NO_DES */ + case SSH_CIPHER_BLOWFISH: + evplen = EVP_CIPHER_CTX_iv_length(cc->evp); + if (evplen == 0) +@@ -629,8 +641,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len) + break; + #endif + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_3DES: + return ssh1_3des_iv(cc->evp, 0, iv, 24); ++#endif /* OPENSSL_NO_DES */ + #endif + default: + return SSH_ERR_INVALID_ARGUMENT; +@@ -654,7 +668,9 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) + switch (c->number) { + #ifdef WITH_OPENSSL + case SSH_CIPHER_SSH2: ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_DES: ++#endif /* OPENSSL_NO_DES */ + case SSH_CIPHER_BLOWFISH: + evplen = EVP_CIPHER_CTX_iv_length(cc->evp); + if (evplen <= 0) +@@ -675,8 +691,10 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv) + break; + #endif + #ifdef WITH_SSH1 ++#ifndef OPENSSL_NO_DES + case SSH_CIPHER_3DES: + return ssh1_3des_iv(cc->evp, 1, (u_char *)iv, 24); ++#endif /* OPENSSL_NO_DES */ + #endif + default: + return SSH_ERR_INVALID_ARGUMENT; +-- +2.8.1 + diff --git a/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch new file mode 100644 index 0000000..6281861 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/openssh-7.1p1-conditional-compile-des-in-pkcs11.patch @@ -0,0 +1,70 @@ +From e816fc06e4f8070b09e677ead4d21768784e4c99 Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Thu, 19 Jan 2017 03:21:40 -0500 +Subject: [PATCH 2/3] remove des in pkcs11. + +Upstream-status: Pending + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +Signed-off-by: Dengke Du <dengke.du@windriver.com> +--- + pkcs11.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/pkcs11.h b/pkcs11.h +index b01d58f..98b36e6 100644 +--- a/pkcs11.h ++++ b/pkcs11.h +@@ -342,9 +342,11 @@ typedef unsigned long ck_key_type_t; + #define CKK_GENERIC_SECRET (0x10) + #define CKK_RC2 (0x11) + #define CKK_RC4 (0x12) ++#ifndef OPENSSL_NO_DES + #define CKK_DES (0x13) + #define CKK_DES2 (0x14) + #define CKK_DES3 (0x15) ++#endif /* OPENSSL_NO_DES */ + #define CKK_CAST (0x16) + #define CKK_CAST3 (0x17) + #define CKK_CAST128 (0x18) +@@ -512,6 +514,7 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_RC2_CBC_PAD (0x105) + #define CKM_RC4_KEY_GEN (0x110) + #define CKM_RC4 (0x111) ++#ifndef OPENSSL_NO_DES + #define CKM_DES_KEY_GEN (0x120) + #define CKM_DES_ECB (0x121) + #define CKM_DES_CBC (0x122) +@@ -525,6 +528,7 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_DES3_MAC (0x134) + #define CKM_DES3_MAC_GENERAL (0x135) + #define CKM_DES3_CBC_PAD (0x136) ++#endif /* OPENSSL_NO_DES */ + #define CKM_CDMF_KEY_GEN (0x140) + #define CKM_CDMF_ECB (0x141) + #define CKM_CDMF_CBC (0x142) +@@ -610,8 +614,10 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_MD5_KEY_DERIVATION (0x390) + #define CKM_MD2_KEY_DERIVATION (0x391) + #define CKM_SHA1_KEY_DERIVATION (0x392) ++#ifndef OPENSSL_NO_DES + #define CKM_PBE_MD2_DES_CBC (0x3a0) + #define CKM_PBE_MD5_DES_CBC (0x3a1) ++#endif /* OPENSSL_NO_DES */ + #define CKM_PBE_MD5_CAST_CBC (0x3a2) + #define CKM_PBE_MD5_CAST3_CBC (0x3a3) + #define CKM_PBE_MD5_CAST5_CBC (0x3a4) +@@ -620,8 +626,10 @@ typedef unsigned long ck_mechanism_type_t; + #define CKM_PBE_SHA1_CAST128_CBC (0x3a5) + #define CKM_PBE_SHA1_RC4_128 (0x3a6) + #define CKM_PBE_SHA1_RC4_40 (0x3a7) ++#ifndef OPENSSL_NO_DES + #define CKM_PBE_SHA1_DES3_EDE_CBC (0x3a8) + #define CKM_PBE_SHA1_DES2_EDE_CBC (0x3a9) ++#endif /* OPENSSL_NO_DES */ + #define CKM_PBE_SHA1_RC2_128_CBC (0x3aa) + #define CKM_PBE_SHA1_RC2_40_CBC (0x3ab) + #define CKM_PKCS5_PBKD2 (0x3b0) +-- +2.8.1 + diff --git a/recipes-connectivity/openssh/openssh/run-ptest b/recipes-connectivity/openssh/openssh/run-ptest index 3e725cf..36a3d2a 100755 --- a/recipes-connectivity/openssh/openssh/run-ptest +++ b/recipes-connectivity/openssh/openssh/run-ptest @@ -3,5 +3,42 @@ export TEST_SHELL=sh cd regress -make -k .OBJDIR=`pwd` .CURDIR=`pwd` tests \ +sed -i "/\t\tagent-ptrace /d" Makefile +make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ | sed -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' + +SSHAGENT=`which ssh-agent` +GDB=`which gdb` + +if [ -z "${SSHAGENT}" -o -z "${GDB}" ]; then + echo "SKIP: agent-ptrace" + exit +fi + +useradd openssh-test + +eval `su -c "${SSHAGENT} -s" openssh-test` > /dev/null +r=$? +if [ $r -ne 0 ]; then + echo "FAIL: could not start ssh-agent: exit code $r" +else + su -c "gdb -p ${SSH_AGENT_PID}" openssh-test > /tmp/gdb.out 2>&1 << EOF + quit +EOF + r=$? + if [ $r -ne 0 ]; then + echo "gdb failed: exit code $r" + fi + egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null /tmp/gdb.out + r=$? + rm -f /tmp/gdb.out + if [ $r -ne 0 ]; then + echo "FAIL: ptrace agent" + else + echo "PASS: ptrace agent" + fi + + ${SSHAGENT} -k > /dev/null +fi +userdel openssh-test + diff --git a/recipes-connectivity/openssh/openssh/sshd@.service b/recipes-connectivity/openssh/openssh/sshd@.service index bb2d68e..9d83dfb 100644 --- a/recipes-connectivity/openssh/openssh/sshd@.service +++ b/recipes-connectivity/openssh/openssh/sshd@.service @@ -4,7 +4,9 @@ Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] -ExecStart=-@SBINDIR@/sshd -i +Environment="SSHD_OPTS=" +EnvironmentFile=-/etc/default/ssh +ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket StandardError=syslog diff --git a/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/recipes-connectivity/openssh/openssh/sshdgenkeys.service index d65086f..148e6ad 100644 --- a/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,11 +1,22 @@ [Unit] Description=OpenSSH Key Generation -ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key +RequiresMountsFor=/var /run +ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key +ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key +ConditionPathExists=!/etc/ssh/ssh_host_rsa_key +ConditionPathExists=!/etc/ssh/ssh_host_dsa_key +ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key +ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -ExecStart=@BINDIR@/ssh-keygen -A +Environment="SYSCONFDIR=/etc/ssh" +EnvironmentFile=-/etc/default/ssh +ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa +ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 Type=oneshot RemainAfterExit=yes |