jim.lai/OpenBMC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
+994
View File
@@ -0,0 +1,994 @@
From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Fri, 24 Mar 2023 13:56:25 +1100
Subject: [PATCH] remove support for old libcrypto
OpenSSH now requires LibreSSL 3.1.0 or greater or
OpenSSL 1.1.1 or greater
with/ok dtucker@
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0]
Comment: Hunks are refreshed.
Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
---
.github/workflows/c-cpp.yml | 7 -
INSTALL | 8 +-
cipher-aes.c | 2 +-
configure.ac | 96 ++---
openbsd-compat/libressl-api-compat.c | 556 +--------------------------
openbsd-compat/openssl-compat.h | 151 +-------
6 files changed, 40 insertions(+), 780 deletions(-)
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index 3d9aa22dba5..d299a32468d 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -47,9 +47,6 @@ jobs:
- { target: ubuntu-20.04, config: tcmalloc }
- { target: ubuntu-20.04, config: musl }
- { target: ubuntu-latest, config: libressl-master }
- - { target: ubuntu-latest, config: libressl-2.2.9 }
- - { target: ubuntu-latest, config: libressl-2.8.3 }
- - { target: ubuntu-latest, config: libressl-3.0.2 }
- { target: ubuntu-latest, config: libressl-3.2.6 }
- { target: ubuntu-latest, config: libressl-3.3.6 }
- { target: ubuntu-latest, config: libressl-3.4.3 }
@@ -58,10 +55,6 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.7.0 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- - { target: ubuntu-latest, config: openssl-1.0.1 }
- - { target: ubuntu-latest, config: openssl-1.0.1u }
- - { target: ubuntu-latest, config: openssl-1.0.2u }
- - { target: ubuntu-latest, config: openssl-1.1.0h }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1k }
- { target: ubuntu-latest, config: openssl-1.1.1n }
diff --git a/INSTALL b/INSTALL
index 68b15e13190..f99d1e2a809 100644
--- a/INSTALL
+++ b/INSTALL
@@ -21,12 +21,8 @@ https://zlib.net/
libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
is supported but severely restricts the available ciphers and algorithms.
- - LibreSSL (https://www.libressl.org/)
- - OpenSSL (https://www.openssl.org) with any of the following versions:
- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
-
-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
-1.1.0g can't be used.
+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
diff --git a/cipher-aes.c b/cipher-aes.c
index 8b101727284..87c763353d8 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
static int
ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- LIBCRYPTO_EVP_INL_TYPE len)
+ size_t len)
{
struct ssh_rijndael_ctx *c;
u_char buf[RIJNDAEL_BLOCKSIZE];
diff --git a/configure.ac b/configure.ac
index 22fee70f604..1c0ccdf19c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
]], [[
- FILE *fd;
- int rc;
+ FILE *f;
- fd = fopen(DATA,"w");
- if(fd == NULL)
+ if ((f = fopen(DATA, "w")) == NULL)
exit(1);
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version SSLeay_version
-#endif
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
- if ((rc = fprintf(fd, "%08lx (%s)\n",
+ if (fprintf(f, "%08lx (%s)",
(unsigned long)OpenSSL_version_num(),
- OpenSSL_version(OPENSSL_VERSION))) < 0)
+ OpenSSL_version(OPENSSL_VERSION)) < 0)
+ exit(1);
+#ifdef LIBRESSL_VERSION_NUMBER
+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
+ exit(1);
+#endif
+ if (fputc('\n', f) == EOF || fclose(f) == EOF)
exit(1);
-
exit(0);
]])],
[
- ssl_library_ver=`cat conftest.ssllibver`
+ sslver=`cat conftest.ssllibver`
+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
# Check version is supported.
- case "$ssl_library_ver" in
- 10000*|0*)
- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
- ;;
- 100*) ;; # 1.0.x
- 101000[[0123456]]*)
- # https://github.com/openssl/openssl/pull/4613
- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
+ case "$sslver" in
+ 100*|10100*) # 1.0.x, 1.1.0x
+ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
;;
101*) ;; # 1.1.x
- 200*) ;; # LibreSSL
+ 200*) # LibreSSL
+ lver=`echo "$sslver" | sed 's/.*libressl-//'`
+ case "$lver" in
+ 2*|300*) # 2.x, 3.0.0
+ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
+ ;;
+ *) ;; # Assume all other versions are good.
+ esac
+ ;;
300*)
# OpenSSL 3; we use the 1.1x API
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
;;
*)
- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
;;
esac
- AC_MSG_RESULT([$ssl_library_ver])
+ AC_MSG_RESULT([$ssl_showver])
],
[
AC_MSG_RESULT([not found])
@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
case "$host" in
x86_64-*)
- case "$ssl_library_ver" in
+ case "$sslver" in
3000004*)
AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
;;
@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
]], [[
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
[
@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
)
)
- # LibreSSL/OpenSSL 1.1x API
+ # LibreSSL/OpenSSL API differences
AC_CHECK_FUNCS([ \
- OPENSSL_init_crypto \
- DH_get0_key \
- DH_get0_pqg \
- DH_set0_key \
- DH_set_length \
- DH_set0_pqg \
- DSA_get0_key \
- DSA_get0_pqg \
- DSA_set0_key \
- DSA_set0_pqg \
- DSA_SIG_get0 \
- DSA_SIG_set0 \
- ECDSA_SIG_get0 \
- ECDSA_SIG_set0 \
EVP_CIPHER_CTX_iv \
EVP_CIPHER_CTX_iv_noconst \
EVP_CIPHER_CTX_get_iv \
EVP_CIPHER_CTX_get_updated_iv \
EVP_CIPHER_CTX_set_iv \
- RSA_get0_crt_params \
- RSA_get0_factors \
- RSA_get0_key \
- RSA_set0_crt_params \
- RSA_set0_factors \
- RSA_set0_key \
- RSA_meth_free \
- RSA_meth_dup \
- RSA_meth_set1_name \
- RSA_meth_get_finish \
- RSA_meth_set_priv_enc \
- RSA_meth_set_priv_dec \
- RSA_meth_set_finish \
- EVP_PKEY_get0_RSA \
- EVP_MD_CTX_new \
- EVP_MD_CTX_free \
- EVP_chacha20 \
])
if test "x$openssl_engine" = "xyes" ; then
@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
]
)
- # Check for SHA256, SHA384 and SHA512 support in OpenSSL
- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
+ # Check for various EVP support in OpenSSL
+ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
# Check complete ECC support in OpenSSL
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
index 498180dc894..59be17397c5 100644
--- a/openbsd-compat/libressl-api-compat.c
+++ b/openbsd-compat/libressl-api-compat.c
@@ -1,129 +1,5 @@
-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */
/*
- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -147,192 +23,7 @@
#include <stdlib.h>
#include <string.h>
-#include <openssl/err.h>
-#include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/rsa.h>
#include <openssl/evp.h>
-#ifdef OPENSSL_HAS_ECC
-#include <openssl/ecdsa.h>
-#endif
-#include <openssl/dh.h>
-
-#ifndef HAVE_DSA_GET0_PQG
-void
-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-{
- if (p != NULL)
- *p = d->p;
- if (q != NULL)
- *q = d->q;
- if (g != NULL)
- *g = d->g;
-}
-#endif /* HAVE_DSA_GET0_PQG */
-
-#ifndef HAVE_DSA_SET0_PQG
-int
-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
- (d->g == NULL && g == NULL))
- return 0;
-
- if (p != NULL) {
- BN_free(d->p);
- d->p = p;
- }
- if (q != NULL) {
- BN_free(d->q);
- d->q = q;
- }
- if (g != NULL) {
- BN_free(d->g);
- d->g = g;
- }
-
- return 1;
-}
-#endif /* HAVE_DSA_SET0_PQG */
-
-#ifndef HAVE_DSA_GET0_KEY
-void
-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
-{
- if (pub_key != NULL)
- *pub_key = d->pub_key;
- if (priv_key != NULL)
- *priv_key = d->priv_key;
-}
-#endif /* HAVE_DSA_GET0_KEY */
-
-#ifndef HAVE_DSA_SET0_KEY
-int
-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
-{
- if (d->pub_key == NULL && pub_key == NULL)
- return 0;
-
- if (pub_key != NULL) {
- BN_free(d->pub_key);
- d->pub_key = pub_key;
- }
- if (priv_key != NULL) {
- BN_free(d->priv_key);
- d->priv_key = priv_key;
- }
-
- return 1;
-}
-#endif /* HAVE_DSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_KEY
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-{
- if (n != NULL)
- *n = r->n;
- if (e != NULL)
- *e = r->e;
- if (d != NULL)
- *d = r->d;
-}
-#endif /* HAVE_RSA_GET0_KEY */
-
-#ifndef HAVE_RSA_SET0_KEY
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
- return 0;
-
- if (n != NULL) {
- BN_free(r->n);
- r->n = n;
- }
- if (e != NULL) {
- BN_free(r->e);
- r->e = e;
- }
- if (d != NULL) {
- BN_free(r->d);
- r->d = d;
- }
-
- return 1;
-}
-#endif /* HAVE_RSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_CRT_PARAMS
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
- const BIGNUM **iqmp)
-{
- if (dmp1 != NULL)
- *dmp1 = r->dmp1;
- if (dmq1 != NULL)
- *dmq1 = r->dmq1;
- if (iqmp != NULL)
- *iqmp = r->iqmp;
-}
-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_SET0_CRT_PARAMS
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
- if ((r->dmp1 == NULL && dmp1 == NULL) ||
- (r->dmq1 == NULL && dmq1 == NULL) ||
- (r->iqmp == NULL && iqmp == NULL))
- return 0;
-
- if (dmp1 != NULL) {
- BN_free(r->dmp1);
- r->dmp1 = dmp1;
- }
- if (dmq1 != NULL) {
- BN_free(r->dmq1);
- r->dmq1 = dmq1;
- }
- if (iqmp != NULL) {
- BN_free(r->iqmp);
- r->iqmp = iqmp;
- }
-
- return 1;
-}
-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_GET0_FACTORS
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-{
- if (p != NULL)
- *p = r->p;
- if (q != NULL)
- *q = r->q;
-}
-#endif /* HAVE_RSA_GET0_FACTORS */
-
-#ifndef HAVE_RSA_SET0_FACTORS
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-{
- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
- return 0;
-
- if (p != NULL) {
- BN_free(r->p);
- r->p = p;
- }
- if (q != NULL) {
- BN_free(r->q);
- r->q = q;
- }
-
- return 1;
-}
-#endif /* HAVE_RSA_SET0_FACTORS */
#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
int
@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
}
#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-#ifndef HAVE_DSA_SIG_GET0
-void
-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-{
- if (pr != NULL)
- *pr = sig->r;
- if (ps != NULL)
- *ps = sig->s;
-}
-#endif /* HAVE_DSA_SIG_GET0 */
-
-#ifndef HAVE_DSA_SIG_SET0
-int
-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-{
- if (r == NULL || s == NULL)
- return 0;
-
- BN_clear_free(sig->r);
- sig->r = r;
- BN_clear_free(sig->s);
- sig->s = s;
-
- return 1;
-}
-#endif /* HAVE_DSA_SIG_SET0 */
-
-#ifdef OPENSSL_HAS_ECC
-#ifndef HAVE_ECDSA_SIG_GET0
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-{
- if (pr != NULL)
- *pr = sig->r;
- if (ps != NULL)
- *ps = sig->s;
-}
-#endif /* HAVE_ECDSA_SIG_GET0 */
-
-#ifndef HAVE_ECDSA_SIG_SET0
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-{
- if (r == NULL || s == NULL)
- return 0;
-
- BN_clear_free(sig->r);
- BN_clear_free(sig->s);
- sig->r = r;
- sig->s = s;
- return 1;
-}
-#endif /* HAVE_ECDSA_SIG_SET0 */
-#endif /* OPENSSL_HAS_ECC */
-
-#ifndef HAVE_DH_GET0_PQG
-void
-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-{
- if (p != NULL)
- *p = dh->p;
- if (q != NULL)
- *q = dh->q;
- if (g != NULL)
- *g = dh->g;
-}
-#endif /* HAVE_DH_GET0_PQG */
-
-#ifndef HAVE_DH_SET0_PQG
-int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
- return 0;
-
- if (p != NULL) {
- BN_free(dh->p);
- dh->p = p;
- }
- if (q != NULL) {
- BN_free(dh->q);
- dh->q = q;
- }
- if (g != NULL) {
- BN_free(dh->g);
- dh->g = g;
- }
-
- return 1;
-}
-#endif /* HAVE_DH_SET0_PQG */
-
-#ifndef HAVE_DH_GET0_KEY
-void
-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-{
- if (pub_key != NULL)
- *pub_key = dh->pub_key;
- if (priv_key != NULL)
- *priv_key = dh->priv_key;
-}
-#endif /* HAVE_DH_GET0_KEY */
-
-#ifndef HAVE_DH_SET0_KEY
-int
-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-{
- if (pub_key != NULL) {
- BN_free(dh->pub_key);
- dh->pub_key = pub_key;
- }
- if (priv_key != NULL) {
- BN_free(dh->priv_key);
- dh->priv_key = priv_key;
- }
-
- return 1;
-}
-#endif /* HAVE_DH_SET0_KEY */
-
-#ifndef HAVE_DH_SET_LENGTH
-int
-DH_set_length(DH *dh, long length)
-{
- if (length < 0 || length > INT_MAX)
- return 0;
-
- dh->length = length;
- return 1;
-}
-#endif /* HAVE_DH_SET_LENGTH */
-
-#ifndef HAVE_RSA_METH_FREE
-void
-RSA_meth_free(RSA_METHOD *meth)
-{
- if (meth != NULL) {
- free((char *)meth->name);
- free(meth);
- }
-}
-#endif /* HAVE_RSA_METH_FREE */
-
-#ifndef HAVE_RSA_METH_DUP
-RSA_METHOD *
-RSA_meth_dup(const RSA_METHOD *meth)
-{
- RSA_METHOD *copy;
-
- if ((copy = calloc(1, sizeof(*copy))) == NULL)
- return NULL;
- memcpy(copy, meth, sizeof(*copy));
- if ((copy->name = strdup(meth->name)) == NULL) {
- free(copy);
- return NULL;
- }
-
- return copy;
-}
-#endif /* HAVE_RSA_METH_DUP */
-
-#ifndef HAVE_RSA_METH_SET1_NAME
-int
-RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
-{
- char *copy;
-
- if ((copy = strdup(name)) == NULL)
- return 0;
- free((char *)meth->name);
- meth->name = copy;
- return 1;
-}
-#endif /* HAVE_RSA_METH_SET1_NAME */
-
-#ifndef HAVE_RSA_METH_GET_FINISH
-int
-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
-{
- return meth->finish;
-}
-#endif /* HAVE_RSA_METH_GET_FINISH */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-int
-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_priv_enc = priv_enc;
- return 1;
-}
-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-int
-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
- meth->rsa_priv_dec = priv_dec;
- return 1;
-}
-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-
-#ifndef HAVE_RSA_METH_SET_FINISH
-int
-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
-{
- meth->finish = finish;
- return 1;
-}
-#endif /* HAVE_RSA_METH_SET_FINISH */
-
-#ifndef HAVE_EVP_PKEY_GET0_RSA
-RSA *
-EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-{
- if (pkey->type != EVP_PKEY_RSA) {
- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
- return NULL;
- }
- return pkey->pkey.rsa;
-}
-#endif /* HAVE_EVP_PKEY_GET0_RSA */
-
-#ifndef HAVE_EVP_MD_CTX_NEW
-EVP_MD_CTX *
-EVP_MD_CTX_new(void)
-{
- return calloc(1, sizeof(EVP_MD_CTX));
-}
-#endif /* HAVE_EVP_MD_CTX_NEW */
-
-#ifndef HAVE_EVP_MD_CTX_FREE
-void
-EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-{
- if (ctx == NULL)
- return;
-
- EVP_MD_CTX_cleanup(ctx);
-
- free(ctx);
-}
-#endif /* HAVE_EVP_MD_CTX_FREE */
-
#endif /* WITH_OPENSSL */
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 61a69dd56eb..d0dd2c3450d 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -33,26 +33,13 @@
int ssh_compatible_openssl(long, long);
void ssh_libcrypto_init(void);
-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
-# error OpenSSL 1.0.1 or greater is required
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+# error OpenSSL 1.1.0 or greater is required
#endif
-
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version(x) SSLeay_version(x)
-#endif
-
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10000001L
-# define LIBCRYPTO_EVP_INL_TYPE unsigned int
-#else
-# define LIBCRYPTO_EVP_INL_TYPE size_t
+#ifdef LIBRESSL_VERSION_NUMBER
+# if LIBRESSL_VERSION_NUMBER < 0x3010000fL
+# error LibreSSL 3.1.0 or greater is required
+# endif
#endif
#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void);
# endif
#endif
-/* LibreSSL/OpenSSL 1.1x API compat */
-#ifndef HAVE_DSA_GET0_PQG
-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
- const BIGNUM **g);
-#endif /* HAVE_DSA_GET0_PQG */
-
-#ifndef HAVE_DSA_SET0_PQG
-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* HAVE_DSA_SET0_PQG */
-
-#ifndef HAVE_DSA_GET0_KEY
-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
- const BIGNUM **priv_key);
-#endif /* HAVE_DSA_GET0_KEY */
-
-#ifndef HAVE_DSA_SET0_KEY
-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-#endif /* HAVE_DSA_SET0_KEY */
-
#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
# ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV
# define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
const unsigned char *iv, size_t len);
#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-#ifndef HAVE_RSA_GET0_KEY
-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
- const BIGNUM **d);
-#endif /* HAVE_RSA_GET0_KEY */
-
-#ifndef HAVE_RSA_SET0_KEY
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-#endif /* HAVE_RSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_CRT_PARAMS
-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
- const BIGNUM **iqmp);
-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_SET0_CRT_PARAMS
-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_GET0_FACTORS
-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-#endif /* HAVE_RSA_GET0_FACTORS */
-
-#ifndef HAVE_RSA_SET0_FACTORS
-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-#endif /* HAVE_RSA_SET0_FACTORS */
-
-#ifndef DSA_SIG_GET0
-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-#endif /* DSA_SIG_GET0 */
-
-#ifndef DSA_SIG_SET0
-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* DSA_SIG_SET0 */
-
-#ifdef OPENSSL_HAS_ECC
-#ifndef HAVE_ECDSA_SIG_GET0
-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-#endif /* HAVE_ECDSA_SIG_GET0 */
-
-#ifndef HAVE_ECDSA_SIG_SET0
-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* HAVE_ECDSA_SIG_SET0 */
-#endif /* OPENSSL_HAS_ECC */
-
-#ifndef HAVE_DH_GET0_PQG
-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
- const BIGNUM **g);
-#endif /* HAVE_DH_GET0_PQG */
-
-#ifndef HAVE_DH_SET0_PQG
-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* HAVE_DH_SET0_PQG */
-
-#ifndef HAVE_DH_GET0_KEY
-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-#endif /* HAVE_DH_GET0_KEY */
-
-#ifndef HAVE_DH_SET0_KEY
-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-#endif /* HAVE_DH_SET0_KEY */
-
-#ifndef HAVE_DH_SET_LENGTH
-int DH_set_length(DH *dh, long length);
-#endif /* HAVE_DH_SET_LENGTH */
-
-#ifndef HAVE_RSA_METH_FREE
-void RSA_meth_free(RSA_METHOD *meth);
-#endif /* HAVE_RSA_METH_FREE */
-
-#ifndef HAVE_RSA_METH_DUP
-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
-#endif /* HAVE_RSA_METH_DUP */
-
-#ifndef HAVE_RSA_METH_SET1_NAME
-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
-#endif /* HAVE_RSA_METH_SET1_NAME */
-
-#ifndef HAVE_RSA_METH_GET_FINISH
-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
-#endif /* HAVE_RSA_METH_GET_FINISH */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-
-#ifndef HAVE_RSA_METH_SET_FINISH
-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
-#endif /* HAVE_RSA_METH_SET_FINISH */
-
-#ifndef HAVE_EVP_PKEY_GET0_RSA
-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-#endif /* HAVE_EVP_PKEY_GET0_RSA */
-
-#ifndef HAVE_EVP_MD_CTX_new
-EVP_MD_CTX *EVP_MD_CTX_new(void);
-#endif /* HAVE_EVP_MD_CTX_new */
-
-#ifndef HAVE_EVP_MD_CTX_free
-void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-#endif /* HAVE_EVP_MD_CTX_free */
-
#endif /* WITH_OPENSSL */
#endif /* _OPENSSL_COMPAT_H */
poky/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+47
View File
@@ -0,0 +1,47 @@
Adjust test cases to work with busybox.
- Replace dd parameter "obs" with "bs".
- Replace "head -<num>" with "head -n <num>".
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Upstream-Status: Pending
Index: openssh-7.6p1/regress/cipher-speed.sh
===================================================================
--- openssh-7.6p1.orig/regress/cipher-speed.sh
+++ openssh-7.6p1/regress/cipher-speed.sh
@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
printf "%-60s" "$c/$m:"
( ${SSH} -o 'compression no' \
-F $OBJ/ssh_proxy -m $m -c $c somehost \
- exec sh -c \'"dd of=/dev/null obs=32k"\' \
+ exec sh -c \'"dd of=/dev/null bs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
Index: openssh-7.6p1/regress/transfer.sh
===================================================================
--- openssh-7.6p1.orig/regress/transfer.sh
+++ openssh-7.6p1/regress/transfer.sh
@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY} || fail "corrupted
for s in 10 100 1k 32k 64k 128k 256k; do
trace "dd-size ${s}"
rm -f ${COPY}
- dd if=$DATA obs=${s} 2> /dev/null | \
+ dd if=$DATA bs=${s} 2> /dev/null | \
${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
Index: openssh-7.6p1/regress/key-options.sh
===================================================================
--- openssh-7.6p1.orig/regress/key-options.sh
+++ openssh-7.6p1/regress/key-options.sh
@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
fi
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
- from=`head -1 $authkeys | cut -f1 -d ' '`
+ from=`head -n 1 $authkeys | cut -f1 -d ' '`
verbose "key option $from"
r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
if [ "$r" = "true" ]; then
poky/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+111
View File
@@ -0,0 +1,111 @@
From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
From: Yuanjie Huang <yuanjie.huang@windriver.com>
Date: Wed, 24 Aug 2016 03:15:43 +0000
Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed overflow.
In case of compilation by gcc or clang with -ftrapv option, the overflow
would lead to program abort.
Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Complete the fix
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
openbsd-compat/strlcat.c | 10 +++++++---
openbsd-compat/strlcpy.c | 8 ++++++--
openbsd-compat/strnlen.c | 8 ++++++--
3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
index bcc1b61..124e1e3 100644
--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
@@ -23,6 +23,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdint.h>
/*
* Appends src to string dst of size siz (unlike strncat, siz is the
@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
/* Find the end of dst and adjust bytes left but don't go past end */
while (n-- != 0 && *d != '\0')
d++;
- dlen = d - dst;
+ dlen = (uintptr_t)d - (uintptr_t)dst;
n = siz - dlen;
if (n == 0)
@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
s++;
}
*d = '\0';
-
- return(dlen + (s - src)); /* count does not include NUL */
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ */
+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
}
#endif /* !HAVE_STRLCAT */
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index b4b1b60..b06f374 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -23,6 +23,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdint.h>
/*
* Copy src to string dst of size siz. At most siz-1 characters
@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
while (*s++)
;
}
-
- return(s - src - 1); /* count does not include NUL */
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ */
+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
}
#endif /* !HAVE_STRLCPY */
diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
index 7ad3573..7040f1f 100644
--- a/openbsd-compat/strnlen.c
+++ b/openbsd-compat/strnlen.c
@@ -23,6 +23,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdint.h>
size_t
strnlen(const char *str, size_t maxlen)
@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
;
-
- return (size_t)(cp - str);
+ /*
+ * Cast pointers to unsigned type before calculation, to avoid signed
+ * overflow when the string ends where the MSB has changed.
+ */
+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
}
#endif
--
2.17.1
poky/meta/recipes-connectivity/openssh/openssh/init
+90
View File
@@ -0,0 +1,90 @@
#! /bin/sh
set -e
PIDFILE=/var/run/sshd.pid
# source function library
. /etc/init.d/functions
# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon
test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
if test -f /etc/default/ssh; then
. /etc/default/ssh
fi
[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
mkdir -p $SYSCONFDIR
check_for_no_start() {
# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
exit 0
fi
}
check_privsep_dir() {
# Create the PrivSep empty dir if necessary
if [ ! -d /var/run/sshd ]; then
mkdir /var/run/sshd
chmod 0755 /var/run/sshd
fi
}
check_config() {
/usr/sbin/sshd $SSHD_OPTS -t || exit 1
}
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
case "$1" in
start)
check_for_no_start
echo "Starting OpenBSD Secure Shell server: sshd"
@LIBEXECDIR@/sshd_check_keys
check_privsep_dir
start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
echo "done."
;;
stop)
echo -n "Stopping OpenBSD Secure Shell server: sshd"
start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
echo "."
;;
reload|force-reload)
check_for_no_start
@LIBEXECDIR@/sshd_check_keys
check_config
echo -n "Reloading OpenBSD Secure Shell server's configuration"
start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
echo "."
;;
restart)
@LIBEXECDIR@/sshd_check_keys
check_config
echo -n "Restarting OpenBSD Secure Shell server: sshd"
start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
check_for_no_start
check_privsep_dir
sleep 2
start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
echo "."
;;
status)
status /usr/sbin/sshd
exit $?
;;
*)
echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}"
exit 1
esac
exit 0
poky/meta/recipes-connectivity/openssh/openssh/run-ptest
Executable
+45
View File
@@ -0,0 +1,45 @@
#!/bin/sh
export TEST_SHELL=sh
export SKIP_UNIT=1
cd regress
sed -i "/\t\tagent-ptrace /d" Makefile
make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
| sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
SSHAGENT=`which ssh-agent`
GDB=`which gdb`
if [ -z "${SSHAGENT}" -o -z "${GDB}" ]; then
echo "SKIP: agent-ptrace"
exit
fi
useradd openssh-test
eval `su -c "${SSHAGENT} -s" openssh-test` > /dev/null
r=$?
if [ $r -ne 0 ]; then
echo "FAIL: could not start ssh-agent: exit code $r"
else
su -c "gdb -p ${SSH_AGENT_PID}" openssh-test > /tmp/gdb.out 2>&1 << EOF
quit
EOF
r=$?
if [ $r -ne 0 ]; then
echo "gdb failed: exit code $r"
fi
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null /tmp/gdb.out
r=$?
rm -f /tmp/gdb.out
if [ $r -ne 0 ]; then
echo "FAIL: ptrace agent"
else
echo "PASS: ptrace agent"
fi
${SSHAGENT} -k > /dev/null
fi
userdel openssh-test
poky/meta/recipes-connectivity/openssh/openssh/ssh_config
+50
View File
@@ -0,0 +1,50 @@
# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
Host *
ForwardAgent yes
ForwardX11 yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
poky/meta/recipes-connectivity/openssh/openssh/sshd
+10
View File
@@ -0,0 +1,10 @@
#%PAM-1.0
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session required pam_loginuid.so
poky/meta/recipes-connectivity/openssh/openssh/sshd.socket
+11
View File
@@ -0,0 +1,11 @@
[Unit]
Conflicts=sshd.service
Wants=sshdgenkeys.service
[Socket]
ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target
poky/meta/recipes-connectivity/openssh/openssh/sshd@.service
+10
View File
@@ -0,0 +1,10 @@
[Unit]
Description=OpenSSH Per-Connection Daemon
After=sshdgenkeys.service
[Service]
Environment="SSHD_OPTS="
EnvironmentFile=-/etc/default/ssh
ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
StandardInput=socket
KillMode=process
poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+79
View File
@@ -0,0 +1,79 @@
#! /bin/sh
generate_key() {
local FILE=$1
local TYPE=$2
local DIR="$(dirname "$FILE")"
mkdir -p "$DIR"
rm -f ${FILE}.tmp
ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
# Atomically rename file public key
mv -f "${FILE}.tmp.pub" "${FILE}.pub"
# This sync does double duty: Ensuring that the data in the temporary
# private key file is on disk before the rename, and ensuring that the
# public key rename is completed before the private key rename, since we
# switch on the existence of the private key to trigger key generation.
# This does mean it is possible for the public key to exist, but be garbage
# but this is OK because in that case the private key won't exist and the
# keys will be regenerated.
#
# In the event that sync understands arguments that limit what it tries to
# fsync(), we provided them. If it does not, it will simply call sync()
# which is just as well
sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
mv "${FILE}.tmp" "$FILE"
# sync to ensure the atomic rename is committed
sync "$DIR"
}
# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
if test -f /etc/default/ssh; then
. /etc/default/ssh
fi
[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
mkdir -p $SYSCONFDIR
# parse sshd options
set -- ${SSHD_OPTS} --
sshd_config=/etc/ssh/sshd_config
while true ; do
case "$1" in
-f*) if [ "$1" = "-f" ] ; then
sshd_config="$2"
shift
else
sshd_config="${1#-f}"
fi
shift
;;
--) shift; break;;
*) shift;;
esac
done
HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
for key in ${HOST_KEYS} ; do
[ -f $key ] && continue
case $key in
*_rsa_key)
echo " generating ssh RSA host key..."
generate_key $key rsa
;;
*_ecdsa_key)
echo " generating ssh ECDSA host key..."
generate_key $key ecdsa
;;
*_ed25519_key)
echo " generating ssh ED25519 host key..."
generate_key $key ed25519
;;
esac
done
poky/meta/recipes-connectivity/openssh/openssh/sshd_config
+119
View File
@@ -0,0 +1,119 @@
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable keyboard-interactive authentication (beware issues
# with some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
poky/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+9
View File
@@ -0,0 +1,9 @@
[Unit]
Description=OpenSSH Key Generation
RequiresMountsFor=/var /run
[Service]
ExecStart=@LIBEXECDIR@/sshd_check_keys
Type=oneshot
RemainAfterExit=yes
Nice=10
poky/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
+2
View File
@@ -0,0 +1,2 @@
d root root 0755 /var/run/sshd none
f root root 0644 /var/log/lastlog none
poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+176
View File
@@ -0,0 +1,176 @@
SUMMARY = "A suite of security-related network utilities based on \
the SSH protocol including the ssh client and sshd server"
DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
Ssh (Secure Shell) is a program for logging into a remote machine \
and for executing commands on a remote machine."
HOMEPAGE = "http://www.openssh.com/"
SECTION = "console/network"
LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
DEPENDS = "zlib openssl virtual/crypt"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
file://sshd_config \
file://ssh_config \
file://init \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://sshd.socket \
file://sshd@.service \
file://sshdgenkeys.service \
file://volatiles.99_sshd \
file://run-ptest \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
PAM_SRC_URI = "file://sshd"
inherit manpages useradd update-rc.d update-alternatives systemd
USERADD_PACKAGES = "${PN}-sshd"
USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
INITSCRIPT_PACKAGES = "${PN}-sshd"
INITSCRIPT_NAME:${PN}-sshd = "sshd"
INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
SYSTEMD_PACKAGES = "${PN}-sshd"
SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket"
inherit autotools-brokensep ptest
PACKAGECONFIG ??= ""
PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
EXTRA_AUTORECONF += "--exclude=aclocal"
# login path is hardcoded in sshd
EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
--without-zlib-version-check \
--with-privsep-path=${localstatedir}/run/sshd \
--sysconfdir=${sysconfdir}/ssh \
--with-xauth=${bindir}/xauth \
--disable-strip \
"
# musl doesn't implement wtmp/utmp and logwtmp
EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
# Since we do not depend on libbsd, we do not want configure to use it
# just because it finds libutil.h. But, specifying --disable-libutil
# causes compile errors, so...
CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no"
# passwd path is hardcoded in sshd
CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
# We don't want to depend on libblockfile
CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
do_configure:prepend () {
export LD="${CC}"
install -m 0644 ${WORKDIR}/sshd_config ${B}/
install -m 0644 ${WORKDIR}/ssh_config ${B}/
}
do_compile_ptest() {
oe_runmake regress-binaries regress-unit-binaries
}
do_install:append () {
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
fi
install -d ${D}${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
install -d ${D}/${sysconfdir}/default/volatiles
install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
# Create config files for read-only rootfs
install -d ${D}${sysconfdir}/ssh
install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
install -d ${D}${systemd_system_unitdir}
install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
-e 's,@SBINDIR@,${sbindir},g' \
-e 's,@BINDIR@,${bindir},g' \
-e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service
sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
${D}${sysconfdir}/init.d/sshd
install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
}
do_install_ptest () {
sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
cp -r regress ${D}${PTEST_PATH}
cp config.h ${D}${PTEST_PATH}
}
ALLOW_EMPTY:${PN} = "1"
PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
FILES:${PN}-scp = "${bindir}/scp.${BPN}"
FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
FILES:${PN}-sftp = "${bindir}/sftp"
FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
FILES:${PN}-keygen = "${bindir}/ssh-keygen"
RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils openssl-bin"
RPROVIDES:${PN}-ssh = "ssh"
RPROVIDES:${PN}-sshd = "sshd"
RCONFLICTS:${PN} = "dropbear"
RCONFLICTS:${PN}-sshd = "dropbear"
CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
ALTERNATIVE_PRIORITY = "90"
ALTERNATIVE:${PN}-scp = "scp"
ALTERNATIVE:${PN}-ssh = "ssh"
BBCLASSEXTEND += "nativesdk"