Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ return (ret);
+ }
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ sshbuf_free(msg);
+ return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ static RSA_METHOD *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+ if (k->type == KEY_RSA)
+ RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ else if (k->type == KEY_ECDSA)
+ EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ else
+ fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+ if (helper_rsa != NULL)
+ return (0);
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+ if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+ return (-1);
+ EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+ EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+ fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+ 
+ int pkcs11_interactive = 0;
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+ error("%s: libcrypto error: %.100s", __func__,
+ ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+ 
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+ return (0);
+ }
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+ 
+ return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+ return (0);
+ }
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+ 
+ return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+ struct sshkey *key = NULL;
+ int i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int nid;
+ #endif
+ const u_char *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_RSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ rsa = NULL; /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+ error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_ECDSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ ec = NULL; /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ } else {
+ error("unknown certificate key type");
+ goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+ case CKK_RSA:
+ key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+ break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ case CKK_ECDSA:
+ key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+ break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ default:
+ /* XXX print key type? */
+ key = NULL;
+-- 
+2.41.0 |
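Review bot: The patch header tags this file with `CVE: CVE-2023-38408` but the inner diff only tightens preprocessor guards from `#ifdef HAVE_EC_KEY_METHOD_NEW` to `#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)` in ssh-pkcs11-client.c and ssh-pkcs11.c, and the `[PATCH 01/12]` subject is the only hint that it is a preparatory change rather than the fix. A sentence in the header would save the next reviewer from reading the whole series to find the actual remediation, e.g. `Preparatory patch 1 of 12 for the CVE-2023-38408 backport; it only tightens the ECC preprocessor guards and contains no fix on its own.` One behavioral consequence worth stating there: in the `@@ -233,10 +233,10 @@ wrap_key` hunk the `KEY_ECDSA` branch is now compiled out whenever OPENSSL_HAS_ECC is undefined, so on such a build an ECDSA key from a PKCS#11 token falls through to `fatal("%s: unknown key type", __func__)` instead of being wrapped. Whether any supported OpenSSL configuration in this layer builds without ECC is not visible here, so that should be confirmed against the recipe's configure flags.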