diff options
Diffstat (limited to 'poky/meta/recipes-connectivity')
22 files changed, 1562 insertions, 327 deletions
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-avoid-start-failure-with-bind-user.patch +++ b/poky/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/poky/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..f1abd179e8 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 b/poky/meta/recipes-connectivity/bind/bind/bind9 index 968679ff7f..968679ff7f 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/bind9 +++ b/poky/meta/recipes-connectivity/bind/bind/bind9 diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch b/poky/meta/recipes-connectivity/bind/bind/conf.patch index aa3642acec..aa3642acec 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/conf.patch +++ b/poky/meta/recipes-connectivity/bind/bind/conf.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/generate-rndc-key.sh +++ b/poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/init.d-add-support-for-read-only-rootfs.patch +++ b/poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/make-etc-initd-bind-stop-work.patch +++ b/poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service b/poky/meta/recipes-connectivity/bind/bind/named.service index cda56ef015..cda56ef015 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.13/named.service +++ b/poky/meta/recipes-connectivity/bind/bind/named.service diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.19.bb index 8617137e87..6936c1c6ad 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.18.13.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.18.19.bb @@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" SECTION = "console/network" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=d8cf7bd9c4fd5471a588e7e66e672408" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43" DEPENDS = "openssl libcap zlib libuv" @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "3b06b6390c1012dd3956b1479c73b2097c0b22207817e2e8aae352fd20e578c7" +SRC_URI[sha256sum] = "115e09c05439bebade1d272eda08fa88eb3b60129edef690588c87a4d27612cc" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 @@ -39,7 +39,7 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline" PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit" PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2" -EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \ +EXTRA_OECONF = " --disable-auto-validation \ --with-gssapi=no --with-lmdb=no --with-zlib \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_DIR_HOST}${prefix} \ diff --git a/poky/meta/recipes-connectivity/connman/connman.inc b/poky/meta/recipes-connectivity/connman/connman.inc index d7af94f792..7487ca0d0c 100644 --- a/poky/meta/recipes-connectivity/connman/connman.inc +++ b/poky/meta/recipes-connectivity/connman/connman.inc @@ -27,6 +27,7 @@ EXTRA_OECONF += "\ --enable-ethernet \ --enable-tools \ --disable-polkit \ + --runstatedir=/run \ " # For smooth operation it would be best to start only one wireless daemon at a time. # If wpa-supplicant is running, connman will use it preferentially. diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..04fd9b1f85 --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch @@ -0,0 +1,284 @@ +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001 +From: Jeffrey Bencteux <jeffbencteux@gmail.com> +Date: Mon, 28 Aug 2023 15:35:19 +0000 +Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check +set*id() return values + +Several setuid(), setgid(), seteuid() and setguid() return values +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially +leading to potential security issues. + +Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> +Signed-off-by: Simon Josefsson <simon@josefsson.org> + +CVE: CVE-2023-40303 + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + ftpd/ftpd.c | 10 +++++++--- + src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ + src/rlogin.c | 11 +++++++++-- + src/rsh.c | 25 +++++++++++++++++++++---- + src/rshd.c | 20 +++++++++++++++++--- + src/uucpd.c | 15 +++++++++++++-- + 6 files changed, 100 insertions(+), 20 deletions(-) + +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c +index 92b2cca..009f3f1 100644 +--- a/ftpd/ftpd.c ++++ b/ftpd/ftpd.c +@@ -862,7 +862,9 @@ end_login (struct credentials *pcred) + char *remotehost = pcred->remotehost; + int atype = pcred->auth_type; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); ++ + if (pcred->logged_in) + { + logwtmp_keep_open (ttyline, "", ""); +@@ -1151,7 +1153,8 @@ getdatasock (const char *mode) + + if (data >= 0) + return fdopen (data, mode); +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); + if (s < 0) + goto bad; +@@ -1978,7 +1981,8 @@ passive (int epsv, int af) + else /* !AF_INET6 */ + ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; + +- seteuid ((uid_t) 0); ++ if (seteuid ((uid_t) 0) == -1) ++ _exit (EXIT_FAILURE); + if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) + { + if (seteuid ((uid_t) cred.uid)) +diff --git a/src/rcp.c b/src/rcp.c +index 75adb25..f913256 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -345,14 +345,23 @@ main (int argc, char *argv[]) + if (from_option) + { /* Follow "protocol", send data. */ + response (); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + source (argc, argv); + exit (errs); + } + + if (to_option) + { /* Receive data. */ +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + sink (argc, argv); + exit (errs); + } +@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[]) + if (response () < 0) + exit (EXIT_FAILURE); + free (bp); +- setuid (userid); ++ ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[]) + ++errs; + continue; + } +- seteuid (userid); ++ ++ if (seteuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); + (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); +@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[]) + #endif + vect[0] = target; + sink (1, vect); +- seteuid (effuid); ++ ++ if (seteuid (effuid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ + close (rem); + rem = -1; + #ifdef SHISHI +@@ -1441,7 +1464,11 @@ susystem (char *s, int userid) + return (127); + + case 0: +- setuid (userid); ++ if (setuid (userid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } ++ + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); + } +diff --git a/src/rlogin.c b/src/rlogin.c +index aa6426f..9bf9645 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -647,8 +647,15 @@ try_connect: + /* Now change to the real user ID. We have to be set-user-ID root + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 2d622ca..7b9cf22 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -276,8 +276,17 @@ main (int argc, char **argv) + { + if (asrsh) + *argv = (char *) "rlogin"; +- seteuid (getuid ()); +- setuid (getuid ()); ++ ++ if (seteuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (getuid ()) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); + } +@@ -541,8 +550,16 @@ try_connect: + error (0, errno, "setsockopt DEBUG (ignored)"); + } + +- seteuid (uid); +- setuid (uid); ++ if (seteuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ ++ if (setuid (uid) == -1) ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } ++ + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); + sigaddset (&sigs, SIGINT); +diff --git a/src/rshd.c b/src/rshd.c +index d1c0d0c..19d9a60 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + pwd->pw_shell = PATH_BSHELL; + + /* Set the gid, then uid to become the user specified by "locuser" */ +- setegid ((gid_t) pwd->pw_gid); +- setgid ((gid_t) pwd->pw_gid); ++ if (setegid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ ++ if (setgid ((gid_t) pwd->pw_gid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } ++ + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ + #endif +@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + } + #endif /* WITH_PAM */ + +- setuid ((uid_t) pwd->pw_uid); ++ if (setuid ((uid_t) pwd->pw_uid) == -1) ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 107589e..34be165 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen) + snprintf (Username, sizeof (Username), "USER=%s", user); + snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user); + dologin (pw, sap, salen); +- setgid (pw->pw_gid); ++ ++ if (setgid (pw->pw_gid) == -1) ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen) + fprintf (stderr, "Login incorrect."); + return; + } +- setuid (pw->pw_uid); ++ ++ if (setuid (pw->pw_uid) == -1) ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } ++ + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); + } +-- +2.40.0 diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch deleted file mode 100644 index 49d319f59d..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 7d39930468e272c740b0eed3c7e5b7fb3abf29e8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 5 Aug 2020 10:36:22 -0700 -Subject: [PATCH] ftpd,telnetd: Fix multiple definitions of errcatch and not42 - -This helps fix build failures when -fno-common option is used - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - ftpd/extern.h | 2 +- - ftpd/ftpcmd.c | 1 + - telnetd/utility.c | 2 +- - 3 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/ftpd/extern.h b/ftpd/extern.h -index ab33cf3..91dbbee 100644 ---- a/ftpd/extern.h -+++ b/ftpd/extern.h -@@ -90,7 +90,7 @@ extern void user (const char *); - extern char *sgetsave (const char *); - - /* Exported from ftpd.c. */ --jmp_buf errcatch; -+extern jmp_buf errcatch; - extern struct sockaddr_storage data_dest; - extern socklen_t data_dest_len; - extern struct sockaddr_storage his_addr; -diff --git a/ftpd/ftpcmd.c b/ftpd/ftpcmd.c -index beb1f06..d272e9d 100644 ---- a/ftpd/ftpcmd.c -+++ b/ftpd/ftpcmd.c -@@ -106,6 +106,7 @@ - #endif - - off_t restart_point; -+jmp_buf errcatch; - - static char cbuf[512]; /* Command Buffer. */ - static char *fromname; -diff --git a/telnetd/utility.c b/telnetd/utility.c -index e7ffb8e..46bf91e 100644 ---- a/telnetd/utility.c -+++ b/telnetd/utility.c -@@ -63,7 +63,7 @@ static int ncc; - static char ptyibuf[BUFSIZ], *ptyip; - static int pcc; - --int not42; -+extern int not42; - - static int - readstream (int p, char *ibuf, int bufsize) --- -2.28.0 - diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..f4252b5f34 --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch @@ -0,0 +1,258 @@ +From 9122999252c7e21eb7774de11d539748e7bdf46d Mon Sep 17 00:00:00 2001 +From: Simon Josefsson <simon@josefsson.org> +Date: Tue, 29 Aug 2023 06:42:11 +0000 +Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit. + +CVE: CVE-2023-40303 + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/rcp.c | 42 ++++++++++++++++++++++++------------------ + src/rlogin.c | 12 ++++++------ + src/rsh.c | 26 +++++++++++++------------- + src/rshd.c | 24 ++++++++++++------------ + src/uucpd.c | 16 ++++++++-------- + 5 files changed, 63 insertions(+), 57 deletions(-) + +diff --git a/src/rcp.c b/src/rcp.c +index 7018e35..e504f8a 100644 +--- a/src/rcp.c ++++ b/src/rcp.c +@@ -347,9 +347,10 @@ main (int argc, char *argv[]) + response (); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + source (argc, argv); + exit (errs); +@@ -358,9 +359,10 @@ main (int argc, char *argv[]) + if (to_option) + { /* Receive data. */ + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + sink (argc, argv); + exit (errs); +@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[]) + free (bp); + + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + } + source (1, argv + i); + close (rem); +@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[]) + } + + if (seteuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT + sslen = sizeof (ss); +@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[]) + sink (1, vect); + + if (seteuid (effuid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (seteuid() failed)"); ++ } + + close (rem); + rem = -1; +@@ -1465,9 +1470,10 @@ susystem (char *s, int userid) + + case 0: + if (setuid (userid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, ++ "Could not drop privileges (setuid() failed)"); ++ } + + execl (PATH_BSHELL, "sh", "-c", s, NULL); + _exit (127); +diff --git a/src/rlogin.c b/src/rlogin.c +index 9bf9645..a0c1237 100644 +--- a/src/rlogin.c ++++ b/src/rlogin.c +@@ -648,14 +648,14 @@ try_connect: + to get the privileged port that rcmd () uses. We now want, however, + to run as the real user who invoked us. */ + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); +- } ++ { ++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); ++ } + + doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ + +diff --git a/src/rsh.c b/src/rsh.c +index 7b9cf22..c8f50d3 100644 +--- a/src/rsh.c ++++ b/src/rsh.c +@@ -278,14 +278,14 @@ main (int argc, char **argv) + *argv = (char *) "rlogin"; + + if (seteuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } +- ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } ++ + if (setuid (getuid ()) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + execv (PATH_RLOGIN, argv); + error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); +@@ -551,14 +551,14 @@ try_connect: + } + + if (seteuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "seteuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "seteuid() failed"); ++ } + + if (setuid (uid) == -1) +- { +- error (EXIT_FAILURE, errno, "setuid() failed"); +- } ++ { ++ error (EXIT_FAILURE, errno, "setuid() failed"); ++ } + + #ifdef HAVE_SIGACTION + sigemptyset (&sigs); +diff --git a/src/rshd.c b/src/rshd.c +index 707790e..df43edf 100644 +--- a/src/rshd.c ++++ b/src/rshd.c +@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + + /* Set the gid, then uid to become the user specified by "locuser" */ + if (setegid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setegid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setegid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + if (setgid ((gid_t) pwd->pw_gid) == -1) +- { +- rshd_error ("Cannot drop privileges (setgid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setgid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + #ifdef HAVE_INITGROUPS + initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ +@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) + #endif /* WITH_PAM */ + + if (setuid ((uid_t) pwd->pw_uid) == -1) +- { +- rshd_error ("Cannot drop privileges (setuid() failed)\n"); +- exit (EXIT_FAILURE); +- } ++ { ++ rshd_error ("Cannot drop privileges (setuid() failed)\n"); ++ exit (EXIT_FAILURE); ++ } + + /* We'll execute the client's command in the home directory + * of locuser. Note, that the chdir must be executed after +diff --git a/src/uucpd.c b/src/uucpd.c +index 29cfce3..afe24f3 100644 +--- a/src/uucpd.c ++++ b/src/uucpd.c +@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen) + dologin (pw, sap, salen); + + if (setgid (pw->pw_gid) == -1) +- { +- fprintf (stderr, "setgid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setgid() failed"); ++ return; ++ } + #ifdef HAVE_INITGROUPS + initgroups (pw->pw_name, pw->pw_gid); + #endif +@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen) + } + + if (setuid (pw->pw_uid) == -1) +- { +- fprintf (stderr, "setuid() failed"); +- return; +- } ++ { ++ fprintf (stderr, "setuid() failed"); ++ return; ++ } + + execl (uucico_location, "uucico", NULL); + perror ("uucico server: execl"); +-- +2.40.0 diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch deleted file mode 100644 index a91913cb51..0000000000 --- a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch +++ /dev/null @@ -1,25 +0,0 @@ -tftpd: Fix abort on error path - -When trying to fetch a non existent file, the app crashes with: - -*** buffer overflow detected ***: -Aborted - - -Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205] -Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com> -diff --git a/src/tftpd.c b/src/tftpd.c -index 56002a0..144012f 100644 ---- a/src/tftpd.c -+++ b/src/tftpd.c -@@ -864,9 +864,8 @@ nak (int error) - pe->e_msg = strerror (error - 100); - tp->th_code = EUNDEF; /* set 'undef' errorcode */ - } -- strcpy (tp->th_msg, pe->e_msg); - length = strlen (pe->e_msg); -- tp->th_msg[length] = '\0'; -+ memcpy(tp->th_msg, pe->e_msg, length + 1); - length += 5; - if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length) - syslog (LOG_ERR, "nak: %m\n"); diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb index 6519331141..032c0d6b24 100644 --- a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb +++ b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb @@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://inetutils-1.9-PATH_PROCNET_DEV.patch \ file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ + file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \ + file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \ " inherit autotools gettext update-alternatives texinfo diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index e802bcee18..a4030b7b32 100644 --- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f" -PV = "20221107" +SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe" +PV = "20230416" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch new file mode 100644 index 0000000000..4c8aa085f3 --- /dev/null +++ b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch @@ -0,0 +1,994 @@ +From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 24 Mar 2023 13:56:25 +1100 +Subject: [PATCH] remove support for old libcrypto + +OpenSSH now requires LibreSSL 3.1.0 or greater or +OpenSSL 1.1.1 or greater + +with/ok dtucker@ + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0] +Comment: Hunks are refreshed. +Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> + +--- + .github/workflows/c-cpp.yml | 7 - + INSTALL | 8 +- + cipher-aes.c | 2 +- + configure.ac | 96 ++--- + openbsd-compat/libressl-api-compat.c | 556 +-------------------------- + openbsd-compat/openssl-compat.h | 151 +------- + 6 files changed, 40 insertions(+), 780 deletions(-) + +diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml +index 3d9aa22dba5..d299a32468d 100644 +--- a/.github/workflows/c-cpp.yml ++++ b/.github/workflows/c-cpp.yml +@@ -47,9 +47,6 @@ jobs: + - { target: ubuntu-20.04, config: tcmalloc } + - { target: ubuntu-20.04, config: musl } + - { target: ubuntu-latest, config: libressl-master } +- - { target: ubuntu-latest, config: libressl-2.2.9 } +- - { target: ubuntu-latest, config: libressl-2.8.3 } +- - { target: ubuntu-latest, config: libressl-3.0.2 } + - { target: ubuntu-latest, config: libressl-3.2.6 } + - { target: ubuntu-latest, config: libressl-3.3.6 } + - { target: ubuntu-latest, config: libressl-3.4.3 } +@@ -58,10 +55,6 @@ jobs: + - { target: ubuntu-latest, config: libressl-3.7.0 } + - { target: ubuntu-latest, config: openssl-master } + - { target: ubuntu-latest, config: openssl-noec } +- - { target: ubuntu-latest, config: openssl-1.0.1 } +- - { target: ubuntu-latest, config: openssl-1.0.1u } +- - { target: ubuntu-latest, config: openssl-1.0.2u } +- - { target: ubuntu-latest, config: openssl-1.1.0h } + - { target: ubuntu-latest, config: openssl-1.1.1 } + - { target: ubuntu-latest, config: openssl-1.1.1k } + - { target: ubuntu-latest, config: openssl-1.1.1n } +diff --git a/INSTALL b/INSTALL +index 68b15e13190..f99d1e2a809 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -21,12 +21,8 @@ https://zlib.net/ + + libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto + is supported but severely restricts the available ciphers and algorithms. +- - LibreSSL (https://www.libressl.org/) +- - OpenSSL (https://www.openssl.org) with any of the following versions: +- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 +- +-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to +-1.1.0g can't be used. ++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater ++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater + + LibreSSL/OpenSSL should be compiled as a position-independent library + (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" +diff --git a/cipher-aes.c b/cipher-aes.c +index 8b101727284..87c763353d8 100644 +--- a/cipher-aes.c ++++ b/cipher-aes.c +@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + static int + ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, +- LIBCRYPTO_EVP_INL_TYPE len) ++ size_t len) + { + struct ssh_rijndael_ctx *c; + u_char buf[RIJNDAEL_BLOCKSIZE]; +diff --git a/configure.ac b/configure.ac +index 22fee70f604..1c0ccdf19c5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then + #include <openssl/crypto.h> + #define DATA "conftest.ssllibver" + ]], [[ +- FILE *fd; +- int rc; ++ FILE *f; + +- fd = fopen(DATA,"w"); +- if(fd == NULL) ++ if ((f = fopen(DATA, "w")) == NULL) + exit(1); +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version SSLeay_version +-#endif +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- if ((rc = fprintf(fd, "%08lx (%s)\n", ++ if (fprintf(f, "%08lx (%s)", + (unsigned long)OpenSSL_version_num(), +- OpenSSL_version(OPENSSL_VERSION))) < 0) ++ OpenSSL_version(OPENSSL_VERSION)) < 0) ++ exit(1); ++#ifdef LIBRESSL_VERSION_NUMBER ++ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) ++ exit(1); ++#endif ++ if (fputc('\n', f) == EOF || fclose(f) == EOF) + exit(1); +- + exit(0); + ]])], + [ +- ssl_library_ver=`cat conftest.ssllibver` ++ sslver=`cat conftest.ssllibver` ++ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` + # Check version is supported. +- case "$ssl_library_ver" in +- 10000*|0*) +- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) +- ;; +- 100*) ;; # 1.0.x +- 101000[[0123456]]*) +- # https://github.com/openssl/openssl/pull/4613 +- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) ++ case "$sslver" in ++ 100*|10100*) # 1.0.x, 1.1.0x ++ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) + ;; + 101*) ;; # 1.1.x +- 200*) ;; # LibreSSL ++ 200*) # LibreSSL ++ lver=`echo "$sslver" | sed 's/.*libressl-//'` ++ case "$lver" in ++ 2*|300*) # 2.x, 3.0.0 ++ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) ++ ;; ++ *) ;; # Assume all other versions are good. ++ esac ++ ;; + 300*) + # OpenSSL 3; we use the 1.1x API + CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" +@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then + CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" + ;; + *) +- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) ++ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) + ;; + esac +- AC_MSG_RESULT([$ssl_library_ver]) ++ AC_MSG_RESULT([$ssl_showver]) + ], + [ + AC_MSG_RESULT([not found]) +@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then + + case "$host" in + x86_64-*) +- case "$ssl_library_ver" in ++ case "$sslver" in + 3000004*) + AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) + ;; +@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then + #include <openssl/opensslv.h> + #include <openssl/crypto.h> + ]], [[ +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif + exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); + ]])], + [ +@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then + ) + ) + +- # LibreSSL/OpenSSL 1.1x API ++ # LibreSSL/OpenSSL API differences + AC_CHECK_FUNCS([ \ +- OPENSSL_init_crypto \ +- DH_get0_key \ +- DH_get0_pqg \ +- DH_set0_key \ +- DH_set_length \ +- DH_set0_pqg \ +- DSA_get0_key \ +- DSA_get0_pqg \ +- DSA_set0_key \ +- DSA_set0_pqg \ +- DSA_SIG_get0 \ +- DSA_SIG_set0 \ +- ECDSA_SIG_get0 \ +- ECDSA_SIG_set0 \ + EVP_CIPHER_CTX_iv \ + EVP_CIPHER_CTX_iv_noconst \ + EVP_CIPHER_CTX_get_iv \ + EVP_CIPHER_CTX_get_updated_iv \ + EVP_CIPHER_CTX_set_iv \ +- RSA_get0_crt_params \ +- RSA_get0_factors \ +- RSA_get0_key \ +- RSA_set0_crt_params \ +- RSA_set0_factors \ +- RSA_set0_key \ +- RSA_meth_free \ +- RSA_meth_dup \ +- RSA_meth_set1_name \ +- RSA_meth_get_finish \ +- RSA_meth_set_priv_enc \ +- RSA_meth_set_priv_dec \ +- RSA_meth_set_finish \ +- EVP_PKEY_get0_RSA \ +- EVP_MD_CTX_new \ +- EVP_MD_CTX_free \ +- EVP_chacha20 \ + ]) + + if test "x$openssl_engine" = "xyes" ; then +@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then + ] + ) + +- # Check for SHA256, SHA384 and SHA512 support in OpenSSL +- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) ++ # Check for various EVP support in OpenSSL ++ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) + + # Check complete ECC support in OpenSSL + AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) +diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c +index 498180dc894..59be17397c5 100644 +--- a/openbsd-compat/libressl-api-compat.c ++++ b/openbsd-compat/libressl-api-compat.c +@@ -1,129 +1,5 @@ +-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ +-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ +-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ +-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +- * All rights reserved. +- * +- * This package is an SSL implementation written +- * by Eric Young (eay@cryptsoft.com). +- * The implementation was written so as to conform with Netscapes SSL. +- * +- * This library is free for commercial and non-commercial use as long as +- * the following conditions are aheared to. The following conditions +- * apply to all code found in this distribution, be it the RC4, RSA, +- * lhash, DES, etc., code; not just the SSL code. The SSL documentation +- * included with this distribution is covered by the same copyright terms +- * except that the holder is Tim Hudson (tjh@cryptsoft.com). +- * +- * Copyright remains Eric Young's, and as such any Copyright notices in +- * the code are not to be removed. +- * If this package is used in a product, Eric Young should be given attribution +- * as the author of the parts of the library used. +- * This can be in the form of a textual message at program startup or +- * in documentation (online or textual) provided with the package. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. All advertising materials mentioning features or use of this software +- * must display the following acknowledgement: +- * "This product includes cryptographic software written by +- * Eric Young (eay@cryptsoft.com)" +- * The word 'cryptographic' can be left out if the rouines from the library +- * being used are not cryptographic related :-). +- * 4. If you include any Windows specific code (or a derivative thereof) from +- * the apps directory (application code) you must include an acknowledgement: +- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" +- * +- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- * +- * The licence and distribution terms for any publically available version or +- * derivative of this code cannot be changed. i.e. this code cannot simply be +- * copied and put under another distribution licence +- * [including the GNU Public Licence.] +- */ +- +-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ +-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ +-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ +-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL +- * project 2000. +- */ +-/* ==================================================================== +- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * +- * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. +- * +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in +- * the documentation and/or other materials provided with the +- * distribution. +- * +- * 3. All advertising materials mentioning features or use of this +- * software must display the following acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" +- * +- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +- * endorse or promote products derived from this software without +- * prior written permission. For written permission, please contact +- * licensing@OpenSSL.org. +- * +- * 5. Products derived from this software may not be called "OpenSSL" +- * nor may "OpenSSL" appear in their names without prior written +- * permission of the OpenSSL Project. +- * +- * 6. Redistributions of any form whatsoever must retain the following +- * acknowledgment: +- * "This product includes software developed by the OpenSSL Project +- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" +- * +- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +- * OF THE POSSIBILITY OF SUCH DAMAGE. +- * ==================================================================== +- * +- * This product includes cryptographic software written by Eric Young +- * (eay@cryptsoft.com). This product includes software written by Tim +- * Hudson (tjh@cryptsoft.com). +- * +- */ +- +-/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ + /* +- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> ++ * Copyright (c) 2018 Damien Miller <djm@mindrot.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -147,192 +23,7 @@ + #include <stdlib.h> + #include <string.h> + +-#include <openssl/err.h> +-#include <openssl/bn.h> +-#include <openssl/dsa.h> +-#include <openssl/rsa.h> + #include <openssl/evp.h> +-#ifdef OPENSSL_HAS_ECC +-#include <openssl/ecdsa.h> +-#endif +-#include <openssl/dh.h> +- +-#ifndef HAVE_DSA_GET0_PQG +-void +-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = d->p; +- if (q != NULL) +- *q = d->q; +- if (g != NULL) +- *g = d->g; +-} +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int +-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || +- (d->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(d->p); +- d->p = p; +- } +- if (q != NULL) { +- BN_free(d->q); +- d->q = q; +- } +- if (g != NULL) { +- BN_free(d->g); +- d->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void +-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = d->pub_key; +- if (priv_key != NULL) +- *priv_key = d->priv_key; +-} +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int +-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (d->pub_key == NULL && pub_key == NULL) +- return 0; +- +- if (pub_key != NULL) { +- BN_free(d->pub_key); +- d->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(d->priv_key); +- d->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_KEY +-void +-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +-{ +- if (n != NULL) +- *n = r->n; +- if (e != NULL) +- *e = r->e; +- if (d != NULL) +- *d = r->d; +-} +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int +-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +-{ +- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) +- return 0; +- +- if (n != NULL) { +- BN_free(r->n); +- r->n = n; +- } +- if (e != NULL) { +- BN_free(r->e); +- r->e = e; +- } +- if (d != NULL) { +- BN_free(r->d); +- r->d = d; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void +-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp) +-{ +- if (dmp1 != NULL) +- *dmp1 = r->dmp1; +- if (dmq1 != NULL) +- *dmq1 = r->dmq1; +- if (iqmp != NULL) +- *iqmp = r->iqmp; +-} +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int +-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) +-{ +- if ((r->dmp1 == NULL && dmp1 == NULL) || +- (r->dmq1 == NULL && dmq1 == NULL) || +- (r->iqmp == NULL && iqmp == NULL)) +- return 0; +- +- if (dmp1 != NULL) { +- BN_free(r->dmp1); +- r->dmp1 = dmp1; +- } +- if (dmq1 != NULL) { +- BN_free(r->dmq1); +- r->dmq1 = dmq1; +- } +- if (iqmp != NULL) { +- BN_free(r->iqmp); +- r->iqmp = iqmp; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void +-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +-{ +- if (p != NULL) +- *p = r->p; +- if (q != NULL) +- *q = r->q; +-} +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int +-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) +-{ +- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(r->p); +- r->p = p; +- } +- if (q != NULL) { +- BN_free(r->q); +- r->q = q; +- } +- +- return 1; +-} +-#endif /* HAVE_RSA_SET0_FACTORS */ + + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + int +@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) + } + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_DSA_SIG_GET0 +-void +-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_DSA_SIG_GET0 */ +- +-#ifndef HAVE_DSA_SIG_SET0 +-int +-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- sig->r = r; +- BN_clear_free(sig->s); +- sig->s = s; +- +- return 1; +-} +-#endif /* HAVE_DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void +-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +-{ +- if (pr != NULL) +- *pr = sig->r; +- if (ps != NULL) +- *ps = sig->s; +-} +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int +-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +-{ +- if (r == NULL || s == NULL) +- return 0; +- +- BN_clear_free(sig->r); +- BN_clear_free(sig->s); +- sig->r = r; +- sig->s = s; +- return 1; +-} +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void +-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +-{ +- if (p != NULL) +- *p = dh->p; +- if (q != NULL) +- *q = dh->q; +- if (g != NULL) +- *g = dh->g; +-} +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int +-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +-{ +- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) +- return 0; +- +- if (p != NULL) { +- BN_free(dh->p); +- dh->p = p; +- } +- if (q != NULL) { +- BN_free(dh->q); +- dh->q = q; +- } +- if (g != NULL) { +- BN_free(dh->g); +- dh->g = g; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void +-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +-{ +- if (pub_key != NULL) +- *pub_key = dh->pub_key; +- if (priv_key != NULL) +- *priv_key = dh->priv_key; +-} +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int +-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +-{ +- if (pub_key != NULL) { +- BN_free(dh->pub_key); +- dh->pub_key = pub_key; +- } +- if (priv_key != NULL) { +- BN_free(dh->priv_key); +- dh->priv_key = priv_key; +- } +- +- return 1; +-} +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int +-DH_set_length(DH *dh, long length) +-{ +- if (length < 0 || length > INT_MAX) +- return 0; +- +- dh->length = length; +- return 1; +-} +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void +-RSA_meth_free(RSA_METHOD *meth) +-{ +- if (meth != NULL) { +- free((char *)meth->name); +- free(meth); +- } +-} +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD * +-RSA_meth_dup(const RSA_METHOD *meth) +-{ +- RSA_METHOD *copy; +- +- if ((copy = calloc(1, sizeof(*copy))) == NULL) +- return NULL; +- memcpy(copy, meth, sizeof(*copy)); +- if ((copy->name = strdup(meth->name)) == NULL) { +- free(copy); +- return NULL; +- } +- +- return copy; +-} +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int +-RSA_meth_set1_name(RSA_METHOD *meth, const char *name) +-{ +- char *copy; +- +- if ((copy = strdup(name)) == NULL) +- return 0; +- free((char *)meth->name); +- meth->name = copy; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int +-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) +-{ +- return meth->finish; +-} +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int +-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_enc = priv_enc; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int +-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +-{ +- meth->rsa_priv_dec = priv_dec; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int +-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) +-{ +- meth->finish = finish; +- return 1; +-} +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA * +-EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +-{ +- if (pkey->type != EVP_PKEY_RSA) { +- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ +- return NULL; +- } +- return pkey->pkey.rsa; +-} +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_NEW +-EVP_MD_CTX * +-EVP_MD_CTX_new(void) +-{ +- return calloc(1, sizeof(EVP_MD_CTX)); +-} +-#endif /* HAVE_EVP_MD_CTX_NEW */ +- +-#ifndef HAVE_EVP_MD_CTX_FREE +-void +-EVP_MD_CTX_free(EVP_MD_CTX *ctx) +-{ +- if (ctx == NULL) +- return; +- +- EVP_MD_CTX_cleanup(ctx); +- +- free(ctx); +-} +-#endif /* HAVE_EVP_MD_CTX_FREE */ +- + #endif /* WITH_OPENSSL */ +diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h +index 61a69dd56eb..d0dd2c3450d 100644 +--- a/openbsd-compat/openssl-compat.h ++++ b/openbsd-compat/openssl-compat.h +@@ -33,26 +33,13 @@ + int ssh_compatible_openssl(long, long); + void ssh_libcrypto_init(void); + +-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) +-# error OpenSSL 1.0.1 or greater is required ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) ++# error OpenSSL 1.1.0 or greater is required + #endif +- +-#ifndef OPENSSL_VERSION +-# define OPENSSL_VERSION SSLEAY_VERSION +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION +-# define OpenSSL_version(x) SSLeay_version(x) +-#endif +- +-#ifndef HAVE_OPENSSL_VERSION_NUM +-# define OpenSSL_version_num SSLeay +-#endif +- +-#if OPENSSL_VERSION_NUMBER < 0x10000001L +-# define LIBCRYPTO_EVP_INL_TYPE unsigned int +-#else +-# define LIBCRYPTO_EVP_INL_TYPE size_t ++#ifdef LIBRESSL_VERSION_NUMBER ++# if LIBRESSL_VERSION_NUMBER < 0x3010000fL ++# error LibreSSL 3.1.0 or greater is required ++# endif + #endif + + #ifndef OPENSSL_RSA_MAX_MODULUS_BITS +@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); + # endif + #endif + +-/* LibreSSL/OpenSSL 1.1x API compat */ +-#ifndef HAVE_DSA_GET0_PQG +-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DSA_GET0_PQG */ +- +-#ifndef HAVE_DSA_SET0_PQG +-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DSA_SET0_PQG */ +- +-#ifndef HAVE_DSA_GET0_KEY +-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, +- const BIGNUM **priv_key); +-#endif /* HAVE_DSA_GET0_KEY */ +- +-#ifndef HAVE_DSA_SET0_KEY +-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DSA_SET0_KEY */ +- + #ifndef HAVE_EVP_CIPHER_CTX_GET_IV + # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV + # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv +@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, + const unsigned char *iv, size_t len); + #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ + +-#ifndef HAVE_RSA_GET0_KEY +-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, +- const BIGNUM **d); +-#endif /* HAVE_RSA_GET0_KEY */ +- +-#ifndef HAVE_RSA_SET0_KEY +-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +-#endif /* HAVE_RSA_SET0_KEY */ +- +-#ifndef HAVE_RSA_GET0_CRT_PARAMS +-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, +- const BIGNUM **iqmp); +-#endif /* HAVE_RSA_GET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_SET0_CRT_PARAMS +-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +-#endif /* HAVE_RSA_SET0_CRT_PARAMS */ +- +-#ifndef HAVE_RSA_GET0_FACTORS +-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +-#endif /* HAVE_RSA_GET0_FACTORS */ +- +-#ifndef HAVE_RSA_SET0_FACTORS +-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +-#endif /* HAVE_RSA_SET0_FACTORS */ +- +-#ifndef DSA_SIG_GET0 +-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* DSA_SIG_GET0 */ +- +-#ifndef DSA_SIG_SET0 +-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* DSA_SIG_SET0 */ +- +-#ifdef OPENSSL_HAS_ECC +-#ifndef HAVE_ECDSA_SIG_GET0 +-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +-#endif /* HAVE_ECDSA_SIG_GET0 */ +- +-#ifndef HAVE_ECDSA_SIG_SET0 +-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); +-#endif /* HAVE_ECDSA_SIG_SET0 */ +-#endif /* OPENSSL_HAS_ECC */ +- +-#ifndef HAVE_DH_GET0_PQG +-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, +- const BIGNUM **g); +-#endif /* HAVE_DH_GET0_PQG */ +- +-#ifndef HAVE_DH_SET0_PQG +-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* HAVE_DH_SET0_PQG */ +- +-#ifndef HAVE_DH_GET0_KEY +-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +-#endif /* HAVE_DH_GET0_KEY */ +- +-#ifndef HAVE_DH_SET0_KEY +-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +-#endif /* HAVE_DH_SET0_KEY */ +- +-#ifndef HAVE_DH_SET_LENGTH +-int DH_set_length(DH *dh, long length); +-#endif /* HAVE_DH_SET_LENGTH */ +- +-#ifndef HAVE_RSA_METH_FREE +-void RSA_meth_free(RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_FREE */ +- +-#ifndef HAVE_RSA_METH_DUP +-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +-#endif /* HAVE_RSA_METH_DUP */ +- +-#ifndef HAVE_RSA_METH_SET1_NAME +-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); +-#endif /* HAVE_RSA_METH_SET1_NAME */ +- +-#ifndef HAVE_RSA_METH_GET_FINISH +-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); +-#endif /* HAVE_RSA_METH_GET_FINISH */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_ENC +-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ +- +-#ifndef HAVE_RSA_METH_SET_PRIV_DEC +-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, +- const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ +- +-#ifndef HAVE_RSA_METH_SET_FINISH +-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); +-#endif /* HAVE_RSA_METH_SET_FINISH */ +- +-#ifndef HAVE_EVP_PKEY_GET0_RSA +-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +-#endif /* HAVE_EVP_PKEY_GET0_RSA */ +- +-#ifndef HAVE_EVP_MD_CTX_new +-EVP_MD_CTX *EVP_MD_CTX_new(void); +-#endif /* HAVE_EVP_MD_CTX_new */ +- +-#ifndef HAVE_EVP_MD_CTX_free +-void EVP_MD_CTX_free(EVP_MD_CTX *ctx); +-#endif /* HAVE_EVP_MD_CTX_free */ +- + #endif /* WITH_OPENSSL */ + #endif /* _OPENSSL_COMPAT_H */ diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb index d3dedd1a5a..558e027f5d 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb @@ -24,8 +24,9 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \ " -SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" +SRC_URI[sha256sum] = "200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8" # This CVE is specific to OpenSSH with the pam opie which we don't build/use here CVE_CHECK_IGNORE += "CVE-2007-2768" diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 0b7abc3a11..502a7aaf32 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -1,6 +1,6 @@ -From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> -Date: Tue, 14 Sep 2021 12:18:25 +0200 +Date: Tue, 30 May 2023 09:11:27 -0700 Subject: [PATCH] Configure: do not tweak mips cflags This conflicts with mips machine definitons from yocto, @@ -9,20 +9,23 @@ e.g. Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + +Refreshed for openssl-3.1.1 +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- Configure | 10 ---------- 1 file changed, 10 deletions(-) -Index: openssl-3.0.4/Configure -=================================================================== ---- openssl-3.0.4.orig/Configure -+++ openssl-3.0.4/Configure -@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC} +diff --git a/Configure b/Configure +index 4569952..adf019b 100755 +--- a/Configure ++++ b/Configure +@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } -if ($target =~ /linux.*-mips/ && !$disabled{asm} -- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { - # minimally required architecture flags for assembly modules - my $value; - $value = '-mips2' if ($target =~ /mips32/); diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch deleted file mode 100644 index 33b0bb6c79..0000000000 --- a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch +++ /dev/null @@ -1,226 +0,0 @@ -From 2017771e2db3e2b96f89bbe8766c3209f6a99545 Mon Sep 17 00:00:00 2001 -From: Pauli <pauli@openssl.org> -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: [PATCH] x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz <tomas@openssl.org> -Reviewed-by: Shane Lontis <shane.lontis@oracle.com> -(Merged from https://github.com/openssl/openssl/pull/20570) - -Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545] -CVE: CVE-2023-0464 -Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> - ---- - crypto/x509/pcy_local.h | 8 +++++++- - crypto/x509/pcy_node.c | 12 +++++++++--- - crypto/x509/pcy_tree.c | 36 ++++++++++++++++++++++++++---------- - 3 files changed, 42 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc..cba107c 100644 ---- a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void ossl_policy_node_free(X509_POLICY_NODE *node); - int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c -index 9d9a7ea..450f95a 100644 ---- a/crypto/x509/pcy_node.c -+++ b/crypto/x509/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c -index fa45da5..f953a05 100644 ---- a/crypto/x509/pcy_tree.c -+++ b/crypto/x509/pcy_tree.c -@@ -14,6 +14,17 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - static void expected_print(BIO *channel, - X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) -@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - if ((data = ossl_policy_data_new(NULL, - OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { -+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { - ossl_policy_data_free(data); - goto bad_tree; - } -@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (ossl_policy_node_match(last, node, data->valid_policy)) { -- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. - */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { -+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { - ossl_policy_data_free(data); - return 0; - } -@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - /* Finally add link to anyPolicy */ - if (last->anyPolicy && - ossl_policy_level_add_node(curr, cache->anyPolicy, -- last->anyPolicy, NULL) == NULL) -+ last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; - node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, -- tree); -+ tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = ossl_policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) --- -2.25.1 - diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb index b319c66044..d55695dba4 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb @@ -12,14 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://fix_random_labels.patch \ - file://CVE-2023-0464.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4" +SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -119,7 +118,7 @@ do_configure () { target=linux-ppc64le ;; linux-riscv32) - target=linux-generic32 + target=linux-latomic ;; linux-riscv64) target=linux-generic64 @@ -138,7 +137,9 @@ do_configure () { fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" + test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } |