diff --git a/openssh-7.3p1-openssl-1.1.0.patch b/openssh-7.3p1-openssl-1.1.0.patch index 70284dd..5062e6d 100644 --- a/openssh-7.3p1-openssl-1.1.0.patch +++ b/openssh-7.3p1-openssl-1.1.0.patch @@ -156,7 +156,7 @@ diff -up openssh/dh.c.openssl openssh/dh.c dh_new_group_asc(const char *gen, const char *modulus) { DH *dh; -+ BIGNUM *p, *g; ++ BIGNUM *p = NULL, *g = NULL; - if ((dh = DH_new()) == NULL) - return NULL; @@ -225,7 +225,7 @@ diff -up openssh/digest-openssl.c.openssl openssh/digest-openssl.c } struct ssh_digest_ctx * -@@ -118,8 +118,9 @@ ssh_digest_start(int alg) +@@ -118,8 +118,10 @@ ssh_digest_start(int alg) if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL)) return NULL; ret->alg = alg; @@ -234,6 +234,7 @@ diff -up openssh/digest-openssl.c.openssl openssh/digest-openssl.c + ret->mdctx = EVP_MD_CTX_new(); + if (ret->mdctx == NULL || + EVP_DigestInit_ex(ret->mdctx, digest->mdfunc(), NULL) != 1) { ++ EVP_MD_CTX_free(ret->mdctx); free(ret); return NULL; } @@ -730,7 +731,7 @@ diff -up openssh/kexgsss.c.openssl openssh/kexgsss.c diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c --- openssh/libcrypto-compat.c.openssl 2017-09-26 13:19:31.798249703 +0200 +++ openssh/libcrypto-compat.c 2017-09-26 13:19:31.798249703 +0200 -@@ -0,0 +1,546 @@ +@@ -0,0 +1,428 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * 
@@ -1013,27 +1014,6 @@ diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c + *priv_key = dh->priv_key; +} + -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) -+{ -+ /* If the field pub_key in dh is NULL, the corresponding input -+ * parameters MUST be non-NULL. The priv_key field may -+ * be left NULL. -+ */ -+ if (dh->pub_key == NULL && pub_key == NULL) -+ return 0; -+ -+ if (pub_key != NULL) { -+ BN_free(dh->pub_key); -+ dh->pub_key = pub_key; -+ } -+ if (priv_key != NULL) { -+ BN_free(dh->priv_key); -+ dh->priv_key = priv_key; -+ } -+ -+ return 1; -+} -+ +int DH_set_length(DH *dh, long length) +{ + dh->length = length; 
@@ -1179,108 +1159,11 @@ diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c + return pkey->pkey.rsa; +} + -+EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len) -+{ -+ EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER)); -+ -+ if (cipher != NULL) { -+ cipher->nid = cipher_type; -+ cipher->block_size = block_size; -+ cipher->key_len = key_len; -+ } -+ return cipher; -+} -+ -+void EVP_CIPHER_meth_free(EVP_CIPHER *cipher) -+{ -+ OPENSSL_free(cipher); -+} -+ -+int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len) -+{ -+ cipher->iv_len = iv_len; -+ return 1; -+} -+ -+int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags) -+{ -+ cipher->flags = flags; -+ return 1; -+} -+ -+int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher, -+ int (*init) (EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ const unsigned char *iv, -+ int enc)) -+{ -+ cipher->init = init; -+ return 1; -+} -+ -+int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher, -+ int (*do_cipher) (EVP_CIPHER_CTX *ctx, -+ unsigned char *out, -+ const unsigned char *in, -+ size_t inl)) -+{ -+ cipher->do_cipher = do_cipher; -+ return 1; -+} -+ -+int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher, -+ int (*cleanup) (EVP_CIPHER_CTX *)) -+{ -+ cipher->cleanup = cleanup; -+ return 1; -+} -+ -+int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, -+ int (*ctrl) (EVP_CIPHER_CTX *, int type, -+ int arg, void *ptr)) -+{ -+ cipher->ctrl = ctrl; -+ return 1; -+} -+ -+int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ const unsigned char *iv, -+ int enc) -+{ -+ return cipher->init; -+} -+ -+int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, -+ unsigned char *out, -+ const unsigned char *in, -+ size_t inl) -+{ -+ return cipher->do_cipher; -+} -+ -+int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *) -+{ -+ return cipher->cleanup; -+} -+ -+int 
(*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, -+ int type, int arg, -+ void *ptr) -+{ -+ return cipher->ctrl; -+} -+ -+int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) -+{ -+ return ctx->encrypt; -+} -+ +#endif /* OPENSSL_VERSION_NUMBER */ diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h --- openssh/libcrypto-compat.h.openssl 2017-09-26 13:19:31.798249703 +0200 +++ openssh/libcrypto-compat.h 2017-09-26 13:19:31.798249703 +0200 -@@ -0,0 +1,98 @@ +@@ -0,0 +1,59 @@ +#ifndef LIBCRYPTO_COMPAT_H +#define LIBCRYPTO_COMPAT_H + @@ -1313,7 +1196,6 @@ diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h +void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +int DH_set_length(DH *dh, long length); + +const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); 
@@ -1337,44 +1219,6 @@ diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h + +RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); + -+EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len); -+void EVP_CIPHER_meth_free(EVP_CIPHER *cipher); -+ -+int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len); -+int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags); -+int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher, -+ int (*init) (EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ const unsigned char *iv, -+ int enc)); -+int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher, -+ int (*do_cipher) (EVP_CIPHER_CTX *ctx, -+ unsigned char *out, -+ const unsigned char *in, -+ size_t inl)); -+int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher, -+ int (*cleanup) (EVP_CIPHER_CTX *)); -+int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, -+ int (*ctrl) (EVP_CIPHER_CTX *, int type, -+ int arg, void *ptr)); -+ -+int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ const unsigned char *iv, -+ int enc); -+int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, -+ unsigned char *out, -+ const unsigned char *in, -+ size_t inl); -+int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *); -+int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, -+ int type, int arg, -+ void *ptr); -+ -+#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_init(c) -+ -+int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx); -+ +#endif /* OPENSSL_VERSION_NUMBER */ + +#endif /* LIBCRYPTO_COMPAT_H */ 
@@ -2652,7 +2496,7 @@ diff -up openssh/sshkey.h.openssl openssh/sshkey.h diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c --- openssh/ssh-pkcs11-client.c.openssl 2017-09-19 06:26:43.000000000 +0200 +++ openssh/ssh-pkcs11-client.c 2017-09-26 13:19:31.803249734 +0200 -@@ -143,12 +143,14 @@ pkcs11_rsa_private_encrypt(int flen, con +@@ -143,12 +143,16 @@ pkcs11_rsa_private_encrypt(int flen, con static int wrap_key(RSA *rsa) { @@ -2665,6 +2509,8 @@ diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c - RSA_set_method(rsa, &helper_rsa); + if (helper_rsa == NULL) { + helper_rsa = RSA_meth_dup(RSA_get_default_method()); ++ if (helper_rsa == NULL) ++ error("RSA_meth_dup failed"); + RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper"); + RSA_meth_set_priv_enc(helper_rsa, pkcs11_rsa_private_encrypt); + } @@ -2684,6 +2530,14 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c char *keyid; int keyid_len; }; +@@ -183,6 +183,7 @@ pkcs11_rsa_finish(RSA *rsa) + if (k11->provider) + pkcs11_provider_unref(k11->provider); + free(k11->keyid); ++ RSA_meth_free(k11->rsa_method); + free(k11); + } + return (rv); @@ -326,13 +326,21 @@ pkcs11_rsa_wrap(struct pkcs11_provider * k11->keyid = xmalloc(k11->keyid_len); memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); @@ -2721,7 +2575,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c f = p->function_list; session = p->slotinfo[slotidx].session; -@@ -512,10 +521,14 @@ pkcs11_fetch_keys_filter(struct pkcs11_p +@@ -512,10 +521,16 @@ pkcs11_fetch_keys_filter(struct pkcs11_p if ((rsa = RSA_new()) == NULL) { error("RSA_new failed"); } else { @@ -2733,6 +2587,8 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c - rsa->e = BN_bin2bn(attribs[2].pValue, + rsa_e = BN_bin2bn(attribs[2].pValue, attribs[2].ulValueLen, NULL); ++ if (rsa_n == NULL || rsa_e == NULL) ++ error("BN_bin2bn failed"); + if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0) + error("RSA_set0_key failed"); }
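Review bot: The new `if (helper_rsa == NULL) error("RSA_meth_dup failed");` in wrap_key does not stop execution: OpenSSH's error() only logs, as far as I recall from log.c, so the very next lines pass the NULL helper_rsa to RSA_meth_set1_name() and RSA_meth_set_priv_enc(), which dereference it. Since the client cannot sign at all without the wrapped method, the check should abort or bail out, e.g. `if (helper_rsa == NULL) fatal("RSA_meth_dup failed");`, or return non-zero from wrap_key if its callers handle that. The remainder of wrap_key, including its return value, lies outside the hunk.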
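Review bot: In pkcs11_fetch_keys_filter the added `if (rsa_n == NULL || rsa_e == NULL) error("BN_bin2bn failed");` only logs (error() does not return early, as far as I recall), so control still reaches RSA_set0_key() with a NULL n or e; on a fresh RSA that call returns 0 before taking ownership, which logs a second error and leaks whichever BIGNUM was successfully created. The failure branch should free both BIGNUMs (BN_free is NULL-safe) and skip the set0 call, leaving rsa without n/e so the caller's later key check, which is outside this hunk and presumably still tests n and e, drops the key. The else block is closed inside the hunk but the rest of the function, including what happens to rsa afterwards, is not visible.
```c
			/* … unchanged: rsa_n / rsa_e = BN_bin2bn(...) … */
			if (rsa_n == NULL || rsa_e == NULL) {
				error("BN_bin2bn failed");
				BN_free(rsa_n);
				BN_free(rsa_e);
			} else if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
				error("RSA_set0_key failed");
```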