Address issues of another PR#48 review

Jakub Jelen 2017-10-18 14:48:25 +02:00
parent c08aa4b8b1
commit e0e7ed914b


@ -156,7 +156,7 @@ diff -up openssh/dh.c.openssl openssh/dh.c
dh_new_group_asc(const char *gen, const char *modulus) dh_new_group_asc(const char *gen, const char *modulus)
{ {
DH *dh; DH *dh;
+ BIGNUM *p, *g; + BIGNUM *p = NULL, *g = NULL;
- if ((dh = DH_new()) == NULL) - if ((dh = DH_new()) == NULL)
- return NULL; - return NULL;
@ -225,7 +225,7 @@ diff -up openssh/digest-openssl.c.openssl openssh/digest-openssl.c
} }
struct ssh_digest_ctx * struct ssh_digest_ctx *
@@ -118,8 +118,9 @@ ssh_digest_start(int alg) @@ -118,8 +118,10 @@ ssh_digest_start(int alg)
if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL)) if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL))
return NULL; return NULL;
ret->alg = alg; ret->alg = alg;
@ -234,6 +234,7 @@ diff -up openssh/digest-openssl.c.openssl openssh/digest-openssl.c
+ ret->mdctx = EVP_MD_CTX_new(); + ret->mdctx = EVP_MD_CTX_new();
+ if (ret->mdctx == NULL || + if (ret->mdctx == NULL ||
+ EVP_DigestInit_ex(ret->mdctx, digest->mdfunc(), NULL) != 1) { + EVP_DigestInit_ex(ret->mdctx, digest->mdfunc(), NULL) != 1) {
+ EVP_MD_CTX_free(ret->mdctx);
free(ret); free(ret);
return NULL; return NULL;
} }
@ -730,7 +731,7 @@ diff -up openssh/kexgsss.c.openssl openssh/kexgsss.c
diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c
--- openssh/libcrypto-compat.c.openssl 2017-09-26 13:19:31.798249703 +0200 --- openssh/libcrypto-compat.c.openssl 2017-09-26 13:19:31.798249703 +0200
+++ openssh/libcrypto-compat.c 2017-09-26 13:19:31.798249703 +0200 +++ openssh/libcrypto-compat.c 2017-09-26 13:19:31.798249703 +0200
@@ -0,0 +1,546 @@ @@ -0,0 +1,428 @@
+/* +/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * + *
@ -1013,27 +1014,6 @@ diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c
+ *priv_key = dh->priv_key; + *priv_key = dh->priv_key;
+} +}
+ +
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+ /* If the field pub_key in dh is NULL, the corresponding input
+ * parameters MUST be non-NULL. The priv_key field may
+ * be left NULL.
+ */
+ if (dh->pub_key == NULL && pub_key == NULL)
+ return 0;
+
+ if (pub_key != NULL) {
+ BN_free(dh->pub_key);
+ dh->pub_key = pub_key;
+ }
+ if (priv_key != NULL) {
+ BN_free(dh->priv_key);
+ dh->priv_key = priv_key;
+ }
+
+ return 1;
+}
+
+int DH_set_length(DH *dh, long length) +int DH_set_length(DH *dh, long length)
+{ +{
+ dh->length = length; + dh->length = length;
@ -1179,108 +1159,11 @@ diff -up openssh/libcrypto-compat.c.openssl openssh/libcrypto-compat.c
+ return pkey->pkey.rsa; + return pkey->pkey.rsa;
+} +}
+ +
+EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len)
+{
+ EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER));
+
+ if (cipher != NULL) {
+ cipher->nid = cipher_type;
+ cipher->block_size = block_size;
+ cipher->key_len = key_len;
+ }
+ return cipher;
+}
+
+void EVP_CIPHER_meth_free(EVP_CIPHER *cipher)
+{
+ OPENSSL_free(cipher);
+}
+
+int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len)
+{
+ cipher->iv_len = iv_len;
+ return 1;
+}
+
+int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags)
+{
+ cipher->flags = flags;
+ return 1;
+}
+
+int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher,
+ int (*init) (EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv,
+ int enc))
+{
+ cipher->init = init;
+ return 1;
+}
+
+int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher,
+ int (*do_cipher) (EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl))
+{
+ cipher->do_cipher = do_cipher;
+ return 1;
+}
+
+int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher,
+ int (*cleanup) (EVP_CIPHER_CTX *))
+{
+ cipher->cleanup = cleanup;
+ return 1;
+}
+
+int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher,
+ int (*ctrl) (EVP_CIPHER_CTX *, int type,
+ int arg, void *ptr))
+{
+ cipher->ctrl = ctrl;
+ return 1;
+}
+
+int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv,
+ int enc)
+{
+ return cipher->init;
+}
+
+int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl)
+{
+ return cipher->do_cipher;
+}
+
+int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *)
+{
+ return cipher->cleanup;
+}
+
+int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
+ int type, int arg,
+ void *ptr)
+{
+ return cipher->ctrl;
+}
+
+int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx)
+{
+ return ctx->encrypt;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* OPENSSL_VERSION_NUMBER */
diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h
--- openssh/libcrypto-compat.h.openssl 2017-09-26 13:19:31.798249703 +0200 --- openssh/libcrypto-compat.h.openssl 2017-09-26 13:19:31.798249703 +0200
+++ openssh/libcrypto-compat.h 2017-09-26 13:19:31.798249703 +0200 +++ openssh/libcrypto-compat.h 2017-09-26 13:19:31.798249703 +0200
@@ -0,0 +1,98 @@ @@ -0,0 +1,59 @@
+#ifndef LIBCRYPTO_COMPAT_H +#ifndef LIBCRYPTO_COMPAT_H
+#define LIBCRYPTO_COMPAT_H +#define LIBCRYPTO_COMPAT_H
+ +
@ -1313,7 +1196,6 @@ diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h
+void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+int DH_set_length(DH *dh, long length); +int DH_set_length(DH *dh, long length);
+ +
+const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); +const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx);
@ -1337,44 +1219,6 @@ diff -up openssh/libcrypto-compat.h.openssl openssh/libcrypto-compat.h
+ +
+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+ +
+EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len);
+void EVP_CIPHER_meth_free(EVP_CIPHER *cipher);
+
+int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len);
+int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags);
+int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher,
+ int (*init) (EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv,
+ int enc));
+int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher,
+ int (*do_cipher) (EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl));
+int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher,
+ int (*cleanup) (EVP_CIPHER_CTX *));
+int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher,
+ int (*ctrl) (EVP_CIPHER_CTX *, int type,
+ int arg, void *ptr));
+
+int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv,
+ int enc);
+int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl);
+int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *);
+int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
+ int type, int arg,
+ void *ptr);
+
+#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_init(c)
+
+int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx);
+
+#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* OPENSSL_VERSION_NUMBER */
+ +
+#endif /* LIBCRYPTO_COMPAT_H */ +#endif /* LIBCRYPTO_COMPAT_H */
@ -2652,7 +2496,7 @@ diff -up openssh/sshkey.h.openssl openssh/sshkey.h
diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c
--- openssh/ssh-pkcs11-client.c.openssl 2017-09-19 06:26:43.000000000 +0200 --- openssh/ssh-pkcs11-client.c.openssl 2017-09-19 06:26:43.000000000 +0200
+++ openssh/ssh-pkcs11-client.c 2017-09-26 13:19:31.803249734 +0200 +++ openssh/ssh-pkcs11-client.c 2017-09-26 13:19:31.803249734 +0200
@@ -143,12 +143,14 @@ pkcs11_rsa_private_encrypt(int flen, con @@ -143,12 +143,16 @@ pkcs11_rsa_private_encrypt(int flen, con
static int static int
wrap_key(RSA *rsa) wrap_key(RSA *rsa)
{ {
@ -2665,6 +2509,8 @@ diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c
- RSA_set_method(rsa, &helper_rsa); - RSA_set_method(rsa, &helper_rsa);
+ if (helper_rsa == NULL) { + if (helper_rsa == NULL) {
+ helper_rsa = RSA_meth_dup(RSA_get_default_method()); + helper_rsa = RSA_meth_dup(RSA_get_default_method());
+ if (helper_rsa == NULL)
+ error("RSA_meth_dup failed");
+ RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper"); + RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper");
+ RSA_meth_set_priv_enc(helper_rsa, pkcs11_rsa_private_encrypt); + RSA_meth_set_priv_enc(helper_rsa, pkcs11_rsa_private_encrypt);
+ } + }
@ -2684,6 +2530,14 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
char *keyid; char *keyid;
int keyid_len; int keyid_len;
}; };
@@ -183,6 +183,7 @@ pkcs11_rsa_finish(RSA *rsa)
if (k11->provider)
pkcs11_provider_unref(k11->provider);
free(k11->keyid);
+ RSA_meth_free(k11->rsa_method);
free(k11);
}
return (rv);
@@ -326,13 +326,21 @@ pkcs11_rsa_wrap(struct pkcs11_provider * @@ -326,13 +326,21 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
k11->keyid = xmalloc(k11->keyid_len); k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
@ -2721,7 +2575,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
f = p->function_list; f = p->function_list;
session = p->slotinfo[slotidx].session; session = p->slotinfo[slotidx].session;
@@ -512,10 +521,14 @@ pkcs11_fetch_keys_filter(struct pkcs11_p @@ -512,10 +521,16 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
if ((rsa = RSA_new()) == NULL) { if ((rsa = RSA_new()) == NULL) {
error("RSA_new failed"); error("RSA_new failed");
} else { } else {
@ -2733,6 +2587,8 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
- rsa->e = BN_bin2bn(attribs[2].pValue, - rsa->e = BN_bin2bn(attribs[2].pValue,
+ rsa_e = BN_bin2bn(attribs[2].pValue, + rsa_e = BN_bin2bn(attribs[2].pValue,
attribs[2].ulValueLen, NULL); attribs[2].ulValueLen, NULL);
+ if (rsa_n == NULL || rsa_e == NULL)
+ error("BN_bin2bn failed");
+ if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0) + if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
+ error("RSA_set0_key failed"); + error("RSA_set0_key failed");
} }
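Review bot: In the wrap_key() hunk of ssh-pkcs11-client.c, the added `if (helper_rsa == NULL) error("RSA_meth_dup failed");` only logs, because OpenSSH's error() returns to the caller, so the following `RSA_meth_set1_name(helper_rsa, ...)` and `RSA_meth_set_priv_enc(helper_rsa, ...)` still receive the NULL pointer and will dereference it. Make the failure terminal with `fatal("RSA_meth_dup failed");`, or return an error from wrap_key() if its callers check the result (they are not visible here). The pkcs11_fetch_keys_filter hunk in ssh-pkcs11.c has the same log-and-continue shape: after `error("BN_bin2bn failed")` it still calls `RSA_set0_key(rsa, rsa_n, rsa_e, NULL)`, which does not take ownership when it fails, so whichever BIGNUM was allocated appears to leak. There the failure branch should call `BN_free(rsa_n); BN_free(rsa_e);` and skip the key instead of falling through. Both functions continue outside the lines shown.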