jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-07-24 11:46:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #24 from ccrisan/fix-ssl-timeouts

Browse Source 
Fix SSL timeouts
This commit is contained in:
Calin Crisan 2019-02-22 09:47:19 +02:00 committed by GitHub
commit 2a863ae6aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 1170 additions and 627 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
View File

@ -1,27 +1,31 @@
From 389efb564fa1453a9da835393eec9006bfae2a52 Mon Sep 17 00:00:00 2001
From d8f104bffb0c4acb8c5fcdf49628f7d02ed48f7f Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 16 May 2015 18:53:51 +0200
Subject: Dont waste time building manpages if we're not going to use em.
Subject: [PATCH] Dont waste time building manpages if we're not going to use
em.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
[Gustavo: update for parallel-build]
[rebased on openssl-1.1.0h]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
Makefile.org | 2 +-
Configurations/unix-Makefile.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.org b/Makefile.org
index 60f07cc..976ceaf 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -527,7 +527,7 @@ dist:
dist_pem_h:
(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 40cf2c3..777d9ca 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -268,7 +268,7 @@ list-tests:
@echo "Tests are not supported with your chosen Configure options"
@ : {- output_on() if !$disabled{tests}; "" -}
-install: install_docs install_sw
+install: install_sw
-install: install_sw install_ssldirs install_docs
+install: install_sw install_ssldirs
uninstall: uninstall_docs uninstall_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
--
1.9.1
2.16.3

29
package/libopenssl/0002-Reproducible-build-do-not-leak-compiler-path.patch Normal file
View File

@ -0,0 +1,29 @@
From b70be8c65365a8fc564226360d45adbbb29fc0af Mon Sep 17 00:00:00 2001
From: Peter Seiderer <ps.report@gmx.net>
Date: Tue, 24 Oct 2017 16:58:32 +0200
Subject: [PATCH] Reproducible build: do not leak compiler path
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Rebased on openssl-1.1.1.a]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
crypto/build.info | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/build.info b/crypto/build.info
index 2c619c6..49ca6ab 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$$(basename $(CC)) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
DEPEND[buildinf.h]=../configdata.pm
GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
--
2.20.1

450
package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
View File

@ -1,450 +0,0 @@
From 90fd7e8f1a316cda86ee442b43fcd7d5e5baeede Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Sat, 16 May 2015 18:55:08 +0200
Subject: cryptodev: Fix issue with signature generation
Forward port of 0001-cryptodev-Fix-issue-with-signature-generation.patch
from http://rt.openssl.org/Ticket/Display.html?id=2770&user=guest&pass=guest
It was originally targetted at 1.0.2-beta3.
Without this patch digest acceleration via cryptodev is broken.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
crypto/engine/eng_cryptodev.c | 195 +++++++++++++++++++++++++++++++-----------
1 file changed, 146 insertions(+), 49 deletions(-)
diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 926d95c..7021d9a 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -2,6 +2,7 @@
* Copyright (c) 2002 Bob Beck <beck@openbsd.org>
* Copyright (c) 2002 Theo de Raadt
* Copyright (c) 2002 Markus Friedl
+ * Copyright (c) 2012 Nikos Mavrogiannopoulos
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -72,7 +73,6 @@ struct dev_crypto_state {
struct session_op d_sess;
int d_fd;
# ifdef USE_CRYPTODEV_DIGESTS
- char dummy_mac_key[HASH_MAX_LEN];
unsigned char digest_res[HASH_MAX_LEN];
char *mac_data;
int mac_len;
@@ -189,8 +189,10 @@ static struct {
static struct {
int id;
int nid;
- int keylen;
+ int digestlen;
} digests[] = {
+#if 0
+ /* HMAC is not supported */
{
CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16
},
@@ -198,15 +200,15 @@ static struct {
CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20
},
{
- CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16
- /* ? */
+ CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32
},
{
- CRYPTO_MD5_KPDK, NID_undef, 0
+ CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48
},
{
- CRYPTO_SHA1_KPDK, NID_undef, 0
+ CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64
},
+#endif
{
CRYPTO_MD5, NID_md5, 16
},
@@ -214,6 +216,15 @@ static struct {
CRYPTO_SHA1, NID_sha1, 20
},
{
+ CRYPTO_SHA2_256, NID_sha256, 32
+ },
+ {
+ CRYPTO_SHA2_384, NID_sha384, 48
+ },
+ {
+ CRYPTO_SHA2_512, NID_sha512, 64
+ },
+ {
0, NID_undef, 0
},
};
@@ -288,13 +299,14 @@ static int get_cryptodev_ciphers(const int **cnids)
static int nids[CRYPTO_ALGORITHM_MAX];
struct session_op sess;
int fd, i, count = 0;
+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
if ((fd = get_dev_crypto()) < 0) {
*cnids = NULL;
return (0);
}
memset(&sess, 0, sizeof(sess));
- sess.key = (caddr_t) "123456789abcdefghijklmno";
+ sess.key = (void*)fake_key;
for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
if (ciphers[i].nid == NID_undef)
@@ -327,18 +339,19 @@ static int get_cryptodev_digests(const int **cnids)
static int nids[CRYPTO_ALGORITHM_MAX];
struct session_op sess;
int fd, i, count = 0;
+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
if ((fd = get_dev_crypto()) < 0) {
*cnids = NULL;
return (0);
}
memset(&sess, 0, sizeof(sess));
- sess.mackey = (caddr_t) "123456789abcdefghijklmno";
+ sess.mackey = fake_key;
for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
if (digests[i].nid == NID_undef)
continue;
sess.mac = digests[i].id;
- sess.mackeylen = digests[i].keylen;
+ sess.mackeylen = 8;
sess.cipher = 0;
if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
@@ -424,14 +437,14 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
cryp.ses = sess->ses;
cryp.flags = 0;
cryp.len = inl;
- cryp.src = (caddr_t) in;
- cryp.dst = (caddr_t) out;
+ cryp.src = (void*) in;
+ cryp.dst = (void*) out;
cryp.mac = 0;
cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
if (ctx->cipher->iv_len) {
- cryp.iv = (caddr_t) ctx->iv;
+ cryp.iv = (void*) ctx->iv;
if (!ctx->encrypt) {
iiv = in + inl - ctx->cipher->iv_len;
memcpy(save_iv, iiv, ctx->cipher->iv_len);
@@ -483,7 +496,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
if ((state->d_fd = get_dev_crypto()) < 0)
return (0);
- sess->key = (caddr_t) key;
+ sess->key = (void*)key;
sess->keylen = ctx->key_len;
sess->cipher = cipher;
@@ -749,16 +762,6 @@ static int digest_nid_to_cryptodev(int nid)
return (0);
}
-static int digest_key_length(int nid)
-{
- int i;
-
- for (i = 0; digests[i].id; i++)
- if (digests[i].nid == nid)
- return digests[i].keylen;
- return (0);
-}
-
static int cryptodev_digest_init(EVP_MD_CTX *ctx)
{
struct dev_crypto_state *state = ctx->md_data;
@@ -769,7 +772,6 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
printf("cryptodev_digest_init: Can't get digest \n");
return (0);
}
-
memset(state, 0, sizeof(struct dev_crypto_state));
if ((state->d_fd = get_dev_crypto()) < 0) {
@@ -777,8 +779,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
return (0);
}
- sess->mackey = state->dummy_mac_key;
- sess->mackeylen = digest_key_length(ctx->digest->type);
+ sess->mackey = NULL;
+ sess->mackeylen = 0;
sess->mac = digest;
if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
@@ -794,8 +796,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
size_t count)
{
- struct crypt_op cryp;
struct dev_crypto_state *state = ctx->md_data;
+ struct crypt_op cryp;
struct session_op *sess = &state->d_sess;
if (!data || state->d_fd < 0) {
@@ -804,7 +806,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
}
if (!count) {
- return (0);
+ return (1);
}
if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
@@ -828,9 +830,9 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
cryp.ses = sess->ses;
cryp.flags = 0;
cryp.len = count;
- cryp.src = (caddr_t) data;
+ cryp.src = (void*) data;
cryp.dst = NULL;
- cryp.mac = (caddr_t) state->digest_res;
+ cryp.mac = (void*) state->digest_res;
if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
printf("cryptodev_digest_update: digest failed\n");
return (0);
@@ -844,8 +846,6 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
struct dev_crypto_state *state = ctx->md_data;
struct session_op *sess = &state->d_sess;
- int ret = 1;
-
if (!md || state->d_fd < 0) {
printf("cryptodev_digest_final: illegal input\n");
return (0);
@@ -859,7 +859,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
cryp.len = state->mac_len;
cryp.src = state->mac_data;
cryp.dst = NULL;
- cryp.mac = (caddr_t) md;
+ cryp.mac = (void*)md;
if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
printf("cryptodev_digest_final: digest failed\n");
return (0);
@@ -870,7 +870,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
memcpy(md, state->digest_res, ctx->digest->md_size);
- return (ret);
+ return 1;
}
static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
@@ -921,8 +921,8 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
digest = digest_nid_to_cryptodev(to->digest->type);
- sess->mackey = dstate->dummy_mac_key;
- sess->mackeylen = digest_key_length(to->digest->type);
+ sess->mackey = NULL;
+ sess->mackeylen = 0;
sess->mac = digest;
dstate->d_fd = get_dev_crypto();
@@ -947,32 +947,116 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
const EVP_MD cryptodev_sha1 = {
NID_sha1,
- NID_undef,
+ NID_sha1WithRSAEncryption,
SHA_DIGEST_LENGTH,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
EVP_MD_FLAG_ONESHOT,
cryptodev_digest_init,
cryptodev_digest_update,
cryptodev_digest_final,
cryptodev_digest_copy,
cryptodev_digest_cleanup,
- EVP_PKEY_NULL_method,
+ EVP_PKEY_RSA_method,
SHA_CBLOCK,
- sizeof(struct dev_crypto_state),
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
};
-const EVP_MD cryptodev_md5 = {
+static const EVP_MD cryptodev_sha256 = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
+ EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA256_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha224 = {
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
+ EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA256_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha384 = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
+ EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha512 = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
+ EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_md5 = {
NID_md5,
- NID_undef,
+ NID_md5WithRSAEncryption,
16 /* MD5_DIGEST_LENGTH */ ,
+#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT)
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|
+ EVP_MD_FLAG_DIGALGID_ABSENT|
+#endif
EVP_MD_FLAG_ONESHOT,
cryptodev_digest_init,
cryptodev_digest_update,
cryptodev_digest_final,
cryptodev_digest_copy,
cryptodev_digest_cleanup,
- EVP_PKEY_NULL_method,
+ EVP_PKEY_RSA_method,
64 /* MD5_CBLOCK */ ,
- sizeof(struct dev_crypto_state),
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
};
# endif /* USE_CRYPTODEV_DIGESTS */
@@ -992,6 +1076,18 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
case NID_sha1:
*digest = &cryptodev_sha1;
break;
+ case NID_sha224:
+ *digest = &cryptodev_sha224;
+ break;
+ case NID_sha256:
+ *digest = &cryptodev_sha256;
+ break;
+ case NID_sha384:
+ *digest = &cryptodev_sha384;
+ break;
+ case NID_sha512:
+ *digest = &cryptodev_sha512;
+ break;
default:
# endif /* USE_CRYPTODEV_DIGESTS */
*digest = NULL;
@@ -1022,7 +1118,7 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp)
return (1);
memset(b, 0, bytes);
- crp->crp_p = (caddr_t) b;
+ crp->crp_p = (void*) b;
crp->crp_nbits = bits;
for (i = 0, j = 0; i < a->top; i++) {
@@ -1277,7 +1373,7 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
kop.crk_op = CRK_DSA_SIGN;
/* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
- kop.crk_param[0].crp_p = (caddr_t) dgst;
+ kop.crk_param[0].crp_p = (void*)dgst;
kop.crk_param[0].crp_nbits = dlen * 8;
if (bn2crparam(dsa->p, &kop.crk_param[1]))
goto err;
@@ -1317,7 +1413,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
kop.crk_op = CRK_DSA_VERIFY;
/* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
- kop.crk_param[0].crp_p = (caddr_t) dgst;
+ kop.crk_param[0].crp_p = (void*)dgst;
kop.crk_param[0].crp_nbits = dlen * 8;
if (bn2crparam(dsa->p, &kop.crk_param[1]))
goto err;
@@ -1398,9 +1494,10 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
kop.crk_iparams = 3;
- kop.crk_param[3].crp_p = (caddr_t) key;
- kop.crk_param[3].crp_nbits = keylen * 8;
+ kop.crk_param[3].crp_p = (void*) key;
+ kop.crk_param[3].crp_nbits = keylen;
kop.crk_oparams = 1;
+ dhret = keylen / 8;
if (ioctl(fd, CIOCKEY, &kop) == -1) {
const DH_METHOD *meth = DH_OpenSSL();
@@ -1470,7 +1567,7 @@ void ENGINE_load_cryptodev(void)
put_dev_crypto(fd);
if (!ENGINE_set_id(engine, "cryptodev") ||
- !ENGINE_set_name(engine, "BSD cryptodev engine") ||
+ !ENGINE_set_name(engine, "cryptodev engine") ||
!ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
!ENGINE_set_digests(engine, cryptodev_engine_digests) ||
!ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
--
1.9.1

27
package/libopenssl/0003-Introduce-the-OPENSSL_NO_MADVISE-to-disable-call-to-.patch Normal file
View File

@ -0,0 +1,27 @@
From 1281ffc7959bd2070563e17a52ee4424196d885c Mon Sep 17 00:00:00 2001
From: Patrick Havelange <patrick.havelange@essensium.com>
Date: Wed, 23 Jan 2019 12:21:21 +0100
Subject: [PATCH] Introduce the OPENSSL_NO_MADVISE to disable call to madvise()
Upstream: https://github.com/openssl/openssl/pull/8089
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
---
crypto/mem_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 9e0f670..32c7282 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -485,7 +485,7 @@ static int sh_init(size_t size, int minsize)
if (mlock(sh.arena, sh.arena_size) < 0)
ret = 2;
#endif
-#ifdef MADV_DONTDUMP
+#if defined(MADV_DONTDUMP) && !defined(OPENSSL_NO_MADVISE)
if (madvise(sh.arena, sh.arena_size, MADV_DONTDUMP) < 0)
ret = 2;
#endif
--
2.17.1

26
package/libopenssl/0003-Reproducible-build-do-not-leak-compiler-path.patch
View File

@ -1,26 +0,0 @@
From 875fcad2ad84877763cba86c1265b57679b878b0 Mon Sep 17 00:00:00 2001
From: Peter Seiderer <ps.report@gmx.net>
Date: Tue, 24 Oct 2017 16:58:32 +0200
Subject: [PATCH] Reproducible build: do not leak compiler path
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
crypto/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 7869996..7e63291 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -55,7 +55,7 @@ top:
all: shared
buildinf.h: ../Makefile
- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
+ $(PERL) $(TOP)/util/mkbuildinf.pl "$$(basename $(CC)) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
--
2.11.0

46
package/libopenssl/0004-apps-ocsp.c-Use-the-same-HAVE_FORK-NO_FORK-as-in-spe.patch Normal file
View File

@ -0,0 +1,46 @@
From 4c992673890f1d1ecb9aa46112b2ca80db016b67 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Mon, 12 Nov 2018 18:16:27 +0100
Subject: [PATCH] apps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c
This allows the user to override our defaults if needed, and in a
consistent manner.
Partial fix for #7607
Upstream: https://github.com/openssl/openssl/pull/7624
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
---
apps/ocsp.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 7fd78624bb..315b072932 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT
# include <openssl/x509v3.h>
# include <openssl/rand.h>
-# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
+# undef NO_FORK
+#else
+# define NO_FORK
+#endif
+
+# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
# define OCSP_DAEMON
# include <sys/types.h>
--
2.17.1

62
package/libopenssl/0005-Revert-Reduce-stack-usage-in-tls13_hkdf_expand.patch Normal file
View File

@ -0,0 +1,62 @@
From 56e0f123dc17cb99f50efbae4bbbab77f360818f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 3 Dec 2018 18:14:57 +0000
Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand"
This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
SSL_export_keying_material() may use longer label lengths.
Fixes #7712
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
(cherry picked from commit ed371b8cbac0d0349667558c061c1ae380cf75eb)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
ssl/tls13_enc.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b6825d20c2..f7ab0fa470 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -13,14 +13,7 @@
#include <openssl/evp.h>
#include <openssl/kdf.h>
-/*
- * RFC 8446, 7.1 Key Schedule, says:
- * Note: With common hash functions, any label longer than 12 characters
- * requires an additional iteration of the hash function to compute.
- * The labels in this specification have all been chosen to fit within
- * this limit.
- */
-#define TLS13_MAX_LABEL_LEN 12
+#define TLS13_MAX_LABEL_LEN 246
/* Always filled with zeros */
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen)
{
- static const unsigned char label_prefix[] = "tls13 ";
+ const unsigned char label_prefix[] = "tls13 ";
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
int ret;
size_t hkdflabellen;
size_t hashlen;
/*
- * 2 bytes for length of derived secret + 1 byte for length of combined
- * prefix and label + bytes for the label itself + 1 byte length of hash
- * + bytes for the hash itself
+ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
+ * prefix and label + bytes for the label itself + bytes for the hash
*/
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
--
2.20.1

426
package/libopenssl/0006-Fix-some-SSL_export_keying_material-issues.patch Normal file
View File

@ -0,0 +1,426 @@
From db860ea3dcf56a1993c66da22bd44460d7ac4914 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 4 Dec 2018 08:37:04 +0000
Subject: [PATCH] Fix some SSL_export_keying_material() issues
Fix some issues in tls13_hkdf_expand() which impact the above function
for TLSv1.3. In particular test that we can use the maximum label length
in TLSv1.3.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
(cherry picked from commit 0fb2815b873304d145ed00283454fc9f3bd35e6b)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
doc/man3/SSL_export_keying_material.pod | 3 +-
ssl/ssl_locl.h | 2 +-
ssl/statem/extensions.c | 2 +-
ssl/statem/statem_clnt.c | 2 +-
ssl/statem/statem_srvr.c | 2 +-
ssl/tls13_enc.c | 73 +++++++++++++++++--------
test/sslapitest.c | 48 ++++++++++++----
test/tls13secretstest.c | 2 +-
8 files changed, 92 insertions(+), 42 deletions(-)
diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
index abebf911fc..4c81a60ffb 100644
--- a/doc/man3/SSL_export_keying_material.pod
+++ b/doc/man3/SSL_export_keying_material.pod
@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
the IANA Exporter Label Registry
(L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
-to be used without registration.
+to be used without registration. TLSv1.3 imposes a maximum label length of
+249 bytes.
Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
above. Attempting to use it in SSLv3 will result in an error.
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 70e5a1740f..307131de93 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen);
+ unsigned char *out, size_t outlen, int fatal);
__owur int tls13_derive_key(SSL *s, const EVP_MD *md,
const unsigned char *secret, unsigned char *key,
size_t keylen);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 63e61c6184..716d6d23e0 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
/* Generate the binder key */
if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
- hashsize, binderkey, hashsize)) {
+ hashsize, binderkey, hashsize, 1)) {
/* SSLfatal() already called */
goto err;
}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5a8f1163df..a0e495d8e8 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
PACKET_data(&nonce),
PACKET_remaining(&nonce),
s->session->master_key,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index e7c11c4bea..a8e862ced5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
tick_nonce,
TICKET_NONCE_SIZE,
s->session->master_key,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index f7ab0fa470..c3021d18aa 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -13,7 +13,7 @@
#include <openssl/evp.h>
#include <openssl/kdf.h>
-#define TLS13_MAX_LABEL_LEN 246
+#define TLS13_MAX_LABEL_LEN 249
/* Always filled with zeros */
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
* Given a |secret|; a |label| of length |labellen|; and |data| of length
* |datalen| (e.g. typically a hash of the handshake messages), derive a new
* secret |outlen| bytes long and store it in the location pointed to be |out|.
- * The |data| value may be zero length. Returns 1 on success 0 on failure.
+ * The |data| value may be zero length. Any errors will be treated as fatal if
+ * |fatal| is set. Returns 1 on success 0 on failure.
*/
int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen)
+ unsigned char *out, size_t outlen, int fatal)
{
- const unsigned char label_prefix[] = "tls13 ";
+ static const unsigned char label_prefix[] = "tls13 ";
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
int ret;
size_t hkdflabellen;
size_t hashlen;
/*
- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
- * prefix and label + bytes for the label itself + bytes for the hash
+ * 2 bytes for length of derived secret + 1 byte for length of combined
+ * prefix and label + bytes for the label itself + 1 byte length of hash
+ * + bytes for the hash itself
*/
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
- + EVP_MAX_MD_SIZE];
+ + 1 + EVP_MAX_MD_SIZE];
WPACKET pkt;
if (pctx == NULL)
return 0;
+ if (labellen > TLS13_MAX_LABEL_LEN) {
+ if (fatal) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ } else {
+ /*
+ * Probably we have been called from SSL_export_keying_material(),
+ * or SSL_export_keying_material_early().
+ */
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
+ }
+ EVP_PKEY_CTX_free(pctx);
+ return 0;
+ }
+
hashlen = EVP_MD_size(md);
if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
|| !WPACKET_finish(&pkt)) {
EVP_PKEY_CTX_free(pctx);
WPACKET_cleanup(&pkt);
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
- ERR_R_INTERNAL_ERROR);
+ if (fatal)
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ else
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
EVP_PKEY_CTX_free(pctx);
- if (ret != 0)
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
- ERR_R_INTERNAL_ERROR);
+ if (ret != 0) {
+ if (fatal)
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ else
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
+ }
return ret == 0;
}
@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
static const unsigned char keylabel[] = "key";
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
- NULL, 0, key, keylen);
+ NULL, 0, key, keylen, 1);
}
/*
@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
static const unsigned char ivlabel[] = "iv";
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
- NULL, 0, iv, ivlen);
+ NULL, 0, iv, ivlen, 1);
}
int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
static const unsigned char finishedlabel[] = "finished";
return tls13_hkdf_expand(s, md, secret, finishedlabel,
- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
}
/*
@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
if (!tls13_hkdf_expand(s, md, prevsecret,
(unsigned char *)derived_secret_label,
sizeof(derived_secret_label) - 1, hash, mdlen,
- preextractsec, mdlen)) {
+ preextractsec, mdlen, 1)) {
/* SSLfatal() already called */
EVP_PKEY_CTX_free(pctx);
return 0;
@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
hashlen = (size_t)hashleni;
if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
- secret, hashlen)) {
+ secret, hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
early_exporter_master_secret,
sizeof(early_exporter_master_secret) - 1,
hashval, hashlen,
- s->early_exporter_master_secret, hashlen)) {
+ s->early_exporter_master_secret, hashlen,
+ 1)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
resumption_master_secret,
sizeof(resumption_master_secret) - 1,
hashval, hashlen, s->resumption_master_secret,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
exporter_master_secret,
sizeof(exporter_master_secret) - 1,
hash, hashlen, s->exporter_master_secret,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
|| EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|| !tls13_hkdf_expand(s, md, s->exporter_master_secret,
(const unsigned char *)label, llen,
- data, datalen, exportsecret, hashsize)
+ data, datalen, exportsecret, hashsize, 0)
|| !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
sizeof(exporterlabel) - 1, hash, hashsize,
- out, olen))
+ out, olen, 0))
goto err;
ret = 1;
@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
|| EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|| !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
(const unsigned char *)label, llen,
- data, datalen, exportsecret, hashsize)
+ data, datalen, exportsecret, hashsize, 0)
|| !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
sizeof(exporterlabel) - 1, hash, hashsize,
- out, olen))
+ out, olen, 0))
goto err;
ret = 1;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 108d57e478..a4bbb4fead 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst)
* no test vectors so all we do is test that both sides of the communication
* produce the same results for different protocol versions.
*/
+#define SMALL_LABEL_LEN 10
+#define LONG_LABEL_LEN 249
static int test_export_key_mat(int tst)
{
int testresult = 0;
SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
- const char label[] = "test label";
+ const char label[LONG_LABEL_LEN + 1] = "test label";
const unsigned char context[] = "context";
const unsigned char *emptycontext = NULL;
unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
+ size_t labellen;
const int protocols[] = {
TLS1_VERSION,
TLS1_1_VERSION,
TLS1_2_VERSION,
+ TLS1_3_VERSION,
+ TLS1_3_VERSION,
TLS1_3_VERSION
};
@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst)
return 1;
#endif
#ifdef OPENSSL_NO_TLS1_3
- if (tst == 3)
+ if (tst >= 3)
return 1;
#endif
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst)
SSL_ERROR_NONE)))
goto end;
+ if (tst == 5) {
+ /*
+ * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
+ * go over that.
+ */
+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
+ sizeof(ckeymat1), label,
+ LONG_LABEL_LEN + 1, context,
+ sizeof(context) - 1, 1), 0))
+ goto end;
+
+ testresult = 1;
+ goto end;
+ } else if (tst == 4) {
+ labellen = LONG_LABEL_LEN;
+ } else {
+ labellen = SMALL_LABEL_LEN;
+ }
+
if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
sizeof(ckeymat1), label,
- sizeof(label) - 1, context,
+ labellen, context,
sizeof(context) - 1, 1), 1)
|| !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
sizeof(ckeymat2), label,
- sizeof(label) - 1,
+ labellen,
emptycontext,
0, 1), 1)
|| !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
sizeof(ckeymat3), label,
- sizeof(label) - 1,
+ labellen,
NULL, 0, 0), 1)
|| !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
sizeof(skeymat1), label,
- sizeof(label) - 1,
+ labellen,
context,
sizeof(context) -1, 1),
1)
|| !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
sizeof(skeymat2), label,
- sizeof(label) - 1,
+ labellen,
emptycontext,
0, 1), 1)
|| !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
sizeof(skeymat3), label,
- sizeof(label) - 1,
+ labellen,
NULL, 0, 0), 1)
/*
* Check that both sides created the same key material with the
@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst)
* Check that an empty context and no context produce different results in
* protocols less than TLSv1.3. In TLSv1.3 they should be the same.
*/
- if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
+ if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
sizeof(ckeymat3)))
- || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
- sizeof(ckeymat3))))
+ || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
+ sizeof(ckeymat3))))
goto end;
testresult = 1;
@@ -5909,7 +5933,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_custom_exts, 3);
#endif
ADD_ALL_TESTS(test_serverinfo, 8);
- ADD_ALL_TESTS(test_export_key_mat, 4);
+ ADD_ALL_TESTS(test_export_key_mat, 6);
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
#endif
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index 724c170c56..66a0582887 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -236,7 +236,7 @@ static int test_secret(SSL *s, unsigned char *prk,
}
if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
- gensecret, hashsize)) {
+ gensecret, hashsize, 1)) {
TEST_error("Secret generation failed");
return 0;
}
--
2.20.1

15
package/libopenssl/libopenssl.hash
View File

@ -1,10 +1,5 @@
# From https://www.openssl.org/source/openssl-1.0.2p.tar.gz.sha256
sha256 50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00 openssl-1.0.2p.tar.gz
# From https://www.openssl.org/source/openssl-1.0.2p.tar.gz.sha1
sha1 f34b5322e92415755c7d58bf5d0d5cf37666382c openssl-1.0.2p.tar.gz
# Locally computed
sha256 eddd8a5123748052c598214487ac178e4bfa4e31ba2ec520c70d59c8c5bfa2e9 openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
sha256 147c3eeaad614c044749ea527cb433eae5e2d5cad34a78c6ba61cd967bfbe01f openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
sha256 30cb49489de5041841a74da9155cd4fabfbce33237262ba7cd23974314ae2956 openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
sha256 deaf6f3af41874ecc6d63841ea14b8e6c71cea81d4a511a754bc90c9a993147f openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
sha256 c8f60f4842bbad0353f5d81620e72b168b5638ca3a0a999f5da113b22491612e LICENSE
# From https://www.openssl.org/source/openssl-1.1.1a.tar.gz.sha256
sha256 fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 openssl-1.1.1a.tar.gz
# License files
sha256 350c7817af2ef980d3f3922bc5e0bb6a9d9f6cc21e784a699bcd2a31c74a84b1 LICENSE

65
package/libopenssl/libopenssl.mk
View File

@ -4,8 +4,8 @@
#
################################################################################
LIBOPENSSL_VERSION = 1.0.2p
LIBOPENSSL_SITE = http://www.openssl.org/source
LIBOPENSSL_VERSION = 1.1.1a
LIBOPENSSL_SITE = https://www.openssl.org/source
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = OpenSSL or SSLeay
LIBOPENSSL_LICENSE_FILES = LICENSE
@ -15,26 +15,40 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
LIBOPENSSL_TARGET_ARCH = generic32
LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
LIBOPENSSL_PROVIDES = openssl
LIBOPENSSL_PATCH = \
https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
# relocation truncated to fit: R_68K_GOT16O
ifeq ($(BR2_m68k_cf),y)
# relocation truncated to fit: R_68K_GOT16O
LIBOPENSSL_CFLAGS += -mxgot
# resolves an assembler "out of range error" with blake2 and sha512 algorithms
LIBOPENSSL_CFLAGS += -DOPENSSL_SMALL_FOOTPRINT
endif
ifeq ($(BR2_USE_MMU),)
LIBOPENSSL_CFLAGS += -DHAVE_FORK=0
LIBOPENSSL_CFLAGS += -DHAVE_FORK=0 -DOPENSSL_NO_MADVISE
endif
ifeq ($(BR2_PACKAGE_HAS_CRYPTODEV),y)
LIBOPENSSL_CFLAGS += -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
LIBOPENSSL_DEPENDENCIES += cryptodev
endif
# fixes the following build failures:
#
# - musl
# ./libcrypto.so: undefined reference to `getcontext'
# ./libcrypto.so: undefined reference to `setcontext'
# ./libcrypto.so: undefined reference to `makecontext'
#
# - uclibc:
# crypto/async/arch/../arch/async_posix.h:32:5: error: unknown type name ucontext_t
#
ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y)
LIBOPENSSL_CFLAGS += -DOPENSSL_NO_ASYNC
endif
ifeq ($(BR2_TOOLCHAIN_HAS_UCONTEXT),)
LIBOPENSSL_CFLAGS += -DOPENSSL_NO_ASYNC
endif
# Some architectures are optimized in OpenSSL
# Doesn't work for thumb-only (Cortex-M?)
ifeq ($(BR2_ARM_CPU_HAS_ARM),y)
@ -65,11 +79,13 @@ define HOST_LIBOPENSSL_CONFIGURE_CMDS
./config \
--prefix=$(HOST_DIR) \
--openssldir=$(HOST_DIR)/etc/ssl \
--libdir=/lib \
no-tests \
no-fuzz-libfuzzer \
no-fuzz-afl \
shared \
zlib-dynamic \
)
$(SED) "s#-O[0-9]#$(HOST_CFLAGS)#" $(@D)/Makefile
$(SED) "s#-O[0-9s]#$(HOST_CFLAGS)#" $(@D)/Makefile
endef
define LIBOPENSSL_CONFIGURE_CMDS
@ -80,18 +96,21 @@ define LIBOPENSSL_CONFIGURE_CMDS
linux-$(LIBOPENSSL_TARGET_ARCH) \
--prefix=/usr \
--openssldir=/etc/ssl \
--libdir=/lib \
$(if $(BR2_TOOLCHAIN_HAS_LIBATOMIC),-latomic) \
$(if $(BR2_TOOLCHAIN_HAS_THREADS),threads,no-threads) \
$(if $(BR2_STATIC_LIBS),no-shared,shared) \
$(if $(BR2_PACKAGE_HAS_CRYPTODEV),enable-devcryptoeng) \
no-rc5 \
enable-camellia \
enable-mdc2 \
enable-tlsext \
no-tests \
no-fuzz-libfuzzer \
no-fuzz-afl \
$(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
$(if $(BR2_STATIC_LIBS),no-dso) \
)
$(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
$(SED) "s#-O[0-9]#$(LIBOPENSSL_CFLAGS)#" $(@D)/Makefile
$(SED) "s#-O[0-9s]#$(LIBOPENSSL_CFLAGS)#" $(@D)/Makefile
$(SED) "s# build_tests##" $(@D)/Makefile
endef
@ -112,7 +131,7 @@ define LIBOPENSSL_BUILD_CMDS
endef
define LIBOPENSSL_INSTALL_STAGING_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(STAGING_DIR) install
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) install
endef
define HOST_LIBOPENSSL_INSTALL_CMDS
@ -120,7 +139,7 @@ define HOST_LIBOPENSSL_INSTALL_CMDS
endef
define LIBOPENSSL_INSTALL_TARGET_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(TARGET_DIR) install
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
rm -rf $(TARGET_DIR)/usr/lib/ssl
rm -f $(TARGET_DIR)/usr/bin/c_rehash
endef
@ -135,16 +154,6 @@ endef
LIBOPENSSL_POST_INSTALL_STAGING_HOOKS += LIBOPENSSL_FIXUP_STATIC_PKGCONFIG
endif
ifneq ($(BR2_STATIC_LIBS),y)
# libraries gets installed read only, so strip fails
define LIBOPENSSL_INSTALL_FIXUPS_SHARED
chmod +w $(TARGET_DIR)/usr/lib/engines/lib*.so
for i in $(addprefix $(TARGET_DIR)/usr/lib/,libcrypto.so.* libssl.so.*); \
do chmod +w $$i; done
endef
LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_INSTALL_FIXUPS_SHARED
endif
ifeq ($(BR2_PACKAGE_PERL),)
define LIBOPENSSL_REMOVE_PERL_SCRIPTS
$(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.pl,tsget}
@ -162,7 +171,7 @@ endif
ifneq ($(BR2_PACKAGE_LIBOPENSSL_ENGINES),y)
define LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
rm -rf $(TARGET_DIR)/usr/lib/engines
rm -rf $(TARGET_DIR)/usr/lib/engines-1.1
endef
LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
endif

44
package/openssh/0001-fix-pam-uclibc-pthreads-clash.patch
View File

@ -1,44 +0,0 @@
When PAM is enabled, openssh makes its own static versions of pthreads
functions. But when built with a uclibc toolchain, pthreads.h gets
indirectly included. The clashing exported and static definitions of
the pthreads functions then cause a compile error. This patch fixes
the problem by changing the static pthread function names with macros
when the static functions are defined.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
diff -urN openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
--- openssh-6.1p1.orig/auth-pam.c 2009-07-12 08:07:21.000000000 -0400
+++ openssh-6.1p1/auth-pam.c 2012-09-15 19:49:47.677288199 -0400
@@ -166,6 +166,7 @@
sigdie("PAM: authentication thread exited uncleanly");
}
+#define pthread_exit pthread_exit_AVOID_UCLIBC_PTHREAD_CLASH
/* ARGSUSED */
static void
pthread_exit(void *value)
@@ -173,6 +174,7 @@
_exit(0);
}
+#define pthread_create pthread_create_AVOID_UCLIBC_PTHREAD_CLASH
/* ARGSUSED */
static int
pthread_create(sp_pthread_t *thread, const void *attr,
@@ -200,6 +202,7 @@
}
}
+#define pthread_cancel pthread_cancel_AVOID_UCLIBC_PTHREAD_CLASH
static int
pthread_cancel(sp_pthread_t thread)
{
@@ -207,6 +210,7 @@
return (kill(thread, SIGTERM));
}
+#define pthread_join pthread_join_AVOID_UCLIBC_PTHREAD_CLASH
/* ARGSUSED */
static int
pthread_join(sp_pthread_t thread, void **value)

39
package/openssh/0001-upstream-disallow-empty-incoming-filename-or-ones-th.patch Normal file
View File

@ -0,0 +1,39 @@
From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 16 Nov 2018 03:03:10 +0000
Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
to the
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status (openssh-portable): commit 6010c0303a422
scp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 60682c68769b..4f3fdcd3db89 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
SCREWUP("size out of range");
size = (off_t)ull;
- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
run_err("error: unexpected filename: %s", cp);
exit(1);
}
--
2.20.1

49
package/openssh/0002-fix-howmany-include.patch
View File

@ -1,49 +0,0 @@
Update patch from 2fea21799223d41605556858a95b55e69e9960ca to openssh
version 6.8p1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff -Nura openssh-6.8p1.orig/openbsd-compat/bsd-poll.c openssh-6.8p1/openbsd-compat/bsd-poll.c
--- openssh-6.8p1.orig/openbsd-compat/bsd-poll.c 2015-03-18 07:11:46.184620677 -0300
+++ openssh-6.8p1/openbsd-compat/bsd-poll.c 2015-03-18 07:12:29.120094555 -0300
@@ -19,6 +19,7 @@
#include "includes.h"
#if !defined(HAVE_POLL)
+#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#ifdef HAVE_SYS_SELECT_H
diff -Nura openssh-6.8p1.orig/sshd.c openssh-6.8p1/sshd.c
--- openssh-6.8p1.orig/sshd.c 2015-03-18 07:11:46.187620780 -0300
+++ openssh-6.8p1/sshd.c 2015-03-18 07:13:11.889562735 -0300
@@ -44,6 +44,7 @@
#include "includes.h"
+#include <sys/param.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
diff -Nura openssh-6.8p1.orig/ssh-keyscan.c openssh-6.8p1/ssh-keyscan.c
--- openssh-6.8p1.orig/ssh-keyscan.c 2015-03-18 07:11:46.180620539 -0300
+++ openssh-6.8p1/ssh-keyscan.c 2015-03-18 07:13:32.092256248 -0300
@@ -9,6 +9,7 @@
#include "includes.h"
+#include <sys/param.h>
#include <sys/types.h>
#include "openbsd-compat/sys-queue.h"
#include <sys/resource.h>
diff -Nura openssh-6.8p1.orig/ssh-pkcs11-helper.c openssh-6.8p1/ssh-pkcs11-helper.c
--- openssh-6.8p1.orig/ssh-pkcs11-helper.c 2015-03-18 07:11:46.182620608 -0300
+++ openssh-6.8p1/ssh-pkcs11-helper.c 2015-03-18 07:13:43.620651993 -0300
@@ -17,6 +17,7 @@
#include "includes.h"
+#include <sys/param.h>
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>

275
package/openssh/0002-upstream-Sanitize-scp-filenames-via-snmprintf.-To-do.patch Normal file
View File

@ -0,0 +1,275 @@
From 5979bdfeca813dd7e997a1edb0f928d77ce70304 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Wed, 23 Jan 2019 08:01:46 +0000
Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
move
the progressmeter formatting outside of signal handler context and have the
atomicio callback called for EINTR too. bz#2434 with contributions from djm
and jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status (openssh-portable): backported from commit 8976f1c4b27
---
atomicio.c | 20 ++++++++++++++-----
progressmeter.c | 53 ++++++++++++++++++++++---------------------------
progressmeter.h | 3 ++-
scp.c | 1 +
sftp-client.c | 16 ++++++++-------
5 files changed, 51 insertions(+), 42 deletions(-)
diff --git a/atomicio.c b/atomicio.c
index f854a06f5f50..d91bd7621c12 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
#ifndef BROKEN_READ_COMPARISON
(void)poll(&pfd, 1, -1);
#endif
@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
#ifndef BROKEN_READV_COMPARISON
(void)poll(&pfd, 1, -1);
#endif
diff --git a/progressmeter.c b/progressmeter.c
index fe9bf52e4c90..add462dde500 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
+/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2003 Nils Nordman. All rights reserved.
*
@@ -31,6 +31,7 @@
#include <errno.h>
#include <signal.h>
+#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -39,6 +40,7 @@
#include "progressmeter.h"
#include "atomicio.h"
#include "misc.h"
+#include "utf8.h"
#define DEFAULT_WINSIZE 80
#define MAX_WINSIZE 512
@@ -61,7 +63,7 @@ static void setscreensize(void);
void refresh_progress_meter(void);
/* signal handler for updating the progress meter */
-static void update_progress_meter(int);
+static void sig_alarm(int);
static double start; /* start progress */
static double last_update; /* last progress update */
@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
static int win_size; /* terminal window size */
static volatile sig_atomic_t win_resized; /* for window resizing */
+static volatile sig_atomic_t alarm_fired;
/* units for format_size */
static const char unit[] = " KMGT";
@@ -126,9 +129,17 @@ refresh_progress_meter(void)
off_t bytes_left;
int cur_speed;
int hours, minutes, seconds;
- int i, len;
int file_len;
+ if ((!alarm_fired && !win_resized) || !can_output())
+ return;
+ alarm_fired = 0;
+
+ if (win_resized) {
+ setscreensize();
+ win_resized = 0;
+ }
+
transferred = *counter - (cur_pos ? cur_pos : start_pos);
cur_pos = *counter;
now = monotime_double();
@@ -158,16 +169,11 @@ refresh_progress_meter(void)
/* filename */
buf[0] = '\0';
- file_len = win_size - 35;
+ file_len = win_size - 36;
if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
- len = 0;
- if (len >= file_len + 1)
- len = file_len;
- for (i = len; i < file_len; i++)
- buf[i] = ' ';
- buf[file_len] = '\0';
+ buf[0] = '\r';
+ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
+ file_len * -1, file);
}
/* percent of transfer done */
@@ -228,22 +234,11 @@ refresh_progress_meter(void)
/*ARGSUSED*/
static void
-update_progress_meter(int ignore)
+sig_alarm(int ignore)
{
- int save_errno;
-
- save_errno = errno;
-
- if (win_resized) {
- setscreensize();
- win_resized = 0;
- }
- if (can_output())
- refresh_progress_meter();
-
- signal(SIGALRM, update_progress_meter);
+ signal(SIGALRM, sig_alarm);
+ alarm_fired = 1;
alarm(UPDATE_INTERVAL);
- errno = save_errno;
}
void
@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
bytes_per_second = 0;
setscreensize();
- if (can_output())
- refresh_progress_meter();
+ refresh_progress_meter();
- signal(SIGALRM, update_progress_meter);
+ signal(SIGALRM, sig_alarm);
signal(SIGWINCH, sig_winch);
alarm(UPDATE_INTERVAL);
}
@@ -286,6 +280,7 @@ stop_progress_meter(void)
static void
sig_winch(int sig)
{
+ signal(SIGWINCH, sig_winch);
win_resized = 1;
}
diff --git a/progressmeter.h b/progressmeter.h
index bf179dca6518..8f6678060195 100644
--- a/progressmeter.h
+++ b/progressmeter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
+/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2002 Nils Nordman. All rights reserved.
*
@@ -24,4 +24,5 @@
*/
void start_progress_meter(const char *, off_t, off_t *);
+void refresh_progress_meter(void);
void stop_progress_meter(void);
diff --git a/scp.c b/scp.c
index 4f3fdcd3db89..4a342a63873c 100644
--- a/scp.c
+++ b/scp.c
@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
off_t *cnt = (off_t *)_cnt;
*cnt += s;
+ refresh_progress_meter();
if (limit_kbps > 0)
bandwidth_limit(&bwlimit, s);
return 0;
diff --git a/sftp-client.c b/sftp-client.c
index 4986d6d8d291..2bc698f868bc 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
{
struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
- bandwidth_limit(bwlimit, amount);
+ refresh_progress_meter();
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
return 0;
}
@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
iov[1].iov_base = (u_char *)sshbuf_ptr(m);
iov[1].iov_len = sshbuf_len(m);
- if (atomiciov6(writev, conn->fd_out, iov, 2,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
+ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
sshbuf_len(m) + sizeof(mlen))
fatal("Couldn't send packet: %s", strerror(errno));
@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
if ((r = sshbuf_reserve(m, 4, &p)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, 4,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
+ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
if (errno == EPIPE || errno == ECONNRESET)
fatal("Connection closed");
else
@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, msg_len,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
+ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
!= msg_len) {
if (errno == EPIPE)
fatal("Connection closed");
--
2.20.1

186
package/openssh/0003-upstream-check-in-scp-client-that-filenames-sent-dur.patch Normal file
View File

@ -0,0 +1,186 @@
From f853123eda6b279a87be48e18bbea8dec82a94f2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 26 Jan 2019 22:41:28 +0000
Subject: [PATCH] upstream: check in scp client that filenames sent during
remote->local directory copies satisfy the wildcard specified by the user.
This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.
For this reason, this also adds a new -T flag to disable the check.
reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@
OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status (openssh-portable): backported from commit 8976f1c4b2
---
scp.1 | 12 +++++++++++-
scp.c | 37 +++++++++++++++++++++++++++++--------
2 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/scp.1 b/scp.1
index 0e5cc1b2d675..397e7709195a 100644
--- a/scp.1
+++ b/scp.1
@@ -18,7 +18,7 @@
.Nd secure copy (remote file copy program)
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346BCpqrv
+.Op Fl 346BCpqrTv
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
@@ -208,6 +208,16 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
+.It Fl T
+Disable strict filename checking.
+By default when copying files from a remote host to a local directory
+.Nm
+checks that the received filenames match those requested on the command-line
+to prevent the remote end from sending unexpected or unwanted files.
+Because of differences in how various operating systems and shells interpret
+filename wildcards, these checks may cause wanted files to be rejected.
+This option disables these checks at the expense of fully trusting that
+the server will not send unexpected filenames.
.It Fl v
Verbose mode.
Causes
diff --git a/scp.c b/scp.c
index 4a342a63873c..7b0a08efb274 100644
--- a/scp.c
+++ b/scp.c
@@ -94,6 +94,7 @@
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
+#include <fnmatch.h>
#include <limits.h>
#include <locale.h>
#include <pwd.h>
@@ -375,14 +376,14 @@ void verifydir(char *);
struct passwd *pwd;
uid_t userid;
int errs, remin, remout;
-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
#define CMDNEEDS 64
char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
int response(void);
void rsource(char *, struct stat *);
-void sink(int, char *[]);
+void sink(int, char *[], const char *);
void source(int, char *[]);
void tolocal(int, char *[]);
void toremote(int, char *[]);
@@ -421,8 +422,9 @@ main(int argc, char **argv)
addargs(&args, "-oRemoteCommand=none");
addargs(&args, "-oRequestTTY=no");
- fflag = tflag = 0;
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
+ fflag = Tflag = tflag = 0;
+ while ((ch = getopt(argc, argv,
+ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
switch (ch) {
/* User-visible flags. */
case '1':
@@ -501,9 +503,13 @@ main(int argc, char **argv)
setmode(0, O_BINARY);
#endif
break;
+ case 'T':
+ Tflag = 1;
+ break;
default:
usage();
}
+ }
argc -= optind;
argv += optind;
@@ -534,7 +540,7 @@ main(int argc, char **argv)
}
if (tflag) {
/* Receive data. */
- sink(argc, argv);
+ sink(argc, argv, NULL);
exit(errs != 0);
}
if (argc < 2)
@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
continue;
}
free(bp);
- sink(1, argv + argc - 1);
+ sink(1, argv + argc - 1, src);
(void) close(remin);
remin = remout = -1;
}
@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
(sizeof(type) != 4 && sizeof(type) != 8))
void
-sink(int argc, char **argv)
+sink(int argc, char **argv, const char *src)
{
static BUF buffer;
struct stat stb;
@@ -984,6 +990,7 @@ sink(int argc, char **argv)
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+ char *src_copy = NULL, *restrict_pattern = NULL;
struct timeval tv[2];
#define atime tv[0]
@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
(void) atomicio(vwrite, remout, "", 1);
if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
targisdir = 1;
+ if (src != NULL && !iamrecursive && !Tflag) {
+ /*
+ * Prepare to try to restrict incoming filenames to match
+ * the requested destination file glob.
+ */
+ if ((src_copy = strdup(src)) == NULL)
+ fatal("strdup failed");
+ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
+ *restrict_pattern++ = '\0';
+ }
+ }
for (first = 1;; first = 0) {
cp = buf;
if (atomicio(read, remin, cp, 1) != 1)
@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
run_err("error: unexpected filename: %s", cp);
exit(1);
}
+ if (restrict_pattern != NULL &&
+ fnmatch(restrict_pattern, cp, 0) != 0)
+ SCREWUP("filename does not match request");
if (targisdir) {
static char *namebuf;
static size_t cursize;
@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
goto bad;
}
vect[0] = xstrdup(np);
- sink(1, vect);
+ sink(1, vect, src);
if (setimes) {
setimes = 0;
if (utimes(vect[0], tv) < 0)
--
2.20.1

4
package/openssh/openssh.hash
View File

@ -1,4 +1,4 @@
# From http://www.openssh.com/txt/release-7.8 (base64 encoded)
sha256 1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca openssh-7.8p1.tar.gz
# From http://www.openssh.com/txt/release-7.9 (base64 encoded)
sha256 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad openssh-7.9p1.tar.gz
# Locally calculated
sha256 05a4c25ef464e19656c5259bd4f4da8428efab01044f3541b79fbb3ff209350f LICENCE

19
package/openssh/openssh.mk
View File

@ -4,13 +4,14 @@
#
################################################################################
OPENSSH_VERSION = 7.8p1
OPENSSH_VERSION = 7.9p1
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
OPENSSH_LICENSE_FILES = LICENCE
OPENSSH_CONF_ENV = LD="$(TARGET_CC)" LDFLAGS="$(TARGET_CFLAGS)"
OPENSSH_CONF_OPTS = \
--sysconfdir=/data/etc \
--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
--disable-lastlog \
--disable-utmp \
--disable-utmpx \
@ -18,8 +19,8 @@ OPENSSH_CONF_OPTS = \
--disable-wtmpx \
--disable-strip
define OPENSSH_USERS
sshd -1 sshd -1 * - - - SSH drop priv user
define OPENSSH_PERMISSIONS
/var/empty d 755 root root - - - - -
endef
ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
@ -56,12 +57,24 @@ else
OPENSSH_CONF_OPTS += --without-selinux
endif
ifeq ($(BR2_PACKAGE_SYSTEMD_SYSUSERS),y)
define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
$(INSTALL) -m 0644 -D package/openssh/sshd-sysusers.conf \
$(TARGET_DIR)/usr/lib/sysusers.d/sshd.conf
endef
else
define OPENSSH_USERS
sshd -1 sshd -1 * /var/empty - - SSH drop priv user
endef
endif
define OPENSSH_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 package/openssh/sshd.service \
$(TARGET_DIR)/usr/lib/systemd/system/sshd.service
mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
ln -fs ../../../../usr/lib/systemd/system/sshd.service \
$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshd.service
$(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
endef
define OPENSSH_INSTALL_INIT_SYSV

1
package/openssh/sshd-sysusers.conf Normal file
View File

@ -0,0 +1 @@
u sshd - "SSH drop priv user" /var/empty