main/libssh2: backport disable DSA
The OpenSSH server no longer builds with DSA support, so the tests were failing. Backport the upstream fix, which also disables DSA by default in libssh2.
This commit is contained in:
parent
a4aeb9b40b
commit
d77f5d8e90
2 changed files with 188 additions and 1 deletions
@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libssh2
pkgver=1.11.0
pkgrel=2
pkgrel=3
pkgdesc="library for accessing ssh1/ssh2 protocol servers"
url="https://libssh2.org/"
arch="all"
|
@ -11,6 +11,7 @@ checkdepends="bash"
subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"
source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch
disable-DSA-by-default.patch
"
|
# secfixes:
|
@ -59,4 +60,5 @@ package() {
sha512sums="
ef85e152dc252bd9b1c05276972b9c22313f5d492743dde090235742746d67f634f2a419eff9162132e2274c8582113b75279b074e0c7b34b2526b92fd1a1e8e libssh2-1.11.0.tar.gz
5a3fc886962032d4f0a244942c0db216bb108d57ac79f454ec05527e76a744689a5dc89d6d20b5abc2a0b75144d7c2eb95286f23190ecaf9bbb456fb14922125 add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch
826761d2d1cc0115f7b82ea3608ed57de98a39c219a819a86475c15fa37ca1d30e9d027e76c59b65ce45d8b52588330c81e89dbc006949c242ff11eb3c76bace disable-DSA-by-default.patch
"
|
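Review bot: Nothing in the APKBUILD records that the packaged library now builds without DSA support, which is a behaviour change for consumers (ssh-dss host keys and ssh-dss known_hosts entries stop being recognised) rather than only a test fix. The new `source=` entry is the natural place for a one-line comment such as `# disables DSA host keys by default (OpenSSH 9.8 dropped them); build with LIBSSH2_DSA_ENABLE to restore`. The APKBUILD does not define LIBSSH2_DSA_ENABLE anywhere visible here, so DSA is presumably off in the shipped package — worth confirming that is the intended outcome rather than a side effect of fixing the test suite.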
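--- /dev/null
+++ b/main/libssh2/disable-DSA-by-default.patch
@@ -0,0 +1,185 @@
+From b7ab0faa70567a789419798fe079f5678ad4e156 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 30 Jul 2024 20:00:05 +0200
+Subject: [PATCH] disable DSA by default
+
+Also:
+- add `LIBSSH2_DSA_ENABLE` to enable it explicitly.
+- test the above option in CI.
+- say 'deprecated' in docs and public header.
+- disable DSA in the CI server config.
+(OpenSSH 9.8 no longer builds with it by default)
+https://www.openssh.com/txt/release-9.8
+Patch-by: Jose Quaresma
+- disable more DSA code when not enabled.
+
+Fixes #1433
+Closes #1435
+---
+.github/workflows/ci.yml | 2 +-
+RELEASE-NOTES | 2 +-
+docs/libssh2_knownhost_add.3 | 2 +-
+docs/libssh2_knownhost_addc.3 | 2 +-
+docs/libssh2_session_hostkey.3 | 2 +-
+include/libssh2.h | 4 ++--
+src/crypto_config.h | 2 +-
+src/hostkey.c | 4 ++++
+src/knownhost.c | 16 ++++++++++------
+tests/openssh_server/sshd_config | 2 +-
+10 files changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/docs/libssh2_knownhost_add.3 b/docs/libssh2_knownhost_add.3
+index fa55a4e30b..c881e36f67 100644
+--- a/docs/libssh2_knownhost_add.3
++++ b/docs/libssh2_knownhost_add.3
+@@ -49,7 +49,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64.
+
+The key is using one of these algorithms:
+LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or
+-LIBSSH2_KNOWNHOST_KEY_SSHDSS.
++LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated).
+
+\fIstore\fP should point to a pointer that gets filled in to point to the
+known host data after the addition. NULL can be passed if you do not care about
+diff --git a/docs/libssh2_knownhost_addc.3 b/docs/libssh2_knownhost_addc.3
+index 94a6665469..5a1b8c5605 100644
+--- a/docs/libssh2_knownhost_addc.3
++++ b/docs/libssh2_knownhost_addc.3
+@@ -54,7 +54,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64.
+
+The key is using one of these algorithms:
+LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or
+-LIBSSH2_KNOWNHOST_KEY_SSHDSS.
++LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated).
+
+\fIstore\fP should point to a pointer that gets filled in to point to the
+known host data after the addition. NULL can be passed if you do not care about
+diff --git a/docs/libssh2_session_hostkey.3 b/docs/libssh2_session_hostkey.3
+index 8892ba5903..4190843d81 100644
+--- a/docs/libssh2_session_hostkey.3
++++ b/docs/libssh2_session_hostkey.3
+@@ -16,7 +16,7 @@ Returns a pointer to the current host key, the value \fIlen\fP points to will
+get the length of the key.
+
+The value \fItype\fP points to the type of hostkey which is one of:
+-LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS, or
++LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS (deprecated), or
+LIBSSH2_HOSTKEY_TYPE_UNKNOWN.
+
+.SH RETURN VALUE
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 7167380124..8b16dd2e3c 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -502,7 +502,7 @@ typedef struct _LIBSSH2_POLLFD {
+/* Hostkey Types */
+#define LIBSSH2_HOSTKEY_TYPE_UNKNOWN 0
+#define LIBSSH2_HOSTKEY_TYPE_RSA 1
+-#define LIBSSH2_HOSTKEY_TYPE_DSS 2
++#define LIBSSH2_HOSTKEY_TYPE_DSS 2 /* deprecated */
+#define LIBSSH2_HOSTKEY_TYPE_ECDSA_256 3
+#define LIBSSH2_HOSTKEY_TYPE_ECDSA_384 4
+#define LIBSSH2_HOSTKEY_TYPE_ECDSA_521 5
+@@ -1147,7 +1147,7 @@ libssh2_knownhost_init(LIBSSH2_SESSION *session);
+#define LIBSSH2_KNOWNHOST_KEY_SHIFT 18
+#define LIBSSH2_KNOWNHOST_KEY_RSA1 (1<<18)
+#define LIBSSH2_KNOWNHOST_KEY_SSHRSA (2<<18)
+-#define LIBSSH2_KNOWNHOST_KEY_SSHDSS (3<<18)
++#define LIBSSH2_KNOWNHOST_KEY_SSHDSS (3<<18) /* deprecated */
+#define LIBSSH2_KNOWNHOST_KEY_ECDSA_256 (4<<18)
+#define LIBSSH2_KNOWNHOST_KEY_ECDSA_384 (5<<18)
+#define LIBSSH2_KNOWNHOST_KEY_ECDSA_521 (6<<18)
+diff --git a/src/crypto_config.h b/src/crypto_config.h
+index 5934e140b6..885a6a918d 100644
+--- a/src/crypto.h
++++ b/src/crypto.h
+@@ -20,7 +20,7 @@
+#define LIBSSH2_HMAC_RIPEMD 0
+#endif
+
+-#ifdef LIBSSH2_NO_DSA
++#if !defined(LIBSSH2_DSA_ENABLE)
+#undef LIBSSH2_DSA
+#define LIBSSH2_DSA 0
+#endif
+diff --git a/src/hostkey.c b/src/hostkey.c
+index 40302f67ce..99eaf3e07f 100644
+--- a/src/hostkey.c
++++ b/src/hostkey.c
+@@ -1416,9 +1416,11 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
+static const unsigned char rsa[] = {
+0, 0, 0, 0x07, 's', 's', 'h', '-', 'r', 's', 'a'
+};
++#if LIBSSH2_DSA
+static const unsigned char dss[] = {
+0, 0, 0, 0x07, 's', 's', 'h', '-', 'd', 's', 's'
+};
++#endif
+static const unsigned char ecdsa_256[] = {
+0, 0, 0, 0x13, 'e', 'c', 'd', 's', 'a', '-', 's', 'h', 'a', '2', '-',
+'n', 'i', 's', 't', 'p', '2', '5', '6'
+@@ -1441,8 +1443,10 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
+if(!memcmp(rsa, hostkey, 11))
+return LIBSSH2_HOSTKEY_TYPE_RSA;
+
++#if LIBSSH2_DSA
+if(!memcmp(dss, hostkey, 11))
+return LIBSSH2_HOSTKEY_TYPE_DSS;
++#endif
+
+if(len < 15)
+return LIBSSH2_HOSTKEY_TYPE_UNKNOWN;
+diff --git a/src/knownhost.c b/src/knownhost.c
+index 5eba6a108c..79500ec555 100644
+--- a/src/knownhost.c
++++ b/src/knownhost.c
+@@ -779,18 +779,20 @@ static int hostline(LIBSSH2_KNOWNHOSTS *hosts,
+}
+key_type_len = key - key_type_name;
+
+- if(!strncmp(key_type_name, "ssh-dss", key_type_len))
+- key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+- else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
+- key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
++ if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
++ key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
+else if(!strncmp(key_type_name, "ecdsa-sha2-nistp256", key_type_len))
+key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
+else if(!strncmp(key_type_name, "ecdsa-sha2-nistp384", key_type_len))
+key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
+else if(!strncmp(key_type_name, "ecdsa-sha2-nistp521", key_type_len))
+key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
+- else if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
+- key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
++ else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
++ key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
++#if LIBSSH2_DSA
++ else if(!strncmp(key_type_name, "ssh-dss", key_type_len))
++ key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
++#endif
+else
+key_type = LIBSSH2_KNOWNHOST_KEY_UNKNOWN;
+
+@@ -1026,10 +1028,12 @@ knownhost_writeline(LIBSSH2_KNOWNHOSTS *hosts,
+key_type_name = "ssh-rsa";
+key_type_len = 7;
+break;
++#if LIBSSH2_DSA
+case LIBSSH2_KNOWNHOST_KEY_SSHDSS:
+key_type_name = "ssh-dss";
+key_type_len = 7;
+break;
++#endif
+case LIBSSH2_KNOWNHOST_KEY_ECDSA_256:
+key_type_name = "ecdsa-sha2-nistp256";
+key_type_len = 19;
+diff --git a/tests/openssh_server/sshd_config b/tests/openssh_server/sshd_config
+index 1069566f2a..5cd2b89816 100644
+--- a/tests/openssh_server/sshd_config
++++ b/tests/openssh_server/sshd_config
+@@ -1,4 +1,4 @@
+HostKeyAlgorithms +ssh-rsa
+-PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com
++PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com
+MACs +hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com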
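Review bot: The crypto header hunk of the backported patch has an inconsistent header: the `diff --git a/src/crypto_config.h b/src/crypto_config.h` line names a file that the `---`/`+++` lines directly below it were rebased to `src/crypto.h`, so the two disagree about the target. abuild's `patch -p1` takes the path from the `---`/`+++` lines and the backport applies, but `git apply` and human readers go by the `diff --git` line, so it should be rebased too: `diff --git a/src/crypto.h b/src/crypto.h` (the upstream `index` blob ids on the next line are then also stale and can be dropped). The preamble diffstat still lists 10 files including `.github/workflows/ci.yml` and `RELEASE-NOTES`, which this backport does not carry; regenerating it with the eight hunks actually present avoids a misleading summary. One downstream consequence worth recording somewhere in the package: with `LIBSSH2_DSA` forced to 0 by the `#if !defined(LIBSSH2_DSA_ENABLE)` guard, `hostline()` now classifies existing `ssh-dss` known_hosts entries as `LIBSSH2_KNOWNHOST_KEY_UNKNOWN`, and how callers treat that value (not visible in this hunk) decides whether old known_hosts files degrade gracefully.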