main/libssh2: backport disable DSA

openssh server no longer builds with DSA so the tests were failing. Backport the upstream fix that also removes DSA from libssh2.
2024-09-20 11:23:16 +00:00 · 2024-08-05 13:04:13 +02:00 · 2024-08-05 13:04:13 +02:00 · d77f5d8e90
commit d77f5d8e90
parent a4aeb9b40b
2 changed files with 188 additions and 1 deletions
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libssh2
 pkgver=1.11.0
-pkgrel=2
+pkgrel=3
 pkgdesc="library for accessing ssh1/ssh2 protocol servers"
 url="https://libssh2.org/"
 arch="all"
@ -11,6 +11,7 @@ checkdepends="bash"
 subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"
 source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
 	add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch
+	disable-DSA-by-default.patch
 	"

 # secfixes:
@ -59,4 +60,5 @@ package() {
 sha512sums="
 ef85e152dc252bd9b1c05276972b9c22313f5d492743dde090235742746d67f634f2a419eff9162132e2274c8582113b75279b074e0c7b34b2526b92fd1a1e8e  libssh2-1.11.0.tar.gz
 5a3fc886962032d4f0a244942c0db216bb108d57ac79f454ec05527e76a744689a5dc89d6d20b5abc2a0b75144d7c2eb95286f23190ecaf9bbb456fb14922125  add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch
+826761d2d1cc0115f7b82ea3608ed57de98a39c219a819a86475c15fa37ca1d30e9d027e76c59b65ce45d8b52588330c81e89dbc006949c242ff11eb3c76bace  disable-DSA-by-default.patch
 "
--- a/main/libssh2/disable-DSA-by-default.patch
+++ b/main/libssh2/disable-DSA-by-default.patch
@ -0,0 +1,185 @@
+From b7ab0faa70567a789419798fe079f5678ad4e156 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 30 Jul 2024 20:00:05 +0200
+Subject: [PATCH] disable DSA by default
+
+Also:
+- add `LIBSSH2_DSA_ENABLE` to enable it explicitly.
+- test the above option in CI.
+- say 'deprecated' in docs and public header.
+- disable DSA in the CI server config.
+  (OpenSSH 9.8 no longer builds with it by default)
+  https://www.openssh.com/txt/release-9.8
+  Patch-by: Jose Quaresma
+- disable more DSA code when not enabled.
+
+Fixes #1433
+Closes #1435
+---
+ .github/workflows/ci.yml         |  2 +-
+ RELEASE-NOTES                    |  2 +-
+ docs/libssh2_knownhost_add.3     |  2 +-
+ docs/libssh2_knownhost_addc.3    |  2 +-
+ docs/libssh2_session_hostkey.3   |  2 +-
+ include/libssh2.h                |  4 ++--
+ src/crypto_config.h              |  2 +-
+ src/hostkey.c                    |  4 ++++
+ src/knownhost.c                  | 16 ++++++++++------
+ tests/openssh_server/sshd_config |  2 +-
+ 10 files changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/docs/libssh2_knownhost_add.3 b/docs/libssh2_knownhost_add.3
+index fa55a4e30b..c881e36f67 100644
+--- a/docs/libssh2_knownhost_add.3
+++ b/docs/libssh2_knownhost_add.3
+@@ -49,7 +49,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64.
+ 
+ The key is using one of these algorithms:
+ LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or
+-LIBSSH2_KNOWNHOST_KEY_SSHDSS.
+LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated).
+ 
+ \fIstore\fP should point to a pointer that gets filled in to point to the
+ known host data after the addition. NULL can be passed if you do not care about
+diff --git a/docs/libssh2_knownhost_addc.3 b/docs/libssh2_knownhost_addc.3
+index 94a6665469..5a1b8c5605 100644
+--- a/docs/libssh2_knownhost_addc.3
+++ b/docs/libssh2_knownhost_addc.3
+@@ -54,7 +54,7 @@ LIBSSH2_KNOWNHOST_KEYENC_RAW or LIBSSH2_KNOWNHOST_KEYENC_BASE64.
+ 
+ The key is using one of these algorithms:
+ LIBSSH2_KNOWNHOST_KEY_RSA1, LIBSSH2_KNOWNHOST_KEY_SSHRSA or
+-LIBSSH2_KNOWNHOST_KEY_SSHDSS.
+LIBSSH2_KNOWNHOST_KEY_SSHDSS (deprecated).
+ 
+ \fIstore\fP should point to a pointer that gets filled in to point to the
+ known host data after the addition. NULL can be passed if you do not care about
+diff --git a/docs/libssh2_session_hostkey.3 b/docs/libssh2_session_hostkey.3
+index 8892ba5903..4190843d81 100644
+--- a/docs/libssh2_session_hostkey.3
+++ b/docs/libssh2_session_hostkey.3
+@@ -16,7 +16,7 @@ Returns a pointer to the current host key, the value \fIlen\fP points to will
+ get the length of the key.
+ 
+ The value \fItype\fP points to the type of hostkey which is one of:
+-LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS, or
+LIBSSH2_HOSTKEY_TYPE_RSA, LIBSSH2_HOSTKEY_TYPE_DSS (deprecated), or
+ LIBSSH2_HOSTKEY_TYPE_UNKNOWN.
+ 
+ .SH RETURN VALUE
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 7167380124..8b16dd2e3c 100644
+--- a/include/libssh2.h
+++ b/include/libssh2.h
+@@ -502,7 +502,7 @@ typedef struct _LIBSSH2_POLLFD {
+ /* Hostkey Types */
+ #define LIBSSH2_HOSTKEY_TYPE_UNKNOWN            0
+ #define LIBSSH2_HOSTKEY_TYPE_RSA                1
+-#define LIBSSH2_HOSTKEY_TYPE_DSS                2
+#define LIBSSH2_HOSTKEY_TYPE_DSS                2  /* deprecated */
+ #define LIBSSH2_HOSTKEY_TYPE_ECDSA_256          3
+ #define LIBSSH2_HOSTKEY_TYPE_ECDSA_384          4
+ #define LIBSSH2_HOSTKEY_TYPE_ECDSA_521          5
+@@ -1147,7 +1147,7 @@ libssh2_knownhost_init(LIBSSH2_SESSION *session);
+ #define LIBSSH2_KNOWNHOST_KEY_SHIFT        18
+ #define LIBSSH2_KNOWNHOST_KEY_RSA1         (1<<18)
+ #define LIBSSH2_KNOWNHOST_KEY_SSHRSA       (2<<18)
+-#define LIBSSH2_KNOWNHOST_KEY_SSHDSS       (3<<18)
+#define LIBSSH2_KNOWNHOST_KEY_SSHDSS       (3<<18)  /* deprecated */
+ #define LIBSSH2_KNOWNHOST_KEY_ECDSA_256    (4<<18)
+ #define LIBSSH2_KNOWNHOST_KEY_ECDSA_384    (5<<18)
+ #define LIBSSH2_KNOWNHOST_KEY_ECDSA_521    (6<<18)
+diff --git a/src/crypto_config.h b/src/crypto_config.h
+index 5934e140b6..885a6a918d 100644
+--- a/src/crypto.h
+++ b/src/crypto.h
+@@ -20,7 +20,7 @@
+ #define LIBSSH2_HMAC_RIPEMD 0
+ #endif
+ 
+-#ifdef LIBSSH2_NO_DSA
+#if !defined(LIBSSH2_DSA_ENABLE)
+ #undef LIBSSH2_DSA
+ #define LIBSSH2_DSA 0
+ #endif
+diff --git a/src/hostkey.c b/src/hostkey.c
+index 40302f67ce..99eaf3e07f 100644
+--- a/src/hostkey.c
+++ b/src/hostkey.c
+@@ -1416,9 +1416,11 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
+     static const unsigned char rsa[] = {
+         0, 0, 0, 0x07, 's', 's', 'h', '-', 'r', 's', 'a'
+     };
+#if LIBSSH2_DSA
+     static const unsigned char dss[] = {
+         0, 0, 0, 0x07, 's', 's', 'h', '-', 'd', 's', 's'
+     };
+#endif
+     static const unsigned char ecdsa_256[] = {
+         0, 0, 0, 0x13, 'e', 'c', 'd', 's', 'a', '-', 's', 'h', 'a', '2', '-',
+         'n', 'i', 's', 't', 'p', '2', '5', '6'
+@@ -1441,8 +1443,10 @@ static int hostkey_type(const unsigned char *hostkey, size_t len)
+     if(!memcmp(rsa, hostkey, 11))
+         return LIBSSH2_HOSTKEY_TYPE_RSA;
+ 
+#if LIBSSH2_DSA
+     if(!memcmp(dss, hostkey, 11))
+         return LIBSSH2_HOSTKEY_TYPE_DSS;
+#endif
+ 
+     if(len < 15)
+         return LIBSSH2_HOSTKEY_TYPE_UNKNOWN;
+diff --git a/src/knownhost.c b/src/knownhost.c
+index 5eba6a108c..79500ec555 100644
+--- a/src/knownhost.c
+++ b/src/knownhost.c
+@@ -779,18 +779,20 @@ static int hostline(LIBSSH2_KNOWNHOSTS *hosts,
+         }
+         key_type_len = key - key_type_name;
+ 
+-        if(!strncmp(key_type_name, "ssh-dss", key_type_len))
+-            key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+-        else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
+-            key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+        if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
+            key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
+         else if(!strncmp(key_type_name, "ecdsa-sha2-nistp256", key_type_len))
+             key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
+         else if(!strncmp(key_type_name, "ecdsa-sha2-nistp384", key_type_len))
+             key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
+         else if(!strncmp(key_type_name, "ecdsa-sha2-nistp521", key_type_len))
+             key_type = LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
+-        else if(!strncmp(key_type_name, "ssh-ed25519", key_type_len))
+-            key_type = LIBSSH2_KNOWNHOST_KEY_ED25519;
+        else if(!strncmp(key_type_name, "ssh-rsa", key_type_len))
+            key_type = LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+#if LIBSSH2_DSA
+        else if(!strncmp(key_type_name, "ssh-dss", key_type_len))
+            key_type = LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+#endif
+         else
+             key_type = LIBSSH2_KNOWNHOST_KEY_UNKNOWN;
+ 
+@@ -1026,10 +1028,12 @@ knownhost_writeline(LIBSSH2_KNOWNHOSTS *hosts,
+         key_type_name = "ssh-rsa";
+         key_type_len = 7;
+         break;
+#if LIBSSH2_DSA
+     case LIBSSH2_KNOWNHOST_KEY_SSHDSS:
+         key_type_name = "ssh-dss";
+         key_type_len = 7;
+         break;
+#endif
+     case LIBSSH2_KNOWNHOST_KEY_ECDSA_256:
+         key_type_name = "ecdsa-sha2-nistp256";
+         key_type_len = 19;
+diff --git a/tests/openssh_server/sshd_config b/tests/openssh_server/sshd_config
+index 1069566f2a..5cd2b89816 100644
+--- a/tests/openssh_server/sshd_config
+++ b/tests/openssh_server/sshd_config
+@@ -1,4 +1,4 @@
+ HostKeyAlgorithms +ssh-rsa
+-PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes +ssh-rsa,ssh-rsa-cert-v01@openssh.com
+ MACs +hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+ Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com