package/libssh2: update the patches to be applied with fuzz 0

passgat · RomainNaour · commit 4ac1b91806cb · 2024-07-03T22:12:02.000+02:00
Commit 8f88a64 ("support/scripts/apply-patches.sh: set the maximum fuzz factor to 0") reduced the fuzz factor. Due to this change, libssh2 fails to build with output: Applying 0002-src-add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch using patch: patching file src/kex.c Hunk #1 succeeded at 3037 (offset 5 lines). Hunk #2 succeeded at 3062 (offset 5 lines). Hunk buildroot#3 succeeded at 3315 (offset 5 lines). Hunk #4 succeeded at 3406 (offset 5 lines). Hunk buildroot#5 succeeded at 3440 (offset 5 lines). Hunk buildroot#6 succeeded at 3476 (offset 5 lines). Hunk #7 succeeded at 3489 (offset 5 lines). Hunk #8 succeeded at 3523 (offset 5 lines). Hunk buildroot#9 succeeded at 3569 (offset 5 lines). Hunk buildroot#10 succeeded at 3591 (offset 5 lines). Hunk buildroot#11 succeeded at 3633 (offset 5 lines). Hunk #12 succeeded at 3654 (offset 5 lines). Hunk #13 succeeded at 3687 (offset 5 lines). Hunk buildroot#14 succeeded at 3709 (offset 5 lines). Hunk buildroot#15 succeeded at 3892 (offset 5 lines). Hunk #16 succeeded at 3918 (offset 5 lines). Hunk #17 succeeded at 3967 (offset 5 lines). patching file src/libssh2_priv.h Hunk #1 succeeded at 699 (offset -37 lines). Hunk #2 succeeded at 873 (offset -38 lines). Hunk buildroot#3 succeeded at 914 (offset -38 lines). Hunk #4 succeeded at 1149 (offset -38 lines). patching file src/packet.c Hunk #1 succeeded at 605 (offset -19 lines). Hunk #2 succeeded at 656 (offset -19 lines). Hunk buildroot#3 succeeded at 1404 (offset -23 lines). Hunk #4 succeeded at 1474 (offset -23 lines). patching file src/packet.h Hunk #1 FAILED at 72. 1 out of 1 hunk FAILED -- saving rejects to file src/packet.h.rej This commit refreshes the package patches on the current package version. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Romain Naour <romain.naour@smile.fr>
diff --git a/package/libssh2/0002-src-add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch b/package/libssh2/0002-src-add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-Attack.patch
@@ -1,4 +1,4 @@
-From d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a Mon Sep 17 00:00:00 2001
+From 3a80751dce7b7d98b9d9006fb37213a1e4af7ac5 Mon Sep 17 00:00:00 2001
 From: Michael Buckley <michael@buckleyisms.com>
 Date: Thu, 30 Nov 2023 15:08:02 -0800
 Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
@@ -15,6 +15,8 @@ Closes #1291
 
 Upstream: https://github.com/libssh2/libssh2/commit/d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Dario: make the patch to be applied with fuzz factor 0]
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
 ---
  src/kex.c          | 63 +++++++++++++++++++++++------------
  src/libssh2_priv.h | 18 +++++++---
@@ -25,10 +27,10 @@ Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  6 files changed, 149 insertions(+), 32 deletions(-)
 
 diff --git a/src/kex.c b/src/kex.c
-index 8e7b7f0af3..a7b301e157 100644
+index d4034a0a953e..b4b748cac4ee 100644
 --- a/src/kex.c
 +++ b/src/kex.c
-@@ -3032,6 +3032,13 @@ kex_method_extension_negotiation = {
+@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = {
      0,
  };
  
@@ -42,15 +44,15 @@ index 8e7b7f0af3..a7b301e157 100644
  static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
  #if LIBSSH2_ED25519
      &kex_method_ssh_curve25519_sha256,
-@@ -3050,6 +3057,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
      &kex_method_diffie_helman_group1_sha1,
      &kex_method_diffie_helman_group_exchange_sha1,
      &kex_method_extension_negotiation,
 +    &kex_method_strict_client_extension,
      NULL
  };
  
-@@ -3302,13 +3310,13 @@ static int kexinit(LIBSSH2_SESSION * session)
+@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session)
      return 0;
  }
  
@@ -68,7 +70,7 @@ index 8e7b7f0af3..a7b301e157 100644
  {
      unsigned char *s;
      unsigned char *end_haystack;
-@@ -3393,7 +3401,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
          while(s && *s) {
              unsigned char *p = (unsigned char *) strchr((char *) s, ',');
              size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
@@ -77,7 +79,7 @@ index 8e7b7f0af3..a7b301e157 100644
                  const LIBSSH2_HOSTKEY_METHOD *method =
                      (const LIBSSH2_HOSTKEY_METHOD *)
                      kex_get_method_by_name((char *) s, method_len,
-@@ -3427,9 +3435,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
      }
  
      while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
@@ -90,7 +92,7 @@ index 8e7b7f0af3..a7b301e157 100644
          if(s) {
              /* So far so good, but does it suit our purposes? (Encrypting vs
                 Signing) */
-@@ -3463,6 +3471,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
  {
      const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods;
      unsigned char *s;
@@ -103,7 +105,7 @@ index 8e7b7f0af3..a7b301e157 100644
  
      if(session->kex_prefs) {
          s = (unsigned char *) session->kex_prefs;
-@@ -3470,7 +3484,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
          while(s && *s) {
              unsigned char *q, *p = (unsigned char *) strchr((char *) s, ',');
              size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
@@ -112,7 +114,7 @@ index 8e7b7f0af3..a7b301e157 100644
              if(q) {
                  const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *)
                      kex_get_method_by_name((char *) s, method_len,
-@@ -3504,9 +3518,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
      }
  
      while(*kexp && (*kexp)->name) {
@@ -125,7 +127,7 @@ index 8e7b7f0af3..a7b301e157 100644
          if(s) {
              /* We've agreed on a key exchange method,
               * Can we agree on a hostkey that works with this kex?
-@@ -3550,7 +3564,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
              unsigned char *p = (unsigned char *) strchr((char *) s, ',');
              size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
  
@@ -134,7 +136,7 @@ index 8e7b7f0af3..a7b301e157 100644
                  const LIBSSH2_CRYPT_METHOD *method =
                      (const LIBSSH2_CRYPT_METHOD *)
                      kex_get_method_by_name((char *) s, method_len,
-@@ -3572,9 +3586,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
      }
  
      while(*cryptp && (*cryptp)->name) {
@@ -147,7 +149,7 @@ index 8e7b7f0af3..a7b301e157 100644
          if(s) {
              endpoint->crypt = *cryptp;
              return 0;
-@@ -3614,7 +3628,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
              unsigned char *p = (unsigned char *) strchr((char *) s, ',');
              size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
  
@@ -156,7 +158,7 @@ index 8e7b7f0af3..a7b301e157 100644
                  const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *)
                      kex_get_method_by_name((char *) s, method_len,
                                             (const LIBSSH2_COMMON_METHOD **)
-@@ -3635,8 +3649,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
      }
  
      while(*macp && (*macp)->name) {
@@ -168,7 +170,7 @@ index 8e7b7f0af3..a7b301e157 100644
          if(s) {
              endpoint->mac = *macp;
              return 0;
-@@ -3667,7 +3682,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
              unsigned char *p = (unsigned char *) strchr((char *) s, ',');
              size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
  
@@ -177,7 +179,7 @@ index 8e7b7f0af3..a7b301e157 100644
                  const LIBSSH2_COMP_METHOD *method =
                      (const LIBSSH2_COMP_METHOD *)
                      kex_get_method_by_name((char *) s, method_len,
-@@ -3689,8 +3704,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
      }
  
      while(*compp && (*compp)->name) {
@@ -189,23 +191,23 @@ index 8e7b7f0af3..a7b301e157 100644
          if(s) {
              endpoint->comp = *compp;
              return 0;
-@@ -3871,6 +3887,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
                  session->local.kexinit = key_state->oldlocal;
                  session->local.kexinit_len = key_state->oldlocal_len;
                  key_state->state = libssh2_NB_state_idle;
 +                session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
                  session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
                  session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
                  return -1;
-@@ -3896,6 +3913,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
                  session->local.kexinit = key_state->oldlocal;
                  session->local.kexinit_len = key_state->oldlocal_len;
                  key_state->state = libssh2_NB_state_idle;
 +                session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
                  session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
                  session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
                  return -1;
-@@ -3944,6 +3962,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
          session->remote.kexinit = NULL;
      }
  
@@ -214,10 +216,10 @@ index 8e7b7f0af3..a7b301e157 100644
      session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
  
 diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
-index 7660366954..18d9ab2130 100644
+index 82c3afe250b0..ee1d8b5c2b9b 100644
 --- a/src/libssh2_priv.h
 +++ b/src/libssh2_priv.h
-@@ -736,6 +736,9 @@ struct _LIBSSH2_SESSION
+@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION
      /* key signing algorithm preferences -- NULL yields server order */
      char *sign_algo_prefs;
  
@@ -227,15 +229,15 @@ index 7660366954..18d9ab2130 100644
      /* (remote as source of data -- packet_read ) */
      libssh2_endpoint_data remote;
  
-@@ -908,6 +911,7 @@ struct _LIBSSH2_SESSION
+@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION
      int fullpacket_macstate;
      size_t fullpacket_payload_len;
      int fullpacket_packet_type;
 +    uint32_t fullpacket_required_type;
  
      /* State variables used in libssh2_sftp_init() */
      libssh2_nonblocking_states sftpInit_state;
-@@ -948,10 +952,11 @@ struct _LIBSSH2_SESSION
+@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION
  };
  
  /* session.state bits */
@@ -251,7 +253,7 @@ index 7660366954..18d9ab2130 100644
  
  /* session.flag helpers */
  #ifdef MSG_NOSIGNAL
-@@ -1182,6 +1187,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer,
+@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer,
  int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
                            key_exchange_state_t * state);
  
@@ -264,10 +266,10 @@ index 7660366954..18d9ab2130 100644
  const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void);
  const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void);
 diff --git a/src/packet.c b/src/packet.c
-index eccb8c56a8..6da14e9fa1 100644
+index b5b41981a108..35d4d39eff87 100644
 --- a/src/packet.c
 +++ b/src/packet.c
-@@ -624,14 +624,13 @@ packet_authagent_open(LIBSSH2_SESSION * session,
+@@ -605,14 +605,13 @@ authagent_exit:
   * layer when it has received a packet.
   *
   * The input pointer 'data' is pointing to allocated data that this function
@@ -284,7 +286,7 @@ index eccb8c56a8..6da14e9fa1 100644
  {
      int rc = 0;
      unsigned char *message = NULL;
-@@ -676,6 +675,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
          break;
      }
  
@@ -355,7 +357,7 @@ index eccb8c56a8..6da14e9fa1 100644
      if(session->packAdd_state == libssh2_NB_state_allocated) {
          /* A couple exceptions to the packet adding rule: */
          switch(msg) {
-@@ -1364,6 +1427,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type,
+@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type,
  
              return 0;
          }
@@ -371,7 +373,7 @@ index eccb8c56a8..6da14e9fa1 100644
          packet = _libssh2_list_next(&packet->node);
      }
      return -1;
-@@ -1425,7 +1497,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type,
+@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type,
      }
  
      while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) {
@@ -384,22 +386,22 @@ index eccb8c56a8..6da14e9fa1 100644
              return ret;
          else if(ret < 0) {
 diff --git a/src/packet.h b/src/packet.h
-index 1d90b8af12..955351e5f6 100644
+index 79018bcf1d55..6ea100a5cfb3 100644
 --- a/src/packet.h
 +++ b/src/packet.h
-@@ -72,6 +72,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session,
+@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session,
  int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data,
                            unsigned long data_len);
  int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
 -                        size_t datalen, int macstate);
 +                        size_t datalen, int macstate, uint32_t seq);
  
- #endif /* LIBSSH2_PACKET_H */
+ #endif /* __LIBSSH2_PACKET_H */
 diff --git a/src/session.c b/src/session.c
-index 35e7929fe7..9d89ade8ec 100644
+index a4d602bad002..f4bafb57b2a6 100644
 --- a/src/session.c
 +++ b/src/session.c
-@@ -469,6 +469,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
+@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
          session->abstract = abstract;
          session->api_timeout = 0; /* timeout-free API by default */
          session->api_block_mode = 1; /* blocking API by default */
@@ -408,7 +410,7 @@ index 35e7929fe7..9d89ade8ec 100644
          session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT;
          session->flag.quote_paths = 1; /* default behavior is to quote paths
                                            for the scp subsystem */
-@@ -1223,6 +1225,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason,
+@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason,
                                const char *desc, const char *lang)
  {
      int rc;
@@ -417,18 +419,18 @@ index 35e7929fe7..9d89ade8ec 100644
      BLOCK_ADJUST(rc, session,
                   session_disconnect(session, reason, desc, lang));
 diff --git a/src/transport.c b/src/transport.c
-index 21be9d2b80..a8bb588a4b 100644
+index 6d902d3372b4..3b30ff848726 100644
 --- a/src/transport.c
 +++ b/src/transport.c
-@@ -186,6 +186,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
      struct transportpacket *p = &session->packet;
      int rc;
      int compressed;
 +    uint32_t seq = session->remote.seqno;
  
      if(session->fullpacket_state == libssh2_NB_state_idle) {
          session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED;
-@@ -317,7 +318,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
      if(session->fullpacket_state == libssh2_NB_state_created) {
          rc = _libssh2_packet_add(session, p->payload,
                                   session->fullpacket_payload_len,
@@ -437,7 +439,7 @@ index 21be9d2b80..a8bb588a4b 100644
          if(rc == LIBSSH2_ERROR_EAGAIN)
              return rc;
          if(rc) {
-@@ -328,6 +329,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
  
      session->fullpacket_state = libssh2_NB_state_idle;
  
@@ -449,7 +451,7 @@ index 21be9d2b80..a8bb588a4b 100644
      return session->fullpacket_packet_type;
  }
  
-@@ -1093,6 +1099,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session,
+@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session,
  
      session->local.seqno++;
  
@@ -460,3 +462,6 @@ index 21be9d2b80..a8bb588a4b 100644
      ret = LIBSSH2_SEND(session, p->outbuf, total_length,
                         LIBSSH2_SOCKET_SEND_FLAGS(session));
      if(ret < 0)
+-- 
+2.43.0
+
