1 |
commit: 5b085b63dd4fd0a5ef43144ca3f23bb2cf88a4d1 |
2 |
Author: Craig Andrews <candrews <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Nov 2 16:46:01 2018 +0000 |
4 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Nov 2 19:50:53 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b085b63 |
7 |
|
8 |
sys-auth/pam_ssh_agent_auth: 0.10.3 version bump |
9 |
|
10 |
Include OpenSSL 1.1.1 support patch |
11 |
Add -9999 live ebuild |
12 |
Update metadata to reference github project site |
13 |
|
14 |
Closes: https://bugs.gentoo.org/669758 |
15 |
Signed-off-by: Craig Andrews <candrews <AT> gentoo.org> |
16 |
Package-Manager: Portage-2.3.51, Repoman-2.3.11 |
17 |
(cherry picked from commit 1bd6acd801306f1dadb54637f1e838c0c6dad6a5) |
18 |
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> |
19 |
|
20 |
sys-auth/pam_ssh_agent_auth/Manifest | 1 + |
21 |
.../pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch | 1244 ++++++++++++++++++++ |
22 |
sys-auth/pam_ssh_agent_auth/metadata.xml | 1 + |
23 |
.../pam_ssh_agent_auth-0.10.3.ebuild | 51 + |
24 |
.../pam_ssh_agent_auth-9999.ebuild | 48 + |
25 |
5 files changed, 1345 insertions(+) |
26 |
|
27 |
diff --git a/sys-auth/pam_ssh_agent_auth/Manifest b/sys-auth/pam_ssh_agent_auth/Manifest |
28 |
index 10e261a8104..1b1fdc46d1c 100644 |
29 |
--- a/sys-auth/pam_ssh_agent_auth/Manifest |
30 |
+++ b/sys-auth/pam_ssh_agent_auth/Manifest |
31 |
@@ -1,4 +1,5 @@ |
32 |
DIST pam_ssh_agent_auth-0.10.2.tar.bz2 246412 BLAKE2B 3adf2bcc76559733f997744c95c660c67010b124db6e811559625a2ad7cbc7339d43d22dd5144135ae36ab90fdeb3c80c887e3157241936ceeb6026c8aa298fe SHA512 b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38 |
33 |
+DIST pam_ssh_agent_auth-0.10.3.tar.bz2 1066393 BLAKE2B 07b113d05e09f770d63dbea813ea644199d2b103f9c6d7e5960bfad37cb181ce5a5f111f72e0274c0335e4c217ccd19bd53d61af23f8bc6aff14c1995fc4edc9 SHA512 d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66 |
34 |
DIST pam_ssh_agent_auth-0.9.2.tar.bz2 237156 BLAKE2B b9d09920e10b454ea739e44c38daba6a509fbd4a96f01e26a82e0a8c58b696806b1f3ea95d53c10b55ed01e5804dfb687dd4545b87d85fa4f6a474548c3666d5 SHA512 e710a4dff315c8d79c5d5edc4ebe1629a8fc6d09651813fd4792a2021e7c2d5768d6b7e8539801e31b947cc30817f32375d751fc396707fc4f257df4f33cd408 |
35 |
DIST pam_ssh_agent_auth-0.9.3.tar.bz2 239596 BLAKE2B 7be6af1c78457e082d34f5df406fccf74fbda48d1fe87be0592b927ea296b6db3cf1f9a58bcdd61c50556ffc53c16276dc87e5970d9caa0e51fb520e0473240b SHA512 c2304dcf623858339b5fd77bcf64e9c980a3ee241384b9125d64ba6ab9539a65eacbd3576b31a94bb390e4c089e702f9df2963119250b773bd8be872ae63a050 |
36 |
DIST pam_ssh_agent_auth-0.9.4.tar.bz2 239250 BLAKE2B fee1e009a5374126db0b0df9f05436521e215933ed2eabdcd1983e6372fc7160c6a6c53d07b9ddc7bdd8b9529a27c7da4ef35aad2c80ea1ef2f895f3fb237135 SHA512 3d469e85bf7c49dcf9345c63678ebe050db4d15447592bc337bfc762f2337f92cebd7e840fc12d7be94acf1aa47b0272efe2c1688888ecd8f9daf63549520792 |
37 |
|
38 |
diff --git a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch |
39 |
new file mode 100644 |
40 |
index 00000000000..a422cd5e479 |
41 |
--- /dev/null |
42 |
+++ b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch |
43 |
@@ -0,0 +1,1244 @@ |
44 |
+From eef90424a0545b7b0125dfaf5e3cef3c5248ada0 Mon Sep 17 00:00:00 2001 |
45 |
+From: Guido Falsi <mad@××××××××.net> |
46 |
+Date: Sat, 20 Oct 2018 14:29:43 +0200 |
47 |
+Subject: [PATCH 1/2] Adapt to OpenSSL 1.1.1. |
48 |
+ |
49 |
+The FreeBSD operating system is migrating to OpenSSL 1.1.1 and I have created this set of patches to make pam_ssh_agent_auth compile with it. |
50 |
+ |
51 |
+The patch comments out some parts of include files which are not actually used and reference now opaque OpenSSL internals. |
52 |
+ |
53 |
+I also have migrated the source files to use accessors to use the OpenSSL objects. |
54 |
+ |
55 |
+The patch works on FreeBSD head (will be 12.0) but the --without-openssl-header-check argument is required in configure there. |
56 |
+--- |
57 |
+ authfd.c | 50 ++++++++++++++++++++ |
58 |
+ bufbn.c | 4 ++ |
59 |
+ cipher.h | 6 ++- |
60 |
+ kex.h | 9 +++- |
61 |
+ key.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++-- |
62 |
+ ssh-dss.c | 51 ++++++++++++++++---- |
63 |
+ ssh-ecdsa.c | 40 ++++++++++++---- |
64 |
+ ssh-rsa.c | 22 +++++++-- |
65 |
+ 8 files changed, 287 insertions(+), 28 deletions(-) |
66 |
+ |
67 |
+diff --git a/authfd.c b/authfd.c |
68 |
+index 7b96921..35f8de1 100644 |
69 |
+--- a/authfd.c |
70 |
++++ b/authfd.c |
71 |
+@@ -372,6 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio |
72 |
+ case 1: |
73 |
+ key = pamsshagentauth_key_new(KEY_RSA1); |
74 |
+ bits = pamsshagentauth_buffer_get_int(&auth->identities); |
75 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
76 |
+ pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e); |
77 |
+ pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n); |
78 |
+ *comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL); |
79 |
+@@ -379,6 +380,15 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio |
80 |
+ if (keybits < 0 || bits != (u_int)keybits) |
81 |
+ pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u", |
82 |
+ BN_num_bits(key->rsa->n), bits); |
83 |
++#else |
84 |
++ pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_e(key->rsa)); |
85 |
++ pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_n(key->rsa)); |
86 |
++ *comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL); |
87 |
++ keybits = BN_num_bits(RSA_get0_n(key->rsa)); |
88 |
++ if (keybits < 0 || bits != (u_int)keybits) |
89 |
++ pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u", |
90 |
++ BN_num_bits(RSA_get0_n(key->rsa)), bits); |
91 |
++#endif |
92 |
+ break; |
93 |
+ case 2: |
94 |
+ blob = pamsshagentauth_buffer_get_string(&auth->identities, &blen); |
95 |
+@@ -422,9 +432,15 @@ ssh_decrypt_challenge(AuthenticationConnection *auth, |
96 |
+ } |
97 |
+ pamsshagentauth_buffer_init(&buffer); |
98 |
+ pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE); |
99 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
100 |
+ pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n)); |
101 |
+ pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e); |
102 |
+ pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n); |
103 |
++#else |
104 |
++ pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(RSA_get0_n(key->rsa))); |
105 |
++ pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_e(key->rsa)); |
106 |
++ pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_n(key->rsa)); |
107 |
++#endif |
108 |
+ pamsshagentauth_buffer_put_bignum(&buffer, challenge); |
109 |
+ pamsshagentauth_buffer_append(&buffer, session_id, 16); |
110 |
+ pamsshagentauth_buffer_put_int(&buffer, response_type); |
111 |
+@@ -501,6 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth, |
112 |
+ static void |
113 |
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) |
114 |
+ { |
115 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
116 |
+ pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n)); |
117 |
+ pamsshagentauth_buffer_put_bignum(b, key->n); |
118 |
+ pamsshagentauth_buffer_put_bignum(b, key->e); |
119 |
+@@ -509,6 +526,16 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) |
120 |
+ pamsshagentauth_buffer_put_bignum(b, key->iqmp); /* ssh key->u */ |
121 |
+ pamsshagentauth_buffer_put_bignum(b, key->q); /* ssh key->p, SSL key->q */ |
122 |
+ pamsshagentauth_buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */ |
123 |
++#else |
124 |
++ pamsshagentauth_buffer_put_int(b, BN_num_bits(RSA_get0_n(key))); |
125 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_n(key)); |
126 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_e(key)); |
127 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_d(key)); |
128 |
++ /* To keep within the protocol: p < q for ssh. in SSL p > q */ |
129 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_iqmp(key)); /* ssh key->u */ |
130 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_q(key)); /* ssh key->p, SSL key->q */ |
131 |
++ pamsshagentauth_buffer_put_bignum(b, RSA_get0_p(key)); /* ssh key->q, SSL key->p */ |
132 |
++#endif |
133 |
+ pamsshagentauth_buffer_put_cstring(b, comment); |
134 |
+ } |
135 |
+ |
136 |
+@@ -518,19 +545,36 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) |
137 |
+ pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key)); |
138 |
+ switch (key->type) { |
139 |
+ case KEY_RSA: |
140 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
141 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->n); |
142 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->e); |
143 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->d); |
144 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->iqmp); |
145 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->p); |
146 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->q); |
147 |
++#else |
148 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_n(key->rsa)); |
149 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_e(key->rsa)); |
150 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_d(key->rsa)); |
151 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_iqmp(key->rsa)); |
152 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_p(key->rsa)); |
153 |
++ pamsshagentauth_buffer_put_bignum2(b, RSA_get0_q(key->rsa)); |
154 |
++#endif |
155 |
+ break; |
156 |
+ case KEY_DSA: |
157 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
158 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->p); |
159 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->q); |
160 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->g); |
161 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->pub_key); |
162 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->priv_key); |
163 |
++#else |
164 |
++ pamsshagentauth_buffer_put_bignum2(b, DSA_get0_p(key->dsa)); |
165 |
++ pamsshagentauth_buffer_put_bignum2(b, DSA_get0_q(key->dsa)); |
166 |
++ pamsshagentauth_buffer_put_bignum2(b, DSA_get0_g(key->dsa)); |
167 |
++ pamsshagentauth_buffer_put_bignum2(b, DSA_get0_pub_key(key->dsa)); |
168 |
++ pamsshagentauth_buffer_put_bignum2(b, DSA_get0_priv_key(key->dsa)); |
169 |
++#endif |
170 |
+ break; |
171 |
+ } |
172 |
+ pamsshagentauth_buffer_put_cstring(b, comment); |
173 |
+@@ -610,9 +654,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) |
174 |
+ |
175 |
+ if (key->type == KEY_RSA1) { |
176 |
+ pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY); |
177 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
178 |
+ pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n)); |
179 |
+ pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e); |
180 |
+ pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n); |
181 |
++#else |
182 |
++ pamsshagentauth_buffer_put_int(&msg, BN_num_bits(RSA_get0_n(key->rsa))); |
183 |
++ pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_e(key->rsa)); |
184 |
++ pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_n(key->rsa)); |
185 |
++#endif |
186 |
+ } else if (key->type == KEY_DSA || key->type == KEY_RSA) { |
187 |
+ pamsshagentauth_key_to_blob(key, &blob, &blen); |
188 |
+ pamsshagentauth_buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); |
189 |
+diff --git a/bufbn.c b/bufbn.c |
190 |
+index 6a49c73..4ecedc1 100644 |
191 |
+--- a/bufbn.c |
192 |
++++ b/bufbn.c |
193 |
+@@ -151,7 +151,11 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) |
194 |
+ pamsshagentauth_buffer_put_int(buffer, 0); |
195 |
+ return 0; |
196 |
+ } |
197 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
198 |
+ if (value->neg) { |
199 |
++#else |
200 |
++ if (BN_is_negative(value)) { |
201 |
++#endif |
202 |
+ pamsshagentauth_logerror("buffer_put_bignum2_ret: negative numbers not supported"); |
203 |
+ return (-1); |
204 |
+ } |
205 |
+diff --git a/cipher.h b/cipher.h |
206 |
+index 49bbc16..64f59ca 100644 |
207 |
+--- a/cipher.h |
208 |
++++ b/cipher.h |
209 |
+@@ -59,15 +59,18 @@ |
210 |
+ #define CIPHER_DECRYPT 0 |
211 |
+ |
212 |
+ typedef struct Cipher Cipher; |
213 |
+-typedef struct CipherContext CipherContext; |
214 |
++// typedef struct CipherContext CipherContext; |
215 |
+ |
216 |
+ struct Cipher; |
217 |
++/* |
218 |
+ struct CipherContext { |
219 |
+ int plaintext; |
220 |
+ EVP_CIPHER_CTX evp; |
221 |
+ Cipher *cipher; |
222 |
+ }; |
223 |
++*/ |
224 |
+ |
225 |
++/* |
226 |
+ u_int cipher_mask_ssh1(int); |
227 |
+ Cipher *cipher_by_name(const char *); |
228 |
+ Cipher *cipher_by_number(int); |
229 |
+@@ -88,4 +91,5 @@ void cipher_set_keyiv(CipherContext *, u_char *); |
230 |
+ int cipher_get_keyiv_len(const CipherContext *); |
231 |
+ int cipher_get_keycontext(const CipherContext *, u_char *); |
232 |
+ void cipher_set_keycontext(CipherContext *, u_char *); |
233 |
++*/ |
234 |
+ #endif /* CIPHER_H */ |
235 |
+diff --git a/kex.h b/kex.h |
236 |
+index 8e29c90..81ca57d 100644 |
237 |
+--- a/kex.h |
238 |
++++ b/kex.h |
239 |
+@@ -70,7 +70,7 @@ enum kex_exchange { |
240 |
+ #define KEX_INIT_SENT 0x0001 |
241 |
+ |
242 |
+ typedef struct Kex Kex; |
243 |
+-typedef struct Mac Mac; |
244 |
++// typedef struct Mac Mac; |
245 |
+ typedef struct Comp Comp; |
246 |
+ typedef struct Enc Enc; |
247 |
+ typedef struct Newkeys Newkeys; |
248 |
+@@ -84,6 +84,7 @@ struct Enc { |
249 |
+ u_char *key; |
250 |
+ u_char *iv; |
251 |
+ }; |
252 |
++/* |
253 |
+ struct Mac { |
254 |
+ char *name; |
255 |
+ int enabled; |
256 |
+@@ -95,11 +96,13 @@ struct Mac { |
257 |
+ HMAC_CTX evp_ctx; |
258 |
+ struct umac_ctx *umac_ctx; |
259 |
+ }; |
260 |
++*/ |
261 |
+ struct Comp { |
262 |
+ int type; |
263 |
+ int enabled; |
264 |
+ char *name; |
265 |
+ }; |
266 |
++/* |
267 |
+ struct Newkeys { |
268 |
+ Enc enc; |
269 |
+ Mac mac; |
270 |
+@@ -126,7 +129,9 @@ struct Kex { |
271 |
+ int (*host_key_index)(Key *); |
272 |
+ void (*kex[KEX_MAX])(Kex *); |
273 |
+ }; |
274 |
++*/ |
275 |
+ |
276 |
++/* |
277 |
+ Kex *kex_setup(char *[PROPOSAL_MAX]); |
278 |
+ void kex_finish(Kex *); |
279 |
+ |
280 |
+@@ -152,6 +157,8 @@ kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, |
281 |
+ void |
282 |
+ derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); |
283 |
+ |
284 |
++*/ |
285 |
++ |
286 |
+ #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) |
287 |
+ void dump_digest(char *, u_char *, int); |
288 |
+ #endif |
289 |
+diff --git a/key.c b/key.c |
290 |
+index 107a442..aedbbb5 100644 |
291 |
+--- a/key.c |
292 |
++++ b/key.c |
293 |
+@@ -77,15 +77,21 @@ pamsshagentauth_key_new(int type) |
294 |
+ case KEY_RSA: |
295 |
+ if ((rsa = RSA_new()) == NULL) |
296 |
+ pamsshagentauth_fatal("key_new: RSA_new failed"); |
297 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
298 |
+ if ((rsa->n = BN_new()) == NULL) |
299 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
300 |
+ if ((rsa->e = BN_new()) == NULL) |
301 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
302 |
++#else |
303 |
++ if (RSA_set0_key(rsa, BN_new(), BN_new(), NULL) != 1) |
304 |
++ pamsshagentauth_fatal("key_new: RSA_set0_key failed"); |
305 |
++#endif |
306 |
+ k->rsa = rsa; |
307 |
+ break; |
308 |
+ case KEY_DSA: |
309 |
+ if ((dsa = DSA_new()) == NULL) |
310 |
+ pamsshagentauth_fatal("key_new: DSA_new failed"); |
311 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
312 |
+ if ((dsa->p = BN_new()) == NULL) |
313 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
314 |
+ if ((dsa->q = BN_new()) == NULL) |
315 |
+@@ -94,6 +100,12 @@ pamsshagentauth_key_new(int type) |
316 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
317 |
+ if ((dsa->pub_key = BN_new()) == NULL) |
318 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
319 |
++#else |
320 |
++ if (DSA_set0_pqg(dsa, BN_new(), BN_new(), BN_new()) != 1) |
321 |
++ pamsshagentauth_fatal("key_new: DSA_set0_pqg failed"); |
322 |
++ if (DSA_set0_key(dsa, BN_new(), NULL) != 1) |
323 |
++ pamsshagentauth_fatal("key_new: DSA_set0_key failed"); |
324 |
++#endif |
325 |
+ k->dsa = dsa; |
326 |
+ break; |
327 |
+ case KEY_ECDSA: |
328 |
+@@ -118,6 +130,7 @@ pamsshagentauth_key_new_private(int type) |
329 |
+ switch (k->type) { |
330 |
+ case KEY_RSA1: |
331 |
+ case KEY_RSA: |
332 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
333 |
+ if ((k->rsa->d = BN_new()) == NULL) |
334 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
335 |
+ if ((k->rsa->iqmp = BN_new()) == NULL) |
336 |
+@@ -130,14 +143,30 @@ pamsshagentauth_key_new_private(int type) |
337 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
338 |
+ if ((k->rsa->dmp1 = BN_new()) == NULL) |
339 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
340 |
++#else |
341 |
++ if (RSA_set0_key(k->rsa, NULL, NULL, BN_new()) != 1) |
342 |
++ pamsshagentauth_fatal("key_new: RSA_set0_key failed"); |
343 |
++ if (RSA_set0_crt_params(k->rsa, BN_new(), BN_new(), BN_new()) != 1) |
344 |
++ pamsshagentauth_fatal("key_new: RSA_set0_crt_params failed"); |
345 |
++ if (RSA_set0_factors(k->rsa, BN_new(), BN_new()) != 1) |
346 |
++ pamsshagentauth_fatal("key_new: RSA_set0_factors failed"); |
347 |
++#endif |
348 |
+ break; |
349 |
+ case KEY_DSA: |
350 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
351 |
+ if ((k->dsa->priv_key = BN_new()) == NULL) |
352 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
353 |
++#else |
354 |
++ if (DSA_set0_key(k->dsa, NULL, BN_new()) != 1) |
355 |
++ pamsshagentauth_fatal("key_new_private: DSA_set0_key failed"); |
356 |
++#endif |
357 |
+ break; |
358 |
+ case KEY_ECDSA: |
359 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
360 |
+ if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1) |
361 |
+ pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed"); |
362 |
++#else |
363 |
++#endif |
364 |
+ break; |
365 |
+ case KEY_ED25519: |
366 |
+ RAND_bytes(k->ed25519->sk, sizeof(k->ed25519->sk)); |
367 |
+@@ -195,14 +224,26 @@ pamsshagentauth_key_equal(const Key *a, const Key *b) |
368 |
+ case KEY_RSA1: |
369 |
+ case KEY_RSA: |
370 |
+ return a->rsa != NULL && b->rsa != NULL && |
371 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
372 |
+ BN_cmp(a->rsa->e, b->rsa->e) == 0 && |
373 |
+ BN_cmp(a->rsa->n, b->rsa->n) == 0; |
374 |
++#else |
375 |
++ BN_cmp(RSA_get0_e(a->rsa), RSA_get0_e(b->rsa)) == 0 && |
376 |
++ BN_cmp(RSA_get0_n(a->rsa), RSA_get0_n(b->rsa)) == 0; |
377 |
++#endif |
378 |
+ case KEY_DSA: |
379 |
+ return a->dsa != NULL && b->dsa != NULL && |
380 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
381 |
+ BN_cmp(a->dsa->p, b->dsa->p) == 0 && |
382 |
+ BN_cmp(a->dsa->q, b->dsa->q) == 0 && |
383 |
+ BN_cmp(a->dsa->g, b->dsa->g) == 0 && |
384 |
+ BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; |
385 |
++#else |
386 |
++ BN_cmp(DSA_get0_p(a->dsa), DSA_get0_p(b->dsa)) == 0 && |
387 |
++ BN_cmp(DSA_get0_q(a->dsa), DSA_get0_q(b->dsa)) == 0 && |
388 |
++ BN_cmp(DSA_get0_g(a->dsa), DSA_get0_g(b->dsa)) == 0 && |
389 |
++ BN_cmp(DSA_get0_pub_key(a->dsa), DSA_get0_pub_key(b->dsa)) == 0; |
390 |
++#endif |
391 |
+ case KEY_ECDSA: |
392 |
+ return a->ecdsa != NULL && b->ecdsa != NULL && |
393 |
+ EC_KEY_check_key(a->ecdsa) == 1 && |
394 |
+@@ -231,7 +272,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
395 |
+ u_int *dgst_raw_length) |
396 |
+ { |
397 |
+ const EVP_MD *md = NULL; |
398 |
+- EVP_MD_CTX ctx; |
399 |
++ EVP_MD_CTX *ctx; |
400 |
+ u_char *blob = NULL; |
401 |
+ u_char *retval = NULL; |
402 |
+ u_int len = 0; |
403 |
+@@ -252,12 +293,21 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
404 |
+ } |
405 |
+ switch (k->type) { |
406 |
+ case KEY_RSA1: |
407 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
408 |
+ nlen = BN_num_bytes(k->rsa->n); |
409 |
+ elen = BN_num_bytes(k->rsa->e); |
410 |
+ len = nlen + elen; |
411 |
+ blob = pamsshagentauth_xmalloc(len); |
412 |
+ BN_bn2bin(k->rsa->n, blob); |
413 |
+ BN_bn2bin(k->rsa->e, blob + nlen); |
414 |
++#else |
415 |
++ nlen = BN_num_bytes(RSA_get0_n(k->rsa)); |
416 |
++ elen = BN_num_bytes(RSA_get0_e(k->rsa)); |
417 |
++ len = nlen + elen; |
418 |
++ blob = pamsshagentauth_xmalloc(len); |
419 |
++ BN_bn2bin(RSA_get0_n(k->rsa), blob); |
420 |
++ BN_bn2bin(RSA_get0_e(k->rsa), blob + nlen); |
421 |
++#endif |
422 |
+ break; |
423 |
+ case KEY_DSA: |
424 |
+ case KEY_ECDSA: |
425 |
+@@ -273,11 +323,14 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
426 |
+ } |
427 |
+ if (blob != NULL) { |
428 |
+ retval = pamsshagentauth_xmalloc(EVP_MAX_MD_SIZE); |
429 |
+- EVP_DigestInit(&ctx, md); |
430 |
+- EVP_DigestUpdate(&ctx, blob, len); |
431 |
+- EVP_DigestFinal(&ctx, retval, dgst_raw_length); |
432 |
++ /* XXX Errors from EVP_* functions are not hadled */ |
433 |
++ ctx = EVP_MD_CTX_create(); |
434 |
++ EVP_DigestInit(ctx, md); |
435 |
++ EVP_DigestUpdate(ctx, blob, len); |
436 |
++ EVP_DigestFinal(ctx, retval, dgst_raw_length); |
437 |
+ memset(blob, 0, len); |
438 |
+ pamsshagentauth_xfree(blob); |
439 |
++ EVP_MD_CTX_destroy(ctx); |
440 |
+ } else { |
441 |
+ pamsshagentauth_fatal("key_fingerprint_raw: blob is null"); |
442 |
+ } |
443 |
+@@ -457,10 +510,17 @@ pamsshagentauth_key_read(Key *ret, char **cpp) |
444 |
+ return -1; |
445 |
+ *cpp = cp; |
446 |
+ /* Get public exponent, public modulus. */ |
447 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
448 |
+ if (!read_bignum(cpp, ret->rsa->e)) |
449 |
+ return -1; |
450 |
+ if (!read_bignum(cpp, ret->rsa->n)) |
451 |
+ return -1; |
452 |
++#else |
453 |
++ if (!read_bignum(cpp, RSA_get0_e(ret->rsa))) |
454 |
++ return -1; |
455 |
++ if (!read_bignum(cpp, RSA_get0_n(ret->rsa))) |
456 |
++ return -1; |
457 |
++#endif |
458 |
+ success = 1; |
459 |
+ break; |
460 |
+ case KEY_UNSPEC: |
461 |
+@@ -583,10 +643,17 @@ pamsshagentauth_key_write(const Key *key, FILE *f) |
462 |
+ |
463 |
+ if (key->type == KEY_RSA1 && key->rsa != NULL) { |
464 |
+ /* size of modulus 'n' */ |
465 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
466 |
+ bits = BN_num_bits(key->rsa->n); |
467 |
+ fprintf(f, "%u", bits); |
468 |
+ if (write_bignum(f, key->rsa->e) && |
469 |
+ write_bignum(f, key->rsa->n)) { |
470 |
++#else |
471 |
++ bits = BN_num_bits(RSA_get0_n(key->rsa)); |
472 |
++ fprintf(f, "%u", bits); |
473 |
++ if (write_bignum(f, RSA_get0_e(key->rsa)) && |
474 |
++ write_bignum(f, RSA_get0_n(key->rsa))) { |
475 |
++#endif |
476 |
+ success = 1; |
477 |
+ } else { |
478 |
+ pamsshagentauth_logerror("key_write: failed for RSA key"); |
479 |
+@@ -675,10 +742,17 @@ pamsshagentauth_key_size(const Key *k) |
480 |
+ { |
481 |
+ switch (k->type) { |
482 |
+ case KEY_RSA1: |
483 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
484 |
+ case KEY_RSA: |
485 |
+ return BN_num_bits(k->rsa->n); |
486 |
+ case KEY_DSA: |
487 |
+ return BN_num_bits(k->dsa->p); |
488 |
++#else |
489 |
++ case KEY_RSA: |
490 |
++ return BN_num_bits(RSA_get0_n(k->rsa)); |
491 |
++ case KEY_DSA: |
492 |
++ return BN_num_bits(DSA_get0_p(k->dsa)); |
493 |
++#endif |
494 |
+ case KEY_ECDSA: |
495 |
+ { |
496 |
+ int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(k->ecdsa)); |
497 |
+@@ -769,17 +843,29 @@ pamsshagentauth_key_from_private(const Key *k) |
498 |
+ switch (k->type) { |
499 |
+ case KEY_DSA: |
500 |
+ n = pamsshagentauth_key_new(k->type); |
501 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
502 |
+ if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || |
503 |
+ (BN_copy(n->dsa->q, k->dsa->q) == NULL) || |
504 |
+ (BN_copy(n->dsa->g, k->dsa->g) == NULL) || |
505 |
+ (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) |
506 |
++#else |
507 |
++ if ((BN_copy(DSA_get0_p(n->dsa), DSA_get0_p(k->dsa)) == NULL) || |
508 |
++ (BN_copy(DSA_get0_q(n->dsa), DSA_get0_q(k->dsa)) == NULL) || |
509 |
++ (BN_copy(DSA_get0_g(n->dsa), DSA_get0_g(k->dsa)) == NULL) || |
510 |
++ (BN_copy(DSA_get0_pub_key(n->dsa), DSA_get0_pub_key(k->dsa)) == NULL)) |
511 |
++#endif |
512 |
+ pamsshagentauth_fatal("key_from_private: BN_copy failed"); |
513 |
+ break; |
514 |
+ case KEY_RSA: |
515 |
+ case KEY_RSA1: |
516 |
+ n = pamsshagentauth_key_new(k->type); |
517 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
518 |
+ if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || |
519 |
+ (BN_copy(n->rsa->e, k->rsa->e) == NULL)) |
520 |
++#else |
521 |
++ if ((BN_copy(RSA_get0_n(n->rsa), RSA_get0_n(k->rsa)) == NULL) || |
522 |
++ (BN_copy(RSA_get0_e(n->rsa), RSA_get0_e(k->rsa)) == NULL)) |
523 |
++#endif |
524 |
+ pamsshagentauth_fatal("key_from_private: BN_copy failed"); |
525 |
+ break; |
526 |
+ case KEY_ECDSA: |
527 |
+@@ -881,8 +967,13 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen) |
528 |
+ switch (type) { |
529 |
+ case KEY_RSA: |
530 |
+ key = pamsshagentauth_key_new(type); |
531 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
532 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || |
533 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { |
534 |
++#else |
535 |
++ if (pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_e(key->rsa)) == -1 || |
536 |
++ pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_n(key->rsa)) == -1) { |
537 |
++#endif |
538 |
+ pamsshagentauth_logerror("key_from_blob: can't read rsa key"); |
539 |
+ pamsshagentauth_key_free(key); |
540 |
+ key = NULL; |
541 |
+@@ -894,10 +985,17 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen) |
542 |
+ break; |
543 |
+ case KEY_DSA: |
544 |
+ key = pamsshagentauth_key_new(type); |
545 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
546 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || |
547 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || |
548 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || |
549 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { |
550 |
++#else |
551 |
++ if (pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_p(key->dsa)) == -1 || |
552 |
++ pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_q(key->dsa)) == -1 || |
553 |
++ pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_g(key->dsa)) == -1 || |
554 |
++ pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_pub_key(key->dsa)) == -1) { |
555 |
++#endif |
556 |
+ pamsshagentauth_logerror("key_from_blob: can't read dsa key"); |
557 |
+ pamsshagentauth_key_free(key); |
558 |
+ key = NULL; |
559 |
+@@ -1015,6 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp) |
560 |
+ } |
561 |
+ pamsshagentauth_buffer_init(&b); |
562 |
+ switch (key->type) { |
563 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
564 |
+ case KEY_DSA: |
565 |
+ pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key)); |
566 |
+ pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p); |
567 |
+@@ -1027,6 +1126,20 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp) |
568 |
+ pamsshagentauth_buffer_put_bignum2(&b, key->rsa->e); |
569 |
+ pamsshagentauth_buffer_put_bignum2(&b, key->rsa->n); |
570 |
+ break; |
571 |
++#else |
572 |
++ case KEY_DSA: |
573 |
++ pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key)); |
574 |
++ pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_p(key->dsa)); |
575 |
++ pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_q(key->dsa)); |
576 |
++ pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_g(key->dsa)); |
577 |
++ pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_pub_key(key->dsa)); |
578 |
++ break; |
579 |
++ case KEY_RSA: |
580 |
++ pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key)); |
581 |
++ pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_e(key->rsa)); |
582 |
++ pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_n(key->rsa)); |
583 |
++ break; |
584 |
++#endif |
585 |
+ case KEY_ECDSA: |
586 |
+ { |
587 |
+ size_t l = 0; |
588 |
+@@ -1138,14 +1251,20 @@ pamsshagentauth_key_demote(const Key *k) |
589 |
+ case KEY_RSA: |
590 |
+ if ((pk->rsa = RSA_new()) == NULL) |
591 |
+ pamsshagentauth_fatal("key_demote: RSA_new failed"); |
592 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
593 |
+ if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) |
594 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
595 |
+ if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) |
596 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
597 |
++#else |
598 |
++ if (RSA_set0_key(pk->rsa, BN_dup(RSA_get0_n(k->rsa)), BN_dup(RSA_get0_e(k->rsa)), NULL) != 1) |
599 |
++ pamsshagentauth_fatal("key_demote: RSA_set0_key failed"); |
600 |
++#endif |
601 |
+ break; |
602 |
+ case KEY_DSA: |
603 |
+ if ((pk->dsa = DSA_new()) == NULL) |
604 |
+ pamsshagentauth_fatal("key_demote: DSA_new failed"); |
605 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
606 |
+ if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) |
607 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
608 |
+ if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) |
609 |
+@@ -1154,6 +1273,12 @@ pamsshagentauth_key_demote(const Key *k) |
610 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
611 |
+ if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) |
612 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
613 |
++#else |
614 |
++ if (DSA_set0_pqg(pk->dsa, BN_dup(DSA_get0_p(k->dsa)), BN_dup(DSA_get0_q(k->dsa)), BN_dup(DSA_get0_g(k->dsa))) != 1) |
615 |
++ pamsshagentauth_fatal("key_demote: DSA_set0_pqg failed"); |
616 |
++ if (DSA_set0_key(pk->dsa, BN_dup(DSA_get0_pub_key(k->dsa)), NULL) != 1) |
617 |
++ pamsshagentauth_fatal("key_demote: DSA_set0_key failed"); |
618 |
++#endif |
619 |
+ break; |
620 |
+ case KEY_ECDSA: |
621 |
+ pamsshagentauth_fatal("key_demote: implement me"); |
622 |
+diff --git a/ssh-dss.c b/ssh-dss.c |
623 |
+index 9fdaa5d..1051ae2 100644 |
624 |
+--- a/ssh-dss.c |
625 |
++++ b/ssh-dss.c |
626 |
+@@ -48,37 +48,53 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, |
627 |
+ { |
628 |
+ DSA_SIG *sig; |
629 |
+ const EVP_MD *evp_md = EVP_sha1(); |
630 |
+- EVP_MD_CTX md; |
631 |
++ EVP_MD_CTX *md; |
632 |
+ u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN]; |
633 |
+ u_int rlen, slen, len, dlen; |
634 |
+ Buffer b; |
635 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
636 |
++ const BIGNUM *r, *s; |
637 |
++#endif |
638 |
+ |
639 |
+ if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) { |
640 |
+ pamsshagentauth_logerror("ssh_dss_sign: no DSA key"); |
641 |
+ return -1; |
642 |
+ } |
643 |
+- EVP_DigestInit(&md, evp_md); |
644 |
+- EVP_DigestUpdate(&md, data, datalen); |
645 |
+- EVP_DigestFinal(&md, digest, &dlen); |
646 |
++ md = EVP_MD_CTX_create(); |
647 |
++ EVP_DigestInit(md, evp_md); |
648 |
++ EVP_DigestUpdate(md, data, datalen); |
649 |
++ EVP_DigestFinal(md, digest, &dlen); |
650 |
+ |
651 |
+ sig = DSA_do_sign(digest, dlen, key->dsa); |
652 |
+ memset(digest, 'd', sizeof(digest)); |
653 |
++ EVP_MD_CTX_destroy(md); |
654 |
+ |
655 |
+ if (sig == NULL) { |
656 |
+ pamsshagentauth_logerror("ssh_dss_sign: sign failed"); |
657 |
+ return -1; |
658 |
+ } |
659 |
+ |
660 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
661 |
+ rlen = BN_num_bytes(sig->r); |
662 |
+ slen = BN_num_bytes(sig->s); |
663 |
++#else |
664 |
++ DSA_SIG_get0((const DSA_SIG *)sig, (const BIGNUM **)r, (const BIGNUM **)s); |
665 |
++ rlen = BN_num_bytes(r); |
666 |
++ slen = BN_num_bytes(s); |
667 |
++#endif |
668 |
+ if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) { |
669 |
+ pamsshagentauth_logerror("bad sig size %u %u", rlen, slen); |
670 |
+ DSA_SIG_free(sig); |
671 |
+ return -1; |
672 |
+ } |
673 |
+ memset(sigblob, 0, SIGBLOB_LEN); |
674 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
675 |
+ BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen); |
676 |
+ BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen); |
677 |
++#else |
678 |
++ BN_bn2bin(r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen); |
679 |
++ BN_bn2bin(s, sigblob+ SIGBLOB_LEN - slen); |
680 |
++#endif |
681 |
+ DSA_SIG_free(sig); |
682 |
+ |
683 |
+ if (datafellows & SSH_BUG_SIGBLOB) { |
684 |
+@@ -110,11 +126,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, |
685 |
+ { |
686 |
+ DSA_SIG *sig; |
687 |
+ const EVP_MD *evp_md = EVP_sha1(); |
688 |
+- EVP_MD_CTX md; |
689 |
++ EVP_MD_CTX *md; |
690 |
+ u_char digest[EVP_MAX_MD_SIZE], *sigblob; |
691 |
+ u_int len, dlen; |
692 |
+ int rlen, ret; |
693 |
+ Buffer b; |
694 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
695 |
++ BIGNUM *r, *s; |
696 |
++#endif |
697 |
+ |
698 |
+ if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) { |
699 |
+ pamsshagentauth_logerror("ssh_dss_verify: no DSA key"); |
700 |
+@@ -157,6 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, |
701 |
+ /* parse signature */ |
702 |
+ if ((sig = DSA_SIG_new()) == NULL) |
703 |
+ pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed"); |
704 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
705 |
+ if ((sig->r = BN_new()) == NULL) |
706 |
+ pamsshagentauth_fatal("ssh_dss_verify: BN_new failed"); |
707 |
+ if ((sig->s = BN_new()) == NULL) |
708 |
+@@ -164,18 +184,33 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, |
709 |
+ if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || |
710 |
+ (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) |
711 |
+ pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed"); |
712 |
++#else |
713 |
++ if ((r = BN_new()) == NULL) |
714 |
++ pamsshagentauth_fatal("ssh_dss_verify: BN_new failed"); |
715 |
++ if ((s = BN_new()) == NULL) |
716 |
++ pamsshagentauth_fatal("ssh_dss_verify: BN_new failed"); |
717 |
++ if (DSA_SIG_set0(sig, r, s) != 1) |
718 |
++ pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed"); |
719 |
++ if ((BN_bin2bn(sigblob, INTBLOB_LEN, r) == NULL) || |
720 |
++ (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, s) == NULL)) |
721 |
++ pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed"); |
722 |
++ if (DSA_SIG_set0(sig, r, s) != 1) |
723 |
++ pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed"); |
724 |
++#endif |
725 |
+ |
726 |
+ /* clean up */ |
727 |
+ memset(sigblob, 0, len); |
728 |
+ pamsshagentauth_xfree(sigblob); |
729 |
+ |
730 |
+ /* sha1 the data */ |
731 |
+- EVP_DigestInit(&md, evp_md); |
732 |
+- EVP_DigestUpdate(&md, data, datalen); |
733 |
+- EVP_DigestFinal(&md, digest, &dlen); |
734 |
++ md = EVP_MD_CTX_create(); |
735 |
++ EVP_DigestInit(md, evp_md); |
736 |
++ EVP_DigestUpdate(md, data, datalen); |
737 |
++ EVP_DigestFinal(md, digest, &dlen); |
738 |
+ |
739 |
+ ret = DSA_do_verify(digest, dlen, sig, key->dsa); |
740 |
+ memset(digest, 'd', sizeof(digest)); |
741 |
++ EVP_MD_CTX_destroy(md); |
742 |
+ |
743 |
+ DSA_SIG_free(sig); |
744 |
+ |
745 |
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c |
746 |
+index efa0f3d..c213959 100644 |
747 |
+--- a/ssh-ecdsa.c |
748 |
++++ b/ssh-ecdsa.c |
749 |
+@@ -41,22 +41,27 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
750 |
+ { |
751 |
+ ECDSA_SIG *sig; |
752 |
+ const EVP_MD *evp_md = evp_from_key(key); |
753 |
+- EVP_MD_CTX md; |
754 |
++ EVP_MD_CTX *md; |
755 |
+ u_char digest[EVP_MAX_MD_SIZE]; |
756 |
+ u_int len, dlen; |
757 |
+ Buffer b, bb; |
758 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
759 |
++ BIGNUM *r, *s; |
760 |
++#endif |
761 |
+ |
762 |
+ if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) { |
763 |
+ pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key"); |
764 |
+ return -1; |
765 |
+ } |
766 |
+ |
767 |
+- EVP_DigestInit(&md, evp_md); |
768 |
+- EVP_DigestUpdate(&md, data, datalen); |
769 |
+- EVP_DigestFinal(&md, digest, &dlen); |
770 |
++ md = EVP_MD_CTX_create(); |
771 |
++ EVP_DigestInit(md, evp_md); |
772 |
++ EVP_DigestUpdate(md, data, datalen); |
773 |
++ EVP_DigestFinal(md, digest, &dlen); |
774 |
+ |
775 |
+ sig = ECDSA_do_sign(digest, dlen, key->ecdsa); |
776 |
+ memset(digest, 'd', sizeof(digest)); |
777 |
++ EVP_MD_CTX_destroy(md); |
778 |
+ |
779 |
+ if (sig == NULL) { |
780 |
+ pamsshagentauth_logerror("ssh_ecdsa_sign: sign failed"); |
781 |
+@@ -64,8 +69,14 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
782 |
+ } |
783 |
+ |
784 |
+ pamsshagentauth_buffer_init(&bb); |
785 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
786 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 || |
787 |
+ pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) { |
788 |
++#else |
789 |
++ DSA_SIG_get0(sig, &r, &s); |
790 |
++ if (pamsshagentauth_buffer_get_bignum2_ret(&bb, r) == -1 || |
791 |
++ pamsshagentauth_buffer_get_bignum2_ret(&bb, s) == -1) { |
792 |
++#endif |
793 |
+ pamsshagentauth_logerror("couldn't serialize signature"); |
794 |
+ ECDSA_SIG_free(sig); |
795 |
+ return -1; |
796 |
+@@ -94,11 +105,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
797 |
+ { |
798 |
+ ECDSA_SIG *sig; |
799 |
+ const EVP_MD *evp_md = evp_from_key(key); |
800 |
+- EVP_MD_CTX md; |
801 |
++ EVP_MD_CTX *md; |
802 |
+ u_char digest[EVP_MAX_MD_SIZE], *sigblob; |
803 |
+ u_int len, dlen; |
804 |
+ int rlen, ret; |
805 |
+ Buffer b; |
806 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
807 |
++ BIGNUM *r, *s; |
808 |
++#endif |
809 |
+ |
810 |
+ if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) { |
811 |
+ pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key"); |
812 |
+@@ -127,8 +141,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
813 |
+ |
814 |
+ pamsshagentauth_buffer_init(&b); |
815 |
+ pamsshagentauth_buffer_append(&b, sigblob, len); |
816 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
817 |
+ if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) || |
818 |
+ (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1)) |
819 |
++#else |
820 |
++ DSA_SIG_get0(sig, &r, &s); |
821 |
++ if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) || |
822 |
++ (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1)) |
823 |
++#endif |
824 |
+ pamsshagentauth_fatal("ssh_ecdsa_verify:" |
825 |
+ "pamsshagentauth_buffer_get_bignum2_ret failed"); |
826 |
+ |
827 |
+@@ -137,16 +157,18 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
828 |
+ pamsshagentauth_xfree(sigblob); |
829 |
+ |
830 |
+ /* sha256 the data */ |
831 |
+- EVP_DigestInit(&md, evp_md); |
832 |
+- EVP_DigestUpdate(&md, data, datalen); |
833 |
+- EVP_DigestFinal(&md, digest, &dlen); |
834 |
++ md = EVP_MD_CTX_create(); |
835 |
++ EVP_DigestInit(md, evp_md); |
836 |
++ EVP_DigestUpdate(md, data, datalen); |
837 |
++ EVP_DigestFinal(md, digest, &dlen); |
838 |
+ |
839 |
+ ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa); |
840 |
+ memset(digest, 'd', sizeof(digest)); |
841 |
++ EVP_MD_CTX_destroy(md); |
842 |
+ |
843 |
+ ECDSA_SIG_free(sig); |
844 |
+ |
845 |
+ pamsshagentauth_verbose("ssh_ecdsa_verify: signature %s", |
846 |
+ ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); |
847 |
+ return ret; |
848 |
+-} |
849 |
+\ No newline at end of file |
850 |
++} |
851 |
+diff --git a/ssh-rsa.c b/ssh-rsa.c |
852 |
+index d05844b..9d74eb6 100644 |
853 |
+--- a/ssh-rsa.c |
854 |
++++ b/ssh-rsa.c |
855 |
+@@ -40,7 +40,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
856 |
+ const u_char *data, u_int datalen) |
857 |
+ { |
858 |
+ const EVP_MD *evp_md; |
859 |
+- EVP_MD_CTX md; |
860 |
++ EVP_MD_CTX *md; |
861 |
+ u_char digest[EVP_MAX_MD_SIZE], *sig; |
862 |
+ u_int slen, dlen, len; |
863 |
+ int ok, nid; |
864 |
+@@ -55,6 +55,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
865 |
+ pamsshagentauth_logerror("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); |
866 |
+ return -1; |
867 |
+ } |
868 |
++ md = EVP_MD_CTX_create(); |
869 |
+ EVP_DigestInit(&md, evp_md); |
870 |
+ EVP_DigestUpdate(&md, data, datalen); |
871 |
+ EVP_DigestFinal(&md, digest, &dlen); |
872 |
+@@ -64,6 +65,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
873 |
+ |
874 |
+ ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); |
875 |
+ memset(digest, 'd', sizeof(digest)); |
876 |
++ EVP_MD_CTX_destroy(md); |
877 |
+ |
878 |
+ if (ok != 1) { |
879 |
+ int ecode = ERR_get_error(); |
880 |
+@@ -107,7 +109,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
881 |
+ { |
882 |
+ Buffer b; |
883 |
+ const EVP_MD *evp_md; |
884 |
+- EVP_MD_CTX md; |
885 |
++ EVP_MD_CTX *md; |
886 |
+ char *ktype; |
887 |
+ u_char digest[EVP_MAX_MD_SIZE], *sigblob; |
888 |
+ u_int len, dlen, modlen; |
889 |
+@@ -117,9 +119,17 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
890 |
+ pamsshagentauth_logerror("ssh_rsa_verify: no RSA key"); |
891 |
+ return -1; |
892 |
+ } |
893 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
894 |
+ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { |
895 |
++#else |
896 |
++ if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) { |
897 |
++#endif |
898 |
+ pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits", |
899 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
900 |
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); |
901 |
++#else |
902 |
++ BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE); |
903 |
++#endif |
904 |
+ return -1; |
905 |
+ } |
906 |
+ pamsshagentauth_buffer_init(&b); |
907 |
+@@ -161,12 +171,14 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
908 |
+ pamsshagentauth_xfree(sigblob); |
909 |
+ return -1; |
910 |
+ } |
911 |
+- EVP_DigestInit(&md, evp_md); |
912 |
+- EVP_DigestUpdate(&md, data, datalen); |
913 |
+- EVP_DigestFinal(&md, digest, &dlen); |
914 |
++ md = EVP_MD_CTX_create(); |
915 |
++ EVP_DigestInit(md, evp_md); |
916 |
++ EVP_DigestUpdate(md, data, datalen); |
917 |
++ EVP_DigestFinal(md, digest, &dlen); |
918 |
+ |
919 |
+ ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); |
920 |
+ memset(digest, 'd', sizeof(digest)); |
921 |
++ EVP_MD_CTX_destroy(md); |
922 |
+ memset(sigblob, 's', len); |
923 |
+ pamsshagentauth_xfree(sigblob); |
924 |
+ pamsshagentauth_verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); |
925 |
+ |
926 |
+From 4dc87369134f215378042ec4d971a4fe48d1a02b Mon Sep 17 00:00:00 2001 |
927 |
+From: Guido Falsi <mad@××××××××.net> |
928 |
+Date: Wed, 24 Oct 2018 20:36:15 +0200 |
929 |
+Subject: [PATCH 2/2] Check against the correct OPENSSL_VERSION_NUMBER |
930 |
+ |
931 |
+Alexey Dokuchaev (a fellow FreeBSD developer) pointed out to me the opaque structures were introduced in 1.1.0-pre |
932 |
+5, so the correct OPENSSL_VERSION_NUMBER to discriminate is 0x10100005L. |
933 |
+--- |
934 |
+ authfd.c | 12 ++++++------ |
935 |
+ bufbn.c | 2 +- |
936 |
+ key.c | 36 ++++++++++++++++++------------------ |
937 |
+ ssh-dss.c | 10 +++++----- |
938 |
+ ssh-ecdsa.c | 8 ++++---- |
939 |
+ ssh-rsa.c | 4 ++-- |
940 |
+ 6 files changed, 36 insertions(+), 36 deletions(-) |
941 |
+ |
942 |
+diff --git a/authfd.c b/authfd.c |
943 |
+index 35f8de1..01d1d89 100644 |
944 |
+--- a/authfd.c |
945 |
++++ b/authfd.c |
946 |
+@@ -372,7 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio |
947 |
+ case 1: |
948 |
+ key = pamsshagentauth_key_new(KEY_RSA1); |
949 |
+ bits = pamsshagentauth_buffer_get_int(&auth->identities); |
950 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
951 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
952 |
+ pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e); |
953 |
+ pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n); |
954 |
+ *comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL); |
955 |
+@@ -432,7 +432,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth, |
956 |
+ } |
957 |
+ pamsshagentauth_buffer_init(&buffer); |
958 |
+ pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE); |
959 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
960 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
961 |
+ pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n)); |
962 |
+ pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e); |
963 |
+ pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n); |
964 |
+@@ -517,7 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth, |
965 |
+ static void |
966 |
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) |
967 |
+ { |
968 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
969 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
970 |
+ pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n)); |
971 |
+ pamsshagentauth_buffer_put_bignum(b, key->n); |
972 |
+ pamsshagentauth_buffer_put_bignum(b, key->e); |
973 |
+@@ -545,7 +545,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) |
974 |
+ pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key)); |
975 |
+ switch (key->type) { |
976 |
+ case KEY_RSA: |
977 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
978 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
979 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->n); |
980 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->e); |
981 |
+ pamsshagentauth_buffer_put_bignum2(b, key->rsa->d); |
982 |
+@@ -562,7 +562,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) |
983 |
+ #endif |
984 |
+ break; |
985 |
+ case KEY_DSA: |
986 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
987 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
988 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->p); |
989 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->q); |
990 |
+ pamsshagentauth_buffer_put_bignum2(b, key->dsa->g); |
991 |
+@@ -654,7 +654,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) |
992 |
+ |
993 |
+ if (key->type == KEY_RSA1) { |
994 |
+ pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY); |
995 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
996 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
997 |
+ pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n)); |
998 |
+ pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e); |
999 |
+ pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n); |
1000 |
+diff --git a/bufbn.c b/bufbn.c |
1001 |
+index 4ecedc1..b4754cc 100644 |
1002 |
+--- a/bufbn.c |
1003 |
++++ b/bufbn.c |
1004 |
+@@ -151,7 +151,7 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) |
1005 |
+ pamsshagentauth_buffer_put_int(buffer, 0); |
1006 |
+ return 0; |
1007 |
+ } |
1008 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1009 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1010 |
+ if (value->neg) { |
1011 |
+ #else |
1012 |
+ if (BN_is_negative(value)) { |
1013 |
+diff --git a/key.c b/key.c |
1014 |
+index aedbbb5..dcc5fc8 100644 |
1015 |
+--- a/key.c |
1016 |
++++ b/key.c |
1017 |
+@@ -77,7 +77,7 @@ pamsshagentauth_key_new(int type) |
1018 |
+ case KEY_RSA: |
1019 |
+ if ((rsa = RSA_new()) == NULL) |
1020 |
+ pamsshagentauth_fatal("key_new: RSA_new failed"); |
1021 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1022 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1023 |
+ if ((rsa->n = BN_new()) == NULL) |
1024 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
1025 |
+ if ((rsa->e = BN_new()) == NULL) |
1026 |
+@@ -91,7 +91,7 @@ pamsshagentauth_key_new(int type) |
1027 |
+ case KEY_DSA: |
1028 |
+ if ((dsa = DSA_new()) == NULL) |
1029 |
+ pamsshagentauth_fatal("key_new: DSA_new failed"); |
1030 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1031 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1032 |
+ if ((dsa->p = BN_new()) == NULL) |
1033 |
+ pamsshagentauth_fatal("key_new: BN_new failed"); |
1034 |
+ if ((dsa->q = BN_new()) == NULL) |
1035 |
+@@ -130,7 +130,7 @@ pamsshagentauth_key_new_private(int type) |
1036 |
+ switch (k->type) { |
1037 |
+ case KEY_RSA1: |
1038 |
+ case KEY_RSA: |
1039 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1040 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1041 |
+ if ((k->rsa->d = BN_new()) == NULL) |
1042 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
1043 |
+ if ((k->rsa->iqmp = BN_new()) == NULL) |
1044 |
+@@ -153,7 +153,7 @@ pamsshagentauth_key_new_private(int type) |
1045 |
+ #endif |
1046 |
+ break; |
1047 |
+ case KEY_DSA: |
1048 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1049 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1050 |
+ if ((k->dsa->priv_key = BN_new()) == NULL) |
1051 |
+ pamsshagentauth_fatal("key_new_private: BN_new failed"); |
1052 |
+ #else |
1053 |
+@@ -162,7 +162,7 @@ pamsshagentauth_key_new_private(int type) |
1054 |
+ #endif |
1055 |
+ break; |
1056 |
+ case KEY_ECDSA: |
1057 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1058 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1059 |
+ if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1) |
1060 |
+ pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed"); |
1061 |
+ #else |
1062 |
+@@ -224,7 +224,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b) |
1063 |
+ case KEY_RSA1: |
1064 |
+ case KEY_RSA: |
1065 |
+ return a->rsa != NULL && b->rsa != NULL && |
1066 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1067 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1068 |
+ BN_cmp(a->rsa->e, b->rsa->e) == 0 && |
1069 |
+ BN_cmp(a->rsa->n, b->rsa->n) == 0; |
1070 |
+ #else |
1071 |
+@@ -233,7 +233,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b) |
1072 |
+ #endif |
1073 |
+ case KEY_DSA: |
1074 |
+ return a->dsa != NULL && b->dsa != NULL && |
1075 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1076 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1077 |
+ BN_cmp(a->dsa->p, b->dsa->p) == 0 && |
1078 |
+ BN_cmp(a->dsa->q, b->dsa->q) == 0 && |
1079 |
+ BN_cmp(a->dsa->g, b->dsa->g) == 0 && |
1080 |
+@@ -293,7 +293,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
1081 |
+ } |
1082 |
+ switch (k->type) { |
1083 |
+ case KEY_RSA1: |
1084 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1085 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1086 |
+ nlen = BN_num_bytes(k->rsa->n); |
1087 |
+ elen = BN_num_bytes(k->rsa->e); |
1088 |
+ len = nlen + elen; |
1089 |
+@@ -510,7 +510,7 @@ pamsshagentauth_key_read(Key *ret, char **cpp) |
1090 |
+ return -1; |
1091 |
+ *cpp = cp; |
1092 |
+ /* Get public exponent, public modulus. */ |
1093 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1094 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1095 |
+ if (!read_bignum(cpp, ret->rsa->e)) |
1096 |
+ return -1; |
1097 |
+ if (!read_bignum(cpp, ret->rsa->n)) |
1098 |
+@@ -643,7 +643,7 @@ pamsshagentauth_key_write(const Key *key, FILE *f) |
1099 |
+ |
1100 |
+ if (key->type == KEY_RSA1 && key->rsa != NULL) { |
1101 |
+ /* size of modulus 'n' */ |
1102 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1103 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1104 |
+ bits = BN_num_bits(key->rsa->n); |
1105 |
+ fprintf(f, "%u", bits); |
1106 |
+ if (write_bignum(f, key->rsa->e) && |
1107 |
+@@ -742,7 +742,7 @@ pamsshagentauth_key_size(const Key *k) |
1108 |
+ { |
1109 |
+ switch (k->type) { |
1110 |
+ case KEY_RSA1: |
1111 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1112 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1113 |
+ case KEY_RSA: |
1114 |
+ return BN_num_bits(k->rsa->n); |
1115 |
+ case KEY_DSA: |
1116 |
+@@ -843,7 +843,7 @@ pamsshagentauth_key_from_private(const Key *k) |
1117 |
+ switch (k->type) { |
1118 |
+ case KEY_DSA: |
1119 |
+ n = pamsshagentauth_key_new(k->type); |
1120 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1121 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1122 |
+ if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || |
1123 |
+ (BN_copy(n->dsa->q, k->dsa->q) == NULL) || |
1124 |
+ (BN_copy(n->dsa->g, k->dsa->g) == NULL) || |
1125 |
+@@ -859,7 +859,7 @@ pamsshagentauth_key_from_private(const Key *k) |
1126 |
+ case KEY_RSA: |
1127 |
+ case KEY_RSA1: |
1128 |
+ n = pamsshagentauth_key_new(k->type); |
1129 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1130 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1131 |
+ if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || |
1132 |
+ (BN_copy(n->rsa->e, k->rsa->e) == NULL)) |
1133 |
+ #else |
1134 |
+@@ -967,7 +967,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen) |
1135 |
+ switch (type) { |
1136 |
+ case KEY_RSA: |
1137 |
+ key = pamsshagentauth_key_new(type); |
1138 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1139 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1140 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || |
1141 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { |
1142 |
+ #else |
1143 |
+@@ -985,7 +985,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen) |
1144 |
+ break; |
1145 |
+ case KEY_DSA: |
1146 |
+ key = pamsshagentauth_key_new(type); |
1147 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1148 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1149 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || |
1150 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || |
1151 |
+ pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || |
1152 |
+@@ -1113,7 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp) |
1153 |
+ } |
1154 |
+ pamsshagentauth_buffer_init(&b); |
1155 |
+ switch (key->type) { |
1156 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1157 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1158 |
+ case KEY_DSA: |
1159 |
+ pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key)); |
1160 |
+ pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p); |
1161 |
+@@ -1251,7 +1251,7 @@ pamsshagentauth_key_demote(const Key *k) |
1162 |
+ case KEY_RSA: |
1163 |
+ if ((pk->rsa = RSA_new()) == NULL) |
1164 |
+ pamsshagentauth_fatal("key_demote: RSA_new failed"); |
1165 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1166 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1167 |
+ if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) |
1168 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
1169 |
+ if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) |
1170 |
+@@ -1264,7 +1264,7 @@ pamsshagentauth_key_demote(const Key *k) |
1171 |
+ case KEY_DSA: |
1172 |
+ if ((pk->dsa = DSA_new()) == NULL) |
1173 |
+ pamsshagentauth_fatal("key_demote: DSA_new failed"); |
1174 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1175 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1176 |
+ if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) |
1177 |
+ pamsshagentauth_fatal("key_demote: BN_dup failed"); |
1178 |
+ if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) |
1179 |
+diff --git a/ssh-dss.c b/ssh-dss.c |
1180 |
+index 1051ae2..9b96274 100644 |
1181 |
+--- a/ssh-dss.c |
1182 |
++++ b/ssh-dss.c |
1183 |
+@@ -52,7 +52,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, |
1184 |
+ u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN]; |
1185 |
+ u_int rlen, slen, len, dlen; |
1186 |
+ Buffer b; |
1187 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1188 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
1189 |
+ const BIGNUM *r, *s; |
1190 |
+ #endif |
1191 |
+ |
1192 |
+@@ -74,7 +74,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, |
1193 |
+ return -1; |
1194 |
+ } |
1195 |
+ |
1196 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1197 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1198 |
+ rlen = BN_num_bytes(sig->r); |
1199 |
+ slen = BN_num_bytes(sig->s); |
1200 |
+ #else |
1201 |
+@@ -88,7 +88,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, |
1202 |
+ return -1; |
1203 |
+ } |
1204 |
+ memset(sigblob, 0, SIGBLOB_LEN); |
1205 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1206 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1207 |
+ BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen); |
1208 |
+ BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen); |
1209 |
+ #else |
1210 |
+@@ -131,7 +131,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, |
1211 |
+ u_int len, dlen; |
1212 |
+ int rlen, ret; |
1213 |
+ Buffer b; |
1214 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1215 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
1216 |
+ BIGNUM *r, *s; |
1217 |
+ #endif |
1218 |
+ |
1219 |
+@@ -176,7 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, |
1220 |
+ /* parse signature */ |
1221 |
+ if ((sig = DSA_SIG_new()) == NULL) |
1222 |
+ pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed"); |
1223 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1224 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1225 |
+ if ((sig->r = BN_new()) == NULL) |
1226 |
+ pamsshagentauth_fatal("ssh_dss_verify: BN_new failed"); |
1227 |
+ if ((sig->s = BN_new()) == NULL) |
1228 |
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c |
1229 |
+index c213959..5b13b30 100644 |
1230 |
+--- a/ssh-ecdsa.c |
1231 |
++++ b/ssh-ecdsa.c |
1232 |
+@@ -45,7 +45,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
1233 |
+ u_char digest[EVP_MAX_MD_SIZE]; |
1234 |
+ u_int len, dlen; |
1235 |
+ Buffer b, bb; |
1236 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1237 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
1238 |
+ BIGNUM *r, *s; |
1239 |
+ #endif |
1240 |
+ |
1241 |
+@@ -69,7 +69,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, |
1242 |
+ } |
1243 |
+ |
1244 |
+ pamsshagentauth_buffer_init(&bb); |
1245 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1246 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1247 |
+ if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 || |
1248 |
+ pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) { |
1249 |
+ #else |
1250 |
+@@ -110,7 +110,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
1251 |
+ u_int len, dlen; |
1252 |
+ int rlen, ret; |
1253 |
+ Buffer b; |
1254 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1255 |
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
1256 |
+ BIGNUM *r, *s; |
1257 |
+ #endif |
1258 |
+ |
1259 |
+@@ -141,7 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
1260 |
+ |
1261 |
+ pamsshagentauth_buffer_init(&b); |
1262 |
+ pamsshagentauth_buffer_append(&b, sigblob, len); |
1263 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1264 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1265 |
+ if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) || |
1266 |
+ (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1)) |
1267 |
+ #else |
1268 |
+diff --git a/ssh-rsa.c b/ssh-rsa.c |
1269 |
+index 9d74eb6..35f2e36 100644 |
1270 |
+--- a/ssh-rsa.c |
1271 |
++++ b/ssh-rsa.c |
1272 |
+@@ -119,13 +119,13 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, |
1273 |
+ pamsshagentauth_logerror("ssh_rsa_verify: no RSA key"); |
1274 |
+ return -1; |
1275 |
+ } |
1276 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1277 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1278 |
+ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { |
1279 |
+ #else |
1280 |
+ if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) { |
1281 |
+ #endif |
1282 |
+ pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits", |
1283 |
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1284 |
++#if OPENSSL_VERSION_NUMBER < 0x10100005L |
1285 |
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); |
1286 |
+ #else |
1287 |
+ BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE); |
1288 |
|
1289 |
diff --git a/sys-auth/pam_ssh_agent_auth/metadata.xml b/sys-auth/pam_ssh_agent_auth/metadata.xml |
1290 |
index b2c4b0002ee..cbaa4da90d4 100644 |
1291 |
--- a/sys-auth/pam_ssh_agent_auth/metadata.xml |
1292 |
+++ b/sys-auth/pam_ssh_agent_auth/metadata.xml |
1293 |
@@ -6,5 +6,6 @@ |
1294 |
</maintainer> |
1295 |
<upstream> |
1296 |
<remote-id type="sourceforge">pamsshagentauth</remote-id> |
1297 |
+ <remote-id type="github">jbeverly/pam_ssh_agent_auth</remote-id> |
1298 |
</upstream> |
1299 |
</pkgmetadata> |
1300 |
|
1301 |
diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild |
1302 |
new file mode 100644 |
1303 |
index 00000000000..8afccd4a986 |
1304 |
--- /dev/null |
1305 |
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild |
1306 |
@@ -0,0 +1,51 @@ |
1307 |
+# Copyright 1999-2018 Gentoo Authors |
1308 |
+# Distributed under the terms of the GNU General Public License v2 |
1309 |
+ |
1310 |
+EAPI=7 |
1311 |
+ |
1312 |
+inherit pam |
1313 |
+ |
1314 |
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys" |
1315 |
+HOMEPAGE="http://pamsshagentauth.sourceforge.net" |
1316 |
+ |
1317 |
+if [[ ${PV} == *9999 ]] ; then |
1318 |
+ EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git" |
1319 |
+ inherit git-r3 |
1320 |
+else |
1321 |
+ SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2" |
1322 |
+ KEYWORDS="~amd64 ~arm ~x86" |
1323 |
+fi |
1324 |
+ |
1325 |
+LICENSE="MIT" |
1326 |
+SLOT="0" |
1327 |
+IUSE="" |
1328 |
+ |
1329 |
+PATCHES=( |
1330 |
+ "${FILESDIR}/${P}-openssl-1.1.1.patch" |
1331 |
+) |
1332 |
+DEPEND="virtual/pam |
1333 |
+ dev-libs/openssl:0=" |
1334 |
+ |
1335 |
+RDEPEND="${DEPEND} |
1336 |
+ virtual/ssh" |
1337 |
+ |
1338 |
+# needed for pod2man |
1339 |
+DEPEND="${DEPEND} |
1340 |
+ dev-lang/perl" |
1341 |
+ |
1342 |
+src_configure() { |
1343 |
+ pammod_hide_symbols |
1344 |
+ |
1345 |
+ econf \ |
1346 |
+ --without-openssl-header-check \ |
1347 |
+ --libexecdir="$(getpam_mod_dir)" |
1348 |
+} |
1349 |
+ |
1350 |
+src_install() { |
1351 |
+ # Don't use emake install as it makes it harder to have proper |
1352 |
+ # install paths. |
1353 |
+ dopammod pam_ssh_agent_auth.so |
1354 |
+ doman pam_ssh_agent_auth.8 |
1355 |
+ |
1356 |
+ dodoc CONTRIBUTORS |
1357 |
+} |
1358 |
|
1359 |
diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild |
1360 |
new file mode 100644 |
1361 |
index 00000000000..2b877364229 |
1362 |
--- /dev/null |
1363 |
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild |
1364 |
@@ -0,0 +1,48 @@ |
1365 |
+# Copyright 1999-2018 Gentoo Authors |
1366 |
+# Distributed under the terms of the GNU General Public License v2 |
1367 |
+ |
1368 |
+EAPI=7 |
1369 |
+ |
1370 |
+inherit pam |
1371 |
+ |
1372 |
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys" |
1373 |
+HOMEPAGE="http://pamsshagentauth.sourceforge.net" |
1374 |
+ |
1375 |
+if [[ ${PV} == *9999 ]] ; then |
1376 |
+ EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git" |
1377 |
+ inherit git-r3 |
1378 |
+else |
1379 |
+ SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2" |
1380 |
+ KEYWORDS="~amd64 ~arm ~x86" |
1381 |
+fi |
1382 |
+ |
1383 |
+LICENSE="MIT" |
1384 |
+SLOT="0" |
1385 |
+IUSE="" |
1386 |
+ |
1387 |
+DEPEND="virtual/pam |
1388 |
+ dev-libs/openssl:0=" |
1389 |
+ |
1390 |
+RDEPEND="${DEPEND} |
1391 |
+ virtual/ssh" |
1392 |
+ |
1393 |
+# needed for pod2man |
1394 |
+DEPEND="${DEPEND} |
1395 |
+ dev-lang/perl" |
1396 |
+ |
1397 |
+src_configure() { |
1398 |
+ pammod_hide_symbols |
1399 |
+ |
1400 |
+ econf \ |
1401 |
+ --without-openssl-header-check \ |
1402 |
+ --libexecdir="$(getpam_mod_dir)" |
1403 |
+} |
1404 |
+ |
1405 |
+src_install() { |
1406 |
+ # Don't use emake install as it makes it harder to have proper |
1407 |
+ # install paths. |
1408 |
+ dopammod pam_ssh_agent_auth.so |
1409 |
+ doman pam_ssh_agent_auth.8 |
1410 |
+ |
1411 |
+ dodoc CONTRIBUTORS |
1412 |
+} |