[pkgsrc/trunk]: pkgsrc/security/openssh Add legacymodsz option to allow short...

[manu <manu%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/d04f76259fa0
branches:  trunk
changeset: 339090:d04f76259fa0
user:      manu <manu%pkgsrc.org@localhost>
date:      Fri Sep 06 09:03:00 2019 +0000

description:
Add legacymodsz option to allow short (insecure) RSA keys

This may be required in order to access old, non-upgradable, devices for
which modulus size is less than 1024 bits (frequently 768 bits).

diffstat:

 security/openssh/distinfo               |   3 ++-
 security/openssh/options.mk             |   8 ++++++--
 security/openssh/patches/patch-sshkey.h |  20 ++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)

diffs (62 lines):

diff -r 12b1bb83b667 -r d04f76259fa0 security/openssh/distinfo
--- a/security/openssh/distinfo Fri Sep 06 09:00:35 2019 +0000
+++ b/security/openssh/distinfo Fri Sep 06 09:03:00 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.108 2019/06/04 09:08:06 he Exp $
+$NetBSD: distinfo,v 1.109 2019/09/06 09:03:00 manu Exp $
 
 SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
 RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
@@ -16,3 +16,4 @@
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
 SHA1 (patch-sshd.c) = 825eeec13608859852f4cfdeaceedce21bd2f164
+SHA1 (patch-sshkey.h) = 8e6758a5f78eb48fae2df6efe8ddb9f5d4a71f7b
diff -r 12b1bb83b667 -r d04f76259fa0 security/openssh/options.mk
--- a/security/openssh/options.mk       Fri Sep 06 09:00:35 2019 +0000
+++ b/security/openssh/options.mk       Fri Sep 06 09:03:00 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+# $NetBSD: options.mk,v 1.37 2019/09/06 09:03:00 manu Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam legacymodsz
 PKG_SUGGESTED_OPTIONS= editline openssl
 
 .include "../../mk/bsd.prefs.mk"
@@ -27,6 +27,10 @@
 .  endif
 .endif
 
+.if !empty(PKG_OPTIONS:Mlegacymodsz)
+CONFIGURE_ARGS+=   CPPFLAGS="${CPPFLAGS} -DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768"
+.endif
+
 #.if !empty(PKG_OPTIONS:Mhpn-patch)
 #PATCHFILES=           openssh-7.1p1-hpn-20150822.diff.bz2
 #PATCH_SITES=          ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
diff -r 12b1bb83b667 -r d04f76259fa0 security/openssh/patches/patch-sshkey.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/openssh/patches/patch-sshkey.h   Fri Sep 06 09:03:00 2019 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-sshkey.h,v 1.1 2019/09/06 09:03:00 manu Exp $
+
+Support for non recommendable (insecure) modulus size for RSA. This may be
+required in order to access old, non-upgradable, devices for which modulus size
+is less than 1024 bits (frequently 768 bits).
+
+--- sshkey.h.orig      2019-09-03 17:55:31.695925772 +0200
++++ sshkey.h
+@@ -47,7 +47,11 @@
+ # define EC_POINT     void
+ #endif /* WITH_OPENSSL */
+
++#ifdef SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#define SSH_RSA_MINIMUM_MODULUS_SIZE  SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#else
+ #define SSH_RSA_MINIMUM_MODULUS_SIZE  1024
++#endif
+ #define SSH_KEY_MAX_SIGN_DATA_SIZE    (1 << 20)
+ 
+ struct sshbuf;