pkgsrc-Changes archive


CVS commit: pkgsrc/security/openssh



Module Name:    pkgsrc
Committed By:   manu
Date:           Fri Sep  6 09:03:00 UTC 2019

Modified Files:
        pkgsrc/security/openssh: distinfo options.mk
Added Files:
        pkgsrc/security/openssh/patches: patch-sshkey.h

Log Message:
Add legacymodsz option to allow short (insecure) RSA keys

This may be required in order to access old, non-upgradable, devices for
which modulus size is less than 1024 bits (frequently 768 bits).


To generate a diff of this commit:
cvs rdiff -u -r1.108 -r1.109 pkgsrc/security/openssh/distinfo
cvs rdiff -u -r1.36 -r1.37 pkgsrc/security/openssh/options.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/security/openssh/patches/patch-sshkey.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.108 pkgsrc/security/openssh/distinfo:1.109
--- pkgsrc/security/openssh/distinfo:1.108      Tue Jun  4 09:08:06 2019
+++ pkgsrc/security/openssh/distinfo    Fri Sep  6 09:03:00 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.108 2019/06/04 09:08:06 he Exp $
+$NetBSD: distinfo,v 1.109 2019/09/06 09:03:00 manu Exp $
 
 SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
 RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
@@ -16,3 +16,4 @@ SHA1 (patch-openbsd-compat_port-tun.c) =
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
 SHA1 (patch-sshd.c) = 825eeec13608859852f4cfdeaceedce21bd2f164
+SHA1 (patch-sshkey.h) = 8e6758a5f78eb48fae2df6efe8ddb9f5d4a71f7b

Index: pkgsrc/security/openssh/options.mk
diff -u pkgsrc/security/openssh/options.mk:1.36 pkgsrc/security/openssh/options.mk:1.37
--- pkgsrc/security/openssh/options.mk:1.36     Thu Apr 25 14:55:04 2019
+++ pkgsrc/security/openssh/options.mk  Fri Sep  6 09:03:00 2019
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+# $NetBSD: options.mk,v 1.37 2019/09/06 09:03:00 manu Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam legacymodsz
 PKG_SUGGESTED_OPTIONS= editline openssl
 
 .include "../../mk/bsd.prefs.mk"
@@ -27,6 +27,10 @@ CONFIGURE_ENV+=              ac_cv_search_k_hasafs=n
 .  endif
 .endif
 
+.if !empty(PKG_OPTIONS:Mlegacymodsz)
+CONFIGURE_ARGS+=   CPPFLAGS="${CPPFLAGS} -DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768"
+.endif
+
 #.if !empty(PKG_OPTIONS:Mhpn-patch)
 #PATCHFILES=           openssh-7.1p1-hpn-20150822.diff.bz2
 #PATCH_SITES=          ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
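Review bot: The `-DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768` added under `legacymodsz` goes in through CPPFLAGS for the whole build, so it presumably lowers the RSA floor for every binary in the package (sshd and ssh-keygen included), not only the ssh client used to reach the old devices. The log message describes an outbound-client need, so the block deserves a comment above the `.if` that states the wider effect, e.g. `# legacymodsz lowers the minimum RSA modulus to 768 bits for all binaries built from this package; avoid enabling it on hosts that run this sshd.` Separately, a `CPPFLAGS=...` passed as a configure argument may take precedence over the CPPFLAGS pkgsrc exports in the environment. `CPPFLAGS+= -DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768` would be the less surprising form, provided it reaches configure the same way in this package.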

Added files:

Index: pkgsrc/security/openssh/patches/patch-sshkey.h
diff -u /dev/null pkgsrc/security/openssh/patches/patch-sshkey.h:1.1
--- /dev/null   Fri Sep  6 09:03:00 2019
+++ pkgsrc/security/openssh/patches/patch-sshkey.h      Fri Sep  6 09:03:00 2019
@@ -0,0 +1,20 @@
+$NetBSD: patch-sshkey.h,v 1.1 2019/09/06 09:03:00 manu Exp $
+
+Support for non recommendable (insecure) modulus size for RSA. This may be
+required in order to access old, non-upgradable, devices for which modulus size
+is less than 1024 bits (frequently 768 bits).
+
+--- sshkey.h.orig      2019-09-03 17:55:31.695925772 +0200
++++ sshkey.h
+@@ -47,7 +47,11 @@
+ # define EC_POINT     void
+ #endif /* WITH_OPENSSL */
+
++#ifdef SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#define SSH_RSA_MINIMUM_MODULUS_SIZE  SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#else
+ #define SSH_RSA_MINIMUM_MODULUS_SIZE  1024
++#endif
+ #define SSH_KEY_MAX_SIGN_DATA_SIZE    (1 << 20)
+ 
+ struct sshbuf;
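Review bot: The new `#ifdef` branch uses whatever value `SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ` carries as the minimum modulus size, with no lower bound. A bare `-DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ` expands to 1 and would effectively disable the size check. A compile-time guard inside the `#ifdef` would keep the override to the documented 768-bit case: `#if SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ < 768`, then `#error "legacy RSA minimum modulus must be at least 768 bits"`, then `#endif`. A one-line comment on the define saying that it changes the limit for every consumer of sshkey.h would also help; where the macro is used is not visible in this hunk.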


