author | manu <manu@pkgsrc.org> | 2019-09-06 09:03:00 +0000 |
---|---|---|
committer | manu <manu@pkgsrc.org> | 2019-09-06 09:03:00 +0000 |
commit | 8bf55d48f9337ef78ecfdc51ed653fc8433163a9 (patch) | |
tree | c9613a906fb17ca5caebd29bcca754ba19541e2b /security/openssh | |
parent | 01fcc4f7a580770f83d205eaf0de482ed0ee711d (diff) | |
download | pkgsrc-8bf55d48f9337ef78ecfdc51ed653fc8433163a9.tar.gz |
Add legacymodsz option to allow short (insecure) RSA keys
This may be required in order to access old, non-upgradable, devices for
which modulus size is less than 1024 bits (frequently 768 bits).
Diffstat (limited to 'security/openssh')
-rw-r--r-- | security/openssh/distinfo | 3 | ||||
-rw-r--r-- | security/openssh/options.mk | 8 | ||||
-rw-r--r-- | security/openssh/patches/patch-sshkey.h | 20 |
3 files changed, 28 insertions, 3 deletions
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 9fc307bb7c9..3559d7d4246 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.108 2019/06/04 09:08:06 he Exp $
+$NetBSD: distinfo,v 1.109 2019/09/06 09:03:00 manu Exp $
 SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
 RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
@@ -16,3 +16,4 @@ SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a58922
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
 SHA1 (patch-sshd.c) = 825eeec13608859852f4cfdeaceedce21bd2f164
+SHA1 (patch-sshkey.h) = 8e6758a5f78eb48fae2df6efe8ddb9f5d4a71f7b
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index 6e941d6b5bb..46115bfecad 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+# $NetBSD: options.mk,v 1.37 2019/09/06 09:03:00 manu Exp $
 PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam legacymodsz
 PKG_SUGGESTED_OPTIONS= editline openssl
 .include "../../mk/bsd.prefs.mk"
@@ -27,6 +27,10 @@ CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
 . endif
 .endif
+.if !empty(PKG_OPTIONS:Mlegacymodsz)
+CONFIGURE_ARGS+= CPPFLAGS="${CPPFLAGS} -DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768"
+.endif
+
 #.if !empty(PKG_OPTIONS:Mhpn-patch)
 #PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
 #PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
diff --git a/security/openssh/patches/patch-sshkey.h b/security/openssh/patches/patch-sshkey.h
new file mode 100644
index 00000000000..4b7b0eae4f8
--- /dev/null
+++ b/security/openssh/patches/patch-sshkey.h
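Review bot: The `legacymodsz` block in the second options.mk hunk has no comment saying how far the option reaches, and its effect is wider than the use case given in the commit message. The define is consumed in sshkey.h, which is presumably compiled into sshd, ssh-keygen and the agent tools as well as the client, so a package built with this option would also lower the server-side and key-generation floor to 768 bits, not only what the client tolerates from an old device. I would add a comment above the `.if`, for example `# legacymodsz lowers the RSA minimum modulus to 768 bits for every binary in the package (client and server); enable only on hosts that must reach legacy devices.` Separately, pkgsrc normally sets preprocessor flags with `CPPFLAGS+= -DSSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ=768` rather than passing a quoted `CPPFLAGS=` through `CONFIGURE_ARGS`.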
@@ -0,0 +1,20 @@
+$NetBSD: patch-sshkey.h,v 1.1 2019/09/06 09:03:00 manu Exp $
+
+Support for non recommendable (insecure) modulus size for RSA. This may be
+required in order to access old, non-upgradable, devices for which modulus size
+is less than 1024 bits (frequently 768 bits).
+
+--- sshkey.h.orig 2019-09-03 17:55:31.695925772 +0200
++++ sshkey.h
+@@ -47,7 +47,11 @@
+ # define EC_POINT void
+ #endif /* WITH_OPENSSL */
+
++#ifdef SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#define SSH_RSA_MINIMUM_MODULUS_SIZE SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ
++#else
+ #define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
++#endif
+ #define SSH_KEY_MAX_SIGN_DATA_SIZE (1 << 20)
+
+ struct sshbuf;
|
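Review bot: The override branch in the sshkey.h hunk accepts whatever value `SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ` carries, so a mistyped flag or a bare `-D` without a value (which the compiler defines as 1) would silently remove the RSA size floor instead of failing the build. Since options.mk only ever passes 768, a compile-time check inside the `#ifdef` branch would keep the escape hatch bounded: `#if SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ < 768`, `#error "SSH_RSA_INSECURE_LEGACY_MIN_MOD_SZ must be at least 768"`, `#endif`. A short comment next to the `#ifdef` saying that the 1024-bit default is being deliberately weakened for legacy peers would also help anyone reading the patched header without the pkgsrc commit message.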