- add patch for RSAREF buffer overflow

- fix double slash in header path for GMP and Zlib - stop creating ${PREFIX}/etc directory - cleanup Makefile
1999-12-03 01:13:16 +00:00 · 1999-12-03 01:13:16 +00:00 · 1d61dec1cd
commit 1d61dec1cd
parent 7eb13beb0d
4 changed files with 81 additions and 39 deletions
--- a/security/ssh/Makefile
+++ b/security/ssh/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.42 1999/11/25 21:37:10 brad Exp $
+# $OpenBSD: Makefile,v 1.43 1999/12/03 01:13:16 brad Exp $

 DISTNAME=       ssh-1.2.27
 CATEGORIES=	security net
@ -22,19 +22,17 @@ RESTRICTED=	"Crypto; export-controlled"

 MAINTAINER=	todd@openbsd.org

-.if defined(NO_WARNINGS) || (defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES)
+.if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES
 DISTFILES=	${DISTNAME}.tar.gz rsaref2.tar.gz:0
+CONFIGURE_ARGS+= --with-rsaref
 .endif

-ETCDIR?=	/etc
-RSHPROG?=	/usr/bin/rsh
-
-IS_INTERACTIVE=	yes
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-etcdir=${ETCDIR} \
+CONFIGURE_ARGS+=--with-etcdir=${ETCDIR} \
 		--with-rsh=${RSHPROG} \
 		--with-libwrap
-CONFIGURE_ENV= PERL=/usr/bin/perl
+
+IS_INTERACTIVE=	yes

 .if defined(X11) && ${X11} == NO
 CONFIGURE_ARGS= --without-x
@ -51,10 +49,6 @@ CONFIGURE_ARGS= --without-x
 #
 #CONFIGURE_ARGS+= --with-none

-.if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES
-CONFIGURE_ARGS+= --with-rsaref
-.endif
-
 # Include SOCKS firewall support
 .if defined(USE_SOCKS) && ${USE_SOCKS:U} == YES
 CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5
@ -73,56 +67,59 @@ CONFIGURE_ARGS+= --with-secureid
 CONFIGURE_ARGS+= --without-idea
 .endif

+ETCDIR?=	/etc
+RSHPROG?=	/usr/bin/rsh
+
 pre-patch:
 .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES
-	@${CP} ${FILESDIR}/patch-rsaref2 ${PATCHDIR}
+	@cp ${FILESDIR}/patch-rsaref2 ${PATCHDIR}
+	@cp ${FILESDIR}/patch-rsaref2-2 ${PATCHDIR}
 .endif
-	@${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
+	@mv -f ${WRKSRC}/make-ssh-known-hosts.pl \
 	    ${WRKSRC}/make-ssh-known-hosts.pl.in

 post-patch:
 .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES
-	@${RM} ${PATCHDIR}/patch-rsaref2
+	@rm -f ${PATCHDIR}/patch-rsaref2
+	@rm -f ${PATCHDIR}/patch-rsaref2-2
 .endif

 fetch-depends:
 .if !defined(NO_WARNINGS)
 .if !defined(USA_RESIDENT) || ${USA_RESIDENT:U} != YES && ${USA_RESIDENT:U} != NO
-	@${ECHO}
-	@${ECHO} You must set variable USA_RESIDENT to YES if you are a USA
-	@${ECHO} resident or NO otherwise.  USA residents must obtain the
-	@${ECHO} RSAREF2 library to generate this program.  \(RSA Inc. holds
-	@${ECHO} a patent on RSA in the USA - using RSA implementations
-	@${ECHO} other than RSAREF in the USA will violate the US patent\).
-	@${ECHO} ""
-	@${ECHO} RSAREF2 will be automatically obtained and used to generate
-	@${ECHO} this program when given the command \"make USA_RESIDENT=YES\"
-	@${ECHO} ""
-	@${FALSE}
+	@echo ""
+	@echo "You must set variable USA_RESIDENT to YES if you are a USA"
+	@echo "resident or NO otherwise.  USA residents must obtain the"
+	@echo "RSAREF2 library to generate this program.  \(RSA Inc. holds"
+	@echo "a patent on RSA in the USA - using RSA implementations"
+	@echo "other than RSAREF in the USA will violate the US patent\)."
+	@echo ""
+	@echo "RSAREF2 will be automatically obtained and used to generate"
+	@echo "this program when given the command \"make USA_RESIDENT=YES\""
+	@echo ""
+	@false
 .endif
 .endif

 post-extract:
 .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES
-	@${MV} ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
+	@mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
 .endif

 # Put the config files someplace where they can be found to
 # create a package.
-#
 post-install:
-	@${MKDIR} ${PREFIX}/etc
-	@${MKDIR} ${PREFIX}/lib/ssh
+	@mkdir -p ${PREFIX}/lib/ssh
 	@cat ${WRKSRC}/server_config.sample | \
-	  ${SED} "s#_ETCDIR_#${ETCDIR}#g" > /tmp/ssh_inst.$$$$; \
+	  sed "s#_ETCDIR_#${ETCDIR}#g" > /tmp/ssh_inst.$$$$; \
 	  ${INSTALL_DATA} /tmp/ssh_inst.$$$$ ${PREFIX}/lib/ssh/server_config.sample
 	@${INSTALL_DATA} ${WRKSRC}/host_config.sample ${PREFIX}/lib/ssh
 	@if [ ! -f ${ETCDIR}/ssh_host_key ]; then \
-		${ECHO} "Generating a secret host key..."; \
-		${PREFIX}/bin/ssh-keygen -f ${ETCDIR}/ssh_host_key -N ""; \
+	 echo "Generating a secret host key..."; \
+	 ${PREFIX}/bin/ssh-keygen -f ${ETCDIR}/ssh_host_key -N ""; \
 	fi
-	@${RM} -f ${PREFIX}/man/man1/slogin.1
-	@${LN} -sf ssh.1 ${PREFIX}/man/man1/slogin.1
-	@${SH} ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL
+	@rm -f ${PREFIX}/man/man1/slogin.1
+	@ln -sf ssh.1 ${PREFIX}/man/man1/slogin.1
+	@sh ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL

 .include <bsd.port.mk>
--- a/security/ssh/files/patch-rsaref2-2
+++ b/security/ssh/files/patch-rsaref2-2
@ -0,0 +1,42 @@
+--- rsaref2/source/rsa.c.orig	Fri Mar 25 14:01:48 1994
+++ rsaref2/source/rsa.c	Thu Dec  2 16:43:04 1999
+@@ -33,6 +33,9 @@
+   unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
+   unsigned int i, modulusLen;
+   
+  if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
+    return (RE_LEN);
+
+   modulusLen = (publicKey->bits + 7) / 8;
+   if (inputLen + 11 > modulusLen)
+     return (RE_LEN);
+@@ -78,6 +81,9 @@
+   unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+   unsigned int i, modulusLen, pkcsBlockLen;
+   
+  if (inputLen > MAX_RSA_MODULUS_LEN)
+    return (RE_LEN);
+
+   modulusLen = (publicKey->bits + 7) / 8;
+   if (inputLen > modulusLen)
+     return (RE_LEN);
+@@ -129,6 +135,9 @@
+   unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+   unsigned int i, modulusLen;
+   
+  if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
+    return (RE_LEN);
+
+   modulusLen = (privateKey->bits + 7) / 8;
+   if (inputLen + 11 > modulusLen)
+     return (RE_LEN);
+@@ -168,6 +177,9 @@
+   unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+   unsigned int i, modulusLen, pkcsBlockLen;
+   
+  if (inputLen > MAX_RSA_MODULUS_LEN)
+    return (RE_LEN);
+
+   modulusLen = (privateKey->bits + 7) / 8;
+   if (inputLen > modulusLen)
+     return (RE_LEN);
--- a/security/ssh/patches/patch-ac
+++ b/security/ssh/patches/patch-ac
@ -1,5 +1,5 @@
--- Makefile.in.orig	Wed May 12 05:19:31 1999
-+++ Makefile.in	Wed Oct  6 22:55:44 1999
+--- Makefile.in.orig	Wed May 12 07:19:31 1999
+++ Makefile.in	Thu Dec  2 17:08:54 1999
@@ -294,19 +294,24 @@
 transform	= @program_transform_name@
 
@ -36,7 +36,7 @@
 
 .c.o:
 -	$(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
-+	$(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+	$(CC) -c -I. $(KERBEROS_INCS) -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
 
 sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
 	-rm -f sshd
--- a/security/ssh/pkg/SECURITY
+++ b/security/ssh/pkg/SECURITY
@ -3,3 +3,6 @@ ssh-1.2.27: patch-ai fixes the buffer overflow in RSAREF rsaglue code.

 OpenSSH (integrated into OpenBSD-2.6) does not have this bug.

+patch-rsaref2-2 fixes the buffer overflow in RSA{Private,Public}Decrypt(),
+as published by CORE SDI in their advisory of Dec. 1, 1999.
+