diff --git a/security/ssh/Makefile b/security/ssh/Makefile index 2263b1d709c..5c41090121a 100644 --- a/security/ssh/Makefile +++ b/security/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.42 1999/11/25 21:37:10 brad Exp $ +# $OpenBSD: Makefile,v 1.43 1999/12/03 01:13:16 brad Exp $ DISTNAME= ssh-1.2.27 CATEGORIES= security net @@ -22,19 +22,17 @@ RESTRICTED= "Crypto; export-controlled" MAINTAINER= todd@openbsd.org -.if defined(NO_WARNINGS) || (defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES) +.if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES DISTFILES= ${DISTNAME}.tar.gz rsaref2.tar.gz:0 +CONFIGURE_ARGS+= --with-rsaref .endif -ETCDIR?= /etc -RSHPROG?= /usr/bin/rsh - -IS_INTERACTIVE= yes GNU_CONFIGURE= yes -CONFIGURE_ARGS= --with-etcdir=${ETCDIR} \ +CONFIGURE_ARGS+=--with-etcdir=${ETCDIR} \ --with-rsh=${RSHPROG} \ --with-libwrap -CONFIGURE_ENV= PERL=/usr/bin/perl + +IS_INTERACTIVE= yes .if defined(X11) && ${X11} == NO CONFIGURE_ARGS= --without-x @@ -51,10 +49,6 @@ CONFIGURE_ARGS= --without-x # #CONFIGURE_ARGS+= --with-none -.if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES -CONFIGURE_ARGS+= --with-rsaref -.endif - # Include SOCKS firewall support .if defined(USE_SOCKS) && ${USE_SOCKS:U} == YES CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5 
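Review bot: Moving `CONFIGURE_ARGS+= --with-rsaref` into the first `.if` of the `@@ -22,19 +22,17 @@` hunk places it ahead of the `X11 == NO` block, whose `CONFIGURE_ARGS= --without-x` is a plain assignment and therefore discards everything accumulated before it. With USA_RESIDENT=YES and X11=NO the rsaref2 distfile is still fetched and patched, but configure would no longer receive `--with-rsaref`. `--with-etcdir`, `--with-rsh` and `--with-libwrap` are dropped in that case as well, so the binary would be built without libwrap support and with a default etc directory. Changing that context line to `CONFIGURE_ARGS+= --without-x` keeps the earlier options.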
@@ -73,56 +67,59 @@ CONFIGURE_ARGS+= --with-secureid CONFIGURE_ARGS+= --without-idea .endif +ETCDIR?= /etc +RSHPROG?= /usr/bin/rsh + pre-patch: .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES - @${CP} ${FILESDIR}/patch-rsaref2 ${PATCHDIR} + @cp ${FILESDIR}/patch-rsaref2 ${PATCHDIR} + @cp ${FILESDIR}/patch-rsaref2-2 ${PATCHDIR} .endif - @${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \ + @mv -f ${WRKSRC}/make-ssh-known-hosts.pl \ ${WRKSRC}/make-ssh-known-hosts.pl.in post-patch: .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES - @${RM} ${PATCHDIR}/patch-rsaref2 + @rm -f ${PATCHDIR}/patch-rsaref2 + @rm -f ${PATCHDIR}/patch-rsaref2-2 .endif fetch-depends: .if !defined(NO_WARNINGS) .if !defined(USA_RESIDENT) || ${USA_RESIDENT:U} != YES && ${USA_RESIDENT:U} != NO - @${ECHO} - @${ECHO} You must set variable USA_RESIDENT to YES if you are a USA - @${ECHO} resident or NO otherwise. USA residents must obtain the - @${ECHO} RSAREF2 library to generate this program. \(RSA Inc. holds - @${ECHO} a patent on RSA in the USA - using RSA implementations - @${ECHO} other than RSAREF in the USA will violate the US patent\). - @${ECHO} "" - @${ECHO} RSAREF2 will be automatically obtained and used to generate - @${ECHO} this program when given the command \"make USA_RESIDENT=YES\" - @${ECHO} "" - @${FALSE} + @echo "" + @echo "You must set variable USA_RESIDENT to YES if you are a USA" + @echo "resident or NO otherwise. USA residents must obtain the" + @echo "RSAREF2 library to generate this program. \(RSA Inc. holds" + @echo "a patent on RSA in the USA - using RSA implementations" + @echo "other than RSAREF in the USA will violate the US patent\)." 
+ @echo "" + @echo "RSAREF2 will be automatically obtained and used to generate" + @echo "this program when given the command \"make USA_RESIDENT=YES\"" + @echo "" + @false .endif .endif post-extract: .if defined(USA_RESIDENT) && ${USA_RESIDENT:U} == YES - @${MV} ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2 + @mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2 .endif # Put the config files someplace where they can be found to # create a package. -# post-install: - @${MKDIR} ${PREFIX}/etc - @${MKDIR} ${PREFIX}/lib/ssh + @mkdir -p ${PREFIX}/lib/ssh @cat ${WRKSRC}/server_config.sample | \ - ${SED} "s#_ETCDIR_#${ETCDIR}#g" > /tmp/ssh_inst.$$$$; \ + sed "s#_ETCDIR_#${ETCDIR}#g" > /tmp/ssh_inst.$$$$; \ ${INSTALL_DATA} /tmp/ssh_inst.$$$$ ${PREFIX}/lib/ssh/server_config.sample @${INSTALL_DATA} ${WRKSRC}/host_config.sample ${PREFIX}/lib/ssh @if [ ! -f ${ETCDIR}/ssh_host_key ]; then \ - ${ECHO} "Generating a secret host key..."; \ - ${PREFIX}/bin/ssh-keygen -f ${ETCDIR}/ssh_host_key -N ""; \ + echo "Generating a secret host key..."; \ + ${PREFIX}/bin/ssh-keygen -f ${ETCDIR}/ssh_host_key -N ""; \ fi - @${RM} -f ${PREFIX}/man/man1/slogin.1 - @${LN} -sf ssh.1 ${PREFIX}/man/man1/slogin.1 - @${SH} ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL + @rm -f ${PREFIX}/man/man1/slogin.1 + @ln -sf ssh.1 ${PREFIX}/man/man1/slogin.1 + @sh ${PKGDIR}/INSTALL ${DISTNAME} POST-INSTALL .include diff --git a/security/ssh/files/patch-rsaref2-2 b/security/ssh/files/patch-rsaref2-2 new file mode 100644 index 00000000000..0608bc0d857 --- /dev/null +++ b/security/ssh/files/patch-rsaref2-2 
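Review bot: The `post-install` recipe still stages the edited server_config.sample in `/tmp/ssh_inst.$$$$`, a predictable name in a world-writable directory, written during an install step that typically runs with root privileges, and the file is never removed afterwards. A file or symlink already present at that path would be followed by the shell redirect. Staging inside the port's work directory avoids the shared location: `@sed "s#_ETCDIR_#${ETCDIR}#g" ${WRKSRC}/server_config.sample > ${WRKDIR}/server_config.sample` followed by `@${INSTALL_DATA} ${WRKDIR}/server_config.sample ${PREFIX}/lib/ssh`. Writing them as two recipe lines also stops the install when `sed` fails, which the current `;` chaining does not.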
@@ -0,0 +1,42 @@
+--- rsaref2/source/rsa.c.orig Fri Mar 25 14:01:48 1994
++++ rsaref2/source/rsa.c Thu Dec 2 16:43:04 1999
+@@ -33,6 +33,9 @@
+ unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
+ unsigned int i, modulusLen;
+
++ if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
++ return (RE_LEN);
++
+ modulusLen = (publicKey->bits + 7) / 8;
+ if (inputLen + 11 > modulusLen)
+ return (RE_LEN);
+@@ -78,6 +81,9 @@
+ unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+ unsigned int i, modulusLen, pkcsBlockLen;
+
++ if (inputLen > MAX_RSA_MODULUS_LEN)
++ return (RE_LEN);
++
+ modulusLen = (publicKey->bits + 7) / 8;
+ if (inputLen > modulusLen)
+ return (RE_LEN);
+@@ -129,6 +135,9 @@
+ unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+ unsigned int i, modulusLen;
+
++ if (inputLen + 3 > MAX_RSA_MODULUS_LEN)
++ return (RE_LEN);
++
+ modulusLen = (privateKey->bits + 7) / 8;
+ if (inputLen + 11 > modulusLen)
+ return (RE_LEN);
+@@ -168,6 +177,9 @@
+ unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
+ unsigned int i, modulusLen, pkcsBlockLen;
+
++ if (inputLen > MAX_RSA_MODULUS_LEN)
++ return (RE_LEN);
++
+ modulusLen = (privateKey->bits + 7) / 8;
+ if (inputLen > modulusLen)
+ return (RE_LEN);
diff --git a/security/ssh/patches/patch-ac b/security/ssh/patches/patch-ac
index 330ac476cce..d5c89d232bc 100644
--- a/security/ssh/patches/patch-ac
+++ b/security/ssh/patches/patch-ac
@@ -1,5 +1,5 @@
---- Makefile.in.orig Wed May 12 05:19:31 1999
-+++ Makefile.in Wed Oct 6 22:55:44 1999
+--- Makefile.in.orig Wed May 12 07:19:31 1999
++++ Makefile.in Thu Dec 2 17:08:54 1999
@@ -294,19 +294,24 @@ transform = @program_transform_name@
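Review bot: The guards added in all four hunks of rsaref2/source/rsa.c bound `inputLen` against `MAX_RSA_MODULUS_LEN`, but `modulusLen` is still derived from the key's `bits` field with no upper limit, while `pkcsBlock` is a fixed `MAX_RSA_MODULUS_LEN` array. The function bodies continue outside these hunks, so this needs confirming, but if they fill or read `pkcsBlock` up to `modulusLen`, a key carrying an oversized `bits` value would still run past the buffer; `if (modulusLen > MAX_RSA_MODULUS_LEN) return (RE_LEN);` right after each `modulusLen` assignment would close that. Separately, `inputLen + 3` and `inputLen + 11` can wrap if `inputLen` is an unsigned int like the locals shown, which would let a very large length pass both comparisons. Writing the first guard in the two `+ 3` hunks as `if (inputLen > MAX_RSA_MODULUS_LEN - 11)` keeps the later addition from wrapping.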
@@ -36,7 +36,7 @@ .c.o: - $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< -+ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< ++ $(CC) -c -I. $(KERBEROS_INCS) -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd diff --git a/security/ssh/pkg/SECURITY b/security/ssh/pkg/SECURITY index 18ae7a21635..b576c996402 100644 --- a/security/ssh/pkg/SECURITY +++ b/security/ssh/pkg/SECURITY @@ -3,3 +3,6 @@ ssh-1.2.27: patch-ai fixes the buffer overflow in RSAREF rsaglue code. OpenSSH (integrated into OpenBSD-2.6) does not have this bug. +patch-rsaref2-2 fixes the buffer overflow in RSA{Private,Public}Decrypt(), +as published by CORE SDI in their advisory of Dec. 1, 1999. +