Bug#859054: libpam-ssh: Please migrate to openssl1.1 in buster

2018-12-18 Thread Jerome BENOIT
Thanks for the reminder, I will have a look this week-end,
Jerome

On 19/12/2018 05:32, John Stamp wrote:
> On 05/22/18 08:52 PM, Jerome BENOIT wrote:
>> Hello,
>>
>>
>>
>> On 22/05/18 23:52, Moritz Muehlenhoff wrote:
>>> Hi Jerome,
>>>
>>> On Fri, Oct 13, 2017 at 07:05:26PM +0400, Jerome BENOIT wrote:
>>>> Dear Sebastian, thanks for your warning.
>>>>
>>>> The amount of change might be too heavy for me.
>>>> Second, pam_ssh seems no longer maintained.
>>>>
>>>> I have just contacted the upstream maintainer.
>>>
>>> Did you get a reply?
>>
>> No.
>>
>> I will have a look if time permits.
>> And, of course, any patch is welcome.
>>
>> Cheers,
>> Jerome
> 
> OpenSUSE has an OpenSSL 1.1 patch in their package:
> 
>   https://build.opensuse.org/package/view_file/openSUSE:Factory/pam_ssh/pam_ssh-openssl11.patch
> 
> Changelog here:
> 
>   https://build.opensuse.org/request/show/547009
> 
> I'm attaching the patch.  It will try to modify `configure' which isn't
> in Debian's source tarball, but if you remove that bit, it applies
> cleanly.  It seems to work OK on my locally-built package.
> 
> John
> 

-- 
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5  A762 3F92 19A6 7F36 C68B





Bug#859054: libpam-ssh: Please migrate to openssl1.1 in buster

2018-12-18 Thread John Stamp
On 05/22/18 08:52 PM, Jerome BENOIT wrote:
> Hello,
> 
> 
> 
> On 22/05/18 23:52, Moritz Muehlenhoff wrote:
> > Hi Jerome,
> > 
> > On Fri, Oct 13, 2017 at 07:05:26PM +0400, Jerome BENOIT wrote:
> >> Dear Sebastian, thanks for your warning.
> >>
> >> The amount of change might be too heavy for me.
> >> Second, pam_ssh seems no longer maintained.
> >>
> >> I have just contacted the upstream maintainer.
> > 
> > Did you get a reply?
> 
> No.
> 
> I will have a look if time permits.
> And, of course, any patch is welcome.
> 
> Cheers,
> Jerome

OpenSUSE has an OpenSSL 1.1 patch in their package:

  https://build.opensuse.org/package/view_file/openSUSE:Factory/pam_ssh/pam_ssh-openssl11.patch

Changelog here:

  https://build.opensuse.org/request/show/547009

I'm attaching the patch.  It will try to modify `configure' which isn't
in Debian's source tarball, but if you remove that bit, it applies
cleanly.  It seems to work OK on my locally-built package.

John

===
Index: pam_ssh-2.1/cipher.c
===
--- pam_ssh-2.1.orig/cipher.c	2015-05-03 13:30:39.0 +0200
+++ pam_ssh-2.1/cipher.c	2017-11-30 15:31:05.770390639 +0100
@@ -326,26 +326,26 @@ cipher_init(struct sshcipher_ctx *cc, co
 	return SSH_ERR_INVALID_ARGUMENT;
 #else
 	type = (*cipher->evptype)();
-	EVP_CIPHER_CTX_init(>evp);
-	if (EVP_CipherInit(>evp, type, NULL, (u_char *)iv,
+	cc->evp = EVP_CIPHER_CTX_new();
+	if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
 	(do_encrypt == CIPHER_ENCRYPT)) == 0) {
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto bad;
 	}
 	if (cipher_authlen(cipher) &&
-	!EVP_CIPHER_CTX_ctrl(>evp, EVP_CTRL_GCM_SET_IV_FIXED,
+	!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
 	-1, (u_char *)iv)) {
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto bad;
 	}
-	klen = EVP_CIPHER_CTX_key_length(>evp);
+	klen = EVP_CIPHER_CTX_key_length(cc->evp);
 	if (klen > 0 && keylen != (u_int)klen) {
-		if (EVP_CIPHER_CTX_set_key_length(>evp, keylen) == 0) {
+		if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
 			ret = SSH_ERR_LIBCRYPTO_ERROR;
 			goto bad;
 		}
 	}
-	if (EVP_CipherInit(>evp, NULL, (u_char *)key, NULL, -1) == 0) {
+	if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto bad;
 	}
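Review bot: `cc->evp = EVP_CIPHER_CTX_new();` at the top of this hunk is never checked for NULL before it is passed to `EVP_CipherInit(cc->evp, ...)`; under OpenSSL 1.1 the context is heap-allocated and the constructor returns NULL on allocation failure, so that call would dereference NULL. Mirror the allocation-failure handling this function already uses, e.g. `if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) return SSH_ERR_ALLOC_FAIL;`. The `goto bad` paths in this hunk also now leave a heap context behind, because `bad:` only resets it (see the following hunk).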
@@ -358,14 +358,14 @@ cipher_init(struct sshcipher_ctx *cc, co
 			ret = SSH_ERR_ALLOC_FAIL;
 			goto bad;
 		}
-		ret = EVP_Cipher(>evp, discard, junk, cipher->discard_len);
+		ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
 		explicit_bzero(discard, cipher->discard_len);
 		free(junk);
 		free(discard);
 		if (ret != 1) {
 			ret = SSH_ERR_LIBCRYPTO_ERROR;
  bad:
-			EVP_CIPHER_CTX_cleanup(>evp);
+			EVP_CIPHER_CTX_cleanup(cc->evp);
 			return ret;
 		}
 	}
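Review bot: the error path at `bad:` still calls `EVP_CIPHER_CTX_cleanup(cc->evp)` on a context that this patch now obtains from `EVP_CIPHER_CTX_new()`; in OpenSSL 1.1 `EVP_CIPHER_CTX_cleanup` is an alias for `EVP_CIPHER_CTX_reset`, which clears the cipher state but does not release the heap object, so every failed `cipher_init` leaks the context and leaves `cc->evp` pointing at a live, reset context. Replace it with `EVP_CIPHER_CTX_free(cc->evp); cc->evp = NULL;` so the allocation made earlier in this function is released and a later `cipher_cleanup` cannot operate on it again.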
@@ -412,33 +412,33 @@ cipher_crypt(struct sshcipher_ctx *cc, u
 		if (authlen != cipher_authlen(cc->cipher))
 			return SSH_ERR_INVALID_ARGUMENT;
 		/* increment IV */
-		if (!EVP_CIPHER_CTX_ctrl(>evp, EVP_CTRL_GCM_IV_GEN,
+		if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
 		1, lastiv))
 			return SSH_ERR_LIBCRYPTO_ERROR;
 		/* set tag on decyption */
 		if (!cc->encrypt &&
-		!EVP_CIPHER_CTX_ctrl(>evp, EVP_CTRL_GCM_SET_TAG,
+		!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
 		authlen, (u_char *)src + aadlen + len))
 			return SSH_ERR_LIBCRYPTO_ERROR;
 	}
 	if (aadlen) {
 		if (authlen &&
-		EVP_Cipher(>evp, NULL, (u_char *)src, aadlen) < 0)
+		EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
 			return SSH_ERR_LIBCRYPTO_ERROR;
 		memcpy(dest, src, aadlen);
 	}
 	if (len % cc->cipher->block_size)
 		return SSH_ERR_INVALID_ARGUMENT;
-	if (EVP_Cipher(>evp, dest + aadlen, (u_char *)src + aadlen,
+	if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
 	len) < 0)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 	if (authlen) {
 		/* compute tag (on encrypt) or verify tag (on decrypt) */
-		if (EVP_Cipher(>evp, NULL, NULL, 0) < 0)
+		if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
 			return cc->encrypt ?
 			SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
 		if (cc->encrypt &&
-		!EVP_CIPHER_CTX_ctrl(>evp, EVP_CTRL_GCM_GET_TAG,
+		!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
 		authlen, dest + aadlen + len))
 			return SSH_ERR_LIBCRYPTO_ERROR;
 	}
@@ -471,7 +471,7 @@ cipher_cleanup(struct sshcipher_ctx *cc)
 	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
 		explicit_bzero(>ac_ctx, sizeof(cc->ac_ctx));
 #ifdef WITH_OPENSSL
-	else if (EVP_CIPHER_CTX_cleanup(>evp) == 0)
+	else if (EVP_CIPHER_CTX_cleanup(cc->evp) == 0)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 #endif
 	return 0;
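Review bot: `EVP_CIPHER_CTX_cleanup(cc->evp)` in `cipher_cleanup` resets rather than frees the context that `cipher_init` now allocates with `EVP_CIPHER_CTX_new()`, so every cipher context set up and torn down through this path leaks under OpenSSL 1.1. The `== 0` test also no longer fits the API, since the matching destructor `EVP_CIPHER_CTX_free` returns void and accepts NULL; the branch under `#ifdef WITH_OPENSSL` should become an unconditional `EVP_CIPHER_CTX_free(cc->evp); cc->evp = NULL;` instead of an error return.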
@@ -518,7 +518,7 @@ cipher_get_keyiv_len(const struct sshcip
 		ivlen = 0;
 #ifdef WITH_OPENSSL
 	else
-		ivlen = EVP_CIPHER_CTX_iv_length(>evp);
+		ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
 #endif /* WITH_OPENSSL */
 	return (ivlen);
 }
@@ -544,7 +544,7 @@ 

Bug#859054: libpam-ssh: Please migrate to openssl1.1 in buster

2018-05-22 Thread Jerome BENOIT
Hello,



On 22/05/18 23:52, Moritz Muehlenhoff wrote:
> Hi Jerome,
> 
> On Fri, Oct 13, 2017 at 07:05:26PM +0400, Jerome BENOIT wrote:
>> Dear Sebastian, thanks for your warning.
>>
>> The amount of change might be too heavy for me.
>> Second, pam_ssh seems no longer maintained.
>>
>> I have just contacted the upstream maintainer.
> 
> Did you get a reply?

No.

I will have a look if time permits.
And, of course, any patch is welcome.

Cheers,
Jerome

> 
> Cheers,
> Moritz
> 

-- 
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5  A762 3F92 19A6 7F36 C68B





Bug#859054: libpam-ssh: Please migrate to openssl1.1 in buster

2018-05-22 Thread Moritz Muehlenhoff
Hi Jerome,

On Fri, Oct 13, 2017 at 07:05:26PM +0400, Jerome BENOIT wrote:
> Dear Sebastian, thanks for your warning.
> 
> The amount of change might be too heavy for me.
> Second, pam_ssh seems no longer maintained.
> 
> I have just contacted the upstream maintainer.

Did you get a reply?

Cheers,
Moritz