Package: pam-ssh-agent-auth / 0.10.3-3

Metadata

Package Version Patches format
pam-ssh-agent-auth 0.10.3-3 3.0 (quilt)

Patch series

Patch File delta Description
0001 authfd.c check return value of seteuid 2.patch

authfd.c | 11 8 + 3 - 0 !
1 file changed, 8 insertions(+), 3 deletions(-)

 [patch] authfd.c: check return value of seteuid(2)

Ensure the call to seteuid(2) succeeds. As the Linux man page rather
ominously states:

    Note: there are cases where seteuid() can fail even when the caller
    is UID 0; it is a grave security error to omit checking for a failure
    return from seteuid().

openssl 1.1.1 1.patch

authfd.c | 50 50 + 0 - 0 !
bufbn.c | 4 4 + 0 - 0 !
cipher.h | 6 5 + 1 - 0 !
kex.h | 9 8 + 1 - 0 !
key.c | 133 129 + 4 - 0 !
ssh-dss.c | 51 43 + 8 - 0 !
ssh-ecdsa.c | 40 31 + 9 - 0 !
ssh-rsa.c | 22 17 + 5 - 0 !
8 files changed, 287 insertions(+), 28 deletions(-)

 [patch 1/2] adapt to openssl 1.1.1.

The FreeBSD operating system is migrating to OpenSSL 1.1.1 and I have created this set of patches to make pam_ssh_agent_auth compile with it.

The patch comments out some parts of include files which are not actually used and reference now opaque OpenSSL internals.

I also have migrated the source files to use accessors to use the OpenSSL objects.

The patch works on FreeBSD head (will be 12.0) but the --without-openssl-header-check argument is required in configure there.

openssl 1.1.1 2.patch

authfd.c | 12 6 + 6 - 0 !
bufbn.c | 2 1 + 1 - 0 !
key.c | 36 18 + 18 - 0 !
ssh-dss.c | 10 5 + 5 - 0 !
ssh-ecdsa.c | 8 4 + 4 - 0 !
ssh-rsa.c | 4 2 + 2 - 0 !
6 files changed, 36 insertions(+), 36 deletions(-)

 [patch 2/2] check against the correct openssl_version_number

Alexey Dokuchaev (a fellow FreeBSD developer) pointed out to me the opaque structures were introduced in 1.1.0-pre5, so the correct OPENSSL_VERSION_NUMBER to discriminate is 0x10100005L.