On 05/22/18 08:52 PM, Jerome BENOIT wrote:
> Hello,
>
>
>
> On 22/05/18 23:52, Moritz Muehlenhoff wrote:
> > Hi Jerome,
> >
> > On Fri, Oct 13, 2017 at 07:05:26PM +0400, Jerome BENOIT wrote:
> >> Dear Sebastian, thanks for your warning.
> >>
> >> The amount of change might be too heavy for me.
> >> Second, pam_ssh no longer seems to be maintained.
> >>
> >> I have just contacted the upstream maintainer.
> >
> > Did you get a reply?
>
> No.
>
> I will have a look if time permits.
> And, of course, any patch is welcome.
>
> Cheers,
> Jerome
OpenSUSE has an OpenSSL 1.1 patch in their package:
https://build.opensuse.org/package/view_file/openSUSE:Factory/pam_ssh/pam_ssh-openssl11.patch
Changelog here:
https://build.opensuse.org/request/show/547009
I'm attaching the patch. It will try to modify `configure' which isn't
in Debian's source tarball, but if you remove that bit, it applies
cleanly. It seems to work OK on my locally-built package.
John
===
Index: pam_ssh-2.1/cipher.c
===
--- pam_ssh-2.1.orig/cipher.c 2015-05-03 13:30:39.0 +0200
+++ pam_ssh-2.1/cipher.c 2017-11-30 15:31:05.770390639 +0100
@@ -326,26 +326,26 @@ cipher_init(struct sshcipher_ctx *cc, co
return SSH_ERR_INVALID_ARGUMENT;
#else
type = (*cipher->evptype)();
- EVP_CIPHER_CTX_init(&cc->evp);
- if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
+ cc->evp = EVP_CIPHER_CTX_new();
+ if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
if (cipher_authlen(cipher) &&
- !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
+ !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, (u_char *)iv)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
- klen = EVP_CIPHER_CTX_key_length(&cc->evp);
+ klen = EVP_CIPHER_CTX_key_length(cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
- if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
+ if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
}
- if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
+ if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
}
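Review bot: The result of `EVP_CIPHER_CTX_new()` is used without a NULL check, so an allocation failure passes a null context straight into the `EVP_CipherInit` call on the following line. Add a guard directly after the allocation, for example `if (cc->evp == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto bad; }`; `SSH_ERR_ALLOC_FAIL` is already used later in this function. The change also relies on the `evp` member of `struct sshcipher_ctx` having become a pointer, presumably in a header hunk that is not visible here. cipher_init begins and ends outside this hunk.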
@@ -358,14 +358,14 @@ cipher_init(struct sshcipher_ctx *cc, co
ret = SSH_ERR_ALLOC_FAIL;
goto bad;
}
- ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
+ ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
if (ret != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
bad:
- EVP_CIPHER_CTX_cleanup(&cc->evp);
+ EVP_CIPHER_CTX_cleanup(cc->evp);
return ret;
}
}
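Review bot: The `bad:` path still calls `EVP_CIPHER_CTX_cleanup(cc->evp)`, which for a heap-allocated context only resets its contents and, as far as I know for OpenSSL 1.1, does not release the object, so each failed cipher_init leaks the context. Replace it with `EVP_CIPHER_CTX_free(cc->evp); cc->evp = NULL;`. The cipher_cleanup hunk further down has the same problem: its `else if (EVP_CIPHER_CTX_cleanup(cc->evp) == 0)` branch should become a plain `else` that frees the context and clears the pointer, because that is the teardown path and nothing visible in the patch frees it elsewhere. Clearing the pointer also keeps a repeated cleanup call from operating on freed memory. cipher_init's body starts outside this hunk.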
@@ -412,33 +412,33 @@ cipher_crypt(struct sshcipher_ctx *cc, u
if (authlen != cipher_authlen(cc->cipher))
return SSH_ERR_INVALID_ARGUMENT;
/* increment IV */
- if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+ if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
return SSH_ERR_LIBCRYPTO_ERROR;
/* set tag on decyption */
if (!cc->encrypt &&
- !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
+ !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
return SSH_ERR_LIBCRYPTO_ERROR;
}
if (aadlen) {
if (authlen &&
- EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
+ EVP_Cipher(cc->evp, NULL, (u_char *)src, aadlen) < 0)
return SSH_ERR_LIBCRYPTO_ERROR;
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
return SSH_ERR_INVALID_ARGUMENT;
- if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+ if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen,
len) < 0)
return SSH_ERR_LIBCRYPTO_ERROR;
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
- if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
+ if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
return cc->encrypt ?
SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
if (cc->encrypt &&
- !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
+ !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
return SSH_ERR_LIBCRYPTO_ERROR;
}
@@ -471,7 +471,7 @@ cipher_cleanup(struct sshcipher_ctx *cc)
else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
#ifdef WITH_OPENSSL
- else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
+ else if (EVP_CIPHER_CTX_cleanup(cc->evp) == 0)
return SSH_ERR_LIBCRYPTO_ERROR;
#endif
return 0;
@@ -518,7 +518,7 @@ cipher_get_keyiv_len(const struct sshcip
ivlen = 0;
#ifdef WITH_OPENSSL
else
- ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+ ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
#endif