svn commit: r566222 - in head/security/pam_ssh_agent_auth: . files
Matthew Seaman
matthew at FreeBSD.org
Sun Feb 21 11:56:42 UTC 2021
Author: matthew
Date: Sun Feb 21 11:56:41 2021
New Revision: 566222
URL: https://svnweb.freebsd.org/changeset/ports/566222
Log:
Fix segfault when handling ECDSA keys
Import patch by Marc Deslauriers from the Ubuntu package of pam_ssh_agent_auth
Ref: https://github.com/jbeverly/pam_ssh_agent_auth/pull/24/files
https://github.com/jbeverly/pam_ssh_agent_auth/issues/18
https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1869512
PR: 253693
Submitted by: Matt <opensource mtcoster.net>
Obtained from: Marc Deslauriers <marc.deslauriers canonical.com>, Ubuntu
Added:
head/security/pam_ssh_agent_auth/files/patch-ssh-ecdsa.c (contents, props changed)
Modified:
head/security/pam_ssh_agent_auth/Makefile
Modified: head/security/pam_ssh_agent_auth/Makefile
==============================================================================
--- head/security/pam_ssh_agent_auth/Makefile Sun Feb 21 11:52:44 2021 (r566221)
+++ head/security/pam_ssh_agent_auth/Makefile Sun Feb 21 11:56:41 2021 (r566222)
@@ -3,6 +3,7 @@
PORTNAME= pam_ssh_agent_auth
PORTVERSION= 0.10.4
+PORTREVISION= 1
CATEGORIES= security
MAINTAINER= matthew at FreeBSD.org
Added: head/security/pam_ssh_agent_auth/files/patch-ssh-ecdsa.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pam_ssh_agent_auth/files/patch-ssh-ecdsa.c Sun Feb 21 11:56:41 2021 (r566222)
@@ -0,0 +1,42 @@
+--- ssh-ecdsa.c.orig 2019-07-08 16:36:13 UTC
++++ ssh-ecdsa.c
+@@ -46,7 +46,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *l
+ u_int len, dlen;
+ Buffer b, bb;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L
+- BIGNUM *r, *s;
++ BIGNUM *r = NULL, *s = NULL;
+ #endif
+
+ if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+@@ -137,20 +137,27 @@ ssh_ecdsa_verify(const Key *key, const u_char *signatu
+
+ /* parse signature */
+ if ((sig = ECDSA_SIG_new()) == NULL)
+- pamsshagentauth_fatal("ssh_ecdsa_verify: DSA_SIG_new failed");
++ pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_new failed");
+
+ pamsshagentauth_buffer_init(&b);
+ pamsshagentauth_buffer_append(&b, sigblob, len);
+ #if OPENSSL_VERSION_NUMBER < 0x10100005L
+ if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+ (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++ pamsshagentauth_fatal("ssh_ecdsa_verify:"
++ "pamsshagentauth_buffer_get_bignum2_ret failed");
+ #else
+- DSA_SIG_get0(sig, &r, &s);
++ if ((r = BN_new()) == NULL)
++ pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
++ if ((s = BN_new()) == NULL)
++ pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
+ if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
+ (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
+-#endif
+ pamsshagentauth_fatal("ssh_ecdsa_verify:"
+ "pamsshagentauth_buffer_get_bignum2_ret failed");
++ if (ECDSA_SIG_set0(sig, r, s) != 1)
++ pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_set0 failed");
++#endif
+
+ /* clean up */
+ memset(sigblob, 0, len);
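Review bot: In the OpenSSL >= 1.1 branch of ssh_ecdsa_verify, nothing after the two pamsshagentauth_buffer_get_bignum2_ret calls checks that buffer `b` has been fully consumed, so a sigblob carrying extra bytes after `s` still reaches ECDSA_SIG_set0 and is verified as a normal signature; OpenSSH's own ssh_ecdsa_verify rejects trailing data, and a one-line guard after the `#endif` such as `if (pamsshagentauth_buffer_len(&b) != 0) pamsshagentauth_fatal("ssh_ecdsa_verify: trailing data in signature");` would match it, assuming this tree's buffer API has a length accessor like OpenSSH's buffer_len. Note also that every malformed-signature path in both branches calls pamsshagentauth_fatal, so a bad blob terminates the process rather than returning a verify failure; that is pre-existing behaviour, not introduced here, but worth keeping in mind for a PAM module that parses agent-supplied data. A minor wording nit on the newly added fatal message (lines `"ssh_ecdsa_verify:" "pamsshagentauth_buffer_get_bignum2_ret failed"`): the adjacent literals concatenate without a space, giving `ssh_ecdsa_verify:pamsshagentauth_buffer_get_bignum2_ret failed`. The declarations of `r`/`s` and the final ECDSA_SIG_free that takes ownership of them lie outside this hunk, so ownership transfer through ECDSA_SIG_set0 could not be checked here.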