net-misc/openssh: patch for getentropy fallback

This commit is contained in:
Alarig Le Lay 2023-01-14 11:51:48 +01:00
parent 93bbd4d923
commit 6931d83523
Signed by: alarig
GPG key ID: 7AFE62C6DF8BCDEC
2 changed files with 71 additions and 2 deletions

View file

@ -0,0 +1,69 @@
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index 02f15f9c..ffd33734 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -44,13 +44,15 @@
#ifndef HAVE_ARC4RANDOM
/*
- * If we're not using a native getentropy, use the one from bsd-getentropy.c
- * under a different name, so that if in future these binaries are run on
- * a system that has a native getentropy OpenSSL cannot call the wrong one.
+ * Always use the getentropy implementation from bsd-getentropy.c, which
+ * will call a native getentropy if available then fall back as required.
+ * We use a different name so that OpenSSL cannot call the wrong getentropy.
*/
-#ifndef HAVE_GETENTROPY
-# define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
+int _ssh_compat_getentropy(void *, size_t);
+#ifdef getentropy
+# undef getentropy
#endif
+#define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
#include "log.h"
diff --git a/openbsd-compat/bsd-getentropy.c b/openbsd-compat/bsd-getentropy.c
index bd4b6695..554dfad7 100644
--- a/openbsd-compat/bsd-getentropy.c
+++ b/openbsd-compat/bsd-getentropy.c
@@ -18,8 +18,6 @@
#include "includes.h"
-#ifndef HAVE_GETENTROPY
-
#ifndef SSH_RANDOM_DEV
# define SSH_RANDOM_DEV "/dev/urandom"
#endif /* SSH_RANDOM_DEV */
@@ -52,6 +50,10 @@ _ssh_compat_getentropy(void *s, size_t len)
ssize_t r;
size_t o = 0;
+#ifdef HAVE_GETENTROPY
+ if (r = getentropy(s, len) == 0)
+ return 0;
+#endif /* HAVE_GETENTROPY */
#ifdef HAVE_GETRANDOM
if ((r = getrandom(s, len, 0)) > 0 && (size_t)r == len)
return 0;
@@ -79,4 +81,3 @@ _ssh_compat_getentropy(void *s, size_t len)
#endif /* WITH_OPENSSL */
return 0;
}
-#endif /* WITH_GETENTROPY */
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 4af207cd..8f815090 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -69,10 +69,6 @@ void closefrom(int);
int ftruncate(int filedes, off_t length);
#endif
-#if defined(HAVE_DECL_GETENTROPY) && HAVE_DECL_GETENTROPY == 0
-int _ssh_compat_getentropy(void *, size_t);
-#endif
-
#ifndef HAVE_GETLINE
#include <stdio.h>
ssize_t getline(char **, size_t *, FILE *);

View file

@ -51,7 +51,7 @@ LICENSE="BSD GPL-2"
SLOT="0" SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version. # Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +sandbox sctp security-key selinux +ssl static test X X509 xmss" IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )" RESTRICT="!test? ( test )"
@ -124,6 +124,7 @@ PATCHES=(
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019 "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch" "${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
"${FILESDIR}/${P}-getentropy.patch"
) )
pkg_pretend() { pkg_pretend() {
@ -342,7 +343,6 @@ src_configure() {
$(use_with ssl openssl) $(use_with ssl openssl)
$(use_with ssl ssl-engine) $(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210 $(use_with !elibc_Cygwin hardening) #659210
$(use_with sandbox sandbox)
) )
if use elibc_musl; then if use elibc_musl; then