commit: fe87ccdf589165221731be9d02fa9a1a576356ed Author: Craig Andrews <candrews <AT> gentoo <DOT> org> AuthorDate: Sat Dec 29 01:41:03 2018 +0000 Commit: Craig Andrews <candrews <AT> gentoo <DOT> org> CommitDate: Wed Jan 2 00:31:53 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe87ccdf
net-analyzer/ettercap: openssl 1.1 compatiblity, EAPI=6, fix tests Closes: https://bugs.gentoo.org/673222 Package-Manager: Portage-2.3.53, Repoman-2.3.12 Signed-off-by: Craig Andrews <candrews <AT> gentoo.org> ...tercap-9999.ebuild => ettercap-0.8.2-r2.ebuild} | 33 +-- net-analyzer/ettercap/ettercap-9999.ebuild | 29 ++- .../files/ettercap-0.8.2-openssl-1.1.patch | 254 +++++++++++++++++++++ 3 files changed, 284 insertions(+), 32 deletions(-) diff --git a/net-analyzer/ettercap/ettercap-9999.ebuild b/net-analyzer/ettercap/ettercap-0.8.2-r2.ebuild similarity index 65% copy from net-analyzer/ettercap/ettercap-9999.ebuild copy to net-analyzer/ettercap/ettercap-0.8.2-r2.ebuild index c8f2e6e8f41..6fa10f902c2 100644 --- a/net-analyzer/ettercap/ettercap-9999.ebuild +++ b/net-analyzer/ettercap/ettercap-0.8.2-r2.ebuild @@ -1,7 +1,7 @@ -# Copyright 1999-2017 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=5 +EAPI=6 inherit cmake-utils @@ -16,10 +16,10 @@ if [[ ${PV} == "9999" ]] ; then EGIT_REPO_URI="https://github.com/Ettercap/${PN}.git"; else SRC_URI="https://github.com/Ettercap/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" #mirror does not work - KEYWORDS="~alpha ~amd64 ~arm ~sparc ~x86 ~x86-fbsd" + KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" fi -#IUSE="doc gtk ipv6 ncurses +plugins test" -IUSE="doc gtk ipv6 libressl ncurses +plugins" + +IUSE="doc gtk ipv6 libressl ncurses +plugins test" RDEPEND="dev-libs/libbsd dev-libs/libpcre @@ -37,13 +37,18 @@ RDEPEND="dev-libs/libbsd >=x11-libs/gtk+-2.2.2:2 >=x11-libs/pango-1.2.3 ) - ncurses? ( sys-libs/ncurses:0= ) + ncurses? ( >=sys-libs/ncurses-5.3:= ) plugins? ( >=net-misc/curl-7.26.0 )" DEPEND="${RDEPEND} doc? ( app-text/ghostscript-gpl sys-apps/groff ) + test? ( dev-libs/check ) sys-devel/flex virtual/yacc" +PATCHES=( + "${FILESDIR}"/cve-2017-6430.patch + "${FILESDIR}"/${P}-openssl-1.1.patch +) src_prepare() { sed -i "s:Release:Release Gentoo:" CMakeLists.txt || die @@ -52,21 +57,17 @@ src_prepare() { src_configure() { local mycmakeargs=( - $(cmake-utils_use_enable ncurses CURSES) - $(cmake-utils_use_enable gtk) - $(cmake-utils_use_enable plugins) - $(cmake-utils_use_enable ipv6) - $(cmake-utils_use_enable doc PDF_DOCS) + -DENABLE_CURSES="$(usex ncurses)" + -DENABLE_GTK="$(usex gtk)" + -DENABLE_PLUGINS="$(usex plugins)" + -DENABLE_IPV6="$(usex ipv6)" + -DENABLE_TESTS="$(usex test)" + -DENABLE_PDF_DOCS="$(usex doc)" -DBUNDLED_LIBS=OFF -DSYSTEM_LIBS=ON -DINSTALL_SYSCONFDIR="${EROOT}"etc ) #right now we only support gtk2, but ettercap also supports gtk3 #do we care? do we want to support both? - - #we want to enable testing but it fails right now - #we want to disable the bundled crap, but we are missing at least "libcheck" - #if we want to enable tests, we need to fix it, and either package libcheck or allow bundled version - #$(cmake-utils_use_enable test TESTS) cmake-utils_src_configure } diff --git a/net-analyzer/ettercap/ettercap-9999.ebuild b/net-analyzer/ettercap/ettercap-9999.ebuild index c8f2e6e8f41..b83933eda5d 100644 --- a/net-analyzer/ettercap/ettercap-9999.ebuild +++ b/net-analyzer/ettercap/ettercap-9999.ebuild @@ -1,7 +1,7 @@ -# Copyright 1999-2017 Gentoo Foundation +# Copyright 1999-2018 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=5 +EAPI=6 inherit cmake-utils @@ -16,10 +16,10 @@ if [[ ${PV} == "9999" ]] ; then EGIT_REPO_URI="https://github.com/Ettercap/${PN}.git"; else SRC_URI="https://github.com/Ettercap/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" #mirror does not work - KEYWORDS="~alpha ~amd64 ~arm ~sparc ~x86 ~x86-fbsd" + KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd" fi -#IUSE="doc gtk ipv6 ncurses +plugins test" -IUSE="doc gtk ipv6 libressl ncurses +plugins" + +IUSE="doc gtk ipv6 libressl ncurses +plugins test" RDEPEND="dev-libs/libbsd dev-libs/libpcre @@ -37,11 +37,12 @@ RDEPEND="dev-libs/libbsd >=x11-libs/gtk+-2.2.2:2 >=x11-libs/pango-1.2.3 ) - ncurses? ( sys-libs/ncurses:0= ) + ncurses? ( >=sys-libs/ncurses-5.3:= ) plugins? ( >=net-misc/curl-7.26.0 )" DEPEND="${RDEPEND} doc? ( app-text/ghostscript-gpl sys-apps/groff ) + test? ( dev-libs/check ) sys-devel/flex virtual/yacc" @@ -52,21 +53,17 @@ src_prepare() { src_configure() { local mycmakeargs=( - $(cmake-utils_use_enable ncurses CURSES) - $(cmake-utils_use_enable gtk) - $(cmake-utils_use_enable plugins) - $(cmake-utils_use_enable ipv6) - $(cmake-utils_use_enable doc PDF_DOCS) + -DENABLE_CURSES="$(usex ncurses)" + -DENABLE_GTK="$(usex gtk)" + -DENABLE_PLUGINS="$(usex plugins)" + -DENABLE_IPV6="$(usex ipv6)" + -DENABLE_TESTS="$(usex test)" + -DENABLE_PDF_DOCS="$(usex doc)" -DBUNDLED_LIBS=OFF -DSYSTEM_LIBS=ON -DINSTALL_SYSCONFDIR="${EROOT}"etc ) #right now we only support gtk2, but ettercap also supports gtk3 #do we care? do we want to support both? - - #we want to enable testing but it fails right now - #we want to disable the bundled crap, but we are missing at least "libcheck" - #if we want to enable tests, we need to fix it, and either package libcheck or allow bundled version - #$(cmake-utils_use_enable test TESTS) cmake-utils_src_configure } diff --git a/net-analyzer/ettercap/files/ettercap-0.8.2-openssl-1.1.patch b/net-analyzer/ettercap/files/ettercap-0.8.2-openssl-1.1.patch new file mode 100644 index 00000000000..b7703d3ef5c --- /dev/null +++ b/net-analyzer/ettercap/files/ettercap-0.8.2-openssl-1.1.patch @@ -0,0 +1,254 @@ +From f0d63b27c82df2ad5f7ada6310727d841b43fbcc Mon Sep 17 00:00:00 2001 +From: Gianfranco Costamagna <costamagnagianfra...@yahoo.it> +Date: Mon, 27 Jun 2016 12:41:33 +0200 +Subject: [PATCH 1/2] First draft of openssl 1.1 compatibility layer (from + https://github.com/curl/curl/commit/cfe16c22d7891a1f65ea8cd4c5352504a2afbddc) + Closes: #739 + +--- + src/dissectors/ec_ssh.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++- + src/ec_sslwrap.c | 14 ++++++++ + 2 files changed, 106 insertions(+), 1 deletion(-) + +Index: ettercap-0.8.2/src/dissectors/ec_ssh.c +=================================================================== +--- ettercap-0.8.2.orig/src/dissectors/ec_ssh.c ++++ ettercap-0.8.2/src/dissectors/ec_ssh.c +@@ -36,6 +36,10 @@ + #include <openssl/md5.h> + #include <zlib.h> + ++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) ++#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */ ++#endif ++ + #define SMSG_PUBLIC_KEY 2 + #define CMSG_SESSION_KEY 3 + #define CMSG_USER 4 +@@ -138,6 +142,11 @@ + char tmp[MAX_ASCII_ADDR_LEN]; + u_int32 ssh_len, ssh_mod; + u_char ssh_packet_type, *ptr, *key_to_put; ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ BIGNUM *h_n, *s_n, *m_h_n, *m_s_n; ++ BIGNUM *h_e, *s_e, *m_h_e, *m_s_e; ++ BIGNUM *h_d, *s_d, *m_h_d, *m_s_d; ++#endif + + /* don't complain about unused var */ + (void) DECODE_DATA; +@@ -383,12 +392,25 @@ + if (session_data->ptrkey == NULL) { + /* Initialize RSA key structures (other fileds are set to 0) */ + session_data->serverkey = RSA_new(); ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ s_n = BN_new(); ++ s_e = BN_new(); ++ RSA_set0_key(session_data->serverkey, s_n, s_e, s_d); ++#else + session_data->serverkey->n = BN_new(); + session_data->serverkey->e = BN_new(); ++#endif + + session_data->hostkey = RSA_new(); ++ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ h_n = BN_new(); ++ h_e = BN_new(); ++ RSA_set0_key(session_data->hostkey, h_n, h_e, h_d); ++#else + session_data->hostkey->n = BN_new(); + session_data->hostkey->e = BN_new(); ++#endif + + /* Get the RSA Key from the packet */ + NS_GET32(server_mod,ptr); +@@ -396,19 +418,37 @@ + DEBUG_MSG("Dissector_ssh Bougs Server_Mod"); + return NULL; + } ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ RSA_get0_key(session_data->serverkey, &s_n, &s_e, &s_d); ++ get_bn(s_e, &ptr); ++ get_bn(s_n, &ptr); ++#else + get_bn(session_data->serverkey->e, &ptr); + get_bn(session_data->serverkey->n, &ptr); ++#endif + + NS_GET32(host_mod,ptr); + if (ptr + (host_mod/8) > PACKET->DATA.data + PACKET->DATA.len) { + DEBUG_MSG("Dissector_ssh Bougs Host_Mod"); + return NULL; + } ++ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ RSA_get0_key(session_data->hostkey, &h_n, &h_e, &h_d); ++ get_bn(h_e, &ptr); ++ get_bn(h_n, &ptr); ++#else + get_bn(session_data->hostkey->e, &ptr); + get_bn(session_data->hostkey->n, &ptr); ++#endif + ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ server_exp = BN_get_word(s_e); ++ host_exp = BN_get_word(h_e); ++#else + server_exp = *(session_data->serverkey->e->d); + host_exp = *(session_data->hostkey->e->d); ++#endif + + /* Check if we already have a suitable RSA key to substitute */ + index_ssl = &ssh_conn_key; +@@ -424,7 +464,7 @@ + SAFE_CALLOC(*index_ssl, 1, sizeof(ssh_my_key)); + + /* Generate the new key */ +- (*index_ssl)->myserverkey = (RSA *)RSA_generate_key(server_mod, server_exp, NULL, NULL); ++ (*index_ssl)->myserverkey = (RSA *)RSA_generate_key_ex(server_mod, server_exp, NULL, NULL); + (*index_ssl)->myhostkey = (RSA *)RSA_generate_key(host_mod, host_exp, NULL, NULL); + (*index_ssl)->server_mod = server_mod; + (*index_ssl)->host_mod = host_mod; +@@ -443,11 +483,25 @@ + + /* Put our RSA key in the packet */ + key_to_put+=4; ++ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ RSA_get0_key(session_data->ptrkey->myserverkey, &m_s_n, &m_s_e, &m_s_d); ++ put_bn(m_s_e, &key_to_put); ++ put_bn(m_s_n, &key_to_put); ++#else + put_bn(session_data->ptrkey->myserverkey->e, &key_to_put); + put_bn(session_data->ptrkey->myserverkey->n, &key_to_put); ++#endif + key_to_put+=4; ++ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ RSA_get0_key(session_data->ptrkey->myhostkey, &m_h_n, &m_h_e, &m_h_d); ++ put_bn(m_h_e, &key_to_put); ++ put_bn(m_h_n, &key_to_put); ++#else + put_bn(session_data->ptrkey->myhostkey->e, &key_to_put); + put_bn(session_data->ptrkey->myhostkey->n, &key_to_put); ++#endif + + /* Recalculate SSH crc */ + *(u_int32 *)(PACKET->DATA.data + PACKET->DATA.len - 4) = htonl(CRC_checksum(PACKET->DATA.data+4, PACKET->DATA.len-8, CRC_INIT_ZERO)); +@@ -482,19 +536,34 @@ + key_to_put = ptr; + + /* Calculate real session id and our fake session id */ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ temp_session_id = ssh_session_id(cookie, h_n, s_n); ++#else + temp_session_id = ssh_session_id(cookie, session_data->hostkey->n, session_data->serverkey->n); ++#endif + if (temp_session_id) + memcpy(session_id1, temp_session_id, 16); ++ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ temp_session_id=ssh_session_id(cookie, m_h_n, m_s_n); ++#else + temp_session_id=ssh_session_id(cookie, session_data->ptrkey->myhostkey->n, session_data->ptrkey->myserverkey->n); ++#endif ++ + if (temp_session_id) + memcpy(session_id2, temp_session_id, 16); + + /* Get the session key */ + enckey = BN_new(); ++ + get_bn(enckey, &ptr); + + /* Decrypt session key */ ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ if (BN_cmp(m_s_n, m_h_n) > 0) { ++#else + if (BN_cmp(session_data->ptrkey->myserverkey->n, session_data->ptrkey->myhostkey->n) > 0) { ++#endif + rsa_private_decrypt(enckey, enckey, session_data->ptrkey->myserverkey); + rsa_private_decrypt(enckey, enckey, session_data->ptrkey->myhostkey); + } else { +@@ -534,7 +603,11 @@ + BN_add_word(bn, sesskey[i]); + } + ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ if (BN_cmp(s_n, h_n) < 0) { ++#else + if (BN_cmp(session_data->serverkey->n, session_data->hostkey->n) < 0) { ++#endif + rsa_public_encrypt(bn, bn, session_data->serverkey); + rsa_public_encrypt(bn, bn, session_data->hostkey); + } else { +@@ -716,7 +789,16 @@ + u_char *inbuf, *outbuf; + int32 len, ilen, olen; + ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ BIGNUM *n; ++ BIGNUM *e; ++ BIGNUM *d; ++ RSA_get0_key(key, &n, &e, &d); ++ olen = BN_num_bytes(n); ++#else + olen = BN_num_bytes(key->n); ++#endif ++ + outbuf = malloc(olen); + if (outbuf == NULL) /* oops, couldn't allocate memory */ + return; +@@ -744,7 +826,16 @@ + u_char *inbuf, *outbuf; + int32 len, ilen, olen; + ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ BIGNUM *n; ++ BIGNUM *e; ++ BIGNUM *d; ++ RSA_get0_key(key, &n, &e, &d); ++ olen = BN_num_bytes(n); ++#else + olen = BN_num_bytes(key->n); ++#endif ++ + outbuf = malloc(olen); + if (outbuf == NULL) /* oops, couldn't allocate memory */ + return; +Index: ettercap-0.8.2/src/ec_sslwrap.c +=================================================================== +--- ettercap-0.8.2.orig/src/ec_sslwrap.c ++++ ettercap-0.8.2/src/ec_sslwrap.c +@@ -53,6 +53,10 @@ + #define OPENSSL_NO_KRB5 1 + #include <openssl/ssl.h> + ++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) ++#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */ ++#endif ++ + #define BREAK_ON_ERROR(x,y,z) do { \ + if (x == -E_INVALID) { \ + SAFE_FREE(z.DATA.disp_data); \ +@@ -974,9 +978,19 @@ + index = X509_get_ext_by_NID(server_cert, NID_authority_key_identifier, -1); + if (index >=0) { + ext = X509_get_ext(server_cert, index); ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ ASN1_OCTET_STRING* os; ++ os = X509_EXTENSION_get_data (ext); ++#endif + if (ext) { ++#ifdef HAVE_OPAQUE_RSA_DSA_DH ++ os->data[7] = 0xe7; ++ os->data[8] = 0x7e; ++ X509_EXTENSION_set_data (ext, os); ++#else + ext->value->data[7] = 0xe7; + ext->value->data[8] = 0x7e; ++#endif + X509_add_ext(out_cert, ext, -1); + } + }
