541021ec24
Since glibc 2.28 (https://savannah.gnu.org/forum/forum.php?forum_id=9205), the obsolete functions encrypt, encrypt_r, setkey, setkey_r, cbc_crypt, ecb_crypt, and des_setparity are no longer available to newly linked binaries, and the headers <rpc/des_crypt.h> and <rpc/rpc_des.h> are no longer installed. These functions encrypted and decrypted data with the DES block cipher, which is no longer considered secure. Software that still uses these functions should switch to a modern cryptography library, such as libgcrypt. So retrieve an upstream patch to use openssl instead of these functions and a new patch to remove the unsafe header/library path '-I/usr/include/openssl' Fixes: - http://autobuild.buildroot.org/results/c13ca8b8afa8de700caf8cd2fa1812b8552b3f4a Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
114 lines
3.3 KiB
Diff
114 lines
3.3 KiB
Diff
From 3c7b86229f7bd2600d74db14b1fe5b3896be3875 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
|
|
Date: Fri, 6 Apr 2018 14:27:18 +0200
|
|
Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped
|
|
libcrypt. The libxcrypt standalone package can be used instead, but
|
|
it dropped the old setkey/encrypt API which ppp uses for DES. There
|
|
is support for using openssl in pppcrypt.c, but it contains typos
|
|
preventing it from compiling and seems to be written for an ancient
|
|
openssl version.
|
|
|
|
This updates the code to use current openssl.
|
|
|
|
[paulus@ozlabs.org - wrote the commit description, fixed comment in
|
|
Makefile.linux.]
|
|
|
|
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
|
|
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
[Retrieved from:
|
|
https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875]
|
|
---
|
|
pppd/Makefile.linux | 7 ++++---
|
|
pppd/pppcrypt.c | 18 +++++++++---------
|
|
2 files changed, 13 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
|
|
index 36d2b036..8d5ce99d 100644
|
|
--- a/pppd/Makefile.linux
|
|
+++ b/pppd/Makefile.linux
|
|
@@ -35,10 +35,10 @@ endif
|
|
COPTS = -O2 -pipe -Wall -g
|
|
LIBS =
|
|
|
|
-# Uncomment the next 2 lines to include support for Microsoft's
|
|
+# Uncomment the next line to include support for Microsoft's
|
|
# MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
|
|
CHAPMS=y
|
|
-USE_CRYPT=y
|
|
+#USE_CRYPT=y
|
|
# Don't use MSLANMAN unless you really know what you're doing.
|
|
#MSLANMAN=y
|
|
# Uncomment the next line to include support for MPPE. CHAPMS (above) must
|
|
@@ -137,7 +137,8 @@ endif
|
|
|
|
ifdef NEEDDES
|
|
ifndef USE_CRYPT
|
|
-LIBS += -ldes $(LIBS)
|
|
+CFLAGS += -I/usr/include/openssl
|
|
+LIBS += -lcrypto
|
|
else
|
|
CFLAGS += -DUSE_CRYPT=1
|
|
endif
|
|
diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
|
|
index 8b85b132..6b35375e 100644
|
|
--- a/pppd/pppcrypt.c
|
|
+++ b/pppd/pppcrypt.c
|
|
@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */
|
|
des_key[7] = Get7Bits(key, 49);
|
|
|
|
#ifndef USE_CRYPT
|
|
- des_set_odd_parity((des_cblock *)des_key);
|
|
+ DES_set_odd_parity((DES_cblock *)des_key);
|
|
#endif
|
|
}
|
|
|
|
@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */
|
|
}
|
|
|
|
#else /* USE_CRYPT */
|
|
-static des_key_schedule key_schedule;
|
|
+static DES_key_schedule key_schedule;
|
|
|
|
bool
|
|
DesSetkey(key)
|
|
u_char *key;
|
|
{
|
|
- des_cblock des_key;
|
|
+ DES_cblock des_key;
|
|
MakeKey(key, des_key);
|
|
- des_set_key(&des_key, key_schedule);
|
|
+ DES_set_key(&des_key, &key_schedule);
|
|
return (1);
|
|
}
|
|
|
|
bool
|
|
-DesEncrypt(clear, key, cipher)
|
|
+DesEncrypt(clear, cipher)
|
|
u_char *clear; /* IN 8 octets */
|
|
u_char *cipher; /* OUT 8 octets */
|
|
{
|
|
- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
|
|
- key_schedule, 1);
|
|
+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
|
|
+ &key_schedule, 1);
|
|
return (1);
|
|
}
|
|
|
|
@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
|
|
u_char *cipher; /* IN 8 octets */
|
|
u_char *clear; /* OUT 8 octets */
|
|
{
|
|
- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
|
|
- key_schedule, 0);
|
|
+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
|
|
+ &key_schedule, 0);
|
|
return (1);
|
|
}
|
|
|