author | Michael Alan Dorman <mdorman@ironicdesign.com> | 2020-02-28 15:19:51 -0500 |
---|---|---|
committer | Michael Alan Dorman <mdorman@ironicdesign.com> | 2020-02-28 15:24:37 -0500 |
commit | b6b3e047593dff14c871214bf5df691a8c2c23ed (patch) | |
tree | 733dc741c8a137d122076911b8f3adb8a2b5eb20 | |
parent | a1ce8740facd1dce8e79b0b92d661d6bbedbf551 (diff) | |
pam_ssh_agent_auth: fix dependency on insecure openssl
There have been a couple of patches floating around for about the last 18 months. While they originated with FreeBSD, they've been adopted by Gentoo and Debian as well---and the most straightforward way to get access to them was from the Debian repository.
-rw-r--r-- | pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix | 23 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 4 |
2 files changed, 23 insertions, 4 deletions
diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
index 48c02be9c38..b47ad4815b5 100644
--- a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, openssl, perl }:
+{ stdenv, fetchpatch, fetchurl, pam, openssl, perl }:
 stdenv.mkDerivation rec {
 name = "pam_ssh_agent_auth-0.10.3";
@@ -12,10 +12,31 @@ stdenv.mkDerivation rec {
 [ # Allow multiple colon-separated authorized keys files to be
 # specified in the file= option.
 ./multiple-key-files.patch
+ (fetchpatch {
+ name = "openssl-1.1.1-1.patch";
+ url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-1.patch";
+ sha256 = "1ndp5j4xfhzshhnl345gb4mkldx6vjfa7284xgng6ikhzpc6y7pf";
+ })
+ (fetchpatch {
+ name = "openssl-1.1.1-2.patch";
+ url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-2.patch";
+ sha256 = "0ksrs4xr417by8klf7862n3dircvnw30an1akq4pnsd3ichscmww";
+ })
 ];
 buildInputs = [ pam openssl perl ];
+ # It's not clear to me why this is necessary, but without it, you see:
+ #
+ # checking OpenSSL header version... 1010104f (OpenSSL 1.1.1d 10 Sep 2019)
+ # checking OpenSSL library version... 1010104f (OpenSSL 1.1.1d 10 Sep 2019)
+ # checking whether OpenSSL's headers match the library... no
+ # configure: WARNING: Your OpenSSL headers do not match your
+ # library. Check config.log for details.
+ #
+ # ...despite the fact that clearly the values match
+ configureFlags = [ "--without-openssl-header-check" ];
+
 enableParallelBuilding = true;
 meta = {
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e94c6455140..1c4539c2f1e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
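Review bot: In the second hunk of pam_ssh_agent_auth/default.nix, `configureFlags = [ "--without-openssl-header-check" ];` switches off configure's header/library consistency test for a PAM authentication module, and the comment above it says the cause of the failure is not understood. Since both version strings print the same value, the likelier explanation is that the check's test program does not build or run against the OpenSSL 1.1 API rather than a real mismatch (an inference; config.log would confirm it). With the flag in place a genuine mismatch after a later openssl bump would also go unreported. I would record the follow-up in the comment, for example `# TODO: inspect config.log for the failing conftest and drop this flag once the check passes`. The enclosing `stdenv.mkDerivation` block starts and ends outside this hunk.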
@@ -17067,9 +17067,7 @@ in
 pam_pgsql = callPackage ../os-specific/linux/pam_pgsql { };
- pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth {
- openssl = openssl_1_0_2;
- };
+ pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
 pam_u2f = callPackage ../os-specific/linux/pam_u2f { }; |