Backup_Repos/pentoo-overlay
1
0
Fork 0
mirror of https://github.com/pentoo/pentoo-overlay synced 2026-04-14 10:51:10 +02:00
Code Issues Projects Releases Wiki Activity

ettercap: fork with openssl-1.1 patch, https://bugs.gentoo.org/673222

Browse source
This commit is contained in:
blshkv 2018-12-16 08:28:05 +08:00
parent 28672befbb
commit 085fab5daf
No known key found for this signature in database
GPG key ID: 273E3E90D1A6294F
4 changed files with 386 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
net-analyzer/ettercap/Manifest Normal file
View file

@ -0,0 +1 @@
DIST ettercap-0.8.2.tar.gz 8082561 BLAKE2B 851df0a8700de45ce0e3427f7fdbdcd13feb2f75c0d1136563449db634b1f02276bade0d82a1a51bf8de726d6faddf05ff537e397c2e56cfc3e3181d25566fe9 SHA512 18137b1cc518c9db3c9650157a5cbf09dbb665b79876a24875d6c5125e8923ebde543464adb61cf1d1244101242f4d66b80d94ef3b36aa265cefca7646aa6415

63
net-analyzer/ettercap/ettercap-0.8.2-r2.ebuild Normal file
View file

@ -0,0 +1,63 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
inherit cmake-utils
DESCRIPTION="A suite for man in the middle attacks"
HOMEPAGE="https://github.com/Ettercap/ettercap"
SRC_URI="https://github.com/Ettercap/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" #mirror does not work
LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
IUSE="gtk ipv6 ncurses +plugins"
RDEPEND="dev-libs/libbsd
dev-libs/libpcre
dev-libs/openssl:0=
net-libs/libnet:1.1
>=net-libs/libpcap-0.8.1
sys-libs/zlib
gtk? (
>=dev-libs/atk-1.2.4
>=dev-libs/glib-2.2.2:2
media-libs/freetype
x11-libs/cairo
x11-libs/gdk-pixbuf:2
>=x11-libs/gtk+-2.2.2:2
>=x11-libs/pango-1.2.3
)
ncurses? ( >=sys-libs/ncurses-5.3:= )
plugins? ( >=net-misc/curl-7.26.0 )"
DEPEND="${RDEPEND}
sys-devel/flex
virtual/yacc"
src_prepare() {
sed -i "s:Release:Release Gentoo:" CMakeLists.txt || die
epatch "${FILESDIR}"/cve-2017-6430.patch
epatch "${FILESDIR}"/740.patch
cmake-utils_src_prepare
}
src_configure() {
local mycmakeargs=(
$(cmake-utils_use_enable ncurses CURSES)
$(cmake-utils_use_enable gtk)
$(cmake-utils_use_enable plugins)
$(cmake-utils_use_enable ipv6)
-DBUNDLED_LIBS=OFF
-DSYSTEM_LIBS=ON
-DINSTALL_SYSCONFDIR="${EROOT}"etc
)
#right now we only support gtk2, but ettercap also supports gtk3
#do we care? do we want to support both?
#we want to enable testing but it fails right now
#we want to disable the bundled crap, but we are missing at least "libcheck"
#if we want to enable tests, we need to fix it, and either package libcheck or allow bundled version
#$(cmake-utils_use_enable test TESTS)
cmake-utils_src_configure
}

254
net-analyzer/ettercap/files/740.patch Normal file
View file

@ -0,0 +1,254 @@
From f0d63b27c82df2ad5f7ada6310727d841b43fbcc Mon Sep 17 00:00:00 2001
From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Date: Mon, 27 Jun 2016 12:41:33 +0200
Subject: [PATCH 1/2] First draft of openssl 1.1 compatibility layer (from
https://github.com/curl/curl/commit/cfe16c22d7891a1f65ea8cd4c5352504a2afbddc)
Closes: #739
---
src/dissectors/ec_ssh.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++-
src/ec_sslwrap.c | 14 ++++++++
2 files changed, 106 insertions(+), 1 deletion(-)
Index: ettercap-0.8.2/src/dissectors/ec_ssh.c
===================================================================
--- ettercap-0.8.2.orig/src/dissectors/ec_ssh.c
+++ ettercap-0.8.2/src/dissectors/ec_ssh.c
@@ -36,6 +36,10 @@
#include <openssl/md5.h>
#include <zlib.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
+#endif
+
#define SMSG_PUBLIC_KEY 2
#define CMSG_SESSION_KEY 3
#define CMSG_USER 4
@@ -138,6 +142,11 @@
char tmp[MAX_ASCII_ADDR_LEN];
u_int32 ssh_len, ssh_mod;
u_char ssh_packet_type, *ptr, *key_to_put;
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ BIGNUM *h_n, *s_n, *m_h_n, *m_s_n;
+ BIGNUM *h_e, *s_e, *m_h_e, *m_s_e;
+ BIGNUM *h_d, *s_d, *m_h_d, *m_s_d;
+#endif
/* don't complain about unused var */
(void) DECODE_DATA;
@@ -383,12 +392,25 @@
if (session_data->ptrkey == NULL) {
/* Initialize RSA key structures (other fileds are set to 0) */
session_data->serverkey = RSA_new();
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ s_n = BN_new();
+ s_e = BN_new();
+ RSA_set0_key(session_data->serverkey, s_n, s_e, s_d);
+#else
session_data->serverkey->n = BN_new();
session_data->serverkey->e = BN_new();
+#endif
session_data->hostkey = RSA_new();
+
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ h_n = BN_new();
+ h_e = BN_new();
+ RSA_set0_key(session_data->hostkey, h_n, h_e, h_d);
+#else
session_data->hostkey->n = BN_new();
session_data->hostkey->e = BN_new();
+#endif
/* Get the RSA Key from the packet */
NS_GET32(server_mod,ptr);
@@ -396,19 +418,37 @@
DEBUG_MSG("Dissector_ssh Bougs Server_Mod");
return NULL;
}
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ RSA_get0_key(session_data->serverkey, &s_n, &s_e, &s_d);
+ get_bn(s_e, &ptr);
+ get_bn(s_n, &ptr);
+#else
get_bn(session_data->serverkey->e, &ptr);
get_bn(session_data->serverkey->n, &ptr);
+#endif
NS_GET32(host_mod,ptr);
if (ptr + (host_mod/8) > PACKET->DATA.data + PACKET->DATA.len) {
DEBUG_MSG("Dissector_ssh Bougs Host_Mod");
return NULL;
}
+
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ RSA_get0_key(session_data->hostkey, &h_n, &h_e, &h_d);
+ get_bn(h_e, &ptr);
+ get_bn(h_n, &ptr);
+#else
get_bn(session_data->hostkey->e, &ptr);
get_bn(session_data->hostkey->n, &ptr);
+#endif
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ server_exp = BN_get_word(s_e);
+ host_exp = BN_get_word(h_e);
+#else
server_exp = *(session_data->serverkey->e->d);
host_exp = *(session_data->hostkey->e->d);
+#endif
/* Check if we already have a suitable RSA key to substitute */
index_ssl = &ssh_conn_key;
@@ -424,7 +464,7 @@
SAFE_CALLOC(*index_ssl, 1, sizeof(ssh_my_key));
/* Generate the new key */
- (*index_ssl)->myserverkey = (RSA *)RSA_generate_key(server_mod, server_exp, NULL, NULL);
+ (*index_ssl)->myserverkey = (RSA *)RSA_generate_key_ex(server_mod, server_exp, NULL, NULL);
(*index_ssl)->myhostkey = (RSA *)RSA_generate_key(host_mod, host_exp, NULL, NULL);
(*index_ssl)->server_mod = server_mod;
(*index_ssl)->host_mod = host_mod;
@@ -443,11 +483,25 @@
/* Put our RSA key in the packet */
key_to_put+=4;
+
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ RSA_get0_key(session_data->ptrkey->myserverkey, &m_s_n, &m_s_e, &m_s_d);
+ put_bn(m_s_e, &key_to_put);
+ put_bn(m_s_n, &key_to_put);
+#else
put_bn(session_data->ptrkey->myserverkey->e, &key_to_put);
put_bn(session_data->ptrkey->myserverkey->n, &key_to_put);
+#endif
key_to_put+=4;
+
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ RSA_get0_key(session_data->ptrkey->myhostkey, &m_h_n, &m_h_e, &m_h_d);
+ put_bn(m_h_e, &key_to_put);
+ put_bn(m_h_n, &key_to_put);
+#else
put_bn(session_data->ptrkey->myhostkey->e, &key_to_put);
put_bn(session_data->ptrkey->myhostkey->n, &key_to_put);
+#endif
/* Recalculate SSH crc */
*(u_int32 *)(PACKET->DATA.data + PACKET->DATA.len - 4) = htonl(CRC_checksum(PACKET->DATA.data+4, PACKET->DATA.len-8, CRC_INIT_ZERO));
@@ -482,19 +536,34 @@
key_to_put = ptr;
/* Calculate real session id and our fake session id */
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ temp_session_id = ssh_session_id(cookie, h_n, s_n);
+#else
temp_session_id = ssh_session_id(cookie, session_data->hostkey->n, session_data->serverkey->n);
+#endif
if (temp_session_id)
memcpy(session_id1, temp_session_id, 16);
+
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ temp_session_id=ssh_session_id(cookie, m_h_n, m_s_n);
+#else
temp_session_id=ssh_session_id(cookie, session_data->ptrkey->myhostkey->n, session_data->ptrkey->myserverkey->n);
+#endif
+
if (temp_session_id)
memcpy(session_id2, temp_session_id, 16);
/* Get the session key */
enckey = BN_new();
+
get_bn(enckey, &ptr);
/* Decrypt session key */
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ if (BN_cmp(m_s_n, m_h_n) > 0) {
+#else
if (BN_cmp(session_data->ptrkey->myserverkey->n, session_data->ptrkey->myhostkey->n) > 0) {
+#endif
rsa_private_decrypt(enckey, enckey, session_data->ptrkey->myserverkey);
rsa_private_decrypt(enckey, enckey, session_data->ptrkey->myhostkey);
} else {
@@ -534,7 +603,11 @@
BN_add_word(bn, sesskey[i]);
}
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ if (BN_cmp(s_n, h_n) < 0) {
+#else
if (BN_cmp(session_data->serverkey->n, session_data->hostkey->n) < 0) {
+#endif
rsa_public_encrypt(bn, bn, session_data->serverkey);
rsa_public_encrypt(bn, bn, session_data->hostkey);
} else {
@@ -716,7 +789,16 @@
u_char *inbuf, *outbuf;
int32 len, ilen, olen;
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ BIGNUM *n;
+ BIGNUM *e;
+ BIGNUM *d;
+ RSA_get0_key(key, &n, &e, &d);
+ olen = BN_num_bytes(n);
+#else
olen = BN_num_bytes(key->n);
+#endif
+
outbuf = malloc(olen);
if (outbuf == NULL) /* oops, couldn't allocate memory */
return;
@@ -744,7 +826,16 @@
u_char *inbuf, *outbuf;
int32 len, ilen, olen;
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ BIGNUM *n;
+ BIGNUM *e;
+ BIGNUM *d;
+ RSA_get0_key(key, &n, &e, &d);
+ olen = BN_num_bytes(n);
+#else
olen = BN_num_bytes(key->n);
+#endif
+
outbuf = malloc(olen);
if (outbuf == NULL) /* oops, couldn't allocate memory */
return;
Index: ettercap-0.8.2/src/ec_sslwrap.c
===================================================================
--- ettercap-0.8.2.orig/src/ec_sslwrap.c
+++ ettercap-0.8.2/src/ec_sslwrap.c
@@ -53,6 +53,10 @@
#define OPENSSL_NO_KRB5 1
#include <openssl/ssl.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
+#endif
+
#define BREAK_ON_ERROR(x,y,z) do { \
if (x == -E_INVALID) { \
SAFE_FREE(z.DATA.disp_data); \
@@ -974,9 +978,19 @@
index = X509_get_ext_by_NID(server_cert, NID_authority_key_identifier, -1);
if (index >=0) {
ext = X509_get_ext(server_cert, index);
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ ASN1_OCTET_STRING* os;
+ os = X509_EXTENSION_get_data (ext);
+#endif
if (ext) {
+#ifdef HAVE_OPAQUE_RSA_DSA_DH
+ os->data[7] = 0xe7;
+ os->data[8] = 0x7e;
+ X509_EXTENSION_set_data (ext, os);
+#else
ext->value->data[7] = 0xe7;
ext->value->data[8] = 0x7e;
+#endif
X509_add_ext(out_cert, ext, -1);
}
}

68
net-analyzer/ettercap/files/cve-2017-6430.patch Normal file
View file

@ -0,0 +1,68 @@
From 4ad7f85dc01202e363659aa473c99470b3f4e1f4 Mon Sep 17 00:00:00 2001
From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Date: Tue, 7 Mar 2017 22:05:31 +0100
Subject: [PATCH] Fix issue #782
---
utils/etterfilter/ef_compiler.c | 4 +++-
utils/etterfilter/ef_main.c | 10 +++++++---
utils/etterfilter/ef_output.c | 3 +++
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/utils/etterfilter/ef_compiler.c b/utils/etterfilter/ef_compiler.c
index db876636e..ddb73bd30 100644
--- a/utils/etterfilter/ef_compiler.c
+++ b/utils/etterfilter/ef_compiler.c
@@ -239,7 +239,9 @@ size_t compile_tree(struct filter_op **fop)
struct filter_op *array = NULL;
struct unfold_elm *ue;
- BUG_IF(tree_root == NULL);
+ // invalid file
+ if (tree_root == NULL)
+ return 0;
fprintf(stdout, " Unfolding the meta-tree ");
fflush(stdout);
diff --git a/utils/etterfilter/ef_main.c b/utils/etterfilter/ef_main.c
index ae4591344..431084b91 100644
--- a/utils/etterfilter/ef_main.c
+++ b/utils/etterfilter/ef_main.c
@@ -39,7 +39,7 @@ struct globals *gbls;
int main(int argc, char *argv[])
{
-
+ int ret_value = 0;
globals_alloc();
/* etterfilter copyright */
fprintf(stdout, "\n" EC_COLOR_BOLD "%s %s" EC_COLOR_END " copyright %s %s\n\n",
@@ -84,8 +84,12 @@ int main(int argc, char *argv[])
fprintf(stdout, "\n\nThe script contains errors...\n\n");
/* write to file */
- if (write_output() != E_SUCCESS)
- FATAL_ERROR("Cannot write output file (%s)", GBL_OPTIONS->output_file);
+ ret_value = write_output();
+ if (ret_value == -E_NOTHANDLED)
+ FATAL_ERROR("Cannot write output file (%s): the filter is not correctly handled.", GBL_OPTIONS->output_file);
+ else if (ret_value == -E_INVALID)
+ FATAL_ERROR("Cannot write output file (%s): the filter format is not correct. ", GBL_OPTIONS->output_file);
+
globals_free();
return 0;
}
diff --git a/utils/etterfilter/ef_output.c b/utils/etterfilter/ef_output.c
index 5ae591904..fcf19f010 100644
--- a/utils/etterfilter/ef_output.c
+++ b/utils/etterfilter/ef_output.c
@@ -51,6 +51,9 @@ int write_output(void)
if (fop == NULL)
return -E_NOTHANDLED;
+ if (ninst == 0)
+ return -E_INVALID;
+
/* create the file */
fd = open(GBL_OPTIONS->output_file, O_CREAT | O_RDWR | O_TRUNC | O_BINARY, 0644);
ON_ERROR(fd, -1, "Can't create file %s", GBL_OPTIONS->output_file);