pam_ssh_agent_auth: fix dependency on insecure openssl

There have been a couple of patches floating around for about the last 18 months. While they originated with FreeBSD, but they've been adopted by Gentoo and Debian as well---and the most straightforward way to get access to them was from the Debian repository.
2020-02-28 15:19:51 -05:00 · 2020-02-28 15:19:51 -05:00 · b6b3e04759
commit b6b3e04759
parent a1ce8740fa
2 changed files with 23 additions and 4 deletions
--- a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, openssl, perl }:
+{ stdenv, fetchpatch, fetchurl, pam, openssl, perl }:

 stdenv.mkDerivation rec {
  name = "pam_ssh_agent_auth-0.10.3";
@ -12,10 +12,31 @@ stdenv.mkDerivation rec {
    [ # Allow multiple colon-separated authorized keys files to be
      # specified in the file= option.
      ./multiple-key-files.patch
+      (fetchpatch {
+        name = "openssl-1.1.1-1.patch";
+        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-1.patch";
+        sha256 = "1ndp5j4xfhzshhnl345gb4mkldx6vjfa7284xgng6ikhzpc6y7pf";
+      })
+      (fetchpatch {
+        name = "openssl-1.1.1-2.patch";
+        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-2.patch";
+        sha256 = "0ksrs4xr417by8klf7862n3dircvnw30an1akq4pnsd3ichscmww";
+      })
    ];

  buildInputs = [ pam openssl perl ];

+  # It's not clear to me why this is necessary, but without it, you see:
+  #
+  # checking OpenSSL header version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
+  # checking OpenSSL library version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
+  # checking whether OpenSSL's headers match the library... no
+  # configure: WARNING: Your OpenSSL headers do not match your
+  # library. Check config.log for details.
+  #
+  # ...despite the fact that clearly the values match
+  configureFlags = [ "--without-openssl-header-check" ];
+
  enableParallelBuilding = true;

  meta = {
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -17067,9 +17067,7 @@ in

  pam_pgsql = callPackage ../os-specific/linux/pam_pgsql { };

-  pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth {
-    openssl = openssl_1_0_2;
-  };
+  pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };

  pam_u2f = callPackage ../os-specific/linux/pam_u2f { };