pam_ssh_agent_auth: fix dependency on insecure openssl

There have been a couple of patches floating around for about the last 18 months. While they originated with FreeBSD, but they've been adopted by Gentoo and Debian as well---and the most straightforward way to get access to them was from the Debian repository. (cherry picked from commit b6b3e04)
NixOS · Feb 29, 2020 · 4f8bc8e · 4f8bc8e
1 parent 271707a
commit 4f8bc8e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, openssl, perl }:
+{ stdenv, fetchpatch, fetchurl, pam, openssl, perl }:
 
 stdenv.mkDerivation rec {
   name = "pam_ssh_agent_auth-0.10.3";
@@ -12,10 +12,31 @@ stdenv.mkDerivation rec {
     [ # Allow multiple colon-separated authorized keys files to be
       # specified in the file= option.
       ./multiple-key-files.patch
+      (fetchpatch {
+        name = "openssl-1.1.1-1.patch";
+        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-1.patch";
+        sha256 = "1ndp5j4xfhzshhnl345gb4mkldx6vjfa7284xgng6ikhzpc6y7pf";
+      })
+      (fetchpatch {
+        name = "openssl-1.1.1-2.patch";
+        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-2.patch";
+        sha256 = "0ksrs4xr417by8klf7862n3dircvnw30an1akq4pnsd3ichscmww";
+      })
     ];
 
   buildInputs = [ pam openssl perl ];
 
+  # It's not clear to me why this is necessary, but without it, you see:
+  #
+  # checking OpenSSL header version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
+  # checking OpenSSL library version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
+  # checking whether OpenSSL's headers match the library... no
+  # configure: WARNING: Your OpenSSL headers do not match your
+  # library. Check config.log for details.
+  #
+  # ...despite the fact that clearly the values match
+  configureFlags = [ "--without-openssl-header-check" ];
+
   enableParallelBuilding = true;
 
   meta = {

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -16965,9 +16965,7 @@ in
 
   pam_pgsql = callPackage ../os-specific/linux/pam_pgsql { };
 
-  pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth {
-    openssl = openssl_1_0_2;
-  };
+  pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
 
   pam_u2f = callPackage ../os-specific/linux/pam_u2f { };