9,7 → 9,7 |
@DPATCH@ |
diff -urNad trunk~/src/Makefile.am trunk/src/Makefile.am |
--- trunk~/src/Makefile.am 2004-11-18 22:52:16.000000000 +0100 |
+++ trunk/src/Makefile.am 2009-11-06 01:07:40.000000000 +0100 |
+++ trunk/src/Makefile.am 2009-11-0 23:57:07.000000000 +0100 |
@@ -72,7 +72,8 @@ |
unix_interact.c unix_process.c unix_random.c unix_user.c \ |
userauth.c \ |
21,8 → 21,8 |
liblsh_a_LIBADD = @LIBOBJS@ |
|
diff -urNad trunk~/src/Makefile.in trunk/src/Makefile.in |
--- trunk~/src/Makefile.in 2009-11-06 01:07:40.000000000 +0100 |
+++ trunk/src/Makefile.in 2009-11-06 01:07:40.000000000 +0100 |
--- trunk~/src/Makefile.in 2009-11-07 23:57:06.000000000 +0100 |
+++ trunk/src/Makefile.in 2009-11-07 23:57:07.000000000 +0100 |
@@ -91,7 +91,8 @@ |
tty.$(OBJEXT) unix_interact.$(OBJEXT) unix_process.$(OBJEXT) \ |
unix_random.$(OBJEXT) unix_user.$(OBJEXT) userauth.$(OBJEXT) \ |
51,10 → 51,44 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel.Po@am__quote@ |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_commands.Po@am__quote@ |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_forward.Po@am__quote@ |
diff -urNad trunk~/src/abstract_crypto.h trunk/src/abstract_crypto.h |
--- trunk~/src/abstract_crypto.h 2003-11-16 19:10:30.000000000 +0100 |
+++ trunk/src/abstract_crypto.h 2009-11-07 23:57:37.000000000 +0100 |
@@ -162,7 +162,9 @@ |
(public_key method (string)) |
|
; Returns (public-key (<pub-sig-alg-id> <s-expr>*)) |
- (public_spki_key method (string) "int transport"))) |
+ (public_spki_key method (string) "int transport") |
+ |
+ (key_size method uint32_t))) |
*/ |
|
#define VERIFY(verifier, algorithm, length, data, slength, sdata) \ |
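Review bot: The new `key_size` entry in the GABA spec has no `; Returns ...` comment, unlike the sibling `public_spki_key` entry directly above it, so a reader of the generated verifier class cannot tell whether the value is in bits or bytes. Both implementations in this patch (dsa.c and rsa.c hunks) return `mpz_sizeinbase(..., 2)` of the DSA prime p or the RSA modulus n, so a comment such as `; Returns the key size in bits (bit length of the DSA prime p or the RSA modulus n)` placed before `(key_size method uint32_t)` would pin the contract that the blacklist lookup in blacklist.c depends on.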
@@ -170,7 +172,7 @@ |
|
#define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier))) |
#define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t))) |
- |
+#define KEY_SIZE(verifier) ((verifier)->key_size((verifier))) |
|
/* GABA: |
(class |
diff -urNad trunk~/src/abstract_crypto.h.x trunk/src/abstract_crypto.h.x |
--- trunk~/src/abstract_crypto.h.x 2007-06-04 22:18:39.000000000 +0200 |
+++ trunk/src/abstract_crypto.h.x 2009-11-07 23:57:07.000000000 +0100 |
@@ -161,6 +161,7 @@ |
int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data); |
struct lsh_string *(*(public_key))(struct verifier *self); |
struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport); |
+ uint32_t *(*(key_size))(struct verifier *self); |
}; |
extern struct lsh_class verifier_class; |
#endif /* !GABA_DEFINE */ |
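Review bot: The hand-added declaration `uint32_t *(*(key_size))(struct verifier *self);` returns a pointer, but the GABA spec this file is generated from says `(key_size method uint32_t)` (abstract_crypto.h hunk), and both implementations, `do_dsa_key_size` in the dsa.c hunk and `do_rsa_key_size` in the rsa.c hunk, are declared `static uint32_t`. With this declaration the assignments `self->super.key_size = do_dsa_key_size;` and the rsa.c counterpart are incompatible-pointer-type assignments, and `uint32_t keysize = KEY_SIZE(v);` in blacklist.c converts a function-return pointer value to an integer, so the key length compared against the blacklist would not be a bit count at all. The line should read `uint32_t (*(key_size))(struct verifier *self);`, which is presumably what regenerating the .x file from the spec would produce; the trailing `*` looks copied from the `struct lsh_string *` lines above it.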
diff -urNad trunk~/src/blacklist.c trunk/src/blacklist.c |
--- trunk~/src/blacklist.c 1970-01-01 01:00:00.000000000 +0100 |
+++ trunk/src/blacklist.c 2009-11-06 01:07:40.000000000 +0100 |
@@ -0,0 +1,164 @@ |
+++ trunk/src/blacklist.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -0,0 +1,150 @@ |
+#if HAVE_CONFIG_H |
+#include "config.h" |
+#endif |
61,19 → 95,11 |
+ |
+#include <assert.h> |
+ |
+#include "nettle/bignum.h" |
+#include "nettle/dsa.h" |
+#include "nettle/rsa.h" |
+#include "xalloc.h" |
+#include "atoms.h" |
+#include "format.h" |
+#include "lsh_string.h" |
+#include "abstract_crypto.h" |
+#include "werror.h" |
+#include "crypto.h" |
+#define GABA_DECLARE |
+#include "rsa.c.x" |
+#include "dsa.c.x" |
+ |
+#include <sys/types.h> |
+#include <sys/stat.h> |
81,6 → 107,8 |
+#include <fcntl.h> |
+#include <string.h> |
+ |
+int blacklisted_key(struct verifier *v, int method); |
+ |
+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ |
+static int |
+blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file) |
87,7 → 115,6 |
+{ |
+ int fd = -1; |
+ const char *hash = 0; |
+ int i; |
+ uint32_t line_len; |
+ struct stat st; |
+ char buf[256]; |
172,7 → 199,6 |
+int |
+blacklisted_key(struct verifier *v, int method) |
+{ |
+ size_t keysize; |
+ const char *keytype; |
+ int ret = -1; |
+ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL }; |
180,29 → 206,23 |
+ struct lsh_string *lsh_hash = ssh_format("%lfxS", |
+ hash_string(&crypto_md5_algorithm, |
+ PUBLIC_KEY(v), 1)); |
+ uint32_t keysize = KEY_SIZE(v); |
+ |
+ switch (method) |
+ { |
+ case ATOM_SSH_DSS: |
+ case ATOM_DSA: |
+ { |
+ CAST(dsa_verifier, self, v); |
+ keytype = "DSA"; |
+ keysize = mpz_sizeinbase(self->key.p, 2); |
+ } |
+ break; |
+ case ATOM_SSH_RSA: |
+ case ATOM_RSA_PKCS1_SHA1: |
+ case ATOM_RSA_PKCS1_MD5: |
+ case ATOM_RSA_PKCS1: |
+ { |
+ CAST(rsa_verifier, self, v); |
+ keytype = "RSA"; |
+ keysize = mpz_sizeinbase(self->key.n, 2); |
+ } break; |
+ break; |
+ default: |
+ werror("Unrecognized key type"); |
+ return 0; |
+ return -1; |
+ } |
+ |
+ for (pp = paths; *pp && ret <= 0; pp++) { |
219,9 → 239,35 |
+ } |
+ return ret; |
+} |
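Review bot: The default branch's `werror("Unrecognized key type")` has no trailing newline, unlike the other werror() call in this patch (`werror("Invalid dsa key.\n");` in the lsh-decode-key.c hunk), so the diagnostic will likely run into whatever is logged next. The return-value contract of blacklisted_key is also undocumented on the prototype `int blacklisted_key(struct verifier *v, int method);`: the loop condition `*pp && ret <= 0` suggests a positive result means the key is on a blacklist and a negative one that no list could be consulted, and the visible `return -1` in the default case would then report an unrecognized key type the same way as a missing blacklist file, which the caller in server_authorization.c has to interpret; a comment such as `/* Returns >0 if the key is blacklisted, 0 if not, <0 if no blacklist could be checked. */` (adjusted to what the callers actually rely on) would make that explicit. If both `size_t keysize;` and `uint32_t keysize = KEY_SIZE(v);` remain on the new side they redeclare the same name in one scope; presumably the former is the line this revision removes. Several stretches of this hunk, including the body of blacklisted_key_in_file and the lookup loop, are elided here and could not be reviewed.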
diff -urNad trunk~/src/dsa.c trunk/src/dsa.c |
--- trunk~/src/dsa.c 2004-06-08 20:00:45.000000000 +0200 |
+++ trunk/src/dsa.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -189,6 +189,14 @@ |
"y", self->key.y); |
} |
|
+static uint32_t |
+do_dsa_key_size(struct verifier *v) |
+{ |
+ CAST(dsa_verifier, self, v); |
+ |
+ return mpz_sizeinbase(self->key.p, 2); |
+} |
+ |
static void |
init_dsa_verifier(struct dsa_verifier *self) |
{ |
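Review bot: `do_dsa_key_size` carries no comment saying what it measures, and the same applies to `do_rsa_key_size` in the rsa.c hunk; the spec entry only names the method. A one-liner above each, `/* Key size in bits: the bit length of the DSA prime p. */` and `/* Key size in bits: the bit length of the RSA modulus n. */`, would document the unit that the blacklist lookup in blacklist.c relies on. `mpz_sizeinbase` returns size_t and is narrowed implicitly to the uint32_t return type here; an explicit `return (uint32_t) mpz_sizeinbase(self->key.p, 2);` would make the intentional narrowing visible under -Wconversion.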
@@ -199,6 +207,7 @@ |
self->super.verify = do_dsa_verify; |
self->super.public_spki_key = do_dsa_public_spki_key; |
self->super.public_key = do_dsa_public_key; |
+ self->super.key_size = do_dsa_key_size; |
} |
|
|
diff -urNad trunk~/src/lsh-decode-key.c trunk/src/lsh-decode-key.c |
--- trunk~/src/lsh-decode-key.c 2005-09-06 14:43:15.000000000 +0200 |
+++ trunk/src/lsh-decode-key.c 2009-11-06 01:07:40.000000000 +0100 |
+++ trunk/src/lsh-decode-key.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -133,6 +133,10 @@ |
werror("Invalid dsa key.\n"); |
return NULL; |
246,7 → 292,7 |
} |
diff -urNad trunk~/src/lsh-writekey.c trunk/src/lsh-writekey.c |
--- trunk~/src/lsh-writekey.c 2004-11-17 11:55:11.000000000 +0100 |
+++ trunk/src/lsh-writekey.c 2009-11-06 01:11:54.000000000 +0100 |
+++ trunk/src/lsh-writekey.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -397,14 +397,18 @@ |
{ |
struct signer *s; |
327,7 → 373,7 |
{ |
diff -urNad trunk~/src/publickey_crypto.h trunk/src/publickey_crypto.h |
--- trunk~/src/publickey_crypto.h 2004-06-15 13:32:51.000000000 +0200 |
+++ trunk/src/publickey_crypto.h 2009-11-06 01:07:40.000000000 +0100 |
+++ trunk/src/publickey_crypto.h 2009-11-07 23:57:07.000000000 +0100 |
@@ -203,5 +203,7 @@ |
struct verifier * |
make_ssh_dss_verifier(const struct lsh_string *public); |
336,9 → 382,35 |
+blacklisted_key(struct verifier *v, int method); |
|
#endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */ |
diff -urNad trunk~/src/rsa.c trunk/src/rsa.c |
--- trunk~/src/rsa.c 2003-11-16 19:49:12.000000000 +0100 |
+++ trunk/src/rsa.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -167,6 +167,14 @@ |
self->key.n, self->key.e); |
} |
|
+static uint32_t |
+do_rsa_key_size(struct verifier *v) |
+{ |
+ CAST(rsa_verifier, self, v); |
+ |
+ return mpz_sizeinbase(self->key.n, 2); |
+} |
+ |
|
/* NOTE: To initialize an rsa verifier, one must |
* |
@@ -184,6 +192,7 @@ |
self->super.verify = do_rsa_verify; |
self->super.public_key = do_rsa_public_key; |
self->super.public_spki_key = do_rsa_public_spki_key; |
+ self->super.key_size = do_rsa_key_size; |
} |
|
/* Alternative constructor using a key of type ssh-rsa, when the atom |
diff -urNad trunk~/src/server_authorization.c trunk/src/server_authorization.c |
--- trunk~/src/server_authorization.c 2004-06-08 20:01:15.000000000 +0200 |
+++ trunk/src/server_authorization.c 2009-11-06 01:07:40.000000000 +0100 |
+++ trunk/src/server_authorization.c 2009-11-07 23:57:07.000000000 +0100 |
@@ -93,7 +93,8 @@ |
PUBLIC_SPKI_KEY(v, 0), |
1)); |