/trunk/debian/patches/20_sftp-server_mansection.dpatch |
---|
File deleted |
Property changes: |
Deleted: svn:executable |
## -1 +0,0 ## |
-* |
\ No newline at end of property |
Index: 40_better_errmsg_when_dotlsh_missing.dpatch |
=================================================================== |
--- 40_better_errmsg_when_dotlsh_missing.dpatch (revision 73) |
+++ 40_better_errmsg_when_dotlsh_missing.dpatch (nonexistent) |
@@ -1,36 +0,0 @@ |
-#! /bin/sh /usr/share/dpatch/dpatch-run |
-## 40_mkdir_dotlsh.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## |
-## DP: Show the intended error message, instead of one about a locking |
-## DP: error, when no seed file exists |
- |
-@DPATCH@ |
-diff -urNad trunk~/src/unix_random.c trunk/src/unix_random.c |
---- trunk~/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100 |
-+++ trunk/src/unix_random.c 2008-06-24 22:29:29.000000000 +0200 |
-@@ -353,6 +353,15 @@ |
- |
- yarrow256_init(&self->yarrow, RANDOM_NSOURCES, self->sources); |
- |
-+ if (access(lsh_get_cstring(seed_file_name), F_OK) < 0) |
-+ { |
-+ werror("No seed file. Please create one by running\n"); |
-+ werror("lsh-make-seed -o \"%S\".\n", seed_file_name); |
-+ |
-+ KILL(self); |
-+ return NULL; |
-+ } |
-+ |
- verbose("Reading seed-file `%S'\n", seed_file_name); |
- |
- self->lock |
-@@ -374,8 +383,7 @@ |
- self->seed_file_fd = open(lsh_get_cstring(seed_file_name), O_RDWR); |
- if (self->seed_file_fd < 0) |
- { |
-- werror("No seed file. Please create one by running\n"); |
-- werror("lsh-make-seed -o \"%S\".\n", seed_file_name); |
-+ werror("Could not open seed file \"%S\".\n", seed_file_name); |
- |
- KILL_RESOURCE(lock); |
- KILL(self); |
/40_better_errmsg_when_dotlsh_missing.dpatch |
---|
Property changes: |
Deleted: svn:executable |
## -1 +0,0 ## |
-* |
\ No newline at end of property |
Index: ipv6_v6only.dpatch |
=================================================================== |
--- ipv6_v6only.dpatch (revision 73) |
+++ ipv6_v6only.dpatch (nonexistent) |
@@ -1,25 +0,0 @@ |
-#! /bin/sh /usr/share/dpatch/dpatch-run |
-## ipv6_v6only.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## |
-## DP: Set the IPV6_V6ONLY socket option on AF_INET6 sockets; since |
-## DP: lshd by default enumerates available address families and calls |
-## DP: bind() once for each, conflicts will occur otherwise. |
- |
-@DPATCH@ |
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c |
---- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100 |
-+++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200 |
-@@ -1690,6 +1690,13 @@ |
- { |
- int yes = 1; |
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes); |
-+#if WITH_IPV6 && defined (IPV6_V6ONLY) |
-+ if (local->sa_family == AF_INET6) |
-+ { |
-+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0) |
-+ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno); |
-+ } |
-+#endif |
- } |
- |
- if (bind(s, local, length) < 0) |
/ipv6_v6only.dpatch |
---|
Property changes: |
Deleted: svn:executable |
## -1 +0,0 ## |
-* |
\ No newline at end of property |
Index: terminate_on_connection_failure.dpatch |
=================================================================== |
--- terminate_on_connection_failure.dpatch (revision 73) |
+++ terminate_on_connection_failure.dpatch (nonexistent) |
@@ -1,19 +0,0 @@ |
-#! /bin/sh /usr/share/dpatch/dpatch-run |
-## terminate_on_connection_failure.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## |
-## DP: Call exit() in lsh's default exception handler on EXC_IO_CONNECT; otherwise |
-## DP: lsh won't terminate. |
- |
-@DPATCH@ |
-diff -urNad trunk~/src/lsh.c trunk/src/lsh.c |
---- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100 |
-+++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100 |
-@@ -959,6 +959,8 @@ |
- *self->status = EXIT_FAILURE; |
- |
- werror("%z, (errno = %i)\n", e->msg, exc->error); |
-+ if (e->type == EXC_IO_CONNECT) |
-+ exit(*self->status); |
- } |
- else |
- switch(e->type) |
/terminate_on_connection_failure.dpatch |
---|
Property changes: |
Deleted: svn:executable |
## -1 +0,0 ## |
-* |
\ No newline at end of property |
Index: 30_nonettle.dpatch |
=================================================================== |
--- 30_nonettle.dpatch (revision 73) |
+++ 30_nonettle.dpatch (nonexistent) |
@@ -1,27 +0,0 @@ |
-#!/bin/sh |
-## 30_nonettle.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## |
-## DP: Link dynamically with libnettle-dev instead of the bundled version |
- |
-set -e |
-FILES=`find src -name nettle -prune -o -name Makefile.in -print` |
- |
-dpatch_patch() { |
- if [ ! -f debian/patched/30_nonettle_orig.tar.gz ]; then |
- tar -czf debian/patched/30_nonettle_orig.tar.gz $FILES |
- sed -ri -e '/^LDADD/,+1s%(\.\.?/)*nettle/libnettle\.a|-lnettle%-lnettle -lhogweed%' \ |
- -e 's%\s*(-[IL]\s*)?(\.\.?/)*\bnettle(/libnettle\.a)?\b%%g' $FILES |
- mv src/nettle src/nettle-unused |
- fi |
-} |
- |
-dpatch_unpatch() { |
- if [ -f debian/patched/30_nonettle_orig.tar.gz ]; then |
- mv src/nettle-unused src/nettle |
- tar -xzf debian/patched/30_nonettle_orig.tar.gz |
- fi |
-} |
- |
-DPATCH_LIB_NO_DEFAULT=1 |
- |
-. /usr/share/dpatch/dpatch.lib.sh |
Index: blacklist.dpatch |
=================================================================== |
--- blacklist.dpatch (revision 73) |
+++ blacklist.dpatch (nonexistent) |
@@ -1,423 +0,0 @@ |
-#! /bin/sh /usr/share/dpatch/dpatch-run |
-## blacklist.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## blacklist.c code copied from the openssh package and adapted for LSH. |
-## |
-## DP: Check keys against openssh-blacklist before accepting for |
-## DP: pubkey authentication as well as on conversion by lsh-writekey |
-## DP: and lsh-decode-key. |
- |
-@DPATCH@ |
-diff -urNad trunk~/src/Makefile.am trunk/src/Makefile.am |
---- trunk~/src/Makefile.am 2004-11-18 22:52:16.000000000 +0100 |
-+++ trunk/src/Makefile.am 2009-11-0 23:57:07.000000000 +0100 |
-@@ -72,7 +72,8 @@ |
- unix_interact.c unix_process.c unix_random.c unix_user.c \ |
- userauth.c \ |
- werror.c write_buffer.c write_packet.c \ |
-- xalloc.c xauth.c zlib.c |
-+ xalloc.c xauth.c zlib.c \ |
-+ blacklist.c |
- |
- liblsh_a_LIBADD = @LIBOBJS@ |
- |
-diff -urNad trunk~/src/Makefile.in trunk/src/Makefile.in |
---- trunk~/src/Makefile.in 2009-11-07 23:57:06.000000000 +0100 |
-+++ trunk/src/Makefile.in 2009-11-07 23:57:07.000000000 +0100 |
-@@ -91,7 +91,8 @@ |
- tty.$(OBJEXT) unix_interact.$(OBJEXT) unix_process.$(OBJEXT) \ |
- unix_random.$(OBJEXT) unix_user.$(OBJEXT) userauth.$(OBJEXT) \ |
- werror.$(OBJEXT) write_buffer.$(OBJEXT) write_packet.$(OBJEXT) \ |
-- xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT) |
-+ xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT) \ |
-+ blacklist.$(OBJEXT) |
- liblsh_a_OBJECTS = $(am_liblsh_a_OBJECTS) |
- am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" \ |
- "$(DESTDIR)$(bindir)" |
-@@ -510,7 +511,8 @@ |
- unix_interact.c unix_process.c unix_random.c unix_user.c \ |
- userauth.c \ |
- werror.c write_buffer.c write_packet.c \ |
-- xalloc.c xauth.c zlib.c |
-+ xalloc.c xauth.c zlib.c \ |
-+ blacklist.c |
- |
- liblsh_a_LIBADD = @LIBOBJS@ |
- |
-@@ -705,6 +707,7 @@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/algorithms.Po@am__quote@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alist.Po@am__quote@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoms.Po@am__quote@ |
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blacklist.Po@am__quote@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel.Po@am__quote@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_commands.Po@am__quote@ |
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_forward.Po@am__quote@ |
-diff -urNad trunk~/src/abstract_crypto.h trunk/src/abstract_crypto.h |
---- trunk~/src/abstract_crypto.h 2003-11-16 19:10:30.000000000 +0100 |
-+++ trunk/src/abstract_crypto.h 2009-11-07 23:57:37.000000000 +0100 |
-@@ -162,7 +162,9 @@ |
- (public_key method (string)) |
- |
- ; Returns (public-key (<pub-sig-alg-id> <s-expr>*)) |
-- (public_spki_key method (string) "int transport"))) |
-+ (public_spki_key method (string) "int transport") |
-+ |
-+ (key_size method uint32_t))) |
- */ |
- |
- #define VERIFY(verifier, algorithm, length, data, slength, sdata) \ |
-@@ -170,7 +172,7 @@ |
- |
- #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier))) |
- #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t))) |
-- |
-+#define KEY_SIZE(verifier) ((verifier)->key_size((verifier))) |
- |
- /* GABA: |
- (class |
-diff -urNad trunk~/src/abstract_crypto.h.x trunk/src/abstract_crypto.h.x |
---- trunk~/src/abstract_crypto.h.x 2007-06-04 22:18:39.000000000 +0200 |
-+++ trunk/src/abstract_crypto.h.x 2009-11-07 23:57:07.000000000 +0100 |
-@@ -161,6 +161,7 @@ |
- int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data); |
- struct lsh_string *(*(public_key))(struct verifier *self); |
- struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport); |
-+ uint32_t *(*(key_size))(struct verifier *self); |
- }; |
- extern struct lsh_class verifier_class; |
- #endif /* !GABA_DEFINE */ |
-diff -urNad trunk~/src/blacklist.c trunk/src/blacklist.c |
---- trunk~/src/blacklist.c 1970-01-01 01:00:00.000000000 +0100 |
-+++ trunk/src/blacklist.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -0,0 +1,150 @@ |
-+#if HAVE_CONFIG_H |
-+#include "config.h" |
-+#endif |
-+ |
-+#include <assert.h> |
-+ |
-+#include "atoms.h" |
-+#include "format.h" |
-+#include "lsh_string.h" |
-+#include "werror.h" |
-+#include "crypto.h" |
-+ |
-+#include <sys/types.h> |
-+#include <sys/stat.h> |
-+#include <unistd.h> |
-+#include <fcntl.h> |
-+#include <string.h> |
-+ |
-+int blacklisted_key(struct verifier *v, int method); |
-+ |
-+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ |
-+static int |
-+blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file) |
-+{ |
-+ int fd = -1; |
-+ const char *hash = 0; |
-+ uint32_t line_len; |
-+ struct stat st; |
-+ char buf[256]; |
-+ off_t start, lower, upper; |
-+ int ret = 0; |
-+ |
-+ debug("Checking blacklist file %S\n", blacklist_file); |
-+ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY); |
-+ if (fd < 0) { |
-+ ret = -1; |
-+ goto out; |
-+ } |
-+ |
-+ hash = lsh_get_cstring(lsh_hash) + 12; |
-+ line_len = strlen(hash); |
-+ if (line_len != 20) |
-+ goto out; |
-+ |
-+ /* Skip leading comments */ |
-+ start = 0; |
-+ for (;;) { |
-+ ssize_t r; |
-+ char *newline; |
-+ |
-+ r = read(fd, buf, sizeof(buf)); |
-+ if (r <= 0) |
-+ goto out; |
-+ if (buf[0] != '#') |
-+ break; |
-+ |
-+ newline = memchr(buf, '\n', sizeof(buf)); |
-+ if (!newline) |
-+ goto out; |
-+ start += newline + 1 - buf; |
-+ if (lseek(fd, start, SEEK_SET) < 0) |
-+ goto out; |
-+ } |
-+ |
-+ /* Initialise binary search record numbers */ |
-+ if (fstat(fd, &st) < 0) |
-+ goto out; |
-+ lower = 0; |
-+ upper = (st.st_size - start) / (line_len + 1); |
-+ |
-+ while (lower != upper) { |
-+ off_t cur; |
-+ int cmp; |
-+ |
-+ cur = lower + (upper - lower) / 2; |
-+ |
-+ /* Read this line and compare to digest; this is |
-+ * overflow-safe since cur < max(off_t) / (line_len + 1) */ |
-+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0) |
-+ break; |
-+ if (read(fd, buf, line_len) != line_len) |
-+ break; |
-+ cmp = memcmp(buf, hash, line_len); |
-+ if (cmp < 0) { |
-+ if (cur == lower) |
-+ break; |
-+ lower = cur; |
-+ } else if (cmp > 0) { |
-+ if (cur == upper) |
-+ break; |
-+ upper = cur; |
-+ } else { |
-+ ret = 1; |
-+ break; |
-+ } |
-+ } |
-+ |
-+out: |
-+ if (fd >= 0) |
-+ close(fd); |
-+ return ret; |
-+} |
-+ |
-+/* |
-+ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found, |
-+ * its fingerprint is returned in *fp, unless fp is NULL. |
-+ */ |
-+int |
-+blacklisted_key(struct verifier *v, int method) |
-+{ |
-+ const char *keytype; |
-+ int ret = -1; |
-+ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL }; |
-+ const char **pp; |
-+ struct lsh_string *lsh_hash = ssh_format("%lfxS", |
-+ hash_string(&crypto_md5_algorithm, |
-+ PUBLIC_KEY(v), 1)); |
-+ uint32_t keysize = KEY_SIZE(v); |
-+ |
-+ switch (method) |
-+ { |
-+ case ATOM_SSH_DSS: |
-+ case ATOM_DSA: |
-+ keytype = "DSA"; |
-+ break; |
-+ case ATOM_SSH_RSA: |
-+ case ATOM_RSA_PKCS1_SHA1: |
-+ case ATOM_RSA_PKCS1_MD5: |
-+ case ATOM_RSA_PKCS1: |
-+ keytype = "RSA"; |
-+ break; |
-+ default: |
-+ werror("Unrecognized key type"); |
-+ return -1; |
-+ } |
-+ |
-+ for (pp = paths; *pp && ret <= 0; pp++) { |
-+ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di", |
-+ *pp, keytype, keysize); |
-+ int r = blacklisted_key_in_file(lsh_hash, blacklist_file); |
-+ lsh_string_free(blacklist_file); |
-+ if (r > ret) ret = r; |
-+ } |
-+ |
-+ if (ret > 0) { |
-+ werror("Key is compromised: %z %i %fS\n", keytype, keysize, |
-+ lsh_string_colonize(lsh_hash, 2, 0)); |
-+ } |
-+ return ret; |
-+} |
-diff -urNad trunk~/src/dsa.c trunk/src/dsa.c |
---- trunk~/src/dsa.c 2004-06-08 20:00:45.000000000 +0200 |
-+++ trunk/src/dsa.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -189,6 +189,14 @@ |
- "y", self->key.y); |
- } |
- |
-+static uint32_t |
-+do_dsa_key_size(struct verifier *v) |
-+{ |
-+ CAST(dsa_verifier, self, v); |
-+ |
-+ return mpz_sizeinbase(self->key.p, 2); |
-+} |
-+ |
- static void |
- init_dsa_verifier(struct dsa_verifier *self) |
- { |
-@@ -199,6 +207,7 @@ |
- self->super.verify = do_dsa_verify; |
- self->super.public_spki_key = do_dsa_public_spki_key; |
- self->super.public_key = do_dsa_public_key; |
-+ self->super.key_size = do_dsa_key_size; |
- } |
- |
- |
-diff -urNad trunk~/src/lsh-decode-key.c trunk/src/lsh-decode-key.c |
---- trunk~/src/lsh-decode-key.c 2005-09-06 14:43:15.000000000 +0200 |
-+++ trunk/src/lsh-decode-key.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -133,6 +133,10 @@ |
- werror("Invalid dsa key.\n"); |
- return NULL; |
- } |
-+ else if (blacklisted_key(v, type)) |
-+ { |
-+ return NULL; |
-+ } |
- else |
- return PUBLIC_SPKI_KEY(v, 1); |
- } |
-@@ -150,6 +154,10 @@ |
- werror("Invalid rsa key.\n"); |
- return NULL; |
- } |
-+ else if (blacklisted_key(v, type)) |
-+ { |
-+ return NULL; |
-+ } |
- else |
- return PUBLIC_SPKI_KEY(v, 1); |
- } |
-diff -urNad trunk~/src/lsh-writekey.c trunk/src/lsh-writekey.c |
---- trunk~/src/lsh-writekey.c 2004-11-17 11:55:11.000000000 +0100 |
-+++ trunk/src/lsh-writekey.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -397,14 +397,18 @@ |
- { |
- struct signer *s; |
- struct verifier *v; |
-+ int algorithm_name; |
- |
-- s = spki_make_signer(options->signature_algorithms, key, NULL); |
-+ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name); |
- |
- if (!s) |
- return NULL; |
- |
- v = SIGNER_GET_VERIFIER(s); |
- assert(v); |
-+ if (blacklisted_key(v, algorithm_name)) { |
-+ return NULL; |
-+ } |
- |
- return PUBLIC_SPKI_KEY(v, 1); |
- } |
-@@ -416,7 +420,8 @@ |
- int private_fd; |
- int public_fd; |
- struct lsh_string *input; |
-- struct lsh_string *output; |
-+ struct lsh_string *priv_output; |
-+ struct lsh_string *pub_output; |
- const struct exception *e; |
- |
- argp_parse(&main_argp, argc, argv, 0, NULL, options); |
-@@ -439,16 +444,22 @@ |
- return EXIT_FAILURE; |
- } |
- |
-- output = process_private(input, options); |
-- if (!output) |
-+ pub_output = process_public(input, options); |
-+ if (!pub_output) |
-+ return EXIT_FAILURE; |
-+ |
-+ priv_output = process_private(input, options); |
-+ if (!priv_output) |
- return EXIT_FAILURE; |
- |
-+ lsh_string_free(input); |
-+ |
- private_fd = open_file(options->private_file); |
- if (private_fd < 0) |
- return EXIT_FAILURE; |
- |
-- e = write_raw(private_fd, STRING_LD(output)); |
-- lsh_string_free(output); |
-+ e = write_raw(private_fd, STRING_LD(priv_output)); |
-+ lsh_string_free(priv_output); |
- |
- if (e) |
- { |
-@@ -457,18 +468,12 @@ |
- return EXIT_FAILURE; |
- } |
- |
-- output = process_public(input, options); |
-- lsh_string_free(input); |
-- |
-- if (!output) |
-- return EXIT_FAILURE; |
-- |
- public_fd = open_file(options->public_file); |
- if (public_fd < 0) |
- return EXIT_FAILURE; |
- |
-- e = write_raw(public_fd, STRING_LD(output)); |
-- lsh_string_free(output); |
-+ e = write_raw(public_fd, STRING_LD(pub_output)); |
-+ lsh_string_free(pub_output); |
- |
- if (e) |
- { |
-diff -urNad trunk~/src/publickey_crypto.h trunk/src/publickey_crypto.h |
---- trunk~/src/publickey_crypto.h 2004-06-15 13:32:51.000000000 +0200 |
-+++ trunk/src/publickey_crypto.h 2009-11-07 23:57:07.000000000 +0100 |
-@@ -203,5 +203,7 @@ |
- struct verifier * |
- make_ssh_dss_verifier(const struct lsh_string *public); |
- |
-+int |
-+blacklisted_key(struct verifier *v, int method); |
- |
- #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */ |
-diff -urNad trunk~/src/rsa.c trunk/src/rsa.c |
---- trunk~/src/rsa.c 2003-11-16 19:49:12.000000000 +0100 |
-+++ trunk/src/rsa.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -167,6 +167,14 @@ |
- self->key.n, self->key.e); |
- } |
- |
-+static uint32_t |
-+do_rsa_key_size(struct verifier *v) |
-+{ |
-+ CAST(rsa_verifier, self, v); |
-+ |
-+ return mpz_sizeinbase(self->key.n, 2); |
-+} |
-+ |
- |
- /* NOTE: To initialize an rsa verifier, one must |
- * |
-@@ -184,6 +192,7 @@ |
- self->super.verify = do_rsa_verify; |
- self->super.public_key = do_rsa_public_key; |
- self->super.public_spki_key = do_rsa_public_spki_key; |
-+ self->super.key_size = do_rsa_key_size; |
- } |
- |
- /* Alternative constructor using a key of type ssh-rsa, when the atom |
-diff -urNad trunk~/src/server_authorization.c trunk/src/server_authorization.c |
---- trunk~/src/server_authorization.c 2004-06-08 20:01:15.000000000 +0200 |
-+++ trunk/src/server_authorization.c 2009-11-07 23:57:07.000000000 +0100 |
-@@ -93,7 +93,8 @@ |
- PUBLIC_SPKI_KEY(v, 0), |
- 1)); |
- |
-- if (USER_FILE_EXISTS(keyholder, filename, 1)) |
-+ if (USER_FILE_EXISTS(keyholder, filename, 1) |
-+ && blacklisted_key(v, method) < 1) |
- return v; |
- |
- return NULL; |
/blacklist.dpatch |
---|
Property changes: |
Deleted: svn:executable |
## -1 +0,0 ## |
-* |
\ No newline at end of property |
Index: nettle_2.0.dpatch |
=================================================================== |
--- nettle_2.0.dpatch (revision 73) |
+++ nettle_2.0.dpatch (nonexistent) |
@@ -1,200 +0,0 @@ |
-#! /bin/sh /usr/share/dpatch/dpatch-run |
-## nettle_2.0.dpatch by Magnus Holmgren <holmgren@debian.org> |
-## |
-## DP: Adapt to Nettle 2.0 |
- |
-@DPATCH@ |
-diff -ur lsh-2.0.4/src/crypto.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/crypto.c |
---- lsh-2.0.4/src/crypto.c 2005-11-26 18:13:55.000000000 +0100 |
-+++ lsh-utils-2.0.4-dfsg/src/crypto.c 2009-08-04 23:57:22.000000000 +0200 |
-@@ -71,7 +71,7 @@ |
- assert(!(length % 8)); |
- |
- lsh_string_crypt(dst, di, src, si, length, |
-- (nettle_crypt_func) arcfour_crypt, &self->ctx); |
-+ (nettle_crypt_func*) arcfour_crypt, &self->ctx); |
- } |
- |
- static struct crypto_instance * |
-@@ -114,7 +114,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- AES_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) aes_encrypt, |
-+ (nettle_crypt_func*) aes_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -128,7 +128,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- AES_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) aes_decrypt, |
-+ (nettle_crypt_func*) aes_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -185,7 +185,7 @@ |
- |
- lsh_string_ctr_crypt(dst, di, src, si, length, |
- AES_BLOCK_SIZE, self->ctx.ctr, |
-- (nettle_crypt_func) aes_encrypt, |
-+ (nettle_crypt_func*) aes_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -227,7 +227,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- DES3_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) des3_encrypt, |
-+ (nettle_crypt_func*) des3_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -241,7 +241,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- DES3_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) des3_decrypt, |
-+ (nettle_crypt_func*) des3_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -303,7 +303,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- CAST128_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) cast128_encrypt, |
-+ (nettle_crypt_func*) cast128_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -317,7 +317,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- CAST128_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) cast128_decrypt, |
-+ (nettle_crypt_func*) cast128_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -363,7 +363,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- TWOFISH_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) twofish_encrypt, |
-+ (nettle_crypt_func*) twofish_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -377,7 +377,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- TWOFISH_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) twofish_decrypt, |
-+ (nettle_crypt_func*) twofish_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -422,7 +422,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- BLOWFISH_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) blowfish_encrypt, |
-+ (nettle_crypt_func*) blowfish_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -436,7 +436,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- BLOWFISH_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) blowfish_decrypt, |
-+ (nettle_crypt_func*) blowfish_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -488,7 +488,7 @@ |
- |
- lsh_string_cbc_encrypt(dst, di, src, si, length, |
- SERPENT_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) serpent_encrypt, |
-+ (nettle_crypt_func*) serpent_encrypt, |
- &self->ctx.ctx); |
- } |
- |
-@@ -502,7 +502,7 @@ |
- |
- lsh_string_cbc_decrypt(dst, di, src, si, length, |
- SERPENT_BLOCK_SIZE, self->ctx.iv, |
-- (nettle_crypt_func) serpent_decrypt, |
-+ (nettle_crypt_func*) serpent_decrypt, |
- &self->ctx.ctx); |
- } |
- |
-diff -ur lsh-2.0.4/src/lsh-make-seed.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c |
---- lsh-2.0.4/src/lsh-make-seed.c 2006-01-23 18:51:06.000000000 +0100 |
-+++ lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c 2009-08-05 00:24:58.000000000 +0200 |
-@@ -1219,6 +1219,7 @@ |
- |
- struct yarrow256_ctx yarrow; |
- struct yarrow_source sources[NSOURCES]; |
-+ uint8_t seed[YARROW256_SEED_FILE_SIZE]; |
- |
- argp_parse(&main_argp, argc, argv, 0, NULL, options); |
- |
-@@ -1371,7 +1372,8 @@ |
- } |
- } |
- |
-- e = write_raw(fd, sizeof(yarrow.seed_file), yarrow.seed_file); |
-+ yarrow256_random(&yarrow, sizeof(seed), seed); |
-+ e = write_raw(fd, sizeof(seed), seed); |
- |
- if (e) |
- { |
-diff -ur lsh-2.0.4/src/unix_random.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/unix_random.c |
---- lsh-2.0.4/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100 |
-+++ lsh-utils-2.0.4-dfsg/src/unix_random.c 2009-08-05 00:28:31.000000000 +0200 |
-@@ -81,6 +81,7 @@ |
- int fd) |
- { |
- const struct exception *e; |
-+ uint8_t seed[YARROW256_SEED_FILE_SIZE]; |
- |
- if (lseek(fd, 0, SEEK_SET) < 0) |
- { |
-@@ -88,7 +89,8 @@ |
- return 0; |
- } |
- |
-- e = write_raw(fd, YARROW256_SEED_FILE_SIZE, ctx->seed_file); |
-+ yarrow256_random(ctx, sizeof(seed), seed); |
-+ e = write_raw(fd, sizeof(seed), seed); |
- |
- if (e) |
- { |
-@@ -183,17 +183,19 @@ |
- { |
- struct lsh_string *s = read_seed_file(self->seed_file_fd); |
- |
-- write_seed_file(&self->yarrow, self->seed_file_fd); |
-- KILL_RESOURCE(lock); |
-- |
- /* Mix in the old seed file, it might have picked up |
- * some randomness. */ |
- if (s) |
- { |
-+ self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST; |
- yarrow256_update(&self->yarrow, RANDOM_SOURCE_NEW_SEED, |
- 0, STRING_LD(s)); |
- lsh_string_free(s); |
-+ yarrow256_fast_reseed(&self->yarrow); |
- } |
-+ |
-+ write_seed_file(&self->yarrow, self->seed_file_fd); |
-+ KILL_RESOURCE(lock); |
- } |
- } |
- |
Index: 00list |
=================================================================== |
--- 00list (revision 73) |
+++ 00list (nonexistent) |
@@ -1,7 +0,0 @@ |
-20_sftp-server_mansection |
-30_nonettle |
-40_better_errmsg_when_dotlsh_missing |
-nettle_2.0 |
-blacklist |
-terminate_on_connection_failure |
-ipv6_v6only |
Index: better-errmsg-when-dotlsh-missing.patch |
=================================================================== |
--- better-errmsg-when-dotlsh-missing.patch (nonexistent) |
+++ better-errmsg-when-dotlsh-missing.patch (revision 79) |
@@ -0,0 +1,33 @@ |
+Author: Magnus Holmgren <holmgren@debian.org> |
+Description: Show the intended error message when no seed file exists |
+ (instead of one about a locking error) |
+ |
+diff -urNad trunk~/src/unix_random.c trunk/src/unix_random.c |
+--- trunk~/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100 |
++++ trunk/src/unix_random.c 2008-06-24 22:29:29.000000000 +0200 |
+@@ -353,6 +353,15 @@ |
+ |
+ yarrow256_init(&self->yarrow, RANDOM_NSOURCES, self->sources); |
+ |
++ if (access(lsh_get_cstring(seed_file_name), F_OK) < 0) |
++ { |
++ werror("No seed file. Please create one by running\n"); |
++ werror("lsh-make-seed -o \"%S\".\n", seed_file_name); |
++ |
++ KILL(self); |
++ return NULL; |
++ } |
++ |
+ verbose("Reading seed-file `%S'\n", seed_file_name); |
+ |
+ self->lock |
+@@ -374,8 +383,7 @@ |
+ self->seed_file_fd = open(lsh_get_cstring(seed_file_name), O_RDWR); |
+ if (self->seed_file_fd < 0) |
+ { |
+- werror("No seed file. Please create one by running\n"); |
+- werror("lsh-make-seed -o \"%S\".\n", seed_file_name); |
++ werror("Could not open seed file \"%S\".\n", seed_file_name); |
+ |
+ KILL_RESOURCE(lock); |
+ KILL(self); |
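Review bot: The replacement message `Could not open seed file "%S".` at the end of the hunk drops the reason the open() failed, and because the new access(F_OK) check above already rules out the missing-file case, the remaining causes (permissions, wrong file type, a dangling symlink) are exactly the ones a user cannot tell apart from that text; appending the errno would distinguish them, `werror("Could not open seed file \"%S\": %e.\n", seed_file_name, errno);`, using the `%e` conversion the deleted ipv6_v6only patch already passes errno through, assuming werror in this tree accepts it. The access() test and the later open() are separate calls, so a seed file that appears or disappears between them only changes which diagnostic is printed; since the open-failure path is kept, the window affects the message, not whether a missing file is tolerated. The enclosing function starts before and ends after the hunk.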
/better-errmsg-when-dotlsh-missing.patch |
---|
Property changes: |
Added: svn:executable |
## -0,0 +1 ## |
+* |
\ No newline at end of property |
Index: terminate-on-connection-failure.patch |
=================================================================== |
--- terminate-on-connection-failure.patch (nonexistent) |
+++ terminate-on-connection-failure.patch (revision 79) |
@@ -0,0 +1,16 @@ |
+Author: Magnus Holmgren <holmgren@debian.org> |
+Description: Call exit() in lsh's default exception handler on EXC_IO_CONNECT |
+ Otherwise lsh won't terminate. |
+ |
+diff -urNad trunk~/src/lsh.c trunk/src/lsh.c |
+--- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100 |
++++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100 |
+@@ -959,6 +959,8 @@ |
+ *self->status = EXIT_FAILURE; |
+ |
+ werror("%z, (errno = %i)\n", e->msg, exc->error); |
++ if (e->type == EXC_IO_CONNECT) |
++ exit(*self->status); |
+ } |
+ else |
+ switch(e->type) |
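Review bot: The bare `exit(*self->status)` added after the werror() call carries no explanation of why EXC_IO_CONNECT alone terminates the process while every other exception type falls through to the switch below; the rationale exists only in the patch header. A one-line comment above the check, `/* Otherwise lsh won't terminate after a failed connect (Debian: terminate-on-connection-failure). */`, keeps that reasoning with the code where the next reader will look for it. Calling exit() from inside the handler also bypasses whatever the normal return path does afterwards; whether any cleanup (e.g. restoring terminal state) depends on that is not visible here and is worth confirming. The enclosing handler starts before and ends after the hunk.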
/terminate-on-connection-failure.patch |
---|
Property changes: |
Added: svn:executable |
## -0,0 +1 ## |
+* |
\ No newline at end of property |
Index: blacklist.patch |
=================================================================== |
--- blacklist.patch (nonexistent) |
+++ blacklist.patch (revision 79) |
@@ -0,0 +1,380 @@ |
+Author: Magnus Holmgren <holmgren@debian.org> |
+Description: Check keys against openssh-blacklist |
+ Check keys before accepting for pubkey authentication as well as on conversion |
+ by lsh-writekey and lsh-decode-key. |
+ . |
+ blacklist.c code copied from the openssh package and adapted for LSH. |
+ |
+--- a/src/Makefile.am |
++++ b/src/Makefile.am |
+@@ -69,7 +69,8 @@ liblsh_a_SOURCES = abstract_io.c abstrac |
+ unix_interact.c unix_process.c unix_random.c unix_user.c \ |
+ userauth.c \ |
+ werror.c write_buffer.c write_packet.c \ |
+- xalloc.c xauth.c zlib.c |
++ xalloc.c xauth.c zlib.c \ |
++ blacklist.c |
+ |
+ liblsh_a_LIBADD = @LIBOBJS@ |
+ |
+--- a/src/abstract_crypto.h |
++++ b/src/abstract_crypto.h |
+@@ -162,7 +162,9 @@ MAC_DIGEST((instance), lsh_string_alloc( |
+ (public_key method (string)) |
+ |
+ ; Returns (public-key (<pub-sig-alg-id> <s-expr>*)) |
+- (public_spki_key method (string) "int transport"))) |
++ (public_spki_key method (string) "int transport") |
++ |
++ (key_size method uint32_t))) |
+ */ |
+ |
+ #define VERIFY(verifier, algorithm, length, data, slength, sdata) \ |
+@@ -170,7 +172,7 @@ MAC_DIGEST((instance), lsh_string_alloc( |
+ |
+ #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier))) |
+ #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t))) |
+- |
++#define KEY_SIZE(verifier) ((verifier)->key_size((verifier))) |
+ |
+ /* GABA: |
+ (class |
+--- a/src/abstract_crypto.h.x |
++++ b/src/abstract_crypto.h.x |
+@@ -161,6 +161,7 @@ struct verifier |
+ int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data); |
+ struct lsh_string *(*(public_key))(struct verifier *self); |
+ struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport); |
++ uint32_t *(*(key_size))(struct verifier *self); |
+ }; |
+ extern struct lsh_class verifier_class; |
+ #endif /* !GABA_DEFINE */ |
+--- /dev/null |
++++ b/src/blacklist.c |
+@@ -0,0 +1,150 @@ |
++#if HAVE_CONFIG_H |
++#include "config.h" |
++#endif |
++ |
++#include <assert.h> |
++ |
++#include "atoms.h" |
++#include "format.h" |
++#include "lsh_string.h" |
++#include "werror.h" |
++#include "crypto.h" |
++ |
++#include <sys/types.h> |
++#include <sys/stat.h> |
++#include <unistd.h> |
++#include <fcntl.h> |
++#include <string.h> |
++ |
++int blacklisted_key(struct verifier *v, int method); |
++ |
++/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ |
++static int |
++blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file) |
++{ |
++ int fd = -1; |
++ const char *hash = 0; |
++ uint32_t line_len; |
++ struct stat st; |
++ char buf[256]; |
++ off_t start, lower, upper; |
++ int ret = 0; |
++ |
++ debug("Checking blacklist file %S\n", blacklist_file); |
++ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY); |
++ if (fd < 0) { |
++ ret = -1; |
++ goto out; |
++ } |
++ |
++ hash = lsh_get_cstring(lsh_hash) + 12; |
++ line_len = strlen(hash); |
++ if (line_len != 20) |
++ goto out; |
++ |
++ /* Skip leading comments */ |
++ start = 0; |
++ for (;;) { |
++ ssize_t r; |
++ char *newline; |
++ |
++ r = read(fd, buf, sizeof(buf)); |
++ if (r <= 0) |
++ goto out; |
++ if (buf[0] != '#') |
++ break; |
++ |
++ newline = memchr(buf, '\n', sizeof(buf)); |
++ if (!newline) |
++ goto out; |
++ start += newline + 1 - buf; |
++ if (lseek(fd, start, SEEK_SET) < 0) |
++ goto out; |
++ } |
++ |
++ /* Initialise binary search record numbers */ |
++ if (fstat(fd, &st) < 0) |
++ goto out; |
++ lower = 0; |
++ upper = (st.st_size - start) / (line_len + 1); |
++ |
++ while (lower != upper) { |
++ off_t cur; |
++ int cmp; |
++ |
++ cur = lower + (upper - lower) / 2; |
++ |
++ /* Read this line and compare to digest; this is |
++ * overflow-safe since cur < max(off_t) / (line_len + 1) */ |
++ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0) |
++ break; |
++ if (read(fd, buf, line_len) != line_len) |
++ break; |
++ cmp = memcmp(buf, hash, line_len); |
++ if (cmp < 0) { |
++ if (cur == lower) |
++ break; |
++ lower = cur; |
++ } else if (cmp > 0) { |
++ if (cur == upper) |
++ break; |
++ upper = cur; |
++ } else { |
++ ret = 1; |
++ break; |
++ } |
++ } |
++ |
++out: |
++ if (fd >= 0) |
++ close(fd); |
++ return ret; |
++} |
++ |
++/* |
++ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found, |
++ * its fingerprint is returned in *fp, unless fp is NULL. |
++ */ |
++int |
++blacklisted_key(struct verifier *v, int method) |
++{ |
++ const char *keytype; |
++ int ret = -1; |
++ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL }; |
++ const char **pp; |
++ struct lsh_string *lsh_hash = ssh_format("%lfxS", |
++ hash_string(&crypto_md5_algorithm, |
++ PUBLIC_KEY(v), 1)); |
++ uint32_t keysize = KEY_SIZE(v); |
++ |
++ switch (method) |
++ { |
++ case ATOM_SSH_DSS: |
++ case ATOM_DSA: |
++ keytype = "DSA"; |
++ break; |
++ case ATOM_SSH_RSA: |
++ case ATOM_RSA_PKCS1_SHA1: |
++ case ATOM_RSA_PKCS1_MD5: |
++ case ATOM_RSA_PKCS1: |
++ keytype = "RSA"; |
++ break; |
++ default: |
++ werror("Unrecognized key type"); |
++ return -1; |
++ } |
++ |
++ for (pp = paths; *pp && ret <= 0; pp++) { |
++ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di", |
++ *pp, keytype, keysize); |
++ int r = blacklisted_key_in_file(lsh_hash, blacklist_file); |
++ lsh_string_free(blacklist_file); |
++ if (r > ret) ret = r; |
++ } |
++ |
++ if (ret > 0) { |
++ werror("Key is compromised: %z %i %fS\n", keytype, keysize, |
++ lsh_string_colonize(lsh_hash, 2, 0)); |
++ } |
++ return ret; |
++} |
+--- a/src/dsa.c |
++++ b/src/dsa.c |
+@@ -189,6 +189,14 @@ do_dsa_public_spki_key(struct verifier * |
+ "y", self->key.y); |
+ } |
+ |
++static uint32_t |
++do_dsa_key_size(struct verifier *v) |
++{ |
++ CAST(dsa_verifier, self, v); |
++ |
++ return mpz_sizeinbase(self->key.p, 2); |
++} |
++ |
+ static void |
+ init_dsa_verifier(struct dsa_verifier *self) |
+ { |
+@@ -199,6 +207,7 @@ init_dsa_verifier(struct dsa_verifier *s |
+ self->super.verify = do_dsa_verify; |
+ self->super.public_spki_key = do_dsa_public_spki_key; |
+ self->super.public_key = do_dsa_public_key; |
++ self->super.key_size = do_dsa_key_size; |
+ } |
+ |
+ |
+--- a/src/lsh-decode-key.c |
++++ b/src/lsh-decode-key.c |
+@@ -133,6 +133,10 @@ lsh_decode_key(struct lsh_string *conten |
+ werror("Invalid dsa key.\n"); |
+ return NULL; |
+ } |
++ else if (blacklisted_key(v, type)) |
++ { |
++ return NULL; |
++ } |
+ else |
+ return PUBLIC_SPKI_KEY(v, 1); |
+ } |
+@@ -150,6 +154,10 @@ lsh_decode_key(struct lsh_string *conten |
+ werror("Invalid rsa key.\n"); |
+ return NULL; |
+ } |
++ else if (blacklisted_key(v, type)) |
++ { |
++ return NULL; |
++ } |
+ else |
+ return PUBLIC_SPKI_KEY(v, 1); |
+ } |
+--- a/src/lsh-writekey.c |
++++ b/src/lsh-writekey.c |
+@@ -397,14 +397,18 @@ process_public(const struct lsh_string * |
+ { |
+ struct signer *s; |
+ struct verifier *v; |
++ int algorithm_name; |
+ |
+- s = spki_make_signer(options->signature_algorithms, key, NULL); |
++ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name); |
+ |
+ if (!s) |
+ return NULL; |
+ |
+ v = SIGNER_GET_VERIFIER(s); |
+ assert(v); |
++ if (blacklisted_key(v, algorithm_name)) { |
++ return NULL; |
++ } |
+ |
+ return PUBLIC_SPKI_KEY(v, 1); |
+ } |
+@@ -416,7 +420,8 @@ main(int argc, char **argv) |
+ int private_fd; |
+ int public_fd; |
+ struct lsh_string *input; |
+- struct lsh_string *output; |
++ struct lsh_string *priv_output; |
++ struct lsh_string *pub_output; |
+ const struct exception *e; |
+ |
+ argp_parse(&main_argp, argc, argv, 0, NULL, options); |
+@@ -439,16 +444,22 @@ main(int argc, char **argv) |
+ return EXIT_FAILURE; |
+ } |
+ |
+- output = process_private(input, options); |
+- if (!output) |
++ pub_output = process_public(input, options); |
++ if (!pub_output) |
++ return EXIT_FAILURE; |
++ |
++ priv_output = process_private(input, options); |
++ if (!priv_output) |
+ return EXIT_FAILURE; |
+ |
++ lsh_string_free(input); |
++ |
+ private_fd = open_file(options->private_file); |
+ if (private_fd < 0) |
+ return EXIT_FAILURE; |
+ |
+- e = write_raw(private_fd, STRING_LD(output)); |
+- lsh_string_free(output); |
++ e = write_raw(private_fd, STRING_LD(priv_output)); |
++ lsh_string_free(priv_output); |
+ |
+ if (e) |
+ { |
+@@ -457,18 +468,12 @@ main(int argc, char **argv) |
+ return EXIT_FAILURE; |
+ } |
+ |
+- output = process_public(input, options); |
+- lsh_string_free(input); |
+- |
+- if (!output) |
+- return EXIT_FAILURE; |
+- |
+ public_fd = open_file(options->public_file); |
+ if (public_fd < 0) |
+ return EXIT_FAILURE; |
+ |
+- e = write_raw(public_fd, STRING_LD(output)); |
+- lsh_string_free(output); |
++ e = write_raw(public_fd, STRING_LD(pub_output)); |
++ lsh_string_free(pub_output); |
+ |
+ if (e) |
+ { |
+--- a/src/publickey_crypto.h |
++++ b/src/publickey_crypto.h |
+@@ -203,5 +203,7 @@ parse_ssh_dss_public(struct simple_buffe |
+ struct verifier * |
+ make_ssh_dss_verifier(const struct lsh_string *public); |
+ |
++int |
++blacklisted_key(struct verifier *v, int method); |
+ |
+ #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */ |
+--- a/src/rsa.c |
++++ b/src/rsa.c |
+@@ -167,6 +167,14 @@ do_rsa_public_spki_key(struct verifier * |
+ self->key.n, self->key.e); |
+ } |
+ |
++static uint32_t |
++do_rsa_key_size(struct verifier *v) |
++{ |
++ CAST(rsa_verifier, self, v); |
++ |
++ return mpz_sizeinbase(self->key.n, 2); |
++} |
++ |
+ |
+ /* NOTE: To initialize an rsa verifier, one must |
+ * |
+@@ -184,6 +192,7 @@ init_rsa_verifier(struct rsa_verifier *s |
+ self->super.verify = do_rsa_verify; |
+ self->super.public_key = do_rsa_public_key; |
+ self->super.public_spki_key = do_rsa_public_spki_key; |
++ self->super.key_size = do_rsa_key_size; |
+ } |
+ |
+ /* Alternative constructor using a key of type ssh-rsa, when the atom |
+--- a/src/server_authorization.c |
++++ b/src/server_authorization.c |
+@@ -93,7 +93,8 @@ do_key_lookup(struct lookup_verifier *c, |
+ PUBLIC_SPKI_KEY(v, 0), |
+ 1)); |
+ |
+- if (USER_FILE_EXISTS(keyholder, filename, 1)) |
++ if (USER_FILE_EXISTS(keyholder, filename, 1) |
++ && blacklisted_key(v, method) < 1) |
+ return v; |
+ |
+ return NULL; |
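Review bot: The three call sites disagree on what a negative result from `blacklisted_key()` means: it returns -1 both for an unrecognized key type and when no blacklist file could be opened (`ret` starts at -1 and only a file hit raises it), yet lsh-decode-key.c and lsh-writekey.c test the result with a plain `if (blacklisted_key(v, ...))`, so a key for which no blacklist file exists (a type/size the installed lists do not cover) is refused as though it were compromised, while server_authorization.c uses `< 1` and accepts it. Decide on one policy and make the callers agree; `else if (blacklisted_key(v, type) > 0)` in the two tools matches the server's behaviour, or have `blacklisted_key` warn explicitly when it could not check rather than folding that into the same return value. Separately, the hand-edited abstract_crypto.h.x declares `uint32_t *(*(key_size))(struct verifier *self);` while both implementations return `uint32_t` and `KEY_SIZE(v)` is stored in a `uint32_t`, so the `*` looks like a copy-paste slip from the `lsh_string *` lines above it. The `lsh_hash` string allocated by ssh_format in blacklisted_key() appears not to be freed on either return path (unless lsh_string_colonize's third argument is meant to release it), and in blacklisted_key_in_file() the comment-skipping loop searches `sizeof(buf)` bytes after reading only `r`, so `memchr(buf, '\n', r)` is the intended bound.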
/blacklist.patch |
Property changes: |
Added: svn:executable |
## -0,0 +1 ## |
+* |
\ No newline at end of property |
Index: nettle-2.0.patch |
=================================================================== |
--- nettle-2.0.patch (nonexistent) |
+++ nettle-2.0.patch (revision 79) |
@@ -0,0 +1,238 @@ |
+Author: Magnus Holmgren <holmgren@debian.org> |
+Description: Adapt to Nettle 2.0 |
+ |
+--- a/src/crypto.c |
++++ b/src/crypto.c |
+@@ -71,7 +71,7 @@ do_crypt_arcfour(struct crypto_instance |
+ assert(!(length % 8)); |
+ |
+ lsh_string_crypt(dst, di, src, si, length, |
+- (nettle_crypt_func) arcfour_crypt, &self->ctx); |
++ (nettle_crypt_func*) arcfour_crypt, &self->ctx); |
+ } |
+ |
+ static struct crypto_instance * |
+@@ -114,7 +114,7 @@ do_aes_cbc_encrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ AES_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) aes_encrypt, |
++ (nettle_crypt_func*) aes_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -128,7 +128,7 @@ do_aes_cbc_decrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ AES_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) aes_decrypt, |
++ (nettle_crypt_func*) aes_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -185,7 +185,7 @@ do_aes_ctr_crypt(struct crypto_instance |
+ |
+ lsh_string_ctr_crypt(dst, di, src, si, length, |
+ AES_BLOCK_SIZE, self->ctx.ctr, |
+- (nettle_crypt_func) aes_encrypt, |
++ (nettle_crypt_func*) aes_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -227,7 +227,7 @@ do_des3_encrypt(struct crypto_instance * |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ DES3_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) des3_encrypt, |
++ (nettle_crypt_func*) des3_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -241,7 +241,7 @@ do_des3_decrypt(struct crypto_instance * |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ DES3_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) des3_decrypt, |
++ (nettle_crypt_func*) des3_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -303,7 +303,7 @@ do_cast128_encrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ CAST128_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) cast128_encrypt, |
++ (nettle_crypt_func*) cast128_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -317,7 +317,7 @@ do_cast128_decrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ CAST128_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) cast128_decrypt, |
++ (nettle_crypt_func*) cast128_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -363,7 +363,7 @@ do_twofish_encrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ TWOFISH_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) twofish_encrypt, |
++ (nettle_crypt_func*) twofish_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -377,7 +377,7 @@ do_twofish_decrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ TWOFISH_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) twofish_decrypt, |
++ (nettle_crypt_func*) twofish_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -422,7 +422,7 @@ do_blowfish_encrypt(struct crypto_instan |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) blowfish_encrypt, |
++ (nettle_crypt_func*) blowfish_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -436,7 +436,7 @@ do_blowfish_decrypt(struct crypto_instan |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) blowfish_decrypt, |
++ (nettle_crypt_func*) blowfish_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -488,7 +488,7 @@ do_serpent_encrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_encrypt(dst, di, src, si, length, |
+ SERPENT_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) serpent_encrypt, |
++ (nettle_crypt_func*) serpent_encrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+@@ -502,7 +502,7 @@ do_serpent_decrypt(struct crypto_instanc |
+ |
+ lsh_string_cbc_decrypt(dst, di, src, si, length, |
+ SERPENT_BLOCK_SIZE, self->ctx.iv, |
+- (nettle_crypt_func) serpent_decrypt, |
++ (nettle_crypt_func*) serpent_decrypt, |
+ &self->ctx.ctx); |
+ } |
+ |
+--- a/src/lsh-make-seed.c |
++++ b/src/lsh-make-seed.c |
+@@ -1219,6 +1219,7 @@ main(int argc, char **argv) |
+ |
+ struct yarrow256_ctx yarrow; |
+ struct yarrow_source sources[NSOURCES]; |
++ uint8_t seed[YARROW256_SEED_FILE_SIZE]; |
+ |
+ argp_parse(&main_argp, argc, argv, 0, NULL, options); |
+ |
+@@ -1371,7 +1372,8 @@ main(int argc, char **argv) |
+ } |
+ } |
+ |
+- e = write_raw(fd, sizeof(yarrow.seed_file), yarrow.seed_file); |
++ yarrow256_random(&yarrow, sizeof(seed), seed); |
++ e = write_raw(fd, sizeof(seed), seed); |
+ |
+ if (e) |
+ { |
+--- a/src/unix_random.c |
++++ b/src/unix_random.c |
+@@ -81,6 +81,7 @@ write_seed_file(struct yarrow256_ctx *ct |
+ int fd) |
+ { |
+ const struct exception *e; |
++ uint8_t seed[YARROW256_SEED_FILE_SIZE]; |
+ |
+ if (lseek(fd, 0, SEEK_SET) < 0) |
+ { |
+@@ -88,7 +89,8 @@ write_seed_file(struct yarrow256_ctx *ct |
+ return 0; |
+ } |
+ |
+- e = write_raw(fd, YARROW256_SEED_FILE_SIZE, ctx->seed_file); |
++ yarrow256_random(ctx, sizeof(seed), seed); |
++ e = write_raw(fd, sizeof(seed), seed); |
+ |
+ if (e) |
+ { |
+@@ -183,17 +185,19 @@ update_seed_file(struct unix_random *sel |
+ { |
+ struct lsh_string *s = read_seed_file(self->seed_file_fd); |
+ |
+- write_seed_file(&self->yarrow, self->seed_file_fd); |
+- KILL_RESOURCE(lock); |
+- |
+ /* Mix in the old seed file, it might have picked up |
+ * some randomness. */ |
+ if (s) |
+ { |
++ self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST; |
+ yarrow256_update(&self->yarrow, RANDOM_SOURCE_NEW_SEED, |
+ 0, STRING_LD(s)); |
+ lsh_string_free(s); |
++ yarrow256_fast_reseed(&self->yarrow); |
+ } |
++ |
++ write_seed_file(&self->yarrow, self->seed_file_fd); |
++ KILL_RESOURCE(lock); |
+ } |
+ } |
+ |
+--- a/src/Makefile.am |
++++ b/src/Makefile.am |
+@@ -113,7 +113,7 @@ lsh_krb_checkpw_LDADD=@KRB_LIBS@ |
+ |
+ lsh_execuv_LDADD= |
+ |
+-LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@ |
++LDADD = liblsh.a spki/libspki.a -lnettle -lhogweed @LIBARGP@ |
+ |
+ # To avoid having to link lshg with nettle, link with dummy.o. |
+ |
+--- a/src/spki/testsuite/Makefile.am |
++++ b/src/spki/testsuite/Makefile.am |
+@@ -9,7 +9,7 @@ TS_ALL = $(TS_PROGS) $(TS_SH) |
+ |
+ noinst_PROGRAMS = $(TS_PROGS) |
+ |
+-LDADD = testutils.o ../libspki.a -lnettle |
++LDADD = testutils.o ../libspki.a -lnettle -lhogweed |
+ |
+ include .dist_cdsa |
+ |
+--- a/src/spki/tools/Makefile.am |
++++ b/src/spki/tools/Makefile.am |
+@@ -6,7 +6,7 @@ noinst_PROGRAMS = spki-check-signature s |
+ # that affects all programs. |
+ |
+ LDADD = misc.o getopt.o getopt1.o \ |
+- ../libspki.a -lnettle |
++ ../libspki.a -lnettle -lhogweed |
+ |
+ spki_make_signature_SOURCES = spki-make-signature.c sign.c |
+ spki_delegate_SOURCES = spki-delegate.c sign.c |
+--- a/src/testsuite/Makefile.am |
++++ b/src/testsuite/Makefile.am |
+@@ -34,7 +34,7 @@ noinst_PROGRAMS = $(TS_PROGS) |
+ # Workaround to get automake to keep dependencies for testutils.o |
+ EXTRA_PROGRAMS = testutils |
+ |
+-LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle \ |
++LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle -lhogweed \ |
+ $(DOTDOT_LIBARGP) |
+ |
+ include .dist_rapid7 |
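Review bot: The new `seed` buffers in lsh-make-seed.c main() and unix_random.c write_seed_file() hold the generator output that becomes the next seed file, and both functions return with that material still on the stack after write_raw(); clear it once written, e.g. `memset(seed, 0, sizeof(seed));` immediately after the write, bearing in mind that a plain memset right before return may be optimized away (use explicit_bzero or an equivalent where the platform provides one). In update_seed_file the forced `sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST` followed by an unconditional yarrow256_fast_reseed deserves a why-comment, since the intent (presumably to make sure the old seed bytes are consumed by a reseed right away rather than waiting for the pool threshold) is not obvious from the lines themselves. write_seed_file and main both start outside their hunks.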
Index: nonettle.patch |
=================================================================== |
--- nonettle.patch (nonexistent) |
+++ nonettle.patch (revision 79) |
@@ -0,0 +1,214 @@ |
+--- a/configure.ac |
++++ b/configure.ac |
+@@ -778,7 +778,6 @@ if test x$enable_ipv6 = xyes ; then |
+ fi |
+ |
+ AC_CONFIG_SUBDIRS(src/argp) |
+-AC_CONFIG_SUBDIRS(src/nettle) |
+ AC_CONFIG_SUBDIRS(src/spki) |
+ AC_CONFIG_SUBDIRS(src/sftp) |
+ |
+--- a/src/Makefile.am |
++++ b/src/Makefile.am |
+@@ -1,15 +1,12 @@ |
+ # Process this file with automake to produce Makefile.in |
+ |
+-SUBDIRS = argp rsync nettle scm sftp spki . testsuite |
++SUBDIRS = argp rsync scm sftp spki . testsuite |
+ |
+ include .dist_classes |
+ include .dist_headers |
+ |
+ BUILT_SOURCES = environ.h |
+ |
+-# Kludge needed for finding the nettle/nettle-types.h file in the build tree |
+-AM_CPPFLAGS = -I./nettle |
+- |
+ SCHEME = $(SCHEME_PROGRAM) -l $(srcdir)/scm/$(SCHEME_NAME)-compat.scm |
+ |
+ EXTRA_PROGRAMS = lsh-krb-checkpw lsh-pam-checkpw srp-gen |
+@@ -116,7 +113,7 @@ lsh_krb_checkpw_LDADD=@KRB_LIBS@ |
+ |
+ lsh_execuv_LDADD= |
+ |
+-LDADD = liblsh.a spki/libspki.a nettle/libnettle.a @LIBARGP@ |
++LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@ |
+ |
+ # To avoid having to link lshg with nettle, link with dummy.o. |
+ |
+--- a/src/rsync/Makefile.am |
++++ b/src/rsync/Makefile.am |
+@@ -3,10 +3,6 @@ |
+ noinst_LIBRARIES = librsync.a |
+ noinst_HEADERS = rsync.h |
+ |
+-# Needed for finding the nettle include files in the source tree |
+-# and nettle-types.h in the build tree. |
+-AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle |
+- |
+ librsync_a_SOURCES = generate.c receive.c checksum.c send.c |
+ |
+ |
+--- a/src/sftp/Makefile.am |
++++ b/src/sftp/Makefile.am |
+@@ -1,8 +1,5 @@ |
+ SUBDIRS = . testsuite |
+ |
+-# Needed for finding nettle-types.h in the build tree. |
+-AM_CPPFLAGS = -I.. |
+- |
+ AUTOMAKE_OPTIONS = foreign |
+ |
+ bin_PROGRAMS = lsftp |
+--- a/src/spki/Makefile.am |
++++ b/src/spki/Makefile.am |
+@@ -1,8 +1,5 @@ |
+ SUBDIRS = . tools testsuite |
+ |
+-# FIXME: Create a link to nettle directory instead? |
+-AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle |
+- |
+ noinst_LIBRARIES = libspki.a |
+ # libspkiincludedir = $(includedir)/nettle |
+ |
+--- a/src/spki/testsuite/Makefile.am |
++++ b/src/spki/testsuite/Makefile.am |
+@@ -1,8 +1,4 @@ |
+ |
+-# FIXME: Create a link to nettle directory instead? |
+-AM_CPPFLAGS = -O0 -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle |
+-AM_LDFLAGS = -L../../nettle |
+- |
+ TS_PROGS = principal-test date-test tag-test read-acl-test \ |
+ lookup-acl-test read-cert-test cdsa-reduce-test |
+ |
+--- a/src/spki/tools/Makefile.am |
++++ b/src/spki/tools/Makefile.am |
+@@ -1,16 +1,12 @@ |
+ noinst_PROGRAMS = spki-check-signature spki-make-signature \ |
+ spki-delegate spki-reduce |
+ |
+-# FIXME: Create a link to nettle directory instead? |
+-AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle |
+-AM_LDFLAGS = -L.. -L../../nettle/ |
+- |
+ # libnettle.a and libspki.a are added at the end to make sure all |
+ # programs depend on it. It seems there's no DEPENDENCIES variable |
+ # that affects all programs. |
+ |
+ LDADD = misc.o getopt.o getopt1.o \ |
+- -lspki -lnettle ../libspki.a ../../nettle/libnettle.a |
++ ../libspki.a -lnettle |
+ |
+ spki_make_signature_SOURCES = spki-make-signature.c sign.c |
+ spki_delegate_SOURCES = spki-delegate.c sign.c |
+--- a/src/testsuite/Makefile.am |
++++ b/src/testsuite/Makefile.am |
+@@ -3,7 +3,7 @@ |
+ # -O0 is not recogniced on AIX |
+ # AM_CFLAGS = -O0 |
+ |
+-AM_CPPFLAGS = -I$(srcdir)/.. -I.. -I../nettle |
++AM_CPPFLAGS = -I$(srcdir)/.. |
+ |
+ TS_PROGS = arcfour-test aes-test blowfish-test cast128-test \ |
+ des-test \ |
+@@ -34,7 +34,7 @@ noinst_PROGRAMS = $(TS_PROGS) |
+ # Workaround to get automake to keep dependencies for testutils.o |
+ EXTRA_PROGRAMS = testutils |
+ |
+-LDADD = testutils.o ../liblsh.a ../spki/libspki.a ../nettle/libnettle.a \ |
++LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle \ |
+ $(DOTDOT_LIBARGP) |
+ |
+ include .dist_rapid7 |
+@@ -59,6 +59,6 @@ all: |
+ |
+ # sexp-conv may be dynamically linked |
+ check: $(TS_ALL) |
+- LD_LIBRARY_PATH="`pwd`/../nettle/.lib" srcdir=$(srcdir) \ |
++ srcdir=$(srcdir) \ |
+ $(srcdir)/run-tests $(TS_ALL) |
+ |
+--- a/src/spki/testsuite/check-signature-test |
++++ b/src/spki/testsuite/check-signature-test |
+@@ -1,7 +1,7 @@ |
+ #! /bin/sh |
+ |
+ conv () { |
+- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in |
++ echo "$1" | sexp-conv -s transport | tee test.in |
+ } |
+ |
+ die () { |
+--- a/src/spki/testsuite/delegate-test |
++++ b/src/spki/testsuite/delegate-test |
+@@ -1,7 +1,7 @@ |
+ #! /bin/sh |
+ |
+ conv () { |
+- ../../nettle/tools/sexp-conv -s transport | tee test.in |
++ sexp-conv -s transport | tee test.in |
+ } |
+ |
+ die () { |
+@@ -12,7 +12,7 @@ die () { |
+ check_sexp () { |
+ file="$1" |
+ shift |
+- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed" |
++ sexp-conv -s canonical > test.canonical || die "sexp-conv failed" |
+ cmp "$file" test.canonical || die "$@" |
+ } |
+ |
+--- a/src/spki/testsuite/make-signature-test |
++++ b/src/spki/testsuite/make-signature-test |
+@@ -1,7 +1,7 @@ |
+ #! /bin/sh |
+ |
+ conv () { |
+- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in |
++ echo "$1" | sexp-conv -s transport | tee test.in |
+ } |
+ |
+ die () { |
+@@ -10,7 +10,7 @@ die () { |
+ } |
+ |
+ echo foo | ../tools/spki-make-signature "$srcdir/key-1" \ |
+- | ../../nettle/tools/sexp-conv -s transport > test.in |
++ | sexp-conv -s transport > test.in |
+ |
+ echo foo | ../tools/spki-check-signature "`cat test.in`" \ |
+ || die "Valid signature failed" |
+--- a/src/spki/testsuite/reduce-test |
++++ b/src/spki/testsuite/reduce-test |
+@@ -3,7 +3,7 @@ |
+ # Test case from Oscar Cánovas Reverte |
+ |
+ conv () { |
+- ../../nettle/tools/sexp-conv -s transport |
++ sexp-conv -s transport |
+ } |
+ |
+ die () { |
+@@ -14,7 +14,7 @@ die () { |
+ check_sexp () { |
+ file="$1" |
+ shift |
+- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed" |
++ sexp-conv -s canonical > test.canonical || die "sexp-conv failed" |
+ cmp "$file" test.canonical || die "$@" |
+ } |
+ |
+--- a/src/testsuite/functions.sh |
++++ b/src/testsuite/functions.sh |
+@@ -9,7 +9,7 @@ set -e |
+ : ${LSH_YARROW_SEED_FILE:="$TEST_HOME/.lsh/yarrow-seed-file"} |
+ |
+ # For lsh-authorize |
+-: ${SEXP_CONV:="`pwd`/../nettle/tools/sexp-conv"} |
++: ${SEXP_CONV:="sexp-conv"} |
+ |
+ export LSH_YARROW_SEED_FILE SEXP_CONV |
+ |
Index: series |
=================================================================== |
--- series (nonexistent) |
+++ series (revision 79) |
@@ -0,0 +1,7 @@ |
+nonettle.patch |
+sftp-server-mansection.patch |
+better-errmsg-when-dotlsh-missing.patch |
+nettle-2.0.patch |
+blacklist.patch |
+terminate-on-connection-failure.patch |
+ipv6-v6only.patch |
Index: sftp-server-mansection.patch |
=================================================================== |
--- sftp-server-mansection.patch (nonexistent) |
+++ sftp-server-mansection.patch (revision 79) |
@@ -0,0 +1,16 @@ |
+Description: Invent manual section 8lsh for lsh's sftp-server |
+ (To avoid conflicts without having to rename the sftp-server binary.) |
+Author: Magnus Holmgren <holmgren@debian.org> |
+ |
+diff -urNad trunk~/src/sftp/sftp-server.8 trunk/src/sftp/sftp-server.8 |
+--- trunk~/src/sftp/sftp-server.8 2006-05-08 21:11:17.000000000 +0200 |
++++ trunk/src/sftp/sftp-server.8 2007-10-03 20:48:35.000000000 +0200 |
+@@ -22,7 +22,7 @@ |
+ .\" maintainers of the package you received this manual from and make your |
+ .\" modified versions available to them. |
+ .\" |
+-.TH SFTP-SERVER 8 "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals" |
++.TH SFTP-SERVER 8lsh "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals" |
+ .SH NAME |
+ sftp-server - Server for the sftp subsystem |
+ .SH SYNOPSIS |
/sftp-server-mansection.patch |
Property changes: |
Added: svn:executable |
## -0,0 +1 ## |
+* |
\ No newline at end of property |
Index: ipv6-v6only.patch |
=================================================================== |
--- ipv6-v6only.patch (nonexistent) |
+++ ipv6-v6only.patch (revision 79) |
@@ -0,0 +1,22 @@ |
+Author: Magnus Holmgren <holmgren@debian.org> |
+Description: Set the IPV6_V6ONLY socket option on AF_INET6 sockets |
+ Since lshd by default enumerates available address families and calls |
+ bind() once for each, conflicts will occur otherwise. |
+ |
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c |
+--- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100 |
++++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200 |
+@@ -1690,6 +1690,13 @@ |
+ { |
+ int yes = 1; |
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes); |
++#if WITH_IPV6 && defined (IPV6_V6ONLY) |
++ if (local->sa_family == AF_INET6) |
++ { |
++ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0) |
++ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno); |
++ } |
++#endif |
+ } |
+ |
+ if (bind(s, local, length) < 0) |
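Review bot: A failed IPV6_V6ONLY setsockopt is only logged, so the conflict the description explains (the AF_INET6 bind colliding with the AF_INET one) can still occur and then surfaces as an unrelated-looking bind() error; consider treating the failure as fatal for the AF_INET6 socket, or at least extending the message so the reader knows the following bind may fail for that reason, e.g. `werror("setsockopt IPV6_V6ONLY failed: %e; bind may conflict with the IPv4 listener.\n", errno);`. The new call also passes `&yes` where the SO_REUSEADDR call two lines up uses `(char*)&yes`; using one form keeps the portability intent consistent. The enclosing function starts outside the hunk.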
/ipv6-v6only.patch |
Property changes: |
Added: svn:executable |
## -0,0 +1 ## |
+* |
\ No newline at end of property |