Subversion Repositories lsh

Compare Revisions

Rev 89 → Rev 77

/trunk/debian/source/format
File deleted
/trunk/debian/control
4,8 → 4,8
Maintainer: Magnus Holmgren <holmgren@debian.org>
Uploaders: Stefan Pfetzing <dreamind@dreamind.de>
Standards-Version: 3.9.1
Build-Depends: debhelper (>= 7), dh-autoreconf, automake,
libgmp10-dev, zlib1g-dev | libz-dev, liboop-dev, libxau-dev, nettle-dev (>= 2.1~), nettle-bin,
Build-Depends: cdbs, debhelper (>= 5), dpatch, autotools-dev,
libgmp3-dev, zlib1g-dev | libz-dev, liboop-dev, libxau-dev, nettle-dev,
texinfo (>= 4.2), guile-1.6 | scsh-0.6, heimdal-dev, libwrap0-dev | libwrap-dev,
libpam0g-dev | libpam-dev, libreadline-dev, m4
Homepage: http://www.lysator.liu.se/~nisse/lsh/
/trunk/debian/changelog
1,29 → 1,3
lsh-utils (2.0.4-dfsg-8) unstable; urgency=low
 
* Change source format to 3.0 (quilt), renaming all patches
from *.dpatch to *.patch and dropping the numbers.
* While 30_nonettle.dpatch was a script that used sed to modify
instances of Makefile.in, nonettle.patch patches Makefile.am files as
well as configure.ac. dh-autoremake is used to call autoremake before
configure and to restore the effects in the clean target. The
src/nettle subdirectory still needs to be renamed to avoid its header
files from being found; that is now done in debian/rules.
* Switch from CDBS to a more old-style debian/rules to get better
control over the build process.
* Increase Debhelper compat level to 7.
* blacklist.patch: Don't reject when blacklisted_key() returns -1,
indicating no blacklist file for the key type and/or size in question
exists.
* nettle-2.1.patch (new): Build with Nettle 2.1.
* Enable tests.
testsuite-mini-inetd-localhost.patch (new): When told to bind to
"localhost", mini-inetd, which is used in certain (optional) tests,
seems to bind to 255.255.255.255, which is of course no good. Tell it
to bind to 127.0.0.1 instead.
* debian/lsh-doc.doc-base: Change section to the new `Network/Remote Access'.
 
-- Magnus Holmgren <holmgren@debian.org> Sun, 20 Mar 2011 01:30:08 +0100
 
lsh-utils (2.0.4-dfsg-7) unstable; urgency=low
 
* terminate_on_connection_failure.dpatch (new): Make sure that lsh exits
/trunk/debian/patches/testsuite-mini-inetd-localhost.patch
File deleted
/trunk/debian/patches/nettle-2.0.patch
File deleted
/trunk/debian/patches/nettle-2.1.patch
File deleted
/trunk/debian/patches/better-errmsg-when-dotlsh-missing.patch
File deleted
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/series
===================================================================
--- debian/patches/series (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/series (.../trunk) (nonexistent)
@@ -1,9 +0,0 @@
-nonettle.patch
-sftp-server-mansection.patch
-better-errmsg-when-dotlsh-missing.patch
-nettle-2.0.patch
-nettle-2.1.patch
-blacklist.patch
-terminate-on-connection-failure.patch
-ipv6-v6only.patch
-testsuite-mini-inetd-localhost.patch
Index: debian/patches/sftp-server-mansection.patch
===================================================================
--- debian/patches/sftp-server-mansection.patch (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/sftp-server-mansection.patch (.../trunk) (nonexistent)
@@ -1,16 +0,0 @@
-Description: Invent manual section 8lsh for lsh's sftp-server
- (To avoid conflicts without having to rename the sftp-server binary.)
-Author: Magnus Holmgren <holmgren@debian.org>
-
-diff -urNad trunk~/src/sftp/sftp-server.8 trunk/src/sftp/sftp-server.8
---- trunk~/src/sftp/sftp-server.8 2006-05-08 21:11:17.000000000 +0200
-+++ trunk/src/sftp/sftp-server.8 2007-10-03 20:48:35.000000000 +0200
-@@ -22,7 +22,7 @@
- .\" maintainers of the package you received this manual from and make your
- .\" modified versions available to them.
- .\"
--.TH SFTP-SERVER 8 "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
-+.TH SFTP-SERVER 8lsh "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
- .SH NAME
- sftp-server - Server for the sftp subsystem
- .SH SYNOPSIS
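Review bot: the change from `-.TH SFTP-SERVER 8 "NOVEMBER 2004"` to `+.TH SFTP-SERVER 8lsh "NOVEMBER 2004"` only rewrites the section in the page header; the file conflict with OpenSSH's sftp-server.8 that the Description mentions is avoided only if the page is also installed as sftp-server.8lsh, and that install rule is not part of this patch. The Description should say where that happens (debian/rules or a .manpages file), and since an invented section name is Debian-specific, a DEP-3 `Forwarded: not-needed` line would make the intent clear to the next maintainer.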
/debian/patches/sftp-server-mansection.patch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/ipv6-v6only.patch
===================================================================
--- debian/patches/ipv6-v6only.patch (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/ipv6-v6only.patch (.../trunk) (nonexistent)
@@ -1,22 +0,0 @@
-Author: Magnus Holmgren <holmgren@debian.org>
-Description: Set the IPV6_V6ONLY socket option on AF_INET6 sockets
- Since lshd by default enumerates available address families and calls
- bind() once for each, conflicts will occur otherwise.
-
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c
---- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100
-+++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200
-@@ -1690,6 +1690,13 @@
- {
- int yes = 1;
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes);
-+#if WITH_IPV6 && defined (IPV6_V6ONLY)
-+ if (local->sa_family == AF_INET6)
-+ {
-+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0)
-+ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno);
-+ }
-+#endif
- }
-
- if (bind(s, local, length) < 0)
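Review bot: a failure of `+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0)` is only logged with werror() and execution falls through to bind(), so on a dual-stack host where the option cannot be set the AF_INET6 socket still covers the v4-mapped range and the per-family bind() conflict the Description describes resurfaces as a bind() error instead of a clear message. Either treat the failure as fatal for that listener or state in the Description that the later bind() failure is the intended fallback. The SO_REUSEADDR call directly above it is still unchecked, so the two setsockopt() calls are handled inconsistently.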
/debian/patches/ipv6-v6only.patch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/nonettle.patch
===================================================================
--- debian/patches/nonettle.patch (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/nonettle.patch (.../trunk) (nonexistent)
@@ -1,214 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -778,7 +778,6 @@ if test x$enable_ipv6 = xyes ; then
- fi
-
- AC_CONFIG_SUBDIRS(src/argp)
--AC_CONFIG_SUBDIRS(src/nettle)
- AC_CONFIG_SUBDIRS(src/spki)
- AC_CONFIG_SUBDIRS(src/sftp)
-
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -1,15 +1,12 @@
- # Process this file with automake to produce Makefile.in
-
--SUBDIRS = argp rsync nettle scm sftp spki . testsuite
-+SUBDIRS = argp rsync scm sftp spki . testsuite
-
- include .dist_classes
- include .dist_headers
-
- BUILT_SOURCES = environ.h
-
--# Kludge needed for finding the nettle/nettle-types.h file in the build tree
--AM_CPPFLAGS = -I./nettle
--
- SCHEME = $(SCHEME_PROGRAM) -l $(srcdir)/scm/$(SCHEME_NAME)-compat.scm
-
- EXTRA_PROGRAMS = lsh-krb-checkpw lsh-pam-checkpw srp-gen
-@@ -116,7 +113,7 @@ lsh_krb_checkpw_LDADD=@KRB_LIBS@
-
- lsh_execuv_LDADD=
-
--LDADD = liblsh.a spki/libspki.a nettle/libnettle.a @LIBARGP@
-+LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@
-
- # To avoid having to link lshg with nettle, link with dummy.o.
-
---- a/src/rsync/Makefile.am
-+++ b/src/rsync/Makefile.am
-@@ -3,10 +3,6 @@
- noinst_LIBRARIES = librsync.a
- noinst_HEADERS = rsync.h
-
--# Needed for finding the nettle include files in the source tree
--# and nettle-types.h in the build tree.
--AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle
--
- librsync_a_SOURCES = generate.c receive.c checksum.c send.c
-
-
---- a/src/sftp/Makefile.am
-+++ b/src/sftp/Makefile.am
-@@ -1,8 +1,5 @@
- SUBDIRS = . testsuite
-
--# Needed for finding nettle-types.h in the build tree.
--AM_CPPFLAGS = -I..
--
- AUTOMAKE_OPTIONS = foreign
-
- bin_PROGRAMS = lsftp
---- a/src/spki/Makefile.am
-+++ b/src/spki/Makefile.am
-@@ -1,8 +1,5 @@
- SUBDIRS = . tools testsuite
-
--# FIXME: Create a link to nettle directory instead?
--AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle
--
- noinst_LIBRARIES = libspki.a
- # libspkiincludedir = $(includedir)/nettle
-
---- a/src/spki/testsuite/Makefile.am
-+++ b/src/spki/testsuite/Makefile.am
-@@ -1,8 +1,4 @@
-
--# FIXME: Create a link to nettle directory instead?
--AM_CPPFLAGS = -O0 -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle
--AM_LDFLAGS = -L../../nettle
--
- TS_PROGS = principal-test date-test tag-test read-acl-test \
- lookup-acl-test read-cert-test cdsa-reduce-test
-
---- a/src/spki/tools/Makefile.am
-+++ b/src/spki/tools/Makefile.am
-@@ -1,16 +1,12 @@
- noinst_PROGRAMS = spki-check-signature spki-make-signature \
- spki-delegate spki-reduce
-
--# FIXME: Create a link to nettle directory instead?
--AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle
--AM_LDFLAGS = -L.. -L../../nettle/
--
- # libnettle.a and libspki.a are added at the end to make sure all
- # programs depend on it. It seems there's no DEPENDENCIES variable
- # that affects all programs.
-
- LDADD = misc.o getopt.o getopt1.o \
-- -lspki -lnettle ../libspki.a ../../nettle/libnettle.a
-+ ../libspki.a -lnettle
-
- spki_make_signature_SOURCES = spki-make-signature.c sign.c
- spki_delegate_SOURCES = spki-delegate.c sign.c
---- a/src/testsuite/Makefile.am
-+++ b/src/testsuite/Makefile.am
-@@ -3,7 +3,7 @@
- # -O0 is not recogniced on AIX
- # AM_CFLAGS = -O0
-
--AM_CPPFLAGS = -I$(srcdir)/.. -I.. -I../nettle
-+AM_CPPFLAGS = -I$(srcdir)/..
-
- TS_PROGS = arcfour-test aes-test blowfish-test cast128-test \
- des-test \
-@@ -34,7 +34,7 @@ noinst_PROGRAMS = $(TS_PROGS)
- # Workaround to get automake to keep dependencies for testutils.o
- EXTRA_PROGRAMS = testutils
-
--LDADD = testutils.o ../liblsh.a ../spki/libspki.a ../nettle/libnettle.a \
-+LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle \
- $(DOTDOT_LIBARGP)
-
- include .dist_rapid7
-@@ -59,6 +59,6 @@ all:
-
- # sexp-conv may be dynamically linked
- check: $(TS_ALL)
-- LD_LIBRARY_PATH="`pwd`/../nettle/.lib" srcdir=$(srcdir) \
-+ srcdir=$(srcdir) \
- $(srcdir)/run-tests $(TS_ALL)
-
---- a/src/spki/testsuite/check-signature-test
-+++ b/src/spki/testsuite/check-signature-test
-@@ -1,7 +1,7 @@
- #! /bin/sh
-
- conv () {
-- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in
-+ echo "$1" | sexp-conv -s transport | tee test.in
- }
-
- die () {
---- a/src/spki/testsuite/delegate-test
-+++ b/src/spki/testsuite/delegate-test
-@@ -1,7 +1,7 @@
- #! /bin/sh
-
- conv () {
-- ../../nettle/tools/sexp-conv -s transport | tee test.in
-+ sexp-conv -s transport | tee test.in
- }
-
- die () {
-@@ -12,7 +12,7 @@ die () {
- check_sexp () {
- file="$1"
- shift
-- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
-+ sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
- cmp "$file" test.canonical || die "$@"
- }
-
---- a/src/spki/testsuite/make-signature-test
-+++ b/src/spki/testsuite/make-signature-test
-@@ -1,7 +1,7 @@
- #! /bin/sh
-
- conv () {
-- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in
-+ echo "$1" | sexp-conv -s transport | tee test.in
- }
-
- die () {
-@@ -10,7 +10,7 @@ die () {
- }
-
- echo foo | ../tools/spki-make-signature "$srcdir/key-1" \
-- | ../../nettle/tools/sexp-conv -s transport > test.in
-+ | sexp-conv -s transport > test.in
-
- echo foo | ../tools/spki-check-signature "`cat test.in`" \
- || die "Valid signature failed"
---- a/src/spki/testsuite/reduce-test
-+++ b/src/spki/testsuite/reduce-test
-@@ -3,7 +3,7 @@
- # Test case from Oscar Cánovas Reverte
-
- conv () {
-- ../../nettle/tools/sexp-conv -s transport
-+ sexp-conv -s transport
- }
-
- die () {
-@@ -14,7 +14,7 @@ die () {
- check_sexp () {
- file="$1"
- shift
-- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
-+ sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
- cmp "$file" test.canonical || die "$@"
- }
-
---- a/src/testsuite/functions.sh
-+++ b/src/testsuite/functions.sh
-@@ -9,7 +9,7 @@ set -e
- : ${LSH_YARROW_SEED_FILE:="$TEST_HOME/.lsh/yarrow-seed-file"}
-
- # For lsh-authorize
--: ${SEXP_CONV:="`pwd`/../nettle/tools/sexp-conv"}
-+: ${SEXP_CONV:="sexp-conv"}
-
- export LSH_YARROW_SEED_FILE SEXP_CONV
-
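Review bot: this patch carries no DEP-3 header at all (it starts directly with `--- a/configure.ac`), unlike the other patches in the series; add Description/Author lines saying that it switches the build from the bundled src/nettle copy to the system library. That switch is the security-relevant part of the change: with `+LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@` and the matching `-lnettle` in src/spki/tools and src/testsuite, a Nettle security update reaches the lsh binaries without a rebuild, which the static ../nettle/libnettle.a never could. Two consequences worth recording in the header: the testsuite scripts now locate `sexp-conv` via PATH (hence the nettle-bin build-dependency in debian/control), and `+AM_CPPFLAGS = -I$(srcdir)/..` in src/testsuite/Makefile.am still puts the bundled headers under src/nettle ahead of the system ones, so they keep shadowing the system headers until that directory is renamed, which the changelog says is done in debian/rules rather than in this patch.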
Index: debian/patches/terminate-on-connection-failure.patch
===================================================================
--- debian/patches/terminate-on-connection-failure.patch (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/terminate-on-connection-failure.patch (.../trunk) (nonexistent)
@@ -1,16 +0,0 @@
-Author: Magnus Holmgren <holmgren@debian.org>
-Description: Call exit() in lsh's default exception handler on EXC_IO_CONNECT
- Otherwise lsh won't terminate.
-
-diff -urNad trunk~/src/lsh.c trunk/src/lsh.c
---- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100
-+++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100
-@@ -959,6 +959,8 @@
- *self->status = EXIT_FAILURE;
-
- werror("%z, (errno = %i)\n", e->msg, exc->error);
-+ if (e->type == EXC_IO_CONNECT)
-+ exit(*self->status);
- }
- else
- switch(e->type)
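Review bot: `+ exit(*self->status);` terminates the process from inside the default exception handler, which may skip whatever cleanup the normal shutdown path performs once the event loop ends; the Description ("Otherwise lsh won't terminate.") should say which path keeps the client alive after a failed connect so upstream can judge whether exiting here or dropping the outstanding callbacks is the right fix. A DEP-3 `Forwarded:` or `Bug:` line would help for the same reason, since the handler change looks like something upstream should see.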
/debian/patches/terminate-on-connection-failure.patch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/blacklist.patch
===================================================================
--- debian/patches/blacklist.patch (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/patches/blacklist.patch (.../trunk) (nonexistent)
@@ -1,382 +0,0 @@
-Author: Magnus Holmgren <holmgren@debian.org>
-Description: Check keys against openssh-blacklist
- Check keys before accepting for pubkey authentication as well as on conversion
- by lsh-writekey and lsh-decode-key.
- .
- blacklist.c code copied from the openssh package and adapted for LSH.
-
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -69,7 +69,8 @@ liblsh_a_SOURCES = abstract_io.c abstrac
- unix_interact.c unix_process.c unix_random.c unix_user.c \
- userauth.c \
- werror.c write_buffer.c write_packet.c \
-- xalloc.c xauth.c zlib.c
-+ xalloc.c xauth.c zlib.c \
-+ blacklist.c
-
- liblsh_a_LIBADD = @LIBOBJS@
-
---- a/src/abstract_crypto.h
-+++ b/src/abstract_crypto.h
-@@ -162,7 +162,9 @@ MAC_DIGEST((instance), lsh_string_alloc(
- (public_key method (string))
-
- ; Returns (public-key (<pub-sig-alg-id> <s-expr>*))
-- (public_spki_key method (string) "int transport")))
-+ (public_spki_key method (string) "int transport")
-+
-+ (key_size method uint32_t)))
- */
-
- #define VERIFY(verifier, algorithm, length, data, slength, sdata) \
-@@ -170,7 +172,7 @@ MAC_DIGEST((instance), lsh_string_alloc(
-
- #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier)))
- #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t)))
--
-+#define KEY_SIZE(verifier) ((verifier)->key_size((verifier)))
-
- /* GABA:
- (class
---- a/src/abstract_crypto.h.x
-+++ b/src/abstract_crypto.h.x
-@@ -161,6 +161,7 @@ struct verifier
- int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data);
- struct lsh_string *(*(public_key))(struct verifier *self);
- struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport);
-+ uint32_t *(*(key_size))(struct verifier *self);
- };
- extern struct lsh_class verifier_class;
- #endif /* !GABA_DEFINE */
---- /dev/null
-+++ b/src/blacklist.c
-@@ -0,0 +1,152 @@
-+#if HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+
-+#include <assert.h>
-+
-+#include "atoms.h"
-+#include "format.h"
-+#include "lsh_string.h"
-+#include "werror.h"
-+#include "crypto.h"
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <string.h>
-+
-+int blacklisted_key(struct verifier *v, int method);
-+
-+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
-+static int
-+blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file)
-+{
-+ int fd = -1;
-+ const char *hash = 0;
-+ uint32_t line_len;
-+ struct stat st;
-+ char buf[256];
-+ off_t start, lower, upper;
-+ int ret = 0;
-+
-+ debug("Checking blacklist file %S\n", blacklist_file);
-+ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY);
-+ if (fd < 0) {
-+ ret = -1;
-+ goto out;
-+ }
-+
-+ hash = lsh_get_cstring(lsh_hash) + 12;
-+ line_len = strlen(hash);
-+ if (line_len != 20)
-+ goto out;
-+
-+ /* Skip leading comments */
-+ start = 0;
-+ for (;;) {
-+ ssize_t r;
-+ char *newline;
-+
-+ r = read(fd, buf, sizeof(buf));
-+ if (r <= 0)
-+ goto out;
-+ if (buf[0] != '#')
-+ break;
-+
-+ newline = memchr(buf, '\n', sizeof(buf));
-+ if (!newline)
-+ goto out;
-+ start += newline + 1 - buf;
-+ if (lseek(fd, start, SEEK_SET) < 0)
-+ goto out;
-+ }
-+
-+ /* Initialise binary search record numbers */
-+ if (fstat(fd, &st) < 0)
-+ goto out;
-+ lower = 0;
-+ upper = (st.st_size - start) / (line_len + 1);
-+
-+ while (lower != upper) {
-+ off_t cur;
-+ int cmp;
-+
-+ cur = lower + (upper - lower) / 2;
-+
-+ /* Read this line and compare to digest; this is
-+ * overflow-safe since cur < max(off_t) / (line_len + 1) */
-+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
-+ break;
-+ if (read(fd, buf, line_len) != line_len)
-+ break;
-+ cmp = memcmp(buf, hash, line_len);
-+ if (cmp < 0) {
-+ if (cur == lower)
-+ break;
-+ lower = cur;
-+ } else if (cmp > 0) {
-+ if (cur == upper)
-+ break;
-+ upper = cur;
-+ } else {
-+ ret = 1;
-+ break;
-+ }
-+ }
-+
-+out:
-+ if (fd >= 0)
-+ close(fd);
-+ return ret;
-+}
-+
-+/*
-+ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found,
-+ * its fingerprint is returned in *fp, unless fp is NULL.
-+ */
-+int
-+blacklisted_key(struct verifier *v, int method)
-+{
-+ const char *keytype;
-+ int ret = -1;
-+ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL };
-+ const char **pp;
-+ struct lsh_string *lsh_hash = ssh_format("%lfxS",
-+ hash_string(&crypto_md5_algorithm,
-+ PUBLIC_KEY(v), 1));
-+ uint32_t keysize = KEY_SIZE(v);
-+
-+ switch (method)
-+ {
-+ case ATOM_SSH_DSS:
-+ case ATOM_DSA:
-+ keytype = "DSA";
-+ break;
-+ case ATOM_SSH_RSA:
-+ case ATOM_RSA_PKCS1_SHA1:
-+ case ATOM_RSA_PKCS1_MD5:
-+ case ATOM_RSA_PKCS1:
-+ keytype = "RSA";
-+ break;
-+ default:
-+ werror("Unrecognized key type");
-+ return -1;
-+ }
-+
-+ for (pp = paths; *pp && ret <= 0; pp++) {
-+ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di",
-+ *pp, keytype, keysize);
-+ int r = blacklisted_key_in_file(lsh_hash, blacklist_file);
-+ lsh_string_free(blacklist_file);
-+ if (r > ret) ret = r;
-+ }
-+
-+ if (ret > 0) {
-+ werror("Key is compromised: %z %i %fS\n", keytype, keysize,
-+ lsh_string_colonize(lsh_hash, 2, 0));
-+ } else if (ret < 0) {
-+ verbose("No blacklist for key type %z size %i", keytype, keysize);
-+ }
-+ return ret;
-+}
---- a/src/dsa.c
-+++ b/src/dsa.c
-@@ -189,6 +189,14 @@ do_dsa_public_spki_key(struct verifier *
- "y", self->key.y);
- }
-
-+static uint32_t
-+do_dsa_key_size(struct verifier *v)
-+{
-+ CAST(dsa_verifier, self, v);
-+
-+ return mpz_sizeinbase(self->key.p, 2);
-+}
-+
- static void
- init_dsa_verifier(struct dsa_verifier *self)
- {
-@@ -199,6 +207,7 @@ init_dsa_verifier(struct dsa_verifier *s
- self->super.verify = do_dsa_verify;
- self->super.public_spki_key = do_dsa_public_spki_key;
- self->super.public_key = do_dsa_public_key;
-+ self->super.key_size = do_dsa_key_size;
- }
-
-
---- a/src/lsh-decode-key.c
-+++ b/src/lsh-decode-key.c
-@@ -133,6 +133,10 @@ lsh_decode_key(struct lsh_string *conten
- werror("Invalid dsa key.\n");
- return NULL;
- }
-+ else if (blacklisted_key(v, type) > 0)
-+ {
-+ return NULL;
-+ }
- else
- return PUBLIC_SPKI_KEY(v, 1);
- }
-@@ -150,6 +154,10 @@ lsh_decode_key(struct lsh_string *conten
- werror("Invalid rsa key.\n");
- return NULL;
- }
-+ else if (blacklisted_key(v, type) > 0)
-+ {
-+ return NULL;
-+ }
- else
- return PUBLIC_SPKI_KEY(v, 1);
- }
---- a/src/lsh-writekey.c
-+++ b/src/lsh-writekey.c
-@@ -397,14 +397,18 @@ process_public(const struct lsh_string *
- {
- struct signer *s;
- struct verifier *v;
-+ int algorithm_name;
-
-- s = spki_make_signer(options->signature_algorithms, key, NULL);
-+ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name);
-
- if (!s)
- return NULL;
-
- v = SIGNER_GET_VERIFIER(s);
- assert(v);
-+ if (blacklisted_key(v, algorithm_name) > 0) {
-+ return NULL;
-+ }
-
- return PUBLIC_SPKI_KEY(v, 1);
- }
-@@ -416,7 +420,8 @@ main(int argc, char **argv)
- int private_fd;
- int public_fd;
- struct lsh_string *input;
-- struct lsh_string *output;
-+ struct lsh_string *priv_output;
-+ struct lsh_string *pub_output;
- const struct exception *e;
-
- argp_parse(&main_argp, argc, argv, 0, NULL, options);
-@@ -439,16 +444,22 @@ main(int argc, char **argv)
- return EXIT_FAILURE;
- }
-
-- output = process_private(input, options);
-- if (!output)
-+ pub_output = process_public(input, options);
-+ if (!pub_output)
-+ return EXIT_FAILURE;
-+
-+ priv_output = process_private(input, options);
-+ if (!priv_output)
- return EXIT_FAILURE;
-
-+ lsh_string_free(input);
-+
- private_fd = open_file(options->private_file);
- if (private_fd < 0)
- return EXIT_FAILURE;
-
-- e = write_raw(private_fd, STRING_LD(output));
-- lsh_string_free(output);
-+ e = write_raw(private_fd, STRING_LD(priv_output));
-+ lsh_string_free(priv_output);
-
- if (e)
- {
-@@ -457,18 +468,12 @@ main(int argc, char **argv)
- return EXIT_FAILURE;
- }
-
-- output = process_public(input, options);
-- lsh_string_free(input);
--
-- if (!output)
-- return EXIT_FAILURE;
--
- public_fd = open_file(options->public_file);
- if (public_fd < 0)
- return EXIT_FAILURE;
-
-- e = write_raw(public_fd, STRING_LD(output));
-- lsh_string_free(output);
-+ e = write_raw(public_fd, STRING_LD(pub_output));
-+ lsh_string_free(pub_output);
-
- if (e)
- {
---- a/src/publickey_crypto.h
-+++ b/src/publickey_crypto.h
-@@ -203,5 +203,7 @@ parse_ssh_dss_public(struct simple_buffe
- struct verifier *
- make_ssh_dss_verifier(const struct lsh_string *public);
-
-+int
-+blacklisted_key(struct verifier *v, int method);
-
- #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */
---- a/src/rsa.c
-+++ b/src/rsa.c
-@@ -167,6 +167,14 @@ do_rsa_public_spki_key(struct verifier *
- self->key.n, self->key.e);
- }
-
-+static uint32_t
-+do_rsa_key_size(struct verifier *v)
-+{
-+ CAST(rsa_verifier, self, v);
-+
-+ return mpz_sizeinbase(self->key.n, 2);
-+}
-+
-
- /* NOTE: To initialize an rsa verifier, one must
- *
-@@ -184,6 +192,7 @@ init_rsa_verifier(struct rsa_verifier *s
- self->super.verify = do_rsa_verify;
- self->super.public_key = do_rsa_public_key;
- self->super.public_spki_key = do_rsa_public_spki_key;
-+ self->super.key_size = do_rsa_key_size;
- }
-
- /* Alternative constructor using a key of type ssh-rsa, when the atom
---- a/src/server_authorization.c
-+++ b/src/server_authorization.c
-@@ -93,7 +93,8 @@ do_key_lookup(struct lookup_verifier *c,
- PUBLIC_SPKI_KEY(v, 0),
- 1));
-
-- if (USER_FILE_EXISTS(keyholder, filename, 1))
-+ if (USER_FILE_EXISTS(keyholder, filename, 1)
-+ && blacklisted_key(v, method) < 1)
- return v;
-
- return NULL;
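Review bot: the generated prototype `+ uint32_t *(*(key_size))(struct verifier *self);` in abstract_crypto.h.x declares key_size as returning a pointer, while the GABA declaration `+ (key_size method uint32_t)))` and both implementations (`do_dsa_key_size`, `do_rsa_key_size`) return a plain uint32_t, and `+ uint32_t keysize = KEY_SIZE(v);` stores the result as an integer. The assignments `self->super.key_size = do_dsa_key_size` / `do_rsa_key_size` are therefore incompatible pointer types, and the KEY_SIZE() result is a pointer-to-integer conversion: at best a compiler diagnostic, at worst a garbage key size that makes every blacklist file name wrong; drop the `*` from the .h.x line. Two smaller points: the comment above blacklisted_key() still talks about a fingerprint being returned in `*fp`, which is not a parameter of this version, and the `lsh_hash` string created by ssh_format() appears not to be freed on any path (the `%fS` in the werror() frees only the colonized copy, and the early `return -1` for an unrecognized type leaks it too), so each pubkey authentication attempt leaks one string. On the positive side, the `Key is compromised: %z %i %fS` werror() gives operators a greppable log line for attempts made with blacklisted keys; it would be worth naming that line in the Description so it can be monitored.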
/debian/patches/blacklist.patch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/ipv6_v6only.dpatch
===================================================================
--- debian/patches/ipv6_v6only.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/ipv6_v6only.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ipv6_v6only.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Set the IPV6_V6ONLY socket option on AF_INET6 sockets; since
+## DP: lshd by default enumerates available address families and calls
+## DP: bind() once for each, conflicts will occur otherwise.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c
+--- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100
++++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200
+@@ -1690,6 +1690,13 @@
+ {
+ int yes = 1;
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes);
++#if WITH_IPV6 && defined (IPV6_V6ONLY)
++ if (local->sa_family == AF_INET6)
++ {
++ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0)
++ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno);
++ }
++#endif
+ }
+
+ if (bind(s, local, length) < 0)
/debian/patches/ipv6_v6only.dpatch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/00list
===================================================================
--- debian/patches/00list (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/00list (.../trunk) (revision 77)
@@ -0,0 +1,7 @@
+20_sftp-server_mansection
+30_nonettle
+40_better_errmsg_when_dotlsh_missing
+nettle_2.0
+blacklist
+terminate_on_connection_failure
+ipv6_v6only
Index: debian/patches/terminate_on_connection_failure.dpatch
===================================================================
--- debian/patches/terminate_on_connection_failure.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/terminate_on_connection_failure.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## terminate_on_connection_failure.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Call exit() in lsh's default exception handler on EXC_IO_CONNECT; otherwise
+## DP: lsh won't terminate.
+
+@DPATCH@
+diff -urNad trunk~/src/lsh.c trunk/src/lsh.c
+--- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100
++++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100
+@@ -959,6 +959,8 @@
+ *self->status = EXIT_FAILURE;
+
+ werror("%z, (errno = %i)\n", e->msg, exc->error);
++ if (e->type == EXC_IO_CONNECT)
++ exit(*self->status);
+ }
+ else
+ switch(e->type)
/debian/patches/terminate_on_connection_failure.dpatch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/blacklist.dpatch
===================================================================
--- debian/patches/blacklist.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/blacklist.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,423 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## blacklist.dpatch by Magnus Holmgren <holmgren@debian.org>
+## blacklist.c code copied from the openssh package and adapted for LSH.
+##
+## DP: Check keys against openssh-blacklist before accepting for
+## DP: pubkey authentication as well as on conversion by lsh-writekey
+## DP: and lsh-decode-key.
+
+@DPATCH@
+diff -urNad trunk~/src/Makefile.am trunk/src/Makefile.am
+--- trunk~/src/Makefile.am 2004-11-18 22:52:16.000000000 +0100
++++ trunk/src/Makefile.am 2009-11-0 23:57:07.000000000 +0100
+@@ -72,7 +72,8 @@
+ unix_interact.c unix_process.c unix_random.c unix_user.c \
+ userauth.c \
+ werror.c write_buffer.c write_packet.c \
+- xalloc.c xauth.c zlib.c
++ xalloc.c xauth.c zlib.c \
++ blacklist.c
+
+ liblsh_a_LIBADD = @LIBOBJS@
+
+diff -urNad trunk~/src/Makefile.in trunk/src/Makefile.in
+--- trunk~/src/Makefile.in 2009-11-07 23:57:06.000000000 +0100
++++ trunk/src/Makefile.in 2009-11-07 23:57:07.000000000 +0100
+@@ -91,7 +91,8 @@
+ tty.$(OBJEXT) unix_interact.$(OBJEXT) unix_process.$(OBJEXT) \
+ unix_random.$(OBJEXT) unix_user.$(OBJEXT) userauth.$(OBJEXT) \
+ werror.$(OBJEXT) write_buffer.$(OBJEXT) write_packet.$(OBJEXT) \
+- xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT)
++ xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT) \
++ blacklist.$(OBJEXT)
+ liblsh_a_OBJECTS = $(am_liblsh_a_OBJECTS)
+ am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" \
+ "$(DESTDIR)$(bindir)"
+@@ -510,7 +511,8 @@
+ unix_interact.c unix_process.c unix_random.c unix_user.c \
+ userauth.c \
+ werror.c write_buffer.c write_packet.c \
+- xalloc.c xauth.c zlib.c
++ xalloc.c xauth.c zlib.c \
++ blacklist.c
+
+ liblsh_a_LIBADD = @LIBOBJS@
+
+@@ -705,6 +707,7 @@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/algorithms.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alist.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoms.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blacklist.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_commands.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_forward.Po@am__quote@
+diff -urNad trunk~/src/abstract_crypto.h trunk/src/abstract_crypto.h
+--- trunk~/src/abstract_crypto.h 2003-11-16 19:10:30.000000000 +0100
++++ trunk/src/abstract_crypto.h 2009-11-07 23:57:37.000000000 +0100
+@@ -162,7 +162,9 @@
+ (public_key method (string))
+
+ ; Returns (public-key (<pub-sig-alg-id> <s-expr>*))
+- (public_spki_key method (string) "int transport")))
++ (public_spki_key method (string) "int transport")
++
++ (key_size method uint32_t)))
+ */
+
+ #define VERIFY(verifier, algorithm, length, data, slength, sdata) \
+@@ -170,7 +172,7 @@
+
+ #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier)))
+ #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t)))
+-
++#define KEY_SIZE(verifier) ((verifier)->key_size((verifier)))
+
+ /* GABA:
+ (class
+diff -urNad trunk~/src/abstract_crypto.h.x trunk/src/abstract_crypto.h.x
+--- trunk~/src/abstract_crypto.h.x 2007-06-04 22:18:39.000000000 +0200
++++ trunk/src/abstract_crypto.h.x 2009-11-07 23:57:07.000000000 +0100
+@@ -161,6 +161,7 @@
+ int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data);
+ struct lsh_string *(*(public_key))(struct verifier *self);
+ struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport);
++ uint32_t *(*(key_size))(struct verifier *self);
+ };
+ extern struct lsh_class verifier_class;
+ #endif /* !GABA_DEFINE */
+diff -urNad trunk~/src/blacklist.c trunk/src/blacklist.c
+--- trunk~/src/blacklist.c 1970-01-01 01:00:00.000000000 +0100
++++ trunk/src/blacklist.c 2009-11-07 23:57:07.000000000 +0100
+@@ -0,0 +1,150 @@
++#if HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <assert.h>
++
++#include "atoms.h"
++#include "format.h"
++#include "lsh_string.h"
++#include "werror.h"
++#include "crypto.h"
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <fcntl.h>
++#include <string.h>
++
++int blacklisted_key(struct verifier *v, int method);
++
++/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
++static int
++blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file)
++{
++ int fd = -1;
++ const char *hash = 0;
++ uint32_t line_len;
++ struct stat st;
++ char buf[256];
++ off_t start, lower, upper;
++ int ret = 0;
++
++ debug("Checking blacklist file %S\n", blacklist_file);
++ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY);
++ if (fd < 0) {
++ ret = -1;
++ goto out;
++ }
++
++ hash = lsh_get_cstring(lsh_hash) + 12;
++ line_len = strlen(hash);
++ if (line_len != 20)
++ goto out;
++
++ /* Skip leading comments */
++ start = 0;
++ for (;;) {
++ ssize_t r;
++ char *newline;
++
++ r = read(fd, buf, sizeof(buf));
++ if (r <= 0)
++ goto out;
++ if (buf[0] != '#')
++ break;
++
++ newline = memchr(buf, '\n', sizeof(buf));
++ if (!newline)
++ goto out;
++ start += newline + 1 - buf;
++ if (lseek(fd, start, SEEK_SET) < 0)
++ goto out;
++ }
++
++ /* Initialise binary search record numbers */
++ if (fstat(fd, &st) < 0)
++ goto out;
++ lower = 0;
++ upper = (st.st_size - start) / (line_len + 1);
++
++ while (lower != upper) {
++ off_t cur;
++ int cmp;
++
++ cur = lower + (upper - lower) / 2;
++
++ /* Read this line and compare to digest; this is
++ * overflow-safe since cur < max(off_t) / (line_len + 1) */
++ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
++ break;
++ if (read(fd, buf, line_len) != line_len)
++ break;
++ cmp = memcmp(buf, hash, line_len);
++ if (cmp < 0) {
++ if (cur == lower)
++ break;
++ lower = cur;
++ } else if (cmp > 0) {
++ if (cur == upper)
++ break;
++ upper = cur;
++ } else {
++ ret = 1;
++ break;
++ }
++ }
++
++out:
++ if (fd >= 0)
++ close(fd);
++ return ret;
++}
++
++/*
++ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found,
++ * its fingerprint is returned in *fp, unless fp is NULL.
++ */
++int
++blacklisted_key(struct verifier *v, int method)
++{
++ const char *keytype;
++ int ret = -1;
++ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL };
++ const char **pp;
++ struct lsh_string *lsh_hash = ssh_format("%lfxS",
++ hash_string(&crypto_md5_algorithm,
++ PUBLIC_KEY(v), 1));
++ uint32_t keysize = KEY_SIZE(v);
++
++ switch (method)
++ {
++ case ATOM_SSH_DSS:
++ case ATOM_DSA:
++ keytype = "DSA";
++ break;
++ case ATOM_SSH_RSA:
++ case ATOM_RSA_PKCS1_SHA1:
++ case ATOM_RSA_PKCS1_MD5:
++ case ATOM_RSA_PKCS1:
++ keytype = "RSA";
++ break;
++ default:
++ werror("Unrecognized key type");
++ return -1;
++ }
++
++ for (pp = paths; *pp && ret <= 0; pp++) {
++ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di",
++ *pp, keytype, keysize);
++ int r = blacklisted_key_in_file(lsh_hash, blacklist_file);
++ lsh_string_free(blacklist_file);
++ if (r > ret) ret = r;
++ }
++
++ if (ret > 0) {
++ werror("Key is compromised: %z %i %fS\n", keytype, keysize,
++ lsh_string_colonize(lsh_hash, 2, 0));
++ }
++ return ret;
++}
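Review bot: The doc comment above blacklisted_key() ("its fingerprint is returned in *fp, unless fp is NULL") describes a parameter the function does not have; either add the out-parameter or drop that sentence. In the same hunk, `lsh_hash` from ssh_format() is never freed: not on the `default:` early return and not after the path loop (only `blacklist_file` is freed, and the `%fS` in the werror call frees the colonized copy, not `lsh_hash`), so every key check leaks a string. In blacklisted_key_in_file(), the comment-skipping loop calls `memchr(buf, '\n', sizeof(buf))` after a read() that may return fewer than sizeof(buf) bytes, so it scans uninitialized stack and can derive `start` from a stale byte; use the bytes actually read, `newline = memchr(buf, '\n', r);`. Note also that every parse failure in that function (comment line longer than the buffer, short read, lseek error) ends with `ret = 0`, i.e. fails open as "not blacklisted"; if that is intended it deserves a comment, otherwise return -1 like the open() failure. The local prototype at the top of the file duplicates the one added to publickey_crypto.h and can go.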
+diff -urNad trunk~/src/dsa.c trunk/src/dsa.c
+--- trunk~/src/dsa.c 2004-06-08 20:00:45.000000000 +0200
++++ trunk/src/dsa.c 2009-11-07 23:57:07.000000000 +0100
+@@ -189,6 +189,14 @@
+ "y", self->key.y);
+ }
+
++static uint32_t
++do_dsa_key_size(struct verifier *v)
++{
++ CAST(dsa_verifier, self, v);
++
++ return mpz_sizeinbase(self->key.p, 2);
++}
++
+ static void
+ init_dsa_verifier(struct dsa_verifier *self)
+ {
+@@ -199,6 +207,7 @@
+ self->super.verify = do_dsa_verify;
+ self->super.public_spki_key = do_dsa_public_spki_key;
+ self->super.public_key = do_dsa_public_key;
++ self->super.key_size = do_dsa_key_size;
+ }
+
+
+diff -urNad trunk~/src/lsh-decode-key.c trunk/src/lsh-decode-key.c
+--- trunk~/src/lsh-decode-key.c 2005-09-06 14:43:15.000000000 +0200
++++ trunk/src/lsh-decode-key.c 2009-11-07 23:57:07.000000000 +0100
+@@ -133,6 +133,10 @@
+ werror("Invalid dsa key.\n");
+ return NULL;
+ }
++ else if (blacklisted_key(v, type))
++ {
++ return NULL;
++ }
+ else
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
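Review bot: `else if (blacklisted_key(v, type))` treats every non-zero return as a match, but blacklisted_key() returns -1 when no blacklist file exists for the key type and size (its `ret = -1` initialisation survives when every open() fails), so on a host without the blacklist files every valid DSA key is rejected, and silently, since the "Key is compromised" message is only printed for a positive result. Test for a positive result, `blacklisted_key(v, type) > 0`, as server_authorization.c does with `< 1`, and consider a werror() on the reject path so the user learns why decoding failed.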
+@@ -150,6 +154,10 @@
+ werror("Invalid rsa key.\n");
+ return NULL;
+ }
++ else if (blacklisted_key(v, type))
++ {
++ return NULL;
++ }
+ else
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
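Review bot: Same issue as the DSA branch above: `blacklisted_key(v, type)` is true for the -1 "no blacklist file" return, so RSA keys are refused whenever the blacklist files are absent; use `> 0` here as well.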
+diff -urNad trunk~/src/lsh-writekey.c trunk/src/lsh-writekey.c
+--- trunk~/src/lsh-writekey.c 2004-11-17 11:55:11.000000000 +0100
++++ trunk/src/lsh-writekey.c 2009-11-07 23:57:07.000000000 +0100
+@@ -397,14 +397,18 @@
+ {
+ struct signer *s;
+ struct verifier *v;
++ int algorithm_name;
+
+- s = spki_make_signer(options->signature_algorithms, key, NULL);
++ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name);
+
+ if (!s)
+ return NULL;
+
+ v = SIGNER_GET_VERIFIER(s);
+ assert(v);
++ if (blacklisted_key(v, algorithm_name)) {
++ return NULL;
++ }
+
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
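Review bot: `if (blacklisted_key(v, algorithm_name))` rejects on the -1 return as well as on a match, so lsh-writekey refuses to write any key on a host without the blacklist files; change the test to `> 0`. Also confirm that the atom spki_make_signer() stores in `algorithm_name` is one of the ATOM_* values blacklisted_key() switches on; any other atom falls into its `default:` branch, which logs "Unrecognized key type" and returns -1, and with the current truthiness test that too would block writing the key.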
+@@ -416,7 +420,8 @@
+ int private_fd;
+ int public_fd;
+ struct lsh_string *input;
+- struct lsh_string *output;
++ struct lsh_string *priv_output;
++ struct lsh_string *pub_output;
+ const struct exception *e;
+
+ argp_parse(&main_argp, argc, argv, 0, NULL, options);
+@@ -439,16 +444,22 @@
+ return EXIT_FAILURE;
+ }
+
+- output = process_private(input, options);
+- if (!output)
++ pub_output = process_public(input, options);
++ if (!pub_output)
++ return EXIT_FAILURE;
++
++ priv_output = process_private(input, options);
++ if (!priv_output)
+ return EXIT_FAILURE;
+
++ lsh_string_free(input);
++
+ private_fd = open_file(options->private_file);
+ if (private_fd < 0)
+ return EXIT_FAILURE;
+
+- e = write_raw(private_fd, STRING_LD(output));
+- lsh_string_free(output);
++ e = write_raw(private_fd, STRING_LD(priv_output));
++ lsh_string_free(priv_output);
+
+ if (e)
+ {
+@@ -457,18 +468,12 @@
+ return EXIT_FAILURE;
+ }
+
+- output = process_public(input, options);
+- lsh_string_free(input);
+-
+- if (!output)
+- return EXIT_FAILURE;
+-
+ public_fd = open_file(options->public_file);
+ if (public_fd < 0)
+ return EXIT_FAILURE;
+
+- e = write_raw(public_fd, STRING_LD(output));
+- lsh_string_free(output);
++ e = write_raw(public_fd, STRING_LD(pub_output));
++ lsh_string_free(pub_output);
+
+ if (e)
+ {
+diff -urNad trunk~/src/publickey_crypto.h trunk/src/publickey_crypto.h
+--- trunk~/src/publickey_crypto.h 2004-06-15 13:32:51.000000000 +0200
++++ trunk/src/publickey_crypto.h 2009-11-07 23:57:07.000000000 +0100
+@@ -203,5 +203,7 @@
+ struct verifier *
+ make_ssh_dss_verifier(const struct lsh_string *public);
+
++int
++blacklisted_key(struct verifier *v, int method);
+
+ #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */
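Review bot: This hunk adds the blacklisted_key() prototype, but nothing in the patch adds the `key_size` method to `struct verifier` that the new `self->super.key_size = ...` assignments in dsa.c and rsa.c and the `KEY_SIZE(v)` call in blacklist.c rely on. Unless the verifier class definition (and the KEY_SIZE accessor macro) is updated in a hunk not shown here, the patched tree will not compile; please include that change in this header hunk so the patch is self-contained.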
+diff -urNad trunk~/src/rsa.c trunk/src/rsa.c
+--- trunk~/src/rsa.c 2003-11-16 19:49:12.000000000 +0100
++++ trunk/src/rsa.c 2009-11-07 23:57:07.000000000 +0100
+@@ -167,6 +167,14 @@
+ self->key.n, self->key.e);
+ }
+
++static uint32_t
++do_rsa_key_size(struct verifier *v)
++{
++ CAST(rsa_verifier, self, v);
++
++ return mpz_sizeinbase(self->key.n, 2);
++}
++
+
+ /* NOTE: To initialize an rsa verifier, one must
+ *
+@@ -184,6 +192,7 @@
+ self->super.verify = do_rsa_verify;
+ self->super.public_key = do_rsa_public_key;
+ self->super.public_spki_key = do_rsa_public_spki_key;
++ self->super.key_size = do_rsa_key_size;
+ }
+
+ /* Alternative constructor using a key of type ssh-rsa, when the atom
+diff -urNad trunk~/src/server_authorization.c trunk/src/server_authorization.c
+--- trunk~/src/server_authorization.c 2004-06-08 20:01:15.000000000 +0200
++++ trunk/src/server_authorization.c 2009-11-07 23:57:07.000000000 +0100
+@@ -93,7 +93,8 @@
+ PUBLIC_SPKI_KEY(v, 0),
+ 1));
+
+- if (USER_FILE_EXISTS(keyholder, filename, 1))
++ if (USER_FILE_EXISTS(keyholder, filename, 1)
++ && blacklisted_key(v, method) < 1)
+ return v;
+
+ return NULL;
/debian/patches/blacklist.dpatch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch
===================================================================
--- debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 40_mkdir_dotlsh.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Show the intended error message, instead of one about a locking
+## DP: error, when no seed file exists
+
+@DPATCH@
+diff -urNad trunk~/src/unix_random.c trunk/src/unix_random.c
+--- trunk~/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100
++++ trunk/src/unix_random.c 2008-06-24 22:29:29.000000000 +0200
+@@ -353,6 +353,15 @@
+
+ yarrow256_init(&self->yarrow, RANDOM_NSOURCES, self->sources);
+
++ if (access(lsh_get_cstring(seed_file_name), F_OK) < 0)
++ {
++ werror("No seed file. Please create one by running\n");
++ werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
++
++ KILL(self);
++ return NULL;
++ }
++
+ verbose("Reading seed-file `%S'\n", seed_file_name);
+
+ self->lock
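Review bot: The access(F_OK) test runs before the lock is acquired and before the later open(), so a seed file created or removed in between simply produces the other of the two messages; that is harmless here because open() still fails gracefully, but a one-line comment saying the check only selects the error message (and is not relied on for correctness) would stop a later reader from treating it as a security check.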
+@@ -374,8 +383,7 @@
+ self->seed_file_fd = open(lsh_get_cstring(seed_file_name), O_RDWR);
+ if (self->seed_file_fd < 0)
+ {
+- werror("No seed file. Please create one by running\n");
+- werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
++ werror("Could not open seed file \"%S\".\n", seed_file_name);
+
+ KILL_RESOURCE(lock);
+ KILL(self);
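Review bot: The new "Could not open seed file" message drops the reason. Since the missing-file case is now handled by the existence check earlier in the function, this branch is reached for permission problems and other errors, so include the errno text, for example `werror("Could not open seed file \"%S\": %z.\n", seed_file_name, strerror(errno));` (with `<errno.h>` and `<string.h>` included), so that a misconfigured seed file mode is diagnosable from the log.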
/debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/20_sftp-server_mansection.dpatch
===================================================================
--- debian/patches/20_sftp-server_mansection.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/20_sftp-server_mansection.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_sftp-server_mansection.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Invent manual section 8lsh for lsh's sftp-server
+
+@DPATCH@
+diff -urNad trunk~/src/sftp/sftp-server.8 trunk/src/sftp/sftp-server.8
+--- trunk~/src/sftp/sftp-server.8 2006-05-08 21:11:17.000000000 +0200
++++ trunk/src/sftp/sftp-server.8 2007-10-03 20:48:35.000000000 +0200
+@@ -22,7 +22,7 @@
+ .\" maintainers of the package you received this manual from and make your
+ .\" modified versions available to them.
+ .\"
+-.TH SFTP-SERVER 8 "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
++.TH SFTP-SERVER 8lsh "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
+ .SH NAME
+ sftp-server - Server for the sftp subsystem
+ .SH SYNOPSIS
/debian/patches/20_sftp-server_mansection.dpatch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/30_nonettle.dpatch
===================================================================
--- debian/patches/30_nonettle.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/30_nonettle.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,27 @@
+#!/bin/sh
+## 30_nonettle.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Link dynamically with libnettle-dev instead of the bundled version
+
+set -e
+FILES=`find src -name nettle -prune -o -name Makefile.in -print`
+
+dpatch_patch() {
+ if [ ! -f debian/patched/30_nonettle_orig.tar.gz ]; then
+ tar -czf debian/patched/30_nonettle_orig.tar.gz $FILES
+ sed -ri -e '/^LDADD/,+1s%(\.\.?/)*nettle/libnettle\.a|-lnettle%-lnettle -lhogweed%' \
+ -e 's%\s*(-[IL]\s*)?(\.\.?/)*\bnettle(/libnettle\.a)?\b%%g' $FILES
+ mv src/nettle src/nettle-unused
+ fi
+}
+
+dpatch_unpatch() {
+ if [ -f debian/patched/30_nonettle_orig.tar.gz ]; then
+ mv src/nettle-unused src/nettle
+ tar -xzf debian/patched/30_nonettle_orig.tar.gz
+ fi
+}
+
+DPATCH_LIB_NO_DEFAULT=1
+
+. /usr/share/dpatch/dpatch.lib.sh
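Review bot: dpatch_unpatch() restores the files from debian/patched/30_nonettle_orig.tar.gz but leaves the archive in place, so a subsequent dpatch_patch() sees the archive, skips the sed rewrite and the `mv src/nettle src/nettle-unused`, and the build silently picks up the bundled nettle again; it only works today because the clean target wipes debian/patched wholesale. Remove the archive after extracting it so patch and unpatch are symmetric. Two smaller points: `$FILES` is unquoted in the tar and sed invocations, which is fine for this tree but breaks on any path containing whitespace, and `\s` and `\b` in the sed expressions are GNU extensions, so the script needs GNU sed (which Debian provides).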
Index: debian/patches/nettle_2.0.dpatch
===================================================================
--- debian/patches/nettle_2.0.dpatch (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/patches/nettle_2.0.dpatch (.../trunk) (revision 77)
@@ -0,0 +1,200 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## nettle_2.0.dpatch by Magnus Holmgren <holmgren@debian.org>
+##
+## DP: Adapt to Nettle 2.0
+
+@DPATCH@
+diff -ur lsh-2.0.4/src/crypto.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/crypto.c
+--- lsh-2.0.4/src/crypto.c 2005-11-26 18:13:55.000000000 +0100
++++ lsh-utils-2.0.4-dfsg/src/crypto.c 2009-08-04 23:57:22.000000000 +0200
+@@ -71,7 +71,7 @@
+ assert(!(length % 8));
+
+ lsh_string_crypt(dst, di, src, si, length,
+- (nettle_crypt_func) arcfour_crypt, &self->ctx);
++ (nettle_crypt_func*) arcfour_crypt, &self->ctx);
+ }
+
+ static struct crypto_instance *
+@@ -114,7 +114,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) aes_encrypt,
++ (nettle_crypt_func*) aes_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -128,7 +128,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) aes_decrypt,
++ (nettle_crypt_func*) aes_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -185,7 +185,7 @@
+
+ lsh_string_ctr_crypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.ctr,
+- (nettle_crypt_func) aes_encrypt,
++ (nettle_crypt_func*) aes_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -227,7 +227,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ DES3_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) des3_encrypt,
++ (nettle_crypt_func*) des3_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -241,7 +241,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ DES3_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) des3_decrypt,
++ (nettle_crypt_func*) des3_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -303,7 +303,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ CAST128_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) cast128_encrypt,
++ (nettle_crypt_func*) cast128_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -317,7 +317,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ CAST128_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) cast128_decrypt,
++ (nettle_crypt_func*) cast128_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -363,7 +363,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ TWOFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) twofish_encrypt,
++ (nettle_crypt_func*) twofish_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -377,7 +377,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ TWOFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) twofish_decrypt,
++ (nettle_crypt_func*) twofish_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -422,7 +422,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) blowfish_encrypt,
++ (nettle_crypt_func*) blowfish_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -436,7 +436,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) blowfish_decrypt,
++ (nettle_crypt_func*) blowfish_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -488,7 +488,7 @@
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ SERPENT_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) serpent_encrypt,
++ (nettle_crypt_func*) serpent_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -502,7 +502,7 @@
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ SERPENT_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) serpent_decrypt,
++ (nettle_crypt_func*) serpent_decrypt,
+ &self->ctx.ctx);
+ }
+
+diff -ur lsh-2.0.4/src/lsh-make-seed.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c
+--- lsh-2.0.4/src/lsh-make-seed.c 2006-01-23 18:51:06.000000000 +0100
++++ lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c 2009-08-05 00:24:58.000000000 +0200
+@@ -1219,6 +1219,7 @@
+
+ struct yarrow256_ctx yarrow;
+ struct yarrow_source sources[NSOURCES];
++ uint8_t seed[YARROW256_SEED_FILE_SIZE];
+
+ argp_parse(&main_argp, argc, argv, 0, NULL, options);
+
+@@ -1371,7 +1372,8 @@
+ }
+ }
+
+- e = write_raw(fd, sizeof(yarrow.seed_file), yarrow.seed_file);
++ yarrow256_random(&yarrow, sizeof(seed), seed);
++ e = write_raw(fd, sizeof(seed), seed);
+
+ if (e)
+ {
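Review bot: yarrow256_random() asserts that the generator has been seeded, so this hunk depends on the entropy gathering earlier in the file having already triggered the initial reseed; an explicit `yarrow256_is_seeded(&yarrow)` check (or an assert with a message) before generating the seed bytes would make that precondition visible instead of leaving it to Nettle's internal assert. Generating the seed file with yarrow256_random() is the right replacement for the removed `yarrow.seed_file` access.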
+diff -ur lsh-2.0.4/src/unix_random.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/unix_random.c
+--- lsh-2.0.4/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100
++++ lsh-utils-2.0.4-dfsg/src/unix_random.c 2009-08-05 00:28:31.000000000 +0200
+@@ -81,6 +81,7 @@
+ int fd)
+ {
+ const struct exception *e;
++ uint8_t seed[YARROW256_SEED_FILE_SIZE];
+
+ if (lseek(fd, 0, SEEK_SET) < 0)
+ {
+@@ -88,7 +89,8 @@
+ return 0;
+ }
+
+- e = write_raw(fd, YARROW256_SEED_FILE_SIZE, ctx->seed_file);
++ yarrow256_random(ctx, sizeof(seed), seed);
++ e = write_raw(fd, sizeof(seed), seed);
+
+ if (e)
+ {
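Review bot: Same precondition as in lsh-make-seed.c: yarrow256_random() requires a seeded generator. The caller in the following hunk forces a fast reseed before calling write_seed_file(), so that holds there, but write_seed_file() is a standalone function and an assert on yarrow256_is_seeded(ctx) at its top would protect any other caller.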
+@@ -183,17 +183,19 @@
+ {
+ struct lsh_string *s = read_seed_file(self->seed_file_fd);
+
+- write_seed_file(&self->yarrow, self->seed_file_fd);
+- KILL_RESOURCE(lock);
+-
+ /* Mix in the old seed file, it might have picked up
+ * some randomness. */
+ if (s)
+ {
++ self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST;
+ yarrow256_update(&self->yarrow, RANDOM_SOURCE_NEW_SEED,
+ 0, STRING_LD(s));
+ lsh_string_free(s);
++ yarrow256_fast_reseed(&self->yarrow);
+ }
++
++ write_seed_file(&self->yarrow, self->seed_file_fd);
++ KILL_RESOURCE(lock);
+ }
+ }
+
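Review bot: The forced `.next = YARROW_FAST` and the explicit yarrow256_fast_reseed() need a comment explaining why they are there: yarrow256_update() is called with an entropy estimate of 0 for the old seed, so without forcing the reseed the old seed would only sit in the fast pool and the seed file written immediately afterwards would not depend on it. The reordering of write_seed_file() to after the mix-in is what makes the new seed file differ from the old one even when no other entropy has arrived yet, and holding the lock until after the write is the correct order; the existing "Mix in the old seed file" comment should state both.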
Index: debian/README.source
===================================================================
--- debian/README.source (.../tags/2.0.4-dfsg-8) (nonexistent)
+++ debian/README.source (.../trunk) (revision 77)
@@ -0,0 +1,8 @@
+This package uses dpatch to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build. For basic usage
+information, see
+
+ /usr/share/doc/dpatch/README.source.gz
+
+(after installing dpatch).
Index: debian/rules
===================================================================
--- debian/rules (.../tags/2.0.4-dfsg-8) (revision 89)
+++ debian/rules (.../trunk) (revision 77)
@@ -1,117 +1,18 @@
#!/usr/bin/make -f
-# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-# GNU copyright 1997 to 1999 by Joey Hess.
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/dpatch.mk
-# These are used for cross-compiling and for saving the configure script
-# from having to guess our platform (since we know it already)
-DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+# the used configure parameters for ./configure
+DEB_CONFIGURE_EXTRA_FLAGS := --enable-pam --enable-kerberos --enable-srp \
+ --with-pty --enable-tcp-forward --enable-x11-forward \
+ --enable-agent-forward --enable-ipv6 --enable-utmp \
+ --with-zlib --with-tcpwrappers --with-sshd1=/usr/sbin/sshd \
+ --with-x XAUTH_PROGRAM=/usr/bin/xauth
-ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
- buildflags = --build=$(DEB_BUILD_GNU_TYPE)
-else
- buildflags = --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
-endif
+DEB_INSTALL_CHANGELOGS_ALL := ChangeLog
+DEB_INSTALL_DOCS_ALL := README
+DEB_DH_INSTALL_SOURCEDIR := debian/tmp
-parallel = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
-ifneq (,$(parallel))
-jobsflag = -j$(parallel)
-endif
-
-config.status: configure.ac
- dh_testdir
- # Add here commands to configure the package.
- [ -d src/nettle-dontuse -a ! -d src/nettle ] || mv src/nettle src/nettle-dontuse
- dh_autoreconf
- ./configure $(buildflags) \
- --prefix=/usr \
- --disable-dependency-tracking \
- --enable-pam --enable-kerberos --enable-srp \
- --with-pty --enable-tcp-forward --enable-x11-forward \
- --enable-agent-forward --enable-ipv6 --enable-utmp \
- --with-zlib --with-tcpwrappers --with-sshd1=/usr/sbin/sshd \
- --with-x XAUTH_PROGRAM=/usr/bin/xauth \
- CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) -Wl,-z,defs -Wl,--as-needed"
-
-build: build-stamp
-build-stamp: config.status
- dh_testdir
-
- # Add here commands to compile the package.
- $(MAKE) $(jobsflag) MAKEINFO='makeinfo --enable-encoding'
-ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
- $(MAKE) check
-endif
-
- touch build-stamp
-
-clean:
- dh_testdir
- dh_testroot
- rm -f build-stamp
-
- # Add here commands to clean up after the build process.
- [ ! -f Makefile ] || $(MAKE) distclean
- dh_autoreconf_clean
- dh_clean
- [ -d src/nettle -a ! -d src/nettle-dontuse ] || mv src/nettle-dontuse src/nettle
-
-install: build
- dh_testdir
- dh_testroot
- dh_prep
- dh_installdirs
-
- # Add here commands to install the package into debian/tmp
- $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
-
-build-indep build-arch: build
-
-# Build architecture-independent files here.
-binary-indep: build-indep install
- dh_testdir
- dh_testroot
- dh_install -i --sourcedir=debian/tmp
- dh_link -i
- dh_installchangelogs -i ChangeLog
- dh_installdocs -i -A README
- dh_installinfo -i
- dh_installman -i
- dh_installdebconf -i
- dh_compress -i
- dh_fixperms -i
- dh_makeshlibs -i
- dh_installdeb -i
- dh_shlibdeps -i
- dh_gencontrol -i
- dh_md5sums -i
- dh_builddeb -i
-
-# Build architecture-dependent files here.
-binary-arch: build-arch install
- dh_testdir
- dh_testroot
- dh_install -a --sourcedir=debian/tmp
- dh_link -a
- dh_installchangelogs -a ChangeLog
- dh_installdocs -a -A README
- dh_installexamples -a
- dh_installman -a
- dh_installinit -a
- dh_installdebconf -a
- dh_strip -a
- dh_compress -a
- dh_fixperms -a
- dh_makeshlibs -a
- dh_installdeb -a
- dh_shlibdeps -a
- dh_gencontrol -a
- dh_md5sums -a
- dh_builddeb -a
-
-binary: binary-arch binary-indep
-.PHONY: build-indep build-arch build clean clean-patched binary-indep binary-arch binary install
+LDFLAGS += -Wl,-z,defs -Wl,--as-needed
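Review bot: Read with the revision direction in mind (the headers show revision 89 as the `-` side and revision 77 as the `+` side), the `+` side is the older cdbs rules file. Compared with the `-` side it runs no `$(MAKE) check` at all (the newer rules honour `nocheck` in DEB_BUILD_OPTIONS), passes no `--disable-dependency-tracking`, and contains no src/nettle rename; in this revision that rename is performed by the 30_nonettle.dpatch script instead, so the correctness of the build depends on that script's patch/unpatch steps staying in sync with the clean target.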
/trunk/debian/compat
1,0 → 0,0
7
5
/trunk/debian/lsh-doc.doc-base
2,7 → 2,7
Title: LSH documentation
Author: Niels Möller
Abstract: This document describes `lsh' and related programs.
Section: Network/Remote Access
Section: Network
 
Format: HTML
Index: /usr/share/doc/lsh-doc/lsh.html