

Ignore whitespace Rev 62 → Rev 63

/trunk/debian/patches/blacklist.dpatch
9,7 → 9,7
@DPATCH@
diff -urNad trunk~/src/Makefile.am trunk/src/Makefile.am
--- trunk~/src/Makefile.am 2004-11-18 22:52:16.000000000 +0100
+++ trunk/src/Makefile.am 2009-11-06 01:07:40.000000000 +0100
+++ trunk/src/Makefile.am 2009-11-0 23:57:07.000000000 +0100
@@ -72,7 +72,8 @@
unix_interact.c unix_process.c unix_random.c unix_user.c \
userauth.c \
21,8 → 21,8
liblsh_a_LIBADD = @LIBOBJS@
diff -urNad trunk~/src/Makefile.in trunk/src/Makefile.in
--- trunk~/src/Makefile.in 2009-11-06 01:07:40.000000000 +0100
+++ trunk/src/Makefile.in 2009-11-06 01:07:40.000000000 +0100
--- trunk~/src/Makefile.in 2009-11-07 23:57:06.000000000 +0100
+++ trunk/src/Makefile.in 2009-11-07 23:57:07.000000000 +0100
@@ -91,7 +91,8 @@
tty.$(OBJEXT) unix_interact.$(OBJEXT) unix_process.$(OBJEXT) \
unix_random.$(OBJEXT) unix_user.$(OBJEXT) userauth.$(OBJEXT) \
51,10 → 51,44
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_commands.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_forward.Po@am__quote@
diff -urNad trunk~/src/abstract_crypto.h trunk/src/abstract_crypto.h
--- trunk~/src/abstract_crypto.h 2003-11-16 19:10:30.000000000 +0100
+++ trunk/src/abstract_crypto.h 2009-11-07 23:57:37.000000000 +0100
@@ -162,7 +162,9 @@
(public_key method (string))
; Returns (public-key (<pub-sig-alg-id> <s-expr>*))
- (public_spki_key method (string) "int transport")))
+ (public_spki_key method (string) "int transport")
+
+ (key_size method uint32_t)))
*/
#define VERIFY(verifier, algorithm, length, data, slength, sdata) \
@@ -170,7 +172,7 @@
#define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier)))
#define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t)))
-
+#define KEY_SIZE(verifier) ((verifier)->key_size((verifier)))
/* GABA:
(class
diff -urNad trunk~/src/abstract_crypto.h.x trunk/src/abstract_crypto.h.x
--- trunk~/src/abstract_crypto.h.x 2007-06-04 22:18:39.000000000 +0200
+++ trunk/src/abstract_crypto.h.x 2009-11-07 23:57:07.000000000 +0100
@@ -161,6 +161,7 @@
int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data);
struct lsh_string *(*(public_key))(struct verifier *self);
struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport);
+ uint32_t *(*(key_size))(struct verifier *self);
};
extern struct lsh_class verifier_class;
#endif /* !GABA_DEFINE */
diff -urNad trunk~/src/blacklist.c trunk/src/blacklist.c
--- trunk~/src/blacklist.c 1970-01-01 01:00:00.000000000 +0100
+++ trunk/src/blacklist.c 2009-11-06 01:07:40.000000000 +0100
@@ -0,0 +1,164 @@
+++ trunk/src/blacklist.c 2009-11-07 23:57:07.000000000 +0100
@@ -0,0 +1,150 @@
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
61,19 → 95,11
+
+#include <assert.h>
+
+#include "nettle/bignum.h"
+#include "nettle/dsa.h"
+#include "nettle/rsa.h"
+#include "xalloc.h"
+#include "atoms.h"
+#include "format.h"
+#include "lsh_string.h"
+#include "abstract_crypto.h"
+#include "werror.h"
+#include "crypto.h"
+#define GABA_DECLARE
+#include "rsa.c.x"
+#include "dsa.c.x"
+
+#include <sys/types.h>
+#include <sys/stat.h>
81,6 → 107,8
+#include <fcntl.h>
+#include <string.h>
+
+int blacklisted_key(struct verifier *v, int method);
+
+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
+static int
+blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file)
87,7 → 115,6
+{
+ int fd = -1;
+ const char *hash = 0;
+ int i;
+ uint32_t line_len;
+ struct stat st;
+ char buf[256];
172,7 → 199,6
+int
+blacklisted_key(struct verifier *v, int method)
+{
+ size_t keysize;
+ const char *keytype;
+ int ret = -1;
+ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL };
180,29 → 206,23
+ struct lsh_string *lsh_hash = ssh_format("%lfxS",
+ hash_string(&crypto_md5_algorithm,
+ PUBLIC_KEY(v), 1));
+ uint32_t keysize = KEY_SIZE(v);
+
+ switch (method)
+ {
+ case ATOM_SSH_DSS:
+ case ATOM_DSA:
+ {
+ CAST(dsa_verifier, self, v);
+ keytype = "DSA";
+ keysize = mpz_sizeinbase(self->key.p, 2);
+ }
+ break;
+ break;
+ case ATOM_SSH_RSA:
+ case ATOM_RSA_PKCS1_SHA1:
+ case ATOM_RSA_PKCS1_MD5:
+ case ATOM_RSA_PKCS1:
+ {
+ CAST(rsa_verifier, self, v);
+ keytype = "RSA";
+ keysize = mpz_sizeinbase(self->key.n, 2);
+ } break;
+ break;
+ default:
+ werror("Unrecognized key type");
+ return 0;
+ return -1;
+ }
+
+ for (pp = paths; *pp && ret <= 0; pp++) {
219,9 → 239,35
+ }
+ return ret;
+}
diff -urNad trunk~/src/dsa.c trunk/src/dsa.c
--- trunk~/src/dsa.c 2004-06-08 20:00:45.000000000 +0200
+++ trunk/src/dsa.c 2009-11-07 23:57:07.000000000 +0100
@@ -189,6 +189,14 @@
"y", self->key.y);
}
+static uint32_t
+do_dsa_key_size(struct verifier *v)
+{
+ CAST(dsa_verifier, self, v);
+
+ return mpz_sizeinbase(self->key.p, 2);
+}
+
static void
init_dsa_verifier(struct dsa_verifier *self)
{
@@ -199,6 +207,7 @@
self->super.verify = do_dsa_verify;
self->super.public_spki_key = do_dsa_public_spki_key;
self->super.public_key = do_dsa_public_key;
+ self->super.key_size = do_dsa_key_size;
}
diff -urNad trunk~/src/lsh-decode-key.c trunk/src/lsh-decode-key.c
--- trunk~/src/lsh-decode-key.c 2005-09-06 14:43:15.000000000 +0200
+++ trunk/src/lsh-decode-key.c 2009-11-06 01:07:40.000000000 +0100
+++ trunk/src/lsh-decode-key.c 2009-11-07 23:57:07.000000000 +0100
@@ -133,6 +133,10 @@
werror("Invalid dsa key.\n");
return NULL;
246,7 → 292,7
}
diff -urNad trunk~/src/lsh-writekey.c trunk/src/lsh-writekey.c
--- trunk~/src/lsh-writekey.c 2004-11-17 11:55:11.000000000 +0100
+++ trunk/src/lsh-writekey.c 2009-11-06 01:11:54.000000000 +0100
+++ trunk/src/lsh-writekey.c 2009-11-07 23:57:07.000000000 +0100
@@ -397,14 +397,18 @@
{
struct signer *s;
327,7 → 373,7
{
diff -urNad trunk~/src/publickey_crypto.h trunk/src/publickey_crypto.h
--- trunk~/src/publickey_crypto.h 2004-06-15 13:32:51.000000000 +0200
+++ trunk/src/publickey_crypto.h 2009-11-06 01:07:40.000000000 +0100
+++ trunk/src/publickey_crypto.h 2009-11-07 23:57:07.000000000 +0100
@@ -203,5 +203,7 @@
struct verifier *
make_ssh_dss_verifier(const struct lsh_string *public);
336,9 → 382,35
+blacklisted_key(struct verifier *v, int method);
#endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */
diff -urNad trunk~/src/rsa.c trunk/src/rsa.c
--- trunk~/src/rsa.c 2003-11-16 19:49:12.000000000 +0100
+++ trunk/src/rsa.c 2009-11-07 23:57:07.000000000 +0100
@@ -167,6 +167,14 @@
self->key.n, self->key.e);
}
+static uint32_t
+do_rsa_key_size(struct verifier *v)
+{
+ CAST(rsa_verifier, self, v);
+
+ return mpz_sizeinbase(self->key.n, 2);
+}
+
/* NOTE: To initialize an rsa verifier, one must
*
@@ -184,6 +192,7 @@
self->super.verify = do_rsa_verify;
self->super.public_key = do_rsa_public_key;
self->super.public_spki_key = do_rsa_public_spki_key;
+ self->super.key_size = do_rsa_key_size;
}
/* Alternative constructor using a key of type ssh-rsa, when the atom
diff -urNad trunk~/src/server_authorization.c trunk/src/server_authorization.c
--- trunk~/src/server_authorization.c 2004-06-08 20:01:15.000000000 +0200
+++ trunk/src/server_authorization.c 2009-11-06 01:07:40.000000000 +0100
+++ trunk/src/server_authorization.c 2009-11-07 23:57:07.000000000 +0100
@@ -93,7 +93,8 @@
PUBLIC_SPKI_KEY(v, 0),
1));
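Review bot: In the abstract_crypto.h.x hunk the new `key_size` slot is declared as `uint32_t *(*(key_size))(struct verifier *self);`, but the GABA spec it is generated from says `(key_size method uint32_t)`, both `do_dsa_key_size` and `do_rsa_key_size` return a plain `uint32_t`, and blacklist.c stores `KEY_SIZE(v)` into `uint32_t keysize`, so the member type mixes a pointer with an integer. The line should read `uint32_t (*(key_size))(struct verifier *self);` — or better, the .h.x should be regenerated from the .h instead of being edited by hand. Old and new sides are not marked on this page; that these lines are new is inferred from the 51,10 → 51,44 hunk count. Since the key size presumably selects which blacklist file is consulted, a wrong value would make the vulnerable-key check miss silently rather than fail loudly, so building with warnings as errors would have caught this before it shipped. Separately, `werror("Unrecognized key type")` in blacklist.c lacks the trailing `\n` that the neighbouring `werror("Invalid dsa key.\n")` carries.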
/trunk/debian/copyright
40,5 → 40,6
complete list of the authors and licenses of various components
within lsh, see the file `/usr/share/doc/lsh-utils/AUTHORS'
 
-- Timshel Knoll <timshel@debian.org> Tue, 18 Jul 2000 19:40:07 +1000
 
The Debian patch debian/patches/blacklist.dpatch contains code from
the openssh package, apparently written by Colin Watson (cjwatson) and
released under a BSD license.