
Ignore whitespace Rev 77 → Rev 79

/trunk/debian/README.source
File deleted
/trunk/debian/control
4,8 → 4,8
Maintainer: Magnus Holmgren <holmgren@debian.org>
Uploaders: Stefan Pfetzing <dreamind@dreamind.de>
Standards-Version: 3.9.1
Build-Depends: cdbs, debhelper (>= 5), dpatch, autotools-dev,
libgmp3-dev, zlib1g-dev | libz-dev, liboop-dev, libxau-dev, nettle-dev,
Build-Depends: cdbs, debhelper (>= 7), dh-autoreconf, automake,
libgmp10-dev, zlib1g-dev | libz-dev, liboop-dev, libxau-dev, nettle-dev, nettle-bin,
texinfo (>= 4.2), guile-1.6 | scsh-0.6, heimdal-dev, libwrap0-dev | libwrap-dev,
libpam0g-dev | libpam-dev, libreadline-dev, m4
Homepage: http://www.lysator.liu.se/~nisse/lsh/
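Review bot: The Build-Depends line that names debhelper (>= 7) and dh-autoreconf drops dpatch without adding a replacement patch tool, while the rest of this revision converts every debian/patches/*.dpatch into a plain *.patch file; that only works if debian/source/format declares 3.0 (quilt), which is not part of this diff, so it is worth confirming — otherwise the new patches are never applied at build time. The accompanying deletion of README.source and 00list is consistent with such a format switch, but several of the deleted dpatch files (nettle_2.0, 30_nonettle, ipv6_v6only, 20_sftp-server_mansection) have no replacement visible in the part of the revision shown here, and the page is cut off before the end, so whether they were dropped deliberately cannot be told from this view. Which of the two Build-Depends lines is the removed and which the added one is not marked in this rendered section; the reading above assumes the debhelper (>= 5) line is the old one.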
/trunk/debian/compat
1,0 → 0,0
5
7
/trunk/debian/patches/20_sftp-server_mansection.dpatch
File deleted
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch
===================================================================
--- debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch (revision 77)
+++ debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch (nonexistent)
@@ -1,36 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 40_mkdir_dotlsh.dpatch by Magnus Holmgren <holmgren@debian.org>
-##
-## DP: Show the intended error message, instead of one about a locking
-## DP: error, when no seed file exists
-
-@DPATCH@
-diff -urNad trunk~/src/unix_random.c trunk/src/unix_random.c
---- trunk~/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100
-+++ trunk/src/unix_random.c 2008-06-24 22:29:29.000000000 +0200
-@@ -353,6 +353,15 @@
-
- yarrow256_init(&self->yarrow, RANDOM_NSOURCES, self->sources);
-
-+ if (access(lsh_get_cstring(seed_file_name), F_OK) < 0)
-+ {
-+ werror("No seed file. Please create one by running\n");
-+ werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
-+
-+ KILL(self);
-+ return NULL;
-+ }
-+
- verbose("Reading seed-file `%S'\n", seed_file_name);
-
- self->lock
-@@ -374,8 +383,7 @@
- self->seed_file_fd = open(lsh_get_cstring(seed_file_name), O_RDWR);
- if (self->seed_file_fd < 0)
- {
-- werror("No seed file. Please create one by running\n");
-- werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
-+ werror("Could not open seed file \"%S\".\n", seed_file_name);
-
- KILL_RESOURCE(lock);
- KILL(self);
/debian/patches/40_better_errmsg_when_dotlsh_missing.dpatch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/ipv6_v6only.dpatch
===================================================================
--- debian/patches/ipv6_v6only.dpatch (revision 77)
+++ debian/patches/ipv6_v6only.dpatch (nonexistent)
@@ -1,25 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## ipv6_v6only.dpatch by Magnus Holmgren <holmgren@debian.org>
-##
-## DP: Set the IPV6_V6ONLY socket option on AF_INET6 sockets; since
-## DP: lshd by default enumerates available address families and calls
-## DP: bind() once for each, conflicts will occur otherwise.
-
-@DPATCH@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c
---- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100
-+++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200
-@@ -1690,6 +1690,13 @@
- {
- int yes = 1;
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes);
-+#if WITH_IPV6 && defined (IPV6_V6ONLY)
-+ if (local->sa_family == AF_INET6)
-+ {
-+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0)
-+ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno);
-+ }
-+#endif
- }
-
- if (bind(s, local, length) < 0)
/debian/patches/ipv6_v6only.dpatch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/terminate_on_connection_failure.dpatch
===================================================================
--- debian/patches/terminate_on_connection_failure.dpatch (revision 77)
+++ debian/patches/terminate_on_connection_failure.dpatch (nonexistent)
@@ -1,19 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## terminate_on_connection_failure.dpatch by Magnus Holmgren <holmgren@debian.org>
-##
-## DP: Call exit() in lsh's default exception handler on EXC_IO_CONNECT; otherwise
-## DP: lsh won't terminate.
-
-@DPATCH@
-diff -urNad trunk~/src/lsh.c trunk/src/lsh.c
---- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100
-+++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100
-@@ -959,6 +959,8 @@
- *self->status = EXIT_FAILURE;
-
- werror("%z, (errno = %i)\n", e->msg, exc->error);
-+ if (e->type == EXC_IO_CONNECT)
-+ exit(*self->status);
- }
- else
- switch(e->type)
/debian/patches/terminate_on_connection_failure.dpatch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/30_nonettle.dpatch
===================================================================
--- debian/patches/30_nonettle.dpatch (revision 77)
+++ debian/patches/30_nonettle.dpatch (nonexistent)
@@ -1,27 +0,0 @@
-#!/bin/sh
-## 30_nonettle.dpatch by Magnus Holmgren <holmgren@debian.org>
-##
-## DP: Link dynamically with libnettle-dev instead of the bundled version
-
-set -e
-FILES=`find src -name nettle -prune -o -name Makefile.in -print`
-
-dpatch_patch() {
- if [ ! -f debian/patched/30_nonettle_orig.tar.gz ]; then
- tar -czf debian/patched/30_nonettle_orig.tar.gz $FILES
- sed -ri -e '/^LDADD/,+1s%(\.\.?/)*nettle/libnettle\.a|-lnettle%-lnettle -lhogweed%' \
- -e 's%\s*(-[IL]\s*)?(\.\.?/)*\bnettle(/libnettle\.a)?\b%%g' $FILES
- mv src/nettle src/nettle-unused
- fi
-}
-
-dpatch_unpatch() {
- if [ -f debian/patched/30_nonettle_orig.tar.gz ]; then
- mv src/nettle-unused src/nettle
- tar -xzf debian/patched/30_nonettle_orig.tar.gz
- fi
-}
-
-DPATCH_LIB_NO_DEFAULT=1
-
-. /usr/share/dpatch/dpatch.lib.sh
Index: debian/patches/blacklist.dpatch
===================================================================
--- debian/patches/blacklist.dpatch (revision 77)
+++ debian/patches/blacklist.dpatch (nonexistent)
@@ -1,423 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## blacklist.dpatch by Magnus Holmgren <holmgren@debian.org>
-## blacklist.c code copied from the openssh package and adapted for LSH.
-##
-## DP: Check keys against openssh-blacklist before accepting for
-## DP: pubkey authentication as well as on conversion by lsh-writekey
-## DP: and lsh-decode-key.
-
-@DPATCH@
-diff -urNad trunk~/src/Makefile.am trunk/src/Makefile.am
---- trunk~/src/Makefile.am 2004-11-18 22:52:16.000000000 +0100
-+++ trunk/src/Makefile.am 2009-11-0 23:57:07.000000000 +0100
-@@ -72,7 +72,8 @@
- unix_interact.c unix_process.c unix_random.c unix_user.c \
- userauth.c \
- werror.c write_buffer.c write_packet.c \
-- xalloc.c xauth.c zlib.c
-+ xalloc.c xauth.c zlib.c \
-+ blacklist.c
-
- liblsh_a_LIBADD = @LIBOBJS@
-
-diff -urNad trunk~/src/Makefile.in trunk/src/Makefile.in
---- trunk~/src/Makefile.in 2009-11-07 23:57:06.000000000 +0100
-+++ trunk/src/Makefile.in 2009-11-07 23:57:07.000000000 +0100
-@@ -91,7 +91,8 @@
- tty.$(OBJEXT) unix_interact.$(OBJEXT) unix_process.$(OBJEXT) \
- unix_random.$(OBJEXT) unix_user.$(OBJEXT) userauth.$(OBJEXT) \
- werror.$(OBJEXT) write_buffer.$(OBJEXT) write_packet.$(OBJEXT) \
-- xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT)
-+ xalloc.$(OBJEXT) xauth.$(OBJEXT) zlib.$(OBJEXT) \
-+ blacklist.$(OBJEXT)
- liblsh_a_OBJECTS = $(am_liblsh_a_OBJECTS)
- am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" \
- "$(DESTDIR)$(bindir)"
-@@ -510,7 +511,8 @@
- unix_interact.c unix_process.c unix_random.c unix_user.c \
- userauth.c \
- werror.c write_buffer.c write_packet.c \
-- xalloc.c xauth.c zlib.c
-+ xalloc.c xauth.c zlib.c \
-+ blacklist.c
-
- liblsh_a_LIBADD = @LIBOBJS@
-
-@@ -705,6 +707,7 @@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/algorithms.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alist.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoms.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blacklist.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_commands.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/channel_forward.Po@am__quote@
-diff -urNad trunk~/src/abstract_crypto.h trunk/src/abstract_crypto.h
---- trunk~/src/abstract_crypto.h 2003-11-16 19:10:30.000000000 +0100
-+++ trunk/src/abstract_crypto.h 2009-11-07 23:57:37.000000000 +0100
-@@ -162,7 +162,9 @@
- (public_key method (string))
-
- ; Returns (public-key (<pub-sig-alg-id> <s-expr>*))
-- (public_spki_key method (string) "int transport")))
-+ (public_spki_key method (string) "int transport")
-+
-+ (key_size method uint32_t)))
- */
-
- #define VERIFY(verifier, algorithm, length, data, slength, sdata) \
-@@ -170,7 +172,7 @@
-
- #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier)))
- #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t)))
--
-+#define KEY_SIZE(verifier) ((verifier)->key_size((verifier)))
-
- /* GABA:
- (class
-diff -urNad trunk~/src/abstract_crypto.h.x trunk/src/abstract_crypto.h.x
---- trunk~/src/abstract_crypto.h.x 2007-06-04 22:18:39.000000000 +0200
-+++ trunk/src/abstract_crypto.h.x 2009-11-07 23:57:07.000000000 +0100
-@@ -161,6 +161,7 @@
- int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data);
- struct lsh_string *(*(public_key))(struct verifier *self);
- struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport);
-+ uint32_t *(*(key_size))(struct verifier *self);
- };
- extern struct lsh_class verifier_class;
- #endif /* !GABA_DEFINE */
-diff -urNad trunk~/src/blacklist.c trunk/src/blacklist.c
---- trunk~/src/blacklist.c 1970-01-01 01:00:00.000000000 +0100
-+++ trunk/src/blacklist.c 2009-11-07 23:57:07.000000000 +0100
-@@ -0,0 +1,150 @@
-+#if HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+
-+#include <assert.h>
-+
-+#include "atoms.h"
-+#include "format.h"
-+#include "lsh_string.h"
-+#include "werror.h"
-+#include "crypto.h"
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <string.h>
-+
-+int blacklisted_key(struct verifier *v, int method);
-+
-+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
-+static int
-+blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file)
-+{
-+ int fd = -1;
-+ const char *hash = 0;
-+ uint32_t line_len;
-+ struct stat st;
-+ char buf[256];
-+ off_t start, lower, upper;
-+ int ret = 0;
-+
-+ debug("Checking blacklist file %S\n", blacklist_file);
-+ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY);
-+ if (fd < 0) {
-+ ret = -1;
-+ goto out;
-+ }
-+
-+ hash = lsh_get_cstring(lsh_hash) + 12;
-+ line_len = strlen(hash);
-+ if (line_len != 20)
-+ goto out;
-+
-+ /* Skip leading comments */
-+ start = 0;
-+ for (;;) {
-+ ssize_t r;
-+ char *newline;
-+
-+ r = read(fd, buf, sizeof(buf));
-+ if (r <= 0)
-+ goto out;
-+ if (buf[0] != '#')
-+ break;
-+
-+ newline = memchr(buf, '\n', sizeof(buf));
-+ if (!newline)
-+ goto out;
-+ start += newline + 1 - buf;
-+ if (lseek(fd, start, SEEK_SET) < 0)
-+ goto out;
-+ }
-+
-+ /* Initialise binary search record numbers */
-+ if (fstat(fd, &st) < 0)
-+ goto out;
-+ lower = 0;
-+ upper = (st.st_size - start) / (line_len + 1);
-+
-+ while (lower != upper) {
-+ off_t cur;
-+ int cmp;
-+
-+ cur = lower + (upper - lower) / 2;
-+
-+ /* Read this line and compare to digest; this is
-+ * overflow-safe since cur < max(off_t) / (line_len + 1) */
-+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
-+ break;
-+ if (read(fd, buf, line_len) != line_len)
-+ break;
-+ cmp = memcmp(buf, hash, line_len);
-+ if (cmp < 0) {
-+ if (cur == lower)
-+ break;
-+ lower = cur;
-+ } else if (cmp > 0) {
-+ if (cur == upper)
-+ break;
-+ upper = cur;
-+ } else {
-+ ret = 1;
-+ break;
-+ }
-+ }
-+
-+out:
-+ if (fd >= 0)
-+ close(fd);
-+ return ret;
-+}
-+
-+/*
-+ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found,
-+ * its fingerprint is returned in *fp, unless fp is NULL.
-+ */
-+int
-+blacklisted_key(struct verifier *v, int method)
-+{
-+ const char *keytype;
-+ int ret = -1;
-+ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL };
-+ const char **pp;
-+ struct lsh_string *lsh_hash = ssh_format("%lfxS",
-+ hash_string(&crypto_md5_algorithm,
-+ PUBLIC_KEY(v), 1));
-+ uint32_t keysize = KEY_SIZE(v);
-+
-+ switch (method)
-+ {
-+ case ATOM_SSH_DSS:
-+ case ATOM_DSA:
-+ keytype = "DSA";
-+ break;
-+ case ATOM_SSH_RSA:
-+ case ATOM_RSA_PKCS1_SHA1:
-+ case ATOM_RSA_PKCS1_MD5:
-+ case ATOM_RSA_PKCS1:
-+ keytype = "RSA";
-+ break;
-+ default:
-+ werror("Unrecognized key type");
-+ return -1;
-+ }
-+
-+ for (pp = paths; *pp && ret <= 0; pp++) {
-+ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di",
-+ *pp, keytype, keysize);
-+ int r = blacklisted_key_in_file(lsh_hash, blacklist_file);
-+ lsh_string_free(blacklist_file);
-+ if (r > ret) ret = r;
-+ }
-+
-+ if (ret > 0) {
-+ werror("Key is compromised: %z %i %fS\n", keytype, keysize,
-+ lsh_string_colonize(lsh_hash, 2, 0));
-+ }
-+ return ret;
-+}
-diff -urNad trunk~/src/dsa.c trunk/src/dsa.c
---- trunk~/src/dsa.c 2004-06-08 20:00:45.000000000 +0200
-+++ trunk/src/dsa.c 2009-11-07 23:57:07.000000000 +0100
-@@ -189,6 +189,14 @@
- "y", self->key.y);
- }
-
-+static uint32_t
-+do_dsa_key_size(struct verifier *v)
-+{
-+ CAST(dsa_verifier, self, v);
-+
-+ return mpz_sizeinbase(self->key.p, 2);
-+}
-+
- static void
- init_dsa_verifier(struct dsa_verifier *self)
- {
-@@ -199,6 +207,7 @@
- self->super.verify = do_dsa_verify;
- self->super.public_spki_key = do_dsa_public_spki_key;
- self->super.public_key = do_dsa_public_key;
-+ self->super.key_size = do_dsa_key_size;
- }
-
-
-diff -urNad trunk~/src/lsh-decode-key.c trunk/src/lsh-decode-key.c
---- trunk~/src/lsh-decode-key.c 2005-09-06 14:43:15.000000000 +0200
-+++ trunk/src/lsh-decode-key.c 2009-11-07 23:57:07.000000000 +0100
-@@ -133,6 +133,10 @@
- werror("Invalid dsa key.\n");
- return NULL;
- }
-+ else if (blacklisted_key(v, type))
-+ {
-+ return NULL;
-+ }
- else
- return PUBLIC_SPKI_KEY(v, 1);
- }
-@@ -150,6 +154,10 @@
- werror("Invalid rsa key.\n");
- return NULL;
- }
-+ else if (blacklisted_key(v, type))
-+ {
-+ return NULL;
-+ }
- else
- return PUBLIC_SPKI_KEY(v, 1);
- }
-diff -urNad trunk~/src/lsh-writekey.c trunk/src/lsh-writekey.c
---- trunk~/src/lsh-writekey.c 2004-11-17 11:55:11.000000000 +0100
-+++ trunk/src/lsh-writekey.c 2009-11-07 23:57:07.000000000 +0100
-@@ -397,14 +397,18 @@
- {
- struct signer *s;
- struct verifier *v;
-+ int algorithm_name;
-
-- s = spki_make_signer(options->signature_algorithms, key, NULL);
-+ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name);
-
- if (!s)
- return NULL;
-
- v = SIGNER_GET_VERIFIER(s);
- assert(v);
-+ if (blacklisted_key(v, algorithm_name)) {
-+ return NULL;
-+ }
-
- return PUBLIC_SPKI_KEY(v, 1);
- }
-@@ -416,7 +420,8 @@
- int private_fd;
- int public_fd;
- struct lsh_string *input;
-- struct lsh_string *output;
-+ struct lsh_string *priv_output;
-+ struct lsh_string *pub_output;
- const struct exception *e;
-
- argp_parse(&main_argp, argc, argv, 0, NULL, options);
-@@ -439,16 +444,22 @@
- return EXIT_FAILURE;
- }
-
-- output = process_private(input, options);
-- if (!output)
-+ pub_output = process_public(input, options);
-+ if (!pub_output)
-+ return EXIT_FAILURE;
-+
-+ priv_output = process_private(input, options);
-+ if (!priv_output)
- return EXIT_FAILURE;
-
-+ lsh_string_free(input);
-+
- private_fd = open_file(options->private_file);
- if (private_fd < 0)
- return EXIT_FAILURE;
-
-- e = write_raw(private_fd, STRING_LD(output));
-- lsh_string_free(output);
-+ e = write_raw(private_fd, STRING_LD(priv_output));
-+ lsh_string_free(priv_output);
-
- if (e)
- {
-@@ -457,18 +468,12 @@
- return EXIT_FAILURE;
- }
-
-- output = process_public(input, options);
-- lsh_string_free(input);
--
-- if (!output)
-- return EXIT_FAILURE;
--
- public_fd = open_file(options->public_file);
- if (public_fd < 0)
- return EXIT_FAILURE;
-
-- e = write_raw(public_fd, STRING_LD(output));
-- lsh_string_free(output);
-+ e = write_raw(public_fd, STRING_LD(pub_output));
-+ lsh_string_free(pub_output);
-
- if (e)
- {
-diff -urNad trunk~/src/publickey_crypto.h trunk/src/publickey_crypto.h
---- trunk~/src/publickey_crypto.h 2004-06-15 13:32:51.000000000 +0200
-+++ trunk/src/publickey_crypto.h 2009-11-07 23:57:07.000000000 +0100
-@@ -203,5 +203,7 @@
- struct verifier *
- make_ssh_dss_verifier(const struct lsh_string *public);
-
-+int
-+blacklisted_key(struct verifier *v, int method);
-
- #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */
-diff -urNad trunk~/src/rsa.c trunk/src/rsa.c
---- trunk~/src/rsa.c 2003-11-16 19:49:12.000000000 +0100
-+++ trunk/src/rsa.c 2009-11-07 23:57:07.000000000 +0100
-@@ -167,6 +167,14 @@
- self->key.n, self->key.e);
- }
-
-+static uint32_t
-+do_rsa_key_size(struct verifier *v)
-+{
-+ CAST(rsa_verifier, self, v);
-+
-+ return mpz_sizeinbase(self->key.n, 2);
-+}
-+
-
- /* NOTE: To initialize an rsa verifier, one must
- *
-@@ -184,6 +192,7 @@
- self->super.verify = do_rsa_verify;
- self->super.public_key = do_rsa_public_key;
- self->super.public_spki_key = do_rsa_public_spki_key;
-+ self->super.key_size = do_rsa_key_size;
- }
-
- /* Alternative constructor using a key of type ssh-rsa, when the atom
-diff -urNad trunk~/src/server_authorization.c trunk/src/server_authorization.c
---- trunk~/src/server_authorization.c 2004-06-08 20:01:15.000000000 +0200
-+++ trunk/src/server_authorization.c 2009-11-07 23:57:07.000000000 +0100
-@@ -93,7 +93,8 @@
- PUBLIC_SPKI_KEY(v, 0),
- 1));
-
-- if (USER_FILE_EXISTS(keyholder, filename, 1))
-+ if (USER_FILE_EXISTS(keyholder, filename, 1)
-+ && blacklisted_key(v, method) < 1)
- return v;
-
- return NULL;
/debian/patches/blacklist.dpatch
Property changes:
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: debian/patches/nettle_2.0.dpatch
===================================================================
--- debian/patches/nettle_2.0.dpatch (revision 77)
+++ debian/patches/nettle_2.0.dpatch (nonexistent)
@@ -1,200 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## nettle_2.0.dpatch by Magnus Holmgren <holmgren@debian.org>
-##
-## DP: Adapt to Nettle 2.0
-
-@DPATCH@
-diff -ur lsh-2.0.4/src/crypto.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/crypto.c
---- lsh-2.0.4/src/crypto.c 2005-11-26 18:13:55.000000000 +0100
-+++ lsh-utils-2.0.4-dfsg/src/crypto.c 2009-08-04 23:57:22.000000000 +0200
-@@ -71,7 +71,7 @@
- assert(!(length % 8));
-
- lsh_string_crypt(dst, di, src, si, length,
-- (nettle_crypt_func) arcfour_crypt, &self->ctx);
-+ (nettle_crypt_func*) arcfour_crypt, &self->ctx);
- }
-
- static struct crypto_instance *
-@@ -114,7 +114,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- AES_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) aes_encrypt,
-+ (nettle_crypt_func*) aes_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -128,7 +128,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- AES_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) aes_decrypt,
-+ (nettle_crypt_func*) aes_decrypt,
- &self->ctx.ctx);
- }
-
-@@ -185,7 +185,7 @@
-
- lsh_string_ctr_crypt(dst, di, src, si, length,
- AES_BLOCK_SIZE, self->ctx.ctr,
-- (nettle_crypt_func) aes_encrypt,
-+ (nettle_crypt_func*) aes_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -227,7 +227,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- DES3_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) des3_encrypt,
-+ (nettle_crypt_func*) des3_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -241,7 +241,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- DES3_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) des3_decrypt,
-+ (nettle_crypt_func*) des3_decrypt,
- &self->ctx.ctx);
- }
-
-@@ -303,7 +303,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- CAST128_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) cast128_encrypt,
-+ (nettle_crypt_func*) cast128_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -317,7 +317,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- CAST128_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) cast128_decrypt,
-+ (nettle_crypt_func*) cast128_decrypt,
- &self->ctx.ctx);
- }
-
-@@ -363,7 +363,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- TWOFISH_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) twofish_encrypt,
-+ (nettle_crypt_func*) twofish_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -377,7 +377,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- TWOFISH_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) twofish_decrypt,
-+ (nettle_crypt_func*) twofish_decrypt,
- &self->ctx.ctx);
- }
-
-@@ -422,7 +422,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- BLOWFISH_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) blowfish_encrypt,
-+ (nettle_crypt_func*) blowfish_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -436,7 +436,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- BLOWFISH_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) blowfish_decrypt,
-+ (nettle_crypt_func*) blowfish_decrypt,
- &self->ctx.ctx);
- }
-
-@@ -488,7 +488,7 @@
-
- lsh_string_cbc_encrypt(dst, di, src, si, length,
- SERPENT_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) serpent_encrypt,
-+ (nettle_crypt_func*) serpent_encrypt,
- &self->ctx.ctx);
- }
-
-@@ -502,7 +502,7 @@
-
- lsh_string_cbc_decrypt(dst, di, src, si, length,
- SERPENT_BLOCK_SIZE, self->ctx.iv,
-- (nettle_crypt_func) serpent_decrypt,
-+ (nettle_crypt_func*) serpent_decrypt,
- &self->ctx.ctx);
- }
-
-diff -ur lsh-2.0.4/src/lsh-make-seed.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c
---- lsh-2.0.4/src/lsh-make-seed.c 2006-01-23 18:51:06.000000000 +0100
-+++ lsh-utils-2.0.4-dfsg/src/lsh-make-seed.c 2009-08-05 00:24:58.000000000 +0200
-@@ -1219,6 +1219,7 @@
-
- struct yarrow256_ctx yarrow;
- struct yarrow_source sources[NSOURCES];
-+ uint8_t seed[YARROW256_SEED_FILE_SIZE];
-
- argp_parse(&main_argp, argc, argv, 0, NULL, options);
-
-@@ -1371,7 +1372,8 @@
- }
- }
-
-- e = write_raw(fd, sizeof(yarrow.seed_file), yarrow.seed_file);
-+ yarrow256_random(&yarrow, sizeof(seed), seed);
-+ e = write_raw(fd, sizeof(seed), seed);
-
- if (e)
- {
-diff -ur lsh-2.0.4/src/unix_random.c /var/cache/users/magnus/svn-buildpackage/lsh-utils/lsh-utils-2.0.4-dfsg/src/unix_random.c
---- lsh-2.0.4/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100
-+++ lsh-utils-2.0.4-dfsg/src/unix_random.c 2009-08-05 00:28:31.000000000 +0200
-@@ -81,6 +81,7 @@
- int fd)
- {
- const struct exception *e;
-+ uint8_t seed[YARROW256_SEED_FILE_SIZE];
-
- if (lseek(fd, 0, SEEK_SET) < 0)
- {
-@@ -88,7 +89,8 @@
- return 0;
- }
-
-- e = write_raw(fd, YARROW256_SEED_FILE_SIZE, ctx->seed_file);
-+ yarrow256_random(ctx, sizeof(seed), seed);
-+ e = write_raw(fd, sizeof(seed), seed);
-
- if (e)
- {
-@@ -183,17 +183,19 @@
- {
- struct lsh_string *s = read_seed_file(self->seed_file_fd);
-
-- write_seed_file(&self->yarrow, self->seed_file_fd);
-- KILL_RESOURCE(lock);
--
- /* Mix in the old seed file, it might have picked up
- * some randomness. */
- if (s)
- {
-+ self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST;
- yarrow256_update(&self->yarrow, RANDOM_SOURCE_NEW_SEED,
- 0, STRING_LD(s));
- lsh_string_free(s);
-+ yarrow256_fast_reseed(&self->yarrow);
- }
-+
-+ write_seed_file(&self->yarrow, self->seed_file_fd);
-+ KILL_RESOURCE(lock);
- }
- }
-
Index: debian/patches/00list
===================================================================
--- debian/patches/00list (revision 77)
+++ debian/patches/00list (nonexistent)
@@ -1,7 +0,0 @@
-20_sftp-server_mansection
-30_nonettle
-40_better_errmsg_when_dotlsh_missing
-nettle_2.0
-blacklist
-terminate_on_connection_failure
-ipv6_v6only
Index: debian/patches/better-errmsg-when-dotlsh-missing.patch
===================================================================
--- debian/patches/better-errmsg-when-dotlsh-missing.patch (nonexistent)
+++ debian/patches/better-errmsg-when-dotlsh-missing.patch (revision 79)
@@ -0,0 +1,33 @@
+Author: Magnus Holmgren <holmgren@debian.org>
+Description: Show the intended error message when no seed file exists
+ (instead of one about a locking error)
+
+diff -urNad trunk~/src/unix_random.c trunk/src/unix_random.c
+--- trunk~/src/unix_random.c 2006-01-23 18:47:10.000000000 +0100
++++ trunk/src/unix_random.c 2008-06-24 22:29:29.000000000 +0200
+@@ -353,6 +353,15 @@
+
+ yarrow256_init(&self->yarrow, RANDOM_NSOURCES, self->sources);
+
++ if (access(lsh_get_cstring(seed_file_name), F_OK) < 0)
++ {
++ werror("No seed file. Please create one by running\n");
++ werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
++
++ KILL(self);
++ return NULL;
++ }
++
+ verbose("Reading seed-file `%S'\n", seed_file_name);
+
+ self->lock
+@@ -374,8 +383,7 @@
+ self->seed_file_fd = open(lsh_get_cstring(seed_file_name), O_RDWR);
+ if (self->seed_file_fd < 0)
+ {
+- werror("No seed file. Please create one by running\n");
+- werror("lsh-make-seed -o \"%S\".\n", seed_file_name);
++ werror("Could not open seed file \"%S\".\n", seed_file_name);
+
+ KILL_RESOURCE(lock);
+ KILL(self);
/debian/patches/better-errmsg-when-dotlsh-missing.patch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
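Review bot: The `Added: svn:executable` property on better-errmsg-when-dotlsh-missing.patch (and likewise on terminate-on-connection-failure.patch further down) looks like a leftover of the dpatch convention, where each patch was a shell script run by dpatch-run; the new files are plain quilt-style patches that are only read, never executed, so the execute bit is unnecessary and the property can be left off. The patch body itself carries over the hunk from 40_better_errmsg_when_dotlsh_missing.dpatch unchanged, with the DP: lines rewritten as `Author:`/`Description:` headers; if the headers are meant to follow DEP-3, a `Forwarded:` field stating whether the change was sent upstream would complete them.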
Index: debian/patches/terminate-on-connection-failure.patch
===================================================================
--- debian/patches/terminate-on-connection-failure.patch (nonexistent)
+++ debian/patches/terminate-on-connection-failure.patch (revision 79)
@@ -0,0 +1,16 @@
+Author: Magnus Holmgren <holmgren@debian.org>
+Description: Call exit() in lsh's default exception handler on EXC_IO_CONNECT
+ Otherwise lsh won't terminate.
+
+diff -urNad trunk~/src/lsh.c trunk/src/lsh.c
+--- trunk~/src/lsh.c 2005-03-16 21:06:23.000000000 +0100
++++ trunk/src/lsh.c 2010-01-09 22:32:51.000000000 +0100
+@@ -959,6 +959,8 @@
+ *self->status = EXIT_FAILURE;
+
+ werror("%z, (errno = %i)\n", e->msg, exc->error);
++ if (e->type == EXC_IO_CONNECT)
++ exit(*self->status);
+ }
+ else
+ switch(e->type)
/debian/patches/terminate-on-connection-failure.patch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/blacklist.patch
===================================================================
--- debian/patches/blacklist.patch (nonexistent)
+++ debian/patches/blacklist.patch (revision 79)
@@ -0,0 +1,380 @@
+Author: Magnus Holmgren <holmgren@debian.org>
+Description: Check keys against openssh-blacklist
+ Check keys before accepting for pubkey authentication as well as on conversion
+ by lsh-writekey and lsh-decode-key.
+ .
+ blacklist.c code copied from the openssh package and adapted for LSH.
+
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -69,7 +69,8 @@ liblsh_a_SOURCES = abstract_io.c abstrac
+ unix_interact.c unix_process.c unix_random.c unix_user.c \
+ userauth.c \
+ werror.c write_buffer.c write_packet.c \
+- xalloc.c xauth.c zlib.c
++ xalloc.c xauth.c zlib.c \
++ blacklist.c
+
+ liblsh_a_LIBADD = @LIBOBJS@
+
+--- a/src/abstract_crypto.h
++++ b/src/abstract_crypto.h
+@@ -162,7 +162,9 @@ MAC_DIGEST((instance), lsh_string_alloc(
+ (public_key method (string))
+
+ ; Returns (public-key (<pub-sig-alg-id> <s-expr>*))
+- (public_spki_key method (string) "int transport")))
++ (public_spki_key method (string) "int transport")
++
++ (key_size method uint32_t)))
+ */
+
+ #define VERIFY(verifier, algorithm, length, data, slength, sdata) \
+@@ -170,7 +172,7 @@ MAC_DIGEST((instance), lsh_string_alloc(
+
+ #define PUBLIC_KEY(verifier) ((verifier)->public_key((verifier)))
+ #define PUBLIC_SPKI_KEY(verifier, t) ((verifier)->public_spki_key((verifier), (t)))
+-
++#define KEY_SIZE(verifier) ((verifier)->key_size((verifier)))
+
+ /* GABA:
+ (class
+--- a/src/abstract_crypto.h.x
++++ b/src/abstract_crypto.h.x
+@@ -161,6 +161,7 @@ struct verifier
+ int (*(verify))(struct verifier *self,int algorithm,uint32_t length,const uint8_t *data,uint32_t signature_length,const uint8_t *signature_data);
+ struct lsh_string *(*(public_key))(struct verifier *self);
+ struct lsh_string *(*(public_spki_key))(struct verifier *self,int transport);
++ uint32_t *(*(key_size))(struct verifier *self);
+ };
+ extern struct lsh_class verifier_class;
+ #endif /* !GABA_DEFINE */
+--- /dev/null
++++ b/src/blacklist.c
+@@ -0,0 +1,150 @@
++#if HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <assert.h>
++
++#include "atoms.h"
++#include "format.h"
++#include "lsh_string.h"
++#include "werror.h"
++#include "crypto.h"
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <fcntl.h>
++#include <string.h>
++
++int blacklisted_key(struct verifier *v, int method);
++
++/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
++static int
++blacklisted_key_in_file(struct lsh_string *lsh_hash, struct lsh_string *blacklist_file)
++{
++ int fd = -1;
++ const char *hash = 0;
++ uint32_t line_len;
++ struct stat st;
++ char buf[256];
++ off_t start, lower, upper;
++ int ret = 0;
++
++ debug("Checking blacklist file %S\n", blacklist_file);
++ fd = open(lsh_get_cstring(blacklist_file), O_RDONLY);
++ if (fd < 0) {
++ ret = -1;
++ goto out;
++ }
++
++ hash = lsh_get_cstring(lsh_hash) + 12;
++ line_len = strlen(hash);
++ if (line_len != 20)
++ goto out;
++
++ /* Skip leading comments */
++ start = 0;
++ for (;;) {
++ ssize_t r;
++ char *newline;
++
++ r = read(fd, buf, sizeof(buf));
++ if (r <= 0)
++ goto out;
++ if (buf[0] != '#')
++ break;
++
++ newline = memchr(buf, '\n', sizeof(buf));
++ if (!newline)
++ goto out;
++ start += newline + 1 - buf;
++ if (lseek(fd, start, SEEK_SET) < 0)
++ goto out;
++ }
++
++ /* Initialise binary search record numbers */
++ if (fstat(fd, &st) < 0)
++ goto out;
++ lower = 0;
++ upper = (st.st_size - start) / (line_len + 1);
++
++ while (lower != upper) {
++ off_t cur;
++ int cmp;
++
++ cur = lower + (upper - lower) / 2;
++
++ /* Read this line and compare to digest; this is
++ * overflow-safe since cur < max(off_t) / (line_len + 1) */
++ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
++ break;
++ if (read(fd, buf, line_len) != line_len)
++ break;
++ cmp = memcmp(buf, hash, line_len);
++ if (cmp < 0) {
++ if (cur == lower)
++ break;
++ lower = cur;
++ } else if (cmp > 0) {
++ if (cur == upper)
++ break;
++ upper = cur;
++ } else {
++ ret = 1;
++ break;
++ }
++ }
++
++out:
++ if (fd >= 0)
++ close(fd);
++ return ret;
++}
++
++/*
++ * Scan blacklists of known-vulnerable keys. If a vulnerable key is found,
++ * its fingerprint is returned in *fp, unless fp is NULL.
++ */
++int
++blacklisted_key(struct verifier *v, int method)
++{
++ const char *keytype;
++ int ret = -1;
++ const char *paths[] = { "/usr/share/ssh/blacklist", "/etc/ssh/blacklist", NULL };
++ const char **pp;
++ struct lsh_string *lsh_hash = ssh_format("%lfxS",
++ hash_string(&crypto_md5_algorithm,
++ PUBLIC_KEY(v), 1));
++ uint32_t keysize = KEY_SIZE(v);
++
++ switch (method)
++ {
++ case ATOM_SSH_DSS:
++ case ATOM_DSA:
++ keytype = "DSA";
++ break;
++ case ATOM_SSH_RSA:
++ case ATOM_RSA_PKCS1_SHA1:
++ case ATOM_RSA_PKCS1_MD5:
++ case ATOM_RSA_PKCS1:
++ keytype = "RSA";
++ break;
++ default:
++ werror("Unrecognized key type");
++ return -1;
++ }
++
++ for (pp = paths; *pp && ret <= 0; pp++) {
++ struct lsh_string *blacklist_file = ssh_format("%lz.%lz-%di",
++ *pp, keytype, keysize);
++ int r = blacklisted_key_in_file(lsh_hash, blacklist_file);
++ lsh_string_free(blacklist_file);
++ if (r > ret) ret = r;
++ }
++
++ if (ret > 0) {
++ werror("Key is compromised: %z %i %fS\n", keytype, keysize,
++ lsh_string_colonize(lsh_hash, 2, 0));
++ }
++ return ret;
++}
+--- a/src/dsa.c
++++ b/src/dsa.c
+@@ -189,6 +189,14 @@ do_dsa_public_spki_key(struct verifier *
+ "y", self->key.y);
+ }
+
++static uint32_t
++do_dsa_key_size(struct verifier *v)
++{
++ CAST(dsa_verifier, self, v);
++
++ return mpz_sizeinbase(self->key.p, 2);
++}
++
+ static void
+ init_dsa_verifier(struct dsa_verifier *self)
+ {
+@@ -199,6 +207,7 @@ init_dsa_verifier(struct dsa_verifier *s
+ self->super.verify = do_dsa_verify;
+ self->super.public_spki_key = do_dsa_public_spki_key;
+ self->super.public_key = do_dsa_public_key;
++ self->super.key_size = do_dsa_key_size;
+ }
+
+
+--- a/src/lsh-decode-key.c
++++ b/src/lsh-decode-key.c
+@@ -133,6 +133,10 @@ lsh_decode_key(struct lsh_string *conten
+ werror("Invalid dsa key.\n");
+ return NULL;
+ }
++ else if (blacklisted_key(v, type))
++ {
++ return NULL;
++ }
+ else
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
+@@ -150,6 +154,10 @@ lsh_decode_key(struct lsh_string *conten
+ werror("Invalid rsa key.\n");
+ return NULL;
+ }
++ else if (blacklisted_key(v, type))
++ {
++ return NULL;
++ }
+ else
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
+--- a/src/lsh-writekey.c
++++ b/src/lsh-writekey.c
+@@ -397,14 +397,18 @@ process_public(const struct lsh_string *
+ {
+ struct signer *s;
+ struct verifier *v;
++ int algorithm_name;
+
+- s = spki_make_signer(options->signature_algorithms, key, NULL);
++ s = spki_make_signer(options->signature_algorithms, key, &algorithm_name);
+
+ if (!s)
+ return NULL;
+
+ v = SIGNER_GET_VERIFIER(s);
+ assert(v);
++ if (blacklisted_key(v, algorithm_name)) {
++ return NULL;
++ }
+
+ return PUBLIC_SPKI_KEY(v, 1);
+ }
+@@ -416,7 +420,8 @@ main(int argc, char **argv)
+ int private_fd;
+ int public_fd;
+ struct lsh_string *input;
+- struct lsh_string *output;
++ struct lsh_string *priv_output;
++ struct lsh_string *pub_output;
+ const struct exception *e;
+
+ argp_parse(&main_argp, argc, argv, 0, NULL, options);
+@@ -439,16 +444,22 @@ main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
+- output = process_private(input, options);
+- if (!output)
++ pub_output = process_public(input, options);
++ if (!pub_output)
++ return EXIT_FAILURE;
++
++ priv_output = process_private(input, options);
++ if (!priv_output)
+ return EXIT_FAILURE;
+
++ lsh_string_free(input);
++
+ private_fd = open_file(options->private_file);
+ if (private_fd < 0)
+ return EXIT_FAILURE;
+
+- e = write_raw(private_fd, STRING_LD(output));
+- lsh_string_free(output);
++ e = write_raw(private_fd, STRING_LD(priv_output));
++ lsh_string_free(priv_output);
+
+ if (e)
+ {
+@@ -457,18 +468,12 @@ main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+
+- output = process_public(input, options);
+- lsh_string_free(input);
+-
+- if (!output)
+- return EXIT_FAILURE;
+-
+ public_fd = open_file(options->public_file);
+ if (public_fd < 0)
+ return EXIT_FAILURE;
+
+- e = write_raw(public_fd, STRING_LD(output));
+- lsh_string_free(output);
++ e = write_raw(public_fd, STRING_LD(pub_output));
++ lsh_string_free(pub_output);
+
+ if (e)
+ {
+--- a/src/publickey_crypto.h
++++ b/src/publickey_crypto.h
+@@ -203,5 +203,7 @@ parse_ssh_dss_public(struct simple_buffe
+ struct verifier *
+ make_ssh_dss_verifier(const struct lsh_string *public);
+
++int
++blacklisted_key(struct verifier *v, int method);
+
+ #endif /* LSH_PUBLICKEY_CRYPTO_H_INCLUDED */
+--- a/src/rsa.c
++++ b/src/rsa.c
+@@ -167,6 +167,14 @@ do_rsa_public_spki_key(struct verifier *
+ self->key.n, self->key.e);
+ }
+
++static uint32_t
++do_rsa_key_size(struct verifier *v)
++{
++ CAST(rsa_verifier, self, v);
++
++ return mpz_sizeinbase(self->key.n, 2);
++}
++
+
+ /* NOTE: To initialize an rsa verifier, one must
+ *
+@@ -184,6 +192,7 @@ init_rsa_verifier(struct rsa_verifier *s
+ self->super.verify = do_rsa_verify;
+ self->super.public_key = do_rsa_public_key;
+ self->super.public_spki_key = do_rsa_public_spki_key;
++ self->super.key_size = do_rsa_key_size;
+ }
+
+ /* Alternative constructor using a key of type ssh-rsa, when the atom
+--- a/src/server_authorization.c
++++ b/src/server_authorization.c
+@@ -93,7 +93,8 @@ do_key_lookup(struct lookup_verifier *c,
+ PUBLIC_SPKI_KEY(v, 0),
+ 1));
+
+- if (USER_FILE_EXISTS(keyholder, filename, 1))
++ if (USER_FILE_EXISTS(keyholder, filename, 1)
++ && blacklisted_key(v, method) < 1)
+ return v;
+
+ return NULL;
/debian/patches/blacklist.patch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/nettle-2.0.patch
===================================================================
--- debian/patches/nettle-2.0.patch (nonexistent)
+++ debian/patches/nettle-2.0.patch (revision 79)
@@ -0,0 +1,238 @@
+Author: Magnus Holmgren <holmgren@debian.org>
+Description: Adapt to Nettle 2.0
+
+--- a/src/crypto.c
++++ b/src/crypto.c
+@@ -71,7 +71,7 @@ do_crypt_arcfour(struct crypto_instance
+ assert(!(length % 8));
+
+ lsh_string_crypt(dst, di, src, si, length,
+- (nettle_crypt_func) arcfour_crypt, &self->ctx);
++ (nettle_crypt_func*) arcfour_crypt, &self->ctx);
+ }
+
+ static struct crypto_instance *
+@@ -114,7 +114,7 @@ do_aes_cbc_encrypt(struct crypto_instanc
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) aes_encrypt,
++ (nettle_crypt_func*) aes_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -128,7 +128,7 @@ do_aes_cbc_decrypt(struct crypto_instanc
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) aes_decrypt,
++ (nettle_crypt_func*) aes_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -185,7 +185,7 @@ do_aes_ctr_crypt(struct crypto_instance
+
+ lsh_string_ctr_crypt(dst, di, src, si, length,
+ AES_BLOCK_SIZE, self->ctx.ctr,
+- (nettle_crypt_func) aes_encrypt,
++ (nettle_crypt_func*) aes_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -227,7 +227,7 @@ do_des3_encrypt(struct crypto_instance *
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ DES3_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) des3_encrypt,
++ (nettle_crypt_func*) des3_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -241,7 +241,7 @@ do_des3_decrypt(struct crypto_instance *
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ DES3_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) des3_decrypt,
++ (nettle_crypt_func*) des3_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -303,7 +303,7 @@ do_cast128_encrypt(struct crypto_instanc
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ CAST128_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) cast128_encrypt,
++ (nettle_crypt_func*) cast128_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -317,7 +317,7 @@ do_cast128_decrypt(struct crypto_instanc
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ CAST128_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) cast128_decrypt,
++ (nettle_crypt_func*) cast128_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -363,7 +363,7 @@ do_twofish_encrypt(struct crypto_instanc
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ TWOFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) twofish_encrypt,
++ (nettle_crypt_func*) twofish_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -377,7 +377,7 @@ do_twofish_decrypt(struct crypto_instanc
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ TWOFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) twofish_decrypt,
++ (nettle_crypt_func*) twofish_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -422,7 +422,7 @@ do_blowfish_encrypt(struct crypto_instan
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) blowfish_encrypt,
++ (nettle_crypt_func*) blowfish_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -436,7 +436,7 @@ do_blowfish_decrypt(struct crypto_instan
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ BLOWFISH_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) blowfish_decrypt,
++ (nettle_crypt_func*) blowfish_decrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -488,7 +488,7 @@ do_serpent_encrypt(struct crypto_instanc
+
+ lsh_string_cbc_encrypt(dst, di, src, si, length,
+ SERPENT_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) serpent_encrypt,
++ (nettle_crypt_func*) serpent_encrypt,
+ &self->ctx.ctx);
+ }
+
+@@ -502,7 +502,7 @@ do_serpent_decrypt(struct crypto_instanc
+
+ lsh_string_cbc_decrypt(dst, di, src, si, length,
+ SERPENT_BLOCK_SIZE, self->ctx.iv,
+- (nettle_crypt_func) serpent_decrypt,
++ (nettle_crypt_func*) serpent_decrypt,
+ &self->ctx.ctx);
+ }
+
+--- a/src/lsh-make-seed.c
++++ b/src/lsh-make-seed.c
+@@ -1219,6 +1219,7 @@ main(int argc, char **argv)
+
+ struct yarrow256_ctx yarrow;
+ struct yarrow_source sources[NSOURCES];
++ uint8_t seed[YARROW256_SEED_FILE_SIZE];
+
+ argp_parse(&main_argp, argc, argv, 0, NULL, options);
+
+@@ -1371,7 +1372,8 @@ main(int argc, char **argv)
+ }
+ }
+
+- e = write_raw(fd, sizeof(yarrow.seed_file), yarrow.seed_file);
++ yarrow256_random(&yarrow, sizeof(seed), seed);
++ e = write_raw(fd, sizeof(seed), seed);
+
+ if (e)
+ {
+--- a/src/unix_random.c
++++ b/src/unix_random.c
+@@ -81,6 +81,7 @@ write_seed_file(struct yarrow256_ctx *ct
+ int fd)
+ {
+ const struct exception *e;
++ uint8_t seed[YARROW256_SEED_FILE_SIZE];
+
+ if (lseek(fd, 0, SEEK_SET) < 0)
+ {
+@@ -88,7 +89,8 @@ write_seed_file(struct yarrow256_ctx *ct
+ return 0;
+ }
+
+- e = write_raw(fd, YARROW256_SEED_FILE_SIZE, ctx->seed_file);
++ yarrow256_random(ctx, sizeof(seed), seed);
++ e = write_raw(fd, sizeof(seed), seed);
+
+ if (e)
+ {
+@@ -183,17 +185,19 @@ update_seed_file(struct unix_random *sel
+ {
+ struct lsh_string *s = read_seed_file(self->seed_file_fd);
+
+- write_seed_file(&self->yarrow, self->seed_file_fd);
+- KILL_RESOURCE(lock);
+-
+ /* Mix in the old seed file, it might have picked up
+ * some randomness. */
+ if (s)
+ {
++ self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST;
+ yarrow256_update(&self->yarrow, RANDOM_SOURCE_NEW_SEED,
+ 0, STRING_LD(s));
+ lsh_string_free(s);
++ yarrow256_fast_reseed(&self->yarrow);
+ }
++
++ write_seed_file(&self->yarrow, self->seed_file_fd);
++ KILL_RESOURCE(lock);
+ }
+ }
+
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -113,7 +113,7 @@ lsh_krb_checkpw_LDADD=@KRB_LIBS@
+
+ lsh_execuv_LDADD=
+
+-LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@
++LDADD = liblsh.a spki/libspki.a -lnettle -lhogweed @LIBARGP@
+
+ # To avoid having to link lshg with nettle, link with dummy.o.
+
+--- a/src/spki/testsuite/Makefile.am
++++ b/src/spki/testsuite/Makefile.am
+@@ -9,7 +9,7 @@ TS_ALL = $(TS_PROGS) $(TS_SH)
+
+ noinst_PROGRAMS = $(TS_PROGS)
+
+-LDADD = testutils.o ../libspki.a -lnettle
++LDADD = testutils.o ../libspki.a -lnettle -lhogweed
+
+ include .dist_cdsa
+
+--- a/src/spki/tools/Makefile.am
++++ b/src/spki/tools/Makefile.am
+@@ -6,7 +6,7 @@ noinst_PROGRAMS = spki-check-signature s
+ # that affects all programs.
+
+ LDADD = misc.o getopt.o getopt1.o \
+- ../libspki.a -lnettle
++ ../libspki.a -lnettle -lhogweed
+
+ spki_make_signature_SOURCES = spki-make-signature.c sign.c
+ spki_delegate_SOURCES = spki-delegate.c sign.c
+--- a/src/testsuite/Makefile.am
++++ b/src/testsuite/Makefile.am
+@@ -34,7 +34,7 @@ noinst_PROGRAMS = $(TS_PROGS)
+ # Workaround to get automake to keep dependencies for testutils.o
+ EXTRA_PROGRAMS = testutils
+
+-LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle \
++LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle -lhogweed \
+ $(DOTDOT_LIBARGP)
+
+ include .dist_rapid7
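Review bot: The new seed-file writers in src/unix_random.c (`write_seed_file`) and src/lsh-make-seed.c now obtain the bytes to persist via `yarrow256_random(ctx, sizeof(seed), seed)`, and as far as I recall Nettle's yarrow256 asserts that the generator is already seeded when output is requested, so `write_seed_file` at least should either guard with `if (!yarrow256_is_seeded(ctx)) return 0;` (matching its existing failure return) or carry a comment stating why every caller guarantees seeding. The reordering in `update_seed_file` — mix the old file in, force a fast reseed, then write — hinges on the added `self->yarrow.sources[RANDOM_SOURCE_NEW_SEED].next = YARROW_FAST;`, which deserves a comment such as `/* Route this source to the fast pool so the forced fast reseed below absorbs the old seed before the new file is derived from generator output. */`; I am inferring the pool-routing semantics from Nettle's API, so confirm against its yarrow256_update. The fresh `uint8_t seed[YARROW256_SEED_FILE_SIZE]` buffers hold secret generator output and are left on the stack after `write_raw`; clearing them after the write is cheap. `write_seed_file` and both `main` bodies extend beyond the hunk.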
Index: debian/patches/nonettle.patch
===================================================================
--- debian/patches/nonettle.patch (nonexistent)
+++ debian/patches/nonettle.patch (revision 79)
@@ -0,0 +1,214 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -778,7 +778,6 @@ if test x$enable_ipv6 = xyes ; then
+ fi
+
+ AC_CONFIG_SUBDIRS(src/argp)
+-AC_CONFIG_SUBDIRS(src/nettle)
+ AC_CONFIG_SUBDIRS(src/spki)
+ AC_CONFIG_SUBDIRS(src/sftp)
+
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,15 +1,12 @@
+ # Process this file with automake to produce Makefile.in
+
+-SUBDIRS = argp rsync nettle scm sftp spki . testsuite
++SUBDIRS = argp rsync scm sftp spki . testsuite
+
+ include .dist_classes
+ include .dist_headers
+
+ BUILT_SOURCES = environ.h
+
+-# Kludge needed for finding the nettle/nettle-types.h file in the build tree
+-AM_CPPFLAGS = -I./nettle
+-
+ SCHEME = $(SCHEME_PROGRAM) -l $(srcdir)/scm/$(SCHEME_NAME)-compat.scm
+
+ EXTRA_PROGRAMS = lsh-krb-checkpw lsh-pam-checkpw srp-gen
+@@ -116,7 +113,7 @@ lsh_krb_checkpw_LDADD=@KRB_LIBS@
+
+ lsh_execuv_LDADD=
+
+-LDADD = liblsh.a spki/libspki.a nettle/libnettle.a @LIBARGP@
++LDADD = liblsh.a spki/libspki.a -lnettle @LIBARGP@
+
+ # To avoid having to link lshg with nettle, link with dummy.o.
+
+--- a/src/rsync/Makefile.am
++++ b/src/rsync/Makefile.am
+@@ -3,10 +3,6 @@
+ noinst_LIBRARIES = librsync.a
+ noinst_HEADERS = rsync.h
+
+-# Needed for finding the nettle include files in the source tree
+-# and nettle-types.h in the build tree.
+-AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle
+-
+ librsync_a_SOURCES = generate.c receive.c checksum.c send.c
+
+
+--- a/src/sftp/Makefile.am
++++ b/src/sftp/Makefile.am
+@@ -1,8 +1,5 @@
+ SUBDIRS = . testsuite
+
+-# Needed for finding nettle-types.h in the build tree.
+-AM_CPPFLAGS = -I..
+-
+ AUTOMAKE_OPTIONS = foreign
+
+ bin_PROGRAMS = lsftp
+--- a/src/spki/Makefile.am
++++ b/src/spki/Makefile.am
+@@ -1,8 +1,5 @@
+ SUBDIRS = . tools testsuite
+
+-# FIXME: Create a link to nettle directory instead?
+-AM_CPPFLAGS = -I$(srcdir)/.. -I../nettle
+-
+ noinst_LIBRARIES = libspki.a
+ # libspkiincludedir = $(includedir)/nettle
+
+--- a/src/spki/testsuite/Makefile.am
++++ b/src/spki/testsuite/Makefile.am
+@@ -1,8 +1,4 @@
+
+-# FIXME: Create a link to nettle directory instead?
+-AM_CPPFLAGS = -O0 -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle
+-AM_LDFLAGS = -L../../nettle
+-
+ TS_PROGS = principal-test date-test tag-test read-acl-test \
+ lookup-acl-test read-cert-test cdsa-reduce-test
+
+--- a/src/spki/tools/Makefile.am
++++ b/src/spki/tools/Makefile.am
+@@ -1,16 +1,12 @@
+ noinst_PROGRAMS = spki-check-signature spki-make-signature \
+ spki-delegate spki-reduce
+
+-# FIXME: Create a link to nettle directory instead?
+-AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/.. -I../../nettle
+-AM_LDFLAGS = -L.. -L../../nettle/
+-
+ # libnettle.a and libspki.a are added at the end to make sure all
+ # programs depend on it. It seems there's no DEPENDENCIES variable
+ # that affects all programs.
+
+ LDADD = misc.o getopt.o getopt1.o \
+- -lspki -lnettle ../libspki.a ../../nettle/libnettle.a
++ ../libspki.a -lnettle
+
+ spki_make_signature_SOURCES = spki-make-signature.c sign.c
+ spki_delegate_SOURCES = spki-delegate.c sign.c
+--- a/src/testsuite/Makefile.am
++++ b/src/testsuite/Makefile.am
+@@ -3,7 +3,7 @@
+ # -O0 is not recogniced on AIX
+ # AM_CFLAGS = -O0
+
+-AM_CPPFLAGS = -I$(srcdir)/.. -I.. -I../nettle
++AM_CPPFLAGS = -I$(srcdir)/..
+
+ TS_PROGS = arcfour-test aes-test blowfish-test cast128-test \
+ des-test \
+@@ -34,7 +34,7 @@ noinst_PROGRAMS = $(TS_PROGS)
+ # Workaround to get automake to keep dependencies for testutils.o
+ EXTRA_PROGRAMS = testutils
+
+-LDADD = testutils.o ../liblsh.a ../spki/libspki.a ../nettle/libnettle.a \
++LDADD = testutils.o ../liblsh.a ../spki/libspki.a -lnettle \
+ $(DOTDOT_LIBARGP)
+
+ include .dist_rapid7
+@@ -59,6 +59,6 @@ all:
+
+ # sexp-conv may be dynamically linked
+ check: $(TS_ALL)
+- LD_LIBRARY_PATH="`pwd`/../nettle/.lib" srcdir=$(srcdir) \
++ srcdir=$(srcdir) \
+ $(srcdir)/run-tests $(TS_ALL)
+
+--- a/src/spki/testsuite/check-signature-test
++++ b/src/spki/testsuite/check-signature-test
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+
+ conv () {
+- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in
++ echo "$1" | sexp-conv -s transport | tee test.in
+ }
+
+ die () {
+--- a/src/spki/testsuite/delegate-test
++++ b/src/spki/testsuite/delegate-test
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+
+ conv () {
+- ../../nettle/tools/sexp-conv -s transport | tee test.in
++ sexp-conv -s transport | tee test.in
+ }
+
+ die () {
+@@ -12,7 +12,7 @@ die () {
+ check_sexp () {
+ file="$1"
+ shift
+- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
++ sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
+ cmp "$file" test.canonical || die "$@"
+ }
+
+--- a/src/spki/testsuite/make-signature-test
++++ b/src/spki/testsuite/make-signature-test
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+
+ conv () {
+- echo "$1" | ../../nettle/tools/sexp-conv -s transport | tee test.in
++ echo "$1" | sexp-conv -s transport | tee test.in
+ }
+
+ die () {
+@@ -10,7 +10,7 @@ die () {
+ }
+
+ echo foo | ../tools/spki-make-signature "$srcdir/key-1" \
+- | ../../nettle/tools/sexp-conv -s transport > test.in
++ | sexp-conv -s transport > test.in
+
+ echo foo | ../tools/spki-check-signature "`cat test.in`" \
+ || die "Valid signature failed"
+--- a/src/spki/testsuite/reduce-test
++++ b/src/spki/testsuite/reduce-test
+@@ -3,7 +3,7 @@
+ # Test case from Oscar Cánovas Reverte
+
+ conv () {
+- ../../nettle/tools/sexp-conv -s transport
++ sexp-conv -s transport
+ }
+
+ die () {
+@@ -14,7 +14,7 @@ die () {
+ check_sexp () {
+ file="$1"
+ shift
+- ../../nettle/tools/sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
++ sexp-conv -s canonical > test.canonical || die "sexp-conv failed"
+ cmp "$file" test.canonical || die "$@"
+ }
+
+--- a/src/testsuite/functions.sh
++++ b/src/testsuite/functions.sh
+@@ -9,7 +9,7 @@ set -e
+ : ${LSH_YARROW_SEED_FILE:="$TEST_HOME/.lsh/yarrow-seed-file"}
+
+ # For lsh-authorize
+-: ${SEXP_CONV:="`pwd`/../nettle/tools/sexp-conv"}
++: ${SEXP_CONV:="sexp-conv"}
+
+ export LSH_YARROW_SEED_FILE SEXP_CONV
+
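Review bot: The comment `# libnettle.a and libspki.a are added at the end to make sure all programs depend on it.` in src/spki/tools/Makefile.am is now stale, because the hunk drops `../../nettle/libnettle.a` from `LDADD` and links the system `-lnettle` instead; reword it to `# libspki.a is added at the end to make sure all programs depend on it.`. The spki testsuite scripts (check-signature-test, delegate-test, make-signature-test, reduce-test) now invoke a bare `sexp-conv` from PATH, while src/testsuite/functions.sh in the same hunk goes through an overridable `SEXP_CONV` variable; using `${SEXP_CONV:-sexp-conv}` in those four scripts would keep the two suites consistent and let a builder pin a specific binary. Dropping `LD_LIBRARY_PATH` from the `check:` recipe is consistent with that, but the stale `# sexp-conv may be dynamically linked` comment above it no longer explains anything and could go as well.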
Index: debian/patches/series
===================================================================
--- debian/patches/series (nonexistent)
+++ debian/patches/series (revision 79)
@@ -0,0 +1,7 @@
+nonettle.patch
+sftp-server-mansection.patch
+better-errmsg-when-dotlsh-missing.patch
+nettle-2.0.patch
+blacklist.patch
+terminate-on-connection-failure.patch
+ipv6-v6only.patch
Index: debian/patches/sftp-server-mansection.patch
===================================================================
--- debian/patches/sftp-server-mansection.patch (nonexistent)
+++ debian/patches/sftp-server-mansection.patch (revision 79)
@@ -0,0 +1,16 @@
+Description: Invent manual section 8lsh for lsh's sftp-server
+ (To avoid conflicts without having to rename the sftp-server binary.)
+Author: Magnus Holmgren <holmgren@debian.org>
+
+diff -urNad trunk~/src/sftp/sftp-server.8 trunk/src/sftp/sftp-server.8
+--- trunk~/src/sftp/sftp-server.8 2006-05-08 21:11:17.000000000 +0200
++++ trunk/src/sftp/sftp-server.8 2007-10-03 20:48:35.000000000 +0200
+@@ -22,7 +22,7 @@
+ .\" maintainers of the package you received this manual from and make your
+ .\" modified versions available to them.
+ .\"
+-.TH SFTP-SERVER 8 "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
++.TH SFTP-SERVER 8lsh "NOVEMBER 2004" SFTP-SERVER "Lsh Manuals"
+ .SH NAME
+ sftp-server - Server for the sftp subsystem
+ .SH SYNOPSIS
/debian/patches/sftp-server-mansection.patch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/patches/ipv6-v6only.patch
===================================================================
--- debian/patches/ipv6-v6only.patch (nonexistent)
+++ debian/patches/ipv6-v6only.patch (revision 79)
@@ -0,0 +1,22 @@
+Author: Magnus Holmgren <holmgren@debian.org>
+Description: Set the IPV6_V6ONLY socket option on AF_INET6 sockets
+ Since lshd by default enumerates available address families and calls
+ bind() once for each, conflicts will occur otherwise.
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/src/io.c trunk/src/io.c
+--- trunk~/src/io.c 2006-01-23 18:49:58.000000000 +0100
++++ trunk/src/io.c 2010-07-27 02:17:04.000000000 +0200
+@@ -1690,6 +1690,13 @@
+ {
+ int yes = 1;
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)&yes, sizeof yes);
++#if WITH_IPV6 && defined (IPV6_V6ONLY)
++ if (local->sa_family == AF_INET6)
++ {
++ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &yes, sizeof(yes)) < 0)
++ werror("setsockopt IPV6_V6ONLY failed: %e.\n", errno);
++ }
++#endif
+ }
+
+ if (bind(s, local, length) < 0)
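Review bot: The new block only logs when `setsockopt(... IPV6_V6ONLY ...)` fails and then falls through to `bind()`, so on a system where the option cannot be set the conflict described in the patch header presumably just resurfaces as a bind error, which is acceptable but should be stated; a comment such as `/* Bind one socket per address family: without V6ONLY an AF_INET6 wildcard socket also claims the IPv4 port and presents IPv4 peers as ::ffff: mapped addresses to any address-based checks. */` would record both the rationale and why failure is non-fatal. The pointer cast style is inconsistent between the pre-existing `(char*)&yes` for SO_REUSEADDR and the bare `&yes` on the new line; pick one. The enclosing function starts and ends outside the hunk.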
/debian/patches/ipv6-v6only.patch
Property changes:
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: debian/changelog
===================================================================
--- debian/changelog (revision 77)
+++ debian/changelog (revision 79)
@@ -1,3 +1,19 @@
+lsh-utils (2.0.4-dfsg-8) UNRELEASED; urgency=low
+
+ * Change source format to 3.0 (quilt), renaming all patches
+ from *.dpatch to *.patch and dropping the numbers.
+ * While 30_nonettle.dpatch was a script that used sed to modify
+ instances of Makefile.in, nonettle.patch patches Makefile.am files as
+ well as configure.ac. dh-autoremake is used to call autoremake before
+ configure and to restore the effects in the clean target. The
+ src/nettle subdirectory still needs to be renamed to avoid its header
+ files from being found; that is now done in debian/rules.
+ * Switch from CDBS to a more old-style debian/rules to get better
+ control over the build process.
+ * Increase Debhelper compat level to 7.
+
+ -- Magnus Holmgren <holmgren@debian.org> Sat, 19 Mar 2011 20:40:33 +0100
+
lsh-utils (2.0.4-dfsg-7) unstable; urgency=low
* terminate_on_connection_failure.dpatch (new): Make sure that lsh exits
/trunk/debian/rules
1,18 → 1,118
#!/usr/bin/make -f
# -*- makefile -*-
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.
 
include /usr/share/cdbs/1/class/autotools.mk
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/rules/dpatch.mk
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
 
# the used configure parameters for ./configure
DEB_CONFIGURE_EXTRA_FLAGS := --enable-pam --enable-kerberos --enable-srp \
--with-pty --enable-tcp-forward --enable-x11-forward \
--enable-agent-forward --enable-ipv6 --enable-utmp \
--with-zlib --with-tcpwrappers --with-sshd1=/usr/sbin/sshd \
--with-x XAUTH_PROGRAM=/usr/bin/xauth
# These are used for cross-compiling and for saving the configure script
# from having to guess our platform (since we know it already)
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
DEB_INSTALL_CHANGELOGS_ALL := ChangeLog
DEB_INSTALL_DOCS_ALL := README
DEB_DH_INSTALL_SOURCEDIR := debian/tmp
ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
buildflags = --build=$(DEB_BUILD_GNU_TYPE)
else
buildflags = --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
endif
 
LDFLAGS += -Wl,-z,defs -Wl,--as-needed
parallel = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
ifneq (,$(parallel))
jobsflag = -j$(parallel)
endif
 
config.status: configure.ac
dh_testdir
# Add here commands to configure the package.
[ -d src/nettle-dontuse -a ! -d src/nettle ] || mv src/nettle src/nettle-dontuse
dh_autoreconf
./configure $(buildflags) \
--prefix=/usr \
--libdir=/usr/lib \
--disable-dependency-tracking \
--enable-pam --enable-kerberos --enable-srp \
--with-pty --enable-tcp-forward --enable-x11-forward \
--enable-agent-forward --enable-ipv6 --enable-utmp \
--with-zlib --with-tcpwrappers --with-sshd1=/usr/sbin/sshd \
--with-x XAUTH_PROGRAM=/usr/bin/xauth \
CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) -Wl,-z,defs -Wl,--as-needed"
 
build: build-stamp
build-stamp: config.status
dh_testdir
 
# Add here commands to compile the package.
$(MAKE) $(jobsflag) MAKEINFO='makeinfo --enable-encoding'
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
$(MAKE) check
endif
 
touch build-stamp
 
clean:
dh_testdir
dh_testroot
rm -f build-stamp
 
# Add here commands to clean up after the build process.
[ ! -f Makefile ] || $(MAKE) distclean
dh_autoreconf_clean
dh_clean
[ -d src/nettle -a ! -d src/nettle-dontuse ] || mv src/nettle-dontuse src/nettle
 
install: build
dh_testdir
dh_testroot
dh_clean -k
dh_installdirs
 
# Add here commands to install the package into debian/tmp
$(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
 
build-indep build-arch: build
 
# Build architecture-independent files here.
binary-indep: build-indep install
dh_testdir
dh_testroot
dh_install -i --sourcedir=debian/tmp
dh_link -i
dh_installchangelogs -i ChangeLog
dh_installdocs -i -A README
dh_installinfo -i
dh_installman -i
dh_installdebconf -i
dh_compress -i
dh_fixperms -i
dh_makeshlibs -i
dh_installdeb -i
dh_shlibdeps -i
dh_gencontrol -i
dh_md5sums -i
dh_builddeb -i
 
# Build architecture-dependent files here.
binary-arch: build-arch install
dh_testdir
dh_testroot
dh_install -a --sourcedir=debian/tmp
dh_link -a
dh_installchangelogs -a ChangeLog
dh_installdocs -a -A README
dh_installexamples -a
dh_installman -a
dh_installinit -a
dh_installdebconf -a
dh_strip -a
dh_compress -a
dh_fixperms -a
dh_makeshlibs -a
dh_installdeb -a
dh_shlibdeps -a
dh_gencontrol -a
dh_md5sums -a
dh_builddeb -a
 
binary: binary-arch binary-indep
.PHONY: build-indep build-arch build clean clean-patched binary-indep binary-arch binary install
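Review bot: The configure line `CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) -Wl,-z,defs -Wl,--as-needed"` re-appends flags that `LDFLAGS += -Wl,-z,defs -Wl,--as-needed` above has already added, so both appear twice on every link; `LDFLAGS="$(LDFLAGS)"` is enough. `CFLAGS` is never assigned in this file, so the configure call passes whatever the build environment happens to export (possibly nothing), silently dropping the `-g -O2` / `noopt` handling a hand-written debhelper rules file normally provides; consider `CFLAGS ?= -Wall -g -O2` with the usual `noopt` check, or sourcing the flags from dpkg-buildflags if the toolchain in use supports it. In the `install` target, `dh_clean -k` is the pre-compat-7 spelling; given the changelog entry raising the compat level to 7, `dh_prep` is the intended replacement. `.PHONY` still lists `clean-patched`, which no rule in the new file defines — a leftover from the previous layout that should be dropped.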
/trunk/debian/source/format
0,0 → 1,0
3.0 (quilt)