Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r--debian/patches/ssh-vulnkey.patch114
1 files changed, 56 insertions, 58 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 03d6f15d9..a56911290 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
8 See CVE-2008-0166. 8 See CVE-2008-0166.
9Author: Colin Watson <cjwatson@ubuntu.com> 9Author: Colin Watson <cjwatson@ubuntu.com>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2013-05-16 11Last-Update: 2013-09-14
12 12
13Index: b/Makefile.in 13Index: b/Makefile.in
14=================================================================== 14===================================================================
@@ -52,7 +52,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
53 53
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -174,6 +176,9 @@ 55@@ -176,6 +178,9 @@
56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 58
@@ -62,7 +62,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -269,6 +274,7 @@ 65@@ -272,6 +277,7 @@
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -283,6 +289,7 @@ 73@@ -286,6 +292,7 @@
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -364,6 +371,7 @@ 81@@ -367,6 +374,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -376,6 +384,7 @@ 89@@ -379,6 +387,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,8 +111,8 @@ Index: b/auth-rsa.c
111=================================================================== 111===================================================================
112--- a/auth-rsa.c 112--- a/auth-rsa.c
113+++ b/auth-rsa.c 113+++ b/auth-rsa.c
114@@ -233,7 +233,7 @@ 114@@ -237,7 +237,7 @@
115 file, linenum, BN_num_bits(key->rsa->n), bits); 115 free(fp);
116 116
117 /* Never accept a revoked key */ 117 /* Never accept a revoked key */
118- if (auth_key_is_revoked(key)) 118- if (auth_key_is_revoked(key))
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -635,10 +636,34 @@ 135@@ -657,10 +658,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -151,7 +151,7 @@ Index: b/auth.c
151+ logit("Public key %s from %s blacklisted (see " 151+ logit("Public key %s from %s blacklisted (see "
152+ "ssh-vulnkey(1)); continuing anyway", 152+ "ssh-vulnkey(1)); continuing anyway",
153+ key_fp, get_remote_ipaddr()); 153+ key_fp, get_remote_ipaddr());
154+ xfree(key_fp); 154+ free(key_fp);
155+ } else { 155+ } else {
156+ if (hostkey) 156+ if (hostkey)
157+ error("Host key %s blacklisted (see " 157+ error("Host key %s blacklisted (see "
@@ -160,7 +160,7 @@ Index: b/auth.c
160+ logit("Public key %s from %s blacklisted (see " 160+ logit("Public key %s from %s blacklisted (see "
161+ "ssh-vulnkey(1))", 161+ "ssh-vulnkey(1))",
162+ key_fp, get_remote_ipaddr()); 162+ key_fp, get_remote_ipaddr());
163+ xfree(key_fp); 163+ free(key_fp);
164+ return 1; 164+ return 1;
165+ } 165+ }
166+ } 166+ }
@@ -172,7 +172,7 @@ Index: b/auth.h
172=================================================================== 172===================================================================
173--- a/auth.h 173--- a/auth.h
174+++ b/auth.h 174+++ b/auth.h
175@@ -185,7 +185,7 @@ 175@@ -191,7 +191,7 @@
176 176
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 178 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,7 +185,7 @@ Index: b/auth2-hostbased.c
185=================================================================== 185===================================================================
186--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
188@@ -146,7 +146,7 @@ 188@@ -150,7 +150,7 @@
189 int len; 189 int len;
190 char *fp; 190 char *fp;
191 191
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
198=================================================================== 198===================================================================
199--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
201@@ -608,9 +608,10 @@ 201@@ -647,9 +647,10 @@
202 u_int success, i; 202 u_int success, i;
203 char *file; 203 char *file;
204 204
@@ -223,7 +223,7 @@ Index: b/authfile.c
223 223
224 #define MAX_KEY_FILE_SIZE (1024 * 1024) 224 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 225
226@@ -944,3 +945,140 @@ 226@@ -944,3 +945,139 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
@@ -316,10 +316,9 @@ Index: b/authfile.c
316+ } 316+ }
317+ 317+
318+out: 318+out:
319+ if (dgst_packed) 319+ free(dgst_packed);
320+ xfree(dgst_packed);
321+ if (ret != 1 && dgst_hex) { 320+ if (ret != 1 && dgst_hex) {
322+ xfree(dgst_hex); 321+ free(dgst_hex);
323+ dgst_hex = NULL; 322+ dgst_hex = NULL;
324+ } 323+ }
325+ if (fp) 324+ if (fp)
@@ -347,7 +346,7 @@ Index: b/authfile.c
347+ xasprintf(&blacklist_file, "%s.%s-%u", 346+ xasprintf(&blacklist_file, "%s.%s-%u",
348+ _PATH_BLACKLIST, key_type(public), key_size(public)); 347+ _PATH_BLACKLIST, key_type(public), key_size(public));
349+ ret = blacklisted_key_in_file(public, blacklist_file, fp); 348+ ret = blacklisted_key_in_file(public, blacklist_file, fp);
350+ xfree(blacklist_file); 349+ free(blacklist_file);
351+ if (ret > 0) { 350+ if (ret > 0) {
352+ key_free(public); 351+ key_free(public);
353+ return ret; 352+ return ret;
@@ -356,7 +355,7 @@ Index: b/authfile.c
356+ xasprintf(&blacklist_file, "%s.%s-%u", 355+ xasprintf(&blacklist_file, "%s.%s-%u",
357+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); 356+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
358+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp); 357+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
359+ xfree(blacklist_file); 358+ free(blacklist_file);
360+ if (ret2 > ret) 359+ if (ret2 > ret)
361+ ret = ret2; 360+ ret = ret2;
362+ 361+
@@ -404,7 +403,7 @@ Index: b/readconf.c
404=================================================================== 403===================================================================
405--- a/readconf.c 404--- a/readconf.c
406+++ b/readconf.c 405+++ b/readconf.c
407@@ -125,6 +125,7 @@ 406@@ -128,6 +128,7 @@
408 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 407 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
409 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 408 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
410 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 409 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +411,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 411 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 412 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 413 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -158,6 +159,7 @@ 414@@ -161,6 +162,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 415 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 416 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 417 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +419,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 419 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 420 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 421 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -510,6 +512,10 @@ 422@@ -523,6 +525,10 @@
424 intptr = &options->challenge_response_authentication; 423 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 424 goto parse_flag;
426 425
@@ -431,7 +430,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 430 case oGssAuthentication:
432 intptr = &options->gss_authentication; 431 intptr = &options->gss_authentication;
433 goto parse_flag; 432 goto parse_flag;
434@@ -1200,6 +1206,7 @@ 433@@ -1210,6 +1216,7 @@
435 options->kbd_interactive_devices = NULL; 434 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 435 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 436 options->hostbased_authentication = -1;
@@ -439,7 +438,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 438 options->batch_mode = -1;
440 options->check_host_ip = -1; 439 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 440 options->strict_host_key_checking = -1;
442@@ -1310,6 +1317,8 @@ 441@@ -1320,6 +1327,8 @@
443 options->rhosts_rsa_authentication = 0; 442 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 443 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 444 options->hostbased_authentication = 0;
@@ -464,7 +463,7 @@ Index: b/servconf.c
464=================================================================== 463===================================================================
465--- a/servconf.c 464--- a/servconf.c
466+++ b/servconf.c 465+++ b/servconf.c
467@@ -109,6 +109,7 @@ 466@@ -114,6 +114,7 @@
468 options->password_authentication = -1; 467 options->password_authentication = -1;
469 options->kbd_interactive_authentication = -1; 468 options->kbd_interactive_authentication = -1;
470 options->challenge_response_authentication = -1; 469 options->challenge_response_authentication = -1;
@@ -472,7 +471,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 471 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 472 options->permit_user_env = -1;
474 options->use_login = -1; 473 options->use_login = -1;
475@@ -250,6 +251,8 @@ 474@@ -257,6 +258,8 @@
476 options->kbd_interactive_authentication = 0; 475 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 476 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 477 options->challenge_response_authentication = 1;
@@ -481,16 +480,16 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 480 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 481 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 482 if (options->permit_user_env == -1)
484@@ -327,7 +330,7 @@ 483@@ -338,7 +341,7 @@
485 sListenAddress, sAddressFamily, 484 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 485 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 486 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
488- sStrictModes, sEmptyPasswd, sTCPKeepAlive, 487- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
489+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 488+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 489 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 490 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 491 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -439,6 +442,7 @@ 492@@ -451,6 +454,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 493 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 494 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 495 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +497,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 497 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 498 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 499 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1134,6 +1138,10 @@ 500@@ -1158,6 +1162,10 @@
502 intptr = &options->tcp_keep_alive; 501 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 502 goto parse_flag;
504 503
@@ -509,7 +508,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 508 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 509 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 510 goto parse_flag;
512@@ -1980,6 +1988,7 @@ 511@@ -2036,6 +2044,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 512 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 513 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 514 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +520,7 @@ Index: b/servconf.h
521=================================================================== 520===================================================================
522--- a/servconf.h 521--- a/servconf.h
523+++ b/servconf.h 522+++ b/servconf.h
524@@ -120,6 +120,7 @@ 523@@ -121,6 +121,7 @@
525 int challenge_response_authentication; 524 int challenge_response_authentication;
526 int zero_knowledge_password_authentication; 525 int zero_knowledge_password_authentication;
527 /* If true, permit jpake auth */ 526 /* If true, permit jpake auth */
@@ -572,9 +571,9 @@ Index: b/ssh-add.c
572+ if (blacklisted_key(private, &fp) == 1) { 571+ if (blacklisted_key(private, &fp) == 1) {
573+ fprintf(stderr, "Public key %s blacklisted (see " 572+ fprintf(stderr, "Public key %s blacklisted (see "
574+ "ssh-vulnkey(1)); refusing to add it\n", fp); 573+ "ssh-vulnkey(1)); refusing to add it\n", fp);
575+ xfree(fp); 574+ free(fp);
576+ key_free(private); 575+ key_free(private);
577+ xfree(comment); 576+ free(comment);
578+ return -1; 577+ return -1;
579+ } 578+ }
580 579
@@ -584,7 +583,7 @@ Index: b/ssh-keygen.1
584=================================================================== 583===================================================================
585--- a/ssh-keygen.1 584--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 585+++ b/ssh-keygen.1
587@@ -810,6 +810,7 @@ 586@@ -809,6 +809,7 @@
588 .Xr ssh 1 , 587 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 588 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 589 .Xr ssh-agent 1 ,
@@ -843,7 +842,7 @@ Index: b/ssh-vulnkey.c
843=================================================================== 842===================================================================
844--- /dev/null 843--- /dev/null
845+++ b/ssh-vulnkey.c 844+++ b/ssh-vulnkey.c
846@@ -0,0 +1,387 @@ 845@@ -0,0 +1,386 @@
847+/* 846+/*
848+ * Copyright (c) 2008 Canonical Ltd. All rights reserved. 847+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
849+ * 848+ *
@@ -940,7 +939,7 @@ Index: b/ssh-vulnkey.c
940+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg, 939+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
941+ key_type(key), key_size(key), fp, comment); 940+ key_type(key), key_size(key), fp, comment);
942+ } 941+ }
943+ xfree(fp); 942+ free(fp);
944+} 943+}
945+ 944+
946+static int 945+static int
@@ -1093,8 +1092,7 @@ Index: b/ssh-vulnkey.c
1093+ ret = 0; 1092+ ret = 0;
1094+ found = 1; 1093+ found = 1;
1095+ } 1094+ }
1096+ if (comment) 1095+ free(comment);
1097+ xfree(comment);
1098+ } 1096+ }
1099+ 1097+
1100+ return ret; 1098+ return ret;
@@ -1128,12 +1126,12 @@ Index: b/ssh-vulnkey.c
1128+ for (i = 0; default_files[i]; i++) { 1126+ for (i = 0; default_files[i]; i++) {
1129+ xasprintf(&file, "%s/%s", dir, default_files[i]); 1127+ xasprintf(&file, "%s/%s", dir, default_files[i]);
1130+ if (stat(file, &st) < 0 && errno == ENOENT) { 1128+ if (stat(file, &st) < 0 && errno == ENOENT) {
1131+ xfree(file); 1129+ free(file);
1132+ continue; 1130+ continue;
1133+ } 1131+ }
1134+ if (!do_filename(file, 0)) 1132+ if (!do_filename(file, 0))
1135+ ret = 0; 1133+ ret = 0;
1136+ xfree(file); 1134+ free(file);
1137+ } 1135+ }
1138+ 1136+
1139+ return ret; 1137+ return ret;
@@ -1235,7 +1233,7 @@ Index: b/ssh.1
1235=================================================================== 1233===================================================================
1236--- a/ssh.1 1234--- a/ssh.1
1237+++ b/ssh.1 1235+++ b/ssh.1
1238@@ -1429,6 +1429,7 @@ 1236@@ -1447,6 +1447,7 @@
1239 .Xr ssh-agent 1 , 1237 .Xr ssh-agent 1 ,
1240 .Xr ssh-keygen 1 , 1238 .Xr ssh-keygen 1 ,
1241 .Xr ssh-keyscan 1 , 1239 .Xr ssh-keyscan 1 ,
@@ -1247,7 +1245,7 @@ Index: b/ssh.c
1247=================================================================== 1245===================================================================
1248--- a/ssh.c 1246--- a/ssh.c
1249+++ b/ssh.c 1247+++ b/ssh.c
1250@@ -1492,7 +1492,7 @@ 1248@@ -1525,7 +1525,7 @@
1251 static void 1249 static void
1252 load_public_identity_files(void) 1250 load_public_identity_files(void)
1253 { 1251 {
@@ -1256,7 +1254,7 @@ Index: b/ssh.c
1256 char *pwdir = NULL, *pwname = NULL; 1254 char *pwdir = NULL, *pwname = NULL;
1257 int i = 0; 1255 int i = 0;
1258 Key *public; 1256 Key *public;
1259@@ -1550,6 +1550,22 @@ 1257@@ -1583,6 +1583,22 @@
1260 public = key_load_public(filename, NULL); 1258 public = key_load_public(filename, NULL);
1261 debug("identity file %s type %d", filename, 1259 debug("identity file %s type %d", filename,
1262 public ? public->type : -1); 1260 public ? public->type : -1);
@@ -1268,22 +1266,22 @@ Index: b/ssh.c
1268+ logit("Public key %s blacklisted (see " 1266+ logit("Public key %s blacklisted (see "
1269+ "ssh-vulnkey(1)); refusing to send it", 1267+ "ssh-vulnkey(1)); refusing to send it",
1270+ fp); 1268+ fp);
1271+ xfree(fp); 1269+ free(fp);
1272+ if (!options.use_blacklisted_keys) { 1270+ if (!options.use_blacklisted_keys) {
1273+ key_free(public); 1271+ key_free(public);
1274+ xfree(filename); 1272+ free(filename);
1275+ filename = NULL; 1273+ filename = NULL;
1276+ public = NULL; 1274+ public = NULL;
1277+ } 1275+ }
1278+ } 1276+ }
1279 xfree(options.identity_files[i]); 1277 free(options.identity_files[i]);
1280 identity_files[n_ids] = filename; 1278 identity_files[n_ids] = filename;
1281 identity_keys[n_ids] = public; 1279 identity_keys[n_ids] = public;
1282Index: b/ssh_config.5 1280Index: b/ssh_config.5
1283=================================================================== 1281===================================================================
1284--- a/ssh_config.5 1282--- a/ssh_config.5
1285+++ b/ssh_config.5 1283+++ b/ssh_config.5
1286@@ -1201,6 +1201,23 @@ 1284@@ -1229,6 +1229,23 @@
1287 .Dq any . 1285 .Dq any .
1288 The default is 1286 The default is
1289 .Dq any:any . 1287 .Dq any:any .
@@ -1320,7 +1318,7 @@ Index: b/sshconnect2.c
1320 key = options.identity_keys[i]; 1318 key = options.identity_keys[i];
1321 if (key && key->type == KEY_RSA1) 1319 if (key && key->type == KEY_RSA1)
1322 continue; 1320 continue;
1323@@ -1609,7 +1611,7 @@ 1321@@ -1608,7 +1610,7 @@
1324 debug("Offering %s public key: %s", key_type(id->key), 1322 debug("Offering %s public key: %s", key_type(id->key),
1325 id->filename); 1323 id->filename);
1326 sent = send_pubkey_test(authctxt, id); 1324 sent = send_pubkey_test(authctxt, id);
@@ -1333,7 +1331,7 @@ Index: b/sshd.8
1333=================================================================== 1331===================================================================
1334--- a/sshd.8 1332--- a/sshd.8
1335+++ b/sshd.8 1333+++ b/sshd.8
1336@@ -953,6 +953,7 @@ 1334@@ -954,6 +954,7 @@
1337 .Xr ssh-agent 1 , 1335 .Xr ssh-agent 1 ,
1338 .Xr ssh-keygen 1 , 1336 .Xr ssh-keygen 1 ,
1339 .Xr ssh-keyscan 1 , 1337 .Xr ssh-keyscan 1 ,
@@ -1345,23 +1343,23 @@ Index: b/sshd.c
1345=================================================================== 1343===================================================================
1346--- a/sshd.c 1344--- a/sshd.c
1347+++ b/sshd.c 1345+++ b/sshd.c
1348@@ -1631,6 +1631,11 @@ 1346@@ -1688,6 +1688,11 @@
1349 sensitive_data.host_keys[i] = NULL; 1347 sensitive_data.host_pubkeys[i] = NULL;
1350 continue; 1348 continue;
1351 } 1349 }
1352+ if (auth_key_is_revoked(key, 1)) { 1350+ if (auth_key_is_revoked(key != NULL ? key : pubkey, 1)) {
1353+ key_free(key);
1354+ sensitive_data.host_keys[i] = NULL; 1351+ sensitive_data.host_keys[i] = NULL;
1352+ sensitive_data.host_pubkeys[i] = NULL;
1355+ continue; 1353+ continue;
1356+ } 1354+ }
1357 switch (key->type) { 1355
1356 switch (keytype) {
1358 case KEY_RSA1: 1357 case KEY_RSA1:
1359 sensitive_data.ssh1_host_key = key;
1360Index: b/sshd_config.5 1358Index: b/sshd_config.5
1361=================================================================== 1359===================================================================
1362--- a/sshd_config.5 1360--- a/sshd_config.5
1363+++ b/sshd_config.5 1361+++ b/sshd_config.5
1364@@ -870,6 +870,20 @@ 1362@@ -885,6 +885,20 @@
1365 Specifies whether password authentication is allowed. 1363 Specifies whether password authentication is allowed.
1366 The default is 1364 The default is
1367 .Dq yes . 1365 .Dq yes .
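Review bot: In the refreshed sshd.c hunk the blacklisted-host-key branch now only clears `sensitive_data.host_keys[i]` and `sensitive_data.host_pubkeys[i]` before `continue`; the `key_free(key)` that the previous version of the patch carried is gone, so a host key that `auth_key_is_revoked()` rejects — possibly a loaded private key — is leaked instead of freed and wiped, unless it is released somewhere the hunk does not show. Since `key` may now be NULL at this point (the check passes `key != NULL ? key : pubkey`) and `key_free()` in this tree does not accept NULL, the release should be guarded: `if (key != NULL) key_free(key);` and `if (pubkey != NULL) key_free(pubkey);` ahead of the two NULL assignments. The condition also relies on the preceding branch having already rejected the case where both keys are NULL, which the visible context suggests but does not show in full. The enclosing function starts and ends outside the hunk.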