2 files changed, 72 insertions, 0 deletions
diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch
new file mode 100644
index 000000000..fb618940a
--- /dev/null
+++ b/debian/patches/hostbased-ecdsa.patch
@@ -0,0 +1,71 @@
+Description: Make hostbased auth with ECDSA keys work correctly
+Author: Harv <harvey.eneman@oracle.com>
+Author: Damien Miller <djm@mindrot.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
+Bug-Debian: http://bugs.debian.org/633368
+Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
+Applied-Upstream: yes
+Forwarded: not-needed
+Last-Update: 2011-07-17
+Index: b/ssh-keysign.c
+===================================================================
+--- a/ssh-keysign.c
+++ b/ssh-keysign.c
+@@ -150,9 +150,10 @@
+ {
+        Buffer b;
+        Options options;
+-       Key *keys[2], *key = NULL;
+#define NUM_KEYTYPES 3
+       Key *keys[NUM_KEYTYPES], *key = NULL;
+        struct passwd *pw;
+-       int key_fd[2], i, found, version = 2, fd;
+       int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+        u_char *signature, *data;
+        char *host;
+        u_int slen, dlen;
+@@ -165,8 +166,10 @@
+        if (fd > 2)
+                close(fd);
+ 
+-       key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+-       key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+       i = 0;
+       key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+       key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+       key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+ 
+        original_real_uid = getuid();   /* XXX readconf.c needs this */
+        if ((pw = getpwuid(original_real_uid)) == NULL)
+@@ -191,7 +194,11 @@
+                fatal("ssh-keysign not enabled in %s",
+                    _PATH_HOST_CONFIG_FILE);
+ 
+-       if (key_fd[0] == -1 && key_fd[1] == -1)
+       for (i = found = 0; i < NUM_KEYTYPES; i++) {
+               if (key_fd[i] != -1)
+                       found = 1;
+       }
+       if (found == 0)
+                fatal("could not open any host key");
+ 
+        OpenSSL_add_all_algorithms();
+@@ -200,7 +207,7 @@
+        RAND_seed(rnd, sizeof(rnd));
+ 
+        found = 0;
+-       for (i = 0; i < 2; i++) {
+       for (i = 0; i < NUM_KEYTYPES; i++) {
+                keys[i] = NULL;
+                if (key_fd[i] == -1)
+                        continue;
+@@ -230,7 +237,7 @@
+        xfree(host);
+ 
+        found = 0;
+-       for (i = 0; i < 2; i++) {
+       for (i = 0; i < NUM_KEYTYPES; i++) {
+                if (keys[i] != NULL &&
+                    key_equal_public(key, keys[i])) {
+                        found = 1;
diff --git a/debian/patches/series b/debian/patches/series
index 0a21f8ead..01ef70076 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,6 +39,7 @@ doc-hash-tab-completion.patch
 # Miscellaneous bug fixes
 selinux-build-failure.patch
 ssh-add-fifo.patch
+hostbased-ecdsa.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch

diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch new file mode 100644 index 000000000..fb618940a --- /dev/null +++ b/debian/patches/hostbased-ecdsa.patch
@@ -0,0 +1,71 @@
		1	Description: Make hostbased auth with ECDSA keys work correctly
		2	Author: Harv <harvey.eneman@oracle.com>
		3	Author: Damien Miller <djm@mindrot.org>
		4	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
		5	Bug-Debian: http://bugs.debian.org/633368
		6	Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
		7	Applied-Upstream: yes
		8	Forwarded: not-needed
		9	Last-Update: 2011-07-17
		10
		11	Index: b/ssh-keysign.c
		12	===================================================================
		13	--- a/ssh-keysign.c
		14	+++ b/ssh-keysign.c
		15	@@ -150,9 +150,10 @@
		16	{
		17	Buffer b;
		18	Options options;
		19	- Key keys[2], key = NULL;
		20	+#define NUM_KEYTYPES 3
		21	+ Key keys[NUM_KEYTYPES], key = NULL;
		22	struct passwd *pw;
		23	- int key_fd[2], i, found, version = 2, fd;
		24	+ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
		25	u_char signature, data;
		26	char *host;
		27	u_int slen, dlen;
		28	@@ -165,8 +166,10 @@
		29	if (fd > 2)
		30	close(fd);
		31
		32	- key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
		33	- key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
		34	+ i = 0;
		35	+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
		36	+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
		37	+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
		38
		39	original_real_uid = getuid(); /* XXX readconf.c needs this */
		40	if ((pw = getpwuid(original_real_uid)) == NULL)
		41	@@ -191,7 +194,11 @@
		42	fatal("ssh-keysign not enabled in %s",
		43	_PATH_HOST_CONFIG_FILE);
		44
		45	- if (key_fd[0] == -1 && key_fd[1] == -1)
		46	+ for (i = found = 0; i < NUM_KEYTYPES; i++) {
		47	+ if (key_fd[i] != -1)
		48	+ found = 1;
		49	+ }
		50	+ if (found == 0)
		51	fatal("could not open any host key");
		52
		53	OpenSSL_add_all_algorithms();
		54	@@ -200,7 +207,7 @@
		55	RAND_seed(rnd, sizeof(rnd));
		56
		57	found = 0;
		58	- for (i = 0; i < 2; i++) {
		59	+ for (i = 0; i < NUM_KEYTYPES; i++) {
		60	keys[i] = NULL;
		61	if (key_fd[i] == -1)
		62	continue;
		63	@@ -230,7 +237,7 @@
		64	xfree(host);
		65
		66	found = 0;
		67	- for (i = 0; i < 2; i++) {
		68	+ for (i = 0; i < NUM_KEYTYPES; i++) {
		69	if (keys[i] != NULL &&
		70	key_equal_public(key, keys[i])) {
		71	found = 1;


diff --git a/debian/patches/series b/debian/patches/series index 0a21f8ead..01ef70076 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -39,6 +39,7 @@ doc-hash-tab-completion.patch
39	# Miscellaneous bug fixes	39	# Miscellaneous bug fixes
40	selinux-build-failure.patch	40	selinux-build-failure.patch
41	ssh-add-fifo.patch	41	ssh-add-fifo.patch
		42	hostbased-ecdsa.patch
42		43
43	# Debian-specific configuration	44	# Debian-specific configuration
44	gnome-ssh-askpass2-icon.patch	45	gnome-ssh-askpass2-icon.patch