Bugzilla – Attachment 1936 Details for Bug 1829: auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()
[patch] proposed patch: auth-rsa.c-move-auth_key_is_revoked.diff (text/plain), 1.72 KB, created by Dmitry V. Levin on 2010-10-19 09:07:14 AEDT
>From 8193eefdbb68b0b1faf1140ac188b259d6ce84b3 Mon Sep 17 00:00:00 2001 >From: Dmitry V. Levin <ldv@altlinux.org> >Date: Thu, 14 Oct 2010 16:14:30 +0000 >Subject: [PATCH] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() > >Both auth_rsa_verify_response() and auth_rsa_key_allowed() are >PRIVSEP'ed, so there should be no security degradation. > >auth_rsa_key_allowed() is called from auth_rsa() only; >auth_rsa_verify_response() is called only from >auth_rsa_challenge_dialog(), which in turn is called >- either from auth_rsa(), right after auth_rsa_key_allowed() call, >- or from auth_rhosts_rsa(), right after auth_rhosts_rsa_key_allowed() >call, which already calls auth_key_is_revoked(). > >As result of this change, auth_rsa_key_allowed() will be called earlier >on the auth_rsa() path, before starting challenge-response, which is >good, and won't be called second time on the auth_rhosts_rsa() path, >which is also good. >--- > auth-rsa.c | 6 +++--- > 1 files changed, 3 insertions(+), 3 deletions(-) > >--- a/auth-rsa.c >+++ b/auth-rsa.c >@@ -94,9 +94,6 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) > MD5_CTX md; > int len; > >- if (auth_key_is_revoked(key)) >- return 0; >- > /* don't allow short keys */ > if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { > error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", >@@ -249,6 +246,9 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) > "actual %d vs. announced %d.", > file, linenum, BN_num_bits(key->rsa->n), bits); > >+ if (auth_key_is_revoked(key)) >+ continue; >+ > /* We have found the desired key. */ > /* > * If our options do not allow this key to be used,
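Review bot: In the first hunk (auth-rsa.c @@ -94,9 +94,6), auth_rsa_verify_response() no longer rejects a revoked key itself, so its safety now depends on every caller having already run auth_key_is_revoked(), and nothing in the function records that. The commit message argues this holds for the auth_rsa() and auth_rhosts_rsa() paths, but since the function is described as PRIVSEP'ed it is worth confirming that the privileged side only verifies a response for a key that has already passed auth_rsa_key_allowed() or auth_rhosts_rsa_key_allowed(). Please add a short comment above the "don't allow short keys" check stating that precondition, so a future caller does not reach this function with an unchecked key.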
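Review bot: In the second hunk (auth-rsa.c @@ -249,6 +246,9), the new "if (auth_key_is_revoked(key)) continue;" is the only revocation check left on the auth_rsa() path, yet it carries no comment and sits after the "actual %d vs. announced %d." size-mismatch message, so a revoked key can still produce that log line before it is skipped. Consider a one-line comment saying this check replaces the one removed from auth_rsa_verify_response(), and consider whether it should come before the size-mismatch logging. Revocation applies to the key rather than to the file line, so any later matching line will be skipped the same way; "continue" is harmless here, but the intent is worth stating. Separately, the last paragraph of the commit message says auth_rsa_key_allowed() "will be called earlier" and "won't be called second time", where the function being moved is auth_key_is_revoked(); the message should name the right function.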