From 52d44ba993cdba62d05a2051c0e26744586b6811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Thu, 23 Mar 2023 19:13:08 +0000
Subject: [PATCH] chore: remove Debian openssh-blacklist logic

All Debian versions supporting this are EOL by now.
---
 lib/perl/OVH/Bastion/ssh.inc | 20 --------------------
 tests/functional/launch_tests_on_instance.sh | 3 +--
 tests/functional/tests.d/330-selfkeys.sh | 12 ------------
 3 files changed, 1 insertion(+), 34 deletions(-)

diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 759bc71..f99f676 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -365,26 +365,6 @@ sub get_ssh_pub_key_info {
 $return{'size'} = $size + 0;
 $return{'fingerprint'} = $fingerprint;
 $return{'family'} = $family;
- my @blacklistfiles = qw{ DSA-1024 DSA-2048 RSA-1024 RSA-2048 RSA-4096 };
- if (grep { "$family-$size" eq $_ } @blacklistfiles) {
-
- # check for vulnkeys
- my $blfile = '/usr/share/ssh/blacklist.' . $family . '-' . $size;
- if (-r $blfile && open(my $fh_blacklist, '<', $blfile)) {
- my $shortfp = $fingerprint;
- $shortfp =~ s/://g;
- $shortfp =~ s/^.{12}//;
-
- #print "looking for shortfingerprint=$shortfp...\n";
- local $_ = undef;
- while (<$fh_blacklist>) {
- /^\Q$shortfp\E$/ or next;
- close($fh_blacklist);
- return R('KO_VULNERABLE_KEY', value => \%return);
- }
- close($fh_blacklist);
- }
- }
 
 # check allowed algos and key size
 my $allowedSshAlgorithms = OVH::Bastion::config("allowed${way}SshAlgorithms");
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 4f36572..aed0515 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -15,7 +15,7 @@ opt_skip_consistency_check=0 opt_no_pause_on_fail=0 opt_log_prefix= opt_module= -declare -A capabilities=( [ed25519]=1 [blacklist]=0 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 ) +declare -A capabilities=( [ed25519]=1 [mfa]=1 [mfa-password]=0 [pamtester]=1 [piv]=1 ) # set the helptext now to get the proper default values help_text=$(cat <