import libssh-0.10.4-8.el9
This commit is contained in:
parent
1821413fbe
commit
a3f3a2747f
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/libssh-0.9.6.tar.xz
|
||||
SOURCES/libssh-0.10.4.tar.xz
|
||||
SOURCES/libssh.keyring
|
||||
|
@ -1,2 +1,2 @@
|
||||
1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
|
||||
4c48350a0a688ad82080175ed26a2019928a99c4 SOURCES/libssh-0.10.4.tar.xz
|
||||
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
|
||||
|
23
SOURCES/coverity_scan.patch
Normal file
23
SOURCES/coverity_scan.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
||||
index a847c6a2..1eb94307 100644
|
||||
--- a/src/dh_crypto.c
|
||||
+++ b/src/dh_crypto.c
|
||||
@@ -341,8 +341,16 @@ int ssh_dh_set_parameters(struct dh_ctx *ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
||||
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto done;
|
||||
+ }
|
||||
params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||
if (params == NULL) {
|
||||
OSSL_PARAM_BLD_free(param_bld);
|
105
SOURCES/enable_sk_keys_by_config.patch
Normal file
105
SOURCES/enable_sk_keys_by_config.patch
Normal file
@ -0,0 +1,105 @@
|
||||
diff --git a/src/kex.c b/src/kex.c
|
||||
index 1155b9c7..528cb182 100644
|
||||
--- a/src/kex.c
|
||||
+++ b/src/kex.c
|
||||
@@ -101,12 +101,19 @@
|
||||
|
||||
#ifdef HAVE_ECDH
|
||||
#define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
|
||||
-#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
|
||||
-#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||
+#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
|
||||
+ "ecdsa-sha2-nistp384," \
|
||||
+ "ecdsa-sha2-nistp256,"
|
||||
+#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
|
||||
+#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
||||
+#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
||||
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
||||
#else
|
||||
#define EC_HOSTKEYS ""
|
||||
+#define EC_SK_HOSTKEYS ""
|
||||
+#define EC_FIPS_PUBLIC_KEY_ALGOS ""
|
||||
#define EC_PUBLIC_KEY_ALGORITHMS ""
|
||||
#define ECDH ""
|
||||
#endif /* HAVE_ECDH */
|
||||
@@ -127,16 +134,21 @@
|
||||
|
||||
#define HOSTKEYS "ssh-ed25519," \
|
||||
EC_HOSTKEYS \
|
||||
+ "sk-ssh-ed25519@openssh.com," \
|
||||
+ EC_SK_HOSTKEYS \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256," \
|
||||
"ssh-rsa" \
|
||||
DSA_HOSTKEYS
|
||||
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
|
||||
EC_HOSTKEYS \
|
||||
+ "sk-ssh-ed25519@openssh.com," \
|
||||
+ EC_SK_HOSTKEYS \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256"
|
||||
|
||||
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
|
||||
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
|
||||
EC_PUBLIC_KEY_ALGORITHMS \
|
||||
"rsa-sha2-512-cert-v01@openssh.com," \
|
||||
"rsa-sha2-256-cert-v01@openssh.com," \
|
||||
@@ -186,7 +198,7 @@
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256"
|
||||
|
||||
-#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
|
||||
+#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
||||
"rsa-sha2-512-cert-v01@openssh.com," \
|
||||
"rsa-sha2-256-cert-v01@openssh.com," \
|
||||
FIPS_ALLOWED_HOSTKEYS
|
||||
diff --git a/src/knownhosts.c b/src/knownhosts.c
|
||||
index 1f52dedc..94618fe2 100644
|
||||
--- a/src/knownhosts.c
|
||||
+++ b/src/knownhosts.c
|
||||
@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
||||
return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
|
||||
case SSH_KEYTYPE_ED25519:
|
||||
return "ssh-ed25519";
|
||||
+ case SSH_KEYTYPE_SK_ED25519:
|
||||
+ return "sk-ssh-ed25519@openssh.com";
|
||||
#ifdef HAVE_DSA
|
||||
case SSH_KEYTYPE_DSS:
|
||||
return "ssh-dss";
|
||||
@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
||||
return "ecdsa-sha2-nistp384";
|
||||
case SSH_KEYTYPE_ECDSA_P521:
|
||||
return "ecdsa-sha2-nistp521";
|
||||
+ case SSH_KEYTYPE_SK_ECDSA:
|
||||
+ return "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||
#else
|
||||
case SSH_KEYTYPE_ECDSA_P256:
|
||||
case SSH_KEYTYPE_ECDSA_P384:
|
||||
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
|
||||
index fffa8296..7fd21f05 100644
|
||||
--- a/tests/unittests/torture_knownhosts_parsing.c
|
||||
+++ b/tests/unittests/torture_knownhosts_parsing.c
|
||||
@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
|
||||
bool process_config = false;
|
||||
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
||||
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||
- "ecdsa-sha2-nistp256";
|
||||
+ "ecdsa-sha2-nistp256,"
|
||||
+ "sk-ssh-ed25519@openssh.com,"
|
||||
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
||||
|
||||
@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
|
||||
bool process_config = false;
|
||||
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
||||
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||
- "ecdsa-sha2-nistp256";
|
||||
+ "ecdsa-sha2-nistp256,"
|
||||
+ "sk-ssh-ed25519@openssh.com,"
|
||||
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
||||
|
16
SOURCES/libssh-0.10.4.tar.xz.asc
Normal file
16
SOURCES/libssh-0.10.4.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmMYnSEACgkQfuD8TcwB
|
||||
Tj2qGBAAn/40MU/7PcyCRK9U+MhLo28peRpTF+i1/k0V5czVLiFubeFofsa6sjy8
|
||||
C6VyQsz0NYiTf6wXLlq9jO1p31LWQ13Z3K0d7Lg2eyftsVrGM1Ue9dTLlJrZ570d
|
||||
JjcBR/J3dpO9w5fz4HawWE8GIBBstZQnZYdoT75+tIeSMJ/tnovKfE1RGYc4kRJs
|
||||
quC7tyej7Y+t86U8psFSy2iUCajS82b+ddZEhuxwamel+RBRJZsmi5B2OvhkEaOj
|
||||
mhJOIkx3UD9XAjxeooVcTlzAaJ5JFZ7Im97o+DRbQYvJYe4ZqDo17lrzBh6wruLC
|
||||
vBo+/lwh9FbCqxbDpFfqwpf8qYsWu3m0Qlu5f+BZ/9WvjFCVoRmScNHJo42tu18r
|
||||
xcX2Txis8oWysgqhvIgTFRnLq010ErL8iE9WeZwrNJgcTnf+AQLolKQiVAHumMvk
|
||||
Djv0No+ZTBG03Hsb0tbvA8kVtxI0ZZtzPcRkRqmUwiLCtcO9oo1hInhu+D1sPZwI
|
||||
Q1xK6hI6LKsF80yPKGexZxlgV/vZYhIKtD0SIoZCpx7MSBxXqHYZARtTFUAXBSqF
|
||||
tIn800/pPhGuY1/x3ho4BeWCGj1eWG5zy7dr0q/d/OiqBj3OiUfxtTl4drqrYhca
|
||||
goNhzNTs0Ps+iYbVQlk4nEAjg54M8ru1jfcuNRgrhTqCI8yiESk=
|
||||
=AG91
|
||||
-----END PGP SIGNATURE-----
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
|
||||
Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
|
||||
3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
|
||||
bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
|
||||
ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
|
||||
KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
|
||||
VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
|
||||
+W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
|
||||
zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
|
||||
1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
|
||||
TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
|
||||
o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
|
||||
=cO0k
|
||||
-----END PGP SIGNATURE-----
|
4385
SOURCES/loglevel.patch
Normal file
4385
SOURCES/loglevel.patch
Normal file
File diff suppressed because it is too large
Load Diff
514
SOURCES/memory_leak.patch
Normal file
514
SOURCES/memory_leak.patch
Normal file
@ -0,0 +1,514 @@
|
||||
From 8795d8912c8a83aaf900c0260e252a35f64eb200 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Fri, 18 Nov 2022 17:22:46 +0100
|
||||
Subject: [PATCH] Fix memory leaks of bignums when openssl >= 3.0
|
||||
|
||||
The openssl 3.0 support has introduced some memory leaks at key build as
|
||||
OSSL_PARAM_BLD_push_BN duplicates the bignum and does not save the pointer
|
||||
itself.
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
include/libssh/dh.h | 2 +-
|
||||
src/dh_crypto.c | 28 ++---
|
||||
src/pki_crypto.c | 262 ++++++++++++++++++++++++--------------------
|
||||
3 files changed, 151 insertions(+), 141 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/dh.h b/include/libssh/dh.h
|
||||
index 353dc233..9b9bb472 100644
|
||||
--- a/include/libssh/dh.h
|
||||
+++ b/include/libssh/dh.h
|
||||
@@ -53,7 +53,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
||||
bignum *priv, bignum *pub);
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||
- const bignum priv, const bignum pub);
|
||||
+ bignum priv, bignum pub);
|
||||
|
||||
int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
|
||||
bignum *dest);
|
||||
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
||||
index a847c6a2..b578ddec 100644
|
||||
--- a/src/dh_crypto.c
|
||||
+++ b/src/dh_crypto.c
|
||||
@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||
- const bignum priv, const bignum pub)
|
||||
+ bignum priv, bignum pub)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- bignum priv_key = NULL;
|
||||
- bignum pub_key = NULL;
|
||||
-#else
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
int rc;
|
||||
OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
|
||||
OSSL_PARAM_BLD *param_bld = NULL;
|
||||
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
+ (void)DH_set0_key(ctx->keypair[peer], pub, priv);
|
||||
+
|
||||
+ return SSH_OK;
|
||||
+#else
|
||||
rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
|
||||
if (rc != 1) {
|
||||
return SSH_ERROR;
|
||||
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||
rc = SSH_ERROR;
|
||||
goto out;
|
||||
}
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
if (priv) {
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- priv_key = priv;
|
||||
-#else
|
||||
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
|
||||
if (rc != 1) {
|
||||
rc = SSH_ERROR;
|
||||
goto out;
|
||||
}
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
if (pub) {
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- pub_key = pub;
|
||||
-#else
|
||||
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
|
||||
if (rc != 1) {
|
||||
rc = SSH_ERROR;
|
||||
goto out;
|
||||
}
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
- (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
|
||||
|
||||
- return SSH_OK;
|
||||
-#else
|
||||
params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||
if (params == NULL) {
|
||||
rc = SSH_ERROR;
|
||||
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||
|
||||
rc = SSH_OK;
|
||||
out:
|
||||
+ bignum_safe_free(priv);
|
||||
+ bignum_safe_free(pub);
|
||||
EVP_PKEY_CTX_free(evp_ctx);
|
||||
OSSL_PARAM_free(out_params);
|
||||
OSSL_PARAM_free(params);
|
||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
|
||||
index 0a5003da..d3359e2d 100644
|
||||
--- a/src/pki_crypto.c
|
||||
+++ b/src/pki_crypto.c
|
||||
@@ -1492,18 +1492,18 @@ int pki_privkey_build_dss(ssh_key key,
|
||||
ssh_string privkey)
|
||||
{
|
||||
int rc;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||
+ if (param_bld == NULL) {
|
||||
+ return SSH_ERROR;
|
||||
+ }
|
||||
#else
|
||||
- const BIGNUM *pb, *qb, *gb, *pubb, *privb;
|
||||
- OSSL_PARAM_BLD *param_bld;
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
-
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
key->dsa = DSA_new();
|
||||
if (key->dsa == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
bp = ssh_make_string_bn(p);
|
||||
bq = ssh_make_string_bn(q);
|
||||
@@ -1512,9 +1512,11 @@ int pki_privkey_build_dss(ssh_key key,
|
||||
bpriv_key = ssh_make_string_bn(privkey);
|
||||
if (bp == NULL || bq == NULL ||
|
||||
bg == NULL || bpub_key == NULL) {
|
||||
+ rc = SSH_ERROR;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
/* Memory management of bp, qq and bg is transferred to DSA object */
|
||||
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
||||
if (rc == 0) {
|
||||
@@ -1532,39 +1534,43 @@ fail:
|
||||
DSA_free(key->dsa);
|
||||
return SSH_ERROR;
|
||||
#else
|
||||
- param_bld = OSSL_PARAM_BLD_new();
|
||||
- if (param_bld == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- pb = ssh_make_string_bn(p);
|
||||
- qb = ssh_make_string_bn(q);
|
||||
- gb = ssh_make_string_bn(g);
|
||||
- pubb = ssh_make_string_bn(pubkey);
|
||||
- privb = ssh_make_string_bn(privkey);
|
||||
-
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
||||
+
|
||||
+fail:
|
||||
OSSL_PARAM_BLD_free(param_bld);
|
||||
+ bignum_safe_free(bp);
|
||||
+ bignum_safe_free(bq);
|
||||
+ bignum_safe_free(bg);
|
||||
+ bignum_safe_free(bpub_key);
|
||||
+ bignum_safe_free(bpriv_key);
|
||||
|
||||
return rc;
|
||||
-err:
|
||||
- OSSL_PARAM_BLD_free(param_bld);
|
||||
- return -1;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
|
||||
@@ -1574,18 +1580,18 @@ int pki_pubkey_build_dss(ssh_key key,
|
||||
ssh_string g,
|
||||
ssh_string pubkey) {
|
||||
int rc;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||
+ if (param_bld == NULL) {
|
||||
+ return SSH_ERROR;
|
||||
+ }
|
||||
#else
|
||||
- const BIGNUM *pb, *qb, *gb, *pubb;
|
||||
- OSSL_PARAM_BLD *param_bld;
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
-
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
key->dsa = DSA_new();
|
||||
if (key->dsa == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
bp = ssh_make_string_bn(p);
|
||||
bq = ssh_make_string_bn(q);
|
||||
@@ -1593,9 +1599,11 @@ int pki_pubkey_build_dss(ssh_key key,
|
||||
bpub_key = ssh_make_string_bn(pubkey);
|
||||
if (bp == NULL || bq == NULL ||
|
||||
bg == NULL || bpub_key == NULL) {
|
||||
+ rc = SSH_ERROR;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
/* Memory management of bp, bq and bg is transferred to DSA object */
|
||||
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
||||
if (rc == 0) {
|
||||
@@ -1613,35 +1621,37 @@ fail:
|
||||
DSA_free(key->dsa);
|
||||
return SSH_ERROR;
|
||||
#else
|
||||
- param_bld = OSSL_PARAM_BLD_new();
|
||||
- if (param_bld == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- pb = ssh_make_string_bn(p);
|
||||
- qb = ssh_make_string_bn(q);
|
||||
- gb = ssh_make_string_bn(g);
|
||||
- pubb = ssh_make_string_bn(pubkey);
|
||||
-
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
||||
+
|
||||
+fail:
|
||||
OSSL_PARAM_BLD_free(param_bld);
|
||||
+ bignum_safe_free(bp);
|
||||
+ bignum_safe_free(bq);
|
||||
+ bignum_safe_free(bg);
|
||||
+ bignum_safe_free(bpub_key);
|
||||
|
||||
return rc;
|
||||
-err:
|
||||
- OSSL_PARAM_BLD_free(param_bld);
|
||||
- return -1;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
|
||||
@@ -1654,18 +1664,18 @@ int pki_privkey_build_rsa(ssh_key key,
|
||||
ssh_string q)
|
||||
{
|
||||
int rc;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
BIGNUM *be, *bn, *bd/*, *biqmp*/, *bp, *bq;
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||
+ if (param_bld == NULL) {
|
||||
+ return SSH_ERROR;
|
||||
+ }
|
||||
#else
|
||||
- const BIGNUM *nb, *eb, *db, *pb, *qb;
|
||||
- OSSL_PARAM_BLD *param_bld;
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
-
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
key->rsa = RSA_new();
|
||||
if (key->rsa == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
bn = ssh_make_string_bn(n);
|
||||
be = ssh_make_string_bn(e);
|
||||
@@ -1675,9 +1685,11 @@ int pki_privkey_build_rsa(ssh_key key,
|
||||
bq = ssh_make_string_bn(q);
|
||||
if (be == NULL || bn == NULL || bd == NULL ||
|
||||
/*biqmp == NULL ||*/ bp == NULL || bq == NULL) {
|
||||
+ rc = SSH_ERROR;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
/* Memory management of be, bn and bd is transferred to RSA object */
|
||||
rc = RSA_set0_key(key->rsa, bn, be, bd);
|
||||
if (rc == 0) {
|
||||
@@ -1702,41 +1714,49 @@ fail:
|
||||
RSA_free(key->rsa);
|
||||
return SSH_ERROR;
|
||||
#else
|
||||
- param_bld = OSSL_PARAM_BLD_new();
|
||||
- if (param_bld == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- nb = ssh_make_string_bn(n);
|
||||
- eb = ssh_make_string_bn(e);
|
||||
- db = ssh_make_string_bn(d);
|
||||
- pb = ssh_make_string_bn(p);
|
||||
- qb = ssh_make_string_bn(q);
|
||||
-
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, db);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, bd);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
||||
- OSSL_PARAM_BLD_free(param_bld);
|
||||
+ if (rc != SSH_OK) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, pb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, qb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
- return rc;
|
||||
-err:
|
||||
+fail:
|
||||
OSSL_PARAM_BLD_free(param_bld);
|
||||
- return -1;
|
||||
+ bignum_safe_free(bn);
|
||||
+ bignum_safe_free(be);
|
||||
+ bignum_safe_free(bd);
|
||||
+ bignum_safe_free(bp);
|
||||
+ bignum_safe_free(bq);
|
||||
+
|
||||
+ return rc;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
|
||||
@@ -1744,25 +1764,27 @@ int pki_pubkey_build_rsa(ssh_key key,
|
||||
ssh_string e,
|
||||
ssh_string n) {
|
||||
int rc;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
BIGNUM *be = NULL, *bn = NULL;
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||
+ if (param_bld == NULL) {
|
||||
+ return SSH_ERROR;
|
||||
+ }
|
||||
#else
|
||||
- const BIGNUM *eb, *nb;
|
||||
- OSSL_PARAM_BLD *param_bld;
|
||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||
-
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
key->rsa = RSA_new();
|
||||
if (key->rsa == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||
|
||||
be = ssh_make_string_bn(e);
|
||||
bn = ssh_make_string_bn(n);
|
||||
if (be == NULL || bn == NULL) {
|
||||
+ rc = SSH_ERROR;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
/* Memory management of bn and be is transferred to RSA object */
|
||||
rc = RSA_set0_key(key->rsa, bn, be, NULL);
|
||||
if (rc == 0) {
|
||||
@@ -1774,27 +1796,25 @@ fail:
|
||||
RSA_free(key->rsa);
|
||||
return SSH_ERROR;
|
||||
#else
|
||||
- nb = ssh_make_string_bn(n);
|
||||
- eb = ssh_make_string_bn(e);
|
||||
-
|
||||
- param_bld = OSSL_PARAM_BLD_new();
|
||||
- if (param_bld == NULL)
|
||||
- goto err;
|
||||
-
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
||||
- if (rc != 1)
|
||||
- goto err;
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
||||
+ if (rc != 1) {
|
||||
+ rc = SSH_ERROR;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
||||
+
|
||||
+fail:
|
||||
OSSL_PARAM_BLD_free(param_bld);
|
||||
+ bignum_safe_free(bn);
|
||||
+ bignum_safe_free(be);
|
||||
|
||||
return rc;
|
||||
-err:
|
||||
- OSSL_PARAM_BLD_free(param_bld);
|
||||
- return -1;
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
842
SOURCES/options_apply.patch
Normal file
842
SOURCES/options_apply.patch
Normal file
@ -0,0 +1,842 @@
|
||||
From 11c0d687a081fe64501e21c95def7f893611d029 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 10:40:38 +0100
|
||||
Subject: [PATCH 1/5] Add a placehohlder for non-expanded identities
|
||||
|
||||
Expanding a string twice could lead to unwanted behaviour.
|
||||
This solution creates a ssh_list (`opts.identites_non_exp`) to store the strings
|
||||
before expansion and by using ssh_apply it moves the string to the
|
||||
`opts.identities`. This way the expanded strings are separated.
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
include/libssh/session.h | 1 +
|
||||
src/options.c | 86 +++++++++++++++++++++++++---------------
|
||||
src/session.c | 23 +++++++++--
|
||||
3 files changed, 75 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||
index d3e5787c..e22b0d67 100644
|
||||
--- a/include/libssh/session.h
|
||||
+++ b/include/libssh/session.h
|
||||
@@ -209,6 +209,7 @@ struct ssh_session_struct {
|
||||
#endif
|
||||
struct {
|
||||
struct ssh_list *identity;
|
||||
+ struct ssh_list *identity_non_exp;
|
||||
char *username;
|
||||
char *host;
|
||||
char *bindaddr; /* bind the client to an ip addr */
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 56e09c65..bb085384 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -52,7 +52,7 @@
|
||||
* @brief Duplicate the options of a session structure.
|
||||
*
|
||||
* If you make several sessions with the same options this is useful. You
|
||||
- * cannot use twice the same option structure in ssh_session_connect.
|
||||
+ * cannot use twice the same option structure in ssh_connect.
|
||||
*
|
||||
* @param src The session to use to copy the options.
|
||||
*
|
||||
@@ -61,13 +61,14 @@
|
||||
*
|
||||
* @returns 0 on success, -1 on error with errno set.
|
||||
*
|
||||
- * @see ssh_session_connect()
|
||||
+ * @see ssh_connect()
|
||||
* @see ssh_free()
|
||||
*/
|
||||
int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||
{
|
||||
ssh_session new;
|
||||
struct ssh_iterator *it = NULL;
|
||||
+ struct ssh_list *list = NULL;
|
||||
char *id = NULL;
|
||||
int i;
|
||||
|
||||
@@ -105,14 +106,15 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||
}
|
||||
|
||||
/* Remove the default identities */
|
||||
- for (id = ssh_list_pop_head(char *, new->opts.identity);
|
||||
+ for (id = ssh_list_pop_head(char *, new->opts.identity_non_exp);
|
||||
id != NULL;
|
||||
- id = ssh_list_pop_head(char *, new->opts.identity)) {
|
||||
+ id = ssh_list_pop_head(char *, new->opts.identity_non_exp)) {
|
||||
SAFE_FREE(id);
|
||||
}
|
||||
/* Copy the new identities from the source list */
|
||||
- if (src->opts.identity != NULL) {
|
||||
- it = ssh_list_get_iterator(src->opts.identity);
|
||||
+ list = new->opts.identity_non_exp;
|
||||
+ it = ssh_list_get_iterator(src->opts.identity_non_exp);
|
||||
+ for (i = 0; i < 2; i++) {
|
||||
while (it) {
|
||||
int rc;
|
||||
|
||||
@@ -122,7 +124,7 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- rc = ssh_list_append(new->opts.identity, id);
|
||||
+ rc = ssh_list_append(list, id);
|
||||
if (rc < 0) {
|
||||
free(id);
|
||||
ssh_free(new);
|
||||
@@ -130,6 +132,10 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||
}
|
||||
it = it->next;
|
||||
}
|
||||
+
|
||||
+ /* copy the identity list if there is any already */
|
||||
+ list = new->opts.identity;
|
||||
+ it = ssh_list_get_iterator(src->opts.identity);
|
||||
}
|
||||
|
||||
if (src->opts.sshdir != NULL) {
|
||||
@@ -331,7 +337,7 @@ int ssh_options_set_algo(ssh_session session,
|
||||
* Add a new identity file (const char *, format string) to
|
||||
* the identity list.\n
|
||||
* \n
|
||||
- * By default identity, id_dsa and id_rsa are checked.\n
|
||||
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.\n
|
||||
* \n
|
||||
* The identity used to authenticate with public key will be
|
||||
* prepended to the list.
|
||||
@@ -700,7 +706,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||
if (q == NULL) {
|
||||
return -1;
|
||||
}
|
||||
- rc = ssh_list_prepend(session->opts.identity, q);
|
||||
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
||||
+ rc = ssh_list_append(session->opts.identity_non_exp, q);
|
||||
+ } else {
|
||||
+ rc = ssh_list_prepend(session->opts.identity_non_exp, q);
|
||||
+ }
|
||||
if (rc < 0) {
|
||||
free(q);
|
||||
return -1;
|
||||
@@ -1202,7 +1212,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) {
|
||||
* - SSH_OPTIONS_IDENTITY:
|
||||
* Get the first identity file name (const char *).\n
|
||||
* \n
|
||||
- * By default identity, id_dsa and id_rsa are checked.
|
||||
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.
|
||||
*
|
||||
* - SSH_OPTIONS_PROXYCOMMAND:
|
||||
* Get the proxycommand necessary to log into the
|
||||
@@ -1246,7 +1256,11 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value)
|
||||
break;
|
||||
}
|
||||
case SSH_OPTIONS_IDENTITY: {
|
||||
- struct ssh_iterator *it = ssh_list_get_iterator(session->opts.identity);
|
||||
+ struct ssh_iterator *it;
|
||||
+ it = ssh_list_get_iterator(session->opts.identity);
|
||||
+ if (it == NULL) {
|
||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||
+ }
|
||||
if (it == NULL) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
@@ -1541,7 +1555,6 @@ out:
|
||||
|
||||
int ssh_options_apply(ssh_session session)
|
||||
{
|
||||
- struct ssh_iterator *it;
|
||||
char *tmp;
|
||||
int rc;
|
||||
|
||||
@@ -1586,15 +1599,17 @@ int ssh_options_apply(ssh_session session)
|
||||
size_t plen = strlen(session->opts.ProxyCommand) +
|
||||
5 /* strlen("exec ") */;
|
||||
|
||||
- p = malloc(plen + 1 /* \0 */);
|
||||
- if (p == NULL) {
|
||||
- return -1;
|
||||
- }
|
||||
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||
+ p = malloc(plen + 1 /* \0 */);
|
||||
+ if (p == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||
- if ((size_t)rc != plen) {
|
||||
- free(p);
|
||||
- return -1;
|
||||
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||
+ if ((size_t)rc != plen) {
|
||||
+ free(p);
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
|
||||
tmp = ssh_path_expand_escape(session, p);
|
||||
@@ -1606,24 +1621,33 @@ int ssh_options_apply(ssh_session session)
|
||||
session->opts.ProxyCommand = tmp;
|
||||
}
|
||||
|
||||
- for (it = ssh_list_get_iterator(session->opts.identity);
|
||||
- it != NULL;
|
||||
- it = it->next) {
|
||||
- char *id = (char *) it->data;
|
||||
- if (strncmp(id, "pkcs11:", 6) == 0) {
|
||||
+ for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||
+ tmp != NULL;
|
||||
+ tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
||||
+ char *id = tmp;
|
||||
+ if (strncmp(id, "pkcs11:", 6) != 0) {
|
||||
/* PKCS#11 URIs are using percent-encoding so we can not mix
|
||||
* it with ssh expansion of ssh escape characters.
|
||||
- * Skip these identities now, before we will have PKCS#11 support
|
||||
*/
|
||||
- continue;
|
||||
+ tmp = ssh_path_expand_escape(session, id);
|
||||
+ if (tmp == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ free(id);
|
||||
}
|
||||
- tmp = ssh_path_expand_escape(session, id);
|
||||
- if (tmp == NULL) {
|
||||
+
|
||||
+ /* use append to keep the order at first call and use prepend
|
||||
+ * to put anything that comes on the nth calls to the beginning */
|
||||
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
||||
+ rc = ssh_list_prepend(session->opts.identity, tmp);
|
||||
+ } else {
|
||||
+ rc = ssh_list_append(session->opts.identity, tmp);
|
||||
+ }
|
||||
+ if (rc != SSH_OK) {
|
||||
return -1;
|
||||
}
|
||||
- free(id);
|
||||
- it->data = tmp;
|
||||
}
|
||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_IDENTITY;
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/session.c b/src/session.c
|
||||
index 64e54957..34a492e4 100644
|
||||
--- a/src/session.c
|
||||
+++ b/src/session.c
|
||||
@@ -118,13 +118,17 @@ ssh_session ssh_new(void)
|
||||
if (session->opts.identity == NULL) {
|
||||
goto err;
|
||||
}
|
||||
+ session->opts.identity_non_exp = ssh_list_new();
|
||||
+ if (session->opts.identity_non_exp == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
id = strdup("%d/id_ed25519");
|
||||
if (id == NULL) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
- rc = ssh_list_append(session->opts.identity, id);
|
||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto err;
|
||||
}
|
||||
@@ -134,7 +138,7 @@ ssh_session ssh_new(void)
|
||||
if (id == NULL) {
|
||||
goto err;
|
||||
}
|
||||
- rc = ssh_list_append(session->opts.identity, id);
|
||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto err;
|
||||
}
|
||||
@@ -144,7 +148,7 @@ ssh_session ssh_new(void)
|
||||
if (id == NULL) {
|
||||
goto err;
|
||||
}
|
||||
- rc = ssh_list_append(session->opts.identity, id);
|
||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto err;
|
||||
}
|
||||
@@ -154,7 +158,7 @@ ssh_session ssh_new(void)
|
||||
if (id == NULL) {
|
||||
goto err;
|
||||
}
|
||||
- rc = ssh_list_append(session->opts.identity, id);
|
||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||
if (rc == SSH_ERROR) {
|
||||
goto err;
|
||||
}
|
||||
@@ -284,6 +288,17 @@ void ssh_free(ssh_session session)
|
||||
ssh_list_free(session->opts.identity);
|
||||
}
|
||||
|
||||
+ if (session->opts.identity_non_exp) {
|
||||
+ char *id;
|
||||
+
|
||||
+ for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||
+ id != NULL;
|
||||
+ id = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
||||
+ SAFE_FREE(id);
|
||||
+ }
|
||||
+ ssh_list_free(session->opts.identity_non_exp);
|
||||
+ }
|
||||
+
|
||||
while ((b = ssh_list_pop_head(struct ssh_buffer_struct *,
|
||||
session->out_queue)) != NULL) {
|
||||
SSH_BUFFER_FREE(b);
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
||||
From 4cb84b99fdb1ffd26c0241f5809e4f67ddd407c6 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 11:03:30 +0100
|
||||
Subject: [PATCH 2/5] tests: Use opts.identites_non_exp not opts.identities
|
||||
|
||||
The configuration of identities are first saved to `opts.identities_non_exp`,
|
||||
then moved to `opts.identities` after calling ssh_options_apply and expanding
|
||||
the identity strings. These tests are testing against the proper configuration
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
tests/client/torture_auth_pkcs11.c | 2 +-
|
||||
tests/unittests/torture_config.c | 3 ++-
|
||||
tests/unittests/torture_options.c | 14 +++++++-------
|
||||
3 files changed, 10 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/tests/client/torture_auth_pkcs11.c b/tests/client/torture_auth_pkcs11.c
|
||||
index ee97bff4..e75fea0e 100644
|
||||
--- a/tests/client/torture_auth_pkcs11.c
|
||||
+++ b/tests/client/torture_auth_pkcs11.c
|
||||
@@ -196,7 +196,7 @@ static void torture_auth_autopubkey(void **state, const char *obj_name, const ch
|
||||
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
|
||||
assert_int_equal(rc, SSH_OK);
|
||||
- assert_string_equal(session->opts.identity->root->data, priv_uri);
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, priv_uri);
|
||||
|
||||
rc = ssh_connect(session);
|
||||
assert_int_equal(rc, SSH_OK);
|
||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
||||
index 354adc2f..100e68f6 100644
|
||||
--- a/tests/unittests/torture_config.c
|
||||
+++ b/tests/unittests/torture_config.c
|
||||
@@ -2078,7 +2078,8 @@ static void torture_config_identity(void **state)
|
||||
|
||||
_parse_config(session, NULL, LIBSSH_TESTCONFIG_STRING13, SSH_OK);
|
||||
|
||||
- it = ssh_list_get_iterator(session->opts.identity);
|
||||
+ /* The identities are first added to this temporary list before expanding */
|
||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||
assert_non_null(it);
|
||||
id = it->data;
|
||||
/* The identities are prepended to the list so we start with second one */
|
||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||
index dc4df383..3be2de8a 100644
|
||||
--- a/tests/unittests/torture_options.c
|
||||
+++ b/tests/unittests/torture_options.c
|
||||
@@ -406,12 +406,12 @@ static void torture_options_set_identity(void **state) {
|
||||
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_ADD_IDENTITY, "identity1");
|
||||
assert_true(rc == 0);
|
||||
- assert_string_equal(session->opts.identity->root->data, "identity1");
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity1");
|
||||
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
||||
assert_true(rc == 0);
|
||||
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
||||
- assert_string_equal(session->opts.identity->root->next->data, "identity1");
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->next->data, "identity1");
|
||||
}
|
||||
|
||||
static void torture_options_get_identity(void **state) {
|
||||
@@ -429,7 +429,7 @@ static void torture_options_get_identity(void **state) {
|
||||
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
||||
assert_int_equal(rc, SSH_OK);
|
||||
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
||||
rc = ssh_options_get(session, SSH_OPTIONS_IDENTITY, &identity);
|
||||
assert_int_equal(rc, SSH_OK);
|
||||
assert_non_null(identity);
|
||||
@@ -867,9 +867,9 @@ static void torture_options_copy(void **state)
|
||||
assert_non_null(new);
|
||||
|
||||
/* Check the identities match */
|
||||
- it = ssh_list_get_iterator(session->opts.identity);
|
||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||
assert_non_null(it);
|
||||
- it2 = ssh_list_get_iterator(new->opts.identity);
|
||||
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
||||
assert_non_null(it2);
|
||||
while (it != NULL && it2 != NULL) {
|
||||
assert_string_equal(it->data, it2->data);
|
||||
@@ -956,7 +956,7 @@ static void torture_options_getopt(void **state)
|
||||
"aes128-ctr");
|
||||
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_S_C],
|
||||
"aes128-ctr");
|
||||
- assert_string_equal(session->opts.identity->root->data, "id_rsa");
|
||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "id_rsa");
|
||||
#ifdef WITH_ZLIB
|
||||
assert_string_equal(session->opts.wanted_methods[SSH_COMP_C_S],
|
||||
"zlib@openssh.com,zlib,none");
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
||||
From cd30217c9032419ebcf722c0bfc6b5ebfa3518d0 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 16:51:02 +0100
|
||||
Subject: [PATCH 3/5] Add flags for escape expand operation
|
||||
|
||||
Calling `ssh_options_apply` more times can result in an unwanted behaviour of
|
||||
expanding the escape characters more times. Adding flags to check if the
|
||||
expansion was already done on the current string variables.
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
include/libssh/session.h | 7 ++++
|
||||
src/options.c | 91 ++++++++++++++++++++++++----------------
|
||||
src/session.c | 2 +
|
||||
3 files changed, 63 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||
index e22b0d67..cf219c2a 100644
|
||||
--- a/include/libssh/session.h
|
||||
+++ b/include/libssh/session.h
|
||||
@@ -93,6 +93,12 @@ enum ssh_pending_call_e {
|
||||
#define SSH_OPT_FLAG_KBDINT_AUTH 0x4
|
||||
#define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
|
||||
|
||||
+/* Escape expansion of different variables */
|
||||
+#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
|
||||
+#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
|
||||
+#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
|
||||
+#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
|
||||
+
|
||||
/* extensions flags */
|
||||
/* negotiation enabled */
|
||||
#define SSH_EXT_NEGOTIATION 0x01
|
||||
@@ -232,6 +238,7 @@ struct ssh_session_struct {
|
||||
char *gss_client_identity;
|
||||
int gss_delegate_creds;
|
||||
int flags;
|
||||
+ int exp_flags;
|
||||
int nodelay;
|
||||
bool config_processed;
|
||||
uint8_t options_seen[SOC_MAX];
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index bb085384..c566244b 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -730,6 +730,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||
ssh_set_error_oom(session);
|
||||
return -1;
|
||||
}
|
||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
||||
}
|
||||
break;
|
||||
case SSH_OPTIONS_GLOBAL_KNOWNHOSTS:
|
||||
@@ -751,6 +752,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||
ssh_set_error_oom(session);
|
||||
return -1;
|
||||
}
|
||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
||||
}
|
||||
break;
|
||||
case SSH_OPTIONS_TIMEOUT:
|
||||
@@ -1014,6 +1016,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||
return -1;
|
||||
}
|
||||
session->opts.ProxyCommand = q;
|
||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
||||
}
|
||||
}
|
||||
break;
|
||||
@@ -1572,53 +1575,67 @@ int ssh_options_apply(ssh_session session)
|
||||
}
|
||||
}
|
||||
|
||||
- if (session->opts.knownhosts == NULL) {
|
||||
- tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
||||
- } else {
|
||||
- tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
||||
- }
|
||||
- if (tmp == NULL) {
|
||||
- return -1;
|
||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS) == 0) {
|
||||
+ if (session->opts.knownhosts == NULL) {
|
||||
+ tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
||||
+ } else {
|
||||
+ tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
||||
+ }
|
||||
+ if (tmp == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ free(session->opts.knownhosts);
|
||||
+ session->opts.knownhosts = tmp;
|
||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
||||
}
|
||||
- free(session->opts.knownhosts);
|
||||
- session->opts.knownhosts = tmp;
|
||||
|
||||
- if (session->opts.global_knownhosts == NULL) {
|
||||
- tmp = strdup("/etc/ssh/ssh_known_hosts");
|
||||
- } else {
|
||||
- tmp = ssh_path_expand_escape(session, session->opts.global_knownhosts);
|
||||
- }
|
||||
- if (tmp == NULL) {
|
||||
- return -1;
|
||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS) == 0) {
|
||||
+ if (session->opts.global_knownhosts == NULL) {
|
||||
+ tmp = strdup("/etc/ssh/ssh_known_hosts");
|
||||
+ } else {
|
||||
+ tmp = ssh_path_expand_escape(session,
|
||||
+ session->opts.global_knownhosts);
|
||||
+ }
|
||||
+ if (tmp == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ free(session->opts.global_knownhosts);
|
||||
+ session->opts.global_knownhosts = tmp;
|
||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
||||
}
|
||||
- free(session->opts.global_knownhosts);
|
||||
- session->opts.global_knownhosts = tmp;
|
||||
|
||||
- if (session->opts.ProxyCommand != NULL) {
|
||||
- char *p = NULL;
|
||||
- size_t plen = strlen(session->opts.ProxyCommand) +
|
||||
- 5 /* strlen("exec ") */;
|
||||
|
||||
- if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||
- p = malloc(plen + 1 /* \0 */);
|
||||
- if (p == NULL) {
|
||||
- return -1;
|
||||
- }
|
||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND) == 0) {
|
||||
+ if (session->opts.ProxyCommand != NULL) {
|
||||
+ char *p = NULL;
|
||||
+ size_t plen = strlen(session->opts.ProxyCommand) +
|
||||
+ 5 /* strlen("exec ") */;
|
||||
+
|
||||
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||
+ p = malloc(plen + 1 /* \0 */);
|
||||
+ if (p == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||
- if ((size_t)rc != plen) {
|
||||
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||
+ if ((size_t)rc != plen) {
|
||||
+ free(p);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ tmp = ssh_path_expand_escape(session, p);
|
||||
free(p);
|
||||
- return -1;
|
||||
+ } else {
|
||||
+ tmp = ssh_path_expand_escape(session,
|
||||
+ session->opts.ProxyCommand);
|
||||
}
|
||||
- }
|
||||
|
||||
- tmp = ssh_path_expand_escape(session, p);
|
||||
- free(p);
|
||||
- if (tmp == NULL) {
|
||||
- return -1;
|
||||
+ if (tmp == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ free(session->opts.ProxyCommand);
|
||||
+ session->opts.ProxyCommand = tmp;
|
||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
||||
}
|
||||
- free(session->opts.ProxyCommand);
|
||||
- session->opts.ProxyCommand = tmp;
|
||||
}
|
||||
|
||||
for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||
diff --git a/src/session.c b/src/session.c
|
||||
index 34a492e4..06f6a26f 100644
|
||||
--- a/src/session.c
|
||||
+++ b/src/session.c
|
||||
@@ -114,6 +114,8 @@ ssh_session ssh_new(void)
|
||||
SSH_OPT_FLAG_KBDINT_AUTH |
|
||||
SSH_OPT_FLAG_GSSAPI_AUTH;
|
||||
|
||||
+ session->opts.exp_flags = 0;
|
||||
+
|
||||
session->opts.identity = ssh_list_new();
|
||||
if (session->opts.identity == NULL) {
|
||||
goto err;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
||||
From ed58082f9706f2ab3bdeca24f632356b9bc325e6 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 17:17:14 +0100
|
||||
Subject: [PATCH 4/5] torture_options.c: Add identity test for ssh_options_copy
|
||||
|
||||
Test if the ssh_options_apply is called on session before ssh_options_copy,
|
||||
then `opts.identity` ssh_list will be copied
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
tests/unittests/torture_options.c | 28 ++++++++++++++++++++++++++++
|
||||
1 file changed, 28 insertions(+)
|
||||
|
||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||
index 3be2de8a..907cc8df 100644
|
||||
--- a/tests/unittests/torture_options.c
|
||||
+++ b/tests/unittests/torture_options.c
|
||||
@@ -918,6 +918,34 @@ static void torture_options_copy(void **state)
|
||||
sizeof(session->opts.options_seen));
|
||||
|
||||
ssh_free(new);
|
||||
+
|
||||
+ /* test if ssh_options_apply was called before ssh_options_copy
|
||||
+ * the opts.identity list gets copied (percent expanded list) */
|
||||
+ rv = ssh_options_apply(session);
|
||||
+ assert_ssh_return_code(session, rv);
|
||||
+
|
||||
+ rv = ssh_options_copy(session, &new);
|
||||
+ assert_ssh_return_code(session, rv);
|
||||
+ assert_non_null(new);
|
||||
+
|
||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||
+ assert_null(it);
|
||||
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
||||
+ assert_null(it2);
|
||||
+
|
||||
+ it = ssh_list_get_iterator(session->opts.identity);
|
||||
+ assert_non_null(it);
|
||||
+ it2 = ssh_list_get_iterator(new->opts.identity);
|
||||
+ assert_non_null(it2);
|
||||
+ while (it != NULL && it2 != NULL) {
|
||||
+ assert_string_equal(it->data, it2->data);
|
||||
+ it = it->next;
|
||||
+ it2 = it2->next;
|
||||
+ }
|
||||
+ assert_null(it);
|
||||
+ assert_null(it2);
|
||||
+
|
||||
+ ssh_free(new);
|
||||
}
|
||||
|
||||
#define EXECUTABLE_NAME "test-exec"
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
||||
From 89dd4a927b946d4df5c48073ca25cd843e0acde0 Mon Sep 17 00:00:00 2001
|
||||
From: Norbert Pocs <npocs@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 17:18:49 +0100
|
||||
Subject: [PATCH 5/5] torture_options.c: Add test for ssh_options_apply
|
||||
|
||||
Test that ssh_options_apply can be called multiple times without expanding
|
||||
escape characters more than once. If the options are updated after calling
|
||||
ssh_options_apply keep the last options.
|
||||
|
||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
tests/unittests/torture_options.c | 165 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 165 insertions(+)
|
||||
|
||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||
index 907cc8df..ea63b45e 100644
|
||||
--- a/tests/unittests/torture_options.c
|
||||
+++ b/tests/unittests/torture_options.c
|
||||
@@ -1332,6 +1332,170 @@ static void torture_options_caret_sign(void **state)
|
||||
free(awaited);
|
||||
}
|
||||
|
||||
+static void torture_options_apply (void **state) {
|
||||
+ ssh_session session = *state;
|
||||
+ struct ssh_list *awaited_list = NULL;
|
||||
+ struct ssh_iterator *it1 = NULL, *it2 = NULL;
|
||||
+ char *id = NULL;
|
||||
+ int rc;
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_KNOWNHOSTS,
|
||||
+ "%%d/.ssh/known_hosts");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
||||
+ "/etc/%%u/libssh/known_hosts");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_PROXYCOMMAND,
|
||||
+ "exec echo \"Hello libssh %%d!\"");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||
+ "%%d/do_not_expand");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_apply(session);
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ /* check that the values got expanded */
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||
+ assert_true(ssh_list_count(session->opts.identity) > 0);
|
||||
+
|
||||
+ /* should not change anything calling it again */
|
||||
+ rc = ssh_options_apply(session);
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ /* check that the expansion was done only once */
|
||||
+ assert_string_equal(session->opts.knownhosts, "%d/.ssh/known_hosts");
|
||||
+ assert_string_equal(session->opts.global_knownhosts,
|
||||
+ "/etc/%u/libssh/known_hosts");
|
||||
+ /* no exec should be added if there already is one */
|
||||
+ assert_string_equal(session->opts.ProxyCommand,
|
||||
+ "exec echo \"Hello libssh %d!\"");
|
||||
+ assert_string_equal(session->opts.identity->root->data,
|
||||
+ "%d/do_not_expand");
|
||||
+
|
||||
+ /* apply should keep the freshest setting */
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_KNOWNHOSTS,
|
||||
+ "hello there");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
||||
+ "lorem ipsum");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_PROXYCOMMAND,
|
||||
+ "mission_impossible");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||
+ "007");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||
+ "3");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||
+ "2");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ rc = ssh_options_set(session,
|
||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||
+ "1");
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ /* check that flags show need of escape expansion */
|
||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||
+ assert_false(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||
+
|
||||
+ rc = ssh_options_apply(session);
|
||||
+ assert_ssh_return_code(session, rc);
|
||||
+
|
||||
+ /* check that the values got expanded */
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||
+
|
||||
+ assert_string_equal(session->opts.knownhosts, "hello there");
|
||||
+ assert_string_equal(session->opts.global_knownhosts, "lorem ipsum");
|
||||
+ /* check that the "exec " was added at the beginning */
|
||||
+ assert_string_equal(session->opts.ProxyCommand, "exec mission_impossible");
|
||||
+ assert_string_equal(session->opts.identity->root->data, "1");
|
||||
+
|
||||
+ /* check the order of the identity files after double expansion */
|
||||
+ awaited_list = ssh_list_new();
|
||||
+ /* append the new data in order */
|
||||
+ id = strdup("1");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+ id = strdup("2");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+ id = strdup("3");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+ id = strdup("007");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+ id = strdup("%d/do_not_expand");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+ /* append the defaults; this list is copied from ssh_new@src/session.c */
|
||||
+ id = ssh_path_expand_escape(session, "%d/id_ed25519");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+#ifdef HAVE_ECC
|
||||
+ id = ssh_path_expand_escape(session, "%d/id_ecdsa");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+#endif
|
||||
+ id = ssh_path_expand_escape(session, "%d/id_rsa");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+#ifdef HAVE_DSA
|
||||
+ id = ssh_path_expand_escape(session, "%d/id_dsa");
|
||||
+ rc = ssh_list_append(awaited_list, id);
|
||||
+ assert_int_equal(rc, SSH_OK);
|
||||
+#endif
|
||||
+
|
||||
+ assert_int_equal(ssh_list_count(awaited_list),
|
||||
+ ssh_list_count(session->opts.identity));
|
||||
+
|
||||
+ it1 = ssh_list_get_iterator(awaited_list);
|
||||
+ assert_non_null(it1);
|
||||
+ it2 = ssh_list_get_iterator(session->opts.identity);
|
||||
+ assert_non_null(it2);
|
||||
+ while (it1 != NULL && it2 != NULL) {
|
||||
+ assert_string_equal(it1->data, it2->data);
|
||||
+
|
||||
+ free((void*)it1->data);
|
||||
+ it1 = it1->next;
|
||||
+ it2 = it2->next;
|
||||
+ }
|
||||
+ assert_null(it1);
|
||||
+ assert_null(it2);
|
||||
+
|
||||
+ ssh_list_free(awaited_list);
|
||||
+}
|
||||
+
|
||||
#ifdef WITH_SERVER
|
||||
const char template[] = "temp_dir_XXXXXX";
|
||||
|
||||
@@ -2132,6 +2296,7 @@ int torture_run_tests(void) {
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(torture_options_caret_sign,
|
||||
setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
|
||||
};
|
||||
|
||||
#ifdef WITH_SERVER
|
||||
--
|
||||
2.38.1
|
||||
|
98
SOURCES/pkcs11_test_fix.patch
Normal file
98
SOURCES/pkcs11_test_fix.patch
Normal file
@ -0,0 +1,98 @@
|
||||
diff --git a/tests/pkcs11/setup-softhsm-tokens.sh b/tests/pkcs11/setup-softhsm-tokens.sh
|
||||
index 532c86a7..9050cea6 100755
|
||||
--- a/tests/pkcs11/setup-softhsm-tokens.sh
|
||||
+++ b/tests/pkcs11/setup-softhsm-tokens.sh
|
||||
@@ -17,10 +17,10 @@ echo "OBJNAME: $OBJNAME"
|
||||
echo "LOADPUBLIC: $LOADPUBLIC"
|
||||
|
||||
# Create temporary directory for tokens
|
||||
-install -d -m 0755 $TESTDIR/db
|
||||
+install -d -m 0755 "$TESTDIR/db"
|
||||
|
||||
# Create SoftHSM configuration file
|
||||
-cat >$TESTDIR/softhsm.conf <<EOF
|
||||
+cat >"$TESTDIR/softhsm.conf" <<EOF
|
||||
directories.tokendir = $TESTDIR/db
|
||||
objectstore.backend = file
|
||||
log.level = DEBUG
|
||||
@@ -28,12 +28,12 @@ EOF
|
||||
|
||||
export SOFTHSM2_CONF=$TESTDIR/softhsm.conf
|
||||
|
||||
-cat $TESTDIR/softhsm.conf
|
||||
+cat "$TESTDIR/softhsm.conf"
|
||||
|
||||
#init
|
||||
-cmd='softhsm2-util --init-token --label "$OBJNAME" --free --pin 1234 --so-pin 1234'
|
||||
+cmd="softhsm2-util --init-token --label $OBJNAME --free --pin 1234 --so-pin 1234"
|
||||
eval echo "$cmd"
|
||||
-out=$(eval $cmd)
|
||||
+out=$(eval "$cmd")
|
||||
ret=$?
|
||||
if [ $ret -ne 0 ]; then
|
||||
echo "Init token failed"
|
||||
@@ -41,10 +41,29 @@ if [ $ret -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+find_library_path() {
|
||||
+ echo "$@"
|
||||
+ for _lib in "$@" ; do
|
||||
+ if test -f "$_lib" ; then
|
||||
+ LIBSOFTHSM_PATH="$_lib"
|
||||
+ echo "Using libsofthsm path: $LIBSOFTHSM_PATH"
|
||||
+ return
|
||||
+ fi
|
||||
+ done
|
||||
+ echo "libsofthsm2.so not found"
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+find_library_path \
|
||||
+ /usr/lib64/libsofthsm2.so \
|
||||
+ /usr/lib/libsofthsm2.so \
|
||||
+ /usr/local/lib/softhsm/libsofthsm2.so \
|
||||
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
|
||||
+
|
||||
#load private key
|
||||
-cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-privkey "$PRIVKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
||||
+cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
||||
eval echo "$cmd"
|
||||
-out=$(eval $cmd)
|
||||
+out=$(eval "$cmd")
|
||||
ret=$?
|
||||
if [ $ret -ne 0 ]; then
|
||||
echo "Loading privkey failed"
|
||||
@@ -52,15 +71,15 @@ if [ $ret -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
-cat $PUBKEY
|
||||
+cat "$PUBKEY"
|
||||
|
||||
-ls -l $TESTDIR
|
||||
+ls -l "$TESTDIR"
|
||||
|
||||
-if [ $LOADPUBLIC -ne 0 ]; then
|
||||
+if [ "$LOADPUBLIC" -ne 0 ]; then
|
||||
#load public key
|
||||
- cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-pubkey "$PUBKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
||||
+ cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
||||
eval echo "$cmd"
|
||||
- out=$(eval $cmd)
|
||||
+ out=$(eval "$cmd")
|
||||
ret=$?
|
||||
if [ $ret -ne 0 ]; then
|
||||
echo "Loading pubkey failed"
|
||||
@@ -69,9 +88,9 @@ if [ $LOADPUBLIC -ne 0 ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
-cmd='p11tool --list-all --login "pkcs11:token="$OBJNAME"" --set-pin=1234'
|
||||
+cmd="p11tool --list-all --login \"pkcs11:token=$OBJNAME\" --set-pin=1234"
|
||||
eval echo "$cmd"
|
||||
-out=$(eval $cmd)
|
||||
+out=$(eval "$cmd")
|
||||
ret=$?
|
||||
if [ $ret -ne 0 ]; then
|
||||
echo "Loging failed"
|
1653
SOURCES/plus_sign.patch
Normal file
1653
SOURCES/plus_sign.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,12 +1,12 @@
|
||||
Name: libssh
|
||||
Version: 0.9.6
|
||||
Release: 3%{?dist}
|
||||
Version: 0.10.4
|
||||
Release: 8%{?dist}
|
||||
Summary: A library implementing the SSH protocol
|
||||
License: LGPLv2+
|
||||
URL: http://www.libssh.org
|
||||
|
||||
Source0: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
|
||||
Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
|
||||
Source0: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
|
||||
Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
|
||||
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
|
||||
Source3: libssh_client.config
|
||||
Source4: libssh_server.config
|
||||
@ -15,6 +15,7 @@ BuildRequires: cmake
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gnupg2
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openssl-pkcs11
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: krb5-devel
|
||||
@ -26,6 +27,8 @@ BuildRequires: uid_wrapper
|
||||
BuildRequires: openssh-clients
|
||||
BuildRequires: openssh-server
|
||||
BuildRequires: nmap-ncat
|
||||
BuildRequires: softhsm
|
||||
BuildRequires: gnutls-utils
|
||||
|
||||
Requires: %{name}-config = %{version}-%{release}
|
||||
Requires: crypto-policies
|
||||
@ -36,6 +39,14 @@ Provides: libssh_threads.so.4()(64bit)
|
||||
Provides: libssh_threads.so.4
|
||||
%endif
|
||||
|
||||
Patch1: coverity_scan.patch
|
||||
Patch2: pkcs11_test_fix.patch
|
||||
Patch3: loglevel.patch
|
||||
Patch4: plus_sign.patch
|
||||
Patch5: memory_leak.patch
|
||||
Patch6: options_apply.patch
|
||||
Patch7: enable_sk_keys_by_config.patch
|
||||
|
||||
%description
|
||||
The ssh library was designed to be used by programmers needing a working SSH
|
||||
implementation by the mean of a library. The complete control of the client is
|
||||
@ -69,6 +80,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||
-DUNIT_TESTING=ON \
|
||||
-DCLIENT_TESTING=ON \
|
||||
-DSERVER_TESTING=ON \
|
||||
-DWITH_PKCS11_URI=ON \
|
||||
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
||||
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
||||
|
||||
@ -106,7 +118,7 @@ popd
|
||||
%ctest
|
||||
|
||||
%files
|
||||
%doc AUTHORS BSD ChangeLog README
|
||||
%doc AUTHORS BSD CHANGELOG README
|
||||
%license COPYING
|
||||
%{_libdir}/libssh.so.4*
|
||||
%{_libdir}/libssh_threads.so.4*
|
||||
@ -126,6 +138,51 @@ popd
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||
|
||||
%changelog
|
||||
* Mon Jan 23 2023 Stanislav Zidek <szidek@redhat.com> - 0.10.4-8
|
||||
+ libssh-0.10.4-8
|
||||
- Extended CI to run internal tests in RHEL
|
||||
- Related: rhbz#2160080
|
||||
|
||||
* Wed Jan 4 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-7
|
||||
- Add sk-keys to configuration parsing allowing to turn on-off by config
|
||||
- Related: rhbz#2026449
|
||||
|
||||
* Thu Dec 1 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-6
|
||||
- Fix covscan error
|
||||
- Remove unwanted test with yet unimplemented feature
|
||||
- Related: rhbz#2137839, rhbz#2136824
|
||||
|
||||
* Thu Dec 01 2022 Stanislav Zidek <szidek@redhat.com> - 0.10.4-5
|
||||
+ libssh-0.10.4-5
|
||||
- Fixed CI configuration due to TMT changes
|
||||
|
||||
* Wed Nov 30 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-4
|
||||
- Move loglevel closer to openssh loglevel
|
||||
- Add openssh config feature of +,-,^ for algorithm lists
|
||||
- Fix memory leaks of bignum
|
||||
- Prevent multiple expansion of escape characters
|
||||
- Resolves: rhbz#2132407, rhbz#2137839, rhbz#2144795, rhbz#2136824
|
||||
|
||||
* Tue Oct 4 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-3
|
||||
- Enable pkcs11 support
|
||||
- Fix broken libsofthsm path on i686
|
||||
- Add missing bugzilla references from the rebase commit
|
||||
- Related: rhbz#2026449
|
||||
- Resolves: rhbz#1977913, rhbz#1975500
|
||||
|
||||
* Tue Sep 27 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
|
||||
- Fix coverity scan issues
|
||||
- Resolves: rhbz#2130126
|
||||
|
||||
* Mon Sep 19 2022 Norbert pocs <npocs@redhat.com> - 0.10.4-1
|
||||
- Rebase to version 0.10.4
|
||||
- Add pkcs11 support
|
||||
- Disallow ssh-rsa key in FIPS mode
|
||||
- Fix openssl KDF check at build
|
||||
- ChangeLog was renamed to CHANGELOG
|
||||
- Resolves: rhbz#2068475, rhbz#2026449, rhbz#2004021,
|
||||
rhbz#1977913, rhbz#1975500
|
||||
|
||||
* Fri Nov 12 2021 Stanislav Zidek <szidek@redhat.com> - 0.9.6-3
|
||||
+ libssh-0.9.6-3
|
||||
- Disabled gating on osci.brew-build.revdeps.integration
|
||||
|
Loading…
Reference in New Issue
Block a user