rpms/libssh
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c10s
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:c9s
rpms:imports/c10s/libssh-0.11.1-2.el10
rpms:imports/c10s/libssh-0.11.1-1.el10
rpms:imports/c10s/libssh-0.10.6-8.el10
rpms:imports/c10s/libssh-0.10.6-7.el10
rpms:imports/c8/libssh-0.9.6-14.el8
rpms:imports/c9/libssh-0.10.4-13.el9
rpms:imports/c9/libssh-0.10.4-12.el9_3
rpms:imports/c8/libssh-0.9.6-13.el8_9
rpms:imports/c9/libssh-0.10.4-11.el9
rpms:imports/c9-beta/libssh-0.10.4-11.el9
rpms:imports/c8/libssh-0.9.6-10.el8_8
rpms:imports/c8/libssh-0.9.6-6.el8
rpms:imports/c9/libssh-0.10.4-8.el9
rpms:imports/c9-beta/libssh-0.10.4-8.el9
rpms:imports/c8-beta/libssh-0.9.6-6.el8
rpms:imports/c8s/libssh-0.9.6-6.el8
rpms:imports/c8s/libssh-0.9.6-5.el8
rpms:imports/c8s/libssh-0.9.6-4.el8
rpms:imports/c9/libssh-0.9.6-3.el9
rpms:imports/c8/libssh-0.9.6-3.el8
rpms:imports/c8-beta/libssh-0.9.6-3.el8
rpms:imports/c9-beta/libssh-0.9.6-3.el9
rpms:imports/c9-beta/libssh-0.9.5-6.el9
rpms:imports/c8s/libssh-0.9.6-3.el8
rpms:imports/c8/libssh-0.9.4-3.el8
rpms:imports/c8-beta/libssh-0.9.4-3.el8
rpms:imports/c8-beta/libssh-0.9.4-2.el8
rpms:imports/c8-beta/libssh-0.9.0-4.el8
rpms:imports/c8-beta/libssh-0.8.91-0.1.el8
rpms:imports/c8s/libssh-0.9.4-3.el8
rpms:imports/c8s/libssh-0.9.4-2.el8
rpms:imports/c8s/libssh-0.9.4-1.el8
rpms:imports/c8/libssh-0.9.4-2.el8
rpms:imports/c8/libssh-0.9.0-4.el8
rpms:imports/c8/libssh-0.8.5-2.el8
..
compare: rpms:c8
Branches Tags
rpms:c10s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:c9s
rpms:imports/c10s/libssh-0.11.1-2.el10
rpms:imports/c10s/libssh-0.11.1-1.el10
rpms:imports/c10s/libssh-0.10.6-8.el10
rpms:imports/c10s/libssh-0.10.6-7.el10
rpms:imports/c8/libssh-0.9.6-14.el8
rpms:imports/c9/libssh-0.10.4-13.el9
rpms:imports/c9/libssh-0.10.4-12.el9_3
rpms:imports/c8/libssh-0.9.6-13.el8_9
rpms:imports/c9/libssh-0.10.4-11.el9
rpms:imports/c9-beta/libssh-0.10.4-11.el9
rpms:imports/c8/libssh-0.9.6-10.el8_8
rpms:imports/c8/libssh-0.9.6-6.el8
rpms:imports/c9/libssh-0.10.4-8.el9
rpms:imports/c9-beta/libssh-0.10.4-8.el9
rpms:imports/c8-beta/libssh-0.9.6-6.el8
rpms:imports/c8s/libssh-0.9.6-6.el8
rpms:imports/c8s/libssh-0.9.6-5.el8
rpms:imports/c8s/libssh-0.9.6-4.el8
rpms:imports/c9/libssh-0.9.6-3.el9
rpms:imports/c8/libssh-0.9.6-3.el8
rpms:imports/c8-beta/libssh-0.9.6-3.el8
rpms:imports/c9-beta/libssh-0.9.6-3.el9
rpms:imports/c9-beta/libssh-0.9.5-6.el9
rpms:imports/c8s/libssh-0.9.6-3.el8
rpms:imports/c8/libssh-0.9.4-3.el8
rpms:imports/c8-beta/libssh-0.9.4-3.el8
rpms:imports/c8-beta/libssh-0.9.4-2.el8
rpms:imports/c8-beta/libssh-0.9.0-4.el8
rpms:imports/c8-beta/libssh-0.8.91-0.1.el8
rpms:imports/c8s/libssh-0.9.4-3.el8
rpms:imports/c8s/libssh-0.9.4-2.el8
rpms:imports/c8s/libssh-0.9.4-1.el8
rpms:imports/c8/libssh-0.9.4-2.el8
rpms:imports/c8/libssh-0.9.0-4.el8
rpms:imports/c8/libssh-0.8.5-2.el8

No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

22 changed files with 9863 additions and 434 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version
View File

@ -1 +0,0 @@
1

76
.gitignore vendored
View File

@ -1,74 +1,2 @@
libssh-0.4.4.tar.gz
libssh-0.4.4.tar.gz.asc
/libssh-0.4.6.tar.gz
/libssh-0.4.6.tar.gz.asc
/libssh-0.4.8.tar.gz
/libssh-0.4.8.tar.gz.asc
/libssh-0.5.0.tar.gz
/libssh-0.5.0.tar.gz.asc
/libssh-0.5.2.tar.gz
/libssh-0.5.2.tar.gz.asc
/libssh-0.5.3.tar.gz
/libssh-0.5.3.tar.asc
/libssh-0.5.4.tar.gz
/libssh-0.5.4.tar.asc
/libssh-0.5.5.tar.gz
/libssh-0.5.5.tar.asc
/libssh-0.6.0.tar.xz
/libssh-0.6.1.tar.xz
/libssh-0.6.3.tar.xz
/libssh-0.6.4.tar.gz
/libssh-0.6.5.tar.xz
/libssh-0.7.0.tar.xz
/libssh-0.7.1.tar.xz
/libssh-0.7.2.tar.xz
/libssh-0.7.3.tar.xz
/libssh-0.7.4.tar.xz
/libssh-0.7.5.tar.xz
/libssh-0.8.0.tar.xz
/libssh-0.8.0.tar.xz.asc
/libssh-0.8.1.tar.xz
/libssh-0.8.1.tar.xz.asc
/libssh-0.8.2.tar.xz
/libssh-0.8.2.tar.xz.asc
/libssh-0.8.3.tar.xz
/libssh-0.8.3.tar.xz.asc
/libssh-0.8.4.tar.xz
/libssh-0.8.4.tar.xz.asc
/libssh-0.8.5.tar.xz
/libssh-0.8.5.tar.xz.asc
/libssh-0.8.6.tar.xz
/libssh-0.8.6.tar.xz.asc
/libssh-0.8.7.tar.xz
/libssh-0.8.7.tar.xz.asc
/libssh-0.8.91.tar.xz
/libssh_client.config
/libssh_server.config
/libssh-0.9.0.tar.xz
/libssh-0.9.0.tar.xz.asc
/libssh-0.9.2.tar.xz
/libssh-0.9.2.tar.xz.asc
/libssh-0.9.3.tar.xz
/libssh-0.9.3.tar.xz.asc
/libssh-0.9.4.tar.xz
/libssh-0.9.4.tar.xz.asc
/libssh-0.9.5.tar.xz
/libssh-0.9.5.tar.xz.asc
/libssh-0.9.6.tar.xz
/libssh-0.9.6.tar.xz.asc
/libssh-0.10.0.tar.xz
/libssh-0.10.0.tar.xz.asc
/libssh-0.10.1.tar.xz
/libssh-0.10.1.tar.xz.asc
/libssh-0.10.2.tar.xz
/libssh-0.10.2.tar.xz.asc
/libssh-0.10.3.tar.xz
/libssh-0.10.3.tar.xz.asc
/libssh-0.10.4.tar.xz
/libssh-0.10.4.tar.xz.asc
/libssh-0.10.5.tar.xz
/libssh-0.10.5.tar.xz.asc
/libssh-0.10.6.tar.xz
/libssh-0.10.6.tar.xz.asc
/libssh-0.11.1.tar.xz
/libssh-0.11.1.tar.xz.asc
SOURCES/libssh-0.9.6.tar.xz
SOURCES/libssh.keyring

2
.libssh.metadata Normal file
View File

@ -0,0 +1,2 @@
1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring

723
SOURCES/CVE-2023-48795.patch Normal file
View File

@ -0,0 +1,723 @@
From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Tue, 12 Dec 2023 23:09:57 +0100
Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
include/libssh/packet.h | 1 +
include/libssh/session.h | 6 +++++
src/curve25519.c | 19 +++----------
src/dh-gex.c | 7 +----
src/dh.c | 17 +++---------
src/ecdh.c | 8 +-----
src/ecdh_crypto.c | 12 +++------
src/ecdh_gcrypt.c | 10 +++----
src/ecdh_mbedcrypto.c | 11 +++-----
src/kex.c | 34 +++++++++++++++++++----
src/packet.c | 58 ++++++++++++++++++++++++++++++++++++++++
src/packet_cb.c | 12 +++++++++
12 files changed, 126 insertions(+), 69 deletions(-)
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
index 561bba8e..c6fbc3fc 100644
--- a/include/libssh/packet.h
+++ b/include/libssh/packet.h
@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
#endif
+int ssh_packet_send_newkeys(ssh_session session);
int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
int ssh_packet_parse_type(ssh_session session);
//int packet_flush(ssh_session session, int enforce_blocking);
diff --git a/include/libssh/session.h b/include/libssh/session.h
index 64e118ef..3cde0dd4 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
* sending it twice during key exchange to simplify the state machine. */
#define SSH_SESSION_FLAG_KEXINIT_SENT 4
+/* The current SSH2 session implements the "strict KEX" feature and should behave
+ * differently on SSH2_MSG_NEWKEYS. */
+#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
+/* Unexpected packets have been sent while the session was still unencrypted */
+#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
+
/* codes to use with ssh_handle_packets*() */
/* Infinite timeout */
#define SSH_TIMEOUT_INFINITE -1
diff --git a/src/curve25519.c b/src/curve25519.c
index 37654438..6b7b4238 100644
--- a/src/curve25519.c
+++ b/src/curve25519.c
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
}
/* Send the MSG_NEWKEYS */
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
- goto error;
- }
-
- rc=ssh_packet_send(session);
+ rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
-
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
return SSH_ERROR;
}
- /* Send the MSG_NEWKEYS */
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
- if (rc < 0) {
- goto error;
- }
-
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
- rc = ssh_packet_send(session);
+
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:
diff --git a/src/dh-gex.c b/src/dh-gex.c
index 4a298542..f1880270 100644
--- a/src/dh-gex.c
+++ b/src/dh-gex.c
@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
}
/* Send the MSG_NEWKEYS */
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
- goto error;
- }
-
- rc = ssh_packet_send(session);
+ rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
diff --git a/src/dh.c b/src/dh.c
index c265efcb..1d519c63 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
}
/* Send the MSG_NEWKEYS */
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
- goto error;
- }
-
- rc=ssh_packet_send(session);
+ rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
-
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
error:
@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
}
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
- ssh_buffer_reinit(session->out_buffer);
- goto error;
- }
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
- if (ssh_packet_send(session) == SSH_ERROR) {
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_packet_send_newkeys(session);
+ if (rc == SSH_ERROR) {
goto error;
}
- SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
return SSH_OK;
error:
diff --git a/src/ecdh.c b/src/ecdh.c
index e5b11ba9..af80beec 100644
--- a/src/ecdh.c
+++ b/src/ecdh.c
@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
}
/* Send the MSG_NEWKEYS */
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
- goto error;
- }
-
- rc=ssh_packet_send(session);
+ rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
goto error;
}
-
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
return SSH_PACKET_USED;
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
index a1de27fd..62578c1b 100644
--- a/src/ecdh_crypto.c
+++ b/src/ecdh_crypto.c
@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto error;
}
- /* Send the MSG_NEWKEYS */
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
- if (rc < 0) {
- goto error;
- }
-
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
- rc = ssh_packet_send(session);
- if (rc == SSH_ERROR){
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_packet_send_newkeys(session);
+ if (rc == SSH_ERROR) {
goto error;
}
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
return SSH_PACKET_USED;
error:
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
index d9c41bf9..dd4332d7 100644
--- a/src/ecdh_gcrypt.c
+++ b/src/ecdh_gcrypt.c
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
-
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
- if (rc != SSH_OK) {
+ rc = ssh_packet_send_newkeys(session);
+ if (rc == SSH_ERROR) {
goto out;
}
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
- rc = ssh_packet_send(session);
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
-
out:
gcry_sexp_release(param);
gcry_sexp_release(key);
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
index 718f1522..45251a42 100644
--- a/src/ecdh_mbedcrypto.c
+++ b/src/ecdh_mbedcrypto.c
@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
goto out;
}
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
- if (rc < 0) {
- rc = SSH_ERROR;
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_packet_send_newkeys(session);
+ if (rc == SSH_ERROR) {
goto out;
}
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
- rc = ssh_packet_send(session);
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
-
out:
mbedtls_ecp_group_free(&grp);
if (rc == SSH_ERROR) {
diff --git a/src/kex.c b/src/kex.c
index 3e5ca6ad..0772cae8 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -163,6 +163,9 @@
/* RFC 8308 */
#define KEX_EXTENSION_CLIENT "ext-info-c"
+/* Strict kex mitigation against CVE-2023-48795 */
+#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
+#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
/* Allowed algorithms in FIPS mode */
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
session->first_kex_follows_guess_wrong ? "wrong" : "right");
}
+ /*
+ * handle the "strict KEX" feature. If supported by peer, then set up the
+ * flag and verify packet sequence numbers.
+ */
+ if (server_kex) {
+ ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
+ KEX_STRICT_CLIENT);
+ if (ok) {
+ SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
+ }
+ } else {
+ /* client kex */
+ ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
+ KEX_STRICT_SERVER);
+ if (ok) {
+ SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
+ }
+ }
+
if (server_kex) {
/*
* If client sent a ext-info-c message in the kex list, it supports
@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
return SSH_OK;
}
- /* Here we append ext-info-c to the list of kex algorithms */
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
kex = client->methods[SSH_KEX];
len = strlen(kex);
- if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
+ /* Comma, comma, nul byte */
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
+ if (kex_len >= MAX_PACKET_LEN) {
/* Overflow */
return SSH_ERROR;
}
- kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
kex_tmp = realloc(kex, kex_len);
if (kex_tmp == NULL) {
- free(kex);
ssh_set_error_oom(session);
return SSH_ERROR;
}
- snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
+ snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
client->methods[SSH_KEX] = kex_tmp;
return SSH_OK;
diff --git a/src/packet.c b/src/packet.c
index ca7a03b7..82965fb3 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
}
#endif /* WITH_ZLIB */
payloadsize = ssh_buffer_get_len(session->in_buffer);
+ if (session->recv_seq == UINT32_MAX) {
+ /* Overflowing sequence numbers is always fishy */
+ if (crypto == NULL) {
+ /* don't allow sequence number overflow when unencrypted */
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Incoming sequence number overflow");
+ goto error;
+ } else {
+ SSH_LOG(SSH_LOG_WARNING,
+ "Incoming sequence number overflow");
+ }
+ }
session->recv_seq++;
if (crypto != NULL) {
struct ssh_cipher_struct *cipher = NULL;
@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
SSH_LOG(SSH_LOG_PACKET,
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
session->in_packet.type, packet_len, padding, compsize, payloadsize);
+ if (crypto == NULL) {
+ /* In strict kex, only a few packets are allowed. Taint the session
+ * if we received packets that are normally allowed but to be
+ * refused if we are in strict kex when KEX is over.
+ */
+ uint8_t type = session->in_packet.type;
+ if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
+ (type < SSH2_MSG_KEXDH_INIT ||
+ type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
+ }
+ }
/* Check if the packet is expected */
filter_result = ssh_packet_incoming_filter(session);
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
session->in_packet.type);
goto error;
case SSH_PACKET_UNKNOWN:
+ if (crypto == NULL) {
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
+ }
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
break;
}
@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
ssh_get_error(session));
}
+ if (session->current_crypto == NULL) {
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
+ }
+ }
+}
+
+/** @internal
+ * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
+ * @param session the SSH session
+ * @return SSH_ERROR on error, else SSH_OK
+ */
+int ssh_packet_send_newkeys(ssh_session session)
+{
+ int rc;
+
+ /* Send the MSG_NEWKEYS */
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+ if (rc < 0) {
+ return rc;
}
+
+ rc = ssh_packet_send(session);
+ if (rc == SSH_ERROR) {
+ return rc;
+ }
+ SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+ return rc;
}
/** @internal
@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
struct ssh_iterator *it;
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
+ /* reset packet sequence number when running in strict kex mode */
+ session->send_seq = 0;
+ }
for (it = ssh_list_get_iterator(session->out_queue);
it != NULL;
it = ssh_list_get_iterator(session->out_queue)) {
diff --git a/src/packet_cb.c b/src/packet_cb.c
index 3e4d5f6d..a08f1d8a 100644
--- a/src/packet_cb.c
+++ b/src/packet_cb.c
@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
goto error;
}
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
+ /* reset packet sequence number when running in strict kex mode */
+ session->recv_seq = 0;
+ /* Check that we aren't tainted */
+ if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Received unexpected packets in strict KEX mode.");
+ goto error;
+ }
+ }
+
if(session->server){
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;
--
2.41.0
From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Tue, 12 Dec 2023 23:30:26 +0100
Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
include/libssh/kex.h | 1 +
src/kex.c | 46 ++++++++++++++++++++++++++++++++++----------
src/server.c | 8 +++++++-
3 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/include/libssh/kex.h b/include/libssh/kex.h
index 2ace69b6..40da4ef2 100644
--- a/include/libssh/kex.h
+++ b/include/libssh/kex.h
@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
int ssh_send_kex(ssh_session session);
void ssh_list_kex(struct ssh_kex_struct *kex);
int ssh_set_client_kex(ssh_session session);
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
int ssh_kex_select_methods(ssh_session session);
int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
diff --git a/src/kex.c b/src/kex.c
index 0772cae8..e37c176c 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
{
struct ssh_kex_struct *client = &session->next_crypto->client_kex;
const char *wanted;
- char *kex = NULL;
- char *kex_tmp = NULL;
int ok;
int i;
- size_t kex_len, len;
/* Skip if already set, for example for the rekey or when we do the guessing
* it could have been already used to make some protocol decisions. */
@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
return SSH_OK;
}
- /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
- kex = client->methods[SSH_KEX];
+ ok = ssh_kex_append_extensions(session, client);
+ if (ok != SSH_OK){
+ return ok;
+ }
+
+ return SSH_OK;
+}
+
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex)
+{
+ char *kex = NULL;
+ char *kex_tmp = NULL;
+ size_t kex_len, len;
+
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com for client
+ * and kex-strict-s-v00@openssh.com for server to the list of kex algorithms
+ */
+ kex = pkex->methods[SSH_KEX];
len = strlen(kex);
- /* Comma, comma, nul byte */
- kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
+ if (session->server) {
+ /* Comma, nul byte */
+ kex_len = len + 1 + strlen(KEX_STRICT_SERVER) + 1;
+ } else {
+ /* Comma, comma, nul byte */
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 +
+ strlen(KEX_STRICT_CLIENT) + 1;
+ }
if (kex_len >= MAX_PACKET_LEN) {
/* Overflow */
return SSH_ERROR;
@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
ssh_set_error_oom(session);
return SSH_ERROR;
}
- snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
- client->methods[SSH_KEX] = kex_tmp;
-
+ if (session->server){
+ snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_STRICT_SERVER);
+ } else {
+ snprintf(kex_tmp + len,
+ kex_len - len,
+ ",%s,%s",
+ KEX_EXTENSION_CLIENT,
+ KEX_STRICT_CLIENT);
+ }
+ pkex->methods[SSH_KEX] = kex_tmp;
return SSH_OK;
}
diff --git a/src/server.c b/src/server.c
index ed73e7fb..35e84465 100644
--- a/src/server.c
+++ b/src/server.c
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
}
}
- return 0;
+ /* Do not append the extensions during rekey */
+ if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) {
+ return SSH_OK;
+ }
+
+ rc = ssh_kex_append_extensions(session, server);
+ return rc;
}
int ssh_server_init_kex(ssh_session session) {
--
2.41.0
From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 14 Dec 2023 12:22:01 +0100
Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
matching
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/kex.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/kex.c b/src/kex.c
index e37c176c..eea3604b 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
enum ssh_key_exchange_e kex_type;
int i;
- /* Here we should drop the ext-info-c from the list so we avoid matching.
+ /* Here we should drop the extensions from the list so we avoid matching.
* it. We added it to the end, so we can just truncate the string here */
- ext_start = strstr(client->methods[SSH_KEX], ","KEX_EXTENSION_CLIENT);
- if (ext_start != NULL) {
- ext_start[0] = '\0';
+ if (session->client) {
+ ext_start = strstr(client->methods[SSH_KEX], "," KEX_EXTENSION_CLIENT);
+ if (ext_start != NULL) {
+ ext_start[0] = '\0';
+ }
+ }
+ if (session->server) {
+ ext_start = strstr(server->methods[SSH_KEX], "," KEX_STRICT_SERVER);
+ if (ext_start != NULL) {
+ ext_start[0] = '\0';
+ }
}
for (i = 0; i < SSH_KEX_METHODS; i++) {
--
2.41.0
From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 14 Dec 2023 12:47:48 +0100
Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
index 13c9a7fe..bfb273af 100644
--- a/tests/client/torture_rekey.c
+++ b/tests/client/torture_rekey.c
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
ssh_disconnect(s->ssh.session);
}
+static void sanity_check_session(void **state)
+{
+ struct torture_state *s = *state;
+ struct ssh_crypto_struct *c = NULL;
+
+ c = s->ssh.session->current_crypto;
+ assert_non_null(c);
+ assert_int_equal(c->in_cipher->max_blocks,
+ bytes / c->in_cipher->blocksize);
+ assert_int_equal(c->out_cipher->max_blocks,
+ bytes / c->out_cipher->blocksize);
+ /* when strict kex is used, the newkeys reset the sequence number */
+ if ((s->ssh.session->flags & SSH_SESSION_FLAG_KEX_STRICT) != 0) {
+ assert_int_equal(c->out_cipher->packets, s->ssh.session->send_seq);
+ assert_int_equal(c->in_cipher->packets, s->ssh.session->recv_seq);
+ } else {
+ /* Otherwise we have less encrypted packets than transferred
+ * (first are not encrypted) */
+ assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+ assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
+ }
+}
+
/* We lower the rekey limits manually and check that the rekey
* really happens when sending data
*/
@@ -166,16 +189,10 @@ static void torture_rekey_send(void **state)
rc = ssh_connect(s->ssh.session);
assert_ssh_return_code(s->ssh.session, rc);
- /* The blocks limit is set correctly */
- c = s->ssh.session->current_crypto;
- assert_int_equal(c->in_cipher->max_blocks,
- bytes / c->in_cipher->blocksize);
- assert_int_equal(c->out_cipher->max_blocks,
- bytes / c->out_cipher->blocksize);
- /* We should have less encrypted packets than transfered (first are not encrypted) */
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
+ sanity_check_session(state);
/* Copy the initial secret hash = session_id so we know we changed keys later */
+ c = s->ssh.session->current_crypto;
+ assert_non_null(c);
secret_hash = malloc(c->digest_len);
assert_non_null(secret_hash);
memcpy(secret_hash, c->secret_hash, c->digest_len);
@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
sftp_file file;
mode_t mask;
- /* The blocks limit is set correctly */
- c = s->ssh.session->current_crypto;
- assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
- assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
- /* We should have less encrypted packets than transfered (first are not encrypted) */
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
+ sanity_check_session(state);
/* Copy the initial secret hash = session_id so we know we changed keys later */
+ c = s->ssh.session->current_crypto;
+ assert_non_null(c);
secret_hash = malloc(c->digest_len);
assert_non_null(secret_hash);
memcpy(secret_hash, c->secret_hash, c->digest_len);
@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
assert_ssh_return_code(s->ssh.session, rc);
/* The blocks limit is set correctly */
- c = s->ssh.session->current_crypto;
- assert_int_equal(c->in_cipher->max_blocks,
- bytes / c->in_cipher->blocksize);
- assert_int_equal(c->out_cipher->max_blocks,
- bytes / c->out_cipher->blocksize);
- /* We should have less encrypted packets than transfered (first are not encrypted) */
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
+ sanity_check_session(state);
/* Copy the initial secret hash = session_id so we know we changed keys later */
+ c = s->ssh.session->current_crypto;
+ assert_non_null(c);
secret_hash = malloc(c->digest_len);
assert_non_null(secret_hash);
memcpy(secret_hash, c->secret_hash, c->digest_len);
--
2.41.0

1114
SOURCES/CVE-2023-6004.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1577
SOURCES/CVE-2023-6918.patch Normal file
View File

File diff suppressed because it is too large Load Diff

86
SOURCES/auth_bypass.patch Normal file
View File

@ -0,0 +1,86 @@
diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
--- ../libssh-0.9.6/src/pki_crypto.c 2023-04-27 12:59:08.463259052 +0200
+++ ./src/pki_crypto.c 2023-04-27 13:05:24.020610873 +0200
@@ -2291,8 +2291,12 @@
unsigned char *raw_sig_data = NULL;
unsigned int raw_sig_len;
+ /* Function return code
+ * Do not change this variable throughout the function until the signature
+ * is successfully verified!
+ */
int rc = SSH_ERROR;
- int evp_rc;
+ int ok;
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
signature == NULL || (signature->raw_sig == NULL
@@ -2307,8 +2311,8 @@
}
/* Check if public key and hash type are compatible */
- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
- if (rc != SSH_OK) {
+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+ if (ok != SSH_OK) {
return SSH_ERROR;
}
@@ -2351,8 +2355,8 @@
}
/* Verify the signature */
- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
- if (evp_rc != 1){
+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+ if (ok != 1){
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyInit() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -2360,35 +2364,31 @@
}
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
#else
- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
- if (evp_rc != 1) {
+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyUpdate() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto out;
}
- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
#endif
- if (evp_rc == 1) {
- SSH_LOG(SSH_LOG_TRACE, "Signature valid");
- rc = SSH_OK;
- } else {
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"Signature invalid: %s",
ERR_error_string(ERR_get_error(), NULL));
- rc = SSH_ERROR;
+ goto out;
}
+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+ rc = SSH_OK;
+
out:
- if (ctx != NULL) {
- EVP_MD_CTX_free(ctx);
- }
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
return rc;
}

228
SOURCES/covscan23.patch Normal file
View File

@ -0,0 +1,228 @@
diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
--- ../libssh-0.9.6/src/buffer.c 2023-05-03 11:53:48.710217753 +0200
+++ ./src/buffer.c 2023-05-03 11:58:21.995200990 +0200
@@ -747,7 +747,8 @@
*/
int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
{
- if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+ if (buffer == NULL || buffer->pos + len < len ||
+ buffer->pos + len > buffer->used) {
return SSH_ERROR;
}
diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
--- ../libssh-0.9.6/src/gssapi.c 2023-05-03 11:53:48.732217993 +0200
+++ ./src/gssapi.c 2023-05-03 11:58:21.976200782 +0200
@@ -437,11 +437,18 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ ssh_auth_reply_default(session, 0);
+ ssh_gssapi_free(session);
+ session->gssapi = NULL;
+ return SSH_PACKET_USED;
+ }
ssh_packet_send(session);
}
@@ -846,6 +853,7 @@
}
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
+ int rc;
ssh_string oid_s;
gss_uint32 maj_stat, min_stat;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
@@ -897,11 +905,15 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ goto error;
+ }
ssh_packet_send(session);
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
}
@@ -963,6 +975,7 @@
}
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
+ int rc;
ssh_string token;
char *hexa;
OM_uint32 maj_stat, min_stat;
@@ -1015,11 +1028,15 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ goto error;
+ }
ssh_packet_send(session);
}
diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
--- ../libssh-0.9.6/src/options.c 2021-08-26 14:27:42.000000000 +0200
+++ ./src/options.c 2023-05-03 11:58:22.000201044 +0200
@@ -547,7 +547,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
+ SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
if (i <= 0) {
@@ -743,7 +745,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
if (i < 0) {
@@ -1818,7 +1822,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
- SAFE_FREE(q);
+ SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
+ SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
@@ -1845,7 +1851,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
- SAFE_FREE(q);
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+ SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
--- ../libssh-0.9.6/src/pki_container_openssh.c 2023-05-03 11:53:48.713217785 +0200
+++ ./src/pki_container_openssh.c 2023-05-03 11:58:21.976200782 +0200
@@ -630,7 +630,11 @@
goto error;
}
- ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+ rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+ if (rc != SSH_OK) {
+ SSH_BUFFER_FREE(kdf_buf);
+ goto error;
+ }
kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
if (kdf_options == NULL){
SSH_BUFFER_FREE(kdf_buf);
diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
--- ../libssh-0.9.6/tests/unittests/torture_options.c 2021-08-26 14:27:42.000000000 +0200
+++ ./tests/unittests/torture_options.c 2023-05-03 11:59:21.726853027 +0200
@@ -311,6 +311,7 @@
rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
assert_true(rc == -1);
+ assert_int_not_equal(session->opts.port, 0);
rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
assert_true(rc == -1);
@@ -853,6 +854,26 @@
ssh_free(new);
}
+static void torture_options_set_verbosity (void **state)
+{
+ ssh_session session = *state;
+ int rc, new_level;
+
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
+ "3");
+ assert_int_equal(rc, SSH_OK);
+ new_level = ssh_get_log_level();
+ assert_int_equal(new_level, SSH_LOG_PACKET);
+
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
+ "datsun");
+ assert_int_equal(rc, -1);
+ new_level = ssh_get_log_level();
+ assert_int_not_equal(new_level, 0);
+}
+
#ifdef WITH_SERVER
const char template[] = "temp_dir_XXXXXX";
@@ -1107,6 +1128,10 @@
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
assert_int_equal(rc, 0);
assert_int_equal(bind->bindport, 23);
+
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
+ assert_int_equal(rc, -1);
+ assert_int_not_equal(bind->bindport, 0);
}
static void torture_bind_options_log_verbosity(void **state)
@@ -1156,6 +1181,11 @@
new_level = ssh_get_log_level();
assert_int_equal(new_level, SSH_LOG_PACKET);
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
+ assert_int_equal(rc, -1);
+ new_level = ssh_get_log_level();
+ assert_int_not_equal(new_level, 0);
+
rc = ssh_set_log_level(previous_level);
assert_int_equal(rc, SSH_OK);
}
@@ -1643,6 +1673,7 @@
cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_config_match,
setup, teardown),
+ cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
};
#ifdef WITH_SERVER

668
SOURCES/fix_tests.patch Normal file
View File

@ -0,0 +1,668 @@
diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
--- ../libssh-0.9.6/examples/sshnetcat.c 2021-08-26 14:27:42.000000000 +0200
+++ ./examples/sshnetcat.c 2023-05-02 10:36:00.793381735 +0200
@@ -233,9 +233,10 @@
}
void cleanup_pcap(void);
-void cleanup_pcap(){
+void cleanup_pcap(void)
+{
ssh_pcap_file_free(pcap);
- pcap=NULL;
+ pcap = NULL;
}
#endif
diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
--- ../libssh-0.9.6/src/init.c 2021-03-15 08:11:33.000000000 +0100
+++ ./src/init.c 2023-05-02 10:36:00.793381735 +0200
@@ -269,7 +269,7 @@
*
* @see ssh_init()
*/
-bool is_ssh_initialized() {
+bool is_ssh_initialized(void) {
bool is_initialized = false;
diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
--- ../libssh-0.9.6/tests/client/torture_auth.c 2021-08-26 14:27:42.000000000 +0200
+++ ./tests/client/torture_auth.c 2023-05-02 10:36:00.815381960 +0200
@@ -200,7 +200,8 @@
assert_non_null(ssh_agent_pidfile);
/* kill agent pid */
- torture_terminate_process(ssh_agent_pidfile);
+ rc = torture_terminate_process(ssh_agent_pidfile);
+ assert_return_code(rc, errno);
unlink(ssh_agent_pidfile);
@@ -551,6 +552,7 @@
static void torture_auth_agent_cert(void **state)
{
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
@@ -570,6 +572,7 @@
"ssh-rsa-cert-v01@openssh.com");
assert_int_equal(rc, SSH_OK);
}
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
/* Setup loads a different key, tests are exactly the same. */
torture_auth_agent(state);
@@ -577,6 +580,7 @@
static void torture_auth_agent_cert_nonblocking(void **state)
{
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
@@ -596,6 +600,7 @@
"ssh-rsa-cert-v01@openssh.com");
assert_int_equal(rc, SSH_OK);
}
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
torture_auth_agent_nonblocking(state);
}
diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
--- ../libssh-0.9.6/tests/client/torture_rekey.c 2023-04-28 17:26:41.472315318 +0200
+++ ./tests/client/torture_rekey.c 2023-05-02 10:36:00.805381857 +0200
@@ -38,6 +38,8 @@
#include <fcntl.h>
#include <pwd.h>
+#define KEX_RETRY 32
+
static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
static int sshd_setup(void **state)
@@ -190,10 +192,11 @@
rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
- /* send ignore packets of up to 1KB to trigger rekey */
+ /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
+ * to make sure it completes with all different ciphers */
memset(data, 0, sizeof(data));
memset(data, 'A', 128);
- for (i = 0; i < 16; i++) {
+ for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
ssh_handle_packets(s->ssh.session, 50);
}
@@ -496,9 +499,15 @@
* to make sure the rekey it completes with all different ciphers (paddings */
memset(data, 0, sizeof(data));
memset(data, 'A', 128);
- for (i = 0; i < 20; i++) {
+ for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 50);
+ ssh_handle_packets(s->ssh.session, 100);
+
+ c = s->ssh.session->current_crypto;
+ /* SHA256 len */
+ if (c->digest_len != 32) {
+ break;
+ }
}
/* The rekey limit was restored in the new crypto to the same value */
@@ -568,9 +577,15 @@
* to make sure the rekey it completes with all different ciphers (paddings */
memset(data, 0, sizeof(data));
memset(data, 'A', 128);
- for (i = 0; i < 25; i++) {
+ for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 50);
+ ssh_handle_packets(s->ssh.session, 100);
+
+ c = s->ssh.session->current_crypto;
+ /* SHA256 len */
+ if (c->digest_len != 32) {
+ break;
+ }
}
/* Check that the secret hash is different than initially */
diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
--- ../libssh-0.9.6/tests/CMakeLists.txt 2021-08-26 14:27:42.000000000 +0200
+++ ./tests/CMakeLists.txt 2023-05-02 10:32:03.964511860 +0200
@@ -153,6 +153,17 @@
execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
endif()
+ find_program(TIMEOUT_EXECUTABLE
+ NAME
+ timeout
+ PATHS
+ /bin
+ /usr/bin
+ /usr/local/bin)
+ if (TIMEOUT_EXECUTABLE)
+ set(WITH_TIMEOUT "1")
+ endif()
+
# chroot_wrapper
add_library(chroot_wrapper SHARED chroot_wrapper.c)
set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c 2021-03-15 08:11:33.000000000 +0100
+++ ./tests/pkd/pkd_keyutil.c 2023-05-02 10:36:00.793381735 +0200
@@ -22,7 +22,7 @@
#include "pkd_keyutil.h"
#include "pkd_util.h"
-void setup_rsa_key() {
+void setup_rsa_key(void) {
int rc = 0;
if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
@@ -31,7 +31,7 @@
assert_int_equal(rc, 0);
}
-void setup_ed25519_key() {
+void setup_ed25519_key(void) {
int rc = 0;
if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
@@ -41,7 +41,7 @@
}
#ifdef HAVE_DSA
-void setup_dsa_key() {
+void setup_dsa_key(void) {
int rc = 0;
if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
@@ -51,7 +51,7 @@
}
#endif
-void setup_ecdsa_keys() {
+void setup_ecdsa_keys(void) {
int rc = 0;
if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
@@ -71,27 +71,27 @@
}
}
-void cleanup_rsa_key() {
+void cleanup_rsa_key(void) {
cleanup_key(LIBSSH_RSA_TESTKEY);
}
-void cleanup_ed25519_key() {
+void cleanup_ed25519_key(void) {
cleanup_key(LIBSSH_ED25519_TESTKEY);
}
#ifdef HAVE_DSA
-void cleanup_dsa_key() {
+void cleanup_dsa_key(void) {
cleanup_key(LIBSSH_DSA_TESTKEY);
}
#endif
-void cleanup_ecdsa_keys() {
+void cleanup_ecdsa_keys(void) {
cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
}
-void setup_openssh_client_keys() {
+void setup_openssh_client_keys(void) {
int rc = 0;
if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
@@ -184,7 +184,7 @@
}
}
-void cleanup_openssh_client_keys() {
+void cleanup_openssh_client_keys(void) {
cleanup_key(OPENSSH_CA_TESTKEY);
cleanup_key(OPENSSH_RSA_TESTKEY);
cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
@@ -199,7 +199,7 @@
}
}
-void setup_dropbear_client_rsa_key() {
+void setup_dropbear_client_rsa_key(void) {
int rc = 0;
if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
@@ -208,6 +208,6 @@
assert_int_equal(rc, 0);
}
-void cleanup_dropbear_client_rsa_key() {
+void cleanup_dropbear_client_rsa_key(void) {
unlink(DROPBEAR_RSA_TESTKEY);
}
diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
--- ../libssh-0.9.6/tests/server/torture_server_config.c 2021-08-26 14:27:42.000000000 +0200
+++ ./tests/server/torture_server_config.c 2023-05-02 10:36:00.815381960 +0200
@@ -285,9 +285,7 @@
assert_non_null(s);
rc = torture_terminate_process(s->srv_pidfile);
- if (rc != 0) {
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
- }
+ assert_return_code(rc, errno);
unlink(s->srv_pidfile);
@@ -513,6 +511,12 @@
/* Try each algorithm individually */
j = 0;
while(tokens->tokens[j] != NULL) {
+ char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
+ if (cmp == NULL) {
+ /* This cipher is not supported by the OpenSSH. Skip it */
+ j++;
+ continue;
+ }
snprintf(config_content,
sizeof(config_content),
"HostKey %s\nCiphers %s\n",
diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
--- ../libssh-0.9.6/tests/tests_config.h.cmake 2021-08-26 14:27:42.000000000 +0200
+++ ./tests/tests_config.h.cmake 2023-05-02 10:32:03.964511860 +0200
@@ -66,4 +66,6 @@
#cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
#cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
\ No newline at end of file
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
+#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
+#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
--- ../libssh-0.9.6/tests/torture.c 2021-08-26 14:27:44.000000000 +0200
+++ ./tests/torture.c 2023-05-02 10:36:00.815381960 +0200
@@ -51,6 +51,7 @@
#include "torture.h"
#include "torture_key.h"
#include "libssh/misc.h"
+#include "libssh/token.h"
#define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
/* socket wrapper IPv6 prefix fd00::5357:5fxx */
@@ -250,8 +251,12 @@
rc = kill(pid, 0);
if (rc != 0) {
- is_running = 0;
- break;
+ /* Process not found */
+ if (errno == ESRCH) {
+ is_running = 0;
+ rc = 0;
+ break;
+ }
}
}
@@ -260,7 +265,7 @@
"WARNING: The process with pid %u is still running!\n", pid);
}
- return 0;
+ return rc;
}
ssh_session torture_ssh_session(struct torture_state *s,
@@ -611,6 +616,112 @@
*state = s;
}
+/**
+ * @brief Create a libssh server configuration file
+ *
+ * It is expected the socket directory to be already created before by calling
+ * torture_setup_socket_dir(). The created configuration file will be stored in
+ * the socket directory and the srv_config pointer in the state will be
+ * initialized.
+ *
+ * @param[in] state A pointer to a pointer to an initialized torture_state
+ * structure
+ */
+void torture_setup_create_libssh_config(void **state)
+{
+ struct torture_state *s = *state;
+ char ed25519_hostkey[1024] = {0};
+#ifdef HAVE_DSA
+ char dsa_hostkey[1024];
+#endif /* HAVE_DSA */
+ char rsa_hostkey[1024];
+ char ecdsa_hostkey[1024];
+ char sshd_config[2048];
+ char sshd_path[1024];
+ const char *additional_config = NULL;
+ struct stat sb;
+ const char config_string[]=
+ "LogLevel DEBUG3\n"
+ "Port 22\n"
+ "ListenAddress 127.0.0.10\n"
+ "%s %s\n"
+ "%s %s\n"
+ "%s %s\n"
+#ifdef HAVE_DSA
+ "%s %s\n"
+#endif /* HAVE_DSA */
+ "%s\n"; /* The space for test-specific options */
+ bool written = false;
+ int rc;
+
+ assert_non_null(s->socket_dir);
+
+ snprintf(sshd_path,
+ sizeof(sshd_path),
+ "%s/sshd",
+ s->socket_dir);
+
+ rc = lstat(sshd_path, &sb);
+ if (rc == 0 ) { /* The directory is already in place */
+ written = true;
+ }
+
+ if (!written) {
+ rc = mkdir(sshd_path, 0755);
+ assert_return_code(rc, errno);
+ }
+
+ snprintf(ed25519_hostkey,
+ sizeof(ed25519_hostkey),
+ "%s/sshd/ssh_host_ed25519_key",
+ s->socket_dir);
+
+ snprintf(rsa_hostkey,
+ sizeof(rsa_hostkey),
+ "%s/sshd/ssh_host_rsa_key",
+ s->socket_dir);
+
+ snprintf(ecdsa_hostkey,
+ sizeof(ecdsa_hostkey),
+ "%s/sshd/ssh_host_ecdsa_key",
+ s->socket_dir);
+
+#ifdef HAVE_DSA
+ snprintf(dsa_hostkey,
+ sizeof(dsa_hostkey),
+ "%s/sshd/ssh_host_dsa_key",
+ s->socket_dir);
+#endif /* HAVE_DSA */
+
+ if (!written) {
+ torture_write_file(ed25519_hostkey,
+ torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
+ torture_write_file(rsa_hostkey,
+ torture_get_testkey(SSH_KEYTYPE_RSA, 0));
+ torture_write_file(ecdsa_hostkey,
+ torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
+#ifdef HAVE_DSA
+ torture_write_file(dsa_hostkey,
+ torture_get_testkey(SSH_KEYTYPE_DSS, 0));
+#endif /* HAVE_DSA */
+ }
+
+ additional_config = (s->srv_additional_config != NULL ?
+ s->srv_additional_config : "");
+
+ snprintf(sshd_config, sizeof(sshd_config),
+ config_string,
+ "HostKey", ed25519_hostkey,
+ "HostKey", rsa_hostkey,
+ "HostKey", ecdsa_hostkey,
+#ifdef HAVE_DSA
+ "HostKey", dsa_hostkey,
+#endif /* HAVE_DSA */
+ additional_config);
+
+ torture_write_file(s->srv_config, sshd_config);
+}
+
static void torture_setup_create_sshd_config(void **state, bool pam)
{
struct torture_state *s = *state;
@@ -856,21 +967,140 @@
return 1;
}
-void torture_setup_sshd_server(void **state, bool pam)
+/**
+ * @brief Run a libssh based server under timeout.
+ *
+ * It is expected that the socket directory and libssh configuration file were
+ * already created before by calling torture_setup_socket_dir() and
+ * torture_setup_create_libssh_config() (or alternatively setup the state with
+ * the correct values).
+ *
+ * @param[in] state The content of the address pointed by this variable must be
+ * a pointer to an initialized instance of torture_state
+ * structure; it can be obtained by calling
+ * torture_setup_socket_dir() and
+ * torture_setup_create_libssh_config().
+ * @param[in] server_path The path to the server executable.
+ *
+ * @note This function will use the state->srv_additional_config field as
+ * additional command line option used when starting the server instead of extra
+ * configuration file options.
+ * */
+void torture_setup_libssh_server(void **state, const char *server_path)
{
struct torture_state *s;
- char sshd_start_cmd[1024];
+ char start_cmd[1024];
+ char timeout_cmd[512];
+ char env[1024];
+ char extra_options[1024];
int rc;
+ char *ld_preload = NULL;
+ const char *force_fips = NULL;
- torture_setup_socket_dir(state);
- torture_setup_create_sshd_config(state, pam);
+ struct ssh_tokens_st *env_tokens;
+ struct ssh_tokens_st *arg_tokens;
+
+ pid_t pid;
+ ssize_t printed;
+
+ s = *state;
+
+ /* Get all the wrapper libraries to be pre-loaded */
+ ld_preload = getenv("LD_PRELOAD");
+
+ if (s->srv_additional_config != NULL) {
+ printed = snprintf(extra_options, sizeof(extra_options), " %s ",
+ s->srv_additional_config);
+ if (printed < 0) {
+ fail_msg("Failed to print additional config!");
+ }
+ } else {
+ printed = snprintf(extra_options, sizeof(extra_options), " ");
+ if (printed < 0) {
+ fail_msg("Failed to print empty additional config!");
+ }
+ }
+
+ if (ssh_fips_mode()) {
+ force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
+ } else {
+ force_fips = "";
+ }
+
+ /* Write the environment setting */
+ printed = snprintf(env, sizeof(env),
+ "SOCKET_WRAPPER_DIR=%s "
+ "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
+ "LD_PRELOAD=%s "
+ "%s",
+ s->socket_dir, ld_preload, force_fips);
+ if (printed < 0) {
+ fail_msg("Failed to print env!");
+ }
+
+#ifdef WITH_TIMEOUT
+ snprintf(timeout_cmd, sizeof(timeout_cmd),
+ "%s %s ", TIMEOUT_EXECUTABLE, "5m");
+#else
+ timeout_cmd[0] = '\0';
+#endif
+
+ /* Write the start command */
+ printed = snprintf(start_cmd, sizeof(start_cmd),
+ "%s"
+ "%s -f%s -v4 -p22 -i%s -C%s%s%s",
+ timeout_cmd,
+ server_path, s->pcap_file, s->srv_pidfile,
+ s->srv_config, extra_options, TORTURE_SSH_SERVER);
+ if (printed < 0) {
+ fail_msg("Failed to print start command!");
+ }
+
+ pid = fork();
+ switch(pid) {
+ case 0:
+ env_tokens = ssh_tokenize(env, ' ');
+ if (env_tokens == NULL || env_tokens->tokens == NULL) {
+ fail_msg("Failed to tokenize env!");
+ }
+
+ arg_tokens = ssh_tokenize(start_cmd, ' ');
+ if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
+ ssh_tokens_free(env_tokens);
+ fail_msg("Failed to tokenize args!");
+ }
+
+ rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
+ (char **)env_tokens->tokens);
+
+ /* execve returns only in case of error */
+ ssh_tokens_free(env_tokens);
+ ssh_tokens_free(arg_tokens);
+ fail_msg("Error in execve: %s", strerror(errno));
+ case -1:
+ fail_msg("Failed to fork!");
+ default:
+ /* The parent continues the execution of the tests */
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
+ unsetenv("PAM_WRAPPER");
+
+ /* Wait until the server is ready to accept connections */
+ rc = torture_wait_for_daemon(15);
+ assert_int_equal(rc, 0);
+ break;
+ }
+}
+
+static int torture_start_sshd_server(void **state)
+{
+ struct torture_state *s = *state;
+ char sshd_start_cmd[1024];
+ int rc;
/* Set the default interface for the server */
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
setenv("PAM_WRAPPER", "1", 1);
- s = *state;
-
snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
s->srv_config, s->socket_dir, s->socket_dir);
@@ -882,7 +1112,20 @@
unsetenv("PAM_WRAPPER");
/* Wait until the sshd is ready to accept connections */
- rc = torture_wait_for_daemon(5);
+ rc = torture_wait_for_daemon(15);
+ assert_int_equal(rc, 0);
+
+ return SSH_OK;
+}
+
+void torture_setup_sshd_server(void **state, bool pam)
+{
+ int rc;
+
+ torture_setup_socket_dir(state);
+ torture_setup_create_sshd_config(state, pam);
+
+ rc = torture_start_sshd_server(state);
assert_int_equal(rc, 0);
}
@@ -922,29 +1165,12 @@
torture_reload_sshd_server(void **state)
{
struct torture_state *s = *state;
- pid_t pid;
int rc;
- /* read the pidfile */
- pid = torture_read_pidfile(s->srv_pidfile);
- assert_int_not_equal(pid, -1);
-
- kill(pid, SIGHUP);
-
- /* 10 ms */
- usleep(10 * 1000);
-
- rc = kill(pid, 0);
- if (rc != 0) {
- fprintf(stderr,
- "ERROR: SSHD process %u died during reload!\n", pid);
- return SSH_ERROR;
- }
+ rc = torture_terminate_process(s->srv_pidfile);
+ assert_return_code(rc, errno);
- /* Wait until the sshd is ready to accept connections */
- rc = torture_wait_for_daemon(5);
- assert_int_equal(rc, 0);
- return SSH_OK;
+ return torture_start_sshd_server(state);
}
/* @brief: Updates SSHD server configuration with more options and
@@ -980,9 +1206,7 @@
int rc;
rc = torture_terminate_process(s->srv_pidfile);
- if (rc != 0) {
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
- }
+ assert_return_code(rc, errno);
torture_teardown_socket_dir(state);
}
diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
--- ../libssh-0.9.6/tests/torture.h 2021-08-26 14:27:44.000000000 +0200
+++ ./tests/torture.h 2023-05-02 10:32:03.964511860 +0200
@@ -132,6 +132,10 @@
void torture_reset_config(ssh_session session);
+void torture_setup_create_libssh_config(void **state);
+
+void torture_setup_libssh_server(void **state, const char *server_path);
+
/*
* This function must be defined in every unit test file.
*/

16
SOURCES/libssh-0.9.6.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
+W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
=cO0k
-----END PGP SIGNATURE-----

0
libssh_client.config → SOURCES/libssh_client.config
View File

0
libssh_server.config → SOURCES/libssh_server.config
View File

3424
SOURCES/loglevel.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1845
SOURCES/null_dereference_rekey.patch Normal file
View File

File diff suppressed because it is too large Load Diff

19
SOURCES/s390x_fix.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/src/packet.c b/src/packet.c
index ec4a7203..a81eb8e3 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -1752,10 +1752,12 @@ static bool
ssh_packet_in_rekey(ssh_session session)
{
/* We know we are rekeying if we are authenticated and the DH
- * status is not finished
+ * status is not finished, but we only queue packets until we've
+ * sent our NEWKEYS.
*/
return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
- (session->dh_handshake_state != DH_STATE_FINISHED);
+ (session->dh_handshake_state != DH_STATE_FINISHED) &&
+ (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
}
int ssh_packet_send(ssh_session session)

360
libssh.spec → SPECS/libssh.spec
View File

@ -1,51 +1,51 @@
Name: libssh
Version: 0.11.1
Release: 2%{?dist}
Version: 0.9.6
Release: 14%{?dist}
Summary: A library implementing the SSH protocol
License: LGPL-2.1-or-later
License: LGPLv2+
URL: http://www.libssh.org
Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
Source0: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
Source3: libssh_client.config
Source4: libssh_server.config
# Don't use global openssl.cnf for PKCS#11 URI Tests
# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/543
Patch1: libssh-0.11.1-fix-provider-loading.patch
Patch0: loglevel.patch
Patch1: s390x_fix.patch
Patch2: null_dereference_rekey.patch
Patch3: auth_bypass.patch
Patch4: fix_tests.patch
Patch5: covscan23.patch
Patch6: CVE-2023-48795.patch
Patch7: CVE-2023-6004.patch
Patch8: CVE-2023-6918.patch
BuildRequires: cmake
BuildRequires: doxygen
BuildRequires: gcc-c++
BuildRequires: gnupg2
BuildRequires: openssl-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
BuildRequires: krb5-devel
BuildRequires: krb5-server
BuildRequires: krb5-workstation
BuildRequires: libcmocka-devel
BuildRequires: openssh-clients
BuildRequires: openssh-server
BuildRequires: pam_wrapper
BuildRequires: socket_wrapper
BuildRequires: nss_wrapper
BuildRequires: uid_wrapper
BuildRequires: priv_wrapper
BuildRequires: openssh-clients
BuildRequires: openssh-server
BuildRequires: nmap-ncat
BuildRequires: pkcs11-provider
BuildRequires: p11-kit-devel
BuildRequires: p11-kit-server
BuildRequires: opensc
BuildRequires: softhsm
BuildRequires: gnutls-utils
Requires: crypto-policies
Requires: %{name}-config = %{version}-%{release}
Recommends: crypto-policies
%ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
%ifarch aarch64 ppc64 ppc64le s390x x86_64
Provides: libssh_threads.so()(64bit)
Provides: libssh_threads.so.4()(64bit)
%else
Provides: libssh_threads.so
Provides: libssh_threads.so.4
%endif
@ -60,7 +60,6 @@ third-party programs others than libcrypto (from openssl).
%package devel
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cmake-filesystem
%description devel
The %{name}-devel package contains libraries and header files for developing
@ -69,30 +68,36 @@ applications that use %{name}.
%package config
Summary: Configuration files for %{name}
BuildArch: noarch
Obsoletes: %{name} < 0.9.0-3
Obsoletes: %{name} < 0.9.0-1
%description config
The %{name}-config package provides the default configuration files for %{name}.
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
%build
%cmake \
if test ! -e "obj"; then
mkdir obj
fi
pushd obj
%cmake .. \
-DUNIT_TESTING=ON \
-DCLIENT_TESTING=ON \
-DSERVER_TESTING=ON \
-DGSSAPI_TESTING=ON \
-DWITH_PKCS11_URI=ON \
-DWITH_PKCS11_PROVIDER=ON \
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
%cmake_build
%make_build VERBOSE=1
make docs
popd
%install
%cmake_install
make DESTDIR=%{buildroot} install/fast -C obj
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
@ -104,7 +109,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
# requiring it to continue working.
#
pushd %{buildroot}%{_libdir}
for i in libssh.so*;
for i in libssh.so.4*;
do
_target="${i}"
_link_name="${i%libssh*}libssh_threads${i##*libssh}"
@ -118,22 +123,24 @@ popd
%ldconfig_scriptlets
%check
# Tests are randomly failing when run in parallel
%global _smp_build_ncpus 1
%ctest
pushd obj
ctest --output-on-failure
popd
%files
%doc AUTHORS BSD CHANGELOG README
%doc AUTHORS BSD ChangeLog README
%license COPYING
%{_libdir}/libssh.so.4*
%{_libdir}/libssh_threads.so.4*
%files devel
%doc obj/doc/html
%{_includedir}/libssh/
# own this to avoid dep on cmake -- rex
%dir %{_libdir}/cmake/
%{_libdir}/cmake/libssh/
%{_libdir}/pkgconfig/libssh.pc
%{_libdir}/libssh.so
%{_libdir}/libssh_threads.so
%files config
%attr(0755,root,root) %dir %{_sysconfdir}/libssh
@ -141,218 +148,168 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.11.1-2
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
- Fix CVE-2023-6918 Missing checks for return values for digests
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
of malicious code through hostname
- Note: version is bumped from 12 to 14 directly, as the z-stream
version in 8.9 also has 13. So bumping it to 14, will prevent
upgrade conflicts.
- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
* Wed Oct 23 2024 Sahana Prasad <sahana@redhat.com> - 0.11.1-1
- Rebase to new upstream version 0.11.1
- Resolves: RHEL-64319
* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
- Fix loglevel regression
- Related: rhbz#2182251, rhbz#2189742
* Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
- Remove the dependency on engine.h
* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
- .fmf/version is needed to run the tests
- Related: rhbz#2182251, rhbz#2189742
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.10.6-7
- Bump release for June 2024 mass rebuild
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
- Add missing ci.fmf file
- Related: rhbz#2182251, rhbz#2189742
* Fri Jun 07 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-6
- Add riscv64
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
- Fix covscan errors found at gating
- Related: rhbz#2182251, rhbz#2189742
* Wed May 22 2024 Sahana Prasad <sahana@redhat.com> - 0.10.6-5
- Build libssh with pkcs11-provider instead of pkcs11 engine
- Resolves: RHEL-30437
* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
- Backport test fixing commits to make the build pass
- Related: rhbz#2182251, rhbz#2189742
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
- Fix NULL dereference during rekeying with algorithm guessing
GHSL-2023-032 / CVE-2023-1667
- Fix possible authentication bypass
GHSL 2023-085 / CVE-2023-2283
- Resolves: rhbz#2182251, rhbz#2189742
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
- Enable client and server testing build time
- Fix failing rekey test on arch s390x
- Resolves: rhbz#2126342
* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
- Fix regression in IPv6 hosntames parsing
* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
- Fix CI configuration for new TMT
- Resolves: rhbz#2149910
* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
- Make VERBOSE and lower log levels less verbose
- Resolves: rhbz#2091512
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
- Remove STI tests
* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
- Have libssh-devel require cmake-filesystem
* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
- Remove bad patch causing errors
- Adding BuildRequires for openssh (SSHD support)
* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
- Update License to SPDX expression
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
rekeying with different key exchange mechanism
- Rebase to version 0.9.6
- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
- Resolves: rhbz#1896651, rhbz#1994600
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
- Revert previous commit as it is incorrect.
* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
- Enable pkcs11 support
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
rekeying with different key exchange mechanism (#1978810)
* Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
- Update to version 0.10.4
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.4
* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
ssh_buffer_new returns NULL (#1862646)
* Fri Sep 02 2022 Andreas Schneider <asn@redhat.com> - 0.10.3-1
- Update to version 0.10.3
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.3
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.2
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.1
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.0
- Removed libssh-0.9.6-openssh-8.8p1-compat.patch
- resolves: rhbz#2121741
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jan 28 2022 Jakub Jelen <jjelen@redhat.com> - 0.9.6-4
- Fix build-time tests to work with OpenSSH 8.8p1
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Jan 10 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.9.6-2
- Skip broken torture_auth tests
* Wed Sep 15 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
- Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
overflow when rekeying
- Resolves: rhbz#1994600
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
- Update to version 0.9.5
https://www.libssh.org/2020/09/10/libssh-0-9-5/
- Removed patch to re-enable algorithms using sha1 in sshd for testing
- The algorithms supported by sshd are now automatically detected for testing
- Resolves: #1862457 - CVE-2020-16135
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
- Do not return error when server properly closed the channel (#1849069)
* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
- Do not return error when server properly closed the channel (#1849071)
- Add a test for CVE-2019-14889
- Do not parse configuration file in torture_knownhosts test
* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
- Added patch to fix returned version
* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
- Update to version 0.9.4
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
- Fixed CVE-2019-14889 (#1781782)
- Fixed CVE-2020-1730 (#1802422)
- Create missing directories in the path provided for known_hosts files (#1733914)
- Removed inclusion of OpenSSH server configuration file from
libssh_server.config
- Added patch to re-enable algorithms using sha1 in sshd for testing
- resolves: #1822529 - CVE-2020-1730
libssh_server.config (#1821339)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
- Update to version 0.9.3
- resolves: #1781780 - Fixes CVE-2019-14889
* Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
- Upate to version 0.9.2
- resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
- Add Obsoletes in libssh-config to avoid conflict with old libssh which
installed the configuration files.
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
- Eliminate circular dependency with libssh-config subpackage
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
- Provide the configuration files in a separate libssh-config subpackage
* Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
- Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
- Fixed Release number to released format
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
- Update to version 0.9.0
https://www.libssh.org/2019/06/28/libssh-0-9-0/
- Added explicit Requires for crypto-policies
- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
- Provide the configuration files in a separate libssh-config subpackage
* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
- Update to 0.9.0 pre release version (0.8.91)
- Added default configuration files for client and server
- Follow system-wide crypto configuration (crypto-policies)
- Added Recommends for crypto-policies
- Use OpenSSL implementation for KDF, DH, and signatures.
- Detect FIPS mode and use only allowed algorithms
- Run client and server tests during build
- Removed unused patch files left behind
- Fixed issues found to run upstream test suite with SELinux
* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
- Update to version 0.8.7
https://www.libssh.org/2019/02/25/libssh-0-8-7/
* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
- Fix more regressions introduced by the fixes for CVE-2018-10933
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
- Fix rsa-sha2 extension handling (#1666342)
* Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
- Update to version 0.8.6
https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
* Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
- Update to version 0.8.5
https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
* Fixed an issue where global known_hosts file was ignored (#1649321)
* Fixed ssh_get_fd() to return writable file descriptor (#1649319)
* Fixed regression introduced in known_hosts parsing (#1649315)
* Fixed a regression which caused only the first algorithm in known_hosts to
be considered (#1638790)
* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
- Update to version 0.8.4
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
- Fixes CVE-2018-10933
* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
- Fix regressions introduced by the fixes for CVE-2018-10933
* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
- Fixed errors found by static code analysis
* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
- Fix for authentication bypass issue in server implementation (#1639926)
* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
- Add missing libssh_threads.so link to libssh-devel package
* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
- Fixed errors found by static code analysis (#1602594)
* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
- Update to version 0.8.3
https://www.libssh.org/2018/09/21/libssh-0-8-3/
* Added support for rsa-sha2 (#1610882)
* Added support to parse private keys in openssh container format (other than
ed25519) (#1622983)
* Added support for diffie-hellman-group18-sha512 and
diffie-hellman-group16-sha512 (#1610885)
* Added ssh_get_fingerprint_hash()
* Added ssh_pki_export_privkey_base64()
* Added support for Match keyword in config file
* Improved performance and reduced memory footprint for sftp
* Fixed ecdsa publickey auth
* Fixed reading a closed channel
* Added support to announce posix-rename@openssh.com and hardlink@openssh.com
in the sftp server
* Use -fstack-protector-strong if possible (#1624135)
* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
- Update to version 0.8.2
https://www.libssh.org/2018/08/30/libssh-0-8-2
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
- Fix the creation of symbolic links for libssh_threads.so.4
* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
- Fix link creation or RPM doesn't install it
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
- Add missing Provides for libssh_threads.so.4
* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
- Add missing so version for libssh_threads.so.4
* Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
- Add Provides for libssh_threads.so to unbreak applications
- Fix ABIMap detection to not depend on python to build
* Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
- Update to version 0.8.1
https://www.libssh.org/2018/08/13/libssh-0-8-1
- resolves: #1615248 - pkg-config --modversion
- resolves: #1615132 - library initialization
https://www.libssh.org/2018/08/13/libssh-0-8-1/
* Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
- Update to version 0.8.0
@ -366,6 +323,7 @@ popd
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
- Related: bug#1614611
* Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
- resolves: #1540021 - Build against OpenSSL 1.1

1
ci.fmf
View File

@ -1 +0,0 @@
resultsdb-testcase: separate

23
gating.yaml
View File

@ -1,23 +0,0 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}

54
libssh-0.11.1-fix-provider-loading.patch
View File

@ -1,54 +0,0 @@
diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
--- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
@@ -240,6 +240,14 @@ int torture_run_tests(void) {
session_teardown),
};
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
@@ -563,6 +563,14 @@ int torture_run_tests(void) {
ssh_session session = ssh_new();
int verbosity = SSH_LOG_FUNCTIONS;
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_init();
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
@@ -285,6 +285,14 @@ torture_run_tests(void)
ssh_session session = ssh_new();
int verbosity = SSH_LOG_FUNCTIONS;
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
ssh_init();

52
libssh.keyring
View File

@ -1,52 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGZxQOQBEAC1EO1SSoQmzAyAyfQRRHcI4Je5E4mdTchhblLXmuxThquYZ6Xp
MT3alO6UxDO6aulzd0/RpLviELRwXqEKuUVC9oNbsolWT3sCh0J6ju2LNtmixPIf
5hd6UQRE32k7AXgwju7bn4TebVkl2fXsdtqSY+57Rs+8G7HiCRDoiYw1S4OwKsuI
RU7F4VNTV3drfcqpY1JZhMM/oestGqhWfln59kRgvqPDdOlX6Jv1502lElRddHBl
1f/SnE/mZQJ8Y+zfFuCxkhKZHYLzO3scudUIOHfVt2tLEYYsYK23NFAnF4ECYv+H
F1PoITbd8WeXoFeMjSr1h19ElzW76eBPvOYzqlzEKQ8b8uQUTqmyZl7HhQOtsIXG
YBYi3V30I+JBuEGkkhtkbXVET8sE1FCX2xSDOsqshqSiLchlVJxiQlThqZ4prtBC
byaTmdxFKRsQmSvLv5V9Puel80mzvM/L85s+gop9btygJ+Vpo1Dtdkbvp/jz+k1f
arZaqAFPE9/rJlMEW8HE12QBYpxiQAl6k0KUu/1MUcTbaZ7wbzQVGHXTmrP9mGff
9DTPeK01UPJpR9lT/kFwo/ip7nkI0zHcoAgwCGLNHCnbWjjz6ZAzYS9Dj8RG1T13
g/TjpQtmNWxdPIQ3yZDv30BKFv1aoWLejz4rj19dtPnVClUyMlRPonDDfwARAQAB
tDRsaWJzc2ggcmVsZWFzZSBrZXkgKHJlbGVhc2Uga2V5KSA8bGlic3NoQGxpYnNz
aC5vcmc+iQJXBBMBCABBFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmZxQOQCGwMF
CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQA9XfjP3T6OfPBA//
cQA2fdsNyIgAyhppHAtdmKtRaN5dWj9InKZTWRmWNMAU3lTrMCGVurz2tcg2X6Xz
rVvZuXbLnb6GIRU0ly+nYiBZF4qDL088NtqN7AEEUaabOmlSZr5wXyJObMvlzDg9
GkjKAKH2CBztROtG3P91uHQ12SDqqIGw5/LlWGUSBzDnChdaB7ntODmjJ8wHqyOy
tD6GIfy7KkvnD6nyCXvqlZgo0/nr91otkDFbJrF/IobZD1hiBcps7b3oC3ms0e9T
usk4wl+oUi2LdTIOVvAag17gdkbH7MXMMOwhbNrV5MEyKpleTfm+R+jo48hRwdrn
LMrDR0+f26bIsWILvGE9GIqvoJD3rKDgjTFwmMcM4OLssCgTTy0h93gDbyBrOmA9
gJDApWWLq26SkDGIrsp4JcYlcR3m4S2Bjg98PTbz96fATK+AZ/R1Kntbt1J7DcnT
th3q4jXFIPUzvZA0r7Ul+UM/OfVr/Ryc023oID5po1zeO3HyVKVxXYY/DgpzWTcq
iwGjWM18XRDhUVV7eOJZ4XRcyDhf4eEF8etwFFraXjVVimCCEqgukEQh9azr+kqi
IWYoAH0fwVP85u38WqlLS+9in5mKq+lBFI201RpkzsdPDtJMtXTYgw1s6IrQntzF
w1PIJ/49b7nZhqvp0sMQGlAKfYTQvQsiAuEfzNiFcTS5Ag0EZnFA5AEQAJNgU4Wg
S+DUP9/wutGn9ADAEIZvD+dxpliKFmtfUeLiNAtaEfxmL7YCazlZbJ7tdhplwfJP
Es9k7G0K+8k1t+gni9sc7/W/0bB12cbCOxDlfcWATP5RZUfCc7eQVsWm1Sq41W2C
WGLqp9oC9jd2KGlReE4tj1PUmYtdHDOLBKr3PJrHHTGaF+4Qem5PVx+4ZmaH0qGT
8CmKYdhE0P8EYNImkmYsCo2nf3tbnjxBNAvwb1ljwJ1djFO72huvHslo6oTuQ+W6
Bam4m37b+AA/NiXk3RkrL8dwHB/D4G4fk0yflVQFx+0uwYj+Ik5HAri7WISOYfBN
Yvb6VPm9cdw/ajF0sV4d1bChroLkw0Y9VW5jEkhwGeLexY+bLP+uLOn9CvSd5iZX
kmamBA5c/jDWAibqgADux3OKNOa7JND38axuc67o5BynfW1iw3osU5fa/jdOxogJ
xgRq+muWh8rpVGuJHLDcG2TWxC66zEA7Dp8UE/nToIZeP7m6Ihzpo37a33m0BfKH
qG2cM4EYjIoFDFlbBbk7RogOXTshVc69JhKUaNNh8zSlCOTjwQedqPb7eW+zkPOc
ZdII3a+oLe4j49+QBiRXoJT3QWhqbxQYF5gnv86o/ZhAUrzEW8KAk8vJAHiKJhe1
sGHgu0yuiq5Ox4HHBrVBiEgZPxEYo4+xGLz7ABEBAAGJAjwEGAEIACYWIQSIoijY
mwfCx30MeAkD1d+M/dPo5wUCZnFA5AIbDAUJEswDAAAKCRAD1d+M/dPo523QD/wM
+Tf6y684Vn1HKMMyDLLCv1fFoSdialbf0gieXIlLm9yH0VaAcnMYFN7flYSekISq
23uH6ZIcABSfvg4dCCKUUggR3CnUql0SjF9BtFisGiCsDGlH3fNH0d1Ts0FOUdkL
TH/U676r08DQu1t0iSdOuDxM9FAo926gJSvyorLx7X94KhUeHhXfmzZ88ydz0ked
KFTKoo/LVhxRIoAGUdl98uJ+oycoELAeg7u0djVk+Hkw6ZLnMsjJBYHV3SyOXBpy
beQ9O3yK0oNqHW1oIAnHtX/Msqzj+x2+BMpjirsaHWsewnXgDUG/2h1MN67XW1zu
boztT8zswALbPfkOxS4Y+evaSnq4W6xF4dGuh2sM6g82pyAHdpBPrp4WEKnAcvi4
5EFNZYpKbQVXnDyK4899CCPcsxj56DlVtJRv167WNRBlU6k6MUVZH0F1JLQpxwx5
TlohKUa2KBnBZofmCD0xRzV7GbT08KRObSrMqIQU4ILqs2TlhDJhYMurKh7sWKFO
CX8wWu1TupOt7Zkf/OPapW2konKTu4h36yoPR6D4JZQhd6zZ+4+BsxgzdKCORPM5
DfSh15+evGapxAdUZrt/N4q2o2TdMcaSu4cZQnqu2soBWiNEa1DeBurCwrHJu/tt
dEyK6ESk4OGJ2ycirv4skD17gMHNRODFjhAgKgEybg==
=m20i
-----END PGP PUBLIC KEY BLOCK-----

26
plans/ci.fmf
View File

@ -1,26 +0,0 @@
/fips-disabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libssh
name: /plans/ci/fips-disabled-buildroot-disabled
/fips-disabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libssh
name: /plans/ci/fips-disabled-buildroot-enabled
/fips-enabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libssh
name: /plans/ci/fips-enabled-buildroot-disabled
/fips-enabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/libssh
name: /plans/ci/fips-enabled-buildroot-enabled

2
sources
View File

@ -1,2 +0,0 @@
SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
SHA512 (libssh-0.11.1.tar.xz.asc) = 7d1a2f02a9abba5373b1a29a9097fef65e46ff3a22e36bcb3549066d69fbd8e2702ff3b6182bae931282d10256da2ca8a364935b068d6d5bc767d877572ee3e2