Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
|||||||
|
1
|
76
.gitignore
vendored
76
.gitignore
vendored
@ -1,2 +1,74 @@
|
|||||||
SOURCES/libssh-0.9.6.tar.xz
|
libssh-0.4.4.tar.gz
|
||||||
SOURCES/libssh.keyring
|
libssh-0.4.4.tar.gz.asc
|
||||||
|
/libssh-0.4.6.tar.gz
|
||||||
|
/libssh-0.4.6.tar.gz.asc
|
||||||
|
/libssh-0.4.8.tar.gz
|
||||||
|
/libssh-0.4.8.tar.gz.asc
|
||||||
|
/libssh-0.5.0.tar.gz
|
||||||
|
/libssh-0.5.0.tar.gz.asc
|
||||||
|
/libssh-0.5.2.tar.gz
|
||||||
|
/libssh-0.5.2.tar.gz.asc
|
||||||
|
/libssh-0.5.3.tar.gz
|
||||||
|
/libssh-0.5.3.tar.asc
|
||||||
|
/libssh-0.5.4.tar.gz
|
||||||
|
/libssh-0.5.4.tar.asc
|
||||||
|
/libssh-0.5.5.tar.gz
|
||||||
|
/libssh-0.5.5.tar.asc
|
||||||
|
/libssh-0.6.0.tar.xz
|
||||||
|
/libssh-0.6.1.tar.xz
|
||||||
|
/libssh-0.6.3.tar.xz
|
||||||
|
/libssh-0.6.4.tar.gz
|
||||||
|
/libssh-0.6.5.tar.xz
|
||||||
|
/libssh-0.7.0.tar.xz
|
||||||
|
/libssh-0.7.1.tar.xz
|
||||||
|
/libssh-0.7.2.tar.xz
|
||||||
|
/libssh-0.7.3.tar.xz
|
||||||
|
/libssh-0.7.4.tar.xz
|
||||||
|
/libssh-0.7.5.tar.xz
|
||||||
|
/libssh-0.8.0.tar.xz
|
||||||
|
/libssh-0.8.0.tar.xz.asc
|
||||||
|
/libssh-0.8.1.tar.xz
|
||||||
|
/libssh-0.8.1.tar.xz.asc
|
||||||
|
/libssh-0.8.2.tar.xz
|
||||||
|
/libssh-0.8.2.tar.xz.asc
|
||||||
|
/libssh-0.8.3.tar.xz
|
||||||
|
/libssh-0.8.3.tar.xz.asc
|
||||||
|
/libssh-0.8.4.tar.xz
|
||||||
|
/libssh-0.8.4.tar.xz.asc
|
||||||
|
/libssh-0.8.5.tar.xz
|
||||||
|
/libssh-0.8.5.tar.xz.asc
|
||||||
|
/libssh-0.8.6.tar.xz
|
||||||
|
/libssh-0.8.6.tar.xz.asc
|
||||||
|
/libssh-0.8.7.tar.xz
|
||||||
|
/libssh-0.8.7.tar.xz.asc
|
||||||
|
/libssh-0.8.91.tar.xz
|
||||||
|
/libssh_client.config
|
||||||
|
/libssh_server.config
|
||||||
|
/libssh-0.9.0.tar.xz
|
||||||
|
/libssh-0.9.0.tar.xz.asc
|
||||||
|
/libssh-0.9.2.tar.xz
|
||||||
|
/libssh-0.9.2.tar.xz.asc
|
||||||
|
/libssh-0.9.3.tar.xz
|
||||||
|
/libssh-0.9.3.tar.xz.asc
|
||||||
|
/libssh-0.9.4.tar.xz
|
||||||
|
/libssh-0.9.4.tar.xz.asc
|
||||||
|
/libssh-0.9.5.tar.xz
|
||||||
|
/libssh-0.9.5.tar.xz.asc
|
||||||
|
/libssh-0.9.6.tar.xz
|
||||||
|
/libssh-0.9.6.tar.xz.asc
|
||||||
|
/libssh-0.10.0.tar.xz
|
||||||
|
/libssh-0.10.0.tar.xz.asc
|
||||||
|
/libssh-0.10.1.tar.xz
|
||||||
|
/libssh-0.10.1.tar.xz.asc
|
||||||
|
/libssh-0.10.2.tar.xz
|
||||||
|
/libssh-0.10.2.tar.xz.asc
|
||||||
|
/libssh-0.10.3.tar.xz
|
||||||
|
/libssh-0.10.3.tar.xz.asc
|
||||||
|
/libssh-0.10.4.tar.xz
|
||||||
|
/libssh-0.10.4.tar.xz.asc
|
||||||
|
/libssh-0.10.5.tar.xz
|
||||||
|
/libssh-0.10.5.tar.xz.asc
|
||||||
|
/libssh-0.10.6.tar.xz
|
||||||
|
/libssh-0.10.6.tar.xz.asc
|
||||||
|
/libssh-0.11.1.tar.xz
|
||||||
|
/libssh-0.11.1.tar.xz.asc
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
|
|
||||||
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
|
|
@ -1,723 +0,0 @@
|
|||||||
From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
|
||||||
Date: Tue, 12 Dec 2023 23:09:57 +0100
|
|
||||||
Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
|
|
||||||
|
|
||||||
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
|
|
||||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
include/libssh/packet.h | 1 +
|
|
||||||
include/libssh/session.h | 6 +++++
|
|
||||||
src/curve25519.c | 19 +++----------
|
|
||||||
src/dh-gex.c | 7 +----
|
|
||||||
src/dh.c | 17 +++---------
|
|
||||||
src/ecdh.c | 8 +-----
|
|
||||||
src/ecdh_crypto.c | 12 +++------
|
|
||||||
src/ecdh_gcrypt.c | 10 +++----
|
|
||||||
src/ecdh_mbedcrypto.c | 11 +++-----
|
|
||||||
src/kex.c | 34 +++++++++++++++++++----
|
|
||||||
src/packet.c | 58 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/packet_cb.c | 12 +++++++++
|
|
||||||
12 files changed, 126 insertions(+), 69 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
|
|
||||||
index 561bba8e..c6fbc3fc 100644
|
|
||||||
--- a/include/libssh/packet.h
|
|
||||||
+++ b/include/libssh/packet.h
|
|
||||||
@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+int ssh_packet_send_newkeys(ssh_session session);
|
|
||||||
int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
|
|
||||||
int ssh_packet_parse_type(ssh_session session);
|
|
||||||
//int packet_flush(ssh_session session, int enforce_blocking);
|
|
||||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
|
||||||
index 64e118ef..3cde0dd4 100644
|
|
||||||
--- a/include/libssh/session.h
|
|
||||||
+++ b/include/libssh/session.h
|
|
||||||
@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
|
|
||||||
* sending it twice during key exchange to simplify the state machine. */
|
|
||||||
#define SSH_SESSION_FLAG_KEXINIT_SENT 4
|
|
||||||
|
|
||||||
+/* The current SSH2 session implements the "strict KEX" feature and should behave
|
|
||||||
+ * differently on SSH2_MSG_NEWKEYS. */
|
|
||||||
+#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
|
|
||||||
+/* Unexpected packets have been sent while the session was still unencrypted */
|
|
||||||
+#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
|
|
||||||
+
|
|
||||||
/* codes to use with ssh_handle_packets*() */
|
|
||||||
/* Infinite timeout */
|
|
||||||
#define SSH_TIMEOUT_INFINITE -1
|
|
||||||
diff --git a/src/curve25519.c b/src/curve25519.c
|
|
||||||
index 37654438..6b7b4238 100644
|
|
||||||
--- a/src/curve25519.c
|
|
||||||
+++ b/src/curve25519.c
|
|
||||||
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
|
||||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- rc=ssh_packet_send(session);
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Send the MSG_NEWKEYS */
|
|
||||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
|
||||||
- if (rc < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
- rc = ssh_packet_send(session);
|
|
||||||
+
|
|
||||||
+ /* Send the MSG_NEWKEYS */
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
error:
|
|
||||||
diff --git a/src/dh-gex.c b/src/dh-gex.c
|
|
||||||
index 4a298542..f1880270 100644
|
|
||||||
--- a/src/dh-gex.c
|
|
||||||
+++ b/src/dh-gex.c
|
|
||||||
@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
|
||||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- rc = ssh_packet_send(session);
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
diff --git a/src/dh.c b/src/dh.c
|
|
||||||
index c265efcb..1d519c63 100644
|
|
||||||
--- a/src/dh.c
|
|
||||||
+++ b/src/dh.c
|
|
||||||
@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
|
||||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- rc=ssh_packet_send(session);
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
error:
|
|
||||||
@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
|
|
||||||
}
|
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
|
|
||||||
|
|
||||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
|
||||||
- ssh_buffer_reinit(session->out_buffer);
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
|
|
||||||
- if (ssh_packet_send(session) == SSH_ERROR) {
|
|
||||||
+ /* Send the MSG_NEWKEYS */
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
+ if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
|
|
||||||
|
|
||||||
return SSH_OK;
|
|
||||||
error:
|
|
||||||
diff --git a/src/ecdh.c b/src/ecdh.c
|
|
||||||
index e5b11ba9..af80beec 100644
|
|
||||||
--- a/src/ecdh.c
|
|
||||||
+++ b/src/ecdh.c
|
|
||||||
@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
|
||||||
- if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- rc=ssh_packet_send(session);
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
|
|
||||||
index a1de27fd..62578c1b 100644
|
|
||||||
--- a/src/ecdh_crypto.c
|
|
||||||
+++ b/src/ecdh_crypto.c
|
|
||||||
@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Send the MSG_NEWKEYS */
|
|
||||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
|
||||||
- if (rc < 0) {
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
- rc = ssh_packet_send(session);
|
|
||||||
- if (rc == SSH_ERROR){
|
|
||||||
+ /* Send the MSG_NEWKEYS */
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
+ if (rc == SSH_ERROR) {
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
|
|
||||||
return SSH_PACKET_USED;
|
|
||||||
error:
|
|
||||||
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
|
|
||||||
index d9c41bf9..dd4332d7 100644
|
|
||||||
--- a/src/ecdh_gcrypt.c
|
|
||||||
+++ b/src/ecdh_gcrypt.c
|
|
||||||
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
/* Send the MSG_NEWKEYS */
|
|
||||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
|
||||||
- if (rc != SSH_OK) {
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
+ if (rc == SSH_ERROR) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
- rc = ssh_packet_send(session);
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
-
|
|
||||||
out:
|
|
||||||
gcry_sexp_release(param);
|
|
||||||
gcry_sexp_release(key);
|
|
||||||
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
|
|
||||||
index 718f1522..45251a42 100644
|
|
||||||
--- a/src/ecdh_mbedcrypto.c
|
|
||||||
+++ b/src/ecdh_mbedcrypto.c
|
|
||||||
@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
|
||||||
- if (rc < 0) {
|
|
||||||
- rc = SSH_ERROR;
|
|
||||||
+ session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
+ /* Send the MSG_NEWKEYS */
|
|
||||||
+ rc = ssh_packet_send_newkeys(session);
|
|
||||||
+ if (rc == SSH_ERROR) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
|
||||||
- rc = ssh_packet_send(session);
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
-
|
|
||||||
out:
|
|
||||||
mbedtls_ecp_group_free(&grp);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
|
||||||
index 3e5ca6ad..0772cae8 100644
|
|
||||||
--- a/src/kex.c
|
|
||||||
+++ b/src/kex.c
|
|
||||||
@@ -163,6 +163,9 @@
|
|
||||||
|
|
||||||
/* RFC 8308 */
|
|
||||||
#define KEX_EXTENSION_CLIENT "ext-info-c"
|
|
||||||
+/* Strict kex mitigation against CVE-2023-48795 */
|
|
||||||
+#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
|
|
||||||
+#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
|
|
||||||
|
|
||||||
/* Allowed algorithms in FIPS mode */
|
|
||||||
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
|
|
||||||
@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
|
||||||
session->first_kex_follows_guess_wrong ? "wrong" : "right");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * handle the "strict KEX" feature. If supported by peer, then set up the
|
|
||||||
+ * flag and verify packet sequence numbers.
|
|
||||||
+ */
|
|
||||||
+ if (server_kex) {
|
|
||||||
+ ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
|
|
||||||
+ KEX_STRICT_CLIENT);
|
|
||||||
+ if (ok) {
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ /* client kex */
|
|
||||||
+ ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
|
|
||||||
+ KEX_STRICT_SERVER);
|
|
||||||
+ if (ok) {
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (server_kex) {
|
|
||||||
/*
|
|
||||||
* If client sent a ext-info-c message in the kex list, it supports
|
|
||||||
@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
|
|
||||||
return SSH_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Here we append ext-info-c to the list of kex algorithms */
|
|
||||||
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
|
|
||||||
kex = client->methods[SSH_KEX];
|
|
||||||
len = strlen(kex);
|
|
||||||
- if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
|
|
||||||
+ /* Comma, comma, nul byte */
|
|
||||||
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
|
|
||||||
+ if (kex_len >= MAX_PACKET_LEN) {
|
|
||||||
/* Overflow */
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
- kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
|
|
||||||
kex_tmp = realloc(kex, kex_len);
|
|
||||||
if (kex_tmp == NULL) {
|
|
||||||
- free(kex);
|
|
||||||
ssh_set_error_oom(session);
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
- snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
|
|
||||||
+ snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
|
|
||||||
client->methods[SSH_KEX] = kex_tmp;
|
|
||||||
|
|
||||||
return SSH_OK;
|
|
||||||
diff --git a/src/packet.c b/src/packet.c
|
|
||||||
index ca7a03b7..82965fb3 100644
|
|
||||||
--- a/src/packet.c
|
|
||||||
+++ b/src/packet.c
|
|
||||||
@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
|
||||||
}
|
|
||||||
#endif /* WITH_ZLIB */
|
|
||||||
payloadsize = ssh_buffer_get_len(session->in_buffer);
|
|
||||||
+ if (session->recv_seq == UINT32_MAX) {
|
|
||||||
+ /* Overflowing sequence numbers is always fishy */
|
|
||||||
+ if (crypto == NULL) {
|
|
||||||
+ /* don't allow sequence number overflow when unencrypted */
|
|
||||||
+ ssh_set_error(session,
|
|
||||||
+ SSH_FATAL,
|
|
||||||
+ "Incoming sequence number overflow");
|
|
||||||
+ goto error;
|
|
||||||
+ } else {
|
|
||||||
+ SSH_LOG(SSH_LOG_WARNING,
|
|
||||||
+ "Incoming sequence number overflow");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
session->recv_seq++;
|
|
||||||
if (crypto != NULL) {
|
|
||||||
struct ssh_cipher_struct *cipher = NULL;
|
|
||||||
@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
|
||||||
SSH_LOG(SSH_LOG_PACKET,
|
|
||||||
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
|
|
||||||
session->in_packet.type, packet_len, padding, compsize, payloadsize);
|
|
||||||
+ if (crypto == NULL) {
|
|
||||||
+ /* In strict kex, only a few packets are allowed. Taint the session
|
|
||||||
+ * if we received packets that are normally allowed but to be
|
|
||||||
+ * refused if we are in strict kex when KEX is over.
|
|
||||||
+ */
|
|
||||||
+ uint8_t type = session->in_packet.type;
|
|
||||||
|
|
||||||
+ if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
|
|
||||||
+ (type < SSH2_MSG_KEXDH_INIT ||
|
|
||||||
+ type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
/* Check if the packet is expected */
|
|
||||||
filter_result = ssh_packet_incoming_filter(session);
|
|
||||||
|
|
||||||
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
|
||||||
session->in_packet.type);
|
|
||||||
goto error;
|
|
||||||
case SSH_PACKET_UNKNOWN:
|
|
||||||
+ if (crypto == NULL) {
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
|
||||||
+ }
|
|
||||||
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
|
|
||||||
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
|
|
||||||
ssh_get_error(session));
|
|
||||||
}
|
|
||||||
+ if (session->current_crypto == NULL) {
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/** @internal
|
|
||||||
+ * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
|
|
||||||
+ * @param session the SSH session
|
|
||||||
+ * @return SSH_ERROR on error, else SSH_OK
|
|
||||||
+ */
|
|
||||||
+int ssh_packet_send_newkeys(ssh_session session)
|
|
||||||
+{
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ /* Send the MSG_NEWKEYS */
|
|
||||||
+ rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
|
|
||||||
+ if (rc < 0) {
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ rc = ssh_packet_send(session);
|
|
||||||
+ if (rc == SSH_ERROR) {
|
|
||||||
+ return rc;
|
|
||||||
+ }
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** @internal
|
|
||||||
@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
|
|
||||||
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
|
|
||||||
struct ssh_iterator *it;
|
|
||||||
|
|
||||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
|
|
||||||
+ /* reset packet sequence number when running in strict kex mode */
|
|
||||||
+ session->send_seq = 0;
|
|
||||||
+ }
|
|
||||||
for (it = ssh_list_get_iterator(session->out_queue);
|
|
||||||
it != NULL;
|
|
||||||
it = ssh_list_get_iterator(session->out_queue)) {
|
|
||||||
diff --git a/src/packet_cb.c b/src/packet_cb.c
|
|
||||||
index 3e4d5f6d..a08f1d8a 100644
|
|
||||||
--- a/src/packet_cb.c
|
|
||||||
+++ b/src/packet_cb.c
|
|
||||||
@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
|
|
||||||
+ /* reset packet sequence number when running in strict kex mode */
|
|
||||||
+ session->recv_seq = 0;
|
|
||||||
+ /* Check that we aren't tainted */
|
|
||||||
+ if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
|
|
||||||
+ ssh_set_error(session,
|
|
||||||
+ SSH_FATAL,
|
|
||||||
+ "Received unexpected packets in strict KEX mode.");
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if(session->server){
|
|
||||||
/* server things are done in server.c */
|
|
||||||
session->dh_handshake_state=DH_STATE_FINISHED;
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
|
||||||
From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
|
||||||
Date: Tue, 12 Dec 2023 23:30:26 +0100
|
|
||||||
Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
|
|
||||||
|
|
||||||
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
|
|
||||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
include/libssh/kex.h | 1 +
|
|
||||||
src/kex.c | 46 ++++++++++++++++++++++++++++++++++----------
|
|
||||||
src/server.c | 8 +++++++-
|
|
||||||
3 files changed, 44 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/libssh/kex.h b/include/libssh/kex.h
|
|
||||||
index 2ace69b6..40da4ef2 100644
|
|
||||||
--- a/include/libssh/kex.h
|
|
||||||
+++ b/include/libssh/kex.h
|
|
||||||
@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
|
||||||
int ssh_send_kex(ssh_session session);
|
|
||||||
void ssh_list_kex(struct ssh_kex_struct *kex);
|
|
||||||
int ssh_set_client_kex(ssh_session session);
|
|
||||||
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
|
|
||||||
int ssh_kex_select_methods(ssh_session session);
|
|
||||||
int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
|
|
||||||
char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
|
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
|
||||||
index 0772cae8..e37c176c 100644
|
|
||||||
--- a/src/kex.c
|
|
||||||
+++ b/src/kex.c
|
|
||||||
@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
|
|
||||||
{
|
|
||||||
struct ssh_kex_struct *client = &session->next_crypto->client_kex;
|
|
||||||
const char *wanted;
|
|
||||||
- char *kex = NULL;
|
|
||||||
- char *kex_tmp = NULL;
|
|
||||||
int ok;
|
|
||||||
int i;
|
|
||||||
- size_t kex_len, len;
|
|
||||||
|
|
||||||
/* Skip if already set, for example for the rekey or when we do the guessing
|
|
||||||
* it could have been already used to make some protocol decisions. */
|
|
||||||
@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
|
|
||||||
return SSH_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
|
|
||||||
- kex = client->methods[SSH_KEX];
|
|
||||||
+ ok = ssh_kex_append_extensions(session, client);
|
|
||||||
+ if (ok != SSH_OK){
|
|
||||||
+ return ok;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return SSH_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex)
|
|
||||||
+{
|
|
||||||
+ char *kex = NULL;
|
|
||||||
+ char *kex_tmp = NULL;
|
|
||||||
+ size_t kex_len, len;
|
|
||||||
+
|
|
||||||
+ /* Here we append ext-info-c and kex-strict-c-v00@openssh.com for client
|
|
||||||
+ * and kex-strict-s-v00@openssh.com for server to the list of kex algorithms
|
|
||||||
+ */
|
|
||||||
+ kex = pkex->methods[SSH_KEX];
|
|
||||||
len = strlen(kex);
|
|
||||||
- /* Comma, comma, nul byte */
|
|
||||||
- kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
|
|
||||||
+ if (session->server) {
|
|
||||||
+ /* Comma, nul byte */
|
|
||||||
+ kex_len = len + 1 + strlen(KEX_STRICT_SERVER) + 1;
|
|
||||||
+ } else {
|
|
||||||
+ /* Comma, comma, nul byte */
|
|
||||||
+ kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 +
|
|
||||||
+ strlen(KEX_STRICT_CLIENT) + 1;
|
|
||||||
+ }
|
|
||||||
if (kex_len >= MAX_PACKET_LEN) {
|
|
||||||
/* Overflow */
|
|
||||||
return SSH_ERROR;
|
|
||||||
@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
|
|
||||||
ssh_set_error_oom(session);
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
- snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
|
|
||||||
- client->methods[SSH_KEX] = kex_tmp;
|
|
||||||
-
|
|
||||||
+ if (session->server){
|
|
||||||
+ snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_STRICT_SERVER);
|
|
||||||
+ } else {
|
|
||||||
+ snprintf(kex_tmp + len,
|
|
||||||
+ kex_len - len,
|
|
||||||
+ ",%s,%s",
|
|
||||||
+ KEX_EXTENSION_CLIENT,
|
|
||||||
+ KEX_STRICT_CLIENT);
|
|
||||||
+ }
|
|
||||||
+ pkex->methods[SSH_KEX] = kex_tmp;
|
|
||||||
return SSH_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/server.c b/src/server.c
|
|
||||||
index ed73e7fb..35e84465 100644
|
|
||||||
--- a/src/server.c
|
|
||||||
+++ b/src/server.c
|
|
||||||
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ /* Do not append the extensions during rekey */
|
|
||||||
+ if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) {
|
|
||||||
+ return SSH_OK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = ssh_kex_append_extensions(session, server);
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
int ssh_server_init_kex(ssh_session session) {
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
|
||||||
From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Thu, 14 Dec 2023 12:22:01 +0100
|
|
||||||
Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
|
|
||||||
matching
|
|
||||||
|
|
||||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
src/kex.c | 16 ++++++++++++----
|
|
||||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
|
||||||
index e37c176c..eea3604b 100644
|
|
||||||
--- a/src/kex.c
|
|
||||||
+++ b/src/kex.c
|
|
||||||
@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
|
|
||||||
enum ssh_key_exchange_e kex_type;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
- /* Here we should drop the ext-info-c from the list so we avoid matching.
|
|
||||||
+ /* Here we should drop the extensions from the list so we avoid matching.
|
|
||||||
* it. We added it to the end, so we can just truncate the string here */
|
|
||||||
- ext_start = strstr(client->methods[SSH_KEX], ","KEX_EXTENSION_CLIENT);
|
|
||||||
- if (ext_start != NULL) {
|
|
||||||
- ext_start[0] = '\0';
|
|
||||||
+ if (session->client) {
|
|
||||||
+ ext_start = strstr(client->methods[SSH_KEX], "," KEX_EXTENSION_CLIENT);
|
|
||||||
+ if (ext_start != NULL) {
|
|
||||||
+ ext_start[0] = '\0';
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (session->server) {
|
|
||||||
+ ext_start = strstr(server->methods[SSH_KEX], "," KEX_STRICT_SERVER);
|
|
||||||
+ if (ext_start != NULL) {
|
|
||||||
+ ext_start[0] = '\0';
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
|
||||||
From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Thu, 14 Dec 2023 12:47:48 +0100
|
|
||||||
Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
|
|
||||||
|
|
||||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
|
|
||||||
1 file changed, 32 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
|
|
||||||
index 13c9a7fe..bfb273af 100644
|
|
||||||
--- a/tests/client/torture_rekey.c
|
|
||||||
+++ b/tests/client/torture_rekey.c
|
|
||||||
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
|
|
||||||
ssh_disconnect(s->ssh.session);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void sanity_check_session(void **state)
|
|
||||||
+{
|
|
||||||
+ struct torture_state *s = *state;
|
|
||||||
+ struct ssh_crypto_struct *c = NULL;
|
|
||||||
+
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ assert_non_null(c);
|
|
||||||
+ assert_int_equal(c->in_cipher->max_blocks,
|
|
||||||
+ bytes / c->in_cipher->blocksize);
|
|
||||||
+ assert_int_equal(c->out_cipher->max_blocks,
|
|
||||||
+ bytes / c->out_cipher->blocksize);
|
|
||||||
+ /* when strict kex is used, the newkeys reset the sequence number */
|
|
||||||
+ if ((s->ssh.session->flags & SSH_SESSION_FLAG_KEX_STRICT) != 0) {
|
|
||||||
+ assert_int_equal(c->out_cipher->packets, s->ssh.session->send_seq);
|
|
||||||
+ assert_int_equal(c->in_cipher->packets, s->ssh.session->recv_seq);
|
|
||||||
+ } else {
|
|
||||||
+ /* Otherwise we have less encrypted packets than transferred
|
|
||||||
+ * (first are not encrypted) */
|
|
||||||
+ assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
|
||||||
+ assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* We lower the rekey limits manually and check that the rekey
|
|
||||||
* really happens when sending data
|
|
||||||
*/
|
|
||||||
@@ -166,16 +189,10 @@ static void torture_rekey_send(void **state)
|
|
||||||
rc = ssh_connect(s->ssh.session);
|
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
|
||||||
|
|
||||||
- /* The blocks limit is set correctly */
|
|
||||||
- c = s->ssh.session->current_crypto;
|
|
||||||
- assert_int_equal(c->in_cipher->max_blocks,
|
|
||||||
- bytes / c->in_cipher->blocksize);
|
|
||||||
- assert_int_equal(c->out_cipher->max_blocks,
|
|
||||||
- bytes / c->out_cipher->blocksize);
|
|
||||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
|
||||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
|
||||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
|
||||||
+ sanity_check_session(state);
|
|
||||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ assert_non_null(c);
|
|
||||||
secret_hash = malloc(c->digest_len);
|
|
||||||
assert_non_null(secret_hash);
|
|
||||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
|
||||||
@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
|
|
||||||
sftp_file file;
|
|
||||||
mode_t mask;
|
|
||||||
|
|
||||||
- /* The blocks limit is set correctly */
|
|
||||||
- c = s->ssh.session->current_crypto;
|
|
||||||
- assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
|
|
||||||
- assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
|
|
||||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
|
||||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
|
||||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
|
||||||
+ sanity_check_session(state);
|
|
||||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ assert_non_null(c);
|
|
||||||
secret_hash = malloc(c->digest_len);
|
|
||||||
assert_non_null(secret_hash);
|
|
||||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
|
||||||
@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
|
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
|
||||||
|
|
||||||
/* The blocks limit is set correctly */
|
|
||||||
- c = s->ssh.session->current_crypto;
|
|
||||||
- assert_int_equal(c->in_cipher->max_blocks,
|
|
||||||
- bytes / c->in_cipher->blocksize);
|
|
||||||
- assert_int_equal(c->out_cipher->max_blocks,
|
|
||||||
- bytes / c->out_cipher->blocksize);
|
|
||||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
|
||||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
|
||||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
|
||||||
+ sanity_check_session(state);
|
|
||||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ assert_non_null(c);
|
|
||||||
secret_hash = malloc(c->digest_len);
|
|
||||||
assert_non_null(secret_hash);
|
|
||||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,86 +0,0 @@
|
|||||||
diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
|
|
||||||
--- ../libssh-0.9.6/src/pki_crypto.c 2023-04-27 12:59:08.463259052 +0200
|
|
||||||
+++ ./src/pki_crypto.c 2023-04-27 13:05:24.020610873 +0200
|
|
||||||
@@ -2291,8 +2291,12 @@
|
|
||||||
unsigned char *raw_sig_data = NULL;
|
|
||||||
unsigned int raw_sig_len;
|
|
||||||
|
|
||||||
+ /* Function return code
|
|
||||||
+ * Do not change this variable throughout the function until the signature
|
|
||||||
+ * is successfully verified!
|
|
||||||
+ */
|
|
||||||
int rc = SSH_ERROR;
|
|
||||||
- int evp_rc;
|
|
||||||
+ int ok;
|
|
||||||
|
|
||||||
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
|
|
||||||
signature == NULL || (signature->raw_sig == NULL
|
|
||||||
@@ -2307,8 +2311,8 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check if public key and hash type are compatible */
|
|
||||||
- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
|
|
||||||
- if (rc != SSH_OK) {
|
|
||||||
+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
|
|
||||||
+ if (ok != SSH_OK) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2351,8 +2355,8 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Verify the signature */
|
|
||||||
- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
|
|
||||||
- if (evp_rc != 1){
|
|
||||||
+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
|
|
||||||
+ if (ok != 1){
|
|
||||||
SSH_LOG(SSH_LOG_TRACE,
|
|
||||||
"EVP_DigestVerifyInit() failed: %s",
|
|
||||||
ERR_error_string(ERR_get_error(), NULL));
|
|
||||||
@@ -2360,35 +2364,31 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
|
|
||||||
- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
|
|
||||||
+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
|
|
||||||
#else
|
|
||||||
- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
|
|
||||||
- if (evp_rc != 1) {
|
|
||||||
+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
|
|
||||||
+ if (ok != 1) {
|
|
||||||
SSH_LOG(SSH_LOG_TRACE,
|
|
||||||
"EVP_DigestVerifyUpdate() failed: %s",
|
|
||||||
ERR_error_string(ERR_get_error(), NULL));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
|
|
||||||
+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
|
|
||||||
#endif
|
|
||||||
- if (evp_rc == 1) {
|
|
||||||
- SSH_LOG(SSH_LOG_TRACE, "Signature valid");
|
|
||||||
- rc = SSH_OK;
|
|
||||||
- } else {
|
|
||||||
+ if (ok != 1) {
|
|
||||||
SSH_LOG(SSH_LOG_TRACE,
|
|
||||||
"Signature invalid: %s",
|
|
||||||
ERR_error_string(ERR_get_error(), NULL));
|
|
||||||
- rc = SSH_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");
|
|
||||||
+ rc = SSH_OK;
|
|
||||||
+
|
|
||||||
out:
|
|
||||||
- if (ctx != NULL) {
|
|
||||||
- EVP_MD_CTX_free(ctx);
|
|
||||||
- }
|
|
||||||
- if (pkey != NULL) {
|
|
||||||
- EVP_PKEY_free(pkey);
|
|
||||||
- }
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
@ -1,228 +0,0 @@
|
|||||||
diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
|
|
||||||
--- ../libssh-0.9.6/src/buffer.c 2023-05-03 11:53:48.710217753 +0200
|
|
||||||
+++ ./src/buffer.c 2023-05-03 11:58:21.995200990 +0200
|
|
||||||
@@ -747,7 +747,8 @@
|
|
||||||
*/
|
|
||||||
int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
|
|
||||||
{
|
|
||||||
- if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
|
|
||||||
+ if (buffer == NULL || buffer->pos + len < len ||
|
|
||||||
+ buffer->pos + len > buffer->used) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
|
|
||||||
--- ../libssh-0.9.6/src/gssapi.c 2023-05-03 11:53:48.732217993 +0200
|
|
||||||
+++ ./src/gssapi.c 2023-05-03 11:58:21.976200782 +0200
|
|
||||||
@@ -437,11 +437,18 @@
|
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
|
||||||
SAFE_FREE(hexa);
|
|
||||||
- ssh_buffer_pack(session->out_buffer,
|
|
||||||
- "bdP",
|
|
||||||
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
- output_token.length,
|
|
||||||
- (size_t)output_token.length, output_token.value);
|
|
||||||
+ rc = ssh_buffer_pack(session->out_buffer,
|
|
||||||
+ "bdP",
|
|
||||||
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
+ output_token.length,
|
|
||||||
+ (size_t)output_token.length, output_token.value);
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
+ ssh_set_error_oom(session);
|
|
||||||
+ ssh_auth_reply_default(session, 0);
|
|
||||||
+ ssh_gssapi_free(session);
|
|
||||||
+ session->gssapi = NULL;
|
|
||||||
+ return SSH_PACKET_USED;
|
|
||||||
+ }
|
|
||||||
ssh_packet_send(session);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -846,6 +853,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
|
|
||||||
+ int rc;
|
|
||||||
ssh_string oid_s;
|
|
||||||
gss_uint32 maj_stat, min_stat;
|
|
||||||
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
|
||||||
@@ -897,11 +905,15 @@
|
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
|
|
||||||
SAFE_FREE(hexa);
|
|
||||||
- ssh_buffer_pack(session->out_buffer,
|
|
||||||
- "bdP",
|
|
||||||
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
- output_token.length,
|
|
||||||
- (size_t)output_token.length, output_token.value);
|
|
||||||
+ rc = ssh_buffer_pack(session->out_buffer,
|
|
||||||
+ "bdP",
|
|
||||||
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
+ output_token.length,
|
|
||||||
+ (size_t)output_token.length, output_token.value);
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
+ ssh_set_error_oom(session);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
ssh_packet_send(session);
|
|
||||||
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
|
|
||||||
}
|
|
||||||
@@ -963,6 +975,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
|
|
||||||
+ int rc;
|
|
||||||
ssh_string token;
|
|
||||||
char *hexa;
|
|
||||||
OM_uint32 maj_stat, min_stat;
|
|
||||||
@@ -1015,11 +1028,15 @@
|
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
|
||||||
SAFE_FREE(hexa);
|
|
||||||
- ssh_buffer_pack(session->out_buffer,
|
|
||||||
- "bdP",
|
|
||||||
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
- output_token.length,
|
|
||||||
- (size_t)output_token.length, output_token.value);
|
|
||||||
+ rc = ssh_buffer_pack(session->out_buffer,
|
|
||||||
+ "bdP",
|
|
||||||
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
|
|
||||||
+ output_token.length,
|
|
||||||
+ (size_t)output_token.length, output_token.value);
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
+ ssh_set_error_oom(session);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
ssh_packet_send(session);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
|
|
||||||
--- ../libssh-0.9.6/src/options.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./src/options.c 2023-05-03 11:58:22.000201044 +0200
|
|
||||||
@@ -547,7 +547,9 @@
|
|
||||||
}
|
|
||||||
i = strtol(q, &p, 10);
|
|
||||||
if (q == p) {
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
|
|
||||||
SAFE_FREE(q);
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
SAFE_FREE(q);
|
|
||||||
if (i <= 0) {
|
|
||||||
@@ -743,7 +745,9 @@
|
|
||||||
}
|
|
||||||
i = strtol(q, &p, 10);
|
|
||||||
if (q == p) {
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
|
|
||||||
SAFE_FREE(q);
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
SAFE_FREE(q);
|
|
||||||
if (i < 0) {
|
|
||||||
@@ -1818,7 +1822,9 @@
|
|
||||||
}
|
|
||||||
i = strtol(q, &p, 10);
|
|
||||||
if (q == p) {
|
|
||||||
- SAFE_FREE(q);
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
|
|
||||||
+ SAFE_FREE(q);
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
SAFE_FREE(q);
|
|
||||||
|
|
||||||
@@ -1845,7 +1851,9 @@
|
|
||||||
}
|
|
||||||
i = strtol(q, &p, 10);
|
|
||||||
if (q == p) {
|
|
||||||
- SAFE_FREE(q);
|
|
||||||
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
|
|
||||||
+ SAFE_FREE(q);
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
SAFE_FREE(q);
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
|
|
||||||
--- ../libssh-0.9.6/src/pki_container_openssh.c 2023-05-03 11:53:48.713217785 +0200
|
|
||||||
+++ ./src/pki_container_openssh.c 2023-05-03 11:58:21.976200782 +0200
|
|
||||||
@@ -630,7 +630,11 @@
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
|
|
||||||
+ rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
+ SSH_BUFFER_FREE(kdf_buf);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
|
|
||||||
if (kdf_options == NULL){
|
|
||||||
SSH_BUFFER_FREE(kdf_buf);
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
|
|
||||||
--- ../libssh-0.9.6/tests/unittests/torture_options.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/unittests/torture_options.c 2023-05-03 11:59:21.726853027 +0200
|
|
||||||
@@ -311,6 +311,7 @@
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
|
|
||||||
assert_true(rc == -1);
|
|
||||||
+ assert_int_not_equal(session->opts.port, 0);
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
|
|
||||||
assert_true(rc == -1);
|
|
||||||
@@ -853,6 +854,26 @@
|
|
||||||
ssh_free(new);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void torture_options_set_verbosity (void **state)
|
|
||||||
+{
|
|
||||||
+ ssh_session session = *state;
|
|
||||||
+ int rc, new_level;
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
|
|
||||||
+ "3");
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ new_level = ssh_get_log_level();
|
|
||||||
+ assert_int_equal(new_level, SSH_LOG_PACKET);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
|
|
||||||
+ "datsun");
|
|
||||||
+ assert_int_equal(rc, -1);
|
|
||||||
+ new_level = ssh_get_log_level();
|
|
||||||
+ assert_int_not_equal(new_level, 0);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef WITH_SERVER
|
|
||||||
const char template[] = "temp_dir_XXXXXX";
|
|
||||||
|
|
||||||
@@ -1107,6 +1128,10 @@
|
|
||||||
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
assert_int_equal(bind->bindport, 23);
|
|
||||||
+
|
|
||||||
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
|
|
||||||
+ assert_int_equal(rc, -1);
|
|
||||||
+ assert_int_not_equal(bind->bindport, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void torture_bind_options_log_verbosity(void **state)
|
|
||||||
@@ -1156,6 +1181,11 @@
|
|
||||||
new_level = ssh_get_log_level();
|
|
||||||
assert_int_equal(new_level, SSH_LOG_PACKET);
|
|
||||||
|
|
||||||
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
|
|
||||||
+ assert_int_equal(rc, -1);
|
|
||||||
+ new_level = ssh_get_log_level();
|
|
||||||
+ assert_int_not_equal(new_level, 0);
|
|
||||||
+
|
|
||||||
rc = ssh_set_log_level(previous_level);
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
}
|
|
||||||
@@ -1643,6 +1673,7 @@
|
|
||||||
cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(torture_options_config_match,
|
|
||||||
setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
|
|
||||||
};
|
|
||||||
|
|
||||||
#ifdef WITH_SERVER
|
|
@ -1,668 +0,0 @@
|
|||||||
diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
|
|
||||||
--- ../libssh-0.9.6/examples/sshnetcat.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./examples/sshnetcat.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -233,9 +233,10 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
void cleanup_pcap(void);
|
|
||||||
-void cleanup_pcap(){
|
|
||||||
+void cleanup_pcap(void)
|
|
||||||
+{
|
|
||||||
ssh_pcap_file_free(pcap);
|
|
||||||
- pcap=NULL;
|
|
||||||
+ pcap = NULL;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
|
|
||||||
--- ../libssh-0.9.6/src/init.c 2021-03-15 08:11:33.000000000 +0100
|
|
||||||
+++ ./src/init.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -269,7 +269,7 @@
|
|
||||||
*
|
|
||||||
* @see ssh_init()
|
|
||||||
*/
|
|
||||||
-bool is_ssh_initialized() {
|
|
||||||
+bool is_ssh_initialized(void) {
|
|
||||||
|
|
||||||
bool is_initialized = false;
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
|
|
||||||
--- ../libssh-0.9.6/tests/client/torture_auth.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/client/torture_auth.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -200,7 +200,8 @@
|
|
||||||
assert_non_null(ssh_agent_pidfile);
|
|
||||||
|
|
||||||
/* kill agent pid */
|
|
||||||
- torture_terminate_process(ssh_agent_pidfile);
|
|
||||||
+ rc = torture_terminate_process(ssh_agent_pidfile);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
unlink(ssh_agent_pidfile);
|
|
||||||
|
|
||||||
@@ -551,6 +552,7 @@
|
|
||||||
|
|
||||||
static void torture_auth_agent_cert(void **state)
|
|
||||||
{
|
|
||||||
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
ssh_session session = s->ssh.session;
|
|
||||||
int rc;
|
|
||||||
@@ -570,6 +572,7 @@
|
|
||||||
"ssh-rsa-cert-v01@openssh.com");
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
|
||||||
|
|
||||||
/* Setup loads a different key, tests are exactly the same. */
|
|
||||||
torture_auth_agent(state);
|
|
||||||
@@ -577,6 +580,7 @@
|
|
||||||
|
|
||||||
static void torture_auth_agent_cert_nonblocking(void **state)
|
|
||||||
{
|
|
||||||
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
ssh_session session = s->ssh.session;
|
|
||||||
int rc;
|
|
||||||
@@ -596,6 +600,7 @@
|
|
||||||
"ssh-rsa-cert-v01@openssh.com");
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
|
||||||
|
|
||||||
torture_auth_agent_nonblocking(state);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
|
||||||
--- ../libssh-0.9.6/tests/client/torture_rekey.c 2023-04-28 17:26:41.472315318 +0200
|
|
||||||
+++ ./tests/client/torture_rekey.c 2023-05-02 10:36:00.805381857 +0200
|
|
||||||
@@ -38,6 +38,8 @@
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
|
|
||||||
+#define KEX_RETRY 32
|
|
||||||
+
|
|
||||||
static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
|
|
||||||
|
|
||||||
static int sshd_setup(void **state)
|
|
||||||
@@ -190,10 +192,11 @@
|
|
||||||
rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
|
|
||||||
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
||||||
|
|
||||||
- /* send ignore packets of up to 1KB to trigger rekey */
|
|
||||||
+ /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
|
|
||||||
+ * to make sure it completes with all different ciphers */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 16; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
}
|
|
||||||
@@ -496,9 +499,15 @@
|
|
||||||
* to make sure the rekey it completes with all different ciphers (paddings */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 20; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ /* SHA256 len */
|
|
||||||
+ if (c->digest_len != 32) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* The rekey limit was restored in the new crypto to the same value */
|
|
||||||
@@ -568,9 +577,15 @@
|
|
||||||
* to make sure the rekey it completes with all different ciphers (paddings */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 25; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ /* SHA256 len */
|
|
||||||
+ if (c->digest_len != 32) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check that the secret hash is different than initially */
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
|
|
||||||
--- ../libssh-0.9.6/tests/CMakeLists.txt 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/CMakeLists.txt 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -153,6 +153,17 @@
|
|
||||||
execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
+ find_program(TIMEOUT_EXECUTABLE
|
|
||||||
+ NAME
|
|
||||||
+ timeout
|
|
||||||
+ PATHS
|
|
||||||
+ /bin
|
|
||||||
+ /usr/bin
|
|
||||||
+ /usr/local/bin)
|
|
||||||
+ if (TIMEOUT_EXECUTABLE)
|
|
||||||
+ set(WITH_TIMEOUT "1")
|
|
||||||
+ endif()
|
|
||||||
+
|
|
||||||
# chroot_wrapper
|
|
||||||
add_library(chroot_wrapper SHARED chroot_wrapper.c)
|
|
||||||
set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
|
|
||||||
--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c 2021-03-15 08:11:33.000000000 +0100
|
|
||||||
+++ ./tests/pkd/pkd_keyutil.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -22,7 +22,7 @@
|
|
||||||
#include "pkd_keyutil.h"
|
|
||||||
#include "pkd_util.h"
|
|
||||||
|
|
||||||
-void setup_rsa_key() {
|
|
||||||
+void setup_rsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
|
|
||||||
@@ -31,7 +31,7 @@
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_ed25519_key() {
|
|
||||||
+void setup_ed25519_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
|
|
||||||
@@ -41,7 +41,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_DSA
|
|
||||||
-void setup_dsa_key() {
|
|
||||||
+void setup_dsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
|
|
||||||
@@ -51,7 +51,7 @@
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-void setup_ecdsa_keys() {
|
|
||||||
+void setup_ecdsa_keys(void) {
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
|
|
||||||
@@ -71,27 +71,27 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_rsa_key() {
|
|
||||||
+void cleanup_rsa_key(void) {
|
|
||||||
cleanup_key(LIBSSH_RSA_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_ed25519_key() {
|
|
||||||
+void cleanup_ed25519_key(void) {
|
|
||||||
cleanup_key(LIBSSH_ED25519_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_DSA
|
|
||||||
-void cleanup_dsa_key() {
|
|
||||||
+void cleanup_dsa_key(void) {
|
|
||||||
cleanup_key(LIBSSH_DSA_TESTKEY);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-void cleanup_ecdsa_keys() {
|
|
||||||
+void cleanup_ecdsa_keys(void) {
|
|
||||||
cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
|
|
||||||
cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
|
|
||||||
cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_openssh_client_keys() {
|
|
||||||
+void setup_openssh_client_keys(void) {
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
|
|
||||||
@@ -184,7 +184,7 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_openssh_client_keys() {
|
|
||||||
+void cleanup_openssh_client_keys(void) {
|
|
||||||
cleanup_key(OPENSSH_CA_TESTKEY);
|
|
||||||
cleanup_key(OPENSSH_RSA_TESTKEY);
|
|
||||||
cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
|
|
||||||
@@ -199,7 +199,7 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_dropbear_client_rsa_key() {
|
|
||||||
+void setup_dropbear_client_rsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
|
|
||||||
@@ -208,6 +208,6 @@
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_dropbear_client_rsa_key() {
|
|
||||||
+void cleanup_dropbear_client_rsa_key(void) {
|
|
||||||
unlink(DROPBEAR_RSA_TESTKEY);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
|
|
||||||
--- ../libssh-0.9.6/tests/server/torture_server_config.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/server/torture_server_config.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -285,9 +285,7 @@
|
|
||||||
assert_non_null(s);
|
|
||||||
|
|
||||||
rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
|
||||||
- }
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
unlink(s->srv_pidfile);
|
|
||||||
|
|
||||||
@@ -513,6 +511,12 @@
|
|
||||||
/* Try each algorithm individually */
|
|
||||||
j = 0;
|
|
||||||
while(tokens->tokens[j] != NULL) {
|
|
||||||
+ char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
|
|
||||||
+ if (cmp == NULL) {
|
|
||||||
+ /* This cipher is not supported by the OpenSSH. Skip it */
|
|
||||||
+ j++;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
snprintf(config_content,
|
|
||||||
sizeof(config_content),
|
|
||||||
"HostKey %s\nCiphers %s\n",
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
|
|
||||||
--- ../libssh-0.9.6/tests/tests_config.h.cmake 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/tests_config.h.cmake 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -66,4 +66,6 @@
|
|
||||||
|
|
||||||
#cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
|
|
||||||
#cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
|
|
||||||
-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
|
||||||
\ No newline at end of file
|
|
||||||
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
|
||||||
+#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
|
|
||||||
+#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
|
|
||||||
--- ../libssh-0.9.6/tests/torture.c 2021-08-26 14:27:44.000000000 +0200
|
|
||||||
+++ ./tests/torture.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -51,6 +51,7 @@
|
|
||||||
#include "torture.h"
|
|
||||||
#include "torture_key.h"
|
|
||||||
#include "libssh/misc.h"
|
|
||||||
+#include "libssh/token.h"
|
|
||||||
|
|
||||||
#define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
|
|
||||||
/* socket wrapper IPv6 prefix fd00::5357:5fxx */
|
|
||||||
@@ -250,8 +251,12 @@
|
|
||||||
|
|
||||||
rc = kill(pid, 0);
|
|
||||||
if (rc != 0) {
|
|
||||||
- is_running = 0;
|
|
||||||
- break;
|
|
||||||
+ /* Process not found */
|
|
||||||
+ if (errno == ESRCH) {
|
|
||||||
+ is_running = 0;
|
|
||||||
+ rc = 0;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -260,7 +265,7 @@
|
|
||||||
"WARNING: The process with pid %u is still running!\n", pid);
|
|
||||||
}
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssh_session torture_ssh_session(struct torture_state *s,
|
|
||||||
@@ -611,6 +616,112 @@
|
|
||||||
*state = s;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * @brief Create a libssh server configuration file
|
|
||||||
+ *
|
|
||||||
+ * It is expected the socket directory to be already created before by calling
|
|
||||||
+ * torture_setup_socket_dir(). The created configuration file will be stored in
|
|
||||||
+ * the socket directory and the srv_config pointer in the state will be
|
|
||||||
+ * initialized.
|
|
||||||
+ *
|
|
||||||
+ * @param[in] state A pointer to a pointer to an initialized torture_state
|
|
||||||
+ * structure
|
|
||||||
+ */
|
|
||||||
+void torture_setup_create_libssh_config(void **state)
|
|
||||||
+{
|
|
||||||
+ struct torture_state *s = *state;
|
|
||||||
+ char ed25519_hostkey[1024] = {0};
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ char dsa_hostkey[1024];
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ char rsa_hostkey[1024];
|
|
||||||
+ char ecdsa_hostkey[1024];
|
|
||||||
+ char sshd_config[2048];
|
|
||||||
+ char sshd_path[1024];
|
|
||||||
+ const char *additional_config = NULL;
|
|
||||||
+ struct stat sb;
|
|
||||||
+ const char config_string[]=
|
|
||||||
+ "LogLevel DEBUG3\n"
|
|
||||||
+ "Port 22\n"
|
|
||||||
+ "ListenAddress 127.0.0.10\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ "%s %s\n"
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ "%s\n"; /* The space for test-specific options */
|
|
||||||
+ bool written = false;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ assert_non_null(s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(sshd_path,
|
|
||||||
+ sizeof(sshd_path),
|
|
||||||
+ "%s/sshd",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ rc = lstat(sshd_path, &sb);
|
|
||||||
+ if (rc == 0 ) { /* The directory is already in place */
|
|
||||||
+ written = true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!written) {
|
|
||||||
+ rc = mkdir(sshd_path, 0755);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ snprintf(ed25519_hostkey,
|
|
||||||
+ sizeof(ed25519_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_ed25519_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(rsa_hostkey,
|
|
||||||
+ sizeof(rsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_rsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(ecdsa_hostkey,
|
|
||||||
+ sizeof(ecdsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_ecdsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ snprintf(dsa_hostkey,
|
|
||||||
+ sizeof(dsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_dsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+
|
|
||||||
+ if (!written) {
|
|
||||||
+ torture_write_file(ed25519_hostkey,
|
|
||||||
+ torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
|
|
||||||
+ torture_write_file(rsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_RSA, 0));
|
|
||||||
+ torture_write_file(ecdsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ torture_write_file(dsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_DSS, 0));
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ additional_config = (s->srv_additional_config != NULL ?
|
|
||||||
+ s->srv_additional_config : "");
|
|
||||||
+
|
|
||||||
+ snprintf(sshd_config, sizeof(sshd_config),
|
|
||||||
+ config_string,
|
|
||||||
+ "HostKey", ed25519_hostkey,
|
|
||||||
+ "HostKey", rsa_hostkey,
|
|
||||||
+ "HostKey", ecdsa_hostkey,
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ "HostKey", dsa_hostkey,
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ additional_config);
|
|
||||||
+
|
|
||||||
+ torture_write_file(s->srv_config, sshd_config);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void torture_setup_create_sshd_config(void **state, bool pam)
|
|
||||||
{
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
@@ -856,21 +967,140 @@
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void torture_setup_sshd_server(void **state, bool pam)
|
|
||||||
+/**
|
|
||||||
+ * @brief Run a libssh based server under timeout.
|
|
||||||
+ *
|
|
||||||
+ * It is expected that the socket directory and libssh configuration file were
|
|
||||||
+ * already created before by calling torture_setup_socket_dir() and
|
|
||||||
+ * torture_setup_create_libssh_config() (or alternatively setup the state with
|
|
||||||
+ * the correct values).
|
|
||||||
+ *
|
|
||||||
+ * @param[in] state The content of the address pointed by this variable must be
|
|
||||||
+ * a pointer to an initialized instance of torture_state
|
|
||||||
+ * structure; it can be obtained by calling
|
|
||||||
+ * torture_setup_socket_dir() and
|
|
||||||
+ * torture_setup_create_libssh_config().
|
|
||||||
+ * @param[in] server_path The path to the server executable.
|
|
||||||
+ *
|
|
||||||
+ * @note This function will use the state->srv_additional_config field as
|
|
||||||
+ * additional command line option used when starting the server instead of extra
|
|
||||||
+ * configuration file options.
|
|
||||||
+ * */
|
|
||||||
+void torture_setup_libssh_server(void **state, const char *server_path)
|
|
||||||
{
|
|
||||||
struct torture_state *s;
|
|
||||||
- char sshd_start_cmd[1024];
|
|
||||||
+ char start_cmd[1024];
|
|
||||||
+ char timeout_cmd[512];
|
|
||||||
+ char env[1024];
|
|
||||||
+ char extra_options[1024];
|
|
||||||
int rc;
|
|
||||||
+ char *ld_preload = NULL;
|
|
||||||
+ const char *force_fips = NULL;
|
|
||||||
|
|
||||||
- torture_setup_socket_dir(state);
|
|
||||||
- torture_setup_create_sshd_config(state, pam);
|
|
||||||
+ struct ssh_tokens_st *env_tokens;
|
|
||||||
+ struct ssh_tokens_st *arg_tokens;
|
|
||||||
+
|
|
||||||
+ pid_t pid;
|
|
||||||
+ ssize_t printed;
|
|
||||||
+
|
|
||||||
+ s = *state;
|
|
||||||
+
|
|
||||||
+ /* Get all the wrapper libraries to be pre-loaded */
|
|
||||||
+ ld_preload = getenv("LD_PRELOAD");
|
|
||||||
+
|
|
||||||
+ if (s->srv_additional_config != NULL) {
|
|
||||||
+ printed = snprintf(extra_options, sizeof(extra_options), " %s ",
|
|
||||||
+ s->srv_additional_config);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print additional config!");
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ printed = snprintf(extra_options, sizeof(extra_options), " ");
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print empty additional config!");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (ssh_fips_mode()) {
|
|
||||||
+ force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
|
|
||||||
+ } else {
|
|
||||||
+ force_fips = "";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Write the environment setting */
|
|
||||||
+ printed = snprintf(env, sizeof(env),
|
|
||||||
+ "SOCKET_WRAPPER_DIR=%s "
|
|
||||||
+ "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
|
|
||||||
+ "LD_PRELOAD=%s "
|
|
||||||
+ "%s",
|
|
||||||
+ s->socket_dir, ld_preload, force_fips);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print env!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef WITH_TIMEOUT
|
|
||||||
+ snprintf(timeout_cmd, sizeof(timeout_cmd),
|
|
||||||
+ "%s %s ", TIMEOUT_EXECUTABLE, "5m");
|
|
||||||
+#else
|
|
||||||
+ timeout_cmd[0] = '\0';
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ /* Write the start command */
|
|
||||||
+ printed = snprintf(start_cmd, sizeof(start_cmd),
|
|
||||||
+ "%s"
|
|
||||||
+ "%s -f%s -v4 -p22 -i%s -C%s%s%s",
|
|
||||||
+ timeout_cmd,
|
|
||||||
+ server_path, s->pcap_file, s->srv_pidfile,
|
|
||||||
+ s->srv_config, extra_options, TORTURE_SSH_SERVER);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print start command!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pid = fork();
|
|
||||||
+ switch(pid) {
|
|
||||||
+ case 0:
|
|
||||||
+ env_tokens = ssh_tokenize(env, ' ');
|
|
||||||
+ if (env_tokens == NULL || env_tokens->tokens == NULL) {
|
|
||||||
+ fail_msg("Failed to tokenize env!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ arg_tokens = ssh_tokenize(start_cmd, ' ');
|
|
||||||
+ if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
|
|
||||||
+ ssh_tokens_free(env_tokens);
|
|
||||||
+ fail_msg("Failed to tokenize args!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
|
|
||||||
+ (char **)env_tokens->tokens);
|
|
||||||
+
|
|
||||||
+ /* execve returns only in case of error */
|
|
||||||
+ ssh_tokens_free(env_tokens);
|
|
||||||
+ ssh_tokens_free(arg_tokens);
|
|
||||||
+ fail_msg("Error in execve: %s", strerror(errno));
|
|
||||||
+ case -1:
|
|
||||||
+ fail_msg("Failed to fork!");
|
|
||||||
+ default:
|
|
||||||
+ /* The parent continues the execution of the tests */
|
|
||||||
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
|
|
||||||
+ unsetenv("PAM_WRAPPER");
|
|
||||||
+
|
|
||||||
+ /* Wait until the server is ready to accept connections */
|
|
||||||
+ rc = torture_wait_for_daemon(15);
|
|
||||||
+ assert_int_equal(rc, 0);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int torture_start_sshd_server(void **state)
|
|
||||||
+{
|
|
||||||
+ struct torture_state *s = *state;
|
|
||||||
+ char sshd_start_cmd[1024];
|
|
||||||
+ int rc;
|
|
||||||
|
|
||||||
/* Set the default interface for the server */
|
|
||||||
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
|
|
||||||
setenv("PAM_WRAPPER", "1", 1);
|
|
||||||
|
|
||||||
- s = *state;
|
|
||||||
-
|
|
||||||
snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
|
|
||||||
SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
|
|
||||||
s->srv_config, s->socket_dir, s->socket_dir);
|
|
||||||
@@ -882,7 +1112,20 @@
|
|
||||||
unsetenv("PAM_WRAPPER");
|
|
||||||
|
|
||||||
/* Wait until the sshd is ready to accept connections */
|
|
||||||
- rc = torture_wait_for_daemon(5);
|
|
||||||
+ rc = torture_wait_for_daemon(15);
|
|
||||||
+ assert_int_equal(rc, 0);
|
|
||||||
+
|
|
||||||
+ return SSH_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void torture_setup_sshd_server(void **state, bool pam)
|
|
||||||
+{
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ torture_setup_socket_dir(state);
|
|
||||||
+ torture_setup_create_sshd_config(state, pam);
|
|
||||||
+
|
|
||||||
+ rc = torture_start_sshd_server(state);
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -922,29 +1165,12 @@
|
|
||||||
torture_reload_sshd_server(void **state)
|
|
||||||
{
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
- pid_t pid;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- /* read the pidfile */
|
|
||||||
- pid = torture_read_pidfile(s->srv_pidfile);
|
|
||||||
- assert_int_not_equal(pid, -1);
|
|
||||||
-
|
|
||||||
- kill(pid, SIGHUP);
|
|
||||||
-
|
|
||||||
- /* 10 ms */
|
|
||||||
- usleep(10 * 1000);
|
|
||||||
-
|
|
||||||
- rc = kill(pid, 0);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr,
|
|
||||||
- "ERROR: SSHD process %u died during reload!\n", pid);
|
|
||||||
- return SSH_ERROR;
|
|
||||||
- }
|
|
||||||
+ rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
- /* Wait until the sshd is ready to accept connections */
|
|
||||||
- rc = torture_wait_for_daemon(5);
|
|
||||||
- assert_int_equal(rc, 0);
|
|
||||||
- return SSH_OK;
|
|
||||||
+ return torture_start_sshd_server(state);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* @brief: Updates SSHD server configuration with more options and
|
|
||||||
@@ -980,9 +1206,7 @@
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
|
||||||
- }
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
torture_teardown_socket_dir(state);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
|
|
||||||
--- ../libssh-0.9.6/tests/torture.h 2021-08-26 14:27:44.000000000 +0200
|
|
||||||
+++ ./tests/torture.h 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -132,6 +132,10 @@
|
|
||||||
|
|
||||||
void torture_reset_config(ssh_session session);
|
|
||||||
|
|
||||||
+void torture_setup_create_libssh_config(void **state);
|
|
||||||
+
|
|
||||||
+void torture_setup_libssh_server(void **state, const char *server_path);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This function must be defined in every unit test file.
|
|
||||||
*/
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
|
|
||||||
Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
|
|
||||||
3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
|
|
||||||
bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
|
|
||||||
ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
|
|
||||||
KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
|
|
||||||
VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
|
|
||||||
+W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
|
|
||||||
zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
|
|
||||||
1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
|
|
||||||
TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
|
|
||||||
o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
|
|
||||||
=cO0k
|
|
||||||
-----END PGP SIGNATURE-----
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,19 +0,0 @@
|
|||||||
diff --git a/src/packet.c b/src/packet.c
|
|
||||||
index ec4a7203..a81eb8e3 100644
|
|
||||||
--- a/src/packet.c
|
|
||||||
+++ b/src/packet.c
|
|
||||||
@@ -1752,10 +1752,12 @@ static bool
|
|
||||||
ssh_packet_in_rekey(ssh_session session)
|
|
||||||
{
|
|
||||||
/* We know we are rekeying if we are authenticated and the DH
|
|
||||||
- * status is not finished
|
|
||||||
+ * status is not finished, but we only queue packets until we've
|
|
||||||
+ * sent our NEWKEYS.
|
|
||||||
*/
|
|
||||||
return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
|
|
||||||
- (session->dh_handshake_state != DH_STATE_FINISHED);
|
|
||||||
+ (session->dh_handshake_state != DH_STATE_FINISHED) &&
|
|
||||||
+ (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
|
|
||||||
}
|
|
||||||
|
|
||||||
int ssh_packet_send(ssh_session session)
|
|
23
gating.yaml
Normal file
23
gating.yaml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- fedora-*
|
||||||
|
decision_context: bodhi_update_push_testing
|
||||||
|
subject_type: koji_build
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- fedora-*
|
||||||
|
decision_context: bodhi_update_push_stable
|
||||||
|
subject_type: koji_build
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-10
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
|
54
libssh-0.11.1-fix-provider-loading.patch
Normal file
54
libssh-0.11.1-fix-provider-loading.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
|
||||||
|
--- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
|
||||||
|
+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
|
||||||
|
@@ -240,6 +240,14 @@ int torture_run_tests(void) {
|
||||||
|
session_teardown),
|
||||||
|
};
|
||||||
|
|
||||||
|
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
|
||||||
|
+ * It can load a pkcs11 provider too early before we will set up environment
|
||||||
|
+ * variables that are needed for the pkcs11 provider to access correct
|
||||||
|
+ * tokens, causing unexpected failures.
|
||||||
|
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
|
||||||
|
+ */
|
||||||
|
+ setenv("OPENSSL_CONF", "/dev/null", 1);
|
||||||
|
+
|
||||||
|
ssh_init();
|
||||||
|
torture_filter_tests(tests);
|
||||||
|
rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
|
||||||
|
diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
|
||||||
|
--- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
|
||||||
|
+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
|
||||||
|
@@ -563,6 +563,14 @@ int torture_run_tests(void) {
|
||||||
|
ssh_session session = ssh_new();
|
||||||
|
int verbosity = SSH_LOG_FUNCTIONS;
|
||||||
|
|
||||||
|
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
|
||||||
|
+ * It can load a pkcs11 provider too early before we will set up environment
|
||||||
|
+ * variables that are needed for the pkcs11 provider to access correct
|
||||||
|
+ * tokens, causing unexpected failures.
|
||||||
|
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
|
||||||
|
+ */
|
||||||
|
+ setenv("OPENSSL_CONF", "/dev/null", 1);
|
||||||
|
+
|
||||||
|
ssh_init();
|
||||||
|
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
|
||||||
|
|
||||||
|
diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
|
||||||
|
--- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
|
||||||
|
+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
|
||||||
|
@@ -285,6 +285,14 @@ torture_run_tests(void)
|
||||||
|
ssh_session session = ssh_new();
|
||||||
|
int verbosity = SSH_LOG_FUNCTIONS;
|
||||||
|
|
||||||
|
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
|
||||||
|
+ * It can load a pkcs11 provider too early before we will set up environment
|
||||||
|
+ * variables that are needed for the pkcs11 provider to access correct
|
||||||
|
+ * tokens, causing unexpected failures.
|
||||||
|
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
|
||||||
|
+ */
|
||||||
|
+ setenv("OPENSSL_CONF", "/dev/null", 1);
|
||||||
|
+
|
||||||
|
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
|
||||||
|
ssh_init();
|
||||||
|
|
52
libssh.keyring
Normal file
52
libssh.keyring
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBGZxQOQBEAC1EO1SSoQmzAyAyfQRRHcI4Je5E4mdTchhblLXmuxThquYZ6Xp
|
||||||
|
MT3alO6UxDO6aulzd0/RpLviELRwXqEKuUVC9oNbsolWT3sCh0J6ju2LNtmixPIf
|
||||||
|
5hd6UQRE32k7AXgwju7bn4TebVkl2fXsdtqSY+57Rs+8G7HiCRDoiYw1S4OwKsuI
|
||||||
|
RU7F4VNTV3drfcqpY1JZhMM/oestGqhWfln59kRgvqPDdOlX6Jv1502lElRddHBl
|
||||||
|
1f/SnE/mZQJ8Y+zfFuCxkhKZHYLzO3scudUIOHfVt2tLEYYsYK23NFAnF4ECYv+H
|
||||||
|
F1PoITbd8WeXoFeMjSr1h19ElzW76eBPvOYzqlzEKQ8b8uQUTqmyZl7HhQOtsIXG
|
||||||
|
YBYi3V30I+JBuEGkkhtkbXVET8sE1FCX2xSDOsqshqSiLchlVJxiQlThqZ4prtBC
|
||||||
|
byaTmdxFKRsQmSvLv5V9Puel80mzvM/L85s+gop9btygJ+Vpo1Dtdkbvp/jz+k1f
|
||||||
|
arZaqAFPE9/rJlMEW8HE12QBYpxiQAl6k0KUu/1MUcTbaZ7wbzQVGHXTmrP9mGff
|
||||||
|
9DTPeK01UPJpR9lT/kFwo/ip7nkI0zHcoAgwCGLNHCnbWjjz6ZAzYS9Dj8RG1T13
|
||||||
|
g/TjpQtmNWxdPIQ3yZDv30BKFv1aoWLejz4rj19dtPnVClUyMlRPonDDfwARAQAB
|
||||||
|
tDRsaWJzc2ggcmVsZWFzZSBrZXkgKHJlbGVhc2Uga2V5KSA8bGlic3NoQGxpYnNz
|
||||||
|
aC5vcmc+iQJXBBMBCABBFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmZxQOQCGwMF
|
||||||
|
CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQA9XfjP3T6OfPBA//
|
||||||
|
cQA2fdsNyIgAyhppHAtdmKtRaN5dWj9InKZTWRmWNMAU3lTrMCGVurz2tcg2X6Xz
|
||||||
|
rVvZuXbLnb6GIRU0ly+nYiBZF4qDL088NtqN7AEEUaabOmlSZr5wXyJObMvlzDg9
|
||||||
|
GkjKAKH2CBztROtG3P91uHQ12SDqqIGw5/LlWGUSBzDnChdaB7ntODmjJ8wHqyOy
|
||||||
|
tD6GIfy7KkvnD6nyCXvqlZgo0/nr91otkDFbJrF/IobZD1hiBcps7b3oC3ms0e9T
|
||||||
|
usk4wl+oUi2LdTIOVvAag17gdkbH7MXMMOwhbNrV5MEyKpleTfm+R+jo48hRwdrn
|
||||||
|
LMrDR0+f26bIsWILvGE9GIqvoJD3rKDgjTFwmMcM4OLssCgTTy0h93gDbyBrOmA9
|
||||||
|
gJDApWWLq26SkDGIrsp4JcYlcR3m4S2Bjg98PTbz96fATK+AZ/R1Kntbt1J7DcnT
|
||||||
|
th3q4jXFIPUzvZA0r7Ul+UM/OfVr/Ryc023oID5po1zeO3HyVKVxXYY/DgpzWTcq
|
||||||
|
iwGjWM18XRDhUVV7eOJZ4XRcyDhf4eEF8etwFFraXjVVimCCEqgukEQh9azr+kqi
|
||||||
|
IWYoAH0fwVP85u38WqlLS+9in5mKq+lBFI201RpkzsdPDtJMtXTYgw1s6IrQntzF
|
||||||
|
w1PIJ/49b7nZhqvp0sMQGlAKfYTQvQsiAuEfzNiFcTS5Ag0EZnFA5AEQAJNgU4Wg
|
||||||
|
S+DUP9/wutGn9ADAEIZvD+dxpliKFmtfUeLiNAtaEfxmL7YCazlZbJ7tdhplwfJP
|
||||||
|
Es9k7G0K+8k1t+gni9sc7/W/0bB12cbCOxDlfcWATP5RZUfCc7eQVsWm1Sq41W2C
|
||||||
|
WGLqp9oC9jd2KGlReE4tj1PUmYtdHDOLBKr3PJrHHTGaF+4Qem5PVx+4ZmaH0qGT
|
||||||
|
8CmKYdhE0P8EYNImkmYsCo2nf3tbnjxBNAvwb1ljwJ1djFO72huvHslo6oTuQ+W6
|
||||||
|
Bam4m37b+AA/NiXk3RkrL8dwHB/D4G4fk0yflVQFx+0uwYj+Ik5HAri7WISOYfBN
|
||||||
|
Yvb6VPm9cdw/ajF0sV4d1bChroLkw0Y9VW5jEkhwGeLexY+bLP+uLOn9CvSd5iZX
|
||||||
|
kmamBA5c/jDWAibqgADux3OKNOa7JND38axuc67o5BynfW1iw3osU5fa/jdOxogJ
|
||||||
|
xgRq+muWh8rpVGuJHLDcG2TWxC66zEA7Dp8UE/nToIZeP7m6Ihzpo37a33m0BfKH
|
||||||
|
qG2cM4EYjIoFDFlbBbk7RogOXTshVc69JhKUaNNh8zSlCOTjwQedqPb7eW+zkPOc
|
||||||
|
ZdII3a+oLe4j49+QBiRXoJT3QWhqbxQYF5gnv86o/ZhAUrzEW8KAk8vJAHiKJhe1
|
||||||
|
sGHgu0yuiq5Ox4HHBrVBiEgZPxEYo4+xGLz7ABEBAAGJAjwEGAEIACYWIQSIoijY
|
||||||
|
mwfCx30MeAkD1d+M/dPo5wUCZnFA5AIbDAUJEswDAAAKCRAD1d+M/dPo523QD/wM
|
||||||
|
+Tf6y684Vn1HKMMyDLLCv1fFoSdialbf0gieXIlLm9yH0VaAcnMYFN7flYSekISq
|
||||||
|
23uH6ZIcABSfvg4dCCKUUggR3CnUql0SjF9BtFisGiCsDGlH3fNH0d1Ts0FOUdkL
|
||||||
|
TH/U676r08DQu1t0iSdOuDxM9FAo926gJSvyorLx7X94KhUeHhXfmzZ88ydz0ked
|
||||||
|
KFTKoo/LVhxRIoAGUdl98uJ+oycoELAeg7u0djVk+Hkw6ZLnMsjJBYHV3SyOXBpy
|
||||||
|
beQ9O3yK0oNqHW1oIAnHtX/Msqzj+x2+BMpjirsaHWsewnXgDUG/2h1MN67XW1zu
|
||||||
|
boztT8zswALbPfkOxS4Y+evaSnq4W6xF4dGuh2sM6g82pyAHdpBPrp4WEKnAcvi4
|
||||||
|
5EFNZYpKbQVXnDyK4899CCPcsxj56DlVtJRv167WNRBlU6k6MUVZH0F1JLQpxwx5
|
||||||
|
TlohKUa2KBnBZofmCD0xRzV7GbT08KRObSrMqIQU4ILqs2TlhDJhYMurKh7sWKFO
|
||||||
|
CX8wWu1TupOt7Zkf/OPapW2konKTu4h36yoPR6D4JZQhd6zZ+4+BsxgzdKCORPM5
|
||||||
|
DfSh15+evGapxAdUZrt/N4q2o2TdMcaSu4cZQnqu2soBWiNEa1DeBurCwrHJu/tt
|
||||||
|
dEyK6ESk4OGJ2ycirv4skD17gMHNRODFjhAgKgEybg==
|
||||||
|
=m20i
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
@ -1,51 +1,51 @@
|
|||||||
Name: libssh
|
Name: libssh
|
||||||
Version: 0.9.6
|
Version: 0.11.1
|
||||||
Release: 14%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: A library implementing the SSH protocol
|
Summary: A library implementing the SSH protocol
|
||||||
License: LGPLv2+
|
License: LGPL-2.1-or-later
|
||||||
URL: http://www.libssh.org
|
URL: http://www.libssh.org
|
||||||
|
|
||||||
Source0: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
|
Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
|
||||||
Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
|
Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
|
||||||
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
|
Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
|
||||||
Source3: libssh_client.config
|
Source3: libssh_client.config
|
||||||
Source4: libssh_server.config
|
Source4: libssh_server.config
|
||||||
|
# Don't use global openssl.cnf for PKCS#11 URI Tests
|
||||||
Patch0: loglevel.patch
|
# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/543
|
||||||
Patch1: s390x_fix.patch
|
Patch1: libssh-0.11.1-fix-provider-loading.patch
|
||||||
Patch2: null_dereference_rekey.patch
|
|
||||||
Patch3: auth_bypass.patch
|
|
||||||
Patch4: fix_tests.patch
|
|
||||||
Patch5: covscan23.patch
|
|
||||||
Patch6: CVE-2023-48795.patch
|
|
||||||
Patch7: CVE-2023-6004.patch
|
|
||||||
Patch8: CVE-2023-6918.patch
|
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: doxygen
|
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
|
BuildRequires: krb5-server
|
||||||
|
BuildRequires: krb5-workstation
|
||||||
BuildRequires: libcmocka-devel
|
BuildRequires: libcmocka-devel
|
||||||
BuildRequires: openssh-clients
|
|
||||||
BuildRequires: openssh-server
|
|
||||||
BuildRequires: pam_wrapper
|
BuildRequires: pam_wrapper
|
||||||
BuildRequires: socket_wrapper
|
BuildRequires: socket_wrapper
|
||||||
BuildRequires: nss_wrapper
|
BuildRequires: nss_wrapper
|
||||||
BuildRequires: uid_wrapper
|
BuildRequires: uid_wrapper
|
||||||
|
BuildRequires: priv_wrapper
|
||||||
|
BuildRequires: openssh-clients
|
||||||
|
BuildRequires: openssh-server
|
||||||
BuildRequires: nmap-ncat
|
BuildRequires: nmap-ncat
|
||||||
|
BuildRequires: pkcs11-provider
|
||||||
|
BuildRequires: p11-kit-devel
|
||||||
|
BuildRequires: p11-kit-server
|
||||||
|
BuildRequires: opensc
|
||||||
|
BuildRequires: softhsm
|
||||||
|
BuildRequires: gnutls-utils
|
||||||
|
|
||||||
Requires: crypto-policies
|
|
||||||
Requires: %{name}-config = %{version}-%{release}
|
Requires: %{name}-config = %{version}-%{release}
|
||||||
|
|
||||||
%ifarch aarch64 ppc64 ppc64le s390x x86_64
|
Recommends: crypto-policies
|
||||||
Provides: libssh_threads.so()(64bit)
|
|
||||||
|
%ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
|
||||||
Provides: libssh_threads.so.4()(64bit)
|
Provides: libssh_threads.so.4()(64bit)
|
||||||
%else
|
%else
|
||||||
Provides: libssh_threads.so
|
|
||||||
Provides: libssh_threads.so.4
|
Provides: libssh_threads.so.4
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
@ -60,6 +60,7 @@ third-party programs others than libcrypto (from openssl).
|
|||||||
%package devel
|
%package devel
|
||||||
Summary: Development files for %{name}
|
Summary: Development files for %{name}
|
||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: cmake-filesystem
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
The %{name}-devel package contains libraries and header files for developing
|
The %{name}-devel package contains libraries and header files for developing
|
||||||
@ -68,36 +69,30 @@ applications that use %{name}.
|
|||||||
%package config
|
%package config
|
||||||
Summary: Configuration files for %{name}
|
Summary: Configuration files for %{name}
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
Obsoletes: %{name} < 0.9.0-1
|
Obsoletes: %{name} < 0.9.0-3
|
||||||
|
|
||||||
%description config
|
%description config
|
||||||
The %{name}-config package provides the default configuration files for %{name}.
|
The %{name}-config package provides the default configuration files for %{name}.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
if test ! -e "obj"; then
|
%cmake \
|
||||||
mkdir obj
|
|
||||||
fi
|
|
||||||
pushd obj
|
|
||||||
|
|
||||||
%cmake .. \
|
|
||||||
-DUNIT_TESTING=ON \
|
-DUNIT_TESTING=ON \
|
||||||
-DCLIENT_TESTING=ON \
|
-DCLIENT_TESTING=ON \
|
||||||
-DSERVER_TESTING=ON \
|
-DSERVER_TESTING=ON \
|
||||||
|
-DGSSAPI_TESTING=ON \
|
||||||
|
-DWITH_PKCS11_URI=ON \
|
||||||
|
-DWITH_PKCS11_PROVIDER=ON \
|
||||||
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
||||||
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
||||||
|
|
||||||
|
%cmake_build
|
||||||
%make_build VERBOSE=1
|
|
||||||
make docs
|
|
||||||
|
|
||||||
popd
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make DESTDIR=%{buildroot} install/fast -C obj
|
%cmake_install
|
||||||
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
|
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
|
||||||
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
|
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
|
||||||
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
||||||
@ -109,7 +104,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
|||||||
# requiring it to continue working.
|
# requiring it to continue working.
|
||||||
#
|
#
|
||||||
pushd %{buildroot}%{_libdir}
|
pushd %{buildroot}%{_libdir}
|
||||||
for i in libssh.so.4*;
|
for i in libssh.so*;
|
||||||
do
|
do
|
||||||
_target="${i}"
|
_target="${i}"
|
||||||
_link_name="${i%libssh*}libssh_threads${i##*libssh}"
|
_link_name="${i%libssh*}libssh_threads${i##*libssh}"
|
||||||
@ -123,24 +118,22 @@ popd
|
|||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
|
|
||||||
%check
|
%check
|
||||||
pushd obj
|
# Tests are randomly failing when run in parallel
|
||||||
ctest --output-on-failure
|
%global _smp_build_ncpus 1
|
||||||
popd
|
%ctest
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc AUTHORS BSD ChangeLog README
|
%doc AUTHORS BSD CHANGELOG README
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%{_libdir}/libssh.so.4*
|
%{_libdir}/libssh.so.4*
|
||||||
%{_libdir}/libssh_threads.so.4*
|
%{_libdir}/libssh_threads.so.4*
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%doc obj/doc/html
|
|
||||||
%{_includedir}/libssh/
|
%{_includedir}/libssh/
|
||||||
# own this to avoid dep on cmake -- rex
|
|
||||||
%dir %{_libdir}/cmake/
|
|
||||||
%{_libdir}/cmake/libssh/
|
%{_libdir}/cmake/libssh/
|
||||||
%{_libdir}/pkgconfig/libssh.pc
|
%{_libdir}/pkgconfig/libssh.pc
|
||||||
%{_libdir}/libssh.so
|
%{_libdir}/libssh.so
|
||||||
|
%{_libdir}/libssh_threads.so
|
||||||
|
|
||||||
%files config
|
%files config
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/libssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/libssh
|
||||||
@ -148,168 +141,218 @@ popd
|
|||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
|
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.11.1-2
|
||||||
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
|
- Bump release for October 2024 mass rebuild:
|
||||||
- Fix CVE-2023-6918 Missing checks for return values for digests
|
Resolves: RHEL-64018
|
||||||
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
|
|
||||||
of malicious code through hostname
|
|
||||||
- Note: version is bumped from 12 to 14 directly, as the z-stream
|
|
||||||
version in 8.9 also has 13. So bumping it to 14, will prevent
|
|
||||||
upgrade conflicts.
|
|
||||||
- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
|
|
||||||
|
|
||||||
* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
|
* Wed Oct 23 2024 Sahana Prasad <sahana@redhat.com> - 0.11.1-1
|
||||||
- Fix loglevel regression
|
- Rebase to new upstream version 0.11.1
|
||||||
- Related: rhbz#2182251, rhbz#2189742
|
- Resolves: RHEL-64319
|
||||||
|
|
||||||
* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
|
* Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
|
||||||
- .fmf/version is needed to run the tests
|
- Remove the dependency on engine.h
|
||||||
- Related: rhbz#2182251, rhbz#2189742
|
|
||||||
|
|
||||||
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.10.6-7
|
||||||
- Add missing ci.fmf file
|
- Bump release for June 2024 mass rebuild
|
||||||
- Related: rhbz#2182251, rhbz#2189742
|
|
||||||
|
|
||||||
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
|
* Fri Jun 07 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-6
|
||||||
- Fix covscan errors found at gating
|
- Add riscv64
|
||||||
- Related: rhbz#2182251, rhbz#2189742
|
|
||||||
|
|
||||||
* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
|
* Wed May 22 2024 Sahana Prasad <sahana@redhat.com> - 0.10.6-5
|
||||||
- Backport test fixing commits to make the build pass
|
- Build libssh with pkcs11-provider instead of pkcs11 engine
|
||||||
- Related: rhbz#2182251, rhbz#2189742
|
- Resolves: RHEL-30437
|
||||||
|
|
||||||
* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
|
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-4
|
||||||
- Fix NULL dereference during rekeying with algorithm guessing
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
GHSL-2023-032 / CVE-2023-1667
|
|
||||||
- Fix possible authentication bypass
|
|
||||||
GHSL 2023-085 / CVE-2023-2283
|
|
||||||
- Resolves: rhbz#2182251, rhbz#2189742
|
|
||||||
|
|
||||||
* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
|
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-3
|
||||||
- Enable client and server testing build time
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
- Fix failing rekey test on arch s390x
|
|
||||||
- Resolves: rhbz#2126342
|
|
||||||
|
|
||||||
* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
|
* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
|
||||||
- Fix CI configuration for new TMT
|
- Fix regression in IPv6 hosntames parsing
|
||||||
- Resolves: rhbz#2149910
|
|
||||||
|
|
||||||
* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
|
* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
|
||||||
- Make VERBOSE and lower log levels less verbose
|
- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
|
||||||
- Resolves: rhbz#2091512
|
|
||||||
|
|
||||||
* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
|
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
|
||||||
- Remove STI tests
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
|
* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
|
||||||
- Remove bad patch causing errors
|
- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
|
||||||
- Adding BuildRequires for openssh (SSHD support)
|
- Have libssh-devel require cmake-filesystem
|
||||||
|
|
||||||
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
|
||||||
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
|
- Update License to SPDX expression
|
||||||
rekeying with different key exchange mechanism
|
|
||||||
- Rebase to version 0.9.6
|
|
||||||
- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
|
|
||||||
- Resolves: rhbz#1896651, rhbz#1994600
|
|
||||||
|
|
||||||
* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
|
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
|
||||||
- Revert previous commit as it is incorrect.
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
|
||||||
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
|
- Enable pkcs11 support
|
||||||
rekeying with different key exchange mechanism (#1978810)
|
|
||||||
|
|
||||||
* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
|
* Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
|
||||||
- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
|
- Update to version 0.10.4
|
||||||
ssh_buffer_new returns NULL (#1862646)
|
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.4
|
||||||
|
|
||||||
* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
* Fri Sep 02 2022 Andreas Schneider <asn@redhat.com> - 0.10.3-1
|
||||||
- Do not return error when server properly closed the channel (#1849071)
|
- Update to version 0.10.3
|
||||||
|
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.3
|
||||||
|
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.2
|
||||||
|
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.1
|
||||||
|
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.0
|
||||||
|
- Removed libssh-0.9.6-openssh-8.8p1-compat.patch
|
||||||
|
- resolves: rhbz#2121741
|
||||||
|
|
||||||
|
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 28 2022 Jakub Jelen <jjelen@redhat.com> - 0.9.6-4
|
||||||
|
- Fix build-time tests to work with OpenSSH 8.8p1
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 10 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.9.6-2
|
||||||
|
- Skip broken torture_auth tests
|
||||||
|
|
||||||
|
* Wed Sep 15 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
||||||
|
- Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
|
||||||
|
overflow when rekeying
|
||||||
|
- Resolves: rhbz#1994600
|
||||||
|
|
||||||
|
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
|
||||||
|
- Rebuilt with OpenSSL 3.0.0
|
||||||
|
|
||||||
|
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
|
||||||
|
- Update to version 0.9.5
|
||||||
|
https://www.libssh.org/2020/09/10/libssh-0-9-5/
|
||||||
|
- Removed patch to re-enable algorithms using sha1 in sshd for testing
|
||||||
|
- The algorithms supported by sshd are now automatically detected for testing
|
||||||
|
- Resolves: #1862457 - CVE-2020-16135
|
||||||
|
|
||||||
|
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
|
||||||
|
- Second attempt - Rebuilt for
|
||||||
|
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
|
||||||
|
- Do not return error when server properly closed the channel (#1849069)
|
||||||
- Add a test for CVE-2019-14889
|
- Add a test for CVE-2019-14889
|
||||||
- Do not parse configuration file in torture_knownhosts test
|
- Do not parse configuration file in torture_knownhosts test
|
||||||
|
|
||||||
* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
|
* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
||||||
|
- Added patch to fix returned version
|
||||||
|
|
||||||
|
* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
|
||||||
- Update to version 0.9.4
|
- Update to version 0.9.4
|
||||||
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
|
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
|
||||||
- Fixed CVE-2019-14889 (#1781782)
|
|
||||||
- Fixed CVE-2020-1730 (#1802422)
|
|
||||||
- Create missing directories in the path provided for known_hosts files (#1733914)
|
|
||||||
- Removed inclusion of OpenSSH server configuration file from
|
- Removed inclusion of OpenSSH server configuration file from
|
||||||
libssh_server.config (#1821339)
|
libssh_server.config
|
||||||
|
- Added patch to re-enable algorithms using sha1 in sshd for testing
|
||||||
|
- resolves: #1822529 - CVE-2020-1730
|
||||||
|
|
||||||
* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
|
||||||
- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
|
* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
|
||||||
|
- Update to version 0.9.3
|
||||||
|
- resolves: #1781780 - Fixes CVE-2019-14889
|
||||||
|
|
||||||
|
* Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
|
||||||
|
- Upate to version 0.9.2
|
||||||
|
- resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
|
||||||
- Add Obsoletes in libssh-config to avoid conflict with old libssh which
|
- Add Obsoletes in libssh-config to avoid conflict with old libssh which
|
||||||
installed the configuration files.
|
installed the configuration files.
|
||||||
|
|
||||||
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
|
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
|
||||||
- Eliminate circular dependency with libssh-config subpackage
|
- Eliminate circular dependency with libssh-config subpackage
|
||||||
|
|
||||||
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
|
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
|
||||||
- Update to version 0.9.0
|
|
||||||
https://www.libssh.org/2019/06/28/libssh-0-9-0/
|
|
||||||
- Added explicit Requires for crypto-policies
|
|
||||||
- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
|
|
||||||
- Provide the configuration files in a separate libssh-config subpackage
|
- Provide the configuration files in a separate libssh-config subpackage
|
||||||
|
|
||||||
* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
|
* Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
|
||||||
|
- Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
|
||||||
|
|
||||||
|
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
|
||||||
|
- Fixed Release number to released format
|
||||||
|
|
||||||
|
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
|
||||||
|
- Update to version 0.9.0
|
||||||
|
https://www.libssh.org/2019/06/28/libssh-0-9-0/
|
||||||
|
|
||||||
|
* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
|
||||||
- Update to 0.9.0 pre release version (0.8.91)
|
- Update to 0.9.0 pre release version (0.8.91)
|
||||||
- Added default configuration files for client and server
|
- Added default configuration files for client and server
|
||||||
- Removed unused patch files left behind
|
- Follow system-wide crypto configuration (crypto-policies)
|
||||||
- Fixed issues found to run upstream test suite with SELinux
|
- Added Recommends for crypto-policies
|
||||||
|
- Use OpenSSL implementation for KDF, DH, and signatures.
|
||||||
|
- Detect FIPS mode and use only allowed algorithms
|
||||||
|
- Run client and server tests during build
|
||||||
|
|
||||||
* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
|
* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
|
||||||
- Fix more regressions introduced by the fixes for CVE-2018-10933
|
- Update to version 0.8.7
|
||||||
|
https://www.libssh.org/2019/02/25/libssh-0-8-7/
|
||||||
|
|
||||||
* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
|
||||||
|
- Fix rsa-sha2 extension handling (#1666342)
|
||||||
|
|
||||||
|
* Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
|
||||||
|
- Update to version 0.8.6
|
||||||
|
https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
|
||||||
|
|
||||||
|
* Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
|
||||||
- Update to version 0.8.5
|
- Update to version 0.8.5
|
||||||
* Fixed an issue where global known_hosts file was ignored (#1649321)
|
https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
|
||||||
* Fixed ssh_get_fd() to return writable file descriptor (#1649319)
|
|
||||||
* Fixed regression introduced in known_hosts parsing (#1649315)
|
|
||||||
* Fixed a regression which caused only the first algorithm in known_hosts to
|
|
||||||
be considered (#1638790)
|
|
||||||
|
|
||||||
* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
|
* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
|
||||||
- Fix regressions introduced by the fixes for CVE-2018-10933
|
- Update to version 0.8.4
|
||||||
|
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
|
||||||
|
- Fixes CVE-2018-10933
|
||||||
|
|
||||||
* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
|
* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
|
||||||
- Fix for authentication bypass issue in server implementation (#1639926)
|
- Fixed errors found by static code analysis
|
||||||
|
|
||||||
* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
|
* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
|
||||||
- Fixed errors found by static code analysis (#1602594)
|
- Add missing libssh_threads.so link to libssh-devel package
|
||||||
|
|
||||||
* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
|
* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
|
||||||
- Update to version 0.8.3
|
- Update to version 0.8.3
|
||||||
* Added support for rsa-sha2 (#1610882)
|
https://www.libssh.org/2018/09/21/libssh-0-8-3/
|
||||||
* Added support to parse private keys in openssh container format (other than
|
|
||||||
ed25519) (#1622983)
|
|
||||||
* Added support for diffie-hellman-group18-sha512 and
|
|
||||||
diffie-hellman-group16-sha512 (#1610885)
|
|
||||||
* Added ssh_get_fingerprint_hash()
|
|
||||||
* Added ssh_pki_export_privkey_base64()
|
|
||||||
* Added support for Match keyword in config file
|
|
||||||
* Improved performance and reduced memory footprint for sftp
|
|
||||||
* Fixed ecdsa publickey auth
|
|
||||||
* Fixed reading a closed channel
|
|
||||||
* Added support to announce posix-rename@openssh.com and hardlink@openssh.com
|
|
||||||
in the sftp server
|
|
||||||
* Use -fstack-protector-strong if possible (#1624135)
|
|
||||||
|
|
||||||
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
|
* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
|
||||||
- Fix the creation of symbolic links for libssh_threads.so.4
|
- Update to version 0.8.2
|
||||||
|
https://www.libssh.org/2018/08/30/libssh-0-8-2
|
||||||
|
|
||||||
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
|
* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
|
||||||
- Add missing Provides for libssh_threads.so.4
|
- Fix link creation or RPM doesn't install it
|
||||||
|
|
||||||
* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
|
* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
|
||||||
|
- Add missing so version for libssh_threads.so.4
|
||||||
|
|
||||||
|
* Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
|
||||||
- Add Provides for libssh_threads.so to unbreak applications
|
- Add Provides for libssh_threads.so to unbreak applications
|
||||||
- Fix ABIMap detection to not depend on python to build
|
|
||||||
|
|
||||||
* Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
|
* Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
|
||||||
- Update to version 0.8.1
|
- Update to version 0.8.1
|
||||||
https://www.libssh.org/2018/08/13/libssh-0-8-1/
|
https://www.libssh.org/2018/08/13/libssh-0-8-1
|
||||||
|
- resolves: #1615248 - pkg-config --modversion
|
||||||
|
- resolves: #1615132 - library initialization
|
||||||
|
|
||||||
* Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
|
* Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
|
||||||
- Update to version 0.8.0
|
- Update to version 0.8.0
|
||||||
@ -323,7 +366,6 @@ popd
|
|||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
- Related: bug#1614611
|
|
||||||
|
|
||||||
* Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
|
* Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
|
||||||
- resolves: #1540021 - Build against OpenSSL 1.1
|
- resolves: #1540021 - Build against OpenSSL 1.1
|
26
plans/ci.fmf
Normal file
26
plans/ci.fmf
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
/fips-disabled-buildroot-disabled:
|
||||||
|
plan:
|
||||||
|
import:
|
||||||
|
url: https://pkgs.devel.redhat.com/git/tests/libssh
|
||||||
|
name: /plans/ci/fips-disabled-buildroot-disabled
|
||||||
|
|
||||||
|
|
||||||
|
/fips-disabled-buildroot-enabled:
|
||||||
|
plan:
|
||||||
|
import:
|
||||||
|
url: https://pkgs.devel.redhat.com/git/tests/libssh
|
||||||
|
name: /plans/ci/fips-disabled-buildroot-enabled
|
||||||
|
|
||||||
|
|
||||||
|
/fips-enabled-buildroot-disabled:
|
||||||
|
plan:
|
||||||
|
import:
|
||||||
|
url: https://pkgs.devel.redhat.com/git/tests/libssh
|
||||||
|
name: /plans/ci/fips-enabled-buildroot-disabled
|
||||||
|
|
||||||
|
|
||||||
|
/fips-enabled-buildroot-enabled:
|
||||||
|
plan:
|
||||||
|
import:
|
||||||
|
url: https://pkgs.devel.redhat.com/git/tests/libssh
|
||||||
|
name: /plans/ci/fips-enabled-buildroot-enabled
|
2
sources
Normal file
2
sources
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
|
||||||
|
SHA512 (libssh-0.11.1.tar.xz.asc) = 7d1a2f02a9abba5373b1a29a9097fef65e46ff3a22e36bcb3549066d69fbd8e2702ff3b6182bae931282d10256da2ca8a364935b068d6d5bc767d877572ee3e2
|
Loading…
Reference in New Issue
Block a user