Compare commits
No commits in common. "c9s" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
|||||||
1
|
|
62
.gitignore
vendored
62
.gitignore
vendored
@ -1,60 +1,2 @@
|
|||||||
libssh-0.4.4.tar.gz
|
SOURCES/libssh-0.9.6.tar.xz
|
||||||
libssh-0.4.4.tar.gz.asc
|
SOURCES/libssh.keyring
|
||||||
/libssh-0.4.6.tar.gz
|
|
||||||
/libssh-0.4.6.tar.gz.asc
|
|
||||||
/libssh-0.4.8.tar.gz
|
|
||||||
/libssh-0.4.8.tar.gz.asc
|
|
||||||
/libssh-0.5.0.tar.gz
|
|
||||||
/libssh-0.5.0.tar.gz.asc
|
|
||||||
/libssh-0.5.2.tar.gz
|
|
||||||
/libssh-0.5.2.tar.gz.asc
|
|
||||||
/libssh-0.5.3.tar.gz
|
|
||||||
/libssh-0.5.3.tar.asc
|
|
||||||
/libssh-0.5.4.tar.gz
|
|
||||||
/libssh-0.5.4.tar.asc
|
|
||||||
/libssh-0.5.5.tar.gz
|
|
||||||
/libssh-0.5.5.tar.asc
|
|
||||||
/libssh-0.6.0.tar.xz
|
|
||||||
/libssh-0.6.1.tar.xz
|
|
||||||
/libssh-0.6.3.tar.xz
|
|
||||||
/libssh-0.6.4.tar.gz
|
|
||||||
/libssh-0.6.5.tar.xz
|
|
||||||
/libssh-0.7.0.tar.xz
|
|
||||||
/libssh-0.7.1.tar.xz
|
|
||||||
/libssh-0.7.2.tar.xz
|
|
||||||
/libssh-0.7.3.tar.xz
|
|
||||||
/libssh-0.7.4.tar.xz
|
|
||||||
/libssh-0.7.5.tar.xz
|
|
||||||
/libssh-0.8.0.tar.xz
|
|
||||||
/libssh-0.8.0.tar.xz.asc
|
|
||||||
/libssh-0.8.1.tar.xz
|
|
||||||
/libssh-0.8.1.tar.xz.asc
|
|
||||||
/libssh-0.8.2.tar.xz
|
|
||||||
/libssh-0.8.2.tar.xz.asc
|
|
||||||
/libssh-0.8.3.tar.xz
|
|
||||||
/libssh-0.8.3.tar.xz.asc
|
|
||||||
/libssh-0.8.4.tar.xz
|
|
||||||
/libssh-0.8.4.tar.xz.asc
|
|
||||||
/libssh-0.8.5.tar.xz
|
|
||||||
/libssh-0.8.5.tar.xz.asc
|
|
||||||
/libssh-0.8.6.tar.xz
|
|
||||||
/libssh-0.8.6.tar.xz.asc
|
|
||||||
/libssh-0.8.7.tar.xz
|
|
||||||
/libssh-0.8.7.tar.xz.asc
|
|
||||||
/libssh-0.8.91.tar.xz
|
|
||||||
/libssh_client.config
|
|
||||||
/libssh_server.config
|
|
||||||
/libssh-0.9.0.tar.xz
|
|
||||||
/libssh-0.9.0.tar.xz.asc
|
|
||||||
/libssh-0.9.2.tar.xz
|
|
||||||
/libssh-0.9.2.tar.xz.asc
|
|
||||||
/libssh-0.9.3.tar.xz
|
|
||||||
/libssh-0.9.3.tar.xz.asc
|
|
||||||
/libssh-0.9.4.tar.xz
|
|
||||||
/libssh-0.9.4.tar.xz.asc
|
|
||||||
/libssh-0.9.5.tar.xz
|
|
||||||
/libssh-0.9.5.tar.xz.asc
|
|
||||||
/libssh-0.9.6.tar.xz
|
|
||||||
/libssh-0.9.6.tar.xz.asc
|
|
||||||
/libssh-0.10.4.tar.xz
|
|
||||||
/libssh-0.10.4.tar.xz.asc
|
|
||||||
|
2
.libssh.metadata
Normal file
2
.libssh.metadata
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
|
||||||
|
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
|
@ -1,4 +1,4 @@
|
|||||||
From 4cef5e965a46e9271aed62631b152e4bd23c1e3c Mon Sep 17 00:00:00 2001
|
From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
|
||||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||||
Date: Tue, 12 Dec 2023 23:09:57 +0100
|
Date: Tue, 12 Dec 2023 23:09:57 +0100
|
||||||
Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
|
Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
|
||||||
@ -22,10 +22,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|||||||
12 files changed, 126 insertions(+), 69 deletions(-)
|
12 files changed, 126 insertions(+), 69 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
|
diff --git a/include/libssh/packet.h b/include/libssh/packet.h
|
||||||
index 7f10a709..f0c8cb20 100644
|
index 561bba8e..c6fbc3fc 100644
|
||||||
--- a/include/libssh/packet.h
|
--- a/include/libssh/packet.h
|
||||||
+++ b/include/libssh/packet.h
|
+++ b/include/libssh/packet.h
|
||||||
@@ -67,6 +67,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
|
@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
|
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -34,10 +34,10 @@ index 7f10a709..f0c8cb20 100644
|
|||||||
int ssh_packet_parse_type(ssh_session session);
|
int ssh_packet_parse_type(ssh_session session);
|
||||||
//int packet_flush(ssh_session session, int enforce_blocking);
|
//int packet_flush(ssh_session session, int enforce_blocking);
|
||||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||||
index eb14e97a..97936195 100644
|
index 64e118ef..3cde0dd4 100644
|
||||||
--- a/include/libssh/session.h
|
--- a/include/libssh/session.h
|
||||||
+++ b/include/libssh/session.h
|
+++ b/include/libssh/session.h
|
||||||
@@ -81,6 +81,12 @@ enum ssh_pending_call_e {
|
@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
|
||||||
* sending it twice during key exchange to simplify the state machine. */
|
* sending it twice during key exchange to simplify the state machine. */
|
||||||
#define SSH_SESSION_FLAG_KEXINIT_SENT 4
|
#define SSH_SESSION_FLAG_KEXINIT_SENT 4
|
||||||
|
|
||||||
@ -51,7 +51,7 @@ index eb14e97a..97936195 100644
|
|||||||
/* Infinite timeout */
|
/* Infinite timeout */
|
||||||
#define SSH_TIMEOUT_INFINITE -1
|
#define SSH_TIMEOUT_INFINITE -1
|
||||||
diff --git a/src/curve25519.c b/src/curve25519.c
|
diff --git a/src/curve25519.c b/src/curve25519.c
|
||||||
index 66291b5f..4aeb4756 100644
|
index 37654438..6b7b4238 100644
|
||||||
--- a/src/curve25519.c
|
--- a/src/curve25519.c
|
||||||
+++ b/src/curve25519.c
|
+++ b/src/curve25519.c
|
||||||
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
|
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
|
||||||
@ -95,10 +95,10 @@ index 66291b5f..4aeb4756 100644
|
|||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
error:
|
error:
|
||||||
diff --git a/src/dh-gex.c b/src/dh-gex.c
|
diff --git a/src/dh-gex.c b/src/dh-gex.c
|
||||||
index 91617081..642a88ae 100644
|
index 4a298542..f1880270 100644
|
||||||
--- a/src/dh-gex.c
|
--- a/src/dh-gex.c
|
||||||
+++ b/src/dh-gex.c
|
+++ b/src/dh-gex.c
|
||||||
@@ -297,15 +297,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
/* Send the MSG_NEWKEYS */
|
||||||
@ -116,10 +116,10 @@ index 91617081..642a88ae 100644
|
|||||||
|
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
diff --git a/src/dh.c b/src/dh.c
|
diff --git a/src/dh.c b/src/dh.c
|
||||||
index 011d97b3..e19e43d1 100644
|
index c265efcb..1d519c63 100644
|
||||||
--- a/src/dh.c
|
--- a/src/dh.c
|
||||||
+++ b/src/dh.c
|
+++ b/src/dh.c
|
||||||
@@ -398,16 +398,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Send the MSG_NEWKEYS */
|
/* Send the MSG_NEWKEYS */
|
||||||
@ -137,7 +137,7 @@ index 011d97b3..e19e43d1 100644
|
|||||||
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
error:
|
error:
|
||||||
@@ -551,15 +545,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
|
@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
|
||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
|
SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
|
||||||
|
|
||||||
@ -179,10 +179,10 @@ index e5b11ba9..af80beec 100644
|
|||||||
|
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
|
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
|
||||||
index 51084b7a..069b1372 100644
|
index a1de27fd..62578c1b 100644
|
||||||
--- a/src/ecdh_crypto.c
|
--- a/src/ecdh_crypto.c
|
||||||
+++ b/src/ecdh_crypto.c
|
+++ b/src/ecdh_crypto.c
|
||||||
@@ -619,18 +619,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -205,7 +205,7 @@ index 51084b7a..069b1372 100644
|
|||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
error:
|
error:
|
||||||
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
|
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
|
||||||
index 235f2904..3d9d426f 100644
|
index d9c41bf9..dd4332d7 100644
|
||||||
--- a/src/ecdh_gcrypt.c
|
--- a/src/ecdh_gcrypt.c
|
||||||
+++ b/src/ecdh_gcrypt.c
|
+++ b/src/ecdh_gcrypt.c
|
||||||
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||||
@ -230,10 +230,10 @@ index 235f2904..3d9d426f 100644
|
|||||||
gcry_sexp_release(param);
|
gcry_sexp_release(param);
|
||||||
gcry_sexp_release(key);
|
gcry_sexp_release(key);
|
||||||
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
|
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
|
||||||
index cfe017a0..dda73922 100644
|
index 718f1522..45251a42 100644
|
||||||
--- a/src/ecdh_mbedcrypto.c
|
--- a/src/ecdh_mbedcrypto.c
|
||||||
+++ b/src/ecdh_mbedcrypto.c
|
+++ b/src/ecdh_mbedcrypto.c
|
||||||
@@ -318,16 +318,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -255,10 +255,10 @@ index cfe017a0..dda73922 100644
|
|||||||
mbedtls_ecp_group_free(&grp);
|
mbedtls_ecp_group_free(&grp);
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
diff --git a/src/kex.c b/src/kex.c
|
||||||
index b9455d2d..3818297b 100644
|
index 3e5ca6ad..0772cae8 100644
|
||||||
--- a/src/kex.c
|
--- a/src/kex.c
|
||||||
+++ b/src/kex.c
|
+++ b/src/kex.c
|
||||||
@@ -188,6 +188,9 @@
|
@@ -163,6 +163,9 @@
|
||||||
|
|
||||||
/* RFC 8308 */
|
/* RFC 8308 */
|
||||||
#define KEX_EXTENSION_CLIENT "ext-info-c"
|
#define KEX_EXTENSION_CLIENT "ext-info-c"
|
||||||
@ -268,7 +268,7 @@ index b9455d2d..3818297b 100644
|
|||||||
|
|
||||||
/* Allowed algorithms in FIPS mode */
|
/* Allowed algorithms in FIPS mode */
|
||||||
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
|
#define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
|
||||||
@@ -516,6 +519,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
||||||
session->first_kex_follows_guess_wrong ? "wrong" : "right");
|
session->first_kex_follows_guess_wrong ? "wrong" : "right");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -296,7 +296,7 @@ index b9455d2d..3818297b 100644
|
|||||||
if (server_kex) {
|
if (server_kex) {
|
||||||
/*
|
/*
|
||||||
* If client sent a ext-info-c message in the kex list, it supports
|
* If client sent a ext-info-c message in the kex list, it supports
|
||||||
@@ -792,21 +816,21 @@ int ssh_set_client_kex(ssh_session session)
|
@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
|
||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -324,10 +324,10 @@ index b9455d2d..3818297b 100644
|
|||||||
|
|
||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
diff --git a/src/packet.c b/src/packet.c
|
diff --git a/src/packet.c b/src/packet.c
|
||||||
index eb7eb42a..ea73f9ad 100644
|
index ca7a03b7..82965fb3 100644
|
||||||
--- a/src/packet.c
|
--- a/src/packet.c
|
||||||
+++ b/src/packet.c
|
+++ b/src/packet.c
|
||||||
@@ -1314,6 +1314,19 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||||
}
|
}
|
||||||
#endif /* WITH_ZLIB */
|
#endif /* WITH_ZLIB */
|
||||||
payloadsize = ssh_buffer_get_len(session->in_buffer);
|
payloadsize = ssh_buffer_get_len(session->in_buffer);
|
||||||
@ -347,7 +347,27 @@ index eb7eb42a..ea73f9ad 100644
|
|||||||
session->recv_seq++;
|
session->recv_seq++;
|
||||||
if (crypto != NULL) {
|
if (crypto != NULL) {
|
||||||
struct ssh_cipher_struct *cipher = NULL;
|
struct ssh_cipher_struct *cipher = NULL;
|
||||||
@@ -1354,6 +1379,9 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||||
|
SSH_LOG(SSH_LOG_PACKET,
|
||||||
|
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
|
||||||
|
session->in_packet.type, packet_len, padding, compsize, payloadsize);
|
||||||
|
+ if (crypto == NULL) {
|
||||||
|
+ /* In strict kex, only a few packets are allowed. Taint the session
|
||||||
|
+ * if we received packets that are normally allowed but to be
|
||||||
|
+ * refused if we are in strict kex when KEX is over.
|
||||||
|
+ */
|
||||||
|
+ uint8_t type = session->in_packet.type;
|
||||||
|
|
||||||
|
+ if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
|
||||||
|
+ (type < SSH2_MSG_KEXDH_INIT ||
|
||||||
|
+ type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
|
||||||
|
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
/* Check if the packet is expected */
|
||||||
|
filter_result = ssh_packet_incoming_filter(session);
|
||||||
|
|
||||||
|
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
|
||||||
session->in_packet.type);
|
session->in_packet.type);
|
||||||
goto error;
|
goto error;
|
||||||
case SSH_PACKET_UNKNOWN:
|
case SSH_PACKET_UNKNOWN:
|
||||||
@ -357,7 +377,7 @@ index eb7eb42a..ea73f9ad 100644
|
|||||||
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
|
ssh_packet_send_unimplemented(session, session->recv_seq - 1);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -1529,7 +1557,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
|
@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
|
||||||
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
|
SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
|
||||||
ssh_get_error(session));
|
ssh_get_error(session));
|
||||||
}
|
}
|
||||||
@ -391,7 +411,7 @@ index eb7eb42a..ea73f9ad 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** @internal
|
/** @internal
|
||||||
@@ -1842,6 +1896,10 @@ int ssh_packet_send(ssh_session session)
|
@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
|
||||||
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
|
if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
|
||||||
struct ssh_iterator *it;
|
struct ssh_iterator *it;
|
||||||
|
|
||||||
@ -403,10 +423,10 @@ index eb7eb42a..ea73f9ad 100644
|
|||||||
it != NULL;
|
it != NULL;
|
||||||
it = ssh_list_get_iterator(session->out_queue)) {
|
it = ssh_list_get_iterator(session->out_queue)) {
|
||||||
diff --git a/src/packet_cb.c b/src/packet_cb.c
|
diff --git a/src/packet_cb.c b/src/packet_cb.c
|
||||||
index 0ecf8771..2f364c26 100644
|
index 3e4d5f6d..a08f1d8a 100644
|
||||||
--- a/src/packet_cb.c
|
--- a/src/packet_cb.c
|
||||||
+++ b/src/packet_cb.c
|
+++ b/src/packet_cb.c
|
||||||
@@ -115,6 +115,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -429,7 +449,7 @@ index 0ecf8771..2f364c26 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 0870c8db28be9eb457ee3d4f9a168959d9507efd Mon Sep 17 00:00:00 2001
|
From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
|
||||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||||
Date: Tue, 12 Dec 2023 23:30:26 +0100
|
Date: Tue, 12 Dec 2023 23:30:26 +0100
|
||||||
Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
|
Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
|
||||||
@ -444,10 +464,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|||||||
3 files changed, 44 insertions(+), 11 deletions(-)
|
3 files changed, 44 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/libssh/kex.h b/include/libssh/kex.h
|
diff --git a/include/libssh/kex.h b/include/libssh/kex.h
|
||||||
index ede7fa8a..ba98fded 100644
|
index 2ace69b6..40da4ef2 100644
|
||||||
--- a/include/libssh/kex.h
|
--- a/include/libssh/kex.h
|
||||||
+++ b/include/libssh/kex.h
|
+++ b/include/libssh/kex.h
|
||||||
@@ -40,6 +40,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
||||||
int ssh_send_kex(ssh_session session);
|
int ssh_send_kex(ssh_session session);
|
||||||
void ssh_list_kex(struct ssh_kex_struct *kex);
|
void ssh_list_kex(struct ssh_kex_struct *kex);
|
||||||
int ssh_set_client_kex(ssh_session session);
|
int ssh_set_client_kex(ssh_session session);
|
||||||
@ -456,10 +476,10 @@ index ede7fa8a..ba98fded 100644
|
|||||||
int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
|
int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
|
||||||
char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
|
char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
diff --git a/src/kex.c b/src/kex.c
|
||||||
index 3818297b..9ad671db 100644
|
index 0772cae8..e37c176c 100644
|
||||||
--- a/src/kex.c
|
--- a/src/kex.c
|
||||||
+++ b/src/kex.c
|
+++ b/src/kex.c
|
||||||
@@ -763,11 +763,8 @@ int ssh_set_client_kex(ssh_session session)
|
@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
|
||||||
{
|
{
|
||||||
struct ssh_kex_struct *client = &session->next_crypto->client_kex;
|
struct ssh_kex_struct *client = &session->next_crypto->client_kex;
|
||||||
const char *wanted;
|
const char *wanted;
|
||||||
@ -471,7 +491,7 @@ index 3818297b..9ad671db 100644
|
|||||||
|
|
||||||
/* Skip if already set, for example for the rekey or when we do the guessing
|
/* Skip if already set, for example for the rekey or when we do the guessing
|
||||||
* it could have been already used to make some protocol decisions. */
|
* it could have been already used to make some protocol decisions. */
|
||||||
@@ -816,11 +813,33 @@ int ssh_set_client_kex(ssh_session session)
|
@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
|
||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -509,7 +529,7 @@ index 3818297b..9ad671db 100644
|
|||||||
if (kex_len >= MAX_PACKET_LEN) {
|
if (kex_len >= MAX_PACKET_LEN) {
|
||||||
/* Overflow */
|
/* Overflow */
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
@@ -830,9 +849,16 @@ int ssh_set_client_kex(ssh_session session)
|
@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
@ -530,7 +550,7 @@ index 3818297b..9ad671db 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/src/server.c b/src/server.c
|
diff --git a/src/server.c b/src/server.c
|
||||||
index dc070a73..70b90899 100644
|
index ed73e7fb..35e84465 100644
|
||||||
--- a/src/server.c
|
--- a/src/server.c
|
||||||
+++ b/src/server.c
|
+++ b/src/server.c
|
||||||
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
|
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
|
||||||
@ -552,7 +572,7 @@ index dc070a73..70b90899 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 5846e57538c750c5ce67df887d09fa99861c79c6 Mon Sep 17 00:00:00 2001
|
From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
Date: Thu, 14 Dec 2023 12:22:01 +0100
|
Date: Thu, 14 Dec 2023 12:22:01 +0100
|
||||||
Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
|
Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
|
||||||
@ -565,10 +585,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|||||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/kex.c b/src/kex.c
|
diff --git a/src/kex.c b/src/kex.c
|
||||||
index 9ad671db..fbc70cf4 100644
|
index e37c176c..eea3604b 100644
|
||||||
--- a/src/kex.c
|
--- a/src/kex.c
|
||||||
+++ b/src/kex.c
|
+++ b/src/kex.c
|
||||||
@@ -961,11 +961,19 @@ int ssh_kex_select_methods (ssh_session session)
|
@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
|
||||||
enum ssh_key_exchange_e kex_type;
|
enum ssh_key_exchange_e kex_type;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
@ -596,7 +616,7 @@ index 9ad671db..fbc70cf4 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 89df759200d31fc79fbbe213d8eda0d329eebf6d Mon Sep 17 00:00:00 2001
|
From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
Date: Thu, 14 Dec 2023 12:47:48 +0100
|
Date: Thu, 14 Dec 2023 12:47:48 +0100
|
||||||
Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
|
Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
|
||||||
@ -604,11 +624,11 @@ Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
|
|||||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
---
|
---
|
||||||
tests/client/torture_rekey.c | 55 ++++++++++++++++++++----------------
|
tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
|
||||||
1 file changed, 31 insertions(+), 24 deletions(-)
|
1 file changed, 32 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
|
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
|
||||||
index ccd5ae2c..57e03e3f 100644
|
index 13c9a7fe..bfb273af 100644
|
||||||
--- a/tests/client/torture_rekey.c
|
--- a/tests/client/torture_rekey.c
|
||||||
+++ b/tests/client/torture_rekey.c
|
+++ b/tests/client/torture_rekey.c
|
||||||
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
|
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
|
||||||
@ -661,7 +681,25 @@ index ccd5ae2c..57e03e3f 100644
|
|||||||
secret_hash = malloc(c->digest_len);
|
secret_hash = malloc(c->digest_len);
|
||||||
assert_non_null(secret_hash);
|
assert_non_null(secret_hash);
|
||||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
||||||
@@ -468,15 +480,10 @@ static void torture_rekey_different_kex(void **state)
|
@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
|
||||||
|
sftp_file file;
|
||||||
|
mode_t mask;
|
||||||
|
|
||||||
|
- /* The blocks limit is set correctly */
|
||||||
|
- c = s->ssh.session->current_crypto;
|
||||||
|
- assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
|
||||||
|
- assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
|
||||||
|
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
||||||
|
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
||||||
|
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
||||||
|
+ sanity_check_session(state);
|
||||||
|
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
||||||
|
+ c = s->ssh.session->current_crypto;
|
||||||
|
+ assert_non_null(c);
|
||||||
|
secret_hash = malloc(c->digest_len);
|
||||||
|
assert_non_null(secret_hash);
|
||||||
|
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
||||||
|
@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
/* The blocks limit is set correctly */
|
/* The blocks limit is set correctly */
|
||||||
@ -683,47 +721,3 @@ index ccd5ae2c..57e03e3f 100644
|
|||||||
--
|
--
|
||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
diff -up libssh-0.10.4/src/packet.c.CVE-2023-48795.patch libssh-0.10.4/src/packet.c
|
|
||||||
--- libssh-0.10.4/src/packet.c.CVE-2023-48795.patch 2024-01-09 05:46:53.064383034 +0100
|
|
||||||
+++ libssh-0.10.4/src/packet.c 2024-01-09 05:48:28.360340184 +0100
|
|
||||||
@@ -1345,6 +1345,19 @@ size_t ssh_packet_socket_callback(const
|
|
||||||
"packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
|
|
||||||
session->in_packet.type, packet_len, padding, compsize, payloadsize);
|
|
||||||
|
|
||||||
+ if (crypto == NULL) {
|
|
||||||
+ /* In strict kex, only a few packets are allowed. Taint the session
|
|
||||||
+ * if we received packets that are normally allowed but to be
|
|
||||||
+ * refused if we are in strict kex when KEX is over.
|
|
||||||
+ */
|
|
||||||
+ uint8_t type = session->in_packet.type;
|
|
||||||
+
|
|
||||||
+ if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
|
|
||||||
+ (type < SSH2_MSG_KEXDH_INIT ||
|
|
||||||
+ type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
|
|
||||||
+ session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
/* Check if the packet is expected */
|
|
||||||
filter_result = ssh_packet_incoming_filter(session);
|
|
||||||
|
|
||||||
diff -up libssh-0.10.4/tests/client/torture_rekey.c.CVE-2023-48795.patch libssh-0.10.4/tests/client/torture_rekey.c
|
|
||||||
--- libssh-0.10.4/tests/client/torture_rekey.c.CVE-2023-48795.patch 2024-01-09 18:48:16.684366049 +0100
|
|
||||||
+++ libssh-0.10.4/tests/client/torture_rekey.c 2024-01-09 18:50:49.135897268 +0100
|
|
||||||
@@ -290,14 +290,10 @@ static void torture_rekey_recv(void **st
|
|
||||||
mode_t mask;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- /* The blocks limit is set correctly */
|
|
||||||
- c = s->ssh.session->current_crypto;
|
|
||||||
- assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
|
|
||||||
- assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
|
|
||||||
- /* We should have less encrypted packets than transfered (first are not encrypted) */
|
|
||||||
- assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
|
|
||||||
- assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
|
|
||||||
+ sanity_check_session(state);
|
|
||||||
/* Copy the initial secret hash = session_id so we know we changed keys later */
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ assert_non_null(c);
|
|
||||||
secret_hash = malloc(c->digest_len);
|
|
||||||
assert_non_null(secret_hash);
|
|
||||||
memcpy(secret_hash, c->secret_hash, c->digest_len);
|
|
@ -1,4 +1,4 @@
|
|||||||
From c2c56bacab00766d01671413321d564227aabf19 Mon Sep 17 00:00:00 2001
|
From 11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Sun, 5 Nov 2023 13:12:47 +0100
|
Date: Sun, 5 Nov 2023 13:12:47 +0100
|
||||||
Subject: [PATCH 01/12] CVE-2023-6004: torture_config: Allow multiple '@' in
|
Subject: [PATCH 01/12] CVE-2023-6004: torture_config: Allow multiple '@' in
|
||||||
@ -6,98 +6,86 @@ Subject: [PATCH 01/12] CVE-2023-6004: torture_config: Allow multiple '@' in
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
tests/unittests/torture_config.c | 56 +++++++++++++++++---------------
|
tests/unittests/torture_config.c | 44 ++++++++++++++++++--------------
|
||||||
1 file changed, 30 insertions(+), 26 deletions(-)
|
1 file changed, 25 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
||||||
index 406f1985..b7c763af 100644
|
index f91112a9..3a5a74bf 100644
|
||||||
--- a/tests/unittests/torture_config.c
|
--- a/tests/unittests/torture_config.c
|
||||||
+++ b/tests/unittests/torture_config.c
|
+++ b/tests/unittests/torture_config.c
|
||||||
@@ -995,23 +995,22 @@ static void torture_config_proxyjump(void **state,
|
@@ -671,24 +671,40 @@ static void torture_config_proxyjump(void **state) {
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
assert_string_equal(session->opts.ProxyCommand,
|
||||||
"ssh -W [%h]:%p 2620:52:0::fed");
|
"ssh -W [%h]:%p 2620:52:0::fed");
|
||||||
|
|
||||||
- /* In this part, we try various other config files and strings. */
|
|
||||||
-
|
|
||||||
- /* Try to create some invalid configurations */
|
- /* Try to create some invalid configurations */
|
||||||
- /* Non-numeric port */
|
- /* Non-numeric port */
|
||||||
- config = "Host bad-port\n"
|
|
||||||
- "\tProxyJump jumpbox:22bad22\n";
|
|
||||||
+ /* Multiple @ is allowed in second jump */
|
+ /* Multiple @ is allowed in second jump */
|
||||||
+ config = "Host allowed-hostname\n"
|
torture_write_file(LIBSSH_TESTCONFIG11,
|
||||||
+ "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
|
- "Host bad-port\n"
|
||||||
if (file != NULL) {
|
- "\tProxyJump jumpbox:22bad22\n"
|
||||||
torture_write_file(file, config);
|
+ "Host allowed-hostname\n"
|
||||||
} else {
|
+ "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
|
||||||
string = config;
|
"");
|
||||||
}
|
|
||||||
torture_reset_config(session);
|
torture_reset_config(session);
|
||||||
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
|
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
|
||||||
- _parse_config(session, file, string, SSH_ERROR);
|
|
||||||
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
|
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
|
||||||
+ _parse_config(session, file, string, SSH_OK);
|
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
|
||||||
|
- assert_ssh_return_code_equal(session, ret, SSH_ERROR);
|
||||||
|
+ assert_ssh_return_code(session, ret);
|
||||||
+ assert_string_equal(session->opts.ProxyCommand,
|
+ assert_string_equal(session->opts.ProxyCommand,
|
||||||
+ "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost");
|
+ "ssh -J user@principal.com@jumpbox:22 -W [%h]:%p localhost");
|
||||||
|
|
||||||
- /* Too many @ */
|
- /* Too many @ */
|
||||||
- config = "Host bad-hostname\n"
|
|
||||||
+ /* Multiple @ is allowed */
|
+ /* Multiple @ is allowed */
|
||||||
+ config = "Host allowed-hostname\n"
|
torture_write_file(LIBSSH_TESTCONFIG11,
|
||||||
"\tProxyJump user@principal.com@jumpbox:22\n";
|
- "Host bad-hostname\n"
|
||||||
if (file != NULL) {
|
+ "Host allowed-hostname\n"
|
||||||
torture_write_file(file, config);
|
"\tProxyJump user@principal.com@jumpbox:22\n"
|
||||||
@@ -1019,7 +1018,24 @@ static void torture_config_proxyjump(void **state,
|
"");
|
||||||
string = config;
|
|
||||||
}
|
|
||||||
torture_reset_config(session);
|
torture_reset_config(session);
|
||||||
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
|
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
|
||||||
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
|
+ ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
|
||||||
+ _parse_config(session, file, string, SSH_OK);
|
+ ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
|
||||||
|
+ assert_ssh_return_code(session, ret);
|
||||||
+ assert_string_equal(session->opts.ProxyCommand,
|
+ assert_string_equal(session->opts.ProxyCommand,
|
||||||
+ "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox");
|
+ "ssh -l user@principal.com -p 22 -W [%h]:%p jumpbox");
|
||||||
+
|
+
|
||||||
+ /* In this part, we try various other config files and strings. */
|
+ /* In this part, we try various other config files and strings. */
|
||||||
+
|
+
|
||||||
+ /* Try to create some invalid configurations */
|
+ /* Try to create some invalid configurations */
|
||||||
+ /* Non-numeric port */
|
+ /* Non-numeric port */
|
||||||
+ config = "Host bad-port\n"
|
+ torture_write_file(LIBSSH_TESTCONFIG11,
|
||||||
+ "\tProxyJump jumpbox:22bad22\n";
|
+ "Host bad-port\n"
|
||||||
+ if (file != NULL) {
|
+ "\tProxyJump jumpbox:22bad22\n"
|
||||||
+ torture_write_file(file, config);
|
+ "");
|
||||||
+ } else {
|
|
||||||
+ string = config;
|
|
||||||
+ }
|
|
||||||
+ torture_reset_config(session);
|
+ torture_reset_config(session);
|
||||||
+ ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
|
+ ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
|
||||||
_parse_config(session, file, string, SSH_ERROR);
|
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
|
||||||
|
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
|
||||||
|
|
||||||
/* Braces mismatch in hostname */
|
@@ -752,16 +768,6 @@ static void torture_config_proxyjump(void **state) {
|
||||||
@@ -1094,18 +1110,6 @@ static void torture_config_proxyjump(void **state,
|
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port-2");
|
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
|
||||||
_parse_config(session, file, string, SSH_ERROR);
|
|
||||||
|
|
||||||
- /* Too many @ in second jump */
|
- /* Too many @ in second jump */
|
||||||
- config = "Host bad-hostname\n"
|
- torture_write_file(LIBSSH_TESTCONFIG11,
|
||||||
- "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
|
- "Host bad-hostname\n"
|
||||||
- if (file != NULL) {
|
- "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
|
||||||
- torture_write_file(file, config);
|
- "");
|
||||||
- } else {
|
|
||||||
- string = config;
|
|
||||||
- }
|
|
||||||
- torture_reset_config(session);
|
- torture_reset_config(session);
|
||||||
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
|
- ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
|
||||||
- _parse_config(session, file, string, SSH_ERROR);
|
- ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
|
||||||
|
- assert_ssh_return_code_equal(session, ret, SSH_ERROR);
|
||||||
-
|
-
|
||||||
/* Braces mismatch in second jump */
|
/* Braces mismatch in second jump */
|
||||||
config = "Host mismatch\n"
|
torture_write_file(LIBSSH_TESTCONFIG11,
|
||||||
"\tProxyJump localhost,[::1:20\n";
|
"Host mismatch\n"
|
||||||
--
|
--
|
||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From a66b4a6eae6614d200a3625862d77565b96a7cd3 Mon Sep 17 00:00:00 2001
|
From c3234e5f94b96d6e29f0c1c82821c1e3ebb181ed Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Wed, 1 Nov 2023 11:24:43 +0100
|
Date: Wed, 1 Nov 2023 11:24:43 +0100
|
||||||
Subject: [PATCH 02/12] CVE-2023-6004: config_parser: Allow multiple '@' in
|
Subject: [PATCH 02/12] CVE-2023-6004: config_parser: Allow multiple '@' in
|
||||||
@ -105,16 +93,15 @@ Subject: [PATCH 02/12] CVE-2023-6004: config_parser: Allow multiple '@' in
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
src/config_parser.c | 2 +-
|
src/config_parser.c | 2 +-
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/config_parser.c b/src/config_parser.c
|
diff --git a/src/config_parser.c b/src/config_parser.c
|
||||||
index 0d988fec..cf83e2c5 100644
|
index ae2aa2c8..76cca224 100644
|
||||||
--- a/src/config_parser.c
|
--- a/src/config_parser.c
|
||||||
+++ b/src/config_parser.c
|
+++ b/src/config_parser.c
|
||||||
@@ -180,7 +180,7 @@ int ssh_config_parse_uri(const char *tok,
|
@@ -152,7 +152,7 @@ int ssh_config_parse_uri(const char *tok,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Username part (optional) */
|
/* Username part (optional) */
|
||||||
@ -127,7 +114,7 @@ index 0d988fec..cf83e2c5 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 8615c24647f773a5e04203c7459512715d698be1 Mon Sep 17 00:00:00 2001
|
From a5b8bd0d8841296cf71d927824d60f576581243f Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 31 Oct 2023 09:48:52 +0100
|
Date: Tue, 31 Oct 2023 09:48:52 +0100
|
||||||
Subject: [PATCH 03/12] CVE-2023-6004: options: Simplify the hostname parsing
|
Subject: [PATCH 03/12] CVE-2023-6004: options: Simplify the hostname parsing
|
||||||
@ -138,16 +125,15 @@ parsing inside the function of ssh_options_set
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
src/options.c | 40 ++++++++++++++++------------------------
|
src/options.c | 40 ++++++++++++++++------------------------
|
||||||
1 file changed, 16 insertions(+), 24 deletions(-)
|
1 file changed, 16 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
index 6f2c9397..38511455 100644
|
index b5f951ac..7c03e7ab 100644
|
||||||
--- a/src/options.c
|
--- a/src/options.c
|
||||||
+++ b/src/options.c
|
+++ b/src/options.c
|
||||||
@@ -37,6 +37,7 @@
|
@@ -36,6 +36,7 @@
|
||||||
#include "libssh/session.h"
|
#include "libssh/session.h"
|
||||||
#include "libssh/misc.h"
|
#include "libssh/misc.h"
|
||||||
#include "libssh/options.h"
|
#include "libssh/options.h"
|
||||||
@ -155,7 +141,7 @@ index 6f2c9397..38511455 100644
|
|||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
#include "libssh/server.h"
|
#include "libssh/server.h"
|
||||||
#include "libssh/bind.h"
|
#include "libssh/bind.h"
|
||||||
@@ -515,33 +516,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
@@ -490,33 +491,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
ssh_set_error_invalid(session);
|
ssh_set_error_invalid(session);
|
||||||
return -1;
|
return -1;
|
||||||
} else {
|
} else {
|
||||||
@ -167,7 +153,7 @@ index 6f2c9397..38511455 100644
|
|||||||
+ if (rc != SSH_OK) {
|
+ if (rc != SSH_OK) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
- p = strrchr(q, '@');
|
- p = strchr(q, '@');
|
||||||
-
|
-
|
||||||
- SAFE_FREE(session->opts.host);
|
- SAFE_FREE(session->opts.host);
|
||||||
-
|
-
|
||||||
@ -208,7 +194,7 @@ index 6f2c9397..38511455 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From c6180409677c765e6b9ae2b18a3a7a9671ac1dbe Mon Sep 17 00:00:00 2001
|
From efb24b6472e8b87c5832c0590f14e99e82fcdeeb Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 10 Oct 2023 12:44:16 +0200
|
Date: Tue, 10 Oct 2023 12:44:16 +0200
|
||||||
Subject: [PATCH 04/12] CVE-2023-6004: misc: Add function to check allowed
|
Subject: [PATCH 04/12] CVE-2023-6004: misc: Add function to check allowed
|
||||||
@ -219,18 +205,37 @@ allowed because of IPv6 even it is prohibited in domain names.
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
include/libssh/misc.h | 3 ++
|
include/libssh/misc.h | 2 ++
|
||||||
src/misc.c | 68 +++++++++++++++++++++++++++++++++++++++++++
|
src/misc.c | 68 +++++++++++++++++++++++++++++++++++++++++++
|
||||||
2 files changed, 71 insertions(+)
|
2 files changed, 70 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/include/libssh/misc.h b/include/libssh/misc.h
|
||||||
|
index 3cc3b113..a5bee930 100644
|
||||||
|
--- a/include/libssh/misc.h
|
||||||
|
+++ b/include/libssh/misc.h
|
||||||
|
@@ -97,4 +97,6 @@ int ssh_mkdirs(const char *pathname, mode_t mode);
|
||||||
|
int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
|
||||||
|
int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
|
||||||
|
|
||||||
|
+int ssh_check_hostname_syntax(const char *hostname);
|
||||||
|
+
|
||||||
|
#endif /* MISC_H_ */
|
||||||
diff --git a/src/misc.c b/src/misc.c
|
diff --git a/src/misc.c b/src/misc.c
|
||||||
index 7c478a77..be6ee836 100644
|
index 149eb85e..e4239e81 100644
|
||||||
--- a/src/misc.c
|
--- a/src/misc.c
|
||||||
+++ b/src/misc.c
|
+++ b/src/misc.c
|
||||||
@@ -1974,4 +1976,70 @@ char *ssh_strerror(int err_num, char *buf, size_t buflen)
|
@@ -94,6 +94,8 @@
|
||||||
#endif /* defined(__linux__) && defined(__GLIBC__) && defined(_GNU_SOURCE) */
|
#define ZLIB_STRING ""
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define ARPA_DOMAIN_MAX_LEN 63
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* @defgroup libssh_misc The SSH helper functions.
|
||||||
|
* @ingroup libssh
|
||||||
|
@@ -1734,4 +1736,70 @@ int ssh_newline_vis(const char *string, char *buf, size_t buf_len)
|
||||||
|
return out - buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
+/**
|
+/**
|
||||||
@ -304,7 +309,7 @@ index 7c478a77..be6ee836 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 9bbb817c0c5434f03613d0783b2ef5f52235b901 Mon Sep 17 00:00:00 2001
|
From 234ecdf4d9705efa3727a54dcc1ddfe6377c7bf6 Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 10 Oct 2023 12:45:28 +0200
|
Date: Tue, 10 Oct 2023 12:45:28 +0200
|
||||||
Subject: [PATCH 05/12] CVE-2023-6004: torture_misc: Add test for
|
Subject: [PATCH 05/12] CVE-2023-6004: torture_misc: Add test for
|
||||||
@ -312,17 +317,16 @@ Subject: [PATCH 05/12] CVE-2023-6004: torture_misc: Add test for
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
tests/unittests/torture_misc.c | 73 ++++++++++++++++++++++++++++++++++
|
tests/unittests/torture_misc.c | 73 ++++++++++++++++++++++++++++++++++
|
||||||
1 file changed, 73 insertions(+)
|
1 file changed, 73 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
||||||
index 9e346ff8..e682b6d4 100644
|
index 0a48abbe..d14f4254 100644
|
||||||
--- a/tests/unittests/torture_misc.c
|
--- a/tests/unittests/torture_misc.c
|
||||||
+++ b/tests/unittests/torture_misc.c
|
+++ b/tests/unittests/torture_misc.c
|
||||||
@@ -760,6 +760,78 @@ static void torture_ssh_strerror(void **state)
|
@@ -656,6 +656,78 @@ static void torture_ssh_newline_vis(UNUSED_PARAM(void **state))
|
||||||
assert_non_null(out);
|
assert_string_equal(buffer, "a\\nb\\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
+static void torture_ssh_check_hostname_syntax(void **state)
|
+static void torture_ssh_check_hostname_syntax(void **state)
|
||||||
@ -400,10 +404,10 @@ index 9e346ff8..e682b6d4 100644
|
|||||||
int torture_run_tests(void) {
|
int torture_run_tests(void) {
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
@@ -784,6 +856,7 @@ int torture_run_tests(void) {
|
@@ -678,6 +750,7 @@ int torture_run_tests(void) {
|
||||||
|
cmocka_unit_test(torture_ssh_newline_vis),
|
||||||
|
cmocka_unit_test(torture_ssh_mkdirs),
|
||||||
cmocka_unit_test(torture_ssh_quote_file_name),
|
cmocka_unit_test(torture_ssh_quote_file_name),
|
||||||
cmocka_unit_test(torture_ssh_strreplace),
|
|
||||||
cmocka_unit_test(torture_ssh_strerror),
|
|
||||||
+ cmocka_unit_test(torture_ssh_check_hostname_syntax),
|
+ cmocka_unit_test(torture_ssh_check_hostname_syntax),
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -412,7 +416,7 @@ index 9e346ff8..e682b6d4 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 22492b69bba22b102342afc574800d354a08e405 Mon Sep 17 00:00:00 2001
|
From 4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 10 Oct 2023 18:33:56 +0200
|
Date: Tue, 10 Oct 2023 18:33:56 +0200
|
||||||
Subject: [PATCH 06/12] CVE-2023-6004: config_parser: Check for valid syntax of
|
Subject: [PATCH 06/12] CVE-2023-6004: config_parser: Check for valid syntax of
|
||||||
@ -423,13 +427,12 @@ The domain name syntax checker is based on RFC1035.
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
src/config_parser.c | 12 +++++++++++-
|
src/config_parser.c | 10 ++++++++++
|
||||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
diff --git a/src/config_parser.c b/src/config_parser.c
|
diff --git a/src/config_parser.c b/src/config_parser.c
|
||||||
index cf83e2c5..b8b94611 100644
|
index 76cca224..87bac5d4 100644
|
||||||
--- a/src/config_parser.c
|
--- a/src/config_parser.c
|
||||||
+++ b/src/config_parser.c
|
+++ b/src/config_parser.c
|
||||||
@@ -30,6 +30,7 @@
|
@@ -30,6 +30,7 @@
|
||||||
@ -438,9 +441,9 @@ index cf83e2c5..b8b94611 100644
|
|||||||
#include "libssh/priv.h"
|
#include "libssh/priv.h"
|
||||||
+#include "libssh/misc.h"
|
+#include "libssh/misc.h"
|
||||||
|
|
||||||
/* Returns the original string after skipping the leading whitespace
|
char *ssh_config_get_cmd(char **str)
|
||||||
* and optional quotes.
|
{
|
||||||
@@ -167,6 +168,7 @@ int ssh_config_parse_uri(const char *tok,
|
@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
|
||||||
{
|
{
|
||||||
char *endp = NULL;
|
char *endp = NULL;
|
||||||
long port_n;
|
long port_n;
|
||||||
@ -448,7 +451,7 @@ index cf83e2c5..b8b94611 100644
|
|||||||
|
|
||||||
/* Sanitize inputs */
|
/* Sanitize inputs */
|
||||||
if (username != NULL) {
|
if (username != NULL) {
|
||||||
@@ -224,6 +226,14 @@ int ssh_config_parse_uri(const char *tok,
|
@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
|
||||||
if (*hostname == NULL) {
|
if (*hostname == NULL) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@ -467,7 +470,7 @@ index cf83e2c5..b8b94611 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From d7467498fd988949edde9c6384973250fd454a8b Mon Sep 17 00:00:00 2001
|
From 8cf4f4bfda968ab526c1a601ea1030bbaccaba17 Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 10 Oct 2023 10:28:47 +0200
|
Date: Tue, 10 Oct 2023 10:28:47 +0200
|
||||||
Subject: [PATCH 07/12] CVE-2023-6004: torture_proxycommand: Add test for
|
Subject: [PATCH 07/12] CVE-2023-6004: torture_proxycommand: Add test for
|
||||||
@ -475,16 +478,15 @@ Subject: [PATCH 07/12] CVE-2023-6004: torture_proxycommand: Add test for
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
tests/client/torture_proxycommand.c | 53 +++++++++++++++++++++++++++++
|
tests/client/torture_proxycommand.c | 53 +++++++++++++++++++++++++++++
|
||||||
1 file changed, 53 insertions(+)
|
1 file changed, 53 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/client/torture_proxycommand.c b/tests/client/torture_proxycommand.c
|
diff --git a/tests/client/torture_proxycommand.c b/tests/client/torture_proxycommand.c
|
||||||
index 9b8019ca..1bad4ccc 100644
|
index c04ff2ab..dc17f3d8 100644
|
||||||
--- a/tests/client/torture_proxycommand.c
|
--- a/tests/client/torture_proxycommand.c
|
||||||
+++ b/tests/client/torture_proxycommand.c
|
+++ b/tests/client/torture_proxycommand.c
|
||||||
@@ -166,6 +166,56 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
|
@@ -161,6 +161,56 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
|
||||||
assert_int_equal(rc & O_RDWR, O_RDWR);
|
assert_int_equal(rc & O_RDWR, O_RDWR);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -541,7 +543,7 @@ index 9b8019ca..1bad4ccc 100644
|
|||||||
int torture_run_tests(void) {
|
int torture_run_tests(void) {
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
@@ -181,6 +231,9 @@ int torture_run_tests(void) {
|
@@ -176,6 +226,9 @@ int torture_run_tests(void) {
|
||||||
cmocka_unit_test_setup_teardown(torture_options_set_proxycommand_ssh_stderr,
|
cmocka_unit_test_setup_teardown(torture_options_set_proxycommand_ssh_stderr,
|
||||||
session_setup,
|
session_setup,
|
||||||
session_teardown),
|
session_teardown),
|
||||||
@ -555,23 +557,22 @@ index 9b8019ca..1bad4ccc 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 62d3101c1f76b6891b70c50154e0e934d6b8cb57 Mon Sep 17 00:00:00 2001
|
From a0dbe0d556e073804cc549802569577bb24757d9 Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Mon, 6 Nov 2023 20:11:38 +0100
|
Date: Mon, 6 Nov 2023 20:11:38 +0100
|
||||||
Subject: [PATCH 08/12] CVE-2023-6004: torture_misc: Add test for ssh_is_ipaddr
|
Subject: [PATCH 08/12] CVE-2023-6004: torture_misc: Add test for ssh_is_ipaddr
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
tests/unittests/torture_misc.c | 26 ++++++++++++++++++++++++++
|
tests/unittests/torture_misc.c | 26 ++++++++++++++++++++++++++
|
||||||
1 file changed, 26 insertions(+)
|
1 file changed, 26 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
||||||
index e682b6d4..b07392ab 100644
|
index d14f4254..073bc54c 100644
|
||||||
--- a/tests/unittests/torture_misc.c
|
--- a/tests/unittests/torture_misc.c
|
||||||
+++ b/tests/unittests/torture_misc.c
|
+++ b/tests/unittests/torture_misc.c
|
||||||
@@ -832,6 +832,31 @@ static void torture_ssh_check_hostname_syntax(void **state)
|
@@ -728,6 +728,31 @@ static void torture_ssh_check_hostname_syntax(void **state)
|
||||||
assert_int_equal(rc, SSH_ERROR);
|
assert_int_equal(rc, SSH_ERROR);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -603,9 +604,9 @@ index e682b6d4..b07392ab 100644
|
|||||||
int torture_run_tests(void) {
|
int torture_run_tests(void) {
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
@@ -857,6 +882,7 @@ int torture_run_tests(void) {
|
@@ -751,6 +776,7 @@ int torture_run_tests(void) {
|
||||||
cmocka_unit_test(torture_ssh_strreplace),
|
cmocka_unit_test(torture_ssh_mkdirs),
|
||||||
cmocka_unit_test(torture_ssh_strerror),
|
cmocka_unit_test(torture_ssh_quote_file_name),
|
||||||
cmocka_unit_test(torture_ssh_check_hostname_syntax),
|
cmocka_unit_test(torture_ssh_check_hostname_syntax),
|
||||||
+ cmocka_unit_test(torture_ssh_is_ipaddr),
|
+ cmocka_unit_test(torture_ssh_is_ipaddr),
|
||||||
};
|
};
|
||||||
@ -615,35 +616,57 @@ index e682b6d4..b07392ab 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From cea841d71c025f9c998b7d5fc9f2a2839df62921 Mon Sep 17 00:00:00 2001
|
From cdaec0d6273243a03f460cc5ba1a2265b4afb93a Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 28 Nov 2023 15:26:45 +0100
|
Date: Tue, 28 Nov 2023 15:26:45 +0100
|
||||||
Subject: [PATCH 09/12] CVE-2023-6004 misc: Add ipv6 link-local check for an ip
|
Subject: [PATCH 09/12] CVE-2023-6004: misc: Add ipv6 link-local check for an
|
||||||
address
|
ip address
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
src/CMakeLists.txt | 1 +
|
src/CMakeLists.txt | 17 ++++++++++-------
|
||||||
src/connect.c | 2 +-
|
src/connect.c | 2 +-
|
||||||
src/misc.c | 44 ++++++++++++++++++++++++++++++++++++++------
|
src/misc.c | 44 ++++++++++++++++++++++++++++++++++++++------
|
||||||
3 files changed, 40 insertions(+), 7 deletions(-)
|
3 files changed, 49 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
|
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
|
||||||
index d6245c0d..807313b5 100644
|
index a576cf71..fc401793 100644
|
||||||
--- a/src/CMakeLists.txt
|
--- a/src/CMakeLists.txt
|
||||||
+++ b/src/CMakeLists.txt
|
+++ b/src/CMakeLists.txt
|
||||||
@@ -91,6 +91,7 @@ endif()
|
@@ -9,13 +9,6 @@ set(LIBSSH_LINK_LIBRARIES
|
||||||
if (WIN32)
|
${LIBSSH_REQUIRED_LIBRARIES}
|
||||||
set(LIBSSH_LINK_LIBRARIES
|
|
||||||
${LIBSSH_LINK_LIBRARIES}
|
|
||||||
+ iphlpapi
|
|
||||||
ws2_32
|
|
||||||
)
|
)
|
||||||
endif (WIN32)
|
|
||||||
|
-if (WIN32)
|
||||||
|
- set(LIBSSH_LINK_LIBRARIES
|
||||||
|
- ${LIBSSH_LINK_LIBRARIES}
|
||||||
|
- ws2_32
|
||||||
|
- )
|
||||||
|
-endif (WIN32)
|
||||||
|
-
|
||||||
|
if (OPENSSL_CRYPTO_LIBRARIES)
|
||||||
|
set(LIBSSH_PRIVATE_INCLUDE_DIRS
|
||||||
|
${LIBSSH_PRIVATE_INCLUDE_DIRS}
|
||||||
|
@@ -93,6 +86,16 @@ if (MINGW AND Threads_FOUND)
|
||||||
|
)
|
||||||
|
endif()
|
||||||
|
|
||||||
|
+# This needs to be last for mingw to build
|
||||||
|
+# https://gitlab.com/libssh/libssh-mirror/-/issues/84
|
||||||
|
+if (WIN32)
|
||||||
|
+ set(LIBSSH_LINK_LIBRARIES
|
||||||
|
+ ${LIBSSH_LINK_LIBRARIES}
|
||||||
|
+ iphlpapi
|
||||||
|
+ ws2_32
|
||||||
|
+ )
|
||||||
|
+endif (WIN32)
|
||||||
|
+
|
||||||
|
if (BUILD_STATIC_LIB)
|
||||||
|
set(LIBSSH_STATIC_LIBRARY
|
||||||
|
ssh_static
|
||||||
diff --git a/src/connect.c b/src/connect.c
|
diff --git a/src/connect.c b/src/connect.c
|
||||||
index 57e37e63..15cae644 100644
|
index ce4d58df..ca62dcf0 100644
|
||||||
--- a/src/connect.c
|
--- a/src/connect.c
|
||||||
+++ b/src/connect.c
|
+++ b/src/connect.c
|
||||||
@@ -136,7 +136,7 @@ static int getai(const char *host, int port, struct addrinfo **ai)
|
@@ -136,7 +136,7 @@ static int getai(const char *host, int port, struct addrinfo **ai)
|
||||||
@ -656,7 +679,7 @@ index 57e37e63..15cae644 100644
|
|||||||
SSH_LOG(SSH_LOG_PACKET, "host %s matches an IP address", host);
|
SSH_LOG(SSH_LOG_PACKET, "host %s matches an IP address", host);
|
||||||
hints.ai_flags |= AI_NUMERICHOST;
|
hints.ai_flags |= AI_NUMERICHOST;
|
||||||
diff --git a/src/misc.c b/src/misc.c
|
diff --git a/src/misc.c b/src/misc.c
|
||||||
index be6ee836..7081f12a 100644
|
index e4239e81..6f5d2d60 100644
|
||||||
--- a/src/misc.c
|
--- a/src/misc.c
|
||||||
+++ b/src/misc.c
|
+++ b/src/misc.c
|
||||||
@@ -32,6 +32,7 @@
|
@@ -32,6 +32,7 @@
|
||||||
@ -675,9 +698,9 @@ index be6ee836..7081f12a 100644
|
|||||||
|
|
||||||
#ifdef HAVE_IO_H
|
#ifdef HAVE_IO_H
|
||||||
#include <io.h>
|
#include <io.h>
|
||||||
@@ -222,22 +224,37 @@ int ssh_is_ipaddr_v4(const char *str)
|
@@ -216,22 +218,37 @@ int ssh_is_ipaddr_v4(const char *str) {
|
||||||
int ssh_is_ipaddr(const char *str)
|
|
||||||
{
|
int ssh_is_ipaddr(const char *str) {
|
||||||
int rc = SOCKET_ERROR;
|
int rc = SOCKET_ERROR;
|
||||||
+ char *s = strdup(str);
|
+ char *s = strdup(str);
|
||||||
|
|
||||||
@ -716,9 +739,9 @@ index be6ee836..7081f12a 100644
|
|||||||
return ssh_is_ipaddr_v4(str);
|
return ssh_is_ipaddr_v4(str);
|
||||||
}
|
}
|
||||||
#else /* _WIN32 */
|
#else /* _WIN32 */
|
||||||
@@ -343,17 +360,32 @@ int ssh_is_ipaddr_v4(const char *str)
|
@@ -335,17 +352,32 @@ int ssh_is_ipaddr_v4(const char *str) {
|
||||||
int ssh_is_ipaddr(const char *str)
|
|
||||||
{
|
int ssh_is_ipaddr(const char *str) {
|
||||||
int rc = -1;
|
int rc = -1;
|
||||||
+ char *s = strdup(str);
|
+ char *s = strdup(str);
|
||||||
|
|
||||||
@ -756,7 +779,7 @@ index be6ee836..7081f12a 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 2c492ee179d5caa2718c5e768bab6e0b2b64a8b0 Mon Sep 17 00:00:00 2001
|
From 6a8a18c73e73a338283dfbade0a7d83e5cfafe3b Mon Sep 17 00:00:00 2001
|
||||||
From: Norbert Pocs <norbertpocs0@gmail.com>
|
From: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Date: Tue, 28 Nov 2023 15:27:31 +0100
|
Date: Tue, 28 Nov 2023 15:27:31 +0100
|
||||||
Subject: [PATCH 10/12] CVE-2023-6004: torture_misc: Add tests for ipv6
|
Subject: [PATCH 10/12] CVE-2023-6004: torture_misc: Add tests for ipv6
|
||||||
@ -764,17 +787,16 @@ Subject: [PATCH 10/12] CVE-2023-6004: torture_misc: Add tests for ipv6
|
|||||||
|
|
||||||
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
|
||||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
---
|
||||||
tests/unittests/torture_misc.c | 20 ++++++++++++++++++++
|
tests/unittests/torture_misc.c | 20 ++++++++++++++++++++
|
||||||
1 file changed, 20 insertions(+)
|
1 file changed, 20 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
||||||
index b07392ab..77166759 100644
|
index 073bc54c..f16b766e 100644
|
||||||
--- a/tests/unittests/torture_misc.c
|
--- a/tests/unittests/torture_misc.c
|
||||||
+++ b/tests/unittests/torture_misc.c
|
+++ b/tests/unittests/torture_misc.c
|
||||||
@@ -17,7 +17,14 @@
|
@@ -17,7 +17,14 @@
|
||||||
#include "torture.h"
|
#include "misc.c"
|
||||||
#include "error.c"
|
#include "error.c"
|
||||||
|
|
||||||
+#ifdef _WIN32
|
+#ifdef _WIN32
|
||||||
@ -788,7 +810,7 @@ index b07392ab..77166759 100644
|
|||||||
|
|
||||||
const char template[] = "temp_dir_XXXXXX";
|
const char template[] = "temp_dir_XXXXXX";
|
||||||
|
|
||||||
@@ -834,14 +841,27 @@ static void torture_ssh_check_hostname_syntax(void **state)
|
@@ -730,14 +737,27 @@ static void torture_ssh_check_hostname_syntax(void **state)
|
||||||
|
|
||||||
static void torture_ssh_is_ipaddr(void **state) {
|
static void torture_ssh_is_ipaddr(void **state) {
|
||||||
int rc;
|
int rc;
|
||||||
@ -820,7 +842,7 @@ index b07392ab..77166759 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 1a02364b5107a4125ea3cb76fcdb6beabaebf3be Mon Sep 17 00:00:00 2001
|
From 72f59157e6ccbd4c0bb806690931413169a0886f Mon Sep 17 00:00:00 2001
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
Date: Fri, 22 Dec 2023 10:32:40 +0100
|
Date: Fri, 22 Dec 2023 10:32:40 +0100
|
||||||
Subject: [PATCH 11/12] Fix regression in IPv6 addresses in hostname parsing
|
Subject: [PATCH 11/12] Fix regression in IPv6 addresses in hostname parsing
|
||||||
@ -836,10 +858,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|||||||
4 files changed, 23 insertions(+), 18 deletions(-)
|
4 files changed, 23 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
|
diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
|
||||||
index a7dd42a2..ca353432 100644
|
index e974917c..ee647bfb 100644
|
||||||
--- a/include/libssh/config_parser.h
|
--- a/include/libssh/config_parser.h
|
||||||
+++ b/include/libssh/config_parser.h
|
+++ b/include/libssh/config_parser.h
|
||||||
@@ -30,6 +30,8 @@
|
@@ -26,6 +26,8 @@
|
||||||
#ifndef CONFIG_PARSER_H_
|
#ifndef CONFIG_PARSER_H_
|
||||||
#define CONFIG_PARSER_H_
|
#define CONFIG_PARSER_H_
|
||||||
|
|
||||||
@ -848,11 +870,31 @@ index a7dd42a2..ca353432 100644
|
|||||||
char *ssh_config_get_cmd(char **str);
|
char *ssh_config_get_cmd(char **str);
|
||||||
|
|
||||||
char *ssh_config_get_token(char **str);
|
char *ssh_config_get_token(char **str);
|
||||||
|
@@ -45,13 +47,16 @@ int ssh_config_get_yesno(char **str, int notfound);
|
||||||
|
* be stored or NULL if we do not care about the result.
|
||||||
|
* @param[out] port Pointer to the location, where the new port will
|
||||||
|
* be stored or NULL if we do not care about the result.
|
||||||
|
+ * @param[in] ignore_port Set to true if the we should not attempt to parse
|
||||||
|
+ * port number.
|
||||||
|
*
|
||||||
|
* @returns SSH_OK if the provided string is in format of SSH URI,
|
||||||
|
* SSH_ERROR on failure
|
||||||
|
*/
|
||||||
|
int ssh_config_parse_uri(const char *tok,
|
||||||
|
- char **username,
|
||||||
|
- char **hostname,
|
||||||
|
- char **port);
|
||||||
|
+ char **username,
|
||||||
|
+ char **hostname,
|
||||||
|
+ char **port,
|
||||||
|
+ bool ignore_port);
|
||||||
|
|
||||||
|
#endif /* LIBSSH_CONFIG_H_ */
|
||||||
diff --git a/src/config.c b/src/config.c
|
diff --git a/src/config.c b/src/config.c
|
||||||
index c5c40125..273db7c8 100644
|
index 54ada276..a813568d 100644
|
||||||
--- a/src/config.c
|
--- a/src/config.c
|
||||||
+++ b/src/config.c
|
+++ b/src/config.c
|
||||||
@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
@@ -324,7 +324,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
||||||
}
|
}
|
||||||
if (parse_entry) {
|
if (parse_entry) {
|
||||||
/* We actually care only about the first item */
|
/* We actually care only about the first item */
|
||||||
@ -861,7 +903,7 @@ index c5c40125..273db7c8 100644
|
|||||||
/* The rest of the list needs to be passed on */
|
/* The rest of the list needs to be passed on */
|
||||||
if (endp != NULL) {
|
if (endp != NULL) {
|
||||||
next = strdup(endp + 1);
|
next = strdup(endp + 1);
|
||||||
@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
@@ -335,7 +335,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* The rest is just sanity-checked to avoid failures later */
|
/* The rest is just sanity-checked to avoid failures later */
|
||||||
@ -871,10 +913,10 @@ index c5c40125..273db7c8 100644
|
|||||||
if (rv != SSH_OK) {
|
if (rv != SSH_OK) {
|
||||||
goto out;
|
goto out;
|
||||||
diff --git a/src/config_parser.c b/src/config_parser.c
|
diff --git a/src/config_parser.c b/src/config_parser.c
|
||||||
index b8b94611..d4b2d2c3 100644
|
index 87bac5d4..a2da0a62 100644
|
||||||
--- a/src/config_parser.c
|
--- a/src/config_parser.c
|
||||||
+++ b/src/config_parser.c
|
+++ b/src/config_parser.c
|
||||||
@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
|
@@ -134,9 +134,10 @@ int ssh_config_get_yesno(char **str, int notfound)
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssh_config_parse_uri(const char *tok,
|
int ssh_config_parse_uri(const char *tok,
|
||||||
@ -888,7 +930,7 @@ index b8b94611..d4b2d2c3 100644
|
|||||||
{
|
{
|
||||||
char *endp = NULL;
|
char *endp = NULL;
|
||||||
long port_n;
|
long port_n;
|
||||||
@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
|
@@ -182,12 +183,17 @@ int ssh_config_parse_uri(const char *tok,
|
||||||
if (endp == NULL) {
|
if (endp == NULL) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@ -909,10 +951,10 @@ index b8b94611..d4b2d2c3 100644
|
|||||||
if (tok == endp) {
|
if (tok == endp) {
|
||||||
/* Zero-length hostnames are not valid */
|
/* Zero-length hostnames are not valid */
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
index 38511455..b3ecffe1 100644
|
index 7c03e7ab..0890ff2e 100644
|
||||||
--- a/src/options.c
|
--- a/src/options.c
|
||||||
+++ b/src/options.c
|
+++ b/src/options.c
|
||||||
@@ -516,17 +516,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
@@ -491,17 +491,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
ssh_set_error_invalid(session);
|
ssh_set_error_invalid(session);
|
||||||
return -1;
|
return -1;
|
||||||
} else {
|
} else {
|
||||||
@ -936,7 +978,7 @@ index 38511455..b3ecffe1 100644
|
|||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
From 6f1b1e76bb38bc89819132e1810e4301ec9034a4 Mon Sep 17 00:00:00 2001
|
From 5dc10ff63ca2e8db91abfdccf1d095f5b4261b8e Mon Sep 17 00:00:00 2001
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
Date: Fri, 22 Dec 2023 09:52:18 +0100
|
Date: Fri, 22 Dec 2023 09:52:18 +0100
|
||||||
Subject: [PATCH 12/12] tests: Increase test coverage for IPv6 address parsing
|
Subject: [PATCH 12/12] tests: Increase test coverage for IPv6 address parsing
|
||||||
@ -951,15 +993,23 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|||||||
(cherry picked from commit 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d)
|
(cherry picked from commit 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d)
|
||||||
---
|
---
|
||||||
tests/unittests/torture_config.c | 49 +++++++++++++++++++++++++++++++
|
tests/unittests/torture_config.c | 49 +++++++++++++++++++++++++++++++
|
||||||
tests/unittests/torture_options.c | 16 ++++++++++
|
tests/unittests/torture_options.c | 22 ++++++++++++++
|
||||||
2 files changed, 65 insertions(+)
|
2 files changed, 71 insertions(+)
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
||||||
index b7c763af..26a24215 100644
|
index 3a5a74bf..d8097e79 100644
|
||||||
--- a/tests/unittests/torture_config.c
|
--- a/tests/unittests/torture_config.c
|
||||||
+++ b/tests/unittests/torture_config.c
|
+++ b/tests/unittests/torture_config.c
|
||||||
@@ -1850,6 +1850,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
|
@@ -2,6 +2,7 @@
|
||||||
torture_config_make_absolute_int(state, 1);
|
|
||||||
|
#define LIBSSH_STATIC
|
||||||
|
|
||||||
|
+#include <errno.h>
|
||||||
|
#include "torture.h"
|
||||||
|
#include "libssh/options.h"
|
||||||
|
#include "libssh/session.h"
|
||||||
|
@@ -997,6 +998,53 @@ static void torture_config_match_pattern(void **state)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
+static void torture_config_parse_uri(void **state)
|
+static void torture_config_parse_uri(void **state)
|
||||||
@ -1009,23 +1059,22 @@ index b7c763af..26a24215 100644
|
|||||||
+ SAFE_FREE(hostname);
|
+ SAFE_FREE(hostname);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
int torture_run_tests(void)
|
|
||||||
{
|
int torture_run_tests(void) {
|
||||||
int rc;
|
int rc;
|
||||||
@@ -1922,6 +1969,8 @@ int torture_run_tests(void)
|
@@ -1012,6 +1060,7 @@ int torture_run_tests(void) {
|
||||||
setup, teardown),
|
cmocka_unit_test(torture_config_rekey),
|
||||||
cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
|
cmocka_unit_test(torture_config_pubkeyacceptedkeytypes),
|
||||||
setup_no_sshdir, teardown),
|
cmocka_unit_test(torture_config_match_pattern),
|
||||||
+ cmocka_unit_test_setup_teardown(torture_config_parse_uri,
|
+ cmocka_unit_test(torture_config_parse_uri),
|
||||||
+ setup, teardown),
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||||
index 425d7295..8a5505a1 100644
|
index d0fdaed1..576ca9cd 100644
|
||||||
--- a/tests/unittests/torture_options.c
|
--- a/tests/unittests/torture_options.c
|
||||||
+++ b/tests/unittests/torture_options.c
|
+++ b/tests/unittests/torture_options.c
|
||||||
@@ -60,6 +60,20 @@ static void torture_options_set_host(void **state) {
|
@@ -59,12 +59,34 @@ static void torture_options_set_host(void **state) {
|
||||||
assert_non_null(session->opts.host);
|
assert_non_null(session->opts.host);
|
||||||
assert_string_equal(session->opts.host, "localhost");
|
assert_string_equal(session->opts.host, "localhost");
|
||||||
|
|
||||||
@ -1046,67 +1095,20 @@ index 425d7295..8a5505a1 100644
|
|||||||
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
|
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
|
||||||
assert_true(rc == 0);
|
assert_true(rc == 0);
|
||||||
assert_non_null(session->opts.host);
|
assert_non_null(session->opts.host);
|
||||||
@@ -67,12 +81,14 @@ static void torture_options_set_host(void **state) {
|
assert_string_equal(session->opts.host, "meditation");
|
||||||
assert_non_null(session->opts.username);
|
assert_non_null(session->opts.username);
|
||||||
assert_string_equal(session->opts.username, "guru");
|
assert_string_equal(session->opts.username, "guru");
|
||||||
|
|
||||||
+ /* more @ in uri is OK -- it should go to the username */
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
|
|
||||||
assert_true(rc == 0);
|
|
||||||
assert_non_null(session->opts.host);
|
|
||||||
assert_string_equal(session->opts.host, "hostname");
|
|
||||||
assert_non_null(session->opts.username);
|
|
||||||
assert_string_equal(session->opts.username, "at@login");
|
|
||||||
+
|
+
|
||||||
|
+ /* more @ in uri is OK -- it should go to the username */
|
||||||
|
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
|
||||||
|
+ assert_true(rc == 0);
|
||||||
|
+ assert_non_null(session->opts.host);
|
||||||
|
+ assert_string_equal(session->opts.host, "hostname");
|
||||||
|
+ assert_non_null(session->opts.username);
|
||||||
|
+ assert_string_equal(session->opts.username, "at@login");
|
||||||
}
|
}
|
||||||
|
|
||||||
static void torture_options_set_ciphers(void **state) {
|
static void torture_options_set_ciphers(void **state) {
|
||||||
--
|
--
|
||||||
2.41.0
|
2.41.0
|
||||||
|
|
||||||
diff -up libssh-0.10.4/include/libssh/config_parser.h.CVE-2023-6004.patch libssh-0.10.4/include/libssh/config_parser.h
|
|
||||||
--- libssh-0.10.4/include/libssh/config_parser.h.CVE-2023-6004.patch 2024-01-08 19:48:48.964006647 +0100
|
|
||||||
+++ libssh-0.10.4/include/libssh/config_parser.h 2024-01-08 19:56:38.850726165 +0100
|
|
||||||
@@ -47,13 +47,16 @@ int ssh_config_get_yesno(char **str, int
|
|
||||||
* be stored or NULL if we do not care about the result.
|
|
||||||
* @param[out] port Pointer to the location, where the new port will
|
|
||||||
* be stored or NULL if we do not care about the result.
|
|
||||||
+ * @param[in] ignore_port Set to true if the we should not attempt to parse
|
|
||||||
+ * port number.
|
|
||||||
*
|
|
||||||
* @returns SSH_OK if the provided string is in format of SSH URI,
|
|
||||||
* SSH_ERROR on failure
|
|
||||||
*/
|
|
||||||
int ssh_config_parse_uri(const char *tok,
|
|
||||||
- char **username,
|
|
||||||
- char **hostname,
|
|
||||||
- char **port);
|
|
||||||
+ char **username,
|
|
||||||
+ char **hostname,
|
|
||||||
+ char **port,
|
|
||||||
+ bool ignore_port);
|
|
||||||
|
|
||||||
#endif /* LIBSSH_CONFIG_H_ */
|
|
||||||
diff -up libssh-0.10.4/include/libssh/misc.h.CVE-2023-6004.patch libssh-0.10.4/include/libssh/misc.h
|
|
||||||
--- libssh-0.10.4/include/libssh/misc.h.CVE-2023-6004.patch 2024-01-08 19:48:07.422589393 +0100
|
|
||||||
+++ libssh-0.10.4/include/libssh/misc.h 2024-01-08 19:53:33.830867829 +0100
|
|
||||||
@@ -99,4 +99,7 @@ int ssh_newline_vis(const char *string,
|
|
||||||
int ssh_tmpname(char *template);
|
|
||||||
|
|
||||||
char *ssh_strreplace(const char *src, const char *pattern, const char *repl);
|
|
||||||
+
|
|
||||||
+int ssh_check_hostname_syntax(const char *hostname);
|
|
||||||
+
|
|
||||||
#endif /* MISC_H_ */
|
|
||||||
diff -up libssh-0.10.4/src/misc.c.CVE-2023-6004.patch libssh-0.10.4/src/misc.c
|
|
||||||
--- libssh-0.10.4/src/misc.c.CVE-2023-6004.patch 2024-01-08 19:48:26.779783823 +0100
|
|
||||||
+++ libssh-0.10.4/src/misc.c 2024-01-08 19:54:55.209685193 +0100
|
|
||||||
@@ -96,6 +96,8 @@
|
|
||||||
#define ZLIB_STRING ""
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#define ARPA_DOMAIN_MAX_LEN 63
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* @defgroup libssh_misc The SSH helper functions.
|
|
||||||
* @ingroup libssh
|
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
|||||||
diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
|
||||||
--- ../libssh-0.10.4/src/pki_crypto.c 2023-04-27 13:24:03.105744519 +0200
|
--- ../libssh-0.9.6/src/pki_crypto.c 2023-04-27 12:59:08.463259052 +0200
|
||||||
+++ ./src/pki_crypto.c 2023-04-27 13:30:24.016756496 +0200
|
+++ ./src/pki_crypto.c 2023-04-27 13:05:24.020610873 +0200
|
||||||
@@ -3186,8 +3186,12 @@
|
@@ -2291,8 +2291,12 @@
|
||||||
unsigned char *raw_sig_data = NULL;
|
unsigned char *raw_sig_data = NULL;
|
||||||
unsigned int raw_sig_len;
|
unsigned int raw_sig_len;
|
||||||
|
|
||||||
@ -15,7 +15,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
|||||||
|
|
||||||
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
|
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
|
||||||
signature == NULL || (signature->raw_sig == NULL
|
signature == NULL || (signature->raw_sig == NULL
|
||||||
@@ -3202,8 +3206,8 @@
|
@@ -2307,8 +2311,8 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check if public key and hash type are compatible */
|
/* Check if public key and hash type are compatible */
|
||||||
@ -26,7 +26,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -3248,8 +3252,8 @@
|
@@ -2351,8 +2355,8 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Verify the signature */
|
/* Verify the signature */
|
||||||
@ -37,7 +37,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
|||||||
SSH_LOG(SSH_LOG_TRACE,
|
SSH_LOG(SSH_LOG_TRACE,
|
||||||
"EVP_DigestVerifyInit() failed: %s",
|
"EVP_DigestVerifyInit() failed: %s",
|
||||||
ERR_error_string(ERR_get_error(), NULL));
|
ERR_error_string(ERR_get_error(), NULL));
|
||||||
@@ -3257,32 +3261,30 @@
|
@@ -2360,35 +2364,31 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
|
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
|
||||||
@ -76,7 +76,11 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
|||||||
- if (ctx != NULL) {
|
- if (ctx != NULL) {
|
||||||
- EVP_MD_CTX_free(ctx);
|
- EVP_MD_CTX_free(ctx);
|
||||||
- }
|
- }
|
||||||
|
- if (pkey != NULL) {
|
||||||
|
- EVP_PKEY_free(pkey);
|
||||||
|
- }
|
||||||
+ EVP_MD_CTX_free(ctx);
|
+ EVP_MD_CTX_free(ctx);
|
||||||
EVP_PKEY_free(pkey);
|
+ EVP_PKEY_free(pkey);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
diff --color -ru ../libssh-0.10.4/src/buffer.c ./src/buffer.c
|
diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
|
||||||
--- ../libssh-0.10.4/src/buffer.c 2023-05-03 12:22:40.304114511 +0200
|
--- ../libssh-0.9.6/src/buffer.c 2023-05-03 11:53:48.710217753 +0200
|
||||||
+++ ./src/buffer.c 2023-05-03 12:24:11.578110236 +0200
|
+++ ./src/buffer.c 2023-05-03 11:58:21.995200990 +0200
|
||||||
@@ -747,7 +747,8 @@
|
@@ -747,7 +747,8 @@
|
||||||
*/
|
*/
|
||||||
int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
|
int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
|
||||||
@ -11,10 +11,10 @@ diff --color -ru ../libssh-0.10.4/src/buffer.c ./src/buffer.c
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
|
||||||
--- ../libssh-0.10.4/src/gssapi.c 2023-05-03 12:22:40.356115078 +0200
|
--- ../libssh-0.9.6/src/gssapi.c 2023-05-03 11:53:48.732217993 +0200
|
||||||
+++ ./src/gssapi.c 2023-05-03 12:24:11.566110105 +0200
|
+++ ./src/gssapi.c 2023-05-03 11:58:21.976200782 +0200
|
||||||
@@ -444,11 +444,18 @@
|
@@ -437,11 +437,18 @@
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
||||||
SAFE_FREE(hexa);
|
SAFE_FREE(hexa);
|
||||||
@ -38,7 +38,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -857,6 +864,7 @@
|
@@ -846,6 +853,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
|
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
|
||||||
@ -46,7 +46,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_string oid_s;
|
ssh_string oid_s;
|
||||||
gss_uint32 maj_stat, min_stat;
|
gss_uint32 maj_stat, min_stat;
|
||||||
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
||||||
@@ -908,11 +916,15 @@
|
@@ -897,11 +905,15 @@
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
|
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
|
||||||
SAFE_FREE(hexa);
|
SAFE_FREE(hexa);
|
||||||
@ -67,7 +67,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
|
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
|
||||||
}
|
}
|
||||||
@@ -975,6 +987,7 @@
|
@@ -963,6 +975,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
|
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
|
||||||
@ -75,7 +75,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_string token;
|
ssh_string token;
|
||||||
char *hexa;
|
char *hexa;
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
@@ -1027,11 +1040,15 @@
|
@@ -1015,11 +1028,15 @@
|
||||||
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
hexa = ssh_get_hexa(output_token.value, output_token.length);
|
||||||
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
|
||||||
SAFE_FREE(hexa);
|
SAFE_FREE(hexa);
|
||||||
@ -96,10 +96,10 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
}
|
}
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
|
diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
|
||||||
--- ../libssh-0.10.4/src/options.c 2023-05-03 12:22:40.342114926 +0200
|
--- ../libssh-0.9.6/src/options.c 2021-08-26 14:27:42.000000000 +0200
|
||||||
+++ ./src/options.c 2023-05-03 12:24:11.582110280 +0200
|
+++ ./src/options.c 2023-05-03 11:58:22.000201044 +0200
|
||||||
@@ -614,7 +614,9 @@
|
@@ -547,7 +547,9 @@
|
||||||
}
|
}
|
||||||
i = strtol(q, &p, 10);
|
i = strtol(q, &p, 10);
|
||||||
if (q == p) {
|
if (q == p) {
|
||||||
@ -109,7 +109,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
|
|||||||
}
|
}
|
||||||
SAFE_FREE(q);
|
SAFE_FREE(q);
|
||||||
if (i <= 0) {
|
if (i <= 0) {
|
||||||
@@ -816,7 +818,9 @@
|
@@ -743,7 +745,9 @@
|
||||||
}
|
}
|
||||||
i = strtol(q, &p, 10);
|
i = strtol(q, &p, 10);
|
||||||
if (q == p) {
|
if (q == p) {
|
||||||
@ -119,7 +119,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
|
|||||||
}
|
}
|
||||||
SAFE_FREE(q);
|
SAFE_FREE(q);
|
||||||
if (i < 0) {
|
if (i < 0) {
|
||||||
@@ -2035,7 +2039,9 @@
|
@@ -1818,7 +1822,9 @@
|
||||||
}
|
}
|
||||||
i = strtol(q, &p, 10);
|
i = strtol(q, &p, 10);
|
||||||
if (q == p) {
|
if (q == p) {
|
||||||
@ -130,7 +130,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
|
|||||||
}
|
}
|
||||||
SAFE_FREE(q);
|
SAFE_FREE(q);
|
||||||
|
|
||||||
@@ -2062,7 +2068,9 @@
|
@@ -1845,7 +1851,9 @@
|
||||||
}
|
}
|
||||||
i = strtol(q, &p, 10);
|
i = strtol(q, &p, 10);
|
||||||
if (q == p) {
|
if (q == p) {
|
||||||
@ -141,9 +141,9 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
|
|||||||
}
|
}
|
||||||
SAFE_FREE(q);
|
SAFE_FREE(q);
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.10.4/src/pki_container_openssh.c ./src/pki_container_openssh.c
|
diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
|
||||||
--- ../libssh-0.10.4/src/pki_container_openssh.c 2023-05-03 12:22:40.314114620 +0200
|
--- ../libssh-0.9.6/src/pki_container_openssh.c 2023-05-03 11:53:48.713217785 +0200
|
||||||
+++ ./src/pki_container_openssh.c 2023-05-03 12:24:11.566110105 +0200
|
+++ ./src/pki_container_openssh.c 2023-05-03 11:58:21.976200782 +0200
|
||||||
@@ -630,7 +630,11 @@
|
@@ -630,7 +630,11 @@
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@ -157,10 +157,10 @@ diff --color -ru ../libssh-0.10.4/src/pki_container_openssh.c ./src/pki_containe
|
|||||||
kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
|
kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
|
||||||
if (kdf_options == NULL){
|
if (kdf_options == NULL){
|
||||||
SSH_BUFFER_FREE(kdf_buf);
|
SSH_BUFFER_FREE(kdf_buf);
|
||||||
diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
|
diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
|
||||||
--- ../libssh-0.10.4/tests/unittests/torture_options.c 2023-05-03 12:22:40.343114937 +0200
|
--- ../libssh-0.9.6/tests/unittests/torture_options.c 2021-08-26 14:27:42.000000000 +0200
|
||||||
+++ ./tests/unittests/torture_options.c 2023-05-03 12:24:11.587110335 +0200
|
+++ ./tests/unittests/torture_options.c 2023-05-03 11:59:21.726853027 +0200
|
||||||
@@ -319,6 +319,7 @@
|
@@ -311,6 +311,7 @@
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
|
rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
|
||||||
assert_true(rc == -1);
|
assert_true(rc == -1);
|
||||||
@ -168,8 +168,8 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
|
|||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
|
rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
|
||||||
assert_true(rc == -1);
|
assert_true(rc == -1);
|
||||||
@@ -1496,6 +1497,26 @@
|
@@ -853,6 +854,26 @@
|
||||||
ssh_list_free(awaited_list);
|
ssh_free(new);
|
||||||
}
|
}
|
||||||
|
|
||||||
+static void torture_options_set_verbosity (void **state)
|
+static void torture_options_set_verbosity (void **state)
|
||||||
@ -195,7 +195,7 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
|
|||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
const char template[] = "temp_dir_XXXXXX";
|
const char template[] = "temp_dir_XXXXXX";
|
||||||
|
|
||||||
@@ -1750,6 +1771,10 @@
|
@@ -1107,6 +1128,10 @@
|
||||||
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
|
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
|
||||||
assert_int_equal(rc, 0);
|
assert_int_equal(rc, 0);
|
||||||
assert_int_equal(bind->bindport, 23);
|
assert_int_equal(bind->bindport, 23);
|
||||||
@ -206,7 +206,7 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void torture_bind_options_log_verbosity(void **state)
|
static void torture_bind_options_log_verbosity(void **state)
|
||||||
@@ -1799,6 +1824,11 @@
|
@@ -1156,6 +1181,11 @@
|
||||||
new_level = ssh_get_log_level();
|
new_level = ssh_get_log_level();
|
||||||
assert_int_equal(new_level, SSH_LOG_PACKET);
|
assert_int_equal(new_level, SSH_LOG_PACKET);
|
||||||
|
|
||||||
@ -218,10 +218,10 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
|
|||||||
rc = ssh_set_log_level(previous_level);
|
rc = ssh_set_log_level(previous_level);
|
||||||
assert_int_equal(rc, SSH_OK);
|
assert_int_equal(rc, SSH_OK);
|
||||||
}
|
}
|
||||||
@@ -2297,6 +2327,7 @@
|
@@ -1643,6 +1673,7 @@
|
||||||
cmocka_unit_test_setup_teardown(torture_options_caret_sign,
|
cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
|
||||||
|
cmocka_unit_test_setup_teardown(torture_options_config_match,
|
||||||
setup, teardown),
|
setup, teardown),
|
||||||
cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
|
+ cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
|
||||||
};
|
};
|
||||||
|
|
668
SOURCES/fix_tests.patch
Normal file
668
SOURCES/fix_tests.patch
Normal file
@ -0,0 +1,668 @@
|
|||||||
|
diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
|
||||||
|
--- ../libssh-0.9.6/examples/sshnetcat.c 2021-08-26 14:27:42.000000000 +0200
|
||||||
|
+++ ./examples/sshnetcat.c 2023-05-02 10:36:00.793381735 +0200
|
||||||
|
@@ -233,9 +233,10 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
void cleanup_pcap(void);
|
||||||
|
-void cleanup_pcap(){
|
||||||
|
+void cleanup_pcap(void)
|
||||||
|
+{
|
||||||
|
ssh_pcap_file_free(pcap);
|
||||||
|
- pcap=NULL;
|
||||||
|
+ pcap = NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
|
||||||
|
--- ../libssh-0.9.6/src/init.c 2021-03-15 08:11:33.000000000 +0100
|
||||||
|
+++ ./src/init.c 2023-05-02 10:36:00.793381735 +0200
|
||||||
|
@@ -269,7 +269,7 @@
|
||||||
|
*
|
||||||
|
* @see ssh_init()
|
||||||
|
*/
|
||||||
|
-bool is_ssh_initialized() {
|
||||||
|
+bool is_ssh_initialized(void) {
|
||||||
|
|
||||||
|
bool is_initialized = false;
|
||||||
|
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
|
||||||
|
--- ../libssh-0.9.6/tests/client/torture_auth.c 2021-08-26 14:27:42.000000000 +0200
|
||||||
|
+++ ./tests/client/torture_auth.c 2023-05-02 10:36:00.815381960 +0200
|
||||||
|
@@ -200,7 +200,8 @@
|
||||||
|
assert_non_null(ssh_agent_pidfile);
|
||||||
|
|
||||||
|
/* kill agent pid */
|
||||||
|
- torture_terminate_process(ssh_agent_pidfile);
|
||||||
|
+ rc = torture_terminate_process(ssh_agent_pidfile);
|
||||||
|
+ assert_return_code(rc, errno);
|
||||||
|
|
||||||
|
unlink(ssh_agent_pidfile);
|
||||||
|
|
||||||
|
@@ -551,6 +552,7 @@
|
||||||
|
|
||||||
|
static void torture_auth_agent_cert(void **state)
|
||||||
|
{
|
||||||
|
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
||||||
|
struct torture_state *s = *state;
|
||||||
|
ssh_session session = s->ssh.session;
|
||||||
|
int rc;
|
||||||
|
@@ -570,6 +572,7 @@
|
||||||
|
"ssh-rsa-cert-v01@openssh.com");
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
||||||
|
|
||||||
|
/* Setup loads a different key, tests are exactly the same. */
|
||||||
|
torture_auth_agent(state);
|
||||||
|
@@ -577,6 +580,7 @@
|
||||||
|
|
||||||
|
static void torture_auth_agent_cert_nonblocking(void **state)
|
||||||
|
{
|
||||||
|
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
||||||
|
struct torture_state *s = *state;
|
||||||
|
ssh_session session = s->ssh.session;
|
||||||
|
int rc;
|
||||||
|
@@ -596,6 +600,7 @@
|
||||||
|
"ssh-rsa-cert-v01@openssh.com");
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
||||||
|
|
||||||
|
torture_auth_agent_nonblocking(state);
|
||||||
|
}
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
||||||
|
--- ../libssh-0.9.6/tests/client/torture_rekey.c 2023-04-28 17:26:41.472315318 +0200
|
||||||
|
+++ ./tests/client/torture_rekey.c 2023-05-02 10:36:00.805381857 +0200
|
||||||
|
@@ -38,6 +38,8 @@
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <pwd.h>
|
||||||
|
|
||||||
|
+#define KEX_RETRY 32
|
||||||
|
+
|
||||||
|
static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
|
||||||
|
|
||||||
|
static int sshd_setup(void **state)
|
||||||
|
@@ -190,10 +192,11 @@
|
||||||
|
rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
|
||||||
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
||||||
|
|
||||||
|
- /* send ignore packets of up to 1KB to trigger rekey */
|
||||||
|
+ /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
|
||||||
|
+ * to make sure it completes with all different ciphers */
|
||||||
|
memset(data, 0, sizeof(data));
|
||||||
|
memset(data, 'A', 128);
|
||||||
|
- for (i = 0; i < 16; i++) {
|
||||||
|
+ for (i = 0; i < KEX_RETRY; i++) {
|
||||||
|
ssh_send_ignore(s->ssh.session, data);
|
||||||
|
ssh_handle_packets(s->ssh.session, 50);
|
||||||
|
}
|
||||||
|
@@ -496,9 +499,15 @@
|
||||||
|
* to make sure the rekey it completes with all different ciphers (paddings */
|
||||||
|
memset(data, 0, sizeof(data));
|
||||||
|
memset(data, 'A', 128);
|
||||||
|
- for (i = 0; i < 20; i++) {
|
||||||
|
+ for (i = 0; i < KEX_RETRY; i++) {
|
||||||
|
ssh_send_ignore(s->ssh.session, data);
|
||||||
|
- ssh_handle_packets(s->ssh.session, 50);
|
||||||
|
+ ssh_handle_packets(s->ssh.session, 100);
|
||||||
|
+
|
||||||
|
+ c = s->ssh.session->current_crypto;
|
||||||
|
+ /* SHA256 len */
|
||||||
|
+ if (c->digest_len != 32) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* The rekey limit was restored in the new crypto to the same value */
|
||||||
|
@@ -568,9 +577,15 @@
|
||||||
|
* to make sure the rekey it completes with all different ciphers (paddings */
|
||||||
|
memset(data, 0, sizeof(data));
|
||||||
|
memset(data, 'A', 128);
|
||||||
|
- for (i = 0; i < 25; i++) {
|
||||||
|
+ for (i = 0; i < KEX_RETRY; i++) {
|
||||||
|
ssh_send_ignore(s->ssh.session, data);
|
||||||
|
- ssh_handle_packets(s->ssh.session, 50);
|
||||||
|
+ ssh_handle_packets(s->ssh.session, 100);
|
||||||
|
+
|
||||||
|
+ c = s->ssh.session->current_crypto;
|
||||||
|
+ /* SHA256 len */
|
||||||
|
+ if (c->digest_len != 32) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check that the secret hash is different than initially */
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
|
||||||
|
--- ../libssh-0.9.6/tests/CMakeLists.txt 2021-08-26 14:27:42.000000000 +0200
|
||||||
|
+++ ./tests/CMakeLists.txt 2023-05-02 10:32:03.964511860 +0200
|
||||||
|
@@ -153,6 +153,17 @@
|
||||||
|
execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
|
||||||
|
endif()
|
||||||
|
|
||||||
|
+ find_program(TIMEOUT_EXECUTABLE
|
||||||
|
+ NAME
|
||||||
|
+ timeout
|
||||||
|
+ PATHS
|
||||||
|
+ /bin
|
||||||
|
+ /usr/bin
|
||||||
|
+ /usr/local/bin)
|
||||||
|
+ if (TIMEOUT_EXECUTABLE)
|
||||||
|
+ set(WITH_TIMEOUT "1")
|
||||||
|
+ endif()
|
||||||
|
+
|
||||||
|
# chroot_wrapper
|
||||||
|
add_library(chroot_wrapper SHARED chroot_wrapper.c)
|
||||||
|
set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
|
||||||
|
--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c 2021-03-15 08:11:33.000000000 +0100
|
||||||
|
+++ ./tests/pkd/pkd_keyutil.c 2023-05-02 10:36:00.793381735 +0200
|
||||||
|
@@ -22,7 +22,7 @@
|
||||||
|
#include "pkd_keyutil.h"
|
||||||
|
#include "pkd_util.h"
|
||||||
|
|
||||||
|
-void setup_rsa_key() {
|
||||||
|
+void setup_rsa_key(void) {
|
||||||
|
int rc = 0;
|
||||||
|
if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
|
||||||
|
rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
|
||||||
|
@@ -31,7 +31,7 @@
|
||||||
|
assert_int_equal(rc, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-void setup_ed25519_key() {
|
||||||
|
+void setup_ed25519_key(void) {
|
||||||
|
int rc = 0;
|
||||||
|
if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
|
||||||
|
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
|
||||||
|
@@ -41,7 +41,7 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_DSA
|
||||||
|
-void setup_dsa_key() {
|
||||||
|
+void setup_dsa_key(void) {
|
||||||
|
int rc = 0;
|
||||||
|
if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
|
||||||
|
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
|
||||||
|
@@ -51,7 +51,7 @@
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-void setup_ecdsa_keys() {
|
||||||
|
+void setup_ecdsa_keys(void) {
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
|
||||||
|
@@ -71,27 +71,27 @@
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-void cleanup_rsa_key() {
|
||||||
|
+void cleanup_rsa_key(void) {
|
||||||
|
cleanup_key(LIBSSH_RSA_TESTKEY);
|
||||||
|
}
|
||||||
|
|
||||||
|
-void cleanup_ed25519_key() {
|
||||||
|
+void cleanup_ed25519_key(void) {
|
||||||
|
cleanup_key(LIBSSH_ED25519_TESTKEY);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_DSA
|
||||||
|
-void cleanup_dsa_key() {
|
||||||
|
+void cleanup_dsa_key(void) {
|
||||||
|
cleanup_key(LIBSSH_DSA_TESTKEY);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-void cleanup_ecdsa_keys() {
|
||||||
|
+void cleanup_ecdsa_keys(void) {
|
||||||
|
cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
|
||||||
|
cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
|
||||||
|
cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
|
||||||
|
}
|
||||||
|
|
||||||
|
-void setup_openssh_client_keys() {
|
||||||
|
+void setup_openssh_client_keys(void) {
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
|
||||||
|
@@ -184,7 +184,7 @@
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-void cleanup_openssh_client_keys() {
|
||||||
|
+void cleanup_openssh_client_keys(void) {
|
||||||
|
cleanup_key(OPENSSH_CA_TESTKEY);
|
||||||
|
cleanup_key(OPENSSH_RSA_TESTKEY);
|
||||||
|
cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
|
||||||
|
@@ -199,7 +199,7 @@
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-void setup_dropbear_client_rsa_key() {
|
||||||
|
+void setup_dropbear_client_rsa_key(void) {
|
||||||
|
int rc = 0;
|
||||||
|
if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
|
||||||
|
rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
|
||||||
|
@@ -208,6 +208,6 @@
|
||||||
|
assert_int_equal(rc, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-void cleanup_dropbear_client_rsa_key() {
|
||||||
|
+void cleanup_dropbear_client_rsa_key(void) {
|
||||||
|
unlink(DROPBEAR_RSA_TESTKEY);
|
||||||
|
}
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
|
||||||
|
--- ../libssh-0.9.6/tests/server/torture_server_config.c 2021-08-26 14:27:42.000000000 +0200
|
||||||
|
+++ ./tests/server/torture_server_config.c 2023-05-02 10:36:00.815381960 +0200
|
||||||
|
@@ -285,9 +285,7 @@
|
||||||
|
assert_non_null(s);
|
||||||
|
|
||||||
|
rc = torture_terminate_process(s->srv_pidfile);
|
||||||
|
- if (rc != 0) {
|
||||||
|
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
||||||
|
- }
|
||||||
|
+ assert_return_code(rc, errno);
|
||||||
|
|
||||||
|
unlink(s->srv_pidfile);
|
||||||
|
|
||||||
|
@@ -513,6 +511,12 @@
|
||||||
|
/* Try each algorithm individually */
|
||||||
|
j = 0;
|
||||||
|
while(tokens->tokens[j] != NULL) {
|
||||||
|
+ char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
|
||||||
|
+ if (cmp == NULL) {
|
||||||
|
+ /* This cipher is not supported by the OpenSSH. Skip it */
|
||||||
|
+ j++;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
snprintf(config_content,
|
||||||
|
sizeof(config_content),
|
||||||
|
"HostKey %s\nCiphers %s\n",
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
|
||||||
|
--- ../libssh-0.9.6/tests/tests_config.h.cmake 2021-08-26 14:27:42.000000000 +0200
|
||||||
|
+++ ./tests/tests_config.h.cmake 2023-05-02 10:32:03.964511860 +0200
|
||||||
|
@@ -66,4 +66,6 @@
|
||||||
|
|
||||||
|
#cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
|
||||||
|
#cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
|
||||||
|
-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
||||||
|
\ No newline at end of file
|
||||||
|
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
||||||
|
+#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
|
||||||
|
+#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
|
||||||
|
--- ../libssh-0.9.6/tests/torture.c 2021-08-26 14:27:44.000000000 +0200
|
||||||
|
+++ ./tests/torture.c 2023-05-02 10:36:00.815381960 +0200
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include "torture.h"
|
||||||
|
#include "torture_key.h"
|
||||||
|
#include "libssh/misc.h"
|
||||||
|
+#include "libssh/token.h"
|
||||||
|
|
||||||
|
#define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
|
||||||
|
/* socket wrapper IPv6 prefix fd00::5357:5fxx */
|
||||||
|
@@ -250,8 +251,12 @@
|
||||||
|
|
||||||
|
rc = kill(pid, 0);
|
||||||
|
if (rc != 0) {
|
||||||
|
- is_running = 0;
|
||||||
|
- break;
|
||||||
|
+ /* Process not found */
|
||||||
|
+ if (errno == ESRCH) {
|
||||||
|
+ is_running = 0;
|
||||||
|
+ rc = 0;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -260,7 +265,7 @@
|
||||||
|
"WARNING: The process with pid %u is still running!\n", pid);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+ return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssh_session torture_ssh_session(struct torture_state *s,
|
||||||
|
@@ -611,6 +616,112 @@
|
||||||
|
*state = s;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * @brief Create a libssh server configuration file
|
||||||
|
+ *
|
||||||
|
+ * It is expected the socket directory to be already created before by calling
|
||||||
|
+ * torture_setup_socket_dir(). The created configuration file will be stored in
|
||||||
|
+ * the socket directory and the srv_config pointer in the state will be
|
||||||
|
+ * initialized.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] state A pointer to a pointer to an initialized torture_state
|
||||||
|
+ * structure
|
||||||
|
+ */
|
||||||
|
+void torture_setup_create_libssh_config(void **state)
|
||||||
|
+{
|
||||||
|
+ struct torture_state *s = *state;
|
||||||
|
+ char ed25519_hostkey[1024] = {0};
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ char dsa_hostkey[1024];
|
||||||
|
+#endif /* HAVE_DSA */
|
||||||
|
+ char rsa_hostkey[1024];
|
||||||
|
+ char ecdsa_hostkey[1024];
|
||||||
|
+ char sshd_config[2048];
|
||||||
|
+ char sshd_path[1024];
|
||||||
|
+ const char *additional_config = NULL;
|
||||||
|
+ struct stat sb;
|
||||||
|
+ const char config_string[]=
|
||||||
|
+ "LogLevel DEBUG3\n"
|
||||||
|
+ "Port 22\n"
|
||||||
|
+ "ListenAddress 127.0.0.10\n"
|
||||||
|
+ "%s %s\n"
|
||||||
|
+ "%s %s\n"
|
||||||
|
+ "%s %s\n"
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ "%s %s\n"
|
||||||
|
+#endif /* HAVE_DSA */
|
||||||
|
+ "%s\n"; /* The space for test-specific options */
|
||||||
|
+ bool written = false;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ assert_non_null(s->socket_dir);
|
||||||
|
+
|
||||||
|
+ snprintf(sshd_path,
|
||||||
|
+ sizeof(sshd_path),
|
||||||
|
+ "%s/sshd",
|
||||||
|
+ s->socket_dir);
|
||||||
|
+
|
||||||
|
+ rc = lstat(sshd_path, &sb);
|
||||||
|
+ if (rc == 0 ) { /* The directory is already in place */
|
||||||
|
+ written = true;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!written) {
|
||||||
|
+ rc = mkdir(sshd_path, 0755);
|
||||||
|
+ assert_return_code(rc, errno);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ snprintf(ed25519_hostkey,
|
||||||
|
+ sizeof(ed25519_hostkey),
|
||||||
|
+ "%s/sshd/ssh_host_ed25519_key",
|
||||||
|
+ s->socket_dir);
|
||||||
|
+
|
||||||
|
+ snprintf(rsa_hostkey,
|
||||||
|
+ sizeof(rsa_hostkey),
|
||||||
|
+ "%s/sshd/ssh_host_rsa_key",
|
||||||
|
+ s->socket_dir);
|
||||||
|
+
|
||||||
|
+ snprintf(ecdsa_hostkey,
|
||||||
|
+ sizeof(ecdsa_hostkey),
|
||||||
|
+ "%s/sshd/ssh_host_ecdsa_key",
|
||||||
|
+ s->socket_dir);
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ snprintf(dsa_hostkey,
|
||||||
|
+ sizeof(dsa_hostkey),
|
||||||
|
+ "%s/sshd/ssh_host_dsa_key",
|
||||||
|
+ s->socket_dir);
|
||||||
|
+#endif /* HAVE_DSA */
|
||||||
|
+
|
||||||
|
+ if (!written) {
|
||||||
|
+ torture_write_file(ed25519_hostkey,
|
||||||
|
+ torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
|
||||||
|
+ torture_write_file(rsa_hostkey,
|
||||||
|
+ torture_get_testkey(SSH_KEYTYPE_RSA, 0));
|
||||||
|
+ torture_write_file(ecdsa_hostkey,
|
||||||
|
+ torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ torture_write_file(dsa_hostkey,
|
||||||
|
+ torture_get_testkey(SSH_KEYTYPE_DSS, 0));
|
||||||
|
+#endif /* HAVE_DSA */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ additional_config = (s->srv_additional_config != NULL ?
|
||||||
|
+ s->srv_additional_config : "");
|
||||||
|
+
|
||||||
|
+ snprintf(sshd_config, sizeof(sshd_config),
|
||||||
|
+ config_string,
|
||||||
|
+ "HostKey", ed25519_hostkey,
|
||||||
|
+ "HostKey", rsa_hostkey,
|
||||||
|
+ "HostKey", ecdsa_hostkey,
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ "HostKey", dsa_hostkey,
|
||||||
|
+#endif /* HAVE_DSA */
|
||||||
|
+ additional_config);
|
||||||
|
+
|
||||||
|
+ torture_write_file(s->srv_config, sshd_config);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void torture_setup_create_sshd_config(void **state, bool pam)
|
||||||
|
{
|
||||||
|
struct torture_state *s = *state;
|
||||||
|
@@ -856,21 +967,140 @@
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-void torture_setup_sshd_server(void **state, bool pam)
|
||||||
|
+/**
|
||||||
|
+ * @brief Run a libssh based server under timeout.
|
||||||
|
+ *
|
||||||
|
+ * It is expected that the socket directory and libssh configuration file were
|
||||||
|
+ * already created before by calling torture_setup_socket_dir() and
|
||||||
|
+ * torture_setup_create_libssh_config() (or alternatively setup the state with
|
||||||
|
+ * the correct values).
|
||||||
|
+ *
|
||||||
|
+ * @param[in] state The content of the address pointed by this variable must be
|
||||||
|
+ * a pointer to an initialized instance of torture_state
|
||||||
|
+ * structure; it can be obtained by calling
|
||||||
|
+ * torture_setup_socket_dir() and
|
||||||
|
+ * torture_setup_create_libssh_config().
|
||||||
|
+ * @param[in] server_path The path to the server executable.
|
||||||
|
+ *
|
||||||
|
+ * @note This function will use the state->srv_additional_config field as
|
||||||
|
+ * additional command line option used when starting the server instead of extra
|
||||||
|
+ * configuration file options.
|
||||||
|
+ * */
|
||||||
|
+void torture_setup_libssh_server(void **state, const char *server_path)
|
||||||
|
{
|
||||||
|
struct torture_state *s;
|
||||||
|
- char sshd_start_cmd[1024];
|
||||||
|
+ char start_cmd[1024];
|
||||||
|
+ char timeout_cmd[512];
|
||||||
|
+ char env[1024];
|
||||||
|
+ char extra_options[1024];
|
||||||
|
int rc;
|
||||||
|
+ char *ld_preload = NULL;
|
||||||
|
+ const char *force_fips = NULL;
|
||||||
|
|
||||||
|
- torture_setup_socket_dir(state);
|
||||||
|
- torture_setup_create_sshd_config(state, pam);
|
||||||
|
+ struct ssh_tokens_st *env_tokens;
|
||||||
|
+ struct ssh_tokens_st *arg_tokens;
|
||||||
|
+
|
||||||
|
+ pid_t pid;
|
||||||
|
+ ssize_t printed;
|
||||||
|
+
|
||||||
|
+ s = *state;
|
||||||
|
+
|
||||||
|
+ /* Get all the wrapper libraries to be pre-loaded */
|
||||||
|
+ ld_preload = getenv("LD_PRELOAD");
|
||||||
|
+
|
||||||
|
+ if (s->srv_additional_config != NULL) {
|
||||||
|
+ printed = snprintf(extra_options, sizeof(extra_options), " %s ",
|
||||||
|
+ s->srv_additional_config);
|
||||||
|
+ if (printed < 0) {
|
||||||
|
+ fail_msg("Failed to print additional config!");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ printed = snprintf(extra_options, sizeof(extra_options), " ");
|
||||||
|
+ if (printed < 0) {
|
||||||
|
+ fail_msg("Failed to print empty additional config!");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssh_fips_mode()) {
|
||||||
|
+ force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
|
||||||
|
+ } else {
|
||||||
|
+ force_fips = "";
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Write the environment setting */
|
||||||
|
+ printed = snprintf(env, sizeof(env),
|
||||||
|
+ "SOCKET_WRAPPER_DIR=%s "
|
||||||
|
+ "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
|
||||||
|
+ "LD_PRELOAD=%s "
|
||||||
|
+ "%s",
|
||||||
|
+ s->socket_dir, ld_preload, force_fips);
|
||||||
|
+ if (printed < 0) {
|
||||||
|
+ fail_msg("Failed to print env!");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef WITH_TIMEOUT
|
||||||
|
+ snprintf(timeout_cmd, sizeof(timeout_cmd),
|
||||||
|
+ "%s %s ", TIMEOUT_EXECUTABLE, "5m");
|
||||||
|
+#else
|
||||||
|
+ timeout_cmd[0] = '\0';
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ /* Write the start command */
|
||||||
|
+ printed = snprintf(start_cmd, sizeof(start_cmd),
|
||||||
|
+ "%s"
|
||||||
|
+ "%s -f%s -v4 -p22 -i%s -C%s%s%s",
|
||||||
|
+ timeout_cmd,
|
||||||
|
+ server_path, s->pcap_file, s->srv_pidfile,
|
||||||
|
+ s->srv_config, extra_options, TORTURE_SSH_SERVER);
|
||||||
|
+ if (printed < 0) {
|
||||||
|
+ fail_msg("Failed to print start command!");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ pid = fork();
|
||||||
|
+ switch(pid) {
|
||||||
|
+ case 0:
|
||||||
|
+ env_tokens = ssh_tokenize(env, ' ');
|
||||||
|
+ if (env_tokens == NULL || env_tokens->tokens == NULL) {
|
||||||
|
+ fail_msg("Failed to tokenize env!");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ arg_tokens = ssh_tokenize(start_cmd, ' ');
|
||||||
|
+ if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
|
||||||
|
+ ssh_tokens_free(env_tokens);
|
||||||
|
+ fail_msg("Failed to tokenize args!");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
|
||||||
|
+ (char **)env_tokens->tokens);
|
||||||
|
+
|
||||||
|
+ /* execve returns only in case of error */
|
||||||
|
+ ssh_tokens_free(env_tokens);
|
||||||
|
+ ssh_tokens_free(arg_tokens);
|
||||||
|
+ fail_msg("Error in execve: %s", strerror(errno));
|
||||||
|
+ case -1:
|
||||||
|
+ fail_msg("Failed to fork!");
|
||||||
|
+ default:
|
||||||
|
+ /* The parent continues the execution of the tests */
|
||||||
|
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
|
||||||
|
+ unsetenv("PAM_WRAPPER");
|
||||||
|
+
|
||||||
|
+ /* Wait until the server is ready to accept connections */
|
||||||
|
+ rc = torture_wait_for_daemon(15);
|
||||||
|
+ assert_int_equal(rc, 0);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int torture_start_sshd_server(void **state)
|
||||||
|
+{
|
||||||
|
+ struct torture_state *s = *state;
|
||||||
|
+ char sshd_start_cmd[1024];
|
||||||
|
+ int rc;
|
||||||
|
|
||||||
|
/* Set the default interface for the server */
|
||||||
|
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
|
||||||
|
setenv("PAM_WRAPPER", "1", 1);
|
||||||
|
|
||||||
|
- s = *state;
|
||||||
|
-
|
||||||
|
snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
|
||||||
|
SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
|
||||||
|
s->srv_config, s->socket_dir, s->socket_dir);
|
||||||
|
@@ -882,7 +1112,20 @@
|
||||||
|
unsetenv("PAM_WRAPPER");
|
||||||
|
|
||||||
|
/* Wait until the sshd is ready to accept connections */
|
||||||
|
- rc = torture_wait_for_daemon(5);
|
||||||
|
+ rc = torture_wait_for_daemon(15);
|
||||||
|
+ assert_int_equal(rc, 0);
|
||||||
|
+
|
||||||
|
+ return SSH_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void torture_setup_sshd_server(void **state, bool pam)
|
||||||
|
+{
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ torture_setup_socket_dir(state);
|
||||||
|
+ torture_setup_create_sshd_config(state, pam);
|
||||||
|
+
|
||||||
|
+ rc = torture_start_sshd_server(state);
|
||||||
|
assert_int_equal(rc, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -922,29 +1165,12 @@
|
||||||
|
torture_reload_sshd_server(void **state)
|
||||||
|
{
|
||||||
|
struct torture_state *s = *state;
|
||||||
|
- pid_t pid;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
- /* read the pidfile */
|
||||||
|
- pid = torture_read_pidfile(s->srv_pidfile);
|
||||||
|
- assert_int_not_equal(pid, -1);
|
||||||
|
-
|
||||||
|
- kill(pid, SIGHUP);
|
||||||
|
-
|
||||||
|
- /* 10 ms */
|
||||||
|
- usleep(10 * 1000);
|
||||||
|
-
|
||||||
|
- rc = kill(pid, 0);
|
||||||
|
- if (rc != 0) {
|
||||||
|
- fprintf(stderr,
|
||||||
|
- "ERROR: SSHD process %u died during reload!\n", pid);
|
||||||
|
- return SSH_ERROR;
|
||||||
|
- }
|
||||||
|
+ rc = torture_terminate_process(s->srv_pidfile);
|
||||||
|
+ assert_return_code(rc, errno);
|
||||||
|
|
||||||
|
- /* Wait until the sshd is ready to accept connections */
|
||||||
|
- rc = torture_wait_for_daemon(5);
|
||||||
|
- assert_int_equal(rc, 0);
|
||||||
|
- return SSH_OK;
|
||||||
|
+ return torture_start_sshd_server(state);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* @brief: Updates SSHD server configuration with more options and
|
||||||
|
@@ -980,9 +1206,7 @@
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
rc = torture_terminate_process(s->srv_pidfile);
|
||||||
|
- if (rc != 0) {
|
||||||
|
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
||||||
|
- }
|
||||||
|
+ assert_return_code(rc, errno);
|
||||||
|
|
||||||
|
torture_teardown_socket_dir(state);
|
||||||
|
}
|
||||||
|
diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
|
||||||
|
--- ../libssh-0.9.6/tests/torture.h 2021-08-26 14:27:44.000000000 +0200
|
||||||
|
+++ ./tests/torture.h 2023-05-02 10:32:03.964511860 +0200
|
||||||
|
@@ -132,6 +132,10 @@
|
||||||
|
|
||||||
|
void torture_reset_config(ssh_session session);
|
||||||
|
|
||||||
|
+void torture_setup_create_libssh_config(void **state);
|
||||||
|
+
|
||||||
|
+void torture_setup_libssh_server(void **state, const char *server_path);
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* This function must be defined in every unit test file.
|
||||||
|
*/
|
16
SOURCES/libssh-0.9.6.tar.xz.asc
Normal file
16
SOURCES/libssh-0.9.6.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
|
||||||
|
Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
|
||||||
|
3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
|
||||||
|
bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
|
||||||
|
ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
|
||||||
|
KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
|
||||||
|
VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
|
||||||
|
+W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
|
||||||
|
zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
|
||||||
|
1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
|
||||||
|
TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
|
||||||
|
o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
|
||||||
|
=cO0k
|
||||||
|
-----END PGP SIGNATURE-----
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
|||||||
diff --color -ru ../libssh-0.10.4/include/libssh/curve25519.h ./include/libssh/curve25519.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/curve25519.h ./include/libssh/curve25519.h
|
||||||
--- ../libssh-0.10.4/include/libssh/curve25519.h 2022-07-07 15:53:51.000000000 +0200
|
--- ../libssh-0.9.6/include/libssh/curve25519.h 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./include/libssh/curve25519.h 2023-04-27 14:35:27.030113530 +0200
|
+++ ./include/libssh/curve25519.h 2023-04-27 12:21:30.257820636 +0200
|
||||||
@@ -48,6 +48,7 @@
|
@@ -48,6 +48,7 @@
|
||||||
|
|
||||||
|
|
||||||
@ -9,9 +9,9 @@ diff --color -ru ../libssh-0.10.4/include/libssh/curve25519.h ./include/libssh/c
|
|||||||
|
|
||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
void ssh_server_curve25519_init(ssh_session session);
|
void ssh_server_curve25519_init(ssh_session session);
|
||||||
diff --color -ru ../libssh-0.10.4/include/libssh/dh-gex.h ./include/libssh/dh-gex.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/dh-gex.h ./include/libssh/dh-gex.h
|
||||||
--- ../libssh-0.10.4/include/libssh/dh-gex.h 2022-07-07 15:53:51.000000000 +0200
|
--- ../libssh-0.9.6/include/libssh/dh-gex.h 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./include/libssh/dh-gex.h 2023-04-27 14:35:27.030113530 +0200
|
+++ ./include/libssh/dh-gex.h 2023-04-27 12:21:30.257820636 +0200
|
||||||
@@ -24,6 +24,7 @@
|
@@ -24,6 +24,7 @@
|
||||||
#define SRC_DH_GEX_H_
|
#define SRC_DH_GEX_H_
|
||||||
|
|
||||||
@ -20,10 +20,10 @@ diff --color -ru ../libssh-0.10.4/include/libssh/dh-gex.h ./include/libssh/dh-ge
|
|||||||
|
|
||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
void ssh_server_dhgex_init(ssh_session session);
|
void ssh_server_dhgex_init(ssh_session session);
|
||||||
diff --color -ru ../libssh-0.10.4/include/libssh/dh.h ./include/libssh/dh.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/dh.h ./include/libssh/dh.h
|
||||||
--- ../libssh-0.10.4/include/libssh/dh.h 2023-04-27 14:25:46.353381599 +0200
|
--- ../libssh-0.9.6/include/libssh/dh.h 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./include/libssh/dh.h 2023-04-27 14:36:02.691475297 +0200
|
+++ ./include/libssh/dh.h 2023-04-27 12:21:30.257820636 +0200
|
||||||
@@ -73,8 +73,10 @@
|
@@ -63,8 +63,10 @@
|
||||||
ssh_key ssh_dh_get_next_server_publickey(ssh_session session);
|
ssh_key ssh_dh_get_next_server_publickey(ssh_session session);
|
||||||
int ssh_dh_get_next_server_publickey_blob(ssh_session session,
|
int ssh_dh_get_next_server_publickey_blob(ssh_session session,
|
||||||
ssh_string *pubkey_blob);
|
ssh_string *pubkey_blob);
|
||||||
@ -34,9 +34,9 @@ diff --color -ru ../libssh-0.10.4/include/libssh/dh.h ./include/libssh/dh.h
|
|||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
void ssh_server_dh_init(ssh_session session);
|
void ssh_server_dh_init(ssh_session session);
|
||||||
#endif /* WITH_SERVER */
|
#endif /* WITH_SERVER */
|
||||||
diff --color -ru ../libssh-0.10.4/include/libssh/ecdh.h ./include/libssh/ecdh.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/ecdh.h ./include/libssh/ecdh.h
|
||||||
--- ../libssh-0.10.4/include/libssh/ecdh.h 2022-07-07 15:53:51.000000000 +0200
|
--- ../libssh-0.9.6/include/libssh/ecdh.h 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./include/libssh/ecdh.h 2023-04-27 14:35:27.030113530 +0200
|
+++ ./include/libssh/ecdh.h 2023-04-27 12:21:30.257820636 +0200
|
||||||
@@ -45,6 +45,7 @@
|
@@ -45,6 +45,7 @@
|
||||||
extern struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks;
|
extern struct ssh_packet_callbacks_struct ssh_ecdh_client_callbacks;
|
||||||
/* Backend-specific functions. */
|
/* Backend-specific functions. */
|
||||||
@ -45,9 +45,9 @@ diff --color -ru ../libssh-0.10.4/include/libssh/ecdh.h ./include/libssh/ecdh.h
|
|||||||
int ecdh_build_k(ssh_session session);
|
int ecdh_build_k(ssh_session session);
|
||||||
|
|
||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
diff --color -ru ../libssh-0.10.4/include/libssh/kex.h ./include/libssh/kex.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/kex.h ./include/libssh/kex.h
|
||||||
--- ../libssh-0.10.4/include/libssh/kex.h 2023-04-27 14:25:46.346381527 +0200
|
--- ../libssh-0.9.6/include/libssh/kex.h 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./include/libssh/kex.h 2023-04-27 14:34:36.438602800 +0200
|
+++ ./include/libssh/kex.h 2023-04-27 12:21:30.257820636 +0200
|
||||||
@@ -33,7 +33,7 @@
|
@@ -33,7 +33,7 @@
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
SSH_PACKET_CALLBACK(ssh_packet_kexinit);
|
||||||
@ -57,10 +57,10 @@ diff --color -ru ../libssh-0.10.4/include/libssh/kex.h ./include/libssh/kex.h
|
|||||||
void ssh_list_kex(struct ssh_kex_struct *kex);
|
void ssh_list_kex(struct ssh_kex_struct *kex);
|
||||||
int ssh_set_client_kex(ssh_session session);
|
int ssh_set_client_kex(ssh_session session);
|
||||||
int ssh_kex_select_methods(ssh_session session);
|
int ssh_kex_select_methods(ssh_session session);
|
||||||
diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/session.h
|
diff --color -ru ../libssh-0.9.6/include/libssh/session.h ./include/libssh/session.h
|
||||||
--- ../libssh-0.10.4/include/libssh/session.h 2023-04-27 14:25:46.361381682 +0200
|
--- ../libssh-0.9.6/include/libssh/session.h 2021-08-26 14:27:42.000000000 +0200
|
||||||
+++ ./include/libssh/session.h 2023-04-27 14:36:02.692475307 +0200
|
+++ ./include/libssh/session.h 2023-04-27 12:24:04.679475777 +0200
|
||||||
@@ -76,6 +76,11 @@
|
@@ -75,6 +75,11 @@
|
||||||
/* Client successfully authenticated */
|
/* Client successfully authenticated */
|
||||||
#define SSH_SESSION_FLAG_AUTHENTICATED 2
|
#define SSH_SESSION_FLAG_AUTHENTICATED 2
|
||||||
|
|
||||||
@ -72,7 +72,7 @@ diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/sess
|
|||||||
/* codes to use with ssh_handle_packets*() */
|
/* codes to use with ssh_handle_packets*() */
|
||||||
/* Infinite timeout */
|
/* Infinite timeout */
|
||||||
#define SSH_TIMEOUT_INFINITE -1
|
#define SSH_TIMEOUT_INFINITE -1
|
||||||
@@ -138,10 +143,8 @@
|
@@ -131,10 +136,8 @@
|
||||||
/* Extensions negotiated using RFC 8308 */
|
/* Extensions negotiated using RFC 8308 */
|
||||||
uint32_t extensions;
|
uint32_t extensions;
|
||||||
|
|
||||||
@ -82,10 +82,10 @@ diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/sess
|
|||||||
- the remote host */
|
- the remote host */
|
||||||
+ ssh_string banner; /* that's the issue banner from the server */
|
+ ssh_string banner; /* that's the issue banner from the server */
|
||||||
+ char *discon_msg; /* disconnect message from the remote host */
|
+ char *discon_msg; /* disconnect message from the remote host */
|
||||||
char *disconnect_message; /* disconnect message to be set */
|
|
||||||
ssh_buffer in_buffer;
|
ssh_buffer in_buffer;
|
||||||
PACKET in_packet;
|
PACKET in_packet;
|
||||||
@@ -166,25 +169,33 @@
|
ssh_buffer out_buffer;
|
||||||
|
@@ -158,25 +161,33 @@
|
||||||
uint32_t current_method;
|
uint32_t current_method;
|
||||||
} auth;
|
} auth;
|
||||||
|
|
||||||
@ -116,7 +116,7 @@ diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/sess
|
|||||||
+ struct ssh_crypto_struct *next_crypto;
|
+ struct ssh_crypto_struct *next_crypto;
|
||||||
|
|
||||||
struct ssh_list *channels; /* linked list of channels */
|
struct ssh_list *channels; /* linked list of channels */
|
||||||
uint32_t maxchannel;
|
int maxchannel;
|
||||||
ssh_agent agent; /* ssh agent */
|
ssh_agent agent; /* ssh agent */
|
||||||
|
|
||||||
-/* keyb interactive data */
|
-/* keyb interactive data */
|
||||||
@ -124,7 +124,7 @@ diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/sess
|
|||||||
struct ssh_kbdint_struct *kbdint;
|
struct ssh_kbdint_struct *kbdint;
|
||||||
struct ssh_gssapi_struct *gssapi;
|
struct ssh_gssapi_struct *gssapi;
|
||||||
|
|
||||||
@@ -201,7 +212,8 @@
|
@@ -193,7 +204,8 @@
|
||||||
|
|
||||||
/* auths accepted by server */
|
/* auths accepted by server */
|
||||||
struct ssh_list *ssh_message_list; /* list of delayed SSH messages */
|
struct ssh_list *ssh_message_list; /* list of delayed SSH messages */
|
||||||
@ -134,16 +134,17 @@ diff --color -ru ../libssh-0.10.4/include/libssh/session.h ./include/libssh/sess
|
|||||||
void *ssh_message_callback_data;
|
void *ssh_message_callback_data;
|
||||||
ssh_server_callbacks server_callbacks;
|
ssh_server_callbacks server_callbacks;
|
||||||
void (*ssh_connection_callback)( struct ssh_session_struct *session);
|
void (*ssh_connection_callback)( struct ssh_session_struct *session);
|
||||||
diff --color -ru ../libssh-0.10.4/src/client.c ./src/client.c
|
diff --color -ru ../libssh-0.9.6/src/client.c ./src/client.c
|
||||||
--- ../libssh-0.10.4/src/client.c 2023-04-27 14:25:46.339381455 +0200
|
--- ../libssh-0.9.6/src/client.c 2023-04-27 12:22:39.797925403 +0200
|
||||||
+++ ./src/client.c 2023-04-27 14:36:02.692475307 +0200
|
+++ ./src/client.c 2023-04-27 12:24:04.680475778 +0200
|
||||||
@@ -246,10 +246,13 @@
|
@@ -243,10 +243,13 @@
|
||||||
* @warning this function returning is no proof that DH handshake is
|
* @warning this function returning is no proof that DH handshake is
|
||||||
* completed
|
* completed
|
||||||
*/
|
*/
|
||||||
-static int dh_handshake(ssh_session session)
|
-static int dh_handshake(ssh_session session) {
|
||||||
|
-
|
||||||
+int dh_handshake(ssh_session session)
|
+int dh_handshake(ssh_session session)
|
||||||
{
|
+{
|
||||||
int rc = SSH_AGAIN;
|
int rc = SSH_AGAIN;
|
||||||
|
|
||||||
+ SSH_LOG(SSH_LOG_TRACE, "dh_handshake_state = %d, kex_type = %d",
|
+ SSH_LOG(SSH_LOG_TRACE, "dh_handshake_state = %d, kex_type = %d",
|
||||||
@ -152,7 +153,7 @@ diff --color -ru ../libssh-0.10.4/src/client.c ./src/client.c
|
|||||||
switch (session->dh_handshake_state) {
|
switch (session->dh_handshake_state) {
|
||||||
case DH_STATE_INIT:
|
case DH_STATE_INIT:
|
||||||
switch(session->next_crypto->kex_type){
|
switch(session->next_crypto->kex_type){
|
||||||
@@ -392,96 +395,103 @@
|
@@ -386,96 +389,102 @@
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -207,10 +208,10 @@ diff --color -ru ../libssh-0.10.4/src/client.c ./src/client.c
|
|||||||
+ session->serverbanner);
|
+ session->serverbanner);
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ ssh_packet_register_socket_callback(session, session->socket);
|
||||||
|
|
||||||
- ssh_packet_register_socket_callback(session, session->socket);
|
- ssh_packet_register_socket_callback(session, session->socket);
|
||||||
+ ssh_packet_register_socket_callback(session, session->socket);
|
|
||||||
+
|
|
||||||
+ ssh_packet_set_default_callbacks(session);
|
+ ssh_packet_set_default_callbacks(session);
|
||||||
+ session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
|
+ session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
|
||||||
+ rc = ssh_set_client_kex(session);
|
+ rc = ssh_set_client_kex(session);
|
||||||
@ -321,15 +322,15 @@ diff --color -ru ../libssh-0.10.4/src/client.c ./src/client.c
|
|||||||
ssh_socket_close(session->socket);
|
ssh_socket_close(session->socket);
|
||||||
session->alive = 0;
|
session->alive = 0;
|
||||||
- session->session_state=SSH_SESSION_STATE_ERROR;
|
- session->session_state=SSH_SESSION_STATE_ERROR;
|
||||||
|
- SSH_LOG(SSH_LOG_WARN, "%s", ssh_get_error(session));
|
||||||
+ session->session_state = SSH_SESSION_STATE_ERROR;
|
+ session->session_state = SSH_SESSION_STATE_ERROR;
|
||||||
SSH_LOG(SSH_LOG_WARN, "%s", ssh_get_error(session));
|
|
||||||
+
|
+
|
||||||
}
|
}
|
||||||
|
|
||||||
/** @internal
|
/** @internal
|
||||||
diff --color -ru ../libssh-0.10.4/src/curve25519.c ./src/curve25519.c
|
diff --color -ru ../libssh-0.9.6/src/curve25519.c ./src/curve25519.c
|
||||||
--- ../libssh-0.10.4/src/curve25519.c 2023-04-27 14:25:46.333381393 +0200
|
--- ../libssh-0.9.6/src/curve25519.c 2023-04-27 12:22:39.797925403 +0200
|
||||||
+++ ./src/curve25519.c 2023-04-27 14:35:27.031113541 +0200
|
+++ ./src/curve25519.c 2023-04-27 12:24:04.680475778 +0200
|
||||||
@@ -172,6 +172,11 @@
|
@@ -172,6 +172,11 @@
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
@ -351,10 +352,10 @@ diff --color -ru ../libssh-0.10.4/src/curve25519.c ./src/curve25519.c
|
|||||||
|
|
||||||
pubkey_blob = ssh_buffer_get_ssh_string(packet);
|
pubkey_blob = ssh_buffer_get_ssh_string(packet);
|
||||||
if (pubkey_blob == NULL) {
|
if (pubkey_blob == NULL) {
|
||||||
diff --color -ru ../libssh-0.10.4/src/dh.c ./src/dh.c
|
diff --color -ru ../libssh-0.9.6/src/dh.c ./src/dh.c
|
||||||
--- ../libssh-0.10.4/src/dh.c 2023-04-27 14:25:46.333381393 +0200
|
--- ../libssh-0.9.6/src/dh.c 2023-04-27 12:22:39.798925404 +0200
|
||||||
+++ ./src/dh.c 2023-04-27 14:35:27.032113551 +0200
|
+++ ./src/dh.c 2023-04-27 12:24:04.680475778 +0200
|
||||||
@@ -352,6 +352,11 @@
|
@@ -342,6 +342,11 @@
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -366,7 +367,7 @@ diff --color -ru ../libssh-0.10.4/src/dh.c ./src/dh.c
|
|||||||
SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
|
||||||
struct ssh_crypto_struct *crypto=session->next_crypto;
|
struct ssh_crypto_struct *crypto=session->next_crypto;
|
||||||
ssh_string pubkey_blob = NULL;
|
ssh_string pubkey_blob = NULL;
|
||||||
@@ -361,7 +366,7 @@
|
@@ -351,7 +356,7 @@
|
||||||
(void)type;
|
(void)type;
|
||||||
(void)user;
|
(void)user;
|
||||||
|
|
||||||
@ -375,10 +376,10 @@ diff --color -ru ../libssh-0.10.4/src/dh.c ./src/dh.c
|
|||||||
|
|
||||||
rc = ssh_buffer_unpack(packet, "SBS", &pubkey_blob, &server_pubkey,
|
rc = ssh_buffer_unpack(packet, "SBS", &pubkey_blob, &server_pubkey,
|
||||||
&crypto->dh_server_signature);
|
&crypto->dh_server_signature);
|
||||||
diff --color -ru ../libssh-0.10.4/src/dh-gex.c ./src/dh-gex.c
|
diff --color -ru ../libssh-0.9.6/src/dh-gex.c ./src/dh-gex.c
|
||||||
--- ../libssh-0.10.4/src/dh-gex.c 2023-04-27 14:25:46.333381393 +0200
|
--- ../libssh-0.9.6/src/dh-gex.c 2023-04-27 12:22:39.797925403 +0200
|
||||||
+++ ./src/dh-gex.c 2023-04-27 14:35:27.031113541 +0200
|
+++ ./src/dh-gex.c 2023-04-27 12:24:04.680475778 +0200
|
||||||
@@ -248,6 +248,11 @@
|
@@ -238,6 +238,11 @@
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -390,7 +391,7 @@ diff --color -ru ../libssh-0.10.4/src/dh-gex.c ./src/dh-gex.c
|
|||||||
static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
|
||||||
{
|
{
|
||||||
struct ssh_crypto_struct *crypto=session->next_crypto;
|
struct ssh_crypto_struct *crypto=session->next_crypto;
|
||||||
@@ -258,7 +263,7 @@
|
@@ -248,7 +253,7 @@
|
||||||
(void)user;
|
(void)user;
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_KEX_DH_GEX_REPLY received");
|
SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_KEX_DH_GEX_REPLY received");
|
||||||
|
|
||||||
@ -399,9 +400,9 @@ diff --color -ru ../libssh-0.10.4/src/dh-gex.c ./src/dh-gex.c
|
|||||||
rc = ssh_buffer_unpack(packet,
|
rc = ssh_buffer_unpack(packet,
|
||||||
"SBS",
|
"SBS",
|
||||||
&pubkey_blob, &server_pubkey,
|
&pubkey_blob, &server_pubkey,
|
||||||
diff --color -ru ../libssh-0.10.4/src/ecdh.c ./src/ecdh.c
|
diff --color -ru ../libssh-0.9.6/src/ecdh.c ./src/ecdh.c
|
||||||
--- ../libssh-0.10.4/src/ecdh.c 2023-04-27 14:25:46.333381393 +0200
|
--- ../libssh-0.9.6/src/ecdh.c 2023-04-27 12:22:39.798925404 +0200
|
||||||
+++ ./src/ecdh.c 2023-04-27 14:35:27.032113551 +0200
|
+++ ./src/ecdh.c 2023-04-27 12:24:04.680475778 +0200
|
||||||
@@ -43,6 +43,11 @@
|
@@ -43,6 +43,11 @@
|
||||||
.user = NULL
|
.user = NULL
|
||||||
};
|
};
|
||||||
@ -423,10 +424,10 @@ diff --color -ru ../libssh-0.10.4/src/ecdh.c ./src/ecdh.c
|
|||||||
pubkey_blob = ssh_buffer_get_ssh_string(packet);
|
pubkey_blob = ssh_buffer_get_ssh_string(packet);
|
||||||
if (pubkey_blob == NULL) {
|
if (pubkey_blob == NULL) {
|
||||||
ssh_set_error(session,SSH_FATAL, "No public key in packet");
|
ssh_set_error(session,SSH_FATAL, "No public key in packet");
|
||||||
diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
|
||||||
--- ../libssh-0.10.4/src/gssapi.c 2023-04-27 14:25:46.333381393 +0200
|
--- ../libssh-0.9.6/src/gssapi.c 2023-04-27 12:22:39.798925404 +0200
|
||||||
+++ ./src/gssapi.c 2023-04-27 14:29:22.606512115 +0200
|
+++ ./src/gssapi.c 2023-04-27 12:24:04.681475778 +0200
|
||||||
@@ -229,6 +229,7 @@
|
@@ -223,6 +223,7 @@
|
||||||
"indicate mechs",
|
"indicate mechs",
|
||||||
maj_stat,
|
maj_stat,
|
||||||
min_stat);
|
min_stat);
|
||||||
@ -434,7 +435,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -265,8 +266,10 @@
|
@@ -259,8 +260,10 @@
|
||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
}
|
}
|
||||||
/* from now we have room for context */
|
/* from now we have room for context */
|
||||||
@ -446,7 +447,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
|
|
||||||
name_buf.value = service_name;
|
name_buf.value = service_name;
|
||||||
name_buf.length = strlen(name_buf.value) + 1;
|
name_buf.length = strlen(name_buf.value) + 1;
|
||||||
@@ -278,6 +281,7 @@
|
@@ -272,6 +275,7 @@
|
||||||
"importing name",
|
"importing name",
|
||||||
maj_stat,
|
maj_stat,
|
||||||
min_stat);
|
min_stat);
|
||||||
@ -454,7 +455,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -345,6 +349,7 @@
|
@@ -338,6 +342,7 @@
|
||||||
min_stat);
|
min_stat);
|
||||||
ptr = malloc(buffer.length + 1);
|
ptr = malloc(buffer.length + 1);
|
||||||
if (ptr == NULL) {
|
if (ptr == NULL) {
|
||||||
@ -462,7 +463,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
memcpy(ptr, buffer.value, buffer.length);
|
memcpy(ptr, buffer.value, buffer.length);
|
||||||
@@ -428,6 +433,7 @@
|
@@ -421,6 +426,7 @@
|
||||||
"Gssapi error",
|
"Gssapi error",
|
||||||
maj_stat,
|
maj_stat,
|
||||||
min_stat);
|
min_stat);
|
||||||
@ -470,7 +471,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_auth_reply_default(session,0);
|
ssh_auth_reply_default(session,0);
|
||||||
ssh_gssapi_free(session);
|
ssh_gssapi_free(session);
|
||||||
session->gssapi=NULL;
|
session->gssapi=NULL;
|
||||||
@@ -445,6 +451,9 @@
|
@@ -438,6 +444,9 @@
|
||||||
(size_t)output_token.length, output_token.value);
|
(size_t)output_token.length, output_token.value);
|
||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
}
|
}
|
||||||
@ -480,7 +481,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
if(maj_stat == GSS_S_COMPLETE){
|
if(maj_stat == GSS_S_COMPLETE){
|
||||||
session->gssapi->state = SSH_GSSAPI_STATE_RCV_MIC;
|
session->gssapi->state = SSH_GSSAPI_STATE_RCV_MIC;
|
||||||
}
|
}
|
||||||
@@ -648,7 +657,7 @@
|
@@ -638,7 +647,7 @@
|
||||||
static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids)
|
static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids)
|
||||||
{
|
{
|
||||||
OM_uint32 maj_stat, min_stat, lifetime;
|
OM_uint32 maj_stat, min_stat, lifetime;
|
||||||
@ -489,7 +490,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
gss_buffer_desc namebuf;
|
gss_buffer_desc namebuf;
|
||||||
gss_name_t client_id = GSS_C_NO_NAME;
|
gss_name_t client_id = GSS_C_NO_NAME;
|
||||||
gss_OID oid;
|
gss_OID oid;
|
||||||
@@ -710,6 +719,7 @@
|
@@ -700,6 +709,7 @@
|
||||||
ret = SSH_OK;
|
ret = SSH_OK;
|
||||||
|
|
||||||
end:
|
end:
|
||||||
@ -497,16 +498,16 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
gss_release_name(&min_stat, &client_id);
|
gss_release_name(&min_stat, &client_id);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -724,7 +734,7 @@
|
@@ -713,7 +723,7 @@
|
||||||
int ssh_gssapi_auth_mic(ssh_session session)
|
*/
|
||||||
{
|
int ssh_gssapi_auth_mic(ssh_session session){
|
||||||
size_t i;
|
size_t i;
|
||||||
- gss_OID_set selected; /* oid selected for authentication */
|
- gss_OID_set selected; /* oid selected for authentication */
|
||||||
+ gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
|
+ gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
|
||||||
ssh_string *oids = NULL;
|
ssh_string *oids = NULL;
|
||||||
int rc;
|
int rc;
|
||||||
size_t n_oids = 0;
|
size_t n_oids = 0;
|
||||||
@@ -801,6 +811,8 @@
|
@@ -790,6 +800,8 @@
|
||||||
SSH_STRING_FREE(oids[i]);
|
SSH_STRING_FREE(oids[i]);
|
||||||
}
|
}
|
||||||
free(oids);
|
free(oids);
|
||||||
@ -515,7 +516,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
if (rc != SSH_ERROR) {
|
if (rc != SSH_ERROR) {
|
||||||
return SSH_AUTH_AGAIN;
|
return SSH_AUTH_AGAIN;
|
||||||
}
|
}
|
||||||
@@ -904,6 +916,8 @@
|
@@ -893,6 +905,8 @@
|
||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
|
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
|
||||||
}
|
}
|
||||||
@ -524,7 +525,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
|
|
||||||
error:
|
error:
|
||||||
@@ -933,8 +947,10 @@
|
@@ -921,8 +935,10 @@
|
||||||
|
|
||||||
maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT,
|
maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT,
|
||||||
&mic_buf, &mic_token_buf);
|
&mic_buf, &mic_token_buf);
|
||||||
@ -536,7 +537,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
||||||
"generating MIC",
|
"generating MIC",
|
||||||
maj_stat,
|
maj_stat,
|
||||||
@@ -947,8 +963,10 @@
|
@@ -935,8 +951,10 @@
|
||||||
SSH2_MSG_USERAUTH_GSSAPI_MIC,
|
SSH2_MSG_USERAUTH_GSSAPI_MIC,
|
||||||
mic_token_buf.length,
|
mic_token_buf.length,
|
||||||
(size_t)mic_token_buf.length, mic_token_buf.value);
|
(size_t)mic_token_buf.length, mic_token_buf.value);
|
||||||
@ -548,7 +549,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
@@ -1017,6 +1035,8 @@
|
@@ -1005,6 +1023,8 @@
|
||||||
ssh_packet_send(session);
|
ssh_packet_send(session);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -557,9 +558,9 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
|
|||||||
if (maj_stat == GSS_S_COMPLETE) {
|
if (maj_stat == GSS_S_COMPLETE) {
|
||||||
ssh_gssapi_send_mic(session);
|
ssh_gssapi_send_mic(session);
|
||||||
session->auth.state = SSH_AUTH_STATE_GSSAPI_MIC_SENT;
|
session->auth.state = SSH_AUTH_STATE_GSSAPI_MIC_SENT;
|
||||||
diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
diff --color -ru ../libssh-0.9.6/src/kex.c ./src/kex.c
|
||||||
--- ../libssh-0.10.4/src/kex.c 2023-04-27 14:25:46.368381754 +0200
|
--- ../libssh-0.9.6/src/kex.c 2023-04-27 12:22:39.798925404 +0200
|
||||||
+++ ./src/kex.c 2023-04-27 14:36:02.692475307 +0200
|
+++ ./src/kex.c 2023-04-27 12:24:08.450478574 +0200
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
@ -568,7 +569,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
#include "libssh/priv.h"
|
#include "libssh/priv.h"
|
||||||
#include "libssh/buffer.h"
|
#include "libssh/buffer.h"
|
||||||
#include "libssh/dh.h"
|
#include "libssh/dh.h"
|
||||||
@@ -328,6 +329,10 @@
|
@@ -305,6 +306,10 @@
|
||||||
|
|
||||||
int is_wrong = 1;
|
int is_wrong = 1;
|
||||||
|
|
||||||
@ -579,7 +580,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
colon = strchr(client_str, ',');
|
colon = strchr(client_str, ',');
|
||||||
if (colon == NULL) {
|
if (colon == NULL) {
|
||||||
client_kex_len = strlen(client_str);
|
client_kex_len = strlen(client_str);
|
||||||
@@ -354,6 +359,7 @@
|
@@ -331,6 +336,7 @@
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
SSH_PACKET_CALLBACK(ssh_packet_kexinit)
|
||||||
{
|
{
|
||||||
int i, ok;
|
int i, ok;
|
||||||
@ -587,7 +588,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
int server_kex = session->server;
|
int server_kex = session->server;
|
||||||
ssh_string str = NULL;
|
ssh_string str = NULL;
|
||||||
char *strings[SSH_KEX_METHODS] = {0};
|
char *strings[SSH_KEX_METHODS] = {0};
|
||||||
@@ -367,35 +373,67 @@
|
@@ -344,35 +350,67 @@
|
||||||
(void)type;
|
(void)type;
|
||||||
(void)user;
|
(void)user;
|
||||||
|
|
||||||
@ -665,7 +666,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -408,7 +446,8 @@
|
@@ -385,7 +423,8 @@
|
||||||
|
|
||||||
rc = ssh_buffer_add_ssh_string(session->in_hashbuf, str);
|
rc = ssh_buffer_add_ssh_string(session->in_hashbuf, str);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
@ -675,7 +676,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -421,14 +460,14 @@
|
@@ -398,14 +437,14 @@
|
||||||
str = NULL;
|
str = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -693,7 +694,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -442,30 +481,48 @@
|
@@ -419,30 +458,48 @@
|
||||||
* that its value is included when computing the session ID (see
|
* that its value is included when computing the session ID (see
|
||||||
* 'make_sessionid').
|
* 'make_sessionid').
|
||||||
*/
|
*/
|
||||||
@ -757,7 +758,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
|
|
||||||
/* The client supports extension negotiation */
|
/* The client supports extension negotiation */
|
||||||
session->extensions |= SSH_EXT_NEGOTIATION;
|
session->extensions |= SSH_EXT_NEGOTIATION;
|
||||||
@@ -475,14 +532,14 @@
|
@@ -452,14 +509,14 @@
|
||||||
* by the client and enable the respective extensions to provide
|
* by the client and enable the respective extensions to provide
|
||||||
* correct signature in the next packet if RSA is negotiated
|
* correct signature in the next packet if RSA is negotiated
|
||||||
*/
|
*/
|
||||||
@ -777,7 +778,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
if (is_allowed != NULL) {
|
if (is_allowed != NULL) {
|
||||||
session->extensions |= SSH_EXT_SIG_RSA_SHA512;
|
session->extensions |= SSH_EXT_SIG_RSA_SHA512;
|
||||||
}
|
}
|
||||||
@@ -492,10 +549,9 @@
|
@@ -469,10 +526,9 @@
|
||||||
ok = ssh_match_group(hostkeys, "rsa-sha2-256");
|
ok = ssh_match_group(hostkeys, "rsa-sha2-256");
|
||||||
if (ok) {
|
if (ok) {
|
||||||
/* Check if rsa-sha2-256 is allowed by config */
|
/* Check if rsa-sha2-256 is allowed by config */
|
||||||
@ -791,7 +792,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
if (is_allowed != NULL) {
|
if (is_allowed != NULL) {
|
||||||
session->extensions |= SSH_EXT_SIG_RSA_SHA256;
|
session->extensions |= SSH_EXT_SIG_RSA_SHA256;
|
||||||
}
|
}
|
||||||
@@ -511,7 +567,7 @@
|
@@ -488,7 +544,7 @@
|
||||||
(session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
|
(session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
|
||||||
session->extensions &= ~(SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512);
|
session->extensions &= ~(SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512);
|
||||||
rsa_sig_ext = ssh_find_matching("rsa-sha2-512,rsa-sha2-256",
|
rsa_sig_ext = ssh_find_matching("rsa-sha2-512,rsa-sha2-256",
|
||||||
@ -800,7 +801,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
if (rsa_sig_ext == NULL) {
|
if (rsa_sig_ext == NULL) {
|
||||||
goto error; /* should never happen */
|
goto error; /* should never happen */
|
||||||
} else if (strcmp(rsa_sig_ext, "rsa-sha2-512") == 0) {
|
} else if (strcmp(rsa_sig_ext, "rsa-sha2-512") == 0) {
|
||||||
@@ -530,24 +586,16 @@
|
@@ -507,24 +563,16 @@
|
||||||
session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
|
session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
|
||||||
session->extensions & SSH_EXT_SIG_RSA_SHA512 ? " SHA512" : "");
|
session->extensions & SSH_EXT_SIG_RSA_SHA512 ? " SHA512" : "");
|
||||||
}
|
}
|
||||||
@ -831,7 +832,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
session->ssh_connection_callback(session);
|
session->ssh_connection_callback(session);
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
|
|
||||||
@@ -695,14 +743,18 @@
|
@@ -672,14 +720,18 @@
|
||||||
int i;
|
int i;
|
||||||
size_t kex_len, len;
|
size_t kex_len, len;
|
||||||
|
|
||||||
@ -852,7 +853,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
/* Set the list of allowed algorithms in order of preference, if it hadn't
|
/* Set the list of allowed algorithms in order of preference, if it hadn't
|
||||||
* been set yet. */
|
* been set yet. */
|
||||||
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
||||||
@@ -772,15 +824,89 @@
|
@@ -749,15 +801,89 @@
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -944,7 +945,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
int i;
|
int i;
|
||||||
|
|
||||||
/* Here we should drop the ext-info-c from the list so we avoid matching.
|
/* Here we should drop the ext-info-c from the list so we avoid matching.
|
||||||
@@ -791,52 +917,41 @@
|
@@ -768,52 +894,41 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
for (i = 0; i < SSH_KEX_METHODS; i++) {
|
||||||
@ -1022,7 +1023,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
session->next_crypto->kex_methods[SSH_KEX],
|
session->next_crypto->kex_methods[SSH_KEX],
|
||||||
session->next_crypto->kex_methods[SSH_HOSTKEYS],
|
session->next_crypto->kex_methods[SSH_HOSTKEYS],
|
||||||
session->next_crypto->kex_methods[SSH_CRYPT_C_S],
|
session->next_crypto->kex_methods[SSH_CRYPT_C_S],
|
||||||
@@ -853,63 +968,116 @@
|
@@ -830,63 +945,116 @@
|
||||||
|
|
||||||
|
|
||||||
/* this function only sends the predefined set of kex methods */
|
/* this function only sends the predefined set of kex methods */
|
||||||
@ -1184,7 +1185,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -952,7 +1120,7 @@
|
@@ -929,7 +1097,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
session->dh_handshake_state = DH_STATE_INIT;
|
session->dh_handshake_state = DH_STATE_INIT;
|
||||||
@ -1193,7 +1194,7 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
SSH_LOG(SSH_LOG_PACKET, "Failed to send kex");
|
SSH_LOG(SSH_LOG_PACKET, "Failed to send kex");
|
||||||
return rc;
|
return rc;
|
||||||
@@ -1142,33 +1310,6 @@
|
@@ -1006,33 +1174,6 @@
|
||||||
client_hash = session->in_hashbuf;
|
client_hash = session->in_hashbuf;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1227,11 +1228,11 @@ diff --color -ru ../libssh-0.10.4/src/kex.c ./src/kex.c
|
|||||||
rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
|
rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
diff --color -ru ../libssh-0.10.4/src/packet.c ./src/packet.c
|
diff --color -ru ../libssh-0.9.6/src/packet.c ./src/packet.c
|
||||||
--- ../libssh-0.10.4/src/packet.c 2023-04-27 14:25:46.334381403 +0200
|
--- ../libssh-0.9.6/src/packet.c 2023-04-27 12:22:39.811925413 +0200
|
||||||
+++ ./src/packet.c 2023-04-27 14:34:36.432602740 +0200
|
+++ ./src/packet.c 2023-04-27 12:24:04.682475779 +0200
|
||||||
@@ -366,6 +366,11 @@
|
@@ -366,6 +366,11 @@
|
||||||
* - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT
|
* - session->dh_handhsake_state = DH_STATE_NEWKEYS_SENT
|
||||||
* */
|
* */
|
||||||
|
|
||||||
+ if (!session->server) {
|
+ if (!session->server) {
|
||||||
@ -1308,7 +1309,7 @@ diff --color -ru ../libssh-0.10.4/src/packet.c ./src/packet.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** @internal
|
/** @internal
|
||||||
@@ -1930,7 +1946,7 @@
|
@@ -1928,7 +1944,7 @@
|
||||||
memcpy(session->next_crypto->session_id,
|
memcpy(session->next_crypto->session_id,
|
||||||
session->current_crypto->session_id,
|
session->current_crypto->session_id,
|
||||||
session_id_len);
|
session_id_len);
|
||||||
@ -1317,9 +1318,9 @@ diff --color -ru ../libssh-0.10.4/src/packet.c ./src/packet.c
|
|||||||
|
|
||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
}
|
}
|
||||||
diff --color -ru ../libssh-0.10.4/src/packet_cb.c ./src/packet_cb.c
|
diff --color -ru ../libssh-0.9.6/src/packet_cb.c ./src/packet_cb.c
|
||||||
--- ../libssh-0.10.4/src/packet_cb.c 2023-04-27 14:25:46.334381403 +0200
|
--- ../libssh-0.9.6/src/packet_cb.c 2023-04-27 12:22:39.799925404 +0200
|
||||||
+++ ./src/packet_cb.c 2023-04-27 14:34:36.428602699 +0200
|
+++ ./src/packet_cb.c 2023-04-27 12:24:04.682475779 +0200
|
||||||
@@ -156,6 +156,9 @@
|
@@ -156,6 +156,9 @@
|
||||||
session->next_crypto->digest_len);
|
session->next_crypto->digest_len);
|
||||||
SSH_SIGNATURE_FREE(sig);
|
SSH_SIGNATURE_FREE(sig);
|
||||||
@ -1330,9 +1331,9 @@ diff --color -ru ../libssh-0.10.4/src/packet_cb.c ./src/packet_cb.c
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG,"Signature verified and valid");
|
SSH_LOG(SSH_LOG_DEBUG,"Signature verified and valid");
|
||||||
diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
diff --color -ru ../libssh-0.9.6/src/server.c ./src/server.c
|
||||||
--- ../libssh-0.10.4/src/server.c 2023-04-27 14:25:46.347381537 +0200
|
--- ../libssh-0.9.6/src/server.c 2023-04-27 12:22:39.800925405 +0200
|
||||||
+++ ./src/server.c 2023-04-27 14:35:27.041113642 +0200
|
+++ ./src/server.c 2023-04-27 12:24:04.683475780 +0200
|
||||||
@@ -92,7 +92,11 @@
|
@@ -92,7 +92,11 @@
|
||||||
size_t len;
|
size_t len;
|
||||||
int ok;
|
int ok;
|
||||||
@ -1346,7 +1347,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
|
|
||||||
ok = ssh_get_random(server->cookie, 16, 0);
|
ok = ssh_get_random(server->cookie, 16, 0);
|
||||||
if (!ok) {
|
if (!ok) {
|
||||||
@@ -336,116 +340,119 @@
|
@@ -335,117 +339,121 @@
|
||||||
* @brief A function to be called each time a step has been done in the
|
* @brief A function to be called each time a step has been done in the
|
||||||
* connection.
|
* connection.
|
||||||
*/
|
*/
|
||||||
@ -1362,20 +1363,6 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
- break;
|
- break;
|
||||||
- case SSH_SESSION_STATE_BANNER_RECEIVED:
|
- case SSH_SESSION_STATE_BANNER_RECEIVED:
|
||||||
- if (session->clientbanner == NULL) {
|
- if (session->clientbanner == NULL) {
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
- set_status(session, 0.4f);
|
|
||||||
- SSH_LOG(SSH_LOG_DEBUG,
|
|
||||||
- "SSH client banner: %s", session->clientbanner);
|
|
||||||
-
|
|
||||||
- /* Here we analyze the different protocols the server allows. */
|
|
||||||
- rc = ssh_analyze_banner(session, 1);
|
|
||||||
- if (rc < 0) {
|
|
||||||
- ssh_set_error(session, SSH_FATAL,
|
|
||||||
- "No version of SSH protocol usable (banner: %s)",
|
|
||||||
- session->clientbanner);
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
+ switch (session->session_state) {
|
+ switch (session->session_state) {
|
||||||
+ case SSH_SESSION_STATE_NONE:
|
+ case SSH_SESSION_STATE_NONE:
|
||||||
+ case SSH_SESSION_STATE_CONNECTING:
|
+ case SSH_SESSION_STATE_CONNECTING:
|
||||||
@ -1397,16 +1384,11 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
+ session->clientbanner);
|
+ session->clientbanner);
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
- /* from now, the packet layer is handling incoming packets */
|
|
||||||
- ssh_packet_register_socket_callback(session, session->socket);
|
|
||||||
+ /* from now, the packet layer is handling incoming packets */
|
+ /* from now, the packet layer is handling incoming packets */
|
||||||
|
+ session->socket_callbacks.data = ssh_packet_socket_callback;
|
||||||
+ ssh_packet_register_socket_callback(session, session->socket);
|
+ ssh_packet_register_socket_callback(session, session->socket);
|
||||||
|
+
|
||||||
- ssh_packet_set_default_callbacks(session);
|
|
||||||
- set_status(session, 0.5f);
|
|
||||||
- session->session_state=SSH_SESSION_STATE_INITIAL_KEX;
|
|
||||||
- if (ssh_send_kex(session, 1) < 0) {
|
|
||||||
+ ssh_packet_set_default_callbacks(session);
|
+ ssh_packet_set_default_callbacks(session);
|
||||||
+ set_status(session, 0.5f);
|
+ set_status(session, 0.5f);
|
||||||
+ session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
|
+ session->session_state = SSH_SESSION_STATE_INITIAL_KEX;
|
||||||
@ -1423,6 +1405,43 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
+ if (server_set_kex(session) == SSH_ERROR)
|
+ if (server_set_kex(session) == SSH_ERROR)
|
||||||
goto error;
|
goto error;
|
||||||
- }
|
- }
|
||||||
|
- set_status(session, 0.4f);
|
||||||
|
- SSH_LOG(SSH_LOG_DEBUG,
|
||||||
|
- "SSH client banner: %s", session->clientbanner);
|
||||||
|
-
|
||||||
|
- /* Here we analyze the different protocols the server allows. */
|
||||||
|
- rc = ssh_analyze_banner(session, 1);
|
||||||
|
- if (rc < 0) {
|
||||||
|
- ssh_set_error(session, SSH_FATAL,
|
||||||
|
- "No version of SSH protocol usable (banner: %s)",
|
||||||
|
- session->clientbanner);
|
||||||
|
+ /* We are in a rekeying, so we need to send the server kex */
|
||||||
|
+ if (ssh_send_kex(session) < 0)
|
||||||
|
goto error;
|
||||||
|
- }
|
||||||
|
+ }
|
||||||
|
+ ssh_list_kex(&session->next_crypto->client_kex); // log client kex
|
||||||
|
+ if (ssh_kex_select_methods(session) < 0) {
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+ if (crypt_set_algorithms_server(session) == SSH_ERROR)
|
||||||
|
+ goto error;
|
||||||
|
+ set_status(session, 0.8f);
|
||||||
|
+ session->session_state = SSH_SESSION_STATE_DH;
|
||||||
|
+ break;
|
||||||
|
+ case SSH_SESSION_STATE_DH:
|
||||||
|
+ if (session->dh_handshake_state == DH_STATE_FINISHED) {
|
||||||
|
|
||||||
|
- /* from now, the packet layer is handling incoming packets */
|
||||||
|
- session->socket_callbacks.data=ssh_packet_socket_callback;
|
||||||
|
- ssh_packet_register_socket_callback(session, session->socket);
|
||||||
|
-
|
||||||
|
- ssh_packet_set_default_callbacks(session);
|
||||||
|
- set_status(session, 0.5f);
|
||||||
|
- session->session_state=SSH_SESSION_STATE_INITIAL_KEX;
|
||||||
|
- if (ssh_send_kex(session, 1) < 0) {
|
||||||
|
- goto error;
|
||||||
|
- }
|
||||||
- break;
|
- break;
|
||||||
- case SSH_SESSION_STATE_INITIAL_KEX:
|
- case SSH_SESSION_STATE_INITIAL_KEX:
|
||||||
- /* TODO: This state should disappear in favor of get_key handle */
|
- /* TODO: This state should disappear in favor of get_key handle */
|
||||||
@ -1438,27 +1457,12 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
- }
|
- }
|
||||||
- ssh_list_kex(&session->next_crypto->client_kex); // log client kex
|
- ssh_list_kex(&session->next_crypto->client_kex); // log client kex
|
||||||
- if (ssh_kex_select_methods(session) < 0) {
|
- if (ssh_kex_select_methods(session) < 0) {
|
||||||
+ /* We are in a rekeying, so we need to send the server kex */
|
|
||||||
+ if (ssh_send_kex(session) < 0)
|
|
||||||
goto error;
|
|
||||||
- }
|
|
||||||
- if (crypt_set_algorithms_server(session) == SSH_ERROR)
|
|
||||||
+ }
|
|
||||||
+ ssh_list_kex(&session->next_crypto->client_kex); // log client kex
|
|
||||||
+ if (ssh_kex_select_methods(session) < 0) {
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ if (crypt_set_algorithms_server(session) == SSH_ERROR)
|
|
||||||
+ goto error;
|
|
||||||
+ set_status(session, 0.8f);
|
|
||||||
+ session->session_state = SSH_SESSION_STATE_DH;
|
|
||||||
+ break;
|
|
||||||
+ case SSH_SESSION_STATE_DH:
|
|
||||||
+ if (session->dh_handshake_state == DH_STATE_FINISHED) {
|
|
||||||
+
|
|
||||||
+ rc = ssh_packet_set_newkeys(session, SSH_DIRECTION_IN);
|
+ rc = ssh_packet_set_newkeys(session, SSH_DIRECTION_IN);
|
||||||
+ if (rc != SSH_OK) {
|
+ if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
|
}
|
||||||
|
- if (crypt_set_algorithms_server(session) == SSH_ERROR)
|
||||||
|
- goto error;
|
||||||
- set_status(session,0.8f);
|
- set_status(session,0.8f);
|
||||||
- session->session_state=SSH_SESSION_STATE_DH;
|
- session->session_state=SSH_SESSION_STATE_DH;
|
||||||
- break;
|
- break;
|
||||||
@ -1469,8 +1473,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
- if (rc != SSH_OK) {
|
- if (rc != SSH_OK) {
|
||||||
- goto error;
|
- goto error;
|
||||||
- }
|
- }
|
||||||
+ }
|
+
|
||||||
|
|
||||||
+ /*
|
+ /*
|
||||||
+ * If the client supports extension negotiation, we will send
|
+ * If the client supports extension negotiation, we will send
|
||||||
+ * our supported extensions now. This is the first message after
|
+ * our supported extensions now. This is the first message after
|
||||||
@ -1478,6 +1481,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
+ */
|
+ */
|
||||||
+ if (session->extensions & SSH_EXT_NEGOTIATION &&
|
+ if (session->extensions & SSH_EXT_NEGOTIATION &&
|
||||||
+ session->session_state != SSH_SESSION_STATE_AUTHENTICATED) {
|
+ session->session_state != SSH_SESSION_STATE_AUTHENTICATED) {
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * If the client supports extension negotiation, we will send
|
- * If the client supports extension negotiation, we will send
|
||||||
- * our supported extensions now. This is the first message after
|
- * our supported extensions now. This is the first message after
|
||||||
@ -1557,20 +1561,20 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -459,16 +466,17 @@
|
@@ -459,16 +467,17 @@
|
||||||
* @param user is a pointer to session
|
* @param user is a pointer to session
|
||||||
* @returns Number of bytes processed, or zero if the banner is not complete.
|
* @returns Number of bytes processed, or zero if the banner is not complete.
|
||||||
*/
|
*/
|
||||||
-static size_t callback_receive_banner(const void *data, size_t len, void *user) {
|
-static int callback_receive_banner(const void *data, size_t len, void *user) {
|
||||||
- char *buffer = (char *) data;
|
- char *buffer = (char *) data;
|
||||||
- ssh_session session = (ssh_session) user;
|
- ssh_session session = (ssh_session) user;
|
||||||
+static size_t callback_receive_banner(const void *data, size_t len, void *user)
|
+static int callback_receive_banner(const void *data, size_t len, void *user)
|
||||||
+{
|
+{
|
||||||
+ char *buffer = (char *)data;
|
+ char *buffer = (char *)data;
|
||||||
+ ssh_session session = (ssh_session)user;
|
+ ssh_session session = (ssh_session)user;
|
||||||
char *str = NULL;
|
char *str = NULL;
|
||||||
size_t i;
|
size_t i;
|
||||||
size_t processed = 0;
|
int ret=0;
|
||||||
|
|
||||||
for (i = 0; i < len; i++) {
|
for (i = 0; i < len; i++) {
|
||||||
#ifdef WITH_PCAP
|
#ifdef WITH_PCAP
|
||||||
@ -1579,7 +1583,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
ssh_pcap_context_write(session->pcap_ctx,
|
ssh_pcap_context_write(session->pcap_ctx,
|
||||||
SSH_PCAP_DIR_IN,
|
SSH_PCAP_DIR_IN,
|
||||||
buffer,
|
buffer,
|
||||||
@@ -477,11 +485,11 @@
|
@@ -477,11 +486,11 @@
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (buffer[i] == '\r') {
|
if (buffer[i] == '\r') {
|
||||||
@ -1593,8 +1597,8 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
|
|
||||||
str = strdup(buffer);
|
str = strdup(buffer);
|
||||||
/* number of bytes read */
|
/* number of bytes read */
|
||||||
@@ -494,10 +502,11 @@
|
@@ -494,10 +503,11 @@
|
||||||
return processed;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
- if(i > 127) {
|
- if(i > 127) {
|
||||||
@ -1607,7 +1611,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -549,10 +558,14 @@
|
@@ -525,10 +535,14 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Do the banner and key exchange */
|
/* Do the banner and key exchange */
|
||||||
@ -1625,7 +1629,7 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
rc = ssh_send_banner(session, 1);
|
rc = ssh_send_banner(session, 1);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
@@ -563,27 +576,28 @@
|
@@ -539,27 +553,28 @@
|
||||||
session->ssh_connection_callback = ssh_server_connection_callback;
|
session->ssh_connection_callback = ssh_server_connection_callback;
|
||||||
session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED;
|
session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED;
|
||||||
ssh_socket_set_callbacks(session->socket,&session->socket_callbacks);
|
ssh_socket_set_callbacks(session->socket,&session->socket_callbacks);
|
||||||
@ -1664,9 +1668,9 @@ diff --color -ru ../libssh-0.10.4/src/server.c ./src/server.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* messages */
|
/* messages */
|
||||||
diff --color -ru ../libssh-0.10.4/src/token.c ./src/token.c
|
diff --color -ru ../libssh-0.9.6/src/token.c ./src/token.c
|
||||||
--- ../libssh-0.10.4/src/token.c 2023-04-27 14:25:46.346381527 +0200
|
--- ../libssh-0.9.6/src/token.c 2021-03-15 08:11:33.000000000 +0100
|
||||||
+++ ./src/token.c 2023-04-27 14:34:36.426602679 +0200
|
+++ ./src/token.c 2023-04-27 12:21:30.260820657 +0200
|
||||||
@@ -87,7 +87,7 @@
|
@@ -87,7 +87,7 @@
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -1676,10 +1680,10 @@ diff --color -ru ../libssh-0.10.4/src/token.c ./src/token.c
|
|||||||
if (tokens->buffer == NULL) {
|
if (tokens->buffer == NULL) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
diff --color -ru ../libssh-0.10.4/src/wrapper.c ./src/wrapper.c
|
diff --color -ru ../libssh-0.9.6/src/wrapper.c ./src/wrapper.c
|
||||||
--- ../libssh-0.10.4/src/wrapper.c 2022-08-30 13:26:05.000000000 +0200
|
--- ../libssh-0.9.6/src/wrapper.c 2021-08-26 14:27:44.000000000 +0200
|
||||||
+++ ./src/wrapper.c 2023-04-27 14:31:16.130584204 +0200
|
+++ ./src/wrapper.c 2023-04-27 12:21:30.260820657 +0200
|
||||||
@@ -150,15 +150,16 @@
|
@@ -147,15 +147,16 @@
|
||||||
SAFE_FREE(cipher);
|
SAFE_FREE(cipher);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1704,24 +1708,10 @@ diff --color -ru ../libssh-0.10.4/src/wrapper.c ./src/wrapper.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
void crypto_free(struct ssh_crypto_struct *crypto)
|
void crypto_free(struct ssh_crypto_struct *crypto)
|
||||||
diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
||||||
--- ../libssh-0.10.4/tests/client/torture_rekey.c 2022-09-02 09:56:54.000000000 +0200
|
--- ../libssh-0.9.6/tests/client/torture_rekey.c 2021-08-26 14:27:44.000000000 +0200
|
||||||
+++ ./tests/client/torture_rekey.c 2023-04-27 14:38:20.352896968 +0200
|
+++ ./tests/client/torture_rekey.c 2023-04-27 12:24:04.684475780 +0200
|
||||||
@@ -192,10 +192,11 @@
|
@@ -651,6 +651,92 @@
|
||||||
rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
|
|
||||||
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
||||||
|
|
||||||
- /* send ignore packets of up to 1KB to trigger rekey */
|
|
||||||
+ /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
|
|
||||||
+ * to make sure it completes with all different ciphers */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 16; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
}
|
|
||||||
@@ -671,6 +672,92 @@
|
|
||||||
#endif /* WITH_SFTP */
|
#endif /* WITH_SFTP */
|
||||||
|
|
||||||
|
|
||||||
@ -1814,10 +1804,12 @@ diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/to
|
|||||||
int torture_run_tests(void) {
|
int torture_run_tests(void) {
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
@@ -704,6 +791,33 @@
|
@@ -671,19 +757,34 @@
|
||||||
|
cmocka_unit_test_setup_teardown(torture_rekey_different_kex,
|
||||||
session_setup,
|
session_setup,
|
||||||
session_teardown),
|
session_teardown),
|
||||||
/* TODO verify the two rekey are possible and the states are not broken after rekey */
|
- /* Note, that this modifies the sshd_config */
|
||||||
|
+ /* TODO verify the two rekey are possible and the states are not broken after rekey */
|
||||||
+
|
+
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_server_different_kex,
|
+ cmocka_unit_test_setup_teardown(torture_rekey_server_different_kex,
|
||||||
+ session_setup,
|
+ session_setup,
|
||||||
@ -1825,22 +1817,25 @@ diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/to
|
|||||||
+ /* Note, that these tests modify the sshd_config so follow-up tests
|
+ /* Note, that these tests modify the sshd_config so follow-up tests
|
||||||
+ * might get unexpected behavior if they do not update the server with
|
+ * might get unexpected behavior if they do not update the server with
|
||||||
+ * torture_update_sshd_config() too */
|
+ * torture_update_sshd_config() too */
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_server_send,
|
cmocka_unit_test_setup_teardown(torture_rekey_server_send,
|
||||||
+ session_setup,
|
session_setup,
|
||||||
+ session_teardown),
|
session_teardown),
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_send,
|
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_send,
|
||||||
+ session_setup,
|
+ session_setup,
|
||||||
+ session_teardown),
|
+ session_teardown),
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_wrong_send,
|
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_wrong_send,
|
||||||
+ session_setup,
|
+ session_setup,
|
||||||
+ session_teardown),
|
+ session_teardown),
|
||||||
+#ifdef WITH_SFTP
|
#ifdef WITH_SFTP
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_server_recv,
|
cmocka_unit_test_setup_teardown(torture_rekey_server_recv,
|
||||||
+ session_setup_sftp_server,
|
session_setup_sftp_server,
|
||||||
+ session_teardown),
|
session_teardown),
|
||||||
|
-#endif /* WITH_SFTP */
|
||||||
|
- cmocka_unit_test_setup_teardown(torture_rekey_server_different_kex,
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_recv,
|
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_recv,
|
||||||
+ session_setup,
|
session_setup,
|
||||||
+ session_teardown),
|
session_teardown),
|
||||||
|
- /* TODO verify the two rekey are possible and the states are not broken after rekey */
|
||||||
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_wrong_recv,
|
+ cmocka_unit_test_setup_teardown(torture_rekey_guess_wrong_recv,
|
||||||
+ session_setup,
|
+ session_setup,
|
||||||
+ session_teardown),
|
+ session_teardown),
|
||||||
@ -1848,14 +1843,3 @@ diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/to
|
|||||||
};
|
};
|
||||||
|
|
||||||
ssh_init();
|
ssh_init();
|
||||||
diff --color -ru ../libssh-0.10.4/tests/fuzz/ssh_server_fuzzer.c ./tests/fuzz/ssh_server_fuzzer.c
|
|
||||||
--- ../libssh-0.10.4/tests/fuzz/ssh_server_fuzzer.c 2022-07-07 15:53:51.000000000 +0200
|
|
||||||
+++ ./tests/fuzz/ssh_server_fuzzer.c 2023-04-27 14:28:50.620219301 +0200
|
|
||||||
@@ -186,6 +186,7 @@
|
|
||||||
ssh_set_auth_methods(session, SSH_AUTH_METHOD_NONE);
|
|
||||||
|
|
||||||
ssh_callbacks_init(&server_cb);
|
|
||||||
+ ssh_set_server_callbacks(session, &server_cb);
|
|
||||||
|
|
||||||
rc = ssh_bind_accept_fd(sshbind, session, socket_fds[0]);
|
|
||||||
assert(rc == SSH_OK);
|
|
19
SOURCES/s390x_fix.patch
Normal file
19
SOURCES/s390x_fix.patch
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
diff --git a/src/packet.c b/src/packet.c
|
||||||
|
index ec4a7203..a81eb8e3 100644
|
||||||
|
--- a/src/packet.c
|
||||||
|
+++ b/src/packet.c
|
||||||
|
@@ -1752,10 +1752,12 @@ static bool
|
||||||
|
ssh_packet_in_rekey(ssh_session session)
|
||||||
|
{
|
||||||
|
/* We know we are rekeying if we are authenticated and the DH
|
||||||
|
- * status is not finished
|
||||||
|
+ * status is not finished, but we only queue packets until we've
|
||||||
|
+ * sent our NEWKEYS.
|
||||||
|
*/
|
||||||
|
return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
|
||||||
|
- (session->dh_handshake_state != DH_STATE_FINISHED);
|
||||||
|
+ (session->dh_handshake_state != DH_STATE_FINISHED) &&
|
||||||
|
+ (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
|
||||||
|
}
|
||||||
|
|
||||||
|
int ssh_packet_send(ssh_session session)
|
@ -1,61 +1,54 @@
|
|||||||
Name: libssh
|
Name: libssh
|
||||||
Version: 0.10.4
|
Version: 0.9.6
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
Summary: A library implementing the SSH protocol
|
Summary: A library implementing the SSH protocol
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://www.libssh.org
|
URL: http://www.libssh.org
|
||||||
|
|
||||||
Source0: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
|
Source0: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
|
||||||
Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
|
Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
|
||||||
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
|
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
|
||||||
Source3: libssh_client.config
|
Source3: libssh_client.config
|
||||||
Source4: libssh_server.config
|
Source4: libssh_server.config
|
||||||
|
|
||||||
|
Patch0: loglevel.patch
|
||||||
|
Patch1: s390x_fix.patch
|
||||||
|
Patch2: null_dereference_rekey.patch
|
||||||
|
Patch3: auth_bypass.patch
|
||||||
|
Patch4: fix_tests.patch
|
||||||
|
Patch5: covscan23.patch
|
||||||
|
Patch6: CVE-2023-48795.patch
|
||||||
|
Patch7: CVE-2023-6004.patch
|
||||||
|
Patch8: CVE-2023-6918.patch
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
|
BuildRequires: doxygen
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: openssl-pkcs11
|
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
BuildRequires: libcmocka-devel
|
BuildRequires: libcmocka-devel
|
||||||
|
BuildRequires: openssh-clients
|
||||||
|
BuildRequires: openssh-server
|
||||||
BuildRequires: pam_wrapper
|
BuildRequires: pam_wrapper
|
||||||
BuildRequires: socket_wrapper
|
BuildRequires: socket_wrapper
|
||||||
BuildRequires: nss_wrapper
|
BuildRequires: nss_wrapper
|
||||||
BuildRequires: uid_wrapper
|
BuildRequires: uid_wrapper
|
||||||
BuildRequires: openssh-clients
|
|
||||||
BuildRequires: openssh-server
|
|
||||||
BuildRequires: nmap-ncat
|
BuildRequires: nmap-ncat
|
||||||
BuildRequires: softhsm
|
|
||||||
BuildRequires: gnutls-utils
|
|
||||||
|
|
||||||
Requires: %{name}-config = %{version}-%{release}
|
|
||||||
Requires: crypto-policies
|
Requires: crypto-policies
|
||||||
|
Requires: %{name}-config = %{version}-%{release}
|
||||||
|
|
||||||
%ifarch aarch64 ppc64 ppc64le s390x x86_64
|
%ifarch aarch64 ppc64 ppc64le s390x x86_64
|
||||||
|
Provides: libssh_threads.so()(64bit)
|
||||||
Provides: libssh_threads.so.4()(64bit)
|
Provides: libssh_threads.so.4()(64bit)
|
||||||
%else
|
%else
|
||||||
|
Provides: libssh_threads.so
|
||||||
Provides: libssh_threads.so.4
|
Provides: libssh_threads.so.4
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Patch1: coverity_scan.patch
|
|
||||||
Patch2: pkcs11_test_fix.patch
|
|
||||||
Patch3: loglevel.patch
|
|
||||||
Patch4: plus_sign.patch
|
|
||||||
Patch5: memory_leak.patch
|
|
||||||
Patch6: options_apply.patch
|
|
||||||
Patch7: enable_sk_keys_by_config.patch
|
|
||||||
Patch8: null_dereference_rekey.patch
|
|
||||||
Patch9: auth_bypass.patch
|
|
||||||
Patch10: covscan23.patch
|
|
||||||
Patch11: rekey_test_fixup.patch
|
|
||||||
Patch12: covscan23_1.patch
|
|
||||||
Patch13: CVE-2023-6004.patch
|
|
||||||
Patch14: CVE-2023-48795.patch
|
|
||||||
Patch15: CVE-2023-6918.patch
|
|
||||||
Patch16: escape-brackets-in-proxycommand.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The ssh library was designed to be used by programmers needing a working SSH
|
The ssh library was designed to be used by programmers needing a working SSH
|
||||||
implementation by the mean of a library. The complete control of the client is
|
implementation by the mean of a library. The complete control of the client is
|
||||||
@ -75,7 +68,7 @@ applications that use %{name}.
|
|||||||
%package config
|
%package config
|
||||||
Summary: Configuration files for %{name}
|
Summary: Configuration files for %{name}
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
Obsoletes: %{name} < 0.9.0-3
|
Obsoletes: %{name} < 0.9.0-1
|
||||||
|
|
||||||
%description config
|
%description config
|
||||||
The %{name}-config package provides the default configuration files for %{name}.
|
The %{name}-config package provides the default configuration files for %{name}.
|
||||||
@ -85,18 +78,26 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
|||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%cmake \
|
if test ! -e "obj"; then
|
||||||
|
mkdir obj
|
||||||
|
fi
|
||||||
|
pushd obj
|
||||||
|
|
||||||
|
%cmake .. \
|
||||||
-DUNIT_TESTING=ON \
|
-DUNIT_TESTING=ON \
|
||||||
-DCLIENT_TESTING=ON \
|
-DCLIENT_TESTING=ON \
|
||||||
-DSERVER_TESTING=ON \
|
-DSERVER_TESTING=ON \
|
||||||
-DWITH_PKCS11_URI=ON \
|
|
||||||
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
||||||
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
||||||
|
|
||||||
%cmake_build
|
|
||||||
|
%make_build VERBOSE=1
|
||||||
|
make docs
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%cmake_install
|
make DESTDIR=%{buildroot} install/fast -C obj
|
||||||
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
|
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
|
||||||
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
|
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
|
||||||
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
||||||
@ -108,7 +109,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
|
|||||||
# requiring it to continue working.
|
# requiring it to continue working.
|
||||||
#
|
#
|
||||||
pushd %{buildroot}%{_libdir}
|
pushd %{buildroot}%{_libdir}
|
||||||
for i in libssh.so*;
|
for i in libssh.so.4*;
|
||||||
do
|
do
|
||||||
_target="${i}"
|
_target="${i}"
|
||||||
_link_name="${i%libssh*}libssh_threads${i##*libssh}"
|
_link_name="${i%libssh*}libssh_threads${i##*libssh}"
|
||||||
@ -122,24 +123,24 @@ popd
|
|||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# Tests are randomly failing when run in parallel
|
pushd obj
|
||||||
%global _smp_build_ncpus 1
|
ctest --output-on-failure
|
||||||
%ctest
|
popd
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc AUTHORS BSD CHANGELOG README
|
%doc AUTHORS BSD ChangeLog README
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%{_libdir}/libssh.so.4*
|
%{_libdir}/libssh.so.4*
|
||||||
%{_libdir}/libssh_threads.so.4*
|
%{_libdir}/libssh_threads.so.4*
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
|
%doc obj/doc/html
|
||||||
%{_includedir}/libssh/
|
%{_includedir}/libssh/
|
||||||
# own this to avoid dep on cmake -- rex
|
# own this to avoid dep on cmake -- rex
|
||||||
%dir %{_libdir}/cmake/
|
%dir %{_libdir}/cmake/
|
||||||
%{_libdir}/cmake/libssh/
|
%{_libdir}/cmake/libssh/
|
||||||
%{_libdir}/pkgconfig/libssh.pc
|
%{_libdir}/pkgconfig/libssh.pc
|
||||||
%{_libdir}/libssh.so
|
%{_libdir}/libssh.so
|
||||||
%{_libdir}/libssh_threads.so
|
|
||||||
|
|
||||||
%files config
|
%files config
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/libssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/libssh
|
||||||
@ -147,233 +148,168 @@ popd
|
|||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 19 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-13
|
* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
|
||||||
- Bump up the version so that the version in 9.3 is lower.
|
|
||||||
- Resolves: RHEL-19310, RHEL-19691, RHEL-17245
|
|
||||||
|
|
||||||
* Tue Jan 09 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-12
|
|
||||||
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
|
- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
|
||||||
- Fix CVE-2023-6918 Missing checks for return values for digests
|
- Fix CVE-2023-6918 Missing checks for return values for digests
|
||||||
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
|
- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
|
||||||
of malicious code through hostname
|
of malicious code through hostname
|
||||||
- Resolves: RHEL-19310, RHEL-19691, RHEL-17245
|
- Note: version is bumped from 12 to 14 directly, as the z-stream
|
||||||
|
version in 8.9 also has 13. So bumping it to 14, will prevent
|
||||||
|
upgrade conflicts.
|
||||||
|
- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
|
||||||
|
|
||||||
* Wed Jun 21 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-11
|
* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
|
||||||
- Fix loglevel regression
|
- Fix loglevel regression
|
||||||
- Related: rhbz#2182252, rhbz#2189740
|
- Related: rhbz#2182251, rhbz#2189742
|
||||||
|
|
||||||
* Mon May 22 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4.10
|
* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
|
||||||
- Fix null dereference issues found by covscan
|
- .fmf/version is needed to run the tests
|
||||||
- Related: rhbz#2182252, rhbz#2189740
|
- Related: rhbz#2182251, rhbz#2189742
|
||||||
|
|
||||||
* Wed May 10 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-9
|
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
|
||||||
- Fix CVE-2023-1667 and CVE-2023-2283
|
- Add missing ci.fmf file
|
||||||
- Fix issues found by cosvcan
|
- Related: rhbz#2182251, rhbz#2189742
|
||||||
- Resolves: rhbz#2182252, rhbz#2189740
|
|
||||||
|
|
||||||
* Mon Jan 23 2023 Stanislav Zidek <szidek@redhat.com> - 0.10.4-8
|
* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
|
||||||
+ libssh-0.10.4-8
|
- Fix covscan errors found at gating
|
||||||
- Extended CI to run internal tests in RHEL
|
- Related: rhbz#2182251, rhbz#2189742
|
||||||
- Related: rhbz#2160080
|
|
||||||
|
|
||||||
* Wed Jan 4 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-7
|
* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
|
||||||
- Add sk-keys to configuration parsing allowing to turn on-off by config
|
- Backport test fixing commits to make the build pass
|
||||||
- Related: rhbz#2026449
|
- Related: rhbz#2182251, rhbz#2189742
|
||||||
|
|
||||||
* Thu Dec 1 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-6
|
* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
|
||||||
- Fix covscan error
|
- Fix NULL dereference during rekeying with algorithm guessing
|
||||||
- Remove unwanted test with yet unimplemented feature
|
GHSL-2023-032 / CVE-2023-1667
|
||||||
- Related: rhbz#2137839, rhbz#2136824
|
- Fix possible authentication bypass
|
||||||
|
GHSL 2023-085 / CVE-2023-2283
|
||||||
|
- Resolves: rhbz#2182251, rhbz#2189742
|
||||||
|
|
||||||
* Thu Dec 01 2022 Stanislav Zidek <szidek@redhat.com> - 0.10.4-5
|
* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
|
||||||
+ libssh-0.10.4-5
|
- Enable client and server testing build time
|
||||||
- Fixed CI configuration due to TMT changes
|
- Fix failing rekey test on arch s390x
|
||||||
|
- Resolves: rhbz#2126342
|
||||||
|
|
||||||
* Wed Nov 30 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-4
|
* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
|
||||||
- Move loglevel closer to openssh loglevel
|
- Fix CI configuration for new TMT
|
||||||
- Add openssh config feature of +,-,^ for algorithm lists
|
- Resolves: rhbz#2149910
|
||||||
- Fix memory leaks of bignum
|
|
||||||
- Prevent multiple expansion of escape characters
|
|
||||||
- Resolves: rhbz#2132407, rhbz#2137839, rhbz#2144795, rhbz#2136824
|
|
||||||
|
|
||||||
* Tue Oct 4 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-3
|
* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
|
||||||
- Enable pkcs11 support
|
- Make VERBOSE and lower log levels less verbose
|
||||||
- Fix broken libsofthsm path on i686
|
- Resolves: rhbz#2091512
|
||||||
- Add missing bugzilla references from the rebase commit
|
|
||||||
- Related: rhbz#2026449
|
|
||||||
- Resolves: rhbz#1977913, rhbz#1975500
|
|
||||||
|
|
||||||
* Tue Sep 27 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
|
* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
|
||||||
- Fix coverity scan issues
|
- Remove STI tests
|
||||||
- Resolves: rhbz#2130126
|
|
||||||
|
|
||||||
* Mon Sep 19 2022 Norbert pocs <npocs@redhat.com> - 0.10.4-1
|
* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
|
||||||
- Rebase to version 0.10.4
|
- Remove bad patch causing errors
|
||||||
- Add pkcs11 support
|
- Adding BuildRequires for openssh (SSHD support)
|
||||||
- Disallow ssh-rsa key in FIPS mode
|
|
||||||
- Fix openssl KDF check at build
|
|
||||||
- ChangeLog was renamed to CHANGELOG
|
|
||||||
- Resolves: rhbz#2068475, rhbz#2026449, rhbz#2004021,
|
|
||||||
rhbz#1977913, rhbz#1975500
|
|
||||||
|
|
||||||
* Fri Nov 12 2021 Stanislav Zidek <szidek@redhat.com> - 0.9.6-3
|
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
||||||
+ libssh-0.9.6-3
|
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
|
||||||
- Disabled gating on osci.brew-build.revdeps.integration
|
rekeying with different key exchange mechanism
|
||||||
Related: rhbz#2022034
|
|
||||||
|
|
||||||
* Thu Nov 11 2021 Stanislav Zidek <szidek@redhat.com> - 0.9.6-2
|
|
||||||
- STI, FMF, and gating fixes
|
|
||||||
Resolves: rhbz#2022034
|
|
||||||
|
|
||||||
* Tue Oct 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
|
||||||
- Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
|
|
||||||
overflow when rekeying
|
|
||||||
- Fix static analyzer issues in rhbz#1938795
|
|
||||||
- Rebase to version 0.9.6
|
- Rebase to version 0.9.6
|
||||||
- Resolves: rhbz#1994607, rhbz#1938795, rhbz#2009669
|
- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
|
||||||
|
- Resolves: rhbz#1896651, rhbz#1994600
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-6
|
* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Revert previous commit as it is incorrect.
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-5
|
* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
|
||||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
|
||||||
Related: rhbz#1971065
|
rekeying with different key exchange mechanism (#1978810)
|
||||||
|
|
||||||
* Tue Apr 27 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
|
* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
|
||||||
- Change crypto-policies from recommends to requires
|
- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
|
||||||
Resolves: rhbz#1947863
|
ssh_buffer_new returns NULL (#1862646)
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-3
|
* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Do not return error when server properly closed the channel (#1849071)
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
|
|
||||||
- Update to version 0.9.5
|
|
||||||
https://www.libssh.org/2020/09/10/libssh-0-9-5/
|
|
||||||
- Removed patch to re-enable algorithms using sha1 in sshd for testing
|
|
||||||
- The algorithms supported by sshd are now automatically detected for testing
|
|
||||||
- Resolves: #1862457 - CVE-2020-16135
|
|
||||||
|
|
||||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
|
|
||||||
- Second attempt - Rebuilt for
|
|
||||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
|
|
||||||
- Do not return error when server properly closed the channel (#1849069)
|
|
||||||
- Add a test for CVE-2019-14889
|
- Add a test for CVE-2019-14889
|
||||||
- Do not parse configuration file in torture_knownhosts test
|
- Do not parse configuration file in torture_knownhosts test
|
||||||
|
|
||||||
* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
|
* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
|
||||||
- Added patch to fix returned version
|
|
||||||
|
|
||||||
* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
|
|
||||||
- Update to version 0.9.4
|
- Update to version 0.9.4
|
||||||
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
|
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
|
||||||
|
- Fixed CVE-2019-14889 (#1781782)
|
||||||
|
- Fixed CVE-2020-1730 (#1802422)
|
||||||
|
- Create missing directories in the path provided for known_hosts files (#1733914)
|
||||||
- Removed inclusion of OpenSSH server configuration file from
|
- Removed inclusion of OpenSSH server configuration file from
|
||||||
libssh_server.config
|
libssh_server.config (#1821339)
|
||||||
- Added patch to re-enable algorithms using sha1 in sshd for testing
|
|
||||||
- resolves: #1822529 - CVE-2020-1730
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
|
* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
|
||||||
|
|
||||||
* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
|
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
|
||||||
- Update to version 0.9.3
|
|
||||||
- resolves: #1781780 - Fixes CVE-2019-14889
|
|
||||||
|
|
||||||
* Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
|
|
||||||
- Upate to version 0.9.2
|
|
||||||
- resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
|
|
||||||
- Add Obsoletes in libssh-config to avoid conflict with old libssh which
|
- Add Obsoletes in libssh-config to avoid conflict with old libssh which
|
||||||
installed the configuration files.
|
installed the configuration files.
|
||||||
|
|
||||||
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
|
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
|
||||||
- Eliminate circular dependency with libssh-config subpackage
|
- Eliminate circular dependency with libssh-config subpackage
|
||||||
|
|
||||||
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
|
* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
|
||||||
- Provide the configuration files in a separate libssh-config subpackage
|
|
||||||
|
|
||||||
* Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
|
|
||||||
- Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
|
|
||||||
|
|
||||||
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
|
|
||||||
- Fixed Release number to released format
|
|
||||||
|
|
||||||
* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
|
|
||||||
- Update to version 0.9.0
|
- Update to version 0.9.0
|
||||||
https://www.libssh.org/2019/06/28/libssh-0-9-0/
|
https://www.libssh.org/2019/06/28/libssh-0-9-0/
|
||||||
|
- Added explicit Requires for crypto-policies
|
||||||
|
- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
|
||||||
|
- Provide the configuration files in a separate libssh-config subpackage
|
||||||
|
|
||||||
* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
|
* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
|
||||||
- Update to 0.9.0 pre release version (0.8.91)
|
- Update to 0.9.0 pre release version (0.8.91)
|
||||||
- Added default configuration files for client and server
|
- Added default configuration files for client and server
|
||||||
- Follow system-wide crypto configuration (crypto-policies)
|
- Removed unused patch files left behind
|
||||||
- Added Recommends for crypto-policies
|
- Fixed issues found to run upstream test suite with SELinux
|
||||||
- Use OpenSSL implementation for KDF, DH, and signatures.
|
|
||||||
- Detect FIPS mode and use only allowed algorithms
|
|
||||||
- Run client and server tests during build
|
|
||||||
|
|
||||||
* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
|
* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
|
||||||
- Update to version 0.8.7
|
- Fix more regressions introduced by the fixes for CVE-2018-10933
|
||||||
https://www.libssh.org/2019/02/25/libssh-0-8-7/
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
|
* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
|
|
||||||
- Fix rsa-sha2 extension handling (#1666342)
|
|
||||||
|
|
||||||
* Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
|
|
||||||
- Update to version 0.8.6
|
|
||||||
https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
|
|
||||||
|
|
||||||
* Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
|
|
||||||
- Update to version 0.8.5
|
- Update to version 0.8.5
|
||||||
https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
|
* Fixed an issue where global known_hosts file was ignored (#1649321)
|
||||||
|
* Fixed ssh_get_fd() to return writable file descriptor (#1649319)
|
||||||
|
* Fixed regression introduced in known_hosts parsing (#1649315)
|
||||||
|
* Fixed a regression which caused only the first algorithm in known_hosts to
|
||||||
|
be considered (#1638790)
|
||||||
|
|
||||||
* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
|
* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
|
||||||
- Update to version 0.8.4
|
- Fix regressions introduced by the fixes for CVE-2018-10933
|
||||||
https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
|
|
||||||
- Fixes CVE-2018-10933
|
|
||||||
|
|
||||||
* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
|
* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
|
||||||
- Fixed errors found by static code analysis
|
- Fix for authentication bypass issue in server implementation (#1639926)
|
||||||
|
|
||||||
* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
|
* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
|
||||||
- Add missing libssh_threads.so link to libssh-devel package
|
- Fixed errors found by static code analysis (#1602594)
|
||||||
|
|
||||||
* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
|
* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
|
||||||
- Update to version 0.8.3
|
- Update to version 0.8.3
|
||||||
https://www.libssh.org/2018/09/21/libssh-0-8-3/
|
* Added support for rsa-sha2 (#1610882)
|
||||||
|
* Added support to parse private keys in openssh container format (other than
|
||||||
|
ed25519) (#1622983)
|
||||||
|
* Added support for diffie-hellman-group18-sha512 and
|
||||||
|
diffie-hellman-group16-sha512 (#1610885)
|
||||||
|
* Added ssh_get_fingerprint_hash()
|
||||||
|
* Added ssh_pki_export_privkey_base64()
|
||||||
|
* Added support for Match keyword in config file
|
||||||
|
* Improved performance and reduced memory footprint for sftp
|
||||||
|
* Fixed ecdsa publickey auth
|
||||||
|
* Fixed reading a closed channel
|
||||||
|
* Added support to announce posix-rename@openssh.com and hardlink@openssh.com
|
||||||
|
in the sftp server
|
||||||
|
* Use -fstack-protector-strong if possible (#1624135)
|
||||||
|
|
||||||
* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
|
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
|
||||||
- Update to version 0.8.2
|
- Fix the creation of symbolic links for libssh_threads.so.4
|
||||||
https://www.libssh.org/2018/08/30/libssh-0-8-2
|
|
||||||
|
|
||||||
* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
|
* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
|
||||||
- Fix link creation or RPM doesn't install it
|
- Add missing Provides for libssh_threads.so.4
|
||||||
|
|
||||||
* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
|
* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
|
||||||
- Add missing so version for libssh_threads.so.4
|
|
||||||
|
|
||||||
* Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
|
|
||||||
- Add Provides for libssh_threads.so to unbreak applications
|
- Add Provides for libssh_threads.so to unbreak applications
|
||||||
|
- Fix ABIMap detection to not depend on python to build
|
||||||
|
|
||||||
* Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
|
* Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
|
||||||
- Update to version 0.8.1
|
- Update to version 0.8.1
|
||||||
https://www.libssh.org/2018/08/13/libssh-0-8-1
|
https://www.libssh.org/2018/08/13/libssh-0-8-1/
|
||||||
- resolves: #1615248 - pkg-config --modversion
|
|
||||||
- resolves: #1615132 - library initialization
|
|
||||||
|
|
||||||
* Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
|
* Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
|
||||||
- Update to version 0.8.0
|
- Update to version 0.8.0
|
||||||
@ -387,6 +323,7 @@ popd
|
|||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
- Related: bug#1614611
|
||||||
|
|
||||||
* Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
|
* Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
|
||||||
- resolves: #1540021 - Build against OpenSSL 1.1
|
- resolves: #1540021 - Build against OpenSSL 1.1
|
16
ci.fmf
16
ci.fmf
@ -1,16 +0,0 @@
|
|||||||
summary: Upstreamed tier tests
|
|
||||||
discover:
|
|
||||||
# upstreamed tests (public)
|
|
||||||
- how: fmf
|
|
||||||
url: https://gitlab.com/redhat-crypto/tests/libssh.git
|
|
||||||
filter: 'tier: 0,1,2,3'
|
|
||||||
execute:
|
|
||||||
how: tmt
|
|
||||||
adjust:
|
|
||||||
# discover step adjustments
|
|
||||||
- when: distro = rhel
|
|
||||||
discover+:
|
|
||||||
# internal tests
|
|
||||||
- how: fmf
|
|
||||||
url: git://pkgs.devel.redhat.com/tests/libssh
|
|
||||||
filter: 'tier: 0,1,2,3'
|
|
@ -1,23 +0,0 @@
|
|||||||
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
|
||||||
index a847c6a2..1eb94307 100644
|
|
||||||
--- a/src/dh_crypto.c
|
|
||||||
+++ b/src/dh_crypto.c
|
|
||||||
@@ -341,8 +341,16 @@ int ssh_dh_set_parameters(struct dh_ctx *ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
|
||||||
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
params = OSSL_PARAM_BLD_to_param(param_bld);
|
|
||||||
if (params == NULL) {
|
|
||||||
OSSL_PARAM_BLD_free(param_bld);
|
|
@ -1,57 +0,0 @@
|
|||||||
File ../libssh-0.10.4/.git is a regular file while file ./.git is a directory
|
|
||||||
diff --color -ru ../libssh-0.10.4/src/sftp.c ./src/sftp.c
|
|
||||||
--- ../libssh-0.10.4/src/sftp.c 2023-05-22 12:45:48.383509085 +0200
|
|
||||||
+++ ./src/sftp.c 2023-05-22 12:54:31.004037650 +0200
|
|
||||||
@@ -1755,6 +1755,10 @@
|
|
||||||
int sftp_close(sftp_file file){
|
|
||||||
int err = SSH_NO_ERROR;
|
|
||||||
|
|
||||||
+ if (file == NULL) {
|
|
||||||
+ return err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
SAFE_FREE(file->name);
|
|
||||||
if (file->handle){
|
|
||||||
err = sftp_handle_close(file->sftp,file->handle);
|
|
||||||
@@ -1917,7 +1921,7 @@
|
|
||||||
|
|
||||||
/* Read from a file using an opened sftp file handle. */
|
|
||||||
ssize_t sftp_read(sftp_file handle, void *buf, size_t count) {
|
|
||||||
- sftp_session sftp = handle->sftp;
|
|
||||||
+ sftp_session sftp;
|
|
||||||
sftp_message msg = NULL;
|
|
||||||
sftp_status_message status;
|
|
||||||
ssh_string datastring;
|
|
||||||
@@ -1926,6 +1930,11 @@
|
|
||||||
uint32_t id;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
+ if (handle == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ sftp = handle->sftp;
|
|
||||||
+
|
|
||||||
if (handle->eof) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -2147,7 +2156,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
ssize_t sftp_write(sftp_file file, const void *buf, size_t count) {
|
|
||||||
- sftp_session sftp = file->sftp;
|
|
||||||
+ sftp_session sftp;
|
|
||||||
sftp_message msg = NULL;
|
|
||||||
sftp_status_message status;
|
|
||||||
ssh_buffer buffer;
|
|
||||||
@@ -2156,6 +2165,11 @@
|
|
||||||
size_t packetlen;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
+ if (file == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ sftp = file->sftp;
|
|
||||||
+
|
|
||||||
buffer = ssh_buffer_new();
|
|
||||||
if (buffer == NULL) {
|
|
||||||
ssh_set_error_oom(sftp->session);
|
|
@ -1,105 +0,0 @@
|
|||||||
diff --git a/src/kex.c b/src/kex.c
|
|
||||||
index 1155b9c7..528cb182 100644
|
|
||||||
--- a/src/kex.c
|
|
||||||
+++ b/src/kex.c
|
|
||||||
@@ -101,12 +101,19 @@
|
|
||||||
|
|
||||||
#ifdef HAVE_ECDH
|
|
||||||
#define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
|
|
||||||
-#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
|
|
||||||
-#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
|
||||||
+#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
|
|
||||||
+ "ecdsa-sha2-nistp384," \
|
|
||||||
+ "ecdsa-sha2-nistp256,"
|
|
||||||
+#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
|
|
||||||
+#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
|
||||||
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
|
||||||
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
|
||||||
+#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
|
||||||
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
|
||||||
#else
|
|
||||||
#define EC_HOSTKEYS ""
|
|
||||||
+#define EC_SK_HOSTKEYS ""
|
|
||||||
+#define EC_FIPS_PUBLIC_KEY_ALGOS ""
|
|
||||||
#define EC_PUBLIC_KEY_ALGORITHMS ""
|
|
||||||
#define ECDH ""
|
|
||||||
#endif /* HAVE_ECDH */
|
|
||||||
@@ -127,16 +134,21 @@
|
|
||||||
|
|
||||||
#define HOSTKEYS "ssh-ed25519," \
|
|
||||||
EC_HOSTKEYS \
|
|
||||||
+ "sk-ssh-ed25519@openssh.com," \
|
|
||||||
+ EC_SK_HOSTKEYS \
|
|
||||||
"rsa-sha2-512," \
|
|
||||||
"rsa-sha2-256," \
|
|
||||||
"ssh-rsa" \
|
|
||||||
DSA_HOSTKEYS
|
|
||||||
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
|
|
||||||
EC_HOSTKEYS \
|
|
||||||
+ "sk-ssh-ed25519@openssh.com," \
|
|
||||||
+ EC_SK_HOSTKEYS \
|
|
||||||
"rsa-sha2-512," \
|
|
||||||
"rsa-sha2-256"
|
|
||||||
|
|
||||||
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
|
|
||||||
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
|
|
||||||
EC_PUBLIC_KEY_ALGORITHMS \
|
|
||||||
"rsa-sha2-512-cert-v01@openssh.com," \
|
|
||||||
"rsa-sha2-256-cert-v01@openssh.com," \
|
|
||||||
@@ -186,7 +198,7 @@
|
|
||||||
"rsa-sha2-512," \
|
|
||||||
"rsa-sha2-256"
|
|
||||||
|
|
||||||
-#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
|
|
||||||
+#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
|
||||||
"rsa-sha2-512-cert-v01@openssh.com," \
|
|
||||||
"rsa-sha2-256-cert-v01@openssh.com," \
|
|
||||||
FIPS_ALLOWED_HOSTKEYS
|
|
||||||
diff --git a/src/knownhosts.c b/src/knownhosts.c
|
|
||||||
index 1f52dedc..94618fe2 100644
|
|
||||||
--- a/src/knownhosts.c
|
|
||||||
+++ b/src/knownhosts.c
|
|
||||||
@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
|
||||||
return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
|
|
||||||
case SSH_KEYTYPE_ED25519:
|
|
||||||
return "ssh-ed25519";
|
|
||||||
+ case SSH_KEYTYPE_SK_ED25519:
|
|
||||||
+ return "sk-ssh-ed25519@openssh.com";
|
|
||||||
#ifdef HAVE_DSA
|
|
||||||
case SSH_KEYTYPE_DSS:
|
|
||||||
return "ssh-dss";
|
|
||||||
@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
|
||||||
return "ecdsa-sha2-nistp384";
|
|
||||||
case SSH_KEYTYPE_ECDSA_P521:
|
|
||||||
return "ecdsa-sha2-nistp521";
|
|
||||||
+ case SSH_KEYTYPE_SK_ECDSA:
|
|
||||||
+ return "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
||||||
#else
|
|
||||||
case SSH_KEYTYPE_ECDSA_P256:
|
|
||||||
case SSH_KEYTYPE_ECDSA_P384:
|
|
||||||
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
|
|
||||||
index fffa8296..7fd21f05 100644
|
|
||||||
--- a/tests/unittests/torture_knownhosts_parsing.c
|
|
||||||
+++ b/tests/unittests/torture_knownhosts_parsing.c
|
|
||||||
@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
|
|
||||||
bool process_config = false;
|
|
||||||
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
|
||||||
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
|
||||||
- "ecdsa-sha2-nistp256";
|
|
||||||
+ "ecdsa-sha2-nistp256,"
|
|
||||||
+ "sk-ssh-ed25519@openssh.com,"
|
|
||||||
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
||||||
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
|
||||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
|
||||||
|
|
||||||
@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
|
|
||||||
bool process_config = false;
|
|
||||||
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
|
||||||
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
|
||||||
- "ecdsa-sha2-nistp256";
|
|
||||||
+ "ecdsa-sha2-nistp256,"
|
|
||||||
+ "sk-ssh-ed25519@openssh.com,"
|
|
||||||
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
|
||||||
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
|
||||||
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
|
||||||
|
|
@ -1,94 +0,0 @@
|
|||||||
From bccb8513fa4a836aef0519d65eb33bb212606fe1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Thomas Baag <libssh-git@spam.b2ag.de>
|
|
||||||
Date: Wed, 21 Sep 2022 20:55:27 +0200
|
|
||||||
Subject: [PATCH] config: Escape brackets in ProxyCommand build from ProxyJump
|
|
||||||
|
|
||||||
Missing escaping results in syntax errors in Zsh shell because of square
|
|
||||||
brackets getting interpreted as being a pattern for globbing.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Baag <libssh-git@spam.b2ag.de>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
src/config.c | 2 +-
|
|
||||||
tests/unittests/torture_config.c | 14 +++++++-------
|
|
||||||
2 files changed, 8 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/config.c b/src/config.c
|
|
||||||
index c048418ec..308928429 100644
|
|
||||||
--- a/src/config.c
|
|
||||||
+++ b/src/config.c
|
|
||||||
@@ -491,7 +491,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
|
||||||
if (hostname != NULL && do_parsing) {
|
|
||||||
char com[512] = {0};
|
|
||||||
|
|
||||||
- rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
|
|
||||||
+ rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W '[%%h]:%%p' %s",
|
|
||||||
username ? " -l " : "",
|
|
||||||
username ? username : "",
|
|
||||||
port ? " -p " : "",
|
|
||||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
|
||||||
index 31dadae37..5ff20c99a 100644
|
|
||||||
--- a/tests/unittests/torture_config.c
|
|
||||||
+++ b/tests/unittests/torture_config.c
|
|
||||||
@@ -649,7 +649,7 @@ static void torture_config_unknown(void **state,
|
|
||||||
/* test corner cases */
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -W [%h]:%p many-spaces.com");
|
|
||||||
+ "ssh -W '[%h]:%p' many-spaces.com");
|
|
||||||
assert_string_equal(session->opts.host, "equal.sign");
|
|
||||||
|
|
||||||
ret = ssh_config_parse_file(session, "/etc/ssh/ssh_config");
|
|
||||||
@@ -945,28 +945,28 @@ static void torture_config_proxyjump(void **state,
|
|
||||||
torture_reset_config(session);
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
- assert_string_equal(session->opts.ProxyCommand, "ssh -W [%h]:%p jumpbox");
|
|
||||||
+ assert_string_equal(session->opts.ProxyCommand, "ssh -W '[%h]:%p' jumpbox");
|
|
||||||
|
|
||||||
/* With username */
|
|
||||||
torture_reset_config(session);
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "user");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -l user -W [%h]:%p jumpbox");
|
|
||||||
+ "ssh -l user -W '[%h]:%p' jumpbox");
|
|
||||||
|
|
||||||
/* With port */
|
|
||||||
torture_reset_config(session);
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "port");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -p 2222 -W [%h]:%p jumpbox");
|
|
||||||
+ "ssh -p 2222 -W '[%h]:%p' jumpbox");
|
|
||||||
|
|
||||||
/* Two step jump */
|
|
||||||
torture_reset_config(session);
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "two-step");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -l u1 -p 222 -J u2@second:33 -W [%h]:%p first");
|
|
||||||
+ "ssh -l u1 -p 222 -J u2@second:33 -W '[%h]:%p' first");
|
|
||||||
|
|
||||||
/* none */
|
|
||||||
torture_reset_config(session);
|
|
||||||
@@ -985,14 +985,14 @@ static void torture_config_proxyjump(void **state,
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "only-jump");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -W [%h]:%p jumpbox");
|
|
||||||
+ "ssh -W '[%h]:%p' jumpbox");
|
|
||||||
|
|
||||||
/* IPv6 address */
|
|
||||||
torture_reset_config(session);
|
|
||||||
ssh_options_set(session, SSH_OPTIONS_HOST, "ipv6");
|
|
||||||
_parse_config(session, file, string, SSH_OK);
|
|
||||||
assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
- "ssh -W [%h]:%p 2620:52:0::fed");
|
|
||||||
+ "ssh -W '[%h]:%p' 2620:52:0::fed");
|
|
||||||
|
|
||||||
/* Multiple @ is allowed in second jump */
|
|
||||||
config = "Host allowed-hostname\n"
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
25
gating.yaml
25
gating.yaml
@ -1,25 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- fedora-*
|
|
||||||
decision_context: bodhi_update_push_testing
|
|
||||||
subject_type: koji_build
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
|
||||||
|
|
||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- fedora-*
|
|
||||||
decision_context: bodhi_update_push_stable
|
|
||||||
subject_type: koji_build
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
|
||||||
|
|
||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-9
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
|
BIN
libssh.keyring
BIN
libssh.keyring
Binary file not shown.
@ -1,514 +0,0 @@
|
|||||||
From 8795d8912c8a83aaf900c0260e252a35f64eb200 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Fri, 18 Nov 2022 17:22:46 +0100
|
|
||||||
Subject: [PATCH] Fix memory leaks of bignums when openssl >= 3.0
|
|
||||||
|
|
||||||
The openssl 3.0 support has introduced some memory leaks at key build as
|
|
||||||
OSSL_PARAM_BLD_push_BN duplicates the bignum and does not save the pointer
|
|
||||||
itself.
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
include/libssh/dh.h | 2 +-
|
|
||||||
src/dh_crypto.c | 28 ++---
|
|
||||||
src/pki_crypto.c | 262 ++++++++++++++++++++++++--------------------
|
|
||||||
3 files changed, 151 insertions(+), 141 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/libssh/dh.h b/include/libssh/dh.h
|
|
||||||
index 353dc233..9b9bb472 100644
|
|
||||||
--- a/include/libssh/dh.h
|
|
||||||
+++ b/include/libssh/dh.h
|
|
||||||
@@ -53,7 +53,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
bignum *priv, bignum *pub);
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
- const bignum priv, const bignum pub);
|
|
||||||
+ bignum priv, bignum pub);
|
|
||||||
|
|
||||||
int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
|
|
||||||
bignum *dest);
|
|
||||||
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
|
||||||
index a847c6a2..b578ddec 100644
|
|
||||||
--- a/src/dh_crypto.c
|
|
||||||
+++ b/src/dh_crypto.c
|
|
||||||
@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
- const bignum priv, const bignum pub)
|
|
||||||
+ bignum priv, bignum pub)
|
|
||||||
{
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
- bignum priv_key = NULL;
|
|
||||||
- bignum pub_key = NULL;
|
|
||||||
-#else
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
int rc;
|
|
||||||
OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
|
|
||||||
OSSL_PARAM_BLD *param_bld = NULL;
|
|
||||||
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
+ (void)DH_set0_key(ctx->keypair[peer], pub, priv);
|
|
||||||
+
|
|
||||||
+ return SSH_OK;
|
|
||||||
+#else
|
|
||||||
rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
|
|
||||||
if (rc != 1) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
rc = SSH_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
if (priv) {
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
- priv_key = priv;
|
|
||||||
-#else
|
|
||||||
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
|
|
||||||
if (rc != 1) {
|
|
||||||
rc = SSH_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
if (pub) {
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
- pub_key = pub;
|
|
||||||
-#else
|
|
||||||
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
|
|
||||||
if (rc != 1) {
|
|
||||||
rc = SSH_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
- (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
|
|
||||||
|
|
||||||
- return SSH_OK;
|
|
||||||
-#else
|
|
||||||
params = OSSL_PARAM_BLD_to_param(param_bld);
|
|
||||||
if (params == NULL) {
|
|
||||||
rc = SSH_ERROR;
|
|
||||||
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
|
||||||
|
|
||||||
rc = SSH_OK;
|
|
||||||
out:
|
|
||||||
+ bignum_safe_free(priv);
|
|
||||||
+ bignum_safe_free(pub);
|
|
||||||
EVP_PKEY_CTX_free(evp_ctx);
|
|
||||||
OSSL_PARAM_free(out_params);
|
|
||||||
OSSL_PARAM_free(params);
|
|
||||||
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
|
|
||||||
index 0a5003da..d3359e2d 100644
|
|
||||||
--- a/src/pki_crypto.c
|
|
||||||
+++ b/src/pki_crypto.c
|
|
||||||
@@ -1492,18 +1492,18 @@ int pki_privkey_build_dss(ssh_key key,
|
|
||||||
ssh_string privkey)
|
|
||||||
{
|
|
||||||
int rc;
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
+ if (param_bld == NULL) {
|
|
||||||
+ return SSH_ERROR;
|
|
||||||
+ }
|
|
||||||
#else
|
|
||||||
- const BIGNUM *pb, *qb, *gb, *pubb, *privb;
|
|
||||||
- OSSL_PARAM_BLD *param_bld;
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
-
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
key->dsa = DSA_new();
|
|
||||||
if (key->dsa == NULL) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
bp = ssh_make_string_bn(p);
|
|
||||||
bq = ssh_make_string_bn(q);
|
|
||||||
@@ -1512,9 +1512,11 @@ int pki_privkey_build_dss(ssh_key key,
|
|
||||||
bpriv_key = ssh_make_string_bn(privkey);
|
|
||||||
if (bp == NULL || bq == NULL ||
|
|
||||||
bg == NULL || bpub_key == NULL) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
/* Memory management of bp, qq and bg is transferred to DSA object */
|
|
||||||
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
|
||||||
if (rc == 0) {
|
|
||||||
@@ -1532,39 +1534,43 @@ fail:
|
|
||||||
DSA_free(key->dsa);
|
|
||||||
return SSH_ERROR;
|
|
||||||
#else
|
|
||||||
- param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
- if (param_bld == NULL)
|
|
||||||
- goto err;
|
|
||||||
-
|
|
||||||
- pb = ssh_make_string_bn(p);
|
|
||||||
- qb = ssh_make_string_bn(q);
|
|
||||||
- gb = ssh_make_string_bn(g);
|
|
||||||
- pubb = ssh_make_string_bn(pubkey);
|
|
||||||
- privb = ssh_make_string_bn(privkey);
|
|
||||||
-
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
|
||||||
+
|
|
||||||
+fail:
|
|
||||||
OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
+ bignum_safe_free(bp);
|
|
||||||
+ bignum_safe_free(bq);
|
|
||||||
+ bignum_safe_free(bg);
|
|
||||||
+ bignum_safe_free(bpub_key);
|
|
||||||
+ bignum_safe_free(bpriv_key);
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
-err:
|
|
||||||
- OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
- return -1;
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1574,18 +1580,18 @@ int pki_pubkey_build_dss(ssh_key key,
|
|
||||||
ssh_string g,
|
|
||||||
ssh_string pubkey) {
|
|
||||||
int rc;
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
+ if (param_bld == NULL) {
|
|
||||||
+ return SSH_ERROR;
|
|
||||||
+ }
|
|
||||||
#else
|
|
||||||
- const BIGNUM *pb, *qb, *gb, *pubb;
|
|
||||||
- OSSL_PARAM_BLD *param_bld;
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
-
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
key->dsa = DSA_new();
|
|
||||||
if (key->dsa == NULL) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
bp = ssh_make_string_bn(p);
|
|
||||||
bq = ssh_make_string_bn(q);
|
|
||||||
@@ -1593,9 +1599,11 @@ int pki_pubkey_build_dss(ssh_key key,
|
|
||||||
bpub_key = ssh_make_string_bn(pubkey);
|
|
||||||
if (bp == NULL || bq == NULL ||
|
|
||||||
bg == NULL || bpub_key == NULL) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
/* Memory management of bp, bq and bg is transferred to DSA object */
|
|
||||||
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
|
||||||
if (rc == 0) {
|
|
||||||
@@ -1613,35 +1621,37 @@ fail:
|
|
||||||
DSA_free(key->dsa);
|
|
||||||
return SSH_ERROR;
|
|
||||||
#else
|
|
||||||
- param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
- if (param_bld == NULL)
|
|
||||||
- goto err;
|
|
||||||
-
|
|
||||||
- pb = ssh_make_string_bn(p);
|
|
||||||
- qb = ssh_make_string_bn(q);
|
|
||||||
- gb = ssh_make_string_bn(g);
|
|
||||||
- pubb = ssh_make_string_bn(pubkey);
|
|
||||||
-
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
|
||||||
+
|
|
||||||
+fail:
|
|
||||||
OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
+ bignum_safe_free(bp);
|
|
||||||
+ bignum_safe_free(bq);
|
|
||||||
+ bignum_safe_free(bg);
|
|
||||||
+ bignum_safe_free(bpub_key);
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
-err:
|
|
||||||
- OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
- return -1;
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1654,18 +1664,18 @@ int pki_privkey_build_rsa(ssh_key key,
|
|
||||||
ssh_string q)
|
|
||||||
{
|
|
||||||
int rc;
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
BIGNUM *be, *bn, *bd/*, *biqmp*/, *bp, *bq;
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
+ if (param_bld == NULL) {
|
|
||||||
+ return SSH_ERROR;
|
|
||||||
+ }
|
|
||||||
#else
|
|
||||||
- const BIGNUM *nb, *eb, *db, *pb, *qb;
|
|
||||||
- OSSL_PARAM_BLD *param_bld;
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
-
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
key->rsa = RSA_new();
|
|
||||||
if (key->rsa == NULL) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
bn = ssh_make_string_bn(n);
|
|
||||||
be = ssh_make_string_bn(e);
|
|
||||||
@@ -1675,9 +1685,11 @@ int pki_privkey_build_rsa(ssh_key key,
|
|
||||||
bq = ssh_make_string_bn(q);
|
|
||||||
if (be == NULL || bn == NULL || bd == NULL ||
|
|
||||||
/*biqmp == NULL ||*/ bp == NULL || bq == NULL) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
/* Memory management of be, bn and bd is transferred to RSA object */
|
|
||||||
rc = RSA_set0_key(key->rsa, bn, be, bd);
|
|
||||||
if (rc == 0) {
|
|
||||||
@@ -1702,41 +1714,49 @@ fail:
|
|
||||||
RSA_free(key->rsa);
|
|
||||||
return SSH_ERROR;
|
|
||||||
#else
|
|
||||||
- param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
- if (param_bld == NULL)
|
|
||||||
- goto err;
|
|
||||||
-
|
|
||||||
- nb = ssh_make_string_bn(n);
|
|
||||||
- eb = ssh_make_string_bn(e);
|
|
||||||
- db = ssh_make_string_bn(d);
|
|
||||||
- pb = ssh_make_string_bn(p);
|
|
||||||
- qb = ssh_make_string_bn(q);
|
|
||||||
-
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, db);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, bd);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
|
||||||
- OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, pb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, qb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- return rc;
|
|
||||||
-err:
|
|
||||||
+fail:
|
|
||||||
OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
- return -1;
|
|
||||||
+ bignum_safe_free(bn);
|
|
||||||
+ bignum_safe_free(be);
|
|
||||||
+ bignum_safe_free(bd);
|
|
||||||
+ bignum_safe_free(bp);
|
|
||||||
+ bignum_safe_free(bq);
|
|
||||||
+
|
|
||||||
+ return rc;
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1744,25 +1764,27 @@ int pki_pubkey_build_rsa(ssh_key key,
|
|
||||||
ssh_string e,
|
|
||||||
ssh_string n) {
|
|
||||||
int rc;
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
BIGNUM *be = NULL, *bn = NULL;
|
|
||||||
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
||||||
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
+ if (param_bld == NULL) {
|
|
||||||
+ return SSH_ERROR;
|
|
||||||
+ }
|
|
||||||
#else
|
|
||||||
- const BIGNUM *eb, *nb;
|
|
||||||
- OSSL_PARAM_BLD *param_bld;
|
|
||||||
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
-
|
|
||||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
key->rsa = RSA_new();
|
|
||||||
if (key->rsa == NULL) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
|
|
||||||
be = ssh_make_string_bn(e);
|
|
||||||
bn = ssh_make_string_bn(n);
|
|
||||||
if (be == NULL || bn == NULL) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
||||||
/* Memory management of bn and be is transferred to RSA object */
|
|
||||||
rc = RSA_set0_key(key->rsa, bn, be, NULL);
|
|
||||||
if (rc == 0) {
|
|
||||||
@@ -1774,27 +1796,25 @@ fail:
|
|
||||||
RSA_free(key->rsa);
|
|
||||||
return SSH_ERROR;
|
|
||||||
#else
|
|
||||||
- nb = ssh_make_string_bn(n);
|
|
||||||
- eb = ssh_make_string_bn(e);
|
|
||||||
-
|
|
||||||
- param_bld = OSSL_PARAM_BLD_new();
|
|
||||||
- if (param_bld == NULL)
|
|
||||||
- goto err;
|
|
||||||
-
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
|
||||||
- if (rc != 1)
|
|
||||||
- goto err;
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
|
||||||
+ if (rc != 1) {
|
|
||||||
+ rc = SSH_ERROR;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
|
||||||
+
|
|
||||||
+fail:
|
|
||||||
OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
+ bignum_safe_free(bn);
|
|
||||||
+ bignum_safe_free(be);
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
-err:
|
|
||||||
- OSSL_PARAM_BLD_free(param_bld);
|
|
||||||
- return -1;
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,842 +0,0 @@
|
|||||||
From 11c0d687a081fe64501e21c95def7f893611d029 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Wed, 16 Nov 2022 10:40:38 +0100
|
|
||||||
Subject: [PATCH 1/5] Add a placehohlder for non-expanded identities
|
|
||||||
|
|
||||||
Expanding a string twice could lead to unwanted behaviour.
|
|
||||||
This solution creates a ssh_list (`opts.identites_non_exp`) to store the strings
|
|
||||||
before expansion and by using ssh_apply it moves the string to the
|
|
||||||
`opts.identities`. This way the expanded strings are separated.
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
include/libssh/session.h | 1 +
|
|
||||||
src/options.c | 86 +++++++++++++++++++++++++---------------
|
|
||||||
src/session.c | 23 +++++++++--
|
|
||||||
3 files changed, 75 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
|
||||||
index d3e5787c..e22b0d67 100644
|
|
||||||
--- a/include/libssh/session.h
|
|
||||||
+++ b/include/libssh/session.h
|
|
||||||
@@ -209,6 +209,7 @@ struct ssh_session_struct {
|
|
||||||
#endif
|
|
||||||
struct {
|
|
||||||
struct ssh_list *identity;
|
|
||||||
+ struct ssh_list *identity_non_exp;
|
|
||||||
char *username;
|
|
||||||
char *host;
|
|
||||||
char *bindaddr; /* bind the client to an ip addr */
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
|
||||||
index 56e09c65..bb085384 100644
|
|
||||||
--- a/src/options.c
|
|
||||||
+++ b/src/options.c
|
|
||||||
@@ -52,7 +52,7 @@
|
|
||||||
* @brief Duplicate the options of a session structure.
|
|
||||||
*
|
|
||||||
* If you make several sessions with the same options this is useful. You
|
|
||||||
- * cannot use twice the same option structure in ssh_session_connect.
|
|
||||||
+ * cannot use twice the same option structure in ssh_connect.
|
|
||||||
*
|
|
||||||
* @param src The session to use to copy the options.
|
|
||||||
*
|
|
||||||
@@ -61,13 +61,14 @@
|
|
||||||
*
|
|
||||||
* @returns 0 on success, -1 on error with errno set.
|
|
||||||
*
|
|
||||||
- * @see ssh_session_connect()
|
|
||||||
+ * @see ssh_connect()
|
|
||||||
* @see ssh_free()
|
|
||||||
*/
|
|
||||||
int ssh_options_copy(ssh_session src, ssh_session *dest)
|
|
||||||
{
|
|
||||||
ssh_session new;
|
|
||||||
struct ssh_iterator *it = NULL;
|
|
||||||
+ struct ssh_list *list = NULL;
|
|
||||||
char *id = NULL;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
@@ -105,14 +106,15 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Remove the default identities */
|
|
||||||
- for (id = ssh_list_pop_head(char *, new->opts.identity);
|
|
||||||
+ for (id = ssh_list_pop_head(char *, new->opts.identity_non_exp);
|
|
||||||
id != NULL;
|
|
||||||
- id = ssh_list_pop_head(char *, new->opts.identity)) {
|
|
||||||
+ id = ssh_list_pop_head(char *, new->opts.identity_non_exp)) {
|
|
||||||
SAFE_FREE(id);
|
|
||||||
}
|
|
||||||
/* Copy the new identities from the source list */
|
|
||||||
- if (src->opts.identity != NULL) {
|
|
||||||
- it = ssh_list_get_iterator(src->opts.identity);
|
|
||||||
+ list = new->opts.identity_non_exp;
|
|
||||||
+ it = ssh_list_get_iterator(src->opts.identity_non_exp);
|
|
||||||
+ for (i = 0; i < 2; i++) {
|
|
||||||
while (it) {
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
@@ -122,7 +124,7 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ssh_list_append(new->opts.identity, id);
|
|
||||||
+ rc = ssh_list_append(list, id);
|
|
||||||
if (rc < 0) {
|
|
||||||
free(id);
|
|
||||||
ssh_free(new);
|
|
||||||
@@ -130,6 +132,10 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
|
||||||
}
|
|
||||||
it = it->next;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* copy the identity list if there is any already */
|
|
||||||
+ list = new->opts.identity;
|
|
||||||
+ it = ssh_list_get_iterator(src->opts.identity);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (src->opts.sshdir != NULL) {
|
|
||||||
@@ -331,7 +337,7 @@ int ssh_options_set_algo(ssh_session session,
|
|
||||||
* Add a new identity file (const char *, format string) to
|
|
||||||
* the identity list.\n
|
|
||||||
* \n
|
|
||||||
- * By default identity, id_dsa and id_rsa are checked.\n
|
|
||||||
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.\n
|
|
||||||
* \n
|
|
||||||
* The identity used to authenticate with public key will be
|
|
||||||
* prepended to the list.
|
|
||||||
@@ -700,7 +706,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
|
||||||
if (q == NULL) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- rc = ssh_list_prepend(session->opts.identity, q);
|
|
||||||
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
|
||||||
+ rc = ssh_list_append(session->opts.identity_non_exp, q);
|
|
||||||
+ } else {
|
|
||||||
+ rc = ssh_list_prepend(session->opts.identity_non_exp, q);
|
|
||||||
+ }
|
|
||||||
if (rc < 0) {
|
|
||||||
free(q);
|
|
||||||
return -1;
|
|
||||||
@@ -1202,7 +1212,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) {
|
|
||||||
* - SSH_OPTIONS_IDENTITY:
|
|
||||||
* Get the first identity file name (const char *).\n
|
|
||||||
* \n
|
|
||||||
- * By default identity, id_dsa and id_rsa are checked.
|
|
||||||
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.
|
|
||||||
*
|
|
||||||
* - SSH_OPTIONS_PROXYCOMMAND:
|
|
||||||
* Get the proxycommand necessary to log into the
|
|
||||||
@@ -1246,7 +1256,11 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
case SSH_OPTIONS_IDENTITY: {
|
|
||||||
- struct ssh_iterator *it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ struct ssh_iterator *it;
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ if (it == NULL) {
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
|
||||||
+ }
|
|
||||||
if (it == NULL) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
@@ -1541,7 +1555,6 @@ out:
|
|
||||||
|
|
||||||
int ssh_options_apply(ssh_session session)
|
|
||||||
{
|
|
||||||
- struct ssh_iterator *it;
|
|
||||||
char *tmp;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
@@ -1586,15 +1599,17 @@ int ssh_options_apply(ssh_session session)
|
|
||||||
size_t plen = strlen(session->opts.ProxyCommand) +
|
|
||||||
5 /* strlen("exec ") */;
|
|
||||||
|
|
||||||
- p = malloc(plen + 1 /* \0 */);
|
|
||||||
- if (p == NULL) {
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
|
||||||
+ p = malloc(plen + 1 /* \0 */);
|
|
||||||
+ if (p == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
|
||||||
- if ((size_t)rc != plen) {
|
|
||||||
- free(p);
|
|
||||||
- return -1;
|
|
||||||
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
|
||||||
+ if ((size_t)rc != plen) {
|
|
||||||
+ free(p);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
tmp = ssh_path_expand_escape(session, p);
|
|
||||||
@@ -1606,24 +1621,33 @@ int ssh_options_apply(ssh_session session)
|
|
||||||
session->opts.ProxyCommand = tmp;
|
|
||||||
}
|
|
||||||
|
|
||||||
- for (it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
- it != NULL;
|
|
||||||
- it = it->next) {
|
|
||||||
- char *id = (char *) it->data;
|
|
||||||
- if (strncmp(id, "pkcs11:", 6) == 0) {
|
|
||||||
+ for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
|
||||||
+ tmp != NULL;
|
|
||||||
+ tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
|
||||||
+ char *id = tmp;
|
|
||||||
+ if (strncmp(id, "pkcs11:", 6) != 0) {
|
|
||||||
/* PKCS#11 URIs are using percent-encoding so we can not mix
|
|
||||||
* it with ssh expansion of ssh escape characters.
|
|
||||||
- * Skip these identities now, before we will have PKCS#11 support
|
|
||||||
*/
|
|
||||||
- continue;
|
|
||||||
+ tmp = ssh_path_expand_escape(session, id);
|
|
||||||
+ if (tmp == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ free(id);
|
|
||||||
}
|
|
||||||
- tmp = ssh_path_expand_escape(session, id);
|
|
||||||
- if (tmp == NULL) {
|
|
||||||
+
|
|
||||||
+ /* use append to keep the order at first call and use prepend
|
|
||||||
+ * to put anything that comes on the nth calls to the beginning */
|
|
||||||
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
|
||||||
+ rc = ssh_list_prepend(session->opts.identity, tmp);
|
|
||||||
+ } else {
|
|
||||||
+ rc = ssh_list_append(session->opts.identity, tmp);
|
|
||||||
+ }
|
|
||||||
+ if (rc != SSH_OK) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- free(id);
|
|
||||||
- it->data = tmp;
|
|
||||||
}
|
|
||||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_IDENTITY;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff --git a/src/session.c b/src/session.c
|
|
||||||
index 64e54957..34a492e4 100644
|
|
||||||
--- a/src/session.c
|
|
||||||
+++ b/src/session.c
|
|
||||||
@@ -118,13 +118,17 @@ ssh_session ssh_new(void)
|
|
||||||
if (session->opts.identity == NULL) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
+ session->opts.identity_non_exp = ssh_list_new();
|
|
||||||
+ if (session->opts.identity_non_exp == NULL) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
id = strdup("%d/id_ed25519");
|
|
||||||
if (id == NULL) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = ssh_list_append(session->opts.identity, id);
|
|
||||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -134,7 +138,7 @@ ssh_session ssh_new(void)
|
|
||||||
if (id == NULL) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
- rc = ssh_list_append(session->opts.identity, id);
|
|
||||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -144,7 +148,7 @@ ssh_session ssh_new(void)
|
|
||||||
if (id == NULL) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
- rc = ssh_list_append(session->opts.identity, id);
|
|
||||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -154,7 +158,7 @@ ssh_session ssh_new(void)
|
|
||||||
if (id == NULL) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
- rc = ssh_list_append(session->opts.identity, id);
|
|
||||||
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
|
||||||
if (rc == SSH_ERROR) {
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -284,6 +288,17 @@ void ssh_free(ssh_session session)
|
|
||||||
ssh_list_free(session->opts.identity);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (session->opts.identity_non_exp) {
|
|
||||||
+ char *id;
|
|
||||||
+
|
|
||||||
+ for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
|
||||||
+ id != NULL;
|
|
||||||
+ id = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
|
||||||
+ SAFE_FREE(id);
|
|
||||||
+ }
|
|
||||||
+ ssh_list_free(session->opts.identity_non_exp);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
while ((b = ssh_list_pop_head(struct ssh_buffer_struct *,
|
|
||||||
session->out_queue)) != NULL) {
|
|
||||||
SSH_BUFFER_FREE(b);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From 4cb84b99fdb1ffd26c0241f5809e4f67ddd407c6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Wed, 16 Nov 2022 11:03:30 +0100
|
|
||||||
Subject: [PATCH 2/5] tests: Use opts.identites_non_exp not opts.identities
|
|
||||||
|
|
||||||
The configuration of identities are first saved to `opts.identities_non_exp`,
|
|
||||||
then moved to `opts.identities` after calling ssh_options_apply and expanding
|
|
||||||
the identity strings. These tests are testing against the proper configuration
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
tests/client/torture_auth_pkcs11.c | 2 +-
|
|
||||||
tests/unittests/torture_config.c | 3 ++-
|
|
||||||
tests/unittests/torture_options.c | 14 +++++++-------
|
|
||||||
3 files changed, 10 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/client/torture_auth_pkcs11.c b/tests/client/torture_auth_pkcs11.c
|
|
||||||
index ee97bff4..e75fea0e 100644
|
|
||||||
--- a/tests/client/torture_auth_pkcs11.c
|
|
||||||
+++ b/tests/client/torture_auth_pkcs11.c
|
|
||||||
@@ -196,7 +196,7 @@ static void torture_auth_autopubkey(void **state, const char *obj_name, const ch
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
- assert_string_equal(session->opts.identity->root->data, priv_uri);
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, priv_uri);
|
|
||||||
|
|
||||||
rc = ssh_connect(session);
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
|
||||||
index 354adc2f..100e68f6 100644
|
|
||||||
--- a/tests/unittests/torture_config.c
|
|
||||||
+++ b/tests/unittests/torture_config.c
|
|
||||||
@@ -2078,7 +2078,8 @@ static void torture_config_identity(void **state)
|
|
||||||
|
|
||||||
_parse_config(session, NULL, LIBSSH_TESTCONFIG_STRING13, SSH_OK);
|
|
||||||
|
|
||||||
- it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ /* The identities are first added to this temporary list before expanding */
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
|
||||||
assert_non_null(it);
|
|
||||||
id = it->data;
|
|
||||||
/* The identities are prepended to the list so we start with second one */
|
|
||||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
|
||||||
index dc4df383..3be2de8a 100644
|
|
||||||
--- a/tests/unittests/torture_options.c
|
|
||||||
+++ b/tests/unittests/torture_options.c
|
|
||||||
@@ -406,12 +406,12 @@ static void torture_options_set_identity(void **state) {
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_ADD_IDENTITY, "identity1");
|
|
||||||
assert_true(rc == 0);
|
|
||||||
- assert_string_equal(session->opts.identity->root->data, "identity1");
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity1");
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
|
||||||
assert_true(rc == 0);
|
|
||||||
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
|
||||||
- assert_string_equal(session->opts.identity->root->next->data, "identity1");
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->next->data, "identity1");
|
|
||||||
}
|
|
||||||
|
|
||||||
static void torture_options_get_identity(void **state) {
|
|
||||||
@@ -429,7 +429,7 @@ static void torture_options_get_identity(void **state) {
|
|
||||||
|
|
||||||
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
|
||||||
rc = ssh_options_get(session, SSH_OPTIONS_IDENTITY, &identity);
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
assert_non_null(identity);
|
|
||||||
@@ -867,9 +867,9 @@ static void torture_options_copy(void **state)
|
|
||||||
assert_non_null(new);
|
|
||||||
|
|
||||||
/* Check the identities match */
|
|
||||||
- it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
|
||||||
assert_non_null(it);
|
|
||||||
- it2 = ssh_list_get_iterator(new->opts.identity);
|
|
||||||
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
|
||||||
assert_non_null(it2);
|
|
||||||
while (it != NULL && it2 != NULL) {
|
|
||||||
assert_string_equal(it->data, it2->data);
|
|
||||||
@@ -956,7 +956,7 @@ static void torture_options_getopt(void **state)
|
|
||||||
"aes128-ctr");
|
|
||||||
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_S_C],
|
|
||||||
"aes128-ctr");
|
|
||||||
- assert_string_equal(session->opts.identity->root->data, "id_rsa");
|
|
||||||
+ assert_string_equal(session->opts.identity_non_exp->root->data, "id_rsa");
|
|
||||||
#ifdef WITH_ZLIB
|
|
||||||
assert_string_equal(session->opts.wanted_methods[SSH_COMP_C_S],
|
|
||||||
"zlib@openssh.com,zlib,none");
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From cd30217c9032419ebcf722c0bfc6b5ebfa3518d0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Wed, 16 Nov 2022 16:51:02 +0100
|
|
||||||
Subject: [PATCH 3/5] Add flags for escape expand operation
|
|
||||||
|
|
||||||
Calling `ssh_options_apply` more times can result in an unwanted behaviour of
|
|
||||||
expanding the escape characters more times. Adding flags to check if the
|
|
||||||
expansion was already done on the current string variables.
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
include/libssh/session.h | 7 ++++
|
|
||||||
src/options.c | 91 ++++++++++++++++++++++++----------------
|
|
||||||
src/session.c | 2 +
|
|
||||||
3 files changed, 63 insertions(+), 37 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
|
||||||
index e22b0d67..cf219c2a 100644
|
|
||||||
--- a/include/libssh/session.h
|
|
||||||
+++ b/include/libssh/session.h
|
|
||||||
@@ -93,6 +93,12 @@ enum ssh_pending_call_e {
|
|
||||||
#define SSH_OPT_FLAG_KBDINT_AUTH 0x4
|
|
||||||
#define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
|
|
||||||
|
|
||||||
+/* Escape expansion of different variables */
|
|
||||||
+#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
|
|
||||||
+#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
|
|
||||||
+#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
|
|
||||||
+#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
|
|
||||||
+
|
|
||||||
/* extensions flags */
|
|
||||||
/* negotiation enabled */
|
|
||||||
#define SSH_EXT_NEGOTIATION 0x01
|
|
||||||
@@ -232,6 +238,7 @@ struct ssh_session_struct {
|
|
||||||
char *gss_client_identity;
|
|
||||||
int gss_delegate_creds;
|
|
||||||
int flags;
|
|
||||||
+ int exp_flags;
|
|
||||||
int nodelay;
|
|
||||||
bool config_processed;
|
|
||||||
uint8_t options_seen[SOC_MAX];
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
|
||||||
index bb085384..c566244b 100644
|
|
||||||
--- a/src/options.c
|
|
||||||
+++ b/src/options.c
|
|
||||||
@@ -730,6 +730,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
|
||||||
ssh_set_error_oom(session);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case SSH_OPTIONS_GLOBAL_KNOWNHOSTS:
|
|
||||||
@@ -751,6 +752,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
|
||||||
ssh_set_error_oom(session);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case SSH_OPTIONS_TIMEOUT:
|
|
||||||
@@ -1014,6 +1016,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
session->opts.ProxyCommand = q;
|
|
||||||
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
@@ -1572,53 +1575,67 @@ int ssh_options_apply(ssh_session session)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (session->opts.knownhosts == NULL) {
|
|
||||||
- tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
|
||||||
- } else {
|
|
||||||
- tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
|
||||||
- }
|
|
||||||
- if (tmp == NULL) {
|
|
||||||
- return -1;
|
|
||||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS) == 0) {
|
|
||||||
+ if (session->opts.knownhosts == NULL) {
|
|
||||||
+ tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
|
||||||
+ } else {
|
|
||||||
+ tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
|
||||||
+ }
|
|
||||||
+ if (tmp == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ free(session->opts.knownhosts);
|
|
||||||
+ session->opts.knownhosts = tmp;
|
|
||||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
|
||||||
}
|
|
||||||
- free(session->opts.knownhosts);
|
|
||||||
- session->opts.knownhosts = tmp;
|
|
||||||
|
|
||||||
- if (session->opts.global_knownhosts == NULL) {
|
|
||||||
- tmp = strdup("/etc/ssh/ssh_known_hosts");
|
|
||||||
- } else {
|
|
||||||
- tmp = ssh_path_expand_escape(session, session->opts.global_knownhosts);
|
|
||||||
- }
|
|
||||||
- if (tmp == NULL) {
|
|
||||||
- return -1;
|
|
||||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS) == 0) {
|
|
||||||
+ if (session->opts.global_knownhosts == NULL) {
|
|
||||||
+ tmp = strdup("/etc/ssh/ssh_known_hosts");
|
|
||||||
+ } else {
|
|
||||||
+ tmp = ssh_path_expand_escape(session,
|
|
||||||
+ session->opts.global_knownhosts);
|
|
||||||
+ }
|
|
||||||
+ if (tmp == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ free(session->opts.global_knownhosts);
|
|
||||||
+ session->opts.global_knownhosts = tmp;
|
|
||||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
|
||||||
}
|
|
||||||
- free(session->opts.global_knownhosts);
|
|
||||||
- session->opts.global_knownhosts = tmp;
|
|
||||||
|
|
||||||
- if (session->opts.ProxyCommand != NULL) {
|
|
||||||
- char *p = NULL;
|
|
||||||
- size_t plen = strlen(session->opts.ProxyCommand) +
|
|
||||||
- 5 /* strlen("exec ") */;
|
|
||||||
|
|
||||||
- if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
|
||||||
- p = malloc(plen + 1 /* \0 */);
|
|
||||||
- if (p == NULL) {
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND) == 0) {
|
|
||||||
+ if (session->opts.ProxyCommand != NULL) {
|
|
||||||
+ char *p = NULL;
|
|
||||||
+ size_t plen = strlen(session->opts.ProxyCommand) +
|
|
||||||
+ 5 /* strlen("exec ") */;
|
|
||||||
+
|
|
||||||
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
|
||||||
+ p = malloc(plen + 1 /* \0 */);
|
|
||||||
+ if (p == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
|
||||||
- if ((size_t)rc != plen) {
|
|
||||||
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
|
||||||
+ if ((size_t)rc != plen) {
|
|
||||||
+ free(p);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ tmp = ssh_path_expand_escape(session, p);
|
|
||||||
free(p);
|
|
||||||
- return -1;
|
|
||||||
+ } else {
|
|
||||||
+ tmp = ssh_path_expand_escape(session,
|
|
||||||
+ session->opts.ProxyCommand);
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
|
|
||||||
- tmp = ssh_path_expand_escape(session, p);
|
|
||||||
- free(p);
|
|
||||||
- if (tmp == NULL) {
|
|
||||||
- return -1;
|
|
||||||
+ if (tmp == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ free(session->opts.ProxyCommand);
|
|
||||||
+ session->opts.ProxyCommand = tmp;
|
|
||||||
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
|
||||||
}
|
|
||||||
- free(session->opts.ProxyCommand);
|
|
||||||
- session->opts.ProxyCommand = tmp;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
|
||||||
diff --git a/src/session.c b/src/session.c
|
|
||||||
index 34a492e4..06f6a26f 100644
|
|
||||||
--- a/src/session.c
|
|
||||||
+++ b/src/session.c
|
|
||||||
@@ -114,6 +114,8 @@ ssh_session ssh_new(void)
|
|
||||||
SSH_OPT_FLAG_KBDINT_AUTH |
|
|
||||||
SSH_OPT_FLAG_GSSAPI_AUTH;
|
|
||||||
|
|
||||||
+ session->opts.exp_flags = 0;
|
|
||||||
+
|
|
||||||
session->opts.identity = ssh_list_new();
|
|
||||||
if (session->opts.identity == NULL) {
|
|
||||||
goto err;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From ed58082f9706f2ab3bdeca24f632356b9bc325e6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Wed, 16 Nov 2022 17:17:14 +0100
|
|
||||||
Subject: [PATCH 4/5] torture_options.c: Add identity test for ssh_options_copy
|
|
||||||
|
|
||||||
Test if the ssh_options_apply is called on session before ssh_options_copy,
|
|
||||||
then `opts.identity` ssh_list will be copied
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
tests/unittests/torture_options.c | 28 ++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 28 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
|
||||||
index 3be2de8a..907cc8df 100644
|
|
||||||
--- a/tests/unittests/torture_options.c
|
|
||||||
+++ b/tests/unittests/torture_options.c
|
|
||||||
@@ -918,6 +918,34 @@ static void torture_options_copy(void **state)
|
|
||||||
sizeof(session->opts.options_seen));
|
|
||||||
|
|
||||||
ssh_free(new);
|
|
||||||
+
|
|
||||||
+ /* test if ssh_options_apply was called before ssh_options_copy
|
|
||||||
+ * the opts.identity list gets copied (percent expanded list) */
|
|
||||||
+ rv = ssh_options_apply(session);
|
|
||||||
+ assert_ssh_return_code(session, rv);
|
|
||||||
+
|
|
||||||
+ rv = ssh_options_copy(session, &new);
|
|
||||||
+ assert_ssh_return_code(session, rv);
|
|
||||||
+ assert_non_null(new);
|
|
||||||
+
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
|
||||||
+ assert_null(it);
|
|
||||||
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
|
||||||
+ assert_null(it2);
|
|
||||||
+
|
|
||||||
+ it = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ assert_non_null(it);
|
|
||||||
+ it2 = ssh_list_get_iterator(new->opts.identity);
|
|
||||||
+ assert_non_null(it2);
|
|
||||||
+ while (it != NULL && it2 != NULL) {
|
|
||||||
+ assert_string_equal(it->data, it2->data);
|
|
||||||
+ it = it->next;
|
|
||||||
+ it2 = it2->next;
|
|
||||||
+ }
|
|
||||||
+ assert_null(it);
|
|
||||||
+ assert_null(it2);
|
|
||||||
+
|
|
||||||
+ ssh_free(new);
|
|
||||||
}
|
|
||||||
|
|
||||||
#define EXECUTABLE_NAME "test-exec"
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From 89dd4a927b946d4df5c48073ca25cd843e0acde0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Date: Wed, 16 Nov 2022 17:18:49 +0100
|
|
||||||
Subject: [PATCH 5/5] torture_options.c: Add test for ssh_options_apply
|
|
||||||
|
|
||||||
Test that ssh_options_apply can be called multiple times without expanding
|
|
||||||
escape characters more than once. If the options are updated after calling
|
|
||||||
ssh_options_apply keep the last options.
|
|
||||||
|
|
||||||
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
|
||||||
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
---
|
|
||||||
tests/unittests/torture_options.c | 165 ++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 165 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
|
||||||
index 907cc8df..ea63b45e 100644
|
|
||||||
--- a/tests/unittests/torture_options.c
|
|
||||||
+++ b/tests/unittests/torture_options.c
|
|
||||||
@@ -1332,6 +1332,170 @@ static void torture_options_caret_sign(void **state)
|
|
||||||
free(awaited);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void torture_options_apply (void **state) {
|
|
||||||
+ ssh_session session = *state;
|
|
||||||
+ struct ssh_list *awaited_list = NULL;
|
|
||||||
+ struct ssh_iterator *it1 = NULL, *it2 = NULL;
|
|
||||||
+ char *id = NULL;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_KNOWNHOSTS,
|
|
||||||
+ "%%d/.ssh/known_hosts");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
|
||||||
+ "/etc/%%u/libssh/known_hosts");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_PROXYCOMMAND,
|
|
||||||
+ "exec echo \"Hello libssh %%d!\"");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
|
||||||
+ "%%d/do_not_expand");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_apply(session);
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ /* check that the values got expanded */
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
|
||||||
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
|
||||||
+ assert_true(ssh_list_count(session->opts.identity) > 0);
|
|
||||||
+
|
|
||||||
+ /* should not change anything calling it again */
|
|
||||||
+ rc = ssh_options_apply(session);
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ /* check that the expansion was done only once */
|
|
||||||
+ assert_string_equal(session->opts.knownhosts, "%d/.ssh/known_hosts");
|
|
||||||
+ assert_string_equal(session->opts.global_knownhosts,
|
|
||||||
+ "/etc/%u/libssh/known_hosts");
|
|
||||||
+ /* no exec should be added if there already is one */
|
|
||||||
+ assert_string_equal(session->opts.ProxyCommand,
|
|
||||||
+ "exec echo \"Hello libssh %d!\"");
|
|
||||||
+ assert_string_equal(session->opts.identity->root->data,
|
|
||||||
+ "%d/do_not_expand");
|
|
||||||
+
|
|
||||||
+ /* apply should keep the freshest setting */
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_KNOWNHOSTS,
|
|
||||||
+ "hello there");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
|
||||||
+ "lorem ipsum");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_PROXYCOMMAND,
|
|
||||||
+ "mission_impossible");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
|
||||||
+ "007");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
|
||||||
+ "3");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
|
||||||
+ "2");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_set(session,
|
|
||||||
+ SSH_OPTIONS_ADD_IDENTITY,
|
|
||||||
+ "1");
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ /* check that flags show need of escape expansion */
|
|
||||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
|
||||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
|
||||||
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
|
||||||
+ assert_false(ssh_list_count(session->opts.identity_non_exp) == 0);
|
|
||||||
+
|
|
||||||
+ rc = ssh_options_apply(session);
|
|
||||||
+ assert_ssh_return_code(session, rc);
|
|
||||||
+
|
|
||||||
+ /* check that the values got expanded */
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
|
||||||
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
|
||||||
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
|
||||||
+
|
|
||||||
+ assert_string_equal(session->opts.knownhosts, "hello there");
|
|
||||||
+ assert_string_equal(session->opts.global_knownhosts, "lorem ipsum");
|
|
||||||
+ /* check that the "exec " was added at the beginning */
|
|
||||||
+ assert_string_equal(session->opts.ProxyCommand, "exec mission_impossible");
|
|
||||||
+ assert_string_equal(session->opts.identity->root->data, "1");
|
|
||||||
+
|
|
||||||
+ /* check the order of the identity files after double expansion */
|
|
||||||
+ awaited_list = ssh_list_new();
|
|
||||||
+ /* append the new data in order */
|
|
||||||
+ id = strdup("1");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ id = strdup("2");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ id = strdup("3");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ id = strdup("007");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ id = strdup("%d/do_not_expand");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+ /* append the defaults; this list is copied from ssh_new@src/session.c */
|
|
||||||
+ id = ssh_path_expand_escape(session, "%d/id_ed25519");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+#ifdef HAVE_ECC
|
|
||||||
+ id = ssh_path_expand_escape(session, "%d/id_ecdsa");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+#endif
|
|
||||||
+ id = ssh_path_expand_escape(session, "%d/id_rsa");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ id = ssh_path_expand_escape(session, "%d/id_dsa");
|
|
||||||
+ rc = ssh_list_append(awaited_list, id);
|
|
||||||
+ assert_int_equal(rc, SSH_OK);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ assert_int_equal(ssh_list_count(awaited_list),
|
|
||||||
+ ssh_list_count(session->opts.identity));
|
|
||||||
+
|
|
||||||
+ it1 = ssh_list_get_iterator(awaited_list);
|
|
||||||
+ assert_non_null(it1);
|
|
||||||
+ it2 = ssh_list_get_iterator(session->opts.identity);
|
|
||||||
+ assert_non_null(it2);
|
|
||||||
+ while (it1 != NULL && it2 != NULL) {
|
|
||||||
+ assert_string_equal(it1->data, it2->data);
|
|
||||||
+
|
|
||||||
+ free((void*)it1->data);
|
|
||||||
+ it1 = it1->next;
|
|
||||||
+ it2 = it2->next;
|
|
||||||
+ }
|
|
||||||
+ assert_null(it1);
|
|
||||||
+ assert_null(it2);
|
|
||||||
+
|
|
||||||
+ ssh_list_free(awaited_list);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef WITH_SERVER
|
|
||||||
const char template[] = "temp_dir_XXXXXX";
|
|
||||||
|
|
||||||
@@ -2132,6 +2296,7 @@ int torture_run_tests(void) {
|
|
||||||
setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(torture_options_caret_sign,
|
|
||||||
setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
|
|
||||||
};
|
|
||||||
|
|
||||||
#ifdef WITH_SERVER
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
diff --git a/tests/pkcs11/setup-softhsm-tokens.sh b/tests/pkcs11/setup-softhsm-tokens.sh
|
|
||||||
index 532c86a7..9050cea6 100755
|
|
||||||
--- a/tests/pkcs11/setup-softhsm-tokens.sh
|
|
||||||
+++ b/tests/pkcs11/setup-softhsm-tokens.sh
|
|
||||||
@@ -17,10 +17,10 @@ echo "OBJNAME: $OBJNAME"
|
|
||||||
echo "LOADPUBLIC: $LOADPUBLIC"
|
|
||||||
|
|
||||||
# Create temporary directory for tokens
|
|
||||||
-install -d -m 0755 $TESTDIR/db
|
|
||||||
+install -d -m 0755 "$TESTDIR/db"
|
|
||||||
|
|
||||||
# Create SoftHSM configuration file
|
|
||||||
-cat >$TESTDIR/softhsm.conf <<EOF
|
|
||||||
+cat >"$TESTDIR/softhsm.conf" <<EOF
|
|
||||||
directories.tokendir = $TESTDIR/db
|
|
||||||
objectstore.backend = file
|
|
||||||
log.level = DEBUG
|
|
||||||
@@ -28,12 +28,12 @@ EOF
|
|
||||||
|
|
||||||
export SOFTHSM2_CONF=$TESTDIR/softhsm.conf
|
|
||||||
|
|
||||||
-cat $TESTDIR/softhsm.conf
|
|
||||||
+cat "$TESTDIR/softhsm.conf"
|
|
||||||
|
|
||||||
#init
|
|
||||||
-cmd='softhsm2-util --init-token --label "$OBJNAME" --free --pin 1234 --so-pin 1234'
|
|
||||||
+cmd="softhsm2-util --init-token --label $OBJNAME --free --pin 1234 --so-pin 1234"
|
|
||||||
eval echo "$cmd"
|
|
||||||
-out=$(eval $cmd)
|
|
||||||
+out=$(eval "$cmd")
|
|
||||||
ret=$?
|
|
||||||
if [ $ret -ne 0 ]; then
|
|
||||||
echo "Init token failed"
|
|
||||||
@@ -41,10 +41,29 @@ if [ $ret -ne 0 ]; then
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
+find_library_path() {
|
|
||||||
+ echo "$@"
|
|
||||||
+ for _lib in "$@" ; do
|
|
||||||
+ if test -f "$_lib" ; then
|
|
||||||
+ LIBSOFTHSM_PATH="$_lib"
|
|
||||||
+ echo "Using libsofthsm path: $LIBSOFTHSM_PATH"
|
|
||||||
+ return
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+ echo "libsofthsm2.so not found"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+find_library_path \
|
|
||||||
+ /usr/lib64/libsofthsm2.so \
|
|
||||||
+ /usr/lib/libsofthsm2.so \
|
|
||||||
+ /usr/local/lib/softhsm/libsofthsm2.so \
|
|
||||||
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
|
|
||||||
+
|
|
||||||
#load private key
|
|
||||||
-cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-privkey "$PRIVKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
|
||||||
+cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
|
||||||
eval echo "$cmd"
|
|
||||||
-out=$(eval $cmd)
|
|
||||||
+out=$(eval "$cmd")
|
|
||||||
ret=$?
|
|
||||||
if [ $ret -ne 0 ]; then
|
|
||||||
echo "Loading privkey failed"
|
|
||||||
@@ -52,15 +71,15 @@ if [ $ret -ne 0 ]; then
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
-cat $PUBKEY
|
|
||||||
+cat "$PUBKEY"
|
|
||||||
|
|
||||||
-ls -l $TESTDIR
|
|
||||||
+ls -l "$TESTDIR"
|
|
||||||
|
|
||||||
-if [ $LOADPUBLIC -ne 0 ]; then
|
|
||||||
+if [ "$LOADPUBLIC" -ne 0 ]; then
|
|
||||||
#load public key
|
|
||||||
- cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-pubkey "$PUBKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
|
||||||
+ cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
|
||||||
eval echo "$cmd"
|
|
||||||
- out=$(eval $cmd)
|
|
||||||
+ out=$(eval "$cmd")
|
|
||||||
ret=$?
|
|
||||||
if [ $ret -ne 0 ]; then
|
|
||||||
echo "Loading pubkey failed"
|
|
||||||
@@ -69,9 +88,9 @@ if [ $LOADPUBLIC -ne 0 ]; then
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
-cmd='p11tool --list-all --login "pkcs11:token="$OBJNAME"" --set-pin=1234'
|
|
||||||
+cmd="p11tool --list-all --login \"pkcs11:token=$OBJNAME\" --set-pin=1234"
|
|
||||||
eval echo "$cmd"
|
|
||||||
-out=$(eval $cmd)
|
|
||||||
+out=$(eval "$cmd")
|
|
||||||
ret=$?
|
|
||||||
if [ $ret -ne 0 ]; then
|
|
||||||
echo "Loging failed"
|
|
1653
plus_sign.patch
1653
plus_sign.patch
File diff suppressed because it is too large
Load Diff
@ -1,21 +0,0 @@
|
|||||||
diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
|
||||||
--- ../libssh-0.10.4/tests/client/torture_rekey.c 2023-05-17 10:55:23.384684129 +0200
|
|
||||||
+++ ./tests/client/torture_rekey.c 2023-05-17 10:56:29.819334665 +0200
|
|
||||||
@@ -504,7 +504,7 @@
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 1000);
|
|
||||||
|
|
||||||
c = s->ssh.session->current_crypto;
|
|
||||||
/* SHA256 len */
|
|
||||||
@@ -582,7 +582,7 @@
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 1000);
|
|
||||||
|
|
||||||
c = s->ssh.session->current_crypto;
|
|
||||||
/* SHA256 len */
|
|
2
sources
2
sources
@ -1,2 +0,0 @@
|
|||||||
SHA512 (libssh-0.10.4.tar.xz) = 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed
|
|
||||||
SHA512 (libssh-0.10.4.tar.xz.asc) = 8200215d6471851dac8cd8efd07400b9bc4403cf5406a9fdb28a68ef8fe85c227f92a26071fb32d9396b91661568333b5ceb9b23665d22e761b981dd880bbbc8
|
|
Loading…
Reference in New Issue
Block a user