Compare commits
No commits in common. 'i8c-beta' and 'c9' have entirely different histories.
@ -1,2 +1,2 @@
|
|||||||
SOURCES/libssh-0.9.6.tar.xz
|
SOURCES/libssh-0.10.4.tar.xz
|
||||||
SOURCES/libssh.keyring
|
SOURCES/libssh.keyring
|
||||||
|
|||||||
@ -1,2 +1,2 @@
|
|||||||
1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
|
4c48350a0a688ad82080175ed26a2019928a99c4 SOURCES/libssh-0.10.4.tar.xz
|
||||||
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
|
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,23 @@
|
|||||||
|
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
||||||
|
index a847c6a2..1eb94307 100644
|
||||||
|
--- a/src/dh_crypto.c
|
||||||
|
+++ b/src/dh_crypto.c
|
||||||
|
@@ -341,8 +341,16 @@ int ssh_dh_set_parameters(struct dh_ctx *ctx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
||||||
|
- OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||||
|
if (params == NULL) {
|
||||||
|
OSSL_PARAM_BLD_free(param_bld);
|
||||||
@ -0,0 +1,57 @@
|
|||||||
|
File ../libssh-0.10.4/.git is a regular file while file ./.git is a directory
|
||||||
|
diff --color -ru ../libssh-0.10.4/src/sftp.c ./src/sftp.c
|
||||||
|
--- ../libssh-0.10.4/src/sftp.c 2023-05-22 12:45:48.383509085 +0200
|
||||||
|
+++ ./src/sftp.c 2023-05-22 12:54:31.004037650 +0200
|
||||||
|
@@ -1755,6 +1755,10 @@
|
||||||
|
int sftp_close(sftp_file file){
|
||||||
|
int err = SSH_NO_ERROR;
|
||||||
|
|
||||||
|
+ if (file == NULL) {
|
||||||
|
+ return err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
SAFE_FREE(file->name);
|
||||||
|
if (file->handle){
|
||||||
|
err = sftp_handle_close(file->sftp,file->handle);
|
||||||
|
@@ -1917,7 +1921,7 @@
|
||||||
|
|
||||||
|
/* Read from a file using an opened sftp file handle. */
|
||||||
|
ssize_t sftp_read(sftp_file handle, void *buf, size_t count) {
|
||||||
|
- sftp_session sftp = handle->sftp;
|
||||||
|
+ sftp_session sftp;
|
||||||
|
sftp_message msg = NULL;
|
||||||
|
sftp_status_message status;
|
||||||
|
ssh_string datastring;
|
||||||
|
@@ -1926,6 +1930,11 @@
|
||||||
|
uint32_t id;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
+ if (handle == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ sftp = handle->sftp;
|
||||||
|
+
|
||||||
|
if (handle->eof) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -2147,7 +2156,7 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t sftp_write(sftp_file file, const void *buf, size_t count) {
|
||||||
|
- sftp_session sftp = file->sftp;
|
||||||
|
+ sftp_session sftp;
|
||||||
|
sftp_message msg = NULL;
|
||||||
|
sftp_status_message status;
|
||||||
|
ssh_buffer buffer;
|
||||||
|
@@ -2156,6 +2165,11 @@
|
||||||
|
size_t packetlen;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
+ if (file == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ sftp = file->sftp;
|
||||||
|
+
|
||||||
|
buffer = ssh_buffer_new();
|
||||||
|
if (buffer == NULL) {
|
||||||
|
ssh_set_error_oom(sftp->session);
|
||||||
@ -0,0 +1,105 @@
|
|||||||
|
diff --git a/src/kex.c b/src/kex.c
|
||||||
|
index 1155b9c7..528cb182 100644
|
||||||
|
--- a/src/kex.c
|
||||||
|
+++ b/src/kex.c
|
||||||
|
@@ -101,12 +101,19 @@
|
||||||
|
|
||||||
|
#ifdef HAVE_ECDH
|
||||||
|
#define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
|
||||||
|
-#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
|
||||||
|
-#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||||
|
+#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
|
||||||
|
+ "ecdsa-sha2-nistp384," \
|
||||||
|
+ "ecdsa-sha2-nistp256,"
|
||||||
|
+#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
|
||||||
|
+#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||||
|
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||||
|
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
||||||
|
+#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
||||||
|
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
||||||
|
#else
|
||||||
|
#define EC_HOSTKEYS ""
|
||||||
|
+#define EC_SK_HOSTKEYS ""
|
||||||
|
+#define EC_FIPS_PUBLIC_KEY_ALGOS ""
|
||||||
|
#define EC_PUBLIC_KEY_ALGORITHMS ""
|
||||||
|
#define ECDH ""
|
||||||
|
#endif /* HAVE_ECDH */
|
||||||
|
@@ -127,16 +134,21 @@
|
||||||
|
|
||||||
|
#define HOSTKEYS "ssh-ed25519," \
|
||||||
|
EC_HOSTKEYS \
|
||||||
|
+ "sk-ssh-ed25519@openssh.com," \
|
||||||
|
+ EC_SK_HOSTKEYS \
|
||||||
|
"rsa-sha2-512," \
|
||||||
|
"rsa-sha2-256," \
|
||||||
|
"ssh-rsa" \
|
||||||
|
DSA_HOSTKEYS
|
||||||
|
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
|
||||||
|
EC_HOSTKEYS \
|
||||||
|
+ "sk-ssh-ed25519@openssh.com," \
|
||||||
|
+ EC_SK_HOSTKEYS \
|
||||||
|
"rsa-sha2-512," \
|
||||||
|
"rsa-sha2-256"
|
||||||
|
|
||||||
|
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
|
||||||
|
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
|
||||||
|
EC_PUBLIC_KEY_ALGORITHMS \
|
||||||
|
"rsa-sha2-512-cert-v01@openssh.com," \
|
||||||
|
"rsa-sha2-256-cert-v01@openssh.com," \
|
||||||
|
@@ -186,7 +198,7 @@
|
||||||
|
"rsa-sha2-512," \
|
||||||
|
"rsa-sha2-256"
|
||||||
|
|
||||||
|
-#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
|
||||||
|
+#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
|
||||||
|
"rsa-sha2-512-cert-v01@openssh.com," \
|
||||||
|
"rsa-sha2-256-cert-v01@openssh.com," \
|
||||||
|
FIPS_ALLOWED_HOSTKEYS
|
||||||
|
diff --git a/src/knownhosts.c b/src/knownhosts.c
|
||||||
|
index 1f52dedc..94618fe2 100644
|
||||||
|
--- a/src/knownhosts.c
|
||||||
|
+++ b/src/knownhosts.c
|
||||||
|
@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
||||||
|
return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
|
||||||
|
case SSH_KEYTYPE_ED25519:
|
||||||
|
return "ssh-ed25519";
|
||||||
|
+ case SSH_KEYTYPE_SK_ED25519:
|
||||||
|
+ return "sk-ssh-ed25519@openssh.com";
|
||||||
|
#ifdef HAVE_DSA
|
||||||
|
case SSH_KEYTYPE_DSS:
|
||||||
|
return "ssh-dss";
|
||||||
|
@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
|
||||||
|
return "ecdsa-sha2-nistp384";
|
||||||
|
case SSH_KEYTYPE_ECDSA_P521:
|
||||||
|
return "ecdsa-sha2-nistp521";
|
||||||
|
+ case SSH_KEYTYPE_SK_ECDSA:
|
||||||
|
+ return "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||||
|
#else
|
||||||
|
case SSH_KEYTYPE_ECDSA_P256:
|
||||||
|
case SSH_KEYTYPE_ECDSA_P384:
|
||||||
|
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
|
||||||
|
index fffa8296..7fd21f05 100644
|
||||||
|
--- a/tests/unittests/torture_knownhosts_parsing.c
|
||||||
|
+++ b/tests/unittests/torture_knownhosts_parsing.c
|
||||||
|
@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
|
||||||
|
bool process_config = false;
|
||||||
|
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
||||||
|
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||||
|
- "ecdsa-sha2-nistp256";
|
||||||
|
+ "ecdsa-sha2-nistp256,"
|
||||||
|
+ "sk-ssh-ed25519@openssh.com,"
|
||||||
|
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||||
|
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
||||||
|
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
||||||
|
|
||||||
|
@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
|
||||||
|
bool process_config = false;
|
||||||
|
const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
|
||||||
|
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
|
||||||
|
- "ecdsa-sha2-nistp256";
|
||||||
|
+ "ecdsa-sha2-nistp256,"
|
||||||
|
+ "sk-ssh-ed25519@openssh.com,"
|
||||||
|
+ "sk-ecdsa-sha2-nistp256@openssh.com";
|
||||||
|
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
|
||||||
|
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
|
||||||
|
|
||||||
@ -1,668 +0,0 @@
|
|||||||
diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
|
|
||||||
--- ../libssh-0.9.6/examples/sshnetcat.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./examples/sshnetcat.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -233,9 +233,10 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
void cleanup_pcap(void);
|
|
||||||
-void cleanup_pcap(){
|
|
||||||
+void cleanup_pcap(void)
|
|
||||||
+{
|
|
||||||
ssh_pcap_file_free(pcap);
|
|
||||||
- pcap=NULL;
|
|
||||||
+ pcap = NULL;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
|
|
||||||
--- ../libssh-0.9.6/src/init.c 2021-03-15 08:11:33.000000000 +0100
|
|
||||||
+++ ./src/init.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -269,7 +269,7 @@
|
|
||||||
*
|
|
||||||
* @see ssh_init()
|
|
||||||
*/
|
|
||||||
-bool is_ssh_initialized() {
|
|
||||||
+bool is_ssh_initialized(void) {
|
|
||||||
|
|
||||||
bool is_initialized = false;
|
|
||||||
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
|
|
||||||
--- ../libssh-0.9.6/tests/client/torture_auth.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/client/torture_auth.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -200,7 +200,8 @@
|
|
||||||
assert_non_null(ssh_agent_pidfile);
|
|
||||||
|
|
||||||
/* kill agent pid */
|
|
||||||
- torture_terminate_process(ssh_agent_pidfile);
|
|
||||||
+ rc = torture_terminate_process(ssh_agent_pidfile);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
unlink(ssh_agent_pidfile);
|
|
||||||
|
|
||||||
@@ -551,6 +552,7 @@
|
|
||||||
|
|
||||||
static void torture_auth_agent_cert(void **state)
|
|
||||||
{
|
|
||||||
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
ssh_session session = s->ssh.session;
|
|
||||||
int rc;
|
|
||||||
@@ -570,6 +572,7 @@
|
|
||||||
"ssh-rsa-cert-v01@openssh.com");
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
|
||||||
|
|
||||||
/* Setup loads a different key, tests are exactly the same. */
|
|
||||||
torture_auth_agent(state);
|
|
||||||
@@ -577,6 +580,7 @@
|
|
||||||
|
|
||||||
static void torture_auth_agent_cert_nonblocking(void **state)
|
|
||||||
{
|
|
||||||
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
ssh_session session = s->ssh.session;
|
|
||||||
int rc;
|
|
||||||
@@ -596,6 +600,7 @@
|
|
||||||
"ssh-rsa-cert-v01@openssh.com");
|
|
||||||
assert_int_equal(rc, SSH_OK);
|
|
||||||
}
|
|
||||||
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
|
|
||||||
|
|
||||||
torture_auth_agent_nonblocking(state);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
|
||||||
--- ../libssh-0.9.6/tests/client/torture_rekey.c 2023-04-28 17:26:41.472315318 +0200
|
|
||||||
+++ ./tests/client/torture_rekey.c 2023-05-02 10:36:00.805381857 +0200
|
|
||||||
@@ -38,6 +38,8 @@
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
|
|
||||||
+#define KEX_RETRY 32
|
|
||||||
+
|
|
||||||
static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
|
|
||||||
|
|
||||||
static int sshd_setup(void **state)
|
|
||||||
@@ -190,10 +192,11 @@
|
|
||||||
rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
|
|
||||||
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
||||||
|
|
||||||
- /* send ignore packets of up to 1KB to trigger rekey */
|
|
||||||
+ /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
|
|
||||||
+ * to make sure it completes with all different ciphers */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 16; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
}
|
|
||||||
@@ -496,9 +499,15 @@
|
|
||||||
* to make sure the rekey it completes with all different ciphers (paddings */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 20; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ /* SHA256 len */
|
|
||||||
+ if (c->digest_len != 32) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* The rekey limit was restored in the new crypto to the same value */
|
|
||||||
@@ -568,9 +577,15 @@
|
|
||||||
* to make sure the rekey it completes with all different ciphers (paddings */
|
|
||||||
memset(data, 0, sizeof(data));
|
|
||||||
memset(data, 'A', 128);
|
|
||||||
- for (i = 0; i < 25; i++) {
|
|
||||||
+ for (i = 0; i < KEX_RETRY; i++) {
|
|
||||||
ssh_send_ignore(s->ssh.session, data);
|
|
||||||
- ssh_handle_packets(s->ssh.session, 50);
|
|
||||||
+ ssh_handle_packets(s->ssh.session, 100);
|
|
||||||
+
|
|
||||||
+ c = s->ssh.session->current_crypto;
|
|
||||||
+ /* SHA256 len */
|
|
||||||
+ if (c->digest_len != 32) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check that the secret hash is different than initially */
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
|
|
||||||
--- ../libssh-0.9.6/tests/CMakeLists.txt 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/CMakeLists.txt 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -153,6 +153,17 @@
|
|
||||||
execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
+ find_program(TIMEOUT_EXECUTABLE
|
|
||||||
+ NAME
|
|
||||||
+ timeout
|
|
||||||
+ PATHS
|
|
||||||
+ /bin
|
|
||||||
+ /usr/bin
|
|
||||||
+ /usr/local/bin)
|
|
||||||
+ if (TIMEOUT_EXECUTABLE)
|
|
||||||
+ set(WITH_TIMEOUT "1")
|
|
||||||
+ endif()
|
|
||||||
+
|
|
||||||
# chroot_wrapper
|
|
||||||
add_library(chroot_wrapper SHARED chroot_wrapper.c)
|
|
||||||
set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
|
|
||||||
--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c 2021-03-15 08:11:33.000000000 +0100
|
|
||||||
+++ ./tests/pkd/pkd_keyutil.c 2023-05-02 10:36:00.793381735 +0200
|
|
||||||
@@ -22,7 +22,7 @@
|
|
||||||
#include "pkd_keyutil.h"
|
|
||||||
#include "pkd_util.h"
|
|
||||||
|
|
||||||
-void setup_rsa_key() {
|
|
||||||
+void setup_rsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
|
|
||||||
@@ -31,7 +31,7 @@
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_ed25519_key() {
|
|
||||||
+void setup_ed25519_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
|
|
||||||
@@ -41,7 +41,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_DSA
|
|
||||||
-void setup_dsa_key() {
|
|
||||||
+void setup_dsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
|
|
||||||
@@ -51,7 +51,7 @@
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-void setup_ecdsa_keys() {
|
|
||||||
+void setup_ecdsa_keys(void) {
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
|
|
||||||
@@ -71,27 +71,27 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_rsa_key() {
|
|
||||||
+void cleanup_rsa_key(void) {
|
|
||||||
cleanup_key(LIBSSH_RSA_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_ed25519_key() {
|
|
||||||
+void cleanup_ed25519_key(void) {
|
|
||||||
cleanup_key(LIBSSH_ED25519_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_DSA
|
|
||||||
-void cleanup_dsa_key() {
|
|
||||||
+void cleanup_dsa_key(void) {
|
|
||||||
cleanup_key(LIBSSH_DSA_TESTKEY);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-void cleanup_ecdsa_keys() {
|
|
||||||
+void cleanup_ecdsa_keys(void) {
|
|
||||||
cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
|
|
||||||
cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
|
|
||||||
cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_openssh_client_keys() {
|
|
||||||
+void setup_openssh_client_keys(void) {
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
|
|
||||||
@@ -184,7 +184,7 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_openssh_client_keys() {
|
|
||||||
+void cleanup_openssh_client_keys(void) {
|
|
||||||
cleanup_key(OPENSSH_CA_TESTKEY);
|
|
||||||
cleanup_key(OPENSSH_RSA_TESTKEY);
|
|
||||||
cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
|
|
||||||
@@ -199,7 +199,7 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-void setup_dropbear_client_rsa_key() {
|
|
||||||
+void setup_dropbear_client_rsa_key(void) {
|
|
||||||
int rc = 0;
|
|
||||||
if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
|
|
||||||
rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
|
|
||||||
@@ -208,6 +208,6 @@
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void cleanup_dropbear_client_rsa_key() {
|
|
||||||
+void cleanup_dropbear_client_rsa_key(void) {
|
|
||||||
unlink(DROPBEAR_RSA_TESTKEY);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
|
|
||||||
--- ../libssh-0.9.6/tests/server/torture_server_config.c 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/server/torture_server_config.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -285,9 +285,7 @@
|
|
||||||
assert_non_null(s);
|
|
||||||
|
|
||||||
rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
|
||||||
- }
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
unlink(s->srv_pidfile);
|
|
||||||
|
|
||||||
@@ -513,6 +511,12 @@
|
|
||||||
/* Try each algorithm individually */
|
|
||||||
j = 0;
|
|
||||||
while(tokens->tokens[j] != NULL) {
|
|
||||||
+ char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
|
|
||||||
+ if (cmp == NULL) {
|
|
||||||
+ /* This cipher is not supported by the OpenSSH. Skip it */
|
|
||||||
+ j++;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
snprintf(config_content,
|
|
||||||
sizeof(config_content),
|
|
||||||
"HostKey %s\nCiphers %s\n",
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
|
|
||||||
--- ../libssh-0.9.6/tests/tests_config.h.cmake 2021-08-26 14:27:42.000000000 +0200
|
|
||||||
+++ ./tests/tests_config.h.cmake 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -66,4 +66,6 @@
|
|
||||||
|
|
||||||
#cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
|
|
||||||
#cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
|
|
||||||
-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
|
||||||
\ No newline at end of file
|
|
||||||
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
|
|
||||||
+#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
|
|
||||||
+#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
|
|
||||||
--- ../libssh-0.9.6/tests/torture.c 2021-08-26 14:27:44.000000000 +0200
|
|
||||||
+++ ./tests/torture.c 2023-05-02 10:36:00.815381960 +0200
|
|
||||||
@@ -51,6 +51,7 @@
|
|
||||||
#include "torture.h"
|
|
||||||
#include "torture_key.h"
|
|
||||||
#include "libssh/misc.h"
|
|
||||||
+#include "libssh/token.h"
|
|
||||||
|
|
||||||
#define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
|
|
||||||
/* socket wrapper IPv6 prefix fd00::5357:5fxx */
|
|
||||||
@@ -250,8 +251,12 @@
|
|
||||||
|
|
||||||
rc = kill(pid, 0);
|
|
||||||
if (rc != 0) {
|
|
||||||
- is_running = 0;
|
|
||||||
- break;
|
|
||||||
+ /* Process not found */
|
|
||||||
+ if (errno == ESRCH) {
|
|
||||||
+ is_running = 0;
|
|
||||||
+ rc = 0;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -260,7 +265,7 @@
|
|
||||||
"WARNING: The process with pid %u is still running!\n", pid);
|
|
||||||
}
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssh_session torture_ssh_session(struct torture_state *s,
|
|
||||||
@@ -611,6 +616,112 @@
|
|
||||||
*state = s;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * @brief Create a libssh server configuration file
|
|
||||||
+ *
|
|
||||||
+ * It is expected the socket directory to be already created before by calling
|
|
||||||
+ * torture_setup_socket_dir(). The created configuration file will be stored in
|
|
||||||
+ * the socket directory and the srv_config pointer in the state will be
|
|
||||||
+ * initialized.
|
|
||||||
+ *
|
|
||||||
+ * @param[in] state A pointer to a pointer to an initialized torture_state
|
|
||||||
+ * structure
|
|
||||||
+ */
|
|
||||||
+void torture_setup_create_libssh_config(void **state)
|
|
||||||
+{
|
|
||||||
+ struct torture_state *s = *state;
|
|
||||||
+ char ed25519_hostkey[1024] = {0};
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ char dsa_hostkey[1024];
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ char rsa_hostkey[1024];
|
|
||||||
+ char ecdsa_hostkey[1024];
|
|
||||||
+ char sshd_config[2048];
|
|
||||||
+ char sshd_path[1024];
|
|
||||||
+ const char *additional_config = NULL;
|
|
||||||
+ struct stat sb;
|
|
||||||
+ const char config_string[]=
|
|
||||||
+ "LogLevel DEBUG3\n"
|
|
||||||
+ "Port 22\n"
|
|
||||||
+ "ListenAddress 127.0.0.10\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+ "%s %s\n"
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ "%s %s\n"
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ "%s\n"; /* The space for test-specific options */
|
|
||||||
+ bool written = false;
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ assert_non_null(s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(sshd_path,
|
|
||||||
+ sizeof(sshd_path),
|
|
||||||
+ "%s/sshd",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ rc = lstat(sshd_path, &sb);
|
|
||||||
+ if (rc == 0 ) { /* The directory is already in place */
|
|
||||||
+ written = true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!written) {
|
|
||||||
+ rc = mkdir(sshd_path, 0755);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ snprintf(ed25519_hostkey,
|
|
||||||
+ sizeof(ed25519_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_ed25519_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(rsa_hostkey,
|
|
||||||
+ sizeof(rsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_rsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+ snprintf(ecdsa_hostkey,
|
|
||||||
+ sizeof(ecdsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_ecdsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ snprintf(dsa_hostkey,
|
|
||||||
+ sizeof(dsa_hostkey),
|
|
||||||
+ "%s/sshd/ssh_host_dsa_key",
|
|
||||||
+ s->socket_dir);
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+
|
|
||||||
+ if (!written) {
|
|
||||||
+ torture_write_file(ed25519_hostkey,
|
|
||||||
+ torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
|
|
||||||
+ torture_write_file(rsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_RSA, 0));
|
|
||||||
+ torture_write_file(ecdsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ torture_write_file(dsa_hostkey,
|
|
||||||
+ torture_get_testkey(SSH_KEYTYPE_DSS, 0));
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ additional_config = (s->srv_additional_config != NULL ?
|
|
||||||
+ s->srv_additional_config : "");
|
|
||||||
+
|
|
||||||
+ snprintf(sshd_config, sizeof(sshd_config),
|
|
||||||
+ config_string,
|
|
||||||
+ "HostKey", ed25519_hostkey,
|
|
||||||
+ "HostKey", rsa_hostkey,
|
|
||||||
+ "HostKey", ecdsa_hostkey,
|
|
||||||
+#ifdef HAVE_DSA
|
|
||||||
+ "HostKey", dsa_hostkey,
|
|
||||||
+#endif /* HAVE_DSA */
|
|
||||||
+ additional_config);
|
|
||||||
+
|
|
||||||
+ torture_write_file(s->srv_config, sshd_config);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void torture_setup_create_sshd_config(void **state, bool pam)
|
|
||||||
{
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
@@ -856,21 +967,140 @@
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void torture_setup_sshd_server(void **state, bool pam)
|
|
||||||
+/**
|
|
||||||
+ * @brief Run a libssh based server under timeout.
|
|
||||||
+ *
|
|
||||||
+ * It is expected that the socket directory and libssh configuration file were
|
|
||||||
+ * already created before by calling torture_setup_socket_dir() and
|
|
||||||
+ * torture_setup_create_libssh_config() (or alternatively setup the state with
|
|
||||||
+ * the correct values).
|
|
||||||
+ *
|
|
||||||
+ * @param[in] state The content of the address pointed by this variable must be
|
|
||||||
+ * a pointer to an initialized instance of torture_state
|
|
||||||
+ * structure; it can be obtained by calling
|
|
||||||
+ * torture_setup_socket_dir() and
|
|
||||||
+ * torture_setup_create_libssh_config().
|
|
||||||
+ * @param[in] server_path The path to the server executable.
|
|
||||||
+ *
|
|
||||||
+ * @note This function will use the state->srv_additional_config field as
|
|
||||||
+ * additional command line option used when starting the server instead of extra
|
|
||||||
+ * configuration file options.
|
|
||||||
+ * */
|
|
||||||
+void torture_setup_libssh_server(void **state, const char *server_path)
|
|
||||||
{
|
|
||||||
struct torture_state *s;
|
|
||||||
- char sshd_start_cmd[1024];
|
|
||||||
+ char start_cmd[1024];
|
|
||||||
+ char timeout_cmd[512];
|
|
||||||
+ char env[1024];
|
|
||||||
+ char extra_options[1024];
|
|
||||||
int rc;
|
|
||||||
+ char *ld_preload = NULL;
|
|
||||||
+ const char *force_fips = NULL;
|
|
||||||
|
|
||||||
- torture_setup_socket_dir(state);
|
|
||||||
- torture_setup_create_sshd_config(state, pam);
|
|
||||||
+ struct ssh_tokens_st *env_tokens;
|
|
||||||
+ struct ssh_tokens_st *arg_tokens;
|
|
||||||
+
|
|
||||||
+ pid_t pid;
|
|
||||||
+ ssize_t printed;
|
|
||||||
+
|
|
||||||
+ s = *state;
|
|
||||||
+
|
|
||||||
+ /* Get all the wrapper libraries to be pre-loaded */
|
|
||||||
+ ld_preload = getenv("LD_PRELOAD");
|
|
||||||
+
|
|
||||||
+ if (s->srv_additional_config != NULL) {
|
|
||||||
+ printed = snprintf(extra_options, sizeof(extra_options), " %s ",
|
|
||||||
+ s->srv_additional_config);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print additional config!");
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ printed = snprintf(extra_options, sizeof(extra_options), " ");
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print empty additional config!");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (ssh_fips_mode()) {
|
|
||||||
+ force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
|
|
||||||
+ } else {
|
|
||||||
+ force_fips = "";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Write the environment setting */
|
|
||||||
+ printed = snprintf(env, sizeof(env),
|
|
||||||
+ "SOCKET_WRAPPER_DIR=%s "
|
|
||||||
+ "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
|
|
||||||
+ "LD_PRELOAD=%s "
|
|
||||||
+ "%s",
|
|
||||||
+ s->socket_dir, ld_preload, force_fips);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print env!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef WITH_TIMEOUT
|
|
||||||
+ snprintf(timeout_cmd, sizeof(timeout_cmd),
|
|
||||||
+ "%s %s ", TIMEOUT_EXECUTABLE, "5m");
|
|
||||||
+#else
|
|
||||||
+ timeout_cmd[0] = '\0';
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ /* Write the start command */
|
|
||||||
+ printed = snprintf(start_cmd, sizeof(start_cmd),
|
|
||||||
+ "%s"
|
|
||||||
+ "%s -f%s -v4 -p22 -i%s -C%s%s%s",
|
|
||||||
+ timeout_cmd,
|
|
||||||
+ server_path, s->pcap_file, s->srv_pidfile,
|
|
||||||
+ s->srv_config, extra_options, TORTURE_SSH_SERVER);
|
|
||||||
+ if (printed < 0) {
|
|
||||||
+ fail_msg("Failed to print start command!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pid = fork();
|
|
||||||
+ switch(pid) {
|
|
||||||
+ case 0:
|
|
||||||
+ env_tokens = ssh_tokenize(env, ' ');
|
|
||||||
+ if (env_tokens == NULL || env_tokens->tokens == NULL) {
|
|
||||||
+ fail_msg("Failed to tokenize env!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ arg_tokens = ssh_tokenize(start_cmd, ' ');
|
|
||||||
+ if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
|
|
||||||
+ ssh_tokens_free(env_tokens);
|
|
||||||
+ fail_msg("Failed to tokenize args!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
|
|
||||||
+ (char **)env_tokens->tokens);
|
|
||||||
+
|
|
||||||
+ /* execve returns only in case of error */
|
|
||||||
+ ssh_tokens_free(env_tokens);
|
|
||||||
+ ssh_tokens_free(arg_tokens);
|
|
||||||
+ fail_msg("Error in execve: %s", strerror(errno));
|
|
||||||
+ case -1:
|
|
||||||
+ fail_msg("Failed to fork!");
|
|
||||||
+ default:
|
|
||||||
+ /* The parent continues the execution of the tests */
|
|
||||||
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
|
|
||||||
+ unsetenv("PAM_WRAPPER");
|
|
||||||
+
|
|
||||||
+ /* Wait until the server is ready to accept connections */
|
|
||||||
+ rc = torture_wait_for_daemon(15);
|
|
||||||
+ assert_int_equal(rc, 0);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int torture_start_sshd_server(void **state)
|
|
||||||
+{
|
|
||||||
+ struct torture_state *s = *state;
|
|
||||||
+ char sshd_start_cmd[1024];
|
|
||||||
+ int rc;
|
|
||||||
|
|
||||||
/* Set the default interface for the server */
|
|
||||||
setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
|
|
||||||
setenv("PAM_WRAPPER", "1", 1);
|
|
||||||
|
|
||||||
- s = *state;
|
|
||||||
-
|
|
||||||
snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
|
|
||||||
SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
|
|
||||||
s->srv_config, s->socket_dir, s->socket_dir);
|
|
||||||
@@ -882,7 +1112,20 @@
|
|
||||||
unsetenv("PAM_WRAPPER");
|
|
||||||
|
|
||||||
/* Wait until the sshd is ready to accept connections */
|
|
||||||
- rc = torture_wait_for_daemon(5);
|
|
||||||
+ rc = torture_wait_for_daemon(15);
|
|
||||||
+ assert_int_equal(rc, 0);
|
|
||||||
+
|
|
||||||
+ return SSH_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void torture_setup_sshd_server(void **state, bool pam)
|
|
||||||
+{
|
|
||||||
+ int rc;
|
|
||||||
+
|
|
||||||
+ torture_setup_socket_dir(state);
|
|
||||||
+ torture_setup_create_sshd_config(state, pam);
|
|
||||||
+
|
|
||||||
+ rc = torture_start_sshd_server(state);
|
|
||||||
assert_int_equal(rc, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -922,29 +1165,12 @@
|
|
||||||
torture_reload_sshd_server(void **state)
|
|
||||||
{
|
|
||||||
struct torture_state *s = *state;
|
|
||||||
- pid_t pid;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
- /* read the pidfile */
|
|
||||||
- pid = torture_read_pidfile(s->srv_pidfile);
|
|
||||||
- assert_int_not_equal(pid, -1);
|
|
||||||
-
|
|
||||||
- kill(pid, SIGHUP);
|
|
||||||
-
|
|
||||||
- /* 10 ms */
|
|
||||||
- usleep(10 * 1000);
|
|
||||||
-
|
|
||||||
- rc = kill(pid, 0);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr,
|
|
||||||
- "ERROR: SSHD process %u died during reload!\n", pid);
|
|
||||||
- return SSH_ERROR;
|
|
||||||
- }
|
|
||||||
+ rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
- /* Wait until the sshd is ready to accept connections */
|
|
||||||
- rc = torture_wait_for_daemon(5);
|
|
||||||
- assert_int_equal(rc, 0);
|
|
||||||
- return SSH_OK;
|
|
||||||
+ return torture_start_sshd_server(state);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* @brief: Updates SSHD server configuration with more options and
|
|
||||||
@@ -980,9 +1206,7 @@
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
rc = torture_terminate_process(s->srv_pidfile);
|
|
||||||
- if (rc != 0) {
|
|
||||||
- fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
|
|
||||||
- }
|
|
||||||
+ assert_return_code(rc, errno);
|
|
||||||
|
|
||||||
torture_teardown_socket_dir(state);
|
|
||||||
}
|
|
||||||
diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
|
|
||||||
--- ../libssh-0.9.6/tests/torture.h 2021-08-26 14:27:44.000000000 +0200
|
|
||||||
+++ ./tests/torture.h 2023-05-02 10:32:03.964511860 +0200
|
|
||||||
@@ -132,6 +132,10 @@
|
|
||||||
|
|
||||||
void torture_reset_config(ssh_session session);
|
|
||||||
|
|
||||||
+void torture_setup_create_libssh_config(void **state);
|
|
||||||
+
|
|
||||||
+void torture_setup_libssh_server(void **state, const char *server_path);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This function must be defined in every unit test file.
|
|
||||||
*/
|
|
||||||
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmMYnSEACgkQfuD8TcwB
|
||||||
|
Tj2qGBAAn/40MU/7PcyCRK9U+MhLo28peRpTF+i1/k0V5czVLiFubeFofsa6sjy8
|
||||||
|
C6VyQsz0NYiTf6wXLlq9jO1p31LWQ13Z3K0d7Lg2eyftsVrGM1Ue9dTLlJrZ570d
|
||||||
|
JjcBR/J3dpO9w5fz4HawWE8GIBBstZQnZYdoT75+tIeSMJ/tnovKfE1RGYc4kRJs
|
||||||
|
quC7tyej7Y+t86U8psFSy2iUCajS82b+ddZEhuxwamel+RBRJZsmi5B2OvhkEaOj
|
||||||
|
mhJOIkx3UD9XAjxeooVcTlzAaJ5JFZ7Im97o+DRbQYvJYe4ZqDo17lrzBh6wruLC
|
||||||
|
vBo+/lwh9FbCqxbDpFfqwpf8qYsWu3m0Qlu5f+BZ/9WvjFCVoRmScNHJo42tu18r
|
||||||
|
xcX2Txis8oWysgqhvIgTFRnLq010ErL8iE9WeZwrNJgcTnf+AQLolKQiVAHumMvk
|
||||||
|
Djv0No+ZTBG03Hsb0tbvA8kVtxI0ZZtzPcRkRqmUwiLCtcO9oo1hInhu+D1sPZwI
|
||||||
|
Q1xK6hI6LKsF80yPKGexZxlgV/vZYhIKtD0SIoZCpx7MSBxXqHYZARtTFUAXBSqF
|
||||||
|
tIn800/pPhGuY1/x3ho4BeWCGj1eWG5zy7dr0q/d/OiqBj3OiUfxtTl4drqrYhca
|
||||||
|
goNhzNTs0Ps+iYbVQlk4nEAjg54M8ru1jfcuNRgrhTqCI8yiESk=
|
||||||
|
=AG91
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
|
|
||||||
Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
|
|
||||||
3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
|
|
||||||
bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
|
|
||||||
ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
|
|
||||||
KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
|
|
||||||
VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
|
|
||||||
+W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
|
|
||||||
zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
|
|
||||||
1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
|
|
||||||
TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
|
|
||||||
o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
|
|
||||||
=cO0k
|
|
||||||
-----END PGP SIGNATURE-----
|
|
||||||
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,514 @@
|
|||||||
|
From 8795d8912c8a83aaf900c0260e252a35f64eb200 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Fri, 18 Nov 2022 17:22:46 +0100
|
||||||
|
Subject: [PATCH] Fix memory leaks of bignums when openssl >= 3.0
|
||||||
|
|
||||||
|
The openssl 3.0 support has introduced some memory leaks at key build as
|
||||||
|
OSSL_PARAM_BLD_push_BN duplicates the bignum and does not save the pointer
|
||||||
|
itself.
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
include/libssh/dh.h | 2 +-
|
||||||
|
src/dh_crypto.c | 28 ++---
|
||||||
|
src/pki_crypto.c | 262 ++++++++++++++++++++++++--------------------
|
||||||
|
3 files changed, 151 insertions(+), 141 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/libssh/dh.h b/include/libssh/dh.h
|
||||||
|
index 353dc233..9b9bb472 100644
|
||||||
|
--- a/include/libssh/dh.h
|
||||||
|
+++ b/include/libssh/dh.h
|
||||||
|
@@ -53,7 +53,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
bignum *priv, bignum *pub);
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
- const bignum priv, const bignum pub);
|
||||||
|
+ bignum priv, bignum pub);
|
||||||
|
|
||||||
|
int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
|
||||||
|
bignum *dest);
|
||||||
|
diff --git a/src/dh_crypto.c b/src/dh_crypto.c
|
||||||
|
index a847c6a2..b578ddec 100644
|
||||||
|
--- a/src/dh_crypto.c
|
||||||
|
+++ b/src/dh_crypto.c
|
||||||
|
@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
- const bignum priv, const bignum pub)
|
||||||
|
+ bignum priv, bignum pub)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
- bignum priv_key = NULL;
|
||||||
|
- bignum pub_key = NULL;
|
||||||
|
-#else
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
int rc;
|
||||||
|
OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
|
||||||
|
OSSL_PARAM_BLD *param_bld = NULL;
|
||||||
|
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
+ (void)DH_set0_key(ctx->keypair[peer], pub, priv);
|
||||||
|
+
|
||||||
|
+ return SSH_OK;
|
||||||
|
+#else
|
||||||
|
rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
|
||||||
|
if (rc != 1) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
if (priv) {
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
- priv_key = priv;
|
||||||
|
-#else
|
||||||
|
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
|
||||||
|
if (rc != 1) {
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
if (pub) {
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
- pub_key = pub;
|
||||||
|
-#else
|
||||||
|
rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
|
||||||
|
if (rc != 1) {
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
- (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
|
||||||
|
|
||||||
|
- return SSH_OK;
|
||||||
|
-#else
|
||||||
|
params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||||
|
if (params == NULL) {
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
|
||||||
|
|
||||||
|
rc = SSH_OK;
|
||||||
|
out:
|
||||||
|
+ bignum_safe_free(priv);
|
||||||
|
+ bignum_safe_free(pub);
|
||||||
|
EVP_PKEY_CTX_free(evp_ctx);
|
||||||
|
OSSL_PARAM_free(out_params);
|
||||||
|
OSSL_PARAM_free(params);
|
||||||
|
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
|
||||||
|
index 0a5003da..d3359e2d 100644
|
||||||
|
--- a/src/pki_crypto.c
|
||||||
|
+++ b/src/pki_crypto.c
|
||||||
|
@@ -1492,18 +1492,18 @@ int pki_privkey_build_dss(ssh_key key,
|
||||||
|
ssh_string privkey)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
+ if (param_bld == NULL) {
|
||||||
|
+ return SSH_ERROR;
|
||||||
|
+ }
|
||||||
|
#else
|
||||||
|
- const BIGNUM *pb, *qb, *gb, *pubb, *privb;
|
||||||
|
- OSSL_PARAM_BLD *param_bld;
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
-
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
key->dsa = DSA_new();
|
||||||
|
if (key->dsa == NULL) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
bp = ssh_make_string_bn(p);
|
||||||
|
bq = ssh_make_string_bn(q);
|
||||||
|
@@ -1512,9 +1512,11 @@ int pki_privkey_build_dss(ssh_key key,
|
||||||
|
bpriv_key = ssh_make_string_bn(privkey);
|
||||||
|
if (bp == NULL || bq == NULL ||
|
||||||
|
bg == NULL || bpub_key == NULL) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
/* Memory management of bp, qq and bg is transferred to DSA object */
|
||||||
|
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
||||||
|
if (rc == 0) {
|
||||||
|
@@ -1532,39 +1534,43 @@ fail:
|
||||||
|
DSA_free(key->dsa);
|
||||||
|
return SSH_ERROR;
|
||||||
|
#else
|
||||||
|
- param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
- if (param_bld == NULL)
|
||||||
|
- goto err;
|
||||||
|
-
|
||||||
|
- pb = ssh_make_string_bn(p);
|
||||||
|
- qb = ssh_make_string_bn(q);
|
||||||
|
- gb = ssh_make_string_bn(g);
|
||||||
|
- pubb = ssh_make_string_bn(pubkey);
|
||||||
|
- privb = ssh_make_string_bn(privkey);
|
||||||
|
-
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
||||||
|
+
|
||||||
|
+fail:
|
||||||
|
OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
+ bignum_safe_free(bp);
|
||||||
|
+ bignum_safe_free(bq);
|
||||||
|
+ bignum_safe_free(bg);
|
||||||
|
+ bignum_safe_free(bpub_key);
|
||||||
|
+ bignum_safe_free(bpriv_key);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
-err:
|
||||||
|
- OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
- return -1;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1574,18 +1580,18 @@ int pki_pubkey_build_dss(ssh_key key,
|
||||||
|
ssh_string g,
|
||||||
|
ssh_string pubkey) {
|
||||||
|
int rc;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
+ if (param_bld == NULL) {
|
||||||
|
+ return SSH_ERROR;
|
||||||
|
+ }
|
||||||
|
#else
|
||||||
|
- const BIGNUM *pb, *qb, *gb, *pubb;
|
||||||
|
- OSSL_PARAM_BLD *param_bld;
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
-
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
key->dsa = DSA_new();
|
||||||
|
if (key->dsa == NULL) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
bp = ssh_make_string_bn(p);
|
||||||
|
bq = ssh_make_string_bn(q);
|
||||||
|
@@ -1593,9 +1599,11 @@ int pki_pubkey_build_dss(ssh_key key,
|
||||||
|
bpub_key = ssh_make_string_bn(pubkey);
|
||||||
|
if (bp == NULL || bq == NULL ||
|
||||||
|
bg == NULL || bpub_key == NULL) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
/* Memory management of bp, bq and bg is transferred to DSA object */
|
||||||
|
rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
|
||||||
|
if (rc == 0) {
|
||||||
|
@@ -1613,35 +1621,37 @@ fail:
|
||||||
|
DSA_free(key->dsa);
|
||||||
|
return SSH_ERROR;
|
||||||
|
#else
|
||||||
|
- param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
- if (param_bld == NULL)
|
||||||
|
- goto err;
|
||||||
|
-
|
||||||
|
- pb = ssh_make_string_bn(p);
|
||||||
|
- qb = ssh_make_string_bn(q);
|
||||||
|
- gb = ssh_make_string_bn(g);
|
||||||
|
- pubb = ssh_make_string_bn(pubkey);
|
||||||
|
-
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
||||||
|
+
|
||||||
|
+fail:
|
||||||
|
OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
+ bignum_safe_free(bp);
|
||||||
|
+ bignum_safe_free(bq);
|
||||||
|
+ bignum_safe_free(bg);
|
||||||
|
+ bignum_safe_free(bpub_key);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
-err:
|
||||||
|
- OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
- return -1;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1654,18 +1664,18 @@ int pki_privkey_build_rsa(ssh_key key,
|
||||||
|
ssh_string q)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
BIGNUM *be, *bn, *bd/*, *biqmp*/, *bp, *bq;
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
+ if (param_bld == NULL) {
|
||||||
|
+ return SSH_ERROR;
|
||||||
|
+ }
|
||||||
|
#else
|
||||||
|
- const BIGNUM *nb, *eb, *db, *pb, *qb;
|
||||||
|
- OSSL_PARAM_BLD *param_bld;
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
-
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
key->rsa = RSA_new();
|
||||||
|
if (key->rsa == NULL) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
bn = ssh_make_string_bn(n);
|
||||||
|
be = ssh_make_string_bn(e);
|
||||||
|
@@ -1675,9 +1685,11 @@ int pki_privkey_build_rsa(ssh_key key,
|
||||||
|
bq = ssh_make_string_bn(q);
|
||||||
|
if (be == NULL || bn == NULL || bd == NULL ||
|
||||||
|
/*biqmp == NULL ||*/ bp == NULL || bq == NULL) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
/* Memory management of be, bn and bd is transferred to RSA object */
|
||||||
|
rc = RSA_set0_key(key->rsa, bn, be, bd);
|
||||||
|
if (rc == 0) {
|
||||||
|
@@ -1702,41 +1714,49 @@ fail:
|
||||||
|
RSA_free(key->rsa);
|
||||||
|
return SSH_ERROR;
|
||||||
|
#else
|
||||||
|
- param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
- if (param_bld == NULL)
|
||||||
|
- goto err;
|
||||||
|
-
|
||||||
|
- nb = ssh_make_string_bn(n);
|
||||||
|
- eb = ssh_make_string_bn(e);
|
||||||
|
- db = ssh_make_string_bn(d);
|
||||||
|
- pb = ssh_make_string_bn(p);
|
||||||
|
- qb = ssh_make_string_bn(q);
|
||||||
|
-
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, db);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, bd);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
|
||||||
|
- OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
+ if (rc != SSH_OK) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, pb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, qb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return rc;
|
||||||
|
-err:
|
||||||
|
+fail:
|
||||||
|
OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
- return -1;
|
||||||
|
+ bignum_safe_free(bn);
|
||||||
|
+ bignum_safe_free(be);
|
||||||
|
+ bignum_safe_free(bd);
|
||||||
|
+ bignum_safe_free(bp);
|
||||||
|
+ bignum_safe_free(bq);
|
||||||
|
+
|
||||||
|
+ return rc;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1744,25 +1764,27 @@ int pki_pubkey_build_rsa(ssh_key key,
|
||||||
|
ssh_string e,
|
||||||
|
ssh_string n) {
|
||||||
|
int rc;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
BIGNUM *be = NULL, *bn = NULL;
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
+ if (param_bld == NULL) {
|
||||||
|
+ return SSH_ERROR;
|
||||||
|
+ }
|
||||||
|
#else
|
||||||
|
- const BIGNUM *eb, *nb;
|
||||||
|
- OSSL_PARAM_BLD *param_bld;
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
-
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
key->rsa = RSA_new();
|
||||||
|
if (key->rsa == NULL) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
be = ssh_make_string_bn(e);
|
||||||
|
bn = ssh_make_string_bn(n);
|
||||||
|
if (be == NULL || bn == NULL) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
/* Memory management of bn and be is transferred to RSA object */
|
||||||
|
rc = RSA_set0_key(key->rsa, bn, be, NULL);
|
||||||
|
if (rc == 0) {
|
||||||
|
@@ -1774,27 +1796,25 @@ fail:
|
||||||
|
RSA_free(key->rsa);
|
||||||
|
return SSH_ERROR;
|
||||||
|
#else
|
||||||
|
- nb = ssh_make_string_bn(n);
|
||||||
|
- eb = ssh_make_string_bn(e);
|
||||||
|
-
|
||||||
|
- param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
- if (param_bld == NULL)
|
||||||
|
- goto err;
|
||||||
|
-
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
|
||||||
|
- if (rc != 1)
|
||||||
|
- goto err;
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
|
||||||
|
+ if (rc != 1) {
|
||||||
|
+ rc = SSH_ERROR;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
|
||||||
|
+
|
||||||
|
+fail:
|
||||||
|
OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
+ bignum_safe_free(bn);
|
||||||
|
+ bignum_safe_free(be);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
-err:
|
||||||
|
- OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
- return -1;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
@ -0,0 +1,842 @@
|
|||||||
|
From 11c0d687a081fe64501e21c95def7f893611d029 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 10:40:38 +0100
|
||||||
|
Subject: [PATCH 1/5] Add a placehohlder for non-expanded identities
|
||||||
|
|
||||||
|
Expanding a string twice could lead to unwanted behaviour.
|
||||||
|
This solution creates a ssh_list (`opts.identites_non_exp`) to store the strings
|
||||||
|
before expansion and by using ssh_apply it moves the string to the
|
||||||
|
`opts.identities`. This way the expanded strings are separated.
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
include/libssh/session.h | 1 +
|
||||||
|
src/options.c | 86 +++++++++++++++++++++++++---------------
|
||||||
|
src/session.c | 23 +++++++++--
|
||||||
|
3 files changed, 75 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||||
|
index d3e5787c..e22b0d67 100644
|
||||||
|
--- a/include/libssh/session.h
|
||||||
|
+++ b/include/libssh/session.h
|
||||||
|
@@ -209,6 +209,7 @@ struct ssh_session_struct {
|
||||||
|
#endif
|
||||||
|
struct {
|
||||||
|
struct ssh_list *identity;
|
||||||
|
+ struct ssh_list *identity_non_exp;
|
||||||
|
char *username;
|
||||||
|
char *host;
|
||||||
|
char *bindaddr; /* bind the client to an ip addr */
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index 56e09c65..bb085384 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -52,7 +52,7 @@
|
||||||
|
* @brief Duplicate the options of a session structure.
|
||||||
|
*
|
||||||
|
* If you make several sessions with the same options this is useful. You
|
||||||
|
- * cannot use twice the same option structure in ssh_session_connect.
|
||||||
|
+ * cannot use twice the same option structure in ssh_connect.
|
||||||
|
*
|
||||||
|
* @param src The session to use to copy the options.
|
||||||
|
*
|
||||||
|
@@ -61,13 +61,14 @@
|
||||||
|
*
|
||||||
|
* @returns 0 on success, -1 on error with errno set.
|
||||||
|
*
|
||||||
|
- * @see ssh_session_connect()
|
||||||
|
+ * @see ssh_connect()
|
||||||
|
* @see ssh_free()
|
||||||
|
*/
|
||||||
|
int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||||
|
{
|
||||||
|
ssh_session new;
|
||||||
|
struct ssh_iterator *it = NULL;
|
||||||
|
+ struct ssh_list *list = NULL;
|
||||||
|
char *id = NULL;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
@@ -105,14 +106,15 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Remove the default identities */
|
||||||
|
- for (id = ssh_list_pop_head(char *, new->opts.identity);
|
||||||
|
+ for (id = ssh_list_pop_head(char *, new->opts.identity_non_exp);
|
||||||
|
id != NULL;
|
||||||
|
- id = ssh_list_pop_head(char *, new->opts.identity)) {
|
||||||
|
+ id = ssh_list_pop_head(char *, new->opts.identity_non_exp)) {
|
||||||
|
SAFE_FREE(id);
|
||||||
|
}
|
||||||
|
/* Copy the new identities from the source list */
|
||||||
|
- if (src->opts.identity != NULL) {
|
||||||
|
- it = ssh_list_get_iterator(src->opts.identity);
|
||||||
|
+ list = new->opts.identity_non_exp;
|
||||||
|
+ it = ssh_list_get_iterator(src->opts.identity_non_exp);
|
||||||
|
+ for (i = 0; i < 2; i++) {
|
||||||
|
while (it) {
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
@@ -122,7 +124,7 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = ssh_list_append(new->opts.identity, id);
|
||||||
|
+ rc = ssh_list_append(list, id);
|
||||||
|
if (rc < 0) {
|
||||||
|
free(id);
|
||||||
|
ssh_free(new);
|
||||||
|
@@ -130,6 +132,10 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
|
||||||
|
}
|
||||||
|
it = it->next;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* copy the identity list if there is any already */
|
||||||
|
+ list = new->opts.identity;
|
||||||
|
+ it = ssh_list_get_iterator(src->opts.identity);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (src->opts.sshdir != NULL) {
|
||||||
|
@@ -331,7 +337,7 @@ int ssh_options_set_algo(ssh_session session,
|
||||||
|
* Add a new identity file (const char *, format string) to
|
||||||
|
* the identity list.\n
|
||||||
|
* \n
|
||||||
|
- * By default identity, id_dsa and id_rsa are checked.\n
|
||||||
|
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.\n
|
||||||
|
* \n
|
||||||
|
* The identity used to authenticate with public key will be
|
||||||
|
* prepended to the list.
|
||||||
|
@@ -700,7 +706,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
|
if (q == NULL) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- rc = ssh_list_prepend(session->opts.identity, q);
|
||||||
|
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
||||||
|
+ rc = ssh_list_append(session->opts.identity_non_exp, q);
|
||||||
|
+ } else {
|
||||||
|
+ rc = ssh_list_prepend(session->opts.identity_non_exp, q);
|
||||||
|
+ }
|
||||||
|
if (rc < 0) {
|
||||||
|
free(q);
|
||||||
|
return -1;
|
||||||
|
@@ -1202,7 +1212,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) {
|
||||||
|
* - SSH_OPTIONS_IDENTITY:
|
||||||
|
* Get the first identity file name (const char *).\n
|
||||||
|
* \n
|
||||||
|
- * By default identity, id_dsa and id_rsa are checked.
|
||||||
|
+ * By default id_rsa, id_ecdsa and id_ed25519 files are used.
|
||||||
|
*
|
||||||
|
* - SSH_OPTIONS_PROXYCOMMAND:
|
||||||
|
* Get the proxycommand necessary to log into the
|
||||||
|
@@ -1246,7 +1256,11 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case SSH_OPTIONS_IDENTITY: {
|
||||||
|
- struct ssh_iterator *it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ struct ssh_iterator *it;
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ if (it == NULL) {
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||||
|
+ }
|
||||||
|
if (it == NULL) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
@@ -1541,7 +1555,6 @@ out:
|
||||||
|
|
||||||
|
int ssh_options_apply(ssh_session session)
|
||||||
|
{
|
||||||
|
- struct ssh_iterator *it;
|
||||||
|
char *tmp;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
@@ -1586,15 +1599,17 @@ int ssh_options_apply(ssh_session session)
|
||||||
|
size_t plen = strlen(session->opts.ProxyCommand) +
|
||||||
|
5 /* strlen("exec ") */;
|
||||||
|
|
||||||
|
- p = malloc(plen + 1 /* \0 */);
|
||||||
|
- if (p == NULL) {
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||||
|
+ p = malloc(plen + 1 /* \0 */);
|
||||||
|
+ if (p == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||||
|
- if ((size_t)rc != plen) {
|
||||||
|
- free(p);
|
||||||
|
- return -1;
|
||||||
|
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||||
|
+ if ((size_t)rc != plen) {
|
||||||
|
+ free(p);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
tmp = ssh_path_expand_escape(session, p);
|
||||||
|
@@ -1606,24 +1621,33 @@ int ssh_options_apply(ssh_session session)
|
||||||
|
session->opts.ProxyCommand = tmp;
|
||||||
|
}
|
||||||
|
|
||||||
|
- for (it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
- it != NULL;
|
||||||
|
- it = it->next) {
|
||||||
|
- char *id = (char *) it->data;
|
||||||
|
- if (strncmp(id, "pkcs11:", 6) == 0) {
|
||||||
|
+ for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||||
|
+ tmp != NULL;
|
||||||
|
+ tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
||||||
|
+ char *id = tmp;
|
||||||
|
+ if (strncmp(id, "pkcs11:", 6) != 0) {
|
||||||
|
/* PKCS#11 URIs are using percent-encoding so we can not mix
|
||||||
|
* it with ssh expansion of ssh escape characters.
|
||||||
|
- * Skip these identities now, before we will have PKCS#11 support
|
||||||
|
*/
|
||||||
|
- continue;
|
||||||
|
+ tmp = ssh_path_expand_escape(session, id);
|
||||||
|
+ if (tmp == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ free(id);
|
||||||
|
}
|
||||||
|
- tmp = ssh_path_expand_escape(session, id);
|
||||||
|
- if (tmp == NULL) {
|
||||||
|
+
|
||||||
|
+ /* use append to keep the order at first call and use prepend
|
||||||
|
+ * to put anything that comes on the nth calls to the beginning */
|
||||||
|
+ if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
|
||||||
|
+ rc = ssh_list_prepend(session->opts.identity, tmp);
|
||||||
|
+ } else {
|
||||||
|
+ rc = ssh_list_append(session->opts.identity, tmp);
|
||||||
|
+ }
|
||||||
|
+ if (rc != SSH_OK) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- free(id);
|
||||||
|
- it->data = tmp;
|
||||||
|
}
|
||||||
|
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_IDENTITY;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/src/session.c b/src/session.c
|
||||||
|
index 64e54957..34a492e4 100644
|
||||||
|
--- a/src/session.c
|
||||||
|
+++ b/src/session.c
|
||||||
|
@@ -118,13 +118,17 @@ ssh_session ssh_new(void)
|
||||||
|
if (session->opts.identity == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
+ session->opts.identity_non_exp = ssh_list_new();
|
||||||
|
+ if (session->opts.identity_non_exp == NULL) {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
id = strdup("%d/id_ed25519");
|
||||||
|
if (id == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = ssh_list_append(session->opts.identity, id);
|
||||||
|
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||||
|
if (rc == SSH_ERROR) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -134,7 +138,7 @@ ssh_session ssh_new(void)
|
||||||
|
if (id == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- rc = ssh_list_append(session->opts.identity, id);
|
||||||
|
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||||
|
if (rc == SSH_ERROR) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -144,7 +148,7 @@ ssh_session ssh_new(void)
|
||||||
|
if (id == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- rc = ssh_list_append(session->opts.identity, id);
|
||||||
|
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||||
|
if (rc == SSH_ERROR) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -154,7 +158,7 @@ ssh_session ssh_new(void)
|
||||||
|
if (id == NULL) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- rc = ssh_list_append(session->opts.identity, id);
|
||||||
|
+ rc = ssh_list_append(session->opts.identity_non_exp, id);
|
||||||
|
if (rc == SSH_ERROR) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -284,6 +288,17 @@ void ssh_free(ssh_session session)
|
||||||
|
ssh_list_free(session->opts.identity);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (session->opts.identity_non_exp) {
|
||||||
|
+ char *id;
|
||||||
|
+
|
||||||
|
+ for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||||
|
+ id != NULL;
|
||||||
|
+ id = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
|
||||||
|
+ SAFE_FREE(id);
|
||||||
|
+ }
|
||||||
|
+ ssh_list_free(session->opts.identity_non_exp);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
while ((b = ssh_list_pop_head(struct ssh_buffer_struct *,
|
||||||
|
session->out_queue)) != NULL) {
|
||||||
|
SSH_BUFFER_FREE(b);
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From 4cb84b99fdb1ffd26c0241f5809e4f67ddd407c6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 11:03:30 +0100
|
||||||
|
Subject: [PATCH 2/5] tests: Use opts.identites_non_exp not opts.identities
|
||||||
|
|
||||||
|
The configuration of identities are first saved to `opts.identities_non_exp`,
|
||||||
|
then moved to `opts.identities` after calling ssh_options_apply and expanding
|
||||||
|
the identity strings. These tests are testing against the proper configuration
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
tests/client/torture_auth_pkcs11.c | 2 +-
|
||||||
|
tests/unittests/torture_config.c | 3 ++-
|
||||||
|
tests/unittests/torture_options.c | 14 +++++++-------
|
||||||
|
3 files changed, 10 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/client/torture_auth_pkcs11.c b/tests/client/torture_auth_pkcs11.c
|
||||||
|
index ee97bff4..e75fea0e 100644
|
||||||
|
--- a/tests/client/torture_auth_pkcs11.c
|
||||||
|
+++ b/tests/client/torture_auth_pkcs11.c
|
||||||
|
@@ -196,7 +196,7 @@ static void torture_auth_autopubkey(void **state, const char *obj_name, const ch
|
||||||
|
|
||||||
|
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
- assert_string_equal(session->opts.identity->root->data, priv_uri);
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->data, priv_uri);
|
||||||
|
|
||||||
|
rc = ssh_connect(session);
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
||||||
|
index 354adc2f..100e68f6 100644
|
||||||
|
--- a/tests/unittests/torture_config.c
|
||||||
|
+++ b/tests/unittests/torture_config.c
|
||||||
|
@@ -2078,7 +2078,8 @@ static void torture_config_identity(void **state)
|
||||||
|
|
||||||
|
_parse_config(session, NULL, LIBSSH_TESTCONFIG_STRING13, SSH_OK);
|
||||||
|
|
||||||
|
- it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ /* The identities are first added to this temporary list before expanding */
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||||
|
assert_non_null(it);
|
||||||
|
id = it->data;
|
||||||
|
/* The identities are prepended to the list so we start with second one */
|
||||||
|
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||||
|
index dc4df383..3be2de8a 100644
|
||||||
|
--- a/tests/unittests/torture_options.c
|
||||||
|
+++ b/tests/unittests/torture_options.c
|
||||||
|
@@ -406,12 +406,12 @@ static void torture_options_set_identity(void **state) {
|
||||||
|
|
||||||
|
rc = ssh_options_set(session, SSH_OPTIONS_ADD_IDENTITY, "identity1");
|
||||||
|
assert_true(rc == 0);
|
||||||
|
- assert_string_equal(session->opts.identity->root->data, "identity1");
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity1");
|
||||||
|
|
||||||
|
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
||||||
|
assert_true(rc == 0);
|
||||||
|
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
||||||
|
- assert_string_equal(session->opts.identity->root->next->data, "identity1");
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->next->data, "identity1");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void torture_options_get_identity(void **state) {
|
||||||
|
@@ -429,7 +429,7 @@ static void torture_options_get_identity(void **state) {
|
||||||
|
|
||||||
|
rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
- assert_string_equal(session->opts.identity->root->data, "identity2");
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
|
||||||
|
rc = ssh_options_get(session, SSH_OPTIONS_IDENTITY, &identity);
|
||||||
|
assert_int_equal(rc, SSH_OK);
|
||||||
|
assert_non_null(identity);
|
||||||
|
@@ -867,9 +867,9 @@ static void torture_options_copy(void **state)
|
||||||
|
assert_non_null(new);
|
||||||
|
|
||||||
|
/* Check the identities match */
|
||||||
|
- it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||||
|
assert_non_null(it);
|
||||||
|
- it2 = ssh_list_get_iterator(new->opts.identity);
|
||||||
|
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
||||||
|
assert_non_null(it2);
|
||||||
|
while (it != NULL && it2 != NULL) {
|
||||||
|
assert_string_equal(it->data, it2->data);
|
||||||
|
@@ -956,7 +956,7 @@ static void torture_options_getopt(void **state)
|
||||||
|
"aes128-ctr");
|
||||||
|
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_S_C],
|
||||||
|
"aes128-ctr");
|
||||||
|
- assert_string_equal(session->opts.identity->root->data, "id_rsa");
|
||||||
|
+ assert_string_equal(session->opts.identity_non_exp->root->data, "id_rsa");
|
||||||
|
#ifdef WITH_ZLIB
|
||||||
|
assert_string_equal(session->opts.wanted_methods[SSH_COMP_C_S],
|
||||||
|
"zlib@openssh.com,zlib,none");
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From cd30217c9032419ebcf722c0bfc6b5ebfa3518d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 16:51:02 +0100
|
||||||
|
Subject: [PATCH 3/5] Add flags for escape expand operation
|
||||||
|
|
||||||
|
Calling `ssh_options_apply` more times can result in an unwanted behaviour of
|
||||||
|
expanding the escape characters more times. Adding flags to check if the
|
||||||
|
expansion was already done on the current string variables.
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
include/libssh/session.h | 7 ++++
|
||||||
|
src/options.c | 91 ++++++++++++++++++++++++----------------
|
||||||
|
src/session.c | 2 +
|
||||||
|
3 files changed, 63 insertions(+), 37 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/libssh/session.h b/include/libssh/session.h
|
||||||
|
index e22b0d67..cf219c2a 100644
|
||||||
|
--- a/include/libssh/session.h
|
||||||
|
+++ b/include/libssh/session.h
|
||||||
|
@@ -93,6 +93,12 @@ enum ssh_pending_call_e {
|
||||||
|
#define SSH_OPT_FLAG_KBDINT_AUTH 0x4
|
||||||
|
#define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
|
||||||
|
|
||||||
|
+/* Escape expansion of different variables */
|
||||||
|
+#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
|
||||||
|
+#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
|
||||||
|
+#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
|
||||||
|
+#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
|
||||||
|
+
|
||||||
|
/* extensions flags */
|
||||||
|
/* negotiation enabled */
|
||||||
|
#define SSH_EXT_NEGOTIATION 0x01
|
||||||
|
@@ -232,6 +238,7 @@ struct ssh_session_struct {
|
||||||
|
char *gss_client_identity;
|
||||||
|
int gss_delegate_creds;
|
||||||
|
int flags;
|
||||||
|
+ int exp_flags;
|
||||||
|
int nodelay;
|
||||||
|
bool config_processed;
|
||||||
|
uint8_t options_seen[SOC_MAX];
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index bb085384..c566244b 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -730,6 +730,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
|
ssh_set_error_oom(session);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case SSH_OPTIONS_GLOBAL_KNOWNHOSTS:
|
||||||
|
@@ -751,6 +752,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
|
ssh_set_error_oom(session);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case SSH_OPTIONS_TIMEOUT:
|
||||||
|
@@ -1014,6 +1016,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
session->opts.ProxyCommand = q;
|
||||||
|
+ session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -1572,53 +1575,67 @@ int ssh_options_apply(ssh_session session)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (session->opts.knownhosts == NULL) {
|
||||||
|
- tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
||||||
|
- } else {
|
||||||
|
- tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
||||||
|
- }
|
||||||
|
- if (tmp == NULL) {
|
||||||
|
- return -1;
|
||||||
|
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS) == 0) {
|
||||||
|
+ if (session->opts.knownhosts == NULL) {
|
||||||
|
+ tmp = ssh_path_expand_escape(session, "%d/known_hosts");
|
||||||
|
+ } else {
|
||||||
|
+ tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
|
||||||
|
+ }
|
||||||
|
+ if (tmp == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ free(session->opts.knownhosts);
|
||||||
|
+ session->opts.knownhosts = tmp;
|
||||||
|
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_KNOWNHOSTS;
|
||||||
|
}
|
||||||
|
- free(session->opts.knownhosts);
|
||||||
|
- session->opts.knownhosts = tmp;
|
||||||
|
|
||||||
|
- if (session->opts.global_knownhosts == NULL) {
|
||||||
|
- tmp = strdup("/etc/ssh/ssh_known_hosts");
|
||||||
|
- } else {
|
||||||
|
- tmp = ssh_path_expand_escape(session, session->opts.global_knownhosts);
|
||||||
|
- }
|
||||||
|
- if (tmp == NULL) {
|
||||||
|
- return -1;
|
||||||
|
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS) == 0) {
|
||||||
|
+ if (session->opts.global_knownhosts == NULL) {
|
||||||
|
+ tmp = strdup("/etc/ssh/ssh_known_hosts");
|
||||||
|
+ } else {
|
||||||
|
+ tmp = ssh_path_expand_escape(session,
|
||||||
|
+ session->opts.global_knownhosts);
|
||||||
|
+ }
|
||||||
|
+ if (tmp == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ free(session->opts.global_knownhosts);
|
||||||
|
+ session->opts.global_knownhosts = tmp;
|
||||||
|
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
|
||||||
|
}
|
||||||
|
- free(session->opts.global_knownhosts);
|
||||||
|
- session->opts.global_knownhosts = tmp;
|
||||||
|
|
||||||
|
- if (session->opts.ProxyCommand != NULL) {
|
||||||
|
- char *p = NULL;
|
||||||
|
- size_t plen = strlen(session->opts.ProxyCommand) +
|
||||||
|
- 5 /* strlen("exec ") */;
|
||||||
|
|
||||||
|
- if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||||
|
- p = malloc(plen + 1 /* \0 */);
|
||||||
|
- if (p == NULL) {
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
+ if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND) == 0) {
|
||||||
|
+ if (session->opts.ProxyCommand != NULL) {
|
||||||
|
+ char *p = NULL;
|
||||||
|
+ size_t plen = strlen(session->opts.ProxyCommand) +
|
||||||
|
+ 5 /* strlen("exec ") */;
|
||||||
|
+
|
||||||
|
+ if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
|
||||||
|
+ p = malloc(plen + 1 /* \0 */);
|
||||||
|
+ if (p == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||||
|
- if ((size_t)rc != plen) {
|
||||||
|
+ rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
|
||||||
|
+ if ((size_t)rc != plen) {
|
||||||
|
+ free(p);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ tmp = ssh_path_expand_escape(session, p);
|
||||||
|
free(p);
|
||||||
|
- return -1;
|
||||||
|
+ } else {
|
||||||
|
+ tmp = ssh_path_expand_escape(session,
|
||||||
|
+ session->opts.ProxyCommand);
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
|
||||||
|
- tmp = ssh_path_expand_escape(session, p);
|
||||||
|
- free(p);
|
||||||
|
- if (tmp == NULL) {
|
||||||
|
- return -1;
|
||||||
|
+ if (tmp == NULL) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ free(session->opts.ProxyCommand);
|
||||||
|
+ session->opts.ProxyCommand = tmp;
|
||||||
|
+ session->opts.exp_flags |= SSH_OPT_EXP_FLAG_PROXYCOMMAND;
|
||||||
|
}
|
||||||
|
- free(session->opts.ProxyCommand);
|
||||||
|
- session->opts.ProxyCommand = tmp;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
|
||||||
|
diff --git a/src/session.c b/src/session.c
|
||||||
|
index 34a492e4..06f6a26f 100644
|
||||||
|
--- a/src/session.c
|
||||||
|
+++ b/src/session.c
|
||||||
|
@@ -114,6 +114,8 @@ ssh_session ssh_new(void)
|
||||||
|
SSH_OPT_FLAG_KBDINT_AUTH |
|
||||||
|
SSH_OPT_FLAG_GSSAPI_AUTH;
|
||||||
|
|
||||||
|
+ session->opts.exp_flags = 0;
|
||||||
|
+
|
||||||
|
session->opts.identity = ssh_list_new();
|
||||||
|
if (session->opts.identity == NULL) {
|
||||||
|
goto err;
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From ed58082f9706f2ab3bdeca24f632356b9bc325e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 17:17:14 +0100
|
||||||
|
Subject: [PATCH 4/5] torture_options.c: Add identity test for ssh_options_copy
|
||||||
|
|
||||||
|
Test if the ssh_options_apply is called on session before ssh_options_copy,
|
||||||
|
then `opts.identity` ssh_list will be copied
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
tests/unittests/torture_options.c | 28 ++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 28 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||||
|
index 3be2de8a..907cc8df 100644
|
||||||
|
--- a/tests/unittests/torture_options.c
|
||||||
|
+++ b/tests/unittests/torture_options.c
|
||||||
|
@@ -918,6 +918,34 @@ static void torture_options_copy(void **state)
|
||||||
|
sizeof(session->opts.options_seen));
|
||||||
|
|
||||||
|
ssh_free(new);
|
||||||
|
+
|
||||||
|
+ /* test if ssh_options_apply was called before ssh_options_copy
|
||||||
|
+ * the opts.identity list gets copied (percent expanded list) */
|
||||||
|
+ rv = ssh_options_apply(session);
|
||||||
|
+ assert_ssh_return_code(session, rv);
|
||||||
|
+
|
||||||
|
+ rv = ssh_options_copy(session, &new);
|
||||||
|
+ assert_ssh_return_code(session, rv);
|
||||||
|
+ assert_non_null(new);
|
||||||
|
+
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity_non_exp);
|
||||||
|
+ assert_null(it);
|
||||||
|
+ it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
|
||||||
|
+ assert_null(it2);
|
||||||
|
+
|
||||||
|
+ it = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ assert_non_null(it);
|
||||||
|
+ it2 = ssh_list_get_iterator(new->opts.identity);
|
||||||
|
+ assert_non_null(it2);
|
||||||
|
+ while (it != NULL && it2 != NULL) {
|
||||||
|
+ assert_string_equal(it->data, it2->data);
|
||||||
|
+ it = it->next;
|
||||||
|
+ it2 = it2->next;
|
||||||
|
+ }
|
||||||
|
+ assert_null(it);
|
||||||
|
+ assert_null(it2);
|
||||||
|
+
|
||||||
|
+ ssh_free(new);
|
||||||
|
}
|
||||||
|
|
||||||
|
#define EXECUTABLE_NAME "test-exec"
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From 89dd4a927b946d4df5c48073ca25cd843e0acde0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 17:18:49 +0100
|
||||||
|
Subject: [PATCH 5/5] torture_options.c: Add test for ssh_options_apply
|
||||||
|
|
||||||
|
Test that ssh_options_apply can be called multiple times without expanding
|
||||||
|
escape characters more than once. If the options are updated after calling
|
||||||
|
ssh_options_apply keep the last options.
|
||||||
|
|
||||||
|
Signed-off-by: Norbert Pocs <npocs@redhat.com>
|
||||||
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
---
|
||||||
|
tests/unittests/torture_options.c | 165 ++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 165 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||||
|
index 907cc8df..ea63b45e 100644
|
||||||
|
--- a/tests/unittests/torture_options.c
|
||||||
|
+++ b/tests/unittests/torture_options.c
|
||||||
|
@@ -1332,6 +1332,170 @@ static void torture_options_caret_sign(void **state)
|
||||||
|
free(awaited);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void torture_options_apply (void **state) {
|
||||||
|
+ ssh_session session = *state;
|
||||||
|
+ struct ssh_list *awaited_list = NULL;
|
||||||
|
+ struct ssh_iterator *it1 = NULL, *it2 = NULL;
|
||||||
|
+ char *id = NULL;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_KNOWNHOSTS,
|
||||||
|
+ "%%d/.ssh/known_hosts");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
||||||
|
+ "/etc/%%u/libssh/known_hosts");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_PROXYCOMMAND,
|
||||||
|
+ "exec echo \"Hello libssh %%d!\"");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||||
|
+ "%%d/do_not_expand");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_apply(session);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* check that the values got expanded */
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||||
|
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||||
|
+ assert_true(ssh_list_count(session->opts.identity) > 0);
|
||||||
|
+
|
||||||
|
+ /* should not change anything calling it again */
|
||||||
|
+ rc = ssh_options_apply(session);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* check that the expansion was done only once */
|
||||||
|
+ assert_string_equal(session->opts.knownhosts, "%d/.ssh/known_hosts");
|
||||||
|
+ assert_string_equal(session->opts.global_knownhosts,
|
||||||
|
+ "/etc/%u/libssh/known_hosts");
|
||||||
|
+ /* no exec should be added if there already is one */
|
||||||
|
+ assert_string_equal(session->opts.ProxyCommand,
|
||||||
|
+ "exec echo \"Hello libssh %d!\"");
|
||||||
|
+ assert_string_equal(session->opts.identity->root->data,
|
||||||
|
+ "%d/do_not_expand");
|
||||||
|
+
|
||||||
|
+ /* apply should keep the freshest setting */
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_KNOWNHOSTS,
|
||||||
|
+ "hello there");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
|
||||||
|
+ "lorem ipsum");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_PROXYCOMMAND,
|
||||||
|
+ "mission_impossible");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||||
|
+ "007");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||||
|
+ "3");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||||
|
+ "2");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_set(session,
|
||||||
|
+ SSH_OPTIONS_ADD_IDENTITY,
|
||||||
|
+ "1");
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* check that flags show need of escape expansion */
|
||||||
|
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||||
|
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||||
|
+ assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||||
|
+ assert_false(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||||
|
+
|
||||||
|
+ rc = ssh_options_apply(session);
|
||||||
|
+ assert_ssh_return_code(session, rc);
|
||||||
|
+
|
||||||
|
+ /* check that the values got expanded */
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
|
||||||
|
+ assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
|
||||||
|
+ assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
|
||||||
|
+
|
||||||
|
+ assert_string_equal(session->opts.knownhosts, "hello there");
|
||||||
|
+ assert_string_equal(session->opts.global_knownhosts, "lorem ipsum");
|
||||||
|
+ /* check that the "exec " was added at the beginning */
|
||||||
|
+ assert_string_equal(session->opts.ProxyCommand, "exec mission_impossible");
|
||||||
|
+ assert_string_equal(session->opts.identity->root->data, "1");
|
||||||
|
+
|
||||||
|
+ /* check the order of the identity files after double expansion */
|
||||||
|
+ awaited_list = ssh_list_new();
|
||||||
|
+ /* append the new data in order */
|
||||||
|
+ id = strdup("1");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+ id = strdup("2");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+ id = strdup("3");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+ id = strdup("007");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+ id = strdup("%d/do_not_expand");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+ /* append the defaults; this list is copied from ssh_new@src/session.c */
|
||||||
|
+ id = ssh_path_expand_escape(session, "%d/id_ed25519");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+#ifdef HAVE_ECC
|
||||||
|
+ id = ssh_path_expand_escape(session, "%d/id_ecdsa");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+#endif
|
||||||
|
+ id = ssh_path_expand_escape(session, "%d/id_rsa");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+#ifdef HAVE_DSA
|
||||||
|
+ id = ssh_path_expand_escape(session, "%d/id_dsa");
|
||||||
|
+ rc = ssh_list_append(awaited_list, id);
|
||||||
|
+ assert_int_equal(rc, SSH_OK);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ assert_int_equal(ssh_list_count(awaited_list),
|
||||||
|
+ ssh_list_count(session->opts.identity));
|
||||||
|
+
|
||||||
|
+ it1 = ssh_list_get_iterator(awaited_list);
|
||||||
|
+ assert_non_null(it1);
|
||||||
|
+ it2 = ssh_list_get_iterator(session->opts.identity);
|
||||||
|
+ assert_non_null(it2);
|
||||||
|
+ while (it1 != NULL && it2 != NULL) {
|
||||||
|
+ assert_string_equal(it1->data, it2->data);
|
||||||
|
+
|
||||||
|
+ free((void*)it1->data);
|
||||||
|
+ it1 = it1->next;
|
||||||
|
+ it2 = it2->next;
|
||||||
|
+ }
|
||||||
|
+ assert_null(it1);
|
||||||
|
+ assert_null(it2);
|
||||||
|
+
|
||||||
|
+ ssh_list_free(awaited_list);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#ifdef WITH_SERVER
|
||||||
|
const char template[] = "temp_dir_XXXXXX";
|
||||||
|
|
||||||
|
@@ -2132,6 +2296,7 @@ int torture_run_tests(void) {
|
||||||
|
setup, teardown),
|
||||||
|
cmocka_unit_test_setup_teardown(torture_options_caret_sign,
|
||||||
|
setup, teardown),
|
||||||
|
+ cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
|
||||||
|
};
|
||||||
|
|
||||||
|
#ifdef WITH_SERVER
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
@ -0,0 +1,98 @@
|
|||||||
|
diff --git a/tests/pkcs11/setup-softhsm-tokens.sh b/tests/pkcs11/setup-softhsm-tokens.sh
|
||||||
|
index 532c86a7..9050cea6 100755
|
||||||
|
--- a/tests/pkcs11/setup-softhsm-tokens.sh
|
||||||
|
+++ b/tests/pkcs11/setup-softhsm-tokens.sh
|
||||||
|
@@ -17,10 +17,10 @@ echo "OBJNAME: $OBJNAME"
|
||||||
|
echo "LOADPUBLIC: $LOADPUBLIC"
|
||||||
|
|
||||||
|
# Create temporary directory for tokens
|
||||||
|
-install -d -m 0755 $TESTDIR/db
|
||||||
|
+install -d -m 0755 "$TESTDIR/db"
|
||||||
|
|
||||||
|
# Create SoftHSM configuration file
|
||||||
|
-cat >$TESTDIR/softhsm.conf <<EOF
|
||||||
|
+cat >"$TESTDIR/softhsm.conf" <<EOF
|
||||||
|
directories.tokendir = $TESTDIR/db
|
||||||
|
objectstore.backend = file
|
||||||
|
log.level = DEBUG
|
||||||
|
@@ -28,12 +28,12 @@ EOF
|
||||||
|
|
||||||
|
export SOFTHSM2_CONF=$TESTDIR/softhsm.conf
|
||||||
|
|
||||||
|
-cat $TESTDIR/softhsm.conf
|
||||||
|
+cat "$TESTDIR/softhsm.conf"
|
||||||
|
|
||||||
|
#init
|
||||||
|
-cmd='softhsm2-util --init-token --label "$OBJNAME" --free --pin 1234 --so-pin 1234'
|
||||||
|
+cmd="softhsm2-util --init-token --label $OBJNAME --free --pin 1234 --so-pin 1234"
|
||||||
|
eval echo "$cmd"
|
||||||
|
-out=$(eval $cmd)
|
||||||
|
+out=$(eval "$cmd")
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
echo "Init token failed"
|
||||||
|
@@ -41,10 +41,29 @@ if [ $ret -ne 0 ]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
+find_library_path() {
|
||||||
|
+ echo "$@"
|
||||||
|
+ for _lib in "$@" ; do
|
||||||
|
+ if test -f "$_lib" ; then
|
||||||
|
+ LIBSOFTHSM_PATH="$_lib"
|
||||||
|
+ echo "Using libsofthsm path: $LIBSOFTHSM_PATH"
|
||||||
|
+ return
|
||||||
|
+ fi
|
||||||
|
+ done
|
||||||
|
+ echo "libsofthsm2.so not found"
|
||||||
|
+ exit 1
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+find_library_path \
|
||||||
|
+ /usr/lib64/libsofthsm2.so \
|
||||||
|
+ /usr/lib/libsofthsm2.so \
|
||||||
|
+ /usr/local/lib/softhsm/libsofthsm2.so \
|
||||||
|
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
|
||||||
|
+
|
||||||
|
#load private key
|
||||||
|
-cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-privkey "$PRIVKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
||||||
|
+cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
||||||
|
eval echo "$cmd"
|
||||||
|
-out=$(eval $cmd)
|
||||||
|
+out=$(eval "$cmd")
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
echo "Loading privkey failed"
|
||||||
|
@@ -52,15 +71,15 @@ if [ $ret -ne 0 ]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
-cat $PUBKEY
|
||||||
|
+cat "$PUBKEY"
|
||||||
|
|
||||||
|
-ls -l $TESTDIR
|
||||||
|
+ls -l "$TESTDIR"
|
||||||
|
|
||||||
|
-if [ $LOADPUBLIC -ne 0 ]; then
|
||||||
|
+if [ "$LOADPUBLIC" -ne 0 ]; then
|
||||||
|
#load public key
|
||||||
|
- cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-pubkey "$PUBKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
|
||||||
|
+ cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
|
||||||
|
eval echo "$cmd"
|
||||||
|
- out=$(eval $cmd)
|
||||||
|
+ out=$(eval "$cmd")
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
echo "Loading pubkey failed"
|
||||||
|
@@ -69,9 +88,9 @@ if [ $LOADPUBLIC -ne 0 ]; then
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
-cmd='p11tool --list-all --login "pkcs11:token="$OBJNAME"" --set-pin=1234'
|
||||||
|
+cmd="p11tool --list-all --login \"pkcs11:token=$OBJNAME\" --set-pin=1234"
|
||||||
|
eval echo "$cmd"
|
||||||
|
-out=$(eval $cmd)
|
||||||
|
+out=$(eval "$cmd")
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
echo "Loging failed"
|
||||||
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,21 @@
|
|||||||
|
diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
|
||||||
|
--- ../libssh-0.10.4/tests/client/torture_rekey.c 2023-05-17 10:55:23.384684129 +0200
|
||||||
|
+++ ./tests/client/torture_rekey.c 2023-05-17 10:56:29.819334665 +0200
|
||||||
|
@@ -504,7 +504,7 @@
|
||||||
|
memset(data, 'A', 128);
|
||||||
|
for (i = 0; i < KEX_RETRY; i++) {
|
||||||
|
ssh_send_ignore(s->ssh.session, data);
|
||||||
|
- ssh_handle_packets(s->ssh.session, 100);
|
||||||
|
+ ssh_handle_packets(s->ssh.session, 1000);
|
||||||
|
|
||||||
|
c = s->ssh.session->current_crypto;
|
||||||
|
/* SHA256 len */
|
||||||
|
@@ -582,7 +582,7 @@
|
||||||
|
memset(data, 'A', 128);
|
||||||
|
for (i = 0; i < KEX_RETRY; i++) {
|
||||||
|
ssh_send_ignore(s->ssh.session, data);
|
||||||
|
- ssh_handle_packets(s->ssh.session, 100);
|
||||||
|
+ ssh_handle_packets(s->ssh.session, 1000);
|
||||||
|
|
||||||
|
c = s->ssh.session->current_crypto;
|
||||||
|
/* SHA256 len */
|
||||||
@ -1,19 +0,0 @@
|
|||||||
diff --git a/src/packet.c b/src/packet.c
|
|
||||||
index ec4a7203..a81eb8e3 100644
|
|
||||||
--- a/src/packet.c
|
|
||||||
+++ b/src/packet.c
|
|
||||||
@@ -1752,10 +1752,12 @@ static bool
|
|
||||||
ssh_packet_in_rekey(ssh_session session)
|
|
||||||
{
|
|
||||||
/* We know we are rekeying if we are authenticated and the DH
|
|
||||||
- * status is not finished
|
|
||||||
+ * status is not finished, but we only queue packets until we've
|
|
||||||
+ * sent our NEWKEYS.
|
|
||||||
*/
|
|
||||||
return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
|
|
||||||
- (session->dh_handshake_state != DH_STATE_FINISHED);
|
|
||||||
+ (session->dh_handshake_state != DH_STATE_FINISHED) &&
|
|
||||||
+ (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
|
|
||||||
}
|
|
||||||
|
|
||||||
int ssh_packet_send(ssh_session session)
|
|
||||||
Loading…
Reference in new issue