Age | Commit message | Author | Files | Lines
9 days | dh-gex: Avoid memory leaks [HEAD, master] | Jakub Jelen | 1 | -0/+3
Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29611 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
12 days | tests/external_override: Add override test for internal implementations | Anderson Toshiyuki Sasaki | 13 | -0/+931
This adds a test to check if the internal implementation is not used when it is not supposed to be used. To be able to override functions using LD_PRELOAD, a shared version of the torture library was added, as well as a shared library for each of the algorithms implemented internally (ChaCha20, Poly1305, curve25519, and ed25519). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
12 days | libmbedcrypto: Fix chacha20-poly1305 | Anderson Toshiyuki Sasaki | 3 | -8/+20
Previously, the mbed TLS implementation wouldn't be used at all when available, being the internal implementation always used instead. This corrects a few bugs and makes the mbed TLS implementation to be used when ChaCha20 and Poly1305 are available. This also makes the constant time comparison to be used when checking the authentication tag. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
12 days | chachapoly: Use secure_memcmp() to compare auth tag | Anderson Toshiyuki Sasaki | 1 | -1/+1
When checking the authentication tag, use secure_memcmp() instead of memcmp(). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
12 days | libcrypto: Use CRYPTO_memcmp() instead of memcmp | Anderson Toshiyuki Sasaki | 1 | -1/+1
When comparing the authentication tag for chacha20-poly1305, use the constant time CRYPTO_memcmp() instead of memcmp(). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
12 days | packet_crypt: Move secure_memcmp() to a shared source | Anderson Toshiyuki Sasaki | 4 | -11/+37
Move the secure_memcmp() function to a shared source to make it available internally for other crypto implementations. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
12 days | Clean memory on failure paths | Jakub Jelen | 2 | -3/+7
Thanks oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28490 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
12 days | include: Introduce secure SSH_SIGNATURE_FREE() | Jakub Jelen | 1 | -0/+2
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
13 days | torture_session: Test delayed close | Anderson Toshiyuki Sasaki | 1 | -0/+43
The test for delayed close asks for the execution of a command that generates big output (larger than the default window) to make data to remain in buffers while the close message arrives, triggering the delayed channel closure. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
13 days | channel_rcv_close: indentation | Tom Deseyn | 1 | -30/+30
Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
13 days | channels: Fix delayed close | Tom Deseyn | 1 | -13/+28
If the SSH2_MSG_CHANNEL_CLOSE was previously received, change the channel state to SSH_STATE_CHANNEL_CLOSED in ssh_channel_read_timeout() after reading all data available. Fixes T31 Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
13 days | Cleanup AES compatibility code | Dirkjan Bussink | 4 | -158/+1
OpenSSL 1.0.1 has support for CTR & GCM modes so the checks here are no longer needed. This allows for a bunch of additional cleanup of the old code. As for old MacOS versions etc, LibreSSL is a kind of compatibility layer there but things already don't work anyway with that, so it doesn't break anything that isn't already broken. OpenSSL is needed on MacOS separately anyway (like installed with Homebrew). Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove no longer needed compatibility check | Dirkjan Bussink | 3 | -19/+0
CRYPTO_THREADID_set_callback is available since 1.0.1 which is the oldest supported version. This means the check and compatibility code can be removed. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove no longer needed compatibility function | Dirkjan Bussink | 3 | -24/+0
Since OpenSSL 1.0.1 is the minimum version, this function is always available so no compatibility check is needed anymore. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove compat reset function | Dirkjan Bussink | 3 | -10/+2
This can be implemented with the init directly when the context is reused. When a new cipher context is allocated, no initialization call is needed either so this moves the logic to one place as well. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Move HMAC implementation to EVP API | Dirkjan Bussink | 4 | -32/+28
Now that the minimum OpenSSL version is 1.0.1, we know that the EVP HMAC API is always available. This switches to this API. The existing API is deprecated for OpenSSL 3.0. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Fix formatting for file with changes | Dirkjan Bussink | 1 | -23/+25
This fixes the formatting for src/libcrypto.c for the last bits where it is not correct. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove unneeded version conditional | Dirkjan Bussink | 1 | -11/+4
The HMAC_CTX_free function in the compat layer already handles this so there's no need to add conditional logic to the code here. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Use correct cleanup function for cipher context | Dirkjan Bussink | 1 | -2/+1
This specific cleanup function describes better what happens here and is available for older OpenSSL releases. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove unneeded HMAC_CTX_reset function | Dirkjan Bussink | 2 | -7/+0
This isn't referenced anywhere outside of the compatibility layer so it is unneeded. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove unneeded EVP_MD_CTX_reset custom cleanup | Dirkjan Bussink | 2 | -41/+1
The EVP_MD_CTX_reset function is not used anywhere outside of the compat layer and is not needed there. The only usage in the compat layer is for cleanup, but EVP_MD_CTX_cleanup can be used for that which is available at least since OpenSSL 0.9.8. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Improve cleanup logic for HMAC | Dirkjan Bussink | 1 | -16/+1
Older OpenSSL versions have a cleanup function that can be used here. This removes a whole bunch of now no longer needed logic and custom conditionals. These functions have existed since 0.9.8 and can be used here. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Remove OPENSSL_zalloc helper | Dirkjan Bussink | 1 | -16/+8
This function is not needed, because in each case it is used, we follow it up immediately with an initialization function call. This means that the zeroing here is unneeded, since the initialization already guarantees things end up in the right state. It also swaps the reset call with a simpler init call, also because reset is implemented as init with a return value that is always 1. That means the more complex logic is not needed at all. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
13 days | Use current OpenSSL API as the example | Dirkjan Bussink | 2 | -21/+20
EVP_MD_CTX_new / EVP_MD_CTX_free is the current recommended / documented API. The other names are defined as aliases for backwards compatibility. The other part here is that EVP_MD_CTX_init is not needed for a context allocated with EVP_MD_CTX_new. Only for the compatibility path for older OpenSSL is the init needed if the structure is allocated directly. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-01 | Happy new year 2021! | Andreas Schneider | 2 | -2/+2
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-22 | Require at least OpenSSL 1.0.1 | Dirkjan Bussink | 1 | -1/+1
This is now the minimum version, so check it in the CMake configuration. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-22 | Cleanup old OpenSSL 0.9.7 compatibility code | Dirkjan Bussink | 3 | -16/+2
OpenSSL 0.9.7 is already not supported, so clean up the old legacy bits for that as well. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-22 | Bump minimum version requirement for OpenSSL | Dirkjan Bussink | 2 | -10/+2
This updates the minimum version requirement for OpenSSL in the documentation to 1.0.1 and also updates the practical minimum CMake version. Why pick 1.0.1 as the minimum? Main reason is whatever is still out there with long term support contracts etc. One of the oldest I could find is Ubuntu 14.04 which still has paid extended support and is on 1.0.1. Another reason that 1.0.1 is probably a good minimum is a bit more involved. 1.0.1 is the first version to add TLS 1.2. Large parts of the internet have TLS 1.2 as a minimum requirement. This means that systems with OpenSSL older than 1.0.1 already can't access large parts of the internet anyway, so not supporting the latest libssh there either is ok I think. Bumping minimum support also means things like the HMAC API can be moved to the more recent EVP style APIs and things can be more easily made compatible with the deprecated APIs in OpenSSL 3.0. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-14 | Fix CMake warning about mismatched if/endif arguments during OpenSSL detection | Kevin Kane | 1 | -1/+1
Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11 | Always check return value of ssh_list_new() | Dirkjan Bussink | 5 | -21/+42
Another item identified during code review was cases where the return value of ssh_list_new() was not properly checked and handled. This updates all cases that were missing this to handle failure to allocate a new list. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11 | Add safety checks for all ssh_string_fill calls | Dirkjan Bussink | 8 | -30/+97
These calls can fail and the return code should always be checked. These issues were identified when code review called it out on new code. The updates here are to existing code with no behavior changes to make review simpler. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11 | Ignore request success and failure message if they are not expected | Dirkjan Bussink | 2 | -18/+112
In https://gitlab.com/libssh/libssh-mirror/-/merge_requests/145#note_463232084 behavior in libssh was identified where it diverges from how for example OpenSSH behaves. In OpenSSH if a request success or failure message is received, apart from it being treated as a keepalive message, it is ignored otherwise. Libssh does handle the unexpected message and triggers an error condition internally. This means that with the Dropbear behavior where it replies to a hostkeys-00@openssh.com message even with a want_reply = 0 (arguably a bug), libssh enters an error state. This change makes the libssh behavior match OpenSSH to ignore these messages. The spec is a bit unclear on whether Dropbear is buggy here or not, but let's be liberal with the input accepted here in libssh. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10 | Provide OPENSSL_CRYPTO_LIBRARIES synonym for OPENSSL_CRYPTO_LIBRARY | Kevin Kane | 1 | -1/+7
FindOpenSSL.cmake usually defines this synonym, but it doesn't on CMake < 3.16 when building on Windows outside of Cygwin. Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10 | Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL | Kevin Kane | 2 | -18/+18
The build currently breaks when attempting to link libssh.so using a statically-linked OpenSSL. -ldl and -lpthread are required when linking a binary with the static libcrypto.a. The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the correct dependencies in both static and shared configurations; -ldl and -lpthread are not required when linking against shared libcrypto.so. This change changes all uses of OPENSSL_CRYPTO_LIBRARY to OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always provide the correct libraries at link time. Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10 | Revert "cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL" | Andreas Schneider | 2 | -18/+18
This reverts commit 026879e9f0d766ebe651e6d3fd9809e243928391.
2020-12-10 | auth: Add ssh_userauth_publickey_auto_get_current_identity() | Marius Vollmer | 7 | -0/+177
Signed-off-by: Marius Vollmer <mvollmer@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10 | cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL | Kevin Kane | 2 | -18/+18
The build currently breaks when attempting to link libssh.so using a statically-linked OpenSSL. -ldl and -lpthread are required when linking a binary with the static libcrypto.a. The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the correct dependencies in both static and shared configurations; -ldl and -lpthread are not required when linking against shared libcrypto.so. This change changes all uses of OPENSSL_CRYPTO_LIBRARY to OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always provide the correct libraries at link time. Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-09 | gitlab-ci: Fix packaging artifacts for Coverity runner | Andreas Schneider | 1 | -1/+6
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-12-08 | wrapper: Avoid memory leak on errors during key exchange | Jakub Jelen | 1 | -0/+1
As reported by oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28075 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-08 | fuzz: Extend readme for reproducing and debugging tips | Jakub Jelen | 1 | -0/+64
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-11-03 | tests for parsing configuration string; rework and many fixes | Stanislav Zidek | 1 | -423/+815
Signed-off-by: Stanislav Zidek <szidek@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-11-03 | New API for parsing configuration from string | Stanislav Zidek | 2 | -0/+55
Fixes T248 Signed-off-by: Stanislav Zidek <szidek@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-11-02 | tests: Disable *cbc ciphers in Dropbear tests | Jakub Jelen | 1 | -23/+42
These are disabled in latest since Dropbear 2020.79, while older do not support anything better than aes-ctr ciphers. We should implement some dynamic algorithm detection for dropbear too to increase test coverage. https://bugs.libssh.org/T252 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-10-14 | Fix handshake bug with AEAD ciphers and no HMAC overlap | Dirkjan Bussink | 1 | -16/+41
There's currently a bug in libssh that a handshake doesn't complete if there is no overlap between HMAC methods, but when an AEAD cipher is used. In case of an AEAD cipher such as chacha20-poly1305 or aes256-gcm, the HMAC algorithm that is being picked is not relevant. But the problem here is that the HMAC still needs to have an overlap in the handshake, even if it is not used afterwards. This was found with a very strict server side configuration with libssh where only AEAD ciphers and EtM HMAC modes are accepted. The client tested against was dropbear. Dropbear does have support for chacha20-poly1305 and AES GCM modes, but no support for EtM HMAC modes. This meant that the libssh server in this case rejected the dropbear client, even though it is perfectly able to serve it since dropbear supports AEAD algorithms. The fix implemented here updates the HMAC phase of the handshake to handle this case. If it detects an AEAD cipher is used, it uses the HMAC abbreviations for the method instead. This is the same name that is used in other places as well. It matches the client to server and server to client values, but it does depend on the order of things in the ssh_kex_types_e enum, which I'm assuming here is ok since it's explicit. I've looked at how to add a test for this, but I couldn't really find a suitable place for it. I would love some tips if this is easily possible, or if it's easier for someone else to contribute, that's of course welcome too. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-10-14 | Add initial server algorithm test for no HMAC overlap | Dirkjan Bussink | 2 | -0/+365
This adds an initial test with all AEAD modes to verify that they work if there is no overlap in HMAC ciphers. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-10-14 | tests: Test MAC algorithm mismatch when AEAD cipher is selected | Jakub Jelen | 1 | -0/+57
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-10-14 | torture: Place additional configuration options before defaults so they can override them | Jakub Jelen | 1 | -10/+10
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-10-02 | client: Reset pending_call_state on disconnect | Jakub Jelen | 1 | -0/+1
Fixes T251 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-10-02 | client: Reformat ssh_disconnect() | Jakub Jelen | 1 | -69/+73
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-09-29 | README: Mention CONTRIBUTING not SubmittingPatches | Paul Capron | 2 | -2/+2
The “SubmittingPatches” file is no more since commit a76badf77af9ff92164fd97327d63cc731d753ef, but the READMEs were still referencing it. They now correctly point to “CONTRIBUTING.md”. Signed-off-by: Paul Capron <paul@fragara.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>