path: root/src
Age | Commit message | Author | Files | Lines
2019-03-29 | misc: Avoid printing full path in debug message | Alberto Garcia Illera | 1 | -2/+2
Signed-off-by: Alberto Garcia Illera <agarciaillera@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-29 | channels: Added function to create channel to UNIX socket | pmorris67 | 1 | -0/+82
[asn: Reformatting and added openssh version check]
Signed-off-by: Philip Morris <philip.morris67@ntlworld.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-25 | config: Use size_t instead of u_int | Andreas Schneider | 1 | -1/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-25 | auth: Set buffer used to store password as secure | Anderson Toshiyuki Sasaki | 1 | -0/+3
This will make such buffer to be explicitly overwritten with zeroes when freed.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-13 | libcrypto: Add missing includes for modes.h | Andreas Schneider | 1 | -0/+5
This defines block128_f.
Fixes T133.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-11 | The SSH_LOG_ENTRY is not defined at all, match the descriptions to SSH_BIND_OPTIONS_LOG_VERBOSITY*. | Jan Pazdziora | 1 | -15/+10
The documentation amends change in 801bc29494f7b0da377334a9e48eff698d53376d.
The SSH_LOG_ENTRY macro was removed during cleanup ab60d1d67847f2af20604f8890381a0cbbed0524.
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-07 | Use a common KDF function | Simo Sorce | 6 | -244/+274
Cleanup the KDF function to use only one function per crypto backend. Improve the KDF function to properly handle requested length and to avoid unnecessarily reallocating buffers. In OpenSSL use the new EVP_KDF API if available.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-07 | Clean up code that generates session keys | Simo Sorce | 1 | -147/+110
This patch simply reworks the code to make it more understandable and reduce if() branches. It also avoids reallocs, and instead uses a support buffer to hold intermediate results of the hmac function so that no buffer overrides happen when the requested size is not an exact multiple of the digest_len.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-03-07 | Fix crypto_free zeroing of encryption keys | Simo Sorce | 1 | -5/+5
The zeroing MUST use the correct cipher length as keys can be both longer or shorter than the digest. In one case only some part of the key may end up being zeroed, in the other memory corruption may happen as we zero memory we do not own.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-27 | ssh_event_dopoll can also return SSH_AGAIN | Till Wimmer | 1 | -0/+1
Signed-off-by: Till Wimmer <g4-lisz@tonarchiv.ch>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-22 | Add tests and implementation for Encrypt-then-MAC mode | Dirkjan Bussink | 4 | -49/+115
This adds the OpenSSH HMACs that do encrypt then mac. This is a more secure mode than the original HMAC. Newer AEAD ciphers like chacha20 and AES-GCM are already encrypt-then-mac, but this also adds it for older legacy clients that don't support those ciphers yet.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-22 | Add flag for tracking EtM HMACs | Dirkjan Bussink | 2 | -11/+17
This adds a flag to the type structures to track if we use an Encrypt-then-MAC cipher instead of Encrypt-and-MAC. EtM is a more secure hashing mechanism.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-22 | Refactor ssh_packet_hmac_verify to allow for direct buffer | Dirkjan Bussink | 2 | -9/+12
This will make it easier to do Encrypt-then-MAC checks as those will be on the direct encrypted data received before decrypting which means they are not allocated in an ssh buffer at that point yet.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-22 | Remove SHA384 HMAC | Dirkjan Bussink | 4 | -12/+0
This is not supported by OpenSSH and not recommended to be implemented either.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-22 | Use constant time comparison function for HMAC comparison | Dirkjan Bussink | 1 | -1/+12
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-22 | config: Avoid buffer overflow | Jakub Jelen | 1 | -0/+1
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-22 | pki_gcrypt: Include missing stdbool.h | Andreas Schneider | 1 | -0/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-21 | pki: Fix size type for len in privatekey_string_to_buffer() | Andreas Schneider | 1 | -7/+21
src/pki_gcrypt.c:485:10: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
Fixes T132
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-21 | connector: Fallback on the socket output callback | David Wedderwille | 1 | -0/+1
Fixes T124
Signed-off-by: David Wedderwille <davidwe@posteo.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-21 | client: Add missing break, remove useless return | Tilo Eckert | 1 | -4/+1
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-21 | socket: Use more portable PF_UNIX instead of PF_LOCAL | Tilo Eckert | 1 | -1/+1
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-21 | crypto: Use uint8_t instead of non-standard u_char | Tilo Eckert | 2 | -6/+6
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-02-07 | cmake: Bump API version to 4.7.4 | Andreas Schneider | 2 | -1/+416
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | kex: honor client preference for rsa-sha2-{256,512} host key algorithms | Jon Simons | 1 | -0/+24
Ensure to honor the client preference ordering when enabling one of the RFC8332 RSA signature extensions (`rsa-sha2-{256,512}`).
Before this change, libssh unconditionally selects the `rsa-sha2-512` algorithm for clients which may have offered "rsa-sha2-256,rsa-sha2-512".
The change can be observed before-and-after with the pkd tests:
    ./pkd_hello -t torture_pkd_openssh_rsa_rsa_sha2_256_512
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | pki_container_openssh: Add padding to be compatible with OpenSSH | Jakub Jelen | 1 | -10/+14
OpenSSH has a block size of 8 so we need to always add padding.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | Allow building without Group Exchange support | Jakub Jelen | 5 | -1/+32
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | kex: Disable diffie-hellman-group-exchange-sha1 by default | Jakub Jelen | 1 | -4/+9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | options: Allow to configure cryptographic algorithms for server | Jakub Jelen | 1 | -1/+97
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | docs: Missing documentation for SSH_OPTIONS_HMAC_* | Jakub Jelen | 1 | -0/+8
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | buffer: Fix typo in a comment | Jakub Jelen | 1 | -1/+1
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | dh: Add function references to ssh_print_hash() doc | Andreas Schneider | 1 | -0/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-07 | include: Mark ssh_print_hexa as deprecated | Andreas Schneider | 1 | -7/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | pki_crypto: plug pki_signature_from_blob leaks | Jon Simons | 1 | -0/+8
In 3341f49a49a07cbce003e487ef24a2042e800f01, some direct assignments to OpenSSL structures were replaced with usage of getter and setter macros. Ensure to `bignum_safe_free` a couple of intermediate values in error paths for `pki_signature_from_blob` DSS and ECDSA cases.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | pki: NULL check pki_signature_from_rsa_blob result | Jon Simons | 2 | -0/+6
Check for a potential NULL result from `pki_signature_from_rsa_blob` in `pki_signature_from_blob`. Otherwise the following `sig->type_c` will result in a segfault.
Introduced in 7f83a1efae6a7da19e18268d6298fc11b4e68c57.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | dh: harden error handling in 'ssh_dh_init_common' | Jon Simons | 1 | -0/+3
Harden the error path in 'ssh_dh_init_common' such that all potential allocations are free'd upon exit.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | dh: plug pubkey_blob leak in ssh_server_dh_process_init | Jon Simons | 1 | -1/+4
Ensure to `SSH_STRING_FREE` the pubkey_blob local in `ssh_server_dh_process_init`. The leak can be seen with valgrind and the pkd tests with:
    valgrind \
      --leak-check=full \
      --show-leak-kinds=definite \
      ./pkd_hello -i1 -t torture_pkd_openssh_rsa_rsa_diffie_hellman_group14_sha1
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | dh-gex: fix double-ssh_dh_init_common memory leak | Jon Simons | 1 | -6/+0
Fix a memory leak whereby the x, y, and k bignum fields within a session's next_crypto structure were being unintentionally initialized twice.
The leak can be seen before the fix with valgrind and the pkd tests with:
    valgrind \
      --leak-check=full \
      --show-leak-kinds=definite \
      ./pkd_hello -i1 -t torture_pkd_openssh_rsa_rsa_diffie_hellman_group_exchange_sha256
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | dh-gex: fix moduli file stream leak | Jon Simons | 1 | -0/+1
Ensure to close the moduli file stream in `ssh_retrieve_dhgroup`. The leak is observable with the pkd tests and valgrind with:
    valgrind \
      --track-fds=yes \
      ./pkd_hello -i1 \
      -t torture_pkd_openssh_rsa_rsa_diffie_hellman_group_exchange_sha256
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | session: Respects timeout=0 for packets on blocking sessions | Till Wimmer | 1 | -1/+1
Signed-off-by: Till Wimmer <g4-lisz@tonarchiv.ch>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | options: Removed outdated param annotations of ssh_options_set() | Till Wimmer | 1 | -31/+0
Signed-off-by: Till Wimmer <g4-lisz@tonarchiv.ch>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-30 | connector: Don't NULL connector (in|out) channels on event remove | Till Wimmer | 1 | -2/+0
Signed-off-by: Till Wimmer <g4-lisz@tonarchiv.ch>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | bignum: Reformat ssh_make_string_bn and unbreak build with DEBUG_CRYPTO | Jakub Jelen | 1 | -10/+11
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | dh: Reformat ssh_dh_debug, ssh_dh_build_k and unbreak build with DEBUG_CRYPTO | Jakub Jelen | 1 | -21/+29
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | packet: Add missing error check in packet_send2() | Andreas Schneider | 1 | -0/+3
Found by csbuild.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | pki: Avoid possible segfaults in error paths | Andreas Schneider | 1 | -2/+2
Found by csbuild.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | dh-gex: Add error check for ssh_packet_send() in ssh_packet_server_dhgex_request | Andreas Schneider | 1 | -0/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | libcrypto: Use size_t for size calculations | Andreas Schneider | 1 | -5/+8
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | sftp: Add NULL check in sftp_ext_free() | Anderson Toshiyuki Sasaki | 1 | -7/+14
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | sftp: Reformat sftp_ext_free() | Anderson Toshiyuki Sasaki | 1 | -13/+14
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-26 | misc: Add NULL checks before accessing lists | Anderson Toshiyuki Sasaki | 1 | -8/+33
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>