path: root/src
Age         Commit message  (Author; files changed, lines removed/added)
2021-02-04  cmake: Avoid setting compiler flags directly  (DDoSolitary; 1 file, -13/+6)
    Calling set_target_properties directly overrides previously set flags, so
    replace them with target_compile_definitions and target_link_options.

    Signed-off-by: DDoSolitary <DDoSolitary@gmail.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-28  pki: Fix memory leak on error path  (Jakub Jelen; 1 file, -0/+1)
    Thanks coverity CID 1445481

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-01-28  config: Support more identity files in configuration  (Jakub Jelen; 1 file, -0/+1)
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-01-15  dh-gex: Avoid memory leaks  (Jakub Jelen; 1 file, -0/+3)
    Thanks oss-fuzz
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29611

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-01-12  libmbedcrypto: Fix chacha20-poly1305  (Anderson Toshiyuki Sasaki; 2 files, -8/+14)
    Previously, the mbed TLS implementation wouldn't be used at all when
    available, with the internal implementation always being used instead.

    This corrects a few bugs and makes the mbed TLS implementation be used
    when ChaCha20 and Poly1305 are available.

    This also makes the constant time comparison be used when checking the
    authentication tag.

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-12  chachapoly: Use secure_memcmp() to compare auth tag  (Anderson Toshiyuki Sasaki; 1 file, -1/+1)
    When checking the authentication tag, use secure_memcmp() instead of
    memcmp().

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-12  libcrypto: Use CRYPTO_memcmp() instead of memcmp  (Anderson Toshiyuki Sasaki; 1 file, -1/+1)
    When comparing the authentication tag for chacha20-poly1305, use the
    constant time CRYPTO_memcmp() instead of memcmp().

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-12  packet_crypt: Move secure_memcmp() to a shared source  (Anderson Toshiyuki Sasaki; 3 files, -11/+35)
    Move the secure_memcmp() function to a shared source to make it available
    internally for other crypto implementations.

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
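The three commits above replace memcmp() with a constant-time comparison when checking the chacha20-poly1305 authentication tag. The following is an added illustration of why that matters and what such a comparison looks like; it is not libssh's secure_memcmp() nor OpenSSL's CRYPTO_memcmp() (neither appears on this page), and the names ct_memcmp, leaky_memcmp_work and verify_tag, as well as the 16-byte tag and the constructed tag values in main(), are this example's own assumptions.

```c
/* Added example (not libssh's secure_memcmp() or OpenSSL's CRYPTO_memcmp()):
 * why an authentication tag must be compared in constant time, and how.
 * Function names and sample data are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16  /* Poly1305 and GCM tags are 16 bytes */

/* The leaky pattern. A byte-wise comparison that returns at the first
 * mismatch does work proportional to the length of the correct prefix, which
 * is exactly what an attacker forging a tag wants to measure. Returns the
 * number of bytes examined before giving up (len when the buffers match). */
size_t leaky_memcmp_work(const unsigned char *a, const unsigned char *b,
                         size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            return i + 1;
        }
    }
    return len;
}

/* Constant-time comparison. Every byte is read and OR-ed into diff, there is
 * no data-dependent branch or early return, and the result is reduced to 0/1
 * arithmetically. volatile discourages the compiler from shortcutting the
 * loop. Returns 0 when equal, 1 otherwise. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    }
    /* (diff | -diff) mod 256 has its top bit set iff diff != 0. */
    return (int)(((unsigned)diff | (unsigned)(unsigned char)-(int)diff) >> 7);
}

/* Accept a packet only when the locally computed tag matches the received one.
 * Returns 1 if authentic, 0 if the packet must be rejected. */
int verify_tag(const unsigned char computed[TAG_LEN],
               const unsigned char received[TAG_LEN])
{
    return ct_memcmp(computed, received, TAG_LEN) == 0;
}

int main(void)
{
    /* Constructed tags: the forgery shares the first 12 bytes with the
     * genuine tag, so the leaky compare stops after 13 bytes. */
    unsigned char computed[TAG_LEN], forged[TAG_LEN];
    memcpy(computed, "0123456789abcdef", TAG_LEN);
    memcpy(forged,   "0123456789abXXXX", TAG_LEN);

    printf("leaky compare examined %zu of %d bytes\n",
           leaky_memcmp_work(computed, forged, TAG_LEN), TAG_LEN);
    printf("constant-time verify: %s\n",
           verify_tag(computed, forged) ? "accepted" : "rejected");
    return 0;
}
```

The measurable quantity is the work done by leaky_memcmp_work, which grows with each correctly guessed leading byte; ct_memcmp does the same work for every input, so the only thing an attacker learns from timing is the tag length, which is public anyway.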
2021-01-12  Clean memory on failure paths  (Jakub Jelen; 2 files, -3/+7)
    Thanks oss-fuzz:
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28490

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-01-11  channel_rcv_close: indentation  (Tom Deseyn; 1 file, -30/+30)
    Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2021-01-11  channels: Fix delayed close  (Tom Deseyn; 1 file, -13/+28)
    If the SSH2_MSG_CHANNEL_CLOSE was previously received, change the channel
    state to SSH_STATE_CHANNEL_CLOSED in ssh_channel_read_timeout() after
    reading all data available.

    Fixes T31

    Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2021-01-11  Cleanup AES compatibility code  (Dirkjan Bussink; 2 files, -130/+1)
    OpenSSL 1.0.1 has support for CTR & GCM modes so the checks here are no
    longer needed. This allows for a bunch of additional cleanup of the old
    code.

    As for old MacOS versions etc, LibreSSL is a kind of compatibility layer
    there but things already don't work anyway with that, so it doesn't break
    anything that isn't already broken. OpenSSL is needed on MacOS separately
    anyway (like installed with Homebrew).

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove no longer needed compatibility check  (Dirkjan Bussink; 1 file, -12/+0)
    CRYPTO_THREADID_set_callback is available since 1.0.1, which is the oldest
    supported version. This means the check and compatibility code can be
    removed.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove no longer needed compatibility function  (Dirkjan Bussink; 1 file, -17/+0)
    Since OpenSSL 1.0.1 is the minimum version, this function is always
    available so no compatibility check is needed anymore.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove compat reset function  (Dirkjan Bussink; 3 files, -10/+2)
    This can be implemented with the init directly when the context is reused.
    When a new cipher context is allocated, no initialization call is needed
    either so this moves the logic to one place as well.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Move HMAC implementation to EVP API  (Dirkjan Bussink; 3 files, -31/+27)
    Now that the minimum OpenSSL version is 1.0.1, we know that the EVP HMAC
    API is always available. This switches to this API. The existing API is
    deprecated for OpenSSL 3.0.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Fix formatting for file with changes  (Dirkjan Bussink; 1 file, -23/+25)
    This fixes the formatting for src/libcrypto.c for the last bits where it
    is not correct.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove unneeded version conditional  (Dirkjan Bussink; 1 file, -11/+4)
    The HMAC_CTX_free function in the compat layer already handles this so
    there's no need to add conditional logic to the code here.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Use correct cleanup function for cipher context  (Dirkjan Bussink; 1 file, -2/+1)
    This specific cleanup function describes better what happens here and is
    available for older OpenSSL releases.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove unneeded HMAC_CTX_reset function  (Dirkjan Bussink; 2 files, -7/+0)
    This isn't referenced anywhere outside of the compatibility layer so it
    is unneeded.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove unneeded EVP_MD_CTX_reset custom cleanup  (Dirkjan Bussink; 2 files, -41/+1)
    The EVP_MD_CTX_reset function is not used anywhere outside of the compat
    layer and is not needed there. The only usage in the compat layer is for
    cleanup, but EVP_MD_CTX_cleanup can be used for that, which is available
    at least since OpenSSL 0.9.8.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Improve cleanup logic for HMAC  (Dirkjan Bussink; 1 file, -16/+1)
    Older OpenSSL versions have a cleanup function that can be used here. This
    removes a whole bunch of now no longer needed logic and custom
    conditionals. These functions have existed since 0.9.8 and can be used
    here.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Remove OPENSSL_zalloc helper  (Dirkjan Bussink; 1 file, -16/+8)
    This function is not needed, because in each case it is used, we follow it
    up immediately with an initialization function call. This means that the
    zeroing here is unneeded, since the initialization already guarantees
    things end up in the right state.

    It also swaps the reset call with a simpler init call, also because reset
    is implemented as init with a return value that is always 1. That means
    the more complex logic is not needed at all.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11  Use current OpenSSL API as the example  (Dirkjan Bussink; 2 files, -21/+20)
    EVP_MD_CTX_new / EVP_MD_CTX_free is the current recommended / documented
    API. The other names are defined as aliases for backwards compatibility.

    The other part here is that EVP_MD_CTX_init is not needed for a context
    allocated with EVP_MD_CTX_new. Only for the compatibility path for older
    OpenSSL is the init needed if the structure is allocated directly.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-01  Happy new year 2021!  (Andreas Schneider; 1 file, -1/+1)
    Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-22  Cleanup old OpenSSL 0.9.7 compatibility code  (Dirkjan Bussink; 2 files, -12/+2)
    OpenSSL 0.9.7 is already not supported, so clean up the old legacy bits
    for that as well.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-22  Bump minimum version requirement for OpenSSL  (Dirkjan Bussink; 1 file, -8/+0)
    This updates the minimum version requirement for OpenSSL in the
    documentation to 1.0.1 and also updates the practical minimum CMake
    version.

    Why pick 1.0.1 as the minimum? Main reason is whatever is still out there
    with long term support contracts etc. One of the oldest I could find is
    Ubuntu 14.04 which still has paid extended support and is on 1.0.1.

    Another reason that 1.0.1 is probably a good minimum is a bit more
    involved. 1.0.1 is the first version to add TLS 1.2. Large parts of the
    internet have TLS 1.2 as a minimum requirement. This means that systems
    with OpenSSL older than 1.0.1 already can't access large parts of the
    internet anyway, so not supporting the latest libssh there either is ok
    I think.

    Bumping minimum support also means things like the HMAC API can be moved
    to the more recent EVP style APIs and things can be more easily made
    compatible with the deprecated APIs in OpenSSL 3.0.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11  Always check return value of ssh_list_new()  (Dirkjan Bussink; 4 files, -21/+37)
    Another item identified during code review was cases where the return
    value of ssh_list_new() was not properly checked and handled. This updates
    all cases that were missing this to handle failure to allocate a new list.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11  Add safety checks for all ssh_string_fill calls  (Dirkjan Bussink; 6 files, -27/+90)
    These calls can fail and the return code should always be checked. These
    issues were identified when code review called it out on new code. The
    updates here are to existing code with no behavior changes to make review
    simpler.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-11  Ignore request success and failure message if they are not expected  (Dirkjan Bussink; 1 file, -18/+16)
    In https://gitlab.com/libssh/libssh-mirror/-/merge_requests/145#note_463232084
    behavior in libssh was identified where it diverges from how for example
    OpenSSH behaves. In OpenSSH if a request success or failure message is
    received, apart from it being treated as a keepalive message, it is
    ignored otherwise. Libssh does handle the unexpected message and triggers
    an error condition internally.

    This means that with the Dropbear behavior where it replies to a
    hostkeys-00@openssh.com message even with a want_reply = 0 (arguably a
    bug), libssh enters an error state.

    This change makes the libssh behavior match OpenSSH to ignore these
    messages. The spec is a bit unclear on whether Dropbear is buggy here or
    not, but let's be liberal with the input accepted here in libssh.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10  Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL  (Kevin Kane; 1 file, -3/+3)
    The build currently breaks when attempting to link libssh.so using a
    statically-linked OpenSSL. -ldl and -lpthread are required when linking a
    binary with the static libcrypto.a.

    The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when
    linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the
    correct dependencies in both static and shared configurations; -ldl and
    -lpthread are not required when linking against shared libcrypto.so.

    This change changes all uses of OPENSSL_CRYPTO_LIBRARY to
    OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always
    provide the correct libraries at link time.

    Signed-off-by: Kevin Kane <kkane@microsoft.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10  Revert "cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL"  (Andreas Schneider; 1 file, -3/+3)
    This reverts commit 026879e9f0d766ebe651e6d3fd9809e243928391.
2020-12-10  auth: Add ssh_userauth_publickey_auto_get_current_identity()  (Marius Vollmer; 2 files, -0/+50)
    Signed-off-by: Marius Vollmer <mvollmer@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10  cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSL  (Kevin Kane; 1 file, -3/+3)
    The build currently breaks when attempting to link libssh.so using a
    statically-linked OpenSSL. -ldl and -lpthread are required when linking a
    binary with the static libcrypto.a.

    The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when
    linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the
    correct dependencies in both static and shared configurations; -ldl and
    -lpthread are not required when linking against shared libcrypto.so.

    This change changes all uses of OPENSSL_CRYPTO_LIBRARY to
    OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always
    provide the correct libraries at link time.

    Signed-off-by: Kevin Kane <kkane@microsoft.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-08  wrapper: Avoid memory leak on errors during key exchange  (Jakub Jelen; 1 file, -0/+1)
    As reported by oss-fuzz
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28075

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-11-03  New API for parsing configuration from string  (Stanislav Zidek; 1 file, -0/+54)
    Fixes T248

    Signed-off-by: Stanislav Zidek <szidek@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-10-14  Fix handshake bug with AEAD ciphers and no HMAC overlap  (Dirkjan Bussink; 1 file, -16/+41)
    There's currently a bug in libssh that a handshake doesn't complete if
    there is no overlap between HMAC methods, but when an AEAD cipher is used.
    In case of an AEAD cipher such as chacha20-poly1305 or aes256-gcm, the
    HMAC algorithm that is being picked is not relevant. But the problem here
    is that the HMAC still needs to have an overlap in the handshake, even if
    it is not used afterwards.

    This was found with a very strict server side configuration with libssh
    where only AEAD ciphers and EtM HMAC modes are accepted. The client tested
    against was dropbear. Dropbear does have support for chacha20-poly1305
    and AES GCM modes, but no support for EtM HMAC modes. This meant that the
    libssh server in this case rejected the dropbear client, even though it
    is perfectly able to serve it since dropbear supports AEAD algorithms.

    The fix implemented here updates the HMAC phase of the handshake to handle
    this case. If it detects an AEAD cipher is used, it uses the HMAC
    abbreviations for the method instead. This is the same name that is used
    in other places as well. It matches the client to server and server to
    client values, but it does depend on the order of things in the
    ssh_kex_types_e enum, which I'm assuming here is ok since it's explicit.

    I've looked at how to add a test for this, but I couldn't really find a
    suitable place for it. I would love some tips if this is easily possible,
    or if it's easier for someone else to contribute, that's of course
    welcome too.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
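The negotiation rule the commit above patches, as an added example that is not libssh's kex code: the client-preference selection is the one SSH specifies (RFC 4253 section 7.1, comma-separated name-lists, first client entry the server also offers wins), but the function names, the fixed set of AEAD cipher names, the choice to record the cipher name in the MAC slot (libssh substitutes an HMAC abbreviation, as the message says) and the Dropbear-like lists in main() are this example's own assumptions.

```c
/* Added example (not libssh code): SSH algorithm negotiation that treats an
 * AEAD cipher as carrying its own MAC, so an empty MAC intersection does not
 * abort the handshake. Names and sample lists are this example's own. */
#include <stdio.h>
#include <string.h>

/* Does tok (toklen bytes, not NUL-terminated) appear in name-list `list`? */
static int list_contains(const char *list, const char *tok, size_t toklen)
{
    const char *p = list;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == toklen && memcmp(p, tok, len) == 0) return 1;
        if (comma == NULL) return 0;
        p = comma + 1;
    }
}

/* RFC 4253 7.1: the first entry of the client's list that the server also
 * offers wins. Copies the winner into out; returns 0 on no overlap. */
int negotiate_alg(const char *client, const char *server,
                  char *out, size_t outlen)
{
    const char *p = client;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && list_contains(server, p, len)) {
            if (len + 1 > outlen) return 0;
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (comma == NULL) return 0;
        p = comma + 1;
    }
}

/* AEAD ciphers authenticate the packet themselves; any negotiated MAC would
 * be ignored with them. (Fixed list: an assumption of this example.) */
static int is_aead_cipher(const char *cipher)
{
    return strcmp(cipher, "chacha20-poly1305@openssh.com") == 0 ||
           strcmp(cipher, "aes128-gcm@openssh.com") == 0 ||
           strcmp(cipher, "aes256-gcm@openssh.com") == 0;
}

/* Negotiate cipher, then MAC, for one direction. A non-AEAD cipher still
 * requires the MAC lists to overlap. With an AEAD cipher the MAC lists are
 * not consulted and the MAC slot records the cipher name instead (libssh
 * stores an HMAC abbreviation here; the name is this example's choice). */
int negotiate_cipher_and_mac(const char *c_ciphers, const char *s_ciphers,
                             const char *c_macs, const char *s_macs,
                             char *cipher, size_t cipherlen,
                             char *mac, size_t maclen)
{
    if (!negotiate_alg(c_ciphers, s_ciphers, cipher, cipherlen)) return 0;
    if (is_aead_cipher(cipher)) {
        if (strlen(cipher) + 1 > maclen) return 0;
        strcpy(mac, cipher);
        return 1;
    }
    return negotiate_alg(c_macs, s_macs, mac, maclen);
}

/* Wrapper keeping the last outcome in static storage for easy inspection. */
static char g_cipher[64], g_mac[64];
int handshake(const char *c_ciphers, const char *s_ciphers,
              const char *c_macs, const char *s_macs)
{
    g_cipher[0] = g_mac[0] = '\0';
    return negotiate_cipher_and_mac(c_ciphers, s_ciphers, c_macs, s_macs,
                                    g_cipher, sizeof g_cipher,
                                    g_mac, sizeof g_mac);
}
const char *handshake_cipher(void) { return g_cipher; }
const char *handshake_mac(void) { return g_mac; }

int main(void)
{
    /* Constructed lists modelled on the report: a Dropbear-like client with
     * AEAD support but no EtM MACs, against a strict AEAD+EtM-only server. */
    const char *c_ciphers = "chacha20-poly1305@openssh.com,aes128-ctr";
    const char *s_ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com";
    const char *c_macs = "hmac-sha2-256,hmac-sha1";
    const char *s_macs = "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com";
    char tmp[64];

    printf("MAC lists overlap on their own: %s\n",
           negotiate_alg(c_macs, s_macs, tmp, sizeof tmp) ? "yes" : "no");
    if (handshake(c_ciphers, s_ciphers, c_macs, s_macs))
        printf("handshake ok: cipher=%s mac=%s\n", handshake_cipher(), handshake_mac());
    else
        printf("handshake failed\n");
    return 0;
}
```

With these lists the MAC negotiation alone fails (no EtM on the client side), which is the pre-fix outcome; the AEAD-aware path completes with chacha20-poly1305@openssh.com because the MAC is never needed. Note that the substitution only happens once the cipher for that direction is known, so cipher selection must run before MAC selection, which is the ordering dependency the commit mentions.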
2020-10-02  client: Reset pending_call_state on disconnect  (Jakub Jelen; 1 file, -0/+1)
    Fixes T251

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-10-02  client: Reformat ssh_disconnect()  (Jakub Jelen; 1 file, -69/+73)
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-09-29  pki_gcrypt.c: Fix typo + inconsistency in warning  (Paul Capron; 1 file, -2/+3)
    In function pki_signature_from_blob(), the warning message in case of an
    oversized RSA key was missing an ‘o’ (reading “to” instead of “too”).

    While we are here, make this oversized message the same as the ones found
    in pki_crypto.c & pki_mbedcrypto.c: put the expected size in it. The
    message in case of an _under_sized key includes the expected size, so
    that’s more consistent in that regard too (and more informative!)

    Signed-off-by: Paul Capron <paul@fragara.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-09-29  src/kex.c: removes DES and SHA1 from mac and kex algorithms by default.  (Sahana Prasad; 1 file, -9/+10)
    Signed-off-by: Sahana Prasad <sahana@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-09-17  misc: Do not call random()  (Anderson Toshiyuki Sasaki; 1 file, -10/+13)
    Avoid calling random() and use ssh_get_random() instead.

    CID #1412376

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-09-03  Fix another memory leak on invalid nid value  (Dirkjan Bussink; 1 file, -0/+4)
    In 906cc7e7e95047981677a43743cb7c4aa2bb3aab a memory leak was fixed but a
    similar one is present here that needs a fix as well.

    Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-08-12  sftp: Fix more typos  (Jakub Jelen; 1 file, -1/+1)
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-07-16  Disable *-cbc ciphers by default  (Jakub Jelen; 1 file, -10/+13)
    OpenSSH disabled them in 2014 and 2017 for servers and clients so it's our
    turn to follow suit.

    Fixes T236

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-07-16  pki: Avoid memory leak on invalid curve NID  (Jakub Jelen; 1 file, -0/+2)
    Thanks oss-fuzz
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24166

    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-07-16  packet: Fix unterminated brace and better context name in debug message  (Jakub Jelen; 1 file, -1/+1)
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-07-16  misc: Do not confuse client/server in debug messages  (Jakub Jelen; 1 file, -1/+2)
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
    Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-06-23  channel: Do not return error if the server closed the channel  (Anderson Toshiyuki Sasaki; 1 file, -3/+4)
    If the server properly closed the channel, the client should not return
    error if it finds the channel closed.

    Fixes T231

    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-06-03  buffer: Add NULL check for 'buffer' argument  (Andreas Schneider; 1 file, -0/+4)
    Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
    Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
    Reviewed-by: Jakub Jelen <jjelen@redhat.com>