From a0707afc3e4ead3cf57122b8872b011cfe36c721 Mon Sep 17 00:00:00 2001 From: Gauravsingh Sisodia Date: Mon, 14 Jul 2025 06:04:04 +0000 Subject: [PATCH] reformat: gssapi key exchange Signed-off-by: Gauravsingh Sisodia Reviewed-by: Jakub Jelen Reviewed-by: Andreas Schneider --- include/libssh/auth.h | 64 +++---- include/libssh/gssapi.h | 14 +- include/libssh/libssh.h | 16 +- include/libssh/session.h | 22 +-- include/libssh/ssh2.h | 14 +- src/auth.c | 32 ++-- src/bind.c | 15 +- src/client.c | 16 +- src/config.c | 1 - src/dh-gss.c | 163 +++++++++++------- src/dh.c | 2 +- src/gssapi.c | 153 +++++++++------- src/kex.c | 13 +- src/messages.c | 7 +- src/options.c | 19 +- src/packet.c | 39 ++--- src/packet_cb.c | 17 +- src/server.c | 52 +++--- src/session.c | 3 +- src/wrapper.c | 4 +- tests/client/torture_gssapi_key_exchange.c | 69 ++++---- .../client/torture_gssapi_key_exchange_null.c | 25 ++- tests/fs_wrapper.c | 37 ++-- .../torture_gssapi_server_key_exchange.c | 102 +++++------ .../torture_gssapi_server_key_exchange_null.c | 31 ++-- tests/torture.c | 24 ++- tests/unittests/torture_config.c | 3 +- 27 files changed, 511 insertions(+), 446 deletions(-) diff --git a/include/libssh/auth.h b/include/libssh/auth.h index 089d6472..309930d5 100644 --- a/include/libssh/auth.h +++ b/include/libssh/auth.h 
@@ -59,38 +59,38 @@ int ssh_userauth_gssapi_keyex(ssh_session session); * what was the last response from the server */ enum ssh_auth_state_e { - /** No authentication asked */ - SSH_AUTH_STATE_NONE=0, - /** Last authentication response was a partial success */ - SSH_AUTH_STATE_PARTIAL, - /** Last authentication response was a success */ - SSH_AUTH_STATE_SUCCESS, - /** Last authentication response was failed */ - SSH_AUTH_STATE_FAILED, - /** Last authentication was erroneous */ - SSH_AUTH_STATE_ERROR, - /** Last state was a keyboard-interactive ask for info */ - SSH_AUTH_STATE_INFO, - /** Last state was a public key accepted for authentication */ - SSH_AUTH_STATE_PK_OK, - /** We asked for a keyboard-interactive authentication */ - SSH_AUTH_STATE_KBDINT_SENT, - /** We have sent an userauth request with gssapi-with-mic */ - SSH_AUTH_STATE_GSSAPI_REQUEST_SENT, - /** We are exchanging tokens until authentication */ - SSH_AUTH_STATE_GSSAPI_TOKEN, - /** We have sent the MIC and expecting to be authenticated */ - SSH_AUTH_STATE_GSSAPI_MIC_SENT, - /** We have offered a pubkey to check if it is supported */ - SSH_AUTH_STATE_PUBKEY_OFFER_SENT, - /** We have sent pubkey and signature expecting to be authenticated */ - SSH_AUTH_STATE_PUBKEY_AUTH_SENT, - /** We have sent a password expecting to be authenticated */ - SSH_AUTH_STATE_PASSWORD_AUTH_SENT, - /** We have sent a request without auth information (method 'none') */ - SSH_AUTH_STATE_AUTH_NONE_SENT, - /** We have sent the MIC and expecting to be authenticated */ - SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT, + /** No authentication asked */ + SSH_AUTH_STATE_NONE = 0, + /** Last authentication response was a partial success */ + SSH_AUTH_STATE_PARTIAL, + /** Last authentication response was a success */ + SSH_AUTH_STATE_SUCCESS, + /** Last authentication response was failed */ + SSH_AUTH_STATE_FAILED, + /** Last authentication was erroneous */ + SSH_AUTH_STATE_ERROR, + /** Last state was a keyboard-interactive ask for info */ + 
SSH_AUTH_STATE_INFO, + /** Last state was a public key accepted for authentication */ + SSH_AUTH_STATE_PK_OK, + /** We asked for a keyboard-interactive authentication */ + SSH_AUTH_STATE_KBDINT_SENT, + /** We have sent an userauth request with gssapi-with-mic */ + SSH_AUTH_STATE_GSSAPI_REQUEST_SENT, + /** We are exchanging tokens until authentication */ + SSH_AUTH_STATE_GSSAPI_TOKEN, + /** We have sent the MIC and expecting to be authenticated */ + SSH_AUTH_STATE_GSSAPI_MIC_SENT, + /** We have offered a pubkey to check if it is supported */ + SSH_AUTH_STATE_PUBKEY_OFFER_SENT, + /** We have sent pubkey and signature expecting to be authenticated */ + SSH_AUTH_STATE_PUBKEY_AUTH_SENT, + /** We have sent a password expecting to be authenticated */ + SSH_AUTH_STATE_PASSWORD_AUTH_SENT, + /** We have sent a request without auth information (method 'none') */ + SSH_AUTH_STATE_AUTH_NONE_SENT, + /** We have sent the MIC and expecting to be authenticated */ + SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT, }; /** @internal diff --git a/include/libssh/gssapi.h b/include/libssh/gssapi.h index 578ec1d6..0ab5e2aa 100644 --- a/include/libssh/gssapi.h +++ b/include/libssh/gssapi.h @@ -29,8 +29,7 @@ /* all OID begin with the tag identifier + length */ #define SSH_OID_TAG 06 -#define GSSAPI_KEY_EXCHANGE_SUPPORTED \ - "gss-group14-sha256-,gss-group16-sha512-," +#define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-,gss-group16-sha512-," typedef struct ssh_gssapi_struct *ssh_gssapi; 
@@ -82,15 +81,16 @@ int ssh_gssapi_client_identity(ssh_session session, gss_OID_set *valid_oids); char *ssh_gssapi_name_to_char(gss_name_t name); int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host); OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi, - gss_buffer_desc *input_token, - gss_buffer_desc *output_token, - OM_uint32 *ret_flags); + gss_buffer_desc *input_token, + gss_buffer_desc *output_token, + OM_uint32 *ret_flags); char *ssh_gssapi_oid_hash(ssh_string oid); -char *ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs); +char *ssh_gssapi_kex_mechs(ssh_session session); int ssh_gssapi_check_client_config(ssh_session session); ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context); -int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf); +int ssh_gssapi_auth_keyex_mic(ssh_session session, + gss_buffer_desc *mic_token_buf); #ifdef __cplusplus } diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h index a0d28d0f..56ea8f1b 100644 --- a/include/libssh/libssh.h +++ b/include/libssh/libssh.h @@ -152,14 +152,14 @@ enum ssh_auth_e { }; /* auth flags */ -#define SSH_AUTH_METHOD_UNKNOWN 0x0000u -#define SSH_AUTH_METHOD_NONE 0x0001u -#define SSH_AUTH_METHOD_PASSWORD 0x0002u -#define SSH_AUTH_METHOD_PUBLICKEY 0x0004u -#define SSH_AUTH_METHOD_HOSTBASED 0x0008u -#define SSH_AUTH_METHOD_INTERACTIVE 0x0010u -#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020u -#define SSH_AUTH_METHOD_GSSAPI_KEYEX 0x0040u +#define SSH_AUTH_METHOD_UNKNOWN 0x0000u +#define SSH_AUTH_METHOD_NONE 0x0001u +#define SSH_AUTH_METHOD_PASSWORD 0x0002u +#define SSH_AUTH_METHOD_PUBLICKEY 0x0004u +#define SSH_AUTH_METHOD_HOSTBASED 0x0008u +#define SSH_AUTH_METHOD_INTERACTIVE 0x0010u +#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020u +#define SSH_AUTH_METHOD_GSSAPI_KEYEX 0x0040u /* messages */ enum ssh_requests_e { diff --git a/include/libssh/session.h b/include/libssh/session.h index 53b608aa..e171b683 100644 
--- a/include/libssh/session.h +++ b/include/libssh/session.h @@ -58,17 +58,17 @@ enum ssh_dh_state_e { }; enum ssh_pending_call_e { - SSH_PENDING_CALL_NONE = 0, - SSH_PENDING_CALL_CONNECT, - SSH_PENDING_CALL_AUTH_NONE, - SSH_PENDING_CALL_AUTH_PASSWORD, - SSH_PENDING_CALL_AUTH_OFFER_PUBKEY, - SSH_PENDING_CALL_AUTH_PUBKEY, - SSH_PENDING_CALL_AUTH_AGENT, - SSH_PENDING_CALL_AUTH_KBDINT_INIT, - SSH_PENDING_CALL_AUTH_KBDINT_SEND, - SSH_PENDING_CALL_AUTH_GSSAPI_MIC, - SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX + SSH_PENDING_CALL_NONE = 0, + SSH_PENDING_CALL_CONNECT, + SSH_PENDING_CALL_AUTH_NONE, + SSH_PENDING_CALL_AUTH_PASSWORD, + SSH_PENDING_CALL_AUTH_OFFER_PUBKEY, + SSH_PENDING_CALL_AUTH_PUBKEY, + SSH_PENDING_CALL_AUTH_AGENT, + SSH_PENDING_CALL_AUTH_KBDINT_INIT, + SSH_PENDING_CALL_AUTH_KBDINT_SEND, + SSH_PENDING_CALL_AUTH_GSSAPI_MIC, + SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX }; /* libssh calls may block an undefined amount of time */ diff --git a/include/libssh/ssh2.h b/include/libssh/ssh2.h index 65f6eef1..71cb8d0d 100644 --- a/include/libssh/ssh2.h +++ b/include/libssh/ssh2.h @@ -39,13 +39,13 @@ #define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65 #define SSH2_MSG_USERAUTH_GSSAPI_MIC 66 -#define SSH2_MSG_KEXGSS_INIT 30 -#define SSH2_MSG_KEXGSS_CONTINUE 31 -#define SSH2_MSG_KEXGSS_COMPLETE 32 -#define SSH2_MSG_KEXGSS_HOSTKEY 33 -#define SSH2_MSG_KEXGSS_ERROR 34 -#define SSH2_MSG_KEXGSS_GROUPREQ 40 -#define SSH2_MSG_KEXGSS_GROUP 41 +#define SSH2_MSG_KEXGSS_INIT 30 +#define SSH2_MSG_KEXGSS_CONTINUE 31 +#define SSH2_MSG_KEXGSS_COMPLETE 32 +#define SSH2_MSG_KEXGSS_HOSTKEY 33 +#define SSH2_MSG_KEXGSS_ERROR 34 +#define SSH2_MSG_KEXGSS_GROUPREQ 40 +#define SSH2_MSG_KEXGSS_GROUP 41 #define SSH2_MSG_GLOBAL_REQUEST 80 #define SSH2_MSG_REQUEST_SUCCESS 81 diff --git a/src/auth.c b/src/auth.c index 3882b435..071730b1 100644 --- a/src/auth.c +++ b/src/auth.c 
@@ -32,20 +32,19 @@ #include #endif -#include "libssh/priv.h" -#include "libssh/crypto.h" -#include "libssh/ssh2.h" -#include "libssh/buffer.h" #include "libssh/agent.h" +#include "libssh/auth.h" +#include "libssh/buffer.h" +#include "libssh/crypto.h" +#include "libssh/gssapi.h" +#include "libssh/keys.h" +#include "libssh/legacy.h" #include "libssh/misc.h" #include "libssh/packet.h" -#include "libssh/session.h" -#include "libssh/keys.h" -#include "libssh/auth.h" #include "libssh/pki.h" -#include "libssh/gssapi.h" -#include "libssh/legacy.h" -#include "libssh/gssapi.h" +#include "libssh/priv.h" +#include "libssh/session.h" +#include "libssh/ssh2.h" /** * @defgroup libssh_auth The SSH authentication functions @@ -2476,16 +2475,16 @@ int ssh_userauth_gssapi_keyex(ssh_session session) OM_uint32 min_stat; gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; - switch(session->pending_call_state) { + switch (session->pending_call_state) { case SSH_PENDING_CALL_NONE: break; case SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX: goto pending; default: ssh_set_error(session, - SSH_FATAL, - "Wrong state (%d) during pending SSH call", - session->pending_call_state); + SSH_FATAL, + "Wrong state (%d) during pending SSH call", + session->pending_call_state); return SSH_ERROR; } @@ -2493,7 +2492,8 @@ int ssh_userauth_gssapi_keyex(ssh_session session) if (!ssh_kex_is_gss(session->current_crypto)) { ssh_set_error(session, SSH_FATAL, - "Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key exchange."); + "Attempt to authenticate with gssapi-keyex without " + "doing GSSAPI Key exchange."); return SSH_ERROR; } @@ -2546,7 +2546,7 @@ pending: session->pending_call_state = SSH_PENDING_CALL_NONE; } #else - (void) session; /* unused */ + (void)session; /* unused */ #endif return rc; } diff --git a/src/bind.c b/src/bind.c index 5b419e46..3063019d 100644 --- a/src/bind.c +++ b/src/bind.c 
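Review bot: The literal in the `ssh_kex_is_gss` guard of `ssh_userauth_gssapi_keyex` changed content, not only layout: the escaped quotes around gssapi-keyex were dropped when the string was split across two lines, so this hunk alters a user-visible error message in a commit described as a reformat. Either keep the original text across the split, `"Attempt to authenticate with \"gssapi-keyex\" without "` / `"doing GSSAPI Key exchange."`, or mention the wording change in the commit message so anyone matching on the old text is not surprised. The rest of ssh_userauth_gssapi_keyex lies outside the hunk.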
@@ -247,11 +247,11 @@ int ssh_bind_listen(ssh_bind sshbind) rc = ssh_bind_import_keys(sshbind); if (rc == SSH_ERROR) { if (!sshbind->gssapi_key_exchange) { - ssh_set_error(sshbind, SSH_FATAL, - "No hostkeys found"); + ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found"); return SSH_ERROR; } - SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm"); + SSH_LOG(SSH_LOG_DEBUG, + "No hostkeys found: Using \"null\" hostkey algorithm"); } } @@ -473,7 +473,8 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) if (sshbind->gssapi_key_exchange_algs != NULL) { SAFE_FREE(session->opts.gssapi_key_exchange_algs); - session->opts.gssapi_key_exchange_algs = strdup(sshbind->gssapi_key_exchange_algs); + session->opts.gssapi_key_exchange_algs = + strdup(sshbind->gssapi_key_exchange_algs); if (session->opts.gssapi_key_exchange_algs == NULL) { ssh_set_error_oom(sshbind); return SSH_ERROR; @@ -527,11 +528,11 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) rc = ssh_bind_import_keys(sshbind); if (rc == SSH_ERROR) { if (!sshbind->gssapi_key_exchange) { - ssh_set_error(sshbind, SSH_FATAL, - "No hostkeys found"); + ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found"); return SSH_ERROR; } - SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm"); + SSH_LOG(SSH_LOG_DEBUG, + "No hostkeys found: Using \"null\" hostkey algorithm"); } } diff --git a/src/client.c b/src/client.c index 4dc5975b..760abed9 100644 --- a/src/client.c +++ b/src/client.c 
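Review bot: Both hunks in ssh_bind_listen and ssh_bind_accept_fd report the "No hostkeys found: Using \"null\" hostkey algorithm" condition at SSH_LOG_DEBUG, which is easy to miss for an operator whose server is now accepting connections with no host key and relying entirely on the GSSAPI exchange for host authentication. That is an operational condition worth surfacing at `SSH_LOG_WARN`, consistent with the other warnings in this series. The identical import-keys fallback also appears twice; a small static helper shared by both functions would keep the two from drifting. The surrounding functions continue outside the hunks.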
@@ -30,15 +30,15 @@ #include #endif -#include "libssh/priv.h" -#include "libssh/ssh2.h" #include "libssh/buffer.h" -#include "libssh/packet.h" -#include "libssh/options.h" -#include "libssh/socket.h" -#include "libssh/session.h" -#include "libssh/dh.h" #include "libssh/dh-gss.h" +#include "libssh/dh.h" +#include "libssh/options.h" +#include "libssh/packet.h" +#include "libssh/priv.h" +#include "libssh/session.h" +#include "libssh/socket.h" +#include "libssh/ssh2.h" #ifdef WITH_GEX #include "libssh/dh-gex.h" #endif /* WITH_GEX */ @@ -267,7 +267,7 @@ int dh_handshake(ssh_session session) switch (session->dh_handshake_state) { case DH_STATE_INIT: - switch(session->next_crypto->kex_type){ + switch (session->next_crypto->kex_type) { #ifdef WITH_GSSAPI case SSH_GSS_KEX_DH_GROUP14_SHA256: case SSH_GSS_KEX_DH_GROUP16_SHA512: diff --git a/src/config.c b/src/config.c index 6edbcfdf..18b1db52 100644 --- a/src/config.c +++ b/src/config.c @@ -1560,7 +1560,6 @@ static int ssh_config_parse_line_internal(ssh_session session, } break; case SOC_GSSAPIKEYEXCHANGE: { - bool b = false; i = ssh_config_get_yesno(&s, -1); CHECK_COND_OR_FAIL(i < 0, "Invalid argument"); if (*parsing) { diff --git a/src/dh-gss.c b/src/dh-gss.c index c890d99e..88d55082 100644 --- a/src/dh-gss.c +++ b/src/dh-gss.c @@ -23,22 +23,22 @@ #include "config.h" -#include -#include -#include #include "libssh/gssapi.h" +#include +#include +#include -#include "libssh/priv.h" -#include "libssh/crypto.h" #include "libssh/buffer.h" -#include "libssh/session.h" -#include "libssh/dh.h" -#include "libssh/ssh2.h" +#include "libssh/crypto.h" #include "libssh/dh-gss.h" +#include "libssh/dh.h" +#include "libssh/priv.h" +#include "libssh/session.h" +#include "libssh/ssh2.h" static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply); -static ssh_packet_callback gss_dh_client_callbacks[]= { +static ssh_packet_callback gss_dh_client_callbacks[] = { ssh_packet_client_gss_dh_reply }; 
@@ -51,7 +51,7 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callbacks = { static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey); -static ssh_packet_callback gss_dh_client_callback_hostkey[]= { +static ssh_packet_callback gss_dh_client_callback_hostkey[] = { ssh_packet_client_gss_dh_hostkey }; @@ -65,7 +65,8 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callback_hostkey = { /** @internal * @brief Starts gssapi key exchange */ -int ssh_client_gss_dh_init(ssh_session session){ +int ssh_client_gss_dh_init(ssh_session session) +{ struct ssh_crypto_struct *crypto = session->next_crypto; #if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L const_bignum pubkey; @@ -73,7 +74,8 @@ int ssh_client_gss_dh_init(ssh_session session){ bignum pubkey = NULL; #endif /* OPENSSL_VERSION_NUMBER */ int rc; - gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */ + /* oid selected for authentication */ + gss_OID_set selected = GSS_C_NO_OID_SET; OM_uint32 maj_stat, min_stat; const char *gss_host = session->opts.host; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; @@ -89,7 +91,10 @@ int ssh_client_gss_dh_init(ssh_session session){ if (rc == SSH_ERROR) { goto error; } - rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &pubkey); + rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, + DH_CLIENT_KEYPAIR, + NULL, + &pubkey); if (rc != SSH_OK) { goto error; } @@ -114,7 +119,10 @@ int ssh_client_gss_dh_init(ssh_session session){ } session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG; - maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags); + maj_stat = ssh_gssapi_init_ctx(session->gssapi, + &input_token, + &output_token, + &oflags); gss_release_oid_set(&min_stat, &selected); if (GSS_ERROR(maj_stat)) { ssh_gssapi_log_error(SSH_LOG_WARN, 
@@ -124,16 +132,18 @@ int ssh_client_gss_dh_init(ssh_session session){ goto error; } if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) { - SSH_LOG(SSH_LOG_WARN, "GSSAPI(init) integrity and mutual flags were not set"); + SSH_LOG(SSH_LOG_WARN, + "GSSAPI(init) integrity and mutual flags were not set"); goto error; } - rc = ssh_buffer_pack(session->out_buffer, "bdPB", - SSH2_MSG_KEXGSS_INIT, - output_token.length, - (size_t)output_token.length, - output_token.value, - pubkey); + rc = ssh_buffer_pack(session->out_buffer, + "bdPB", + SSH2_MSG_KEXGSS_INIT, + output_token.length, + (size_t)output_token.length, + output_token.value, + pubkey); if (rc != SSH_OK) { goto error; } @@ -167,8 +177,9 @@ void ssh_client_gss_dh_remove_callback_hostkey(ssh_session session) ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey); } -SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){ - struct ssh_crypto_struct *crypto=session->next_crypto; +SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply) +{ + struct ssh_crypto_struct *crypto = session->next_crypto; ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL; uint8_t b; bignum server_pubkey; 
@@ -183,25 +194,25 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){ ssh_client_gss_dh_remove_callbacks(session); - rc = ssh_buffer_unpack(packet, - "BSbS", - &server_pubkey, - &mic, - &b, - &otoken); + rc = ssh_buffer_unpack(packet, "BSbS", &server_pubkey, &mic, &b, &otoken); if (rc == SSH_ERROR) { goto error; } session->gssapi_key_exchange_mic = mic; input_token.length = ssh_string_len(otoken); input_token.value = ssh_string_data(otoken); - maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags); + maj_stat = ssh_gssapi_init_ctx(session->gssapi, + &input_token, + &output_token, + &oflags); if (maj_stat != GSS_S_COMPLETE) { goto error; } SSH_STRING_FREE(otoken); - rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR, - NULL, server_pubkey); + rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, + DH_SERVER_KEYPAIR, + NULL, + server_pubkey); if (rc != SSH_OK) { SSH_STRING_FREE(pubkey_blob); bignum_safe_free(server_pubkey); @@ -209,10 +220,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){ } rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx, - DH_CLIENT_KEYPAIR, DH_SERVER_KEYPAIR, - &session->next_crypto->shared_secret); + DH_CLIENT_KEYPAIR, + DH_SERVER_KEYPAIR, + &session->next_crypto->shared_secret); ssh_dh_debug_crypto(session->next_crypto); - if (rc == SSH_ERROR){ + if (rc == SSH_ERROR) { ssh_set_error(session, SSH_FATAL, "Could not generate shared secret"); goto error; } @@ -226,11 +238,12 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){ return SSH_PACKET_USED; error: ssh_dh_cleanup(session->next_crypto); - session->session_state=SSH_SESSION_STATE_ERROR; + session->session_state = SSH_SESSION_STATE_ERROR; return SSH_PACKET_USED; } -SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) { +SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) +{ ssh_string pubkey_blob = NULL; int rc; 
@@ -239,11 +252,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) { ssh_client_gss_dh_remove_callback_hostkey(session); - rc = ssh_buffer_unpack(packet, - "S", - &pubkey_blob); + rc = ssh_buffer_unpack(packet, "S", &pubkey_blob); if (rc == SSH_ERROR) { - ssh_set_error(session, SSH_FATAL, "Invalid SSH2_MSG_KEXGSS_HOSTKEY packet"); + ssh_set_error(session, + SSH_FATAL, + "Invalid SSH2_MSG_KEXGSS_HOSTKEY packet"); goto error; } @@ -256,7 +269,7 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) { return SSH_PACKET_USED; error: ssh_dh_cleanup(session->next_crypto); - session->session_state=SSH_SESSION_STATE_ERROR; + session->session_state = SSH_SESSION_STATE_ERROR; return SSH_PACKET_USED; } @@ -272,13 +285,13 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_server_callbacks = { .start = SSH2_MSG_KEXGSS_INIT, .n_callbacks = 1, .callbacks = gss_dh_server_callbacks, - .user = NULL -}; + .user = NULL}; /** @internal * @brief sets up the gssapi kex callbacks */ -void ssh_server_gss_dh_init(ssh_session session){ +void ssh_server_gss_dh_init(ssh_session session) +{ /* register the packet callbacks */ ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks); @@ -307,7 +320,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) ssh_string server_pubkey_blob = NULL; OM_uint32 maj_stat, min_stat; gss_name_t client_name = GSS_C_NO_NAME; - OM_uint32 ret_flags=0; + OM_uint32 ret_flags = 0; gss_buffer_desc mic = GSS_C_EMPTY_BUFFER, msg = GSS_C_EMPTY_BUFFER; char hostname[NI_MAXHOST] = {0}; char err_msg[SSH_ERRNO_MSG_MAX] = {0}; @@ -326,8 +339,10 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) goto error; } - rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, - NULL, client_pubkey); + rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, + DH_CLIENT_KEYPAIR, + NULL, + client_pubkey); if (rc != SSH_OK) { bignum_safe_free(client_pubkey); goto error; 
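Review bot: The closing brace of ssh_gss_dh_server_callbacks was folded onto the last initializer, `.user = NULL};`, which is the formatter's reaction to a missing trailing comma rather than a deliberate layout. Writing `.user = NULL,` followed by `};` on its own line keeps the brace where the other designated-initializer tables in this file appear to have it and makes future additions a one-line diff. This applies only to the `@@ -272,13 +285,13` hunk; the other hunks on this line are brace and spacing fixes.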
@@ -339,7 +354,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) } rc = ssh_dh_compute_shared_secret(crypto->dh_ctx, - DH_SERVER_KEYPAIR, DH_CLIENT_KEYPAIR, + DH_SERVER_KEYPAIR, + DH_CLIENT_KEYPAIR, &crypto->shared_secret); ssh_dh_debug_crypto(crypto); if (rc == SSH_ERROR) { @@ -358,7 +374,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) } if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) { - rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob); + rc = + ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob); if (rc != SSH_OK) { goto error; } @@ -366,7 +383,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) "bS", SSH2_MSG_KEXGSS_HOSTKEY, server_pubkey_blob); - if(rc != SSH_OK) { + if (rc != SSH_OK) { ssh_set_error_oom(session); ssh_buffer_reinit(session->out_buffer); goto error; @@ -380,9 +397,11 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) SSH_STRING_FREE(server_pubkey_blob); } - rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR, - NULL, &server_pubkey); - if (rc != SSH_OK){ + rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, + DH_SERVER_KEYPAIR, + NULL, + &server_pubkey); + if (rc != SSH_OK) { goto error; } @@ -404,9 +423,14 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) goto error; } - maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &session->gssapi->server_creds, NULL, NULL); + maj_stat = gss_acquire_cred(&min_stat, + session->gssapi->client.server_name, + 0, + GSS_C_NO_OID_SET, + GSS_C_ACCEPT, + &session->gssapi->server_creds, + NULL, + NULL); if (maj_stat != GSS_S_COMPLETE) { ssh_gssapi_log_error(SSH_LOG_TRACE, "acquiring credentials", 
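Review bot: In the `@@ -358,7 +374,8` hunk of ssh_server_gss_dh_process_init, `strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0` is a prefix test, so any negotiated host key name beginning with "null" would be treated as the null host key and the SSH2_MSG_KEXGSS_HOSTKEY message would be skipped; whether such a name can currently be negotiated I cannot tell from here. Since the negotiated method is an exact token, `if (strcmp(crypto->kex_methods[SSH_HOSTKEYS], "null") != 0) {` states the intent and closes the gap. The formatter's split `rc =` / `ssh_dh_get_next_server_publickey_blob(...)` in the same hunk reads awkwardly; a shorter local such as `blob` for the out-parameter would let the call fit on one line. The function continues on both sides of the hunk.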
@@ -415,9 +439,17 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) goto error; } - maj_stat = gss_accept_sec_context(&min_stat, &session->gssapi->ctx, session->gssapi->server_creds, - &input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL /*mech_oid*/, &output_token, &ret_flags, - NULL /*time*/, &session->gssapi->client_creds); + maj_stat = gss_accept_sec_context(&min_stat, + &session->gssapi->ctx, + session->gssapi->server_creds, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, + NULL /*mech_oid*/, + &output_token, + &ret_flags, + NULL /*time*/, + &session->gssapi->client_creds); if (GSS_ERROR(maj_stat)) { ssh_gssapi_log_error(SSH_LOG_DEBUG, "accepting token failed", @@ -428,7 +460,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) SSH_STRING_FREE(otoken); gss_release_name(&min_stat, &client_name); if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) { - SSH_LOG(SSH_LOG_WARN, "GSSAPI(accept) integrity and mutual flags were not set"); + SSH_LOG(SSH_LOG_WARN, + "GSSAPI(accept) integrity and mutual flags were not set"); goto error; } SSH_LOG(SSH_LOG_DEBUG, "token accepted"); @@ -448,7 +481,6 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) goto error; } - rc = ssh_buffer_pack(session->out_buffer, "bBdPbdP", SSH2_MSG_KEXGSS_COMPLETE, @@ -463,7 +495,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) #if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L bignum_safe_free(server_pubkey); #endif - if(rc != SSH_OK) { + if (rc != SSH_OK) { ssh_set_error_oom(session); ssh_buffer_reinit(session->out_buffer); goto error; 
@@ -478,7 +510,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet) } SSH_LOG(SSH_LOG_DEBUG, "Sent SSH2_MSG_KEXGSS_COMPLETE"); - session->dh_handshake_state=DH_STATE_NEWKEYS_SENT; + session->dh_handshake_state = DH_STATE_NEWKEYS_SENT; /* Send the MSG_NEWKEYS */ rc = ssh_packet_send_newkeys(session); if (rc == SSH_ERROR) { @@ -501,7 +533,8 @@ error: * @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete * Diffie-Hellman key exchange **/ -static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init){ +static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init) +{ (void)type; (void)user; SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT"); diff --git a/src/dh.c b/src/dh.c index b688ca85..c04418dd 100644 --- a/src/dh.c +++ b/src/dh.c @@ -27,8 +27,8 @@ #include #ifdef WITH_GSSAPI -#include #include "libssh/gssapi.h" +#include #endif #include "libssh/priv.h" diff --git a/src/gssapi.c b/src/gssapi.c index 2c1bdb0f..36dc675c 100644 --- a/src/gssapi.c +++ b/src/gssapi.c @@ -21,23 +21,23 @@ #include "config.h" +#include #include #include -#include #ifdef HAVE_UNISTD_H #include #endif #include +#include +#include +#include #include #include -#include -#include -#include -#include -#include #include +#include +#include #include static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; @@ -155,8 +155,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid) * @param[out] selected OID set of supported oids * @returns SSH_OK if successful, SSH_ERROR otherwise */ -int -ssh_gssapi_server_oids(gss_OID_set *selected) +int ssh_gssapi_server_oids(gss_OID_set *selected) { OM_uint32 maj_stat, min_stat; size_t i; 
@@ -172,11 +171,14 @@ ssh_gssapi_server_oids(gss_OID_set *selected) return SSH_ERROR; } - for (i=0; i < supported->count; ++i){ - ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length); + for (i = 0; i < supported->count; ++i) { + ptr = ssh_get_hexa(supported->elements[i].elements, + supported->elements[i].length); /* According to RFC 4462 we MUST NOT use SPNEGO */ if (supported->elements[i].length == spnego_oid.length && - memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) { + memcmp(supported->elements[i].elements, + spnego_oid.elements, + supported->elements[i].length) == 0) { SAFE_FREE(ptr); continue; } @@ -289,9 +291,14 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, return SSH_ERROR; } - maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0, - both_supported, GSS_C_ACCEPT, - &session->gssapi->server_creds, &selected, NULL); + maj_stat = gss_acquire_cred(&min_stat, + session->gssapi->client.server_name, + 0, + both_supported, + GSS_C_ACCEPT, + &session->gssapi->server_creds, + &selected, + NULL); gss_release_oid_set(&min_stat, &both_supported); if (maj_stat != GSS_S_COMPLETE) { ssh_gssapi_log_error(SSH_LOG_TRACE, @@ -477,7 +484,8 @@ ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context) rc = ssh_buffer_pack(mic_buffer, "dPbsss", crypto->session_id_len, - crypto->session_id_len, crypto->session_id, + crypto->session_id_len, + crypto->session_id, SSH2_MSG_USERAUTH_REQUEST, session->gssapi->user, "ssh-connection", @@ -655,8 +663,7 @@ fail: * * @returns the hash or NULL on error */ -char * -ssh_gssapi_oid_hash(ssh_string oid) +char *ssh_gssapi_oid_hash(ssh_string oid) { MD5CTX ctx = NULL; unsigned char *h = NULL; 
@@ -674,9 +681,7 @@ ssh_gssapi_oid_hash(ssh_string oid) return NULL; } - rc = md5_update(ctx, - ssh_string_data(oid), - ssh_string_len(oid)); + rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid)); if (rc != SSH_OK) { SAFE_FREE(h); md5_ctx_free(ctx); @@ -700,8 +705,7 @@ ssh_gssapi_oid_hash(ssh_string oid) * * @returns SSH_OK if any one of the mechanisms is configured or NULL */ -int -ssh_gssapi_check_client_config(ssh_session session) +int ssh_gssapi_check_client_config(ssh_session session) { OM_uint32 maj_stat, min_stat; size_t i; @@ -725,7 +729,7 @@ ssh_gssapi_check_client_config(ssh_session session) return SSH_ERROR; } - for (i = 0; i < supported->count; ++i){ + for (i = 0; i < supported->count; ++i) { gssapi = calloc(1, sizeof(struct ssh_gssapi_struct)); if (gssapi == NULL) { ssh_set_error_oom(session); @@ -738,7 +742,9 @@ ssh_gssapi_check_client_config(ssh_session session) /* According to RFC 4462 we MUST NOT use SPNEGO */ if (supported->elements[i].length == spnego_oid.length && - memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) { + memcmp(supported->elements[i].elements, + spnego_oid.elements, + supported->elements[i].length) == 0) { ret = SSH_ERROR; goto end; } 
@@ -750,18 +756,24 @@ ssh_gssapi_check_client_config(ssh_session session) namebuf.value = (void *)session->opts.gss_client_identity; namebuf.length = strlen(session->opts.gss_client_identity); - maj_stat = gss_import_name(&min_stat, &namebuf, - GSS_C_NT_USER_NAME, &client_id); + maj_stat = gss_import_name(&min_stat, + &namebuf, + GSS_C_NT_USER_NAME, + &client_id); if (GSS_ERROR(maj_stat)) { ret = SSH_ERROR; goto end; } } - maj_stat = gss_acquire_cred(&min_stat, client_id, GSS_C_INDEFINITE, - one_oidset, GSS_C_INITIATE, + maj_stat = gss_acquire_cred(&min_stat, + client_id, + GSS_C_INDEFINITE, + one_oidset, + GSS_C_INITIATE, &gssapi->client.creds, - NULL, NULL); + NULL, + NULL); if (GSS_ERROR(maj_stat)) { ssh_gssapi_log_error(SSH_LOG_WARN, "acquiring credential", @@ -776,7 +788,8 @@ ssh_gssapi_check_client_config(ssh_session session) goto end; } - maj_stat = ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags); + maj_stat = + ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags); if (GSS_ERROR(maj_stat)) { ssh_gssapi_log_error(SSH_LOG_WARN, "initializing context", @@ -786,14 +799,15 @@ ssh_gssapi_check_client_config(ssh_session session) goto end; } - ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length); + ptr = ssh_get_hexa(supported->elements[i].elements, + supported->elements[i].length); SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr); free(ptr); /* If atleast one mechanism is configured then return successfully */ ret = SSH_OK; -end: + end: if (ret == SSH_ERROR) { SSH_LOG(SSH_LOG_WARN, "GSSAPI not configured correctly"); } 
@@ -802,8 +816,8 @@ end: gss_release_oid_set(&min_stat, &one_oidset); gss_release_name(&min_stat, &gssapi->client.server_name); - gss_release_cred(&min_stat,&gssapi->server_creds); - gss_release_cred(&min_stat,&gssapi->client.creds); + gss_release_cred(&min_stat, &gssapi->server_creds); + gss_release_cred(&min_stat, &gssapi->client.creds); gss_release_oid(&min_stat, &gssapi->client.oid); gss_release_buffer(&min_stat, &output_token); gss_delete_sec_context(&min_stat, &gssapi->ctx, GSS_C_NO_BUFFER); @@ -909,16 +923,17 @@ end: * @param[in] session current session handler * @returns string suffixed kex algorithms or NULL on error */ -char * -ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs) +char *ssh_gssapi_kex_mechs(ssh_session session) { - size_t i,j; - gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */ + size_t i, j; + /* oid selected for authentication */ + gss_OID_set selected = GSS_C_NO_OID_SET; ssh_string *oids = NULL; int rc; size_t n_oids = 0; struct ssh_tokens_st *algs = NULL; char *oid_hash = NULL; + const char *gss_algs = session->opts.gssapi_key_exchange_algs; char *new_gss_algs = NULL; char gss_kex_algs[8000] = {0}; OM_uint32 min_stat; @@ -950,11 +965,13 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs) } /* Check if algorithms are valid */ - new_gss_algs = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs); + new_gss_algs = + ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs); if (gss_algs == NULL) { - ssh_set_error(session, - SSH_FATAL, - "GSSAPI key exchange algorithms not supported or invalid"); + ssh_set_error( + session, + SSH_FATAL, + "GSSAPI key exchange algorithms not supported or invalid"); rc = SSH_ERROR; goto out; } @@ -967,7 +984,7 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs) rc = SSH_ERROR; goto out; } - for (i=0; ielements[i].length + 2); if (oids[i] == NULL) { ssh_set_error_oom(session); 
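Review bot: In the `@@ -950,11 +965,13` hunk of ssh_gssapi_kex_mechs the NULL test that follows `ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs)` checks the input `gss_algs` rather than the result `new_gss_algs`, so a configured list containing no supported algorithm is not rejected at this point unless `new_gss_algs` is checked further down, outside the hunk; the message "GSSAPI key exchange algorithms not supported or invalid" reads as if it was written for the result, suggesting `if (new_gss_algs == NULL) {`. Separately, the `@@ -909,16 +923,17` hunk drops the `gss_algs` parameter and reads `session->opts.gssapi_key_exchange_algs` inside the function, which is an interface change that alters every caller rather than a reformat and would be easier to review as its own commit. The function continues past the last hunk on this line.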
@@ -976,8 +993,9 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs) } ((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG; ((unsigned char *)oids[i]->data)[1] = selected->elements[i].length; - memcpy((unsigned char *)oids[i]->data + 2, selected->elements[i].elements, - selected->elements[i].length); + memcpy((unsigned char *)oids[i]->data + 2, + selected->elements[i].elements, + selected->elements[i].length); /* Get the algorithm suffix */ oid_hash = ssh_gssapi_oid_hash(oids[i]); @@ -991,17 +1009,17 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs) * the algorithms to a string */ for (j = 0; algs->tokens[j]; j++) { if (sizeof(gss_kex_algs) < offset) { - ssh_set_error(session, - SSH_FATAL, - "snprintf failed"); + ssh_set_error(session, SSH_FATAL, "snprintf failed"); rc = SSH_ERROR; goto out; } - rc = snprintf(&gss_kex_algs[offset], sizeof(gss_kex_algs)-offset, "%s%s,", algs->tokens[j], oid_hash); + rc = snprintf(&gss_kex_algs[offset], + sizeof(gss_kex_algs) - offset, + "%s%s,", + algs->tokens[j], + oid_hash); if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) { - ssh_set_error(session, - SSH_FATAL, - "snprintf failed"); + ssh_set_error(session, SSH_FATAL, "snprintf failed"); rc = SSH_ERROR; goto out; } @@ -1028,8 +1046,7 @@ out: return strdup(gss_kex_algs); } -int -ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host) +int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host) { gss_buffer_desc hostname; char name_buf[256] = {0}; @@ -1055,11 +1072,10 @@ ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host) return maj_stat; } -OM_uint32 -ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi, - gss_buffer_desc *input_token, - gss_buffer_desc *output_token, - OM_uint32 *ret_flags) +OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi, + gss_buffer_desc *input_token, + gss_buffer_desc *output_token, + OM_uint32 *ret_flags) { OM_uint32 maj_stat, min_stat; 
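Review bot: The truncation check after the `snprintf` in the `@@ -991` hunk compares `rc` against the whole buffer (`rc >= (ssize_t)sizeof(gss_kex_algs)`) although the call was bounded by `sizeof(gss_kex_algs) - offset`, so a truncated write in the last iteration is not detected and `strdup(gss_kex_algs)` returns a list whose final algorithm name is cut short; the `sizeof(gss_kex_algs) < offset` guard at the top of the loop only catches the overrun on the following iteration. The check should be `if (rc < 0 || (size_t)rc >= sizeof(gss_kex_algs) - offset) {`. Separately, in the `@@ -976` hunk `selected->elements[i].length` is written into a single length byte after `SSH_OID_TAG`; this is fine for the short mechanism OIDs in use, but if a length of 128 or more can ever reach this code the single-byte encoding is wrong, so a bound check or a comment stating the assumption would help. The enclosing function starts and ends outside these hunks.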
@@ -1175,7 +1191,9 @@ out: * @returns SSH_ERROR: A serious error happened\n * SSH_OK: MIC token is stored in mic_token_buf */ -int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf) { +int ssh_gssapi_auth_keyex_mic(ssh_session session, + gss_buffer_desc *mic_token_buf) +{ ssh_buffer buf = NULL; gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; OM_uint32 maj_stat, min_stat; @@ -1189,8 +1207,11 @@ int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_bu mic_buf.length = ssh_buffer_get_len(buf); mic_buf.value = ssh_buffer_get(buf); - maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT, - &mic_buf, mic_token_buf); + maj_stat = gss_get_mic(&min_stat, + session->gssapi->ctx, + GSS_C_QOP_DEFAULT, + &mic_buf, + mic_token_buf); if (GSS_ERROR(maj_stat)) { ssh_gssapi_log_error(SSH_LOG_DEBUG, "generating MIC", @@ -1273,8 +1294,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ session->gssapi->client.flags |= GSS_C_DELEG_FLAG; } - maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); - if (GSS_ERROR(maj_stat)){ + maj_stat = + ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); + if (GSS_ERROR(maj_stat)) { goto error; } @@ -1380,7 +1402,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) input_token.length = ssh_string_len(token); input_token.value = ssh_string_data(token); - maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); + maj_stat = + ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); if (GSS_ERROR(maj_stat)) { goto error; } diff --git a/src/kex.c b/src/kex.c index d7dfac35..c0d228e9 100644 --- a/src/kex.c +++ b/src/kex.c 
@@ -825,14 +825,15 @@ int ssh_set_client_kex(ssh_session session)
 return SSH_ERROR;
 }
- gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
+ gssapi_algs = ssh_gssapi_kex_mechs(session);
 if (gssapi_algs == NULL) {
 return SSH_ERROR;
 }
 /* Prefix the default algorithms with gsskex algs */
 session->opts.wanted_methods[SSH_KEX] =
- ssh_prefix_without_duplicates(default_methods[SSH_KEX], gssapi_algs);
+ ssh_prefix_without_duplicates(default_methods[SSH_KEX],
+ gssapi_algs);
 gssapi_null_alg = true;
@@ -853,7 +854,8 @@ int ssh_set_client_kex(ssh_session session)
 return SSH_ERROR;
 }
 if (gssapi_null_alg) {
- hostkeys = ssh_append_without_duplicates(client->methods[i], "null");
+ hostkeys =
+ ssh_append_without_duplicates(client->methods[i], "null");
 if (hostkeys == NULL) {
 ssh_set_error_oom(session);
 return SSH_ERROR;
@@ -1490,7 +1492,7 @@ int ssh_make_sessionid(ssh_session session)
 if (server_pubkey_blob == NULL) {
 if ((session->server && ssh_kex_is_gss(session->next_crypto)) ||
- session->opts.gssapi_key_exchange) {
+ session->opts.gssapi_key_exchange) {
 server_pubkey_blob = ssh_string_new(0);
 if (server_pubkey_blob == NULL) {
 ssh_set_error_oom(session);
@@ -2036,8 +2038,7 @@ error:
 * @param[in] crypto The SSH crypto context
 * @return true if the KEX of the context is a GSSAPI KEX, false otherwise
 */
-bool
-ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
+bool ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
 {
 switch (crypto->kex_type) {
 case SSH_GSS_KEX_DH_GROUP14_SHA256:
diff --git a/src/messages.c b/src/messages.c
index 9d55a5ec..ce0bc7a5 100644
--- a/src/messages.c
+++ b/src/messages.c
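Review bot: In the `@@ -1490` hunk of ssh_make_sessionid the condition that substitutes an empty host-key blob is asymmetric: the server side requires the negotiated KEX to be a GSSAPI one, but the client side only requires the `gssapi_key_exchange` option to be set, so on a client with the option enabled a missing `server_pubkey_blob` is silently replaced by an empty string even when a non-GSS KEX was negotiated, which would otherwise be an error. Unless there is a reason the client cannot read `next_crypto` at this point, both sides can use the same test: `if (ssh_kex_is_gss(session->next_crypto)) {`. The function body continues outside the hunk, so I cannot see how the empty blob is consumed.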
@@ -1157,13 +1157,14 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request) if (!ssh_kex_is_gss(session->current_crypto)) { ssh_set_error(session, SSH_FATAL, - "Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key Exchange"); + "Attempt to authenticate with gssapi-keyex without " + "doing GSSAPI Key Exchange."); ssh_auth_reply_default(session, 0); goto error; } rc = ssh_buffer_unpack(packet, "S", &mic_token_string); - if (rc != SSH_OK){ + if (rc != SSH_OK) { ssh_auth_reply_default(session, 0); goto error; } @@ -1190,7 +1191,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request) if (maj_stat != GSS_S_COMPLETE) { ssh_set_error(session, SSH_FATAL, - "Failed to verify MIC for \"gssapi-keyex\" auth"); + "Failed to verify MIC for gssapi-keyex auth"); SSH_BUFFER_FREE(buf); SSH_STRING_FREE(mic_token_string); ssh_auth_reply_default(session, 0); diff --git a/src/options.c b/src/options.c index 932becbc..7bb9ed45 100644 --- a/src/options.c +++ b/src/options.c @@ -1278,11 +1278,13 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type, return -1; } else { /* Check if algorithms are supported */ - char *ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v); + char *ret = + ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v); if (ret == NULL) { ssh_set_error(session, SSH_FATAL, - "GSSAPI key exchange algorithms not supported or invalid"); + "GSSAPI key exchange algorithms not " + "supported or invalid"); return -1; } SAFE_FREE(session->opts.gssapi_key_exchange_algs); 
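Review bot: The reworded error in the first messages.c hunk ends with a period (`"doing GSSAPI Key Exchange."`) while the message in the second hunk (`"Failed to verify MIC for gssapi-keyex auth"`) and the other `ssh_set_error` strings touched by this commit do not; since these strings are surfaced to callers through ssh_get_error, dropping the trailing period keeps the wording uniform. The enclosing packet callback starts and ends outside both hunks.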
@@ -2332,9 +2334,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind, * false to disable GSSAPI key exchange. (bool) * * - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS - * Set the GSSAPI key exchange method to be used (const char *, - * comma-separated list). ex: - * "gss-group14-sha256-,gss-group16-sha512-" + * Set the GSSAPI key exchange method to be used + * (const char *, comma-separated list). + * ex: "gss-group14-sha256-,gss-group16-sha512-" * * @param value The value to set. This is a generic pointer and the * datatype which should be used is described at the @@ -2751,9 +2753,10 @@ ssh_bind_options_set(ssh_bind sshbind, SAFE_FREE(sshbind->gssapi_key_exchange_algs); ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value); if (ret == NULL) { - ssh_set_error(sshbind, - SSH_REQUEST_DENIED, - "GSSAPI key exchange algorithms not supported or invalid"); + ssh_set_error( + sshbind, + SSH_REQUEST_DENIED, + "GSSAPI key exchange algorithms not supported or invalid"); return -1; } sshbind->gssapi_key_exchange_algs = ret; diff --git a/src/packet.c b/src/packet.c index 7a9bff4d..99a35b74 100644 --- a/src/packet.c +++ b/src/packet.c @@ -428,15 +428,15 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se /* Client only */ /* - * States required: - * - session_state == SSH_SESSION_STATE_DH - * - dh_handshake_state == DH_STATE_INIT_SENT - * - * Transitions: - * - session->dh_handshake_state = DH_STATE_INIT_SENT - * then calls ssh_packet_client_gss_dh_reply which triggers: - * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT - * */ + * States required: + * - session_state == SSH_SESSION_STATE_DH + * - dh_handshake_state == DH_STATE_INIT_SENT + * + * Transitions: + * - session->dh_handshake_state = DH_STATE_INIT_SENT + * then calls ssh_packet_client_gss_dh_reply which triggers: + * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT + * */ if (!session->client) { rc = SSH_PACKET_DENIED; 
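Review bot: In the `@@ -2751` hunk of ssh_bind_options_set, `SAFE_FREE(sshbind->gssapi_key_exchange_algs)` runs before `ssh_find_all_matching` validates `value`, so an invalid list returns -1 having already destroyed the previously configured algorithms and left the bind with a NULL list; the session-side code in ssh_options_set (hunk `@@ -1278` on the previous line) validates first and frees only on success. Moving the `SAFE_FREE` to just before `sshbind->gssapi_key_exchange_algs = ret;` makes the bind path behave the same way and keeps the old configuration on a rejected value. The enclosing function starts and ends outside the hunk.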
@@ -457,15 +457,15 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se /* Server only */ /* - * States required: - * - session_state == SSH_SESSION_STATE_DH - * - dh_handshake_state == DH_STATE_GROUP_SENT - * - * Transitions: - * - session->dh_handshake_state = DH_STATE_GROUP_SENT - * then calls ssh_packet_server_dhgex_init which triggers: - * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT - * */ + * States required: + * - session_state == SSH_SESSION_STATE_DH + * - dh_handshake_state == DH_STATE_GROUP_SENT + * + * Transitions: + * - session->dh_handshake_state = DH_STATE_GROUP_SENT + * then calls ssh_packet_server_dhgex_init which triggers: + * - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT + * */ if (session->client) { rc = SSH_PACKET_DENIED; @@ -657,8 +657,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se (session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) && (session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) && (session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) && - (session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) - { + (session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) { rc = SSH_PACKET_DENIED; break; } diff --git a/src/packet_cb.c b/src/packet_cb.c index f0b597f8..13d34ee4 100644 --- a/src/packet_cb.c +++ b/src/packet_cb.c @@ -28,8 +28,8 @@ #include #endif #ifdef WITH_GSSAPI -#include #include "libssh/gssapi.h" +#include #endif #include "libssh/priv.h" 
@@ -226,14 +226,15 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys) /* Check if signature from server matches user preferences */ if (session->opts.wanted_methods[SSH_HOSTKEYS]) { rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS], - sig->type_c); + sig->type_c); if (rc == 0) { - ssh_set_error(session, - SSH_FATAL, - "Public key from server (%s) doesn't match user " - "preference (%s)", - sig->type_c, - session->opts.wanted_methods[SSH_HOSTKEYS]); + ssh_set_error( + session, + SSH_FATAL, + "Public key from server (%s) doesn't match user " + "preference (%s)", + sig->type_c, + session->opts.wanted_methods[SSH_HOSTKEYS]); goto error; } } diff --git a/src/server.c b/src/server.c index d984b79c..8ea082d5 100644 --- a/src/server.c +++ b/src/server.c @@ -44,23 +44,23 @@ # include #endif -#include "libssh/priv.h" -#include "libssh/libssh.h" -#include "libssh/server.h" -#include "libssh/ssh2.h" #include "libssh/buffer.h" -#include "libssh/packet.h" -#include "libssh/socket.h" -#include "libssh/session.h" -#include "libssh/kex.h" -#include "libssh/misc.h" -#include "libssh/pki.h" -#include "libssh/dh.h" -#include "libssh/messages.h" -#include "libssh/options.h" #include "libssh/curve25519.h" -#include "libssh/token.h" +#include "libssh/dh.h" #include "libssh/gssapi.h" +#include "libssh/kex.h" +#include "libssh/libssh.h" +#include "libssh/messages.h" +#include "libssh/misc.h" +#include "libssh/options.h" +#include "libssh/packet.h" +#include "libssh/pki.h" +#include "libssh/priv.h" +#include "libssh/server.h" +#include "libssh/session.h" +#include "libssh/socket.h" +#include "libssh/ssh2.h" +#include "libssh/token.h" #define set_status(session, status) do {\ if (session->common.callbacks && session->common.callbacks->connect_status_function) \ 
@@ -154,8 +154,9 @@ int server_set_kex(ssh_session session) if (strlen(hostkeys) != 0) { /* It is expected for the list of allowed hostkeys to be ordered by * preference */ - kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys, - allowed); + kept = + ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys, + allowed); if (kept == NULL) { /* Nothing was allowed */ return -1; @@ -178,7 +179,7 @@ int server_set_kex(ssh_session session) return SSH_ERROR; } - gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs); + gssapi_algs = ssh_gssapi_kex_mechs(session); if (gssapi_algs == NULL) { return SSH_ERROR; } @@ -186,7 +187,8 @@ int server_set_kex(ssh_session session) /* Prefix the default algorithms with gsskex algs */ session->opts.wanted_methods[SSH_KEX] = - ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), gssapi_algs); + ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), + gssapi_algs); if (strlen(hostkeys) == 0) { session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null"); @@ -700,12 +702,14 @@ int ssh_auth_reply_default(ssh_session session,int partial) { strncat(methods_c,"gssapi-with-mic,", sizeof(methods_c) - strlen(methods_c) - 1); } - /* Check if GSSAPI Key exchange was performed */ - if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) { - if (ssh_kex_is_gss(session->current_crypto)) { - strncat(methods_c, "gssapi-keyex,", sizeof(methods_c) - strlen(methods_c) - 1); - } - } + /* Check if GSSAPI Key exchange was performed */ + if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) { + if (ssh_kex_is_gss(session->current_crypto)) { + strncat(methods_c, + "gssapi-keyex,", + sizeof(methods_c) - strlen(methods_c) - 1); + } + } if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) { strncat(methods_c, "keyboard-interactive,", sizeof(methods_c) - strlen(methods_c) - 1); 
diff --git a/src/session.c b/src/session.c index 3c22bf47..64431c2e 100644 --- a/src/session.c +++ b/src/session.c @@ -161,7 +161,8 @@ ssh_session ssh_new(void) } #ifdef WITH_GSSAPI - session->opts.gssapi_key_exchange_algs = strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED); + session->opts.gssapi_key_exchange_algs = + strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED); if (session->opts.gssapi_key_exchange_algs == NULL) { goto err; } diff --git a/src/wrapper.c b/src/wrapper.c index 3506f28f..a5f63269 100644 --- a/src/wrapper.c +++ b/src/wrapper.c @@ -591,8 +591,8 @@ int crypt_set_algorithms_server(ssh_session session){ #ifdef WITH_GSSAPI case SSH_GSS_KEX_DH_GROUP14_SHA256: case SSH_GSS_KEX_DH_GROUP16_SHA512: - ssh_server_gss_dh_init(session); - break; + ssh_server_gss_dh_init(session); + break; #endif /* WITH_GSSAPI */ #ifdef WITH_GEX case SSH_KEX_DH_GEX_SHA1: diff --git a/tests/client/torture_gssapi_key_exchange.c b/tests/client/torture_gssapi_key_exchange.c index 80f5934e..7c9e49a3 100644 --- a/tests/client/torture_gssapi_key_exchange.c +++ b/tests/client/torture_gssapi_key_exchange.c @@ -2,17 +2,16 @@ #define LIBSSH_STATIC +#include "libssh/crypto.h" #include "torture.h" #include -#include "libssh/crypto.h" #include #include #include #include -static int -sshd_setup(void **state) +static int sshd_setup(void **state) { torture_setup_sshd_server(state, false); torture_update_sshd_config(state, @@ -22,8 +21,7 @@ sshd_setup(void **state) return 0; } -static int -sshd_teardown(void **state) +static int sshd_teardown(void **state) { assert_non_null(state); @@ -32,8 +30,7 @@ sshd_teardown(void **state) return 0; } -static int -session_setup(void **state) +static int session_setup(void **state) { struct torture_state *s = *state; int verbosity = torture_libssh_verbosity(); @@ -62,8 +59,7 @@ session_setup(void **state) return 0; } -static int -session_teardown(void **state) +static int session_teardown(void **state) { struct torture_state *s = *state; 
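Review bot: In the wrapper.c hunk of crypt_set_algorithms_server the two GSS KEX cases call `ssh_server_gss_dh_init(session)` and discard whatever it returns; if that function reports failure through its return value (I cannot see its declaration here), a failed GSS DH setup would go unnoticed at this point, so either check it like the neighbouring cases do or add a comment stating why the status is not needed. The enclosing switch and function continue outside the hunk.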
@@ -75,8 +71,7 @@ session_teardown(void **state) return 0; } -static void -torture_gssapi_key_exchange(void **state) +static void torture_gssapi_key_exchange(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; @@ -106,8 +101,7 @@ torture_gssapi_key_exchange(void **state) torture_teardown_kdc_server(state); } -static void -torture_gssapi_key_exchange_no_tgt(void **state) +static void torture_gssapi_key_exchange_no_tgt(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; @@ -136,14 +130,15 @@ torture_gssapi_key_exchange_no_tgt(void **state) rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); - assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); + assert_int_not_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP14_SHA256); + assert_int_not_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP16_SHA512); torture_teardown_kdc_server(state); } -static void -torture_gssapi_key_exchange_gss_group14_sha256(void **state) +static void torture_gssapi_key_exchange_gss_group14_sha256(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; 
@@ -168,19 +163,21 @@ torture_gssapi_key_exchange_gss_group14_sha256(void **state) rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); assert_ssh_return_code(s->ssh.session, rc); - rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-"); + rc = ssh_options_set(s->ssh.session, + SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, + "gss-group14-sha256-"); assert_ssh_return_code(s->ssh.session, rc); rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); + assert_int_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP14_SHA256); torture_teardown_kdc_server(state); } -static void -torture_gssapi_key_exchange_gss_group16_sha512(void **state) +static void torture_gssapi_key_exchange_gss_group16_sha512(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; @@ -205,19 +202,21 @@ torture_gssapi_key_exchange_gss_group16_sha512(void **state) rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); assert_ssh_return_code(s->ssh.session, rc); - rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-"); + rc = ssh_options_set(s->ssh.session, + SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, + "gss-group16-sha512-"); assert_ssh_return_code(s->ssh.session, rc); rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_true(session->current_crypto->kex_type == SSH_GSS_KEX_DH_GROUP16_SHA512); + assert_true(session->current_crypto->kex_type == + SSH_GSS_KEX_DH_GROUP16_SHA512); torture_teardown_kdc_server(state); } -static void -torture_gssapi_key_exchange_auth(void **state) +static void torture_gssapi_key_exchange_auth(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; 
@@ -251,8 +250,7 @@ torture_gssapi_key_exchange_auth(void **state) torture_teardown_kdc_server(state); } -static void -torture_gssapi_key_exchange_no_auth(void **state) +static void torture_gssapi_key_exchange_no_auth(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; @@ -288,8 +286,7 @@ torture_gssapi_key_exchange_no_auth(void **state) torture_teardown_kdc_server(state); } -int -torture_run_tests(void) +int torture_run_tests(void) { int rc; struct CMUnitTest tests[] = { @@ -299,12 +296,14 @@ torture_run_tests(void) cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt, session_setup, session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group14_sha256, - session_setup, - session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group16_sha512, - session_setup, - session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_key_exchange_gss_group14_sha256, + session_setup, + session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_key_exchange_gss_group16_sha512, + session_setup, + session_teardown), cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth, session_setup, session_teardown), diff --git a/tests/client/torture_gssapi_key_exchange_null.c b/tests/client/torture_gssapi_key_exchange_null.c index f6e24a86..c8df5c13 100644 --- a/tests/client/torture_gssapi_key_exchange_null.c +++ b/tests/client/torture_gssapi_key_exchange_null.c @@ -10,8 +10,7 @@ #include #include -static int -sshd_setup(void **state) +static int sshd_setup(void **state) { struct torture_state *s = NULL; torture_setup_sshd_server(state, false); 
@@ -31,16 +30,15 @@ sshd_setup(void **state) "echo bar | kinit alice"); torture_update_sshd_config(state, - "GSSAPIAuthentication yes\n" - "GSSAPIKeyExchange yes\n"); + "GSSAPIAuthentication yes\n" + "GSSAPIKeyExchange yes\n"); torture_teardown_kdc_server(state); } return 0; } -static int -sshd_teardown(void **state) +static int sshd_teardown(void **state) { assert_non_null(state); @@ -49,8 +47,7 @@ sshd_teardown(void **state) return 0; } -static int -session_setup(void **state) +static int session_setup(void **state) { struct torture_state *s = *state; int verbosity = torture_libssh_verbosity(); @@ -79,8 +76,7 @@ session_setup(void **state) return 0; } -static int -session_teardown(void **state) +static int session_teardown(void **state) { struct torture_state *s = *state; @@ -92,8 +88,7 @@ session_teardown(void **state) return 0; } -static void -torture_gssapi_key_exchange_null(void **state) +static void torture_gssapi_key_exchange_null(void **state) { struct torture_state *s = *state; ssh_session session = s->ssh.session; @@ -121,13 +116,13 @@ torture_gssapi_key_exchange_null(void **state) rc = ssh_connect(session); assert_ssh_return_code(s->ssh.session, rc); - assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null"); + assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], + "null"); torture_teardown_kdc_server(state); } -int -torture_run_tests(void) +int torture_run_tests(void) { int rc; struct CMUnitTest tests[] = { diff --git a/tests/fs_wrapper.c b/tests/fs_wrapper.c index 4dc200a2..b718eff0 100644 --- a/tests/fs_wrapper.c +++ b/tests/fs_wrapper.c @@ -1,13 +1,13 @@ #define _GNU_SOURCE #include +#include #include #include #include #include #include -#include -#include #include +#include /******************************************************************************* * Structs 
@@ -224,31 +224,32 @@ static int is_file_blocked(const char *pathname) /* Block for torture_gssapi_server_key_exchange_null */ "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_rsa_key", - "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key", }; - for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]); i++) { + for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]); + i++) { if (strcmp(pathname, blocked_files[i]) == 0) { - errno = ENOENT; /* No such file or directory */ + errno = ENOENT; /* No such file or directory */ return 1; } } return 0; } -#define WRAP_FOPEN(func_name) \ -FILE *func_name(const char *pathname, const char *mode) \ -{ \ - typedef FILE *(*orig_func_t)(const char *pathname, const char *mode); \ - static orig_func_t orig_func = NULL; \ - if (orig_func == NULL) { \ - orig_func = (orig_func_t)dlsym(RTLD_NEXT, #func_name); \ - } \ - if (is_file_blocked(pathname)) { \ - return NULL; \ - } \ - return orig_func(pathname, mode); \ -} +#define WRAP_FOPEN(func_name) \ + FILE *func_name(const char *pathname, const char *mode) \ + { \ + typedef FILE *(*orig_func_t)(const char *pathname, const char *mode); \ + static orig_func_t orig_func = NULL; \ + if (orig_func == NULL) { \ + orig_func = (orig_func_t)dlsym(RTLD_NEXT, #func_name); \ + } \ + if (is_file_blocked(pathname)) { \ + return NULL; \ + } \ + return orig_func(pathname, mode); \ + } WRAP_FOPEN(fopen) WRAP_FOPEN(fopen64) diff --git a/tests/server/torture_gssapi_server_key_exchange.c b/tests/server/torture_gssapi_server_key_exchange.c index 7139a65b..e1d5e228 100644 --- a/tests/server/torture_gssapi_server_key_exchange.c +++ b/tests/server/torture_gssapi_server_key_exchange.c @@ -7,8 +7,8 @@ #include #include -#include "libssh/libssh.h" #include "libssh/crypto.h" +#include "libssh/libssh.h" #include "torture.h" #include "torture_key.h" 
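Review bot: In the reformatted `WRAP_FOPEN` macro the pointer obtained from `dlsym(RTLD_NEXT, #func_name)` is cached and then called without a NULL check, so if the symbol is not found the wrapper dereferences NULL instead of failing visibly; a guard such as `if (orig_func == NULL) { errno = ENOSYS; return NULL; }` placed after the lookup keeps the failure in the test harness rather than in the process being tested. This is pre-existing and test-only, but the commit is touching every line of the macro anyway.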
@@ -21,8 +21,7 @@ struct test_server_st { char *cwd; }; -static void -free_test_server_state(void **state) +static void free_test_server_state(void **state) { struct test_server_st *tss = *state; @@ -30,8 +29,7 @@ free_test_server_state(void **state) SAFE_FREE(tss); } -static void -setup_config(void **state) +static void setup_config(void **state) { struct torture_state *s = NULL; struct server_state_st *ss = NULL; @@ -147,8 +145,7 @@ setup_config(void **state) *state = tss; } -static int -setup_default_server(void **state) +static int setup_default_server(void **state) { struct torture_state *s = NULL; struct server_state_st *ss = NULL; @@ -186,8 +183,7 @@ setup_default_server(void **state) return 0; } -static int -teardown_default_server(void **state) +static int teardown_default_server(void **state) { struct torture_state *s = NULL; struct server_state_st *ss = NULL; @@ -212,8 +208,7 @@ teardown_default_server(void **state) return 0; } -static int -session_setup(void **state) +static int session_setup(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -253,8 +248,7 @@ session_setup(void **state) return 0; } -static int -session_teardown(void **state) +static int session_teardown(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -276,9 +270,7 @@ session_teardown(void **state) return 0; } - -static void -torture_gssapi_server_key_exchange(void **state) +static void torture_gssapi_server_key_exchange(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -303,7 +295,8 @@ torture_gssapi_server_key_exchange(void **state) torture_setup_kdc_server( (void **)&s, "kadmin.local addprinc -randkey host/server.libssh.site\n" - "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n" + "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab " + "host/server.libssh.site\n" "kadmin.local addprinc -pw bar alice\n" "kadmin.local list_principals", 
@@ -318,8 +311,7 @@ torture_gssapi_server_key_exchange(void **state) torture_teardown_kdc_server((void **)&s); } -static void -torture_gssapi_server_key_exchange_no_tgt(void **state) +static void torture_gssapi_server_key_exchange_no_tgt(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -344,7 +336,8 @@ torture_gssapi_server_key_exchange_no_tgt(void **state) torture_setup_kdc_server( (void **)&s, "kadmin.local addprinc -randkey host/server.libssh.site \n" - "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" + "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab " + "host/server.libssh.site \n" "kadmin.local addprinc -pw bar alice \n" "kadmin.local list_principals", @@ -357,14 +350,15 @@ torture_gssapi_server_key_exchange_no_tgt(void **state) rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); - assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); + assert_int_not_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP14_SHA256); + assert_int_not_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP16_SHA512); torture_teardown_kdc_server((void **)&s); } -static void -torture_gssapi_server_key_exchange_gss_group14_sha256(void **state) +static void torture_gssapi_server_key_exchange_gss_group14_sha256(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -389,7 +383,8 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state) torture_setup_kdc_server( (void **)&s, "kadmin.local addprinc -randkey host/server.libssh.site \n" - "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" + "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab " + "host/server.libssh.site \n" "kadmin.local addprinc -pw bar alice \n" "kadmin.local list_principals", 
@@ -398,19 +393,21 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state) rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); assert_ssh_return_code(s->ssh.session, rc); - rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-"); + rc = ssh_options_set(s->ssh.session, + SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, + "gss-group14-sha256-"); assert_ssh_return_code(s->ssh.session, rc); rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); + assert_int_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP14_SHA256); torture_teardown_kdc_server((void **)&s); } -static void -torture_gssapi_server_key_exchange_gss_group16_sha512(void **state) +static void torture_gssapi_server_key_exchange_gss_group16_sha512(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -435,7 +432,8 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state) torture_setup_kdc_server( (void **)&s, "kadmin.local addprinc -randkey host/server.libssh.site \n" - "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" + "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab " + "host/server.libssh.site \n" "kadmin.local addprinc -pw bar alice \n" "kadmin.local list_principals", 
@@ -444,19 +442,21 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state) rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); assert_ssh_return_code(s->ssh.session, rc); - rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-"); + rc = ssh_options_set(s->ssh.session, + SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, + "gss-group16-sha512-"); assert_ssh_return_code(s->ssh.session, rc); rc = ssh_connect(session); assert_ssh_return_code(session, rc); - assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); + assert_int_equal(session->current_crypto->kex_type, + SSH_GSS_KEX_DH_GROUP16_SHA512); torture_teardown_kdc_server((void **)&s); } -static void -torture_gssapi_server_key_exchange_auth(void **state) +static void torture_gssapi_server_key_exchange_auth(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; @@ -499,8 +499,7 @@ torture_gssapi_server_key_exchange_auth(void **state) torture_teardown_kdc_server((void **)&s); } -static void -torture_gssapi_server_key_exchange_no_auth(void **state) +static void torture_gssapi_server_key_exchange_no_auth(void **state) { struct test_server_st *tss = *state; struct torture_state *s = NULL; 
@@ -545,29 +544,32 @@ torture_gssapi_server_key_exchange_no_auth(void **state) torture_teardown_kdc_server((void **)&s); } -int -torture_run_tests(void) +int torture_run_tests(void) { int rc; struct CMUnitTest tests[] = { cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange, session_setup, session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_tgt, - session_setup, - session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group14_sha256, - session_setup, - session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group16_sha512, - session_setup, - session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_server_key_exchange_no_tgt, + session_setup, + session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_server_key_exchange_gss_group14_sha256, + session_setup, + session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_server_key_exchange_gss_group16_sha512, + session_setup, + session_teardown), cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth, session_setup, session_teardown), - cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_auth, - session_setup, - session_teardown), + cmocka_unit_test_setup_teardown( + torture_gssapi_server_key_exchange_no_auth, + session_setup, + session_teardown), }; ssh_init(); diff --git a/tests/server/torture_gssapi_server_key_exchange_null.c b/tests/server/torture_gssapi_server_key_exchange_null.c index 01f962f1..082c9e9d 100644 --- a/tests/server/torture_gssapi_server_key_exchange_null.c +++ b/tests/server/torture_gssapi_server_key_exchange_null.c @@ -19,8 +19,7 @@ struct test_server_st { char *cwd; }; -static void -free_test_server_state(void **state) +static void free_test_server_state(void **state) { struct test_server_st *tss = *state; 
@@ -28,8 +27,7 @@ free_test_server_state(void **state)
     SAFE_FREE(tss);
 }
 
-static void
-setup_config(void **state)
+static void setup_config(void **state)
 {
     struct torture_state *s = NULL;
     struct server_state_st *ss = NULL;
@@ -105,8 +103,7 @@ setup_config(void **state)
     *state = tss;
 }
 
-static int
-setup_default_server(void **state)
+static int setup_default_server(void **state)
 {
     struct torture_state *s = NULL;
     struct server_state_st *ss = NULL;
@@ -144,8 +141,7 @@ setup_default_server(void **state)
     return 0;
 }
 
-static int
-teardown_default_server(void **state)
+static int teardown_default_server(void **state)
 {
     struct torture_state *s = NULL;
     struct server_state_st *ss = NULL;
@@ -170,8 +166,7 @@ teardown_default_server(void **state)
     return 0;
 }
 
-static int
-session_setup(void **state)
+static int session_setup(void **state)
 {
     struct test_server_st *tss = *state;
     struct torture_state *s = NULL;
@@ -211,8 +206,7 @@ session_setup(void **state)
     return 0;
 }
 
-static int
-session_teardown(void **state)
+static int session_teardown(void **state)
 {
     struct test_server_st *tss = *state;
     struct torture_state *s = NULL;
@@ -234,9 +228,7 @@ session_teardown(void **state)
     return 0;
 }
 
-
-static void
-torture_gssapi_server_key_exchange_null(void **state)
+static void torture_gssapi_server_key_exchange_null(void **state)
 {
     struct test_server_st *tss = *state;
     struct torture_state *s = NULL;
@@ -261,7 +253,8 @@ torture_gssapi_server_key_exchange_null(void **state)
     torture_setup_kdc_server(
         (void **)&s,
         "kadmin.local addprinc -randkey host/server.libssh.site\n"
-        "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
+        "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
+        "host/server.libssh.site\n"
         "kadmin.local addprinc -pw bar alice\n"
         "kadmin.local list_principals",
@@ -273,13 +266,13 @@ torture_gssapi_server_key_exchange_null(void **state)
     rc = ssh_connect(session);
     assert_ssh_return_code(s->ssh.session, rc);
 
-    assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null");
+    assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
+                        "null");
 
     torture_teardown_kdc_server((void **)&s);
 }
 
-int
-torture_run_tests(void)
+int torture_run_tests(void)
 {
     int rc;
     struct CMUnitTest tests[] = {
diff --git a/tests/torture.c b/tests/torture.c
index 6b32d329..30521947 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -999,8 +999,10 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
                  fips_config_string,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
-                 "HostKey", rsa_hostkey,
-                 "HostKey", ecdsa_hostkey,
+                 "HostKey",
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
                  trusted_ca_pubkey,
                  sftp_server,
                  usepam,
@@ -1012,9 +1014,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
                  config_string,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
-                 "", "",
-                 "", "",
-                 "", "",
+                 "",
+                 "",
+                 "",
+                 "",
+                 "",
+                 "",
                  trusted_ca_pubkey,
                  sftp_server,
                  usepam,
@@ -1026,9 +1031,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
                  config_string,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
                  second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
-                 "HostKey", ed25519_hostkey,
-                 "HostKey", rsa_hostkey,
-                 "HostKey", ecdsa_hostkey,
+                 "HostKey",
+                 ed25519_hostkey,
+                 "HostKey",
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
                  trusted_ca_pubkey,
                  sftp_server,
                  usepam,
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index 00dd9055..482a1a7a 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -650,7 +650,8 @@ static void torture_config_new(void ** state,
     assert_string_equal(session->opts.gss_server_identity, "example.com");
     assert_string_equal(session->opts.gss_client_identity, "home.sweet");
 #ifdef WITH_GSSAPI
-    assert_string_equal(session->opts.gssapi_key_exchange_algs, "gss-group14-sha256-");
+    assert_string_equal(session->opts.gssapi_key_exchange_algs,
+                        "gss-group14-sha256-");
 #endif /* WITH_GSSAPI */
     assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE);