reformat: gssapi key exchange

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Gauravsingh Sisodia
2025-07-14 06:04:04 +00:00
committed by Jakub Jelen
parent 06b61f75fa
commit a0707afc3e
27 changed files with 511 additions and 446 deletions


@@ -29,8 +29,7 @@
/* all OID begin with the tag identifier + length */ /* all OID begin with the tag identifier + length */
#define SSH_OID_TAG 06 #define SSH_OID_TAG 06
#define GSSAPI_KEY_EXCHANGE_SUPPORTED \ #define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-,gss-group16-sha512-,"
"gss-group14-sha256-,gss-group16-sha512-,"
typedef struct ssh_gssapi_struct *ssh_gssapi; typedef struct ssh_gssapi_struct *ssh_gssapi;
@@ -87,10 +86,11 @@ OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
OM_uint32 *ret_flags); OM_uint32 *ret_flags);
char *ssh_gssapi_oid_hash(ssh_string oid); char *ssh_gssapi_oid_hash(ssh_string oid);
char *ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs); char *ssh_gssapi_kex_mechs(ssh_session session);
int ssh_gssapi_check_client_config(ssh_session session); int ssh_gssapi_check_client_config(ssh_session session);
ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context); ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context);
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf); int ssh_gssapi_auth_keyex_mic(ssh_session session,
gss_buffer_desc *mic_token_buf);
#ifdef __cplusplus #ifdef __cplusplus
} }
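Review bot: Dropping the `gss_algs` parameter from `ssh_gssapi_kex_mechs` in the second hunk is an interface change that a commit titled "reformat" does not announce, and the header gives no hint where the algorithm list now comes from. The callers in gssapi.c and kex.c adapt by reading `session->opts.gssapi_key_exchange_algs` inside the function, so the declaration should carry a short contract, e.g. `/* Build the gss-* kex algorithm list from session->opts.gssapi_key_exchange_algs; returns a strdup'd string or NULL on error */`. The commit message should also mention the signature change so that out-of-tree callers are not surprised by a pure-format commit.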


@@ -32,20 +32,19 @@
#include <arpa/inet.h> #include <arpa/inet.h>
#endif #endif
#include "libssh/priv.h"
#include "libssh/crypto.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h"
#include "libssh/agent.h" #include "libssh/agent.h"
#include "libssh/auth.h"
#include "libssh/buffer.h"
#include "libssh/crypto.h"
#include "libssh/gssapi.h"
#include "libssh/keys.h"
#include "libssh/legacy.h"
#include "libssh/misc.h" #include "libssh/misc.h"
#include "libssh/packet.h" #include "libssh/packet.h"
#include "libssh/session.h"
#include "libssh/keys.h"
#include "libssh/auth.h"
#include "libssh/pki.h" #include "libssh/pki.h"
#include "libssh/gssapi.h" #include "libssh/priv.h"
#include "libssh/legacy.h" #include "libssh/session.h"
#include "libssh/gssapi.h" #include "libssh/ssh2.h"
/** /**
* @defgroup libssh_auth The SSH authentication functions * @defgroup libssh_auth The SSH authentication functions
@@ -2493,7 +2492,8 @@ int ssh_userauth_gssapi_keyex(ssh_session session)
if (!ssh_kex_is_gss(session->current_crypto)) { if (!ssh_kex_is_gss(session->current_crypto)) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key exchange."); "Attempt to authenticate with gssapi-keyex without "
"doing GSSAPI Key exchange.");
return SSH_ERROR; return SSH_ERROR;
} }


@@ -247,11 +247,11 @@ int ssh_bind_listen(ssh_bind sshbind)
rc = ssh_bind_import_keys(sshbind); rc = ssh_bind_import_keys(sshbind);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
if (!sshbind->gssapi_key_exchange) { if (!sshbind->gssapi_key_exchange) {
ssh_set_error(sshbind, SSH_FATAL, ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
"No hostkeys found");
return SSH_ERROR; return SSH_ERROR;
} }
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm"); SSH_LOG(SSH_LOG_DEBUG,
"No hostkeys found: Using \"null\" hostkey algorithm");
} }
} }
@@ -473,7 +473,8 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
if (sshbind->gssapi_key_exchange_algs != NULL) { if (sshbind->gssapi_key_exchange_algs != NULL) {
SAFE_FREE(session->opts.gssapi_key_exchange_algs); SAFE_FREE(session->opts.gssapi_key_exchange_algs);
session->opts.gssapi_key_exchange_algs = strdup(sshbind->gssapi_key_exchange_algs); session->opts.gssapi_key_exchange_algs =
strdup(sshbind->gssapi_key_exchange_algs);
if (session->opts.gssapi_key_exchange_algs == NULL) { if (session->opts.gssapi_key_exchange_algs == NULL) {
ssh_set_error_oom(sshbind); ssh_set_error_oom(sshbind);
return SSH_ERROR; return SSH_ERROR;
@@ -527,11 +528,11 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
rc = ssh_bind_import_keys(sshbind); rc = ssh_bind_import_keys(sshbind);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
if (!sshbind->gssapi_key_exchange) { if (!sshbind->gssapi_key_exchange) {
ssh_set_error(sshbind, SSH_FATAL, ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
"No hostkeys found");
return SSH_ERROR; return SSH_ERROR;
} }
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm"); SSH_LOG(SSH_LOG_DEBUG,
"No hostkeys found: Using \"null\" hostkey algorithm");
} }
} }


@@ -30,15 +30,15 @@
#include <arpa/inet.h> #include <arpa/inet.h>
#endif #endif
#include "libssh/priv.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h" #include "libssh/buffer.h"
#include "libssh/packet.h"
#include "libssh/options.h"
#include "libssh/socket.h"
#include "libssh/session.h"
#include "libssh/dh.h"
#include "libssh/dh-gss.h" #include "libssh/dh-gss.h"
#include "libssh/dh.h"
#include "libssh/options.h"
#include "libssh/packet.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/socket.h"
#include "libssh/ssh2.h"
#ifdef WITH_GEX #ifdef WITH_GEX
#include "libssh/dh-gex.h" #include "libssh/dh-gex.h"
#endif /* WITH_GEX */ #endif /* WITH_GEX */


@@ -1560,7 +1560,6 @@ static int ssh_config_parse_line_internal(ssh_session session,
} }
break; break;
case SOC_GSSAPIKEYEXCHANGE: { case SOC_GSSAPIKEYEXCHANGE: {
bool b = false;
i = ssh_config_get_yesno(&s, -1); i = ssh_config_get_yesno(&s, -1);
CHECK_COND_OR_FAIL(i < 0, "Invalid argument"); CHECK_COND_OR_FAIL(i < 0, "Invalid argument");
if (*parsing) { if (*parsing) {


@@ -23,18 +23,18 @@
#include "config.h" #include "config.h"
#include <stdio.h>
#include <gssapi/gssapi.h>
#include <errno.h>
#include "libssh/gssapi.h" #include "libssh/gssapi.h"
#include <errno.h>
#include <gssapi/gssapi.h>
#include <stdio.h>
#include "libssh/priv.h"
#include "libssh/crypto.h"
#include "libssh/buffer.h" #include "libssh/buffer.h"
#include "libssh/session.h" #include "libssh/crypto.h"
#include "libssh/dh.h"
#include "libssh/ssh2.h"
#include "libssh/dh-gss.h" #include "libssh/dh-gss.h"
#include "libssh/dh.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/ssh2.h"
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply); static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply);
@@ -65,7 +65,8 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callback_hostkey = {
/** @internal /** @internal
* @brief Starts gssapi key exchange * @brief Starts gssapi key exchange
*/ */
int ssh_client_gss_dh_init(ssh_session session){ int ssh_client_gss_dh_init(ssh_session session)
{
struct ssh_crypto_struct *crypto = session->next_crypto; struct ssh_crypto_struct *crypto = session->next_crypto;
#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L #if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
const_bignum pubkey; const_bignum pubkey;
@@ -73,7 +74,8 @@ int ssh_client_gss_dh_init(ssh_session session){
bignum pubkey = NULL; bignum pubkey = NULL;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
int rc; int rc;
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */ /* oid selected for authentication */
gss_OID_set selected = GSS_C_NO_OID_SET;
OM_uint32 maj_stat, min_stat; OM_uint32 maj_stat, min_stat;
const char *gss_host = session->opts.host; const char *gss_host = session->opts.host;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
@@ -89,7 +91,10 @@ int ssh_client_gss_dh_init(ssh_session session){
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
goto error; goto error;
} }
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &pubkey); rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
DH_CLIENT_KEYPAIR,
NULL,
&pubkey);
if (rc != SSH_OK) { if (rc != SSH_OK) {
goto error; goto error;
} }
@@ -114,7 +119,10 @@ int ssh_client_gss_dh_init(ssh_session session){
} }
session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG; session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags); maj_stat = ssh_gssapi_init_ctx(session->gssapi,
&input_token,
&output_token,
&oflags);
gss_release_oid_set(&min_stat, &selected); gss_release_oid_set(&min_stat, &selected);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN, ssh_gssapi_log_error(SSH_LOG_WARN,
@@ -124,11 +132,13 @@ int ssh_client_gss_dh_init(ssh_session session){
goto error; goto error;
} }
if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) { if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) {
SSH_LOG(SSH_LOG_WARN, "GSSAPI(init) integrity and mutual flags were not set"); SSH_LOG(SSH_LOG_WARN,
"GSSAPI(init) integrity and mutual flags were not set");
goto error; goto error;
} }
rc = ssh_buffer_pack(session->out_buffer, "bdPB", rc = ssh_buffer_pack(session->out_buffer,
"bdPB",
SSH2_MSG_KEXGSS_INIT, SSH2_MSG_KEXGSS_INIT,
output_token.length, output_token.length,
(size_t)output_token.length, (size_t)output_token.length,
@@ -167,7 +177,8 @@ void ssh_client_gss_dh_remove_callback_hostkey(ssh_session session)
ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey); ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey);
} }
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply)
{
struct ssh_crypto_struct *crypto = session->next_crypto; struct ssh_crypto_struct *crypto = session->next_crypto;
ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL; ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL;
uint8_t b; uint8_t b;
@@ -183,25 +194,25 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
ssh_client_gss_dh_remove_callbacks(session); ssh_client_gss_dh_remove_callbacks(session);
rc = ssh_buffer_unpack(packet, rc = ssh_buffer_unpack(packet, "BSbS", &server_pubkey, &mic, &b, &otoken);
"BSbS",
&server_pubkey,
&mic,
&b,
&otoken);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
goto error; goto error;
} }
session->gssapi_key_exchange_mic = mic; session->gssapi_key_exchange_mic = mic;
input_token.length = ssh_string_len(otoken); input_token.length = ssh_string_len(otoken);
input_token.value = ssh_string_data(otoken); input_token.value = ssh_string_data(otoken);
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags); maj_stat = ssh_gssapi_init_ctx(session->gssapi,
&input_token,
&output_token,
&oflags);
if (maj_stat != GSS_S_COMPLETE) { if (maj_stat != GSS_S_COMPLETE) {
goto error; goto error;
} }
SSH_STRING_FREE(otoken); SSH_STRING_FREE(otoken);
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR, rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
NULL, server_pubkey); DH_SERVER_KEYPAIR,
NULL,
server_pubkey);
if (rc != SSH_OK) { if (rc != SSH_OK) {
SSH_STRING_FREE(pubkey_blob); SSH_STRING_FREE(pubkey_blob);
bignum_safe_free(server_pubkey); bignum_safe_free(server_pubkey);
@@ -209,7 +220,8 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
} }
rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx, rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx,
DH_CLIENT_KEYPAIR, DH_SERVER_KEYPAIR, DH_CLIENT_KEYPAIR,
DH_SERVER_KEYPAIR,
&session->next_crypto->shared_secret); &session->next_crypto->shared_secret);
ssh_dh_debug_crypto(session->next_crypto); ssh_dh_debug_crypto(session->next_crypto);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
@@ -230,7 +242,8 @@ error:
return SSH_PACKET_USED; return SSH_PACKET_USED;
} }
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) { SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey)
{
ssh_string pubkey_blob = NULL; ssh_string pubkey_blob = NULL;
int rc; int rc;
@@ -239,11 +252,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
ssh_client_gss_dh_remove_callback_hostkey(session); ssh_client_gss_dh_remove_callback_hostkey(session);
rc = ssh_buffer_unpack(packet, rc = ssh_buffer_unpack(packet, "S", &pubkey_blob);
"S",
&pubkey_blob);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
ssh_set_error(session, SSH_FATAL, "Invalid SSH2_MSG_KEXGSS_HOSTKEY packet"); ssh_set_error(session,
SSH_FATAL,
"Invalid SSH2_MSG_KEXGSS_HOSTKEY packet");
goto error; goto error;
} }
@@ -272,13 +285,13 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_server_callbacks = {
.start = SSH2_MSG_KEXGSS_INIT, .start = SSH2_MSG_KEXGSS_INIT,
.n_callbacks = 1, .n_callbacks = 1,
.callbacks = gss_dh_server_callbacks, .callbacks = gss_dh_server_callbacks,
.user = NULL .user = NULL};
};
/** @internal /** @internal
* @brief sets up the gssapi kex callbacks * @brief sets up the gssapi kex callbacks
*/ */
void ssh_server_gss_dh_init(ssh_session session){ void ssh_server_gss_dh_init(ssh_session session)
{
/* register the packet callbacks */ /* register the packet callbacks */
ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks); ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks);
@@ -326,8 +339,10 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error; goto error;
} }
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
NULL, client_pubkey); DH_CLIENT_KEYPAIR,
NULL,
client_pubkey);
if (rc != SSH_OK) { if (rc != SSH_OK) {
bignum_safe_free(client_pubkey); bignum_safe_free(client_pubkey);
goto error; goto error;
@@ -339,7 +354,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
} }
rc = ssh_dh_compute_shared_secret(crypto->dh_ctx, rc = ssh_dh_compute_shared_secret(crypto->dh_ctx,
DH_SERVER_KEYPAIR, DH_CLIENT_KEYPAIR, DH_SERVER_KEYPAIR,
DH_CLIENT_KEYPAIR,
&crypto->shared_secret); &crypto->shared_secret);
ssh_dh_debug_crypto(crypto); ssh_dh_debug_crypto(crypto);
if (rc == SSH_ERROR) { if (rc == SSH_ERROR) {
@@ -358,7 +374,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
} }
if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) { if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) {
rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob); rc =
ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
if (rc != SSH_OK) { if (rc != SSH_OK) {
goto error; goto error;
} }
@@ -380,8 +397,10 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
SSH_STRING_FREE(server_pubkey_blob); SSH_STRING_FREE(server_pubkey_blob);
} }
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR, rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
NULL, &server_pubkey); DH_SERVER_KEYPAIR,
NULL,
&server_pubkey);
if (rc != SSH_OK) { if (rc != SSH_OK) {
goto error; goto error;
} }
@@ -404,9 +423,14 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error; goto error;
} }
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0, maj_stat = gss_acquire_cred(&min_stat,
GSS_C_NO_OID_SET, GSS_C_ACCEPT, session->gssapi->client.server_name,
&session->gssapi->server_creds, NULL, NULL); 0,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
&session->gssapi->server_creds,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE) { if (maj_stat != GSS_S_COMPLETE) {
ssh_gssapi_log_error(SSH_LOG_TRACE, ssh_gssapi_log_error(SSH_LOG_TRACE,
"acquiring credentials", "acquiring credentials",
@@ -415,9 +439,17 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error; goto error;
} }
maj_stat = gss_accept_sec_context(&min_stat, &session->gssapi->ctx, session->gssapi->server_creds, maj_stat = gss_accept_sec_context(&min_stat,
&input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL /*mech_oid*/, &output_token, &ret_flags, &session->gssapi->ctx,
NULL /*time*/, &session->gssapi->client_creds); session->gssapi->server_creds,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
NULL /*mech_oid*/,
&output_token,
&ret_flags,
NULL /*time*/,
&session->gssapi->client_creds);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_DEBUG, ssh_gssapi_log_error(SSH_LOG_DEBUG,
"accepting token failed", "accepting token failed",
@@ -428,7 +460,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
SSH_STRING_FREE(otoken); SSH_STRING_FREE(otoken);
gss_release_name(&min_stat, &client_name); gss_release_name(&min_stat, &client_name);
if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) { if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) {
SSH_LOG(SSH_LOG_WARN, "GSSAPI(accept) integrity and mutual flags were not set"); SSH_LOG(SSH_LOG_WARN,
"GSSAPI(accept) integrity and mutual flags were not set");
goto error; goto error;
} }
SSH_LOG(SSH_LOG_DEBUG, "token accepted"); SSH_LOG(SSH_LOG_DEBUG, "token accepted");
@@ -448,7 +481,6 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error; goto error;
} }
rc = ssh_buffer_pack(session->out_buffer, rc = ssh_buffer_pack(session->out_buffer,
"bBdPbdP", "bBdPbdP",
SSH2_MSG_KEXGSS_COMPLETE, SSH2_MSG_KEXGSS_COMPLETE,
@@ -501,7 +533,8 @@ error:
* @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete * @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete
* Diffie-Hellman key exchange * Diffie-Hellman key exchange
**/ **/
static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init){ static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init)
{
(void)type; (void)type;
(void)user; (void)user;
SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT"); SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT");
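Review bot: In ssh_server_gss_dh_process_init the hostkey test `strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0` is a prefix comparison, so any negotiated method name that merely begins with "null" would also skip sending the host key blob. The field appears to hold the single negotiated method name, in which case an exact `strcmp(crypto->kex_methods[SSH_HOSTKEYS], "null") != 0` states the intent without the prefix ambiguity. This predates the reformat; the function begins and ends outside the visible hunks.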


@@ -27,8 +27,8 @@
#include <stdio.h> #include <stdio.h>
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
#include <gssapi/gssapi.h>
#include "libssh/gssapi.h" #include "libssh/gssapi.h"
#include <gssapi/gssapi.h>
#endif #endif
#include "libssh/priv.h" #include "libssh/priv.h"


@@ -21,23 +21,23 @@
#include "config.h" #include "config.h"
#include <errno.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <errno.h>
#ifdef HAVE_UNISTD_H #ifdef HAVE_UNISTD_H
#include <unistd.h> #include <unistd.h>
#endif #endif
#include <gssapi/gssapi.h> #include <gssapi/gssapi.h>
#include <libssh/buffer.h>
#include <libssh/callbacks.h>
#include <libssh/crypto.h>
#include <libssh/gssapi.h> #include <libssh/gssapi.h>
#include <libssh/libssh.h> #include <libssh/libssh.h>
#include <libssh/ssh2.h>
#include <libssh/buffer.h>
#include <libssh/crypto.h>
#include <libssh/callbacks.h>
#include <libssh/string.h>
#include <libssh/server.h> #include <libssh/server.h>
#include <libssh/ssh2.h>
#include <libssh/string.h>
#include <libssh/token.h> #include <libssh/token.h>
static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
@@ -155,8 +155,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid)
* @param[out] selected OID set of supported oids * @param[out] selected OID set of supported oids
* @returns SSH_OK if successful, SSH_ERROR otherwise * @returns SSH_OK if successful, SSH_ERROR otherwise
*/ */
int int ssh_gssapi_server_oids(gss_OID_set *selected)
ssh_gssapi_server_oids(gss_OID_set *selected)
{ {
OM_uint32 maj_stat, min_stat; OM_uint32 maj_stat, min_stat;
size_t i; size_t i;
@@ -173,10 +172,13 @@ ssh_gssapi_server_oids(gss_OID_set *selected)
} }
for (i = 0; i < supported->count; ++i) { for (i = 0; i < supported->count; ++i) {
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length); ptr = ssh_get_hexa(supported->elements[i].elements,
supported->elements[i].length);
/* According to RFC 4462 we MUST NOT use SPNEGO */ /* According to RFC 4462 we MUST NOT use SPNEGO */
if (supported->elements[i].length == spnego_oid.length && if (supported->elements[i].length == spnego_oid.length &&
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) { memcmp(supported->elements[i].elements,
spnego_oid.elements,
supported->elements[i].length) == 0) {
SAFE_FREE(ptr); SAFE_FREE(ptr);
continue; continue;
} }
@@ -289,9 +291,14 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
return SSH_ERROR; return SSH_ERROR;
} }
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0, maj_stat = gss_acquire_cred(&min_stat,
both_supported, GSS_C_ACCEPT, session->gssapi->client.server_name,
&session->gssapi->server_creds, &selected, NULL); 0,
both_supported,
GSS_C_ACCEPT,
&session->gssapi->server_creds,
&selected,
NULL);
gss_release_oid_set(&min_stat, &both_supported); gss_release_oid_set(&min_stat, &both_supported);
if (maj_stat != GSS_S_COMPLETE) { if (maj_stat != GSS_S_COMPLETE) {
ssh_gssapi_log_error(SSH_LOG_TRACE, ssh_gssapi_log_error(SSH_LOG_TRACE,
@@ -477,7 +484,8 @@ ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context)
rc = ssh_buffer_pack(mic_buffer, rc = ssh_buffer_pack(mic_buffer,
"dPbsss", "dPbsss",
crypto->session_id_len, crypto->session_id_len,
crypto->session_id_len, crypto->session_id, crypto->session_id_len,
crypto->session_id,
SSH2_MSG_USERAUTH_REQUEST, SSH2_MSG_USERAUTH_REQUEST,
session->gssapi->user, session->gssapi->user,
"ssh-connection", "ssh-connection",
@@ -655,8 +663,7 @@ fail:
* *
* @returns the hash or NULL on error * @returns the hash or NULL on error
*/ */
char * char *ssh_gssapi_oid_hash(ssh_string oid)
ssh_gssapi_oid_hash(ssh_string oid)
{ {
MD5CTX ctx = NULL; MD5CTX ctx = NULL;
unsigned char *h = NULL; unsigned char *h = NULL;
@@ -674,9 +681,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
return NULL; return NULL;
} }
rc = md5_update(ctx, rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid));
ssh_string_data(oid),
ssh_string_len(oid));
if (rc != SSH_OK) { if (rc != SSH_OK) {
SAFE_FREE(h); SAFE_FREE(h);
md5_ctx_free(ctx); md5_ctx_free(ctx);
@@ -700,8 +705,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
* *
* @returns SSH_OK if any one of the mechanisms is configured or NULL * @returns SSH_OK if any one of the mechanisms is configured or NULL
*/ */
int int ssh_gssapi_check_client_config(ssh_session session)
ssh_gssapi_check_client_config(ssh_session session)
{ {
OM_uint32 maj_stat, min_stat; OM_uint32 maj_stat, min_stat;
size_t i; size_t i;
@@ -738,7 +742,9 @@ ssh_gssapi_check_client_config(ssh_session session)
/* According to RFC 4462 we MUST NOT use SPNEGO */ /* According to RFC 4462 we MUST NOT use SPNEGO */
if (supported->elements[i].length == spnego_oid.length && if (supported->elements[i].length == spnego_oid.length &&
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) { memcmp(supported->elements[i].elements,
spnego_oid.elements,
supported->elements[i].length) == 0) {
ret = SSH_ERROR; ret = SSH_ERROR;
goto end; goto end;
} }
@@ -750,18 +756,24 @@ ssh_gssapi_check_client_config(ssh_session session)
namebuf.value = (void *)session->opts.gss_client_identity; namebuf.value = (void *)session->opts.gss_client_identity;
namebuf.length = strlen(session->opts.gss_client_identity); namebuf.length = strlen(session->opts.gss_client_identity);
maj_stat = gss_import_name(&min_stat, &namebuf, maj_stat = gss_import_name(&min_stat,
GSS_C_NT_USER_NAME, &client_id); &namebuf,
GSS_C_NT_USER_NAME,
&client_id);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ret = SSH_ERROR; ret = SSH_ERROR;
goto end; goto end;
} }
} }
maj_stat = gss_acquire_cred(&min_stat, client_id, GSS_C_INDEFINITE, maj_stat = gss_acquire_cred(&min_stat,
one_oidset, GSS_C_INITIATE, client_id,
GSS_C_INDEFINITE,
one_oidset,
GSS_C_INITIATE,
&gssapi->client.creds, &gssapi->client.creds,
NULL, NULL); NULL,
NULL);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN, ssh_gssapi_log_error(SSH_LOG_WARN,
"acquiring credential", "acquiring credential",
@@ -776,7 +788,8 @@ ssh_gssapi_check_client_config(ssh_session session)
goto end; goto end;
} }
maj_stat = ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags); maj_stat =
ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN, ssh_gssapi_log_error(SSH_LOG_WARN,
"initializing context", "initializing context",
@@ -786,7 +799,8 @@ ssh_gssapi_check_client_config(ssh_session session)
goto end; goto end;
} }
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length); ptr = ssh_get_hexa(supported->elements[i].elements,
supported->elements[i].length);
SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr); SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr);
free(ptr); free(ptr);
@@ -909,16 +923,17 @@ end:
* @param[in] session current session handler * @param[in] session current session handler
* @returns string suffixed kex algorithms or NULL on error * @returns string suffixed kex algorithms or NULL on error
*/ */
char * char *ssh_gssapi_kex_mechs(ssh_session session)
ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
{ {
size_t i, j; size_t i, j;
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */ /* oid selected for authentication */
gss_OID_set selected = GSS_C_NO_OID_SET;
ssh_string *oids = NULL; ssh_string *oids = NULL;
int rc; int rc;
size_t n_oids = 0; size_t n_oids = 0;
struct ssh_tokens_st *algs = NULL; struct ssh_tokens_st *algs = NULL;
char *oid_hash = NULL; char *oid_hash = NULL;
const char *gss_algs = session->opts.gssapi_key_exchange_algs;
char *new_gss_algs = NULL; char *new_gss_algs = NULL;
char gss_kex_algs[8000] = {0}; char gss_kex_algs[8000] = {0};
OM_uint32 min_stat; OM_uint32 min_stat;
@@ -950,9 +965,11 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
} }
/* Check if algorithms are valid */ /* Check if algorithms are valid */
new_gss_algs = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs); new_gss_algs =
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);
if (gss_algs == NULL) { if (gss_algs == NULL) {
ssh_set_error(session, ssh_set_error(
session,
SSH_FATAL, SSH_FATAL,
"GSSAPI key exchange algorithms not supported or invalid"); "GSSAPI key exchange algorithms not supported or invalid");
rc = SSH_ERROR; rc = SSH_ERROR;
@@ -976,7 +993,8 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
} }
((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG; ((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG;
((unsigned char *)oids[i]->data)[1] = selected->elements[i].length; ((unsigned char *)oids[i]->data)[1] = selected->elements[i].length;
memcpy((unsigned char *)oids[i]->data + 2, selected->elements[i].elements, memcpy((unsigned char *)oids[i]->data + 2,
selected->elements[i].elements,
selected->elements[i].length); selected->elements[i].length);
/* Get the algorithm suffix */ /* Get the algorithm suffix */
@@ -991,17 +1009,17 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
* the algorithms to a string */ * the algorithms to a string */
for (j = 0; algs->tokens[j]; j++) { for (j = 0; algs->tokens[j]; j++) {
if (sizeof(gss_kex_algs) < offset) { if (sizeof(gss_kex_algs) < offset) {
ssh_set_error(session, ssh_set_error(session, SSH_FATAL, "snprintf failed");
SSH_FATAL,
"snprintf failed");
rc = SSH_ERROR; rc = SSH_ERROR;
goto out; goto out;
} }
rc = snprintf(&gss_kex_algs[offset], sizeof(gss_kex_algs)-offset, "%s%s,", algs->tokens[j], oid_hash); rc = snprintf(&gss_kex_algs[offset],
sizeof(gss_kex_algs) - offset,
"%s%s,",
algs->tokens[j],
oid_hash);
if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) { if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) {
ssh_set_error(session, ssh_set_error(session, SSH_FATAL, "snprintf failed");
SSH_FATAL,
"snprintf failed");
rc = SSH_ERROR; rc = SSH_ERROR;
goto out; goto out;
} }
@@ -1028,8 +1046,7 @@ out:
return strdup(gss_kex_algs); return strdup(gss_kex_algs);
} }
int int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
{ {
gss_buffer_desc hostname; gss_buffer_desc hostname;
char name_buf[256] = {0}; char name_buf[256] = {0};
@@ -1055,8 +1072,7 @@ ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
return maj_stat; return maj_stat;
} }
OM_uint32 OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
gss_buffer_desc *input_token, gss_buffer_desc *input_token,
gss_buffer_desc *output_token, gss_buffer_desc *output_token,
OM_uint32 *ret_flags) OM_uint32 *ret_flags)
@@ -1175,7 +1191,9 @@ out:
* @returns SSH_ERROR: A serious error happened\n * @returns SSH_ERROR: A serious error happened\n
* SSH_OK: MIC token is stored in mic_token_buf * SSH_OK: MIC token is stored in mic_token_buf
*/ */
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf) { int ssh_gssapi_auth_keyex_mic(ssh_session session,
gss_buffer_desc *mic_token_buf)
{
ssh_buffer buf = NULL; ssh_buffer buf = NULL;
gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat, min_stat; OM_uint32 maj_stat, min_stat;
@@ -1189,8 +1207,11 @@ int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_bu
mic_buf.length = ssh_buffer_get_len(buf); mic_buf.length = ssh_buffer_get_len(buf);
mic_buf.value = ssh_buffer_get(buf); mic_buf.value = ssh_buffer_get(buf);
maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT, maj_stat = gss_get_mic(&min_stat,
&mic_buf, mic_token_buf); session->gssapi->ctx,
GSS_C_QOP_DEFAULT,
&mic_buf,
mic_token_buf);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_DEBUG, ssh_gssapi_log_error(SSH_LOG_DEBUG,
"generating MIC", "generating MIC",
@@ -1273,7 +1294,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
session->gssapi->client.flags |= GSS_C_DELEG_FLAG; session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
} }
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); maj_stat =
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
goto error; goto error;
} }
@@ -1380,7 +1402,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client)
input_token.length = ssh_string_len(token); input_token.length = ssh_string_len(token);
input_token.value = ssh_string_data(token); input_token.value = ssh_string_data(token);
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL); maj_stat =
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
if (GSS_ERROR(maj_stat)) { if (GSS_ERROR(maj_stat)) {
goto error; goto error;
} }
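Review bot: In ssh_gssapi_kex_mechs the NULL check that follows `ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs)` still tests the input `gss_algs` rather than the result, so an unsupported algorithm list is not rejected there even though the same error message is used; the parallel check in options.c tests the helper's return value, and this one should read `if (new_gss_algs == NULL) {`. The reformat also keeps the truncation test in the token loop comparing `rc` with the whole buffer, `rc >= (ssize_t)sizeof(gss_kex_algs)`, while snprintf was given only `sizeof(gss_kex_algs) - offset` bytes, so a truncated tail of the algorithm list is returned silently; compare against the remaining space instead, `rc >= (ssize_t)(sizeof(gss_kex_algs) - offset)`. Both defects predate this commit; ssh_gssapi_kex_mechs starts and ends outside the visible hunks.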


@@ -825,14 +825,15 @@ int ssh_set_client_kex(ssh_session session)
return SSH_ERROR; return SSH_ERROR;
} }
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs); gssapi_algs = ssh_gssapi_kex_mechs(session);
if (gssapi_algs == NULL) { if (gssapi_algs == NULL) {
return SSH_ERROR; return SSH_ERROR;
} }
/* Prefix the default algorithms with gsskex algs */ /* Prefix the default algorithms with gsskex algs */
session->opts.wanted_methods[SSH_KEX] = session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(default_methods[SSH_KEX], gssapi_algs); ssh_prefix_without_duplicates(default_methods[SSH_KEX],
gssapi_algs);
gssapi_null_alg = true; gssapi_null_alg = true;
@@ -853,7 +854,8 @@ int ssh_set_client_kex(ssh_session session)
return SSH_ERROR; return SSH_ERROR;
} }
if (gssapi_null_alg) { if (gssapi_null_alg) {
hostkeys = ssh_append_without_duplicates(client->methods[i], "null"); hostkeys =
ssh_append_without_duplicates(client->methods[i], "null");
if (hostkeys == NULL) { if (hostkeys == NULL) {
ssh_set_error_oom(session); ssh_set_error_oom(session);
return SSH_ERROR; return SSH_ERROR;
@@ -2036,8 +2038,7 @@ error:
* @param[in] crypto The SSH crypto context * @param[in] crypto The SSH crypto context
* @return true if the KEX of the context is a GSSAPI KEX, false otherwise * @return true if the KEX of the context is a GSSAPI KEX, false otherwise
*/ */
bool bool ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
{ {
switch (crypto->kex_type) { switch (crypto->kex_type) {
case SSH_GSS_KEX_DH_GROUP14_SHA256: case SSH_GSS_KEX_DH_GROUP14_SHA256:
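Review bot: `gssapi_algs = ssh_gssapi_kex_mechs(session);` in the ssh_set_client_kex hunk changes the callee's interface (the `session->opts.gssapi_key_exchange_algs` argument is gone, presumably read from the session inside the function now), which is a functional change rather than a reformat; the same edit appears in the server_set_kex hunk of the server file, and the two ssh_packet_userauth_request hunks rewrite the `gssapi-keyex` error strings (quotes dropped, a period added), which alters a user-visible message that callers or tests may match on. Keeping such changes out of a commit titled "reformat" lets the reformat be verified as behaviour-neutral with a whitespace-insensitive diff or a clang-format dry run, and keeps bisect and blame pointing at the commit that actually changed behaviour. ssh_set_client_kex begins and ends outside the visible hunks.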


@@ -1157,7 +1157,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
if (!ssh_kex_is_gss(session->current_crypto)) { if (!ssh_kex_is_gss(session->current_crypto)) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key Exchange"); "Attempt to authenticate with gssapi-keyex without "
"doing GSSAPI Key Exchange.");
ssh_auth_reply_default(session, 0); ssh_auth_reply_default(session, 0);
goto error; goto error;
} }
@@ -1190,7 +1191,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
if (maj_stat != GSS_S_COMPLETE) { if (maj_stat != GSS_S_COMPLETE) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"Failed to verify MIC for \"gssapi-keyex\" auth"); "Failed to verify MIC for gssapi-keyex auth");
SSH_BUFFER_FREE(buf); SSH_BUFFER_FREE(buf);
SSH_STRING_FREE(mic_token_string); SSH_STRING_FREE(mic_token_string);
ssh_auth_reply_default(session, 0); ssh_auth_reply_default(session, 0);


@@ -1278,11 +1278,13 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
return -1; return -1;
} else { } else {
/* Check if algorithms are supported */ /* Check if algorithms are supported */
char *ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v); char *ret =
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v);
if (ret == NULL) { if (ret == NULL) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"GSSAPI key exchange algorithms not supported or invalid"); "GSSAPI key exchange algorithms not "
"supported or invalid");
return -1; return -1;
} }
SAFE_FREE(session->opts.gssapi_key_exchange_algs); SAFE_FREE(session->opts.gssapi_key_exchange_algs);
@@ -2332,9 +2334,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* false to disable GSSAPI key exchange. (bool) * false to disable GSSAPI key exchange. (bool)
* *
* - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS * - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS
* Set the GSSAPI key exchange method to be used (const char *, * Set the GSSAPI key exchange method to be used
* comma-separated list). ex: * (const char *, comma-separated list).
* "gss-group14-sha256-,gss-group16-sha512-" * ex: "gss-group14-sha256-,gss-group16-sha512-"
* *
* @param value The value to set. This is a generic pointer and the * @param value The value to set. This is a generic pointer and the
* datatype which should be used is described at the * datatype which should be used is described at the
@@ -2751,7 +2753,8 @@ ssh_bind_options_set(ssh_bind sshbind,
SAFE_FREE(sshbind->gssapi_key_exchange_algs); SAFE_FREE(sshbind->gssapi_key_exchange_algs);
ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value); ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value);
if (ret == NULL) { if (ret == NULL) {
ssh_set_error(sshbind, ssh_set_error(
sshbind,
SSH_REQUEST_DENIED, SSH_REQUEST_DENIED,
"GSSAPI key exchange algorithms not supported or invalid"); "GSSAPI key exchange algorithms not supported or invalid");
return -1; return -1;


@@ -657,8 +657,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
(session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) && (session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) &&
(session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) && (session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) &&
(session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) && (session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) &&
(session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) (session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) {
{
rc = SSH_PACKET_DENIED; rc = SSH_PACKET_DENIED;
break; break;
} }


@@ -28,8 +28,8 @@
#include <arpa/inet.h> #include <arpa/inet.h>
#endif #endif
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
#include <gssapi/gssapi.h>
#include "libssh/gssapi.h" #include "libssh/gssapi.h"
#include <gssapi/gssapi.h>
#endif #endif
#include "libssh/priv.h" #include "libssh/priv.h"
@@ -228,7 +228,8 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys)
rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS], rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
sig->type_c); sig->type_c);
if (rc == 0) { if (rc == 0) {
ssh_set_error(session, ssh_set_error(
session,
SSH_FATAL, SSH_FATAL,
"Public key from server (%s) doesn't match user " "Public key from server (%s) doesn't match user "
"preference (%s)", "preference (%s)",


@@ -44,23 +44,23 @@
# include <netinet/in.h> # include <netinet/in.h>
#endif #endif
#include "libssh/priv.h"
#include "libssh/libssh.h"
#include "libssh/server.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h" #include "libssh/buffer.h"
#include "libssh/packet.h"
#include "libssh/socket.h"
#include "libssh/session.h"
#include "libssh/kex.h"
#include "libssh/misc.h"
#include "libssh/pki.h"
#include "libssh/dh.h"
#include "libssh/messages.h"
#include "libssh/options.h"
#include "libssh/curve25519.h" #include "libssh/curve25519.h"
#include "libssh/token.h" #include "libssh/dh.h"
#include "libssh/gssapi.h" #include "libssh/gssapi.h"
#include "libssh/kex.h"
#include "libssh/libssh.h"
#include "libssh/messages.h"
#include "libssh/misc.h"
#include "libssh/options.h"
#include "libssh/packet.h"
#include "libssh/pki.h"
#include "libssh/priv.h"
#include "libssh/server.h"
#include "libssh/session.h"
#include "libssh/socket.h"
#include "libssh/ssh2.h"
#include "libssh/token.h"
#define set_status(session, status) do {\ #define set_status(session, status) do {\
if (session->common.callbacks && session->common.callbacks->connect_status_function) \ if (session->common.callbacks && session->common.callbacks->connect_status_function) \
@@ -154,7 +154,8 @@ int server_set_kex(ssh_session session)
if (strlen(hostkeys) != 0) { if (strlen(hostkeys) != 0) {
/* It is expected for the list of allowed hostkeys to be ordered by /* It is expected for the list of allowed hostkeys to be ordered by
* preference */ * preference */
kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys, kept =
ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
allowed); allowed);
if (kept == NULL) { if (kept == NULL) {
/* Nothing was allowed */ /* Nothing was allowed */
@@ -178,7 +179,7 @@ int server_set_kex(ssh_session session)
return SSH_ERROR; return SSH_ERROR;
} }
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs); gssapi_algs = ssh_gssapi_kex_mechs(session);
if (gssapi_algs == NULL) { if (gssapi_algs == NULL) {
return SSH_ERROR; return SSH_ERROR;
} }
@@ -186,7 +187,8 @@ int server_set_kex(ssh_session session)
/* Prefix the default algorithms with gsskex algs */ /* Prefix the default algorithms with gsskex algs */
session->opts.wanted_methods[SSH_KEX] = session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), gssapi_algs); ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX),
gssapi_algs);
if (strlen(hostkeys) == 0) { if (strlen(hostkeys) == 0) {
session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null"); session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null");
@@ -703,7 +705,9 @@ int ssh_auth_reply_default(ssh_session session,int partial) {
/* Check if GSSAPI Key exchange was performed */ /* Check if GSSAPI Key exchange was performed */
if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) { if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) {
if (ssh_kex_is_gss(session->current_crypto)) { if (ssh_kex_is_gss(session->current_crypto)) {
strncat(methods_c, "gssapi-keyex,", sizeof(methods_c) - strlen(methods_c) - 1); strncat(methods_c,
"gssapi-keyex,",
sizeof(methods_c) - strlen(methods_c) - 1);
} }
} }
if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) { if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) {


@@ -161,7 +161,8 @@ ssh_session ssh_new(void)
} }
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
session->opts.gssapi_key_exchange_algs = strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED); session->opts.gssapi_key_exchange_algs =
strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED);
if (session->opts.gssapi_key_exchange_algs == NULL) { if (session->opts.gssapi_key_exchange_algs == NULL) {
goto err; goto err;
} }


@@ -2,17 +2,16 @@
#define LIBSSH_STATIC #define LIBSSH_STATIC
#include "libssh/crypto.h"
#include "torture.h" #include "torture.h"
#include <libssh/libssh.h> #include <libssh/libssh.h>
#include "libssh/crypto.h"
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <gssapi.h> #include <gssapi.h>
#include <pwd.h> #include <pwd.h>
static int static int sshd_setup(void **state)
sshd_setup(void **state)
{ {
torture_setup_sshd_server(state, false); torture_setup_sshd_server(state, false);
torture_update_sshd_config(state, torture_update_sshd_config(state,
@@ -22,8 +21,7 @@ sshd_setup(void **state)
return 0; return 0;
} }
static int static int sshd_teardown(void **state)
sshd_teardown(void **state)
{ {
assert_non_null(state); assert_non_null(state);
@@ -32,8 +30,7 @@ sshd_teardown(void **state)
return 0; return 0;
} }
static int static int session_setup(void **state)
session_setup(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
int verbosity = torture_libssh_verbosity(); int verbosity = torture_libssh_verbosity();
@@ -62,8 +59,7 @@ session_setup(void **state)
return 0; return 0;
} }
static int static int session_teardown(void **state)
session_teardown(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
@@ -75,8 +71,7 @@ session_teardown(void **state)
return 0; return 0;
} }
static void static void torture_gssapi_key_exchange(void **state)
torture_gssapi_key_exchange(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -106,8 +101,7 @@ torture_gssapi_key_exchange(void **state)
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
static void static void torture_gssapi_key_exchange_no_tgt(void **state)
torture_gssapi_key_exchange_no_tgt(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -136,14 +130,15 @@ torture_gssapi_key_exchange_no_tgt(void **state)
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); assert_int_not_equal(session->current_crypto->kex_type,
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
static void static void torture_gssapi_key_exchange_gss_group14_sha256(void **state)
torture_gssapi_key_exchange_gss_group14_sha256(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -168,19 +163,21 @@ torture_gssapi_key_exchange_gss_group14_sha256(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-"); rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group14-sha256-");
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
static void static void torture_gssapi_key_exchange_gss_group16_sha512(void **state)
torture_gssapi_key_exchange_gss_group16_sha512(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -205,19 +202,21 @@ torture_gssapi_key_exchange_gss_group16_sha512(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-"); rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group16-sha512-");
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_true(session->current_crypto->kex_type == SSH_GSS_KEX_DH_GROUP16_SHA512); assert_true(session->current_crypto->kex_type ==
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
static void static void torture_gssapi_key_exchange_auth(void **state)
torture_gssapi_key_exchange_auth(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -251,8 +250,7 @@ torture_gssapi_key_exchange_auth(void **state)
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
static void static void torture_gssapi_key_exchange_no_auth(void **state)
torture_gssapi_key_exchange_no_auth(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -288,8 +286,7 @@ torture_gssapi_key_exchange_no_auth(void **state)
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
int int torture_run_tests(void)
torture_run_tests(void)
{ {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {
@@ -299,10 +296,12 @@ torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt, cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group14_sha256, cmocka_unit_test_setup_teardown(
torture_gssapi_key_exchange_gss_group14_sha256,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group16_sha512, cmocka_unit_test_setup_teardown(
torture_gssapi_key_exchange_gss_group16_sha512,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth, cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth,


@@ -10,8 +10,7 @@
#include <gssapi.h> #include <gssapi.h>
#include <pwd.h> #include <pwd.h>
static int static int sshd_setup(void **state)
sshd_setup(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
torture_setup_sshd_server(state, false); torture_setup_sshd_server(state, false);
@@ -39,8 +38,7 @@ sshd_setup(void **state)
return 0; return 0;
} }
static int static int sshd_teardown(void **state)
sshd_teardown(void **state)
{ {
assert_non_null(state); assert_non_null(state);
@@ -49,8 +47,7 @@ sshd_teardown(void **state)
return 0; return 0;
} }
static int static int session_setup(void **state)
session_setup(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
int verbosity = torture_libssh_verbosity(); int verbosity = torture_libssh_verbosity();
@@ -79,8 +76,7 @@ session_setup(void **state)
return 0; return 0;
} }
static int static int session_teardown(void **state)
session_teardown(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
@@ -92,8 +88,7 @@ session_teardown(void **state)
return 0; return 0;
} }
static void static void torture_gssapi_key_exchange_null(void **state)
torture_gssapi_key_exchange_null(void **state)
{ {
struct torture_state *s = *state; struct torture_state *s = *state;
ssh_session session = s->ssh.session; ssh_session session = s->ssh.session;
@@ -121,13 +116,13 @@ torture_gssapi_key_exchange_null(void **state)
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null"); assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
"null");
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
} }
int int torture_run_tests(void)
torture_run_tests(void)
{ {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {


@@ -1,13 +1,13 @@
#define _GNU_SOURCE #define _GNU_SOURCE
#include <dlfcn.h> #include <dlfcn.h>
#include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <unistd.h>
/******************************************************************************* /*******************************************************************************
* Structs * Structs
@@ -224,10 +224,11 @@ static int is_file_blocked(const char *pathname)
/* Block for torture_gssapi_server_key_exchange_null */ /* Block for torture_gssapi_server_key_exchange_null */
"/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ecdsa_key",
"/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key",
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key",
}; };
for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]); i++) { for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]);
i++) {
if (strcmp(pathname, blocked_files[i]) == 0) { if (strcmp(pathname, blocked_files[i]) == 0) {
errno = ENOENT; /* No such file or directory */ errno = ENOENT; /* No such file or directory */
return 1; return 1;


@@ -7,8 +7,8 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include "libssh/libssh.h"
#include "libssh/crypto.h" #include "libssh/crypto.h"
#include "libssh/libssh.h"
#include "torture.h" #include "torture.h"
#include "torture_key.h" #include "torture_key.h"
@@ -21,8 +21,7 @@ struct test_server_st {
char *cwd; char *cwd;
}; };
static void static void free_test_server_state(void **state)
free_test_server_state(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
@@ -30,8 +29,7 @@ free_test_server_state(void **state)
SAFE_FREE(tss); SAFE_FREE(tss);
} }
static void static void setup_config(void **state)
setup_config(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -147,8 +145,7 @@ setup_config(void **state)
*state = tss; *state = tss;
} }
static int static int setup_default_server(void **state)
setup_default_server(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -186,8 +183,7 @@ setup_default_server(void **state)
return 0; return 0;
} }
static int static int teardown_default_server(void **state)
teardown_default_server(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -212,8 +208,7 @@ teardown_default_server(void **state)
return 0; return 0;
} }
static int static int session_setup(void **state)
session_setup(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -253,8 +248,7 @@ session_setup(void **state)
return 0; return 0;
} }
static int static int session_teardown(void **state)
session_teardown(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -276,9 +270,7 @@ session_teardown(void **state)
return 0; return 0;
} }
static void torture_gssapi_server_key_exchange(void **state)
static void
torture_gssapi_server_key_exchange(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -303,7 +295,8 @@ torture_gssapi_server_key_exchange(void **state)
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n" "kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n" "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n" "kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals", "kadmin.local list_principals",
@@ -318,8 +311,7 @@ torture_gssapi_server_key_exchange(void **state)
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void static void torture_gssapi_server_key_exchange_no_tgt(void **state)
torture_gssapi_server_key_exchange_no_tgt(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -344,7 +336,8 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n" "kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n" "kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals", "kadmin.local list_principals",
@@ -357,14 +350,15 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); assert_int_not_equal(session->current_crypto->kex_type,
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void static void torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -389,7 +383,8 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n" "kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n" "kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals", "kadmin.local list_principals",
@@ -398,19 +393,21 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-"); rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group14-sha256-");
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256); assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void static void torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -435,7 +432,8 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n" "kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n" "kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals", "kadmin.local list_principals",
@@ -444,19 +442,21 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-"); rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group16-sha512-");
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(session, rc); assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512); assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void static void torture_gssapi_server_key_exchange_auth(void **state)
torture_gssapi_server_key_exchange_auth(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -499,8 +499,7 @@ torture_gssapi_server_key_exchange_auth(void **state)
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
static void static void torture_gssapi_server_key_exchange_no_auth(void **state)
torture_gssapi_server_key_exchange_no_auth(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -545,27 +544,30 @@ torture_gssapi_server_key_exchange_no_auth(void **state)
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
int int torture_run_tests(void)
torture_run_tests(void)
{ {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange, cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_tgt, cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_no_tgt,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group14_sha256, cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_gss_group14_sha256,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group16_sha512, cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_gss_group16_sha512,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth, cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_auth, cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_no_auth,
session_setup, session_setup,
session_teardown), session_teardown),
}; };


@@ -19,8 +19,7 @@ struct test_server_st {
char *cwd; char *cwd;
}; };
static void static void free_test_server_state(void **state)
free_test_server_state(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
@@ -28,8 +27,7 @@ free_test_server_state(void **state)
SAFE_FREE(tss); SAFE_FREE(tss);
} }
static void static void setup_config(void **state)
setup_config(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -105,8 +103,7 @@ setup_config(void **state)
*state = tss; *state = tss;
} }
static int static int setup_default_server(void **state)
setup_default_server(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -144,8 +141,7 @@ setup_default_server(void **state)
return 0; return 0;
} }
static int static int teardown_default_server(void **state)
teardown_default_server(void **state)
{ {
struct torture_state *s = NULL; struct torture_state *s = NULL;
struct server_state_st *ss = NULL; struct server_state_st *ss = NULL;
@@ -170,8 +166,7 @@ teardown_default_server(void **state)
return 0; return 0;
} }
static int static int session_setup(void **state)
session_setup(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -211,8 +206,7 @@ session_setup(void **state)
return 0; return 0;
} }
static int static int session_teardown(void **state)
session_teardown(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -234,9 +228,7 @@ session_teardown(void **state)
return 0; return 0;
} }
static void torture_gssapi_server_key_exchange_null(void **state)
static void
torture_gssapi_server_key_exchange_null(void **state)
{ {
struct test_server_st *tss = *state; struct test_server_st *tss = *state;
struct torture_state *s = NULL; struct torture_state *s = NULL;
@@ -261,7 +253,8 @@ torture_gssapi_server_key_exchange_null(void **state)
torture_setup_kdc_server( torture_setup_kdc_server(
(void **)&s, (void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n" "kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n" "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n" "kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals", "kadmin.local list_principals",
@@ -273,13 +266,13 @@ torture_gssapi_server_key_exchange_null(void **state)
rc = ssh_connect(session); rc = ssh_connect(session);
assert_ssh_return_code(s->ssh.session, rc); assert_ssh_return_code(s->ssh.session, rc);
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null"); assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
"null");
torture_teardown_kdc_server((void **)&s); torture_teardown_kdc_server((void **)&s);
} }
int int torture_run_tests(void)
torture_run_tests(void)
{ {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {


@@ -999,8 +999,10 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
fips_config_string, fips_config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4, second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6, second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", rsa_hostkey, "HostKey",
"HostKey", ecdsa_hostkey, rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey, trusted_ca_pubkey,
sftp_server, sftp_server,
usepam, usepam,
@@ -1012,9 +1014,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string, config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4, second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6, second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"", "", "",
"", "", "",
"", "", "",
"",
"",
"",
trusted_ca_pubkey, trusted_ca_pubkey,
sftp_server, sftp_server,
usepam, usepam,
@@ -1026,9 +1031,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string, config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4, second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6, second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", ed25519_hostkey, "HostKey",
"HostKey", rsa_hostkey, ed25519_hostkey,
"HostKey", ecdsa_hostkey, "HostKey",
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey, trusted_ca_pubkey,
sftp_server, sftp_server,
usepam, usepam,


@@ -650,7 +650,8 @@ static void torture_config_new(void ** state,
assert_string_equal(session->opts.gss_server_identity, "example.com"); assert_string_equal(session->opts.gss_server_identity, "example.com");
assert_string_equal(session->opts.gss_client_identity, "home.sweet"); assert_string_equal(session->opts.gss_client_identity, "home.sweet");
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
assert_string_equal(session->opts.gssapi_key_exchange_algs, "gss-group14-sha256-"); assert_string_equal(session->opts.gssapi_key_exchange_algs,
"gss-group14-sha256-");
#endif /* WITH_GSSAPI */ #endif /* WITH_GSSAPI */
assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE); assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE);