reformat: gssapi key exchange
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
committed by
Jakub Jelen
parent
06b61f75fa
commit
a0707afc3e
@@ -59,38 +59,38 @@ int ssh_userauth_gssapi_keyex(ssh_session session);
|
|||||||
* what was the last response from the server
|
* what was the last response from the server
|
||||||
*/
|
*/
|
||||||
enum ssh_auth_state_e {
|
enum ssh_auth_state_e {
|
||||||
/** No authentication asked */
|
/** No authentication asked */
|
||||||
SSH_AUTH_STATE_NONE=0,
|
SSH_AUTH_STATE_NONE = 0,
|
||||||
/** Last authentication response was a partial success */
|
/** Last authentication response was a partial success */
|
||||||
SSH_AUTH_STATE_PARTIAL,
|
SSH_AUTH_STATE_PARTIAL,
|
||||||
/** Last authentication response was a success */
|
/** Last authentication response was a success */
|
||||||
SSH_AUTH_STATE_SUCCESS,
|
SSH_AUTH_STATE_SUCCESS,
|
||||||
/** Last authentication response was failed */
|
/** Last authentication response was failed */
|
||||||
SSH_AUTH_STATE_FAILED,
|
SSH_AUTH_STATE_FAILED,
|
||||||
/** Last authentication was erroneous */
|
/** Last authentication was erroneous */
|
||||||
SSH_AUTH_STATE_ERROR,
|
SSH_AUTH_STATE_ERROR,
|
||||||
/** Last state was a keyboard-interactive ask for info */
|
/** Last state was a keyboard-interactive ask for info */
|
||||||
SSH_AUTH_STATE_INFO,
|
SSH_AUTH_STATE_INFO,
|
||||||
/** Last state was a public key accepted for authentication */
|
/** Last state was a public key accepted for authentication */
|
||||||
SSH_AUTH_STATE_PK_OK,
|
SSH_AUTH_STATE_PK_OK,
|
||||||
/** We asked for a keyboard-interactive authentication */
|
/** We asked for a keyboard-interactive authentication */
|
||||||
SSH_AUTH_STATE_KBDINT_SENT,
|
SSH_AUTH_STATE_KBDINT_SENT,
|
||||||
/** We have sent an userauth request with gssapi-with-mic */
|
/** We have sent an userauth request with gssapi-with-mic */
|
||||||
SSH_AUTH_STATE_GSSAPI_REQUEST_SENT,
|
SSH_AUTH_STATE_GSSAPI_REQUEST_SENT,
|
||||||
/** We are exchanging tokens until authentication */
|
/** We are exchanging tokens until authentication */
|
||||||
SSH_AUTH_STATE_GSSAPI_TOKEN,
|
SSH_AUTH_STATE_GSSAPI_TOKEN,
|
||||||
/** We have sent the MIC and expecting to be authenticated */
|
/** We have sent the MIC and expecting to be authenticated */
|
||||||
SSH_AUTH_STATE_GSSAPI_MIC_SENT,
|
SSH_AUTH_STATE_GSSAPI_MIC_SENT,
|
||||||
/** We have offered a pubkey to check if it is supported */
|
/** We have offered a pubkey to check if it is supported */
|
||||||
SSH_AUTH_STATE_PUBKEY_OFFER_SENT,
|
SSH_AUTH_STATE_PUBKEY_OFFER_SENT,
|
||||||
/** We have sent pubkey and signature expecting to be authenticated */
|
/** We have sent pubkey and signature expecting to be authenticated */
|
||||||
SSH_AUTH_STATE_PUBKEY_AUTH_SENT,
|
SSH_AUTH_STATE_PUBKEY_AUTH_SENT,
|
||||||
/** We have sent a password expecting to be authenticated */
|
/** We have sent a password expecting to be authenticated */
|
||||||
SSH_AUTH_STATE_PASSWORD_AUTH_SENT,
|
SSH_AUTH_STATE_PASSWORD_AUTH_SENT,
|
||||||
/** We have sent a request without auth information (method 'none') */
|
/** We have sent a request without auth information (method 'none') */
|
||||||
SSH_AUTH_STATE_AUTH_NONE_SENT,
|
SSH_AUTH_STATE_AUTH_NONE_SENT,
|
||||||
/** We have sent the MIC and expecting to be authenticated */
|
/** We have sent the MIC and expecting to be authenticated */
|
||||||
SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT,
|
SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT,
|
||||||
};
|
};
|
||||||
|
|
||||||
/** @internal
|
/** @internal
|
||||||
|
|||||||
@@ -29,8 +29,7 @@
|
|||||||
/* all OID begin with the tag identifier + length */
|
/* all OID begin with the tag identifier + length */
|
||||||
#define SSH_OID_TAG 06
|
#define SSH_OID_TAG 06
|
||||||
|
|
||||||
#define GSSAPI_KEY_EXCHANGE_SUPPORTED \
|
#define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-,gss-group16-sha512-,"
|
||||||
"gss-group14-sha256-,gss-group16-sha512-,"
|
|
||||||
|
|
||||||
typedef struct ssh_gssapi_struct *ssh_gssapi;
|
typedef struct ssh_gssapi_struct *ssh_gssapi;
|
||||||
|
|
||||||
@@ -82,15 +81,16 @@ int ssh_gssapi_client_identity(ssh_session session, gss_OID_set *valid_oids);
|
|||||||
char *ssh_gssapi_name_to_char(gss_name_t name);
|
char *ssh_gssapi_name_to_char(gss_name_t name);
|
||||||
int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host);
|
int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host);
|
||||||
OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
|
OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
|
||||||
gss_buffer_desc *input_token,
|
gss_buffer_desc *input_token,
|
||||||
gss_buffer_desc *output_token,
|
gss_buffer_desc *output_token,
|
||||||
OM_uint32 *ret_flags);
|
OM_uint32 *ret_flags);
|
||||||
|
|
||||||
char *ssh_gssapi_oid_hash(ssh_string oid);
|
char *ssh_gssapi_oid_hash(ssh_string oid);
|
||||||
char *ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs);
|
char *ssh_gssapi_kex_mechs(ssh_session session);
|
||||||
int ssh_gssapi_check_client_config(ssh_session session);
|
int ssh_gssapi_check_client_config(ssh_session session);
|
||||||
ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context);
|
ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context);
|
||||||
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf);
|
int ssh_gssapi_auth_keyex_mic(ssh_session session,
|
||||||
|
gss_buffer_desc *mic_token_buf);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -152,14 +152,14 @@ enum ssh_auth_e {
|
|||||||
};
|
};
|
||||||
|
|
||||||
/* auth flags */
|
/* auth flags */
|
||||||
#define SSH_AUTH_METHOD_UNKNOWN 0x0000u
|
#define SSH_AUTH_METHOD_UNKNOWN 0x0000u
|
||||||
#define SSH_AUTH_METHOD_NONE 0x0001u
|
#define SSH_AUTH_METHOD_NONE 0x0001u
|
||||||
#define SSH_AUTH_METHOD_PASSWORD 0x0002u
|
#define SSH_AUTH_METHOD_PASSWORD 0x0002u
|
||||||
#define SSH_AUTH_METHOD_PUBLICKEY 0x0004u
|
#define SSH_AUTH_METHOD_PUBLICKEY 0x0004u
|
||||||
#define SSH_AUTH_METHOD_HOSTBASED 0x0008u
|
#define SSH_AUTH_METHOD_HOSTBASED 0x0008u
|
||||||
#define SSH_AUTH_METHOD_INTERACTIVE 0x0010u
|
#define SSH_AUTH_METHOD_INTERACTIVE 0x0010u
|
||||||
#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020u
|
#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020u
|
||||||
#define SSH_AUTH_METHOD_GSSAPI_KEYEX 0x0040u
|
#define SSH_AUTH_METHOD_GSSAPI_KEYEX 0x0040u
|
||||||
|
|
||||||
/* messages */
|
/* messages */
|
||||||
enum ssh_requests_e {
|
enum ssh_requests_e {
|
||||||
|
|||||||
@@ -58,17 +58,17 @@ enum ssh_dh_state_e {
|
|||||||
};
|
};
|
||||||
|
|
||||||
enum ssh_pending_call_e {
|
enum ssh_pending_call_e {
|
||||||
SSH_PENDING_CALL_NONE = 0,
|
SSH_PENDING_CALL_NONE = 0,
|
||||||
SSH_PENDING_CALL_CONNECT,
|
SSH_PENDING_CALL_CONNECT,
|
||||||
SSH_PENDING_CALL_AUTH_NONE,
|
SSH_PENDING_CALL_AUTH_NONE,
|
||||||
SSH_PENDING_CALL_AUTH_PASSWORD,
|
SSH_PENDING_CALL_AUTH_PASSWORD,
|
||||||
SSH_PENDING_CALL_AUTH_OFFER_PUBKEY,
|
SSH_PENDING_CALL_AUTH_OFFER_PUBKEY,
|
||||||
SSH_PENDING_CALL_AUTH_PUBKEY,
|
SSH_PENDING_CALL_AUTH_PUBKEY,
|
||||||
SSH_PENDING_CALL_AUTH_AGENT,
|
SSH_PENDING_CALL_AUTH_AGENT,
|
||||||
SSH_PENDING_CALL_AUTH_KBDINT_INIT,
|
SSH_PENDING_CALL_AUTH_KBDINT_INIT,
|
||||||
SSH_PENDING_CALL_AUTH_KBDINT_SEND,
|
SSH_PENDING_CALL_AUTH_KBDINT_SEND,
|
||||||
SSH_PENDING_CALL_AUTH_GSSAPI_MIC,
|
SSH_PENDING_CALL_AUTH_GSSAPI_MIC,
|
||||||
SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX
|
SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX
|
||||||
};
|
};
|
||||||
|
|
||||||
/* libssh calls may block an undefined amount of time */
|
/* libssh calls may block an undefined amount of time */
|
||||||
|
|||||||
@@ -39,13 +39,13 @@
|
|||||||
#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
|
#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
|
||||||
#define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
|
#define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
|
||||||
|
|
||||||
#define SSH2_MSG_KEXGSS_INIT 30
|
#define SSH2_MSG_KEXGSS_INIT 30
|
||||||
#define SSH2_MSG_KEXGSS_CONTINUE 31
|
#define SSH2_MSG_KEXGSS_CONTINUE 31
|
||||||
#define SSH2_MSG_KEXGSS_COMPLETE 32
|
#define SSH2_MSG_KEXGSS_COMPLETE 32
|
||||||
#define SSH2_MSG_KEXGSS_HOSTKEY 33
|
#define SSH2_MSG_KEXGSS_HOSTKEY 33
|
||||||
#define SSH2_MSG_KEXGSS_ERROR 34
|
#define SSH2_MSG_KEXGSS_ERROR 34
|
||||||
#define SSH2_MSG_KEXGSS_GROUPREQ 40
|
#define SSH2_MSG_KEXGSS_GROUPREQ 40
|
||||||
#define SSH2_MSG_KEXGSS_GROUP 41
|
#define SSH2_MSG_KEXGSS_GROUP 41
|
||||||
|
|
||||||
#define SSH2_MSG_GLOBAL_REQUEST 80
|
#define SSH2_MSG_GLOBAL_REQUEST 80
|
||||||
#define SSH2_MSG_REQUEST_SUCCESS 81
|
#define SSH2_MSG_REQUEST_SUCCESS 81
|
||||||
|
|||||||
32
src/auth.c
32
src/auth.c
@@ -32,20 +32,19 @@
|
|||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "libssh/priv.h"
|
|
||||||
#include "libssh/crypto.h"
|
|
||||||
#include "libssh/ssh2.h"
|
|
||||||
#include "libssh/buffer.h"
|
|
||||||
#include "libssh/agent.h"
|
#include "libssh/agent.h"
|
||||||
|
#include "libssh/auth.h"
|
||||||
|
#include "libssh/buffer.h"
|
||||||
|
#include "libssh/crypto.h"
|
||||||
|
#include "libssh/gssapi.h"
|
||||||
|
#include "libssh/keys.h"
|
||||||
|
#include "libssh/legacy.h"
|
||||||
#include "libssh/misc.h"
|
#include "libssh/misc.h"
|
||||||
#include "libssh/packet.h"
|
#include "libssh/packet.h"
|
||||||
#include "libssh/session.h"
|
|
||||||
#include "libssh/keys.h"
|
|
||||||
#include "libssh/auth.h"
|
|
||||||
#include "libssh/pki.h"
|
#include "libssh/pki.h"
|
||||||
#include "libssh/gssapi.h"
|
#include "libssh/priv.h"
|
||||||
#include "libssh/legacy.h"
|
#include "libssh/session.h"
|
||||||
#include "libssh/gssapi.h"
|
#include "libssh/ssh2.h"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @defgroup libssh_auth The SSH authentication functions
|
* @defgroup libssh_auth The SSH authentication functions
|
||||||
@@ -2476,16 +2475,16 @@ int ssh_userauth_gssapi_keyex(ssh_session session)
|
|||||||
OM_uint32 min_stat;
|
OM_uint32 min_stat;
|
||||||
gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER;
|
||||||
|
|
||||||
switch(session->pending_call_state) {
|
switch (session->pending_call_state) {
|
||||||
case SSH_PENDING_CALL_NONE:
|
case SSH_PENDING_CALL_NONE:
|
||||||
break;
|
break;
|
||||||
case SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX:
|
case SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX:
|
||||||
goto pending;
|
goto pending;
|
||||||
default:
|
default:
|
||||||
ssh_set_error(session,
|
ssh_set_error(session,
|
||||||
SSH_FATAL,
|
SSH_FATAL,
|
||||||
"Wrong state (%d) during pending SSH call",
|
"Wrong state (%d) during pending SSH call",
|
||||||
session->pending_call_state);
|
session->pending_call_state);
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2493,7 +2492,8 @@ int ssh_userauth_gssapi_keyex(ssh_session session)
|
|||||||
if (!ssh_kex_is_gss(session->current_crypto)) {
|
if (!ssh_kex_is_gss(session->current_crypto)) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session,
|
||||||
SSH_FATAL,
|
SSH_FATAL,
|
||||||
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key exchange.");
|
"Attempt to authenticate with gssapi-keyex without "
|
||||||
|
"doing GSSAPI Key exchange.");
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2546,7 +2546,7 @@ pending:
|
|||||||
session->pending_call_state = SSH_PENDING_CALL_NONE;
|
session->pending_call_state = SSH_PENDING_CALL_NONE;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
(void) session; /* unused */
|
(void)session; /* unused */
|
||||||
#endif
|
#endif
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
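Review bot: The user-visible error text in ssh_userauth_gssapi_keyex changes in the third hunk, not just its layout: the old literal quoted the method name as `\"gssapi-keyex\"` and the split string drops the quotes, so anyone matching on the old message will miss it after a commit described as a reformat. Either keep the wording by making the first fragment `"Attempt to authenticate with \"gssapi-keyex\" without "`, or mention the text change in the commit message. The include hunk otherwise looks right, and dropping the second `#include "libssh/gssapi.h"` is a genuine cleanup. ssh_userauth_gssapi_keyex begins and ends outside these hunks.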
|||||||
15
src/bind.c
15
src/bind.c
@@ -247,11 +247,11 @@ int ssh_bind_listen(ssh_bind sshbind)
|
|||||||
rc = ssh_bind_import_keys(sshbind);
|
rc = ssh_bind_import_keys(sshbind);
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
if (!sshbind->gssapi_key_exchange) {
|
if (!sshbind->gssapi_key_exchange) {
|
||||||
ssh_set_error(sshbind, SSH_FATAL,
|
ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
|
||||||
"No hostkeys found");
|
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm");
|
SSH_LOG(SSH_LOG_DEBUG,
|
||||||
|
"No hostkeys found: Using \"null\" hostkey algorithm");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -473,7 +473,8 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
|
|||||||
|
|
||||||
if (sshbind->gssapi_key_exchange_algs != NULL) {
|
if (sshbind->gssapi_key_exchange_algs != NULL) {
|
||||||
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
|
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
|
||||||
session->opts.gssapi_key_exchange_algs = strdup(sshbind->gssapi_key_exchange_algs);
|
session->opts.gssapi_key_exchange_algs =
|
||||||
|
strdup(sshbind->gssapi_key_exchange_algs);
|
||||||
if (session->opts.gssapi_key_exchange_algs == NULL) {
|
if (session->opts.gssapi_key_exchange_algs == NULL) {
|
||||||
ssh_set_error_oom(sshbind);
|
ssh_set_error_oom(sshbind);
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
@@ -527,11 +528,11 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
|
|||||||
rc = ssh_bind_import_keys(sshbind);
|
rc = ssh_bind_import_keys(sshbind);
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
if (!sshbind->gssapi_key_exchange) {
|
if (!sshbind->gssapi_key_exchange) {
|
||||||
ssh_set_error(sshbind, SSH_FATAL,
|
ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
|
||||||
"No hostkeys found");
|
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm");
|
SSH_LOG(SSH_LOG_DEBUG,
|
||||||
|
"No hostkeys found: Using \"null\" hostkey algorithm");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
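Review bot: The fallback that the first hunk re-wraps, ssh_bind_listen continuing without host keys whenever `sshbind->gssapi_key_exchange` is set, is explained only by a debug-level log line, and the identical block appears again in ssh_bind_accept_fd in the third hunk. A comment above `if (!sshbind->gssapi_key_exchange) {` would make the intent reviewable, e.g. `/* Missing host keys are fatal unless GSSAPI key exchange is enabled; then the "null" hostkey algorithm is offered instead. */`. Since the two blocks are byte-for-byte the same, a small static helper called from both places would keep that comment and the behaviour in one spot. Both enclosing functions start and end outside their hunks.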
|||||||
16
src/client.c
16
src/client.c
@@ -30,15 +30,15 @@
|
|||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "libssh/priv.h"
|
|
||||||
#include "libssh/ssh2.h"
|
|
||||||
#include "libssh/buffer.h"
|
#include "libssh/buffer.h"
|
||||||
#include "libssh/packet.h"
|
|
||||||
#include "libssh/options.h"
|
|
||||||
#include "libssh/socket.h"
|
|
||||||
#include "libssh/session.h"
|
|
||||||
#include "libssh/dh.h"
|
|
||||||
#include "libssh/dh-gss.h"
|
#include "libssh/dh-gss.h"
|
||||||
|
#include "libssh/dh.h"
|
||||||
|
#include "libssh/options.h"
|
||||||
|
#include "libssh/packet.h"
|
||||||
|
#include "libssh/priv.h"
|
||||||
|
#include "libssh/session.h"
|
||||||
|
#include "libssh/socket.h"
|
||||||
|
#include "libssh/ssh2.h"
|
||||||
#ifdef WITH_GEX
|
#ifdef WITH_GEX
|
||||||
#include "libssh/dh-gex.h"
|
#include "libssh/dh-gex.h"
|
||||||
#endif /* WITH_GEX */
|
#endif /* WITH_GEX */
|
||||||
@@ -267,7 +267,7 @@ int dh_handshake(ssh_session session)
|
|||||||
|
|
||||||
switch (session->dh_handshake_state) {
|
switch (session->dh_handshake_state) {
|
||||||
case DH_STATE_INIT:
|
case DH_STATE_INIT:
|
||||||
switch(session->next_crypto->kex_type){
|
switch (session->next_crypto->kex_type) {
|
||||||
#ifdef WITH_GSSAPI
|
#ifdef WITH_GSSAPI
|
||||||
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
||||||
case SSH_GSS_KEX_DH_GROUP16_SHA512:
|
case SSH_GSS_KEX_DH_GROUP16_SHA512:
|
||||||
|
|||||||
@@ -1560,7 +1560,6 @@ static int ssh_config_parse_line_internal(ssh_session session,
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SOC_GSSAPIKEYEXCHANGE: {
|
case SOC_GSSAPIKEYEXCHANGE: {
|
||||||
bool b = false;
|
|
||||||
i = ssh_config_get_yesno(&s, -1);
|
i = ssh_config_get_yesno(&s, -1);
|
||||||
CHECK_COND_OR_FAIL(i < 0, "Invalid argument");
|
CHECK_COND_OR_FAIL(i < 0, "Invalid argument");
|
||||||
if (*parsing) {
|
if (*parsing) {
|
||||||
|
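Review bot: In the third hunk the braces around the `case SOC_GSSAPIKEYEXCHANGE: {` body seem to exist only to scope the `bool b = false;` declaration that the hunk removes; if the rest of the body, which continues outside the hunk, declares nothing else, the `{ }` can go as well so the case reads like its neighbours. Removing an unused local is also a code change rather than a reformat, so a word about it in the commit message would help later bisecting. ssh_config_parse_line_internal starts and ends outside this hunk.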
|||||||
163
src/dh-gss.c
163
src/dh-gss.c
@@ -23,22 +23,22 @@
|
|||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <gssapi/gssapi.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include "libssh/gssapi.h"
|
#include "libssh/gssapi.h"
|
||||||
|
#include <errno.h>
|
||||||
|
#include <gssapi/gssapi.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
#include "libssh/priv.h"
|
|
||||||
#include "libssh/crypto.h"
|
|
||||||
#include "libssh/buffer.h"
|
#include "libssh/buffer.h"
|
||||||
#include "libssh/session.h"
|
#include "libssh/crypto.h"
|
||||||
#include "libssh/dh.h"
|
|
||||||
#include "libssh/ssh2.h"
|
|
||||||
#include "libssh/dh-gss.h"
|
#include "libssh/dh-gss.h"
|
||||||
|
#include "libssh/dh.h"
|
||||||
|
#include "libssh/priv.h"
|
||||||
|
#include "libssh/session.h"
|
||||||
|
#include "libssh/ssh2.h"
|
||||||
|
|
||||||
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply);
|
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply);
|
||||||
|
|
||||||
static ssh_packet_callback gss_dh_client_callbacks[]= {
|
static ssh_packet_callback gss_dh_client_callbacks[] = {
|
||||||
ssh_packet_client_gss_dh_reply
|
ssh_packet_client_gss_dh_reply
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -51,7 +51,7 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callbacks = {
|
|||||||
|
|
||||||
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey);
|
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey);
|
||||||
|
|
||||||
static ssh_packet_callback gss_dh_client_callback_hostkey[]= {
|
static ssh_packet_callback gss_dh_client_callback_hostkey[] = {
|
||||||
ssh_packet_client_gss_dh_hostkey
|
ssh_packet_client_gss_dh_hostkey
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -65,7 +65,8 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callback_hostkey = {
|
|||||||
/** @internal
|
/** @internal
|
||||||
* @brief Starts gssapi key exchange
|
* @brief Starts gssapi key exchange
|
||||||
*/
|
*/
|
||||||
int ssh_client_gss_dh_init(ssh_session session){
|
int ssh_client_gss_dh_init(ssh_session session)
|
||||||
|
{
|
||||||
struct ssh_crypto_struct *crypto = session->next_crypto;
|
struct ssh_crypto_struct *crypto = session->next_crypto;
|
||||||
#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
|
#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
const_bignum pubkey;
|
const_bignum pubkey;
|
||||||
@@ -73,7 +74,8 @@ int ssh_client_gss_dh_init(ssh_session session){
|
|||||||
bignum pubkey = NULL;
|
bignum pubkey = NULL;
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
int rc;
|
int rc;
|
||||||
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
|
/* oid selected for authentication */
|
||||||
|
gss_OID_set selected = GSS_C_NO_OID_SET;
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
const char *gss_host = session->opts.host;
|
const char *gss_host = session->opts.host;
|
||||||
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
|
||||||
@@ -89,7 +91,10 @@ int ssh_client_gss_dh_init(ssh_session session){
|
|||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &pubkey);
|
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
|
||||||
|
DH_CLIENT_KEYPAIR,
|
||||||
|
NULL,
|
||||||
|
&pubkey);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@@ -114,7 +119,10 @@ int ssh_client_gss_dh_init(ssh_session session){
|
|||||||
}
|
}
|
||||||
|
|
||||||
session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
|
session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
|
||||||
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags);
|
maj_stat = ssh_gssapi_init_ctx(session->gssapi,
|
||||||
|
&input_token,
|
||||||
|
&output_token,
|
||||||
|
&oflags);
|
||||||
gss_release_oid_set(&min_stat, &selected);
|
gss_release_oid_set(&min_stat, &selected);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_WARN,
|
ssh_gssapi_log_error(SSH_LOG_WARN,
|
||||||
@@ -124,16 +132,18 @@ int ssh_client_gss_dh_init(ssh_session session){
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) {
|
if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) {
|
||||||
SSH_LOG(SSH_LOG_WARN, "GSSAPI(init) integrity and mutual flags were not set");
|
SSH_LOG(SSH_LOG_WARN,
|
||||||
|
"GSSAPI(init) integrity and mutual flags were not set");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_buffer_pack(session->out_buffer, "bdPB",
|
rc = ssh_buffer_pack(session->out_buffer,
|
||||||
SSH2_MSG_KEXGSS_INIT,
|
"bdPB",
|
||||||
output_token.length,
|
SSH2_MSG_KEXGSS_INIT,
|
||||||
(size_t)output_token.length,
|
output_token.length,
|
||||||
output_token.value,
|
(size_t)output_token.length,
|
||||||
pubkey);
|
output_token.value,
|
||||||
|
pubkey);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@@ -167,8 +177,9 @@ void ssh_client_gss_dh_remove_callback_hostkey(ssh_session session)
|
|||||||
ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey);
|
ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey);
|
||||||
}
|
}
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
|
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply)
|
||||||
struct ssh_crypto_struct *crypto=session->next_crypto;
|
{
|
||||||
|
struct ssh_crypto_struct *crypto = session->next_crypto;
|
||||||
ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL;
|
ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL;
|
||||||
uint8_t b;
|
uint8_t b;
|
||||||
bignum server_pubkey;
|
bignum server_pubkey;
|
||||||
@@ -183,25 +194,25 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
|
|||||||
|
|
||||||
ssh_client_gss_dh_remove_callbacks(session);
|
ssh_client_gss_dh_remove_callbacks(session);
|
||||||
|
|
||||||
rc = ssh_buffer_unpack(packet,
|
rc = ssh_buffer_unpack(packet, "BSbS", &server_pubkey, &mic, &b, &otoken);
|
||||||
"BSbS",
|
|
||||||
&server_pubkey,
|
|
||||||
&mic,
|
|
||||||
&b,
|
|
||||||
&otoken);
|
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
session->gssapi_key_exchange_mic = mic;
|
session->gssapi_key_exchange_mic = mic;
|
||||||
input_token.length = ssh_string_len(otoken);
|
input_token.length = ssh_string_len(otoken);
|
||||||
input_token.value = ssh_string_data(otoken);
|
input_token.value = ssh_string_data(otoken);
|
||||||
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags);
|
maj_stat = ssh_gssapi_init_ctx(session->gssapi,
|
||||||
|
&input_token,
|
||||||
|
&output_token,
|
||||||
|
&oflags);
|
||||||
if (maj_stat != GSS_S_COMPLETE) {
|
if (maj_stat != GSS_S_COMPLETE) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
SSH_STRING_FREE(otoken);
|
SSH_STRING_FREE(otoken);
|
||||||
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR,
|
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
|
||||||
NULL, server_pubkey);
|
DH_SERVER_KEYPAIR,
|
||||||
|
NULL,
|
||||||
|
server_pubkey);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
SSH_STRING_FREE(pubkey_blob);
|
SSH_STRING_FREE(pubkey_blob);
|
||||||
bignum_safe_free(server_pubkey);
|
bignum_safe_free(server_pubkey);
|
||||||
@@ -209,10 +220,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
|
|||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx,
|
rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx,
|
||||||
DH_CLIENT_KEYPAIR, DH_SERVER_KEYPAIR,
|
DH_CLIENT_KEYPAIR,
|
||||||
&session->next_crypto->shared_secret);
|
DH_SERVER_KEYPAIR,
|
||||||
|
&session->next_crypto->shared_secret);
|
||||||
ssh_dh_debug_crypto(session->next_crypto);
|
ssh_dh_debug_crypto(session->next_crypto);
|
||||||
if (rc == SSH_ERROR){
|
if (rc == SSH_ERROR) {
|
||||||
ssh_set_error(session, SSH_FATAL, "Could not generate shared secret");
|
ssh_set_error(session, SSH_FATAL, "Could not generate shared secret");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@@ -226,11 +238,12 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
|
|||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
error:
|
error:
|
||||||
ssh_dh_cleanup(session->next_crypto);
|
ssh_dh_cleanup(session->next_crypto);
|
||||||
session->session_state=SSH_SESSION_STATE_ERROR;
|
session->session_state = SSH_SESSION_STATE_ERROR;
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
}
|
}
|
||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
|
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey)
|
||||||
|
{
|
||||||
ssh_string pubkey_blob = NULL;
|
ssh_string pubkey_blob = NULL;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@@ -239,11 +252,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
|
|||||||
|
|
||||||
ssh_client_gss_dh_remove_callback_hostkey(session);
|
ssh_client_gss_dh_remove_callback_hostkey(session);
|
||||||
|
|
||||||
rc = ssh_buffer_unpack(packet,
|
rc = ssh_buffer_unpack(packet, "S", &pubkey_blob);
|
||||||
"S",
|
|
||||||
&pubkey_blob);
|
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
ssh_set_error(session, SSH_FATAL, "Invalid SSH2_MSG_KEXGSS_HOSTKEY packet");
|
ssh_set_error(session,
|
||||||
|
SSH_FATAL,
|
||||||
|
"Invalid SSH2_MSG_KEXGSS_HOSTKEY packet");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -256,7 +269,7 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
|
|||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
error:
|
error:
|
||||||
ssh_dh_cleanup(session->next_crypto);
|
ssh_dh_cleanup(session->next_crypto);
|
||||||
session->session_state=SSH_SESSION_STATE_ERROR;
|
session->session_state = SSH_SESSION_STATE_ERROR;
|
||||||
return SSH_PACKET_USED;
|
return SSH_PACKET_USED;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -272,13 +285,13 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_server_callbacks = {
|
|||||||
.start = SSH2_MSG_KEXGSS_INIT,
|
.start = SSH2_MSG_KEXGSS_INIT,
|
||||||
.n_callbacks = 1,
|
.n_callbacks = 1,
|
||||||
.callbacks = gss_dh_server_callbacks,
|
.callbacks = gss_dh_server_callbacks,
|
||||||
.user = NULL
|
.user = NULL};
|
||||||
};
|
|
||||||
|
|
||||||
/** @internal
|
/** @internal
|
||||||
* @brief sets up the gssapi kex callbacks
|
* @brief sets up the gssapi kex callbacks
|
||||||
*/
|
*/
|
||||||
void ssh_server_gss_dh_init(ssh_session session){
|
void ssh_server_gss_dh_init(ssh_session session)
|
||||||
|
{
|
||||||
/* register the packet callbacks */
|
/* register the packet callbacks */
|
||||||
ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks);
|
ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks);
|
||||||
|
|
||||||
@@ -307,7 +320,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
ssh_string server_pubkey_blob = NULL;
|
ssh_string server_pubkey_blob = NULL;
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
gss_name_t client_name = GSS_C_NO_NAME;
|
gss_name_t client_name = GSS_C_NO_NAME;
|
||||||
OM_uint32 ret_flags=0;
|
OM_uint32 ret_flags = 0;
|
||||||
gss_buffer_desc mic = GSS_C_EMPTY_BUFFER, msg = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc mic = GSS_C_EMPTY_BUFFER, msg = GSS_C_EMPTY_BUFFER;
|
||||||
char hostname[NI_MAXHOST] = {0};
|
char hostname[NI_MAXHOST] = {0};
|
||||||
char err_msg[SSH_ERRNO_MSG_MAX] = {0};
|
char err_msg[SSH_ERRNO_MSG_MAX] = {0};
|
||||||
@@ -326,8 +339,10 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR,
|
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
|
||||||
NULL, client_pubkey);
|
DH_CLIENT_KEYPAIR,
|
||||||
|
NULL,
|
||||||
|
client_pubkey);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
bignum_safe_free(client_pubkey);
|
bignum_safe_free(client_pubkey);
|
||||||
goto error;
|
goto error;
|
||||||
@@ -339,7 +354,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_dh_compute_shared_secret(crypto->dh_ctx,
|
rc = ssh_dh_compute_shared_secret(crypto->dh_ctx,
|
||||||
DH_SERVER_KEYPAIR, DH_CLIENT_KEYPAIR,
|
DH_SERVER_KEYPAIR,
|
||||||
|
DH_CLIENT_KEYPAIR,
|
||||||
&crypto->shared_secret);
|
&crypto->shared_secret);
|
||||||
ssh_dh_debug_crypto(crypto);
|
ssh_dh_debug_crypto(crypto);
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
@@ -358,7 +374,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) {
|
if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) {
|
||||||
rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
|
rc =
|
||||||
|
ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@@ -366,7 +383,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
"bS",
|
"bS",
|
||||||
SSH2_MSG_KEXGSS_HOSTKEY,
|
SSH2_MSG_KEXGSS_HOSTKEY,
|
||||||
server_pubkey_blob);
|
server_pubkey_blob);
|
||||||
if(rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
ssh_buffer_reinit(session->out_buffer);
|
ssh_buffer_reinit(session->out_buffer);
|
||||||
goto error;
|
goto error;
|
||||||
@@ -380,9 +397,11 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
SSH_STRING_FREE(server_pubkey_blob);
|
SSH_STRING_FREE(server_pubkey_blob);
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR,
|
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
|
||||||
NULL, &server_pubkey);
|
DH_SERVER_KEYPAIR,
|
||||||
if (rc != SSH_OK){
|
NULL,
|
||||||
|
&server_pubkey);
|
||||||
|
if (rc != SSH_OK) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -404,9 +423,14 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0,
|
maj_stat = gss_acquire_cred(&min_stat,
|
||||||
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
|
session->gssapi->client.server_name,
|
||||||
&session->gssapi->server_creds, NULL, NULL);
|
0,
|
||||||
|
GSS_C_NO_OID_SET,
|
||||||
|
GSS_C_ACCEPT,
|
||||||
|
&session->gssapi->server_creds,
|
||||||
|
NULL,
|
||||||
|
NULL);
|
||||||
if (maj_stat != GSS_S_COMPLETE) {
|
if (maj_stat != GSS_S_COMPLETE) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_TRACE,
|
ssh_gssapi_log_error(SSH_LOG_TRACE,
|
||||||
"acquiring credentials",
|
"acquiring credentials",
|
||||||
@@ -415,9 +439,17 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = gss_accept_sec_context(&min_stat, &session->gssapi->ctx, session->gssapi->server_creds,
|
maj_stat = gss_accept_sec_context(&min_stat,
|
||||||
&input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL /*mech_oid*/, &output_token, &ret_flags,
|
&session->gssapi->ctx,
|
||||||
NULL /*time*/, &session->gssapi->client_creds);
|
session->gssapi->server_creds,
|
||||||
|
&input_token,
|
||||||
|
GSS_C_NO_CHANNEL_BINDINGS,
|
||||||
|
&client_name,
|
||||||
|
NULL /*mech_oid*/,
|
||||||
|
&output_token,
|
||||||
|
&ret_flags,
|
||||||
|
NULL /*time*/,
|
||||||
|
&session->gssapi->client_creds);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
||||||
"accepting token failed",
|
"accepting token failed",
|
||||||
@@ -428,7 +460,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
SSH_STRING_FREE(otoken);
|
SSH_STRING_FREE(otoken);
|
||||||
gss_release_name(&min_stat, &client_name);
|
gss_release_name(&min_stat, &client_name);
|
||||||
if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) {
|
if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) {
|
||||||
SSH_LOG(SSH_LOG_WARN, "GSSAPI(accept) integrity and mutual flags were not set");
|
SSH_LOG(SSH_LOG_WARN,
|
||||||
|
"GSSAPI(accept) integrity and mutual flags were not set");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "token accepted");
|
SSH_LOG(SSH_LOG_DEBUG, "token accepted");
|
||||||
@@ -448,7 +481,6 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
rc = ssh_buffer_pack(session->out_buffer,
|
rc = ssh_buffer_pack(session->out_buffer,
|
||||||
"bBdPbdP",
|
"bBdPbdP",
|
||||||
SSH2_MSG_KEXGSS_COMPLETE,
|
SSH2_MSG_KEXGSS_COMPLETE,
|
||||||
@@ -463,7 +495,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
#if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
|
#if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
bignum_safe_free(server_pubkey);
|
bignum_safe_free(server_pubkey);
|
||||||
#endif
|
#endif
|
||||||
if(rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
ssh_buffer_reinit(session->out_buffer);
|
ssh_buffer_reinit(session->out_buffer);
|
||||||
goto error;
|
goto error;
|
||||||
@@ -478,7 +510,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
|
|||||||
}
|
}
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "Sent SSH2_MSG_KEXGSS_COMPLETE");
|
SSH_LOG(SSH_LOG_DEBUG, "Sent SSH2_MSG_KEXGSS_COMPLETE");
|
||||||
|
|
||||||
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
|
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
|
||||||
/* Send the MSG_NEWKEYS */
|
/* Send the MSG_NEWKEYS */
|
||||||
rc = ssh_packet_send_newkeys(session);
|
rc = ssh_packet_send_newkeys(session);
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
@@ -501,7 +533,8 @@ error:
|
|||||||
* @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete
|
* @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete
|
||||||
* Diffie-Hellman key exchange
|
* Diffie-Hellman key exchange
|
||||||
**/
|
**/
|
||||||
static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init){
|
static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init)
|
||||||
|
{
|
||||||
(void)type;
|
(void)type;
|
||||||
(void)user;
|
(void)user;
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT");
|
SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT");
|
||||||
|
|||||||
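--- a/src/dh.c
+++ b/src/dh.c
@@ -27,8 +27,8 @@
 
 #include <stdio.h>
 #ifdef WITH_GSSAPI
-#include <gssapi/gssapi.h>
 #include "libssh/gssapi.h"
+#include <gssapi/gssapi.h>
 #endif
 
 #include "libssh/priv.h"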
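Review bot: Moving `#include "libssh/gssapi.h"` ahead of `#include <gssapi/gssapi.h>` inside the WITH_GSSAPI block only compiles if libssh/gssapi.h is self-contained and pulls in the GSSAPI types it uses by itself; that header is not in view, so please confirm it does before relying on the new order. The same reorder is applied in the later `#ifdef WITH_GSSAPI` block under `@@ -28,8 +28,8 @@` (its file header is not shown), so both hunks stand or fall together. If libssh/gssapi.h does not include gssapi/gssapi.h, either keep the system header first or add the include to the project header rather than depending on include order in each translation unit.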
|||||||
153
src/gssapi.c
153
src/gssapi.c
@@ -21,23 +21,23 @@
|
|||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <errno.h>
|
|
||||||
#ifdef HAVE_UNISTD_H
|
#ifdef HAVE_UNISTD_H
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <gssapi/gssapi.h>
|
#include <gssapi/gssapi.h>
|
||||||
|
|
||||||
|
#include <libssh/buffer.h>
|
||||||
|
#include <libssh/callbacks.h>
|
||||||
|
#include <libssh/crypto.h>
|
||||||
#include <libssh/gssapi.h>
|
#include <libssh/gssapi.h>
|
||||||
#include <libssh/libssh.h>
|
#include <libssh/libssh.h>
|
||||||
#include <libssh/ssh2.h>
|
|
||||||
#include <libssh/buffer.h>
|
|
||||||
#include <libssh/crypto.h>
|
|
||||||
#include <libssh/callbacks.h>
|
|
||||||
#include <libssh/string.h>
|
|
||||||
#include <libssh/server.h>
|
#include <libssh/server.h>
|
||||||
|
#include <libssh/ssh2.h>
|
||||||
|
#include <libssh/string.h>
|
||||||
#include <libssh/token.h>
|
#include <libssh/token.h>
|
||||||
|
|
||||||
static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
|
static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
|
||||||
@@ -155,8 +155,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid)
|
|||||||
* @param[out] selected OID set of supported oids
|
* @param[out] selected OID set of supported oids
|
||||||
* @returns SSH_OK if successful, SSH_ERROR otherwise
|
* @returns SSH_OK if successful, SSH_ERROR otherwise
|
||||||
*/
|
*/
|
||||||
int
|
int ssh_gssapi_server_oids(gss_OID_set *selected)
|
||||||
ssh_gssapi_server_oids(gss_OID_set *selected)
|
|
||||||
{
|
{
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
size_t i;
|
size_t i;
|
||||||
@@ -172,11 +171,14 @@ ssh_gssapi_server_oids(gss_OID_set *selected)
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i=0; i < supported->count; ++i){
|
for (i = 0; i < supported->count; ++i) {
|
||||||
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length);
|
ptr = ssh_get_hexa(supported->elements[i].elements,
|
||||||
|
supported->elements[i].length);
|
||||||
/* According to RFC 4462 we MUST NOT use SPNEGO */
|
/* According to RFC 4462 we MUST NOT use SPNEGO */
|
||||||
if (supported->elements[i].length == spnego_oid.length &&
|
if (supported->elements[i].length == spnego_oid.length &&
|
||||||
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) {
|
memcmp(supported->elements[i].elements,
|
||||||
|
spnego_oid.elements,
|
||||||
|
supported->elements[i].length) == 0) {
|
||||||
SAFE_FREE(ptr);
|
SAFE_FREE(ptr);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -289,9 +291,14 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0,
|
maj_stat = gss_acquire_cred(&min_stat,
|
||||||
both_supported, GSS_C_ACCEPT,
|
session->gssapi->client.server_name,
|
||||||
&session->gssapi->server_creds, &selected, NULL);
|
0,
|
||||||
|
both_supported,
|
||||||
|
GSS_C_ACCEPT,
|
||||||
|
&session->gssapi->server_creds,
|
||||||
|
&selected,
|
||||||
|
NULL);
|
||||||
gss_release_oid_set(&min_stat, &both_supported);
|
gss_release_oid_set(&min_stat, &both_supported);
|
||||||
if (maj_stat != GSS_S_COMPLETE) {
|
if (maj_stat != GSS_S_COMPLETE) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_TRACE,
|
ssh_gssapi_log_error(SSH_LOG_TRACE,
|
||||||
@@ -477,7 +484,8 @@ ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context)
|
|||||||
rc = ssh_buffer_pack(mic_buffer,
|
rc = ssh_buffer_pack(mic_buffer,
|
||||||
"dPbsss",
|
"dPbsss",
|
||||||
crypto->session_id_len,
|
crypto->session_id_len,
|
||||||
crypto->session_id_len, crypto->session_id,
|
crypto->session_id_len,
|
||||||
|
crypto->session_id,
|
||||||
SSH2_MSG_USERAUTH_REQUEST,
|
SSH2_MSG_USERAUTH_REQUEST,
|
||||||
session->gssapi->user,
|
session->gssapi->user,
|
||||||
"ssh-connection",
|
"ssh-connection",
|
||||||
@@ -655,8 +663,7 @@ fail:
|
|||||||
*
|
*
|
||||||
* @returns the hash or NULL on error
|
* @returns the hash or NULL on error
|
||||||
*/
|
*/
|
||||||
char *
|
char *ssh_gssapi_oid_hash(ssh_string oid)
|
||||||
ssh_gssapi_oid_hash(ssh_string oid)
|
|
||||||
{
|
{
|
||||||
MD5CTX ctx = NULL;
|
MD5CTX ctx = NULL;
|
||||||
unsigned char *h = NULL;
|
unsigned char *h = NULL;
|
||||||
@@ -674,9 +681,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = md5_update(ctx,
|
rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid));
|
||||||
ssh_string_data(oid),
|
|
||||||
ssh_string_len(oid));
|
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
SAFE_FREE(h);
|
SAFE_FREE(h);
|
||||||
md5_ctx_free(ctx);
|
md5_ctx_free(ctx);
|
||||||
@@ -700,8 +705,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
|
|||||||
*
|
*
|
||||||
* @returns SSH_OK if any one of the mechanisms is configured or NULL
|
* @returns SSH_OK if any one of the mechanisms is configured or NULL
|
||||||
*/
|
*/
|
||||||
int
|
int ssh_gssapi_check_client_config(ssh_session session)
|
||||||
ssh_gssapi_check_client_config(ssh_session session)
|
|
||||||
{
|
{
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
size_t i;
|
size_t i;
|
||||||
@@ -725,7 +729,7 @@ ssh_gssapi_check_client_config(ssh_session session)
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < supported->count; ++i){
|
for (i = 0; i < supported->count; ++i) {
|
||||||
gssapi = calloc(1, sizeof(struct ssh_gssapi_struct));
|
gssapi = calloc(1, sizeof(struct ssh_gssapi_struct));
|
||||||
if (gssapi == NULL) {
|
if (gssapi == NULL) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
@@ -738,7 +742,9 @@ ssh_gssapi_check_client_config(ssh_session session)
|
|||||||
|
|
||||||
/* According to RFC 4462 we MUST NOT use SPNEGO */
|
/* According to RFC 4462 we MUST NOT use SPNEGO */
|
||||||
if (supported->elements[i].length == spnego_oid.length &&
|
if (supported->elements[i].length == spnego_oid.length &&
|
||||||
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) {
|
memcmp(supported->elements[i].elements,
|
||||||
|
spnego_oid.elements,
|
||||||
|
supported->elements[i].length) == 0) {
|
||||||
ret = SSH_ERROR;
|
ret = SSH_ERROR;
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@@ -750,18 +756,24 @@ ssh_gssapi_check_client_config(ssh_session session)
|
|||||||
namebuf.value = (void *)session->opts.gss_client_identity;
|
namebuf.value = (void *)session->opts.gss_client_identity;
|
||||||
namebuf.length = strlen(session->opts.gss_client_identity);
|
namebuf.length = strlen(session->opts.gss_client_identity);
|
||||||
|
|
||||||
maj_stat = gss_import_name(&min_stat, &namebuf,
|
maj_stat = gss_import_name(&min_stat,
|
||||||
GSS_C_NT_USER_NAME, &client_id);
|
&namebuf,
|
||||||
|
GSS_C_NT_USER_NAME,
|
||||||
|
&client_id);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ret = SSH_ERROR;
|
ret = SSH_ERROR;
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = gss_acquire_cred(&min_stat, client_id, GSS_C_INDEFINITE,
|
maj_stat = gss_acquire_cred(&min_stat,
|
||||||
one_oidset, GSS_C_INITIATE,
|
client_id,
|
||||||
|
GSS_C_INDEFINITE,
|
||||||
|
one_oidset,
|
||||||
|
GSS_C_INITIATE,
|
||||||
&gssapi->client.creds,
|
&gssapi->client.creds,
|
||||||
NULL, NULL);
|
NULL,
|
||||||
|
NULL);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_WARN,
|
ssh_gssapi_log_error(SSH_LOG_WARN,
|
||||||
"acquiring credential",
|
"acquiring credential",
|
||||||
@@ -776,7 +788,8 @@ ssh_gssapi_check_client_config(ssh_session session)
|
|||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags);
|
maj_stat =
|
||||||
|
ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_WARN,
|
ssh_gssapi_log_error(SSH_LOG_WARN,
|
||||||
"initializing context",
|
"initializing context",
|
||||||
@@ -786,14 +799,15 @@ ssh_gssapi_check_client_config(ssh_session session)
|
|||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length);
|
ptr = ssh_get_hexa(supported->elements[i].elements,
|
||||||
|
supported->elements[i].length);
|
||||||
SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr);
|
SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr);
|
||||||
free(ptr);
|
free(ptr);
|
||||||
|
|
||||||
/* If atleast one mechanism is configured then return successfully */
|
/* If atleast one mechanism is configured then return successfully */
|
||||||
ret = SSH_OK;
|
ret = SSH_OK;
|
||||||
|
|
||||||
end:
|
end:
|
||||||
if (ret == SSH_ERROR) {
|
if (ret == SSH_ERROR) {
|
||||||
SSH_LOG(SSH_LOG_WARN, "GSSAPI not configured correctly");
|
SSH_LOG(SSH_LOG_WARN, "GSSAPI not configured correctly");
|
||||||
}
|
}
|
||||||
@@ -802,8 +816,8 @@ end:
|
|||||||
gss_release_oid_set(&min_stat, &one_oidset);
|
gss_release_oid_set(&min_stat, &one_oidset);
|
||||||
|
|
||||||
gss_release_name(&min_stat, &gssapi->client.server_name);
|
gss_release_name(&min_stat, &gssapi->client.server_name);
|
||||||
gss_release_cred(&min_stat,&gssapi->server_creds);
|
gss_release_cred(&min_stat, &gssapi->server_creds);
|
||||||
gss_release_cred(&min_stat,&gssapi->client.creds);
|
gss_release_cred(&min_stat, &gssapi->client.creds);
|
||||||
gss_release_oid(&min_stat, &gssapi->client.oid);
|
gss_release_oid(&min_stat, &gssapi->client.oid);
|
||||||
gss_release_buffer(&min_stat, &output_token);
|
gss_release_buffer(&min_stat, &output_token);
|
||||||
gss_delete_sec_context(&min_stat, &gssapi->ctx, GSS_C_NO_BUFFER);
|
gss_delete_sec_context(&min_stat, &gssapi->ctx, GSS_C_NO_BUFFER);
|
||||||
@@ -909,16 +923,17 @@ end:
|
|||||||
* @param[in] session current session handler
|
* @param[in] session current session handler
|
||||||
* @returns string suffixed kex algorithms or NULL on error
|
* @returns string suffixed kex algorithms or NULL on error
|
||||||
*/
|
*/
|
||||||
char *
|
char *ssh_gssapi_kex_mechs(ssh_session session)
|
||||||
ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
|
|
||||||
{
|
{
|
||||||
size_t i,j;
|
size_t i, j;
|
||||||
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
|
/* oid selected for authentication */
|
||||||
|
gss_OID_set selected = GSS_C_NO_OID_SET;
|
||||||
ssh_string *oids = NULL;
|
ssh_string *oids = NULL;
|
||||||
int rc;
|
int rc;
|
||||||
size_t n_oids = 0;
|
size_t n_oids = 0;
|
||||||
struct ssh_tokens_st *algs = NULL;
|
struct ssh_tokens_st *algs = NULL;
|
||||||
char *oid_hash = NULL;
|
char *oid_hash = NULL;
|
||||||
|
const char *gss_algs = session->opts.gssapi_key_exchange_algs;
|
||||||
char *new_gss_algs = NULL;
|
char *new_gss_algs = NULL;
|
||||||
char gss_kex_algs[8000] = {0};
|
char gss_kex_algs[8000] = {0};
|
||||||
OM_uint32 min_stat;
|
OM_uint32 min_stat;
|
||||||
@@ -950,11 +965,13 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Check if algorithms are valid */
|
/* Check if algorithms are valid */
|
||||||
new_gss_algs = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);
|
new_gss_algs =
|
||||||
|
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);
|
||||||
if (gss_algs == NULL) {
|
if (gss_algs == NULL) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(
|
||||||
SSH_FATAL,
|
session,
|
||||||
"GSSAPI key exchange algorithms not supported or invalid");
|
SSH_FATAL,
|
||||||
|
"GSSAPI key exchange algorithms not supported or invalid");
|
||||||
rc = SSH_ERROR;
|
rc = SSH_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -967,7 +984,7 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
|
|||||||
rc = SSH_ERROR;
|
rc = SSH_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
for (i=0; i<n_oids; ++i){
|
for (i = 0; i < n_oids; ++i) {
|
||||||
oids[i] = ssh_string_new(selected->elements[i].length + 2);
|
oids[i] = ssh_string_new(selected->elements[i].length + 2);
|
||||||
if (oids[i] == NULL) {
|
if (oids[i] == NULL) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
@@ -976,8 +993,9 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
|
|||||||
}
|
}
|
||||||
((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG;
|
((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG;
|
||||||
((unsigned char *)oids[i]->data)[1] = selected->elements[i].length;
|
((unsigned char *)oids[i]->data)[1] = selected->elements[i].length;
|
||||||
memcpy((unsigned char *)oids[i]->data + 2, selected->elements[i].elements,
|
memcpy((unsigned char *)oids[i]->data + 2,
|
||||||
selected->elements[i].length);
|
selected->elements[i].elements,
|
||||||
|
selected->elements[i].length);
|
||||||
|
|
||||||
/* Get the algorithm suffix */
|
/* Get the algorithm suffix */
|
||||||
oid_hash = ssh_gssapi_oid_hash(oids[i]);
|
oid_hash = ssh_gssapi_oid_hash(oids[i]);
|
||||||
@@ -991,17 +1009,17 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
|
|||||||
* the algorithms to a string */
|
* the algorithms to a string */
|
||||||
for (j = 0; algs->tokens[j]; j++) {
|
for (j = 0; algs->tokens[j]; j++) {
|
||||||
if (sizeof(gss_kex_algs) < offset) {
|
if (sizeof(gss_kex_algs) < offset) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session, SSH_FATAL, "snprintf failed");
|
||||||
SSH_FATAL,
|
|
||||||
"snprintf failed");
|
|
||||||
rc = SSH_ERROR;
|
rc = SSH_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
rc = snprintf(&gss_kex_algs[offset], sizeof(gss_kex_algs)-offset, "%s%s,", algs->tokens[j], oid_hash);
|
rc = snprintf(&gss_kex_algs[offset],
|
||||||
|
sizeof(gss_kex_algs) - offset,
|
||||||
|
"%s%s,",
|
||||||
|
algs->tokens[j],
|
||||||
|
oid_hash);
|
||||||
if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) {
|
if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session, SSH_FATAL, "snprintf failed");
|
||||||
SSH_FATAL,
|
|
||||||
"snprintf failed");
|
|
||||||
rc = SSH_ERROR;
|
rc = SSH_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1028,8 +1046,7 @@ out:
|
|||||||
return strdup(gss_kex_algs);
|
return strdup(gss_kex_algs);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
|
||||||
ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
|
|
||||||
{
|
{
|
||||||
gss_buffer_desc hostname;
|
gss_buffer_desc hostname;
|
||||||
char name_buf[256] = {0};
|
char name_buf[256] = {0};
|
||||||
@@ -1055,11 +1072,10 @@ ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
|
|||||||
return maj_stat;
|
return maj_stat;
|
||||||
}
|
}
|
||||||
|
|
||||||
OM_uint32
|
OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
|
||||||
ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
|
gss_buffer_desc *input_token,
|
||||||
gss_buffer_desc *input_token,
|
gss_buffer_desc *output_token,
|
||||||
gss_buffer_desc *output_token,
|
OM_uint32 *ret_flags)
|
||||||
OM_uint32 *ret_flags)
|
|
||||||
{
|
{
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
|
|
||||||
@@ -1175,7 +1191,9 @@ out:
|
|||||||
* @returns SSH_ERROR: A serious error happened\n
|
* @returns SSH_ERROR: A serious error happened\n
|
||||||
* SSH_OK: MIC token is stored in mic_token_buf
|
* SSH_OK: MIC token is stored in mic_token_buf
|
||||||
*/
|
*/
|
||||||
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf) {
|
int ssh_gssapi_auth_keyex_mic(ssh_session session,
|
||||||
|
gss_buffer_desc *mic_token_buf)
|
||||||
|
{
|
||||||
ssh_buffer buf = NULL;
|
ssh_buffer buf = NULL;
|
||||||
gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER;
|
gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER;
|
||||||
OM_uint32 maj_stat, min_stat;
|
OM_uint32 maj_stat, min_stat;
|
||||||
@@ -1189,8 +1207,11 @@ int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_bu
|
|||||||
mic_buf.length = ssh_buffer_get_len(buf);
|
mic_buf.length = ssh_buffer_get_len(buf);
|
||||||
mic_buf.value = ssh_buffer_get(buf);
|
mic_buf.value = ssh_buffer_get(buf);
|
||||||
|
|
||||||
maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT,
|
maj_stat = gss_get_mic(&min_stat,
|
||||||
&mic_buf, mic_token_buf);
|
session->gssapi->ctx,
|
||||||
|
GSS_C_QOP_DEFAULT,
|
||||||
|
&mic_buf,
|
||||||
|
mic_token_buf);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
ssh_gssapi_log_error(SSH_LOG_DEBUG,
|
||||||
"generating MIC",
|
"generating MIC",
|
||||||
@@ -1273,8 +1294,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
|
|||||||
session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
|
session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
|
||||||
}
|
}
|
||||||
|
|
||||||
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
|
maj_stat =
|
||||||
if (GSS_ERROR(maj_stat)){
|
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
|
||||||
|
if (GSS_ERROR(maj_stat)) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1380,7 +1402,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client)
|
|||||||
|
|
||||||
input_token.length = ssh_string_len(token);
|
input_token.length = ssh_string_len(token);
|
||||||
input_token.value = ssh_string_data(token);
|
input_token.value = ssh_string_data(token);
|
||||||
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
|
maj_stat =
|
||||||
|
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
|
||||||
if (GSS_ERROR(maj_stat)) {
|
if (GSS_ERROR(maj_stat)) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
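Review bot: In ssh_gssapi_kex_mechs the check right after `new_gss_algs = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);` still tests the input (`if (gss_algs == NULL)`) rather than the result, so an unsupported or invalid algorithm list is not rejected here and a NULL new_gss_algs flows on; the same commit uses the intended pattern in ssh_options_set (`ret = ssh_find_all_matching(...)` followed by `if (ret == NULL)`), so this line should read `if (new_gss_algs == NULL) {`. In the same function the truncation test `if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs))` follows an snprintf whose size is `sizeof(gss_kex_algs) - offset`, so once offset is non-zero a truncated entry is not detected and the kex name list can be cut mid-name; compare against `(ssize_t)(sizeof(gss_kex_algs) - offset)` instead. Dropping the gss_algs parameter and reading session->opts.gssapi_key_exchange_algs inside the function is a signature change rather than a reformat and deserves a mention in the commit message, with the header declaration updated in the same commit (not in view here). ssh_gssapi_kex_mechs continues outside the hunks shown.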
|||||||
13
src/kex.c
13
src/kex.c
@@ -825,14 +825,15 @@ int ssh_set_client_kex(ssh_session session)
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
|
gssapi_algs = ssh_gssapi_kex_mechs(session);
|
||||||
if (gssapi_algs == NULL) {
|
if (gssapi_algs == NULL) {
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Prefix the default algorithms with gsskex algs */
|
/* Prefix the default algorithms with gsskex algs */
|
||||||
session->opts.wanted_methods[SSH_KEX] =
|
session->opts.wanted_methods[SSH_KEX] =
|
||||||
ssh_prefix_without_duplicates(default_methods[SSH_KEX], gssapi_algs);
|
ssh_prefix_without_duplicates(default_methods[SSH_KEX],
|
||||||
|
gssapi_algs);
|
||||||
|
|
||||||
gssapi_null_alg = true;
|
gssapi_null_alg = true;
|
||||||
|
|
||||||
@@ -853,7 +854,8 @@ int ssh_set_client_kex(ssh_session session)
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
if (gssapi_null_alg) {
|
if (gssapi_null_alg) {
|
||||||
hostkeys = ssh_append_without_duplicates(client->methods[i], "null");
|
hostkeys =
|
||||||
|
ssh_append_without_duplicates(client->methods[i], "null");
|
||||||
if (hostkeys == NULL) {
|
if (hostkeys == NULL) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
@@ -1490,7 +1492,7 @@ int ssh_make_sessionid(ssh_session session)
|
|||||||
|
|
||||||
if (server_pubkey_blob == NULL) {
|
if (server_pubkey_blob == NULL) {
|
||||||
if ((session->server && ssh_kex_is_gss(session->next_crypto)) ||
|
if ((session->server && ssh_kex_is_gss(session->next_crypto)) ||
|
||||||
session->opts.gssapi_key_exchange) {
|
session->opts.gssapi_key_exchange) {
|
||||||
server_pubkey_blob = ssh_string_new(0);
|
server_pubkey_blob = ssh_string_new(0);
|
||||||
if (server_pubkey_blob == NULL) {
|
if (server_pubkey_blob == NULL) {
|
||||||
ssh_set_error_oom(session);
|
ssh_set_error_oom(session);
|
||||||
@@ -2036,8 +2038,7 @@ error:
|
|||||||
* @param[in] crypto The SSH crypto context
|
* @param[in] crypto The SSH crypto context
|
||||||
* @return true if the KEX of the context is a GSSAPI KEX, false otherwise
|
* @return true if the KEX of the context is a GSSAPI KEX, false otherwise
|
||||||
*/
|
*/
|
||||||
bool
|
bool ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
|
||||||
ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
|
|
||||||
{
|
{
|
||||||
switch (crypto->kex_type) {
|
switch (crypto->kex_type) {
|
||||||
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
||||||
|
|||||||
@@ -1157,13 +1157,14 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
|
|||||||
if (!ssh_kex_is_gss(session->current_crypto)) {
|
if (!ssh_kex_is_gss(session->current_crypto)) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session,
|
||||||
SSH_FATAL,
|
SSH_FATAL,
|
||||||
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key Exchange");
|
"Attempt to authenticate with gssapi-keyex without "
|
||||||
|
"doing GSSAPI Key Exchange.");
|
||||||
ssh_auth_reply_default(session, 0);
|
ssh_auth_reply_default(session, 0);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_buffer_unpack(packet, "S", &mic_token_string);
|
rc = ssh_buffer_unpack(packet, "S", &mic_token_string);
|
||||||
if (rc != SSH_OK){
|
if (rc != SSH_OK) {
|
||||||
ssh_auth_reply_default(session, 0);
|
ssh_auth_reply_default(session, 0);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@@ -1190,7 +1191,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
|
|||||||
if (maj_stat != GSS_S_COMPLETE) {
|
if (maj_stat != GSS_S_COMPLETE) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session,
|
||||||
SSH_FATAL,
|
SSH_FATAL,
|
||||||
"Failed to verify MIC for \"gssapi-keyex\" auth");
|
"Failed to verify MIC for gssapi-keyex auth");
|
||||||
SSH_BUFFER_FREE(buf);
|
SSH_BUFFER_FREE(buf);
|
||||||
SSH_STRING_FREE(mic_token_string);
|
SSH_STRING_FREE(mic_token_string);
|
||||||
ssh_auth_reply_default(session, 0);
|
ssh_auth_reply_default(session, 0);
|
||||||
|
|||||||
@@ -1278,11 +1278,13 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
|||||||
return -1;
|
return -1;
|
||||||
} else {
|
} else {
|
||||||
/* Check if algorithms are supported */
|
/* Check if algorithms are supported */
|
||||||
char *ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v);
|
char *ret =
|
||||||
|
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v);
|
||||||
if (ret == NULL) {
|
if (ret == NULL) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(session,
|
||||||
SSH_FATAL,
|
SSH_FATAL,
|
||||||
"GSSAPI key exchange algorithms not supported or invalid");
|
"GSSAPI key exchange algorithms not "
|
||||||
|
"supported or invalid");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
|
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
|
||||||
@@ -2332,9 +2334,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
|
|||||||
* false to disable GSSAPI key exchange. (bool)
|
* false to disable GSSAPI key exchange. (bool)
|
||||||
*
|
*
|
||||||
* - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS
|
* - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS
|
||||||
* Set the GSSAPI key exchange method to be used (const char *,
|
* Set the GSSAPI key exchange method to be used
|
||||||
* comma-separated list). ex:
|
* (const char *, comma-separated list).
|
||||||
* "gss-group14-sha256-,gss-group16-sha512-"
|
* ex: "gss-group14-sha256-,gss-group16-sha512-"
|
||||||
*
|
*
|
||||||
* @param value The value to set. This is a generic pointer and the
|
* @param value The value to set. This is a generic pointer and the
|
||||||
* datatype which should be used is described at the
|
* datatype which should be used is described at the
|
||||||
@@ -2751,9 +2753,10 @@ ssh_bind_options_set(ssh_bind sshbind,
|
|||||||
SAFE_FREE(sshbind->gssapi_key_exchange_algs);
|
SAFE_FREE(sshbind->gssapi_key_exchange_algs);
|
||||||
ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value);
|
ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value);
|
||||||
if (ret == NULL) {
|
if (ret == NULL) {
|
||||||
ssh_set_error(sshbind,
|
ssh_set_error(
|
||||||
SSH_REQUEST_DENIED,
|
sshbind,
|
||||||
"GSSAPI key exchange algorithms not supported or invalid");
|
SSH_REQUEST_DENIED,
|
||||||
|
"GSSAPI key exchange algorithms not supported or invalid");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
sshbind->gssapi_key_exchange_algs = ret;
|
sshbind->gssapi_key_exchange_algs = ret;
|
||||||
|
|||||||
39
src/packet.c
39
src/packet.c
@@ -428,15 +428,15 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
|
|||||||
/* Client only */
|
/* Client only */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* States required:
|
* States required:
|
||||||
* - session_state == SSH_SESSION_STATE_DH
|
* - session_state == SSH_SESSION_STATE_DH
|
||||||
* - dh_handshake_state == DH_STATE_INIT_SENT
|
* - dh_handshake_state == DH_STATE_INIT_SENT
|
||||||
*
|
*
|
||||||
* Transitions:
|
* Transitions:
|
||||||
* - session->dh_handshake_state = DH_STATE_INIT_SENT
|
* - session->dh_handshake_state = DH_STATE_INIT_SENT
|
||||||
* then calls ssh_packet_client_gss_dh_reply which triggers:
|
* then calls ssh_packet_client_gss_dh_reply which triggers:
|
||||||
* - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT
|
* - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT
|
||||||
* */
|
* */
|
||||||
|
|
||||||
if (!session->client) {
|
if (!session->client) {
|
||||||
rc = SSH_PACKET_DENIED;
|
rc = SSH_PACKET_DENIED;
|
||||||
@@ -457,15 +457,15 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
|
|||||||
/* Server only */
|
/* Server only */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* States required:
|
* States required:
|
||||||
* - session_state == SSH_SESSION_STATE_DH
|
* - session_state == SSH_SESSION_STATE_DH
|
||||||
* - dh_handshake_state == DH_STATE_GROUP_SENT
|
* - dh_handshake_state == DH_STATE_GROUP_SENT
|
||||||
*
|
*
|
||||||
* Transitions:
|
* Transitions:
|
||||||
* - session->dh_handshake_state = DH_STATE_GROUP_SENT
|
* - session->dh_handshake_state = DH_STATE_GROUP_SENT
|
||||||
* then calls ssh_packet_server_dhgex_init which triggers:
|
* then calls ssh_packet_server_dhgex_init which triggers:
|
||||||
* - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT
|
* - session->dh_handshake_state = DH_STATE_NEWKEYS_SENT
|
||||||
* */
|
* */
|
||||||
|
|
||||||
if (session->client) {
|
if (session->client) {
|
||||||
rc = SSH_PACKET_DENIED;
|
rc = SSH_PACKET_DENIED;
|
||||||
@@ -657,8 +657,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
|
|||||||
(session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) &&
|
(session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) &&
|
||||||
(session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) &&
|
(session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) &&
|
||||||
(session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) &&
|
(session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) &&
|
||||||
(session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT))
|
(session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) {
|
||||||
{
|
|
||||||
rc = SSH_PACKET_DENIED;
|
rc = SSH_PACKET_DENIED;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,8 +28,8 @@
|
|||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
#endif
|
#endif
|
||||||
#ifdef WITH_GSSAPI
|
#ifdef WITH_GSSAPI
|
||||||
#include <gssapi/gssapi.h>
|
|
||||||
#include "libssh/gssapi.h"
|
#include "libssh/gssapi.h"
|
||||||
|
#include <gssapi/gssapi.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "libssh/priv.h"
|
#include "libssh/priv.h"
|
||||||
@@ -226,14 +226,15 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys)
|
|||||||
/* Check if signature from server matches user preferences */
|
/* Check if signature from server matches user preferences */
|
||||||
if (session->opts.wanted_methods[SSH_HOSTKEYS]) {
|
if (session->opts.wanted_methods[SSH_HOSTKEYS]) {
|
||||||
rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
|
rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
|
||||||
sig->type_c);
|
sig->type_c);
|
||||||
if (rc == 0) {
|
if (rc == 0) {
|
||||||
ssh_set_error(session,
|
ssh_set_error(
|
||||||
SSH_FATAL,
|
session,
|
||||||
"Public key from server (%s) doesn't match user "
|
SSH_FATAL,
|
||||||
"preference (%s)",
|
"Public key from server (%s) doesn't match user "
|
||||||
sig->type_c,
|
"preference (%s)",
|
||||||
session->opts.wanted_methods[SSH_HOSTKEYS]);
|
sig->type_c,
|
||||||
|
session->opts.wanted_methods[SSH_HOSTKEYS]);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
52
src/server.c
52
src/server.c
@@ -44,23 +44,23 @@
|
|||||||
# include <netinet/in.h>
|
# include <netinet/in.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "libssh/priv.h"
|
|
||||||
#include "libssh/libssh.h"
|
|
||||||
#include "libssh/server.h"
|
|
||||||
#include "libssh/ssh2.h"
|
|
||||||
#include "libssh/buffer.h"
|
#include "libssh/buffer.h"
|
||||||
#include "libssh/packet.h"
|
|
||||||
#include "libssh/socket.h"
|
|
||||||
#include "libssh/session.h"
|
|
||||||
#include "libssh/kex.h"
|
|
||||||
#include "libssh/misc.h"
|
|
||||||
#include "libssh/pki.h"
|
|
||||||
#include "libssh/dh.h"
|
|
||||||
#include "libssh/messages.h"
|
|
||||||
#include "libssh/options.h"
|
|
||||||
#include "libssh/curve25519.h"
|
#include "libssh/curve25519.h"
|
||||||
#include "libssh/token.h"
|
#include "libssh/dh.h"
|
||||||
#include "libssh/gssapi.h"
|
#include "libssh/gssapi.h"
|
||||||
|
#include "libssh/kex.h"
|
||||||
|
#include "libssh/libssh.h"
|
||||||
|
#include "libssh/messages.h"
|
||||||
|
#include "libssh/misc.h"
|
||||||
|
#include "libssh/options.h"
|
||||||
|
#include "libssh/packet.h"
|
||||||
|
#include "libssh/pki.h"
|
||||||
|
#include "libssh/priv.h"
|
||||||
|
#include "libssh/server.h"
|
||||||
|
#include "libssh/session.h"
|
||||||
|
#include "libssh/socket.h"
|
||||||
|
#include "libssh/ssh2.h"
|
||||||
|
#include "libssh/token.h"
|
||||||
|
|
||||||
#define set_status(session, status) do {\
|
#define set_status(session, status) do {\
|
||||||
if (session->common.callbacks && session->common.callbacks->connect_status_function) \
|
if (session->common.callbacks && session->common.callbacks->connect_status_function) \
|
||||||
@@ -154,8 +154,9 @@ int server_set_kex(ssh_session session)
|
|||||||
if (strlen(hostkeys) != 0) {
|
if (strlen(hostkeys) != 0) {
|
||||||
/* It is expected for the list of allowed hostkeys to be ordered by
|
/* It is expected for the list of allowed hostkeys to be ordered by
|
||||||
* preference */
|
* preference */
|
||||||
kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
|
kept =
|
||||||
allowed);
|
ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
|
||||||
|
allowed);
|
||||||
if (kept == NULL) {
|
if (kept == NULL) {
|
||||||
/* Nothing was allowed */
|
/* Nothing was allowed */
|
||||||
return -1;
|
return -1;
|
||||||
@@ -178,7 +179,7 @@ int server_set_kex(ssh_session session)
|
|||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
|
gssapi_algs = ssh_gssapi_kex_mechs(session);
|
||||||
if (gssapi_algs == NULL) {
|
if (gssapi_algs == NULL) {
|
||||||
return SSH_ERROR;
|
return SSH_ERROR;
|
||||||
}
|
}
|
||||||
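Review bot: The new line `gssapi_algs = ssh_gssapi_kex_mechs(session);` drops the second argument `session->opts.gssapi_key_exchange_algs` that the old call passed, which is a signature change rather than a reformat and is not mentioned in the commit title. Unless ssh_gssapi_kex_mechs now reads session->opts.gssapi_key_exchange_algs itself (its definition is not visible here), the server side would silently ignore the list configured through SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS and advertise whatever the function defaults to; the prototype in libssh/gssapi.h and any client-side caller would also need the matching change in this commit. Moving the argument-list change into its own commit, or at least naming it in the description, keeps the rest of the series reviewable as pure whitespace. server_set_kex's body continues outside the hunk.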
@@ -186,7 +187,8 @@ int server_set_kex(ssh_session session)
|
|||||||
|
|
||||||
/* Prefix the default algorithms with gsskex algs */
|
/* Prefix the default algorithms with gsskex algs */
|
||||||
session->opts.wanted_methods[SSH_KEX] =
|
session->opts.wanted_methods[SSH_KEX] =
|
||||||
ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), gssapi_algs);
|
ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX),
|
||||||
|
gssapi_algs);
|
||||||
|
|
||||||
if (strlen(hostkeys) == 0) {
|
if (strlen(hostkeys) == 0) {
|
||||||
session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null");
|
session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null");
|
||||||
@@ -700,12 +702,14 @@ int ssh_auth_reply_default(ssh_session session,int partial) {
|
|||||||
strncat(methods_c,"gssapi-with-mic,",
|
strncat(methods_c,"gssapi-with-mic,",
|
||||||
sizeof(methods_c) - strlen(methods_c) - 1);
|
sizeof(methods_c) - strlen(methods_c) - 1);
|
||||||
}
|
}
|
||||||
/* Check if GSSAPI Key exchange was performed */
|
/* Check if GSSAPI Key exchange was performed */
|
||||||
if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) {
|
if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) {
|
||||||
if (ssh_kex_is_gss(session->current_crypto)) {
|
if (ssh_kex_is_gss(session->current_crypto)) {
|
||||||
strncat(methods_c, "gssapi-keyex,", sizeof(methods_c) - strlen(methods_c) - 1);
|
strncat(methods_c,
|
||||||
}
|
"gssapi-keyex,",
|
||||||
}
|
sizeof(methods_c) - strlen(methods_c) - 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) {
|
if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) {
|
||||||
strncat(methods_c, "keyboard-interactive,",
|
strncat(methods_c, "keyboard-interactive,",
|
||||||
sizeof(methods_c) - strlen(methods_c) - 1);
|
sizeof(methods_c) - strlen(methods_c) - 1);
|
||||||
|
|||||||
@@ -161,7 +161,8 @@ ssh_session ssh_new(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_GSSAPI
|
#ifdef WITH_GSSAPI
|
||||||
session->opts.gssapi_key_exchange_algs = strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED);
|
session->opts.gssapi_key_exchange_algs =
|
||||||
|
strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED);
|
||||||
if (session->opts.gssapi_key_exchange_algs == NULL) {
|
if (session->opts.gssapi_key_exchange_algs == NULL) {
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -591,8 +591,8 @@ int crypt_set_algorithms_server(ssh_session session){
|
|||||||
#ifdef WITH_GSSAPI
|
#ifdef WITH_GSSAPI
|
||||||
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
case SSH_GSS_KEX_DH_GROUP14_SHA256:
|
||||||
case SSH_GSS_KEX_DH_GROUP16_SHA512:
|
case SSH_GSS_KEX_DH_GROUP16_SHA512:
|
||||||
ssh_server_gss_dh_init(session);
|
ssh_server_gss_dh_init(session);
|
||||||
break;
|
break;
|
||||||
#endif /* WITH_GSSAPI */
|
#endif /* WITH_GSSAPI */
|
||||||
#ifdef WITH_GEX
|
#ifdef WITH_GEX
|
||||||
case SSH_KEX_DH_GEX_SHA1:
|
case SSH_KEX_DH_GEX_SHA1:
|
||||||
|
|||||||
@@ -2,17 +2,16 @@
|
|||||||
|
|
||||||
#define LIBSSH_STATIC
|
#define LIBSSH_STATIC
|
||||||
|
|
||||||
|
#include "libssh/crypto.h"
|
||||||
#include "torture.h"
|
#include "torture.h"
|
||||||
#include <libssh/libssh.h>
|
#include <libssh/libssh.h>
|
||||||
#include "libssh/crypto.h"
|
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <gssapi.h>
|
#include <gssapi.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
|
|
||||||
static int
|
static int sshd_setup(void **state)
|
||||||
sshd_setup(void **state)
|
|
||||||
{
|
{
|
||||||
torture_setup_sshd_server(state, false);
|
torture_setup_sshd_server(state, false);
|
||||||
torture_update_sshd_config(state,
|
torture_update_sshd_config(state,
|
||||||
@@ -22,8 +21,7 @@ sshd_setup(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int sshd_teardown(void **state)
|
||||||
sshd_teardown(void **state)
|
|
||||||
{
|
{
|
||||||
assert_non_null(state);
|
assert_non_null(state);
|
||||||
|
|
||||||
@@ -32,8 +30,7 @@ sshd_teardown(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_setup(void **state)
|
||||||
session_setup(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
int verbosity = torture_libssh_verbosity();
|
int verbosity = torture_libssh_verbosity();
|
||||||
@@ -62,8 +59,7 @@ session_setup(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_teardown(void **state)
|
||||||
session_teardown(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
|
|
||||||
@@ -75,8 +71,7 @@ session_teardown(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange(void **state)
|
||||||
torture_gssapi_key_exchange(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -106,8 +101,7 @@ torture_gssapi_key_exchange(void **state)
|
|||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_no_tgt(void **state)
|
||||||
torture_gssapi_key_exchange_no_tgt(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -136,14 +130,15 @@ torture_gssapi_key_exchange_no_tgt(void **state)
|
|||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(session, rc);
|
assert_ssh_return_code(session, rc);
|
||||||
|
|
||||||
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
|
assert_int_not_equal(session->current_crypto->kex_type,
|
||||||
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
|
SSH_GSS_KEX_DH_GROUP14_SHA256);
|
||||||
|
assert_int_not_equal(session->current_crypto->kex_type,
|
||||||
|
SSH_GSS_KEX_DH_GROUP16_SHA512);
|
||||||
|
|
||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_gss_group14_sha256(void **state)
|
||||||
torture_gssapi_key_exchange_gss_group14_sha256(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -168,19 +163,21 @@ torture_gssapi_key_exchange_gss_group14_sha256(void **state)
|
|||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-");
|
rc = ssh_options_set(s->ssh.session,
|
||||||
|
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
|
||||||
|
"gss-group14-sha256-");
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(session, rc);
|
assert_ssh_return_code(session, rc);
|
||||||
|
|
||||||
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
|
assert_int_equal(session->current_crypto->kex_type,
|
||||||
|
SSH_GSS_KEX_DH_GROUP14_SHA256);
|
||||||
|
|
||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_gss_group16_sha512(void **state)
|
||||||
torture_gssapi_key_exchange_gss_group16_sha512(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -205,19 +202,21 @@ torture_gssapi_key_exchange_gss_group16_sha512(void **state)
|
|||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-");
|
rc = ssh_options_set(s->ssh.session,
|
||||||
|
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
|
||||||
|
"gss-group16-sha512-");
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(session, rc);
|
assert_ssh_return_code(session, rc);
|
||||||
|
|
||||||
assert_true(session->current_crypto->kex_type == SSH_GSS_KEX_DH_GROUP16_SHA512);
|
assert_true(session->current_crypto->kex_type ==
|
||||||
|
SSH_GSS_KEX_DH_GROUP16_SHA512);
|
||||||
|
|
||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_auth(void **state)
|
||||||
torture_gssapi_key_exchange_auth(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -251,8 +250,7 @@ torture_gssapi_key_exchange_auth(void **state)
|
|||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_no_auth(void **state)
|
||||||
torture_gssapi_key_exchange_no_auth(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -288,8 +286,7 @@ torture_gssapi_key_exchange_no_auth(void **state)
|
|||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int torture_run_tests(void)
|
||||||
torture_run_tests(void)
|
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
@@ -299,12 +296,14 @@ torture_run_tests(void)
|
|||||||
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt,
|
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt,
|
||||||
session_setup,
|
session_setup,
|
||||||
session_teardown),
|
session_teardown),
|
||||||
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group14_sha256,
|
cmocka_unit_test_setup_teardown(
|
||||||
session_setup,
|
torture_gssapi_key_exchange_gss_group14_sha256,
|
||||||
session_teardown),
|
session_setup,
|
||||||
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group16_sha512,
|
session_teardown),
|
||||||
session_setup,
|
cmocka_unit_test_setup_teardown(
|
||||||
session_teardown),
|
torture_gssapi_key_exchange_gss_group16_sha512,
|
||||||
|
session_setup,
|
||||||
|
session_teardown),
|
||||||
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth,
|
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth,
|
||||||
session_setup,
|
session_setup,
|
||||||
session_teardown),
|
session_teardown),
|
||||||
|
|||||||
@@ -10,8 +10,7 @@
|
|||||||
#include <gssapi.h>
|
#include <gssapi.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
|
|
||||||
static int
|
static int sshd_setup(void **state)
|
||||||
sshd_setup(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
torture_setup_sshd_server(state, false);
|
torture_setup_sshd_server(state, false);
|
||||||
@@ -31,16 +30,15 @@ sshd_setup(void **state)
|
|||||||
"echo bar | kinit alice");
|
"echo bar | kinit alice");
|
||||||
|
|
||||||
torture_update_sshd_config(state,
|
torture_update_sshd_config(state,
|
||||||
"GSSAPIAuthentication yes\n"
|
"GSSAPIAuthentication yes\n"
|
||||||
"GSSAPIKeyExchange yes\n");
|
"GSSAPIKeyExchange yes\n");
|
||||||
|
|
||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int sshd_teardown(void **state)
|
||||||
sshd_teardown(void **state)
|
|
||||||
{
|
{
|
||||||
assert_non_null(state);
|
assert_non_null(state);
|
||||||
|
|
||||||
@@ -49,8 +47,7 @@ sshd_teardown(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_setup(void **state)
|
||||||
session_setup(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
int verbosity = torture_libssh_verbosity();
|
int verbosity = torture_libssh_verbosity();
|
||||||
@@ -79,8 +76,7 @@ session_setup(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_teardown(void **state)
|
||||||
session_teardown(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
|
|
||||||
@@ -92,8 +88,7 @@ session_teardown(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_key_exchange_null(void **state)
|
||||||
torture_gssapi_key_exchange_null(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
ssh_session session = s->ssh.session;
|
ssh_session session = s->ssh.session;
|
||||||
@@ -121,13 +116,13 @@ torture_gssapi_key_exchange_null(void **state)
|
|||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null");
|
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
|
||||||
|
"null");
|
||||||
|
|
||||||
torture_teardown_kdc_server(state);
|
torture_teardown_kdc_server(state);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int torture_run_tests(void)
|
||||||
torture_run_tests(void)
|
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
struct CMUnitTest tests[] = {
|
struct CMUnitTest tests[] = {
|
||||||
|
|||||||
@@ -1,13 +1,13 @@
|
|||||||
#define _GNU_SOURCE
|
#define _GNU_SOURCE
|
||||||
#include <dlfcn.h>
|
#include <dlfcn.h>
|
||||||
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <unistd.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
/*******************************************************************************
|
/*******************************************************************************
|
||||||
* Structs
|
* Structs
|
||||||
@@ -224,31 +224,32 @@ static int is_file_blocked(const char *pathname)
|
|||||||
/* Block for torture_gssapi_server_key_exchange_null */
|
/* Block for torture_gssapi_server_key_exchange_null */
|
||||||
"/etc/ssh/ssh_host_ecdsa_key",
|
"/etc/ssh/ssh_host_ecdsa_key",
|
||||||
"/etc/ssh/ssh_host_rsa_key",
|
"/etc/ssh/ssh_host_rsa_key",
|
||||||
"/etc/ssh/ssh_host_ed25519_key"
|
"/etc/ssh/ssh_host_ed25519_key",
|
||||||
};
|
};
|
||||||
|
|
||||||
for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]); i++) {
|
for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]);
|
||||||
|
i++) {
|
||||||
if (strcmp(pathname, blocked_files[i]) == 0) {
|
if (strcmp(pathname, blocked_files[i]) == 0) {
|
||||||
errno = ENOENT; /* No such file or directory */
|
errno = ENOENT; /* No such file or directory */
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define WRAP_FOPEN(func_name) \
|
#define WRAP_FOPEN(func_name) \
|
||||||
FILE *func_name(const char *pathname, const char *mode) \
|
FILE *func_name(const char *pathname, const char *mode) \
|
||||||
{ \
|
{ \
|
||||||
typedef FILE *(*orig_func_t)(const char *pathname, const char *mode); \
|
typedef FILE *(*orig_func_t)(const char *pathname, const char *mode); \
|
||||||
static orig_func_t orig_func = NULL; \
|
static orig_func_t orig_func = NULL; \
|
||||||
if (orig_func == NULL) { \
|
if (orig_func == NULL) { \
|
||||||
orig_func = (orig_func_t)dlsym(RTLD_NEXT, #func_name); \
|
orig_func = (orig_func_t)dlsym(RTLD_NEXT, #func_name); \
|
||||||
} \
|
} \
|
||||||
if (is_file_blocked(pathname)) { \
|
if (is_file_blocked(pathname)) { \
|
||||||
return NULL; \
|
return NULL; \
|
||||||
} \
|
} \
|
||||||
return orig_func(pathname, mode); \
|
return orig_func(pathname, mode); \
|
||||||
}
|
}
|
||||||
|
|
||||||
WRAP_FOPEN(fopen)
|
WRAP_FOPEN(fopen)
|
||||||
WRAP_FOPEN(fopen64)
|
WRAP_FOPEN(fopen64)
|
||||||
|
|||||||
@@ -7,8 +7,8 @@
|
|||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include "libssh/libssh.h"
|
|
||||||
#include "libssh/crypto.h"
|
#include "libssh/crypto.h"
|
||||||
|
#include "libssh/libssh.h"
|
||||||
#include "torture.h"
|
#include "torture.h"
|
||||||
#include "torture_key.h"
|
#include "torture_key.h"
|
||||||
|
|
||||||
@@ -21,8 +21,7 @@ struct test_server_st {
|
|||||||
char *cwd;
|
char *cwd;
|
||||||
};
|
};
|
||||||
|
|
||||||
static void
|
static void free_test_server_state(void **state)
|
||||||
free_test_server_state(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
|
|
||||||
@@ -30,8 +29,7 @@ free_test_server_state(void **state)
|
|||||||
SAFE_FREE(tss);
|
SAFE_FREE(tss);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void setup_config(void **state)
|
||||||
setup_config(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
struct server_state_st *ss = NULL;
|
struct server_state_st *ss = NULL;
|
||||||
@@ -147,8 +145,7 @@ setup_config(void **state)
|
|||||||
*state = tss;
|
*state = tss;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int setup_default_server(void **state)
|
||||||
setup_default_server(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
struct server_state_st *ss = NULL;
|
struct server_state_st *ss = NULL;
|
||||||
@@ -186,8 +183,7 @@ setup_default_server(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int teardown_default_server(void **state)
|
||||||
teardown_default_server(void **state)
|
|
||||||
{
|
{
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
struct server_state_st *ss = NULL;
|
struct server_state_st *ss = NULL;
|
||||||
@@ -212,8 +208,7 @@ teardown_default_server(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_setup(void **state)
|
||||||
session_setup(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -253,8 +248,7 @@ session_setup(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int session_teardown(void **state)
|
||||||
session_teardown(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -276,9 +270,7 @@ session_teardown(void **state)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void torture_gssapi_server_key_exchange(void **state)
|
||||||
static void
|
|
||||||
torture_gssapi_server_key_exchange(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -303,7 +295,8 @@ torture_gssapi_server_key_exchange(void **state)
|
|||||||
torture_setup_kdc_server(
|
torture_setup_kdc_server(
|
||||||
(void **)&s,
|
(void **)&s,
|
||||||
"kadmin.local addprinc -randkey host/server.libssh.site\n"
|
"kadmin.local addprinc -randkey host/server.libssh.site\n"
|
||||||
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
|
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
|
||||||
|
"host/server.libssh.site\n"
|
||||||
"kadmin.local addprinc -pw bar alice\n"
|
"kadmin.local addprinc -pw bar alice\n"
|
||||||
"kadmin.local list_principals",
|
"kadmin.local list_principals",
|
||||||
|
|
||||||
@@ -318,8 +311,7 @@ torture_gssapi_server_key_exchange(void **state)
|
|||||||
torture_teardown_kdc_server((void **)&s);
|
torture_teardown_kdc_server((void **)&s);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_server_key_exchange_no_tgt(void **state)
|
||||||
torture_gssapi_server_key_exchange_no_tgt(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -344,7 +336,8 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
|
|||||||
torture_setup_kdc_server(
|
torture_setup_kdc_server(
|
||||||
(void **)&s,
|
(void **)&s,
|
||||||
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
||||||
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
|
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
|
||||||
|
"host/server.libssh.site \n"
|
||||||
"kadmin.local addprinc -pw bar alice \n"
|
"kadmin.local addprinc -pw bar alice \n"
|
||||||
"kadmin.local list_principals",
|
"kadmin.local list_principals",
|
||||||
|
|
||||||
@@ -357,14 +350,15 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
|
|||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(session, rc);
|
assert_ssh_return_code(session, rc);
|
||||||
|
|
||||||
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
|
assert_int_not_equal(session->current_crypto->kex_type,
|
||||||
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
|
SSH_GSS_KEX_DH_GROUP14_SHA256);
|
||||||
|
assert_int_not_equal(session->current_crypto->kex_type,
|
||||||
|
SSH_GSS_KEX_DH_GROUP16_SHA512);
|
||||||
|
|
||||||
torture_teardown_kdc_server((void **)&s);
|
torture_teardown_kdc_server((void **)&s);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
|
||||||
torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -389,7 +383,8 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
|
|||||||
torture_setup_kdc_server(
|
torture_setup_kdc_server(
|
||||||
(void **)&s,
|
(void **)&s,
|
||||||
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
||||||
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
|
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
|
||||||
|
"host/server.libssh.site \n"
|
||||||
"kadmin.local addprinc -pw bar alice \n"
|
"kadmin.local addprinc -pw bar alice \n"
|
||||||
"kadmin.local list_principals",
|
"kadmin.local list_principals",
|
||||||
|
|
||||||
@@ -398,19 +393,21 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
|
|||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-");
|
rc = ssh_options_set(s->ssh.session,
|
||||||
|
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
|
||||||
|
"gss-group14-sha256-");
|
||||||
assert_ssh_return_code(s->ssh.session, rc);
|
assert_ssh_return_code(s->ssh.session, rc);
|
||||||
|
|
||||||
rc = ssh_connect(session);
|
rc = ssh_connect(session);
|
||||||
assert_ssh_return_code(session, rc);
|
assert_ssh_return_code(session, rc);
|
||||||
|
|
||||||
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
|
assert_int_equal(session->current_crypto->kex_type,
|
||||||
|
SSH_GSS_KEX_DH_GROUP14_SHA256);
|
||||||
|
|
||||||
torture_teardown_kdc_server((void **)&s);
|
torture_teardown_kdc_server((void **)&s);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
|
||||||
torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
|
|
||||||
{
|
{
|
||||||
struct test_server_st *tss = *state;
|
struct test_server_st *tss = *state;
|
||||||
struct torture_state *s = NULL;
|
struct torture_state *s = NULL;
|
||||||
@@ -435,7 +432,8 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
|
|||||||
torture_setup_kdc_server(
|
torture_setup_kdc_server(
|
||||||
(void **)&s,
|
(void **)&s,
|
||||||
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
"kadmin.local addprinc -randkey host/server.libssh.site \n"
|
||||||
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
|
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
|
||||||
|
"host/server.libssh.site \n"
|
||||||
"kadmin.local addprinc -pw bar alice \n"
|
"kadmin.local addprinc -pw bar alice \n"
|
||||||
"kadmin.local list_principals",
|
"kadmin.local list_principals",
|
||||||
|
|
||||||
@@ -444,19 +442,21 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-");
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group16-sha512-");
assert_ssh_return_code(s->ssh.session, rc);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server((void **)&s);
torture_teardown_kdc_server((void **)&s);
}
}
static void
static void torture_gssapi_server_key_exchange_auth(void **state)
torture_gssapi_server_key_exchange_auth(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_state *s = NULL;
@@ -499,8 +499,7 @@ torture_gssapi_server_key_exchange_auth(void **state)
torture_teardown_kdc_server((void **)&s);
torture_teardown_kdc_server((void **)&s);
}
}
static void
static void torture_gssapi_server_key_exchange_no_auth(void **state)
torture_gssapi_server_key_exchange_no_auth(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_state *s = NULL;
@@ -545,29 +544,32 @@ torture_gssapi_server_key_exchange_no_auth(void **state)
torture_teardown_kdc_server((void **)&s);
torture_teardown_kdc_server((void **)&s);
}
}
int
int torture_run_tests(void)
torture_run_tests(void)
{
{
int rc;
int rc;
struct CMUnitTest tests[] = {
struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange,
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange,
session_setup,
session_setup,
session_teardown),
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_tgt,
cmocka_unit_test_setup_teardown(
session_setup,
torture_gssapi_server_key_exchange_no_tgt,
session_teardown),
session_setup,
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group14_sha256,
session_teardown),
session_setup,
cmocka_unit_test_setup_teardown(
session_teardown),
torture_gssapi_server_key_exchange_gss_group14_sha256,
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group16_sha512,
session_setup,
session_setup,
session_teardown),
session_teardown),
cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_gss_group16_sha512,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth,
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth,
session_setup,
session_setup,
session_teardown),
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_auth,
cmocka_unit_test_setup_teardown(
session_setup,
torture_gssapi_server_key_exchange_no_auth,
session_teardown),
session_setup,
session_teardown),
};
};
ssh_init();
ssh_init();
@@ -19,8 +19,7 @@ struct test_server_st {
char *cwd;
char *cwd;
};
};
static void
static void free_test_server_state(void **state)
free_test_server_state(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
@@ -28,8 +27,7 @@ free_test_server_state(void **state)
SAFE_FREE(tss);
SAFE_FREE(tss);
}
}
static void
static void setup_config(void **state)
setup_config(void **state)
{
{
struct torture_state *s = NULL;
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct server_state_st *ss = NULL;
@@ -105,8 +103,7 @@ setup_config(void **state)
*state = tss;
*state = tss;
}
}
static int
static int setup_default_server(void **state)
setup_default_server(void **state)
{
{
struct torture_state *s = NULL;
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct server_state_st *ss = NULL;
@@ -144,8 +141,7 @@ setup_default_server(void **state)
return 0;
return 0;
}
}
static int
static int teardown_default_server(void **state)
teardown_default_server(void **state)
{
{
struct torture_state *s = NULL;
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
struct server_state_st *ss = NULL;
@@ -170,8 +166,7 @@ teardown_default_server(void **state)
return 0;
return 0;
}
}
static int
static int session_setup(void **state)
session_setup(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_state *s = NULL;
@@ -211,8 +206,7 @@ session_setup(void **state)
return 0;
return 0;
}
}
static int
static int session_teardown(void **state)
session_teardown(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_state *s = NULL;
@@ -234,9 +228,7 @@ session_teardown(void **state)
return 0;
return 0;
}
}
static void torture_gssapi_server_key_exchange_null(void **state)
static void
torture_gssapi_server_key_exchange_null(void **state)
{
{
struct test_server_st *tss = *state;
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
struct torture_state *s = NULL;
@@ -261,7 +253,8 @@ torture_gssapi_server_key_exchange_null(void **state)
torture_setup_kdc_server(
torture_setup_kdc_server(
(void **)&s,
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n"
"kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals",
"kadmin.local list_principals",
@@ -273,13 +266,13 @@ torture_gssapi_server_key_exchange_null(void **state)
rc = ssh_connect(session);
rc = ssh_connect(session);
assert_ssh_return_code(s->ssh.session, rc);
assert_ssh_return_code(s->ssh.session, rc);
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null");
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
"null");
torture_teardown_kdc_server((void **)&s);
torture_teardown_kdc_server((void **)&s);
}
}
int
int torture_run_tests(void)
torture_run_tests(void)
{
{
int rc;
int rc;
struct CMUnitTest tests[] = {
struct CMUnitTest tests[] = {
@@ -999,8 +999,10 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
fips_config_string,
fips_config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", rsa_hostkey,
"HostKey",
"HostKey", ecdsa_hostkey,
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey,
trusted_ca_pubkey,
sftp_server,
sftp_server,
usepam,
usepam,
@@ -1012,9 +1014,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string,
config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"", "",
"",
"", "",
"",
"", "",
"",
"",
"",
"",
trusted_ca_pubkey,
trusted_ca_pubkey,
sftp_server,
sftp_server,
usepam,
usepam,
@@ -1026,9 +1031,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string,
config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", ed25519_hostkey,
"HostKey",
"HostKey", rsa_hostkey,
ed25519_hostkey,
"HostKey", ecdsa_hostkey,
"HostKey",
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey,
trusted_ca_pubkey,
sftp_server,
sftp_server,
usepam,
usepam,
@@ -650,7 +650,8 @@ static void torture_config_new(void ** state,
assert_string_equal(session->opts.gss_server_identity, "example.com");
assert_string_equal(session->opts.gss_server_identity, "example.com");
assert_string_equal(session->opts.gss_client_identity, "home.sweet");
assert_string_equal(session->opts.gss_client_identity, "home.sweet");
#ifdef WITH_GSSAPI
#ifdef WITH_GSSAPI
assert_string_equal(session->opts.gssapi_key_exchange_algs, "gss-group14-sha256-");
assert_string_equal(session->opts.gssapi_key_exchange_algs,
"gss-group14-sha256-");
#endif /* WITH_GSSAPI */
#endif /* WITH_GSSAPI */
assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE);
assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE);