reformat: gssapi key exchange

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Gauravsingh Sisodia
2025-07-14 06:04:04 +00:00
committed by Jakub Jelen
parent 06b61f75fa
commit a0707afc3e
27 changed files with 511 additions and 446 deletions


@@ -60,7 +60,7 @@ int ssh_userauth_gssapi_keyex(ssh_session session);
*/
enum ssh_auth_state_e {
/** No authentication asked */
SSH_AUTH_STATE_NONE=0,
SSH_AUTH_STATE_NONE = 0,
/** Last authentication response was a partial success */
SSH_AUTH_STATE_PARTIAL,
/** Last authentication response was a success */


@@ -29,8 +29,7 @@
/* all OID begin with the tag identifier + length */
#define SSH_OID_TAG 06
#define GSSAPI_KEY_EXCHANGE_SUPPORTED \
"gss-group14-sha256-,gss-group16-sha512-,"
#define GSSAPI_KEY_EXCHANGE_SUPPORTED "gss-group14-sha256-,gss-group16-sha512-,"
typedef struct ssh_gssapi_struct *ssh_gssapi;
@@ -87,10 +86,11 @@ OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
OM_uint32 *ret_flags);
char *ssh_gssapi_oid_hash(ssh_string oid);
char *ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs);
char *ssh_gssapi_kex_mechs(ssh_session session);
int ssh_gssapi_check_client_config(ssh_session session);
ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context);
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf);
int ssh_gssapi_auth_keyex_mic(ssh_session session,
gss_buffer_desc *mic_token_buf);
#ifdef __cplusplus
}


@@ -32,20 +32,19 @@
#include <arpa/inet.h>
#endif
#include "libssh/priv.h"
#include "libssh/crypto.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h"
#include "libssh/agent.h"
#include "libssh/auth.h"
#include "libssh/buffer.h"
#include "libssh/crypto.h"
#include "libssh/gssapi.h"
#include "libssh/keys.h"
#include "libssh/legacy.h"
#include "libssh/misc.h"
#include "libssh/packet.h"
#include "libssh/session.h"
#include "libssh/keys.h"
#include "libssh/auth.h"
#include "libssh/pki.h"
#include "libssh/gssapi.h"
#include "libssh/legacy.h"
#include "libssh/gssapi.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/ssh2.h"
/**
* @defgroup libssh_auth The SSH authentication functions
@@ -2476,7 +2475,7 @@ int ssh_userauth_gssapi_keyex(ssh_session session)
OM_uint32 min_stat;
gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER;
switch(session->pending_call_state) {
switch (session->pending_call_state) {
case SSH_PENDING_CALL_NONE:
break;
case SSH_PENDING_CALL_AUTH_GSSAPI_KEYEX:
@@ -2493,7 +2492,8 @@ int ssh_userauth_gssapi_keyex(ssh_session session)
if (!ssh_kex_is_gss(session->current_crypto)) {
ssh_set_error(session,
SSH_FATAL,
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key exchange.");
"Attempt to authenticate with gssapi-keyex without "
"doing GSSAPI Key exchange.");
return SSH_ERROR;
}
@@ -2546,7 +2546,7 @@ pending:
session->pending_call_state = SSH_PENDING_CALL_NONE;
}
#else
(void) session; /* unused */
(void)session; /* unused */
#endif
return rc;
}


@@ -247,11 +247,11 @@ int ssh_bind_listen(ssh_bind sshbind)
rc = ssh_bind_import_keys(sshbind);
if (rc == SSH_ERROR) {
if (!sshbind->gssapi_key_exchange) {
ssh_set_error(sshbind, SSH_FATAL,
"No hostkeys found");
ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
return SSH_ERROR;
}
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm");
SSH_LOG(SSH_LOG_DEBUG,
"No hostkeys found: Using \"null\" hostkey algorithm");
}
}
@@ -473,7 +473,8 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
if (sshbind->gssapi_key_exchange_algs != NULL) {
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
session->opts.gssapi_key_exchange_algs = strdup(sshbind->gssapi_key_exchange_algs);
session->opts.gssapi_key_exchange_algs =
strdup(sshbind->gssapi_key_exchange_algs);
if (session->opts.gssapi_key_exchange_algs == NULL) {
ssh_set_error_oom(sshbind);
return SSH_ERROR;
@@ -527,11 +528,11 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
rc = ssh_bind_import_keys(sshbind);
if (rc == SSH_ERROR) {
if (!sshbind->gssapi_key_exchange) {
ssh_set_error(sshbind, SSH_FATAL,
"No hostkeys found");
ssh_set_error(sshbind, SSH_FATAL, "No hostkeys found");
return SSH_ERROR;
}
SSH_LOG(SSH_LOG_DEBUG, "No hostkeys found: Using \"null\" hostkey algorithm");
SSH_LOG(SSH_LOG_DEBUG,
"No hostkeys found: Using \"null\" hostkey algorithm");
}
}


@@ -30,15 +30,15 @@
#include <arpa/inet.h>
#endif
#include "libssh/priv.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h"
#include "libssh/packet.h"
#include "libssh/options.h"
#include "libssh/socket.h"
#include "libssh/session.h"
#include "libssh/dh.h"
#include "libssh/dh-gss.h"
#include "libssh/dh.h"
#include "libssh/options.h"
#include "libssh/packet.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/socket.h"
#include "libssh/ssh2.h"
#ifdef WITH_GEX
#include "libssh/dh-gex.h"
#endif /* WITH_GEX */
@@ -267,7 +267,7 @@ int dh_handshake(ssh_session session)
switch (session->dh_handshake_state) {
case DH_STATE_INIT:
switch(session->next_crypto->kex_type){
switch (session->next_crypto->kex_type) {
#ifdef WITH_GSSAPI
case SSH_GSS_KEX_DH_GROUP14_SHA256:
case SSH_GSS_KEX_DH_GROUP16_SHA512:


@@ -1560,7 +1560,6 @@ static int ssh_config_parse_line_internal(ssh_session session,
}
break;
case SOC_GSSAPIKEYEXCHANGE: {
bool b = false;
i = ssh_config_get_yesno(&s, -1);
CHECK_COND_OR_FAIL(i < 0, "Invalid argument");
if (*parsing) {


@@ -23,22 +23,22 @@
#include "config.h"
#include <stdio.h>
#include <gssapi/gssapi.h>
#include <errno.h>
#include "libssh/gssapi.h"
#include <errno.h>
#include <gssapi/gssapi.h>
#include <stdio.h>
#include "libssh/priv.h"
#include "libssh/crypto.h"
#include "libssh/buffer.h"
#include "libssh/session.h"
#include "libssh/dh.h"
#include "libssh/ssh2.h"
#include "libssh/crypto.h"
#include "libssh/dh-gss.h"
#include "libssh/dh.h"
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/ssh2.h"
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply);
static ssh_packet_callback gss_dh_client_callbacks[]= {
static ssh_packet_callback gss_dh_client_callbacks[] = {
ssh_packet_client_gss_dh_reply
};
@@ -51,7 +51,7 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callbacks = {
static SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey);
static ssh_packet_callback gss_dh_client_callback_hostkey[]= {
static ssh_packet_callback gss_dh_client_callback_hostkey[] = {
ssh_packet_client_gss_dh_hostkey
};
@@ -65,7 +65,8 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_client_callback_hostkey = {
/** @internal
* @brief Starts gssapi key exchange
*/
int ssh_client_gss_dh_init(ssh_session session){
int ssh_client_gss_dh_init(ssh_session session)
{
struct ssh_crypto_struct *crypto = session->next_crypto;
#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
const_bignum pubkey;
@@ -73,7 +74,8 @@ int ssh_client_gss_dh_init(ssh_session session){
bignum pubkey = NULL;
#endif /* OPENSSL_VERSION_NUMBER */
int rc;
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
/* oid selected for authentication */
gss_OID_set selected = GSS_C_NO_OID_SET;
OM_uint32 maj_stat, min_stat;
const char *gss_host = session->opts.host;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
@@ -89,7 +91,10 @@ int ssh_client_gss_dh_init(ssh_session session){
if (rc == SSH_ERROR) {
goto error;
}
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR, NULL, &pubkey);
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
DH_CLIENT_KEYPAIR,
NULL,
&pubkey);
if (rc != SSH_OK) {
goto error;
}
@@ -114,7 +119,10 @@ int ssh_client_gss_dh_init(ssh_session session){
}
session->gssapi->client.flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags);
maj_stat = ssh_gssapi_init_ctx(session->gssapi,
&input_token,
&output_token,
&oflags);
gss_release_oid_set(&min_stat, &selected);
if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN,
@@ -124,11 +132,13 @@ int ssh_client_gss_dh_init(ssh_session session){
goto error;
}
if (!(oflags & GSS_C_INTEG_FLAG) || !(oflags & GSS_C_MUTUAL_FLAG)) {
SSH_LOG(SSH_LOG_WARN, "GSSAPI(init) integrity and mutual flags were not set");
SSH_LOG(SSH_LOG_WARN,
"GSSAPI(init) integrity and mutual flags were not set");
goto error;
}
rc = ssh_buffer_pack(session->out_buffer, "bdPB",
rc = ssh_buffer_pack(session->out_buffer,
"bdPB",
SSH2_MSG_KEXGSS_INIT,
output_token.length,
(size_t)output_token.length,
@@ -167,8 +177,9 @@ void ssh_client_gss_dh_remove_callback_hostkey(ssh_session session)
ssh_packet_remove_callbacks(session, &ssh_gss_dh_client_callback_hostkey);
}
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
struct ssh_crypto_struct *crypto=session->next_crypto;
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply)
{
struct ssh_crypto_struct *crypto = session->next_crypto;
ssh_string pubkey_blob = NULL, mic = NULL, otoken = NULL;
uint8_t b;
bignum server_pubkey;
@@ -183,25 +194,25 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
ssh_client_gss_dh_remove_callbacks(session);
rc = ssh_buffer_unpack(packet,
"BSbS",
&server_pubkey,
&mic,
&b,
&otoken);
rc = ssh_buffer_unpack(packet, "BSbS", &server_pubkey, &mic, &b, &otoken);
if (rc == SSH_ERROR) {
goto error;
}
session->gssapi_key_exchange_mic = mic;
input_token.length = ssh_string_len(otoken);
input_token.value = ssh_string_data(otoken);
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, &oflags);
maj_stat = ssh_gssapi_init_ctx(session->gssapi,
&input_token,
&output_token,
&oflags);
if (maj_stat != GSS_S_COMPLETE) {
goto error;
}
SSH_STRING_FREE(otoken);
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR,
NULL, server_pubkey);
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
DH_SERVER_KEYPAIR,
NULL,
server_pubkey);
if (rc != SSH_OK) {
SSH_STRING_FREE(pubkey_blob);
bignum_safe_free(server_pubkey);
@@ -209,10 +220,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
}
rc = ssh_dh_compute_shared_secret(session->next_crypto->dh_ctx,
DH_CLIENT_KEYPAIR, DH_SERVER_KEYPAIR,
DH_CLIENT_KEYPAIR,
DH_SERVER_KEYPAIR,
&session->next_crypto->shared_secret);
ssh_dh_debug_crypto(session->next_crypto);
if (rc == SSH_ERROR){
if (rc == SSH_ERROR) {
ssh_set_error(session, SSH_FATAL, "Could not generate shared secret");
goto error;
}
@@ -226,11 +238,12 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_reply){
return SSH_PACKET_USED;
error:
ssh_dh_cleanup(session->next_crypto);
session->session_state=SSH_SESSION_STATE_ERROR;
session->session_state = SSH_SESSION_STATE_ERROR;
return SSH_PACKET_USED;
}
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey)
{
ssh_string pubkey_blob = NULL;
int rc;
@@ -239,11 +252,11 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
ssh_client_gss_dh_remove_callback_hostkey(session);
rc = ssh_buffer_unpack(packet,
"S",
&pubkey_blob);
rc = ssh_buffer_unpack(packet, "S", &pubkey_blob);
if (rc == SSH_ERROR) {
ssh_set_error(session, SSH_FATAL, "Invalid SSH2_MSG_KEXGSS_HOSTKEY packet");
ssh_set_error(session,
SSH_FATAL,
"Invalid SSH2_MSG_KEXGSS_HOSTKEY packet");
goto error;
}
@@ -256,7 +269,7 @@ SSH_PACKET_CALLBACK(ssh_packet_client_gss_dh_hostkey) {
return SSH_PACKET_USED;
error:
ssh_dh_cleanup(session->next_crypto);
session->session_state=SSH_SESSION_STATE_ERROR;
session->session_state = SSH_SESSION_STATE_ERROR;
return SSH_PACKET_USED;
}
@@ -272,13 +285,13 @@ static struct ssh_packet_callbacks_struct ssh_gss_dh_server_callbacks = {
.start = SSH2_MSG_KEXGSS_INIT,
.n_callbacks = 1,
.callbacks = gss_dh_server_callbacks,
.user = NULL
};
.user = NULL};
/** @internal
* @brief sets up the gssapi kex callbacks
*/
void ssh_server_gss_dh_init(ssh_session session){
void ssh_server_gss_dh_init(ssh_session session)
{
/* register the packet callbacks */
ssh_packet_set_callbacks(session, &ssh_gss_dh_server_callbacks);
@@ -307,7 +320,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
ssh_string server_pubkey_blob = NULL;
OM_uint32 maj_stat, min_stat;
gss_name_t client_name = GSS_C_NO_NAME;
OM_uint32 ret_flags=0;
OM_uint32 ret_flags = 0;
gss_buffer_desc mic = GSS_C_EMPTY_BUFFER, msg = GSS_C_EMPTY_BUFFER;
char hostname[NI_MAXHOST] = {0};
char err_msg[SSH_ERRNO_MSG_MAX] = {0};
@@ -326,8 +339,10 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error;
}
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx, DH_CLIENT_KEYPAIR,
NULL, client_pubkey);
rc = ssh_dh_keypair_set_keys(crypto->dh_ctx,
DH_CLIENT_KEYPAIR,
NULL,
client_pubkey);
if (rc != SSH_OK) {
bignum_safe_free(client_pubkey);
goto error;
@@ -339,7 +354,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
}
rc = ssh_dh_compute_shared_secret(crypto->dh_ctx,
DH_SERVER_KEYPAIR, DH_CLIENT_KEYPAIR,
DH_SERVER_KEYPAIR,
DH_CLIENT_KEYPAIR,
&crypto->shared_secret);
ssh_dh_debug_crypto(crypto);
if (rc == SSH_ERROR) {
@@ -358,7 +374,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
}
if (strncmp(crypto->kex_methods[SSH_HOSTKEYS], "null", 4) != 0) {
rc = ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
rc =
ssh_dh_get_next_server_publickey_blob(session, &server_pubkey_blob);
if (rc != SSH_OK) {
goto error;
}
@@ -366,7 +383,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
"bS",
SSH2_MSG_KEXGSS_HOSTKEY,
server_pubkey_blob);
if(rc != SSH_OK) {
if (rc != SSH_OK) {
ssh_set_error_oom(session);
ssh_buffer_reinit(session->out_buffer);
goto error;
@@ -380,9 +397,11 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
SSH_STRING_FREE(server_pubkey_blob);
}
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx, DH_SERVER_KEYPAIR,
NULL, &server_pubkey);
if (rc != SSH_OK){
rc = ssh_dh_keypair_get_keys(crypto->dh_ctx,
DH_SERVER_KEYPAIR,
NULL,
&server_pubkey);
if (rc != SSH_OK) {
goto error;
}
@@ -404,9 +423,14 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error;
}
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
&session->gssapi->server_creds, NULL, NULL);
maj_stat = gss_acquire_cred(&min_stat,
session->gssapi->client.server_name,
0,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
&session->gssapi->server_creds,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE) {
ssh_gssapi_log_error(SSH_LOG_TRACE,
"acquiring credentials",
@@ -415,9 +439,17 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error;
}
maj_stat = gss_accept_sec_context(&min_stat, &session->gssapi->ctx, session->gssapi->server_creds,
&input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL /*mech_oid*/, &output_token, &ret_flags,
NULL /*time*/, &session->gssapi->client_creds);
maj_stat = gss_accept_sec_context(&min_stat,
&session->gssapi->ctx,
session->gssapi->server_creds,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
NULL /*mech_oid*/,
&output_token,
&ret_flags,
NULL /*time*/,
&session->gssapi->client_creds);
if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_DEBUG,
"accepting token failed",
@@ -428,7 +460,8 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
SSH_STRING_FREE(otoken);
gss_release_name(&min_stat, &client_name);
if (!(ret_flags & GSS_C_INTEG_FLAG) || !(ret_flags & GSS_C_MUTUAL_FLAG)) {
SSH_LOG(SSH_LOG_WARN, "GSSAPI(accept) integrity and mutual flags were not set");
SSH_LOG(SSH_LOG_WARN,
"GSSAPI(accept) integrity and mutual flags were not set");
goto error;
}
SSH_LOG(SSH_LOG_DEBUG, "token accepted");
@@ -448,7 +481,6 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
goto error;
}
rc = ssh_buffer_pack(session->out_buffer,
"bBdPbdP",
SSH2_MSG_KEXGSS_COMPLETE,
@@ -463,7 +495,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
#if defined(HAVE_LIBCRYPTO) && OPENSSL_VERSION_NUMBER >= 0x30000000L
bignum_safe_free(server_pubkey);
#endif
if(rc != SSH_OK) {
if (rc != SSH_OK) {
ssh_set_error_oom(session);
ssh_buffer_reinit(session->out_buffer);
goto error;
@@ -478,7 +510,7 @@ int ssh_server_gss_dh_process_init(ssh_session session, ssh_buffer packet)
}
SSH_LOG(SSH_LOG_DEBUG, "Sent SSH2_MSG_KEXGSS_COMPLETE");
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
/* Send the MSG_NEWKEYS */
rc = ssh_packet_send_newkeys(session);
if (rc == SSH_ERROR) {
@@ -501,7 +533,8 @@ error:
* @brief parse an incoming SSH_MSG_KEXGSS_INIT packet and complete
* Diffie-Hellman key exchange
**/
static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init){
static SSH_PACKET_CALLBACK(ssh_packet_server_gss_dh_init)
{
(void)type;
(void)user;
SSH_LOG(SSH_LOG_DEBUG, "Received SSH_MSG_KEXGSS_INIT");
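Review bot: The closing brace of ssh_gss_dh_server_callbacks now sits on the same line as the last member, `.user = NULL};`, which is the formatter's output for a designated initializer without a trailing comma and is inconsistent with the other initializers in the same file (for example `gss_dh_client_callbacks[] = { ... };` keeps `};` on its own line). Adding a trailing comma, `.user = NULL,`, lets clang-format keep `};` on its own line and also makes a future member addition a one-line diff. The same initializer form may exist in the sibling callback structs outside this hunk; they would benefit from the same trailing comma.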


@@ -27,8 +27,8 @@
#include <stdio.h>
#ifdef WITH_GSSAPI
#include <gssapi/gssapi.h>
#include "libssh/gssapi.h"
#include <gssapi/gssapi.h>
#endif
#include "libssh/priv.h"


@@ -21,23 +21,23 @@
#include "config.h"
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <gssapi/gssapi.h>
#include <libssh/buffer.h>
#include <libssh/callbacks.h>
#include <libssh/crypto.h>
#include <libssh/gssapi.h>
#include <libssh/libssh.h>
#include <libssh/ssh2.h>
#include <libssh/buffer.h>
#include <libssh/crypto.h>
#include <libssh/callbacks.h>
#include <libssh/string.h>
#include <libssh/server.h>
#include <libssh/ssh2.h>
#include <libssh/string.h>
#include <libssh/token.h>
static gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
@@ -155,8 +155,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid)
* @param[out] selected OID set of supported oids
* @returns SSH_OK if successful, SSH_ERROR otherwise
*/
int
ssh_gssapi_server_oids(gss_OID_set *selected)
int ssh_gssapi_server_oids(gss_OID_set *selected)
{
OM_uint32 maj_stat, min_stat;
size_t i;
@@ -172,11 +171,14 @@ ssh_gssapi_server_oids(gss_OID_set *selected)
return SSH_ERROR;
}
for (i=0; i < supported->count; ++i){
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length);
for (i = 0; i < supported->count; ++i) {
ptr = ssh_get_hexa(supported->elements[i].elements,
supported->elements[i].length);
/* According to RFC 4462 we MUST NOT use SPNEGO */
if (supported->elements[i].length == spnego_oid.length &&
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) {
memcmp(supported->elements[i].elements,
spnego_oid.elements,
supported->elements[i].length) == 0) {
SAFE_FREE(ptr);
continue;
}
@@ -289,9 +291,14 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
return SSH_ERROR;
}
maj_stat = gss_acquire_cred(&min_stat, session->gssapi->client.server_name, 0,
both_supported, GSS_C_ACCEPT,
&session->gssapi->server_creds, &selected, NULL);
maj_stat = gss_acquire_cred(&min_stat,
session->gssapi->client.server_name,
0,
both_supported,
GSS_C_ACCEPT,
&session->gssapi->server_creds,
&selected,
NULL);
gss_release_oid_set(&min_stat, &both_supported);
if (maj_stat != GSS_S_COMPLETE) {
ssh_gssapi_log_error(SSH_LOG_TRACE,
@@ -477,7 +484,8 @@ ssh_buffer ssh_gssapi_build_mic(ssh_session session, const char *context)
rc = ssh_buffer_pack(mic_buffer,
"dPbsss",
crypto->session_id_len,
crypto->session_id_len, crypto->session_id,
crypto->session_id_len,
crypto->session_id,
SSH2_MSG_USERAUTH_REQUEST,
session->gssapi->user,
"ssh-connection",
@@ -655,8 +663,7 @@ fail:
*
* @returns the hash or NULL on error
*/
char *
ssh_gssapi_oid_hash(ssh_string oid)
char *ssh_gssapi_oid_hash(ssh_string oid)
{
MD5CTX ctx = NULL;
unsigned char *h = NULL;
@@ -674,9 +681,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
return NULL;
}
rc = md5_update(ctx,
ssh_string_data(oid),
ssh_string_len(oid));
rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid));
if (rc != SSH_OK) {
SAFE_FREE(h);
md5_ctx_free(ctx);
@@ -700,8 +705,7 @@ ssh_gssapi_oid_hash(ssh_string oid)
*
* @returns SSH_OK if any one of the mechanisms is configured or NULL
*/
int
ssh_gssapi_check_client_config(ssh_session session)
int ssh_gssapi_check_client_config(ssh_session session)
{
OM_uint32 maj_stat, min_stat;
size_t i;
@@ -725,7 +729,7 @@ ssh_gssapi_check_client_config(ssh_session session)
return SSH_ERROR;
}
for (i = 0; i < supported->count; ++i){
for (i = 0; i < supported->count; ++i) {
gssapi = calloc(1, sizeof(struct ssh_gssapi_struct));
if (gssapi == NULL) {
ssh_set_error_oom(session);
@@ -738,7 +742,9 @@ ssh_gssapi_check_client_config(ssh_session session)
/* According to RFC 4462 we MUST NOT use SPNEGO */
if (supported->elements[i].length == spnego_oid.length &&
memcmp(supported->elements[i].elements, spnego_oid.elements, supported->elements[i].length) == 0) {
memcmp(supported->elements[i].elements,
spnego_oid.elements,
supported->elements[i].length) == 0) {
ret = SSH_ERROR;
goto end;
}
@@ -750,18 +756,24 @@ ssh_gssapi_check_client_config(ssh_session session)
namebuf.value = (void *)session->opts.gss_client_identity;
namebuf.length = strlen(session->opts.gss_client_identity);
maj_stat = gss_import_name(&min_stat, &namebuf,
GSS_C_NT_USER_NAME, &client_id);
maj_stat = gss_import_name(&min_stat,
&namebuf,
GSS_C_NT_USER_NAME,
&client_id);
if (GSS_ERROR(maj_stat)) {
ret = SSH_ERROR;
goto end;
}
}
maj_stat = gss_acquire_cred(&min_stat, client_id, GSS_C_INDEFINITE,
one_oidset, GSS_C_INITIATE,
maj_stat = gss_acquire_cred(&min_stat,
client_id,
GSS_C_INDEFINITE,
one_oidset,
GSS_C_INITIATE,
&gssapi->client.creds,
NULL, NULL);
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN,
"acquiring credential",
@@ -776,7 +788,8 @@ ssh_gssapi_check_client_config(ssh_session session)
goto end;
}
maj_stat = ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags);
maj_stat =
ssh_gssapi_init_ctx(gssapi, &input_token, &output_token, &oflags);
if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_WARN,
"initializing context",
@@ -786,14 +799,15 @@ ssh_gssapi_check_client_config(ssh_session session)
goto end;
}
ptr = ssh_get_hexa(supported->elements[i].elements, supported->elements[i].length);
ptr = ssh_get_hexa(supported->elements[i].elements,
supported->elements[i].length);
SSH_LOG(SSH_LOG_DEBUG, "Supported mech %zu: %s", i, ptr);
free(ptr);
/* If atleast one mechanism is configured then return successfully */
ret = SSH_OK;
end:
end:
if (ret == SSH_ERROR) {
SSH_LOG(SSH_LOG_WARN, "GSSAPI not configured correctly");
}
@@ -802,8 +816,8 @@ end:
gss_release_oid_set(&min_stat, &one_oidset);
gss_release_name(&min_stat, &gssapi->client.server_name);
gss_release_cred(&min_stat,&gssapi->server_creds);
gss_release_cred(&min_stat,&gssapi->client.creds);
gss_release_cred(&min_stat, &gssapi->server_creds);
gss_release_cred(&min_stat, &gssapi->client.creds);
gss_release_oid(&min_stat, &gssapi->client.oid);
gss_release_buffer(&min_stat, &output_token);
gss_delete_sec_context(&min_stat, &gssapi->ctx, GSS_C_NO_BUFFER);
@@ -909,16 +923,17 @@ end:
* @param[in] session current session handler
* @returns string suffixed kex algorithms or NULL on error
*/
char *
ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
char *ssh_gssapi_kex_mechs(ssh_session session)
{
size_t i,j;
gss_OID_set selected = GSS_C_NO_OID_SET; /* oid selected for authentication */
size_t i, j;
/* oid selected for authentication */
gss_OID_set selected = GSS_C_NO_OID_SET;
ssh_string *oids = NULL;
int rc;
size_t n_oids = 0;
struct ssh_tokens_st *algs = NULL;
char *oid_hash = NULL;
const char *gss_algs = session->opts.gssapi_key_exchange_algs;
char *new_gss_algs = NULL;
char gss_kex_algs[8000] = {0};
OM_uint32 min_stat;
@@ -950,9 +965,11 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
}
/* Check if algorithms are valid */
new_gss_algs = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);
new_gss_algs =
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs);
if (gss_algs == NULL) {
ssh_set_error(session,
ssh_set_error(
session,
SSH_FATAL,
"GSSAPI key exchange algorithms not supported or invalid");
rc = SSH_ERROR;
@@ -967,7 +984,7 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
rc = SSH_ERROR;
goto out;
}
for (i=0; i<n_oids; ++i){
for (i = 0; i < n_oids; ++i) {
oids[i] = ssh_string_new(selected->elements[i].length + 2);
if (oids[i] == NULL) {
ssh_set_error_oom(session);
@@ -976,7 +993,8 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
}
((unsigned char *)oids[i]->data)[0] = SSH_OID_TAG;
((unsigned char *)oids[i]->data)[1] = selected->elements[i].length;
memcpy((unsigned char *)oids[i]->data + 2, selected->elements[i].elements,
memcpy((unsigned char *)oids[i]->data + 2,
selected->elements[i].elements,
selected->elements[i].length);
/* Get the algorithm suffix */
@@ -991,17 +1009,17 @@ ssh_gssapi_kex_mechs(ssh_session session, const char *gss_algs)
* the algorithms to a string */
for (j = 0; algs->tokens[j]; j++) {
if (sizeof(gss_kex_algs) < offset) {
ssh_set_error(session,
SSH_FATAL,
"snprintf failed");
ssh_set_error(session, SSH_FATAL, "snprintf failed");
rc = SSH_ERROR;
goto out;
}
rc = snprintf(&gss_kex_algs[offset], sizeof(gss_kex_algs)-offset, "%s%s,", algs->tokens[j], oid_hash);
rc = snprintf(&gss_kex_algs[offset],
sizeof(gss_kex_algs) - offset,
"%s%s,",
algs->tokens[j],
oid_hash);
if (rc < 0 || rc >= (ssize_t)sizeof(gss_kex_algs)) {
ssh_set_error(session,
SSH_FATAL,
"snprintf failed");
ssh_set_error(session, SSH_FATAL, "snprintf failed");
rc = SSH_ERROR;
goto out;
}
@@ -1028,8 +1046,7 @@ out:
return strdup(gss_kex_algs);
}
int
ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
int ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
{
gss_buffer_desc hostname;
char name_buf[256] = {0};
@@ -1055,8 +1072,7 @@ ssh_gssapi_import_name(struct ssh_gssapi_struct *gssapi, const char *host)
return maj_stat;
}
OM_uint32
ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
OM_uint32 ssh_gssapi_init_ctx(struct ssh_gssapi_struct *gssapi,
gss_buffer_desc *input_token,
gss_buffer_desc *output_token,
OM_uint32 *ret_flags)
@@ -1175,7 +1191,9 @@ out:
* @returns SSH_ERROR: A serious error happened\n
* SSH_OK: MIC token is stored in mic_token_buf
*/
int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_buf) {
int ssh_gssapi_auth_keyex_mic(ssh_session session,
gss_buffer_desc *mic_token_buf)
{
ssh_buffer buf = NULL;
gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat, min_stat;
@@ -1189,8 +1207,11 @@ int ssh_gssapi_auth_keyex_mic(ssh_session session, gss_buffer_desc *mic_token_bu
mic_buf.length = ssh_buffer_get_len(buf);
mic_buf.value = ssh_buffer_get(buf);
maj_stat = gss_get_mic(&min_stat,session->gssapi->ctx, GSS_C_QOP_DEFAULT,
&mic_buf, mic_token_buf);
maj_stat = gss_get_mic(&min_stat,
session->gssapi->ctx,
GSS_C_QOP_DEFAULT,
&mic_buf,
mic_token_buf);
if (GSS_ERROR(maj_stat)) {
ssh_gssapi_log_error(SSH_LOG_DEBUG,
"generating MIC",
@@ -1273,8 +1294,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
session->gssapi->client.flags |= GSS_C_DELEG_FLAG;
}
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
if (GSS_ERROR(maj_stat)){
maj_stat =
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
if (GSS_ERROR(maj_stat)) {
goto error;
}
@@ -1380,7 +1402,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client)
input_token.length = ssh_string_len(token);
input_token.value = ssh_string_data(token);
maj_stat = ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
maj_stat =
ssh_gssapi_init_ctx(session->gssapi, &input_token, &output_token, NULL);
if (GSS_ERROR(maj_stat)) {
goto error;
}
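Review bot: In ssh_gssapi_kex_mechs the check `if (gss_algs == NULL)` that follows the `ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, gss_algs)` call tests the input rather than the result, so a NULL return (none of the configured algorithms is supported) is not caught at the point the comment "Check if algorithms are valid" announces; the reformat preserves this, and the condition should read `if (new_gss_algs == NULL) {`. Because gss_algs is now read directly from session->opts.gssapi_key_exchange_algs, a NULL value there would already have been handed to ssh_find_all_matching before this check runs, so any guard for a NULL option belongs before the call, unless the lines preceding this hunk already establish it. Unless new_gss_algs is validated further down, outside the hunk, the NULL presumably reaches whatever produces algs->tokens for the later loop, which would make the wrong-variable check a crash rather than a reported configuration error. The function body starts and ends outside this hunk.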


@@ -825,14 +825,15 @@ int ssh_set_client_kex(ssh_session session)
return SSH_ERROR;
}
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
gssapi_algs = ssh_gssapi_kex_mechs(session);
if (gssapi_algs == NULL) {
return SSH_ERROR;
}
/* Prefix the default algorithms with gsskex algs */
session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(default_methods[SSH_KEX], gssapi_algs);
ssh_prefix_without_duplicates(default_methods[SSH_KEX],
gssapi_algs);
gssapi_null_alg = true;
@@ -853,7 +854,8 @@ int ssh_set_client_kex(ssh_session session)
return SSH_ERROR;
}
if (gssapi_null_alg) {
hostkeys = ssh_append_without_duplicates(client->methods[i], "null");
hostkeys =
ssh_append_without_duplicates(client->methods[i], "null");
if (hostkeys == NULL) {
ssh_set_error_oom(session);
return SSH_ERROR;
@@ -2036,8 +2038,7 @@ error:
* @param[in] crypto The SSH crypto context
* @return true if the KEX of the context is a GSSAPI KEX, false otherwise
*/
bool
ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
bool ssh_kex_is_gss(struct ssh_crypto_struct *crypto)
{
switch (crypto->kex_type) {
case SSH_GSS_KEX_DH_GROUP14_SHA256:


@@ -1157,13 +1157,14 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
if (!ssh_kex_is_gss(session->current_crypto)) {
ssh_set_error(session,
SSH_FATAL,
"Attempt to authenticate with \"gssapi-keyex\" without doing GSSAPI Key Exchange");
"Attempt to authenticate with gssapi-keyex without "
"doing GSSAPI Key Exchange.");
ssh_auth_reply_default(session, 0);
goto error;
}
rc = ssh_buffer_unpack(packet, "S", &mic_token_string);
if (rc != SSH_OK){
if (rc != SSH_OK) {
ssh_auth_reply_default(session, 0);
goto error;
}
@@ -1190,7 +1191,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request)
if (maj_stat != GSS_S_COMPLETE) {
ssh_set_error(session,
SSH_FATAL,
"Failed to verify MIC for \"gssapi-keyex\" auth");
"Failed to verify MIC for gssapi-keyex auth");
SSH_BUFFER_FREE(buf);
SSH_STRING_FREE(mic_token_string);
ssh_auth_reply_default(session, 0);


@@ -1278,11 +1278,13 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
return -1;
} else {
/* Check if algorithms are supported */
char *ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v);
char *ret =
ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, v);
if (ret == NULL) {
ssh_set_error(session,
SSH_FATAL,
"GSSAPI key exchange algorithms not supported or invalid");
"GSSAPI key exchange algorithms not "
"supported or invalid");
return -1;
}
SAFE_FREE(session->opts.gssapi_key_exchange_algs);
@@ -2332,9 +2334,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* false to disable GSSAPI key exchange. (bool)
*
* - SSH_BIND_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS
* Set the GSSAPI key exchange method to be used (const char *,
* comma-separated list). ex:
* "gss-group14-sha256-,gss-group16-sha512-"
* Set the GSSAPI key exchange method to be used
* (const char *, comma-separated list).
* ex: "gss-group14-sha256-,gss-group16-sha512-"
*
* @param value The value to set. This is a generic pointer and the
* datatype which should be used is described at the
@@ -2751,7 +2753,8 @@ ssh_bind_options_set(ssh_bind sshbind,
SAFE_FREE(sshbind->gssapi_key_exchange_algs);
ret = ssh_find_all_matching(GSSAPI_KEY_EXCHANGE_SUPPORTED, value);
if (ret == NULL) {
ssh_set_error(sshbind,
ssh_set_error(
sshbind,
SSH_REQUEST_DENIED,
"GSSAPI key exchange algorithms not supported or invalid");
return -1;


@@ -657,8 +657,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
(session->auth.state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) &&
(session->auth.state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) &&
(session->auth.state != SSH_AUTH_STATE_GSSAPI_KEYEX_MIC_SENT) &&
(session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT))
{
(session->auth.state != SSH_AUTH_STATE_AUTH_NONE_SENT)) {
rc = SSH_PACKET_DENIED;
break;
}


@@ -28,8 +28,8 @@
#include <arpa/inet.h>
#endif
#ifdef WITH_GSSAPI
#include <gssapi/gssapi.h>
#include "libssh/gssapi.h"
#include <gssapi/gssapi.h>
#endif
#include "libssh/priv.h"
@@ -228,7 +228,8 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys)
rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
sig->type_c);
if (rc == 0) {
ssh_set_error(session,
ssh_set_error(
session,
SSH_FATAL,
"Public key from server (%s) doesn't match user "
"preference (%s)",


@@ -44,23 +44,23 @@
# include <netinet/in.h>
#endif
#include "libssh/priv.h"
#include "libssh/libssh.h"
#include "libssh/server.h"
#include "libssh/ssh2.h"
#include "libssh/buffer.h"
#include "libssh/packet.h"
#include "libssh/socket.h"
#include "libssh/session.h"
#include "libssh/kex.h"
#include "libssh/misc.h"
#include "libssh/pki.h"
#include "libssh/dh.h"
#include "libssh/messages.h"
#include "libssh/options.h"
#include "libssh/curve25519.h"
#include "libssh/token.h"
#include "libssh/dh.h"
#include "libssh/gssapi.h"
#include "libssh/kex.h"
#include "libssh/libssh.h"
#include "libssh/messages.h"
#include "libssh/misc.h"
#include "libssh/options.h"
#include "libssh/packet.h"
#include "libssh/pki.h"
#include "libssh/priv.h"
#include "libssh/server.h"
#include "libssh/session.h"
#include "libssh/socket.h"
#include "libssh/ssh2.h"
#include "libssh/token.h"
#define set_status(session, status) do {\
if (session->common.callbacks && session->common.callbacks->connect_status_function) \
@@ -154,7 +154,8 @@ int server_set_kex(ssh_session session)
if (strlen(hostkeys) != 0) {
/* It is expected for the list of allowed hostkeys to be ordered by
* preference */
kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
kept =
ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
allowed);
if (kept == NULL) {
/* Nothing was allowed */
@@ -178,7 +179,7 @@ int server_set_kex(ssh_session session)
return SSH_ERROR;
}
gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
gssapi_algs = ssh_gssapi_kex_mechs(session);
if (gssapi_algs == NULL) {
return SSH_ERROR;
}
@@ -186,7 +187,8 @@ int server_set_kex(ssh_session session)
/* Prefix the default algorithms with gsskex algs */
session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), gssapi_algs);
ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX),
gssapi_algs);
if (strlen(hostkeys) == 0) {
session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null");
@@ -703,7 +705,9 @@ int ssh_auth_reply_default(ssh_session session,int partial) {
/* Check if GSSAPI Key exchange was performed */
if (session->auth.supported_methods & SSH_AUTH_METHOD_GSSAPI_KEYEX) {
if (ssh_kex_is_gss(session->current_crypto)) {
strncat(methods_c, "gssapi-keyex,", sizeof(methods_c) - strlen(methods_c) - 1);
strncat(methods_c,
"gssapi-keyex,",
sizeof(methods_c) - strlen(methods_c) - 1);
}
}
if (session->auth.supported_methods & SSH_AUTH_METHOD_INTERACTIVE) {
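Review bot: `gssapi_algs = ssh_gssapi_kex_mechs(session);` in server_set_kex drops the explicit algorithm-list argument, so which GSSAPI kex mechanisms the server offers now depends on session->opts.gssapi_key_exchange_algs being populated for a bind-created session. ssh_new() initialises that field to the full GSSAPI_KEY_EXCHANGE_SUPPORTED list (see the session.c section below), but nothing in this hunk shows the value validated in ssh_bind_options_set being copied into the session, so please confirm the bind option still takes effect and is not silently replaced by the default list, since that would let the server offer mechanisms the administrator disabled. A short comment at the call site would document the dependency, e.g. `/* reads session->opts.gssapi_key_exchange_algs; a bind-created session must already carry the bind's configured list here */`. server_set_kex continues outside the hunk.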


@@ -161,7 +161,8 @@ ssh_session ssh_new(void)
}
#ifdef WITH_GSSAPI
session->opts.gssapi_key_exchange_algs = strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED);
session->opts.gssapi_key_exchange_algs =
strdup(GSSAPI_KEY_EXCHANGE_SUPPORTED);
if (session->opts.gssapi_key_exchange_algs == NULL) {
goto err;
}


@@ -2,17 +2,16 @@
#define LIBSSH_STATIC
#include "libssh/crypto.h"
#include "torture.h"
#include <libssh/libssh.h>
#include "libssh/crypto.h"
#include <errno.h>
#include <fcntl.h>
#include <gssapi.h>
#include <pwd.h>
static int
sshd_setup(void **state)
static int sshd_setup(void **state)
{
torture_setup_sshd_server(state, false);
torture_update_sshd_config(state,
@@ -22,8 +21,7 @@ sshd_setup(void **state)
return 0;
}
static int
sshd_teardown(void **state)
static int sshd_teardown(void **state)
{
assert_non_null(state);
@@ -32,8 +30,7 @@ sshd_teardown(void **state)
return 0;
}
static int
session_setup(void **state)
static int session_setup(void **state)
{
struct torture_state *s = *state;
int verbosity = torture_libssh_verbosity();
@@ -62,8 +59,7 @@ session_setup(void **state)
return 0;
}
static int
session_teardown(void **state)
static int session_teardown(void **state)
{
struct torture_state *s = *state;
@@ -75,8 +71,7 @@ session_teardown(void **state)
return 0;
}
static void
torture_gssapi_key_exchange(void **state)
static void torture_gssapi_key_exchange(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -106,8 +101,7 @@ torture_gssapi_key_exchange(void **state)
torture_teardown_kdc_server(state);
}
static void
torture_gssapi_key_exchange_no_tgt(void **state)
static void torture_gssapi_key_exchange_no_tgt(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -136,14 +130,15 @@ torture_gssapi_key_exchange_no_tgt(void **state)
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server(state);
}
static void
torture_gssapi_key_exchange_gss_group14_sha256(void **state)
static void torture_gssapi_key_exchange_gss_group14_sha256(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -168,19 +163,21 @@ torture_gssapi_key_exchange_gss_group14_sha256(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-");
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group14-sha256-");
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
torture_teardown_kdc_server(state);
}
static void
torture_gssapi_key_exchange_gss_group16_sha512(void **state)
static void torture_gssapi_key_exchange_gss_group16_sha512(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -205,19 +202,21 @@ torture_gssapi_key_exchange_gss_group16_sha512(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-");
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group16-sha512-");
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_true(session->current_crypto->kex_type == SSH_GSS_KEX_DH_GROUP16_SHA512);
assert_true(session->current_crypto->kex_type ==
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server(state);
}
static void
torture_gssapi_key_exchange_auth(void **state)
static void torture_gssapi_key_exchange_auth(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -251,8 +250,7 @@ torture_gssapi_key_exchange_auth(void **state)
torture_teardown_kdc_server(state);
}
static void
torture_gssapi_key_exchange_no_auth(void **state)
static void torture_gssapi_key_exchange_no_auth(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -288,8 +286,7 @@ torture_gssapi_key_exchange_no_auth(void **state)
torture_teardown_kdc_server(state);
}
int
torture_run_tests(void)
int torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {
@@ -299,10 +296,12 @@ torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_no_tgt,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group14_sha256,
cmocka_unit_test_setup_teardown(
torture_gssapi_key_exchange_gss_group14_sha256,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_gss_group16_sha512,
cmocka_unit_test_setup_teardown(
torture_gssapi_key_exchange_gss_group16_sha512,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_key_exchange_auth,


@@ -10,8 +10,7 @@
#include <gssapi.h>
#include <pwd.h>
static int
sshd_setup(void **state)
static int sshd_setup(void **state)
{
struct torture_state *s = NULL;
torture_setup_sshd_server(state, false);
@@ -39,8 +38,7 @@ sshd_setup(void **state)
return 0;
}
static int
sshd_teardown(void **state)
static int sshd_teardown(void **state)
{
assert_non_null(state);
@@ -49,8 +47,7 @@ sshd_teardown(void **state)
return 0;
}
static int
session_setup(void **state)
static int session_setup(void **state)
{
struct torture_state *s = *state;
int verbosity = torture_libssh_verbosity();
@@ -79,8 +76,7 @@ session_setup(void **state)
return 0;
}
static int
session_teardown(void **state)
static int session_teardown(void **state)
{
struct torture_state *s = *state;
@@ -92,8 +88,7 @@ session_teardown(void **state)
return 0;
}
static void
torture_gssapi_key_exchange_null(void **state)
static void torture_gssapi_key_exchange_null(void **state)
{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
@@ -121,13 +116,13 @@ torture_gssapi_key_exchange_null(void **state)
rc = ssh_connect(session);
assert_ssh_return_code(s->ssh.session, rc);
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null");
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
"null");
torture_teardown_kdc_server(state);
}
int
torture_run_tests(void)
int torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {


@@ -1,13 +1,13 @@
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <unistd.h>
/*******************************************************************************
* Structs
@@ -224,10 +224,11 @@ static int is_file_blocked(const char *pathname)
/* Block for torture_gssapi_server_key_exchange_null */
"/etc/ssh/ssh_host_ecdsa_key",
"/etc/ssh/ssh_host_rsa_key",
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key",
};
for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]); i++) {
for (size_t i = 0; i < sizeof(blocked_files) / sizeof(blocked_files[0]);
i++) {
if (strcmp(pathname, blocked_files[i]) == 0) {
errno = ENOENT; /* No such file or directory */
return 1;
@@ -237,8 +238,8 @@ static int is_file_blocked(const char *pathname)
}
#define WRAP_FOPEN(func_name) \
FILE *func_name(const char *pathname, const char *mode) \
{ \
FILE *func_name(const char *pathname, const char *mode) \
{ \
typedef FILE *(*orig_func_t)(const char *pathname, const char *mode); \
static orig_func_t orig_func = NULL; \
if (orig_func == NULL) { \
@@ -248,7 +249,7 @@ FILE *func_name(const char *pathname, const char *mode) \
return NULL; \
} \
return orig_func(pathname, mode); \
}
}
WRAP_FOPEN(fopen)
WRAP_FOPEN(fopen64)


@@ -7,8 +7,8 @@
#include <sys/stat.h>
#include <sys/types.h>
#include "libssh/libssh.h"
#include "libssh/crypto.h"
#include "libssh/libssh.h"
#include "torture.h"
#include "torture_key.h"
@@ -21,8 +21,7 @@ struct test_server_st {
char *cwd;
};
static void
free_test_server_state(void **state)
static void free_test_server_state(void **state)
{
struct test_server_st *tss = *state;
@@ -30,8 +29,7 @@ free_test_server_state(void **state)
SAFE_FREE(tss);
}
static void
setup_config(void **state)
static void setup_config(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -147,8 +145,7 @@ setup_config(void **state)
*state = tss;
}
static int
setup_default_server(void **state)
static int setup_default_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -186,8 +183,7 @@ setup_default_server(void **state)
return 0;
}
static int
teardown_default_server(void **state)
static int teardown_default_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -212,8 +208,7 @@ teardown_default_server(void **state)
return 0;
}
static int
session_setup(void **state)
static int session_setup(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -253,8 +248,7 @@ session_setup(void **state)
return 0;
}
static int
session_teardown(void **state)
static int session_teardown(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -276,9 +270,7 @@ session_teardown(void **state)
return 0;
}
static void
torture_gssapi_server_key_exchange(void **state)
static void torture_gssapi_server_key_exchange(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -303,7 +295,8 @@ torture_gssapi_server_key_exchange(void **state)
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals",
@@ -318,8 +311,7 @@ torture_gssapi_server_key_exchange(void **state)
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_key_exchange_no_tgt(void **state)
static void torture_gssapi_server_key_exchange_no_tgt(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -344,7 +336,8 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
@@ -357,14 +350,15 @@ torture_gssapi_server_key_exchange_no_tgt(void **state)
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_not_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
static void torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -389,7 +383,8 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
@@ -398,19 +393,21 @@ torture_gssapi_server_key_exchange_gss_group14_sha256(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group14-sha256-");
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group14-sha256-");
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP14_SHA256);
assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP14_SHA256);
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
static void torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -435,7 +432,8 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
@@ -444,19 +442,21 @@ torture_gssapi_server_key_exchange_gss_group16_sha512(void **state)
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE, &t);
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS, "gss-group16-sha512-");
rc = ssh_options_set(s->ssh.session,
SSH_OPTIONS_GSSAPI_KEY_EXCHANGE_ALGS,
"gss-group16-sha512-");
assert_ssh_return_code(s->ssh.session, rc);
rc = ssh_connect(session);
assert_ssh_return_code(session, rc);
assert_int_equal(session->current_crypto->kex_type, SSH_GSS_KEX_DH_GROUP16_SHA512);
assert_int_equal(session->current_crypto->kex_type,
SSH_GSS_KEX_DH_GROUP16_SHA512);
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_key_exchange_auth(void **state)
static void torture_gssapi_server_key_exchange_auth(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -499,8 +499,7 @@ torture_gssapi_server_key_exchange_auth(void **state)
torture_teardown_kdc_server((void **)&s);
}
static void
torture_gssapi_server_key_exchange_no_auth(void **state)
static void torture_gssapi_server_key_exchange_no_auth(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -545,27 +544,30 @@ torture_gssapi_server_key_exchange_no_auth(void **state)
torture_teardown_kdc_server((void **)&s);
}
int
torture_run_tests(void)
int torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_tgt,
cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_no_tgt,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group14_sha256,
cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_gss_group14_sha256,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_gss_group16_sha512,
cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_gss_group16_sha512,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_auth,
session_setup,
session_teardown),
cmocka_unit_test_setup_teardown(torture_gssapi_server_key_exchange_no_auth,
cmocka_unit_test_setup_teardown(
torture_gssapi_server_key_exchange_no_auth,
session_setup,
session_teardown),
};


@@ -19,8 +19,7 @@ struct test_server_st {
char *cwd;
};
static void
free_test_server_state(void **state)
static void free_test_server_state(void **state)
{
struct test_server_st *tss = *state;
@@ -28,8 +27,7 @@ free_test_server_state(void **state)
SAFE_FREE(tss);
}
static void
setup_config(void **state)
static void setup_config(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -105,8 +103,7 @@ setup_config(void **state)
*state = tss;
}
static int
setup_default_server(void **state)
static int setup_default_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -144,8 +141,7 @@ setup_default_server(void **state)
return 0;
}
static int
teardown_default_server(void **state)
static int teardown_default_server(void **state)
{
struct torture_state *s = NULL;
struct server_state_st *ss = NULL;
@@ -170,8 +166,7 @@ teardown_default_server(void **state)
return 0;
}
static int
session_setup(void **state)
static int session_setup(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -211,8 +206,7 @@ session_setup(void **state)
return 0;
}
static int
session_teardown(void **state)
static int session_teardown(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -234,9 +228,7 @@ session_teardown(void **state)
return 0;
}
static void
torture_gssapi_server_key_exchange_null(void **state)
static void torture_gssapi_server_key_exchange_null(void **state)
{
struct test_server_st *tss = *state;
struct torture_state *s = NULL;
@@ -261,7 +253,8 @@ torture_gssapi_server_key_exchange_null(void **state)
torture_setup_kdc_server(
(void **)&s,
"kadmin.local addprinc -randkey host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site\n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab "
"host/server.libssh.site\n"
"kadmin.local addprinc -pw bar alice\n"
"kadmin.local list_principals",
@@ -273,13 +266,13 @@ torture_gssapi_server_key_exchange_null(void **state)
rc = ssh_connect(session);
assert_ssh_return_code(s->ssh.session, rc);
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS], "null");
assert_string_equal(session->current_crypto->kex_methods[SSH_HOSTKEYS],
"null");
torture_teardown_kdc_server((void **)&s);
}
int
torture_run_tests(void)
int torture_run_tests(void)
{
int rc;
struct CMUnitTest tests[] = {


@@ -999,8 +999,10 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
fips_config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey,
"HostKey",
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey,
sftp_server,
usepam,
@@ -1012,9 +1014,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"", "",
"", "",
"", "",
"",
"",
"",
"",
"",
"",
trusted_ca_pubkey,
sftp_server,
usepam,
@@ -1026,9 +1031,12 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", ed25519_hostkey,
"HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey,
"HostKey",
ed25519_hostkey,
"HostKey",
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey,
sftp_server,
usepam,


@@ -650,7 +650,8 @@ static void torture_config_new(void ** state,
assert_string_equal(session->opts.gss_server_identity, "example.com");
assert_string_equal(session->opts.gss_client_identity, "home.sweet");
#ifdef WITH_GSSAPI
assert_string_equal(session->opts.gssapi_key_exchange_algs, "gss-group14-sha256-");
assert_string_equal(session->opts.gssapi_key_exchange_algs,
"gss-group14-sha256-");
#endif /* WITH_GSSAPI */
assert_int_equal(ssh_get_log_level(), SSH_LOG_TRACE);