without explicitly setting the algorithms, they might be set by
some other configuration file, for example crypto policies pulled
from `/etc/libssh/libssh_server.config` during RPM build.
Log also the generated configuration file and change the other case
to use standard logging mechanism instead of fprintf.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
We want to make sure it suceeds because it could fail if
the client tries to send a hostbound public key authentication
request.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
All gssapi-keyex tests have to be disabled in Centos Stream 8
because the KEX is not allowed in FIPS. In Centos Stream 9,
only tests against OpenSSH have to be disabled because
OpenSSH only enables gssapi-keyex since Centos Stream 10.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
And setup a KDC server before pinging the server so we
can connect.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
In particular, gss-nistp256-sha256-* and
gss-curve25519-sha256-*.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
With packet filtering now implemented for type 65,
the current test packet would be rejected, resulting
in failed tests.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Make it use the one-shot API of hash functions,
and remove the FIPS restriction for OpenSSL 3.5+
where we can fetch the MD5 implementation from
a non-FIPS provider to use for non-crypto purposes.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
fix: skip gssapi tests in fips mode
fix: skip gssapi_key_exchange_null test on ubuntu and tumbleweed
fix: return early when rc != 0 to show error
tests: replace int asserts by ssh return code asserts
fix: add fatal error when hostkeys are not found and gssapi kex is not enabled
ci: add comment linking gssapi null kex bug in ubuntu and tumbleweed
fix: don't specify hostkeys in config instead of deleting files
tests: assert kex method was null
refactor: remove redundant include
refactor: better error message
fix: check null before accessing in gssapi.c
fix: allow setting no hostkeys
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
feat: add negative auth client tests, and more key exchange server tests
feat: add function for checkinf if GSSAPI key exchange was performed
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
feat: add generic functions for importing name and initializing ctx
feat: add suffix to gsskex algs dynamically
feat: move gssapi key exchange to another file
feat: add gssapi key exchange for server
refactor: remove unnecessary fields in gssapi struct
refactor: add some documentation and improve logging
fix: remove gss_dh callbacks
feat: add a check to see if GSSAPI is configured correctly
fix: memory leaks
feat: add client side "gssapi-keyex" auth
feat: add gssapi_key_exchange_algs for server
fix: some memory issues
feat: add gssapi kex options to config
feat: add check to see if GSSAPI key exchange was performed
feat: add more tests for gssapi key exchange
fix: add valgrind supp
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
* allow parsing of AddressFamily in config and cli
* supports options "any", "inet" and "inet6"
* introduce SSH_OPTIONS_ADDRESS_FAMILY
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This builds on top of a9c8f94. The pure ML-KEM
code is now separated from the hybrid parts,
with the hybrid implementation generalized to
support NIST curves.
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
