This should not be a problem for well-behaving clients that do not
append the ext-info-c to the rekey, but if they do, we should not
send it either.
Resolves: T121
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The RFC 8308 clearly says, that the additional ext-info-c should
be added only to the first SSH_MSG_KEXINIT.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
If nread is < 0 and no exception callback is set,
the following code block would cause a buffer overrun.
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 0b9e07fbdc)
If the hostkey type was not in the list of acceptable hostkey
types, the function failed to set the error state. Due to the
fact that the calling function ssh_packet_process() does not
handle the SSH_ERROR return code, the newkeys packet from the
server was silently ignored, stalling the connection until a
timeout occurred.
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 4b6eb05023)
ssh_send_keepalive() should use global_request() to properly configure
the state machine for packet filtering.
Signed-off-by: Nicolas Viennot <nicolas@viennot.biz>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 59ada799d7)
Added missing bn.h include.
Made engine.h include conditional, otherwise it would fail.
DSA_generate_parameters was deprecated long before 1.1.0.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 61cac32288)
This commit fixes a couple issues in the CMake configuration files and uses
native features from CMake:
* libssh-build-tree-settings.cmake is deleted. There was a typo that made
this file unusable, anyway.
* use the macros available in CMakePackageConfigHelpers.cmake to generate
the version file and check that the files exist
* Remove the LIBSSH_THREADS_LIBRARY variable, it used the non-existent
LIBSSH_THREADS_LIBRARY_NAME variable.
* Fix the in tree build. libssh can be used uninstalled again.
Test plan:
The values were tested after installing the new files and also without running
'make install'.
Signed-off-by: Christophe Giboudeaux <christophe@krop.fr>
(cherry picked from commit aa899f8ec0)
If either one is missing at this point, fill it with default vaules in
ssh_options_apply().
Previously, when setting up only knownhosts, global_knownhosts file
was left pointing to NULL and the ssh_known_hosts_read_entries()
was trying to open NULL file which is invalid.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 5159cd96e8)
Previously, not all of the host keys algorithms were used for algorithm
negotiation. This verifies the algorithms list is sane and ordered
with the key types from known hosts in the first place.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit bdb3bb9ccd)
Previously, the file contained the known_hosts strings separated
by NULL bytes which somehow magically worked.
The test was also expecting all the keys from the file will have
the same key type, which was not indeed true.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 32e502a79d)
Previously, only the algorithms we had a keys for in known_hosts
were used, which could lead to no-matching algorithms errors if the
one key we used to depend on was removed from the server.
This commit adds also the other algorithms, but lists them only after
all the key types we have in known_hosts file.
Resolves: T105
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 35a6455489)
The code as it was written used only the first algorithm from
preferred_hostkeys array and compared it with the list returned
from the known hosts.
This commit is fixing the code so we actually compare each of the
algorithms from both of the lists and returns the intersection.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit c1a8c41c5d)
The conversion from ssh_keytype_e to string does not work for ECDSA keys,
because different key lengths have different string representation.
The usage of type_c should work also for every other key type in future,
but it does not reflrect different signature types (SHA2 extension for RSA
keys), but this early in the key exchange phase, we can not make any
assumptions about supported extensions by the server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 893b69d82b)
