The new OpenSSH rate limits the failed authentication attempts per source
address and drops connection when the amount is reached, which is happening
in our testsuite.
By whitelisting the IP address of the client on the socket wrapper,
this allows the tests to pass.
https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
For some reason, both compress and decompress contexts were terminated
with both compress and decompress end functions (if the deflateEnd worked),
which was causing for some another unexplained reasons issues on i686
architecture when running the torture_packet unit test.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
... before checking the content.
This test was failing randomly when the read returned only partial buffer.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Casting int to bool might not always work as expected
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This is more portable than specifying a compiler flag explicitly.
Signed-off-by: James Wrigley <james@puiterwijk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Some architectures (esp32) might not have this API.
Fixes: #263
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This removes the code reported by the following coverity issue:
*** CID 1548867: Insecure data handling (INTEGER_OVERFLOW)
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
The coverity thinks the best_nlines could be 0 for logging at the end of the
function. It is obvious that the 0 is immediately incremented. Changing the code
to do this in one step to make it easier to understand for static analyzers.
** CID 1548873: Integer handling issues (INTEGER_OVERFLOW)
Thanks coverity
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
fix: implement gssapi logging according to docs
fix: remove redundant setting of session->gssapi to NULL
feat: add gssapi struct and functions to header file
refactor: initialize gssapi context once
fix: remove redundant ssh_gssapi_free
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
feat: tests set hostname for sshd, make GSSAPIStrictAcceptorCheck yes pass
feat: add GSSAPI_TESTING cmake option
feat: gssapi libssh server test
feat: make kdc setup and teardown functions
feat: add kinit, kadmin scripts to kdc setup function
feat: add some client gssapi auth tests
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
tests: modify proxyjump tests to check for ssh_jump_info_struct
tests: add proxyjump functionality test
feat: add SSH_OPTIONS_PROXYJUMP
tests: proxyjump, check authentication
fix: ssh_socket_connect_proxyjump add exit label to exit on error
feat: implement io forwarding using pthread
feat: proxyjump: use threading instead of forking
feat: proxyjump: cancel forwarding threads on ssh_disconnect
fix: proxyjump remove ProxyJump bool and put pthread ifdefs
feat: use ssh_event for io forwarding instead of threads
reformat: tests to use assert_int_not_equal
fix: link to pthread
refactor: make function to free proxy jump list
docs: add comment for proxy jump channel
feat: add env variable to enable libssh proxy jump
feat: open channel for proxyjump like OpenSSH
feat: add more tests for proxy jump
fix: use a global variable to close io forwarding, this prevents segfaults
fix: handle proxy list in thread without creating copy
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
.. to satisfy restricted environment or fuzzers
We are encountering weird issues in the oss-fuzz that the file disappears during
coverage build so I assume some corpus sneaked in, that contains some commands
that end up being executed as part of the coverage run causing it randomly
failing.
The solution I propose is to build fuzzers without ability to call arbitrary
commands on the filesystem (such as `rm -rf /`) as this is not the point the
fuzzers should be testing.
This is controlled by the WITH_EXEC CMake option (enabled by default).
https://github.com/google/oss-fuzz/issues/10136
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
Turns out it indirectly included err.h, which was needed for some other uses in
this file.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
The libgcrypt has a lot of reachable code so allowing it to fail
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
