Previously, when no methods were set, the server would enable all
supported methods. This changes this behaviour by setting only the
default methods.
The server in pkd_daemon.c was changed to set explicitly all the
supported methods to keep the previous behaviour.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The default order of preference for signature algorithms were not
consistent. This makes the following order of preference to be the
default order:
* ssh-ed25519
* ecdsa-sha2-nistp521
* ecdsa-sha2-nistp384
* ecdsa-sha2-nistp256
* rsa-sha2-512
* rsa-sha2-256
* ssh-rsa
* ssh-dss
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The added option SSH_BIND_OPTIONS_PROCESS_CONFIG allows to skip
processing the system-wide configuration file. The global configuration
file is processed automatically if this option is not set as false.
This option will only be effective if set before any call to
ssh_bind_options_parse_config().
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Add support for setting the allowed HostKey algorithms through
configuration file.
Note that this does NOT add support for adding or removing values using
'+' or '-'. Only replacing the whole list is supported.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The added option SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS allows restricting
the signature algorithms to offer to the client for host authentication.
The list set is used as a filter of allowed algorithms.
First a list of possible signature algorithms to offer is created from
the keys set and then such list is filtered against the allowed
algorithms.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Add support for setting the accepted public key types through
configuration file.
Note that this does NOT add support for adding or removing values using
'+' or '-'. Only replacing the whole list is supported.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The added option SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES allows
restricting the allowed public key types accepted by the server for
authentication.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Replace the old tokens handling functions usage with the new implementation.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The added functions allow splitting chains of tokens separated by a
given character (usually ','), and extracting matching parts between two
chains of tokens.
The previously existing functions in kex.c were replaced by the
introduced ones.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Previously when generating the signature in server side the key was
checked against the wrong list, potentially making the server to select
the wrong algorithm to sign (e.g. rsa-sha2-512 instead of rsa-sha2-256).
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
They aren't needed and perhaps some compilers will issue "Unreachable
code" warnings.
Signed-off-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This makes sure the content will be zero after successful allocation.
Resolves T134
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When using OpenSSL, the bignums generated during group exchange are
duplicated and don't transfer the memory management responsibility to
the back-end. The original generated bignums can be freed.
The leak was detectable by running:
$ valgrind --leak-check=full ./tests/pkd/pkd_hello -i1 \
-t torture_pkd_openssh_rsa_rsa_diffie_hellman_group_exchange_sha256
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The added option is an alias for the previously existing option
PubkeyAcceptedTypes.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This allows the global client (ssh_session) configuration file path to
be set in configuration time by defining GLOBAL_CLIENT_CONFIG when
calling cmake. If it is not defined, the default path is set as
"/etc/ssh/ssh_config".
usage example:
$ cmake -DGLOBAL_CLIENT_CONFIG=/etc/my/custom/path ..
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Do not allow using SSH_DIGEST_AUTO for any algorithm other than
ed25519.
Do not allow using incompatible hash algorithms when signing or
verifying signatures.
Added negative tests for all combinations of signature and hash
algorithms.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
pki_sign_data() uses the given private key and hash algorithm to sign
the data using the OpenSSL EVP interface. The corresponding function
pki_verify_data_signature() receives the signature, the signed data, and
the public key to verify the signature.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Store the raw signature instead of the internal backend structure.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Store the raw signature instead of the internal backend structure.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This is a preparation to store the raw signature for all algorithms in
the same place in ssh_signature.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This makes pki_do_sign() and pki_signature_verify() to receive the
original input instead of the pre-calculated hash. The hash is then
calculated internally.
The hash to be used inside the signature is decided earlier, when all
the information about the signature to be generated/verified is
available.
Simplify ssh_pki_do_sign() and ssh_srv_pki_do_sign_sessionid().
The tests were modified to use pki_do_sign() instead of
pki_do_sign_hash().
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The goal here is to avoid errors due to fall through when
HAVE_OPENSSL_ECC is not defined.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Refactor pki_signature_to_blob() without behaviour changes.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The goal of this change is to make pki_signature_from_*_blob()
consistent.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Remove duplicate code previously used only in server side to generate
signatures. Currently the code used to generate the signature is the
same for both client and server.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Refactor ssh_srv_pki_do_sign_sessionid() without behaviour changes.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Added ECDSA key types to ssh_key_type_to_hash(). Refactor
ssh_pki_do_sign() without behaviour changes.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Upon SSH_OK, callers of `ssh_dh_keypair_set_keys` expect for ownership
of the `priv` and `pub` values to be transferred away and eventually
later managed by way of the `struct dh_ctx` at hand.
The mbedTLS and gcrypt builds transfer ownership of these values in
that way, but the libcrypto `ssh_dh_keypair_set_keys` is copying the
given values with `BN_dup`. This causes a memory leak that can be
seen with pkd and valgrind:
valgrind --leak-check=full \
./pkd_hello -i1 -t torture_pkd_openssh_dsa_rsa_diffie_hellman_group16_sha512
Fix the leak by replacing the `BN_dup` with direct assignment.
Now the bignums will eventually be freed via `ssh_dh_cleanup`.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Ensure to free the `dh_ctx` member in `ssh_dh_cleanup` to match
the allocation in `ssh_dh_init_common`.
The before-and-after of this change can be observed with the pkd
tests and valgrind:
valgrind --leak-check=full \
./pkd_hello -i1 -t torture_pkd_openssh_dsa_rsa_diffie_hellman_group16_sha512
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix libssh server sending SSH_MSG_EXT_INFO messages upon rekey: clients
do not expect that message during rekey, and OpenSSH in particular will
log error messages along the lines of:
"kex protocol error: type 7 seq 15"
when the message is received during a rekey.
To fix, check against the session connected flag, which only transitions
to non-zero following the first successful authentication.
bf2c7128ab adds logic to resolve this
issue, but it turns out that checking the session_state to avoid
sending the message is insufficient, because that state is re-set
to SSH_SESSION_STATE_KEXINIT_RECEIVED during rekey.
The before-and-after effects of this change can be observed using the
pkd --rekey flag as so:
./pkd_hello -t torture_pkd_openssh_rsa_rsa_sha2_256 \
-i1 --rekey=16 -v -v -v 2>&1 |
grep -e 'KEY' -e 'EXT'
^ where before the change, multiple SSH_MSG_EXT_INFO send messages are
logged; after, there is only a single SSH_MSG_EXT_INFO logged once upon
the first initial key exchange.
Cross-reference: https://bugs.libssh.org/T121.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
