kex: Fix zlib compression

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 747e7d05db)

CMakeLists.txt

@@ -8,7 +8,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 
 set(APPLICATION_VERSION_MAJOR "0")
 set(APPLICATION_VERSION_MINOR "7")
-set(APPLICATION_VERSION_PATCH "1")
+set(APPLICATION_VERSION_PATCH "2")
 
 set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINOR}.${APPLICATION_VERSION_PATCH}")
 
@@ -84,8 +84,8 @@ add_subdirectory(include)
 add_subdirectory(src)
 
 # pkg-config file
+if (UNIX)
 configure_file(libssh.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc)
-configure_file(libssh_threads.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh_threads.pc)
 install(
   FILES
     ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc
@@ -96,6 +96,20 @@ install(
     pkgconfig
 )
 
+    if (LIBSSH_THREADS)
+        configure_file(libssh_threads.pc.cmake ${CMAKE_CURRENT_BINARY_DIR}/libssh_threads.pc)
+        install(
+          FILES
+            ${CMAKE_CURRENT_BINARY_DIR}/libssh.pc
+            ${CMAKE_CURRENT_BINARY_DIR}/libssh_threads.pc
+          DESTINATION
+            ${LIB_INSTALL_DIR}/pkgconfig
+          COMPONENT
+            pkgconfig
+        )
+    endif (LIBSSH_THREADS)
+endif (UNIX)
+
 # cmake config files
 set(LIBSSH_LIBRARY_NAME ${CMAKE_SHARED_LIBRARY_PREFIX}ssh${CMAKE_SHARED_LIBRARY_SUFFIX})
 set(LIBSSH_THREADS_LIBRARY_NAME ${CMAKE_SHARED_LIBRARY_PREFIX}ssh${CMAKE_SHARED_LIBRARY_SUFFIX})

CPackConfig.cmake

@@ -18,7 +18,7 @@ set(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSIO
 
 
 ### source generator
-set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_GENERATOR "TXZ")
 set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]svn/;/[.]git/;.gitignore;/build/;/obj/;tags;cscope.*")
 set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
 

ChangeLog

@@ -1,6 +1,14 @@
 ChangeLog
 ==========
 
+version 0.7.2 (released 2015-09-15)
+  * Fixed OpenSSL detection on Windows
+  * Fixed return status for ssh_userauth_agent()
+  * Fixed KEX to prefer hmac-sha2-256
+  * Fixed sftp packet handling
+  * Fixed return values of ssh_key_is_(public|private)
+  * Fixed bug in global success reply
+
 version 0.7.1 (released 2015-06-30)
   * Fixed SSH_AUTH_PARTIAL auth with auto public key
   * Fixed memory leak in session options

ConfigureChecks.cmake

@@ -65,23 +65,31 @@ if (WIN32)
   check_include_files("winsock2.h;ws2tcpip.h" HAVE_WS2TCPIP_H)
 endif (WIN32)
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/aes.h HAVE_OPENSSL_AES_H)
+if (OPENSSL_FOUND)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/des.h HAVE_OPENSSL_DES_H)
+    if (NOT HAVE_OPENSSL_DES_H)
+        message(FATAL_ERROR "Could not detect openssl/des.h")
+    endif()
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/aes.h HAVE_OPENSSL_AES_H)
+    if (NOT HAVE_OPENSSL_AES_H)
+        message(FATAL_ERROR "Could not detect openssl/aes.h")
+    endif()
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/des.h HAVE_OPENSSL_DES_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/ec.h HAVE_OPENSSL_EC_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/ec.h HAVE_OPENSSL_EC_H)
 
-set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
-check_include_file(openssl/ecdsa.h HAVE_OPENSSL_ECDSA_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+    check_include_file(openssl/ecdsa.h HAVE_OPENSSL_ECDSA_H)
+endif()
 
 if (CMAKE_HAVE_PTHREAD_H)
   set(HAVE_PTHREAD_H 1)

doc/sftp.dox

@@ -253,7 +253,7 @@ int sftp_read_sync(ssh_session session, sftp_session sftp)
           return SSH_ERROR;
       }
 
-      nwritten = write(fd, buf, nbytes);
+      nwritten = write(fd, buffer, nbytes);
       if (nwritten != nbytes) {
           fprintf(stderr, "Error writing: %s\n",
                   strerror(errno));
@@ -282,7 +282,7 @@ sftp_async_read() waits for the data to come. To open a file in nonblocking mode
 call sftp_file_set_nonblocking() right after you opened it. Default is blocking mode.
 
 The example below reads a very big file in asynchronous, nonblocking, mode. Each
-time the data are not ready yet, a counter is incrementer.
+time the data is not ready yet, a counter is incremented.
 
 @code
 // Good chunk size

include/libssh/libssh.h

@@ -78,7 +78,7 @@
 /* libssh version */
 #define LIBSSH_VERSION_MAJOR  0
 #define LIBSSH_VERSION_MINOR  7
-#define LIBSSH_VERSION_MICRO  1
+#define LIBSSH_VERSION_MICRO  2
 
 #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
                                            LIBSSH_VERSION_MINOR, \

include/libssh/priv.h

@@ -60,6 +60,7 @@
 
 # ifdef _MSC_VER
 #  include <stdio.h>
+#  include <stdarg.h> /* va_copy define check */
 
 /* On Microsoft compilers define inline to __inline on all others use inline */
 #  undef inline

src/CMakeLists.txt

@@ -54,7 +54,7 @@ endif (GCRYPT_LIBRARY)
 if (WITH_ZLIB)
   set(LIBSSH_PRIVATE_INCLUDE_DIRS
     ${LIBSSH_PRIVATE_INCLUDE_DIRS}
-    ${ZLIB_INCLUDE_DIRS}
+    ${ZLIB_INCLUDE_DIR}
   )
 
   set(LIBSSH_LINK_LIBRARIES
@@ -300,6 +300,7 @@ if (WITH_STATIC_LIB)
   )
 endif (WITH_STATIC_LIB)
 
+message(STATUS "Threads_FOUND=${Threads_FOUND}")
 if (Threads_FOUND)
     add_subdirectory(threads)
 endif (Threads_FOUND)

src/auth.c

@@ -786,6 +786,11 @@ int ssh_userauth_agent(ssh_session session,
     state = session->agent_state;
     if (state->pubkey == NULL)
         state->pubkey = ssh_agent_get_first_ident(session, &state->comment);
+
+    if (state->pubkey == NULL) {
+        return SSH_AUTH_DENIED;
+    }
+
     while (state->pubkey != NULL) {
         if(state->state == SSH_AGENT_STATE_NONE){
             SSH_LOG(SSH_LOG_DEBUG,

src/bignum.c

@@ -103,5 +103,9 @@ void ssh_print_bignum(const char *which, bignum num) {
 #endif
   fprintf(stderr, "%s value: ", which);
   fprintf(stderr, "%s\n", (hex == NULL) ? "(null)" : (char *) hex);
+#ifdef HAVE_LIBGCRYPT
   SAFE_FREE(hex);
+#elif defined HAVE_LIBCRYPTO
+  OPENSSL_free(hex);
+#endif
 }

src/kex.c

@@ -94,8 +94,8 @@ static const char *default_methods[] = {
   HOSTKEYS,
   AES BLOWFISH DES,
   AES BLOWFISH DES,
-  "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
-  "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
+  "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+  "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
   "none",
   "none",
   "",
@@ -109,8 +109,8 @@ static const char *supported_methods[] = {
   HOSTKEYS,
   AES BLOWFISH DES_SUPPORTED,
   AES BLOWFISH DES_SUPPORTED,
-  "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
-  "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
+  "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+  "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
   ZLIB,
   ZLIB,
   "",

src/pki.c

@@ -271,7 +271,7 @@ int ssh_key_is_public(const ssh_key k) {
         return 0;
     }
 
-    return (k->flags & SSH_KEY_FLAG_PUBLIC);
+    return (k->flags & SSH_KEY_FLAG_PUBLIC) == SSH_KEY_FLAG_PUBLIC;
 }
 
 /**
@@ -286,7 +286,7 @@ int ssh_key_is_private(const ssh_key k) {
         return 0;
     }
 
-    return (k->flags & SSH_KEY_FLAG_PRIVATE);
+    return (k->flags & SSH_KEY_FLAG_PRIVATE) == SSH_KEY_FLAG_PRIVATE;
 }
 
 /**

src/server.c

@@ -746,7 +746,7 @@ int ssh_message_global_request_reply_success(ssh_message msg, uint16_t bound_por
         if(msg->global_request.type == SSH_GLOBAL_REQUEST_TCPIP_FORWARD 
                                 && msg->global_request.bind_port == 0) {
             rc = ssh_buffer_pack(msg->session->out_buffer, "d", bound_port);
-            if (rc != SSH_ERROR) {
+            if (rc != SSH_OK) {
                 ssh_set_error_oom(msg->session);
                 goto error;
             }

src/sftp.c

@@ -315,7 +315,7 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
   sftp_packet packet = NULL;
   uint32_t tmp;
   size_t size;
-  int r;
+  int r, s;
 
   packet = malloc(sizeof(struct sftp_packet_struct));
   if (packet == NULL) {
@@ -330,12 +330,18 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
     return NULL;
   }
 
-  r=ssh_channel_read(sftp->channel, buffer, 4, 0);
-  if (r < 0) {
-    ssh_buffer_free(packet->payload);
-    SAFE_FREE(packet);
-    return NULL;
-  }
+  r=0;
+  do {
+    // read from channel until 4 bytes have been read or an error occurs
+    s=ssh_channel_read(sftp->channel, buffer+r, 4-r, 0);
+    if (s < 0) {
+      ssh_buffer_free(packet->payload);
+      SAFE_FREE(packet);
+      return NULL;
+    } else {
+      r += s;
+    }
+  } while (r<4);
   ssh_buffer_add_data(packet->payload, buffer, r);
   if (buffer_get_u32(packet->payload, &tmp) != sizeof(uint32_t)) {
     ssh_set_error(sftp->session, SSH_FATAL, "Short sftp packet!");

src/threads/CMakeLists.txt

@@ -27,8 +27,9 @@ set(LIBSSH_THREADS_LINK_LIBRARIES
     ${LIBSSH_SHARED_LIBRARY}
 )
 
-set(libssh_threads_SRCS
-)
+message(STATUS "threads library: Threads_FOUND=${Threads_FOUND}")
+
+set(libssh_threads_SRCS) # empty SRC
 
 # build and link pthread
 if (CMAKE_USE_PTHREADS_INIT)
@@ -41,6 +42,8 @@ if (CMAKE_USE_PTHREADS_INIT)
         ${LIBSSH_THREADS_LINK_LIBRARIES}
         ${CMAKE_THREAD_LIBS_INIT}
     )
+
+    message(STATUS "libssh_threads_SRCS=${libssh_threads_SRCS}")
 endif (CMAKE_USE_PTHREADS_INIT)
 
 set(LIBSSH_THREADS_LINK_LIBRARIES
@@ -54,6 +57,8 @@ include_directories(
 )
 
 if (libssh_threads_SRCS)
+    set(LIBSSH_THREADS ON CACHE "libssh threads lib" INTERNAL)
+
     add_library(${LIBSSH_THREADS_SHARED_LIBRARY} SHARED ${libssh_threads_SRCS})
 
     target_link_libraries(${LIBSSH_THREADS_SHARED_LIBRARY} ${LIBSSH_THREADS_LINK_LIBRARIES})

tests/CMakeLists.txt

@@ -9,9 +9,9 @@ set(TORTURE_LIBRARY torture)
 include_directories(
   ${LIBSSH_PUBLIC_INCLUDE_DIRS}
   ${CMOCKA_INCLUDE_DIR}
-  ${OPENSSL_INCLUDE_DIRS}
-  ${GCRYPT_INCLUDE_DIRS}
-  ${ZLIB_INCLUDE_DIRS}
+  ${OPENSSL_INCLUDE_DIR}
+  ${GCRYPT_INCLUDE_DIR}
+  ${ZLIB_INCLUDE_DIR}
   ${CMAKE_BINARY_DIR}
   ${CMAKE_SOURCE_DIR}/src
   ${CMAKE_CURRENT_SOURCE_DIR}
@@ -22,12 +22,12 @@ set(TORTURE_LINK_LIBRARIES
     ${LIBSSH_STATIC_LIBRARY}
     ${LIBSSH_LINK_LIBRARIES})
 
-if (Threads_FOUND)
+if (LIBSSH_THREADS)
     set(TORTURE_LINK_LIBRARIES
         ${TORTURE_LINK_LIBRARIES}
         ${LIBSSH_THREADS_STATIC_LIBRARY}
         ${LIBSSH_THREADS_LINK_LIBRARIES})
-endif ()
+endif (LIBSSH_THREADS)
 
 # create test library
 add_library(${TORTURE_LIBRARY} STATIC cmdline.c torture.c)

tests/pkd/CMakeLists.txt

@@ -5,9 +5,9 @@ if (WITH_SERVER AND UNIX AND NOT WIN32)
 include_directories(
   ${LIBSSH_PUBLIC_INCLUDE_DIRS}
   ${CMOCKA_INCLUDE_DIR}
-  ${OPENSSL_INCLUDE_DIRS}
-  ${GCRYPT_INCLUDE_DIRS}
-  ${ZLIB_INCLUDE_DIRS}
+  ${OPENSSL_INCLUDE_DIR}
+  ${GCRYPT_INCLUDE_DIR}
+  ${ZLIB_INCLUDE_DIR}
   ${CMAKE_BINARY_DIR}
   ${CMAKE_SOURCE_DIR}/src
   ${CMAKE_CURRENT_SOURCE_DIR}

tests/unittests/CMakeLists.txt

@@ -14,11 +14,13 @@ if (UNIX AND NOT WIN32)
     # requires ssh-keygen
     add_cmocka_test(torture_keyfiles torture_keyfiles.c ${TORTURE_LIBRARY})
     add_cmocka_test(torture_pki torture_pki.c ${TORTURE_LIBRARY})
-    # requires pthread
-    add_cmocka_test(torture_rand torture_rand.c ${TORTURE_LIBRARY})
     # requires /dev/null
     add_cmocka_test(torture_channel torture_channel.c ${TORTURE_LIBRARY})
-    if (WITH_SERVER AND Threads_FOUND)
-        add_cmocka_test(torture_server_x11 torture_server_x11.c ${TORTURE_LIBRARY})
-    endif (WITH_SERVER AND Threads_FOUND)
+    # requires pthread
+    if (LIBSSH_THREADS)
+        add_cmocka_test(torture_rand torture_rand.c ${TORTURE_LIBRARY})
+        if (WITH_SERVER)
+            add_cmocka_test(torture_server_x11 torture_server_x11.c ${TORTURE_LIBRARY})
+        endif (WITH_SERVER)
+    endif (LIBSSH_THREADS)
 endif (UNIX AND NOT WIN32)

tests/unittests/torture_pki.c

@@ -212,6 +212,9 @@ static void torture_pki_import_privkey_base64_RSA(void **state) {
     type = ssh_key_type(key);
     assert_true(type == SSH_KEYTYPE_RSA);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     rc = ssh_key_is_public(key);
     assert_true(rc == 1);
 
@@ -281,6 +284,9 @@ static void torture_pki_import_privkey_base64_ECDSA(void **state) {
     rc = ssh_pki_import_privkey_base64(key_str, passphrase, NULL, NULL, &key);
     assert_true(rc == 0);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     free(key_str);
     ssh_key_free(key);
 }
@@ -300,6 +306,10 @@ static void torture_pki_import_privkey_base64_passphrase(void **state) {
                                        NULL,
                                        &key);
     assert_true(rc == 0);
+
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     ssh_key_free(key);
 
     /* test if it returns -1 if passphrase is wrong */
@@ -329,6 +339,10 @@ static void torture_pki_import_privkey_base64_passphrase(void **state) {
                                        NULL,
                                        &key);
     assert_true(rc == 0);
+
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     ssh_key_free(key);
 
     /* test if it returns -1 if passphrase is wrong */
@@ -358,6 +372,10 @@ static void torture_pki_import_privkey_base64_passphrase(void **state) {
                                        NULL,
                                        &key);
     assert_true(rc == 0);
+
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     ssh_key_free(key);
 
     /* test if it returns -1 if passphrase is wrong */
@@ -388,6 +406,9 @@ static void torture_pki_import_privkey_base64_ed25519(void **state){
     type = ssh_key_type(key);
     assert_true(type == SSH_KEYTYPE_ED25519);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     rc = ssh_key_is_public(key);
     assert_true(rc == 1);
 
@@ -411,6 +432,9 @@ static void torture_pki_pki_publickey_from_privatekey_RSA(void **state) {
                                        &key);
     assert_true(rc == 0);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
     assert_true(rc == SSH_OK);
 
@@ -433,6 +457,9 @@ static void torture_pki_pki_publickey_from_privatekey_DSA(void **state) {
                                        &key);
     assert_true(rc == 0);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
     assert_true(rc == SSH_OK);
 
@@ -455,6 +482,9 @@ static void torture_pki_pki_publickey_from_privatekey_ed25519(void **state){
                                        &key);
     assert_true(rc == 0);
 
+    rc = ssh_key_is_private(key);
+    assert_true(rc == 1);
+
     rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
     assert_true(rc == SSH_OK);