Bump version to 0.7.7

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>

CMakeLists.txt

@@ -8,7 +8,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 
 set(APPLICATION_VERSION_MAJOR "0")
 set(APPLICATION_VERSION_MINOR "7")
-set(APPLICATION_VERSION_PATCH "6")
+set(APPLICATION_VERSION_PATCH "7")
 
 set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINOR}.${APPLICATION_VERSION_PATCH}")
 
@@ -19,7 +19,7 @@ set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINO
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.4.3")
+set(LIBRARY_VERSION "4.4.4")
 set(LIBRARY_SOVERSION "4")
 
 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked

ChangeLog

@@ -1,6 +1,13 @@
 ChangeLog
 ==========
 
+version 0.7.7 (released 2018-10-29)
+  * Fixed issues with MSVC
+  * Fixed keyboard-interactive auth in server mode
+    (regression from CVE-2018-10933)
+  * Fixed gssapi auth in server mode (regression from CVE-2018-10933)
+  * Fixed a memory leak with OpenSSL
+
 version 0.7.6 (released 2018-10-16)
   * Fixed CVE-2018-10933
   * Added support for OpenSSL 1.1

ConfigureChecks.cmake

@@ -115,6 +115,7 @@ endif (NOT WITH_GCRYPT)
 
 check_function_exists(isblank HAVE_ISBLANK)
 check_function_exists(strncpy HAVE_STRNCPY)
+check_function_exists(strndup HAVE_STRNDUP)
 check_function_exists(strtoull HAVE_STRTOULL)
 
 if (NOT WIN32)

config.h.cmake

@@ -103,6 +103,9 @@
 /* Define to 1 if you have the `strncpy' function. */
 #cmakedefine HAVE_STRNCPY 1
 
+/* Define to 1 if you have the `strndup' function. */
+#cmakedefine HAVE_STRNDUP 1
+
 /* Define to 1 if you have the `cfmakeraw' function. */
 #cmakedefine HAVE_CFMAKERAW 1
 

examples/samplesshd-kbdint.c

@@ -23,6 +23,7 @@ clients must be made or how a client should react.
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
+#include <stdbool.h>
 
 #define SSHD_USER "libssh"
 #define SSHD_PASSWORD "libssh"
@@ -36,6 +37,7 @@ clients must be made or how a client should react.
 #endif
 
 static int port = 22;
+static bool authenticated = false;
 
 #ifdef WITH_PCAP
 static const char *pcap_file = "debug.server.pcap";
@@ -61,11 +63,20 @@ static void cleanup_pcap(void) {
 #endif
 
 
-static int auth_password(const char *user, const char *password){
-    if(strcmp(user, SSHD_USER))
+static int auth_password(const char *user, const char *password)
+{
+    int cmp;
+
+    cmp = strcmp(user, SSHD_USER);
+    if (cmp != 0) {
         return 0;
-    if(strcmp(password, SSHD_PASSWORD))
+    }
+    cmp = strcmp(password, SSHD_PASSWORD);
+    if (cmp != 0) {
         return 0;
+    }
+
+    authenticated = true;
     return 1; // authenticated
 }
 #ifdef HAVE_ARGP_H
@@ -200,6 +211,7 @@ static int kbdint_check_response(ssh_session session) {
         return 0;
     }
 
+    authenticated = true;
     return 1;
 }
 
@@ -328,7 +340,7 @@ int main(int argc, char **argv){
 
     /* proceed to authentication */
     auth = authenticate(session);
-    if(!auth){
+    if (!auth || !authenticated) {
         printf("Authentication error: %s\n", ssh_get_error(session));
         ssh_disconnect(session);
         return 1;

include/libssh/libssh.h

@@ -79,7 +79,7 @@
 /* libssh version */
 #define LIBSSH_VERSION_MAJOR  0
 #define LIBSSH_VERSION_MINOR  7
-#define LIBSSH_VERSION_MICRO  6
+#define LIBSSH_VERSION_MICRO  7
 
 #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
                                            LIBSSH_VERSION_MINOR, \

include/libssh/priv.h

@@ -43,6 +43,10 @@
 # endif
 #endif /* !defined(HAVE_STRTOULL) */
 
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n);
+#endif /* ! HAVE_STRNDUP */
+
 #ifdef HAVE_BYTESWAP_H
 #include <byteswap.h>
 #endif

src/gssapi.c

@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid){
         ssh_set_error_oom(session);
         return SSH_ERROR;
     }
+    session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN;
 
     packet_send(session);
     SSH_LOG(SSH_LOG_PACKET,

src/libcrypto.c

@@ -165,6 +165,7 @@ void evp_update(EVPCTX ctx, const void *data, unsigned long len)
 void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen)
 {
     EVP_DigestFinal(ctx, md, mdlen);
+    EVP_MD_CTX_free(ctx);
 }
 #endif
 

src/messages.c

@@ -649,6 +649,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
   ssh_message msg = NULL;
   char *service = NULL;
   char *method = NULL;
+  int cmp;
   int rc;
 
   (void)user;
@@ -675,6 +676,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
       service, method,
       msg->auth_request.username);
 
+  cmp = strcmp(service, "ssh-connection");
+  if (cmp != 0) {
+      SSH_LOG(SSH_LOG_WARNING,
+              "Invalid service request: %s",
+              service);
+      goto end;
+  }
 
   if (strcmp(method, "none") == 0) {
     msg->auth_request.method = SSH_AUTH_METHOD_NONE;

src/misc.c

@@ -1028,6 +1028,27 @@ int ssh_match_group(const char *group, const char *object)
     return 0;
 }
 
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n)
+{
+    char *x = NULL;
+
+    if (n + 1 < n) {
+        return NULL;
+    }
+
+    x = malloc(n + 1);
+    if (x == NULL) {
+        return NULL;
+    }
+
+    memcpy(x, s, n);
+    x[n] = '\0';
+
+    return x;
+}
+#endif /* ! HAVE_STRNDUP */
+
 /** @} */
 
 /* vim: set ts=4 sw=4 et cindent: */

src/packet.c

@@ -285,6 +285,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
             (session->dh_handshake_state != DH_STATE_FINISHED))
         {
             rc = SSH_PACKET_DENIED;
+            break;
         }
 
         rc = SSH_PACKET_ALLOWED;

src/server.c

@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request(ssh_message msg, const char *name,
     msg->session->kbdint->prompts = NULL;
     msg->session->kbdint->echo = NULL;
   }
+  msg->session->auth_state = SSH_AUTH_STATE_INFO;
 
   return rc;
 }