lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-05-30 05:24:50 +03:00
Code

knownhosts: Introduce new known hosts managing functions

Browse Source 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider 2017-02-05 20:30:04 +01:00
parent 250bf37a28
commit 702e9e8ad5
5 changed files with 538 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
include/libssh/libssh.h
View File

@ -267,6 +267,16 @@ enum ssh_keycmp_e {
SSH_KEY_CMP_PRIVATE SSH_KEY_CMP_PRIVATE
}; };
#define SSH_ADDRSTRLEN 46
struct ssh_knownhosts_entry {
char *hostname;
char *unparsed;
ssh_key publickey;
char *comment;
};
/* Error return codes */ /* Error return codes */
#define SSH_OK 0 /* No error */ #define SSH_OK 0 /* No error */
#define SSH_ERROR -1 /* Error of some kind */ #define SSH_ERROR -1 /* Error of some kind */
@ -505,6 +515,19 @@ LIBSSH_API int ssh_is_blocking(ssh_session session);
LIBSSH_API int ssh_is_connected(ssh_session session); LIBSSH_API int ssh_is_connected(ssh_session session);
LIBSSH_API int ssh_is_server_known(ssh_session session); LIBSSH_API int ssh_is_server_known(ssh_session session);
/* KNOWN HOSTS */
LIBSSH_API void ssh_knownhosts_entry_free(struct ssh_knownhosts_entry *entry);
#define SSH_KNOWNHOSTS_ENTRY_FREE(e) do { \
if ((e) != NULL) { \
ssh_knownhosts_entry_free(e); \
e = NULL; \
} \
} while(0)
LIBSSH_API int ssh_known_hosts_parse_line(const char *host,
const char *line,
struct ssh_knownhosts_entry **entry);
/* LOGGING */ /* LOGGING */
LIBSSH_API int ssh_set_log_level(int level); LIBSSH_API int ssh_set_log_level(int level);
LIBSSH_API int ssh_get_log_level(void); LIBSSH_API int ssh_get_log_level(void);

1
src/CMakeLists.txt
View File

@ -135,6 +135,7 @@ set(libssh_SRCS
init.c init.c
kex.c kex.c
known_hosts.c known_hosts.c
knownhosts.c
legacy.c legacy.c
log.c log.c
match.c match.c

295
src/knownhosts.c Normal file
View File

@ -0,0 +1,295 @@
/*
* known_hosts: Host and public key verification.
*
* This file is part of the SSH Library
*
* Copyright (c) 2003-2009 by Aris Adamantiadis
* Copyright (c) 2009-2017 by Andreas Schneider <asn@cryptomilk.org>
*
* The SSH Library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The SSH Library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the SSH Library; see the file COPYING. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#include "config.h"
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include "libssh/priv.h"
#include "libssh/session.h"
#include "libssh/options.h"
#include "libssh/misc.h"
#include "libssh/pki.h"
static int hash_hostname(const char *name,
unsigned char *salt,
unsigned int salt_size,
unsigned char **hash,
unsigned int *hash_size)
{
HMACCTX mac_ctx;
mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1);
if (mac_ctx == NULL) {
return SSH_ERROR;
}
hmac_update(mac_ctx, name, strlen(name));
hmac_final(mac_ctx, *hash, hash_size);
return SSH_OK;
}
static int match_hashed_hostname(const char *host, const char *hashed_host)
{
char *hashed;
char *b64_hash;
ssh_buffer salt = NULL;
ssh_buffer hash = NULL;
unsigned char hashed_buf[256] = {0};
unsigned char *hashed_buf_ptr = hashed_buf;
unsigned int hashed_buf_size = sizeof(hashed_buf);
int cmp;
int rc;
int match = 0;
cmp = strncmp(hashed_host, "|1|", 3);
if (cmp != 0) {
return 0;
}
hashed = strdup(hashed_host + 3);
if (hashed == NULL) {
return 0;
}
b64_hash = strchr(hashed, '|');
if (b64_hash == NULL) {
goto error;
}
*b64_hash = '\0';
b64_hash++;
salt = base64_to_bin(hashed);
if (salt == NULL) {
goto error;
}
hash = base64_to_bin(b64_hash);
if (hash == NULL) {
goto error;
}
rc = hash_hostname(host,
ssh_buffer_get(salt),
ssh_buffer_get_len(salt),
&hashed_buf_ptr,
&hashed_buf_size);
if (rc != SSH_OK) {
goto error;
}
if (hashed_buf_size != ssh_buffer_get_len(hash)) {
goto error;
}
cmp = memcmp(hashed_buf, ssh_buffer_get(hash), hashed_buf_size);
if (cmp == 0) {
match = 1;
}
error:
free(hashed);
ssh_buffer_free(salt);
ssh_buffer_free(hash);
return match;
}
/**
* @brief Free an allocated ssh_knownhosts_entry.
*
* Use SSH_KNOWNHOSTS_ENTRY_FREE() to set the pointer to NULL.
*
* @param[in] entry The entry to free.
*/
void ssh_knownhosts_entry_free(struct ssh_knownhosts_entry *entry)
{
if (entry == NULL) {
return;
}
SAFE_FREE(entry->hostname);
SAFE_FREE(entry->unparsed);
ssh_key_free(entry->publickey);
SAFE_FREE(entry->comment);
SAFE_FREE(entry);
}
/**
* @brief Parse a line from a known_hosts entry into a structure
*
* This parses an known_hosts entry into a structure with the key in a libssh
* consumeable form. You can use the PKI key function to further work with it.
*
* @param[in] hostname The hostname to match the line to
*
* @param[in] line The line to compare and parse if we have a hostname
* match.
*
* @param[in] entry A pointer to store the the allocated known_hosts
* entry structure. The user needs to free the memory
* using SSH_KNOWNHOSTS_ENTRY_FREE().
*
* @return SSH_OK on success, SSH_ERROR otherwise.
*/
int ssh_known_hosts_parse_line(const char *hostname,
const char *line,
struct ssh_knownhosts_entry **entry)
{
struct ssh_knownhosts_entry *e = NULL;
char *known_host = NULL;
char *p;
enum ssh_keytypes_e key_type;
int match = 0;
int rc = SSH_OK;
known_host = strdup(line);
if (known_host == NULL) {
return SSH_ERROR;
}
/* match pattern for hostname or hashed hostname */
p = strtok(known_host, " ");
if (p == NULL ) {
free(known_host);
return SSH_ERROR;
}
e = calloc(1, sizeof(struct ssh_knownhosts_entry));
if (e == NULL) {
free(known_host);
return SSH_ERROR;
}
if (hostname != NULL) {
char *match_pattern = NULL;
char *q;
/* Hashed */
if (p[0] == '|') {
match = match_hashed_hostname(hostname, p);
}
for (q = strtok(p, ",");
q != NULL;
q = strtok(NULL, ",")) {
int cmp;
cmp = match_hostname(hostname, q, strlen(q));
if (cmp == 1) {
match = 1;
break;
}
}
SAFE_FREE(match_pattern);
if (match == 0) {
rc = SSH_AGAIN;
goto out;
}
e->hostname = strdup(hostname);
if (e->hostname == NULL) {
rc = SSH_ERROR;
goto out;
}
}
/* Restart parsing */
SAFE_FREE(known_host);
known_host = strdup(line);
if (known_host == NULL) {
return SSH_ERROR;
}
p = strtok(known_host, " ");
if (p == NULL ) {
free(known_host);
return SSH_ERROR;
}
e->unparsed = strdup(p);
if (e->unparsed == NULL) {
rc = SSH_ERROR;
goto out;
}
/* pubkey type */
p = strtok(NULL, " ");
if (p == NULL) {
rc = SSH_ERROR;
goto out;
}
key_type = ssh_key_type_from_name(p);
if (key_type == SSH_KEYTYPE_UNKNOWN) {
SSH_LOG(SSH_LOG_WARN, "key type '%s' unknown!", p);
rc = SSH_ERROR;
goto out;
}
/* public key */
p = strtok(NULL, " ");
if (p == NULL) {
rc = SSH_ERROR;
goto out;
}
rc = ssh_pki_import_pubkey_base64(p,
key_type,
&e->publickey);
if (rc != SSH_OK) {
SSH_LOG(SSH_LOG_WARN,
"Failed to parse %s key for entry: %s!",
ssh_key_type_to_char(key_type),
e->unparsed);
goto out;
}
/* comment */
p = strtok(NULL, " ");
if (p != NULL) {
p = strstr(line, p);
e->comment = strdup(p);
if (e->comment == NULL) {
rc = SSH_ERROR;
goto out;
}
}
*entry = e;
SAFE_FREE(known_host);
return SSH_OK;
out:
SAFE_FREE(known_host);
ssh_knownhosts_entry_free(e);
return rc;
}

1
tests/unittests/CMakeLists.txt
View File

@ -11,6 +11,7 @@ add_cmocka_test(torture_misc torture_misc.c ${TORTURE_LIBRARY})
add_cmocka_test(torture_config torture_config.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_config torture_config.c ${TORTURE_LIBRARY})
add_cmocka_test(torture_options torture_options.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_options torture_options.c ${TORTURE_LIBRARY})
add_cmocka_test(torture_isipaddr torture_isipaddr.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_isipaddr torture_isipaddr.c ${TORTURE_LIBRARY})
add_cmocka_test(torture_knownhosts_parsing torture_knownhosts_parsing.c ${TORTURE_LIBRARY})
if (UNIX AND NOT WIN32) if (UNIX AND NOT WIN32)
# requires ssh-keygen # requires ssh-keygen
add_cmocka_test(torture_keyfiles torture_keyfiles.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_keyfiles torture_keyfiles.c ${TORTURE_LIBRARY})

218
tests/unittests/torture_knownhosts_parsing.c Normal file
View File

@ -0,0 +1,218 @@
#include "config.h"
#define LIBSSH_STATIC
#include <libssh/priv.h>
#include "torture.h"
#include "knownhosts.c"
#define LOCALHOST_RSA_LINE "localhost,127.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD7g+vV5cvxxGN0Ldmda4WZCPgRaxV1tV+1KRZoGUNUI61h0X4bmmGaAPRQBCz4G1d9bawqDqEqnpFWazrxBU5cQtISSjzuDJKovLGliky/ShTszee1Thszg3qVNk9gGOWj7jn/HDaOxRlp003Bp47MOdnMnK/oftllFDfY2fF5IRpE6sSIGtg2ZDtF95TV5/9W2oMOIAy8u/83tuibYlNPa1X/von5LgdaPLn6Bk16bQKIhAhlMtFZH8MBYEWe4ZtOGaSWKOsK9MM/RTMlwPi6PkfoHNl4MCMupjx+CdLXwbQEt9Ww+bBIaCui2VWBEiruVbIgJh0W2Tal0e2BzYZ What a Wurst!"
#define LOCALHOST_ECDSA_SHA1_NISTP256_LINE "localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFWmI0n0Tn5+zR7pPGcKYszRbJ/T0T3QfzRBSMMiyebGKRY8tjkU5h2l/UMugzOrOyWqMGQDgQn+a0aMunhKMg0="
#define LOCALHOST_DEFAULT_ED25519 "localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7M22fXD7OiS7kGMXP+OoIjCa+J+5sq8SgAZfIOmDgM"
#define LOCALHOST_PORT_ED25519 "[localhost]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7M22fXD7OiS7kGMXP+OoIjCa+J+5sq8SgAZfIOmDgM"
#define LOCALHOST_PATTERN_ED25519 "local* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7M22fXD7OiS7kGMXP+OoIjCa+J+5sq8SgAZfIOmDgM"
#define LOCALHOST_HASHED_ED25519 "|1|ayWjmTf9mYgj7PuQNVOa7Lqkj5s=|hkbEh8FN6IkLo6t6GQGuBwamgsM= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7M22fXD7OiS7kGMXP+OoIjCa+J+5sq8SgAZfIOmDgM"
#define TMP_FILE_NAME "/tmp/known_hosts_XXXXXX"
static int setup_knownhosts_file(void **state)
{
char *tmp_file = NULL;
size_t nwritten;
FILE *fp = NULL;
int fd;
tmp_file = strdup(TMP_FILE_NAME);
assert_non_null(tmp_file);
*state = tmp_file;
fd = mkstemp(tmp_file);
assert_return_code(fd, errno);
fp = fdopen(fd, "w");
if (fp == NULL) {
close(fd);
return -1;
}
nwritten = fwrite(LOCALHOST_PATTERN_ED25519,
sizeof(char),
sizeof(LOCALHOST_PATTERN_ED25519),
fp);
if (nwritten != sizeof(LOCALHOST_PATTERN_ED25519)) {
fclose(fp);
return -1;
}
nwritten = fwrite(LOCALHOST_RSA_LINE,
sizeof(char),
sizeof(LOCALHOST_RSA_LINE),
fp);
if (nwritten != sizeof(LOCALHOST_RSA_LINE)) {
fclose(fp);
return -1;
}
fclose(fp);
return 0;
}
static int teardown_knownhosts_file(void **state)
{
char *tmp_file = *state;
if (tmp_file == NULL) {
return -1;
}
unlink(tmp_file);
return 0;
}
static void torture_knownhosts_parse_line_rsa(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("localhost",
LOCALHOST_RSA_LINE,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "localhost");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_RSA);
assert_string_equal(entry->comment, "What a Wurst!");
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
rc = ssh_known_hosts_parse_line("127.0.0.1",
LOCALHOST_RSA_LINE,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "127.0.0.1");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_RSA);
assert_string_equal(entry->comment, "What a Wurst!");
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
static void torture_knownhosts_parse_line_ecdsa(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("localhost",
LOCALHOST_ECDSA_SHA1_NISTP256_LINE,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "localhost");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ECDSA);
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
static void torture_knownhosts_parse_line_default_ed25519(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("localhost",
LOCALHOST_DEFAULT_ED25519,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "localhost");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ED25519);
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
static void torture_knownhosts_parse_line_port_ed25519(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("[localhost]:2222",
LOCALHOST_PORT_ED25519,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "[localhost]:2222");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ED25519);
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
static void torture_knownhosts_parse_line_pattern_ed25519(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("localhost",
LOCALHOST_PATTERN_ED25519,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "localhost");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ED25519);
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
static void torture_knownhosts_parse_line_hashed_ed25519(void **state) {
struct ssh_knownhosts_entry *entry = NULL;
int rc;
(void) state;
rc = ssh_known_hosts_parse_line("localhost",
LOCALHOST_HASHED_ED25519,
&entry);
assert_int_equal(rc, SSH_OK);
assert_string_equal(entry->hostname, "localhost");
assert_non_null(entry->unparsed);
assert_non_null(entry->publickey);
assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ED25519);
SSH_KNOWNHOSTS_ENTRY_FREE(entry);
}
int torture_run_tests(void) {
int rc;
struct CMUnitTest tests[] = {
cmocka_unit_test(torture_knownhosts_parse_line_rsa),
cmocka_unit_test(torture_knownhosts_parse_line_ecdsa),
cmocka_unit_test(torture_knownhosts_parse_line_default_ed25519),
cmocka_unit_test(torture_knownhosts_parse_line_port_ed25519),
cmocka_unit_test(torture_knownhosts_parse_line_pattern_ed25519),
cmocka_unit_test(torture_knownhosts_parse_line_hashed_ed25519),
};
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests, NULL, NULL);
ssh_finalize();
return rc;
}