Add SSH_AGAIN as return value to ssh_handle_packets documentation.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Previously, there was non-consistent usage of constans SSH_KEX_METHODS,
KEX_METHODS_SIZE and of magic number 10 to reference the arrays used
for algorithm negotiation by peers. This commit settles down to the single
constant and its usage throughout the whole codebase.
Fixes T195
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
In ssh_session_new(), initialize the state machines states explicitly
for better readability.
Fixes T194
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Do not use MD5 when generating fingerprints in FIPS mode. The call will
fail in such case. The test suite was updated with a negative test for
this case.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This adds a flag to the type structures to track if we use a
Encrypt-then-MAC cipher instead of Encrypt-and-MAC. EtM is a more secure
hashing mechanism.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The default rekeying recommendations are specified in
RFC4344 Section 3 (First and Second Rekeying Recommendations).
Additionally, the rekeying can be specified in configuration
file/options allowing us to turn the rekeying off, base it
on time or make it more strict.
The code is highly inspired by the OpenSSH rekeying code.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This checks if a timeout has been set using ssh_options_set(). If it has
been set it will use that parametr by default for blocking sessions.
This is at least what users are expecting.
Fixes T33
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
* This makes the array constant in the session structure, avoiding
allocations and frees while parsing the file
* It also drops passing the seen array to all the functions,
because it is already part of the passed session
* The test cases are adjusted to match these changes
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This follows the OpenSSH behavior of parsing subseqent configuration
files, while applying only the first option.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This option allows to specify acceptable public key algorithms
and reflects the PubkeyAcceptedTypes configuration option from
OpenSSH.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
If you want modelines use my vim plugin:
https://github.com/cryptomilk/git-modeline.vim
git config --add vim.modeline "ts=4 sw=4 et"
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Add a new option SSH_OPTIONS_NODELAY to enable or disable the
Nagle Algorithm (TCP_NODELAY) on the session socket.
Improved performance can be achieved for some applications like
sftp servers by enabling SSH_OPTIONS_NODELAY as typically, the
next request won't arrive until the server replies, which are
typically small writes.
Signed-off-by: Alberto Aguirre <albaguirre@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Summary:
This patch adds support for mbedTLS as a crypto backend for libssh.
mbedTLS is an SSL/TLS library that has been designed to mainly be used
in embedded systems. It is loosely coupled and has a low memory
footprint. mbedTLS also provides a cryptography library (libmbedcrypto)
that can be used without the TLS modules.
The patch is unfortunately quite big, since several new files had to
be added.
DSA is disabled at compile time, since mbedTLS doesn't support DSA
Patch review and feedback would be appreciated, and if any issues or
suggestions appear, I'm willing to work on them.
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
Test Plan:
* The patch has been tested with a Debug and MinSizeRel build, with
libssh unit tests, client tests and the pkd tests.
* All the tests have been run with valgrind's memcheck, drd and helgrind
tools.
* The examples/samplessh client works when built with the patch.
Reviewers: asn, aris
Subscribers: simonsj
Differential Revision: https://bugs.libssh.org/D1
Pair-Programmed-With: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Summary:
Based on Dirkjan's original patch series here:
* https://www.libssh.org/archive/libssh/2015-08/0000029.html
Here the changes are adapted for the current master
branch, and expanded to include libgcrypt support.
Co-Authored-By: Dirkjan Bussink <d.bussink@gmail.com>
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Test Plan:
* Ran pkd tests for libcrypto and libgcrypt builds.
* Ran client torture_algorithms.c tests for libcrypto and libgcrypt builds.
* Tested across multiple libgcrypts ("1.6.3" and "1.7.6-beta").
Reviewers: aris, asn
Tags: #libssh
Differential Revision: https://bugs.libssh.org/D7
Makes sure we free pending keyboard auth prompts
so prompts that have not be replied to do not leak.
Signed-off-by: Peter Volpe <pvolpe@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
In Cockpit we've seen this memory leak:
at 0x4C2A9C7: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5B76B03: ssh_userauth_agent (auth.c:778)
by 0x40DD5A: cockpit_ssh_authenticate (cockpitsshtransport.c:327)
BUG: https://red.libssh.org/issues/208
Signed-off-by: Stef Walter <stefw@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
