lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-03 13:31:11 +03:00
Code Activity
6,084 Commits 12 Branches 62 Tags
3bfa6e8637f2399633e11805640c696a94096e5e
Commit Graph

83 Commits

Author SHA1 Message Date
Gauravsingh Sisodia
3bfa6e8637 feat: add gssapi server callbacks tests 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2024-07-11 16:44:20 +02:00
Gauravsingh Sisodia
965a94b515 fix: memory leaks in gssapi.c 
fix: implement gssapi logging according to docs

fix: remove redundant setting of session->gssapi to NULL

feat: add gssapi struct and functions to header file

refactor: initialize gssapi context once

fix: remove redundant ssh_gssapi_free

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2024-07-11 16:44:14 +02:00
Gauravsingh Sisodia
74d42ca38b feat: add tests for gssapi-with-mic 
feat: tests set hostname for sshd, make GSSAPIStrictAcceptorCheck yes pass

feat: add GSSAPI_TESTING cmake option

feat: gssapi libssh server test

feat: make kdc setup and teardown functions

feat: add kinit, kadmin scripts to kdc setup function

feat: add some client gssapi auth tests

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2024-07-11 16:44:07 +02:00
Jakub Jelen
70d0993312 gssapi: Fix typo 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2024-06-04 12:47:20 +02:00
Jakub Jelen
cba1dfac6c gssapi: Rewrite allocation check to avoid zero_structpt 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
 2023-07-11 17:45:39 +02:00
Norbert Pocs
9f8d46a45a Add missing return value check 
This issue was detected by covscan

Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
0a9b5bcd45 gssapi: Free mic_buffer on all code paths (GHSL-2023-042) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
bb4e6ad1ee gssapi: Release output_token on error path (GHSL-2023-041) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
19ec009b7d gssapi: Release actual_mechs on exit (GHSL-2023-040) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
ccc87f5593 gssapi: Free output token on exit path (GHSL-2023-039) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
23ff6f9388 gssapi: Free mic_token_buffer on before return (GHSL-2023-038) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
5928d7962e gssapi: Release output_token (GHSL-2023-037) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
3334070f63 gssapi: Avoid memory leaks of selected OID (GHSL-2023-036) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
f691dbbaab gssapi: Release buffer on error path (GHSL-2023-035) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
bdabf25a5b gssapi: Free selected OID set on error paths (GHSL-2023-034) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Jakub Jelen
2b5bef9c03 gssapi: Free both_supported on error paths (GHSL-2023-033) 
Thanks Phil Turnbull from GitHub

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2023-05-04 11:51:17 +02:00
Norbert Pocs
7b12876f04 doc: Fix doxygen errors when QUIET=yes EXTRACT_ALL=yes 
Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2023-03-15 10:21:31 +01:00
Norbert Pocs
657d9143d1 SSH_LOG_DEBUG: Recategorize loglevels 
Loglevel INFO is the default openssh configuration setting which does not print
redundant information. On a system using openssh with loglevels set by the
terms of openssh will cause unwanted log lines in the output.
recategorized based on - SSH_LOG_DEBUG are informational debug logs (no error)

Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2022-10-07 09:13:19 +02:00
Norbert Pocs
7ea75cda45 SSH_LOG_TRACE: Recategorize loglevels 
Do not print out logs when no fatal error happens.
This approach is similiar to openssh, when Error/Fatal does not print
recoverable error logs.
recategorized based on - SSH_LOG_TRACE are debug logs when error happens

Signed-off-by: Norbert Pocs <npocs@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2022-10-07 09:13:19 +02:00
Jakub Jelen
2aa137947a Reformat most of the function headers 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2022-06-09 09:08:02 +02:00
Junda Ai
41e2d17119 Fix multiple spelling and grammar mistakes 
Signed-off-by: Junda Ai <aijunda29@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2022-05-02 19:05:51 +02:00
Jakub Jelen
f5211239f9 CVE-2021-3634: Create a separate length for session_id 
Normally, the length of session_id and secret_hash is the same,
but if we will get into rekeying with a peer that changes preference
of key exchange algorithm, the new secret hash can be larger or
smaller than the previous session_id causing invalid reads or writes.

Resolves https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35485

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2021-08-18 14:13:56 +02:00
Andreas Schneider
b719f705c6 gssapi: Use SSH_BUFFER_FREE() 
Fixes T183

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
3b8fcbad24 gssapi: Use SSH_STRING_FREE() 
Fixes T183

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
da81b99df1 gssapi: Make sure buffer is initialized 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
6b8ab4bcd2 SSH-01-006: Add missing NULL check in ssh_gssapi_handle_userauth() 
Fixes T193

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
af2ea417da SSH-01-006: Add missing NULL check in ssh_gssapi_handle_userauth() 
Fixes T193

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
c7172c183f SSH-01-006: Add missing NULL check in ssh_gssapi_build_mic() 
Fixes T193

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
33cca875c2 SSH-01-006: Add missing NULL check in ssh_gssapi_oid_from_string() 
Fixes T193

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
7588979977 SSH-01-006: Add missing ENOMEM check in ssh_gssapi_auth_mic() 
Fixes T193

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-12-09 16:08:03 +01:00
Andreas Schneider
643ca67f88 gssapi: Add missing malloc checks 
Fixes T141

Reported-By: Ramin Farajpour Cami
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2019-04-29 13:17:21 +02:00
Jakub Jelen
8e0c047031 packet: Introduce a new function to access crypto 
And remove most of the direct access to the structure throughout the code

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2019-01-09 10:14:56 +01:00
Meng Tan
bce8d56705 gssapi: Set correct state after sending GSSAPI_RESPONSE (select mechanism OID) 
Signed-off-by: Meng Tan <mtan@wallix.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2018-10-26 07:28:20 +02:00
Andreas Schneider
7e5291668c gssapi: Check return code of gss_indicate_mechs() 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2018-10-24 09:48:35 +02:00
Andreas Schneider
bb081f6681 gssapi: Ignore return codes of gss_release_buffer() 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2018-10-24 09:48:35 +02:00
Anderson Toshiyuki Sasaki
5d7414467d CVE-2018-10933: Set correct state after sending MIC 
After sending the client token, the auth state is set as
SSH_AUTH_STATE_GSSAPI_MIC_SENT.  Then this can be expected to be the
state when a USERAUTH_FAILURE or USERAUTH_SUCCESS arrives.

Fixes T101

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2018-10-16 09:19:03 +02:00
Andreas Schneider
73c9d60e5a session: Group auth variables in a struct 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2018-08-27 09:30:24 +02:00
Andreas Schneider
64a354159f gssapi: Fix size types 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2018-08-22 08:54:59 +02:00
Anderson Toshiyuki Sasaki
18dd902307 gssapi: set error state when GSSAPI auth fails 
When errors occurred, the session auth state was not being updated,
leading to failures due to the wrong state in following authentication
methods.

Fixes T56

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2018-08-06 10:48:16 +02:00
Pino Toscano
67ffe26dea Remove extra newlines from log/error messages 
Signed-off-by: Pino Toscano <ptoscano@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2016-10-22 16:05:32 +02:00
Andreas Schneider
83421c0e8c gssapi: Use correct return code in ssh_gssapi_auth_mic() 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2016-10-06 18:36:54 +02:00
Andreas Schneider
095733ed9c gssapi: Print minor stat in error logging function 
This also releases the memory allocated for the messages.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
 2016-10-06 18:22:26 +02:00
Fabiano Fidêncio
d1d003c232 buffer: use ssh_buffer_get() instead of ssh_buffer_get_begin() 
This commit is a preparatory stage for removing ssh_buffer_get_begin().
Note that removing ssh_buffer_get_begin() doesn't break API
compatibility, as this functions has never been exposed (it only has the
LIBSSH_API prefix).

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2016-01-19 11:31:08 +01:00
Fabiano Fidêncio
e368d01385 cleanup: use ssh_ prefix in the packet (non-static) functions 
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2016-01-19 11:31:07 +01:00
Fabiano Fidêncio
adc8c20ac1 cleanup: use ssh_ prefix in the buffer (non-static) functions 
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2016-01-19 11:31:07 +01:00
Stef Walter
cd2dc3770a gssapi: ssh_gssapi_set_creds() is a client side function 
It should not be guarded by the WITH_SERVER #ifdef

Signed-off-by: Stef Walter <stefw@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2014-10-12 15:41:15 +02:00
Aris Adamantiadis
3703389feb buffers: adapt gssapi.c to ssh_buffer_(un)pack() 2014-08-06 09:46:14 +02:00
Andreas Schneider
cb9786b3ae src: Rename buffer_add_data() to ssh_buffer_add_data(). 2014-01-19 20:55:55 +01:00
Andreas Schneider
9c4144689d src: Rename buffer_init to ssh_buffer_init(). 2014-01-19 20:43:29 +01:00
Aris Adamantiadis
d8ead516de gssapi: fix logging 2013-11-18 15:11:26 +01:00