lib/libssh2
1
0
Fork 0
mirror of https://github.com/libssh2/libssh2.git synced 2025-07-01 11:01:40 +03:00
Code Activity

md5: allow disabling old-style encrypted private keys at build-time

Browse Source 
Before this patch, this happened at runtime when using an old (pre-3.0),
FIPS-enabled OpenSSL backend.

This patch makes it possible to disable this via the build-time option
`LIBSSH2_NO_MD5_PEM`.

Also:
- make sure to exclude all MD5 internal APIs when both the above and
  `LIBSSH2_NO_MD5` are enabled.
- fix tests to support build with`LIBSSH2_NO_MD5`, `LIBSSH2_NO_MD5_PEM`
  and `LIBSSH2_NO_3DES`.
- add FIXME to apply this change to `os400qc3.*`.

Old-style encrypted private keys require MD5 and they look like this:
```
-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: AES-128-CBC,<MD5-hex>

 <base64>
 -----END RSA PRIVATE KEY-----
```

E.g.: `tests/key_rsa_encrypted`

Ref: https://github.com/libssh2/www/issues/20
Closes #1181
This commit is contained in:
Viktor Szakats
2023-08-26 21:56:23 +00:00
parent 4a64ca1430
commit eb9f9de2c1
15 changed files with 170 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/ci.yml vendored
View File

@ -322,7 +322,7 @@ jobs:
- name: 'make build' - name: 'make build'
if: ${{ matrix.build == 'make' }} if: ${{ matrix.build == 'make' }}
env: env:
CPPFLAGS: -DLIBSSH2_NO_MD5 -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_NO_DSA -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES CPPFLAGS: -DLIBSSH2_NO_MD5 -DLIBSSH2_NO_MD5_PEM -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_NO_DSA -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES
LIBSSH2_CPPFLAGS_LIB: -DLIBSSH2_EXPORTS LIBSSH2_CPPFLAGS_LIB: -DLIBSSH2_EXPORTS
ZLIB_PATH: /${{ matrix.sys }} ZLIB_PATH: /${{ matrix.sys }}
OPENSSL_PATH: /${{ matrix.sys }} OPENSSL_PATH: /${{ matrix.sys }}

1
src/Makefile.inc
View File

@ -29,6 +29,7 @@ HHEADERS = \
channel.h \ channel.h \
comp.h \ comp.h \
crypto.h \ crypto.h \
crypto_config.h \
libgcrypt.h \ libgcrypt.h \
libssh2_priv.h \ libssh2_priv.h \
libssh2_setup.h \ libssh2_setup.h \

65
src/crypto.h
View File

@ -55,71 +55,6 @@
#error "no cryptography backend selected" #error "no cryptography backend selected"
#endif #endif
#ifdef LIBSSH2_NO_MD5
#undef LIBSSH2_MD5
#define LIBSSH2_MD5 0
#endif
#ifdef LIBSSH2_NO_HMAC_RIPEMD
#undef LIBSSH2_HMAC_RIPEMD
#define LIBSSH2_HMAC_RIPEMD 0
#endif
#ifdef LIBSSH2_NO_DSA
#undef LIBSSH2_DSA
#define LIBSSH2_DSA 0
#endif
#ifdef LIBSSH2_NO_RSA
#undef LIBSSH2_RSA
#define LIBSSH2_RSA 0
#endif
#ifdef LIBSSH2_NO_RSA_SHA1
#undef LIBSSH2_RSA_SHA1
#define LIBSSH2_RSA_SHA1 0
#endif
#ifdef LIBSSH2_NO_ECDSA
#undef LIBSSH2_ECDSA
#define LIBSSH2_ECDSA 0
#endif
#ifdef LIBSSH2_NO_ED25519
#undef LIBSSH2_ED25519
#define LIBSSH2_ED25519 0
#endif
#ifdef LIBSSH2_NO_AES_CTR
#undef LIBSSH2_AES_CTR
#define LIBSSH2_AES_CTR 0
#endif
#ifdef LIBSSH2_NO_AES_CBC
#undef LIBSSH2_AES_CBC
#define LIBSSH2_AES_CBC 0
#endif
#ifdef LIBSSH2_NO_BLOWFISH
#undef LIBSSH2_BLOWFISH
#define LIBSSH2_BLOWFISH 0
#endif
#ifdef LIBSSH2_NO_RC4
#undef LIBSSH2_RC4
#define LIBSSH2_RC4 0
#endif
#ifdef LIBSSH2_NO_CAST
#undef LIBSSH2_CAST
#define LIBSSH2_CAST 0
#endif
#ifdef LIBSSH2_NO_3DES
#undef LIBSSH2_3DES
#define LIBSSH2_3DES 0
#endif
#define LIBSSH2_ED25519_KEY_LEN 32 #define LIBSSH2_ED25519_KEY_LEN 32
#define LIBSSH2_ED25519_PRIVATE_KEY_LEN 64 #define LIBSSH2_ED25519_PRIVATE_KEY_LEN 64
#define LIBSSH2_ED25519_SIG_LEN 64 #define LIBSSH2_ED25519_SIG_LEN 64

76
src/crypto_config.h Normal file
View File

@ -0,0 +1,76 @@
/* Copyright (C) Viktor Szakats
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#define LIBSSH2_MD5_PEM LIBSSH2_MD5
#ifdef LIBSSH2_NO_MD5
#undef LIBSSH2_MD5
#define LIBSSH2_MD5 0
#endif
#ifdef LIBSSH2_NO_MD5_PEM
#undef LIBSSH2_MD5_PEM
#define LIBSSH2_MD5_PEM 0
#endif
#ifdef LIBSSH2_NO_HMAC_RIPEMD
#undef LIBSSH2_HMAC_RIPEMD
#define LIBSSH2_HMAC_RIPEMD 0
#endif
#ifdef LIBSSH2_NO_DSA
#undef LIBSSH2_DSA
#define LIBSSH2_DSA 0
#endif
#ifdef LIBSSH2_NO_RSA
#undef LIBSSH2_RSA
#define LIBSSH2_RSA 0
#endif
#ifdef LIBSSH2_NO_RSA_SHA1
#undef LIBSSH2_RSA_SHA1
#define LIBSSH2_RSA_SHA1 0
#endif
#ifdef LIBSSH2_NO_ECDSA
#undef LIBSSH2_ECDSA
#define LIBSSH2_ECDSA 0
#endif
#ifdef LIBSSH2_NO_ED25519
#undef LIBSSH2_ED25519
#define LIBSSH2_ED25519 0
#endif
#ifdef LIBSSH2_NO_AES_CTR
#undef LIBSSH2_AES_CTR
#define LIBSSH2_AES_CTR 0
#endif
#ifdef LIBSSH2_NO_AES_CBC
#undef LIBSSH2_AES_CBC
#define LIBSSH2_AES_CBC 0
#endif
#ifdef LIBSSH2_NO_BLOWFISH
#undef LIBSSH2_BLOWFISH
#define LIBSSH2_BLOWFISH 0
#endif
#ifdef LIBSSH2_NO_RC4
#undef LIBSSH2_RC4
#define LIBSSH2_RC4 0
#endif
#ifdef LIBSSH2_NO_CAST
#undef LIBSSH2_CAST
#define LIBSSH2_CAST 0
#endif
#ifdef LIBSSH2_NO_3DES
#undef LIBSSH2_3DES
#define LIBSSH2_3DES 0
#endif

8
src/libgcrypt.h
View File

@ -66,7 +66,11 @@
#define LIBSSH2_ECDSA 0 #define LIBSSH2_ECDSA 0
#define LIBSSH2_ED25519 0 #define LIBSSH2_ED25519 0
#include "crypto_config.h"
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define MD5_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16
#endif
#define SHA_DIGEST_LENGTH 20 #define SHA_DIGEST_LENGTH 20
#define SHA256_DIGEST_LENGTH 32 #define SHA256_DIGEST_LENGTH 32
#define SHA384_DIGEST_LENGTH 48 #define SHA384_DIGEST_LENGTH 48
@ -124,6 +128,7 @@
#define libssh2_sha512(message, len, out) \ #define libssh2_sha512(message, len, out) \
gcry_md_hash_buffer(GCRY_MD_SHA512, out, message, len) gcry_md_hash_buffer(GCRY_MD_SHA512, out, message, len)
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define libssh2_md5_ctx gcry_md_hd_t #define libssh2_md5_ctx gcry_md_hd_t
/* returns 0 in case of failure */ /* returns 0 in case of failure */
@ -136,15 +141,18 @@
memcpy(out, gcry_md_read(ctx, 0), MD5_DIGEST_LENGTH), gcry_md_close(ctx) memcpy(out, gcry_md_read(ctx, 0), MD5_DIGEST_LENGTH), gcry_md_close(ctx)
#define libssh2_md5(message, len, out) \ #define libssh2_md5(message, len, out) \
gcry_md_hash_buffer(GCRY_MD_MD5, out, message, len) gcry_md_hash_buffer(GCRY_MD_MD5, out, message, len)
#endif
#define libssh2_hmac_ctx gcry_md_hd_t #define libssh2_hmac_ctx gcry_md_hd_t
#define libssh2_hmac_ctx_init(ctx) #define libssh2_hmac_ctx_init(ctx)
#define libssh2_hmac_sha1_init(ctx, key, keylen) \ #define libssh2_hmac_sha1_init(ctx, key, keylen) \
gcry_md_open(ctx, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC), \ gcry_md_open(ctx, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC), \
gcry_md_setkey(*ctx, key, keylen) gcry_md_setkey(*ctx, key, keylen)
#if LIBSSH2_MD5
#define libssh2_hmac_md5_init(ctx, key, keylen) \ #define libssh2_hmac_md5_init(ctx, key, keylen) \
gcry_md_open(ctx, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC), \ gcry_md_open(ctx, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC), \
gcry_md_setkey(*ctx, key, keylen) gcry_md_setkey(*ctx, key, keylen)
#endif
#define libssh2_hmac_ripemd160_init(ctx, key, keylen) \ #define libssh2_hmac_ripemd160_init(ctx, key, keylen) \
gcry_md_open(ctx, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC), \ gcry_md_open(ctx, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC), \
gcry_md_setkey(*ctx, key, keylen) gcry_md_setkey(*ctx, key, keylen)

9
src/mbedtls.h
View File

@ -92,7 +92,11 @@
#endif #endif
#define LIBSSH2_ED25519 0 #define LIBSSH2_ED25519 0
#include "crypto_config.h"
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define MD5_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16
#endif
#define SHA_DIGEST_LENGTH 20 #define SHA_DIGEST_LENGTH 20
#define SHA256_DIGEST_LENGTH 32 #define SHA256_DIGEST_LENGTH 32
#define SHA384_DIGEST_LENGTH 48 #define SHA384_DIGEST_LENGTH 48
@ -134,8 +138,10 @@
#define libssh2_hmac_sha1_init(pctx, key, keylen) \ #define libssh2_hmac_sha1_init(pctx, key, keylen) \
_libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_SHA1, key, keylen) _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_SHA1, key, keylen)
#if LIBSSH2_MD5
#define libssh2_hmac_md5_init(pctx, key, keylen) \ #define libssh2_hmac_md5_init(pctx, key, keylen) \
_libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_MD5, key, keylen) _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_MD5, key, keylen)
#endif
#define libssh2_hmac_ripemd160_init(pctx, key, keylen) \ #define libssh2_hmac_ripemd160_init(pctx, key, keylen) \
_libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_RIPEMD160, key, keylen) _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_RIPEMD160, key, keylen)
#define libssh2_hmac_sha256_init(pctx, key, keylen) \ #define libssh2_hmac_sha256_init(pctx, key, keylen) \
@ -219,6 +225,7 @@
* mbedTLS backend: MD5 functions * mbedTLS backend: MD5 functions
*/ */
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define libssh2_md5_ctx mbedtls_md_context_t #define libssh2_md5_ctx mbedtls_md_context_t
#define libssh2_md5_init(pctx) \ #define libssh2_md5_init(pctx) \
@ -229,7 +236,7 @@
_libssh2_mbedtls_hash_final(&ctx, hash) _libssh2_mbedtls_hash_final(&ctx, hash)
#define libssh2_md5(data, datalen, hash) \ #define libssh2_md5(data, datalen, hash) \
_libssh2_mbedtls_hash(data, datalen, MBEDTLS_MD_MD5, hash) _libssh2_mbedtls_hash(data, datalen, MBEDTLS_MD_MD5, hash)
#endif
/*******************************************************************/ /*******************************************************************/
/* /*

2
src/openssl.c
View File

@ -2495,6 +2495,7 @@ _libssh2_sha512(const unsigned char *message, size_t len,
return 1; /* error */ return 1; /* error */
} }
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
int int
_libssh2_md5_init(libssh2_md5_ctx *ctx) _libssh2_md5_init(libssh2_md5_ctx *ctx)
{ {
@ -2530,6 +2531,7 @@ _libssh2_md5_init(libssh2_md5_ctx *ctx)
return EVP_DigestInit(ctx, EVP_get_digestbyname("md5")); return EVP_DigestInit(ctx, EVP_get_digestbyname("md5"));
#endif #endif
} }
#endif
#if LIBSSH2_ECDSA #if LIBSSH2_ECDSA

4
src/openssl.h
View File

@ -194,6 +194,8 @@
# define LIBSSH2_3DES 1 # define LIBSSH2_3DES 1
#endif #endif
#include "crypto_config.h"
#define EC_MAX_POINT_LEN ((528 * 2 / 8) + 1) #define EC_MAX_POINT_LEN ((528 * 2 / 8) + 1)
#define _libssh2_random(buf, len) \ #define _libssh2_random(buf, len) \
@ -296,6 +298,7 @@ int _libssh2_sha512(const unsigned char *message, size_t len,
unsigned char *out); unsigned char *out);
#define libssh2_sha512(x,y,z) _libssh2_sha512(x,y,z) #define libssh2_sha512(x,y,z) _libssh2_sha512(x,y,z)
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#ifdef HAVE_OPAQUE_STRUCTS #ifdef HAVE_OPAQUE_STRUCTS
#define libssh2_md5_ctx EVP_MD_CTX * #define libssh2_md5_ctx EVP_MD_CTX *
#else #else
@ -315,6 +318,7 @@ int _libssh2_md5_init(libssh2_md5_ctx *ctx);
#define libssh2_md5_update(ctx, data, len) EVP_DigestUpdate(&(ctx), data, len) #define libssh2_md5_update(ctx, data, len) EVP_DigestUpdate(&(ctx), data, len)
#define libssh2_md5_final(ctx, out) EVP_DigestFinal(&(ctx), out, NULL) #define libssh2_md5_final(ctx, out) EVP_DigestFinal(&(ctx), out, NULL)
#endif #endif
#endif
#ifdef HAVE_OPAQUE_STRUCTS #ifdef HAVE_OPAQUE_STRUCTS
#define libssh2_hmac_ctx HMAC_CTX * #define libssh2_hmac_ctx HMAC_CTX *

4
src/os400qc3.h
View File

@ -164,6 +164,8 @@
#undef Qc3_MK_Pending #undef Qc3_MK_Pending
#define Qc3_MK_Pending '\xF3' /* '3' */ #define Qc3_MK_Pending '\xF3' /* '3' */
/* FIXME: Disable MD5 macros/constants and functions when
LIBSSH2_MD5 and LIBSSH_MD5_PEM have the value 0. */
/* Define which features are supported. */ /* Define which features are supported. */
#define LIBSSH2_MD5 1 #define LIBSSH2_MD5 1
@ -186,6 +188,8 @@
#define LIBSSH2_ECDSA 0 #define LIBSSH2_ECDSA 0
#define LIBSSH2_ED25519 0 #define LIBSSH2_ED25519 0
#include "crypto_config.h"
#define MD5_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16
#define SHA_DIGEST_LENGTH 20 #define SHA_DIGEST_LENGTH 20
#define SHA256_DIGEST_LENGTH 32 #define SHA256_DIGEST_LENGTH 32

11
src/pem.c
View File

@ -106,12 +106,6 @@ static unsigned char hex_decode(char digit)
((digit >= 'A') ? (0xA + (digit - 'A')) : (digit - '0')); ((digit >= 'A') ? (0xA + (digit - 'A')) : (digit - '0'));
} }
/* Hack to fix builds with crypto backends with MD5 support disabled.
FIXME: Honor our LIBSSH2_MD5 macro for MD5-dependent logic. */
#ifdef OPENSSL_NO_MD5
#define MD5_DIGEST_LENGTH 16
#endif
int int
_libssh2_pem_parse(LIBSSH2_SESSION * session, _libssh2_pem_parse(LIBSSH2_SESSION * session,
const char *headerbegin, const char *headerbegin,
@ -215,6 +209,7 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
} }
if(method) { if(method) {
#if LIBSSH2_MD5_PEM
/* Set up decryption */ /* Set up decryption */
int free_iv = 0, free_secret = 0, len_decrypted = 0, padding = 0; int free_iv = 0, free_secret = 0, len_decrypted = 0, padding = 0;
int blocksize = method->blocksize; int blocksize = method->blocksize;
@ -292,6 +287,10 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session,
/* Clean up */ /* Clean up */
_libssh2_explicit_zero((char *)secret, sizeof(secret)); _libssh2_explicit_zero((char *)secret, sizeof(secret));
method->dtor(session, &abstract); method->dtor(session, &abstract);
#else
ret = -1;
goto out;
#endif
} }
ret = 0; ret = 0;

10
src/wincng.c
View File

@ -94,9 +94,11 @@
#define BCRYPT_RNG_ALGORITHM L"RNG" #define BCRYPT_RNG_ALGORITHM L"RNG"
#endif #endif
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#ifndef BCRYPT_MD5_ALGORITHM #ifndef BCRYPT_MD5_ALGORITHM
#define BCRYPT_MD5_ALGORITHM L"MD5" #define BCRYPT_MD5_ALGORITHM L"MD5"
#endif #endif
#endif
#ifndef BCRYPT_SHA1_ALGORITHM #ifndef BCRYPT_SHA1_ALGORITHM
#define BCRYPT_SHA1_ALGORITHM L"SHA1" #define BCRYPT_SHA1_ALGORITHM L"SHA1"
@ -254,11 +256,13 @@ _libssh2_wincng_init(void)
_libssh2_wincng.hAlgRNG = NULL; _libssh2_wincng.hAlgRNG = NULL;
} }
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashMD5, ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashMD5,
BCRYPT_MD5_ALGORITHM, NULL, 0); BCRYPT_MD5_ALGORITHM, NULL, 0);
if(!BCRYPT_SUCCESS(ret)) { if(!BCRYPT_SUCCESS(ret)) {
_libssh2_wincng.hAlgHashMD5 = NULL; _libssh2_wincng.hAlgHashMD5 = NULL;
} }
#endif
ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashSHA1, ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashSHA1,
BCRYPT_SHA1_ALGORITHM, NULL, 0); BCRYPT_SHA1_ALGORITHM, NULL, 0);
if(!BCRYPT_SUCCESS(ret)) { if(!BCRYPT_SUCCESS(ret)) {
@ -280,12 +284,14 @@ _libssh2_wincng_init(void)
_libssh2_wincng.hAlgHashSHA512 = NULL; _libssh2_wincng.hAlgHashSHA512 = NULL;
} }
#if LIBSSH2_MD5
ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacMD5, ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacMD5,
BCRYPT_MD5_ALGORITHM, NULL, BCRYPT_MD5_ALGORITHM, NULL,
BCRYPT_ALG_HANDLE_HMAC_FLAG); BCRYPT_ALG_HANDLE_HMAC_FLAG);
if(!BCRYPT_SUCCESS(ret)) { if(!BCRYPT_SUCCESS(ret)) {
_libssh2_wincng.hAlgHmacMD5 = NULL; _libssh2_wincng.hAlgHmacMD5 = NULL;
} }
#endif
ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacSHA1, ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacSHA1,
BCRYPT_SHA1_ALGORITHM, NULL, BCRYPT_SHA1_ALGORITHM, NULL,
BCRYPT_ALG_HANDLE_HMAC_FLAG); BCRYPT_ALG_HANDLE_HMAC_FLAG);
@ -395,8 +401,10 @@ _libssh2_wincng_free(void)
{ {
if(_libssh2_wincng.hAlgRNG) if(_libssh2_wincng.hAlgRNG)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgRNG, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgRNG, 0);
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
if(_libssh2_wincng.hAlgHashMD5) if(_libssh2_wincng.hAlgHashMD5)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashMD5, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashMD5, 0);
#endif
if(_libssh2_wincng.hAlgHashSHA1) if(_libssh2_wincng.hAlgHashSHA1)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA1, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA1, 0);
if(_libssh2_wincng.hAlgHashSHA256) if(_libssh2_wincng.hAlgHashSHA256)
@ -405,8 +413,10 @@ _libssh2_wincng_free(void)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA384, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA384, 0);
if(_libssh2_wincng.hAlgHashSHA512) if(_libssh2_wincng.hAlgHashSHA512)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA512, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA512, 0);
#if LIBSSH2_MD5
if(_libssh2_wincng.hAlgHmacMD5) if(_libssh2_wincng.hAlgHmacMD5)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacMD5, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacMD5, 0);
#endif
if(_libssh2_wincng.hAlgHmacSHA1) if(_libssh2_wincng.hAlgHmacSHA1)
(void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacSHA1, 0); (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacSHA1, 0);
if(_libssh2_wincng.hAlgHmacSHA256) if(_libssh2_wincng.hAlgHmacSHA256)

8
src/wincng.h
View File

@ -74,7 +74,11 @@
#define LIBSSH2_ECDSA 0 #define LIBSSH2_ECDSA 0
#define LIBSSH2_ED25519 0 #define LIBSSH2_ED25519 0
#include "crypto_config.h"
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define MD5_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16
#endif
#define SHA_DIGEST_LENGTH 20 #define SHA_DIGEST_LENGTH 20
#define SHA256_DIGEST_LENGTH 32 #define SHA256_DIGEST_LENGTH 32
#define SHA384_DIGEST_LENGTH 48 #define SHA384_DIGEST_LENGTH 48
@ -204,6 +208,7 @@ typedef struct __libssh2_wincng_hash_ctx {
_libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashSHA512, \ _libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashSHA512, \
hash, SHA512_DIGEST_LENGTH) hash, SHA512_DIGEST_LENGTH)
#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM
#define libssh2_md5_ctx _libssh2_wincng_hash_ctx #define libssh2_md5_ctx _libssh2_wincng_hash_ctx
#define libssh2_md5_init(ctx) \ #define libssh2_md5_init(ctx) \
(_libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHashMD5, \ (_libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHashMD5, \
@ -216,6 +221,7 @@ typedef struct __libssh2_wincng_hash_ctx {
#define libssh2_md5(data, datalen, hash) \ #define libssh2_md5(data, datalen, hash) \
_libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashMD5, \ _libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashMD5, \
hash, MD5_DIGEST_LENGTH) hash, MD5_DIGEST_LENGTH)
#endif
/* /*
* Windows CNG backend: HMAC functions * Windows CNG backend: HMAC functions
@ -226,9 +232,11 @@ typedef struct __libssh2_wincng_hash_ctx {
#define libssh2_hmac_sha1_init(ctx, key, keylen) \ #define libssh2_hmac_sha1_init(ctx, key, keylen) \
_libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacSHA1, \ _libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacSHA1, \
SHA_DIGEST_LENGTH, key, (ULONG) keylen) SHA_DIGEST_LENGTH, key, (ULONG) keylen)
#if LIBSSH2_MD5
#define libssh2_hmac_md5_init(ctx, key, keylen) \ #define libssh2_hmac_md5_init(ctx, key, keylen) \
_libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacMD5, \ _libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacMD5, \
MD5_DIGEST_LENGTH, key, (ULONG) keylen) MD5_DIGEST_LENGTH, key, (ULONG) keylen)
#endif
#define libssh2_hmac_ripemd160_init(ctx, key, keylen) #define libssh2_hmac_ripemd160_init(ctx, key, keylen)
/* not implemented */ /* not implemented */
#define libssh2_hmac_sha256_init(ctx, key, keylen) \ #define libssh2_hmac_sha256_init(ctx, key, keylen) \

35
tests/session_fixture.c
View File

@ -91,6 +91,10 @@ static char const *skip_crypt[] = {
"rijndael-cbc@lysator.liu.se", "rijndael-cbc@lysator.liu.se",
#endif #endif
#if !LIBSSH2_3DES
"3des-cbc",
#endif
#if defined(LIBSSH2_LIBGCRYPT) || defined(LIBSSH2_OS400QC3) || \ #if defined(LIBSSH2_LIBGCRYPT) || defined(LIBSSH2_OS400QC3) || \
defined(LIBSSH2_WINCNG) defined(LIBSSH2_WINCNG)
/* Support for AES-GCM hasn't been added to these back-ends yet */ /* Support for AES-GCM hasn't been added to these back-ends yet */
@ -101,6 +105,15 @@ static char const *skip_crypt[] = {
NULL NULL
}; };
/* List of MAC protocols for which tests are skipped */
static char const *skip_mac[] = {
#if !LIBSSH2_MD5
"hmac-md5",
"hmac-md5-96",
#endif
NULL
};
LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err) LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err)
{ {
int rc; int rc;
@ -112,11 +125,23 @@ LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err)
*err = LIBSSH2_ERROR_NONE; *err = LIBSSH2_ERROR_NONE;
if(crypt) { if(crypt) {
char const * const *cr; char const * const *sk;
for(cr = skip_crypt; *cr; ++cr) { for(sk = skip_crypt; *sk; ++sk) {
if(strcmp(*cr, crypt) == 0) { if(strcmp(*sk, crypt) == 0) {
fprintf(stderr, "crypt algorithm (%s) skipped " fprintf(stderr, "unsupported crypt algorithm (%s) skipped.\n",
"for this crypto backend.\n", crypt); crypt);
*skipped = 1;
return NULL;
}
}
}
if(mac) {
char const * const *sk;
for(sk = skip_mac; *sk; ++sk) {
if(strcmp(*sk, mac) == 0) {
fprintf(stderr, "unsupported MAC algorithm (%s) skipped.\n",
mac);
*skipped = 1; *skipped = 1;
return NULL; return NULL;
} }

2
tests/test_auth_pubkey_ok_rsa_encrypted.c
View File

@ -7,7 +7,7 @@
int test(LIBSSH2_SESSION *session) int test(LIBSSH2_SESSION *session)
{ {
#if LIBSSH2_RSA_SHA1 #if LIBSSH2_RSA_SHA1 && LIBSSH2_MD5_PEM
/* set in Dockerfile */ /* set in Dockerfile */
return test_auth_pubkey(session, 0, return test_auth_pubkey(session, 0,
"libssh2", "libssh2",

12
tests/test_hostkey_hash.c
View File

@ -20,8 +20,10 @@ static const char *EXPECTED_ECDSA_HOSTKEY =
static const char *EXPECTED_ED25519_HOSTKEY = static const char *EXPECTED_ED25519_HOSTKEY =
"AAAAC3NzaC1lZDI1NTE5AAAAIIxtdyg2ZRXE70UwyPVUH3UyfDBV8GX5cPF636P6hjom"; "AAAAC3NzaC1lZDI1NTE5AAAAIIxtdyg2ZRXE70UwyPVUH3UyfDBV8GX5cPF636P6hjom";
#if LIBSSH2_MD5
static const char *EXPECTED_RSA_MD5_HASH_DIGEST = static const char *EXPECTED_RSA_MD5_HASH_DIGEST =
"0C0ED1A5BB10275F76924CE187CE5C5E"; "0C0ED1A5BB10275F76924CE187CE5C5E";
#endif
static const char *EXPECTED_RSA_SHA1_HASH_DIGEST = static const char *EXPECTED_RSA_SHA1_HASH_DIGEST =
"F3CD59E2913F4422B80F7B0A82B2B89EAE449387"; "F3CD59E2913F4422B80F7B0A82B2B89EAE449387";
@ -29,8 +31,10 @@ static const char *EXPECTED_RSA_SHA1_HASH_DIGEST =
static const char *EXPECTED_RSA_SHA256_HASH_DIGEST = static const char *EXPECTED_RSA_SHA256_HASH_DIGEST =
"92E3DA49DF3C7F99A828F505ED8239397A5D1F62914459760F878F7510F563A3"; "92E3DA49DF3C7F99A828F505ED8239397A5D1F62914459760F878F7510F563A3";
#if LIBSSH2_MD5
static const char *EXPECTED_ECDSA_MD5_HASH_DIGEST = static const char *EXPECTED_ECDSA_MD5_HASH_DIGEST =
"0402E4D897580BBC911379CBD88BCD3D"; "0402E4D897580BBC911379CBD88BCD3D";
#endif
static const char *EXPECTED_ECDSA_SHA1_HASH_DIGEST = static const char *EXPECTED_ECDSA_SHA1_HASH_DIGEST =
"12FDAD1E3B31B10BABB00F2A8D1B9A62C326BD2F"; "12FDAD1E3B31B10BABB00F2A8D1B9A62C326BD2F";
@ -41,7 +45,9 @@ static const char *EXPECTED_ECDSA_SHA256_HASH_DIGEST =
static const char *EXPECTED_ED25519_SHA256_HASH_DIGEST = static const char *EXPECTED_ED25519_SHA256_HASH_DIGEST =
"2638B020F6121FA750A7F4754B718419F621814C6E779D68ADF26AA68814ADDF"; "2638B020F6121FA750A7F4754B718419F621814C6E779D68ADF26AA68814ADDF";
#if LIBSSH2_MD5
static const int MD5_HASH_SIZE = 16; static const int MD5_HASH_SIZE = 16;
#endif
static const int SHA1_HASH_SIZE = 20; static const int SHA1_HASH_SIZE = 20;
static const int SHA256_HASH_SIZE = 32; static const int SHA256_HASH_SIZE = 32;
@ -62,7 +68,9 @@ int test(LIBSSH2_SESSION *session)
char buf[BUFSIZ]; char buf[BUFSIZ];
const char *hostkey; const char *hostkey;
#if LIBSSH2_MD5
const char *md5_hash; const char *md5_hash;
#endif
const char *sha1_hash; const char *sha1_hash;
const char *sha256_hash; const char *sha256_hash;
int type; int type;
@ -100,6 +108,7 @@ int test(LIBSSH2_SESSION *session)
} }
else if(type == LIBSSH2_HOSTKEY_TYPE_ECDSA_256) { else if(type == LIBSSH2_HOSTKEY_TYPE_ECDSA_256) {
#if LIBSSH2_MD5
md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5); md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
if(!md5_hash) { if(!md5_hash) {
print_last_session_error( print_last_session_error(
@ -115,6 +124,7 @@ int test(LIBSSH2_SESSION *session)
buf, EXPECTED_ECDSA_MD5_HASH_DIGEST); buf, EXPECTED_ECDSA_MD5_HASH_DIGEST);
return 1; return 1;
} }
#endif
sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
if(!sha1_hash) { if(!sha1_hash) {
@ -151,6 +161,7 @@ int test(LIBSSH2_SESSION *session)
} }
else if(type == LIBSSH2_HOSTKEY_TYPE_RSA) { else if(type == LIBSSH2_HOSTKEY_TYPE_RSA) {
#if LIBSSH2_MD5
md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5); md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
if(!md5_hash) { if(!md5_hash) {
print_last_session_error( print_last_session_error(
@ -166,6 +177,7 @@ int test(LIBSSH2_SESSION *session)
buf, EXPECTED_RSA_MD5_HASH_DIGEST); buf, EXPECTED_RSA_MD5_HASH_DIGEST);
return 1; return 1;
} }
#endif
sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
if(!sha1_hash) { if(!sha1_hash) {