Files: userauth_kbd_packet.c, userauth_kbd_packet.h, test_keyboard_interactive_auth_info_request.c, userauth.c
Notes:
This refactors `SSH_MSG_USERAUTH_INFO_REQUEST` processing in `userauth_keyboard_interactive()` in order to improve robustness, correctness and readability or the code.
* Refactor userauth_keyboard_interactive to use new api for packet parsing
* add unit test for userauth_keyboard_interactive_parse_response()
* add _libssh2_get_boolean() and _libssh2_get_byte() utility functions
Credit:
xalopp
files: packet.c, libssh2_priv.h
notes:
* Fix heap buffer overflow in _libssh2_key_sign_algorithm
When allocating `session->server_sign_algorithms` which is a `char*` is is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated.
Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` (line 1219) function will try to parse the string and go out of buffer on the last invocation.
Credit: tihmstar
Co-authored-by: Will Cosgrove <will@panic.com>
Files: libssh2.h, agent.c, userauth.c
Notes:
Part 2 of the fix for #659. This adds rsa key downgrading for agents that don't support sha2 upgrading. It also adds better trace output for debugging/logging around key upgrading.
Credit:
Will Cosgrove (signed off by Michael Buckley)
It uses wolfSSL's OpenSSL compatibility layer, so rather than introduce new
wolfssl.h/c files, the new backend just reuses openssl.h/c. Additionally,
replace EVP_Cipher() calls with EVP_CipherUpdate(), since EVP_Cipher() is not
recommended.
Credit: Hayden Roche
File:
version.c, HACKING-CRYPTO, libssh2.h, libssh2_crypto_engine.3, makefile.
Notes:
libssh2_crypto_engine() API to get crypto engine at runtime.
Credit: Bastien Durel
Notes:
* Host Key RSA 256/512 support #536
* Client side key hash upgrading for RFC 8332
* Support for server-sig-algs, ext-info-c server messages
* Customizing preferred server-sig-algs via the preference LIBSSH2_METHOD_SIGN_ALGO
Credit: Anders Borum, Will Cosgrove
Notes:
Add CIFuzz integration to run fuzzer using the OSS-Fuzz infrastructure
at each PR.
Signed-off-by: David Korczynski <david@adalogics.com>
Closes#635
Files: libssh2.h
Notes:
`_WINDLL` is only defined when a Visual Studio CMake generator is used, `libssh2_EXPORTS` is used though for all CMake generator if a shared libssh2 library is being built.
Credit:
Uwe L. Korn
Fix these categories of warning:
- in `wincng.c` disagreement in signed/unsigned char when passing around
the passphrase string:
`warning: pointer targets in passing argument [...] differ in signedness [-Wpointer-sign]`
Fixed by using `const unsigned char *` in all static functions and
applying/updating casts as necessary.
- in each use of `libssh2_*_init()` macros where the result is not used:
`warning: value computed is not used [-Wunused-value]`
Fixed by using `(void)` casts.
- `channel.c:1171:7: warning: 'rc' may be used uninitialized in this function [-Wmaybe-uninitialized]`
Fixed by initializing this variable with `LIBSSH2_ERROR_CHANNEL_UNKNOWN`.
While there I replaced a few 0 literals with `LIBSSH2_ERROR_NONE`.
- in `sftp.c`, several of these two warnings:
`warning: 'data' may be used uninitialized in this function [-Wmaybe-uninitialized]`
`warning: 'data_len' may be used uninitialized in this function [-Wmaybe-uninitialized]`
Fixed by initializing these variables with NULL and 0 respectively.
- Also removed the exec attribute from `wincng.h`.
Notes:
- There are many pre-existing checksrc issues.
- The `sftp.c` and `channel.c` warnings may apply to other platforms as well.
Closes#628
Sometimes, as the OCI container is run in detached mode, it is possible
the actual server is not ready yet to handle SSH traffic. The goal of
this PR is to try several times (max 3). The mechanism is the same as
for the connection to the docker machine.
The current tests suite starts SSH server as OCI container. This commit
add the possibility to run the tests in a container provided that:
* the docker client is installed builder container
* the host docker daemon unix socket has been mounted in the builder
container (with, if needed, the DOCKER_HOST environment variable
accordingly set, and the permission to write on this socket)
* the builder container is run on the default bridge network, or the
host network. This PR does not handle the case where the builder
container is on another network.
No longer rely on DigitalOcean to host the Docker container.
Unfortunately we require a small dispatcher script that has
access to a GitHub access token with scope repo in order to
trigger the daemon workflow on GitHub Actions also for PRs.
This script is hosted by myself for the time being until GitHub
provides a tighter scope to trigger the workflow_dispatch event.
Notes:
FIPS_mode() is not implemented in LibreSSL and this API is removed in OpenSSL 3.0 and was introduced in 0.9.7. Added guards around making this call.
Credit:
Will Cosgrove
* configure.ac: don't undefine scoped variable
To get this script to run with Autoconf 2.71 on macOS I had to remove the undefine of the backend for loop variable. It seems scoped to the for loop and also isn't referenced later in the script so it seems OK to remove it.
* configure.ac: remove cygwin specific CFLAGS #598
Notes:
Remove cygwin specific Win32 CFLAGS and treat the build like a posix build
Credit:
Will Cosgrove, Brian Inglis
File:
packet.c
Notes:
Attempt keyboard interactive login (Azure AD 2FA login) and use more than 60 seconds to complete the login, the connection fails.
The _libssh2_packet_require function does almost the same as _libssh2_packet_requirev but this function sets state->start = 0 before returning.
Credit:
teottin, Co-authored-by: Tor Erik Ottinsen <tor.ottinsen@kdi.kongsberg.com>
Files: hostkey.c, userauth.c, test_public_key_auth_succeeds_with_correct_ecdsa_key.c
Notes:
Support ECDSA certificate authentication
Add a test for:
- Existing ecdsa basic public key authentication
- ecdsa public key authentication with a signed public key
Credit:
kkoenig
Files: agent.c, agent.h, agent_win.c
Notes:
* agent: Add support for Windows OpenSSH agent
The implementation was partially taken and modified from that found in
the Portable OpenSSH port to Win32 by the PowerShell team, but mostly
based on the existing Unix OpenSSH agent support.
https://github.com/PowerShell/openssh-portable
Regarding the partial transfer support implementation: partial transfers
are easy to deal with, but you need to track additional state when
non-blocking IO enters the picture. A tracker of how many bytes have
been transfered has been placed in the transfer context struct as that's
where it makes most sense. This tracker isn't placed behind a WIN32
#ifdef as it will probably be useful for other agent implementations.
* agent: win32 openssh: Disable overlapped IO
Non-blocking IO is not currently supported by the surrounding agent
code, despite a lot of the code having everything set up to handle it.
Credit:
Co-authored-by: Gabriel Smith <gabriel.smith@precisionot.com>
