src/libcrypto.c:773:27: warning: comparison of integer expressions of
different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’}
[-Wsign-compare] <--[cc]
if (rc != 1 || outlen != len - aadlen) {
^~
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Valgrind detects many uninitialized memory false positives from
libcrypto's AES-NI internals. Roll back to software AES when running
tests.
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The commit also propares the internals throughout the code base
for the inclusion of a new AEAD cipher, because previously, the
source code counted only with chacha20-poly1305 cipher, which
is very specific in many cases.
The SSH_HMAC_AEAD_GCM mac algorithm is not actually used, but the name
needed to be defined so we can match in the algorithms selection per
OpenSSH specification (MACs are ignored in case GCM is select as a cipher [1]).
If the provided OpenSSL does not provide EVP_aes_128_gcm() function,
the AES-GCM ciphers will not be compiled in.
[1] https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
On OpenSSL versions prior to 1.1.0, `EVP_CIPHER_CTX_cleanup` will
dereference its argument regardless of whether it is NULL. This
is not a problem on OpenSSL at or beyond 1.1.0, where
`EVP_CIPHER_CTX_cleanup` (macro to `EVP_CIPHER_CTX_reset`) returns
early upon NULL input.
Move the call to `EVP_CIPHER_CTX_cleanup` under the existing NULL
check in `evp_cipher_cleanup` to avoid the problem.
Introduced with this build-break fix:
* e66f370682927ca8bd7ae0e7544754c6f4ac4969
Found in manual testing in an environment with an older OpenSSL.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
With this change, a HAVE_LIBCRYPTO #ifdef is removed from wrapper.c.
Now, the libcrypto-specific logic for EVP_CIPHER_CTX_free is moved
into the ssh_cipher_struct cleanup callback handler for those
ciphers.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix a resource leak in `hmac_final`: say `HMAC_CTX_free` instead
of `HMAC_CTX_reset`. This matches the error handling as done in
`hmac_init`. Introduced with cf1e808e2ffa1f26644fb5d2cb82a919f323deba.
The problem is reproducible running the `pkd_hello` test with:
valgrind --leak-check=full ./pkd_hello -i1 -t torture_pkd_openssh_dsa_rsa_default
Resolves https://red.libssh.org/issues/252.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This has been made opaque and it needs to be a pointer.
This is for OpenSSL 1.1.0 support.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When accepting a new connection, a forking server based on libssh forks
and the child process handles the request. The RAND_bytes() function of
openssl doesn't reset its state after the fork, but simply adds the
current process id (getpid) to the PRNG state, which is not guaranteed
to be unique.
This can cause several children to end up with same PRNG state which is
a security issue.
