1
1
Граф коммитов

781 Коммитов

Автор SHA1 Сообщение Дата
Jon Simons
5865b9436f kex: server fix for first_kex_packet_follows
Ensure to honor the 'first_kex_packet_follow' field when processing
KEXINIT messages in the 'ssh_packet_kexinit' callback.  Until now
libssh would assume that this field is always unset (zero).  But
some clients may set this (dropbear at or beyond version 2013.57),
and it needs to be included when computing the session ID.

Also include logic for handling wrongly-guessed key exchange algorithms.
Save whether a client's guess is wrong in a new field in the session
struct: when set, the next KEX_DHINIT message to be processed will be
ignored per RFC 4253, 7.1.

While here, update both 'ssh_packet_kexinit' and 'make_sessionid' to
use softabs with a 4 space indent level throughout, and also convert
various error-checking to store intermediate values into an explicit
'rc'.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-04-10 08:54:10 +02:00
Andreas Schneider
ad1313c2e5 Revert "direct-tcpip and forwarded-tcpip callbacks"
This reverts commit efe785e711.

We need a Signed-off version. I didn't have the Certificate of Origin
yet.
2014-04-09 12:49:06 +02:00
Loïc Michaux
efe785e711 direct-tcpip and forwarded-tcpip callbacks 2014-04-09 11:13:57 +02:00
Jon Simons
48aca98cd5 pki crypto: expose new ssh_pki_key_ecdsa_name API
Enable retrieving the "ecdsa-sha2-nistpNNN" name of ECDSA keys with a
new 'ssh_pki_key_ecdsa_name' API.  This gives more information than the
'ssh_key_type_to_char' API, which yields "ssh-ecdsa" for ECDSA keys.
The motivation is that this info is useful to have in a server context.

The torture_pki unit test is updated to include the new API, and a few
more passes are added to additionally test 384 and 521-bit keys.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-04-09 11:01:11 +02:00
Petar Koretic
89e154f78c libsshpp: include required <string> header for std::string
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-04-09 10:59:59 +02:00
Alan Dunn
47bd0b6d1f doc: Improve and consolidate ssh_bind_options_set docs
Signed-off-by: Alan Dunn <amdunn@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-03-27 10:49:08 +01:00
Petar Koretic
8e2590b535 libssh: libhpp: overload read function to support timeout parameter
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-03-27 10:48:13 +01:00
Petar Koretic
c51f42a566 libssh: libhpp: avoid unnecessary call to ssh_channel_read
ssh_channel_read is a wrapper for ssh_channel_read_timeout with timeout
-1 (infinite) so we call that directly.

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-03-27 10:46:21 +01:00
Petar Koretic
00d4fbe753 libssh: libhpp: fix multiple definitions for acceptForward function
Defining a non inlined class function in a header will cause multiple
definitions when header is included in more that one file since for each
file function will get defined.

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-03-27 10:45:54 +01:00
Alan Dunn
2a1089d607 options: Allow use of host ECDSA key
Signed-off-by: Alan Dunn <amdunn@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-03-27 10:05:23 +01:00
Aris Adamantiadis
e99246246b security: fix for vulnerability CVE-2014-0017
When accepting a new connection, a forking server based on libssh forks
and the child process handles the request. The RAND_bytes() function of
openssl doesn't reset its state after the fork, but simply adds the
current process id (getpid) to the PRNG state, which is not guaranteed
to be unique.
This can cause several children to end up with same PRNG state which is
a security issue.
2014-03-04 09:55:28 +01:00
Audrius Butkevicius
a277dd9277 Add session/channel byte/packet counters
Signed-off-by: Audrius Butkevicius <audrius.butkevicius@elastichosts.com>
2014-02-12 18:21:16 +01:00
Jon Simons
93370d61ba session: add getters for session cipher names
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-02-06 10:21:07 +01:00
Aris Adamantiadis
fdc660f313 knownhosts: detect variations of ecdsa 2014-02-04 22:28:30 +01:00
Jon Simons
f7b61bf557 doc: correct ssh_channel_read_timeout units
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-02-02 22:19:46 +01:00
Audrius Butkevicius
adf4d4f147 doc: Document expected return value of channel data callback
Signed-off-by: Audrius Butkevicius <audrius.butkevicius@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-02-02 22:19:46 +01:00
Joseph Southwell
6bbdaceaca src: Define MAX_BUF_SIZE globally and use it.
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-02-02 22:19:46 +01:00
Aris Adamantiadis
31fb4e1e69 build: remove OSX deprecated warnings for openssl 2014-02-02 21:41:32 +01:00
Aris Adamantiadis
671f1979a6 server: allow custom server banners (bug #83) 2014-02-01 18:00:01 +01:00
Aris Adamantiadis
c433ac02bd known_hosts: add ssh_knownhosts_algorithms()
Goal of that function is to test the preferred key exchange methods
based on what's available in the known_hosts file
2014-02-01 16:42:29 +01:00
Andreas Schneider
cb9786b3ae src: Rename buffer_add_data() to ssh_buffer_add_data(). 2014-01-19 20:55:55 +01:00
Andreas Schneider
9c4144689d src: Rename buffer_init to ssh_buffer_init(). 2014-01-19 20:43:29 +01:00
Andreas Schneider
a7157b7907 include: Mark functions as deprecated! 2014-01-16 15:27:23 +01:00
Andreas Schneider
5229253f86 channel: Fix the name scheme of the forward functions. 2014-01-16 09:13:06 +01:00
Oleksandr Shneyder
a1c4fc07d4 channel: Add ssh_channel_accept_forward().
This works same way as ssh_forward_accept() but can return a destination
port of the channel (useful if SSH connection forwarding several TCP/IP
ports).

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2014-01-16 09:12:03 +01:00
Aris Adamantiadis
57ef959aa3 threads: support libgcrypt 1.6 hack
Not 100% satisfied of this patch, but the way libgcrypt handles
threading in 1.6 is not compatible with custom handlers. The
new code basicaly uses pthreads in every case. This will probably
not work on windows.
2014-01-08 18:57:31 +01:00
Andreas Schneider
b617d7fa29 include: Remove warning cause VSC doesn't know about it. 2014-01-08 10:55:20 +01:00
Andreas Schneider
4b3363ecf2 include: Fix building if we do not have asm volatile. 2014-01-08 10:52:29 +01:00
Jon Simons
a1f0b2acfc session: Add ssh_get_clientbanner(). 2013-12-07 16:24:33 +01:00
Andreas Schneider
d65777b570 channels: Add a ssh_channel_read_timeout function. 2013-12-04 20:34:13 +01:00
Andreas Schneider
136efd6ed5 pki: Add ssh_pki_import_privkey_file(). 2013-11-27 22:54:13 +01:00
Andreas Schneider
68c3c26029 pki_gcrypt: Add pki_private_key_to_pem() stub. 2013-11-27 22:54:13 +01:00
Andreas Schneider
7ecdc3e0d5 ecdh: Check if we have ECC support. 2013-11-27 17:38:21 +01:00
Nicolas Viennot
7b63fe2f22 server: Add a ssh_send_keepalive() function.
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-11-24 23:21:04 +01:00
Simo Sorce
811c645f2a options: Add SSH_OPTIONS_GSSAPI_DELEGATE_CREDENTIALS option.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-11-15 16:10:29 -05:00
Andreas Schneider
095a01b70c options: Add SSH_OPTIONS_GSSAPI_CLIENT_IDENTITY option. 2013-11-15 15:50:09 +01:00
Andreas Schneider
41d99d32e8 gssapi: Add suppport to set GSSAPI server identity. 2013-11-15 15:50:09 +01:00
Colin Walters
4cc7f4ad03 Add ssh_get_poll_flags()
For integration with an external mainloop, we need to know how to
replicate libssh's internal poll() calls.  We originally through
ssh_get_status() was that API, but it's not really - those flags only
get updated from the *result* of a poll(), where what we really need
is to know how libssh would *start* a poll().

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-11-09 12:26:19 +01:00
Andreas Schneider
06cd9bc4dc dh: Add new ssh_get_publickey_hash() function. 2013-11-06 17:10:35 +01:00
Aris Adamantiadis
cb165df64e remove warnings on OSX (workaround) 2013-11-04 10:47:22 +01:00
Aris Adamantiadis
c5ef5ed18f curve25519: include reference implementation 2013-11-03 14:58:10 +01:00
Aris Adamantiadis
04cb94a2dd socket: Fix check for pending data.
BUG: https://red.libssh.org/issues/119

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-11-03 12:46:27 +01:00
Andreas Schneider
d2dea8dc2e priv: Fix brackets of burn macros. 2013-11-03 10:24:47 +01:00
Alan Dunn
ee95c05c08 SSH_AUTH_OK -> SSH_AUTH_SUCCESS in comments
A few callback descriptions refer to a non-existent value SSH_AUTH_OK,
which should be SSH_AUTH_SUCCESS.  This commit fixes these.

Signed-off-by: Alan Dunn <amdunn@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-10-31 08:18:55 +01:00
Andreas Schneider
cfea381307 cmake: Check for isblank(). 2013-10-30 17:30:07 +01:00
Andreas Schneider
5baa6aed6b include: Fix build on platforms without ECC. 2013-10-21 07:15:59 +02:00
Andreas Schneider
5201c5850e wrapper: Fix compilation with gcrypt. 2013-10-19 10:39:00 +02:00
Andreas Schneider
ac4c5699b1 pki: Add the type as a char pointer. 2013-10-18 23:22:24 +02:00
Andreas Schneider
15e31eb464 wrapper: Add more evp functions. 2013-10-18 23:22:24 +02:00
Aris Adamantiadis
4cb6afcbd4 kex: implement curve25519-sha256@libssh.org 2013-09-27 15:32:44 +02:00