Summary:
Hello, resending this patch series for the `pkd` tests, originally
sent to the mailing list here:
* https://www.libssh.org/archive/libssh/2017-07/0000011.html
Here are a few improvements and fixups for the `pkd` tests, including
a new flag `-m` that can be used to run only certain subsets of the
test passes.
Jon Simons (5):
pkd: rename AES192 cipher suite -> OPENSSHONLY
pkd_daemon.c: mark `pkd_ready` field as volatile
pkd: fixups for updated CMocka CMUnitTest struct
pkd: refactor -t testname lookup-by-name
pkd: support -m to match multiple tests
tests/pkd/pkd_daemon.c | 2 +-
tests/pkd/pkd_daemon.h | 1 +
tests/pkd/pkd_hello.c | 84 +++++++++++++++++++++++++++++++++-----------------
3 files changed, 58 insertions(+), 29 deletions(-)
--
Test Plan:
* I've been using the new `-m` mode locally for a long time to run
only certain groups of tests.
* The CMocka struct fixes can be seen in the pkd output before and
after: after, there are no more extraneous test output strings.
* The fix for the `pkd_ready` field can be observed when building
the libssh tests with `-Os` on a Debian system (before the fix,
pkd would hang, after the fix, it runs as intended).
Reviewers: asn
Reviewed By: asn
Tags: #libssh
Differential Revision: https://bugs.libssh.org/D2
On OpenSSL versions prior to 1.1.0, `EVP_CIPHER_CTX_cleanup` will
dereference its argument regardless of whether it is NULL. This
is not a problem on OpenSSL at or beyond 1.1.0, where
`EVP_CIPHER_CTX_cleanup` (macro to `EVP_CIPHER_CTX_reset`) returns
early upon NULL input.
Move the call to `EVP_CIPHER_CTX_cleanup` under the existing NULL
check in `evp_cipher_cleanup` to avoid the problem.
Introduced with this build-break fix:
* e66f370682927ca8bd7ae0e7544754c6f4ac4969
Found in manual testing in an environment with an older OpenSSL.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Relax the cases where `ssh_analyze_banner` fails to extract a
major and minor version from banners which appear like OpenSSH
banners.
Update the tests to demonstrate that now a banner as might be
sent by `ssh-keyscan(1)` ("SSH-2.0-OpenSSH-keyscan") no longer
returns failure.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
With this change, a HAVE_LIBCRYPTO #ifdef is removed from wrapper.c.
Now, the libcrypto-specific logic for EVP_CIPHER_CTX_free is moved
into the ssh_cipher_struct cleanup callback handler for those
ciphers.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix a gcrypt build error introduced with
48e7b098f86207f8596651b5ba8242a3b834a868.
The ssh_cipher_struct only contains a `ctx` field on
the libcrypto builds, so it can't be referenced unless
within HAVE_LIBCRYPTO.
This build fix preserves the original spirit of the
change in 48e7b098f86207f8596651b5ba8242a3b834a868:
only call `EVP_CIPHER_CTX_free` when `cipher->ctx`
is non-NULL.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix error-checking for `strtoul` in `ssh_analyze_banner`, and
enable some tests which demonstrate the fix before-and-after.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
No changes to code, only whitespace indentation and
an update to the function docs.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix a resource leak in `hmac_final`: say `HMAC_CTX_free` instead
of `HMAC_CTX_reset`. This matches the error handling as done in
`hmac_init`. Introduced with cf1e808e2ffa1f26644fb5d2cb82a919f323deba.
The problem is reproducible running the `pkd_hello` test with:
valgrind --leak-check=full ./pkd_hello -i1 -t torture_pkd_openssh_dsa_rsa_default
Resolves https://red.libssh.org/issues/252.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
On older OpenSSL versions, the EVP_MD_CTX fields within an HMAC_CTX
structure are contained inlined (change here [1]): be sure to not
try to free those fields on those builds.
Found running the `pkd_hello` test with:
valgrind ./pkd_hello -i1 -t torture_pkd_openssh_dsa_rsa_default
^ valgrind will cite "Invalid free() ..." errors which are present
before this fix and absent after, when building with OpenSSL 1.0.1.
[1] 6e59a892db
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
libssh fails to read the configuration from a config file due to a
wrong check in 'ssh_config_parse_line' procedure in 'config.c'; it's
effectively skipping every opcode (and therefore every option) from
the file. The change fixes that behaviour.
Signed-off-by: Artyom V. Poptsov <poptsov.artyom@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Makes sure we free pending keyboard auth prompts
so prompts that have not be replied to do not leak.
Signed-off-by: Peter Volpe <pvolpe@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Check if the size the other party sent is a valid size in the
transmitted buffer.
Thanks to Alex Gaynor for finding and reporting the issue.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Check if the size the other party sent is a valid size in the
transmitted buffer.
Thanks to Alex Gaynor for finding and reporting the issue.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
ssh_config's manpage says:
"For each parameter, the first obtained value will be used."
Make libssh adhere to this rule.
BUG: https://red.libssh.org/issues/256
Signed-off-by: Alex Hermann <alex@hexla.nl>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Tokens are not allowed (according to the manpage).
Expansion was introduced by a wrong fix for #127.
This commit reverts part of 6eea08a9ef
Signed-off-by: Alex Hermann <alex@hexla.nl>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
BUG: https://red.libssh.org/issues/127
The original "fix" for 127 was expanding the wrong variable: Host instead
of HostName.
Signed-off-by: Alex Hermann <alex@hexla.nl>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This sets the bind private key directly from an ssh_key struct instead
of reading a file.
Signed-off-by: Alfredo Mazzinghi <am2419@cl.cam.ac.uk>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
* src/pki.c (ssh_signature_free): Fix test for ECC using gcrypt.
Signed-off-by: Justus Winter <justus@g10code.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
