Hello community, here is the log from the commit of package libssh for openSUSE:Factory checked in at 2020-04-18 00:28:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh (Old) and /work/SRC/openSUSE:Factory/.libssh.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh" Sat Apr 18 00:28:42 2020 rev:62 rq:794523 version:0.9.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh/libssh.changes 2020-02-22 19:05:32.562239571 +0100 +++ /work/SRC/openSUSE:Factory/.libssh.new.2738/libssh.changes 2020-04-18 00:29:16.725909228 +0200 @@ -1,0 +2,6 @@ +Thu Apr 9 07:50:07 UTC 2020 - Andreas Schneider <[email protected]> + +- Update to version 0.9.4 + * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ + +------------------------------------------------------------------- Old: ---- libssh-0.9.3.tar.xz libssh-0.9.3.tar.xz.asc New: ---- libssh-0.9.4.tar.xz libssh-0.9.4.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh.spec ++++++ --- /var/tmp/diff_new_pack.uTMeH7/_old 2020-04-18 00:29:17.997911862 +0200 +++ /var/tmp/diff_new_pack.uTMeH7/_new 2020-04-18 00:29:18.001911870 +0200 @@ -30,7 +30,7 @@ %bcond_with test %endif Name: libssh%{pkg_suffix} -Version: 0.9.3 +Version: 0.9.4 Release: 0 Summary: The SSH library License: LGPL-2.1-or-later ++++++ libssh-0.9.3.tar.xz -> libssh-0.9.4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/.gitlab-ci.yml new/libssh-0.9.4/.gitlab-ci.yml --- old/libssh-0.9.3/.gitlab-ci.yml 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/.gitlab-ci.yml 2020-04-09 09:28:43.000000000 +0200 @@ -456,9 +456,11 @@ - obj/scan visualstudio/x86_64: + variables: + ErrorActionPreference: STOP script: - $env:VCPKG_DEFAULT_TRIPLET="x64-windows" - - cd obj + - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1} - cmake -A x64 -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_TOOLCHAIN_FILE" 
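Review bot: `ErrorActionPreference: STOP` under `variables:` is exported to the job as an environment variable, while PowerShell's fail-fast behaviour is controlled by the `$ErrorActionPreference` preference variable, which as far as I know is not read from the environment, so the new setting may not harden the `cd`/`cmake` steps it sits above. The identical hunk for `visualstudio/x86` on the next line has the same issue. If fail-fast is the intent, set it inside the script instead: `- $ErrorActionPreference = "Stop"` as the first script line. The chain `mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}` also reads `$?` after an `if` statement; what `$?` holds once the first `if` skips its branch should be confirmed before relying on it. The trailing context of this hunk is not shown here.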
@@ -484,9 +486,11 @@ - obj/ visualstudio/x86: + variables: + ErrorActionPreference: STOP script: - $env:VCPKG_DEFAULT_TRIPLET="x86-windows" - - cd obj + - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1} - cmake -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_TOOLCHAIN_FILE" -DPICKY_DEVELOPER=ON diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/CMakeLists.txt new/libssh-0.9.4/CMakeLists.txt --- old/libssh-0.9.3/CMakeLists.txt 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/CMakeLists.txt 2020-04-09 09:30:20.000000000 +0200 @@ -10,7 +10,7 @@ include(DefineCMakeDefaults) include(DefineCompilerFlags) -project(libssh VERSION 0.9.3 LANGUAGES C) +project(libssh VERSION 0.9.4 LANGUAGES C) # global needed variable set(APPLICATION_NAME ${PROJECT_NAME}) @@ -22,7 +22,7 @@ # Increment AGE. Set REVISION to 0 # If the source code was changed, but there were no interface changes: # Increment REVISION. -set(LIBRARY_VERSION "4.8.4") +set(LIBRARY_VERSION "4.8.5") set(LIBRARY_SOVERSION "4") # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/ChangeLog new/libssh-0.9.4/ChangeLog --- old/libssh-0.9.3/ChangeLog 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/ChangeLog 2020-04-09 09:30:20.000000000 +0200 
@@ -1,6 +1,12 @@ ChangeLog ========== +version 0.9.4 (released 2020-04-09) + * Fixed CVE-2020-1730 - Possible DoS in client and server when handling + AES-CTR keys with OpenSSL + * Added diffie-hellman-group14-sha256 + * Fixed serveral possible memory leaks + version 0.9.3 (released 2019-12-10) * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/doc/CMakeLists.txt new/libssh-0.9.4/doc/CMakeLists.txt --- old/libssh-0.9.3/doc/CMakeLists.txt 2019-10-16 10:19:59.000000000 +0200 +++ new/libssh-0.9.4/doc/CMakeLists.txt 2020-03-30 09:46:07.000000000 +0200 @@ -15,6 +15,8 @@ set(DOXYGEN_MARKDOWN_SUPPORT YES) set(DOXYGEN_PREDEFINED DOXYGEN + WITH_SERVER + WITH_SFTP PRINTF_ATTRIBUTE(x,y)) set(DOXYGEN_EXCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/that_style) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/doc/linking.dox new/libssh-0.9.4/doc/linking.dox --- old/libssh-0.9.3/doc/linking.dox 2019-10-16 10:20:03.000000000 +0200 +++ new/libssh-0.9.4/doc/linking.dox 2020-03-30 09:46:07.000000000 +0200 @@ -28,6 +28,6 @@ @endcode If you're are statically linking with OpenSSL, read the "Linking your -application" section in the NOTES.<OS> in the OpenSSL source tree! +application" section in the NOTES.[OS] in the OpenSSL source tree! */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/include/libssh/crypto.h new/libssh-0.9.4/include/libssh/crypto.h --- old/libssh-0.9.3/include/libssh/crypto.h 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/include/libssh/crypto.h 2020-04-06 11:36:35.000000000 +0200 
@@ -80,6 +80,8 @@ SSH_KEX_DH_GROUP16_SHA512, /* diffie-hellman-group18-sha512 */ SSH_KEX_DH_GROUP18_SHA512, + /* diffie-hellman-group14-sha256 */ + SSH_KEX_DH_GROUP14_SHA256, }; enum ssh_cipher_e { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/include/libssh/keys.h new/libssh-0.9.4/include/libssh/keys.h --- old/libssh-0.9.3/include/libssh/keys.h 2019-10-16 10:19:59.000000000 +0200 +++ new/libssh-0.9.4/include/libssh/keys.h 2020-03-27 13:13:36.000000000 +0100 @@ -28,13 +28,13 @@ struct ssh_public_key_struct { int type; const char *type_c; /* Don't free it ! it is static */ -#ifdef HAVE_LIBGCRYPT +#if defined(HAVE_LIBGCRYPT) gcry_sexp_t dsa_pub; gcry_sexp_t rsa_pub; -#elif HAVE_LIBCRYPTO +#elif defined(HAVE_LIBCRYPTO) DSA *dsa_pub; RSA *rsa_pub; -#elif HAVE_LIBMBEDCRYPTO +#elif defined(HAVE_LIBMBEDCRYPTO) mbedtls_pk_context *rsa_pub; void *dsa_pub; #endif @@ -42,13 +42,13 @@ struct ssh_private_key_struct { int type; -#ifdef HAVE_LIBGCRYPT +#if defined(HAVE_LIBGCRYPT) gcry_sexp_t dsa_priv; gcry_sexp_t rsa_priv; -#elif defined HAVE_LIBCRYPTO +#elif defined(HAVE_LIBCRYPTO) DSA *dsa_priv; RSA *rsa_priv; -#elif HAVE_LIBMBEDCRYPTO +#elif defined(HAVE_LIBMBEDCRYPTO) mbedtls_pk_context *rsa_priv; void *dsa_priv; #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/include/libssh/libssh.h new/libssh-0.9.4/include/libssh/libssh.h --- old/libssh-0.9.3/include/libssh/libssh.h 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/include/libssh/libssh.h 2020-04-09 09:28:43.000000000 +0200 
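Review bot: Appending `SSH_KEX_DH_GROUP14_SHA256` at the tail of the enum keeps the existing values stable, but every `switch` over `kex_type` without a `default` now needs the new case; this commit updates client.c, dh.c, dh_crypto.c, dh_key.c, kex.c and session.c, while any server-side dispatch is not in this chunk and should be checked as well. The `/* diffie-hellman-group14-sha256 */` comment mirrors its neighbours, so the documentation is fine. Building with `-Wswitch-enum` would flag a missed site at compile time rather than at key exchange.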
@@ -633,7 +633,13 @@ LIBSSH_API int ssh_pcap_file_open(ssh_pcap_file pcap, const char *filename); /** - * @brief SSH authentication callback. + * @addtogroup libssh_auth + * + * @{ + */ + +/** + * @brief SSH authentication callback for password and publickey auth. * * @param prompt Prompt to be displayed. * @param buf Buffer to save the password. You should null-terminate it. @@ -648,6 +654,8 @@ typedef int (*ssh_auth_callback) (const char *prompt, char *buf, size_t len, int echo, int verify, void *userdata); +/** @} */ + LIBSSH_API ssh_key ssh_key_new(void); #define SSH_KEY_FREE(x) \ do { if ((x) != NULL) { ssh_key_free(x); x = NULL; } } while(0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/include/libssh/priv.h new/libssh-0.9.4/include/libssh/priv.h --- old/libssh-0.9.3/include/libssh/priv.h 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/include/libssh/priv.h 2020-04-09 09:28:43.000000000 +0200 
@@ -405,20 +405,20 @@ # endif /* HAVE_FALLTHROUGH_ATTRIBUTE */ #endif /* FALL_THROUGH */ -#ifndef __unused__ +#ifndef __attr_unused__ # ifdef HAVE_UNUSED_ATTRIBUTE -# define __unused__ __attribute__((unused)) +# define __attr_unused__ __attribute__((unused)) # else /* HAVE_UNUSED_ATTRIBUTE */ -# define __unused__ +# define __attr_unused__ # endif /* HAVE_UNUSED_ATTRIBUTE */ -#endif /* __unused__ */ +#endif /* __attr_unused__ */ #ifndef UNUSED_PARAM -#define UNUSED_PARAM(param) param __unused__ +#define UNUSED_PARAM(param) param __attr_unused__ #endif /* UNUSED_PARAM */ #ifndef UNUSED_VAR -#define UNUSED_VAR(var) __unused__ var +#define UNUSED_VAR(var) __attr_unused__ var #endif /* UNUSED_VAR */ void ssh_agent_state_free(void *data); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/ABI/current new/libssh-0.9.4/src/ABI/current --- old/libssh-0.9.3/src/ABI/current 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/ABI/current 2020-04-09 09:30:20.000000000 +0200 @@ -1 +1 @@ -4.8.4 \ No newline at end of file +4.8.5 \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/ABI/libssh-4.8.5.symbols new/libssh-0.9.4/src/ABI/libssh-4.8.5.symbols --- old/libssh-0.9.3/src/ABI/libssh-4.8.5.symbols 1970-01-01 01:00:00.000000000 +0100 +++ new/libssh-0.9.4/src/ABI/libssh-4.8.5.symbols 2020-04-09 09:30:20.000000000 +0200 
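Review bot: `__attr_unused__` still begins with two underscores, a name C reserves for the implementation (C11 7.1.3), so the rename moves the macro away from the spelling GCC uses in `__attribute__((__unused__))` but not out of the reserved namespace. A project-prefixed name such as `SSH_ATTR_UNUSED` would avoid any future collision, and the `UNUSED_PARAM`/`UNUSED_VAR` wrappers below already follow that style. If the rename was prompted by a clash with a system or compiler header, a one-line comment above the `#ifndef` saying so would stop a later cleanup from reverting it.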
@@ -0,0 +1,421 @@ +_ssh_log +buffer_free +buffer_get +buffer_get_len +buffer_new +channel_accept_x11 +channel_change_pty_size +channel_close +channel_forward_accept +channel_forward_cancel +channel_forward_listen +channel_free +channel_get_exit_status +channel_get_session +channel_is_closed +channel_is_eof +channel_is_open +channel_new +channel_open_forward +channel_open_session +channel_poll +channel_read +channel_read_buffer +channel_read_nonblocking +channel_request_env +channel_request_exec +channel_request_pty +channel_request_pty_size +channel_request_send_signal +channel_request_sftp +channel_request_shell +channel_request_subsystem +channel_request_x11 +channel_select +channel_send_eof +channel_set_blocking +channel_write +channel_write_stderr +privatekey_free +privatekey_from_file +publickey_free +publickey_from_file +publickey_from_privatekey +publickey_to_string +sftp_async_read +sftp_async_read_begin +sftp_attributes_free +sftp_canonicalize_path +sftp_chmod +sftp_chown +sftp_client_message_free +sftp_client_message_get_data +sftp_client_message_get_filename +sftp_client_message_get_flags +sftp_client_message_get_submessage +sftp_client_message_get_type +sftp_client_message_set_filename +sftp_close +sftp_closedir +sftp_dir_eof +sftp_extension_supported +sftp_extensions_get_count +sftp_extensions_get_data +sftp_extensions_get_name +sftp_file_set_blocking +sftp_file_set_nonblocking +sftp_free +sftp_fstat +sftp_fstatvfs +sftp_fsync +sftp_get_client_message +sftp_get_error +sftp_handle +sftp_handle_alloc +sftp_handle_remove +sftp_init +sftp_lstat +sftp_mkdir +sftp_new +sftp_new_channel +sftp_open +sftp_opendir +sftp_read +sftp_readdir +sftp_readlink +sftp_rename +sftp_reply_attr +sftp_reply_data +sftp_reply_handle +sftp_reply_name +sftp_reply_names +sftp_reply_names_add +sftp_reply_status +sftp_rewind +sftp_rmdir +sftp_seek +sftp_seek64 +sftp_send_client_message +sftp_server_free +sftp_server_init +sftp_server_new +sftp_server_version +sftp_setstat 
+sftp_stat +sftp_statvfs +sftp_statvfs_free +sftp_symlink +sftp_tell +sftp_tell64 +sftp_unlink +sftp_utimes +sftp_write +ssh_accept +ssh_add_channel_callbacks +ssh_auth_list +ssh_basename +ssh_bind_accept +ssh_bind_accept_fd +ssh_bind_fd_toaccept +ssh_bind_free +ssh_bind_get_fd +ssh_bind_listen +ssh_bind_new +ssh_bind_options_parse_config +ssh_bind_options_set +ssh_bind_set_blocking +ssh_bind_set_callbacks +ssh_bind_set_fd +ssh_blocking_flush +ssh_buffer_add_data +ssh_buffer_free +ssh_buffer_get +ssh_buffer_get_data +ssh_buffer_get_len +ssh_buffer_new +ssh_buffer_reinit +ssh_channel_accept_forward +ssh_channel_accept_x11 +ssh_channel_cancel_forward +ssh_channel_change_pty_size +ssh_channel_close +ssh_channel_free +ssh_channel_get_exit_status +ssh_channel_get_session +ssh_channel_is_closed +ssh_channel_is_eof +ssh_channel_is_open +ssh_channel_listen_forward +ssh_channel_new +ssh_channel_open_auth_agent +ssh_channel_open_forward +ssh_channel_open_forward_unix +ssh_channel_open_reverse_forward +ssh_channel_open_session +ssh_channel_open_x11 +ssh_channel_poll +ssh_channel_poll_timeout +ssh_channel_read +ssh_channel_read_nonblocking +ssh_channel_read_timeout +ssh_channel_request_auth_agent +ssh_channel_request_env +ssh_channel_request_exec +ssh_channel_request_pty +ssh_channel_request_pty_size +ssh_channel_request_send_break +ssh_channel_request_send_exit_signal +ssh_channel_request_send_exit_status +ssh_channel_request_send_signal +ssh_channel_request_sftp +ssh_channel_request_shell +ssh_channel_request_subsystem +ssh_channel_request_x11 +ssh_channel_select +ssh_channel_send_eof +ssh_channel_set_blocking +ssh_channel_set_counter +ssh_channel_window_size +ssh_channel_write +ssh_channel_write_stderr +ssh_clean_pubkey_hash +ssh_connect +ssh_connector_free +ssh_connector_new +ssh_connector_set_in_channel +ssh_connector_set_in_fd +ssh_connector_set_out_channel +ssh_connector_set_out_fd +ssh_copyright +ssh_dirname +ssh_disconnect +ssh_dump_knownhost +ssh_event_add_connector 
+ssh_event_add_fd +ssh_event_add_session +ssh_event_dopoll +ssh_event_free +ssh_event_new +ssh_event_remove_connector +ssh_event_remove_fd +ssh_event_remove_session +ssh_execute_message_callbacks +ssh_finalize +ssh_forward_accept +ssh_forward_cancel +ssh_forward_listen +ssh_free +ssh_get_cipher_in +ssh_get_cipher_out +ssh_get_clientbanner +ssh_get_disconnect_message +ssh_get_error +ssh_get_error_code +ssh_get_fd +ssh_get_fingerprint_hash +ssh_get_hexa +ssh_get_hmac_in +ssh_get_hmac_out +ssh_get_issue_banner +ssh_get_kex_algo +ssh_get_log_callback +ssh_get_log_level +ssh_get_log_userdata +ssh_get_openssh_version +ssh_get_poll_flags +ssh_get_pubkey +ssh_get_pubkey_hash +ssh_get_publickey +ssh_get_publickey_hash +ssh_get_random +ssh_get_server_publickey +ssh_get_serverbanner +ssh_get_status +ssh_get_version +ssh_getpass +ssh_gssapi_get_creds +ssh_gssapi_set_creds +ssh_handle_key_exchange +ssh_init +ssh_is_blocking +ssh_is_connected +ssh_is_server_known +ssh_key_cmp +ssh_key_free +ssh_key_is_private +ssh_key_is_public +ssh_key_new +ssh_key_type +ssh_key_type_from_name +ssh_key_type_to_char +ssh_known_hosts_parse_line +ssh_knownhosts_entry_free +ssh_log +ssh_message_auth_interactive_request +ssh_message_auth_kbdint_is_response +ssh_message_auth_password +ssh_message_auth_pubkey +ssh_message_auth_publickey +ssh_message_auth_publickey_state +ssh_message_auth_reply_pk_ok +ssh_message_auth_reply_pk_ok_simple +ssh_message_auth_reply_success +ssh_message_auth_set_methods +ssh_message_auth_user +ssh_message_channel_request_channel +ssh_message_channel_request_command +ssh_message_channel_request_env_name +ssh_message_channel_request_env_value +ssh_message_channel_request_open_destination +ssh_message_channel_request_open_destination_port +ssh_message_channel_request_open_originator +ssh_message_channel_request_open_originator_port +ssh_message_channel_request_open_reply_accept +ssh_message_channel_request_open_reply_accept_channel +ssh_message_channel_request_pty_height 
+ssh_message_channel_request_pty_pxheight +ssh_message_channel_request_pty_pxwidth +ssh_message_channel_request_pty_term +ssh_message_channel_request_pty_width +ssh_message_channel_request_reply_success +ssh_message_channel_request_subsystem +ssh_message_channel_request_x11_auth_cookie +ssh_message_channel_request_x11_auth_protocol +ssh_message_channel_request_x11_screen_number +ssh_message_channel_request_x11_single_connection +ssh_message_free +ssh_message_get +ssh_message_global_request_address +ssh_message_global_request_port +ssh_message_global_request_reply_success +ssh_message_reply_default +ssh_message_retrieve +ssh_message_service_reply_success +ssh_message_service_service +ssh_message_subtype +ssh_message_type +ssh_mkdir +ssh_new +ssh_options_copy +ssh_options_get +ssh_options_get_port +ssh_options_getopt +ssh_options_parse_config +ssh_options_set +ssh_pcap_file_close +ssh_pcap_file_free +ssh_pcap_file_new +ssh_pcap_file_open +ssh_pki_copy_cert_to_privkey +ssh_pki_export_privkey_base64 +ssh_pki_export_privkey_file +ssh_pki_export_privkey_to_pubkey +ssh_pki_export_pubkey_base64 +ssh_pki_export_pubkey_file +ssh_pki_generate +ssh_pki_import_cert_base64 +ssh_pki_import_cert_file +ssh_pki_import_privkey_base64 +ssh_pki_import_privkey_file +ssh_pki_import_pubkey_base64 +ssh_pki_import_pubkey_file +ssh_pki_key_ecdsa_name +ssh_print_hash +ssh_print_hexa +ssh_privatekey_type +ssh_publickey_to_file +ssh_remove_channel_callbacks +ssh_scp_accept_request +ssh_scp_close +ssh_scp_deny_request +ssh_scp_free +ssh_scp_init +ssh_scp_leave_directory +ssh_scp_new +ssh_scp_pull_request +ssh_scp_push_directory +ssh_scp_push_file +ssh_scp_push_file64 +ssh_scp_read +ssh_scp_request_get_filename +ssh_scp_request_get_permissions +ssh_scp_request_get_size +ssh_scp_request_get_size64 +ssh_scp_request_get_warning +ssh_scp_write +ssh_select +ssh_send_debug +ssh_send_ignore +ssh_send_keepalive +ssh_server_init_kex +ssh_service_request +ssh_session_export_known_hosts_entry 
+ssh_session_get_known_hosts_entry +ssh_session_has_known_hosts_entry +ssh_session_is_known_server +ssh_session_update_known_hosts +ssh_set_agent_channel +ssh_set_agent_socket +ssh_set_auth_methods +ssh_set_blocking +ssh_set_callbacks +ssh_set_channel_callbacks +ssh_set_counters +ssh_set_fd_except +ssh_set_fd_toread +ssh_set_fd_towrite +ssh_set_log_callback +ssh_set_log_level +ssh_set_log_userdata +ssh_set_message_callback +ssh_set_pcap_file +ssh_set_server_callbacks +ssh_silent_disconnect +ssh_string_burn +ssh_string_copy +ssh_string_data +ssh_string_fill +ssh_string_free +ssh_string_free_char +ssh_string_from_char +ssh_string_get_char +ssh_string_len +ssh_string_new +ssh_string_to_char +ssh_threads_get_default +ssh_threads_get_noop +ssh_threads_get_pthread +ssh_threads_set_callbacks +ssh_try_publickey_from_file +ssh_userauth_agent +ssh_userauth_agent_pubkey +ssh_userauth_autopubkey +ssh_userauth_gssapi +ssh_userauth_kbdint +ssh_userauth_kbdint_getanswer +ssh_userauth_kbdint_getinstruction +ssh_userauth_kbdint_getname +ssh_userauth_kbdint_getnanswers +ssh_userauth_kbdint_getnprompts +ssh_userauth_kbdint_getprompt +ssh_userauth_kbdint_setanswer +ssh_userauth_list +ssh_userauth_none +ssh_userauth_offer_pubkey +ssh_userauth_password +ssh_userauth_privatekey_file +ssh_userauth_pubkey +ssh_userauth_publickey +ssh_userauth_publickey_auto +ssh_userauth_try_publickey +ssh_version +ssh_write_knownhost +string_burn +string_copy +string_data +string_fill +string_free +string_from_char +string_len +string_new +string_to_char \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/CMakeLists.txt new/libssh-0.9.4/src/CMakeLists.txt --- old/libssh-0.9.3/src/CMakeLists.txt 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/CMakeLists.txt 2020-04-09 09:28:43.000000000 +0200 
@@ -85,6 +85,13 @@ ) endif (WITH_NACL AND NACL_FOUND) +if (MINGW AND Threads_FOUND) + set(LIBSSH_LINK_LIBRARIES + ${LIBSSH_LINK_LIBRARIES} + Threads::Threads + ) +endif() + if (BUILD_STATIC_LIB) set(LIBSSH_STATIC_LIBRARY ssh_static diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/auth.c new/libssh-0.9.4/src/auth.c --- old/libssh-0.9.3/src/auth.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/auth.c 2020-04-09 09:28:43.000000000 +0200 @@ -1116,7 +1116,9 @@ "Public key authentication error for %s", privkey_file); ssh_key_free(state->privkey); + state->privkey = NULL; ssh_key_free(state->pubkey); + state->pubkey = NULL; SAFE_FREE(session->auth.auto_state); return rc; } else if (rc == SSH_AUTH_AGAIN) { @@ -1182,6 +1184,9 @@ return rc; } + ssh_key_free(state->privkey); + ssh_key_free(state->pubkey); + SSH_LOG(SSH_LOG_WARN, "The server accepted the public key but refused the signature"); state->it = state->it->next; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/channels.c new/libssh-0.9.4/src/channels.c --- old/libssh-0.9.3/src/channels.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/channels.c 2020-04-09 09:28:43.000000000 +0200 @@ -3119,6 +3119,11 @@ } len = ssh_buffer_get_len(stdbuf); if (len > 0) { + if (len > INT_MAX) { + rc = SSH_ERROR; + } else { + rc = (int)len; + } goto out; } if (channel->remote_eof) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/client.c new/libssh-0.9.4/src/client.c --- old/libssh-0.9.3/src/client.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/client.c 2020-04-06 11:36:35.000000000 +0200 
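Review bot: In the second auth.c hunk the two `ssh_key_free()` calls added before `state->it = state->it->next;` leave `state->privkey` and `state->pubkey` pointing at freed memory, unlike the first hunk of the same file, which resets both fields to NULL right after freeing them. If a later iteration or the error path in the first hunk frees them again, that is a double free; the `SSH_KEY_FREE` macro defined in libssh.h does the free-and-NULL in one step: `SSH_KEY_FREE(state->privkey);` and `SSH_KEY_FREE(state->pubkey);`. The enclosing function continues outside the hunk, so whether the fields are reassigned before the next free is not visible here.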
@@ -252,6 +252,7 @@ switch(session->next_crypto->kex_type){ case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: rc = ssh_client_dh_init(session); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/curve25519.c new/libssh-0.9.4/src/curve25519.c --- old/libssh-0.9.3/src/curve25519.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/curve25519.c 2020-03-27 13:13:36.000000000 +0100 @@ -179,8 +179,8 @@ #ifdef HAVE_OPENSSL_X25519 EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL, *pubkey = NULL; - size_t shared_key_len; - int rc; + size_t shared_key_len = sizeof(k); + int rc, ret = SSH_ERROR; pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, session->next_crypto->curve25519_privkey, @@ -197,8 +197,7 @@ SSH_LOG(SSH_LOG_TRACE, "Failed to initialize X25519 context: %s", ERR_error_string(ERR_get_error(), NULL)); - EVP_PKEY_free(pkey); - return SSH_ERROR; + goto out; } rc = EVP_PKEY_derive_init(pctx); @@ -206,9 +205,7 @@ SSH_LOG(SSH_LOG_TRACE, "Failed to initialize X25519 key derivation: %s", ERR_error_string(ERR_get_error(), NULL)); - EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(pctx); - return SSH_ERROR; + goto out; } if (session->server) { @@ -224,9 +221,7 @@ SSH_LOG(SSH_LOG_TRACE, "Failed to create X25519 public key EVP_PKEY: %s", ERR_error_string(ERR_get_error(), NULL)); - EVP_PKEY_free(pkey); - EVP_PKEY_CTX_free(pctx); - return SSH_ERROR; + goto out; } rc = EVP_PKEY_derive_set_peer(pctx, pubkey); 
@@ -234,23 +229,23 @@ SSH_LOG(SSH_LOG_TRACE, "Failed to set peer X25519 public key: %s", ERR_error_string(ERR_get_error(), NULL)); - EVP_PKEY_free(pkey); - EVP_PKEY_free(pubkey); - EVP_PKEY_CTX_free(pctx); - return SSH_ERROR; + goto out; } - rc = EVP_PKEY_derive(pctx, - k, - &shared_key_len); + rc = EVP_PKEY_derive(pctx, k, &shared_key_len); if (rc != 1) { SSH_LOG(SSH_LOG_TRACE, "Failed to derive X25519 shared secret: %s", ERR_error_string(ERR_get_error(), NULL)); - EVP_PKEY_free(pkey); - EVP_PKEY_free(pubkey); - EVP_PKEY_CTX_free(pctx); - return SSH_ERROR; + goto out; + } + ret = SSH_OK; +out: + EVP_PKEY_free(pkey); + EVP_PKEY_free(pubkey); + EVP_PKEY_CTX_free(pctx); + if (ret == SSH_ERROR) { + return ret; } #else if (session->server) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/dh-gex.c new/libssh-0.9.4/src/dh-gex.c --- old/libssh-0.9.3/src/dh-gex.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/dh-gex.c 2020-04-06 11:36:33.000000000 +0200 @@ -366,8 +366,13 @@ */ static bool invn_chance(int n) { - uint32_t nounce; - ssh_get_random(&nounce, sizeof(nounce), 0); + uint32_t nounce = 0; + int ok; + + ok = ssh_get_random(&nounce, sizeof(nounce), 0); + if (!ok) { + return false; + } return (nounce % n) == 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/dh.c new/libssh-0.9.4/src/dh.c --- old/libssh-0.9.3/src/dh.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/dh.c 2020-04-06 11:36:35.000000000 +0200 
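Review bot: After `EVP_PKEY_derive(pctx, k, &shared_key_len)` succeeds, the new code never confirms that `shared_key_len` still equals `sizeof(k)`; OpenSSL writes the number of bytes produced back into that variable, so a shorter result would leave the tail of `k` unset while the function continues as success. Folding that into the existing check, `if (rc != 1 || shared_key_len != sizeof(k)) { ... goto out; }`, closes the gap at the cost of one combined log message. The consolidated `out:` cleanup is otherwise sound: all three handles start as NULL and the OpenSSL `*_free` functions accept NULL. The remainder of the function, including the `#else` path, lies outside the hunk.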
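Review bot: `invn_chance` now returns `false` when `ssh_get_random` reports failure, which is the conservative outcome, but `nounce % n` still divides by a caller-supplied `int`; a zero `n` is undefined behaviour and a negative one is converted to unsigned, and nothing in the hunk guards either. If callers only pass small positive constants, a comment above the return, `/* n must be > 0; a failed RNG read counts as "no" */`, documents both assumptions. `nounce % n` is also slightly biased unless `n` is a power of two, which is acceptable for a one-in-n decision but worth stating in the same comment.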
@@ -482,6 +482,7 @@ switch (crypto->kex_type){ case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: packet_type = SSH2_MSG_KEXDH_REPLY; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/dh_crypto.c new/libssh-0.9.4/src/dh_crypto.c --- old/libssh-0.9.3/src/dh_crypto.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/dh_crypto.c 2020-04-06 11:36:35.000000000 +0200 @@ -179,6 +179,7 @@ rc = ssh_dh_set_parameters(ctx, ssh_dh_group1, ssh_dh_generator); break; case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: rc = ssh_dh_set_parameters(ctx, ssh_dh_group14, ssh_dh_generator); break; case SSH_KEX_DH_GROUP16_SHA512: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/dh_key.c new/libssh-0.9.4/src/dh_key.c --- old/libssh-0.9.3/src/dh_key.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/dh_key.c 2020-04-06 11:36:35.000000000 +0200 @@ -247,6 +247,7 @@ rc = ssh_dh_set_parameters(ctx, ssh_dh_group1, ssh_dh_generator); break; case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: rc = ssh_dh_set_parameters(ctx, ssh_dh_group14, ssh_dh_generator); break; case SSH_KEX_DH_GROUP16_SHA512: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/init.c new/libssh-0.9.4/src/init.c --- old/libssh-0.9.3/src/init.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/init.c 2020-01-27 16:45:35.000000000 +0100 @@ -106,7 +106,6 @@ * * This functions is automatically called when the library is loaded. * - * @returns 0 on success, -1 if an error occured. */ void libssh_constructor(void) { 
@@ -188,8 +187,6 @@ * * This function is automatically called when the library is unloaded. * - * @returns SSH_OK on success, SSH_ERROR if an error occurred. - * */ void libssh_destructor(void) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/kex.c new/libssh-0.9.4/src/kex.c --- old/libssh-0.9.3/src/kex.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/kex.c 2020-04-06 11:36:35.000000000 +0200 @@ -154,6 +154,7 @@ ECDH \ "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512," \ GEX_SHA256 \ + "diffie-hellman-group14-sha256," \ "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" #define KEY_EXCHANGE_SUPPORTED \ GEX_SHA1 \ @@ -183,6 +184,7 @@ "ecdh-sha2-nistp384,"\ "ecdh-sha2-nistp521,"\ "diffie-hellman-group-exchange-sha256,"\ + "diffie-hellman-group14-sha256,"\ "diffie-hellman-group16-sha512,"\ "diffie-hellman-group18-sha512" @@ -356,8 +358,8 @@ goto error; } - len = ssh_hashbufin_add_cookie(session, session->next_crypto->client_kex.cookie); - if (len < 0) { + ok = ssh_hashbufin_add_cookie(session, session->next_crypto->client_kex.cookie); + if (ok < 0) { ssh_set_error(session, SSH_FATAL, "ssh_packet_kexinit: adding cookie failed"); goto error; } @@ -368,8 +370,8 @@ goto error; } - len = ssh_hashbufin_add_cookie(session, session->next_crypto->server_kex.cookie); - if (len < 0) { + ok = ssh_hashbufin_add_cookie(session, session->next_crypto->server_kex.cookie); + if (ok < 0) { ssh_set_error(session, SSH_FATAL, "ssh_packet_kexinit: adding cookie failed"); goto error; } 
@@ -764,6 +766,8 @@ session->next_crypto->kex_type=SSH_KEX_DH_GROUP1_SHA1; } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group14-sha1") == 0){ session->next_crypto->kex_type=SSH_KEX_DH_GROUP14_SHA1; + } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group14-sha256") == 0){ + session->next_crypto->kex_type=SSH_KEX_DH_GROUP14_SHA256; } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group16-sha512") == 0){ session->next_crypto->kex_type=SSH_KEX_DH_GROUP16_SHA512; } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group18-sha512") == 0){ @@ -1026,6 +1030,7 @@ switch(session->next_crypto->kex_type) { case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx, @@ -1137,6 +1142,7 @@ sha1(ssh_buffer_get(buf), ssh_buffer_get_len(buf), session->next_crypto->secret_hash); break; + case SSH_KEX_DH_GROUP14_SHA256: case SSH_KEX_ECDH_SHA2_NISTP256: case SSH_KEX_CURVE25519_SHA256: case SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/legacy.c new/libssh-0.9.4/src/legacy.c --- old/libssh-0.9.3/src/legacy.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/legacy.c 2020-03-27 13:13:36.000000000 +0100 @@ -353,7 +353,7 @@ case SSH_KEYTYPE_DSS: #ifdef HAVE_LIBGCRYPT gcry_sexp_release(key->dsa_pub); -#elif HAVE_LIBCRYPTO +#elif defined HAVE_LIBCRYPTO DSA_free(key->dsa_pub); #endif break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/libcrypto.c new/libssh-0.9.4/src/libcrypto.c --- old/libssh-0.9.3/src/libcrypto.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/libcrypto.c 2020-04-09 09:29:52.000000000 +0200 
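Review bot: In legacy.c, `#elif defined HAVE_LIBCRYPTO` now works whether the macro is defined to a value or to nothing, but it uses a different spelling from the `#elif defined(HAVE_LIBCRYPTO)` form this same commit introduces in include/libssh/keys.h; using `#elif defined(HAVE_LIBCRYPTO)` here too keeps the pattern greppable. The `#ifdef HAVE_LIBGCRYPT` two lines above is also left in the old style while keys.h switched it to `#if defined(...)`.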
@@ -708,8 +708,12 @@ } static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){ - explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key)); - SAFE_FREE(cipher->aes_key); + if (cipher != NULL) { + if (cipher->aes_key != NULL) { + explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key)); + } + SAFE_FREE(cipher->aes_key); + } } #endif /* HAVE_OPENSSL_EVP_AES_CTR */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/libgcrypt.c new/libssh-0.9.4/src/libgcrypt.c --- old/libssh-0.9.3/src/libgcrypt.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/libgcrypt.c 2020-04-09 09:28:43.000000000 +0200 @@ -328,6 +328,10 @@ return -1; } break; + default: + SSH_LOG(SSH_LOG_WARNING, "Unksupported key length %u.", cipher->keysize); + SAFE_FREE(cipher->key); + return -1; } if (gcry_cipher_setkey(cipher->key[0], key, cipher->keysize / 8)) { SAFE_FREE(cipher->key); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/mbedcrypto_missing.c new/libssh-0.9.4/src/mbedcrypto_missing.c --- old/libssh-0.9.3/src/mbedcrypto_missing.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/mbedcrypto_missing.c 2020-03-27 13:13:36.000000000 +0100 @@ -104,6 +104,9 @@ if (top == 0) { rc = mbedtls_mpi_set_bit(rnd, bits - 1, 0); + if (rc != 0) { + return 0; + } } if (top == 1) { @@ -149,7 +152,8 @@ return 0; } rc = bignum_rand(rnd, bits); - if (rc != 1){ + if (rc != 1) { + bignum_safe_free(rnd); return rc; } mbedtls_mpi_mod_mpi(dest, rnd, max); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/messages.c new/libssh-0.9.4/src/messages.c --- old/libssh-0.9.3/src/messages.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/messages.c 2020-03-27 13:13:36.000000000 +0100 
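Review bot: The added guards in `aes_ctr_cleanup` are the CVE-2020-1730 fix named in the ChangeLog hunk, but nothing in the function says why `cipher->aes_key` can be NULL at cleanup time, so a later reader may see the inner check as redundant and drop it. Suggest a comment above the inner `if`: `/* aes_key is NULL when set_key failed or was never called; cleanup must still be safe (CVE-2020-1730) */`. Assuming `SAFE_FREE` already tolerates NULL, the inner check exists only for `explicit_bzero`, which the comment could say as well.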
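Review bot: The new `default:` branch in libgcrypt.c logs `"Unksupported key length %u."`, a typo in a user-visible warning; change it to `SSH_LOG(SSH_LOG_WARNING, "Unsupported key length %u.", cipher->keysize);`. The `%u` conversion requires `cipher->keysize` to be `unsigned int`; its declaration is outside the hunk, so confirm the type or add a cast to keep `-Wformat` clean. Freeing `cipher->key` before returning matches the failure paths above it.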
@@ -692,6 +692,9 @@ int rc; crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); + if (crypto == NULL) { + return NULL; + } buffer = ssh_buffer_new(); if (buffer == NULL) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/options.c new/libssh-0.9.4/src/options.c --- old/libssh-0.9.3/src/options.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/options.c 2020-03-27 13:13:36.000000000 +0100 @@ -968,7 +968,6 @@ case SSH_OPTIONS_PUBKEY_AUTH: case SSH_OPTIONS_KBDINT_AUTH: case SSH_OPTIONS_GSSAPI_AUTH: - u = 0; if (value == NULL) { ssh_set_error_invalid(session); return -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/packet_crypt.c new/libssh-0.9.4/src/packet_crypt.c --- old/libssh-0.9.3/src/packet_crypt.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/packet_crypt.c 2020-04-09 09:28:43.000000000 +0200 @@ -60,7 +60,7 @@ crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); if (crypto != NULL) { if (crypto->in_cipher->aead_decrypt_length != NULL) { - crypto->in_cipher->aead_decrypt_length( + rc = crypto->in_cipher->aead_decrypt_length( crypto->in_cipher, source, destination, crypto->in_cipher->lenfield_blocksize, session->recv_seq); @@ -71,9 +71,9 @@ source, 0, crypto->in_cipher->blocksize); - if (rc < 0) { - return 0; - } + } + if (rc < 0) { + return 0; } } else { memcpy(destination, source, 8); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/pki_crypto.c new/libssh-0.9.4/src/pki_crypto.c --- old/libssh-0.9.3/src/pki_crypto.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/pki_crypto.c 2020-04-09 09:28:43.000000000 +0200 @@ -94,7 +94,7 @@ static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EC_KEY *k) { - static int nid; + int nid; nid = pki_key_ecdsa_to_nid(k); 
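Review bot: In packet_crypt.c, moving `if (rc < 0) { return 0; }` out of the inner `if` means the AEAD branch is checked too, which is right, but it relies on `aead_decrypt_length` returning a negative value on failure the same way the plain `decrypt` callback does; that prototype is outside this hunk, so verify the convention matches. `rc` is assigned on both branches, so no uninitialized read is introduced. The enclosing function begins before the hunk.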
@@ -1569,9 +1569,9 @@ ssh_signature sig) { uint32_t pad_len = 0; - char *blob_orig; - char *blob_padded_data; - ssh_string sig_blob_padded; + char *blob_orig = NULL; + char *blob_padded_data = NULL; + ssh_string sig_blob_padded = NULL; size_t rsalen = 0; size_t len = ssh_string_len(sig_blob); @@ -1629,6 +1629,7 @@ return SSH_OK; errout: + SSH_STRING_FREE(sig_blob_padded); return SSH_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/pki_gcrypt.c new/libssh-0.9.4/src/pki_gcrypt.c --- old/libssh-0.9.3/src/pki_gcrypt.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/pki_gcrypt.c 2020-04-09 09:28:43.000000000 +0200 @@ -315,7 +315,7 @@ if (gcry_cipher_open(&cipher, algo, mode, 0) || gcry_cipher_setkey(cipher, key, key_len) || gcry_cipher_setiv(cipher, iv, iv_len) - || (tmp = calloc(ssh_buffer_get_len(data), sizeof(char))) == NULL + || (tmp = calloc(ssh_buffer_get_len(data), sizeof(unsigned char))) == NULL || gcry_cipher_decrypt(cipher, tmp, ssh_buffer_get_len(data), ssh_buffer_get(data), ssh_buffer_get_len(data))) { gcry_cipher_close(cipher); @@ -741,7 +741,7 @@ static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(gcry_sexp_t k) { - static int nid; + int nid; nid = pki_key_ecdsa_to_nid(k); @@ -938,6 +938,8 @@ (void) auth_fn; (void) auth_data; + SSH_LOG(SSH_LOG_WARN, "PEM export not supported by gcrypt backend!"); + return NULL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/pki_mbedcrypto.c new/libssh-0.9.4/src/pki_mbedcrypto.c --- old/libssh-0.9.3/src/pki_mbedcrypto.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/pki_mbedcrypto.c 2020-04-09 09:28:43.000000000 +0200 @@ -64,7 +64,7 @@ static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(mbedtls_ecdsa_context *ecdsa) { - static int nid; + int nid; nid = pki_key_ecdsa_to_nid(ecdsa); 
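Review bot: The `errout:` label in the second pki_crypto.c hunk (`@@ -1629,6 +1629,7 @@`) now releases `sig_blob_padded`, but `blob_orig` and `blob_padded_data`, which the first hunk also initialises to NULL, are not released there. If either ever owns heap memory on a failing path it leaks; if they only alias the data of `sig_blob` and `sig_blob_padded`, a comment next to the declarations such as `/* blob_orig and blob_padded_data point into the ssh_strings; only sig_blob_padded is owned here */` would stop a later reader from adding a double free. The function body between the two hunks is not visible here.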
@@ -113,7 +113,7 @@ valid = auth_fn("Passphrase for private key:", (char *) tmp, MAX_PASSPHRASE_SIZE, 0, 0, auth_data); if (valid < 0) { - return NULL; + goto fail; } /* TODO fix signedness and strlen */ valid = mbedtls_pk_parse_key(rsa, @@ -155,7 +155,7 @@ valid = auth_fn("Passphrase for private key:", (char *) tmp, MAX_PASSPHRASE_SIZE, 0, 0, auth_data); if (valid < 0) { - return NULL; + goto fail; } valid = mbedtls_pk_parse_key(ecdsa, (const unsigned char *) b64_key, @@ -246,7 +246,7 @@ ssh_string n, ssh_string e, ssh_string d, - ssh_string iqmp, + UNUSED_PARAM(ssh_string iqmp), ssh_string p, ssh_string q) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/session.c new/libssh-0.9.4/src/session.c --- old/libssh-0.9.3/src/session.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/session.c 2020-04-06 11:36:35.000000000 +0200 @@ -372,6 +372,8 @@ return "diffie-hellman-group1-sha1"; case SSH_KEX_DH_GROUP14_SHA1: return "diffie-hellman-group14-sha1"; + case SSH_KEX_DH_GROUP14_SHA256: + return "diffie-hellman-group14-sha256"; case SSH_KEX_DH_GROUP16_SHA512: return "diffie-hellman-group16-sha512"; case SSH_KEX_DH_GROUP18_SHA512: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/socket.c new/libssh-0.9.4/src/socket.c --- old/libssh-0.9.3/src/socket.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/socket.c 2020-04-09 09:28:43.000000000 +0200 @@ -42,8 +42,10 @@ #else /* _WIN32 */ #include <fcntl.h> #include <sys/types.h> +#include <sys/wait.h> #include <sys/socket.h> #include <sys/un.h> +#include <signal.h> #endif /* _WIN32 */ #include "libssh/priv.h" @@ -87,6 +89,9 @@ ssh_session session; ssh_socket_callbacks callbacks; ssh_poll_handle poll_handle; +#ifndef _WIN32 + pid_t proxy_pid; +#endif }; static int sockets_initialized = 0; 
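Review bot: Both pki_mbedcrypto.c hunks that change `return NULL;` to `goto fail;` (`@@ -113,7 +113,7 @@` and `@@ -155,7 +155,7 @@`) take that path right after `auth_fn` has written into `tmp`, the passphrase buffer. The `fail:` label is outside both hunks, so confirm that it clears `tmp` (this diff already uses `explicit_bzero` for key material in its first hunk) before returning; otherwise the passphrase stays in memory on the failure path even if the success path wipes it. If that cleanup is there, a one-line comment at the `goto fail;` sites, e.g. `/* fail: also wipes tmp */`, would document the contract.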
@@ -191,6 +196,9 @@ s->data_except = 0; s->poll_handle = NULL; s->state=SSH_SOCKET_NONE; +#ifndef _WIN32 + s->proxy_pid = 0; +#endif } /** @@ -454,6 +462,28 @@ } s->state = SSH_SOCKET_CLOSED; + +#ifndef _WIN32 + /* If the proxy command still runs try to kill it */ + if (s->proxy_pid != 0) { + int status; + pid_t pid = s->proxy_pid; + + s->proxy_pid = 0; + kill(pid, SIGTERM); + while (waitpid(pid, &status, 0) == -1) { + if (errno != EINTR) { + SSH_LOG(SSH_LOG_WARN, "waitpid failed: %s", strerror(errno)); + return; + } + } + if (!WIFEXITED(status)) { + SSH_LOG(SSH_LOG_WARN, "Proxy command exitted abnormally"); + return; + } + SSH_LOG(SSH_LOG_TRACE, "Proxy command returned %d", WEXITSTATUS(status)); + } +#endif } /** @@ -843,7 +873,7 @@ /* Prepare /dev/null socket for the stderr redirection */ int devnull = open("/dev/null", O_WRONLY); if (devnull == -1) { - SSH_LOG(SSH_LOG_WARNING, "Failed to open stderr"); + SSH_LOG(SSH_LOG_WARNING, "Failed to open /dev/null"); exit(1); } @@ -886,9 +916,11 @@ SSH_LOG(SSH_LOG_PROTOCOL, "Executing proxycommand '%s'", command); pid = fork(); - if(pid == 0) { + if (pid == 0) { ssh_execute_command(command, pair[0], pair[0]); + /* Does not return */ } + s->proxy_pid = pid; close(pair[0]); SSH_LOG(SSH_LOG_PROTOCOL, "ProxyCommand connection pipe: [%d,%d]",pair[0],pair[1]); ssh_socket_set_fd(s, pair[1]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/src/wrapper.c new/libssh-0.9.4/src/wrapper.c --- old/libssh-0.9.3/src/wrapper.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/src/wrapper.c 2020-04-06 11:36:35.000000000 +0200 
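Review bot: The new proxy-command teardown in the socket.c hunk `@@ -454,6 +462,28 @@` sends SIGTERM itself and then treats any non-`WIFEXITED` status as abnormal, so the common outcome — the proxy dying from the SIGTERM just sent — is logged as the warning "Proxy command exitted abnormally" (which also misspells "exited"). A `WIFSIGNALED`/`WTERMSIG(status) == SIGTERM` case should be handled as the expected result before that warning. The `kill()` return value is ignored, and `waitpid` blocks with no bound, so a proxy that ignores SIGTERM hangs `ssh_socket_close`; that deserves at least a comment. The `errno` use needs `<errno.h>`, which is not among the includes added in the earlier socket.c hunk, so confirm it is already included.
```c
        s->proxy_pid = 0;
        if (kill(pid, SIGTERM) == -1) {
            SSH_LOG(SSH_LOG_WARN, "kill failed: %s", strerror(errno));
        }
        /* … unchanged: waitpid/EINTR loop … */
        if (WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM) {
            /* Terminated by the SIGTERM sent above: the expected outcome */
            SSH_LOG(SSH_LOG_TRACE, "Proxy command terminated on request");
            return;
        }
        if (!WIFEXITED(status)) {
            SSH_LOG(SSH_LOG_WARN, "Proxy command exited abnormally");
            return;
        }
```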
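Review bot: In the socket.c hunk `@@ -886,9 +916,11 @@` the new `s->proxy_pid = pid;` is stored without checking `fork()` for failure, so when `fork()` returns -1 the socket records `proxy_pid == -1`, and the teardown added in the `@@ -454,6 +462,28 @@` hunk then calls `kill(-1, SIGTERM)`, which POSIX defines as signalling every process the caller is permitted to signal rather than one child. The fork result must be checked before it is stored, closing both ends of the socketpair and failing the connect; the function's return convention is outside the hunk, so the `SSH_ERROR` below is an assumption to confirm. The enclosing function starts before the hunk.
```c
    pid = fork();
    if (pid == -1) {
        SSH_LOG(SSH_LOG_WARNING, "fork failed: %s", strerror(errno));
        close(pair[0]);
        close(pair[1]);
        return SSH_ERROR; /* assumes this is the function's error return; confirm */
    }
    if (pid == 0) {
        ssh_execute_command(command, pair[0], pair[0]);
        /* Does not return */
    }
    s->proxy_pid = pid;
```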
@@ -545,6 +545,7 @@ switch (session->next_crypto->kex_type) { case SSH_KEX_DH_GROUP1_SHA1: case SSH_KEX_DH_GROUP14_SHA1: + case SSH_KEX_DH_GROUP14_SHA256: case SSH_KEX_DH_GROUP16_SHA512: case SSH_KEX_DH_GROUP18_SHA512: ssh_server_dh_init(session); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/CMakeLists.txt new/libssh-0.9.4/tests/CMakeLists.txt --- old/libssh-0.9.3/tests/CMakeLists.txt 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/CMakeLists.txt 2020-04-09 09:28:43.000000000 +0200 @@ -119,7 +119,7 @@ file(COPY keys/id_ed25519 DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE) file(COPY keys/id_ed25519.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE) - # Allow to auth with bob his public keys on alice account + # Allow to auth with bob's public keys on alice account configure_file(keys/id_rsa.pub ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys @ONLY) # append ECDSA public key file(READ keys/id_ecdsa.pub CONTENTS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/client/torture_algorithms.c new/libssh-0.9.4/tests/client/torture_algorithms.c --- old/libssh-0.9.3/tests/client/torture_algorithms.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/client/torture_algorithms.c 2020-04-09 09:28:43.000000000 +0200 @@ -691,6 +691,16 @@ test_algorithm(s->ssh.session, "diffie-hellman-group14-sha1", NULL/*cipher*/, NULL/*hmac*/); } +static void torture_algorithms_dh_group14_sha256(void **state) { + struct torture_state *s = *state; + + if (ssh_fips_mode()) { + skip(); + } + + test_algorithm(s->ssh.session, "diffie-hellman-group14-sha256", NULL/*cipher*/, NULL/*hmac*/); +} + static void torture_algorithms_dh_group16(void **state) { struct torture_state *s = *state; 
@@ -901,6 +911,9 @@ cmocka_unit_test_setup_teardown(torture_algorithms_dh_group14, session_setup, session_teardown), + cmocka_unit_test_setup_teardown(torture_algorithms_dh_group14_sha256, + session_setup, + session_teardown), cmocka_unit_test_setup_teardown(torture_algorithms_dh_group16, session_setup, session_teardown), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/client/torture_proxycommand.c new/libssh-0.9.4/tests/client/torture_proxycommand.c --- old/libssh-0.9.3/tests/client/torture_proxycommand.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/client/torture_proxycommand.c 2020-04-09 09:28:43.000000000 +0200 @@ -110,7 +110,9 @@ int rc; socket_t fd; - rc = snprintf(command, sizeof(command), "ssh -W [%%h]:%%p alice@%s", address); + rc = snprintf(command, sizeof(command), + "ssh -oStrictHostKeyChecking=no -W [%%h]:%%p alice@%s", + address); assert_true((size_t)rc < sizeof(command)); rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, command); @@ -132,7 +134,10 @@ int rc; socket_t fd; - rc = snprintf(command, sizeof(command), "ssh -vvv -W [%%h]:%%p alice@%s", address); + /* The -vvv switches produce the desired output on the standard error */ + rc = snprintf(command, sizeof(command), + "ssh -vvv -oStrictHostKeyChecking=no -W [%%h]:%%p alice@%s", + address); assert_true((size_t)rc < sizeof(command)); rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, command); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/client/torture_rekey.c new/libssh-0.9.4/tests/client/torture_rekey.c --- old/libssh-0.9.3/tests/client/torture_rekey.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/client/torture_rekey.c 2020-04-09 09:28:43.000000000 +0200 
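Review bot: Both torture_proxycommand.c hunks add `-oStrictHostKeyChecking=no` to the proxy `ssh` command without saying why, and only the second hunk gets a comment, which is about `-vvv`. Because the option turns off host-key verification, a comment in the first hunk such as `/* Test fixture: the harness sshd host key is not in known_hosts, so do not prompt or fail on it */` would record that this is a test-only concession and not a pattern to copy into client code. Whether the harness host key is in fact absent from known_hosts is not visible here, so word the comment to match what the fixture does.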
@@ -72,7 +72,7 @@ ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity); ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER); - /* Authenticate as alice with bob his pubkey */ + /* Authenticate as alice with bob's pubkey */ rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE); assert_int_equal(rc, SSH_OK); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/client/torture_scp.c new/libssh-0.9.4/tests/client/torture_scp.c --- old/libssh-0.9.3/tests/client/torture_scp.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/client/torture_scp.c 2020-03-27 13:13:36.000000000 +0100 @@ -157,7 +157,7 @@ char expected_a[BUF_SIZE]; char buf[BUF_SIZE]; FILE *file = NULL; - + size_t len = 0; int rc; assert_non_null(state); @@ -202,7 +202,8 @@ file = fopen(buf, "r"); assert_non_null(file); - fread(buf, BUF_SIZE, 1, file); + len = fread(buf, BUF_SIZE, 1, file); + assert_int_equal(len, 1); assert_memory_equal(buf, expected_a, BUF_SIZE); fclose(file); @@ -218,8 +219,8 @@ char expected_b[BUF_SIZE]; char buf[BUF_SIZE]; - FILE *file = NULL; + size_t len = 0; int rc; @@ -273,7 +274,8 @@ file = fopen(buf, "r"); assert_non_null(file); - fread(buf, BUF_SIZE, 1, file); + len = fread(buf, BUF_SIZE, 1, file); + assert_int_equal(len, 1); assert_memory_equal(buf, expected_b, BUF_SIZE); fclose(file); @@ -480,7 +482,7 @@ FILE *file = NULL; char buf[1024]; - + char *rs = NULL; int rc; assert_non_null(state); 
@@ -531,7 +533,8 @@ file = fopen(buf, "r"); assert_non_null(file); - fgets(buf, 1024, file); + rs = fgets(buf, 1024, file); + assert_non_null(rs); assert_string_equal(buf, "original"); fclose(file); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/pkd/pkd_hello.c new/libssh-0.9.4/tests/pkd/pkd_hello.c --- old/libssh-0.9.3/tests/pkd/pkd_hello.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/pkd/pkd_hello.c 2020-04-09 09:28:43.000000000 +0200 
@@ -266,21 +266,25 @@ f(client, rsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_rsa, teardown) \ f(client, rsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_rsa, teardown) \ f(client, rsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_rsa, teardown) \ + f(client, rsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_rsa, teardown) \ f(client, rsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_rsa, teardown) \ f(client, rsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_rsa, teardown) \ f(client, ecdsa_256_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_256, teardown) \ f(client, ecdsa_256_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_256, teardown) \ f(client, ecdsa_256_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_256, teardown) \ + f(client, ecdsa_256_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_256, teardown) \ f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256, teardown) \ f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256, teardown) \ f(client, ecdsa_384_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_384, teardown) \ f(client, ecdsa_384_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_384, teardown) \ f(client, ecdsa_384_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_384, teardown) \ + f(client, ecdsa_384_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_384, teardown) \ f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384, teardown) \ f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384, teardown) \ f(client, ecdsa_521_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), 
setup_ecdsa_521, teardown) \ f(client, ecdsa_521_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_521, teardown) \ + f(client, ecdsa_521_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521, teardown) \ f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521, teardown) #endif @@ -318,6 +322,7 @@ f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \ + f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_dsa, teardown) \ @@ -337,6 +342,7 @@ f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \ + f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \ f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) #elif defined(WITH_GEX) /* && !defined(HAVE_DSA) */ 
@@ -362,6 +368,7 @@ f(client, ed25519_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ed25519, teardown) \ f(client, ed25519_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ed25519, teardown) \ f(client, ed25519_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ed25519, teardown) \ + f(client, ed25519_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ed25519, teardown) \ @@ -376,6 +383,7 @@ f(client, ed25519_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ed25519, teardown) \ f(client, ed25519_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ed25519, teardown) \ f(client, ed25519_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ed25519, teardown) \ + f(client, ed25519_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_ed25519, teardown) \ f(client, ed25519_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ed25519, teardown) \ @@ -1006,7 +1014,6 @@ rc = ssh_init(); if (rc != 0) { - rc = SSH_ERROR; goto out; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/server/torture_server.c new/libssh-0.9.4/tests/server/torture_server.c --- old/libssh-0.9.3/tests/server/torture_server.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/server/torture_server.c 2020-04-09 09:28:43.000000000 +0200 
@@ -404,7 +404,7 @@ session = s->ssh.session; assert_non_null(session); - /* Authenticate as alice with bob his pubkey */ + /* Authenticate as alice with bob's pubkey */ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE); assert_int_equal(rc, SSH_OK); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/server/torture_server_config.c new/libssh-0.9.4/tests/server/torture_server_config.c --- old/libssh-0.9.3/tests/server/torture_server_config.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/server/torture_server_config.c 2020-04-09 09:28:43.000000000 +0200 @@ -321,9 +321,9 @@ assert_non_null(s->ssh.session); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity); - assert_return_code(s->ssh.session, rc); + assert_ssh_return_code(s->ssh.session, rc); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER); - assert_return_code(s->ssh.session, rc); + assert_ssh_return_code(s->ssh.session, rc); /* Make sure no other configuration options from system will get used */ rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b); assert_ssh_return_code(s->ssh.session, rc); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/torture.c new/libssh-0.9.4/tests/torture.c --- old/libssh-0.9.3/tests/torture.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/torture.c 2020-04-09 09:28:43.000000000 +0200 @@ -196,6 +196,7 @@ { char buf[8] = {0}; long int tmp; + pid_t ret; ssize_t rc; int fd; 
@@ -213,11 +214,16 @@ buf[sizeof(buf) - 1] = '\0'; tmp = strtol(buf, NULL, 10); - if (tmp == 0 || tmp > 0xFFFF || errno == ERANGE) { + if (tmp == 0 || errno == ERANGE) { + return -1; + } + ret = (pid_t)tmp; + /* Check if we are out of pid_t range on this system */ + if ((long)ret != tmp) { return -1; } - return (pid_t)(tmp & 0xFFFF); + return ret; } int torture_terminate_process(const char *pidfile) @@ -588,7 +594,7 @@ char rsa_hostkey[1024]; char ecdsa_hostkey[1024]; char trusted_ca_pubkey[1024]; - char sshd_config[2048]; + char sshd_config[4096]; char sshd_path[1024]; const char *additional_config = NULL; struct stat sb; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libssh-0.9.3/tests/unittests/torture_options.c new/libssh-0.9.4/tests/unittests/torture_options.c --- old/libssh-0.9.3/tests/unittests/torture_options.c 2019-12-09 19:30:58.000000000 +0100 +++ new/libssh-0.9.4/tests/unittests/torture_options.c 2020-04-09 09:28:43.000000000 +0200 @@ -109,18 +109,21 @@ "curve25519-sha256,[email protected]," "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256," "diffie-hellman-group14-sha1"); assert_true(rc == 0); assert_non_null(session->opts.wanted_methods[SSH_KEX]); if (ssh_fips_mode()) { assert_string_equal(session->opts.wanted_methods[SSH_KEX], "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," - "diffie-hellman-group18-sha512"); + "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256"); } else { assert_string_equal(session->opts.wanted_methods[SSH_KEX], "curve25519-sha256,[email protected]," "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256," "diffie-hellman-group14-sha1"); } 
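Review bot: The reworked pid parsing in the torture.c hunk `@@ -213,11 +214,16 @@` rejects 0, `ERANGE` and values that do not round-trip through `pid_t`, but still accepts a negative number, which any later `kill()` would treat as a process-group id rather than a single process; the guard should be `if (tmp <= 0 || errno == ERANGE) {`. The `errno == ERANGE` test is only meaningful if `errno` was set to 0 before `strtol`; if that statement exists it is above the hunk, so confirm it. The rest of the function, including what the caller does with the returned pid, is outside the hunk.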
@@ -1327,18 +1330,21 @@ "curve25519-sha256,[email protected]," "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256," "diffie-hellman-group14-sha1"); assert_int_equal(rc, 0); assert_non_null(bind->wanted_methods[SSH_KEX]); if (ssh_fips_mode()) { assert_string_equal(bind->wanted_methods[SSH_KEX], "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," - "diffie-hellman-group18-sha512"); + "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256"); } else { assert_string_equal(bind->wanted_methods[SSH_KEX], "curve25519-sha256,[email protected]," "ecdh-sha2-nistp256,diffie-hellman-group16-sha512," "diffie-hellman-group18-sha512," + "diffie-hellman-group14-sha256," "diffie-hellman-group14-sha1"); }
