Compare commits
15 Commits
69f48f4ca1
...
a2378456fe
Author | SHA1 | Date |
---|---|---|
David Abdurachmanov | a2378456fe | |
David Abdurachmanov | b319e9f9d0 | |
Jakub Jelen | 82f9303583 | |
Jakub Jelen | 30a0031f45 | |
Jakub Jelen | 69d2dd9eae | |
Jakub Jelen | ef6352ea97 | |
Jakub Jelen | 16736bd4a1 | |
Fedora Release Engineering | 50575f2528 | |
Jakub Jelen | 65bc5d4d38 | |
Jakub Jelen | d75e8466c2 | |
Orion Poplawski | 471d720f0c | |
Andreas Schneider | 26da1b5f58 | |
Andreas Schneider | 62aed8e029 | |
Fedora Release Engineering | 8e11da540f | |
Norbert Pocs | 766cc6286d |
|
@ -66,3 +66,7 @@ libssh-0.4.4.tar.gz.asc
|
|||
/libssh-0.10.3.tar.xz.asc
|
||||
/libssh-0.10.4.tar.xz
|
||||
/libssh-0.10.4.tar.xz.asc
|
||||
/libssh-0.10.5.tar.xz
|
||||
/libssh-0.10.5.tar.xz.asc
|
||||
/libssh-0.10.6.tar.xz
|
||||
/libssh-0.10.6.tar.xz.asc
|
||||
|
|
|
@ -0,0 +1,263 @@
|
|||
From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Fri, 22 Dec 2023 10:32:40 +0100
|
||||
Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
include/libssh/config_parser.h | 11 ++++++++---
|
||||
src/config.c | 4 ++--
|
||||
src/config_parser.c | 16 +++++++++++-----
|
||||
src/options.c | 10 ++--------
|
||||
4 files changed, 23 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
|
||||
index a7dd42a2..ca353432 100644
|
||||
--- a/include/libssh/config_parser.h
|
||||
+++ b/include/libssh/config_parser.h
|
||||
@@ -30,6 +30,8 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
+#include <stdbool.h>
|
||||
+
|
||||
char *ssh_config_get_cmd(char **str);
|
||||
|
||||
char *ssh_config_get_token(char **str);
|
||||
@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
|
||||
* be stored or NULL if we do not care about the result.
|
||||
* @param[out] port Pointer to the location, where the new port will
|
||||
* be stored or NULL if we do not care about the result.
|
||||
+ * @param[in] ignore_port Set to true if the we should not attempt to parse
|
||||
+ * port number.
|
||||
*
|
||||
* @returns SSH_OK if the provided string is in format of SSH URI,
|
||||
* SSH_ERROR on failure
|
||||
*/
|
||||
int ssh_config_parse_uri(const char *tok,
|
||||
- char **username,
|
||||
- char **hostname,
|
||||
- char **port);
|
||||
+ char **username,
|
||||
+ char **hostname,
|
||||
+ char **port,
|
||||
+ bool ignore_port);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
diff --git a/src/config.c b/src/config.c
|
||||
index 5eedbce9..7135c3b1 100644
|
||||
--- a/src/config.c
|
||||
+++ b/src/config.c
|
||||
@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
||||
}
|
||||
if (parse_entry) {
|
||||
/* We actually care only about the first item */
|
||||
- rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
|
||||
+ rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
|
||||
/* The rest of the list needs to be passed on */
|
||||
if (endp != NULL) {
|
||||
next = strdup(endp + 1);
|
||||
@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
|
||||
}
|
||||
} else {
|
||||
/* The rest is just sanity-checked to avoid failures later */
|
||||
- rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
|
||||
+ rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
|
||||
}
|
||||
if (rv != SSH_OK) {
|
||||
goto out;
|
||||
diff --git a/src/config_parser.c b/src/config_parser.c
|
||||
index 9ffc8b8b..5f30cd3e 100644
|
||||
--- a/src/config_parser.c
|
||||
+++ b/src/config_parser.c
|
||||
@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
|
||||
}
|
||||
|
||||
int ssh_config_parse_uri(const char *tok,
|
||||
- char **username,
|
||||
- char **hostname,
|
||||
- char **port)
|
||||
+ char **username,
|
||||
+ char **hostname,
|
||||
+ char **port,
|
||||
+ bool ignore_port)
|
||||
{
|
||||
char *endp = NULL;
|
||||
long port_n;
|
||||
@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
|
||||
if (endp == NULL) {
|
||||
goto error;
|
||||
}
|
||||
- } else {
|
||||
- /* Hostnames or aliases expand to the last colon or to the end */
|
||||
+ } else if (!ignore_port) {
|
||||
+ /* Hostnames or aliases expand to the last colon (if port is requested)
|
||||
+ * or to the end */
|
||||
endp = strrchr(tok, ':');
|
||||
if (endp == NULL) {
|
||||
endp = strchr(tok, '\0');
|
||||
}
|
||||
+ } else {
|
||||
+ /* If no port is requested, expand to the end of line
|
||||
+ * (to accommodate the IPv6 addresses) */
|
||||
+ endp = strchr(tok, '\0');
|
||||
}
|
||||
if (tok == endp) {
|
||||
/* Zero-length hostnames are not valid */
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 2e73be46..676c49e7 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
|
||||
ssh_set_error_invalid(session);
|
||||
return -1;
|
||||
} else {
|
||||
- char *username = NULL, *hostname = NULL, *port = NULL;
|
||||
- rc = ssh_config_parse_uri(value, &username, &hostname, &port);
|
||||
+ char *username = NULL, *hostname = NULL;
|
||||
+ rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
|
||||
if (rc != SSH_OK) {
|
||||
return -1;
|
||||
}
|
||||
- if (port != NULL) {
|
||||
- SAFE_FREE(username);
|
||||
- SAFE_FREE(hostname);
|
||||
- SAFE_FREE(port);
|
||||
- return -1;
|
||||
- }
|
||||
if (username != NULL) {
|
||||
SAFE_FREE(session->opts.username);
|
||||
session->opts.username = username;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
||||
From 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Fri, 22 Dec 2023 09:52:18 +0100
|
||||
Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
|
||||
hostnames
|
||||
|
||||
This was an issue in cockpit:
|
||||
|
||||
https://github.com/cockpit-project/cockpit/issues/19772
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
---
|
||||
tests/unittests/torture_config.c | 49 +++++++++++++++++++++++++++++++
|
||||
tests/unittests/torture_options.c | 16 ++++++++++
|
||||
2 files changed, 65 insertions(+)
|
||||
|
||||
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
|
||||
index bc6b08f9..751aa126 100644
|
||||
--- a/tests/unittests/torture_config.c
|
||||
+++ b/tests/unittests/torture_config.c
|
||||
@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
|
||||
torture_config_make_absolute_int(state, 1);
|
||||
}
|
||||
|
||||
+static void torture_config_parse_uri(void **state)
|
||||
+{
|
||||
+ char *username = NULL;
|
||||
+ char *hostname = NULL;
|
||||
+ char *port = NULL;
|
||||
+ int rc;
|
||||
+
|
||||
+ (void)state; /* unused */
|
||||
+
|
||||
+ rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
|
||||
+ assert_return_code(rc, errno);
|
||||
+ assert_null(username);
|
||||
+ assert_string_equal(hostname, "localhost");
|
||||
+ SAFE_FREE(hostname);
|
||||
+ assert_null(port);
|
||||
+
|
||||
+ rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
|
||||
+ assert_return_code(rc, errno);
|
||||
+ assert_null(username);
|
||||
+ assert_string_equal(hostname, "1.2.3.4");
|
||||
+ SAFE_FREE(hostname);
|
||||
+ assert_null(port);
|
||||
+
|
||||
+ rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
|
||||
+ assert_return_code(rc, errno);
|
||||
+ assert_null(username);
|
||||
+ assert_string_equal(hostname, "1.2.3.4");
|
||||
+ SAFE_FREE(hostname);
|
||||
+ assert_string_equal(port, "2222");
|
||||
+ SAFE_FREE(port);
|
||||
+
|
||||
+ rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
|
||||
+ assert_return_code(rc, errno);
|
||||
+ assert_null(username);
|
||||
+ assert_string_equal(hostname, "1:2:3::4");
|
||||
+ SAFE_FREE(hostname);
|
||||
+ assert_string_equal(port, "2222");
|
||||
+ SAFE_FREE(port);
|
||||
+
|
||||
+ /* do not want port */
|
||||
+ rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
|
||||
+ assert_return_code(rc, errno);
|
||||
+ assert_null(username);
|
||||
+ assert_string_equal(hostname, "1:2:3::4");
|
||||
+ SAFE_FREE(hostname);
|
||||
+}
|
||||
+
|
||||
int torture_run_tests(void)
|
||||
{
|
||||
int rc;
|
||||
@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
|
||||
setup_no_sshdir, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(torture_config_parse_uri,
|
||||
+ setup, teardown),
|
||||
};
|
||||
|
||||
|
||||
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
|
||||
index 5ba3bdc6..b07712d8 100644
|
||||
--- a/tests/unittests/torture_options.c
|
||||
+++ b/tests/unittests/torture_options.c
|
||||
@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
|
||||
assert_non_null(session->opts.host);
|
||||
assert_string_equal(session->opts.host, "localhost");
|
||||
|
||||
+ /* IPv4 address */
|
||||
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
|
||||
+ assert_true(rc == 0);
|
||||
+ assert_non_null(session->opts.host);
|
||||
+ assert_string_equal(session->opts.host, "127.1.1.1");
|
||||
+ assert_null(session->opts.username);
|
||||
+
|
||||
+ /* IPv6 address */
|
||||
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
|
||||
+ assert_true(rc == 0);
|
||||
+ assert_non_null(session->opts.host);
|
||||
+ assert_string_equal(session->opts.host, "::1");
|
||||
+ assert_null(session->opts.username);
|
||||
+
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
|
||||
assert_true(rc == 0);
|
||||
assert_non_null(session->opts.host);
|
||||
@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
|
||||
assert_non_null(session->opts.username);
|
||||
assert_string_equal(session->opts.username, "guru");
|
||||
|
||||
+ /* more @ in uri is OK -- it should go to the username */
|
||||
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
|
||||
assert_true(rc == 0);
|
||||
assert_non_null(session->opts.host);
|
||||
assert_string_equal(session->opts.host, "hostname");
|
||||
assert_non_null(session->opts.username);
|
||||
assert_string_equal(session->opts.username, "at@login");
|
||||
+
|
||||
}
|
||||
|
||||
static void torture_options_set_ciphers(void **state) {
|
||||
--
|
||||
2.43.0
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 96d76161666b117099696afebcef2fe42ae80715 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 16 May 2023 22:55:11 +0200
|
||||
Subject: [PATCH] tests: Give the server more time handle rekey
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
Reviewed-by: Norbert Pocs <npocs@redhat.com>
|
||||
---
|
||||
tests/client/torture_rekey.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
|
||||
index ccd5ae2cf..0fc13b8b3 100644
|
||||
--- a/tests/client/torture_rekey.c
|
||||
+++ b/tests/client/torture_rekey.c
|
||||
@@ -505,7 +505,7 @@ static void torture_rekey_different_kex(void **state)
|
||||
memset(data, 'A', 128);
|
||||
for (i = 0; i < KEX_RETRY; i++) {
|
||||
ssh_send_ignore(s->ssh.session, data);
|
||||
- ssh_handle_packets(s->ssh.session, 100);
|
||||
+ ssh_handle_packets(s->ssh.session, 1000);
|
||||
|
||||
c = s->ssh.session->current_crypto;
|
||||
/* SHA256 len */
|
||||
@@ -583,7 +583,7 @@ static void torture_rekey_server_different_kex(void **state)
|
||||
memset(data, 'A', 128);
|
||||
for (i = 0; i < KEX_RETRY; i++) {
|
||||
ssh_send_ignore(s->ssh.session, data);
|
||||
- ssh_handle_packets(s->ssh.session, 100);
|
||||
+ ssh_handle_packets(s->ssh.session, 1000);
|
||||
|
||||
c = s->ssh.session->current_crypto;
|
||||
/* SHA256 len */
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
51
libssh.spec
51
libssh.spec
|
@ -1,8 +1,8 @@
|
|||
Name: libssh
|
||||
Version: 0.10.4
|
||||
Release: 1.0.riscv64%{?dist}
|
||||
Version: 0.10.6
|
||||
Release: 2.0.riscv64%{?dist}
|
||||
Summary: A library implementing the SSH protocol
|
||||
License: LGPLv2+
|
||||
License: LGPL-2.1-or-later
|
||||
URL: http://www.libssh.org
|
||||
|
||||
Source0: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
|
||||
|
@ -10,6 +10,9 @@ Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
|
|||
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
|
||||
Source3: libssh_client.config
|
||||
Source4: libssh_server.config
|
||||
Patch1: libssh-0.10.6-rekey-timeout.patch
|
||||
# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431
|
||||
Patch2: libssh-0.10.6-ipv6-hostname.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: gcc-c++
|
||||
|
@ -23,9 +26,13 @@ BuildRequires: pam_wrapper
|
|||
BuildRequires: socket_wrapper
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: priv_wrapper
|
||||
BuildRequires: openssh-clients
|
||||
BuildRequires: openssh-server
|
||||
BuildRequires: nmap-ncat
|
||||
BuildRequires: openssl-pkcs11
|
||||
BuildRequires: softhsm
|
||||
BuildRequires: gnutls-utils
|
||||
|
||||
Requires: %{name}-config = %{version}-%{release}
|
||||
|
||||
|
@ -48,6 +55,7 @@ third-party programs others than libcrypto (from openssl).
|
|||
%package devel
|
||||
Summary: Development files for %{name}
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Requires: cmake-filesystem
|
||||
|
||||
%description devel
|
||||
The %{name}-devel package contains libraries and header files for developing
|
||||
|
@ -70,6 +78,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
|||
-DUNIT_TESTING=ON \
|
||||
-DCLIENT_TESTING=ON \
|
||||
-DSERVER_TESTING=ON \
|
||||
-DWITH_PKCS11_URI=ON \
|
||||
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
||||
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
||||
|
||||
|
@ -104,11 +113,11 @@ popd
|
|||
%check
|
||||
# Tests are randomly failing when run in parallel
|
||||
%global _smp_build_ncpus 1
|
||||
%ifnarch riscv64
|
||||
%ctest
|
||||
%else
|
||||
%ctest || :
|
||||
%ifarch i686
|
||||
# The test torture_packet fails now on i686 arch on rawhide
|
||||
%global libssh_ctest_args -E torture_packet
|
||||
%endif
|
||||
%ctest %{?libssh_ctest_args}
|
||||
|
||||
%files
|
||||
%doc AUTHORS BSD CHANGELOG README
|
||||
|
@ -118,8 +127,6 @@ popd
|
|||
|
||||
%files devel
|
||||
%{_includedir}/libssh/
|
||||
# own this to avoid dep on cmake -- rex
|
||||
%dir %{_libdir}/cmake/
|
||||
%{_libdir}/cmake/libssh/
|
||||
%{_libdir}/pkgconfig/libssh.pc
|
||||
%{_libdir}/libssh.so
|
||||
|
@ -131,8 +138,30 @@ popd
|
|||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||
|
||||
%changelog
|
||||
* Mon Sep 12 2022 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.4-1.0.riscv64
|
||||
- Ignore tests failures on riscv64
|
||||
* Tue Jan 09 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-2.0.riscv64
|
||||
- Add riscv64
|
||||
|
||||
* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
|
||||
- Fix regression in IPv6 hosntames parsing
|
||||
|
||||
* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
|
||||
- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
|
||||
- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
|
||||
- Have libssh-devel require cmake-filesystem
|
||||
|
||||
* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
|
||||
- Update License to SPDX expression
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
|
||||
- Enable pkcs11 support
|
||||
|
||||
* Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
|
||||
- Update to version 0.10.4
|
||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (libssh-0.10.4.tar.xz) = 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed
|
||||
SHA512 (libssh-0.10.4.tar.xz.asc) = 8200215d6471851dac8cd8efd07400b9bc4403cf5406a9fdb28a68ef8fe85c227f92a26071fb32d9396b91661568333b5ceb9b23665d22e761b981dd880bbbc8
|
||||
SHA512 (libssh-0.10.6.tar.xz) = 40c62d63c44e882999b71552c237d73fc7364313bd00b15a211a34aeff1b73693da441d2c8d4e40108d00fb7480ec7c5b6d472f9c0784b2359a179632ab0d6c1
|
||||
SHA512 (libssh-0.10.6.tar.xz.asc) = 214d7920bebc80a8e6838c64ed06e070709a96fabfb4fff657b55f9588bc0e1612887fe887d23de73ad3540f3bb85288e62eb6a11ccd4bc80afbd44d34ba70d4
|
||||
|
|
Loading…
Reference in New Issue