aboutsummaryrefslogtreecommitdiff
path: root/crypto/openssh/regress/misc
diff options
context:
space:
mode:
authorEd Maste <emaste@FreeBSD.org>2022-10-19 14:27:11 +0000
committerEd Maste <emaste@FreeBSD.org>2022-10-19 14:27:11 +0000
commit38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 (patch)
tree19efd716d56fca37802e8c6c6ebec2e873b3786a /crypto/openssh/regress/misc
parentaf3297898720af2f2ed18d18d45ea6bf50d55ef1 (diff)
parent56fae06595918644df9cfd2f285777195c8d29b8 (diff)
downloadsrc-38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3.tar.gz
src-38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3.zip
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'crypto/openssh/regress/misc')
-rw-r--r--crypto/openssh/regress/misc/fuzz-harness/Makefile5
-rw-r--r--crypto/openssh/regress/misc/fuzz-harness/authkeys_fuzz.cc81
-rw-r--r--crypto/openssh/regress/misc/sk-dummy/sk-dummy.c2
3 files changed, 86 insertions, 2 deletions
diff --git a/crypto/openssh/regress/misc/fuzz-harness/Makefile b/crypto/openssh/regress/misc/fuzz-harness/Makefile
index 3938ac853d31..0b4238fd39a4 100644
--- a/crypto/openssh/regress/misc/fuzz-harness/Makefile
+++ b/crypto/openssh/regress/misc/fuzz-harness/Makefile
@@ -11,7 +11,7 @@ LIBS=-lssh -lopenbsd-compat -lmd -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
SK_NULL_OBJS=ssh-sk-null.o
COMMON_DEPS=../../../libssh.a
-TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz authkeys_fuzz sshsig_fuzz \
sshsigopt_fuzz privkey_fuzz kex_fuzz agent_fuzz
all: $(TARGETS)
@@ -28,6 +28,9 @@ sig_fuzz: sig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
authopt_fuzz: authopt_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
$(CXX) -o $@ authopt_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
+authkeys_fuzz: authkeys_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
+ $(CXX) -o $@ authkeys_fuzz.o $(SK_NULL_OBJS) ../../../auth-options.o ../../../auth2-pubkeyfile.o $(LDFLAGS) $(LIBS)
+
sshsig_fuzz: sshsig_fuzz.o $(SK_NULL_OBJS) $(COMMON_DEPS)
$(CXX) -o $@ sshsig_fuzz.o $(SK_NULL_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
diff --git a/crypto/openssh/regress/misc/fuzz-harness/authkeys_fuzz.cc b/crypto/openssh/regress/misc/fuzz-harness/authkeys_fuzz.cc
new file mode 100644
index 000000000000..8b3e54e543d8
--- /dev/null
+++ b/crypto/openssh/regress/misc/fuzz-harness/authkeys_fuzz.cc
@@ -0,0 +1,81 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <unistd.h>
+
+extern "C" {
+
+#include "hostfile.h"
+#include "auth.h"
+#include "auth-options.h"
+#include "sshkey.h"
+
+// testdata/id_ed25519.pub and testdata/id_ed25519-cert.pub
+const char *pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPQXmEVMVLmeFRyafKMVWgPDkv8/uRBTwmcEDatZzMD";
+const char *certtext = "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIMDQjYH6XRzH3j3MW1DdjCoAfvrHfgjnVGF+sLK0pBfqAAAAIDPQXmEVMVLmeFRyafKMVWgPDkv8/uRBTwmcEDatZzMDAAAAAAAAA+sAAAABAAAAB3VseXNzZXMAAAAXAAAAB3VseXNzZXMAAAAIb2R5c3NldXMAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgM9BeYRUxUuZ4VHJp8oxVaA8OS/z+5EFPCZwQNq1nMwMAAABTAAAAC3NzaC1lZDI1NTE5AAAAQBj0og+s09/HpwdHZbzN0twooKPDWWrxGfnP1Joy6cDnY2BCSQ7zg9vbq11kLF8H/sKOTZWAQrUZ7LlChOu9Ogw= id_ed25519.pub";
+
+// stubs
+void auth_debug_add(const char *fmt,...)
+{
+}
+
+void
+auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
+{
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ char *tmp, *o, *cp = (char *)malloc(size + 1 + strlen(pubkey) + 1);
+ struct sshauthopt *opts = NULL;
+ struct passwd *pw = getpwuid(getuid());
+ static struct sshkey *key, *cert;
+
+ if (key == NULL) {
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL ||
+ (cert = sshkey_new(KEY_UNSPEC)) == NULL)
+ abort();
+ if ((o = tmp = strdup(pubkey)) == NULL ||
+ sshkey_read(key, &tmp) != 0)
+ abort();
+ free(o);
+ if ((o = tmp = strdup(certtext)) == NULL ||
+ sshkey_read(cert, &tmp) != 0)
+ abort();
+ free(o);
+ }
+ if (cp == NULL || pw == NULL || key == NULL || cert == NULL)
+ abort();
+
+ // Cleanup whitespace at input EOL.
+ for (; size > 0 && strchr(" \t\r\n", data[size - 1]) != NULL; size--) ;
+
+ // Append a pubkey that will match.
+ memcpy(cp, data, size);
+ cp[size] = ' ';
+ memcpy(cp + size + 1, pubkey, strlen(pubkey) + 1);
+
+ // Try key.
+ if ((tmp = strdup(cp)) == NULL)
+ abort();
+ (void) auth_check_authkey_line(pw, key, tmp, "127.0.0.1", "localhost",
+ "fuzz", &opts);
+ free(tmp);
+ sshauthopt_free(opts);
+
+ // Try cert.
+ if ((tmp = strdup(cp)) == NULL)
+ abort();
+ (void) auth_check_authkey_line(pw, cert, tmp, "127.0.0.1", "localhost",
+ "fuzz", &opts);
+ free(tmp);
+ sshauthopt_free(opts);
+
+ free(cp);
+ return 0;
+}
+
+} // extern "C"
diff --git a/crypto/openssh/regress/misc/sk-dummy/sk-dummy.c b/crypto/openssh/regress/misc/sk-dummy/sk-dummy.c
index a10c0be281b1..ad5e4745237d 100644
--- a/crypto/openssh/regress/misc/sk-dummy/sk-dummy.c
+++ b/crypto/openssh/regress/misc/sk-dummy/sk-dummy.c
@@ -59,7 +59,7 @@
/* #define SK_DEBUG 1 */
-#if SSH_SK_VERSION_MAJOR != 0x00090000
+#if SSH_SK_VERSION_MAJOR != 0x000a0000
# error SK API has changed, sk-dummy.c needs an update
#endif