Commit Graph

11935 Commits

Author SHA1 Message Date
Darren Tucker fdbd5bf507 Test hostbased auth on github runners. 2022-08-10 17:37:58 +10:00
Darren Tucker 7e2f51940b Rename our getentropy to prevent possible loops.
Since arc4random seeds from getentropy, and we use OpenSSL for that
if enabled, there's the possibility that if we build on a system that
does not have getentropy then run on a system that does have it, then
OpenSSL could end up calling our getentropy and getting stuck in a loop.
Pointed out by deraadt@, ok djm@
2022-08-10 17:36:44 +10:00
Darren Tucker 7a01f61be8 Actually put HAVE_STDINT_H around the stdint.h. 2022-08-08 12:17:04 +10:00
Darren Tucker 73541f29f0 Give unused param a name.
Fixes builds on platforms that do have fido2 but don't have
fido_dev_is_winhello.
2022-08-08 10:32:27 +10:00
djm@openbsd.org 2a108c0ea9 upstream: don't prompt for FIDO passphrase before attempting to enroll
the credential, just let the enroll operating fail and we'll attempt to get a
PIN anyway. Might avoid some unneccessary PIN prompts.

Part of GHPR#302 from Corinna Vinschen; ok dtucker@

OpenBSD-Commit-ID: bd5342ffc353ee37d39617906867c305564d1ce2
2022-08-05 15:03:40 +10:00
Corinna Vinschen 2886975c0a sk_sign: set FIDO2 uv attribute explicitely for WinHello
WinHello via libfido2 performs user verification by default.
However, if we stick to that, there's no way to differentiate
between keys created with or without "-O  verify-required".
Set FIDO2 uv attribute explicitely to FIDO_OPT_FALSE, then check
if user verification has been requested.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2022-08-05 14:44:03 +10:00
Corinna Vinschen 242c044ab1 check_sk_options: add temporary WinHello workaround
Up to libfido 1.10.0, WinHello advertises "clientPin" rather
than "uv" capability.  This is fixed in 1.11.0.  For the time
being, workaround it here.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2022-08-05 14:42:10 +10:00
Corinna Vinschen 78774c08cc compat code for fido_dev_is_winhello()
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2022-08-05 14:39:05 +10:00
Darren Tucker 3d3a932a01 Factor out getrnd() and rename to getentropy().
Factor out the arc4random seeding into its own file and change the
interface to match getentropy.  Use native getentropy if available.
This will make it easier to resync OpenBSD changes to arc4random.
Prompted by bz#3467, ok djm@.
2022-08-05 13:12:27 +10:00
Darren Tucker 9385d277b7 Include CHANNEL and FIDO2 libs in configure output 2022-08-04 22:02:04 +10:00
djm@openbsd.org 141535b904 upstream: avoid double-free in error path introduced in r1.70; report
and fix based on GHPR#332 by v-rzh ok dtucker@

OpenBSD-Commit-ID: 3d21aa127b1f37cfc5bdc21461db369a663a951f
2022-08-01 21:11:33 +10:00
Darren Tucker dba7099ffc Remove deprecated MacOS 10.15 runners. 2022-07-27 18:40:12 +10:00
Darren Tucker 722a56439a Move stale-configure check as early as possible.
We added a check in Makefile to catch the case where configure needs to
be rebuilt, however this did not happen until a build was attempted in
which case all of the work done by configure was wasted.  Move this check
 to the start of configure to catch it as early as possible.  ok djm@
2022-07-27 18:31:14 +10:00
Darren Tucker 099d6b5628 Move libcrypto into CHANNELLIBS.
This will result in sftp, sftp-server and scp no longer being linked
against libcrypto.  ok djm@
2022-07-27 16:22:39 +10:00
Darren Tucker 1bdf86725b Remove seed_rng calls from scp, sftp, sftp-server.
These binaries don't use OpenSSL's random functions.  The next step
will be to stop linking them against libcrypto.  ok djm@
2022-07-27 16:22:30 +10:00
Darren Tucker d73f77b8cb Group libcrypto and PRNGD checks together.
They're related more than the libcrypt or libiaf checks which are
currently between them.  ok djm@
2022-07-27 16:22:12 +10:00
Darren Tucker f117e372b3 Do not link scp, sftp and sftp-server w/ zlib.
Some of our binaries (eg sftp, sftp-server, scp) do not interact with
the channels code and thus do use libraries such as zlib and libcrypto
although they are linked with them.  This adds a CHANNELLIBS and starts
by moving zlib into it, which means the aformentioned binaries are no
longer linked against zlib.  ok djm@
2022-07-27 16:22:03 +10:00
Darren Tucker 800c2483e6 Remove workarounds for OpenSSL missing AES-CTR.
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES CTR mode.  Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have CTR, so this is no longer needed.  ok djm@
2022-07-25 21:49:04 +10:00
Darren Tucker b7c56b65c1 Remove workarounds for OpenSSL missing AES-GCM.
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode.  Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed.  ok djm@
2022-07-25 21:43:00 +10:00
dtucker@openbsd.org 5a4a9f7a96 upstream: Restore missing "!" in TEST_SSH_ELAPSED_TIMES test.
OpenBSD-Regress-ID: 38783f9676ec348c5a792caecee9a16e354b37b0
2022-07-25 17:33:44 +10:00
dtucker@openbsd.org 0ff886be13 upstream: Test TEST_SSH_ELAPSED_TIMES for empty string not
executable.  No-op on most platforms but should prevent warnings in -portable
on systems that don't have 'date %s'.

OpenBSD-Regress-ID: e39d79867b8065e33d0c5926fa1a31f85659d2a4
2022-07-25 11:05:27 +10:00
Darren Tucker f69319ad8a Convert "have_prog" function into "which".
"which" and its behaviour is not standardized, so convert the existing
have_prog function into "which" so we can rely on it being available
and what its semantics are.  Add a have_prog wrapper that maintains the
existing behaviour.
2022-07-23 14:40:49 +10:00
Darren Tucker ea7ecc2c3a Skip scp3 test if there's no scp on remote path.
scp -3 ends up using the scp that's in the remote path and will fail if
one is not available.  Based on a patch from rapier at psc.edu.
2022-07-23 14:36:38 +10:00
Damien Miller c46f6fed41 crank SSH_SK_VERSION_MAJOR in sk-dummy.so 2022-07-20 13:39:14 +10:00
djm@openbsd.org f208e3b9ff upstream: ssh-keygen: fix touch prompt, pin retries;
part of GHPR329 from Pedro Martelletto

OpenBSD-Commit-ID: 75d1005bd2ef8f29fa834c90d2684e73556fffe8
2022-07-20 13:38:48 +10:00
djm@openbsd.org 8638a2ce7e upstream: sk-usbhid: preserve error code returned by key_lookup()
it conveys useful information, such as the supplied pin being wrong.

Part of GHPR329 from Pedro Martelletto

OpenBSD-Commit-ID: c0647eb9290f793add363d81378439b273756c1b
2022-07-20 13:38:47 +10:00
djm@openbsd.org 9ab929ca2d upstream: when enrolling a resident key on a security token, check
if a credential with matching application and user ID strings already exists.
if so, prompt the user for confirmation before overwriting the credential.

patch from Pedro Martelletto via GHPR329

NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware
implementations will need to adjust

OpenBSD-Commit-ID: e45e9f1bf2b2f32d9850669e7a8dbd64acc5fca4
2022-07-20 13:38:47 +10:00
djm@openbsd.org 5bcfc788b3 upstream: pull passphrase reading and confirmation into a separate
function so it can be used for FIDO2 PINs; no functional change

OpenBSD-Commit-ID: bf34f76b8283cc1d3f54633e0d4f13613d87bb2f
2022-07-20 13:18:53 +10:00
Darren Tucker eb679e2959 Move vmshutdown to first step.
If a previous run on a physical runner has failed to clean up, the next
run will fail because it'll try to check out the code to a broken
directory mount.  Make cleanup the first step.
2022-07-15 21:31:48 +10:00
Darren Tucker 46b91b70ff Rename bbone test target to ARM. 2022-07-15 20:25:27 +10:00
Darren Tucker 751d22cdef Add AUDIT_ARCH_PPC to supported seccomp arches.
Patch from dries.deschout at dodeco.eu.
2022-07-15 13:37:29 +10:00
Darren Tucker a061792a6e Remove unintended changes.
I inadvertently included a couple of local changes with the OpenSSL
3.0.4 change.  Revert, anything that should be there will be committed
separately.
2022-07-14 19:22:47 +10:00
Darren Tucker 527cb43fa1 Return ERANGE from getcwd() if buffer size is 1.
If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
could result in a nul byte being written out of array bounds.  POSIX says
it should return ERANGE if the path will not fit in the available buffer
(with terminating nul). 1 byte cannot fit any possible path with its nul,
so immediately return ERANGE in that case.

OpenSSH never uses getcwd() with this buffer size, and all current
(and even quite old) platforms that we are currently known to work
on have a native getcwd() so this code is not used on those anyway.
Reported by Qualys, ok djm@
2022-07-14 11:22:08 +10:00
Darren Tucker 36857fefd8 Split README.platform into its own line.
README.platform has general platform-specific information, having it
following text about FIDO2 on the same line could imply that it only
has information about FIDO2.
2022-07-14 10:02:35 +10:00
Darren Tucker 00a496c6c1 Clarify README.md text.
Clarify the text about the implications of building without OpenSSL, and
prefix the "configure --help" example command with a "./" so it's likely
to work as-is in more shells.  From bz#3461.
2022-07-14 09:56:01 +10:00
Darren Tucker f40b52f21f Remove special casing of crypt().
Configure goes to some lengths to pick crypt() from either libcrypt
or OpenSSL's libcrypto because they can more or less featureful (eg
supporting md5-style passwords).

OpenSSL removed its crypt() interface in 2002:
https://github.com/openssl/openssl/commit/69deec58 so these hijinks
should no longer be necessary.  This also only links sshd with libcrypt
which is the only thing that needs it.  ok djm@
2022-07-13 18:41:38 +10:00
Darren Tucker 76f4e48631 Only refuse to use OpenSSL 3.0.4 on x86_64.
The potential RCE only impacts x86_64, so only refuse to use it if we're
targetting a potentially impacted architecture.  ok djm@
2022-07-13 13:17:47 +10:00
Darren Tucker e75bbc1d88 Capture stderr output from configure. 2022-07-12 14:37:15 +10:00
Darren Tucker d9eaea4bea Refuse to use OpenSSL 3.0.4 due to potential RCE.
OpenSSL has a potential RCE in its RSA implementation (CVE-2022-2274)
so refuse to use that specific version.
2022-07-12 12:54:49 +10:00
Darren Tucker fb2f3a61bf Move unset to before we set anything. 2022-07-12 12:54:24 +10:00
Darren Tucker c483a5c0fb Test against openssl-3.0.5. 2022-07-06 11:52:54 +10:00
Darren Tucker 669a56bcfe Update sanitizer test targets:
- remove clang-sanitize-memory for now.  It takes so long that the test
   times out.
 - add gcc sanitize-address and sanitize-undefined test targets.
2022-07-05 18:35:53 +10:00
Darren Tucker 48cc68b691 Add GCC address sanitizer build/test. 2022-07-05 18:30:10 +10:00
Darren Tucker 55c60bdd39 Move sanitizer logs into regress for collection. 2022-07-05 18:30:10 +10:00
dtucker@openbsd.org 35ef2b3b6e upstream: Add TEST_REGRESS_CACHE_DIR.
If set, it is used to cache regress test names that have succeeded and
skip those on a re-run.

OpenBSD-Regress-ID: a7570dd29a58df59f2cca647c3c2ec989b49f247
2022-07-04 19:41:06 +10:00
Darren Tucker 7394ed80c4 Add clang sanitizer tests. 2022-07-03 22:53:44 +10:00
Darren Tucker bfce0e66b6 Skip all rlimit tests when sandboxing disabled.
The rlimit tests can hang when being run with some compiler sanitizers
so skip all of them if sandbox=no.
2022-07-03 18:14:09 +10:00
Darren Tucker 6208d61152 Move checks for pollfd.fd and nfds_t.
Move the checks for struct pollfd.fd and nfds_t to before the sandboxing
checks.  This groups all the sandbox checks together so we can skip them
all when sandboxing is disabled.
2022-07-03 17:54:49 +10:00
dtucker@openbsd.org 322964f8f2 upstream: Remove leftover line.
Remove extra line leftover from merge conflict. ok djm@

OpenBSD-Commit-ID: 460e2290875d7ae64971a7e669c244b1d1c0ae2e
2022-07-01 16:00:17 +10:00
djm@openbsd.org 7ec81daad0 upstream: use consistent field names (s/char/byte)
in format description

OpenBSD-Commit-ID: 3de33572733ee7fcfd7db33d37db23d2280254f0
2022-07-01 16:00:01 +10:00