diff --git a/backport-Fix-a-memcmp-errors-in-code-that-was-changed-from-me.patch b/backport-Fix-a-memcmp-errors-in-code-that-was-changed-from-me.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4cd4931062b1df4a13c4645c8a5fcd2d6827092a
--- /dev/null
+++ b/backport-Fix-a-memcmp-errors-in-code-that-was-changed-from-me.patch
@@ -0,0 +1,41 @@
+From 13ad7b2f5cd67e0dc843098ce19ce8b208368c29 Mon Sep 17 00:00:00 2001
+From: Michael Buckley
+Date: Thu, 6 Jan 2022 13:56:22 -0800
+Subject: [PATCH] Fix a memcmp errors in code that was changed from memmem to
+ memcmp (#656)
+
+Notes:
+Fixed supported algo prefs list check when upgrading rsa keys
+
+Credit: Michael Buckley
+Conflict:NA
+Reference:https://github.com/libssh2/commit/13ad7b2f5cd67e0dc843098ce19ce8b208368c29
+---
+ src/userauth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 988dc17..29f58ba 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1147,7 +1147,7 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session,
+ f = strchr(a, ',');
+ f_len = f ? (f - a) : (int) strlen(a);
+
+- if(f_len == p_len && memcmp(a, s, p_len)) {
++ if(f_len == p_len && memcmp(a, s, p_len) == 0) {
+
+ if(i != filtered_algs) {
+ memcpy(i, ",", 1);
+@@ -1185,7 +1185,7 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session,
+ f = strchr(a, ',');
+ f_len = f ? (f - a) : (int) strlen(a);
+
+- if(f_len == p_len && memcmp(a, s, p_len)) {
++ if(f_len == p_len && memcmp(a, s, p_len) == 0) {
+ /* found a match, upgrade key method */
+ match = s;
+ match_len = p_len;
+--
+2.23.0
+
diff --git a/backport-Legacy-Agent-support-for-rsa2-key-upgrading-downgrad.patch b/backport-Legacy-Agent-support-for-rsa2-key-upgrading-downgrad.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1a0837111d4c27c6657dde81ad70c6b71752bd0
--- /dev/null
+++ b/backport-Legacy-Agent-support-for-rsa2-key-upgrading-downgrad.patch
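Review bot: The corrected test `f_len == p_len && memcmp(a, s, p_len) == 0` is still written out twice, once in each loop of _libssh2_key_sign_algorithm (the hunks at 1147 and 1185), and only the second copy carries a comment saying what a true result means. Because the defect here was memcmp's "zero means equal" convention being read as a boolean, I would move the comparison into one small static helper whose name states the intent, with a body of `return a_len == b_len && memcmp(a, b, (size_t)a_len) == 0;`, and call it from both loops. The parameter types should follow `f_len` and `p_len`, whose declarations are outside the hunks, as is the rest of the function.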
@@ -0,0 +1,172 @@
+From de7a74aff24c47b2f2e9815f0a98598195d602e4 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Fri, 14 Jan 2022 11:55:18 -0800
+Subject: [PATCH] Legacy Agent support for rsa2 key upgrading/downgrading #659
+ (#662)
+
+Files: libssh2.h, agent.c, userauth.c
+
+Notes:
+Part 2 of the fix for #659. This adds rsa key downgrading for agents that don't support sha2 upgrading. It also adds better trace output for debugging/logging around key upgrading.
+
+Credit:
+Will Cosgrove (signed off by Michael Buckley)
+
+Conflict:NA
+Reference:https://github.com/libssh2/commit/de7a74aff24c47b2f2e9815f0a98598195d602e4
+---
+ include/libssh2.h | 1 +
+ src/agent.c | 27 +++++++++++++++++++++++++++
+ src/userauth.c | 43 ++++++++++++++++++++++++++++++++++---------
+ 3 files changed, 62 insertions(+), 9 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 20ba548..15dda6f 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -508,5 +508,6 @@ typedef struct _LIBSSH2_POLLFD {
+ #define LIBSSH2_ERROR_KEYFILE_AUTH_FAILED -48
+ #define LIBSSH2_ERROR_RANDGEN -49
++#define LIBSSH2_ERROR_ALGO_UNSUPPORTED -51
+
+ /* this is a define to provide the old (<= 1.2.7) name */
+ #define LIBSSH2_ERROR_BANNER_NONE LIBSSH2_ERROR_BANNER_RECV
+diff --git a/src/agent.c b/src/agent.c
+index bce7175..4ed79ac 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -379,6 +379,7 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
+ ssize_t method_len;
+ unsigned char *s;
+ int rc;
++ unsigned char *method_name = NULL;
+ uint32_t sign_flags = 0;
+
+ /* Create a request to sign the data */
+@@ -465,8 +466,28 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
+ rc = LIBSSH2_ERROR_AGENT_PROTOCOL;
+ goto error;
+ }
++
++ /* method name */
++ method_name = LIBSSH2_ALLOC(session, method_len);
++ if(!method_name) {
++ rc = LIBSSH2_ERROR_ALLOC;
++ goto error;
++ }
++ memcpy(method_name, s, method_len);
+ s += method_len;
+
++ /*
check to see if we match requested */
++ if((size_t)method_len != session->userauth_pblc_method_len ||
++ memcmp(method_name, session->userauth_pblc_method, method_len)) {
++ _libssh2_debug(session,
++ LIBSSH2_TRACE_KEX,
++ "Agent sign method %.*s",
++ method_len, method_name);
++
++ rc = LIBSSH2_ERROR_ALGO_UNSUPPORTED;
++ goto error;
++ }
++
+ /* Read the signature */
+ len -= 4;
+ if(len < 0) {
+@@ -489,12 +510,18 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
+ memcpy(*sig, s, *sig_len);
+
+ error:
++
++ if(method_name)
++ LIBSSH2_FREE(session, method_name);
++
+ LIBSSH2_FREE(session, transctx->request);
+ transctx->request = NULL;
+
+ LIBSSH2_FREE(session, transctx->response);
+ transctx->response = NULL;
+
++ transctx->state = agent_NB_state_init;
++
+ return _libssh2_error(session, rc, "agent sign failure");
+ }
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 84285bf..59b76ca 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1283,9 +1283,6 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session,
+ if(key_method) {
+ memcpy(*key_method, match, match_len);
+ *key_method_len = match_len;
+-
+- _libssh2_debug(session, LIBSSH2_TRACE_KEX,
+- "Signing using %.*s", match_len, match);
+ }
+ else {
+ *key_method_len = 0;
+@@ -1321,6 +1318,10 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
+ };
+ int rc;
+ unsigned char *s;
++ int auth_attempts = 0;
++
++ retry_auth:
++ auth_attempts++;
+
+ if(session->userauth_pblc_state == libssh2_NB_state_idle) {
+
+@@ -1364,13 +1365,26 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
+ session->userauth_pblc_method_len);
+ }
+
+- /* upgrade key key signing algo needed */
+- rc = _libssh2_key_sign_algorithm(session,
+- &session->userauth_pblc_method,
+- &session->userauth_pblc_method_len);
++ /* upgrade key signing algo if it is supported and
++ * it is our first auth attempt, otherwise fallback to
++ * the key default algo */
++ if(auth_attempts == 1) {
++ rc =
_libssh2_key_sign_algorithm(session,
++ &session->userauth_pblc_method,
++ &session->userauth_pblc_method_len);
+
+- if(rc)
+- return rc;
++ if(rc)
++ return rc;
++ }
++
++ if(session->userauth_pblc_method_len &&
++ session->userauth_pblc_method) {
++ _libssh2_debug(session,
++ LIBSSH2_TRACE_KEX,
++ "Signing using %.*s",
++ session->userauth_pblc_method_len,
++ session->userauth_pblc_method);
++ }
+
+ /*
+ * 45 = packet_type(1) + username_len(4) + servicename_len(4) +
+@@ -1528,6 +1542,17 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
+ return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
+ "Would block");
+ }
++ else if(rc == LIBSSH2_ERROR_ALGO_UNSUPPORTED && auth_attempts == 1) {
++ /* try again with the default key algo */
++ LIBSSH2_FREE(session, session->userauth_pblc_method);
++ session->userauth_pblc_method = NULL;
++ LIBSSH2_FREE(session, session->userauth_pblc_packet);
++ session->userauth_pblc_packet = NULL;
++ session->userauth_pblc_state = libssh2_NB_state_idle;
++
++ rc = LIBSSH2_ERROR_NONE;
++ goto retry_auth;
++ }
+ else if(rc) {
+ LIBSSH2_FREE(session, session->userauth_pblc_method);
+ session->userauth_pblc_method = NULL;
+--
+2.23.0
+
diff --git a/backport-NULL-terminate-server_sign_algorithms-string-669.patch b/backport-NULL-terminate-server_sign_algorithms-string-669.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b3d38573450ace4af5d74fcff8a6bf4bcd50a09e
--- /dev/null
+++ b/backport-NULL-terminate-server_sign_algorithms-string-669.patch
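Review bot: In the agent.c hunk at 465 the new trace call passes `method_len`, declared `ssize_t` in the hunk at 379, as the precision argument of `%.*s`, which must be an `int`; where `ssize_t` is wider than `int` that is a varargs type mismatch, and the call should read `(int)method_len, method_name);`. The relocated "Signing using %.*s" call in userauth.c passes `session->userauth_pblc_method_len` the same way, and the `(size_t)method_len` comparison in agent.c suggests that field is a `size_t`, so it likely needs the same cast. Separately, `auth_attempts` is a stack local in _libssh2_userauth_publickey, so it restarts at zero if the function is re-entered after returning LIBSSH2_ERROR_EAGAIN; it is worth confirming that the downgrade retry still happens at most once in non-blocking mode. Both function bodies extend beyond the hunks, so these points rest only on the lines shown.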
@@ -0,0 +1,58 @@
+From 2a2aaed3b6c3c1dc25e35e11afcfb23f88a18510 Mon Sep 17 00:00:00 2001
+From: tihmstar
+Date: Thu, 3 Feb 2022 19:11:36 +0100
+Subject: [PATCH] NULL terminate server_sign_algorithms string (#669)
+
+files: packet.c, libssh2_priv.h
+
+notes:
+* Fix heap buffer overflow in _libssh2_key_sign_algorithm
+
+When allocating `session->server_sign_algorithms` which is a `char*` is is important to also allocate space for the string-terminating null byte at the end and make sure the string is actually null terminated.
+
+Without this fix, the `strchr()` call inside the `_libssh2_key_sign_algorithm` (line 1219) function will try to parse the string and go out of buffer on the last invocation.
+
+Credit: tihmstar
+Co-authored-by: Will Cosgrove
+
+Conflict:NA
+Reference:https://github.com/libssh2/commit/2a2aaed3b6c3c1dc25e35e11afcfb23f88a18510
+---
+ src/libssh2_priv.h | 1 -
+ src/packet.c | 4 ++--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index f218a83..be16ad2 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -642,7 +642,6 @@ struct _LIBSSH2_SESSION
+
+ /* public key algorithms accepted as comma separated list */
+ char *server_sign_algorithms;
+- size_t server_sign_algorithms_len;
+
+ /* key signing algorithm preferences -- NULL yields server order */
+ char *sign_algo_prefs;
+diff --git a/src/packet.c b/src/packet.c
+index 686be5c..c3756a8 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -665,12 +665,12 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ session->server_sign_algorithms =
+ LIBSSH2_ALLOC(session,
+- value_len);
++ value_len + 1);
+
+ if(session->server_sign_algorithms) {
+- session->server_sign_algorithms_len = value_len;
+ memcpy(session->server_sign_algorithms,
+ value, value_len);
++ session->server_sign_algorithms[value_len] = '\0';
+ }
+ else {
+ rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+--
+2.23.0
+
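Review bot: With `server_sign_algorithms_len` removed in libssh2_priv.h, every reader of `server_sign_algorithms` now depends on the terminator written in packet.c, but the field comment still says only "comma separated list". I would extend it to `/* public key algorithms accepted as comma separated list; NUL-terminated copy of the server-supplied value */` so the invariant is recorded where the field is declared. Because the bytes come from the peer, an embedded NUL would make string functions see a shorter list than the `value_len` bytes copied; that looks like harmless truncation, but it is worth a comment next to the memcpy. The check that bounds `value_len` before `value_len + 1` is outside the hunk.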
diff --git a/backport-Skip-leading-r-and-n-characters-in-banner_receive-76.patch b/backport-Skip-leading-r-and-n-characters-in-banner_receive-76.patch
new file mode 100644
index 0000000000000000000000000000000000000000..15ed7a8ff2f775944d469d4f10b8ff2d66dc697f
--- /dev/null
+++ b/backport-Skip-leading-r-and-n-characters-in-banner_receive-76.patch
@@ -0,0 +1,33 @@
+From 821d50dad313b53fb2782f26aec1f52f1be34fc0 Mon Sep 17 00:00:00 2001
+From: Michael Buckley
+Date: Wed, 9 Nov 2022 15:56:22 -0800
+Subject: [PATCH] Skip leading \r and \n characters in banner_receive() (#769)
+
+Fixes #768
+
+Credit:
+Michael Buckley
+Conflict:NA
+Reference:https://github.com/libssh2/commit/821d50dad313b53fb2782f26aec1f52f1be34fc0
+---
+ src/session.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/session.c b/src/session.c
+index 3549152..235ab95 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -147,6 +147,10 @@ banner_receive(LIBSSH2_SESSION * session)
+ return LIBSSH2_ERROR_SOCKET_DISCONNECT;
+ }
+
++ if((c == '\r' || c == '\n') && banner_len == 0) {
++ continue;
++ }
++
+ if(c == '\0') {
+ /* NULLs are not allowed in SSH banners */
+ session->banner_TxRx_state = libssh2_NB_state_idle;
+--
+2.23.0
+
diff --git a/backport-free-RSA2-related-memory-664.patch b/backport-free-RSA2-related-memory-664.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3f0230bac55db065141ed4cea14b2cdc6f7fe247
--- /dev/null
+++ b/backport-free-RSA2-related-memory-664.patch
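Review bot: The added `continue` in banner_receive() discards leading `\r` and `\n` bytes while `banner_len` stays 0, so nothing visible in this hunk counts or limits them. If the enclosing loop is bounded only by `banner_len`, a peer that sends nothing but line endings is never rejected. I would cap the number of skipped bytes inside the new branch, for example `if(++skipped > MAX_LEADING_EOL) return LIBSSH2_ERROR_BANNER_RECV;`, where `skipped` and `MAX_LEADING_EOL` are new names that would need declaring, and reset `session->banner_TxRx_state` before returning as the NUL branch below does. The loop header is outside the hunk, so check it before deciding whether the cap is needed.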
@@ -0,0 +1,32 @@
+From 30fc410b972e6dec87c248c0fedbff28cfa18f17 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Tue, 18 Jan 2022 11:28:13 -0800
+Subject: [PATCH] free RSA2 related memory (#664)
+
+Free `server_sign_algorithms` and `sign_algo_prefs`.
+Conflict:NA
+Reference:https://github.com/libssh2/commit/30fc410b972e6dec87c248c0fedbff28cfa18f17
+---
+ src/session.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/session.c b/src/session.c
+index 0de5ab3..ae6132c 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -981,6 +981,12 @@ session_free(LIBSSH2_SESSION *session)
+ if(session->remote.lang_prefs) {
+ LIBSSH2_FREE(session, session->remote.lang_prefs);
+ }
++ if(session->server_sign_algorithms) {
++ LIBSSH2_FREE(session, session->server_sign_algorithms);
++ }
++ if(session->sign_algo_prefs) {
++ LIBSSH2_FREE(session, session->sign_algo_prefs);
++ }
+
+ /*
+ * Make sure all memory used in the state variables are free
+--
+2.23.0
+
diff --git a/libssh2.spec b/libssh2.spec
index a7092c7b048e198f6c061e279e748490f0a92c7f..05343959c3f979daa2354d8e7c653b6c041421dc 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name: libssh2
 Version: 1.10.0
-Release: 5
+Release: 6
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: https://www.libssh2.org/
@@ -10,6 +10,11 @@ Patch0: backport-RSA-SHA2-256-512-key-upgrade-support-RFC-8332.patch Patch1: backport-misc-libssh2_copy_string-avoid-malloc-zero-bytes.patch Patch2: sftp-Prevent-files-from-being-skipped-if-the-output.patch Patch3: backport-Support-rsa-sha2-agent-flags.patch +Patch4: backport-Fix-a-memcmp-errors-in-code-that-was-changed-from-me.patch +Patch5: backport-Legacy-Agent-support-for-rsa2-key-upgrading-downgrad.patch +Patch6: backport-free-RSA2-related-memory-664.patch +Patch7: backport-NULL-terminate-server_sign_algorithms-string-669.patch +Patch8: backport-Skip-leading-r-and-n-characters-in-banner_receive-76.patch BuildRequires: coreutils findutils /usr/bin/man zlib-devel BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server @@ -89,6 +94,12 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_mandir}/man3/libssh2_*.3* %changelog +* Tue Mar 28 2023 renmingshuai - 1.10.0-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport some upstream patches + * Thu Feb 16 2023 renmingshuai - 1.10.0-5 - Type:bugfix - ID:NA