0002-curl-7.27.0-f05e5136.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197

From ce515e993fe7bc7e95549317fe5180b196454d4c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 12 Sep 2012 16:06:18 +0200
Subject: [PATCH 1/3] ssh: move the fingerprint checking code to a separate fnc

---
 lib/ssh.c |   71 +++++++++++++++++++++++++++++++++---------------------------
 1 files changed, 39 insertions(+), 32 deletions(-)

diff --git a/lib/ssh.c b/lib/ssh.c
index c76a48e..4455d44 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -635,6 +635,43 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
   return result;
 }
 
+static bool ssh_check_fingerprint(struct connectdata *conn)
+{
+  struct ssh_conn *sshc = &conn->proto.sshc;
+  struct SessionHandle *data = conn->data;
+  const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5];
+  char md5buffer[33];
+  int i;
+
+  const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
+      LIBSSH2_HOSTKEY_HASH_MD5);
+
+  /* The fingerprint points to static storage (!), don't free() it. */
+  for(i = 0; i < 16; i++)
+    snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+  infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+
+  /* Before we authenticate we check the hostkey's MD5 fingerprint
+   * against a known fingerprint, if available.
+   */
+  if(pubkey_md5 && strlen(pubkey_md5) == 32) {
+    if(!strequal(md5buffer, pubkey_md5)) {
+      failf(data,
+          "Denied establishing ssh session: mismatch md5 fingerprint. "
+          "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+      state(conn, SSH_SESSION_FREE);
+      sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
+      return sshc->actualcode;
+    }
+    else {
+      infof(data, "MD5 checksum match!\n");
+      /* as we already matched, we skip the check for known hosts */
+      return CURLE_OK;
+    }
+  }
+  else
+    return ssh_knownhost(conn);
+}
 
 /*
  * ssh_statemach_act() runs the SSH state machine as far as it can without
@@ -650,10 +687,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
   struct SSHPROTO *sftp_scp = data->state.proto.ssh;
   struct ssh_conn *sshc = &conn->proto.sshc;
   curl_socket_t sock = conn->sock[FIRSTSOCKET];
-  const char *fingerprint;
-  char md5buffer[33];
   char *new_readdir_line;
-  int rc = LIBSSH2_ERROR_NONE, i;
+  int rc = LIBSSH2_ERROR_NONE;
   int err;
   int seekerr = CURL_SEEKFUNC_OK;
   *block = 0; /* we're not blocking by default */
@@ -694,35 +729,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
        * against our known hosts. How that is handled (reading from file,
        * whatever) is up to us.
        */
-      fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
-                                         LIBSSH2_HOSTKEY_HASH_MD5);
-
-      /* The fingerprint points to static storage (!), don't free() it. */
-      for(i = 0; i < 16; i++)
-        snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
-      infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
-
-      /* Before we authenticate we check the hostkey's MD5 fingerprint
-       * against a known fingerprint, if available.
-       */
-      if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] &&
-         strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) == 32) {
-        if(!strequal(md5buffer,
-                     data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5])) {
-          failf(data,
-                "Denied establishing ssh session: mismatch md5 fingerprint. "
-                "Remote %s is not equal to %s",
-                md5buffer, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
-          state(conn, SSH_SESSION_FREE);
-          result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
-        }
-        else
-          infof(data, "MD5 checksum match!\n");
-        /* as we already matched, we skip the check for known hosts */
-      }
-      else
-        result = ssh_knownhost(conn);
-
+      result = ssh_check_fingerprint(conn);
       if(!result)
         state(conn, SSH_AUTHLIST);
       break;
-- 
1.7.1


From f05e51362f310cb04b0ad8d086b9cf693aad5c9d Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 12 Sep 2012 16:18:36 +0200
Subject: [PATCH 2/3] ssh: do not crash if MD5 fingerprint is not provided by libssh2

The MD5 fingerprint cannot be computed when running in FIPS mode.
---
 lib/ssh.c |   22 ++++++++++++++--------
 1 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/ssh.c b/lib/ssh.c
index 4455d44..466566c 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -646,19 +646,25 @@ static bool ssh_check_fingerprint(struct connectdata *conn)
   const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
       LIBSSH2_HOSTKEY_HASH_MD5);
 
-  /* The fingerprint points to static storage (!), don't free() it. */
-  for(i = 0; i < 16; i++)
-    snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
-  infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+  if(fingerprint) {
+    /* The fingerprint points to static storage (!), don't free() it. */
+    for(i = 0; i < 16; i++)
+      snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+    infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+  }
 
   /* Before we authenticate we check the hostkey's MD5 fingerprint
    * against a known fingerprint, if available.
    */
   if(pubkey_md5 && strlen(pubkey_md5) == 32) {
-    if(!strequal(md5buffer, pubkey_md5)) {
-      failf(data,
-          "Denied establishing ssh session: mismatch md5 fingerprint. "
-          "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+    if(!fingerprint || !strequal(md5buffer, pubkey_md5)) {
+      if(fingerprint)
+        failf(data,
+            "Denied establishing ssh session: mismatch md5 fingerprint. "
+            "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+      else
+        failf(data,
+            "Denied establishing ssh session: md5 fingerprint not available");
       state(conn, SSH_SESSION_FREE);
       sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
       return sshc->actualcode;
-- 
1.7.1


From 1ab6c353635760e8e25bacc13ae0cab2f97f7338 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Fri, 14 Sep 2012 14:48:55 +0200
Subject: [PATCH 3/3] ssh.c: Fixed warning: implicit conversion from enumeration type

Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/ssh.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ssh.c b/lib/ssh.c
index 466566c..e8b7172 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -635,7 +635,7 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
   return result;
 }
 
-static bool ssh_check_fingerprint(struct connectdata *conn)
+static CURLcode ssh_check_fingerprint(struct connectdata *conn)
 {
   struct ssh_conn *sshc = &conn->proto.sshc;
   struct SessionHandle *data = conn->data;
@@ -736,7 +736,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
        * whatever) is up to us.
        */
       result = ssh_check_fingerprint(conn);
-      if(!result)
+      if(result == CURLE_OK)
         state(conn, SSH_AUTHLIST);
       break;
 
-- 
1.7.1