File 0001-ssh-verify-the-remote-s-host-key-against-known_hosts.patch of Package libgit2.28345
From 67126da8f5c113b86e12d6d88e284a66fc7f346f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn=20Nieto?= <carlosmn@github.com>
Date: Tue, 1 Nov 2022 12:54:29 +0100
Subject: [PATCH 1/6] ssh: verify the remote's host key against known_hosts if
it exists
It turns out this has been available in libssh2 for a long time and we should
have been verifying this the whole time.
---
diff -urp libgit2-0.26.8.orig/src/transports/ssh.c libgit2-0.26.8/src/transports/ssh.c
--- libgit2-0.26.8.orig/src/transports/ssh.c 2023-03-17 16:04:19.953933466 -0500
+++ libgit2-0.26.8/src/transports/ssh.c 2023-03-17 16:16:28.305778494 -0500
@@ -500,6 +500,184 @@ static int _git_ssh_session_create(
return 0;
}
+/*
+ * Returns the typemask argument to pass to libssh2_knownhost_check{,p} based on
+ * the type of key that libssh2_session_hostkey returns.
+ */
+static int fingerprint_type_mask(int keytype)
+{
+ int mask = LIBSSH2_KNOWNHOST_TYPE_PLAIN | LIBSSH2_KNOWNHOST_KEYENC_RAW;
+ return mask;
+
+ switch (keytype) {
+ case LIBSSH2_HOSTKEY_TYPE_RSA:
+ mask |= LIBSSH2_KNOWNHOST_KEY_SSHRSA;
+ break;
+ case LIBSSH2_HOSTKEY_TYPE_DSS:
+ mask |= LIBSSH2_KNOWNHOST_KEY_SSHDSS;
+ break;
+#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
+ mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_256;
+ break;
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
+ mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_384;
+ break;
+ case LIBSSH2_HOSTKEY_TYPE_ECDSA_521:
+ mask |= LIBSSH2_KNOWNHOST_KEY_ECDSA_521;
+ break;
+#endif
+#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
+ case LIBSSH2_HOSTKEY_TYPE_ED25519:
+ mask |= LIBSSH2_KNOWNHOST_KEY_ED25519;
+ break;
+#endif
+ }
+
+ return mask;
+}
+
+#define KNOWN_HOSTS_FILE ".ssh/known_hosts"
+
+/*
+ * Check the host against the user's known_hosts file.
+ *
+ * Returns 1/0 for valid/''not-valid or <0 for an error
+ */
+static int check_against_known_hosts(
+ LIBSSH2_SESSION *session,
+ const char *hostname,
+ int port,
+ const char *key,
+ size_t key_len,
+ int key_type)
+{
+ int error, check, typemask, ret = 0;
+ git_str path = GIT_STR_INIT, home = GIT_STR_INIT;
+ LIBSSH2_KNOWNHOSTS *known_hosts = NULL;
+ struct libssh2_knownhost *host = NULL;
+
+ if ((error = git__getenv(&home, "HOME")) < 0) {
+ return error;
+ }
+
+ if ((error = git_str_joinpath(&path, git_str_cstr(&home), KNOWN_HOSTS_FILE)) < 0) {
+ ret = error;
+ goto out;
+ }
+
+ if ((known_hosts = libssh2_knownhost_init(session)) == NULL) {
+ ssh_error(session, "error initializing known hosts");
+ ret = -1;
+ goto out;
+ }
+
+ /*
+ * Try to read the file and consider not finding it as not trusting the
+ * host rather than an error.
+ */
+ error = libssh2_knownhost_readfile(known_hosts, git_str_cstr(&path), LIBSSH2_KNOWNHOST_FILE_OPENSSH);
+ if (error == LIBSSH2_ERROR_FILE) {
+ ret = 0;
+ goto out;
+ }
+ if (error < 0) {
+ ssh_error(session, "error reading known_hosts");
+ ret = -1;
+ goto out;
+ }
+
+ typemask = fingerprint_type_mask(key_type);
+ check = libssh2_knownhost_checkp(known_hosts, hostname, port, key, key_len, typemask, &host);
+ if (check == LIBSSH2_KNOWNHOST_CHECK_FAILURE) {
+ ssh_error(session, "error checking for known host");
+ ret = -1;
+ goto out;
+ }
+
+ ret = check == LIBSSH2_KNOWNHOST_CHECK_MATCH ? 1 : 0;
+
+out:
+ libssh2_knownhost_free(known_hosts);
+ git_str_clear(&path);
+ git_str_clear(&home);
+
+ return ret;
+}
+
+/*
+ * Perform the check for the session's certificate against known hosts if
+ * possible and then ask the user if they have a callback.
+ *
+ * Returns 1/0 for valid/not-valid or <0 for an error
+ */
+static int check_certificate(
+ LIBSSH2_SESSION *session,
+ git_transport_certificate_check_cb check_cb,
+ void *check_cb_payload,
+ const char *host,
+ const char *portstr)
+{
+ git_cert_hostkey cert = {{ 0 }};
+ const char *key;
+ size_t cert_len;
+ int cert_type, port, cert_valid = 0, error = 0;
+
+ if ((key = libssh2_session_hostkey(session, &cert_len, &cert_type)) == NULL) {
+ ssh_error(session, "failed to retrieve hostkey");
+ return -1;
+ }
+
+ /* Try to parse the port as a number, if we can't then fall back to default */
+ if (git__strntol32(&port, portstr, strlen(portstr), NULL, 10) < 0)
+ port = -1;
+
+ if ((cert_valid = check_against_known_hosts(session, host, port, key, cert_len, cert_type)) < 0)
+ return -1;
+
+ cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
+ key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+ if (key != NULL) {
+ cert.type |= GIT_CERT_SSH_SHA1;
+ memcpy(&cert.hash_sha1, key, 20);
+ }
+
+ key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
+ if (key != NULL) {
+ cert.type |= GIT_CERT_SSH_MD5;
+ memcpy(&cert.hash_md5, key, 16);
+ }
+
+ if (cert.type == 0) {
+ giterr_set(GITERR_SSH, "unable to get the host key");
+ return -1;
+ }
+
+ giterr_clear();
+ error = 0;
+ if (!cert_valid) {
+ giterr_set(GITERR_SSH, "invalid or unknown remote ssh hostkey");
+ error = GIT_ECERTIFICATE;
+ }
+
+ if (check_cb != NULL) {
+ git_cert_hostkey *cert_ptr = &cert;
+ git_error_state previous_error = {0};
+
+ giterr_state_capture(&previous_error, error);
+ error = check_cb((git_cert *) cert_ptr, cert_valid, host, check_cb_payload);
+ if (error == GIT_PASSTHROUGH) {
+ error = giterr_state_restore(&previous_error);
+ } else if (error < 0 && !giterr_last()) {
+ giterr_set(GITERR_NET, "user canceled hostkey check");
+ }
+
+ giterr_state_free(&previous_error);
+ }
+
+ return error;
+}
+
static int _git_ssh_setup_conn(
ssh_subtransport *t,
const char *url,
@@ -548,43 +726,8 @@ post_extract:
if ((error = _git_ssh_session_create(&session, s->io)) < 0)
goto done;
- if (t->owner->certificate_check_cb != NULL) {
- git_cert_hostkey cert = {{ 0 }}, *cert_ptr;
- const char *key;
-
- cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
-
- key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
- if (key != NULL) {
- cert.type |= GIT_CERT_SSH_SHA1;
- memcpy(&cert.hash_sha1, key, 20);
- }
-
- key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5);
- if (key != NULL) {
- cert.type |= GIT_CERT_SSH_MD5;
- memcpy(&cert.hash_md5, key, 16);
- }
-
- if (cert.type == 0) {
- giterr_set(GITERR_SSH, "unable to get the host key");
- error = -1;
- goto done;
- }
-
- /* We don't currently trust any hostkeys */
- giterr_clear();
-
- cert_ptr = &cert;
-
- error = t->owner->certificate_check_cb((git_cert *) cert_ptr, 0, host, t->owner->message_cb_payload);
- if (error < 0) {
- if (!giterr_last())
- giterr_set(GITERR_NET, "user cancelled hostkey check");
-
- goto done;
- }
- }
+ if ((error = check_certificate(session, t->owner->certificate_check_cb, t->owner->message_cb_payload, host, port)) < 0)
+ goto done;
/* we need the username to ask for auth methods */
if (!user) {
