forked from kkovaacs/zorp
ChangeLog
2008-10-26 Balazs Scheidler <bazsi@balabit.hu>
* configure.in.in: require version 0 from libwbclient as samba
advertises it as such
* modules/rdp/rdp_credssp.c: fixed wbclient.h include path
* modules/rdp/Makefile.am: use WBCLIENT_LIBS and WBCLIENT_CFLAGS
to reference wbclient include/lib paths
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c: partially changed max. line length to 120 (fixes #nobug)
* modules/ssh/ssh.c: removed empty line (fixes #nobug)
* modules/ssh/sshspecialuserauth.c,
* modules/ssh/sshagentforward.c: changed line length to 120, changed format to gnu (fixes #nobug)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshagentforward.c (ssh_agent_resync_global_request): parsing MSG_REQUEST_SUCCESS msg (fixes #16182)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c (ssh_connection_process_channel_open_msg):
update channel id within packet (fixes #16181)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_response_msg):
implement functionality of g_hash_table_remove_all of glib-2.12 (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c,
modules/ssh/sshuserauth.c,
modules/ssh/sshtransport.c,
modules/ssh/sshtransport.h,
modules/ssh/sshagentforward.c: removed unnecessary agent states,
free transport layer's members related to agent forwarding
and tl's pkey_auth_blob is renamed to pubkey_auth_blob (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_response):
set to NULL unrefed packets of special userauth (fixes #14961)
* modules/ssh/ssh.c (ssh_proxy_free): free non-null variables of special userauth (fixes #14961)
* modules/ssh/sshspecialuserauth.h (_SshSpecialUserauthInfo): removed unused member,
local_passwd (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_response): removed code for SSH_SUA_AUTH_PUBKEY state
(it happens later now) (fixes #14961)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request,
ssh_uam_pubkey_process_userauth_pubkey_ok_msg): added support for special userauth (fixes #14961 and #15526),
format changes (fixes #nobug)
* modules/ssh/sshuserauth.c (ssh_userauth_process_userauth_request_msg): updated to handle
both specialuserauth and agent fwd (fixes #14961 and #15526)
* modules/ssh/sshtransport.c: code cleanup: format changes (fixes #nobug)
(ssh_tl_process_packet): doesn't check current agent fwd state (fixes #14961 and #15526)
* modules/ssh/sshtransport.h (SshTranportLayer): comment changes (fixes #15526)
* modules/ssh/sshspecialuserauth.c (ssh_special_userauth_pubkey_request):
handling agent forwarding parts (fixes #14961 and #15526)
* modules/ssh/sshspecialuserauth.h (SshSpecUserAuthState): added SSH_SUA_STATE_PUBKEY_RESP_SIGNED state (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c,
modules/ssh/sshalgo.h,
modules/ssh/sshagentforward.c,
modules/ssh/sshagentforward.h: cleanups,
freeing up memory, validating packets (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c,
modules/ssh/sshauthpubkey.c,
modules/ssh/sshtransport.c,
modules/ssh/sshalgo.h,
modules/ssh/sshtransport.h,
modules/ssh/sshspecialuserauth.c,
modules/ssh/sshagentforward.c,
modules/ssh/sshagentforward.h: rewritten resyncing when agent forwarding is enabled.
Added ssh_tl_resync_forward().
pubkey_blob to SshKey happens by ssh_key_from_blob.
Lots of cleanup, syntax style changes (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c,
modules/ssh/sshconnection.h,
modules/ssh/sshagentforward.c,
modules/ssh/sshagentforward.h: replaying packets after 'session' request is rewritten,
lots of changes (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthpubkey.c,
modules/ssh/sshtransport.h,
modules/ssh/sshagentforward.c: added body for ssh_agent_resync_pubkey_authentication()
ssh_agent_send(), ssh_agent_fetch(): allowing oversized data (split into multiple packets)
ssh_agent_resync_exchange_public_key(): signing key, too (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshagentforward.c,
modules/ssh/sshagentforward.h: communicating with ssh auth agent at resyncing (fixes #15526)
* modules/ssh/sshconnection.c: agent-related functions are moved into sshagentforward.c (fixes #15526)
* modules/ssh/Makefile.am: added sshagentforward.[ch] (fixes #15526)
* modules/ssh/ssh.c: format changes (fixes #nobug)
* modules/ssh/sshtransport.h: ssh_get_message_type() has const parameter (fixes #nobug)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshtransport.h,
modules/ssh/sshconnection.c (ssh_connection_process_channel_data_msg,
ssh_connection_process_channel_close_msg): new states to keep information
where the ssh stays at the current packet. Implemented till exchanging pubkey
with ssh auth agent (fixes #1556)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c: rewrites recipient/sender channel ids
in forwarded packets (fixes #15526 (#nobug))
* modules/ssh/sshtransport.c: added ssh_tl_prepend_resync_task() (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c,
modules/ssh/sshalgo.c,
modules/ssh/sshformat.c,
modules/ssh/sshauthpubkey.c,
modules/ssh/sshuserauth.c,
modules/ssh/sshchantcpip.c,
modules/ssh/sshchanx11.c,
modules/ssh/sshtransport.c,
modules/ssh/sshparse.c,
modules/ssh/sshkex.c,
modules/ssh/sshkex.h,
modules/ssh/sshspecialuserauth.c: code cleanup, no more warnings appear with gcc-4.2.3 (fixes #nobug)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.h,
modules/ssh/sshconnection.c: ssh_connection_find_channel uses channel's channel_id member instead of channel_ids[side] (fixes #15526)
* modules/ssh/sshauthpubkey.c: keep pubkey blob for agent fwd (fixes #15526)
* modules/ssh/sshtransport.c: ssh_tl_perform_resync() is now non-static (fixes #15526)
* modules/ssh/sshtransport.h: added new states; added pubkey_blob member for transport layer (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshconnection.c: added resync callbacks,
using this when agent request arrives or another packet arrives from the client;
(ssh_connection_process_global_request_msg,ssh_connection_process_channel_open_msg,
ssh_connection_process_channel_request_msg): checking for agent forwarding (fixes #15526)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request_agent_fwd,
ssh_uam_pubkey_process_userauth_pubkey_ok_msg): new state is SSH_AG_ST_SESSION_REQ (fixes #15526)
* modules/ssh/sshspecialuserauth.c,
modules/ssh/ssh.c: whitespace cleanup (fixes #nobug)
* modules/ssh/sshtransport.c (ssh_tl_process_packet): checks for agent_state (fixes #1556)
* modules/ssh/sshtransport.h: removed start_time, max_time (fixes #15526)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* ssh_uam_pubkey_request() split into 3 similar functions, based on the proxy state (agent fwd and special userauth)
* proxy has a new attribute, enable_agent_forwarding
* The transport layer keeps actual state of the agent forwarding authentication
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c (ssh_key_verify_x509): Log the server key type and its signature type (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshchansession.c,
modules/ssh/sshconnection.c,
modules/ssh/sshconnection.h,
modules/ssh/sshformat.c,
modules/ssh/sshauthpubkey.c,
modules/ssh/sshsftp.c,
modules/ssh/sshpolicy.c,
modules/ssh/sshpolicy.h,
modules/ssh/sshuserauth.c,
modules/ssh/sshkexdh.c,
modules/ssh/sshkexdh.h,
modules/ssh/sshsubproto.h,
modules/ssh/sshglobals.h,
modules/ssh/sshchantcpip.c,
modules/ssh/sshchanx11.c,
modules/ssh/Ssh.py,
modules/ssh/sshtransport.c,
modules/ssh/sshnames.c,
modules/ssh/sshparse.c,
modules/ssh/sshkex.c,
modules/ssh/sshformat.h,
modules/ssh/sshkex.h,
modules/ssh/sshnames.h,
modules/ssh/sshtransport.h: whitespace changes, removed trailing whitespaces, unnecessary empty lines (fixes #nobug)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshspecialuserauth.c (ssh_special_userauth_pubkey_validate): added missing z_policy_unlock (fixes #14961)
* modules/ssh/Ssh.py: removed debug lines (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c: fixed typo (fixes #14961)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): if pubkey spec. auth fails,
sends an SSH_MSG_USERAUTH_FAILURE, with none as method list (fixes #14961)
* modules/ssh/Ssh.py: added specialUserAuthPubkey() with test code (fixes #14961)
* modules/ssh/sshspecialuserauth.c (ssh_special_userauth_pubkey_validate):
added username parameter for the python callback (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c: set owner->quit to TRUE on error (fixes #14961)
* modules/ssh/sshauthpubkey.c: checking for special user auth-pubkey auth (fixes #14961)
* modules/ssh/sshchanagent.c,
modules/ssh/sshauthpassword.c,
modules/ssh/sshauthnone.c: whitespace change (fixes #nobug)
* modules/ssh/sshuserauth.c (ssh_special_userauth_pubkey_validate): added callback
(ssh_special_userauth_parse_request): first 2 items may be the luser and lpasswd (fixes #14961)
* modules/ssh/Ssh.py: M
* modules/ssh/ssh.c (ssh_main): checks for successful spec. userauth request parsing (fixes #14961)
* modules/ssh/sshspecialuserauth.h,
modules/ssh/sshspecialuserauth.c (ssh_special_userauth_pubkey_validate): added callback
(ssh_special_userauth_parse_request): first 2 items may be the luser and lpasswd (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_resonse):
if spec.userauth failed it is restarted when it is the first or second attempt.
If it succeeded, checks for pubkey auth (fixes #14961)
* modules/ssh/sshalgo.c (ssh_key_verify_x509): enabled dss1raw for DSA keys (fixes #14012)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): checks for pubkey auth in spec. userauth (fixes #14961)
* modules/ssh/sshuserauth.c: auth_on_request is checked when spec. userauth is unused (fixes #1461)
* modules/ssh/Ssh.py: added spec.userauth type constants; inband auth enabled. (fixes #14961)
* modules/ssh/ssh.c: changes in python interface: special_userauth_request,
special_userauth_type local_user are related to spec.userauth and nothing else
(ssh_main): checks for self->auth and modify things respectively (fixes #14961)
* modules/ssh/sshspecialuserauth.c: (ssh_special_userauth_parse_username): only the first packet's username is parsed,
added passwd auth (fixes #14961)
(ssh_special_userauth_add_response): request list may be empty, local user/passwd are handled specially (fixes #14961)
* modules/ssh/sshspecialuserauth.h: more types and states for extended spec. userauth,
the 3rd failure drops connection, and pubkey auth added - partially (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c: added EVP_dss1raw();
(ssh_key_sign_x509): signer MD is SHA-1 for RSA, DSS1-RAW for DSA keys (fixes #14012)
* modules/ssh/ssh.c: frees SpecialUserauth-related data (fixes #14961)
* modules/ssh/sshalgo.h: added EVP_dss1raw() (fixes #14012)
* modules/ssh/sshspecialuserauth.c(: replaces old response data (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshspecialuserauth.c: added definition of username parser function (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_response):
Doesn't forward the saved packet (the actual user auth method sends it) (fixes #14961)
* modules/ssh/sshalgo.c (ssh_key_verify_x509): added log msg (fixes #nogbug)
* modules/ssh/sshuserauth.c (ssh_userauth_process_userauth_request_ms): added kbdint_method_list global variable,
saves current method's ID (fixes #14961)
* modules/ssh/Ssh.py: specialUserAuth() returns TRUE (fixes #14961)
* modules/ssh/ssh.c (ssh_config_set_defaults): sua_info.{request,request_policy} is
initialized by NULL value (fixes #14961)
* modules/ssh/sshspecialuserauth.c: Several fixes - function names; sets num of prompt
for SSH_USERAUTH_INFO_REQUEST, etc. (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshspecialuserauth.c,
* modules/ssh/sshspecialuserauth.h,
* modules/ssh/sshauthkbdint.c,
* modules/ssh/sshuserauth.c
* modules/ssh/sshuserauth.h: lots of changes with code (type) cleanups to pass required information to each functions;
(ssh_special_userauth_parse_request, ssh_special_userauth_format_packet): added definition (fixes #14961)
* modules/ssh/ssh.c (ssh_register_vars): removed specialuserauth_response,
added specialuserauth_local_{username,password}_required to python interface
(ssh_main): calls ssh_special_userauth_parse_request (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshspecialuserauth.c,
* modules/ssh/sshspecialuserauth.h: SpecialUsername-related functions
and types are moved to here (fixes #14961)
* modules/ssh/sshauthkbdint.c: updated to use reorganized sshproxy (fixes #14961)
* modules/ssh/sshpolicy.c: removed ssh_policy_special_userauth_validate() (fixes #14961)
* modules/ssh/sshuserauth.c: removed specialusername-related functions (fixes #14961)
* modules/ssh/Makefile.am: added sshspecialuserauth.c sshspecialuserauth.h
* modules/ssh/ssh.c (ssh_config_set_defaults): hash tables uses g_str_{hash,equal}
(ssh_register_vars): name changes (specialusername_*)
Whitespace changes (fixes #14961)
* modules/ssh/ssh.h: SpecialUsername-related types and members are moved
to sshspecialuserauth.h. It is now SshProxy.sua_info (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshauthkbdint.c (ssh_uam_kbd_int_process_userauth_info_response):
parse packet for specialusername if necessary
(ssh_uam_kbd_int_request): send USERAUTH_INFO_REQUEST packet for specialusername (fixes #14644)
* modules/ssh/sshalgo.c (ssh_key_sign_x509): sign with SHA-1 the X509V3_SIGN_RSA keys
(ssh_key_set_certificate_blob): free the private key (fixes #14012)
* modules/ssh/sshpolicy.c (ssh_policy_special_userauth_validate): added this skeleton (fixes #14961)
* modules/ssh/sshuserauth.c: added several function skeletons (ssh_userauth_parse_special_username,
ssh_userauth_special_need_kbd_info, ssh_userauth_special_validate_full, ssh_userauth_special_add_response,
ssh_userauth_special_format_packet)
(ssh_userauth_process_userauth_request_msg): parsing username
for specialusername-related settings (fixes #14961)
* modules/ssh/sshuserauth.h: added functions for specialusername (fixes #14644)
* modules/ssh/Ssh.py: added specialUserAuth() function
* modules/ssh/ssh.c,
* modules/ssh/ssh.h (SshProxy): added members for SpecialUsername (fixes #14961)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshkexdh.c (ssh_kex_dh_send_kexdh_reply_msg): create the host key (fixes #14012)
* modules/ssh/Ssh.py (SshProxy postconfig): updated x509 support due to renamed variables (fixes #14012)
* modules/ssh/ssh.c (ssh_config_set_defaults): renamed/new x509 hostkey and cert variables
(ssh_get_hostkey): removed hostkey variable checkings
(ssh_register_vars): register new variables
(ssh_init_key and ssh_init_key): not necessary
(ssh_main): removed call of ssh_init_keys (fixes #14012)
* modules/ssh/ssh.h (SshProxy): removed hostkeys[] member;
added individual private keys for X.509 keys (fixes #14012)
* modules/ssh/sshkex.c (ssh_kex_setup_proposal): check whether
variables for X.509 host keys are empty or not (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/Ssh.py (SshProxy): fixed errors related to new variables,
host_key_*_keypair (fixes #14012)
* modules/ssh/ssh.c (ssh_proxy_free): freeing up host keys (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c,
modules/ssh/sshalgo.h (ssh_key_set_from_blob): wrapper of ssh_key_set_*_blob (fixes #14012)
* modules/ssh/sshkexdh.c (ssh_kex_dh_send_kexdh_reply_msg): do not free up hostkey (fixes #14012)
* modules/ssh/Ssh.py (SshProxy): added host_key_rsa_keypair and host_key_dss_keypair tuples
(private key, certificate) (fixes #14012)
* modules/ssh/ssh.c (ssh_config_set_defaults): set hostkey algos to x509v3-sign*,ssh-*,
so the default is the first with X.509
(ssh_get_hostkey): added support of x509v3-sign* and check the result of ssh_key_set_openssh_privfile_cert
(ssh_init_key, ssh_init_keys): new functions to load all available host keys for the client side
(ssh_main): call of ssh_init_keys and if it fails, return immediately (fixes #14012)
* modules/ssh/ssh.h (SshProxy): new members for host keys and certificates (fixes #14012)
* modules/ssh/sshkex.c (ssh_kex_check_algos, ssh_kex_select_kex_algo, ssh_kex_select_kex_hostkey_algo):
checking algos for kex and hostkey
(ssh_kex_choose_algorithms): check the algos for kex and hostkey and if it was unsuccessful,
it is an error (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c: added 'static' keyword for most
functions with documentation (ssh_key_{verify,sign}_*) (fixes #14012)
* modules/ssh/sshkexdh.c: replaced functions with
ssh_key_{verify,sign} (fixes #14012)
* modules/ssh/sshauthpubkey.c,
modules/ssh/ssh.c: removed unnecessary blank lines (fixes #14012)
* modules/ssh/sshalgo.h: removed non-public functions
(ssh_key_{verify,sign}_*) (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c (ssh_key_sign_finish) and (ssh_key_sign_finish):
don't free the ctx (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c: (ssh_cipher_evp_map): became const
Added ssh_key_verify{,rsa_dss,x509} functions and use only
ssh_key_verify from anywhere (fixes #14012)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): freeing
up created packet (fixes #nobug)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): using
ssh_key_verify function for every type of keys (fixes #14012)
* modules/ssh/ssh.c: whitespace changes (fixes #nobug)
* modules/ssh/sshalgo.h: added ssh_key_verify (fixes #14012)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c: added wrapper functions for ssh-dsa, ssh-rsa and x509v3-sign-* signing
(ssh_key_set_openssh_privfile_cert): set X.509 certificates
(ssh_key_set_certificate_blob): removed unused parameter
(ssh_key_set_certificate_blob): added X.509 validation stub
(ssh_key_get_pubkey_blob): added x509v3-sign* types (fixes #14010)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): doesn't verify incoming
keys and certificates, temporarily. Signing both old pubkeys and certificates (fixes #14010)
* modules/ssh/ssh.c (ssh_config_set_defaults): different host key algs
(ssh_map_userkey): code cleanup (fixes #14010)
* modules/ssh/sshalgo.h: added ssh_key_sign wrapper function (fixes #14010)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c (ssh_key_set_type, ssh_key_free): added X509V3_SIGN* names
ssh_key_set_openssh_privfile renamed to ssh_key_set_openssh_privfile_cert and supports X509V3_SIGN*
(ssh_key_set_certificate_blob): freeing previously allocated RSA/DSA keys (fixes #14010)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request):
SSH_NAME_X509V3_SIGN* name changes (fixes #14010)
* modules/ssh/ssh.c (ssh_map_userkey): implemented support of X.509 certificates (fixes #14010)
* modules/ssh/sshnames.txt: removed x509v3-sign, x509v3-sign-*-sha1 (fixes #14010)
* modules/ssh/sshalgo.h: ssh_key_set_openssh_privfile is a wrapper
of ssh_key_set_openssh_privfile_cert (fixes #14010)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/ssh.c (ssh_map_userkey): Creating PEM format from the X.509 certificate
of the userkey (fixes #14010)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshalgo.c: added ssh_key_set_certificate_blob to parse received
certificate blob (fixes #14010)
* modules/ssh/sshauthpubkey.c (ssh_uam_pubkey_request): added support of X.509 pubkeys
(ssh_map_userkey): added stub for x509 certificates (fixes #14010)
* modules/ssh/ssh.c (ssh_config_set_defaults): added X.509 host key algorithms
but commented out (fixes #14010)
* modules/ssh/sshnames.txt: changed order of x509v3-sign* (fixes #14010)
* modules/ssh/sshalgo.h (_SshKey): added X509 member
Added ssh_key_set_certificate_blob (fixes #14010)
2008-10-25 Laszlo Attila Toth <panther@balabit.hu>
* modules/ssh/sshnames.txt: Added x509v3-sign* names (fixes #14012)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/*: enabled crypt types made configurable (fixes: #13235)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_mangle.c: leftover junk code removed (fixes: #13235)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.c: mem leak fixed (fixes: #13667)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_crypt.c, rdp_data.c, rdp_iso.c, rdp_rdp4.c,
rdp_licence.c: missing checks on inclusive length fields added
(fixes: #13833)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/*: enabled crypt types made configurable (fixes: #13235)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_mangle.c: leftover junk code removed (fixes: #13235)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_crypt.c, rdp_data.c, rdp_iso.c, rdp_rdp4.c,
rdp_licence.c: missing checks on inclusive length fields added
(fixes: #13833)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_mangle.c: reset requests on unknown devices allowed
to pass through (fixes: #15399)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_iso.[hc], rdp_mangle.c: crypt type 'credssp' added (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.[hc]: credssp packet support started (fixes: #12762)
* modules/rdp/rdp.[hc]: credssp parsing integrated into the existing
processing sequence (fixes: #12762)
* modules/rdp/rdp_common.[hc]: ber class and tag numbers joined,
misnamed 'ber_result' renamed to 'ber_enum', 'ber_mcs_domain_params' to
'ber_sequence', definition for standard ber tags added (fixes: #12762)
* modules/rdp/rdp_initreq.[hc], rdp_initrsp.[hc]: changes required by
new ber parsing code done (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.[hc]: ntlm_challenge and ntlm_authenticate
added (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.c: (rdp_deinit_stream) typo fixed (fixes: #12762)
* modules/rdp/rdp_credssp.[hc]: parsing of ntlm_restrictions and
av_pair added, preserving of ntlm_challenge and ntlm_authenticate made
conditionally configurable (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.c: credssp mangling added (fixes: #12762)
* modules/rdp/rdp_drawing.c: logging of bitmap data moved to log
level 9 (fixes: #12762)
* modules/rdp/rdp_iso.[hc]: crcc proto 'credssp_or_ssl' added, double
logging of fastpath data commented out (fixes: #12762)
* modules/rdp/rdp_mangle.[hc]: starting and stopping of credssp phase
fixed (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/*: credssp man-in-the-middle started (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.c: mitm faking of cssp pubkeyauth packets fixed (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.[hc], rdp_credssp.h: mitm state variable added
(fixes: #12762)
* modules/rdp/rdp_initrsp.[hc]: RC4_NONE support of mcs_init_rsp_crypt
fixed (fixes: #12762)
* modules/rdp/rdp_mangle.c: cssp mitm client-side implemented
(fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.[hc]: two additional proxy domain attributes
propagated to policy level, top-level processing loop restructured
in order to support substitution of regular iso packets by cssp
ones (fixes: #12762)
* modules/rdp/rdp_credssp.c: support for partial cssp packets
added (fixes: #12762)
* modules/rdp/rdp_mangle.c: cssp mitm server-side started (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.[hc]: original server ssl certificate obtained (fixes: #12762)
* modules/rdp/rdp_data.c: log format of rdp5 logon info password
fixed (fixes: #12762)
* modules/rdp/rdp_mangle.c: generating of fake server-side ntlm
authenticate message added (fixes: #12762)
* modules/rdp/rdp_credssp.[hc]: processing of AuthInfo blocks started,
threadsafeness of some constant logging functions fixed (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp.[hc]: storing of server ssl pubkey added,
variable nomenclature unified, conditionals moved to the
common header (fixes: #12762)
* modules/rdp/rdp_data.c: logging of passwords conditionally
removed (fixes: #12762)
* modules/rdp/rdp_credssp.[hc]: log levels fine-tuned, handling of
cssp_credentials and cssp_password_creds added, unneeded MITM
levels removed (fixes: #12762)
* modules/rdp/rdp_mangle.c: unneeded MITM code removed, reset of
unknown rdpdr device is now tolerated, another MS bug at x509 cert
algo fixed, server-side cssp MITM completed (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/Rdp.py: attributes 'proxy_netbios_name' and
'proxy_dns_name' propagated to policy level (fixes: #12762)
* modules/rdp/rdp.[hc]: obsolete comments, unused variables and
unneeded log messages removed, memory leaks eliminated (fixes: #12762)
* modules/rdp/rdp_crypt.c: comment added for leak-suspicious
assignment (fixes: #12762)
* modules/rdp/rdp_mangle.c: processing of RDP4_DATA_SET_ERROR
fixed, obsoleted code snippets removed, ms bad x509 algo workaround
improved, error handling improved (fixes: #12762)
* modules/rdp/rdp_rdp4.[hc]: type rdp4_data_disconnect renamed to
rdp4_data_set_error, missing rdp4 capability type constants added
(fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.c: freeing of wbcAuthUserInfo implemented here (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.c: reference to the location of the wbclient header fixed (fixes: #12762)
2008-10-25 Pal Tamas <folti@balabit.hu>
* configure.in.in: Added pkg_check for wbclient.
* debian/control.in-pro: Added libsmbclient-dev as build-dependency
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_common.[hc]: empty licence cert bug fixed (fixes: #14910)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_credssp.c: winbind header location fixed (fixes: #12762)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_mangle.c: empty licence cert bug fixed (fixes: #14910)
2008-10-25 Simon Gabor <fules@balabit.hu>
* modules/rdp/rdp_rdpdr.c: typo fixed in rdpdr devices available rDAD
processing code (fixes: #15399)
2008-10-20 Balazs Scheidler <bazsi@balabit.hu>
* lib/audit.c, lib/ifmonitor.c, lib/pyaudit.c, lib/timestamp.c:
fixed some gcc4 warnings
* lib/audit.c (z_audit_trail_write_record): don't memset the memory
pointed to by the sign_priv_key pointer, it belongs to a Python
string object
2008-10-20 Balazs Scheidler <bazsi@balabit.hu>
* zorp/audit/audit.h (ZAuditSessionParams): changed
constructor/destructor functions to indicate that they do not
allocate/free the instance itself (e.g. rename them to _init,
_deinit)
* lib/proxy.c (z_proxy_policy_start_audit_method): adapted to
ZAuditSessionParams changes
* lib/pyaudit.c (z_policy_audit_parse_global_params): new function,
code mostly moved out of z_read_global_params to parse global
audit related parameters,
(z_policy_audit_parse_session_params): new function, parses
startAudit Python argument list into a ZAuditSessionParams
structure
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/timestamp.c (timestamp_thread): removed unnecessary *free() calls, which caused sigsegvs (fixes #15444)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* modules/vnc/vnc.c (vnc_policy_get_audit_stream): set self->enable_audit
if the audit stream is created (fixes #15364)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* modules/vnc/vnc.c (vnc_main): fixed log msg (fixes #15363)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* modules/vnc/vnc.c (vnc_main): checks for return value of vnc_init_audit(),
shuts down proxy if it is FALSE (fixes #15363)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/zorp.c (z_main_loop): checks for successful audit system startup (fixes #15921)
* lib/audit.c,
lib/zorp/audit.h: z_audit_init has gboolean return value, TRUE means successful startup (fixes #15921)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c: removed z_audit_log_ssl_error(); log OpenSSL error messages when an error occurred (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/proxy.c (z_proxy_policy_start_audit_method): removed "digest_" prefix from sign_* (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_init): Fixed typo in log msg (fixes #15280)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_trail_write_digest_record): readded ! to EVP_SignFinal() (fixes #15267)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c: added z_audit_log_ssl_error(); for RSA keys the digest message algorithm is the SHA-1, for DSA, it is DSS-1 (fixes #15267)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_trail_write_digest_record): rsa_pkt changed to sign_pkt (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c: replaced nullc/onec by unset/set (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* configure.in.in: removed check for openssl/ssl.h; fixed typo (fixes #14644)
* lib/audit.c (z_audit_trail_write_timestamp),
lib/timestamp.c: added notifications (fixes #14644)
* lib/audit.c (z_audit_trail_write_header): checks the certificate against the private key (fixes #15260)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_trail_new): close fd only if it is already opened (fixes #15201)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/proxy.c (z_proxy_policy_start_audit_method): code cleanup (fixes #14644)
* lib/audit.c (z_audit_session_params_free): doesn't memset the private key (fixes #15201)
* lib/audit.c (z_audit_trail_free): writes record only when the audit trail file is opened (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_trail_new): If an error occurred,
unlinks the current audit trail file and sets fd to -1 (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_trail_write_header):
log if certificate is not set, and set trail's error member on errors (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c,
lib/timestamp.c: gurl.h -> zurlparse.h (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (_ZAuditEncInfo): added BIO* array for DER-formatted certificates
Added z_audit_trail_get_x509_der() to create X509 and BIO object
from a PEM-formatted string of certificate (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c: writes the HMAC key length to the encryption info header;
keeps it as a member of ZAuditTrail (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c (z_audit_read_private_key): encrypted private keys are handled as an error, Zorp won't ask for the passphrase,
(z_audit_trail_new): log msg changes; logs if the trail is signed/timestamped (fixes #14644, #15100, #15095)
* modules/vnc/Vnc.py: Removed startAudit and stopAudit Python functions (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/zorp/proxy.h,
* lib/proxy.c: passing kw_args to get_audit_stream proxy function (fixes #14644)
* modules/telnet/telnet.c,
* modules/telnet/telnet.h: implemented get_audit_stream(), removed startAudit()
and audit_session for this proxy, in favour of ZProxy's;
added "version" info to the z_audit_stream_init (fixes #14644)
* lib/audit.c (z_audit_trail_write_digest_record): continue the digest (fixes #14644)
* modules/ssh/ssh.c: added kw_args to ssh_policy_get_audit_stream (fixes #14644)
* modules/rdp/rdp.c: M
modules/rdp/rdp_audit.c,
modules/rdp/rdp_audit.h,
modules/rdp/rdp_policy.c,
modules/rdp/rdp_policy.h: modified code for using ZProxy's startAudit() method (fixes #14644)
* modules/vnc/vnc.c: implemented functions for startAudit/startSession python functions (fixes #14644)
* modules/vnc/vnc.h: removed cert_list_obj member (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/zorp.c,
pylib/Zorp/Config.py: added config.audit.timestamp_length (fixes #14644)
* lib/zorp/proxy.h: added get_audit_stream function to proxy functions (fixes #14644)
* lib/proxy.c: Implemented startAudit() function (fixes #14644)
* lib/zorp/audit.h,
lib/audit.c,
modules/ssh/sshconnection.c,
modules/ssh/sshconnection.h: ZAuditTrailInitInfo is renamed to ZAuditSessionParams (fixes #14644)
* modules/ssh/ssh.c: implemented get_audit_stream() function (fixes #14644)
* lib/zorp/pyaudit.h,
lib/pyaudit.c: removed z_policy_audit_stream_init (fixes #14644)
* lib/timestamp.c,
lib/zorp/timestamp.h: functions got z_ prefix; GAtomicCounter is replaced by ZRefCount (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/zorp.c (z_read_global_params): renamed members of audit_params;
audit_params.timestamp_length is changed here (fixes #14644)
* lib/proxy.c (z_proxy_free_method),
lib/zorp/proxy.h (ZProxy): removed audit_params-related members (fixes #14644)
* pylib/Zorp/Zorp.py,
pylib/Zorp/Config.py: renamed config.audit.*sign* (fixes #14644)
* lib/zorp/audit.h: renamed/removed members of audit_params related to signature;
removed *initinfo_{ref,unref}, session's info member (fixes #14644)
* lib/audit.c: hmac_keys and private keys are temporarily in the memory,
if they are used once, memset'd. The audit trail's RSA/DSA signing key is passed
as an EVP_PKEY pointer instead of its low-level version.
The *InitInfo is passed from z_audit_stream_init to the corresponding functions
as function parameter. It can be null anywhere. (fixes #14644)
* lib/zorp/pyaudit.h,
lib/pyaudit.c: ZAuditTrailInitInfo is passed via callback parameter instead of
the proxy itself (fixes #14644)
* modules/ssh/sshconnection.c (ssh_connection_process_channel_open_msg),
modules/ssh/ssh.c (ssh_policy_start_audit_method_cb): updated as of the current implementation
of the audit system (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c,
lib/zorp/audit.h,
lib/pyaudit.c: whitespace changes (fixes #nobug)
* modules/vnc/vnc.c (vnc_ready): changed for the new z_audit_stream_init() (fixes #14644)
2008-10-20 Simon Gabor <fules@balabit.hu>
* modules/vnc/vnc.[hc]: audit trail cert list made configurable (fixes: #14288)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/audit.c: z_audit_read_digest_sign_private_key's code is moved
to z_audit_read_private_key which is also used by the z_audit_trail_new
to support RSA/DSA signing keys specified as startAudit parameters
(_ZAuditTrail): copied signing-related audit parameters
Using audit_parameter.* if it is not optional (e.g. compress, but encrypt may
differ based on startAudit parameters) (fixes #14644)
* lib/zorp.c,
lib/zorp/proxy.h,
lib/proxy.c,
modules/ssh/sshconnection.c,
modules/ssh/sshconnection.h,
modules/telnet/telnet.c,
lib/audit.c,
lib/zorp/audit.h,
modules/ssh/ssh.c,
lib/pyaudit.c,
modules/rdp/rdp_audit.c: ZProxy's certs member is replaced by audit_info,
which contains certificate lists, key and cert of the digital signature in digest records.
It is a reference-counted type, however, ZAuditStream has a borrowed reference (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* pylib/Zorp/Config.py,
lib/zorp/audit.h: audit_params.rsa_sign renamed to digest_sign
* lib/audit.c (z_audit_stream_init): 2 new params for digest key and certificate;
log the changes in audit_param.* if it is really changed (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* configure.in.in: removed PKG_CHECK_MODULES, and constants related to libzaudit (fixes #14644)
* debian/control.in-pro: removed libzaudit dependency (fixes #14644)
* lib/zorp/audit.h: copied definitions from "zorp/audit/libzaudit.h" (fixes #14644)
2008-10-20 Laszlo Attila Toth <panther@balabit.hu>
* lib/zorp.c (z_read_global_params): function name changes (fixes #14644)
* lib/zorp/proxy.h: added digest_sign_private_key, digest_sign_certificate (fixes #14644)
* lib/proxy.c (z_proxy_free_method): freeing up new members (fixes #14644)
* modules/rdp/rdp_policy.h,
modules/ssh/ssh.c,
modules/telnet/telnet.c,
modules/rdp/rdp_policy.c: changed layout of the start_audit_methods and callbacks.
Using kw_args. (fixes #14644)
* lib/pydict.c (z_policy_method_call): uses all parameters (fixes #14644)
* modules/ssh/sshconnection.c (ssh_connection_start_channel_audit): proxy.cert
is not set here (fixes #14644)