Use checksrc.pl from the curl project, with (for now)
suppressed long line warnings and indentation set to
4 spaces. Fixes are whitespace for the most part.
Warning count went down from 2704 to 12.
Also fix codespell typos, two non-ANSI C89 comments
and a stray tab in include/libssh2.h.
Ref: https://github.com/libssh2/libssh2/pull/235
This is a slightly extended version of this original source
from the curl project:
8b754c430b/lib/checksrc.pl
This version adds the following options to customize it for
libssh2 (plus some whitespace formatting):
`-i<n>` to override indentation spaces (2)
`-m<n>` to override maximum line length (79)
Command-line used to check libssh2 sources:
$ ./checksrc.pl -i4 -m500 *.c *.h
Closes https://github.com/libssh2/libssh2/pull/236
This commit lands full ECDSA key support when using the OpenSSL
backend. Which includes:
New KEX methods:
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Can now read OpenSSL formatted ECDSA key files.
Now supports known host keys of type ecdsa-sha2-nistp256.
New curve types:
NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1
Default host key preferred ordering is now nistp256, nistp384,
nistp521, rsa, dss.
Ref: https://github.com/libssh2/libssh2/issues/41
Closes https://github.com/libssh2/libssh2/pull/206
When trying to decode invalid data, it frees the buffer but doesn't nil it so the caller gets a junk memory pointer which they could potentially double free.
Fixed incorrectly copied memory from p->buf into init instead of from the decrypted buffer block. The only reason this worked was because the crypt() function decrypts the value in-place and overwrites p->buf. I'm working on a fork that no longer does this and exposed this bug.
... while throwing LIBSSH2_ERROR_EAGAIN out of session_startup()
If the session runs in blocking mode, LIBSSH2_ERROR_EAGAIN never reaches
the libssh2 API boundary and, in non-blocking mode, these messages are
suppressed by the condition in _libssh2_error_flags() anyway.
Closes#211
- New `LIBSSH2_DLL_SUFFIX` envvar will add a suffix to the generated
libssh2 dll name. Useful to add `-x64` to 64-bit builds so that
it can live in the same directory as the 32-bit one. By default
this is empty.
- New `LIBSSH2_DLL_A_SUFFIX` envvar to customize the suffix of the
generated import library (implib) for libssh2 .dll. It defaults
to `dll`, and it's useful to modify that to `.dll` to have the
standard naming scheme for mingw-built .dlls, i.e. `libssh2.dll.a`.
Ref: aaa16f8025
Closes https://github.com/libssh2/libssh2/pull/215
Allow to ovverride certain build tools, making it possible to
use LLVM/Clang to build libssh2. The default behavior is unchanged.
To build with clang (as offered by MSYS2), these settings can
be used:
LIBSSH2_CC=clang
LIBSSH2_AR=llvm-ar
LIBSSH2_RANLIB=llvm-ranlib
Also adjust ranlib parameters to be compatible with LLVM/Clang's
ranlib tool.
Closes https://github.com/libssh2/libssh2/pull/214
It breaks SCP download/upload from/to certain server implementations.
The bug does not manifest with OpenSSH, which silently drops the NUL
byte (eventually with any garbage that follows the NUL byte) before
executing it.
Bug: https://bugzilla.redhat.com/1489736
When building with OPENSSL_API_COMPAT=0x10100000L, OpenSSL_add_all_algorithms
and OpenSSL_add_all_ciphers don't exist. The corresponding functionality is
handled automatically with OpenSSL 1.1.
Since they use our own PEM parser which did not support encrypted
PEM files, trying to use such files on these backends failed.
Fix that by augmenting the PEM parser to support encrypted PEM files.
Fixes a segfault using ssh-agent on Windows
This commit fixes a segfault seen dereferencing a null pointer on
Windows when using ssh-agent. The problem ended up being that errors
weren't being communicated all the way through, causing null pointers to
be used when functions should have bailed out sooner.
The `_libssh2_dh_key_pair` function for WinCNG was modified to propagate
errors, and then the two callsites in kex.c of
`diffie_hellman_sha{1,256}` were updated to recognize this error and
bail out.
Fixes#162Closes#163
Not all backends feature the low level API needed to compute a Diffie-Hellman
secret, but some of them directly implement Diffie-Hellman support with opaque
private data. The later approach is now generalized and backends are
responsible for all Diffie Hellman computations.
As a side effect, procedures/macros _libssh2_bn_rand and _libssh2_bn_mod_exp
are no longer needed outside the backends.
Examples can't be linked with libmbedtls but need libmbedcrypto, and
any users of libssh2 which use libtool and libssh2.la would encounter
the same problem.
This changes the mbedtls detection to search for libmbedcrypto, which
is the actual dependency for the backend.
* os400: minimum supported OS version is now V6R1.
Do not log compiler informational messages.
* Implement crypto backend specific Diffie-Hellman computation.
This feature is now needed on os400 because the QC3 library does not
implement bn_mod_exp() natively. Up to now, this function was emulated using
an RSA encryption, but commits ca5222ea819cc5ed797860070b4c6c1aeeb28420 and
7934c9ce2a029c43e3642a492d3b9e494d1542be (CVE-2016-0787) broke the emulation
because QC3 only supports RSA exponents up to 512 bits.
Happily, QC3 supports a native API for Diffie-Hellman computation, with
opaque random value: this commit implements the use of this API and, as a
side effect, enables support of this feature for any other crypto backend that
would use it.
A "generic" Diffie-Hellman computation internal API supports crypto backends
not implementing their own: this generic API uses the same functions as before.
* Fix typos in docs/HACKING.CRYPTO.
The new --with-crypto option replaces the previous backend-specific
--with-{openssl,libgcrypt,mbedtls,wincng} options and fixes some issues.
* libgcrypt or mbedtls would previously be used whenever found, even
if configure was passed --without-libgcrypt or --without-mbedtls.
* If --with-$backend was specified then configure would not fail even
if that library could not be found, and would instead use whichever
crypto library was found first.
The new option defaults to `auto`, which makes configure check for all
supported crypto libraries in turn, choosing the first one found, or
exiting with an error if none can be found.
* Revert "Revert "travis: Test mbedtls too""
This reverts commit c4c60eac5ca756333034b07dd9e0b97741493ed3.
* travis: Build mbedtls from source on Travis
Use TOOLCHAIN_OPTION when calling cmake on mbedtls
* tests: only run DSA tests for non-mbedtls
crypto backends
