/* Copyright (C) 2004-2007 Sara Golemon <sarag@libssh2.org>
* Copyright (C) 2005,2006 Mikhail Gusarov <dottedmag@dottedmag.net>
* Copyright (C) 2006-2007 The Written Word, Inc.
* Copyright (C) 2007 Eli Fant <elifantu@mail.ru>
* Copyright (C) 2009-2023 Daniel Stenberg
* Copyright (C) 2008, 2009 Simon Josefsson
* Copyright (C) 2000 Markus Friedl
* Copyright (C) 2015 Microsoft Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms,
* with or without modification, are permitted provided
* that the following conditions are met:
*
* Redistributions of source code must retain the above
* copyright notice, this list of conditions and the
* following disclaimer.
*
* Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* Neither the name of the copyright holder nor the names
* of any other contributors may be used to endorse or
* promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*/
see NEWS
libssh2 - SSH2 library
======================
libssh2 is a library implementing the SSH2 protocol, available under
the revised BSD license.
Web site: https://libssh2.org/
Mailing list: https://lists.haxx.se/listinfo/libssh2-devel
License: see COPYING
Source code: https://github.com/libssh2/libssh2
Web site source code: https://github.com/libssh2/www
Installation instructions are in:
- docs/INSTALL_CMAKE for CMake
- docs/INSTALL_AUTOTOOLS for Autotools
Changelog for the libssh2 project. Generated with git2news.pl
Daniel Stenberg (16 Oct 2024)
- RELEASE-NOTES: 1.11.1
Viktor Szakats (8 Oct 2024)
- RELEASE-NOTES: sync [ci skip]
- [Anders Borum brought this change]
session: support server banners up to 8192 bytes (was: 256)
If server had banner exceeding 256 bytes there wasn't enough room in
`_LIBSSH2_SESSION.banner_TxRx_banner`. Only the first 256 bytes would be
read making the first packet read fail but also dooming key exchange as
`session->remote.banner` didn't include everything.
This change bumps the banner buffer to 8KB to match OpenSSH.
Fixes #1442
Closes #1443
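A model of the failure described in the entry above, as an added example that is not libssh2 code: a fixed-capacity line reader is run over a constructed server stream whose identification line is longer than 256 bytes, once with each buffer size. All names (`read_line`, `find_banner`, `run_demo`) and the sample stream are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; a model of the changelog entry, not libssh2 source. */
#define BANNER_CAP_OLD 256   /* buffer size before the change */
#define BANNER_CAP_NEW 8192  /* buffer size after the change */

/* Constructed sample input: one line sent before the identification
   string, then an identification line with a 300-byte comment. */
#define PRE_LINE    "Authorized use only\r\n"
#define ID_PREFIX   "SSH-2.0-ExampleServer_1.0 "
#define COMMENT_LEN 300

enum { BANNER_OK = 0, BANNER_TOO_LONG = -1, BANNER_INCOMPLETE = -2,
       BANNER_NOT_SSH = -3 };

struct banner_result {
    int rc;
    size_t consumed; /* bytes taken from the stream */
    size_t stored;   /* bytes kept in out[], CR LF stripped */
};

static unsigned char g_stream[1024];
static char g_out[BANNER_CAP_NEW];
/* Constructed first bytes of the binary packet that follows the banner. */
static const unsigned char g_packet[] = { 0x00, 0x00, 0x00, 0x0c, 0x0a, 0x14 };

/* Read one LF-terminated line into out[cap]. A line that does not fit is
   reported as BANNER_TOO_LONG; its unread tail stays in the stream. */
static struct banner_result read_line(const unsigned char *in, size_t len,
                                      char *out, size_t cap)
{
    struct banner_result r = { BANNER_INCOMPLETE, 0, 0 };
    size_t i;

    if(cap == 0) {
        r.rc = BANNER_TOO_LONG;
        return r;
    }
    for(i = 0; i < len; i++) {
        if(in[i] == '\n') {
            if(r.stored && out[r.stored - 1] == '\r')
                r.stored--;
            out[r.stored] = '\0';
            r.consumed = i + 1;
            r.rc = (r.stored >= 4 && !memcmp(out, "SSH-", 4)) ?
                   BANNER_OK : BANNER_NOT_SSH;
            return r;
        }
        if(r.stored + 1 >= cap) { /* keep one byte for the NUL */
            out[r.stored] = '\0';
            r.consumed = i;
            r.rc = BANNER_TOO_LONG;
            return r;
        }
        out[r.stored++] = (char)in[i];
    }
    out[r.stored] = '\0';
    r.consumed = len;
    return r;
}

/* Skip lines that precede the identification string, then read it.
   On return, consumed is counted from the start of the stream. */
static struct banner_result find_banner(const unsigned char *in, size_t len,
                                        char *out, size_t cap)
{
    struct banner_result r;
    size_t off = 0;

    do {
        r = read_line(in + off, len - off, out, cap);
        off += r.consumed;
    } while(r.rc == BANNER_NOT_SSH && off < len);
    r.consumed = off;
    return r;
}

/* Build the constructed stream; *end is the offset just past the banner. */
static size_t build_stream(size_t *end)
{
    size_t n = 0;

    memcpy(g_stream + n, PRE_LINE, sizeof(PRE_LINE) - 1);
    n += sizeof(PRE_LINE) - 1;
    memcpy(g_stream + n, ID_PREFIX, sizeof(ID_PREFIX) - 1);
    n += sizeof(ID_PREFIX) - 1;
    memset(g_stream + n, 'x', COMMENT_LEN);
    n += COMMENT_LEN;
    g_stream[n++] = '\r';
    g_stream[n++] = '\n';
    *end = n;
    memcpy(g_stream + n, g_packet, sizeof(g_packet));
    return n + sizeof(g_packet);
}

static size_t banner_end(void) { size_t e; build_stream(&e); return e; }
static size_t id_len(void) { return sizeof(ID_PREFIX) - 1 + COMMENT_LEN; }

static struct banner_result run_demo(size_t cap)
{
    size_t end;
    size_t len = build_stream(&end);
    return find_banner(g_stream, len, g_out, cap);
}

int main(void)
{
    struct banner_result o = run_demo(BANNER_CAP_OLD);
    struct banner_result n = run_demo(BANNER_CAP_NEW);
    printf("cap %d: rc=%d stored=%zu of %zu, %zu banner bytes unread\n",
           BANNER_CAP_OLD, o.rc, o.stored, id_len(), banner_end() - o.consumed);
    printf("cap %d: rc=%d stored=%zu of %zu, %zu banner bytes unread\n",
           BANNER_CAP_NEW, n.rc, n.stored, id_len(), banner_end() - n.consumed);
    return 0;
}
```

With the smaller capacity the stored string is shorter than what the server sent and the rest of the line is still in the stream where the first packet is expected; with the larger capacity both problems disappear.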
- RELEASE-NOTES: sync [ci skip]
- cmake: sync and improve Find modules, add `pkg-config` native detection
- sync code between Find modules.
- wolfssl: replace `pkg-config` hints with native detection.
- libgcrypt, mbedtls: add `pkg-config`-based native detection.
- libgcrypt: add version detection.
- limit `pkg-config` use for `UNIX`, vcpkg, and non-cross MinGW builds,
and builds with no manual customization via `*_INCLUDE_DIR` or
`*_LIBRARY`.
- replace and sync Find module header comments.
- ci: delete manual mbedTLS config that's now redundant.
Based on similar work done in curl.
Second attempt at #1420
Closes #1445
- cmake: initialize `LIBSSH2_LIBDIRS` [ci skip]
Follow-up to c87f12963037b22e6b60411c9c2d6513c06e2f03 #1466
- ci/appveyor: fix and bump OpenSSL 3 path, add path check
Follow-up to b5e68bdc37c6afa0dc777794dda8307167919d04 #1461
Closes #1468
- cmake: link to OpenSSL::Crypto, not OpenSSL::SSL
Follow-up to 82b09f9b3aae97f641fbcc2d746d2a6383abe857 #1322
Follow-up to c84745e34e53f863ffba997ceeee7d43d1c63a4b #1128
Cherry-picked from #1445
Closes #1467
- cmake: generate `LIBSSH2_PC_LIBS_PRIVATE` dynamically
Generate `LIBSSH2_PC_LIBS_PRIVATE` from `LIBSSH2_LIBS`.
Also add extra libdirs (`-L`) to `Libs` and `Libs.private`.
Logic copied from curl.
Closes #1466
- cmake: initialize `LIBSSH2_PC_REQUIRES_PRIVATE` [ci skip]
Follow-up to 0fce9dcc2909ffff5f4a1a1bc3d359fc7f409299 #1464
- cmake: add comment about `libssh2.pc.in` variables [ci skip]
- cmake: support absolute `CMAKE_INSTALL_INCLUDEDIR`/`CMAKE_INSTALL_LIBDIR`
in `libssh2.pc`.
Also use `${exec_prefix}` (instead of `${prefix}`) as a base for `libdir`.
Closes #1465
- cmake: rename two variables and initialize them
- `LIBRARIES` -> `LIBSSH2_LIBS`
- `SOCKET_LIBRARIES` -> `LIBSSH2_LIBS_SOCKET`
Also initialize them before use.
Cherry-picked from #1445
Closes #1464
- ci/appveyor: reduce test runs (workaround for infrastructure permafails)
Jobs consistently fail to connect to the test server (run in GHA) since
2024-Aug-29:
https://ci.appveyor.com/project/libssh2org/libssh2/builds/50498393
There was an earlier phase of failures one month before that, that got
fixed by increasing the wait for the server in
bf3af90b3f1bb14cf452df7a8eb55cc9088f3e7f.
Thus, skip running tests in AppVeyor CI jobs, except: After some
experiments, it seems that running tests with the last OpenSSL job and
the last WinCrypt job _work_, which still leaves some coverage.
It remains to be seen how stable this is.
This is meant as a temporary fix till there is a solution to make all
jobs run tests reliably like up until a few months ago.
Closes #1461
- [Patrick Monnerat brought this change]
os400: drop vsprintf() use
Follow-up to discussion in #1457
Plus e-mail address update.
Closes #1462
- RELEASE-NOTES: sync [ci skip]
Daniel Stenberg (30 Sep 2024)
- openssl: free allocated resources when using openssl3
Reproduces consistently with curl test case 638
Closes #1459
Viktor Szakats (28 Sep 2024)
- checksrc: update, check all sources, fix fallouts
update from curl:
https://github.com/curl/curl/blob/cff75acfeca65738da8297aee0b30427b004b240/scripts/checksrc.pl
Closes #1457
- cmake: prefer `find_dependency()` in `libssh2-config.cmake`
CMake manual suggests using `find_dependency()` (over `find_package()`)
in `config.cmake` scripts.
Ref: https://cmake.org/cmake/help/latest/module/CMakeFindDependencyMacro.html
Closes #1460
- ci: use Ninja with cmake
Closes #1458
GitHub (27 Sep 2024)
- [dksslq brought this change]
Fix memory leaks in _libssh2_ecdsa_curve_name_with_octal_new and _libssh2_ecdsa_verify (#1449)
Better error handling in `_libssh2_ecdsa_curve_name_with_octal_new` and `_libssh2_ecdsa_verify` to prevent leaks.
Credit: dksslq <dksslq@github.com>
- [rolag brought this change]
Fix unstable connections over nonblocking sockets (#1454)
The `send_existing()` function allows partially sent packets to be sent
fully before any further packets are sent. Originally this returned
`LIBSSH2_ERROR_BAD_USE` when a different caller or thread tried to send
an existing packet created by a different caller or thread causing the
connection to disconnect. Commit 33dddd2f8ac3bc81 removed the return
allowing any caller to continue sending another caller's packet. This
caused connection instability as discussed in #1397 and confused the
client and server causing occasional duplicate packets to be sent and
giving the error `rcvd too much data` as discussed in #1431. We return
`LIBSSH2_ERROR_EAGAIN` instead to allow existing callers to finish
sending their own packets.
Fixes #1397
Fixes #1431
Related #720
Credit: klux21, rolag
- [Will Cosgrove brought this change]
Prevent possible double free of hostkey (#1452)
NULL server hostkey based on fuzzer failure case.
Viktor Szakats (7 Sep 2024)
- cmake: tidy up syntax, minor improvements
- make internal variables underscore-lowercase.
- unfold lines.
- fold lines setting header directories.
- fix indent.
- drop interim variable `EXAMPLES`.
- initialize some variables before populating them.
- clear a variable after use.
- add `libssh2_dumpvars()` function for debugging.
- allow to override default `CMAKE_UNITY_BUILD_BATCH_SIZE`.
- bump up default `CMAKE_UNITY_BUILD_BATCH_SIZE` to 0 (was 32).
- tidy up option descriptions.
Closes #1446
- cmake: rename mbedTLS and wolfSSL Find modules
To match the curl ones.
Cherry-picked from #1445
- RELEASE-NOTES: sync [ci skip]
- cmake: fixup version detection in mbedTLS find module
- avoid warning with 2.x versions about missing header file while
extracting the version number.
- clear temp variables.
Closes #1444
- buildconf: drop
Use `autoreconf -fi` instead.
Follow-up to fc5d77881eb6bb179f831e626d15f4f29179aad5
Closes #1441
- [Michael Buckley brought this change]
Implement chacha20-poly1305@openssh.com
Probably the biggest and potentially most controversial change we have
to upstream.
Because earlier versions of OpenSSL implemented the algorithm before
standardization, using an older version of OpenSSL can cause problems
connecting to OpenSSH servers. Because of this, we use the public domain
reference implementation instead of the crypto backends, just like
OpenSSH does.
We've been holding this one for a few years. We were about to upstream
it around the same time as aes128gcm landed upstream, and the two
changes were completely incompatible. Honestly, it took me weeks to
reconcile these two implementations, and it could be much better.
Our original implementation changed every crypt method to decrypt the
entire message at once. The AESGCM implementation instead went with this
firstlast design, where a firstlast parameter indicates whether this is
the first or last call to the crypt method for each message. That added
a lot of bookkeeping overhead, and wasn't compatible with the chacha
public domain implementation.
As far as I could tell, OpenSSH uses the technique of decrypting the
entire message in one go, and doesn't have anything like firstlast.
However, I could not get our aes128gcm implementation to work that way,
nor could I get the chacha implementation to work with firstlast, so I
split it down the middle and let each implementation work differently.
It's kind of a mess, and probably should be cleaned up, but I don't have
the time to spend on it anymore, and it's probably better to have
everything upstream.
Fixes #584
Closes #1426
- tidy-up: do/while formatting
Also fix an indentation and delete empty lines.
Closes #1440
- wolfssl: drop header path hack
The wolfSSL OpenSSL headers reside in `wolfssl/openssl/*.h`.
Before this patch the wolfSSL OpenSSL compatibility header includes were
shared with the native OpenSSL codepath, and used `openssl/*.h`. For
wolfSSL builds this required a hack to append the
`<wolfssl-prefix>/wolfssl` directory to the header search path, to find
the headers.
This patch changes the source to use the correct header references,
allowing to drop the header path hack.
Also fix to use the correct variable to set up the header path in CMake:
`WOLFSSL_INCLUDE_DIRS` (was: `WOLFSSL_INCLUDE_DIR`, without the `S`)
Closes #1439
- cmake: mbedTLS detection tidy-ups
- set and use `MBEDTLS_INCLUDE_DIRS`.
- stop marking `MBEDTLS_LIBRARIES` as advanced.
Closes #1438
- cmake: add quotes, delete ending dirseps
Follow-up to 3fa5282d6284efba62dc591697e6a687152bdcb1 #1166
Closes #1437
- CI/appveyor: increase wait for SSH server on GHA [ci skip]
Blind attempt to make AppVeyor CI tests work again.
- disable DSA by default
Also:
- add `LIBSSH2_DSA_ENABLE` to enable it explicitly.
- test the above option in CI.
- say 'deprecated' in docs and public header.
- disable DSA in the CI server config.
(OpenSSH 9.8 no longer builds with it by default)
https://www.openssh.com/txt/release-9.8
Patch-by: Jose Quaresma
- disable more DSA code when not enabled.
Fixes #1433
Closes #1435
GitHub (30 Jul 2024)
- [Viktor Szakats brought this change]
tidy-up: link updates (#1434)
Marc Hoersken (27 Jul 2024)
- ci/GHA: revert concurrency and improve permissions
Statuses are per AppVeyor event and commit, not pull-request.
Also align permissions approach with curl, least privilege.
Partially reverts b08cfbc99fa4df3459db4e1ccf4263fd260e9b15.
GitHub (23 Jul 2024)
- [Will Cosgrove brought this change]
Always init mbedtls_pk_context (#1430)
In the failure case, mbedtls_pk_context could be free'd without first being initialized.
- [Viktor Szakats brought this change]
mbedtls: tidy-up (#1429)
- [Will Cosgrove brought this change]
Correctly initialize values (#1428)
Fix regression with commit from #1421
Viktor Szakats (14 Jul 2024)
- RELEASE-NOTES: sync [ci skip]
- [Seo Suchan brought this change]
mbedtls: expose `mbedtls_pk_load_file()` for our use
While it's moved to pk_internal, it won't be removed in mbedTLS 3.6 LTS
so it's safe to redeclare it on our side to find it.
This is implementing emergency fix suggested from
https://github.com/libssh2/libssh2/commit/2e4c5ec4627b3ecf4b6da16f365c011dec9a31b4#commitcomment-141379351
Follow-up to e973493f992313b3be73f51d3f7ca6d52e288558 #1393
Follow-up to 2e4c5ec4627b3ecf4b6da16f365c011dec9a31b4 #1349
Closes #1421
GitHub (13 Jul 2024)
- [Viktor Szakats brought this change]
ci/GHA: simplify mbedTLS build hack for autotools (#1425)
Follow-up to e973493f992313b3be73f51d3f7ca6d52e288558 #1393
- [Michael Buckley brought this change]
Always check for null pointers before calling _libssh2_bn_set_word (#1423)
- [Viktor Szakats brought this change]
ci/GHA: FreeBSD 14.1, actions bump (#1424)
- [Michael Buckley brought this change]
Increase SFTP_HANDLE_MAXLEN back to 4092 (#1422)
Match OpenSSH for compatibility.
Viktor Szakats (10 Jul 2024)
- ci/GHA: tidy up casing [ci skip]
- REUSE: fix typo in comment
- REUSE: shorten and improve
Follow-up to 70b8bf314cf4566a7529c5d6eae63097a926abb0 #1419
- REUSE: upgrade to `REUSE.toml`
Closes #1419
- build: stop detecting `sys/param.h` header
This header is no longer used.
Follow-up to 12427f4fb8e789adcee4a6e30974932883915e88 #1415
Closes #1418
- [Nicolas Mora brought this change]
tests: avoid using `MAXPATHLEN`, for portability
`MAXPATHLEN` is not present in some systems, e.g. GNU Hurd.
Co-authored-by: Viktor Szakats
Ref: 54bef4c5dad868a9d45fdbfca9729b191c0abab5 #198
Fixes #1414
Closes #1415
- cmake: sync formatting in `cmake/Find*` modules
- [Michael Buckley brought this change]
sftp: implement posix-rename@openssh.com
Add a new function `libssh2_sftp_posix_rename_ex()` and
`libssh2_sftp_posix_rename()`, which implement
the posix-rename@openssh.com extension.
If the server does not support this extension, the function returns
`LIBSSH2_FX_OP_UNSUPPORTED` and it's up to the user to recover, possibly
by calling `libssh2_sftp_rename()`.
Co-authored-by: Viktor Szakats (bump to size_t)
Closes #1386
- src: use `UINT32_MAX`
Needs to be defined for platforms missing it, e.g. VS2008.
Closes #1413
GitHub (25 Jun 2024)
- [Michael Buckley brought this change]
Fix a memory leak in key exchange. (#1412)
Original fix submitted as a patch by Trzik.
Co-authored-by: Michael Buckley <michael@panic.com>
Viktor Szakats (25 Jun 2024)
- RELEASE-NOTES: sync [ci skip]
- wolfssl: fix `EVP_Cipher()` use with v5.6.0 and older
Add workaround for the wolfSSL `EVP_Cipher(*p, NULL, NULL, 0)` bug to
make libssh2 work with wolfSSL v5.6.0 and older.
wolfSSL fixed this issue in v5.7.0:
https://github.com/wolfSSL/wolfssl/pull/7143
https://github.com/wolfSSL/wolfssl/commit/b0de0a1c95119786cf5651dd76dd7d7bdfac5a04
Without our local workaround:
- v5.3.0 and older fail most tests:
Ref: https://github.com/libssh2/libssh2/actions/runs/9646827522/job/26604211476#step:17:1263
- v5.4.0, v5.5.x, v5.6.0 fail these:
```
29 - test_read-aes128-cbc (Failed)
30 - test_read-aes128-ctr (Failed)
32 - test_read-aes192-cbc (Failed)
33 - test_read-aes192-ctr (Failed)
34 - test_read-aes256-cbc (Failed)
35 - test_read-aes256-ctr (Failed)
```
Ref: https://github.com/libssh2/libssh2/actions/runs/9646827522/job/26604233819#step:17:978
Oddly enough the workaround breaks OpenSSL tests, so only enable it for
the affected wolfSSL versions.
Also add new build-from-source wolfSSL CI job to test the new codepath.
wolfSSL has a build bug where `wolfssl/options.h` and
`wolfssl/version.h` are not copied to the `install` destination with
autotools. With CMake it has a different bug where `wolfcrypt/sp_int.h`
is not copied (with v5.4.0). And another with CMake where `FIPS_mode()`
remains missing (with v5.6.0 and earlier.)
Therefore use CMake with v5.5.4 and a workaround for `FIPS_mode()`.
Another option is autotools with v5.4.0 and a workaround for `install`,
but CMake builds quicker.
Regression-from 3c953c05d67eb1ebcfd3316f279f12c4b1d600b4 #797
Fixes #1020
Fixes #1299
Assisted-by: Michael Buckley via #1394
Closes #1394 (another attempt to fix the mentioned wolfSSL bug)
Closes #1407
- wolfssl: bump version in upstream issue comment [ci skip]
- wolfssl: require v5.4.0 for AES-GCM
Earlier versions crash while running tests.
This patch is part of a series of fixes to make wolfSSL AES-GCM support
work together with libssh2.
Possibly related is this wolfSSL bugfix patch, released in v5.4.0:
https://github.com/wolfSSL/wolfssl/pull/5205
https://github.com/wolfSSL/wolfssl/commit/fb3c611275dfe454c331baa0818445a0406c208a
"Fix another AES-GCM EVP control command issue"
Ref: #1020
Ref: #1299
Cherry-picked from #1407
Closes #1411
- tests: fix excluding AES-GCM tests
Replace hard-coded crypto backends and rely on `LIBSSH2_GCM` macro
to decide whether to run AES-GCM tests.
Without this, build attempted to run AES-GCM tests (and failed)
for crypto backends that have conditional support for this feature, e.g.
wolfSSL without the necessary features built-in
(as in before Homebrew wolfssl 5.7.0_1, or OpenSSL v1.1.0 and older).
This patch is part of a series of fixes to make wolfSSL AES-GCM support
work together with libssh2.
Cherry-picked from #1407
Closes #1410
- ci/GHA: fix wolfSSL-from-source AES-GCM tests
Turns out these tests:
```
31 - test_read-aes128-gcm@openssh.com (Failed)
36 - test_read-aes256-gcm@openssh.com (Failed)
```
were failing because AES-GCM wasn't enabled in libssh2. This in turn
happened because the `WOLFSSL_AESGCM_STREAM` macro wasn't enabled while
building wolfSSL. Which happened because this macro isn't enabled by
any CMake-level wolfSSL option. Passing it as `CPPFLAGS` fixes it.
This allows enabling tests with wolfSSL 5.7.0.
Follow-up to d4cea53f53c78febad14b4caa600e25d1aaf92fd #1408
Closes #1409
- ci/GHA: add Linux job with latest wolfSSL built from source
After this patch it's possible to run tests with wolfSSL 5.7.0.
wolfSSL 5.7.0 fixes this bug that affects open issues #1020 and #1299:
https://github.com/wolfSSL/wolfssl/pull/7143
`-DWOLFSSL_OPENSSLALL=ON` is necessary for `wolfSSL_FIPS_mode()`
Closes #1408
- ci/GHA: tidy up build-from-source steps [ci skip]
- make curl downloads less verbose.
- fix cmake warning:
```
CMake Warning:
No source or binary directory provided. Both will be assumed to be the
same as the current working directory, but note that this warning will
become a fatal error in future CMake releases.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/9509866494/job/26213472410#step:5:32
- [Adam brought this change]
src: fix type warning in `libssh2_sftp_unlink` macro
The `libssh2_sftp_unlink` macro was implicitly casting the `size_t`
returned by `strlen` to the `unsigned int` type expected by
`libssh2_sftp_unlink_ex`.
This fix adds an explicit cast to match similar macro definitions in
the same file (e.g. `libssh2_sftp_rename`, `libssh2_sftp_mkdir`).
Closes #1406
- libssh2.pc: reference mbedcrypto pkgconfig
mbedtls 3.6.0 got pkgconfig support:
https://github.com/Mbed-TLS/mbedtls/commit/a4d17b34f354557838e05d2cb47200e8dcaaf59b
Reference it from `libssh2.pc`.
Closes #1405
- tidy-up: typo in comment [ci skip]
- RELEASE-NOTES: sync [ci skip]
Also bump planned deprecation dates.
- ci/GHA: show configure logs on failure and other tidy-ups
- dump cmake error log on configure failure. (for cmake 3.26 and newer)
- dump `config.log` on autotools configure failure.
- convert specs filename to Windows format before passing to CMake.
- add missing quotes.
Closes #1403
- ci/GHA: bump parallel jobs to nproc+1
Ref: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
Closes #1402
- ci/GHA: show test logs on failure
Closes #1401
- ci/GHA: fix `Dockerfile` failing after Ubuntu package update
Likely due to an upstream Ubuntu package update (requiring an apt-get
install call beforehand), tests run via autotools started failing with
no change in the libssh2 repo:
```
FAIL: test_aa_warmup
====================
Error running command 'docker build --quiet -t libssh2/openssh_server %s' (exit 256): Dockerfile:10
--------------------
8 | && apt-get clean \
9 | && rm -rf /var/lib/apt/lists/*
10 | >>> RUN mkdir /var/run/sshd
11 |
12 | # Chmodding because, when building on Windows, files are copied in with
--------------------
ERROR: failed to solve: process "/bin/sh -c mkdir /var/run/sshd" did not complete successfully: exit code: 1
Failed to build docker image
Cannot stop session - none started
Cannot stop container - none started
Command: docker build --quiet -t libssh2/openssh_server ../../tests/openssh_server
FAIL test_aa_warmup (exit status: 1)
```
Ref: https://github.com/libssh2/libssh2/actions/runs/9322194756/job/25662748095#step:11:390
Fix it by skipping `mkdir` if `/var/run/sshd` already exists.
(Why cmake-based jobs aren't affected, I don't know.)
Ref: https://github.com/libssh2/libssh2/commit/50143d5867d35df76a6cf589ca8a13b22105aa64#commitcomment-142560875
Closes #1400
- ci/GHA: use ubuntu-latest with OmniOS job
It's the same as ubuntu-22.04.
Also update OmniOS package search link.
- ci: disable dependency tracking in autotools builds
For better build performance. Dependency tracking causes a build
overhead while compiling to help a subsequent build, but in CI there is
never one and the extra work is discarded.
Closes #1396
- mbedtls: fail to compile with v3.6.0 outside CI
A compile-time failure is preferred over an unexpected one at
runtime.
The problem is silenced with a macro in CI and this macro will have
to be added to more platforms when mbedTLS v3.6.0 reaches them.
Follow-up to 2e4c5ec4627b3ecf4b6da16f365c011dec9a31b4 #1349
Closes #1393
- tests: drop default cygpath option `-u`
- tidy-up: fix typo found by codespell
Ref: https://github.com/libssh2/libssh2/actions/runs/9224795055/job/25380857082?pr=1393#step:4:5
- ci/GHA: shell syntax tidy-up
Closes #1390
- RELEASE-NOTES: sync [ci skip]
- ci/GHA: bump NetBSD/OpenBSD, add NetBSD arm64 job
OpenBSD arm64 jobs were very slow, so skipped that.
Closes #1388
- autotools: fix to update `LDFLAGS` for each detected dependency
autotools lib detection routine failed to extend LDFLAGS for each
detection. This could cause successful detection of a dependency, but
later failing to use it. This did not cause an issue as long as all
dependencies lived under the same prefix, but started breaking on macOS
ARM + Homebrew where this was no longer true for mbedTLS and zlib in
particular.
Follow-up to 844115393bffb4e92c6569204cbe4cd8e553480d #1381
Follow-up to ae2770de25949bc7c74e60b4cc6a011bbe1d3d7c #1377
Closes #1384
GitHub (8 May 2024)
- [Michael Buckley brought this change]
OpenSSL 3: Fix calculating DSA public key (#1380)
Viktor Szakats (8 May 2024)
- ci/GHA: tidy-up wolfSSL autotools config on macOS
Closes #1383
- ci/GHA: shorter mbedTLS autotools workaround
Follow-up to 844115393bffb4e92c6569204cbe4cd8e553480d #1381
Closes #1382
GitHub (8 May 2024)
- [Michael Buckley brought this change]
ci: fix mbedtls runners on macOS (#1381)
Sets LDFLAGS while configuring the autoconf mbedTLS build for macOS.
Viktor Szakats (29 Apr 2024)
- RELEASE-NOTES: sync [ci skip]
- [binary1248 brought this change]
wincng: fix `DH_GEX_MAXGROUP` set higher than supported
In 1c3a03ebc3166cf69735111aba2b8cee57cdba51 #493,
`LIBSSH2_DH_GEX_MAXGROUP` was introduced to specify
crypto-backend-specific modulus sizes. Unfortunately, the max size for
the wincng DH modulus was defined to 8192, probably because this is the
value most other backends support.
According to Microsoft documentation [1], `BCryptGenerateKeyPair`
currently only supports up to 4096-bit keys when the selected algorithm
is `BCRYPT_DH_ALGORITHM`. Requesting larger keys when calling
`BCryptGenerateKeyPair` in `_libssh2_dh_key_pair` always results in
`STATUS_INVALID_PARAMETER` being returned and ultimately key exchange
failing.
When attempting to connect to any server that offers 8192 bit DH, this
causes key exchange to always fail when using the wincng backend.
Reducing `LIBSSH2_DH_GEX_MAXGROUP` to 4096 fixes the issue.
[1] https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgeneratekeypair
Closes #1372
- build: silence warnings inside `FD_SET()`/`FD_ISSET()` macros
Use an ugly workaround to silence `-Wsign-conversion` warnings triggered
by the internals of `FD_SET()`/`FD_ISSET()` macros. They've been showing
up in OmniOS CI builds when compiling `example` programs. They also have
been seen with older Cygwin and other envs and configurations.
Also scope two related variables in examples.
E.g.:
```
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
251 | FD_SET(forwardsock, &fds);
| ^~~~~~
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'long int' may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:251:9: warning: conversion to 'long int' from 'long unsigned int' may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
259 | if(rc && FD_ISSET(forwardsock, &fds)) {
| ^~~~~~~~
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'long int' may change the sign of the result [-Wsign-conversion]
```
Ref: https://github.com/libssh2/libssh2/actions/runs/8854199687/job/24316762831#step:3:2020
Closes #1379
- autotools: use `AM_CFLAGS`
Use `AM_CFLAGS` to pass custom, per-target C flags. This replaces using
`CFLAGS` which triggered this warning when running `autoreconf -fi`:
```
tests/Makefile.am:8: warning: 'CFLAGS' is a user variable, you should not override it;
tests/Makefile.am:8: use 'AM_CFLAGS' instead
```
(Only for `tests`, even though `example` and `src` also used this
method. The warning is also missing from curl, that also uses
`CFLAGS`.)
Follow-up to 3ec53f3ea26f61cbf2e0fbbeccb852fca7f9b156 #1286
Closes #1378
GitHub (25 Apr 2024)
- [Viktor Szakats brought this change]
ci/GHA: fix gcrypt with autotools/macOS/Homebrew/ARM64 (#1377)
mbedtls configure fails to detect anything due to this:
```
configure:23101: gcc -o conftest -g -O2 -I/opt/homebrew/include conftest.c -lmbedcrypto -lz >&5
ld: library 'mbedcrypto' not found
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```
Viktor Szakats (25 Apr 2024)
- autotools: delete bogus square bracket from help text [ci skip]
Follow-up to 3f98bfb0900b5e68445a339cfebc60b307a24650 #1368
GitHub (25 Apr 2024)
- [Viktor Szakats brought this change]
ci/GHA: fix verbose option for autotools jobs (#1376)
Also enable verbose for macOS `make` step.
- [Viktor Szakats brought this change]
ci/GHA: dump `config.log` on failure for macOS autotools jobs (#1375)
- [Viktor Szakats brought this change]
ci/GHA: fix `autoreconf` failure on macOS/Homebrew (#1374)
By manually installing `libtool`.
```
autoreconf -fi
shell: /bin/bash -e {0}
configure.ac:75: error: possibly undefined macro: AC_LIBTOOL_WIN32_DLL
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:76: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: error: /opt/homebrew/Cellar/autoconf/2.72/bin/autoconf failed with exit status: 1
```
Ref: https://github.com/libssh2/libssh2/actions/runs/8833608758/job/24253334557#step:4:1
- [Viktor Szakats brought this change]
ci/GHA: fixup Homebrew location (for ARM runners) (#1373)
GHA macOS runners became ARM64 machines. Make the Homebrew prefix
dynamic to adapt to these installations.
Viktor Szakats (14 Apr 2024)
- RELEASE-NOTES: sync [ci skip]
- [Patrick Monnerat brought this change]
os400: Add two recent files to the distribution
Closes #1364
- wincng: add to ci/GHA, add `./configure` option `--enable-ecdsa-wincng`
- add `./configure` option `--enable-ecdsa-wincng`
- add WinCNG autotools jobs to GHA.
- enable WinCNG ECDSA in some GHA jobs (both CMake and autotools).
Follow-up to 3e72343737e5b17ac98236c03d5591d429b119ae #1315
Closes #1368
GitHub (14 Apr 2024)
- [Johannes Passing brought this change]
wincng: add ECDSA support for host and user authentication (#1315)
The WinCNG backend currently only supports DSA and RSA. This PR
adds ECDSA support for host and user authentication.
* Disable WinCNG ECDSA support by default to maintain backward
compatibility for projects that target versions below Windows 10.
* Add cmake option `ENABLE_ECDSA_WINCNG` to guard ECDSA support.
* Update AppVeyor job matrix to only enable ECDSA on Server 2016+
Viktor Szakats (14 Apr 2024)
- ci: enable Unity mode for most CMake builds
Ref: 7129ea9ca8cca86dac80a6bac2d63937987efe9d #1034
Closes #1367
- os400: fix shellcheck warnings in scripts (fixups)
- Build scripts must be executed by the os/400 shell (sh), not bash which
is a PASE program: The `-ot` non-POSIX test extension works in os/400 as
well. Ref: https://github.com/libssh2/libssh2/pull/1364#issue-2241646754
- Drop/fixup mods trying to make some syntax highlighters happier.
Follow-up to c6625707b94d9093f38f1a0a4d89c11b64f12ba8 #1358
Assisted-by: Patrick Monnerat
Closes #1364
Closes #1366
- cmake: style tidy-up (more)
Follow-up to 3fa5282d6284efba62dc591697e6a687152bdcb1 #1166
Closes #1365
- RELEASE-NOTES: sync [ci skip]
- os400: fix shellcheck warnings in scripts
- use `$()` instead of backticks, and re-arrange double-quotes inside.
- add missing `|| exit 1` to `cd` calls. (could be dropped by using `set -eu`.)
- add `-n` to a few `if`s.
- shorten redirections by using `{} >` (as shellcheck recommended).
- silence warnings where variables were detected as unused (SC2034).
- a couple misc updates to silence warnings.
- switch to bash shebang for `-ot` feature.
- split two lines to unbreak syntax highlighting in my editor. (`$(expr \`, `$(dirname \`)
Also enable CI checks for OS/400 shell scripts.
Ref: d88b9bcdafe9d19aad2fb120d0a0acb3edab64f7
Closes #1358
- RELEASE-NOTES: sync [ci skip]
- ci: add shellcheck job and script
Add FIXME for OS/400 scripts.
Cherry-picked from #1358
- tests: fix shellcheck issues in `test_sshd.test`
Cherry-picked from #1358
- RELEASE-NOTES: sync [ci skip]
GitHub (9 Apr 2024)
- [Viktor Szakats brought this change]
ci/appveyor: re-enable OpenSSL 3, also bump to 3.2.1 (#1363)
Ref: 104744f4a523de574ce3767c50948d9b8385be4c #1348
Viktor Szakats (9 Apr 2024)
- ci: use a better test timestamp [ci skip]
Mar 27 2024 08:00:00 GMT+0000
Follow-up to 2d765e454d98b794a5e5bbc497b1fcba4a9b8c4b #1360
GitHub (9 Apr 2024)
- [Viktor Szakats brought this change]
ci: verify build and install from tarball (#1362)
Install verification based on:
https://github.com/curl/curl/blob/28c5ddf13ac311d10bc4e8f9fc4ce0858a19b888/scripts/installcheck.sh
Viktor Szakats (9 Apr 2024)
- tidy-up: dir names, command-line [ci skip]
Follow-up to 2d765e454d98b794a5e5bbc497b1fcba4a9b8c4b #1360
- cmake: tidy up function name casing in `CopyRuntimeDependencies.cmake`
Use lowercase to match callers.
GitHub (9 Apr 2024)
- [Viktor Szakats brought this change]
ci: add reproducibility test for `maketgz` (#1360)
Viktor Szakats (9 Apr 2024)
- maketgz: add reproducible dir entries to tarballs
In the initial implementation of reproducible tarballs, they were
missing directory entries, while .zip archives had them. It meant
that on extracting the tarball, on-disk directory entries got the
current timestamp.
This patch fixes this by including directory entries in the tarball,
with reproducible timestamps. It also moves sorting inside tar,
to ensure reproducible directory entry timestamps on extract
(without the need of `--delay-directory-restore` option, when
extracting with GNU tar. BSD tar got that right by default.)
GNU tar 1.28 (2014-07-28) introduced `--sort=`.
Follow-up to d52fe1b4358fab891037d86b5c73c098079567db #1357
Closes #1359
- ci/GHA: improve version number in `maketgz` test
Follow-up to cba7f97506c1b8e5ff131bbbc57b5796ac634c56 #1353
GitHub (8 Apr 2024)
- [Michael Buckley brought this change]
src: check the return value from `_libssh2_bn_*()` functions (#1354)
Found by oss-fuzz. In `diffie_hellman_sha_algo()`, we were calling
`_libssh2_bn_from_bin()` with data received by the server without
checking whether that data was zero-length or ridiculously long.
In the OpenSSL backend, this would cause `_libssh2_bn_from_bin()`
to fail an allocation, which would eventually lead to a NULL
dereference when the bignum was used.
Add the same check for `_libssh2_bn_set_word()` and
`_libssh2_bn_to_bin()`.
Viktor Szakats (8 Apr 2024)
- maketgz: reproducible tarballs/zip, display tarball hashes
- support `SOURCE_DATE_EPOCH` for reproducibility.
- make tarballs reproducible.
- make file timestamps in tarball/zip reproducible.
- make directory timestamps in zip reproducible.
- make timestamps of tarballs/zip reproducible.
- make file order in tarball/zip reproducible.
- use POSIX ustar tarball format to avoid supply chain vulnerability: https://seclists.org/oss-sec/2021/q4/0
- make uid/gid in tarball reproducible.
- omit owner user/group names from tarball for reproducibility and privacy.
- omit current timestamp from .gz header for reproducibility.
- display SHA-256 hashes of produced tarballs/zip. (Requires `sha256sum`)
- re-sync formatting with curl's `maketgz`.
Closes #1357
- maketgz: `set -eu`, reproducibility, improve zip, add CI test
- set bash `-eu`.
- fix bash `-eu` issues.
- apply `TZ=UTC` and `LC_ALL=C` for reproducibility.
- sort `.zip` entries for reproducibility.
- zip with `--no-extra` for reproducibility.
- use maximum zip compression.
- add the gpg sign command-line. Copied from curl.
- add CI test for `maketgz`.
Closes #1353
- RELEASE-NOTES: sync and cleanups [ci skip]
GitHub (3 Apr 2024)
- [Tejaswikandula brought this change]
Support RSA SHA2 cert-based authentication (rsa-sha2-512_cert and rsa-sha2-256_cert) (#1314)
Replicating OpenSSH's behavior to handle RSA certificate authentication
differently based on the remote server version.
1. For OpenSSH versions >= 7.8, ascertain server's support for RSA Cert
types by checking if the certificate's signature type is present in
the `server-sig-algs`.
2. For OpenSSH versions < 7.8, Set the "SSH_BUG_SIGTYPE" flag when the
RSA key in question is a certificate to ignore `server-sig-algs` and
only offer ssh-rsa signature algorithm for RSA certs.
This arises from the fact that OpenSSH versions up to 7.7 accept
RSA-SHA2 keys but not RSA-SHA2 certificate types. Although OpenSSH <=7.7
includes RSA-SHA2 keys in the `server-sig-algs`, versions <=7.7 do not
actually support RSA certs. Therefore, server sending RSA-SHA2 keys in
`server-sig-algs` should not be interpreted as indicating support for
RSA-SHA2 certs. So, `server-sig-algs` are ignored when the RSA key in
question is a cert, and the remote server version is 7.7 or below.
Relevant sections of the OpenSSH source code:
<https://github.com/openssh/openssh-portable/blob/V_8_9_P1/sshconnect2.c#L1191-L1197>
<https://github.com/openssh/openssh-portable/blob/master/compat.c#L43>
Assisted-by: Will Cosgrove
Reviewed-by: Viktor Szakats
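The version-dependent choice described in the entry above, as an added example (not libssh2's or OpenSSH's own code). The function names are hypothetical; treating non-OpenSSH banners as having no quirk, and returning NULL when no SHA-2 type is advertised, are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` is an exact entry of the comma-separated `list`.
   Exact matching matters: a substring search would accept look-alikes. */
static int namelist_has(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = list;

    while(p && *p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if(len == nlen && memcmp(p, name, len) == 0)
            return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Return 1 if the banner identifies OpenSSH 7.7 or older, the versions
   for which the entry says `server-sig-algs` must be ignored for certs. */
static int openssh_lacks_sha2_certs(const char *banner)
{
    const char *v = banner ? strstr(banner, "OpenSSH_") : NULL;
    int major = 0, minor = 0;

    if(!v || sscanf(v, "OpenSSH_%d.%d", &major, &minor) != 2)
        return 0; /* assumption: not OpenSSH or unparsable means no quirk */
    return major < 7 || (major == 7 && minor < 8);
}

/* Pick the signature algorithm to offer for an RSA certificate.
   Returns NULL when a >= 7.8 server advertises no RSA-SHA2 type
   (assumption: the caller decides what to do in that case). */
const char *rsa_cert_sig_alg(const char *banner, const char *server_sig_algs)
{
    static const char *const sha2[] = { "rsa-sha2-512", "rsa-sha2-256" };
    size_t i;

    if(openssh_lacks_sha2_certs(banner))
        return "ssh-rsa"; /* ignore server-sig-algs entirely */
    if(!server_sig_algs)
        return NULL;
    for(i = 0; i < sizeof(sha2) / sizeof(sha2[0]); i++) {
        if(namelist_has(server_sig_algs, sha2[i]))
            return sha2[i];
    }
    return NULL;
}

int main(void)
{
    /* Constructed banners and server-sig-algs list, for illustration. */
    const char *algs = "ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa";

    printf("7.7: %s\n", rsa_cert_sig_alg("SSH-2.0-OpenSSH_7.7p1", algs));
    printf("8.9: %s\n", rsa_cert_sig_alg("SSH-2.0-OpenSSH_8.9p1", algs));
    return 0;
}
```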
Viktor Szakats (3 Apr 2024)
- RELEASE-NOTES: sync [ci skip]
Also fix to include 3-digit issue/PR references.
- mbedtls: add workaround + FIXME to build with 3.6.0
This is just a stub to make `_libssh2_mbedtls_ecdsa_new_private`
compile.
mbedtls 3.6.0 silently deleted its public API `mbedtls_pk_load_file`,
which this function relies on.
Closes #1349
GitHub (3 Apr 2024)
- [Viktor Szakats brought this change]
ci/appveyor: OpenSSL 3 no longer found by CMake, revert to 1.1.1 (#1348)
Ref: https://github.com/appveyor/build-images/commit/702e8cdca01f28f6a40687783f493c786cebbe2c
Ref: https://github.com/appveyor/build-images/pull/149
Viktor Szakats (3 Apr 2024)
- docs: improve `libssh2_userauth_publickey_from*` manpages
Reported-by: Lyndon Brown
Assisted-by: Ryan Kelley
Fixes #652
Closes #1308
Closes #xxxx
- RELEASE-NOTES: sync [ci skip]
GitHub (2 Apr 2024)
- [Viktor Szakats brought this change]
test debian:testing-slim post xz backdoor removal (#1346)
The unexplained CI fallouts are gone with the latest debian:testing (20240330).
Ref #1328 #1329 #1338.
Closes #1346
Viktor Szakats (30 Mar 2024)
- ci: use Linux runner for BSDs, add arm64 FreeBSD 14 job
- bump cross-platform-actions to 0.23.0.
Ref: https://github.com/cross-platform-actions/action/releases/tag/v0.23.0
- switch to Linux runners (from macOS) for cross-platform-actions.
It's significantly faster.
- switch back FreeBSD 14 job to cross-platform-actions.
Also switch back to default shell.
- add FreeBSD 14 arm64 job.
Closes #1343
- ci: use single quotes in yaml [ci skip]
- ci: tidy-up job order [ci skip]
- build: drop `-Wformat-nonliteral` warning suppressions
Also markup a vararg function as such.
In functions marked up as vararg functions, there is no need to suppress
`-Wformat-nonliteral` warnings. It's done automatically by the compiler.
Closes #1342
- ci: delete flaky FreeBSD 13.2 job
Keep FreeBSD 14.
- RELEASE-NOTES: sync [ci skip]
- example: restore `sys/time.h` for AIX
In AIX, `time.h` header file doesn't have definitions like
`fd_set`, `struct timeval`, which are found in `sys/time.h`.
Add `sys/time.h` to files affected when available.
Regression from e53aae0e16dbf53ddd1a4fcfc50e365a15fcb8b9 #1001.
Reported-by: shubhamhii on GitHub
Assisted-by: shubhamhii on GitHub
Fixes #1334
Fixes #1335
Closes #1340
- userauth: avoid oob with huge interactive kbd response
- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
integer overflow occurs on 64-bit systems. Avoid such truncation to
always allocate enough memory to avoid subsequent out of boundary
writes.
Patch-by: Tobias Stoeckmann
- also add FIXME to bump up length field to `size_t` (ABI break)
Closes #1337
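The wrap described in the entry above, shown beside a checked length calculation, as an added example (not the libssh2 patch itself). The struct and function names are hypothetical; the layout of one type byte, a 4-byte response count, and a 4-byte length prefix per response follows the SSH keyboard-interactive response message.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one keyboard-interactive response. */
struct kbd_response {
    const char *text;
    unsigned int length; /* unsigned int length field, as in the entry */
};

/* Wrapping form: `4 + length` is evaluated in unsigned int, so a length
   of UINT_MAX - 3 or more wraps to a small value before it is widened
   to size_t. A buffer sized from this total is too small for the data. */
size_t packet_len_wrapping(const struct kbd_response *r, size_t n)
{
    size_t total = 1 + 4; /* message type + response count */
    size_t i;

    for(i = 0; i < n; i++)
        total += 4 + r[i].length;
    return total;
}

/* Checked form: widen first, then refuse any sum that cannot be
   represented in size_t. Returns 0 and stores the total, or -1. */
int packet_len_checked(const struct kbd_response *r, size_t n, size_t *out)
{
    size_t total = 1 + 4;
    size_t i;

    for(i = 0; i < n; i++) {
        size_t len = r[i].length;

        if(total > SIZE_MAX - 4 || len > SIZE_MAX - 4 - total)
            return -1;
        total += 4 + len;
    }
    *out = total;
    return 0;
}

/* Constructed inputs: only the length fields matter for this example. */
static const struct kbd_response constructed_huge[] = {
    { "", UINT_MAX - 3 }
};
static const struct kbd_response constructed_small[] = {
    { "password", 8 }, { "123", 3 }
};

int main(void)
{
    size_t checked = 0;
    int rc = packet_len_checked(constructed_huge, 1, &checked);

    printf("wrapping: %lu\n",
           (unsigned long)packet_len_wrapping(constructed_huge, 1));
    if(rc == 0)
        printf("checked:  %lu\n", (unsigned long)checked);
    else
        printf("checked:  rejected\n");
    return 0;
}
```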
GitHub (28 Mar 2024)
- [Josef Cejka brought this change]
transport: check ETM on remote end when receiving (#1332)
We should check if encrypt-then-MAC feature is enabled in remote end's
configuration.
Fixes #1331
- [Josef Cejka brought this change]
kex: always add extension indicators to kex_algorithms (#1327)
KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
are in default kex method list but they were lost after configuring
custom kex method list in libssh2_session_method_pref().
Fixes #1326
- [Jiwoo Park brought this change]
cmake: use the imported target of FindOpenSSL module (#1322)
* Use the imported target of FindOpenSSL module
* Build libssh2 before test runner
* Use find_package() in the CMake config file
* Use find_dependency() rather than find_package()
* Install CMake module files and use them in the config file
* Use elseif() to choose the crypto backend
- [Andrei Augustin brought this change]
docs: update INSTALL_AUTOTOOLS (#1316)
corrected --with-libmbedtls-prefix to current option --with-libmbedcrypto-prefix
Viktor Szakats (28 Mar 2024)
- ci: don't parallelize `distcheck` job
A while ago the `distcheck` CI job became flaky. This continued after
switching to Debian stable (from testing). Try stabilizing it by running
it single-threaded.
Closes #1339
- Dockerfile: switch to Debian stable (from testing)
This fixes flakiness experienced recently with two OpenSSL jobs and one
libgcrypt job, and/or intermittently causing all Docker-based tests to
fail.
Reported-by: András Fekete
Fixes #1328
Fixes #1329
Closes #1338
GitHub (22 Feb 2024)
- [Michael Buckley brought this change]
Supply empty hash functions for mac_method_hmac_aesgcm to avoid a crash when e.g. setting LIBSSH2_METHOD_CRYPT_CS (#1321)
- [Michael Buckley brought this change]
gen_publickey_from_dsa: Initialize BIGNUMs to NULL for OpenSSL 3 (#1320)
Viktor Szakats (23 Jan 2024)
- RELEASE-NOTES: add algo deprecation notices [ci skip]
Closes #1307
- RELEASE-NOTES: sync [ci skip]
GitHub (22 Jan 2024)
- [Juliusz Sosinowicz brought this change]
wolfssl: enable debug logging in wolfSSL when compiled in (#1310)
Co-authored-by: Viktor Szakats
- [monnerat brought this change]
os400: maintain up to date (#1309)
- Handle MD5 conditionals in os400qc3.
- Check for errors in os400qc3 pbkdf1.
- Implement an optional build options override file.
- Sync ILE/RPG copy files with current C header files.
- Allow a null session within a string conversion cache.
- Add an ILE/RPG example.
- Adjust outdated copyrights in changed files.
Viktor Szakats (18 Jan 2024)
- RELEASE-NOTES: sync
- src: check hash update/final success
Also:
- delete unused internal macro `libssh2_md5()` where defined.
- prefix `libssh2_os400qc3_hash*()` function names with underscore.
These are public/visible, but internal.
- add FIXMEs to OS/400 code to verify update/final calls; some OS API,
some internal.
Ref: https://github.com/libssh2/libssh2/pull/1301#discussion_r1446861650
Reviewed-by: Michael Buckley
Reviewed-by: Patrick Monnerat
Closes #1303
- RELEASE-NOTES: sync [ci skip]
GitHub (18 Jan 2024)
- [Ryan Kelley brought this change]
openssl: fix cppcheck found NULL dereferences (#1304)
* Fix NULL dereference in gen_publickey_from_rsa_evp and
gen_publickey_from_dsa_evp.
* Add checks for en_publickey_from_ec_evp and en_publickey_from_ed_evp
Viktor Szakats (12 Jan 2024)
- openssl: delete internal `read_openssh_private_key_from_memory()`
It was wrapping another internal function with no added logic.
Closes #1306
- openssl: formatting/whitespace
Also use `NULL` instead of `0` for pointers.
Closes #1305
- HACKING-CRYPTO: more fixups [ci skip]
Follow-up to f64885b6ab9bbdae2da9ebd70f4dd5cea56e838a #1297
- HACKING-CRYPTO: fixups [ci skip]
Follow-up to f64885b6ab9bbdae2da9ebd70f4dd5cea56e838a #1297
- RELEASE-NOTES: sync [ci skip]
- src: check hash init success
Before this patch, SHA2 and SHA1 init function results were cast to
`void`. This patch makes sure to verify these values.
Also:
- exclude an `assert(0)` from release builds in `_libssh2_sha_algo_ctx_init()`.
(return error instead)
- fix indentation / whitespace
Reviewed-by: Michael Buckley
Closes #1301
- mac: handle low-level errors
- update low-level hmac functions from macros to functions.
- libgcrypt: propagate low-level hmac errors.
- libgcrypt: add error checks for hmac calls.
- os400qc3: add error checks, propagate them.
Assisted-by: Patrick Monnerat
- mbedtls: fix propagating low-level hmac errors.
- wincng: fix propagating low-level hmac errors.
- mac: verify success of low-level hmac functions.
- knownhost: verify success of low-level hmac functions.
- transport: verify success of MAC hash call.
- minor type cleanup in wincng.
- delete unused ripemd wrapper in wincng.
- delete unused SHA384 wrapper in mbedtls.
Reported-by: Paul Howarth
Reviewed-by: Michael Buckley
Closes #1297
GitHub (8 Jan 2024)
- [Michael Buckley brought this change]
Fix an out-of-bounds read in _libssh2_kex_agree_instr when searching for a KEX not in the server list (#1302)
Viktor Szakats (21 Dec 2023)
- RELEASE-NOTES: sync [ci skip]
- ci/appveyor: re-enable parallel mode
The comment cited earlier is no longer true with recent CMake versions.
This option does actually enable parallel builds with MSVC since CMake
v3.26.0: https://gitlab.kitware.com/cmake/cmake/-/issues/20564
The effect isn't much for libssh2, because it spends most time in tests,
but let's enable it anyway for efficiency.
Ref: 0d08974633cfc02641e6593db8d569ddb3644255 #884
Ref: 7a039d9a7a2945c10b4622f38eeed21ba6b4ec55 #867
Closes #1294
- ci/gha: review/fixup auto-cancel settings
- use the group expression from `reuse.yml` (via curl).
- add auto-cancel for `ci` and `cifuzz`.
- add auto-cancel to `appveyor_docker`. I'm just guessing here.
The hope is that it fixes AppVeyor CI runs when re-pushing a PR.
This frequently caused the freshly pushed session to fail waiting for
a connection.
- sync group expression in `appveyor_status` with `reuse`.
Closes #1292
- RELEASE-NOTES: fix casing in GitHub names [ci skip]
- RELEASE-NOTES: synced [ci skip]
Closes #1279
- [Michael Buckley brought this change]
src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
Refs:
https://terrapin-attack.com/
https://seclists.org/oss-sec/2023/q4/292
https://osv.dev/list?ecosystem=&q=CVE-2023-48795
https://github.com/advisories/GHSA-45x7-px36-x8w8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
Fixes #1290
Closes #1291
- session: add `libssh2_session_callback_set2()`
Add new `libssh2_session_callback_set2()` API that deprecates
`libssh2_session_callback_set()`.
The new implementation offers the same functionality, but accepts and
returns a generic function pointer (of type `libssh2_cb_generic *`), as
opposed to the old function that used data pointers (`void *`). The new
solution thus avoids data to function (and vice versa) pointer
conversions, which has undefined behaviour in standard C.
About the name: It seems the `*2` suffix was used in the past for
replacement functions for deprecated ones. Let's stick with that.
`*_ex` was preferred for new functions that extend existing ones with
new features.
Closes #1285
- build: enable `-pedantic-errors`
According to the manual, this isn't the same as `-Werror -pedantic`.
Enable it together with `-Werror`.
https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-pedantic-errors-1
This option results in autotools feature detection going into crazies.
To avoid this, we add it to `CFLAGS` late. Idea copied from curl.
This option has an effect only with gcc 5.0 and newer as of this commit.
Let's enable it for clang and older versions too for simplicity. Ref:
https://github.com/curl/curl/commit/d5c0351055d5709da8f3e16c91348092fdb481aa
https://github.com/curl/curl/pull/2747
Closes #1286
- build: add mingw-w64 support to `LIBSSH2_PRINTF()` attribute
And fix the warning it detected.
Closes #1287
- libssh2.h: add deprecated function warnings
With deprecated-at versions and suggested replacement function.
It's possible to silence them by defining `LIBSSH2_DISABLE_DEPRECATION`.
Also add deprecated-at versions to documentation, and unify wording.
Ref: https://github.com/libssh2/libssh2/pull/1260#issuecomment-1837017987
Closes #1289
- ci/spellcheck: delete redundant option [ci skip]
`--check-hidden` not necessary when passing filenames explicitly.
Follow-up to a79218d3a058a333bb9de14079548a3511679a04
- tidy-up: add empty line for clarity [ci skip]
- build: FIXME `-Wsign-conversion` to be errors [ci skip]
- src: disable `-Wsign-conversion` warnings, add option to re-enable
To avoid the log noise till we fix those ~360 compiler warnings.
Also add macro `LIBSSH2_WARN_SIGN_CONVERSION` to re-enable them.
Follow-up to afa6b865604019ab27ec033294edfe3ded9ae0c0 #1257
Closes #1284
- cmake: fix indentation [ci skip]
- example, tests: call `WSACleanup()` for each `WSAStartup()`
On Windows.
Closes #1283
- RELEASE-NOTES: update credits [ci skip]
Ref: https://github.com/libssh2/libssh2/pull/1241#issuecomment-1830118584
- RELEASE-NOTES: avoid splitting names, fix typo, refine order [ci skip]
- RELEASE-NOTES: synced [ci skip]
- add portable `LIBSSH2_SOCKET_CLOSE()` macro
Add `LIBSSH2_SOCKET_CLOSE()` to the public `libssh2.h` header, for user
code. It translates to `closesocket()` on Windows and `close()` on other
platforms.
Use it in example code.
It makes them more readable by reducing the number of `_WIN32` guards.
Closes #1278
- ci: add FreeBSD 14 job, fix issues
- install bash to fix error when running tests:
```
ERROR: test_sshd.test - missing test plan
ERROR: test_sshd.test - exited with status 127 (command not found?)
=====================================
[...]
# TOTAL: 4
# PASS: 2
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 2
[...]
env: bash: No such file or directory
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7133852508/job/19427420687#step:3:3998
- fix sshd issue when running tests:
```
# sshd log:
# Server listening on :: port 4711.
# Server listening on 0.0.0.0 port 4711.
# Authentication refused: bad ownership or modes for file /home/runner/work/libssh2/libssh2/tests/key_rsa.pub
# Authentication refused: bad ownership or modes for file /home/runner/work/libssh2/libssh2/tests/openssh_server/authorized_keys
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7134629175/job/19429828342#step:3:4059
Cherry-picked from #1277
Closes #1277
- ci: add OmniOS job, fix issues
- use GNU Make, to avoid errors:
```
make: Fatal error in reader: Makefile, line 983: Badly formed macro assignment
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7134629175/job/19429838379#step:3:1956
Caused by `?=` in `Makefile.am`. Fix it just in case.
```
make: Fatal error in reader: Makefile, line 438: Unexpected end of line seen
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7135524843/job/19432451767#step:3:1966
It's around line 43 in `Makefile.am`, reason undiscovered.
- fix error:
```
../../src/hostkey.c:1227:44: error: pointer targets in passing argument 5 of '_libssh2_ed25519_sign' differ in signedness [-Werror=pointer-sign]
1227 | datavec[0].iov_base, datavec[0].iov_len);
| ~~~~~~~~~~^~~~~~~~~
| |
| caddr_t {aka char *}
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7135102832/job/19431233967#step:3:2225
https://docs.oracle.com/cd/E36784_01/html/E36887/iovec-9s.html
- FIXME: new `-Wsign-conversion` warnings appeared in examples:
```
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
251 | FD_SET(forwardsock, &fds);
| ^~~~~~
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:251:9: warning: conversion to 'long unsigned int' from 'long int' may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:251:9: warning: conversion to 'long int' from 'long unsigned int' may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
259 | if(rc && FD_ISSET(forwardsock, &fds)) {
| ^~~~~~~~
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'libssh2_socket_t' {aka 'int'} may change the sign of the result [-Wsign-conversion]
../../example/direct_tcpip.c:259:18: warning: conversion to 'long unsigned int' from 'long int' may change the sign of the result [-Wsign-conversion]
[...]
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7136086865/job/19433997429#step:3:3450
Cherry-picked from #1277
- example: use `libssh2_socket_t` in X11 example
Cherry-picked from #1277
- [Aaron Stone brought this change]
Handle EINTR from send/recv/poll/select to try again as the error is not fatal
Integration-patches-by: Viktor Szakats
Fixes #955
Closes #1058
- appveyor: delete UWP job broken since Visual Studio upgrade
Few days ago UWP job started permafailing.
fail: https://ci.appveyor.com/project/libssh2org/libssh2/builds/48678129/job/yb8n2pox8mfjwv6m
good: https://ci.appveyor.com/project/libssh2org/libssh2/builds/48673013
Other projects also affected:
https://ci.appveyor.com/project/c-ares/c-ares/builds/48687390/job/l0fo4b0sijvqkw9r
No related local update. Same CMake version. Same CI image.
This seems to be the culprit, which could mean that this update broke
CMake detection, needs a different CMake configuration on our end, or
that this MSVC update pulled support for UWP apps:
fail: -- The C compiler identification is MSVC 19.38.33130.0 (~ Visual Studio 2022 v17.8)
good: -- The C compiler identification is MSVC 19.37.32825.0 (~ Visual Studio 2022 v17.7)
If this is v17.8, release notes don't readily suggest a feature removal:
https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes-v17.8
So it might just be UWP accidentally broken in this release.
Closes #1275
- checksrc: sync with curl
Closes #1272
- autotools: delete `--disable-tests` option, fix CI tests
Originally added to improve build performance by skipping building
tests. But, there seems to be no point in this, because autotools
doesn't build tests by default, unless explicitly invoking
`make check`.
Delete this option from Cygwin and FreeBSD CI tests, where it caused
`make check` to do nothing. Tests are built now, and runtime tests are
too, where supported.
Also disable Docker-based tests for these, and add a missing `make -j3`
for FreeBSD.
Reverts 7483edfada1f7e17cf8f9ac1c87ffa3d814c987e #715
Closes #1271
GitHub (6 Dec 2023)
- [ren mingshuai brought this change]
build: add `LIBSSH2_NO_DEPRECATED` option (#1266)
The following APIs have been deprecated for over 10 years and
use `LIBSSH2_NO_DEPRECATED` to mark them as deprecated:
libssh2_session_startup()
libssh2_banner_set()
libssh2_channel_receive_window_adjust()
libssh2_channel_handle_extended_data()
libssh2_scp_recv()
Add these options to disable them:
- autotools: `--disable-deprecated`
- cmake: `-DLIBSSH2_NO_DEPRECATED=ON`
- `CPPFLAGS`: `-DLIBSSH2_NO_DEPRECATED`
Fixes #1259
Replaces #1260
Co-authored-by: Viktor Szakats
Closes #1267
Viktor Szakats (5 Dec 2023)
- autotools: show the default for `hidden-symbols` option
Closes #1269
- tidy-up: bump casts from int to long for large C99 types in printfs
Cast large integer types to avoid dealing with printf masks for
`size_t` and other C99 types. Some of existing code used `int`
for this, bump them to `long`.
Ref: afa6b865604019ab27ec033294edfe3ded9ae0c0 #1257
Closes #1264
- build: enable missing OpenSSF-recommended warnings, with fixes
Ref:
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
(2023-11-29)
Enable new warnings:
- replace `-Wno-sign-conversion` with `-Wsign-conversion`.
Fix them in example, tests and wincng. There remain about 360 of these
warnings in `src`. Add a TODO item for those and disable `-Werror` for
this particular warning.
- enable `-Wformat=2` for clang (in both cmake and autotools).
- enable `__attribute__((format))` for `_libssh2_debug()`,
`_libssh2_snprintf()` and in tests for `run_command()`.
`LIBSSH2_PRINTF()` copied from `CURL_TEMP_PRINTF()` in curl.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
Fix them:
- src: replace obsolete fall-through-comments with
`__attribute__((fallthrough))`.
- wincng: fix `-Wsign-conversion` warnings.
- tests: fix `-Wsign-conversion` warnings.
- example: fix `-Wsign-conversion` warnings.
- src: fix `-Wformat` issues in trace calls.
Also, where necessary fix `int` and `unsigned char` casts to
`unsigned int` and adjust printf format strings. These were not
causing compiler warnings.
Cast large types to `long` to avoid dealing with printf masks for
`size_t` and other C99 types. Existing code often used `int` for this.
I'll update them to `long` in an upcoming commit.
- tests: fix `-Wformat` warning.
- silence `-Wformat-nonliteral` warnings.
- mbedtls: silence `-Wsign-conversion`/`-Warith-conversion`
in external header.
Closes #1257
- packet: whitespace fix
Tested via #1257
- tidy-up: unsigned -> unsigned int
In the `interval` argument of public `libssh2_keepalive_config()`.
Tested via #1257
- tests: sync port number type with the rest of codebase
Tested via #1257
- autotools: enable `-Wunused-macros` with gcc
It works with gcc without the libtool warnings seen with clang
on Windows in 96682bd5e14c20828e18bf10ed5b4b5c7543924a #1227.
Sync usage of this macro with CMake and
autotools + clang + non-Windows. Making it enabled everywhere except
autotools + clang + Windows due to the libtool stub issue.
Follow-up to 7ecc309cd10454c54814b478c4f85d0041da6721 #1224
Closes #1262
- TODO: disable or drop weak algos [ci skip]
Closes #1261
- example, tests: fix/silence `-Wformat-truncation=2` gcc warnings
Then sync this warning option with curl.
Seems like a false positive and/or couldn't figure how to fix it, so silence:
```
example/ssh2.c:227:38: error: '%s' directive output may be truncated writing likely 1 or more bytes into a region of size 0 [-Werror=format-truncation=]
227 | snprintf(fn1, fn1sz, "%s/%s", h, pubkey);
| ^~
example/ssh2.c:227:34: note: assuming directive output of 1 byte
227 | snprintf(fn1, fn1sz, "%s/%s", h, pubkey);
| ^~~~~~~
example/ssh2.c:227:13: note: 'snprintf' output 3 or more bytes (assuming 4) into a destination of size 2
227 | snprintf(fn1, fn1sz, "%s/%s", h, pubkey);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
example/ssh2.c:228:38: error: '%s' directive output may be truncated writing likely 1 or more bytes into a region of size 0 [-Werror=format-truncation=]
228 | snprintf(fn2, fn2sz, "%s/%s", h, privkey);
| ^~
example/ssh2.c:228:34: note: assuming directive output of 1 byte
228 | snprintf(fn2, fn2sz, "%s/%s", h, privkey);
| ^~~~~~~
example/ssh2.c:228:13: note: 'snprintf' output 3 or more bytes (assuming 4) into a destination of size 2
228 | snprintf(fn2, fn2sz, "%s/%s", h, privkey);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7055480458/job/19205970397#step:10:98
Fix:
```
tests/openssh_fixture.c:116:38: error: ' 2>&1' directive output may be truncated writing 5 bytes into a region of size between 1 and 1024 [-Werror=format-truncation=]
tests/openssh_fixture.c:116:11: note: 'snprintf' output between 6 and 1029 bytes into a destination of size 1024
```
Ref: https://github.com/libssh2/libssh2/actions/runs/7055480458/job/19205969221#step:10:51
Tested via #1257
- example: fix indentation follow-up
Fix long line and fix more indentations.
Follow-up to 9e896e1b80911a53d6aabb322e034e6ca51b6898
- example: fix indentation
Tested via #1257
- autotools: fix missed `-pedantic` and `-Wall` options for gcc
Follow-up to 5996fefe2bad80cfba85b2569ce6ab6ef575142c #1223
Tested via #1257
- ci: show compiler in cross/cygwin job names
Tested via #1257
- mbedtls: further improve disabling `-Wredundant-decls`
Move warning option suppression to `src/mbedtls.h` to surround the actual
external header #includes that need it.
Follow-up to ecec68a2c13a9c63fe8c2dc457ae785a513e157c #1226
Follow-up to 7ecc309cd10454c54814b478c4f85d0041da6721 #1224
Tested via #1257
GitHub (1 Dec 2023)
- [ren mingshuai brought this change]
example: replace remaining libssh2_scp_recv with libssh2_scp_recv2 in output messages (#1258)
libssh2_scp_recv is deprecated and has been replaced by libssh2_scp_recv2
in prior commit.
Follow-up to 6c84a426beb494980579e5c1d244ea54d3fc1a3f
Viktor Szakats (27 Nov 2023)
- openssl: use OpenSSL 3 HMAC API, add `no-deprecated` CI job
- use OpenSSL 3 API when available for HMAC.
This fixes building with OpenSSL 3 `no-deprecated` builds.
- ensure we support pure OpenSSL 3 API by adding a CI job using
OpenSSL 3 custom-built with `no-deprecated`.
Follow-up to b0ab005fe79260e6e9fe08f8d73b58dd4856943d #1207
Fixes #1235
Closes #1243
- ci: restore lost comment for FreeBSD [ci skip]
Follow-up to eee4e8055ab375c9f9061d4feb39086737f41a9c
- ci: add OpenBSD (v7.4) job + fix build error in example
- Use CMake, LibreSSL and clang from the base install.
- This uncovered a build error in `example/subsystem_netconf.c`, caused
by using the `%n` printf mask. This is a security risk and some
systems (notably OpenBSD) disable this feature.
Fix it by applying this patch from OpenBSD ports (from 2021-09-11):
https://cvsweb.openbsd.org/ports/security/libssh2/patches/patch-example_subsystem_netconf_c?rev=1.1&content-type=text/x-cvsweb-markup
https://github.com/openbsd/ports/commit/2c5b2f3e94381914a3e8ade960ce8c997ca9d6d7
"The old code is also broken, as it passes a pointer to a variable
of a different size (on LP64). There is no check for truncation,
but buf[] is 1MB in size."
Patch-by: naddy
```
/home/runner/work/libssh2/libssh2/example/subsystem_netconf.c:252:17: error: '%n' format specifier support is deactivated and will call abort(3) [-Werror]
"]]>]]>\n%n", (int *)&len);
~^
/home/runner/work/libssh2/libssh2/example/subsystem_netconf.c:270:17: error: '%n' format specifier support is deactivated and will call abort(3) [-Werror]
"]]>]]>\n%n", (int *)&len);
~^
2 errors generated.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/6991449778/job/19022024280#step:3:420
Also made tests with arm64, but it takes consistently almost 14m to
finish the job, vs. 2-3m for the native amd64:
https://github.com/libssh2/libssh2/actions/runs/6991648984/job/19022440525
https://github.com/libssh2/libssh2/actions/runs/6991551220/job/19022233651
Cherry-picked from #1250
Closes #1250
- ci: add NetBSD (v9.3) job
Use CMake, OpenSSL (v1.1) and clang from the base install.
Cherry-picked from #1250
- ci: update and speed up FreeBSD job
- switch to an alternate GitHub action. This one seems (more) actively
maintained, and runs faster:
https://github.com/cross-platform-actions/action
- use clang instead of gcc. clang is already present in the base
install, saving install time and bandwidth.
- stop installing `openssl-quictls` and use the OpenSSL (v1.1) from
the base system.
(I'm suspecting that quictls before this patch wasn't detected by
the build.)
https://wiki.freebsd.org/OpenSSL
Cherry-picked from #1250
- stop using leading underscores in macro names
Underscored macros are reserved for the compiler / standard lib / etc.
Stop using them in user code.
We used them as header guards in `src` and in `__FILESIZE` in `example`.
Closes #1248
- ci: use absolute path in `CMAKE_INSTALL_PREFIX`
To make the installed locations unambiguous in the build logs.
Closes #1247
- openssl: make a function static, add `#ifdef` comments
Follow-up to 03092292597ac601c3f9f0c267ecb145dda75e4e #248
where the function was added.
Also add comments to make `#ifdef` branches easier to follow in
`openssl.h`.
Closes #1246
- ci: boost mbedTLS build speed
Build times down to 4 seconds (from 18-20).
Closes #1245
- openssl: fix DSA code to use OpenSSL 3 API
- fix missing `DSA` type when building for OpenSSL 3 `no-deprecated`.
- fix fallouts after fixing the above by switching away from `DSA`
with OpenSSL 3.
Follow-up to b0ab005fe79260e6e9fe08f8d73b58dd4856943d #1207
Closes #1244
- openssl: formatting (delete empty lines) [ci skip]
- tests: fall back to `$LOGNAME` for username
If the `$USER` variable is empty, fall back to using `$LOGNAME` to
retrieve the logged-in username.
In POSIX, `$LOGNAME` is a mandatory variable, while `$USER` isn't, and
on some systems it may not be set. Without this value, tests were unable
to provide the correct username when logging into the SSH server running
under the active user's session.
Reported-by: Nicolas Mora
Suggested-by: Nicolas Mora
Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056348
Fixes #1240
Closes #1241
- libssh2.h: use `_WIN32` for Windows detection instead of rolling our own
Sync up `libssh2.h` Windows detection with the libssh2 source code.
`libssh2.h` was using `WIN32` and `LIBSSH2_WIN32` for Windows detection,
next to the official `_WIN32`. After this patch it only uses `_WIN32`
for this. Also, make it stop defining `LIBSSH2_WIN32`.
There is a slight chance these break compatibility with Windows
compilers that fail to define `_WIN32`. I'm not aware of any obsolete
or modern compiler affected, but in case there is one, one possible
solution is to define this macro manually.
Closes #1238
- openssl: fix `EC_KEY` reference with OpenSSL 3 `no-deprecated` build
Fixes:
```
src/openssl.c:650:5: error: use of undeclared identifier 'EC_KEY'
EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve);
^
src/openssl.c:650:13: error: use of undeclared identifier 'ec_key'
EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve);
^
src/openssl.c:650:22: error: implicit declaration of function 'EC_KEY_new_by_curve_name' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve);
^
src/openssl.c:650:22: note: did you mean 'EC_GROUP_new_by_curve_name'?
./quictls/_a64-mac-sys/usr/include/openssl/ec.h:483:11: note: 'EC_GROUP_new_by_curve_name' declared here
EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
^
In file included from ./_a64-mac-sys-bld/src/CMakeFiles/libssh2_static.dir/Unity/unity_0_c.c:19:
In file included from src/crypto.c:10:
src/openssl.c:652:8: error: use of undeclared identifier 'ec_key'
if(ec_key) {
^
```
Ref: https://github.com/curl/curl-for-win/actions/runs/6950001225/job/18909297867#step:3:4341
Follow-up to b0ab005fe79260e6e9fe08f8d73b58dd4856943d #1207
Bug #1235
Closes #1236
- openssl: formatting
Sync up these lines with the other two similar occurrences in the code.
Cherry-picked from #1236
GitHub (21 Nov 2023)
- [Michael Buckley brought this change]
openssl: use non-deprecated APIs with OpenSSL 3.x (#1207)
Assisted-by: Viktor Szakats
Viktor Szakats (21 Nov 2023)
- ci: add BoringSSL job (cmake, gcc, amd64)
Closes #1233
- autotools: fix dotless gcc and Apple clang version detections
- fix parsing dotless (major-only) gcc versions.
Follow-up to 00a3b88c51cdb407fbbb347a2e38c5c7d89875ad #1187
- sync gcc detection variable names with curl.
- fix Apple clang version detection for releases between
'Apple LLVM version 7.3.0' and 'Apple LLVM version 10.0.1' where the
version was under-detected as 3.7 llvm/clang equivalent.
- fix Apple clang version detection for 'Apple clang version 11.0.0'
and newer where the Apple clang version was detected, instead of its
llvm/clang equivalent.
- revert to show `clang` instead of `Apple clang`, because we follow it
with an llvm/clang version number. (Apple-ness still visible in raw
version.)
Used this collection for Apple clang / llvm/clang translation and test
inputs: https://gist.github.com/yamaya/2924292
Closes #1232
- acinclude.m4: revert accidental edit [ci skip]
Follow-up to 8c320a93a48775b74f40415e46f84bf68b4d5ae8
- autotools: show more clang/gcc version details
Also:
- show if we detected Apple clang.
- delete duplicate version detection for clang.
Closes #1230
- acinclude.m4: re-sync with curl [ci skip]
- autotools: avoid warnings in libtool stub code
Seen on Windows with clang64, in libtool-generated stub code for
examples and tests.
The error didn't break the CI job for some reason.
msys2 (autotools, clang64, clang-x86_64):
```
[...]
2023-11-17T20:14:17.8639574Z ./.libs/lt-test_read.c:91:10: error: macro is not used [-Werror,-Wunused-macros]
[...]
2023-11-17T20:14:39.8729255Z ./.libs/lt-sftp_write_nonblock.c:91:10: error: macro is not used [-Werror,-Wunused-macros]
[...]
```
Ref: https://github.com/libssh2/libssh2/actions/runs/6908585056/job/18798193405?pr=1226#step:8:474
Follow-up to 7ecc309cd10454c54814b478c4f85d0041da6721 #1224
Closes #1227
- mbedtls: improve disabling `-Wredundant-decls`
Disable these warnings specifically for the mbedTLS public headers
and leave it on for the rest of the code. This also fixes this
issue for autotools. Previous solution was globally disabling this
warning for the whole code when using mbedTLS and only with CMake.
Follow-up to 7ecc309cd10454c54814b478c4f85d0041da6721 #1224
Closes #1226
- cmake: rename picky warnings script
To match the camel-case style used in other CMake scripts and also
to match the name used in curl.
Closes #1225
- build: enable more compiler warnings and fix them
Enable more picky compiler warnings. I've found these options in the
nghttp3 project when implementing the CMake quick picky warning
functionality for it.
Fix issues found along the way:
- wincng, mbedtls: delete duplicate function declarations.
Most of this was due to re-#defining crypto functions to
crypto-backend specific implementations. These redefines also remapped
the declarations in `crypto.h`, making the backend-specific
declarations duplicates.
This patch deletes the backend-specific declarations.
- wincng mapped two crypto functions to the same local function.
Also causing double declarations.
Fix this by adding two distinct wrappers and moving
the common function to a static one.
- delete unreachable `break;` statements.
- kex: disable macros when unused.
- agent: disable unused constants.
- mbedtls: disable double declaration warnings because public mbedTLS
headers trigger it. (with function `psa_set_key_domain_parameters`)
- crypto.h: formatting.
Ref: https://github.com/ngtcp2/nghttp3/blob/a70edb08e954d690e8fb2c1df999b5a056f8bf9f/cmake/PickyWarningsC.cmake
Closes #1224
- autotools: sync warning enabler code with curl
Tiny changes and minor updates to bring this code closer
to curl's `m4/curl-compilers.m4`.
Closes #1223
- acinclude.m4: fix indentation [ci skip]
Also match indentation of curl's `m4/curl-compilers.m4` for
easier syncing.
- autotool: rename variable
`WARN` -> `tmp_CFLAGS`
To match curl and make syncing this code easier.
Ref: https://github.com/curl/curl/blob/d1820768cce0e797d1f072343868ce1902170e93/m4/curl-compilers.m4#L479
Closes #1222
- autotools: picky warning options tidy-up
- sync clang warning version limits with CMake.
- make `WARN=` vs. `CURL_ADD_COMPILER_WARNINGS()` consistent with curl
and between clang and gcc (`WARN=` is for `no-` options in general).
Closes #1221
- build: picky warning updates
- cmake, autotools: sync picky gcc warnings with curl.
- cmake, autotools: add `-Wold-style-definition` for clang too.
- cmake, autotools: add comment for `-Wformat-truncation=1`.
- cmake: more precise version info for old clang options.
Closes #1219
- ci: fixup FreeBSD version, bump mbedtls
We haven't been using the FreeBSD version. Also it turns out,
the single version supported is 13.2 at the moment:
https://github.com/vmactions/freebsd-vm/tree/main/conf
Stop trying to set the version and instead rely on the action
providing the latest supported one automatically.
Follow-up to a7d2a573be26238cc2b55e5ff6649bbe620cb8d9
Also:
- add more details to the FreeBSD job description.
- bump mbedtls version while here.
Closes #1217
- cmake: fix multiple include of libssh2 package
Also extend our in