shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-04 12:20:42 +09:00
Code Issues Packages Projects Releases Wiki Activity
6,592 Commits 12 Branches 62 Tags
master
Commit Graph

633 Commits

Author SHA1 Message Date
Jakub Jelen
1b3c061aae Reproducer for memory leak from parsing knonw hosts 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2026-02-03 18:01:36 +01:00
Jakub Jelen
34db488e4d Native ML-KEM768 implementation 
for cryptographic backends that do not have support for ML-KEM (old
OpenSSL and Gcrypt; MbedTLS).

Based on the libcrux implementation used in OpenSSH, taken from this
revision:

https://github.com/openssh/openssh-portable/blob/6aba700/libcrux_mlkem768_sha3.h

But refactored to separate C and header file to support testing and
removed unused functions (to make compiler happy).

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
 2026-01-15 12:48:06 +01:00
Jakub Jelen
b33a90d20b tests: Provide minimal openssl configuration file 
When we use empty configuration file, some stuff go south in c10s
and for example fips mode detection does not work anymore.

Providing minimal configuration file avoids the issues of loading
the provider too early, while keeping fips mode activation working
and tests happy.

It also configures the pkcs11-provider to assume the token provides
FIPS approved crypto so the tests can work.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-15 12:22:10 +01:00
Jakub Jelen
7dea005729 tests: Avoid needless skip in testcases 
the whole unit is skipped in fips mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-15 12:22:10 +01:00
Jakub Jelen
82db6a7ab3 tests: Test proxyjump configuration parsing 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 13:32:01 +01:00
Pavol Žáčik
5fed1bc8be torture_packet: use SSH2_MSG_IGNORE type of test packet 
With packet filtering now implemented for type 65,
the current test packet would be rejected, resulting
in failed tests.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Pavol Žáčik
3710b31d24 session: Refactor ssh_get_publickey_hash 
Make it use the one-shot API of hash functions,
and remove the FIPS restriction for OpenSSL 3.5+
where we can fetch the MD5 implementation from
a non-FIPS provider to use for non-crypto purposes.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
e94fd6ccd1 tests: add config tests for SSH_OPTIONS_GSSAPI_KEY_EXCHANGE 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
a0707afc3e reformat: gssapi key exchange 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
bc5211d055 feat: add gssapi key exchange 
feat: add generic functions for importing name and initializing ctx

feat: add suffix to gsskex algs dynamically

feat: move gssapi key exchange to another file

feat: add gssapi key exchange for server

refactor: remove unnecessary fields in gssapi struct

refactor: add some documentation and improve logging

fix: remove gss_dh callbacks

feat: add a check to see if GSSAPI is configured correctly

fix: memory leaks

feat: add client side "gssapi-keyex" auth

feat: add gssapi_key_exchange_algs for server

fix: some memory issues

feat: add gssapi kex options to config

feat: add check to see if GSSAPI key exchange was performed

feat: add more tests for gssapi key exchange

fix: add valgrind supp

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:00 +01:00
Jakub Jelen
701a2155a7 tests: Improve test coverage of comparing certificates 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:21:43 +01:00
Samir Benmendil
98a844ceb2 tidy(unittests): zero-init config string pointers 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 21:44:45 +00:00
Samir Benmendil
c4f1a70a89 connect: Support AddressFamily option 
* allow parsing of AddressFamily in config and cli
  * supports options "any", "inet" and "inet6"
* introduce SSH_OPTIONS_ADDRESS_FAMILY

Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Jakub Jelen
163373c9d9 tests: Reproducer for missing value to LogLevel 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-19 22:08:15 +01:00
abdallah elhdad
ecea5b6052 Support new '-o' option parsing to client 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:15:42 +01:00
abdallah elhdad
64f72ed55f Replace explicit_bzero with ssh_burn 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:03:19 +01:00
Pavol Žáčik
0ef79018b3 kex: Implement remaining hybrid ML-KEM methods 
This builds on top of a9c8f94. The pure ML-KEM
code is now separated from the hybrid parts,
with the hybrid implementation generalized to
support NIST curves.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-25 17:57:42 +01:00
Praneeth Sarode
5bbaecfaa7 feat(pki): extend the sshsig API to support security keys along with tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:14 +05:30
Praneeth Sarode
5d4d9f8208 tests(rsa): add test for RSA key generation using the newer ssh_pki_generate_key API 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
c128cf8807 tests(pki): add torture tests for pki_sk functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
d91630308d pki: add security key identities to session options 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
acc080ac03 tests(fido2): add tests for the usb-hid security key callbacks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:46 +05:30
Jakub Jelen
491cd81a32 kex: Place PQC KEX methods first 
The ML-KEMx25519 is now preferred algorithm in OpenSSH so follow the suit

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:24:47 +01:00
Jakub Jelen
b9c6701c68 tests: Avoid needless pthread_exit() 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Sahana Prasad
a9c8f942a5 kex: Implement mlkem768x25519-sha256 
The implementation largely follows that of sntrup761x25519-sha512.

Most of the work was done by Sahana with the help of Claude,
Pavol provided fixes to match specs and did a final clean up.

Co-Authored-By: Sahana Prasad <sahana@redhat.com>
Co-Authored-By: Pavol Žáčik <pzacik@redhat.com>
Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-05 17:44:33 +01:00
Praneeth Sarode
f3d70e54e9 tests(string): add tests for ssh_string_from_data function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-10-10 14:00:22 +02:00
Jakub Jelen
00f1d6fac2 Add RequiredRsaSize configuration option 
to both client and server configuration file

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:06:43 +02:00
Praneeth Sarode
8541b6584f test(buffer): add unit tests for ssh_buffer_dup function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-25 15:04:18 +02:00
Jakub Jelen
6ca59307d4 Add non-namespaced alias sntrup761x25519-sha512 that is being standardized 
The specification is now in the last call, data point is allocated so there is
no need to stick to the namespaces alias anymore

https://datatracker.ietf.org/doc/draft-ietf-sshm-ntruprime-ssh/

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-09-10 12:23:08 +02:00
Praneeth Sarode
e8bbd194c7 refactor(pki): Define RSA_MIN_KEY_SIZE and update related checks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-09 12:53:43 +02:00
Jakub Jelen
d1bf9068a9 Use calloc instead of zeroizing structure after malloc 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-08-06 11:16:58 +02:00
Praneeth Sarode
cc667021e5 tests(pki): add torture tests for security keys 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-08-01 15:28:58 +05:30
Praneeth Sarode
09155adb19 tests(string): add unit tests for ssh_string_cmp function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-07-30 16:06:32 +02:00
Jakub Jelen
82c8bbc504 tests: Add missing header file to unbreak build on freebsd 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-07-24 11:13:35 +02:00
Nicolas Graves
aeb0b2ec6f Add unittests for sshsig functions 
Signed-off-by: Nicolas Graves <ngraves@ngraves.fr>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-07-10 11:21:44 +02:00
Theo Buehler
ccb8cf88c8 Unbreak torture_config_make_absolute() on OpenBSD 
The torture_config_make_absolute() and its _no_sshdir() version both
segfault on OpenBSD. The reason for this is that the storage returned
by getpwuid() is backed by mmap and is unapped by the getpwnam() call
in ssh_path_expand_tilde(), so a later access to home segfaults. The
possibility of this happening (getpwnam() overwriting values returned
by getpwuid()) is explicitly called out in POSIX.

A simple fix is to work with copies of username and homedir.

Signed-off-by: Theo Buehler <tb@openbsd.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-07-01 20:50:25 +02:00
Praneeth Sarode
b43392c31d tests(string): add unit tests for ssh_string functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-01 20:49:39 +02:00
Nicolas Graves
4135154b6d cmocka_unit_test_setup_teardown: Comply with codespell style. 
Signed-off-by: Nicolas Graves <ngraves@ngraves.fr>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-05-30 20:11:51 +02:00
Lucas Mulling
d758990d39 misc: Fix OpenSSH banner parsing 
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2025-04-28 14:56:27 -03:00
Andreas Schneider
bfae56634c tests:unittests: Fix tests on FreeBSD 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-04-24 10:47:26 +02:00
Jakub Jelen
bd10ec1162 tests: Use fseek instead of rewind to simplify error checking 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2025-04-16 17:41:22 +02:00
Jakub Jelen
3b4b8033de tests: Make the static ananlyzers happy with the threads 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2025-04-16 17:41:22 +02:00
Praneeth Sarode
344235c954 fix(tests): improve synchronization in torture_forwarded_tcpip_callback tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-04-16 14:49:40 +02:00
Jakub Jelen
b14018ecab tests: Do not build zlib test when built without 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2025-04-15 16:15:52 +02:00
Jakub Jelen
184dad101d Move the PKCS#11 provider environment variable where it needs to be 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
 2025-04-15 16:15:52 +02:00
Praneeth Sarode
f3b389d112 tests: add unit test for direct-tcpip channel open request 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-04-07 14:02:41 +02:00
Praneeth Sarode
8c8d3ceef7 tests: add unit test for forwarded-tcpip callback 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-04-07 10:57:21 +02:00
Praneeth Sarode
d92a057090 tests: fix torture_server_x11 and add it to tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-04-01 10:19:14 +02:00
Jakub Jelen
a25f9d211d tests: Fix variable names to avoid codespell issues 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-03-04 16:00:33 +01:00
Jakub Jelen
3a52bf1679 tests: Reproducer for graceful failure on ignored Match arguments 
https://gitlab.com/libssh/libssh-mirror/-/issues/291#note_2376323499
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-03-04 16:00:33 +01:00