shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-04 12:20:42 +09:00
Code Issues Packages Projects Releases Wiki Activity
6,503 Commits 12 Branches 62 Tags
38f3d158f663cef68e8f83d7713f3df571d3dfb8
Commit Graph

6503 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jakub Jelen
38f3d158f6 pki: Fix comparing public key of certificate 
When the first key object is a certificate object, this match will
fall through to the generic key comparison that is unable to handle
the ed25519 keys and fails.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:21:43 +01:00
Jakub Jelen
0d5a2652b4 pki: Avoild false positive matches when comparing certificates in mbedtls and gcrypt 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:21:43 +01:00
Jakub Jelen
5c496acef7 pkd: Run openssh client with SK keys 
Fixes: #331

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:20:28 +01:00
Jakub Jelen
3e074a3fba tests: Use standard way of setting cmake variables 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:20:28 +01:00
Samir Benmendil
98a844ceb2 tidy(unittests): zero-init config string pointers 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 21:44:45 +00:00
Samir Benmendil
ce45ba8c61 tests: suppress leaks from NSS modules 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Samir Benmendil
62c85a59a9 ssh_client: Return non-zero on config parsing failure 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Samir Benmendil
c4f1a70a89 connect: Support AddressFamily option 
* allow parsing of AddressFamily in config and cli
  * supports options "any", "inet" and "inet6"
* introduce SSH_OPTIONS_ADDRESS_FAMILY

Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Jakub Jelen
f52be27114 connect: Improve logging around the connection code 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Jakub Jelen
228208af5e Happy new year 2026! 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:36:19 +01:00
Jakub Jelen
163373c9d9 tests: Reproducer for missing value to LogLevel 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-19 22:08:15 +01:00
Jakub Jelen
e82677a923 config: Fix error paths of configuration parsing 
Thanks coverity, oss-fuzz and Ram-Z reporting this independently.

CID 1643770

https://oss-fuzz.com/issue/4969113899565056
https://oss-fuzz.com/issue/6448013813022720

Fixes up 1833ce86f9.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-19 22:08:15 +01:00
Nikhil V
79966eb924 fix : modify ssh_connector_free to accept NULL values 
Signed-off-by: Nikhil V <nikhilgreyshines@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-18 13:44:05 +01:00
Nikhil V
4feb0dd79d Improve doxygen documentation 
Signed-off-by: Nikhil V <nikhilgreyshines@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-18 13:44:05 +01:00
nikhil-nari
f8d943afda Improve doxygen docs 
Signed-off-by: Nikhil V <nikhilgreyshines@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-18 13:44:05 +01:00
Pavol Žáčik
4bad7cc08f hybrid_mlkem: Convert ECDH shared secret to a fixed-size string 
The shared secret is derived as bignum, and draft-ietf-sshm-mlkem-hybrid-kex
mandates that it is converted to a fixed-size byte array. Not doing this
would lead to incompatibilities with other implementations when the derived
shared secret happens to start with zero bytes.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-17 14:51:29 +01:00
Mike Frysinger
3526e02dee use standard O_NONBLOCK naming 
Systems define O_NONBLOCK & O_NDELAY as the same thing.  POSIX however
only defines O_NONBLOCK.  Rename the current define to be portable.

Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:18:02 +01:00
abdallah elhdad
ecea5b6052 Support new '-o' option parsing to client 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:15:42 +01:00
abdallah elhdad
1833ce86f9 refactor auth options handler 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:15:41 +01:00
abdallah elhdad
3938e5e850 set log level when debug option is increased 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:15:40 +01:00
Norbert Pocs
dd80a56029 libcrypto.c: Use openssl const algorithm names 
Use the openssl constants algorithm names instead of string
representations. They should not change, but it's clearer to have it
this way.

Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:12:13 +01:00
Jakub Jelen
9d6df9d0fa ssh_known_hosts_get_algorithms: Simplify cleanup ... 
...  and prevent memory leak of host_port on memory allocation failure.

Thanks Xiaoke Wang for the report!

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:06:47 +01:00
Jakub Jelen
ee180c660e server: Check strdup allocation failure 
Thanks Xiaoke Wang for the report!

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:06:45 +01:00
abdallah elhdad
541cd39f14 zeroize sensitive buffers in ssh_sntrup761x25519_build_k 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:03:21 +01:00
abdallah elhdad
64f72ed55f Replace explicit_bzero with ssh_burn 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:03:19 +01:00
Pavol Žáčik
0ef79018b3 kex: Implement remaining hybrid ML-KEM methods 
This builds on top of a9c8f94. The pure ML-KEM
code is now separated from the hybrid parts,
with the hybrid implementation generalized to
support NIST curves.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-25 17:57:42 +01:00
Pavol Žáčik
7911580304 ecdh: Factor out keypair generation 
This adds a new internal API function (ssh_ecdh_init),
similar to how it's done in curve25519 implementation.
The new function can be used in hybrid key exchange
constructions.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-25 17:57:41 +01:00
Andreas Schneider
e5108f2ffc docs: Use a modern doxygen theme 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Andreas Schneider
5ce4b65abb cmake: Add .cmake-format.yaml 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Andreas Schneider
b62675b435 chore(editorconfig): Put CMakeLists.txt in its own section 
This is read by neocmakelsp for formatting.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Jakub Jelen
f333d95013 ci: Avoid repetitive definitions 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:53 +01:00
Jakub Jelen
92d0f8aba6 ci: Remove GSSAPI from minimal build 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
66460578b1 ci: Remove marco from the whitelist 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
b93db6c3d1 ci: Replace ad-hoc exports with variables 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
1c3143ff00 ci: Add cmocka.cfg to avoid false positives reports from csbuild 
Based on cmocka changes:

https://gitlab.com/cmocka/cmocka/-/blob/master/cppcheck/cmocka.cfg

https://gitlab.com/cmocka/cmocka/-/blob/master/.gitlab-ci.yml#L148

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:31 +01:00
Praneeth Sarode
47305a2f72 docs(fido2): add FIDO2/U2F security key support chapter to documentation 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:23 +05:30
Praneeth Sarode
5bbaecfaa7 feat(pki): extend the sshsig API to support security keys along with tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:14 +05:30
Praneeth Sarode
6e5d0a935f tests(fido2): add tests for SK ECDSA and SK Ed25519 public key authentication 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5d4d9f8208 tests(rsa): add test for RSA key generation using the newer ssh_pki_generate_key API 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
c128cf8807 tests(pki): add torture tests for pki_sk functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5937b5ba4e feat(torture_sk): add functions to validate security key signatures and to create PKI context 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
1241a3a8c9 tests(fido2): add sk-dummy support to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
21d338737a tests(fido2): add sk key files to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
d91630308d pki: add security key identities to session options 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
37f0e91814 feat(pki): add security key support with enrollment, signing, and resident key loading functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:36 +05:30
Praneeth Sarode
32a256e157 feat(pki): add ssh_key getters to retrieve security key flags, application, and user ID 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
14bd26e71c feat(pki): add support for user ID in ssh_key structure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
97e71606e0 feat(pki): add ssh_pki_ctx to ssh_session 
The session struct now contains an ssh_pki_ctx struct as its member to allow for passing user configured pki options across many functions.
The ssh_options_set API has been extended to allow users to set this member.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
d4b0de702b feat(pki): implement PKI context API 
A new generic struct is introduced which contains the various configuration options that can be used by pki operations.
API functions have been provided to configure all the options.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
acc080ac03 tests(fido2): add tests for the usb-hid security key callbacks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:46 +05:30