shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-04 20:30:38 +09:00
Code Issues Packages Projects Releases Wiki Activity
6,529 Commits 12 Branches 62 Tags
a30ba0091feb4e4962e6208632ef3ce27ccbc86e
Commit Graph

1398 Commits

Author SHA1 Message Date
Pavol Žáčik
3710b31d24 session: Refactor ssh_get_publickey_hash 
Make it use the one-shot API of hash functions,
and remove the FIPS restriction for OpenSSL 3.5+
where we can fetch the MD5 implementation from
a non-FIPS provider to use for non-crypto purposes.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
f1490170f3 tests: add test for gssapi server key exchange with null hostkey and no tgt 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
e94fd6ccd1 tests: add config tests for SSH_OPTIONS_GSSAPI_KEY_EXCHANGE 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
5a99cf9c7f refactor: remove extra else if branch for disable_hostkeys 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
96807b9313 tests: add valgrind suppressions 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
6d81ecddbe fix: replace pthread_exit in gssapi tests 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
a0707afc3e reformat: gssapi key exchange 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
f9d7cadf4b fix: create fopen wrapper and block default hostkey paths 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
c1aab9903f feat: add null hostkey for server 
fix: skip gssapi tests in fips mode

fix: skip gssapi_key_exchange_null test on ubuntu and tumbleweed

fix: return early when rc != 0 to show error

tests: replace int asserts by ssh return code asserts

fix: add fatal error when hostkeys are not found and gssapi kex is not enabled

ci: add comment linking gssapi null kex bug in ubuntu and tumbleweed

fix: don't specify hostkeys in config instead of deleting files

tests: assert kex method was null

refactor: remove redundant include

refactor: better error message

fix: check null before accessing in gssapi.c

fix: allow setting no hostkeys
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
fd1c3e8878 feat: test null hostkey on ci 
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
9044fcdb52 feat: add "gssapi-keyex" for server 
feat: add negative auth client tests, and more key exchange server tests

feat: add function for checkinf if GSSAPI key exchange was performed
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:13 +01:00
Gauravsingh Sisodia
bc5211d055 feat: add gssapi key exchange 
feat: add generic functions for importing name and initializing ctx

feat: add suffix to gsskex algs dynamically

feat: move gssapi key exchange to another file

feat: add gssapi key exchange for server

refactor: remove unnecessary fields in gssapi struct

refactor: add some documentation and improve logging

fix: remove gss_dh callbacks

feat: add a check to see if GSSAPI is configured correctly

fix: memory leaks

feat: add client side "gssapi-keyex" auth

feat: add gssapi_key_exchange_algs for server

fix: some memory issues

feat: add gssapi kex options to config

feat: add check to see if GSSAPI key exchange was performed

feat: add more tests for gssapi key exchange

fix: add valgrind supp

Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:24:00 +01:00
Jakub Jelen
701a2155a7 tests: Improve test coverage of comparing certificates 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:21:43 +01:00
Jakub Jelen
5c496acef7 pkd: Run openssh client with SK keys 
Fixes: #331

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:20:28 +01:00
Jakub Jelen
3e074a3fba tests: Use standard way of setting cmake variables 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-05 12:20:28 +01:00
Samir Benmendil
98a844ceb2 tidy(unittests): zero-init config string pointers 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 21:44:45 +00:00
Samir Benmendil
ce45ba8c61 tests: suppress leaks from NSS modules 
Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Samir Benmendil
c4f1a70a89 connect: Support AddressFamily option 
* allow parsing of AddressFamily in config and cli
  * supports options "any", "inet" and "inet6"
* introduce SSH_OPTIONS_ADDRESS_FAMILY

Signed-off-by: Samir Benmendil <me@rmz.io>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2026-01-02 14:34:11 +00:00
Jakub Jelen
163373c9d9 tests: Reproducer for missing value to LogLevel 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-19 22:08:15 +01:00
abdallah elhdad
ecea5b6052 Support new '-o' option parsing to client 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-12-12 18:15:42 +01:00
abdallah elhdad
64f72ed55f Replace explicit_bzero with ssh_burn 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-12-12 18:03:19 +01:00
Pavol Žáčik
0ef79018b3 kex: Implement remaining hybrid ML-KEM methods 
This builds on top of a9c8f94. The pure ML-KEM
code is now separated from the hybrid parts,
with the hybrid implementation generalized to
support NIST curves.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-25 17:57:42 +01:00
Praneeth Sarode
5bbaecfaa7 feat(pki): extend the sshsig API to support security keys along with tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:14 +05:30
Praneeth Sarode
6e5d0a935f tests(fido2): add tests for SK ECDSA and SK Ed25519 public key authentication 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5d4d9f8208 tests(rsa): add test for RSA key generation using the newer ssh_pki_generate_key API 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
c128cf8807 tests(pki): add torture tests for pki_sk functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5937b5ba4e feat(torture_sk): add functions to validate security key signatures and to create PKI context 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
1241a3a8c9 tests(fido2): add sk-dummy support to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
21d338737a tests(fido2): add sk key files to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
d91630308d pki: add security key identities to session options 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
acc080ac03 tests(fido2): add tests for the usb-hid security key callbacks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:46 +05:30
Praneeth Sarode
e56af9fa79 feat(torture_sk): add validation functions for security key callback responses and resident keys 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
c4b2bd34a8 feat(torture): add torture_get_sk_pin function to retrieve PIN from environment 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
eda5c6576b tests(torture_sk): validate sk_flags against allowed security key flags 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Jakub Jelen
cefc4f8c97 pkd: Run tests with ecdsa and ed25519 keys with dropbear 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
b64e7f67d3 pkd: Run ed25519 tests with dropbear 
Resolves: #336

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
491cd81a32 kex: Place PQC KEX methods first 
The ML-KEMx25519 is now preferred algorithm in OpenSSH so follow the suit

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:24:47 +01:00
Jakub Jelen
b042477f83 Suppress remaining OpenSSL 3.5 memory leaks 
Reported as

https://github.com/openssl/openssl/issues/29077

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
950abbbd81 tests: Remove the -E which is overridden by followed -E on ctest CLI 
The threads_pki_rsa was running and working under valgrind for some
time already without anyone noticing this syntax does not work.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
b9c6701c68 tests: Avoid needless pthread_exit() 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
a94df4bb8f tests: Adjust valgrind supressions for Fedora 43 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Sahana Prasad
a9c8f942a5 kex: Implement mlkem768x25519-sha256 
The implementation largely follows that of sntrup761x25519-sha512.

Most of the work was done by Sahana with the help of Claude,
Pavol provided fixes to match specs and did a final clean up.

Co-Authored-By: Sahana Prasad <sahana@redhat.com>
Co-Authored-By: Pavol Žáčik <pzacik@redhat.com>
Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-05 17:44:33 +01:00
Jakub Jelen
07d099f652 examples: Support passing port to libssh_scp to simplify testing 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-10 16:20:53 +02:00
Praneeth Sarode
f3d70e54e9 tests(string): add tests for ssh_string_from_data function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-10-10 14:00:22 +02:00
Jakub Jelen
00f1d6fac2 Add RequiredRsaSize configuration option 
to both client and server configuration file

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:06:43 +02:00
Jakub Jelen
ecb11f1a18 tests: Fix wording in comment to make sense 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:04:54 +02:00
Jakub Jelen
6aea779918 sftpserver: Fix loop termination 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:03:46 +02:00
Jakub Jelen
a51384fe4e sftpserver: Remove some needless parts 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:03:45 +02:00
Praneeth Sarode
8541b6584f test(buffer): add unit tests for ssh_buffer_dup function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-25 15:04:18 +02:00
Jakub Jelen
a3c5d3b256 tests: Rewrite all fuzzers to LLVMFuzzerInitialize and nalloc 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-09-25 15:03:07 +02:00