Bump version to 0.9.5

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

.gitlab-ci.yml

@@ -456,9 +456,11 @@ tumbleweed/static-analysis:
       - obj/scan
 
 visualstudio/x86_64:
+  variables:
+    ErrorActionPreference: STOP
   script:
   - $env:VCPKG_DEFAULT_TRIPLET="x64-windows"
-  - cd obj
+  - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}
   - cmake
       -A x64
       -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_TOOLCHAIN_FILE"
@@ -484,9 +486,11 @@ visualstudio/x86_64:
       - obj/
 
 visualstudio/x86:
+  variables:
+    ErrorActionPreference: STOP
   script:
   - $env:VCPKG_DEFAULT_TRIPLET="x86-windows"
-  - cd obj
+  - mkdir -p obj; if ($?) {cd obj}; if (! $?) {exit 1}
   - cmake
       -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_TOOLCHAIN_FILE"
       -DPICKY_DEVELOPER=ON

CMakeLists.txt

@@ -10,7 +10,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(libssh VERSION 0.9.3 LANGUAGES C)
+project(libssh VERSION 0.9.5 LANGUAGES C)
 
 # global needed variable
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -22,7 +22,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.8.4")
+set(LIBRARY_VERSION "4.8.6")
 set(LIBRARY_SOVERSION "4")
 
 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked

ChangeLog

@@ -1,6 +1,23 @@
 ChangeLog
 ==========
 
+version 0.9.5 (released 2020-XX-XX)
+  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
+  * Improve handling of library initialization (T222)
+  * Fix parsing of subsecond times in SFTP (T219)
+  * Make the documentation reproducible
+  * Remove deprecated API usage in OpenSSL
+  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
+  * Define version in one place (T226)
+  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
+  * Compatibility improvements to testsuite
+
+version 0.9.4 (released 2020-04-09)
+  * Fixed CVE-2020-1730 - Possible DoS in client and server when handling
+    AES-CTR keys with OpenSSL
+  * Added diffie-hellman-group14-sha256
+  * Fixed serveral possible memory leaks
+
 version 0.9.3 (released 2019-12-10)
   * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
   * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state

doc/CMakeLists.txt

@@ -13,8 +13,11 @@ if (DOXYGEN_FOUND)
     set(DOXYGEN_TAB_SIZE 4)
     set(DOXYGEN_OPTIMIZE_OUTPUT_FOR_C YES)
     set(DOXYGEN_MARKDOWN_SUPPORT YES)
+    set(DOXYGEN_FULL_PATH_NAMES NO)
 
     set(DOXYGEN_PREDEFINED DOXYGEN
+                           WITH_SERVER
+                           WITH_SFTP
                            PRINTF_ATTRIBUTE(x,y))
 
     set(DOXYGEN_EXCLUDE ${CMAKE_CURRENT_SOURCE_DIR}/that_style)

doc/linking.dox

@@ -28,6 +28,6 @@ the dllimport attribute.
 @endcode
 
 If you're are statically linking with OpenSSL, read the "Linking your
-application" section in the NOTES.<OS> in the OpenSSL source tree!
+application" section in the NOTES.[OS] in the OpenSSL source tree!
 
 */

examples/CMakeLists.txt

@@ -6,7 +6,7 @@ set(examples_SRCS
   connect_ssh.c
 )
 
-include_directories(${libssh_BINARY_DIR})
+include_directories(${libssh_BINARY_DIR}/include ${libssh_BINARY_DIR})
 
 if (ARGP_INCLUDE_DIR)
     include_directories(${ARGP_INCLUDE_DIR})

examples/exec.c

@@ -8,7 +8,7 @@ int main(void) {
     ssh_session session;
     ssh_channel channel;
     char buffer[256];
-    int nbytes;
+    int rbytes, wbytes, total = 0;
     int rc;
 
     session = connect_ssh("localhost", NULL, 0);
@@ -35,15 +35,30 @@ int main(void) {
         goto failed;
     }
 
-    nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
-    while (nbytes > 0) {
-        if (fwrite(buffer, 1, nbytes, stdout) != (unsigned int) nbytes) {
-            goto failed;
-        }
-        nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+    rbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+    if (rbytes <= 0) {
+        goto failed;
     }
 
-    if (nbytes < 0) {
+    do {
+        wbytes = fwrite(buffer + total, 1, rbytes, stdout);
+        if (wbytes <= 0) {
+            goto failed;
+        }
+
+        total += wbytes;
+
+        /* When it was not possible to write the whole buffer to stdout */
+        if (wbytes < rbytes) {
+            rbytes -= wbytes;
+            continue;
+        }
+
+        rbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
+        total = 0;
+    } while (rbytes > 0);
+
+    if (rbytes < 0) {
         goto failed;
     }
 

examples/sshd_direct-tcpip.c

@@ -27,6 +27,8 @@ clients must be made or how a client should react.
 #ifdef HAVE_ARGP_H
 #include <argp.h>
 #endif
+#include <sys/types.h>
+#include <sys/socket.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>
@@ -79,7 +81,10 @@ static struct cleanup_node_struct *cleanup_stack = NULL;
 
 static void _close_socket(struct event_fd_data_struct event_fd_data);
 
-static void cleanup_push(struct cleanup_node_struct** head_ref, struct event_fd_data_struct *new_data) {
+static void
+cleanup_push(struct cleanup_node_struct** head_ref,
+             struct event_fd_data_struct *new_data)
+{
     // Allocate memory for node
     struct cleanup_node_struct *new_node = malloc(sizeof *new_node);
 
@@ -92,7 +97,9 @@ static void cleanup_push(struct cleanup_node_struct** head_ref, struct event_fd_
     (*head_ref) = new_node;
 }
 
-static void do_cleanup(struct cleanup_node_struct **head_ref) {
+static void
+do_cleanup(struct cleanup_node_struct **head_ref)
+{
     struct cleanup_node_struct *current = (*head_ref);
     struct cleanup_node_struct *previous = NULL, *gone = NULL;
 
@@ -131,16 +138,22 @@ static void do_cleanup(struct cleanup_node_struct **head_ref) {
     }
 }
 
-static int auth_password(ssh_session session, const char *user,
-            const char *password, void *userdata) {
-    (void)userdata;
-    _ssh_log(SSH_LOG_PROTOCOL, "=== auth_password", "Authenticating user %s pwd %s",user, password);
-    if (strcmp(user,USER) == 0 && strcmp(password, PASSWORD) == 0){
+static int
+auth_password(ssh_session session,
+              const char *user,
+              const char *password,
+              UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== auth_password", "Authenticating user %s pwd %s",
+             user,
+             password);
+    if (strcmp(user, USER) == 0 && strcmp(password, PASSWORD) == 0) {
         authenticated = true;
         printf("Authenticated\n");
         return SSH_AUTH_SUCCESS;
     }
-    if (tries >= 3){
+    if (tries >= 3) {
         printf("Too many authentication tries\n");
         ssh_disconnect(session);
         error_set = true;
@@ -150,25 +163,34 @@ static int auth_password(ssh_session session, const char *user,
     return SSH_AUTH_DENIED;
 }
 
-static int auth_gssapi_mic(ssh_session session, const char *user, const char *principal, void *userdata) {
+static int
+auth_gssapi_mic(ssh_session session,
+                const char *user,
+                const char *principal,
+                UNUSED_PARAM(void *userdata))
+{
     ssh_gssapi_creds creds = ssh_gssapi_get_creds(session);
-    (void)userdata;
-    printf("Authenticating user %s with gssapi principal %s\n", user, principal);
-    if (creds != NULL)
+    printf("Authenticating user %s with gssapi principal %s\n",
+           user, principal);
+    if (creds != NULL) {
         printf("Received some gssapi credentials\n");
-    else
+    } else {
         printf("Not received any forwardable creds\n");
+    }
     printf("authenticated\n");
     authenticated = true;
     return SSH_AUTH_SUCCESS;
 }
 
-static int subsystem_request(ssh_session session, ssh_channel channel, const char *subsystem, void *userdata) {
-    (void)session;
-    (void)channel;
-    //(void)subsystem;
-    (void)userdata;
-    _ssh_log(SSH_LOG_PROTOCOL, "=== subsystem_request", "Channel subsystem reqeuest: %s", subsystem);
+static int
+subsystem_request(UNUSED_PARAM(ssh_session session),
+                  UNUSED_PARAM(ssh_channel channel),
+                  const char *subsystem,
+                  UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== subsystem_request", "Channel subsystem reqeuest: %s",
+             subsystem);
     return 0;
 }
 
@@ -176,9 +198,10 @@ struct ssh_channel_callbacks_struct channel_cb = {
     .channel_subsystem_request_function = subsystem_request
 };
 
-static ssh_channel new_session_channel(ssh_session session, void *userdata) {
-    (void)session;
-    (void)userdata;
+static ssh_channel
+new_session_channel(UNUSED_PARAM(ssh_session session),
+                    UNUSED_PARAM(void *userdata))
+{
     _ssh_log(SSH_LOG_PROTOCOL, "=== subsystem_request", "Session channel request");
     /* For TCP forward only there seems to be no need for a session channel */
     /*if(chan != NULL)
@@ -191,18 +214,25 @@ static ssh_channel new_session_channel(ssh_session session, void *userdata) {
     return NULL;
 }
 
-static void stack_socket_close(UNUSED_PARAM(ssh_session session),
-                               struct event_fd_data_struct *event_fd_data)
+static void
+stack_socket_close(UNUSED_PARAM(ssh_session session),
+                   struct event_fd_data_struct *event_fd_data)
 {
     if (event_fd_data->stacked != 1) {
-        _ssh_log(SSH_LOG_FUNCTIONS, "=== stack_socket_close", "Closing fd = %d sockets_cnt = %d", *event_fd_data->p_fd, sockets_cnt);
+        _ssh_log(SSH_LOG_FUNCTIONS, "=== stack_socket_close",
+                 "Closing fd = %d sockets_cnt = %d", *event_fd_data->p_fd,
+                 sockets_cnt);
         event_fd_data->stacked = 1;
         cleanup_push(&cleanup_stack, event_fd_data);
     }
 }
 
-static void _close_socket(struct event_fd_data_struct event_fd_data) {
-    _ssh_log(SSH_LOG_FUNCTIONS, "=== close_socket", "Closing fd = %d sockets_cnt = %d", *event_fd_data.p_fd, sockets_cnt);
+static void
+_close_socket(struct event_fd_data_struct event_fd_data)
+{
+    _ssh_log(SSH_LOG_FUNCTIONS, "=== close_socket",
+             "Closing fd = %d sockets_cnt = %d", *event_fd_data.p_fd,
+             sockets_cnt);
     ssh_event_remove_fd(mainloop, *event_fd_data.p_fd);
     sockets_cnt--;
 #ifdef _WIN32
@@ -213,23 +243,31 @@ static void _close_socket(struct event_fd_data_struct event_fd_data) {
     (*event_fd_data.p_fd) = SSH_INVALID_SOCKET;
 }
 
-static int service_request(ssh_session session, const char *service, void *userdata) {
-    (void)session;
-    //(void)service;
-    (void)userdata;
+static int
+service_request(UNUSED_PARAM(ssh_session session),
+                const char *service,
+                UNUSED_PARAM(void *userdata))
+{
     _ssh_log(SSH_LOG_PROTOCOL, "=== service_request", "Service request: %s", service);
     return 0;
 }
 
-static void global_request(ssh_session session, ssh_message message, void *userdata) {
-    (void)session;
-    (void)userdata;
-    _ssh_log(SSH_LOG_PROTOCOL, "=== global_request", "Global request, message type: %d", ssh_message_type(message));
+static void
+global_request(UNUSED_PARAM(ssh_session session),
+               ssh_message message,
+               UNUSED_PARAM(void *userdata))
+{
+    _ssh_log(SSH_LOG_PROTOCOL,
+             "=== global_request", "Global request, message type: %d",
+             ssh_message_type(message));
 }
 
-static void my_channel_close_function(ssh_session session, ssh_channel channel, void *userdata) {
+static void
+my_channel_close_function(ssh_session session,
+                          UNUSED_PARAM(ssh_channel channel),
+                          void *userdata)
+{
     struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
-    (void)session;
 
     _ssh_log(SSH_LOG_PROTOCOL,
              "=== my_channel_close_function",
@@ -238,9 +276,12 @@ static void my_channel_close_function(ssh_session session, ssh_channel channel,
     stack_socket_close(session, event_fd_data);
 }
 
-static void my_channel_eof_function(ssh_session session, ssh_channel channel, void *userdata) {
+static void
+my_channel_eof_function(ssh_session session,
+                        UNUSED_PARAM(ssh_channel channel),
+                        void *userdata)
+{
     struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
-    (void)session;
 
     _ssh_log(SSH_LOG_PROTOCOL,
              "=== my_channel_eof_function",
@@ -250,9 +291,13 @@ static void my_channel_eof_function(ssh_session session, ssh_channel channel, vo
     stack_socket_close(session, event_fd_data);
 }
 
-static void my_channel_exit_status_function(ssh_session session, ssh_channel channel, int exit_status, void *userdata) {
+static void
+my_channel_exit_status_function(UNUSED_PARAM(ssh_session session),
+                                UNUSED_PARAM(ssh_channel channel),
+                                int exit_status,
+                                void *userdata)
+{
     struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
-    (void)session;
 
     _ssh_log(SSH_LOG_PROTOCOL,
              "=== my_channel_exit_status_function",
@@ -260,12 +305,13 @@ static void my_channel_exit_status_function(ssh_session session, ssh_channel cha
              exit_status, *event_fd_data->p_fd);
 }
 
-static int my_channel_data_function(ssh_session session,
-                                    ssh_channel channel,
-                                    void *data,
-                                    uint32_t len,
-                                    UNUSED_PARAM(int is_stderr),
-                                    void *userdata)
+static int
+my_channel_data_function(ssh_session session,
+                         UNUSED_PARAM(ssh_channel channel),
+                         void *data,
+                         uint32_t len,
+                         UNUSED_PARAM(int is_stderr),
+                         void *userdata)
 {
     int i = 0;
     struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
@@ -283,7 +329,9 @@ static int my_channel_data_function(ssh_session session,
         i = send(*event_fd_data->p_fd, data, len, 0);
     }
     if (i < 0) {
-        _ssh_log(SSH_LOG_WARNING, "=== my_channel_data_function", "Writing to tcp socket %d: %s", *event_fd_data->p_fd, strerror(errno));
+        _ssh_log(SSH_LOG_WARNING, "=== my_channel_data_function",
+                 "Writing to tcp socket %d: %s", *event_fd_data->p_fd,
+                 strerror(errno));
         stack_socket_close(session, event_fd_data);
     }
     else {
@@ -292,9 +340,10 @@ static int my_channel_data_function(ssh_session session,
     return i;
 }
 
-static int my_fd_data_function(UNUSED_PARAM(socket_t fd),
-                               int revents,
-                               void *userdata)
+static int
+my_fd_data_function(UNUSED_PARAM(socket_t fd),
+                    int revents,
+                    void *userdata)
 {
     struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata;
     ssh_channel channel = event_fd_data->channel;
@@ -387,7 +436,9 @@ static int my_fd_data_function(UNUSED_PARAM(socket_t fd),
     return len;
 }
 
-static int open_tcp_socket(ssh_message msg) {
+static int
+open_tcp_socket(ssh_message msg)
+{
     struct sockaddr_in sin;
     int forwardsock = -1;
     struct hostent *host;
@@ -428,17 +479,20 @@ static int open_tcp_socket(ssh_message msg) {
     return forwardsock;
 }
 
-static int message_callback(ssh_session session, ssh_message message, void *userdata) {
+static int
+message_callback(UNUSED_PARAM(ssh_session session),
+                 ssh_message message,
+                 UNUSED_PARAM(void *userdata))
+{
     ssh_channel channel;
     int socket_fd, *pFd;
     struct ssh_channel_callbacks_struct *cb_chan;
     struct event_fd_data_struct *event_fd_data;
-    (void)session;
-    (void)message;
-    (void)userdata;
 
-    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", ssh_message_type(message));
-    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message Subtype: %d", ssh_message_subtype(message));
+    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d",
+             ssh_message_type(message));
+    _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message Subtype: %d",
+             ssh_message_subtype(message));
     if (ssh_message_type(message) == SSH_REQUEST_CHANNEL_OPEN) {
         _ssh_log(SSH_LOG_PROTOCOL, "=== message_callback", "channel_request_open");
 
@@ -542,7 +596,9 @@ static struct argp_option options[] = {
 };
 
 /* Parse a single option. */
-static error_t parse_opt (int key, char *arg, struct argp_state *state) {
+static error_t
+parse_opt (int key, char *arg, struct argp_state *state)
+{
     /* Get the input argument from argp_parse, which we
      * know is a pointer to our arguments structure.
      */
@@ -588,7 +644,9 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
 static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
 #endif /* HAVE_ARGP_H */
 
-int main(int argc, char **argv){
+int
+main(int argc, char **argv)
+{
     ssh_session session;
     ssh_bind sshbind;
     struct ssh_server_callbacks_struct cb = {

include/libssh/CMakeLists.txt

@@ -31,3 +31,9 @@ install(
     headers
 )
 
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libssh_version.h.cmake
+               ${libssh_BINARY_DIR}/include/libssh/libssh_version.h
+               @ONLY)
+install(FILES ${libssh_BINARY_DIR}/include/libssh/libssh_version.h
+        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${APPLICATION_NAME}
+        COMPONENT headers)

include/libssh/crypto.h

@@ -80,6 +80,8 @@ enum ssh_key_exchange_e {
   SSH_KEX_DH_GROUP16_SHA512,
   /* diffie-hellman-group18-sha512 */
   SSH_KEX_DH_GROUP18_SHA512,
+  /* diffie-hellman-group14-sha256 */
+  SSH_KEX_DH_GROUP14_SHA256,
 };
 
 enum ssh_cipher_e {

include/libssh/keys.h

@@ -28,13 +28,13 @@
 struct ssh_public_key_struct {
     int type;
     const char *type_c; /* Don't free it ! it is static */
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
     gcry_sexp_t dsa_pub;
     gcry_sexp_t rsa_pub;
-#elif HAVE_LIBCRYPTO
+#elif defined(HAVE_LIBCRYPTO)
     DSA *dsa_pub;
     RSA *rsa_pub;
-#elif HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
     mbedtls_pk_context *rsa_pub;
     void *dsa_pub;
 #endif
@@ -42,13 +42,13 @@ struct ssh_public_key_struct {
 
 struct ssh_private_key_struct {
     int type;
-#ifdef HAVE_LIBGCRYPT
+#if defined(HAVE_LIBGCRYPT)
     gcry_sexp_t dsa_priv;
     gcry_sexp_t rsa_priv;
-#elif defined HAVE_LIBCRYPTO
+#elif defined(HAVE_LIBCRYPTO)
     DSA *dsa_priv;
     RSA *rsa_priv;
-#elif HAVE_LIBMBEDCRYPTO
+#elif defined(HAVE_LIBMBEDCRYPTO)
     mbedtls_pk_context *rsa_priv;
     void *dsa_priv;
 #endif

include/libssh/libssh.h

@@ -21,6 +21,8 @@
 #ifndef _LIBSSH_H
 #define _LIBSSH_H
 
+#include <libssh/libssh_version.h>
+
 #if defined _WIN32 || defined __CYGWIN__
   #ifdef LIBSSH_STATIC
     #define LIBSSH_API
@@ -71,23 +73,6 @@
 #define SSH_STRINGIFY(s) SSH_TOSTRING(s)
 #define SSH_TOSTRING(s) #s
 
-/* libssh version macros */
-#define SSH_VERSION_INT(a, b, c) ((a) << 16 | (b) << 8 | (c))
-#define SSH_VERSION_DOT(a, b, c) a ##.## b ##.## c
-#define SSH_VERSION(a, b, c) SSH_VERSION_DOT(a, b, c)
-
-/* libssh version */
-#define LIBSSH_VERSION_MAJOR  0
-#define LIBSSH_VERSION_MINOR  9
-#define LIBSSH_VERSION_MICRO  3
-
-#define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
-                                           LIBSSH_VERSION_MINOR, \
-                                           LIBSSH_VERSION_MICRO)
-#define LIBSSH_VERSION     SSH_VERSION(LIBSSH_VERSION_MAJOR, \
-                                       LIBSSH_VERSION_MINOR, \
-                                       LIBSSH_VERSION_MICRO)
-
 /* GCC have printf type attribute check.  */
 #ifdef __GNUC__
 #define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
@@ -633,7 +618,13 @@ LIBSSH_API ssh_pcap_file ssh_pcap_file_new(void);
 LIBSSH_API int ssh_pcap_file_open(ssh_pcap_file pcap, const char *filename);
 
 /**
- * @brief SSH authentication callback.
+ * @addtogroup libssh_auth
+ *
+ * @{
+ */
+
+/**
+ * @brief SSH authentication callback for password and publickey auth.
  *
  * @param prompt        Prompt to be displayed.
  * @param buf           Buffer to save the password. You should null-terminate it.
@@ -648,6 +639,8 @@ LIBSSH_API int ssh_pcap_file_open(ssh_pcap_file pcap, const char *filename);
 typedef int (*ssh_auth_callback) (const char *prompt, char *buf, size_t len,
     int echo, int verify, void *userdata);
 
+/** @} */
+
 LIBSSH_API ssh_key ssh_key_new(void);
 #define SSH_KEY_FREE(x) \
     do { if ((x) != NULL) { ssh_key_free(x); x = NULL; } } while(0)

include/libssh/libssh_version.h.cmake

@@ -0,0 +1,41 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2020 by Heiko Thiery
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _LIBSSH_VERSION_H
+#define _LIBSSH_VERSION_H
+
+/* libssh version macros */
+#define SSH_VERSION_INT(a, b, c) ((a) << 16 | (b) << 8 | (c))
+#define SSH_VERSION_DOT(a, b, c) a ##.## b ##.## c
+#define SSH_VERSION(a, b, c) SSH_VERSION_DOT(a, b, c)
+
+/* libssh version */
+#define LIBSSH_VERSION_MAJOR  @libssh_VERSION_MAJOR@
+#define LIBSSH_VERSION_MINOR  @libssh_VERSION_MINOR@
+#define LIBSSH_VERSION_MICRO  @libssh_VERSION_PATCH@
+
+#define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
+                                           LIBSSH_VERSION_MINOR, \
+                                           LIBSSH_VERSION_MICRO)
+#define LIBSSH_VERSION     SSH_VERSION(LIBSSH_VERSION_MAJOR, \
+                                       LIBSSH_VERSION_MINOR, \
+                                       LIBSSH_VERSION_MICRO)
+
+#endif /* _LIBSSH_VERSION_H */

include/libssh/priv.h

@@ -32,6 +32,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdbool.h>
 
 #if !defined(HAVE_STRTOULL)
 # if defined(HAVE___STRTOULL)
@@ -405,22 +406,24 @@ void explicit_bzero(void *s, size_t n);
 # endif /* HAVE_FALLTHROUGH_ATTRIBUTE */
 #endif /* FALL_THROUGH */
 
-#ifndef __unused__
+#ifndef __attr_unused__
 # ifdef HAVE_UNUSED_ATTRIBUTE
-#  define __unused__ __attribute__((unused))
+#  define __attr_unused__ __attribute__((unused))
 # else /* HAVE_UNUSED_ATTRIBUTE */
-#  define __unused__
+#  define __attr_unused__
 # endif /* HAVE_UNUSED_ATTRIBUTE */
-#endif /* __unused__ */
+#endif /* __attr_unused__ */
 
 #ifndef UNUSED_PARAM
-#define UNUSED_PARAM(param) param __unused__
+#define UNUSED_PARAM(param) param __attr_unused__
 #endif /* UNUSED_PARAM */
 
 #ifndef UNUSED_VAR
-#define UNUSED_VAR(var) __unused__ var
+#define UNUSED_VAR(var) __attr_unused__ var
 #endif /* UNUSED_VAR */
 
 void ssh_agent_state_free(void *data);
 
+bool is_ssh_initialized(void);
+
 #endif /* _LIBSSH_PRIV_H */

src/ABI/current

@@ -1 +1 @@
-4.8.4
+4.8.6

src/ABI/libssh-4.8.5.symbols

@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/ABI/libssh-4.8.6.symbols

@@ -0,0 +1,421 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_init
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_try_publickey
+ssh_version
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/CMakeLists.txt

@@ -1,6 +1,7 @@
 set(LIBSSH_PUBLIC_INCLUDE_DIRS ${libssh_SOURCE_DIR}/include)
 
 set(LIBSSH_PRIVATE_INCLUDE_DIRS
+  ${libssh_BINARY_DIR}/include
   ${libssh_BINARY_DIR}
 )
 
@@ -85,6 +86,13 @@ if (WITH_NACL AND NACL_FOUND)
   )
 endif (WITH_NACL AND NACL_FOUND)
 
+if (MINGW AND Threads_FOUND)
+  set(LIBSSH_LINK_LIBRARIES
+    ${LIBSSH_LINK_LIBRARIES}
+    Threads::Threads
+  )
+endif()
+
 if (BUILD_STATIC_LIB)
   set(LIBSSH_STATIC_LIBRARY
     ssh_static
@@ -355,6 +363,7 @@ endif (WITH_VISIBILITY_HIDDEN)
 
 if (MINGW)
     set_target_properties(ssh PROPERTIES LINK_FLAGS "-Wl,--enable-stdcall-fixup")
+    set_target_properties(ssh PROPERTIES COMPILE_FLAGS "-D_POSIX_SOURCE")
 endif ()
 
 

src/auth.c

@@ -1116,7 +1116,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
                         "Public key authentication error for %s",
                         privkey_file);
                 ssh_key_free(state->privkey);
+                state->privkey = NULL;
                 ssh_key_free(state->pubkey);
+                state->pubkey = NULL;
                 SAFE_FREE(session->auth.auto_state);
                 return rc;
             } else if (rc == SSH_AUTH_AGAIN) {
@@ -1182,6 +1184,9 @@ int ssh_userauth_publickey_auto(ssh_session session,
                 return rc;
             }
 
+            ssh_key_free(state->privkey);
+            ssh_key_free(state->pubkey);
+
             SSH_LOG(SSH_LOG_WARN,
                     "The server accepted the public key but refused the signature");
             state->it = state->it->next;

src/buffer.c

@@ -299,28 +299,33 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
  */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
-  buffer_verify(buffer);
-
-  if (data == NULL) {
-      return -1;
-  }
-
-  if (buffer->used + len < len) {
-    return -1;
-  }
-
-  if (buffer->allocated < (buffer->used + len)) {
-    if(buffer->pos > 0)
-      buffer_shift(buffer);
-    if (realloc_buffer(buffer, buffer->used + len) < 0) {
-      return -1;
+    if (buffer == NULL) {
+        return -1;
     }
-  }
 
-  memcpy(buffer->data+buffer->used, data, len);
-  buffer->used+=len;
-  buffer_verify(buffer);
-  return 0;
+    buffer_verify(buffer);
+
+    if (data == NULL) {
+        return -1;
+    }
+
+    if (buffer->used + len < len) {
+        return -1;
+    }
+
+    if (buffer->allocated < (buffer->used + len)) {
+        if (buffer->pos > 0) {
+            buffer_shift(buffer);
+        }
+        if (realloc_buffer(buffer, buffer->used + len) < 0) {
+            return -1;
+        }
+    }
+
+    memcpy(buffer->data + buffer->used, data, len);
+    buffer->used += len;
+    buffer_verify(buffer);
+    return 0;
 }
 
 /**

src/channels.c

@@ -2932,15 +2932,16 @@ int ssh_channel_read_timeout(ssh_channel channel,
   if (session->session_state == SSH_SESSION_STATE_ERROR) {
       return SSH_ERROR;
   }
+  /* If the server closed the channel properly, there is nothing to do */
+  if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
+      return 0;
+  }
   if (channel->state == SSH_CHANNEL_STATE_CLOSED) {
       ssh_set_error(session,
                     SSH_FATAL,
                     "Remote channel is closed.");
       return SSH_ERROR;
   }
-  if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
-    return 0;
-  }
   len = ssh_buffer_get_len(stdbuf);
   /* Read count bytes if len is greater, everything otherwise */
   len = (len > count ? count : len);
@@ -3095,7 +3096,7 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
     size_t len;
     int rc;
 
-    if(channel == NULL) {
+    if (channel == NULL) {
         return SSH_ERROR;
     }
 
@@ -3113,12 +3114,23 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
                                         ssh_channel_read_termination,
                                         &ctx);
     if (rc == SSH_ERROR ||
-       session->session_state == SSH_SESSION_STATE_ERROR) {
+        session->session_state == SSH_SESSION_STATE_ERROR) {
         rc = SSH_ERROR;
         goto out;
+    } else if (rc == SSH_AGAIN) {
+        /* If the above timeout expired, it is ok and we do not need to
+         * attempt to check the read buffer. The calling functions do not
+         * expect us to return SSH_AGAIN either here. */
+        rc = SSH_OK;
+        goto out;
     }
     len = ssh_buffer_get_len(stdbuf);
     if (len > 0) {
+        if (len > INT_MAX) {
+            rc = SSH_ERROR;
+        } else {
+            rc = (int)len;
+        }
         goto out;
     }
     if (channel->remote_eof) {

src/client.c

@@ -252,6 +252,7 @@ static int dh_handshake(ssh_session session) {
       switch(session->next_crypto->kex_type){
         case SSH_KEX_DH_GROUP1_SHA1:
         case SSH_KEX_DH_GROUP14_SHA1:
+        case SSH_KEX_DH_GROUP14_SHA256:
         case SSH_KEX_DH_GROUP16_SHA512:
         case SSH_KEX_DH_GROUP18_SHA512:
           rc = ssh_client_dh_init(session);
@@ -450,7 +451,7 @@ static void ssh_client_connection_callback(ssh_session session)
             if (dh_handshake(session) == SSH_ERROR) {
                 goto error;
             }
-            /* FALL THROUGH */
+            FALL_THROUGH;
         case SSH_SESSION_STATE_DH:
             if(session->dh_handshake_state==DH_STATE_FINISHED){
                 set_status(session,1.0f);
@@ -504,119 +505,138 @@ static int ssh_connect_termination(void *user){
  * @see ssh_new()
  * @see ssh_disconnect()
  */
-int ssh_connect(ssh_session session) {
-  int ret;
+int ssh_connect(ssh_session session)
+{
+    int ret;
 
-  if (session == NULL) {
-    return SSH_ERROR;
-  }
+    if (!is_ssh_initialized()) {
+        ssh_set_error(session, SSH_FATAL,
+                      "Library not initialized.");
 
-  switch(session->pending_call_state){
-  case SSH_PENDING_CALL_NONE:
-  	break;
-  case SSH_PENDING_CALL_CONNECT:
-  	goto pending;
-  default:
-  	ssh_set_error(session,SSH_FATAL,"Bad call during pending SSH call in ssh_connect");
-
-  	return SSH_ERROR;
-  }
-  session->alive = 0;
-  session->client = 1;
-
-  if (session->opts.fd == SSH_INVALID_SOCKET &&
-      session->opts.host == NULL &&
-      session->opts.ProxyCommand == NULL) {
-    ssh_set_error(session, SSH_FATAL, "Hostname required");
-    return SSH_ERROR;
-  }
-
-  /* If the system configuration files were not yet processed, do it now */
-  if (!session->opts.config_processed) {
-    ret = ssh_options_parse_config(session, NULL);
-    if (ret != 0) {
-      ssh_set_error(session, SSH_FATAL,
-                    "Failed to process system configuration files");
-      return SSH_ERROR;
+        return SSH_ERROR;
     }
-  }
 
-  ret = ssh_options_apply(session);
-  if (ret < 0) {
-      ssh_set_error(session, SSH_FATAL, "Couldn't apply options");
-      return SSH_ERROR;
-  }
+    if (session == NULL) {
+        return SSH_ERROR;
+    }
 
-  SSH_LOG(SSH_LOG_PROTOCOL,
-          "libssh %s, using threading %s",
-          ssh_copyright(),
-          ssh_threads_get_type());
+    switch(session->pending_call_state) {
+    case SSH_PENDING_CALL_NONE:
+        break;
+    case SSH_PENDING_CALL_CONNECT:
+        goto pending;
+    default:
+        ssh_set_error(session, SSH_FATAL,
+                      "Bad call during pending SSH call in ssh_connect");
 
-  session->ssh_connection_callback = ssh_client_connection_callback;
-  session->session_state=SSH_SESSION_STATE_CONNECTING;
-  ssh_socket_set_callbacks(session->socket,&session->socket_callbacks);
-  session->socket_callbacks.connected=socket_callback_connected;
-  session->socket_callbacks.data=callback_receive_banner;
-  session->socket_callbacks.exception=ssh_socket_exception_callback;
-  session->socket_callbacks.userdata=session;
-  if (session->opts.fd != SSH_INVALID_SOCKET) {
-    session->session_state=SSH_SESSION_STATE_SOCKET_CONNECTED;
-    ssh_socket_set_fd(session->socket, session->opts.fd);
-    ret=SSH_OK;
+        return SSH_ERROR;
+    }
+    session->alive = 0;
+    session->client = 1;
+
+    if (session->opts.fd == SSH_INVALID_SOCKET &&
+        session->opts.host == NULL &&
+        session->opts.ProxyCommand == NULL)
+    {
+        ssh_set_error(session, SSH_FATAL, "Hostname required");
+        return SSH_ERROR;
+    }
+
+    /* If the system configuration files were not yet processed, do it now */
+    if (!session->opts.config_processed) {
+        ret = ssh_options_parse_config(session, NULL);
+        if (ret != 0) {
+            ssh_set_error(session, SSH_FATAL,
+                          "Failed to process system configuration files");
+            return SSH_ERROR;
+        }
+    }
+
+    ret = ssh_options_apply(session);
+    if (ret < 0) {
+        ssh_set_error(session, SSH_FATAL, "Couldn't apply options");
+        return SSH_ERROR;
+    }
+
+    SSH_LOG(SSH_LOG_PROTOCOL,
+            "libssh %s, using threading %s",
+            ssh_copyright(),
+            ssh_threads_get_type());
+
+    session->ssh_connection_callback = ssh_client_connection_callback;
+    session->session_state = SSH_SESSION_STATE_CONNECTING;
+    ssh_socket_set_callbacks(session->socket, &session->socket_callbacks);
+    session->socket_callbacks.connected = socket_callback_connected;
+    session->socket_callbacks.data = callback_receive_banner;
+    session->socket_callbacks.exception = ssh_socket_exception_callback;
+    session->socket_callbacks.userdata = session;
+
+    if (session->opts.fd != SSH_INVALID_SOCKET) {
+        session->session_state = SSH_SESSION_STATE_SOCKET_CONNECTED;
+        ssh_socket_set_fd(session->socket, session->opts.fd);
+        ret = SSH_OK;
 #ifndef _WIN32
-  } else if (session->opts.ProxyCommand != NULL){
-    ret = ssh_socket_connect_proxycommand(session->socket,
-                                          session->opts.ProxyCommand);
+    } else if (session->opts.ProxyCommand != NULL) {
+        ret = ssh_socket_connect_proxycommand(session->socket,
+                session->opts.ProxyCommand);
 #endif
-  } else {
-    ret=ssh_socket_connect(session->socket,
-                           session->opts.host,
-                           session->opts.port > 0 ? session->opts.port : 22,
-                           session->opts.bindaddr);
-  }
-  if (ret == SSH_ERROR) {
-    return SSH_ERROR;
-  }
+    } else {
+        ret = ssh_socket_connect(session->socket,
+                                 session->opts.host,
+                                 session->opts.port > 0 ? session->opts.port : 22,
+                                 session->opts.bindaddr);
+    }
+    if (ret == SSH_ERROR) {
+        return SSH_ERROR;
+    }
 
-  set_status(session, 0.2f);
+    set_status(session, 0.2f);
+
+    session->alive = 1;
+    SSH_LOG(SSH_LOG_PROTOCOL,
+            "Socket connecting, now waiting for the callbacks to work");
 
-  session->alive = 1;
-  SSH_LOG(SSH_LOG_PROTOCOL,"Socket connecting, now waiting for the callbacks to work");
 pending:
-  session->pending_call_state=SSH_PENDING_CALL_CONNECT;
-  if(ssh_is_blocking(session)) {
-      int timeout = (session->opts.timeout * 1000) +
-                    (session->opts.timeout_usec / 1000);
-      if (timeout == 0) {
-          timeout = 10 * 1000;
-      }
-      SSH_LOG(SSH_LOG_PACKET,"Actual timeout : %d", timeout);
-      ret = ssh_handle_packets_termination(session, timeout, ssh_connect_termination, session);
-      if (session->session_state != SSH_SESSION_STATE_ERROR &&
-          (ret == SSH_ERROR || !ssh_connect_termination(session))) {
-          ssh_set_error(session, SSH_FATAL,
-                        "Timeout connecting to %s", session->opts.host);
-          session->session_state = SSH_SESSION_STATE_ERROR;
-      }
-  }
-  else {
-      ret = ssh_handle_packets_termination(session,
-                                           SSH_TIMEOUT_NONBLOCKING,
-                                           ssh_connect_termination,
-                                           session);
-      if (ret == SSH_ERROR) {
-          session->session_state = SSH_SESSION_STATE_ERROR;
-      }
-  }
-  SSH_LOG(SSH_LOG_PACKET,"current state : %d",session->session_state);
-  if(!ssh_is_blocking(session) && !ssh_connect_termination(session)){
-    return SSH_AGAIN;
-  }
+    session->pending_call_state = SSH_PENDING_CALL_CONNECT;
+    if(ssh_is_blocking(session)) {
+        int timeout = (session->opts.timeout * 1000) +
+            (session->opts.timeout_usec / 1000);
+        if (timeout == 0) {
+            timeout = 10 * 1000;
+        }
+        SSH_LOG(SSH_LOG_PACKET, "Actual timeout : %d", timeout);
+        ret = ssh_handle_packets_termination(session, timeout,
+                                             ssh_connect_termination, session);
+        if (session->session_state != SSH_SESSION_STATE_ERROR &&
+            (ret == SSH_ERROR || !ssh_connect_termination(session)))
+        {
+            ssh_set_error(session, SSH_FATAL,
+                          "Timeout connecting to %s", session->opts.host);
+            session->session_state = SSH_SESSION_STATE_ERROR;
+        }
+    } else {
+        ret = ssh_handle_packets_termination(session,
+                                             SSH_TIMEOUT_NONBLOCKING,
+                                             ssh_connect_termination,
+                                             session);
+        if (ret == SSH_ERROR) {
+            session->session_state = SSH_SESSION_STATE_ERROR;
+        }
+    }
 
-  session->pending_call_state=SSH_PENDING_CALL_NONE;
-  if(session->session_state == SSH_SESSION_STATE_ERROR || session->session_state == SSH_SESSION_STATE_DISCONNECTED)
-  	return SSH_ERROR;
-  return SSH_OK;
+    SSH_LOG(SSH_LOG_PACKET, "current state : %d", session->session_state);
+    if (!ssh_is_blocking(session) && !ssh_connect_termination(session)) {
+        return SSH_AGAIN;
+    }
+
+    session->pending_call_state = SSH_PENDING_CALL_NONE;
+    if (session->session_state == SSH_SESSION_STATE_ERROR ||
+        session->session_state == SSH_SESSION_STATE_DISCONNECTED)
+    {
+        return SSH_ERROR;
+    }
+
+    return SSH_OK;
 }
 
 /**

src/curve25519.c

@@ -179,8 +179,8 @@ static int ssh_curve25519_build_k(ssh_session session)
 #ifdef HAVE_OPENSSL_X25519
     EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY *pkey = NULL, *pubkey = NULL;
-    size_t shared_key_len;
-    int rc;
+    size_t shared_key_len = sizeof(k);
+    int rc, ret = SSH_ERROR;
 
     pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL,
                                         session->next_crypto->curve25519_privkey,
@@ -197,8 +197,7 @@ static int ssh_curve25519_build_k(ssh_session session)
         SSH_LOG(SSH_LOG_TRACE,
                 "Failed to initialize X25519 context: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        EVP_PKEY_free(pkey);
-        return SSH_ERROR;
+        goto out;
     }
 
     rc = EVP_PKEY_derive_init(pctx);
@@ -206,9 +205,7 @@ static int ssh_curve25519_build_k(ssh_session session)
         SSH_LOG(SSH_LOG_TRACE,
                 "Failed to initialize X25519 key derivation: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        EVP_PKEY_free(pkey);
-        EVP_PKEY_CTX_free(pctx);
-        return SSH_ERROR;
+        goto out;
     }
 
     if (session->server) {
@@ -224,9 +221,7 @@ static int ssh_curve25519_build_k(ssh_session session)
         SSH_LOG(SSH_LOG_TRACE,
                 "Failed to create X25519 public key EVP_PKEY: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        EVP_PKEY_free(pkey);
-        EVP_PKEY_CTX_free(pctx);
-        return SSH_ERROR;
+        goto out;
     }
 
     rc = EVP_PKEY_derive_set_peer(pctx, pubkey);
@@ -234,23 +229,23 @@ static int ssh_curve25519_build_k(ssh_session session)
         SSH_LOG(SSH_LOG_TRACE,
                 "Failed to set peer X25519 public key: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        EVP_PKEY_free(pkey);
-        EVP_PKEY_free(pubkey);
-        EVP_PKEY_CTX_free(pctx);
-        return SSH_ERROR;
+        goto out;
     }
 
-    rc = EVP_PKEY_derive(pctx,
-                         k,
-                         &shared_key_len);
+    rc = EVP_PKEY_derive(pctx, k, &shared_key_len);
     if (rc != 1) {
         SSH_LOG(SSH_LOG_TRACE,
                 "Failed to derive X25519 shared secret: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        EVP_PKEY_free(pkey);
-        EVP_PKEY_free(pubkey);
-        EVP_PKEY_CTX_free(pctx);
-        return SSH_ERROR;
+        goto out;
+    }
+    ret = SSH_OK;
+out:
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_free(pubkey);
+    EVP_PKEY_CTX_free(pctx);
+    if (ret == SSH_ERROR) {
+        return ret;
     }
 #else
     if (session->server) {

src/dh-gex.c

@@ -366,8 +366,13 @@ static bool dhgroup_better_size(uint32_t pmin,
  */
 static bool invn_chance(int n)
 {
-    uint32_t nounce;
-    ssh_get_random(&nounce, sizeof(nounce), 0);
+    uint32_t nounce = 0;
+    int ok;
+
+    ok = ssh_get_random(&nounce, sizeof(nounce), 0);
+    if (!ok) {
+        return false;
+    }
     return (nounce % n) == 0;
 }
 

src/dh.c

@@ -482,6 +482,7 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
     switch (crypto->kex_type){
     case SSH_KEX_DH_GROUP1_SHA1:
     case SSH_KEX_DH_GROUP14_SHA1:
+    case SSH_KEX_DH_GROUP14_SHA256:
     case SSH_KEX_DH_GROUP16_SHA512:
     case SSH_KEX_DH_GROUP18_SHA512:
         packet_type = SSH2_MSG_KEXDH_REPLY;

src/dh_crypto.c

@@ -179,6 +179,7 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
         rc = ssh_dh_set_parameters(ctx, ssh_dh_group1, ssh_dh_generator);
         break;
     case SSH_KEX_DH_GROUP14_SHA1:
+    case SSH_KEX_DH_GROUP14_SHA256:
         rc = ssh_dh_set_parameters(ctx, ssh_dh_group14, ssh_dh_generator);
         break;
     case SSH_KEX_DH_GROUP16_SHA512:

src/dh_key.c

@@ -247,6 +247,7 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
         rc = ssh_dh_set_parameters(ctx, ssh_dh_group1, ssh_dh_generator);
         break;
     case SSH_KEX_DH_GROUP14_SHA1:
+    case SSH_KEX_DH_GROUP14_SHA256:
         rc = ssh_dh_set_parameters(ctx, ssh_dh_group14, ssh_dh_generator);
         break;
     case SSH_KEX_DH_GROUP16_SHA512:

src/external/bcrypt_pbkdf.c

@@ -87,7 +87,7 @@ bcrypt_hash(uint8_t *sha2pass, uint8_t *sha2salt, uint8_t *out)
 		cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
 		    &j);
 	for (i = 0; i < 64; i++)
-		ssh_blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t));
+		ssh_blf_enc(&state, cdata, BCRYPT_BLOCKS/2);
 
 	/* copy out */
 	for (i = 0; i < BCRYPT_BLOCKS; i++) {

src/init.c

@@ -106,7 +106,6 @@ _ret:
  *
  * This functions is automatically called when the library is loaded.
  *
- * @returns             0 on success, -1 if an error occured.
  */
 void libssh_constructor(void)
 {
@@ -136,14 +135,20 @@ void libssh_constructor(void)
 /**
  * @brief Initialize global cryptographic data structures.
  *
- * Since version 0.8.0, it is not necessary to call this function on systems
- * which are fully supported with regards to threading (that is, system with
- * pthreads available).
+ * Since version 0.8.0, when libssh is dynamically linked, it is not necessary
+ * to call this function on systems which are fully supported with regards to
+ * threading (that is, system with pthreads available).
+ *
+ * If libssh is statically linked, it is necessary to explicitly call ssh_init()
+ * before calling any other provided API, and it is necessary to explicitly call
+ * ssh_finalize() to free the allocated resources before exiting.
  *
  * If the library is already initialized, increments the _ssh_initialized
  * counter and return the error code cached in _ssh_init_ret.
  *
  * @returns             SSH_OK on success, SSH_ERROR if an error occurred.
+ *
+ * @see ssh_finalize()
  */
 int ssh_init(void) {
     return _ssh_init(0);
@@ -188,8 +193,6 @@ _ret:
  *
  * This function is automatically called when the library is unloaded.
  *
- * @returns             SSH_OK on success, SSH_ERROR if an error occurred.
- *
  */
 void libssh_destructor(void)
 {
@@ -205,8 +208,13 @@ void libssh_destructor(void)
 /**
  * @brief Finalize and cleanup all libssh and cryptographic data structures.
  *
- * Since version 0.8.0, it is not necessary to call this function, since it is
- * automatically called when the library is unloaded.
+ * Since version 0.8.0, when libssh is dynamically linked, it is not necessary
+ * to call this function, since it is automatically called when the library is
+ * unloaded.
+ *
+ * If libssh is statically linked, it is necessary to explicitly call ssh_init()
+ * before calling any other provided API, and it is necessary to explicitly call
+ * ssh_finalize() to free the allocated resources before exiting.
  *
  * If ssh_init() is called explicitly, then ssh_finalize() must be called
  * explicitly.
@@ -214,9 +222,9 @@ void libssh_destructor(void)
  * When called, decrements the counter _ssh_initialized. If the counter reaches
  * zero, then the libssh and cryptographic data structures are cleaned up.
  *
- * @returns             0 on succes, -1 if an error occured.
+ * @returns             0 on success, -1 if an error occurred.
  *
- @returns 0 otherwise
+ * @see ssh_init()
  */
 int ssh_finalize(void) {
     return _ssh_finalize(0);
@@ -253,4 +261,23 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL,
 
 #endif /* _WIN32 */
 
+/**
+ * @internal
+ * @brief Return whether the library is initialized
+ *
+ * @returns true if the library is initialized; false otherwise.
+ *
+ * @see ssh_init()
+ */
+bool is_ssh_initialized() {
+
+    bool is_initialized = false;
+
+    ssh_mutex_lock(&ssh_init_mutex);
+    is_initialized = _ssh_initialized > 0;
+    ssh_mutex_unlock(&ssh_init_mutex);
+
+    return is_initialized;
+}
+
 /** @} */

src/kex.c

@@ -154,6 +154,7 @@
     ECDH \
     "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512," \
     GEX_SHA256 \
+    "diffie-hellman-group14-sha256," \
     "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
 #define KEY_EXCHANGE_SUPPORTED \
     GEX_SHA1 \
@@ -183,6 +184,7 @@
                          "ecdh-sha2-nistp384,"\
                          "ecdh-sha2-nistp521,"\
                          "diffie-hellman-group-exchange-sha256,"\
+                         "diffie-hellman-group14-sha256,"\
                          "diffie-hellman-group16-sha512,"\
                          "diffie-hellman-group18-sha512"
 
@@ -356,8 +358,8 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
             goto error;
         }
 
-        len = ssh_hashbufin_add_cookie(session, session->next_crypto->client_kex.cookie);
-        if (len < 0) {
+        ok = ssh_hashbufin_add_cookie(session, session->next_crypto->client_kex.cookie);
+        if (ok < 0) {
             ssh_set_error(session, SSH_FATAL, "ssh_packet_kexinit: adding cookie failed");
             goto error;
         }
@@ -368,8 +370,8 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
             goto error;
         }
 
-        len = ssh_hashbufin_add_cookie(session, session->next_crypto->server_kex.cookie);
-        if (len < 0) {
+        ok = ssh_hashbufin_add_cookie(session, session->next_crypto->server_kex.cookie);
+        if (ok < 0) {
             ssh_set_error(session, SSH_FATAL, "ssh_packet_kexinit: adding cookie failed");
             goto error;
         }
@@ -764,6 +766,8 @@ int ssh_kex_select_methods (ssh_session session){
       session->next_crypto->kex_type=SSH_KEX_DH_GROUP1_SHA1;
     } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group14-sha1") == 0){
       session->next_crypto->kex_type=SSH_KEX_DH_GROUP14_SHA1;
+    } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group14-sha256") == 0){
+      session->next_crypto->kex_type=SSH_KEX_DH_GROUP14_SHA256;
     } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group16-sha512") == 0){
       session->next_crypto->kex_type=SSH_KEX_DH_GROUP16_SHA512;
     } else if(strcmp(session->next_crypto->kex_methods[SSH_KEX], "diffie-hellman-group18-sha512") == 0){
@@ -1026,6 +1030,7 @@ int ssh_make_sessionid(ssh_session session)
     switch(session->next_crypto->kex_type) {
     case SSH_KEX_DH_GROUP1_SHA1:
     case SSH_KEX_DH_GROUP14_SHA1:
+    case SSH_KEX_DH_GROUP14_SHA256:
     case SSH_KEX_DH_GROUP16_SHA512:
     case SSH_KEX_DH_GROUP18_SHA512:
         rc = ssh_dh_keypair_get_keys(session->next_crypto->dh_ctx,
@@ -1137,6 +1142,7 @@ int ssh_make_sessionid(ssh_session session)
         sha1(ssh_buffer_get(buf), ssh_buffer_get_len(buf),
                                    session->next_crypto->secret_hash);
         break;
+    case SSH_KEX_DH_GROUP14_SHA256:
     case SSH_KEX_ECDH_SHA2_NISTP256:
     case SSH_KEX_CURVE25519_SHA256:
     case SSH_KEX_CURVE25519_SHA256_LIBSSH_ORG:

src/legacy.c

@@ -353,7 +353,7 @@ void publickey_free(ssh_public_key key) {
     case SSH_KEYTYPE_DSS:
 #ifdef HAVE_LIBGCRYPT
       gcry_sexp_release(key->dsa_pub);
-#elif HAVE_LIBCRYPTO
+#elif defined HAVE_LIBCRYPTO
       DSA_free(key->dsa_pub);
 #endif
       break;

src/libcrypto-compat.c

@@ -280,6 +280,12 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
     OPENSSL_free(ctx);
 }
 
+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
+{
+    EVP_CIPHER_CTX_init(ctx);
+    return 1;
+}
+
 HMAC_CTX *HMAC_CTX_new(void)
 {
     HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
@@ -394,3 +400,12 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
     }
     return 1;
 }
+
+const char *OpenSSL_version(int type)
+{
+    return SSLeay_version(type);
+}
+unsigned long OpenSSL_version_num(void)
+{
+    return SSLeay();
+}

src/libcrypto-compat.h

@@ -34,6 +34,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
 EVP_MD_CTX *EVP_MD_CTX_new(void);
 void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
 
+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
+
 HMAC_CTX *HMAC_CTX_new(void);
 int HMAC_CTX_reset(HMAC_CTX *ctx);
 void HMAC_CTX_free(HMAC_CTX *ctx);
@@ -44,6 +46,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
 void DH_get0_key(const DH *dh,
                  const BIGNUM **pub_key, const BIGNUM **priv_key);
 int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+
+const char *OpenSSL_version(int type);
+unsigned long OpenSSL_version_num(void);
+
 #endif /* OPENSSL_VERSION_NUMBER */
 
 #endif /* LIBCRYPTO_COMPAT_H */

src/libcrypto.c

@@ -536,7 +536,7 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
     int rc;
 
     evp_cipher_init(cipher);
-    EVP_CIPHER_CTX_init(cipher->ctx);
+    EVP_CIPHER_CTX_reset(cipher->ctx);
 
     rc = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
     if (rc != 1){
@@ -569,7 +569,7 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
     int rc;
 
     evp_cipher_init(cipher);
-    EVP_CIPHER_CTX_init(cipher->ctx);
+    EVP_CIPHER_CTX_reset(cipher->ctx);
 
     rc = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
     if (rc != 1){
@@ -652,7 +652,6 @@ static void evp_cipher_decrypt(struct ssh_cipher_struct *cipher,
 
 static void evp_cipher_cleanup(struct ssh_cipher_struct *cipher) {
     if (cipher->ctx != NULL) {
-        EVP_CIPHER_CTX_cleanup(cipher->ctx);
         EVP_CIPHER_CTX_free(cipher->ctx);
     }
 }
@@ -708,8 +707,12 @@ aes_ctr_encrypt(struct ssh_cipher_struct *cipher,
 }
 
 static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){
-    explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
-    SAFE_FREE(cipher->aes_key);
+    if (cipher != NULL) {
+        if (cipher->aes_key != NULL) {
+            explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
+        }
+        SAFE_FREE(cipher->aes_key);
+    }
 }
 
 #endif /* HAVE_OPENSSL_EVP_AES_CTR */
@@ -1080,11 +1083,11 @@ int ssh_crypto_init(void)
     if (libcrypto_initialized) {
         return SSH_OK;
     }
-    if (SSLeay() != OPENSSL_VERSION_NUMBER){
+    if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER){
         SSH_LOG(SSH_LOG_WARNING, "libssh compiled with %s "
             "headers, currently running with %s.",
             OPENSSL_VERSION_TEXT,
-            SSLeay_version(SSLeay())
+            OpenSSL_version(OpenSSL_version_num())
         );
     }
 #ifdef CAN_DISABLE_AESNI

src/libgcrypt.c

@@ -328,6 +328,10 @@ static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
           return -1;
         }
         break;
+      default:
+        SSH_LOG(SSH_LOG_WARNING, "Unksupported key length %u.", cipher->keysize);
+        SAFE_FREE(cipher->key);
+        return -1;
     }
     if (gcry_cipher_setkey(cipher->key[0], key, cipher->keysize / 8)) {
       SAFE_FREE(cipher->key);

src/mbedcrypto_missing.c

@@ -104,6 +104,9 @@ int ssh_mbedcry_rand(bignum rnd, int bits, int top, int bottom)
 
     if (top == 0) {
         rc = mbedtls_mpi_set_bit(rnd, bits - 1, 0);
+        if (rc != 0) {
+            return 0;
+        }
     }
 
     if (top == 1) {
@@ -149,7 +152,8 @@ int ssh_mbedcry_rand_range(bignum dest, bignum max)
         return 0;
     }
     rc = bignum_rand(rnd, bits);
-    if (rc != 1){
+    if (rc != 1) {
+        bignum_safe_free(rnd);
         return rc;
     }
     mbedtls_mpi_mod_mpi(dest, rnd, max);

src/messages.c

@@ -692,6 +692,9 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session,
     int rc;
 
     crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
+    if (crypto == NULL) {
+        return NULL;
+    }
 
     buffer = ssh_buffer_new();
     if (buffer == NULL) {

src/options.c

@@ -968,7 +968,6 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
         case SSH_OPTIONS_PUBKEY_AUTH:
         case SSH_OPTIONS_KBDINT_AUTH:
         case SSH_OPTIONS_GSSAPI_AUTH:
-            u = 0;
             if (value == NULL) {
                 ssh_set_error_invalid(session);
                 return -1;

src/packet_crypt.c

@@ -60,7 +60,7 @@ uint32_t ssh_packet_decrypt_len(ssh_session session,
     crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN);
     if (crypto != NULL) {
         if (crypto->in_cipher->aead_decrypt_length != NULL) {
-            crypto->in_cipher->aead_decrypt_length(
+            rc = crypto->in_cipher->aead_decrypt_length(
                     crypto->in_cipher, source, destination,
                     crypto->in_cipher->lenfield_blocksize,
                     session->recv_seq);
@@ -71,9 +71,9 @@ uint32_t ssh_packet_decrypt_len(ssh_session session,
                     source,
                     0,
                     crypto->in_cipher->blocksize);
-            if (rc < 0) {
-                return 0;
-            }
+        }
+        if (rc < 0) {
+            return 0;
         }
     } else {
         memcpy(destination, source, 8);

src/pki_crypto.c

@@ -94,7 +94,7 @@ static int pki_key_ecdsa_to_nid(EC_KEY *k)
 
 static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EC_KEY *k)
 {
-    static int nid;
+    int nid;
 
     nid = pki_key_ecdsa_to_nid(k);
 
@@ -1569,9 +1569,9 @@ static int pki_signature_from_rsa_blob(const ssh_key pubkey,
                                        ssh_signature sig)
 {
     uint32_t pad_len = 0;
-    char *blob_orig;
-    char *blob_padded_data;
-    ssh_string sig_blob_padded;
+    char *blob_orig = NULL;
+    char *blob_padded_data = NULL;
+    ssh_string sig_blob_padded = NULL;
 
     size_t rsalen = 0;
     size_t len = ssh_string_len(sig_blob);
@@ -1629,6 +1629,7 @@ static int pki_signature_from_rsa_blob(const ssh_key pubkey,
     return SSH_OK;
 
 errout:
+    SSH_STRING_FREE(sig_blob_padded);
     return SSH_ERROR;
 }
 
@@ -1646,6 +1647,7 @@ static int pki_signature_from_dsa_blob(UNUSED_PARAM(const ssh_key pubkey),
 
     int raw_sig_len = 0;
     unsigned char *raw_sig_data = NULL;
+    unsigned char *temp_raw_sig = NULL;
 
     int rc;
 
@@ -1704,8 +1706,23 @@ static int pki_signature_from_dsa_blob(UNUSED_PARAM(const ssh_key pubkey),
     ps = NULL;
     pr = NULL;
 
-    raw_sig_len = i2d_DSA_SIG(dsa_sig, &raw_sig_data);
-    if (raw_sig_len < 0) {
+    /* Get the expected size of the buffer */
+    rc = i2d_DSA_SIG(dsa_sig, NULL);
+    if (rc <= 0) {
+        goto error;
+    }
+    raw_sig_len = rc;
+
+    raw_sig_data = (unsigned char *)calloc(1, raw_sig_len);
+    if (raw_sig_data == NULL) {
+        goto error;
+    }
+    temp_raw_sig = raw_sig_data;
+
+    /* It is necessary to use a temporary pointer as i2d_* "advances" the
+     * pointer */
+    raw_sig_len = i2d_DSA_SIG(dsa_sig, &temp_raw_sig);
+    if (raw_sig_len <= 0) {
         goto error;
     }
 
@@ -1749,6 +1766,7 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
     uint32_t rlen;
 
     unsigned char *raw_sig_data = NULL;
+    unsigned char *temp_raw_sig = NULL;
     size_t raw_sig_len = 0;
 
     int rc;
@@ -1824,12 +1842,26 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
     pr = NULL;
     ps = NULL;
 
-    rc = i2d_ECDSA_SIG(ecdsa_sig, &raw_sig_data);
-    if (rc < 0) {
+    /* Get the expected size of the buffer */
+    rc = i2d_ECDSA_SIG(ecdsa_sig, NULL);
+    if (rc <= 0) {
         goto error;
     }
     raw_sig_len = rc;
 
+    raw_sig_data = (unsigned char *)calloc(1, raw_sig_len);
+    if (raw_sig_data == NULL) {
+        goto error;
+    }
+    temp_raw_sig = raw_sig_data;
+
+    /* It is necessary to use a temporary pointer as i2d_* "advances" the
+     * pointer */
+    rc = i2d_ECDSA_SIG(ecdsa_sig, &temp_raw_sig);
+    if (rc <= 0) {
+        goto error;
+    }
+
     sig->raw_sig = ssh_string_new(raw_sig_len);
     if (sig->raw_sig == NULL) {
         explicit_bzero(raw_sig_data, raw_sig_len);

src/pki_ed25519_common.c

@@ -112,7 +112,7 @@ int pki_ed25519_key_cmp(const ssh_key k1,
         if (cmp != 0) {
             return 1;
         }
-        /* FALL THROUGH */
+        FALL_THROUGH;
     case SSH_KEY_CMP_PUBLIC:
         if (k1->ed25519_pubkey == NULL || k2->ed25519_pubkey == NULL) {
             return 1;

src/pki_gcrypt.c

@@ -315,7 +315,7 @@ static int privatekey_decrypt(int algo, int mode, unsigned int key_len,
   if (gcry_cipher_open(&cipher, algo, mode, 0)
       || gcry_cipher_setkey(cipher, key, key_len)
       || gcry_cipher_setiv(cipher, iv, iv_len)
-      || (tmp = calloc(ssh_buffer_get_len(data), sizeof(char))) == NULL
+      || (tmp = calloc(ssh_buffer_get_len(data), sizeof(unsigned char))) == NULL
       || gcry_cipher_decrypt(cipher, tmp, ssh_buffer_get_len(data),
                        ssh_buffer_get(data), ssh_buffer_get_len(data))) {
     gcry_cipher_close(cipher);
@@ -741,7 +741,7 @@ static int pki_key_ecdsa_to_nid(gcry_sexp_t k)
 
 static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(gcry_sexp_t k)
 {
-    static int nid;
+    int nid;
 
     nid = pki_key_ecdsa_to_nid(k);
 
@@ -938,6 +938,8 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
     (void) auth_fn;
     (void) auth_data;
 
+    SSH_LOG(SSH_LOG_WARN, "PEM export not supported by gcrypt backend!");
+
     return NULL;
 }
 

src/pki_mbedcrypto.c

@@ -64,7 +64,7 @@ static int pki_key_ecdsa_to_nid(mbedtls_ecdsa_context *ecdsa)
 
 static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(mbedtls_ecdsa_context *ecdsa)
 {
-    static int nid;
+    int nid;
 
     nid = pki_key_ecdsa_to_nid(ecdsa);
 
@@ -113,7 +113,7 @@ ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase,
                     valid = auth_fn("Passphrase for private key:", (char *) tmp,
                             MAX_PASSPHRASE_SIZE, 0, 0, auth_data);
                     if (valid < 0) {
-                        return NULL;
+                        goto fail;
                     }
                     /* TODO fix signedness and strlen */
                     valid = mbedtls_pk_parse_key(rsa,
@@ -155,7 +155,7 @@ ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase,
                     valid = auth_fn("Passphrase for private key:", (char *) tmp,
                             MAX_PASSPHRASE_SIZE, 0, 0, auth_data);
                     if (valid < 0) {
-                        return NULL;
+                        goto fail;
                     }
                     valid = mbedtls_pk_parse_key(ecdsa,
                             (const unsigned char *) b64_key,
@@ -246,7 +246,7 @@ int pki_privkey_build_rsa(ssh_key key,
                           ssh_string n,
                           ssh_string e,
                           ssh_string d,
-                          ssh_string iqmp,
+                          UNUSED_PARAM(ssh_string iqmp),
                           ssh_string p,
                           ssh_string q)
 {

src/session.c

@@ -372,6 +372,8 @@ const char* ssh_get_kex_algo(ssh_session session) {
             return "diffie-hellman-group1-sha1";
         case SSH_KEX_DH_GROUP14_SHA1:
             return "diffie-hellman-group14-sha1";
+        case SSH_KEX_DH_GROUP14_SHA256:
+            return "diffie-hellman-group14-sha256";
         case SSH_KEX_DH_GROUP16_SHA512:
             return "diffie-hellman-group16-sha512";
         case SSH_KEX_DH_GROUP18_SHA512:
@@ -687,7 +689,8 @@ int ssh_handle_packets(ssh_session session, int timeout) {
  * @param[in] fct       Termination function to be used to determine if it is
  *                      possible to stop polling.
  * @param[in] user      User parameter to be passed to fct termination function.
- * @return              SSH_OK on success, SSH_ERROR otherwise.
+ * @returns             SSH_OK on success, SSH_AGAIN if timeout occurred,
+ *                      SSH_ERROR otherwise.
  */
 int ssh_handle_packets_termination(ssh_session session,
                                    long timeout,

src/sftp.c

@@ -1173,13 +1173,13 @@ static sftp_attributes sftp_parse_attr_4(sftp_session sftp, ssh_buffer buf,
         break;
       }
       attr->atime64 = ntohll(attr->atime64);
-    }
 
-    if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
-      if (ssh_buffer_get_u32(buf, &attr->atime_nseconds) != 4) {
-        break;
+      if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
+        if (ssh_buffer_get_u32(buf, &attr->atime_nseconds) != 4) {
+          break;
+        }
+        attr->atime_nseconds = ntohl(attr->atime_nseconds);
       }
-      attr->atime_nseconds = ntohl(attr->atime_nseconds);
     }
 
     if (flags & SSH_FILEXFER_ATTR_CREATETIME) {
@@ -1187,13 +1187,13 @@ static sftp_attributes sftp_parse_attr_4(sftp_session sftp, ssh_buffer buf,
         break;
       }
       attr->createtime = ntohll(attr->createtime);
-    }
 
-    if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
-      if (ssh_buffer_get_u32(buf, &attr->createtime_nseconds) != 4) {
-        break;
+      if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
+        if (ssh_buffer_get_u32(buf, &attr->createtime_nseconds) != 4) {
+          break;
+        }
+        attr->createtime_nseconds = ntohl(attr->createtime_nseconds);
       }
-      attr->createtime_nseconds = ntohl(attr->createtime_nseconds);
     }
 
     if (flags & SSH_FILEXFER_ATTR_MODIFYTIME) {
@@ -1201,13 +1201,13 @@ static sftp_attributes sftp_parse_attr_4(sftp_session sftp, ssh_buffer buf,
         break;
       }
       attr->mtime64 = ntohll(attr->mtime64);
-    }
 
-    if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
-      if (ssh_buffer_get_u32(buf, &attr->mtime_nseconds) != 4) {
-        break;
+      if (flags & SSH_FILEXFER_ATTR_SUBSECOND_TIMES) {
+        if (ssh_buffer_get_u32(buf, &attr->mtime_nseconds) != 4) {
+          break;
+        }
+        attr->mtime_nseconds = ntohl(attr->mtime_nseconds);
       }
-      attr->mtime_nseconds = ntohl(attr->mtime_nseconds);
     }
 
     if (flags & SSH_FILEXFER_ATTR_ACL) {

src/sftpserver.c

@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 
   /* take a copy of the whole packet */
   msg->complete_message = ssh_buffer_new();
-  ssh_buffer_add_data(msg->complete_message,
-                      ssh_buffer_get(payload),
-                      ssh_buffer_get_len(payload));
+  if (msg->complete_message == NULL) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+
+  rc = ssh_buffer_add_data(msg->complete_message,
+                           ssh_buffer_get(payload),
+                           ssh_buffer_get_len(payload));
+  if (rc < 0) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
 
   ssh_buffer_get_u32(payload, &msg->id);
 

src/socket.c

@@ -42,8 +42,10 @@
 #else /* _WIN32 */
 #include <fcntl.h>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <sys/socket.h>
 #include <sys/un.h>
+#include <signal.h>
 #endif /* _WIN32 */
 
 #include "libssh/priv.h"
@@ -87,6 +89,9 @@ struct ssh_socket_struct {
   ssh_session session;
   ssh_socket_callbacks callbacks;
   ssh_poll_handle poll_handle;
+#ifndef _WIN32
+  pid_t proxy_pid;
+#endif
 };
 
 static int sockets_initialized = 0;
@@ -191,6 +196,9 @@ void ssh_socket_reset(ssh_socket s)
     s->data_except = 0;
     s->poll_handle = NULL;
     s->state=SSH_SOCKET_NONE;
+#ifndef _WIN32
+    s->proxy_pid = 0;
+#endif
 }
 
 /**
@@ -454,6 +462,28 @@ void ssh_socket_close(ssh_socket s)
     }
 
     s->state = SSH_SOCKET_CLOSED;
+
+#ifndef _WIN32
+    /* If the proxy command still runs try to kill it */
+    if (s->proxy_pid != 0) {
+        int status;
+        pid_t pid = s->proxy_pid;
+
+        s->proxy_pid = 0;
+        kill(pid, SIGTERM);
+        while (waitpid(pid, &status, 0) == -1) {
+            if (errno != EINTR) {
+                SSH_LOG(SSH_LOG_WARN, "waitpid failed: %s", strerror(errno));
+                return;
+            }
+        }
+        if (!WIFEXITED(status)) {
+            SSH_LOG(SSH_LOG_WARN, "Proxy command exitted abnormally");
+            return;
+        }
+        SSH_LOG(SSH_LOG_TRACE, "Proxy command returned %d", WEXITSTATUS(status));
+    }
+#endif
 }
 
 /**
@@ -843,7 +873,7 @@ ssh_execute_command(const char *command, socket_t in, socket_t out)
     /* Prepare /dev/null socket for the stderr redirection */
     int devnull = open("/dev/null", O_WRONLY);
     if (devnull == -1) {
-        SSH_LOG(SSH_LOG_WARNING, "Failed to open stderr");
+        SSH_LOG(SSH_LOG_WARNING, "Failed to open /dev/null");
         exit(1);
     }
 
@@ -886,9 +916,11 @@ ssh_socket_connect_proxycommand(ssh_socket s, const char *command)
 
     SSH_LOG(SSH_LOG_PROTOCOL, "Executing proxycommand '%s'", command);
     pid = fork();
-    if(pid == 0) {
+    if (pid == 0) {
         ssh_execute_command(command, pair[0], pair[0]);
+        /* Does not return */
     }
+    s->proxy_pid = pid;
     close(pair[0]);
     SSH_LOG(SSH_LOG_PROTOCOL, "ProxyCommand connection pipe: [%d,%d]",pair[0],pair[1]);
     ssh_socket_set_fd(s, pair[1]);

src/wrapper.c

@@ -545,6 +545,7 @@ int crypt_set_algorithms_server(ssh_session session){
     switch (session->next_crypto->kex_type) {
     case SSH_KEX_DH_GROUP1_SHA1:
     case SSH_KEX_DH_GROUP14_SHA1:
+    case SSH_KEX_DH_GROUP14_SHA256:
     case SSH_KEX_DH_GROUP16_SHA512:
     case SSH_KEX_DH_GROUP18_SHA512:
       ssh_server_dh_init(session);

tests/CMakeLists.txt

@@ -9,9 +9,11 @@ set(TORTURE_LIBRARY torture)
 include_directories(${OPENSSL_INCLUDE_DIR}
                     ${CMOCKA_INCLUDE_DIR}
                     ${ZLIB_INCLUDE_DIR}
+                    ${libssh_BINARY_DIR}/include
                     ${libssh_BINARY_DIR}
                     ${libssh_SOURCE_DIR}/src
-                    ${CMAKE_CURRENT_SOURCE_DIR})
+                    ${CMAKE_CURRENT_SOURCE_DIR}
+                    ${CMAKE_BINARY_DIR}/tests)
 
 set(TORTURE_LINK_LIBRARIES
     ${CMOCKA_LIBRARY}
@@ -43,22 +45,96 @@ set(TEST_TARGET_LIBRARIES
 
 add_subdirectory(unittests)
 
+# OpenSSH Capabilities are required for all unit tests
+find_program(SSH_EXECUTABLE NAMES ssh)
+if (SSH_EXECUTABLE)
+    execute_process(COMMAND ${SSH_EXECUTABLE} -V ERROR_VARIABLE OPENSSH_VERSION_STR)
+    string(REGEX REPLACE "^.*OpenSSH_([0-9]).[0-9].*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
+    string(REGEX REPLACE "^.*OpenSSH_[0-9].([0-9]).*$" "\\1" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
+    set(OPENSSH_VERSION "${OPENSSH_VERSION_MAJOR}.${OPENSSH_VERSION_MINOR}")
+    if("${OPENSSH_VERSION}" VERSION_LESS "6.3")
+        # ssh - Q was introduced in 6.3
+        message("Version less than 6.3, hardcoding cipher list")
+        set(OPENSSH_CIPHERS "aes128-ctr\naes192-ctr\naes256-ctr\narcfour256\narcfour128\naes128-gcm@openssh.com\naes256-gcm@openssh.com\naes128-cbc\n3des-cbc\nblowfish-cbc\ncast128-cbc\naes192-cbc\naes256-cbc\narcfour\nrijndael-cbc@lysator.liu.se\n")
+        set(OPENSSH_MACS "hmac-md5-etm@openssh.com\nhmac-sha1-etm@openssh.com\numac-64-etm@openssh.com\numac-128-etm@openssh.com\nhmac-sha2-256-etm@openssh.com\nhmac-sha2-512-etm@openssh.com\nhmac-ripemd160-etm@openssh.com\nhmac-sha1-96-etm@openssh.com\nhmac-md5-96-etm@openssh.com\nhmac-md5\nhmac-sha1\numac-64@openssh.com\numac-128@openssh.com\nhmac-sha2-256\nhmac-sha2-512\nhmac-ripemd160\nhmac-ripemd160@openssh.com\nhmac-sha1-96\nhmac-md5-96\n")
+        set(OPENSSH_KEX "ecdh-sha2-nistp256\necdh-sha2-nistp384\necdh-sha2-nistp521\ndiffie-hellman-group-exchange-sha256\ndiffie-hellman-group-exchange-sha1\ndiffie-hellman-group14-sha1\ndiffie-hellman-group1-sha1\n")
+        set(OPENSSH_KEYS "ssh-rsa\nssh-dss\necdsa-sha2-nistp256\n")
+    else()
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q cipher OUTPUT_VARIABLE OPENSSH_CIPHERS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q mac OUTPUT_VARIABLE OPENSSH_MACS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q kex OUTPUT_VARIABLE OPENSSH_KEX)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q key OUTPUT_VARIABLE OPENSSH_KEYS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q sig OUTPUT_VARIABLE OPENSSH_SIGS ERROR_QUIET)
+
+        # We need both of them, but lets get rid of duplicate items presented in both lists
+        # to avoid processing too long arguments in pkd
+        set(OPENSSH_KEYS "${OPENSSH_KEYS}${OPENSSH_SIGS}")
+        string(REPLACE "\n" ";" OPENSSH_KEYS "${OPENSSH_KEYS}")
+        list(REMOVE_DUPLICATES OPENSSH_KEYS)
+        string(REPLACE ";" "\n" OPENSSH_KEYS "${OPENSSH_KEYS}")
+    endif()
+
+    set(SSH_ALGORITHMS
+        3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr
+        aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com
+        hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com
+        umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com
+        hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com
+        hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com
+        diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256
+        diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1
+        diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
+        curve25519-sha256 curve25519-sha256@libssh.org
+        ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-dss
+        ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
+        ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
+        ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
+        ecdsa-sha2-nistp521-cert-v01@openssh.com
+        )
+    foreach(ALGORITHM ${SSH_ALGORITHMS})
+        string(TOUPPER ${ALGORITHM} VARNAME)
+        string(REGEX REPLACE "[-@.]" "_" VARNAME "OPENSSH_${VARNAME}")
+
+        # Match the current algorithm into the complete list of OpenSSH supported algorithms.
+        # If matching, create an OPENSSH_CIPHER_NAME variable.
+        string(REGEX MATCH ".*${ALGORITHM}\n" "${VARNAME}" "${OPENSSH_CIPHERS}${OPENSSH_MACS}${OPENSSH_KEX}${OPENSSH_KEYS}")
+    endforeach(ALGORITHM)
+
+    string(STRIP "${OPENSSH_CIPHERS}" OPENSSH_CIPHERS)
+    string(STRIP "${OPENSSH_MACS}" OPENSSH_MACS)
+    string(STRIP "${OPENSSH_KEX}" OPENSSH_KEX)
+    string(STRIP "${OPENSSH_KEYS}" OPENSSH_KEYS)
+    string(REPLACE "\n" "," OPENSSH_CIPHERS "${OPENSSH_CIPHERS}")
+    string(REPLACE "\n" "," OPENSSH_MACS "${OPENSSH_MACS}")
+    string(REPLACE "\n" "," OPENSSH_KEX "${OPENSSH_KEX}")
+    string(REPLACE "\n" "," OPENSSH_KEYS "${OPENSSH_KEYS}")
+
+endif()
+
+find_program(SSHD_EXECUTABLE
+             NAME
+                sshd
+             PATHS
+                /sbin
+                /usr/sbin
+                /usr/local/sbin)
+
 if (CLIENT_TESTING OR SERVER_TESTING)
     find_package(socket_wrapper 1.1.5 REQUIRED)
     find_package(nss_wrapper 1.1.2 REQUIRED)
     find_package(uid_wrapper 1.2.0 REQUIRED)
     find_package(pam_wrapper 1.0.1 REQUIRED)
 
-    find_program(SSHD_EXECUTABLE
-                 NAME
-                    sshd
-                 PATHS
-                    /sbin
-                    /usr/sbin
-                    /usr/local/sbin)
     if (NOT SSHD_EXECUTABLE)
         message(SEND_ERROR "Could not find sshd which is required for client testing")
     endif()
+    find_program(NC_EXECUTABLE
+                 NAME
+                    nc
+                 PATHS
+                    /bin
+                    /usr/bin
+                    /usr/local/bin)
 
     find_program(SSH_EXECUTABLE NAMES ssh)
     if (SSH_EXECUTABLE)
@@ -119,7 +195,7 @@ if (CLIENT_TESTING OR SERVER_TESTING)
     file(COPY keys/id_ed25519 DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
     file(COPY keys/id_ed25519.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
 
-    # Allow to auth with bob his public keys on alice account
+    # Allow to auth with bob's public keys on alice account
     configure_file(keys/id_rsa.pub ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys @ONLY)
     # append ECDSA public key
     file(READ keys/id_ecdsa.pub CONTENTS)
@@ -137,6 +213,8 @@ if (CLIENT_TESTING OR SERVER_TESTING)
     message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}")
 endif ()
 
+configure_file(tests_config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/tests_config.h)
+
 if (WITH_BENCHMARKS)
     add_subdirectory(benchmarks)
 endif ()

tests/client/torture_algorithms.c

@@ -472,8 +472,7 @@ static void torture_algorithms_3des_cbc_hmac_sha2_512_etm(void **state) {
     test_algorithm(s->ssh.session, NULL/*kex*/, "3des-cbc", "hmac-sha2-512-etm@openssh.com");
 }
 
-#ifdef WITH_BLOWFISH_CIPHER
-#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
+#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
 static void torture_algorithms_blowfish_cbc_hmac_sha1(void **state) {
     struct torture_state *s = *state;
 
@@ -533,9 +532,9 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512_etm(void **state) {
 
     test_algorithm(s->ssh.session, NULL/*kex*/, "blowfish-cbc", "hmac-sha2-512-etm@openssh.com");
 }
-#endif
 #endif /* WITH_BLOWFISH_CIPHER */
 
+#ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
 static void torture_algorithms_chacha20_poly1305(void **state)
 {
     struct torture_state *s = *state;
@@ -549,6 +548,7 @@ static void torture_algorithms_chacha20_poly1305(void **state)
                    "chacha20-poly1305@openssh.com",
                    NULL);
 }
+#endif /* OPENSSH_CHACHA20_POLY1305_OPENSSH_COM */
 
 static void torture_algorithms_zlib(void **state) {
     struct torture_state *s = *state;
@@ -647,7 +647,7 @@ static void torture_algorithms_ecdh_sha2_nistp521(void **state) {
 }
 #endif
 
-#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR >= 3) || OPENSSH_VERSION_MAJOR > 7)
+#ifdef OPENSSH_CURVE25519_SHA256
 static void torture_algorithms_ecdh_curve25519_sha256(void **state) {
     struct torture_state *s = *state;
 
@@ -657,9 +657,9 @@ static void torture_algorithms_ecdh_curve25519_sha256(void **state) {
 
     test_algorithm(s->ssh.session, "curve25519-sha256", NULL/*cipher*/, NULL/*hmac*/);
 }
-#endif
+#endif /* OPENSSH_CURVE25519_SHA256 */
 
-#if ((OPENSSH_VERSION_MAJOR == 6 && OPENSSH_VERSION_MINOR >= 5) || OPENSSH_VERSION_MAJOR > 6)
+#ifdef OPENSSH_CURVE25519_SHA256_LIBSSH_ORG
 static void torture_algorithms_ecdh_curve25519_sha256_libssh_org(void **state) {
     struct torture_state *s = *state;
 
@@ -669,7 +669,7 @@ static void torture_algorithms_ecdh_curve25519_sha256_libssh_org(void **state) {
 
     test_algorithm(s->ssh.session, "curve25519-sha256@libssh.org", NULL/*cipher*/, NULL/*hmac*/);
 }
-#endif
+#endif /* OPENSSH_CURVE25519_SHA256_LIBSSH_ORG */
 
 static void torture_algorithms_dh_group1(void **state) {
     struct torture_state *s = *state;
@@ -691,6 +691,16 @@ static void torture_algorithms_dh_group14(void **state) {
     test_algorithm(s->ssh.session, "diffie-hellman-group14-sha1", NULL/*cipher*/, NULL/*hmac*/);
 }
 
+static void torture_algorithms_dh_group14_sha256(void **state) {
+    struct torture_state *s = *state;
+
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    test_algorithm(s->ssh.session, "diffie-hellman-group14-sha256", NULL/*cipher*/, NULL/*hmac*/);
+}
+
 static void torture_algorithms_dh_group16(void **state) {
     struct torture_state *s = *state;
 
@@ -864,8 +874,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_3des_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#ifdef WITH_BLOWFISH_CIPHER
-#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
+#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha1,
                                         session_setup,
                                         session_teardown),
@@ -884,11 +893,12 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#endif
 #endif /* WITH_BLOWFISH_CIPHER */
+#ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
         cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
                                         session_setup,
                                         session_teardown),
+#endif /* OPENSSH_CHACHA20_POLY1305_OPENSSH_COM */
         cmocka_unit_test_setup_teardown(torture_algorithms_zlib,
                                         session_setup,
                                         session_teardown),
@@ -901,6 +911,9 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_dh_group14,
                                         session_setup,
                                         session_teardown),
+        cmocka_unit_test_setup_teardown(torture_algorithms_dh_group14_sha256,
+                                        session_setup,
+                                        session_teardown),
         cmocka_unit_test_setup_teardown(torture_algorithms_dh_group16,
                                         session_setup,
                                         session_teardown),
@@ -915,16 +928,16 @@ int torture_run_tests(void) {
                                         session_setup,
                                         session_teardown),
 #endif /* WITH_GEX */
-#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR >= 3) || OPENSSH_VERSION_MAJOR > 7)
+#ifdef OPENSSH_CURVE25519_SHA256
         cmocka_unit_test_setup_teardown(torture_algorithms_ecdh_curve25519_sha256,
                                         session_setup,
                                         session_teardown),
-#endif
-#if ((OPENSSH_VERSION_MAJOR == 6 && OPENSSH_VERSION_MINOR >= 5) || OPENSSH_VERSION_MAJOR > 6)
+#endif /* OPENSSH_CURVE25519_SHA256 */
+#ifdef OPENSSH_CURVE25519_SHA256_LIBSSH_ORG
         cmocka_unit_test_setup_teardown(torture_algorithms_ecdh_curve25519_sha256_libssh_org,
                                         session_setup,
                                         session_teardown),
-#endif
+#endif /* OPENSSH_CURVE25519_SHA256_LIBSSH_ORG */
 #if defined(HAVE_ECC)
         cmocka_unit_test_setup_teardown(torture_algorithms_ecdh_sha2_nistp256,
                                         session_setup,

tests/client/torture_auth.c

@@ -52,6 +52,7 @@ static int session_setup(void **state)
 {
     struct torture_state *s = *state;
     int verbosity = torture_libssh_verbosity();
+    const char *all_keytypes = NULL;
     struct passwd *pwd;
     bool b = false;
     int rc;
@@ -71,6 +72,11 @@ static int session_setup(void **state)
     rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
     assert_ssh_return_code(s->ssh.session, rc);
 
+    /* Enable all hostkeys */
+    all_keytypes = ssh_kex_get_supported_method(SSH_HOSTKEYS);
+    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, all_keytypes);
+    assert_ssh_return_code(s->ssh.session, rc);
+
     return 0;
 }
 

tests/client/torture_connect.c

@@ -183,6 +183,38 @@ static void torture_connect_socket(void **state) {
     assert_ssh_return_code(session, rc);
 }
 
+static void torture_connect_uninitialized(UNUSED_PARAM(void **state))
+{
+    int rc;
+    ssh_session session;
+    struct passwd *pwd;
+
+    /* Make sure the library is unitialized */
+    while (is_ssh_initialized()) {
+        rc = ssh_finalize();
+        assert_return_code(rc, errno);
+    }
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    rc = setuid(pwd->pw_uid);
+    assert_return_code(rc, errno);
+
+    session = ssh_new();
+    assert_non_null(session);
+
+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
+    assert_ssh_return_code(session, rc);
+
+    /* Expect error from ssh_connect */
+    rc = ssh_connect(session);
+    assert_false(rc == SSH_OK);
+    assert_string_equal(ssh_get_error(session), "Library not initialized.");
+
+    ssh_free(session);
+}
+
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
@@ -193,6 +225,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_connect_timeout, session_setup, session_teardown),
 #endif
         cmocka_unit_test_setup_teardown(torture_connect_socket, session_setup, session_teardown),
+        cmocka_unit_test(torture_connect_uninitialized),
     };
 
     ssh_init();

tests/client/torture_knownhosts.c

@@ -307,6 +307,7 @@ static void torture_knownhosts_other_auto(void **state) {
     char tmp_file[1024] = {0};
     char *known_hosts_file = NULL;
     int rc;
+    bool process_config = false;
 
     snprintf(tmp_file,
              sizeof(tmp_file),
@@ -344,6 +345,9 @@ static void torture_knownhosts_other_auto(void **state) {
 
     s->ssh.session = session;
 
+    rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
+    assert_ssh_return_code(session, rc);
+
     rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
     assert_ssh_return_code(session, rc);
 
@@ -368,6 +372,7 @@ static void torture_knownhosts_conflict(void **state) {
     char *known_hosts_file = NULL;
     FILE *file;
     int rc;
+    bool process_config = false;
 
     snprintf(tmp_file,
              sizeof(tmp_file),
@@ -411,6 +416,9 @@ static void torture_knownhosts_conflict(void **state) {
 
     s->ssh.session = session;
 
+    rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
+    assert_ssh_return_code(session, rc);
+
     ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
     ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file);
     rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "rsa-sha2-256");

tests/client/torture_proxycommand.c

@@ -59,6 +59,7 @@ static int session_teardown(void **state)
     return 0;
 }
 
+#ifdef NC_EXECUTABLE
 static void torture_options_set_proxycommand(void **state)
 {
     struct torture_state *s = *state;
@@ -70,13 +71,13 @@ static void torture_options_set_proxycommand(void **state)
     int rc;
     socket_t fd;
 
-    rc = stat("/bin/nc", &sb);
+    rc = stat(NC_EXECUTABLE, &sb);
     if (rc != 0 || (sb.st_mode & S_IXOTH) == 0) {
-        SSH_LOG(SSH_LOG_WARNING, "Could not find /bin/nc: Skipping the test");
+        SSH_LOG(SSH_LOG_WARNING, "Could not find " NC_EXECUTABLE ": Skipping the test");
         skip();
     }
 
-    rc = snprintf(command, sizeof(command), "/bin/nc %s %d", address, port);
+    rc = snprintf(command, sizeof(command), NC_EXECUTABLE " %s %d", address, port);
     assert_true((size_t)rc < sizeof(command));
 
     rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, command);
@@ -89,6 +90,16 @@ static void torture_options_set_proxycommand(void **state)
     assert_int_equal(rc & O_RDWR, O_RDWR);
 }
 
+#else /* NC_EXECUTABLE */
+
+static void torture_options_set_proxycommand(void **state)
+{
+    (void) state;
+    skip();
+}
+
+#endif /* NC_EXECUTABLE */
+
 static void torture_options_set_proxycommand_notexist(void **state) {
     struct torture_state *s = *state;
     ssh_session session = s->ssh.session;
@@ -110,7 +121,9 @@ static void torture_options_set_proxycommand_ssh(void **state)
     int rc;
     socket_t fd;
 
-    rc = snprintf(command, sizeof(command), "ssh -W [%%h]:%%p alice@%s", address);
+    rc = snprintf(command, sizeof(command),
+                  "ssh -oStrictHostKeyChecking=no -W [%%h]:%%p alice@%s",
+                  address);
     assert_true((size_t)rc < sizeof(command));
 
     rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, command);
@@ -132,7 +145,10 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
     int rc;
     socket_t fd;
 
-    rc = snprintf(command, sizeof(command), "ssh -vvv -W [%%h]:%%p alice@%s", address);
+    /* The -vvv switches produce the desired output on the standard error */
+    rc = snprintf(command, sizeof(command),
+                  "ssh -vvv -oStrictHostKeyChecking=no -W [%%h]:%%p alice@%s",
+                  address);
     assert_true((size_t)rc < sizeof(command));
 
     rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, command);

tests/client/torture_rekey.c

@@ -72,7 +72,7 @@ static int session_setup(void **state)
     ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
     ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
 
-    /* Authenticate as alice with bob his pubkey */
+    /* Authenticate as alice with bob's pubkey */
     rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
     assert_int_equal(rc, SSH_OK);
 
@@ -283,7 +283,7 @@ static void torture_rekey_recv(void **state)
     memcpy(secret_hash, c->secret_hash, c->digest_len);
 
     /* Download a file */
-    file = sftp_open(s->ssh.tsftp->sftp, "/usr/bin/ssh", O_RDONLY, 0);
+    file = sftp_open(s->ssh.tsftp->sftp, SSH_EXECUTABLE, O_RDONLY, 0);
     assert_non_null(file);
 
     mask = umask(S_IRWXO | S_IRWXG);
@@ -473,7 +473,7 @@ static void torture_rekey_server_recv(void **state)
     memcpy(secret_hash, c->secret_hash, c->digest_len);
 
     /* Download a file */
-    file = sftp_open(s->ssh.tsftp->sftp, "/usr/bin/ssh", O_RDONLY, 0);
+    file = sftp_open(s->ssh.tsftp->sftp, SSH_EXECUTABLE, O_RDONLY, 0);
     assert_non_null(file);
 
     mask = umask(S_IRWXO | S_IRWXG);

tests/client/torture_scp.c

@@ -37,6 +37,7 @@
 #define BUF_SIZE 1024
 
 #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
+#define ALICE_HOME BINARYDIR "/tests/home/alice"
 
 struct scp_st {
     struct torture_state *s;
@@ -157,7 +158,7 @@ static void torture_scp_upload(void **state)
     char expected_a[BUF_SIZE];
     char buf[BUF_SIZE];
     FILE *file = NULL;
-
+    size_t len = 0;
     int rc;
 
     assert_non_null(state);
@@ -202,7 +203,8 @@ static void torture_scp_upload(void **state)
     file = fopen(buf, "r");
     assert_non_null(file);
 
-    fread(buf, BUF_SIZE, 1, file);
+    len = fread(buf, BUF_SIZE, 1, file);
+    assert_int_equal(len, 1);
     assert_memory_equal(buf, expected_a, BUF_SIZE);
 
     fclose(file);
@@ -218,8 +220,8 @@ static void torture_scp_upload_recursive(void **state)
 
     char expected_b[BUF_SIZE];
     char buf[BUF_SIZE];
-
     FILE *file = NULL;
+    size_t len = 0;
 
     int rc;
 
@@ -273,7 +275,8 @@ static void torture_scp_upload_recursive(void **state)
     file = fopen(buf, "r");
     assert_non_null(file);
 
-    fread(buf, BUF_SIZE, 1, file);
+    len = fread(buf, BUF_SIZE, 1, file);
+    assert_int_equal(len, 1);
     assert_memory_equal(buf, expected_b, BUF_SIZE);
 
     fclose(file);
@@ -480,7 +483,7 @@ static void torture_scp_upload_newline(void **state)
     FILE *file = NULL;
 
     char buf[1024];
-
+    char *rs = NULL;
     int rc;
 
     assert_non_null(state);
@@ -531,7 +534,88 @@ static void torture_scp_upload_newline(void **state)
     file = fopen(buf, "r");
     assert_non_null(file);
 
-    fgets(buf, 1024, file);
+    rs = fgets(buf, 1024, file);
+    assert_non_null(rs);
+    assert_string_equal(buf, "original");
+
+    fclose(file);
+}
+
+static void torture_scp_upload_appended_command(void **state)
+{
+    struct scp_st *ts = NULL;
+    struct torture_state *s = NULL;
+
+    ssh_session session = NULL;
+    ssh_scp scp = NULL;
+
+    FILE *file = NULL;
+
+    char buf[1024];
+    char *rs = NULL;
+    int rc;
+
+    assert_non_null(state);
+    ts = *state;
+
+    assert_non_null(ts->s);
+    s = ts->s;
+
+    session = s->ssh.session;
+    assert_non_null(session);
+
+    assert_non_null(ts->tmp_dir_basename);
+    assert_non_null(ts->tmp_dir);
+
+    /* Upload a file path with a command appended */
+
+    /* Append a command to the file path */
+    snprintf(buf, BUF_SIZE, "%s"
+             "/;touch hack",
+             ts->tmp_dir);
+
+    /* When writing the file_name must be the directory name */
+    scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
+                      buf);
+    assert_non_null(scp);
+
+    rc = ssh_scp_init(scp);
+    assert_ssh_return_code(session, rc);
+
+    /* Push directory where the new file will be copied */
+    rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
+    assert_ssh_return_code(session, rc);
+
+    /* Try to push file */
+    rc = ssh_scp_push_file(scp, "original", 8, 0644);
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_scp_write(scp, "original", 8);
+    assert_ssh_return_code(session, rc);
+
+    /* Leave the directory */
+    rc = ssh_scp_leave_directory(scp);
+    assert_ssh_return_code(session, rc);
+
+    /* Cleanup */
+    ssh_scp_close(scp);
+    ssh_scp_free(scp);
+
+    /* Make sure the command was not executed */
+    snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
+    file = fopen(buf, "r");
+    assert_null(file);
+
+    /* Open the file and check content */
+    snprintf(buf, BUF_SIZE, "%s"
+             "/;touch hack/original",
+             ts->tmp_dir);
+
+    file = fopen(buf, "r");
+    assert_non_null(file);
+
+    rs = fgets(buf, 1024, file);
+    assert_non_null(rs);
     assert_string_equal(buf, "original");
 
     fclose(file);
@@ -556,6 +640,9 @@ int torture_run_tests(void)
         cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
                                         session_setup,
                                         session_teardown),
+        cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
+                                        session_setup,
+                                        session_teardown),
     };
 
     ssh_init();

tests/client/torture_sftp_read.c

@@ -73,7 +73,7 @@ static void torture_sftp_read_blocking(void **state) {
     sftp_file file;
     mode_t mask;
 
-    file = sftp_open(t->sftp, "/usr/bin/ssh", O_RDONLY, 0);
+    file = sftp_open(t->sftp, SSH_EXECUTABLE, O_RDONLY, 0);
     assert_non_null(file);
 
     mask = umask(S_IRWXO | S_IRWXG);

tests/pkd/CMakeLists.txt

@@ -3,6 +3,7 @@ project(pkd C)
 if (WITH_SERVER AND UNIX AND NOT WIN32)
 
     include_directories(${libssh_SOURCE_DIR}/include
+                        ${libssh_BINARY_DIR}/include
                         ${CMOCKA_INCLUDE_DIR}
                         ${ZLIB_INCLUDE_DIR}
                         ${CMAKE_BINARY_DIR}

tests/pkd/pkd_client.h

@@ -9,42 +9,20 @@
 #define __PKD_CLIENT_H__
 
 #include "config.h"
+#include "tests_config.h"
 
 /* OpenSSH */
 
-#define OPENSSH_BINARY "ssh"
+#define OPENSSH_BINARY SSH_EXECUTABLE
 #define OPENSSH_KEYGEN "ssh-keygen"
 
-#define OPENSSH_HOSTKEY_ALGOS_DEFAULT "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
-#define OPENSSH_PKACCEPTED_DEFAULT    "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com"
-
-#if       HAVE_ECC
-#define OPENSSH_HOSTKEY_ALGOS_ECDSA   ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
-#define OPENSSH_PKACCEPTED_ECDSA      ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com"
-#else  /* HAVE_ECC */
-#define OPENSSH_HOSTKEY_ALGOS_ECDSA   ""
-#define OPENSSH_PKACCEPTED_ECDSA      ""
-#endif /* HAVE_ECC */
-
-#if       HAVE_DSA
-#define OPENSSH_HOSTKEY_ALGOS_DSA     ",ssh-dss"
-#define OPENSSH_PKACCEPTED_DSA        ",ssh-dss,ssh-dss-cert-v01@openssh.com"
-#else  /* HAVE_DSA */
-#define OPENSSH_HOSTKEY_ALGOS_DSA     ""
-#define OPENSSH_PKACCEPTED_DSA        ""
-#endif /* HAVE_DSA */
-
 #define OPENSSH_HOSTKEY_ALGOS \
   "-o HostKeyAlgorithms="        \
-  OPENSSH_HOSTKEY_ALGOS_DEFAULT  \
-  OPENSSH_HOSTKEY_ALGOS_ECDSA    \
-  OPENSSH_HOSTKEY_ALGOS_DSA
+  OPENSSH_KEYS
 
 #define OPENSSH_PKACCEPTED_TYPES \
   "-o PubkeyAcceptedKeyTypes="  \
-  OPENSSH_PKACCEPTED_DEFAULT    \
-  OPENSSH_PKACCEPTED_ECDSA      \
-  OPENSSH_PKACCEPTED_DSA
+  OPENSSH_KEYS
 
 #define OPENSSH_CMD_START(hostkey_algos) \
     OPENSSH_BINARY " "                  \

tests/pkd/pkd_hello.c

@@ -266,21 +266,25 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, rsa_ecdh_sha2_nistp256,                 kexcmd("ecdh-sha2-nistp256"),            setup_rsa,        teardown) \
     f(client, rsa_ecdh_sha2_nistp384,                 kexcmd("ecdh-sha2-nistp384"),            setup_rsa,        teardown) \
     f(client, rsa_ecdh_sha2_nistp521,                 kexcmd("ecdh-sha2-nistp521"),            setup_rsa,        teardown) \
+    f(client, rsa_diffie_hellman_group14_sha256,      kexcmd("diffie-hellman-group14-sha256"), setup_rsa,        teardown) \
     f(client, rsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_rsa,        teardown) \
     f(client, rsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_rsa,        teardown) \
     f(client, ecdsa_256_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_256,  teardown) \
+    f(client, ecdsa_256_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256,  teardown) \
     f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256,  teardown) \
     f(client, ecdsa_384_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_384,  teardown) \
+    f(client, ecdsa_384_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384,  teardown) \
     f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384,  teardown) \
     f(client, ecdsa_521_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_521,  teardown) \
+    f(client, ecdsa_521_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521,  teardown) \
     f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521,  teardown)
 #endif
@@ -318,6 +322,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, dsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group14_sha1,        kexcmd("diffie-hellman-group14-sha1"),   setup_dsa,        teardown) \
+    f(client, dsa_diffie_hellman_group14_sha256,      kexcmd("diffie-hellman-group14-sha256"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group1_sha1,         kexcmd("diffie-hellman-group1-sha1"),    setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),                    setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1),                        setup_dsa,        teardown) \
@@ -337,6 +342,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, dsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group14_sha1,        kexcmd("diffie-hellman-group14-sha1"),   setup_dsa,        teardown) \
+    f(client, dsa_diffie_hellman_group14_sha256,      kexcmd("diffie-hellman-group14-sha256"), setup_dsa,        teardown) \
     f(client, dsa_diffie_hellman_group1_sha1,         kexcmd("diffie-hellman-group1-sha1"),    setup_dsa,        teardown)
 
 #elif defined(WITH_GEX) /* && !defined(HAVE_DSA) */
@@ -362,6 +368,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ed25519_ecdh_sha2_nistp256,             kexcmd("ecdh-sha2-nistp256"),            setup_ed25519,    teardown) \
     f(client, ed25519_ecdh_sha2_nistp384,             kexcmd("ecdh-sha2-nistp384"),            setup_ed25519,    teardown) \
     f(client, ed25519_ecdh_sha2_nistp521,             kexcmd("ecdh-sha2-nistp521"),            setup_ed25519,    teardown) \
+    f(client, ed25519_diffie_hellman_group14_sha256,  kexcmd("diffie-hellman-group14-sha256"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group16_sha512,  kexcmd("diffie-hellman-group16-sha512"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group18_sha512,  kexcmd("diffie-hellman-group18-sha512"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group14_sha1,    kexcmd("diffie-hellman-group14-sha1"),   setup_ed25519,    teardown) \
@@ -376,6 +383,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
     f(client, ed25519_ecdh_sha2_nistp256,             kexcmd("ecdh-sha2-nistp256"),            setup_ed25519,    teardown) \
     f(client, ed25519_ecdh_sha2_nistp384,             kexcmd("ecdh-sha2-nistp384"),            setup_ed25519,    teardown) \
     f(client, ed25519_ecdh_sha2_nistp521,             kexcmd("ecdh-sha2-nistp521"),            setup_ed25519,    teardown) \
+    f(client, ed25519_diffie_hellman_group14_sha256,  kexcmd("diffie-hellman-group14-sha256"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group16_sha512,  kexcmd("diffie-hellman-group16-sha512"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group18_sha512,  kexcmd("diffie-hellman-group18-sha512"), setup_ed25519,    teardown) \
     f(client, ed25519_diffie_hellman_group1_sha1,     kexcmd("diffie-hellman-group1-sha1"),    setup_ed25519,    teardown) \
@@ -602,7 +610,7 @@ static void torture_pkd_runtest(const char *testname,
 #define emit_keytest(client, testname, sshcmd, setup, teardown) \
     static void torture_pkd_## client ## _ ## testname(void **state) { \
         const char *tname = "torture_pkd_" #client "_" #testname;      \
-        char testcmd[1024] = { 0 };                                    \
+        char testcmd[2048] = { 0 };                                    \
         (void) state;                                                  \
         snprintf(&testcmd[0], sizeof(testcmd), sshcmd, tname, tname);  \
         torture_pkd_runtest(tname, testcmd);                           \
@@ -1006,7 +1014,6 @@ int main(int argc, char **argv) {
 
     rc = ssh_init();
     if (rc != 0) {
-        rc = SSH_ERROR;
         goto out;
     }
 

tests/server/CMakeLists.txt

@@ -13,6 +13,7 @@ set(LIBSSH_SERVER_TESTS
 )
 
 include_directories(${libssh_SOURCE_DIR}/include
+                    ${libssh_BINARY_DIR}/include
                     ${libssh_BINARY_DIR}
                     test_server)
 

tests/server/test_server/CMakeLists.txt

@@ -17,6 +17,7 @@ set(LIBSSH_SERVER_TESTS
 )
 
 include_directories(${libssh_SOURCE_DIR}/include
+                    ${libssh_BINARY_DIR}/include
                     ${libssh_BINARY_DIR})
 
 if (ARGP_INCLUDE_DIR)

tests/server/torture_server.c

@@ -404,7 +404,7 @@ static void torture_server_auth_pubkey(void **state)
     session = s->ssh.session;
     assert_non_null(session);
 
-    /* Authenticate as alice with bob his pubkey */
+    /* Authenticate as alice with bob's pubkey */
     rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
     assert_int_equal(rc, SSH_OK);
 

tests/server/torture_server_config.c

@@ -321,9 +321,9 @@ static int session_setup(void **state)
     assert_non_null(s->ssh.session);
 
     rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-    assert_return_code(s->ssh.session, rc);
+    assert_ssh_return_code(s->ssh.session, rc);
     rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
-    assert_return_code(s->ssh.session, rc);
+    assert_ssh_return_code(s->ssh.session, rc);
     /* Make sure no other configuration options from system will get used */
     rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
     assert_ssh_return_code(s->ssh.session, rc);

tests/tests_config.h.cmake

@@ -0,0 +1,69 @@
+/* OpenSSH capabilities */
+
+#cmakedefine OPENSSH_VERSION_MAJOR ${OPENSSH_VERSION_MAJOR}
+#cmakedefine OPENSSH_VERSION_MINOR ${OPENSSH_VERSION_MINOR}
+
+#cmakedefine OPENSSH_CIPHERS "${OPENSSH_CIPHERS}"
+#cmakedefine OPENSSH_MACS "${OPENSSH_MACS}"
+#cmakedefine OPENSSH_KEX "${OPENSSH_KEX}"
+#cmakedefine OPENSSH_KEYS "${OPENSSH_KEYS}"
+
+
+#cmakedefine OPENSSH_3DES_CBC 1
+#cmakedefine OPENSSH_AES128_CBC 1
+#cmakedefine OPENSSH_AES192_CBC 1
+#cmakedefine OPENSSH_AES256_CBC 1
+#cmakedefine OPENSSH_RIJNDAEL_CBC_LYSATOR_LIU_SE 1
+#cmakedefine OPENSSH_AES128_CTR 1
+#cmakedefine OPENSSH_AES192_CTR 1
+#cmakedefine OPENSSH_AES256_CTR 1
+#cmakedefine OPENSSH_AES128_GCM_OPENSSH_COM 1
+#cmakedefine OPENSSH_AES256_GCM_OPENSSH_COM 1
+#cmakedefine OPENSSH_CHACHA20_POLY1305_OPENSSH_COM 1
+#cmakedefine OPENSSH_BLOWFISH_CBC 1
+#cmakedefine OPENSSH_HMAC_SHA1 1
+#cmakedefine OPENSSH_HMAC_SHA1_96 1
+#cmakedefine OPENSSH_HMAC_SHA2_256 1
+#cmakedefine OPENSSH_HMAC_SHA2_512 1
+#cmakedefine OPENSSH_HMAC_MD5 1
+#cmakedefine OPENSSH_HMAC_MD5_96 1
+#cmakedefine OPENSSH_UMAC_64_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_128_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA1_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA1_96_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA2_256_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA2_512_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_MD5_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_MD5_96_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_64_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_128_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP1_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP14_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP14_SHA256 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP16_SHA512 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP18_SHA512 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP_EXCHANGE_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP_EXCHANGE_SHA256 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP256 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP384 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP521 1
+#cmakedefine OPENSSH_CURVE25519_SHA256 1
+#cmakedefine OPENSSH_CURVE25519_SHA256_LIBSSH_ORG 1
+#cmakedefine OPENSSH_SSH_ED25519 1
+#cmakedefine OPENSSH_SSH_ED25519_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_SSH_RSA 1
+#cmakedefine OPENSSH_SSH_DSS 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521 1
+#cmakedefine OPENSSH_SSH_RSA_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_SSH_DSS_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521_CERT_V01_OPENSSH_COM 1
+
+/* Available programs */
+
+#cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
+#cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"

tests/torture.c

@@ -22,7 +22,7 @@
  */
 
 #include "config.h"
-
+#include "tests_config.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
@@ -62,6 +62,10 @@
 #define TORTURE_SSHD_CONFIG "sshd/sshd_config"
 #define TORTURE_PCAP_FILE "socket_trace.pcap"
 
+#ifndef PATH_MAX
+# define PATH_MAX 4096
+#endif
+
 static const char torture_rsa_certauth_pub[]=
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnA2n5vHzZbs/GvRkGloJNV1CXHI"
         "S5Xnrm05HusUJSWyPq3I1iCMHdYA7oezHa9GCFYbIenaYPy+G6USQRjYQz8SvAZo06"
@@ -196,6 +200,7 @@ torture_read_pidfile(const char *pidfile)
 {
     char buf[8] = {0};
     long int tmp;
+    pid_t ret;
     ssize_t rc;
     int fd;
 
@@ -213,11 +218,16 @@ torture_read_pidfile(const char *pidfile)
     buf[sizeof(buf) - 1] = '\0';
 
     tmp = strtol(buf, NULL, 10);
-    if (tmp == 0 || tmp > 0xFFFF || errno == ERANGE) {
+    if (tmp == 0 || errno == ERANGE) {
+        return -1;
+    }
+    ret = (pid_t)tmp;
+    /* Check if we are out of pid_t range on this system */
+    if ((long)ret != tmp) {
         return -1;
     }
 
-    return (pid_t)(tmp & 0xFFFF);
+    return ret;
 }
 
 int torture_terminate_process(const char *pidfile)
@@ -588,29 +598,26 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
     char rsa_hostkey[1024];
     char ecdsa_hostkey[1024];
     char trusted_ca_pubkey[1024];
-    char sshd_config[2048];
+    char sshd_config[4096];
     char sshd_path[1024];
     const char *additional_config = NULL;
     struct stat sb;
     const char *sftp_server_locations[] = {
         "/usr/lib/ssh/sftp-server",
+        "/usr/libexec/ssh/sftp-server", /* Tumbleweed 20200829 */
         "/usr/libexec/sftp-server",
         "/usr/libexec/openssh/sftp-server",
         "/usr/lib/openssh/sftp-server",     /* Debian */
     };
-#ifndef OPENSSH_VERSION_MAJOR
-#define OPENSSH_VERSION_MAJOR 7U
-#define OPENSSH_VERSION_MINOR 0U
-#endif /* OPENSSH_VERSION_MAJOR */
     const char config_string[]=
              "Port 22\n"
              "ListenAddress 127.0.0.10\n"
-             "%s %s\n"
+             "%s %s\n" /* ed25519 HostKey */
 #ifdef HAVE_DSA
-             "%s %s\n"
+             "%s %s\n" /* DSA HostKey */
 #endif /* HAVE_DSA */
-             "%s %s\n"
-             "%s %s\n"
+             "%s %s\n" /* RSA HostKey */
+             "%s %s\n" /* ECDSA HostKey */
              "\n"
              "TrustedUserCAKeys %s\n"
              "\n"
@@ -624,33 +631,14 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
              "\n"
              "%s" /* Here comes UsePam */
              "\n"
-#if (OPENSSH_VERSION_MAJOR == 6 && OPENSSH_VERSION_MINOR >= 7) || (OPENSSH_VERSION_MAJOR >= 7)
-# ifdef HAVE_DSA
-             "HostKeyAlgorithms +ssh-dss\n"
-# else /* HAVE_DSA */
-             "HostKeyAlgorithms +ssh-rsa\n"
-# endif /* HAVE_DSA */
-# if (OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6)
-             "Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc\n"
-# else /* OPENSSH_VERSION 7.0 - 7.5 */
-             "Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc\n"
-# endif /* OPENSSH_VERSION 7.0 - 7.6 */
-             "KexAlgorithms +diffie-hellman-group1-sha1,"
-             "diffie-hellman-group-exchange-sha1"
-#else /* OPENSSH_VERSION >= 6.7 */
-             "Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,"
-                     "aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
-                     "aes256-gcm@openssh.com,arcfour128,arcfour256,arcfour,"
-                     "blowfish-cbc,cast128-cbc,chacha20-poly1305@openssh.com\n"
-             "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
-                           "ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
-                           "diffie-hellman-group-exchange-sha256,"
-                           "diffie-hellman-group-exchange-sha1,"
-                           "diffie-hellman-group16-sha512,"
-                           "diffie-hellman-group18-sha512,"
-                           "diffie-hellman-group14-sha1,"
-                           "diffie-hellman-group1-sha1\n"
-#endif /* OPENSSH_VERSION >= 6.7 */
+             /* add all supported algorithms */
+             "HostKeyAlgorithms " OPENSSH_KEYS "\n"
+#if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
+             "CASignatureAlgorithms " OPENSSH_KEYS "\n"
+#endif
+             "Ciphers " OPENSSH_CIPHERS "\n"
+             "KexAlgorithms " OPENSSH_KEX "\n"
+             "MACs " OPENSSH_MACS "\n"
              "\n"
              "AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\n"
              "AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\n"
@@ -662,8 +650,8 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
     const char fips_config_string[]=
              "Port 22\n"
              "ListenAddress 127.0.0.10\n"
-             "%s %s\n" /* HostKey */
-             "%s %s\n" /* HostKey */
+             "%s %s\n" /* RSA HostKey */
+             "%s %s\n" /* ECDSA HostKey */
              "\n"
              "TrustedUserCAKeys %s\n" /* Trusted CA */
              "\n"
@@ -861,7 +849,7 @@ void torture_setup_sshd_server(void **state, bool pam)
     s = *state;
 
     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
-             "/usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+             SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
              s->srv_config, s->socket_dir, s->socket_dir);
 
     rc = system(sshd_start_cmd);

tests/torture.h

@@ -41,6 +41,7 @@
 #include <cmocka.h>
 
 #include "torture_cmocka.h"
+#include "tests_config.h"
 
 #ifndef assert_return_code
 /* hack for older versions of cmocka */

tests/unittests/torture_init.c

@@ -2,6 +2,7 @@
 
 #define LIBSSH_STATIC
 
+#include <errno.h>
 #include "torture.h"
 #include "libssh/libssh.h"
 
@@ -32,11 +33,33 @@ static void torture_ssh_init_after_finalize(void **state) {
     assert_int_equal(rc, SSH_OK);
 }
 
+static void torture_is_ssh_initialized(UNUSED_PARAM(void **state)) {
+
+    int rc;
+    bool initialized = false;
+
+    /* Make sure the library is not initialized */
+    while (is_ssh_initialized()) {
+        rc = ssh_finalize();
+        assert_return_code(rc, errno);
+    }
+
+    rc = ssh_init();
+    assert_return_code(rc, errno);
+    initialized = is_ssh_initialized();
+    assert_true(initialized);
+    rc = ssh_finalize();
+    assert_return_code(rc, errno);
+    initialized = is_ssh_initialized();
+    assert_false(initialized);
+}
+
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
         cmocka_unit_test(torture_ssh_init),
         cmocka_unit_test(torture_ssh_init_after_finalize),
+        cmocka_unit_test(torture_is_ssh_initialized),
     };
 
     torture_filter_tests(tests);

tests/unittests/torture_options.c

@@ -109,18 +109,21 @@ static void torture_options_set_key_exchange(void **state)
                          "curve25519-sha256,curve25519-sha256@libssh.org,"
                          "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
                          "diffie-hellman-group18-sha512,"
+                         "diffie-hellman-group14-sha256,"
                          "diffie-hellman-group14-sha1");
     assert_true(rc == 0);
     assert_non_null(session->opts.wanted_methods[SSH_KEX]);
     if (ssh_fips_mode()) {
         assert_string_equal(session->opts.wanted_methods[SSH_KEX],
                             "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
-                            "diffie-hellman-group18-sha512");
+                            "diffie-hellman-group18-sha512,"
+                            "diffie-hellman-group14-sha256");
     } else {
         assert_string_equal(session->opts.wanted_methods[SSH_KEX],
                             "curve25519-sha256,curve25519-sha256@libssh.org,"
                             "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
                             "diffie-hellman-group18-sha512,"
+                            "diffie-hellman-group14-sha256,"
                             "diffie-hellman-group14-sha1");
     }
 
@@ -1327,18 +1330,21 @@ static void torture_bind_options_set_key_exchange(void **state)
                               "curve25519-sha256,curve25519-sha256@libssh.org,"
                               "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
                               "diffie-hellman-group18-sha512,"
+                              "diffie-hellman-group14-sha256,"
                               "diffie-hellman-group14-sha1");
     assert_int_equal(rc, 0);
     assert_non_null(bind->wanted_methods[SSH_KEX]);
     if (ssh_fips_mode()) {
         assert_string_equal(bind->wanted_methods[SSH_KEX],
                             "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
-                            "diffie-hellman-group18-sha512");
+                            "diffie-hellman-group18-sha512,"
+                            "diffie-hellman-group14-sha256");
     } else {
         assert_string_equal(bind->wanted_methods[SSH_KEX],
                             "curve25519-sha256,curve25519-sha256@libssh.org,"
                             "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
                             "diffie-hellman-group18-sha512,"
+                            "diffie-hellman-group14-sha256,"
                             "diffie-hellman-group14-sha1");
     }