lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-06 13:20:57 +03:00
Code Activity
6,454 Commits 12 Branches 62 Tags
acc080ac03a86d09152f307a90bea468fd1e11b0
Commit Graph

1368 Commits

Author SHA1 Message Date
Praneeth Sarode
acc080ac03 tests(fido2): add tests for the usb-hid security key callbacks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:46 +05:30
Praneeth Sarode
e56af9fa79 feat(torture_sk): add validation functions for security key callback responses and resident keys 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
c4b2bd34a8 feat(torture): add torture_get_sk_pin function to retrieve PIN from environment 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
eda5c6576b tests(torture_sk): validate sk_flags against allowed security key flags 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Jakub Jelen
cefc4f8c97 pkd: Run tests with ecdsa and ed25519 keys with dropbear 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
b64e7f67d3 pkd: Run ed25519 tests with dropbear 
Resolves: #336

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
491cd81a32 kex: Place PQC KEX methods first 
The ML-KEMx25519 is now preferred algorithm in OpenSSH so follow the suit

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:24:47 +01:00
Jakub Jelen
b042477f83 Suppress remaining OpenSSL 3.5 memory leaks 
Reported as

https://github.com/openssl/openssl/issues/29077

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
950abbbd81 tests: Remove the -E which is overridden by followed -E on ctest CLI 
The threads_pki_rsa was running and working under valgrind for some
time already without anyone noticing this syntax does not work.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
b9c6701c68 tests: Avoid needless pthread_exit() 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
a94df4bb8f tests: Adjust valgrind supressions for Fedora 43 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Sahana Prasad
a9c8f942a5 kex: Implement mlkem768x25519-sha256 
The implementation largely follows that of sntrup761x25519-sha512.

Most of the work was done by Sahana with the help of Claude,
Pavol provided fixes to match specs and did a final clean up.

Co-Authored-By: Sahana Prasad <sahana@redhat.com>
Co-Authored-By: Pavol Žáčik <pzacik@redhat.com>
Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-05 17:44:33 +01:00
Jakub Jelen
07d099f652 examples: Support passing port to libssh_scp to simplify testing 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-10 16:20:53 +02:00
Praneeth Sarode
f3d70e54e9 tests(string): add tests for ssh_string_from_data function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-10-10 14:00:22 +02:00
Jakub Jelen
00f1d6fac2 Add RequiredRsaSize configuration option 
to both client and server configuration file

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:06:43 +02:00
Jakub Jelen
ecb11f1a18 tests: Fix wording in comment to make sense 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:04:54 +02:00
Jakub Jelen
6aea779918 sftpserver: Fix loop termination 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:03:46 +02:00
Jakub Jelen
a51384fe4e sftpserver: Remove some needless parts 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-10-01 16:03:45 +02:00
Praneeth Sarode
8541b6584f test(buffer): add unit tests for ssh_buffer_dup function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-25 15:04:18 +02:00
Jakub Jelen
a3c5d3b256 tests: Rewrite all fuzzers to LLVMFuzzerInitialize and nalloc 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-09-25 15:03:07 +02:00
Philippe Antoine
59a502ede6 fuzz: test allocations failures 
Signed-off-by: Philippe Antoine <p.antoine@catenacyber.fr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-25 15:03:04 +02:00
Jakub Jelen
3d3b12891f tests: Avoid prefix matching when selecting algorithmms 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-09-10 13:05:50 +02:00
Jakub Jelen
6ca59307d4 Add non-namespaced alias sntrup761x25519-sha512 that is being standardized 
The specification is now in the last call, data point is allocated so there is
no need to stick to the namespaces alias anymore

https://datatracker.ietf.org/doc/draft-ietf-sshm-ntruprime-ssh/

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-09-10 12:23:08 +02:00
Praneeth Sarode
e8bbd194c7 refactor(pki): Define RSA_MIN_KEY_SIZE and update related checks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-09-09 12:53:43 +02:00
Jakub Jelen
d357a9f3e2 tests: Invoke all combinations of wrong guesses during rekey 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-08-14 10:32:13 +02:00
Jakub Jelen
771e19a7a9 tests: Enable all key exchange methods in ssh_ping 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-08-14 10:31:30 +02:00
Jakub Jelen
ef50a3c0f0 tests: Remove tests of operations on freed channels 
These tests are flaky because even though the care was taken to guess if
the ssh_channel_free() really freed the channel, it might not always be correct
and call to operation on the freed channel results in use after free.

Generally, no operation should be called after the channel is freed by the user.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-08-06 11:18:45 +02:00
Jakub Jelen
d1bf9068a9 Use calloc instead of zeroizing structure after malloc 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-08-06 11:16:58 +02:00
Praneeth Sarode
cc667021e5 tests(pki): add torture tests for security keys 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-08-01 15:28:58 +05:30
Praneeth Sarode
f9f8c939bc tests(pki): add security key testing helper functions to torture library 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-08-01 15:28:54 +05:30
Praneeth Sarode
aab6ce364a tests(pki): add sk type keys to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-08-01 15:28:41 +05:30
Praneeth Sarode
09155adb19 tests(string): add unit tests for ssh_string_cmp function 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-07-30 16:06:32 +02:00
Jakub Jelen
c2e9d39dbe tests: Fix build script to work also on MacOS correctly 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 16:40:56 +02:00
Jakub Jelen
ab44f606b2 tests: Add more valgrind supressions for krb5 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
444982b38a tests: Avoid needless call to pthread_exit() 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
3df61a4e86 pkd: Cleanup OpenSSL context 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
7eefbbd478 tests: Cleanup OpenSSL in the forked server processes 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
c4c28c6473 tests: Skip test leaking handle under valgrind 
This is leaking memory allocated in process_open(), which is stored in the
handles list in the sftpserver session. Given that the data is provided by the
use callbacks, we can not universally free them on our side, but we should, in
the long term, introduce some way for the implementers to free outstanding
handles that were not closed by misbehaving clients.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
08a32ac381 tests: Cleanup OpenSSL in tests when GSSAPI is built 
also from the fuzzer tests

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
ab3e08c2b5 Finalize OpenSSL context from tests to make the valgrind output clean 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
809898b980 tests: Adjust valgrind supression to match new calls stack 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-25 13:20:15 +02:00
Jakub Jelen
9817392e26 pkd: Run hmac-sha1 tests with OpenSSH 
This was initially in hurry disabled in
ca4c874a9e because dropbear dropped support for
these HMACs. The follow-up commit enabled running these tests on old dropbear in
c17112f070, but still did not run them on openssh,
when the new dropbear was installed.

This fixes up the above commit to run the HMAC-SHA1 tests with OpenSSH even if
the new dropbear is installed.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-07-24 16:09:55 +02:00
Jakub Jelen
82c8bbc504 tests: Add missing header file to unbreak build on freebsd 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-07-24 11:13:35 +02:00
Jakub Jelen
1ea1782036 Add simple sshsig fuzzer 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
 2025-07-24 11:13:34 +02:00
abdallah elhdad
c17112f070 Enable HMAC SHA1 tests for dropbear <2025.87 
Signed-off-by: abdallah elhdad <abdallahselhdad@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-07-24 10:49:51 +02:00
Nicolas Graves
aeb0b2ec6f Add unittests for sshsig functions 
Signed-off-by: Nicolas Graves <ngraves@ngraves.fr>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-07-10 11:21:44 +02:00
Theo Buehler
ccb8cf88c8 Unbreak torture_config_make_absolute() on OpenBSD 
The torture_config_make_absolute() and its _no_sshdir() version both
segfault on OpenBSD. The reason for this is that the storage returned
by getpwuid() is backed by mmap and is unapped by the getpwnam() call
in ssh_path_expand_tilde(), so a later access to home segfaults. The
possibility of this happening (getpwnam() overwriting values returned
by getpwuid()) is explicitly called out in POSIX.

A simple fix is to work with copies of username and homedir.

Signed-off-by: Theo Buehler <tb@openbsd.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-07-01 20:50:25 +02:00
Praneeth Sarode
b43392c31d tests(string): add unit tests for ssh_string functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-07-01 20:49:39 +02:00
Jakub Jelen
c22bfa792f CVE-2025-5449 tests: Reproducer for payload length overrun 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-06-23 13:37:06 +02:00
Jakub Jelen
681a5aaa26 CVE-2025-5449 tests: Reproducer for server processing invalid handles 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-06-23 13:37:06 +02:00