lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-06 13:20:57 +03:00
Code Activity
6,476 Commits 12 Branches 62 Tags
e5108f2ffca74db2f98cf16e04acfb65e7dbeb2e
Commit Graph

6476 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andreas Schneider
e5108f2ffc docs: Use a modern doxygen theme 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Andreas Schneider
5ce4b65abb cmake: Add .cmake-format.yaml 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Andreas Schneider
b62675b435 chore(editorconfig): Put CMakeLists.txt in its own section 
This is read by neocmakelsp for formatting.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-21 17:49:52 +01:00
Jakub Jelen
f333d95013 ci: Avoid repetitive definitions 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:53 +01:00
Jakub Jelen
92d0f8aba6 ci: Remove GSSAPI from minimal build 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
66460578b1 ci: Remove marco from the whitelist 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
b93db6c3d1 ci: Replace ad-hoc exports with variables 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:37 +01:00
Jakub Jelen
1c3143ff00 ci: Add cmocka.cfg to avoid false positives reports from csbuild 
Based on cmocka changes:

https://gitlab.com/cmocka/cmocka/-/blob/master/cppcheck/cmocka.cfg

https://gitlab.com/cmocka/cmocka/-/blob/master/.gitlab-ci.yml#L148

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-19 17:31:31 +01:00
Praneeth Sarode
47305a2f72 docs(fido2): add FIDO2/U2F security key support chapter to documentation 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:23 +05:30
Praneeth Sarode
5bbaecfaa7 feat(pki): extend the sshsig API to support security keys along with tests 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:28:14 +05:30
Praneeth Sarode
6e5d0a935f tests(fido2): add tests for SK ECDSA and SK Ed25519 public key authentication 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5d4d9f8208 tests(rsa): add test for RSA key generation using the newer ssh_pki_generate_key API 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
c128cf8807 tests(pki): add torture tests for pki_sk functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
5937b5ba4e feat(torture_sk): add functions to validate security key signatures and to create PKI context 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
1241a3a8c9 tests(fido2): add sk-dummy support to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
21d338737a tests(fido2): add sk key files to the testing infrastructure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
d91630308d pki: add security key identities to session options 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:48 +05:30
Praneeth Sarode
37f0e91814 feat(pki): add security key support with enrollment, signing, and resident key loading functions 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:27:36 +05:30
Praneeth Sarode
32a256e157 feat(pki): add ssh_key getters to retrieve security key flags, application, and user ID 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
14bd26e71c feat(pki): add support for user ID in ssh_key structure 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
97e71606e0 feat(pki): add ssh_pki_ctx to ssh_session 
The session struct now contains an ssh_pki_ctx struct as its member to allow for passing user configured pki options across many functions.
The ssh_options_set API has been extended to allow users to set this member.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
d4b0de702b feat(pki): implement PKI context API 
A new generic struct is introduced which contains the various configuration options that can be used by pki operations.
API functions have been provided to configure all the options.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:53 +05:30
Praneeth Sarode
acc080ac03 tests(fido2): add tests for the usb-hid security key callbacks 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-13 15:11:46 +05:30
Praneeth Sarode
e56af9fa79 feat(torture_sk): add validation functions for security key callback responses and resident keys 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
c4b2bd34a8 feat(torture): add torture_get_sk_pin function to retrieve PIN from environment 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:48 +05:30
Praneeth Sarode
50ee6411f2 fido2: implement the default sk_callbacks for FIDO2/U2F keys using the usb-hid protocol 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:52:45 +05:30
Praneeth Sarode
c1dd30b47b fido2: add helper functions for writing FIDO2/U2F callbacks 
Add some common helper functions that can be used by any developer
writing callbacks for interacting with FIDO2/U2F devices.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
8ba9e931e8 fido2: declare callbacks for sk operations 
Declare ssh_sk_callbacks_struct so that the users can define custom functions as callbacks for interacting with FIDO2/U2F devices.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
eda5c6576b tests(torture_sk): validate sk_flags against allowed security key flags 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
302d868875 fido2: add sk_api.h 
The sk_api.h file added is a copy of the sk-api.h file in openSSH, including only the struct and constant definitions.
This has been done to ensure compatibility with any security key middleware developed for openSSH.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
7db75e8fd0 ci: enable FIDO2/U2F support in some images 
Build with WITH_FIDO2=ON in the default fedora, tumbleweed, centos, ubuntu, and visualstudio images.

Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
ebe632cf8f cmake: add build option to enable FIDO2/U2F support 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:38 +05:30
Praneeth Sarode
150d606db7 cmake: add cmake module to find libfido2 
Signed-off-by: Praneeth Sarode <praneethsarode@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
 2025-11-09 05:04:37 +05:30
Jakub Jelen
63fbf00efe pki: Use constant for minimal RSA key size in FIPS 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
ae33ced0dc coverage: Ignore parse errors again 
Without this, the gcov is crashing with some suspicious coverage reports on
functions like `uint32_divmod_uint14()` from internal sntrup implementation.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
ee6e2c69e1 Bump minimal RSA key size to 1024 
Fixes: #326

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
cefc4f8c97 pkd: Run tests with ecdsa and ed25519 keys with dropbear 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
b64e7f67d3 pkd: Run ed25519 tests with dropbear 
Resolves: #336

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:25:25 +01:00
Jakub Jelen
491cd81a32 kex: Place PQC KEX methods first 
The ML-KEMx25519 is now preferred algorithm in OpenSSH so follow the suit

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:24:47 +01:00
Jakub Jelen
3444f4c449 Remove references to (unused) pre-release ssh messages SSH2_MSG_ECMQV_* 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-06 16:24:47 +01:00
Pavol Žáčik
80541ab828 mlkem768: Fix missing jumps in error handling 
Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-06 12:10:03 +01:00
Jakub Jelen
b042477f83 Suppress remaining OpenSSL 3.5 memory leaks 
Reported as

https://github.com/openssl/openssl/issues/29077

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
950abbbd81 tests: Remove the -E which is overridden by followed -E on ctest CLI 
The threads_pki_rsa was running and working under valgrind for some
time already without anyone noticing this syntax does not work.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
b9c6701c68 tests: Avoid needless pthread_exit() 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Jakub Jelen
a94df4bb8f tests: Adjust valgrind supressions for Fedora 43 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-05 17:52:24 +01:00
Pavol Žáčik
41b8b3326c client: Reset session packet state on disconnect 
When reusing session structures for multiple
connections, the packet state could be SIZE_READ
before disconnect, causing initial packets of the
next connection to be misinterpreted.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-05 17:44:33 +01:00
Sahana Prasad
a9c8f942a5 kex: Implement mlkem768x25519-sha256 
The implementation largely follows that of sntrup761x25519-sha512.

Most of the work was done by Sahana with the help of Claude,
Pavol provided fixes to match specs and did a final clean up.

Co-Authored-By: Sahana Prasad <sahana@redhat.com>
Co-Authored-By: Pavol Žáčik <pzacik@redhat.com>
Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-05 17:44:33 +01:00
Jakub Jelen
d307bfa239 pki_crypto: Avoid potential memory leak if malloc fails 
Thanks oss-fuzz and nalloc.

https://issues.oss-fuzz.com/issues/449101878

Thanks Andreas for review and nugging into rewriting it to something readable.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 2025-11-04 16:08:58 +01:00
Mike Frysinger
66e8491f73 ttyopts: make non-POSIX defines optional 
This file uses a bunch of defines that, while common, are not in POSIX.
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/termios.h.html

Add more ifdef checks around them to fix building on platforms that omit
them.

Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-04 14:46:58 +01:00
Mike Frysinger
e93c1f6a61 libcrypto: update EVP API usage 
The EVP_CIPHER_CTX_init API is deprecated and doesn't exist in some
OpenSSL versions.  Switch to EVP_CIPHER_CTX_reset which works with
1.1.x which is the min version libssh requires.

Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 2025-11-04 14:45:39 +01:00