- userauth: fix NULL dereference when out-of-memory.
Also fix indentation.
Follow-up to 3a6ab70dcf#1314
- openssl: drop redundant NULL check and logic.
Follow-up to ed439a29bb#698
Pointed out by CodeQL
Closes#1656
actions/upload-artifact from 4.6.1 to 4.6.2
cygwin/cygwin-install-action from 5 to 6
msys2/setup-msys2 from 2.26.0 to 2.29.0
Closes#1649Closes#1650Closes#1651
This version check may have never worked before this patch. Fixing it
uncovered another issue with assembling `gcov` compiler options. Fix
that issue too.
Follow-up to 09f0ffd9fbCloses#1648
Notes:
Added additional base64 decoding validation when parsing known_hosts and no longer assume what is going into _libssh2_base64_encode() is a null terminated C string, input now must have a length and buffer.
Reported by:
Dhiraj Mishra mishra.dhiraj95@gmail.com
Credit:
Will Cosgrove
Reviewed by:
Michael Buckley
By micromanaging the project dependency and its inclusion into the test
project. It feels like an awkward construct, but perhaps better than
nothing.
It's also fragile because it's a static build with no assistance from
the external project (curl in this case). Mitigated in test by disabling
all dependencies and some features.
Since there is no special core cmake logic to be tested here, in CI
the test is tested really. To keep CI jobs at minimum, only add 3 of
them, taking 26s in total. (All 6 would take 203s.)
Follow-up to 77df767784#1589Closes#1637
In `kex_method_diffie_hellman_group_exchange_sha256_key_exchange`,
`p` and `g` are later initialized with `_libssh2_bn_from_bin`, so they
should be initially created using `_libssh2_bn_init_from_bin` rather
than `_libssh2_bn_init`, as is done in
`kex_method_diffie_hellman_group_exchange_sha1_key_exchange`.
Fixing memory leaks when using the libgcrypt backend.
Follow-up to 09c5e59933
Ref: https://web.archive.org/web/trac.libssh2.org/ticket/168Closes#1599
- Reworking the `Libs.private` collector logic for INTERFACE targets,
broke the original lib order. Fix it by going back a single loop
to retain order.
Follow-up to df0563a857#1535
- Implement the above with one change: move implicit CMake libs
to the end of the list (was: the beginning).
I expect these to be libs that any custom libs may depend on,
like system libs, C runtime, compiler runtime lib.
Follow-up to c87f129630#1466Closes#1623
`LIBSSH2_PC_LIBS_PRIVATE` ends up in `Libs.private` in `libssh2.pc`.
The order and duplication may be significant for linkers that rely on
strict lib order and unable to resolve symbols without it. Such linker
is binutils `ld`. De-duplication can break it.
As of now there is no purposeful duplication in libs in libssh2, thus
the de-duplication most likely did not affect actual builds.
It was originally introduced to avoid a repeat `-lz` (with
a zlib-enabled OpenSSL or wolfSSL build.) To keep this feature, this
patch makes sure to only delete duplicates that are next to each other.
Follow-up to 6464301820#1131Closes#1621
The `libssh2.pc` generator logic automatically adds `-lws2_32` while
parsing `LIBSSH2_LIBS`, which contains this lib already. Then discard
the duplicate.
This patch introduces a change in the position of `ws2_32` within
the lib list advertised via `libssh2.pc` for static builds.
This order might in cases by significant, but:
- libssh2 no longer links against `libssl`, which was the library
also referencing `ws2_32` and breaking picky binutils `ld` linker
when not passed in strict dependency order.
Ref: c84745e34e#1128
- since switching to INTERFACE targets, cmake messes up the lib order
anyway, adding `OpenSSL:Crypto` last, instead of `ws2_32`. This did
not seem to cause an issue so far.
Ref: df0563a857#1535
For these reasons it seems unlikely this position change could break
Windows OpenSSL static gcc/ld builds relying on `libssh2.pc` for their
lib list. It least no more than it was before this patch.
Turns out these theories don't stand in practice and the order is broken
possibly by introducing INTERFACE targets, with or without this patch.
`libcrypto` (tested with LibreSSL) is in fact depending on `ws2_32`, and
the `bcrypt` dependency is also causing breakage with picky binutils ld.
I may try addressing it in a separate PR.
Ref: 33b6d5f89d#827
Ref: 31fb8860db#811Closes#1619
Also:
- merge CI check and shellcheck jobs into a single one.
To share the same shellcheck version and less overhead.
- use `set -eu` in more scripts.
- make sure CI scripts run from any cwd.
To make it easy to run them on local machine.
- minor tidy-ups.
Closes#1618
Also:
- fix old yamllint warnings.
- make quoting more consistent.
- drop stray step name: "checkout".
- merge REUSE workflow into main CI one.
Closes#1614
It looks like the incorrect length is used to copy the public key method
into the session in `libssh2_agent_sign()` and while the public key type
at the start of a identity blob is often identical to the public key
method it might not always be such as when method is `rsa-sha2-256` for
`ssh-rsa` keys.
Closes#1603
It was an exercise to run old cmake versions in CI and in the test suite.
It also revealed that 3.7.2 2017-01-13 is too old to consume libssh2 via
`find_package()` due to:
```
CMake Error at bld-libssh2/_pkg/lib/cmake/libssh2/libssh2-config.cmake:35 (add_library):
add_library cannot create ALIAS target "libssh2::libssh2" because target
"libssh2::libssh2_shared" is IMPORTED.
Call Stack (most recent call first):
CMakeLists.txt:27 (find_package)
```
The mitigation for this issue requires 3.11.
Also:
- rename a few existing envs to use the `TEST_` prefix.
- make the `find_package` test provider stage verbose.
Closes#1591
- cmake: sync `-ftree-vrp` behavior with autotools.
- build: enable `-Wjump-misses-init` for GCC 4.5+.
Credits-to: Marcel Raad
- packet: fix `-Wjump-misses-init` warnings.
```
src/packet.c: In function ‘_libssh2_packet_add’:
src/packet.c:671:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:920:31: note: ‘want_reply’ declared here
src/packet.c:671:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:919:26: note: ‘len’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1121:31: note: ‘want_reply’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1120:26: note: ‘len’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1119:26: note: ‘channel’ declared here
```
- build: enable gcc-12/13+, clang-10+ picky warnings
- acinclude.m4: sync formatting/comments with curl.
- autotools: fix `-Wtrampolines` picky warning for gcc 4.x versions.
Follow-up to 854cfa8292#1524
- cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`.
- MSVC: fix `-Wall` warnings.
Seen on VS2015. Not seen on VS2022. Unknown for other versions.
```
tests\test_simple.c(60): warning C4777: 'fprintf' : format string '%d' requires an argument of type 'int', but variadic argument 1 has type 'std::size_t'
tests\test_simple.c(60): warning C4777: 'fprintf' : format string '%.*s' requires an argument of type 'int', but variadic argument 2 has type 'std::size_t'
```
- mbedtls: stop silencing warnings in 3rd-party header.
Follow-up to a3aa6b4ca8#1525
- cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
1. `CMAKE_C_FLAGS` may apply to other projects, and deleting/altering it
may be unexpected.
2. We pass `-W4`/`-Wall` internally now, which do override custom
`-W<n>` options as tested with VS2008 and newer VS generators.
Closes#1588
Also to sync up with similar `./configure` feature via
`CURL_ADD_COMPILER_WARNINGS()`.
Example: `-DCMAKE_C_FLAGS=-Wno-xor-used-as-pow`
It may be useful as a workaround if a specific build combination hits
a picky warning within libssh2's source code. If such happens, we do
appreciate a report to fix it in libssh2 itself.
Closes#1590
- ci/GHA: add cmake integration tests for Windows.
- ci/GHA: test `add_subdirectory` with Libgcrypt.
- make them run faster with prefill, unity, Ninja, omitting curl tool.
- add support for any build configuration.
- add old-cmake support with auto-detection.
- auto-detect Ninja.
- run consumer test apps to see if they work.
Also show the cryptography backend.
- add support for Windows.
- make it more verbose.
- re-add `ExternalProject` cmake consumer test. It's broken.
- tidy up terminology.
Cherry-picked from #1581Closes#1589
- fix `add_subdirectory` builds for old CMake versions.
- libssh2-config.cmake: fix to set CMP0099 for CMake 3.17+ only.
- libssh2-config.cmake: generalize code to support any number of deps.
(mainly to sync with curl.)
- libssh2-config.cmake: bind dependencies to the static libssh2 only.
Follow-up to a0d8529b08#1571
Follow-up to df0563a857#1535Closes#1581
