To avoid littering the Actions cache.
Another, libssh2-specific issue is that the cache is bound to codeql
version, master commit hash and platform. But in libssh2 we buidl 4
different configurations on Linux, which caused these caching failures:
```
C (OpenSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (wolfSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (mbedTLS) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/17744827522
It's probably something to fix, because it suggests that it's unexpected
to build multiple configs in a matrix. Perhaps it's better to build them
after each other in the build step. Though it's not yet clear how
the CodeQL engine is considering coverage for different build
configurations of the same codebase.
Ref: https://github.com/curl/curl/pull/18613
Ref: 9618c337d1
- userauth: fix NULL dereference when out-of-memory.
Also fix indentation.
Follow-up to 3a6ab70dcf#1314
- openssl: drop redundant NULL check and logic.
Follow-up to ed439a29bb#698
Pointed out by CodeQL
Closes#1656
actions/upload-artifact from 4.6.1 to 4.6.2
cygwin/cygwin-install-action from 5 to 6
msys2/setup-msys2 from 2.26.0 to 2.29.0
Closes#1649Closes#1650Closes#1651
This version check may have never worked before this patch. Fixing it
uncovered another issue with assembling `gcov` compiler options. Fix
that issue too.
Follow-up to 09f0ffd9fbCloses#1648
Notes:
Added additional base64 decoding validation when parsing known_hosts and no longer assume what is going into _libssh2_base64_encode() is a null terminated C string, input now must have a length and buffer.
Reported by:
Dhiraj Mishra mishra.dhiraj95@gmail.com
Credit:
Will Cosgrove
Reviewed by:
Michael Buckley
By micromanaging the project dependency and its inclusion into the test
project. It feels like an awkward construct, but perhaps better than
nothing.
It's also fragile because it's a static build with no assistance from
the external project (curl in this case). Mitigated in test by disabling
all dependencies and some features.
Since there is no special core cmake logic to be tested here, in CI
the test is tested really. To keep CI jobs at minimum, only add 3 of
them, taking 26s in total. (All 6 would take 203s.)
Follow-up to 77df767784#1589Closes#1637
In `kex_method_diffie_hellman_group_exchange_sha256_key_exchange`,
`p` and `g` are later initialized with `_libssh2_bn_from_bin`, so they
should be initially created using `_libssh2_bn_init_from_bin` rather
than `_libssh2_bn_init`, as is done in
`kex_method_diffie_hellman_group_exchange_sha1_key_exchange`.
Fixing memory leaks when using the libgcrypt backend.
Follow-up to 09c5e59933
Ref: https://web.archive.org/web/trac.libssh2.org/ticket/168Closes#1599
- Reworking the `Libs.private` collector logic for INTERFACE targets,
broke the original lib order. Fix it by going back a single loop
to retain order.
Follow-up to df0563a857#1535
- Implement the above with one change: move implicit CMake libs
to the end of the list (was: the beginning).
I expect these to be libs that any custom libs may depend on,
like system libs, C runtime, compiler runtime lib.
Follow-up to c87f129630#1466Closes#1623
`LIBSSH2_PC_LIBS_PRIVATE` ends up in `Libs.private` in `libssh2.pc`.
The order and duplication may be significant for linkers that rely on
strict lib order and unable to resolve symbols without it. Such linker
is binutils `ld`. De-duplication can break it.
As of now there is no purposeful duplication in libs in libssh2, thus
the de-duplication most likely did not affect actual builds.
It was originally introduced to avoid a repeat `-lz` (with
a zlib-enabled OpenSSL or wolfSSL build.) To keep this feature, this
patch makes sure to only delete duplicates that are next to each other.
Follow-up to 6464301820#1131Closes#1621
The `libssh2.pc` generator logic automatically adds `-lws2_32` while
parsing `LIBSSH2_LIBS`, which contains this lib already. Then discard
the duplicate.
This patch introduces a change in the position of `ws2_32` within
the lib list advertised via `libssh2.pc` for static builds.
This order might in cases by significant, but:
- libssh2 no longer links against `libssl`, which was the library
also referencing `ws2_32` and breaking picky binutils `ld` linker
when not passed in strict dependency order.
Ref: c84745e34e#1128
- since switching to INTERFACE targets, cmake messes up the lib order
anyway, adding `OpenSSL:Crypto` last, instead of `ws2_32`. This did
not seem to cause an issue so far.
Ref: df0563a857#1535
For these reasons it seems unlikely this position change could break
Windows OpenSSL static gcc/ld builds relying on `libssh2.pc` for their
lib list. It least no more than it was before this patch.
Turns out these theories don't stand in practice and the order is broken
possibly by introducing INTERFACE targets, with or without this patch.
`libcrypto` (tested with LibreSSL) is in fact depending on `ws2_32`, and
the `bcrypt` dependency is also causing breakage with picky binutils ld.
I may try addressing it in a separate PR.
Ref: 33b6d5f89d#827
Ref: 31fb8860db#811Closes#1619
Also:
- merge CI check and shellcheck jobs into a single one.
To share the same shellcheck version and less overhead.
- use `set -eu` in more scripts.
- make sure CI scripts run from any cwd.
To make it easy to run them on local machine.
- minor tidy-ups.
Closes#1618
Also:
- fix old yamllint warnings.
- make quoting more consistent.
- drop stray step name: "checkout".
- merge REUSE workflow into main CI one.
Closes#1614
It looks like the incorrect length is used to copy the public key method
into the session in `libssh2_agent_sign()` and while the public key type
at the start of a identity blob is often identical to the public key
method it might not always be such as when method is `rsa-sha2-256` for
`ssh-rsa` keys.
Closes#1603
It was an exercise to run old cmake versions in CI and in the test suite.
It also revealed that 3.7.2 2017-01-13 is too old to consume libssh2 via
`find_package()` due to:
```
CMake Error at bld-libssh2/_pkg/lib/cmake/libssh2/libssh2-config.cmake:35 (add_library):
add_library cannot create ALIAS target "libssh2::libssh2" because target
"libssh2::libssh2_shared" is IMPORTED.
Call Stack (most recent call first):
CMakeLists.txt:27 (find_package)
```
The mitigation for this issue requires 3.11.
Also:
- rename a few existing envs to use the `TEST_` prefix.
- make the `find_package` test provider stage verbose.
Closes#1591
- cmake: sync `-ftree-vrp` behavior with autotools.
- build: enable `-Wjump-misses-init` for GCC 4.5+.
Credits-to: Marcel Raad
- packet: fix `-Wjump-misses-init` warnings.
```
src/packet.c: In function ‘_libssh2_packet_add’:
src/packet.c:671:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:920:31: note: ‘want_reply’ declared here
src/packet.c:671:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:919:26: note: ‘len’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1121:31: note: ‘want_reply’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1120:26: note: ‘len’ declared here
src/packet.c:669:9: error: jump skips variable initialization [-Werror=jump-misses-init]
src/packet.c:1119:26: note: ‘channel’ declared here
```
- build: enable gcc-12/13+, clang-10+ picky warnings
- acinclude.m4: sync formatting/comments with curl.
- autotools: fix `-Wtrampolines` picky warning for gcc 4.x versions.
Follow-up to 854cfa8292#1524
- cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`.
- MSVC: fix `-Wall` warnings.
Seen on VS2015. Not seen on VS2022. Unknown for other versions.
```
tests\test_simple.c(60): warning C4777: 'fprintf' : format string '%d' requires an argument of type 'int', but variadic argument 1 has type 'std::size_t'
tests\test_simple.c(60): warning C4777: 'fprintf' : format string '%.*s' requires an argument of type 'int', but variadic argument 2 has type 'std::size_t'
```
- mbedtls: stop silencing warnings in 3rd-party header.
Follow-up to a3aa6b4ca8#1525
- cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
1. `CMAKE_C_FLAGS` may apply to other projects, and deleting/altering it
may be unexpected.
2. We pass `-W4`/`-Wall` internally now, which do override custom
`-W<n>` options as tested with VS2008 and newer VS generators.
Closes#1588
Also to sync up with similar `./configure` feature via
`CURL_ADD_COMPILER_WARNINGS()`.
Example: `-DCMAKE_C_FLAGS=-Wno-xor-used-as-pow`
It may be useful as a workaround if a specific build combination hits
a picky warning within libssh2's source code. If such happens, we do
appreciate a report to fix it in libssh2 itself.
Closes#1590
