Drop the `git config --global core.autocrlf input` step in Cygwin jobs.
It's no longer necessary. Also saving ~10 seconds per job.
Quote the cmake variable for consistency.
Closes#1730
In `_libssh2_mbedtls_pub_priv_key()` on a NON-error code path, a stack
variable was checked without initializing it first.
I found it interesting that clang-tidy did not find this when building
against the system mbedtls (2.x) with 2.x compatibility code still in.
Then it did find it when using a manual build of mbedtls 3.1.0 with
2.x compatibility code deleted from libssh2. Being such a trivial error
I wonder why no compiler ever detected it as a regular warning.
linux (clang-tidy, amd64, mbedTLS-prev [3.1.0], cmake, ON):
```
src/mbedtls.c:744:8: error: Branch condition evaluates to a garbage value [clang-analyzer-core.uninitialized.Branch,-warnings-as-errors]
744 | if(ret) {
| ^
```
Ref: https://github.com/libssh2/libssh2/actions/runs/18620615649/job/53091295760#step:22:44
Follow-up to 186f1a2d75#132
Cherry-picked from #1727Closes#1729
- pin Debian trixie Docker image to hash.
- set Dependabot to update the pin once every month.
- set Dependabot commit message prefixes to `GHA:` (to match curl).
Closes#1724
Tests started failing after touching `sshd_config`, which bumped
the test container from Debian Bookworm to Trixie, and openssh-server
from 9.2p1 to 10.0p1 with it. OpenSSH v10 no longer supports legacy KEX
algos `diffie-hellman-group*` and `diffie-hellman-group-exchange-*`,
making libssh2 require ECDSA or ED25519 to enable `curve25519-sha256*`
or `ecdh-sha2-*`, for the tests to succeed.
libgcrypt, stock Ubuntu wolfSSL, and WinCNG CI jobs broke.
- ED25519 is only supported with OpenSSL and LibreSSL 3.7+.
- ECDSA is supported by OpenSSL and mbedTLS (unless disabled),
by wolfSSL in certain cases (but not on Ubuntu 24.04 with the stock
v5.6.6 build), and by WinCNG when explicitly enabled, and targeting
Windows 10/2016 Server.
Fixed by:
- wolfSSL support received an ECDSA detection fix, that resolved
the issue with the stock Ubuntu builds, via:
b807dac921#1723
- WinCNG had ECDSA enabled in CI in the job running tests, via:
0f5843874b#1721
- to make CI pass, disable running tests with Libgcrypt in this patch.
An alternate option is to downgrade to Bookworm, with the undesired
effect that its openssh-server doesn't support ML-KEM and other modern
SSH features, meaning those could not be tested once implemented in
libssh2, e.g. in #1644.
Ref: https://www.openssh.com/txt/release-10.0
Ref: https://packages.debian.org/trixie/openssh-server
Ref: https://packages.debian.org/bookworm/openssh-server
Ref: https://packages.ubuntu.com/noble/libwolfssl-dev
Bug: https://github.com/libssh2/libssh2/pull/1718#issuecomment-3397142351
Follow-up to 4f9e6e0bfb#1718Closes#1720
Use `HAVE_ECC` as an indicator for ECDSA when building with wolfSSL.
Before this patch the OpenSSL macros were used, in particular
`OPENSSL_NO_EC`, which made ECDSA support disabled with certain
wolfSSL build configurations, e.g. the Ubuntu 24.04 one.
ECDSA is necessary to run tests with OpenSSH v10, e.g. on Debian Trixie.
Follow-up to b95e758239#666
Ref: #1720Closes#1723
Also:
- rename a spellcheck file to match curl.
- editorconfig: fix line width.
- editorconfig: make it use UTF-8.
- editroconfig: apply some rules to all files.
- .gitignore: drop dupe, drop `.DS_Store` (not created by this repo),
sort.
- .gitignore: add for tests executables.
Closes#1718
To render in Git webviews as-is, to make it easier to edit, verify,
and to sync up with curl.
- add options to not build the `.3` man pages:
- autotools: `--disable-docs`
- cmake: `LIBSSH2_BUILD_DOCS=OFF`
- building `.3` man pages requires Perl after this patch.
- drop `mansyntax` and the shell / `grep` / GNU `man` tool requirements with it.
- scripts and most logic were copied from curl.
- add `cd2nroff` from curl, with edits to relax curl-specific checks.
- used `nroff2cd` (from curl) to convert from `.3` to `.md`. Then
manually fixed copyrights, inline function references and a couple
of other things.
Credits-to: Daniel Stenberg
Ref: eefcc1bda4
Ref: https://github.com/curl/curl/pull/12730
Ref: https://github.com/libssh2/www/issues/25#issuecomment-3289431671Closes#1660
This also means that we no longer pass any picky warning option to
ossfuzz. It's probably not worth maintaining picky C++ options for this
single, small target.
Silencing:
```
cc1plus: warning: command-line option '-Wbad-function-cast' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wdeclaration-after-statement' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wenum-int-mismatch' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wjump-misses-init' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wmissing-parameter-type' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wmissing-prototypes' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wnested-externs' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wold-style-declaration' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wold-style-definition' is valid for C/ObjC but not for C++
cc1plus: warning: command-line option '-Wstrict-prototypes' is valid for C/ObjC but not for C++
```
Ref: https://github.com/libssh2/libssh2/actions/runs/18063134305/job/51402236388#step:7:15Closes#1686
- drop redundant `--parallel` cmake option for Ninja builds.
- use Ninja for aws-lc, also simplify the script.
- use global default `MAKEFLAGS`. This also makes certain
steps faster due to missing parallelism before this patch.
- enable `-DBUILD_OSSFUZZ=ON` in a cmake job.
- split Cygwin job into steps. To sync with others.
- sync Cygwin build type name with other jobs.
Closes#1684
- use `cmake_path()` to query filenames, with CMake 3.20 or upper.
https://cmake.org/cmake/help/v4.1/command/cmake_path.html#query
- also quote the value passed to `get_filename_component()` where
missing. (Could not cause an actual issue as used in the code.)
Closes#1673
To avoid littering the Actions cache.
Another, libssh2-specific issue is that the cache is bound to codeql
version, master commit hash and platform. But in libssh2 we buidl 4
different configurations on Linux, which caused these caching failures:
```
C (OpenSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (wolfSSL) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
C (mbedTLS) Failed to save: Unable to reserve cache with key codeql-trap-1-2.23.0-cpp-5bd1baed82ada192a2ae7e9801882813853e4d87, another job may be creating this cache.
```
Ref: https://github.com/libssh2/libssh2/actions/runs/17744827522
It's probably something to fix, because it suggests that it's unexpected
to build multiple configs in a matrix. Perhaps it's better to build them
after each other in the build step. Though it's not yet clear how
the CodeQL engine is considering coverage for different build
configurations of the same codebase.
Ref: https://github.com/curl/curl/pull/18613
Ref: 9618c337d1
- userauth: fix NULL dereference when out-of-memory.
Also fix indentation.
Follow-up to 3a6ab70dcf#1314
- openssl: drop redundant NULL check and logic.
Follow-up to ed439a29bb#698
Pointed out by CodeQL
Closes#1656
