- update `actions/checkout` from 5.0.0 to 6.0.0
- update `cross-platform-actions/action` from 0.29.0 to 0.30.0
- update pip package `reuse` from 6.1.2 to 6.2.0
Closes#1755Closes#1756
To make configure step output more readable in case of a build error.
To expose configure logs for successful builds without adding clutter.
Also:
- set shell globally for Windows jobs.
- move all Cygwin files to `D:`.
Closes#1749
The Pageant transact path trusted the 32-bit length in the shared memory
mapping and could memcpy past the mapped view. It also treated
a non-positive SendMessage(WM_COPYDATA) result as success.
Changes:
Reject replies when SendMessage returns ≤ 0 and report
LIBSSH2_ERROR_AGENT_PROTOCOL.
Bound the copy by validating response_len <= PAGEANT_MAX_MSGLEN - 4
(accounting for the length prefix) to avoid OOB reads.
Impact: prevents potential out-of-bounds read and use of uninitialized
mapping contents when Pageant misbehaves or is malicious.
Drop the `git config --global core.autocrlf input` step in Cygwin jobs.
It's no longer necessary. Also saving ~10 seconds per job.
Quote the cmake variable for consistency.
Closes#1730
In `_libssh2_mbedtls_pub_priv_key()` on a NON-error code path, a stack
variable was checked without initializing it first.
I found it interesting that clang-tidy did not find this when building
against the system mbedtls (2.x) with 2.x compatibility code still in.
Then it did find it when using a manual build of mbedtls 3.1.0 with
2.x compatibility code deleted from libssh2. Being such a trivial error
I wonder why no compiler ever detected it as a regular warning.
linux (clang-tidy, amd64, mbedTLS-prev [3.1.0], cmake, ON):
```
src/mbedtls.c:744:8: error: Branch condition evaluates to a garbage value [clang-analyzer-core.uninitialized.Branch,-warnings-as-errors]
744 | if(ret) {
| ^
```
Ref: https://github.com/libssh2/libssh2/actions/runs/18620615649/job/53091295760#step:22:44
Follow-up to 186f1a2d75#132
Cherry-picked from #1727Closes#1729
- pin Debian trixie Docker image to hash.
- set Dependabot to update the pin once every month.
- set Dependabot commit message prefixes to `GHA:` (to match curl).
Closes#1724
Tests started failing after touching `sshd_config`, which bumped
the test container from Debian Bookworm to Trixie, and openssh-server
from 9.2p1 to 10.0p1 with it. OpenSSH v10 no longer supports legacy KEX
algos `diffie-hellman-group*` and `diffie-hellman-group-exchange-*`,
making libssh2 require ECDSA or ED25519 to enable `curve25519-sha256*`
or `ecdh-sha2-*`, for the tests to succeed.
libgcrypt, stock Ubuntu wolfSSL, and WinCNG CI jobs broke.
- ED25519 is only supported with OpenSSL and LibreSSL 3.7+.
- ECDSA is supported by OpenSSL and mbedTLS (unless disabled),
by wolfSSL in certain cases (but not on Ubuntu 24.04 with the stock
v5.6.6 build), and by WinCNG when explicitly enabled, and targeting
Windows 10/2016 Server.
Fixed by:
- wolfSSL support received an ECDSA detection fix, that resolved
the issue with the stock Ubuntu builds, via:
b807dac921#1723
- WinCNG had ECDSA enabled in CI in the job running tests, via:
0f5843874b#1721
- to make CI pass, disable running tests with Libgcrypt in this patch.
An alternate option is to downgrade to Bookworm, with the undesired
effect that its openssh-server doesn't support ML-KEM and other modern
SSH features, meaning those could not be tested once implemented in
libssh2, e.g. in #1644.
Ref: https://www.openssh.com/txt/release-10.0
Ref: https://packages.debian.org/trixie/openssh-server
Ref: https://packages.debian.org/bookworm/openssh-server
Ref: https://packages.ubuntu.com/noble/libwolfssl-dev
Bug: https://github.com/libssh2/libssh2/pull/1718#issuecomment-3397142351
Follow-up to 4f9e6e0bfb#1718Closes#1720
Use `HAVE_ECC` as an indicator for ECDSA when building with wolfSSL.
Before this patch the OpenSSL macros were used, in particular
`OPENSSL_NO_EC`, which made ECDSA support disabled with certain
wolfSSL build configurations, e.g. the Ubuntu 24.04 one.
ECDSA is necessary to run tests with OpenSSH v10, e.g. on Debian Trixie.
Follow-up to b95e758239#666
Ref: #1720Closes#1723
Also:
- rename a spellcheck file to match curl.
- editorconfig: fix line width.
- editorconfig: make it use UTF-8.
- editroconfig: apply some rules to all files.
- .gitignore: drop dupe, drop `.DS_Store` (not created by this repo),
sort.
- .gitignore: add for tests executables.
Closes#1718
To render in Git webviews as-is, to make it easier to edit, verify,
and to sync up with curl.
- add options to not build the `.3` man pages:
- autotools: `--disable-docs`
- cmake: `LIBSSH2_BUILD_DOCS=OFF`
- building `.3` man pages requires Perl after this patch.
- drop `mansyntax` and the shell / `grep` / GNU `man` tool requirements with it.
- scripts and most logic were copied from curl.
- add `cd2nroff` from curl, with edits to relax curl-specific checks.
- used `nroff2cd` (from curl) to convert from `.3` to `.md`. Then
manually fixed copyrights, inline function references and a couple
of other things.
Credits-to: Daniel Stenberg
Ref: eefcc1bda4
Ref: https://github.com/curl/curl/pull/12730
Ref: https://github.com/libssh2/www/issues/25#issuecomment-3289431671Closes#1660
