RELEASE: libssh2 1.10.0

2021-08-29 Thread Daniel Stenberg

Hello,

I'm happy to announce that we've just packaged and shipped libssh2 1.10.0

You find it at https://libssh2.org/

This release includes the following enhancements and bugfixes:

 o adds agent forwarding support
 o adds OpenSSH Agent support on Windows
 o adds ECDSA key support using the Mbed TLS backend
 o adds ECDSA cert authentication
 o adds diffie-hellman-group14-sha256, diffie-hellman-group16-sha512,
   diffie-hellman-group18-sha512 key exchanges
 o adds support for PKIX key reading when using ed25519 with OpenSSL
 o adds support for EWOULDBLOCK on VMS systems
 o adds support for building with OpenSSL 3
 o adds support for using FIPS mode in OpenSSL
 o adds debug symbols when building with MSVC
 o adds support for building on the 3DS
 o adds unicode build support on Windows
 o restores os400 building
 o increases min, max and opt Diffie Hellman group values
 o improves portability of the make file
 o improves timeout behavior with 2FA keyboard auth
 o various improvements to the Wincng backend
 o fixes reading partial packet replies when using an agent
 o fixes Diffie Hellman key exchange on Windows 1903+ builds
 o fixes building tests with older versions of OpenSSL
 o fixes possible multiple definition warnings
 o fixes potential cast issues in _libssh2_ecdsa_key_get_curve_type()
 o fixes potential use after free if libssh2_init() is called twice
 o improved linking when using Mbed TLS
 o fixes call to libssh2_crypto_exit() if crypto hasn't been initialized
 o fixes crash when loading public keys with no id
 o fixes possible out of bounds read when exchanging keys
 o fixes possible out of bounds read when reading packets
 o fixes possible out of bounds read when opening an X11 connection
 o fixes possible out of bounds read when ecdh host keys
 o fixes possible hang when trying to read a disconnected socket
 o fixes a crash when using the delayed compression option
 o fixes read error with large known host entries
 o fixes various warnings
 o fixes various small memory leaks
 o improved error handling, various detailed errors will now be reported
 o builds are now using OSS-Fuzz
 o builds now use autoreconf instead of a custom build script
 o cmake now respects install directory
 o improved CI backend
 o updated HACKING-CRYPTO documentation
 o use markdown file extensions
 o improved unit tests

This release would not have looked like this without help, code, reports and
advice from friends like these:

  katzer, Orgad Shaneh, mark-i-m, Zenju, axjowa, Thilo Schulz,
  Etienne Samson, hlefebvre, seba30, Panos, jethrogb, Fabrice Fontaine,
  Will Cosgrove, Daniel Stenberg, Michael Buckley, Wallace Souza Silva,
  Romain-Geissler-1A, meierha, Tseng Jun, Thomas Klausner, Brendan Shanks,
  Harry Sintonen, monnerat, Koutheir Attouchi, Marc Hörsken, yann-morin-1998,
  Wez Furlong, TDi-jonesds, David Benjamin, Max Dymond, Igor Klevanets,
  Viktor Szakats, Laurent Stacul, Mstrodl, Gabriel Smith, MarcT512,
  Paul Capron, teottin, Tor Erik Ottinsen, Brian Inglis

Thanks everyone!

--

 / daniel.haxx.se___
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel


Re: No block direction in _libssh2_wait_socket?

2021-07-16 Thread Daniel Stenberg

On Thu, 15 Jul 2021, Evan M wrote:

Are there any normal situations where this could occur other than a bug in 
the library?


No. It should probably even have an assert there or something to help us 
detect if it actually ever ends up in that condition...


--

 / daniel.haxx.se


Re: 1.9.1 release pending, please give it a look

2021-05-14 Thread Daniel Stenberg

On Wed, 12 May 2021, Will Cosgrove wrote:

We are pulling together the 1.9.1 release and I’d request, if you haven’t 
already, give the main branch a sanity pass with your existing code and get 
any last minute issues submitted ASAP.


There are a few changes and improvements landed since 1.9.0 though, shouldn't 
the next release from master then perhaps rather be called 1.10.0 ?


--

 / daniel.haxx.se


Re: 1.9.1 release pending, please give it a look

2021-05-13 Thread Daniel Stenberg

On Wed, 12 May 2021, Jan Ehrhardt wrote:


Are the daily snapshots at https://www.libssh2.org/snapshots/ snapshots of
the main branch?


Yes they are!

--

 / daniel.haxx.se


Re: Can HTTP proxy support be added for SFTP transfers?

2021-02-01 Thread Daniel Stenberg

On Mon, 1 Feb 2021, Bob K wrote:

I was wondering if proxy support could be added. Unfortunately this is 
outside my knowledge. Is this possible? Something libssh2 handles or I'd 
need some other lib?


libssh2 doesn't handle that, but it is left for the application to do by 
itself. HTTP and auth and all that comes with it is quite a lot of code that's 
not a job for libssh2.


Incidentally, libcurl speaks SFTP over HTTP proxies with the help of libssh2...

--

 / daniel.haxx.se


Re: New Release - 1.9.1

2020-10-08 Thread Daniel Stenberg

On Thu, 8 Oct 2020, Will Cosgrove wrote:


To my knowledge, there is nothing that needs to be merged before a release.


Cool. Will you make sure RELEASE-NOTES is decent? Then I can press the 
additional necessary key sequence to turn that into an actual release...


--

 / daniel.haxx.se


Re: New Release - 1.9.1

2020-10-08 Thread Daniel Stenberg

On Thu, 8 Oct 2020, Kelley, Ryan wrote:

It has been about a year since Will put out a call to release a 1.9.1 soon 
due to a bunch of good fixes. It would be great if we could get that release 
out the door.


I'd be in favor.

Any particular issues/pull-requests that SHOULD get fixed first?

--

 / daniel.haxx.se


Re: SFTP read buffer size

2020-08-26 Thread Daniel Stenberg

On Wed, 26 Aug 2020, Tamar Sery (BLOOMBERG/ 120 PARK) wrote:

I'm trying to increase the download speed of files using libssh2_sftp_read. 
I was able to see considerable speed increase by using a larger buffer, up 
to 3. However, any size over 3 seems to have no effect on actual 
received packet size, all packets are exactly 3 (except for the last 
chunk of the file, and an occasional 6 sized packet). Is there a way to 
increase the download speed, using a larger buffer or otherwise?


You don't increase speed by getting larger packet sizes here, as SFTP has a 
restriction on the packet size. But if you provide a large buffer to the read 
function, libssh2 can do the read in multiple packets so you'll be able to get 
more packets back in less time.


In my testing, years ago, I could easily get increased transfer speeds by 
increasing the buffer up to well over 100K. This is of course extra noticeable 
when working with high-RTT high-bandwidth servers.


--

 / daniel.haxx.se


Re: 1.9.1 release + call for maintainers

2019-10-15 Thread Daniel Stenberg

On Mon, 14 Oct 2019, Will Cosgrove wrote:

There has been a handful of good fixes since the 1.9.0 release so I’m putting 
out a call for a 1.9.1 release soon. Please test master with your projects 
and get those bugs in and/or touch any PRs and issues that you’d like landed 
for 1.9.1.


I propose we set a cut-off date for that not too far into the future, then set 
a release date too like a week later, so that we can all plan ahead.


Then, whatever is in master on the release day we can ship as version 1.9.1. 
I'll happily volunteer to build the tarball, sign it and upload it to the site 
etc.


--

 / daniel.haxx.se


Re: 1.9 release

2019-06-27 Thread Daniel Stenberg

On Tue, 25 Jun 2019, Will Cosgrove wrote:

You need to pull down the missing files from master if you downloaded the 
release tarball.


There is an open issue on the release tarball missing files due to the way 
it is created.


That issue would be: https://github.com/libssh2/libssh2/issues/379

Once this is fixed, we could perhaps consider making a 1.9.1 release?

--

 / daniel.haxx.se


Re: libssh2 licensing

2019-06-25 Thread Daniel Stenberg

On Wed, 26 Jun 2019, Narayan Subramanian wrote:

 * I noticed that the licensing page viz: 
https://www.libssh2.org/license.html draws up a ‘Not Found’ page. So where 
would I find the official license governing use and distribution of libssh2? 
Or do I simply refer to the license in code.


That's fixed now, but the license is the same as found in the source repo: 
https://github.com/libssh2/libssh2/blob/master/COPYING


 * Also is it within licensing terms to change fields such as Product Name, 
Company Name in the resource file (for Windows) before usage / distribution?


I don't see any text in the license that restricts such actions.

--

 / daniel.haxx.se


Re: 1.9 release

2019-06-19 Thread Daniel Stenberg

On Wed, 19 Jun 2019, Will Cosgrove wrote:


Daniel, can you update the website and release the tarball on GitHub?


Done!

--

 / daniel.haxx.se


Re: Future directions

2019-05-13 Thread Daniel Stenberg

On Sat, 11 May 2019, Etienne Samson wrote:

So, well, there's a bunch, there's a release looming, some bugfixes left to 
do, I understand this might be out of scope, but let's keep the ball 
rolling, is there interest in things like those ? Should I tentatively file 
PRs/RFC for those ?


From my point of view these all sound like Good Things.

As you probably have noticed, we have a small problem with maintainer presence 
(myself included) in the project so getting someone to actually review your 
code and merge it might not be a quick operation...


--

 / daniel.haxx.se


Re: libssh2-security

2019-05-11 Thread Daniel Stenberg

On Sat, 11 May 2019, Will Cosgrove wrote:


Feel free to add me to the list.


Added!

--

 / daniel.haxx.se


libssh2-security

2019-05-11 Thread Daniel Stenberg

Hi team,

I am the only member on that email alias - and I'm trying to get away from 
maintaining libssh2. It makes me a shitty representative for the project there 
and it makes the libssh2 security handling far from ideal.


Suggestions?

--

 / daniel.haxx.se


Re: Ship a 1.9.0 asap

2019-04-04 Thread Daniel Stenberg

On Thu, 4 Apr 2019, Engstrom, John wrote:

We’re having discussions of whether to include 1.8.2 or 1.9.0 in our next 
product release.


What level of confidence is there in an April 11 release date for 1.9.0?


Low confidence level. But hopefully the date won't slip too much... :-/

--

 / daniel.haxx.se


Re: LIBSSH2_ERROR_KEX_FAILURE

2019-03-29 Thread Daniel Stenberg

On Fri, 29 Mar 2019, William Shipley wrote:

I guess my question is “what is the crypto backend that will give my client 
the best chance of being able to connect to any unknown SFTP server”.


The oldest and (I guess) most tested backend is the OpenSSL one.

--

 / daniel.haxx.se


RELEASE: libssh2 1.8.2

2019-03-25 Thread Daniel Stenberg

Hi!

I'm happy to announce a small update to the previous release as we managed to 
get a little hiccup included. Here's 1.8.2!


Get it from https://www.libssh2.org/ as always!

libssh2 1.8.2

This release includes the following bugfixes:

 o Fixed the misapplied userauth patch that broke 1.8.1
 o moved the MAX size declarations from the public header

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Will Cosgrove
  (1 contributors)

--

 / daniel.haxx.se


Re: Ship a 1.9.0 asap

2019-03-23 Thread Daniel Stenberg

On Wed, 20 Mar 2019, Daniel Stenberg wrote:


My second alternative is April 11.


I don't think we're ready yet (and nobody else has said anything) so I'm 
now aiming for a release on April 11.


Please help us out with tests, fixes and code reviews.

--

 / daniel.haxx.se


commit messages and ABI

2019-03-23 Thread Daniel Stenberg

Team!

We also need to

1. Stick to the commit message style. The commit message SHOULD follow this 
template:


  [area]: [short description]

  [longer description]

  [Reported-by: XXX YYY - credit is important!]
  [Fixes/Closes #num]

Personally, I find that alone is a mighty good reason to *not* use the merge 
button on github since then it's really hard to cleanup and make sure the 
commit message is fine and compliant. We only commit once (to master) but the 
commit might be read thousands of times. It is worth spending a little extra 
time on making it good.


I find it really valuable when "git log" tells a good story of the changes 
without me having to actually read the diff to understand where and what the 
change was about. Unless of course I want the *exact* details, but that's not 
what I'm talking about here.


2. Do not break the ABI. I find it curious that nobody else had found this 
mistake, but changing variable types in a public struct is *not* okay (and it 
caused my application to get big fat warnings in the build). See 
https://github.com/libssh2/libssh2/pull/339. This suggests to me we're not 
ripe for a 1.9.0 release yet. We need more testing first. I'll try to do my 
part.


--

 / daniel.haxx.se


Re: Code style and project status

2019-03-20 Thread Daniel Stenberg

On Wed, 20 Mar 2019, Will Cosgrove wrote:

Any chance we can extend the line length over 80 characters? Is there a 
reason to use this antiquated value?


Some call it antiquated. I call it sensible.

Seriously though, I'm open to discussing the rules as I believe consistency is 
more valuable than insisting on an exact style. Code style is a lot about 
taste and religion.


So what do you say is a suitable max length?

Let me state why I think code should be within 80 columns:

 - To allow many code editor windows next to each other on my screens (I often
   have several)
 - To fit in a "standard" terminal width when using regular command line tools
 - The above includes sensible line widths when doing "git blame" and gdb'ing
   from command line
 - To let diff tools like the github diff viewer sensibly show before
   and after in two columns in a not too crazily wide browser window.
 - For the same reason books and newspapers don't do overly wide lines: code
   gets less readable when very wide.


It makes using descriptive function & variable names problematic


I actually think it works the other way around. It forces us to stop using 
ridiculously long and hard-to-read names and instead encourage us to use 
shorter names that are more readable and easier to remember. I do think we 
still have far too many very long names in libssh2.


and also forces a lot of wrapping in if statements which makes them harder 
to parse.


The easy fix for this is: shorter names, fewer indent levels.

But I'm also used to code like this and I think multi-line statements are 
easier to read than very wide statements. Again: preference and taste.


--

 / daniel.haxx.se


Ship a 1.9.0 asap

2019-03-20 Thread Daniel Stenberg

Hey,

We have lots of users wanting fixes and enhancements merged since 1.8.0 that 
weren't included in the 1.8.1 release.


I propose that we set a date on which we release 1.9.0 and until then we can 
merge some final bug-fixes if people have them and they look fine.


Can we do March 27 or is it too aggressive? My second alternative is April 11.

--

 / daniel.haxx.se


Re: Code style and project status

2019-03-20 Thread Daniel Stenberg

On Sun, 17 Mar 2019, Daniel Stenberg wrote:


Some of the issues I found:


This is now merged.

With this, we should no longer land code that causes compiler warnings or code 
style warnings as the CI will yell at us if we try.


I'm sure a few (most?) pull-requests now need to get rebased, but I think 
that's a necessary price to pay. The upside is that they will also now get 
checked much more critically and some of them will get warnings to work on 
- fully automatically.


'make checksrc' in the source root runs the style checker if you build with 
configure. I might add a rule to do it automatically for --enable-debug builds 
in the future. That's how I do it in curl and I find it convenient and really 
helps to write code to stick to the style.


I would appreciate some help in generating the similar make target made for 
cmake builds, as I still lack basic cmake skills... :-/


--

 / daniel.haxx.se


[RELEASE] libssh2 1.8.1

2019-03-18 Thread Daniel Stenberg

Hello!

I'm happy to announce that we have released libssh2 1.8.1. This release is a 
pure security release with no less than *nine* security fixes addressed. See 
also the separate security announcement following this email.


As always, get it from https://www.libssh2.org/

The changes included in 1.8.1 are:

 o fixed possible integer overflow when reading a specially crafted packet
   (https://www.libssh2.org/CVE-2019-3855.html)
 o fixed possible integer overflow in userauth_keyboard_interactive with a
   number of extremely long prompt strings
   (https://www.libssh2.org/CVE-2019-3863.html)
 o fixed possible integer overflow if the server sent an extremely large
   number of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html)
 o fixed possible out of bounds read when processing a specially crafted
   packet (https://www.libssh2.org/CVE-2019-3861.html)
 o fixed possible integer overflow when receiving a specially crafted exit
   signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html)
 o fixed possible out of bounds read when receiving a specially crafted exit
   status message channel packet (https://www.libssh2.org/CVE-2019-3862.html)
 o fixed possible zero byte allocation when reading a specially crafted SFTP
   packet (https://www.libssh2.org/CVE-2019-3858.html)
 o fixed possible out of bounds reads when processing specially crafted SFTP
   packets (https://www.libssh2.org/CVE-2019-3860.html)
 o fixed possible out of bounds reads in _libssh2_packet_require(v)
   (https://www.libssh2.org/CVE-2019-3859.html)

--

 / daniel.haxx.se


[SECURITY ADVISORIES] libssh2

2019-03-18 Thread Daniel Stenberg

Hello!

I'm writing you to announce the release of nine separate security advisories 
concerning libssh2.


All these fixes are also included in the brand new libssh2 1.8.1 release, just 
shipped and available on https://www.libssh2.org/


CVE-2019-3855
 Possible integer overflow in transport read allows out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3855.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
 Possible integer overflow in keyboard interactive handling allows
 out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3856.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
 Possible integer overflow leading to zero-byte allocation and out-of-bounds
 write
 URL: https://www.libssh2.org/CVE-2019-3857.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
 Possible zero-byte allocation leading to an out-of-bounds read
 URL: https://www.libssh2.org/CVE-2019-3858.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
 Out-of-bounds reads with specially crafted payloads due to unchecked use of
 `_libssh2_packet_require` and `_libssh2_packet_requirev`
 URL: https://www.libssh2.org/CVE-2019-3859.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
 Out-of-bounds reads with specially crafted SFTP packets
 URL: https://www.libssh2.org/CVE-2019-3860.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
 Out-of-bounds reads with specially crafted SSH packets
 URL: https://www.libssh2.org/CVE-2019-3861.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
 Out-of-bounds memory comparison
 URL: https://www.libssh2.org/CVE-2019-3862.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
 Integer overflow in user authenticate keyboard interactive allows
 out-of-bounds writes
 URL: https://www.libssh2.org/CVE-2019-3863.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

--

 / daniel.haxx.se
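
The integer-overflow and zero-byte-allocation class named in these advisories, shown as an added C illustration (not libssh2's code and not taken from the linked patches). It assumes a hypothetical message made of a uint32 count followed by length-prefixed strings; `PROMPT_RECORD_SIZE`, `struct prompt`, `parse_prompts` and the sample buffers are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-prompt record size used for the size calculation. */
#define PROMPT_RECORD_SIZE 16u

struct prompt {
    const unsigned char *text; /* points into the caller's buffer */
    uint32_t length;
};

/* Big-endian 32-bit read, the encoding SSH uses for uint32 fields. */
static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: the product is computed in 32 bits and wraps, so a huge
   count yields a tiny (even zero-byte) allocation size. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return (uint32_t)(count * PROMPT_RECORD_SIZE);
}

/* Hardened parse: every length taken from the wire is compared with the
   bytes that actually remain before it is used. Returns 0 on success and
   -1 on malformed input; on success the caller frees *out. */
int parse_prompts(const unsigned char *buf, size_t len,
                  struct prompt **out, uint32_t *out_count)
{
    size_t off;
    uint32_t count, i;
    struct prompt *list;

    *out = NULL;
    *out_count = 0;
    if(len < 4)
        return -1;
    count = read_u32(buf);
    off = 4;
    /* each prompt needs at least its own 4-byte length field, so the
       count can never exceed the remaining bytes divided by four */
    if(count > (len - off) / 4)
        return -1;
    if(count == 0)
        return 0;
    /* calloc takes count and size separately, no pre-multiplied product */
    list = calloc(count, sizeof(*list));
    if(!list)
        return -1;
    for(i = 0; i < count; i++) {
        uint32_t slen;
        if(len - off < 4) {
            free(list);
            return -1;
        }
        slen = read_u32(buf + off);
        off += 4;
        if(slen > len - off) { /* string would run past the packet */
            free(list);
            return -1;
        }
        list[i].text = buf + off;
        list[i].length = slen;
        off += slen;
    }
    *out = list;
    *out_count = count;
    return 0;
}

/* Constructed sample: two prompts, "Password: " and "Code: ". */
static const unsigned char sample_ok[] = {
    0, 0, 0, 2,
    0, 0, 0, 10, 'P', 'a', 's', 's', 'w', 'o', 'r', 'd', ':', ' ',
    0, 0, 0, 6, 'C', 'o', 'd', 'e', ':', ' '
};
/* Constructed sample: claims 0x10000000 prompts in an 8-byte message. */
static const unsigned char sample_huge_count[] = { 0x10, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: one prompt whose length field is 0xFFFFFFFF. */
static const unsigned char sample_huge_len[] = {
    0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff, 'x'
};

int main(void)
{
    struct prompt *list;
    uint32_t n, i;

    printf("unchecked size for 0x10000000 prompts: %u bytes\n",
           (unsigned)alloc_size_unchecked(0x10000000u));
    if(parse_prompts(sample_ok, sizeof(sample_ok), &list, &n) == 0) {
        for(i = 0; i < n; i++)
            printf("prompt %u: %.*s\n", (unsigned)i, (int)list[i].length,
                   (const char *)list[i].text);
        free(list);
    }
    printf("huge count rejected: %d\n",
           parse_prompts(sample_huge_count, sizeof(sample_huge_count),
                         &list, &n));
    printf("huge length rejected: %d\n",
           parse_prompts(sample_huge_len, sizeof(sample_huge_len),
                         &list, &n));
    return 0;
}
```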


Re: Code style and project status

2019-03-18 Thread Daniel Stenberg

On Mon, 18 Mar 2019, Salvador Fandino wrote:


  - A (rather large) code overhaul that unifies the style, white space,   
 bracing, line lengths and some more to make sure that the new CI build   
 still builds green.


There are currently 36 open pull requests on GitHub. This code overhaul 
would probably break a large number of them. Is that a good idea?


Thanks for your feedback and expressed concerns.

I think it (the cleanup) still is a good idea. Even though I understand this 
will cause some merge conflicts and thus force authors to act and edit the PRs 
somewhat, I don't think doing things the other way around is productive.


We've already drifted out on a tangent (code wise). I think we need to pull 
back from the bad trend and shape up rather than to continue down that path.


You have come back to the project and discovered that the code is quite 
rotten, and now you are trying to fix it fast but you are missing the real 
cause of the problem: there is not a real community around libssh2, nobody 
taking care of it as a whole, nobody systematically listening to users, 
fixing bugs, looking at the pull requests, etc.


That's painfully obvious. I don't think it's possible to miss.

I don't think I can fix that problem so I'll focus on some problems that I 
*can* work on. Things I think at least bring us a small step in the right 
direction.


If people don't contribute and help out, the project is simply doomed to die.

Those 36 open pull requests belong to potential future libssh2 contributors 
and restyling the code may just send them the message "libssh2 doesn't care 
about your contributions" driving them away from the project and that is 
exactly the opposite of what is needed.


Since - right now - nobody seems to be around in the project to welcome such 
contributions I figure that message seems apt.


Everyone and anyone is more than welcome and encouraged to help out to carry 
libssh2 forward.


Note that I am not against that plan. I just think it shouldn't be done 
until at least the most recent PRs are reviewed.


Given the (lack of) feedback to most of the PRs, that is basically the same as 
saying it will never happen.


I think landing the cleanup and stricter checks first will also make it easier 
to do reviews since the style checks will find and report on a lot of the nits 
that the PRs now violate and we need humans to point out. (The same 
non-existing humans that don't even point out those flaws...)


I don't want to mean that as an accusation or anything like that, just as 
anecdotal evidence that the project is not very good at getting new people 
involved and to explain why I feel sympathetic with the people behind those 
pull request.


"The project" is the people involved and it seems we basically have no people 
involved. So yeah, there isn't anybody around to welcome or guide newcomers.


I'm at least as much to blame for this as much as anyone else, but 
unfortunately this fact does not magically give me more energy, time and 
enthusiasm.


I don't think just giving up and declaring the project dead makes anything 
better either.


--

 / daniel.haxx.se


Code style and project status

2019-03-17 Thread Daniel Stenberg

Hi all,

I've kept away from the project for a good while, mostly idling in the 
background as I've been determined to step down as maintainer completely.


I'm back here now primarily to put together and push out a new release 
together with Will Cosgrove.


I'm slightly disappointed in the current shape of the project and of code I've 
seen landed and that's one of the reasons why it now takes a lot more time 
than anticipated to get the release done.


Some of the issues I found:

 - numerous compiler warnings with picky options have been introduced
 - no longer C89 compliant (//-comments and more)
 - TABs in the code
 - trailing whitespace all over
 - weird (inconsistent) code style used
 - more or less constant appveyor CI build failures
 - occasional VERY long source lines

I've put in efforts to clean some things up and have landed:

 - Removed all compiler warnings a picky gcc shows

 - I added a travis CI build that uses "configure --enable-debug" to
   trigger more compiler warnings and make it harder to land bad code.

 - I added an --enable-werror option that sets -Werror in the build so
   that it will FAIL on any warning in the build (including examples),
   now used by the travis job.

Possibly more controversial, what I want to land next is in PR 324 (
https://github.com/libssh2/libssh2/pull/324)

 - A code style checker job to the CI that will warn on basic code style
   violations, using the checksrc tool from the curl project.

 - It should cause the CI to fail on blatant style violations - it checks
   some of the most obvious things - but can still be fooled. It's not a
   replacement for human reviews. But as long as it warns on something,
   the code isn't code-style compliant.

 - A (rather large) code overhaul that unifies the style, white space,
   bracing, line lengths and some more to make sure that the new CI build
   still builds green.

 - The idea being that with (much) stricter tests and tooling, we will land
   more unified code and there will be less need for humans to point out the
   most obvious style violations in PRs.

Thoughts?

I realize I come here barging in, but I felt this was needed. I can be told 
I'm wrong and I certainly think we could discuss code style etc if that's what 
anyone wants. Especially I think the ones who actually write code in the 
project more frequently than I do should have a say in how to write it.


I'm not married to a particular style but I will insist on the style to be 
consistent *and enforced*.


--

 / daniel.haxx.se


Re: sftp_mkdir() with server default permissions

2018-11-06 Thread Daniel Stenberg

On Tue, 6 Nov 2018, Will Cosgrove wrote:

There are several possible solutions, my current super simple solution is to 
pass -1 as the mode which then causes sftp_mkdir to not set the permissions 
on the folder. That works, but it’s a bit ‘magical’ if you’re not reading 
the source.


I could imagine a LIBSSH2_MKDIR_DEFAULT_MODE (name to be bike-shedded) define 
to be provided for the API, which very well could have a value of -1 if we 
treat the mode signed internally or it could be some otherwise insane (large) 
value that is unlikely to ever actually be used as a real mode.


--

 / daniel.haxx.se


Re: git tag for libssh2-1.8.0

2018-11-02 Thread Daniel Stenberg

On Fri, 2 Nov 2018, Afschin Hormozdiary wrote:

There must be something that changes this macro definition between commit 
and tarball packaging.


Yes, the maketgz script that generates the releases. Checkout the tag, run the 
script and voila, you have the release tarball.


--

 / daniel.haxx.se


Re: git tag for libssh2-1.8.0

2018-11-02 Thread Daniel Stenberg

On Fri, 2 Nov 2018, Afschin Hormozdiary wrote:

Could you please correct this version inconsistency or let me know if this 
is intentional?


The official libssh2 releases are the tarballs on the web page that also are 
attached to the release tags on github. The tarballs are also signed (by me) 
to allow everyone to verify their authenticity.


The tag in the git repo is the exact state of the files when the release was 
generated. It is consistent and reproducible.


--

 / daniel.haxx.se


Re: Time to pull together 1.9?

2018-10-09 Thread Daniel Stenberg

On Mon, 8 Oct 2018, Peter Stuge wrote:

I can look at getting axTLS crypto support in, but last time I looked the 
libssh2 repo had some changes for the worse. :\ I'll look again in the next 
days, probably day after tomorrow.


Just a FYI: in the curl project we're dropping axTLS support (and will soon 
remove that code) for TLS because of several reasons[1]. We no longer consider 
it a good idea to recommend our users to build code with this library since we 
doubt its quality and its ability/desire to fix those issues.


Now, SSH has different needs than TLS so the situation isn't exactly 
identical, but I would advise caution to anyone building anything that uses 
axTLS today.


[1] = https://curl.haxx.se/dev/deprecate.html

--

 / daniel.haxx.se


Time to pull together 1.9?

2018-10-08 Thread Daniel Stenberg

hey,

Issue #220 (https://github.com/libssh2/libssh2/issues/220) was filed already 
in October last year asking for a new release, and we're actually quickly 
approaching the two-year anniversary since the 1.8 release (on October 25).


I'm not imposing anything onto anyone and I'm not the one doing much 
development here these days so I'm humbly asking: is it perhaps time to start 
putting a 1.9 release together?


There are some features and patches merged since 1.8 that make life easier for 
people that would be nice to ship in a proper release.


--

 / daniel.haxx.se


Re: Optimal way to do directory listing

2018-10-06 Thread Daniel Stenberg

On Thu, 4 Oct 2018, Kannamraju P wrote:

  I am trying to do remote directory listing. If I use 
"libssh2_sftp_opendir" and get details using libssh2_sftp_readdir, I get 
file details one after the other. With latency in network this is very 
slow. Is there any better way of doing this using libssh2?


That's the only API libssh2 provides for this feature today. It is certainly 
not optimized for high-RTT connections...


--

 / daniel.haxx.se


Re: curl / libssh2 sftp write performance (with patch)

2018-08-26 Thread Daniel Stenberg

On Sun, 26 Aug 2018, Daniel Jeliński wrote:

I propose a change implemented in 
https://github.com/libssh2/libssh2/pull/264, where sftp write acknowledges 
data as soon as it is sent to the server, and checks server response when it 
becomes available, which may happen during sftp close.


So will it not care for any ACKs? If you send a 10GB file and the first packet 
is never acked? Maybe a limit for amount of outstanding un-acked data?


I realize that this is a breaking change - many code examples do not even 
check the result of sftp close, which means that a lot of code in the wild 
would probably break if the patch was accepted in its current form.


Can we make users opt-in to this and if not, do like before?

--

 / daniel.haxx.se


Re: Windows compilation help

2018-07-20 Thread Daniel Stenberg

On Thu, 19 Jul 2018, Milind Gupta wrote:

In file included from conftest.c:79:0: 
/usr/include/w32api/winsock2.h:1004:34: error: conflicting types for 
'gethostname'

  WINSOCK_API_LINKAGE int WSAAPI gethostname(char *name,int namelen);

I have attached the config.log file. I found a similar error reported for 
imagemagick and I think they did a patch for it.


Your compiler found two conflicting declarations of gethostname(). That seems 
like a problem that's not up to libssh2 to fix...


--

 / daniel.haxx.se


Re: FYI: Redhat switched to curl built with libssh...

2018-05-05 Thread Daniel Stenberg

On Sat, 5 May 2018, Antenore wrote:

Maybe ask publicly what the reasons are, so that if they are just technical, 
you can push for improvements.


The reasons are actually stated in the page I linked to: libssh has some 
features that libssh2 lacks (I think that refers to crypto algos) and 
apparently curl was about the only package left in Redhat that used libssh2.


Redhat put in a lot of effort when they provided the libssh-using backend to 
curl a while back so that we can now choose to use either library at build-time 
and curl works just the same for SCP and SFTP transfers.


I personally don't have any actual technical argument against this decision. I 
have an emotional attachment to and argument for libssh2 of course but I don't 
think that's very helpful...


--

 / daniel.haxx.se


FYI: Redhat switched to curl built with libssh...

2018-05-05 Thread Daniel Stenberg

... instead of libssh2.

Info:

 https://fedoraproject.org//wiki/Changes/libssh-in-libcurl

It has also been suggested in Debian:

 https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1602413.html

--

 / daniel.haxx.se


Re: libssh2_sftp_write blocks for about 3 minutes

2017-12-05 Thread Daniel Stenberg

On Tue, 5 Dec 2017, Pan K wrote:

Absolutely, however from previous messages in this thread, the select poll 
libssh2 is using immediately returns 'ready' when the socket is in that 
state without anything actually being ready to read, which results in a hot 
loop.


I maintain it is a bug to act like that. libssh2 should not do that.

I'm sorry, but I haven't really kept up with the details of this thread.

Not sure what could be done to correctly determine the socket is 
actually in a re-transmission state pending close.


If select() / poll() returns at once and says that the socket is readable or 
writable, then libssh2 should act on it accordingly to give it a chance to 
move from that state. It shouldn't ask for the bits it doesn't want to know 
about and for the action it asks for, it should act.


--

 / daniel.haxx.se


Re: libssh2_sftp_write blocks for about 3 minutes

2017-12-05 Thread Daniel Stenberg

On Tue, 5 Dec 2017, Pan K via libssh2-devel wrote:

Since the undesirable behaviour is the high CPU usage when the socket is not 
available, would not running the SFTP transfer in non-blocking mode help?  


Busy-looping like that is a bug, so if libssh2 does it it is a bug we should 
track down and fix. You could probably use non-blocking mode as a work-around, 
as then you can handle the looping in your own code.


--

 / daniel.haxx.se


Re: Feedback re: Build on AIX - FYI.

2017-12-04 Thread Daniel Stenberg

On Mon, 4 Dec 2017, Michael wrote:

However, this also has a GNU make dependency - I am guessing due to the m4 
macros that check for changes to Makefile.in, etc.. That is where "default" 
make dies.


I'm not denying there may be problems. I'm not sure that's because of gnu 
makeisms though. We haven't heard any complaints before from people who 
normally don't use gnu make, like BSD people. And the makefile has basically 
remained like this since a very long time afaicr.



root@x064:[/data/prj/aixtools/libssh2-1.8.0]make
"Makefile", line 980: make: 1254-055 Dependency line needs colon or double 
colon operator.
"Makefile", line 981: make: 1254-055 Dependency line needs colon or double 
colon operator.


Can you show us line 980 and 981 of your generated Makefile?

"../../src/libssh2-1.8.0/src/kex.c", line 195.82: 1506-041 (E) The invocation 
of macro _libssh2_debug contains fewer arguments than are required by the 
macro definition.


This looks like your compiler has an issue with the _libssh2_debug #define in 
libssh2_priv.h.


"../../src/libssh2-1.8.0/src/session.c", line 522.15: 1506-068 (W) Operation 
between types "void*" and "void(*)(struct _LIBSSH2_SESSION*,const 
char*,int,void**)" is not allowed.


This warning (error?) is hard to fix with our current API. It shows with other 
compilers as well.



# ERROR: 0


... so you still managed to build and test everything successfully?

--

 / daniel.haxx.se


Re: libssh2 read performance. query..

2017-10-25 Thread Daniel Stenberg

On Wed, 25 Oct 2017, Kannamraju P wrote:

I see some documentation online that some other client libraries like 
openssh query these reads in parallel and assemble them. This gives better 
throughput I believe. Do we have something similar in libssh2?


That's exactly what this system does. It sends out multiple read packets at 
the same time and assembles them when the responses come back. That's what 
OpenSSH does as well.


--

 / daniel.haxx.se


Re: libssh2 read performance. query..

2017-10-24 Thread Daniel Stenberg

On Tue, 24 Oct 2017, Kannamraju P wrote:

It seems that the reads are done in sequential order, in networks which 
have latency this slows down the read quite a bit.


Yes of course they're sequential, since the API implies reading sequentially!

And it is a work-around to *help* when you have long latencies, as I tried to 
explain as it allows the first responses to arrive earlier than otherwise. It 
is especially effective if you're reading more data in a loop (in a 
non-blocking fashion), and not just that single function call.


SFTP is notoriously bad for long-latency connections (since each individual 
packet needs to be individually acked in the SFTP protocol layer). This 
approach is a way to try to make the effects of this less bad.


Is there any workaround or configuration at library level or TCP level to 
tune this?


We've previously discussed adding some way to allow applications to tweak this 
behavior, and in particular the block sizes and read-ahead length libssh2 
does, but we've never gotten around to actually doing it.


--

 / daniel.haxx.se


Re: libssh2 read performance. query..

2017-10-24 Thread Daniel Stenberg

On Sat, 21 Oct 2017, Kannamraju P via libssh2-devel wrote:

   I was running a test to check the speed of SFTP read. A single read of 
60K bytes with 64K buffer is resulting in these many packets on the wire. 
Any input on optimizing read would be really helpful.


It behaves like that to optimize reading! libssh2 will send a lot of small 
reads in a "pipelining" manner so that you don't have to wait for any single 
large packet to return but it can return data as soon as the first packet has 
arrived.


--

 / daniel.haxx.se


Re: Valgrind reports unitialized data in 'scp_write_nonblock' example

2017-09-06 Thread Daniel Stenberg

On Wed, 6 Sep 2017, Jarkko Palviainen via libssh2-devel wrote:

Can you comment whether this is a bug in the example, in libssh2 1.4.3 or 
false positive report? Please, note that Debian 8 as well as RHEL/Centos 7 
ship a (security) patched 1.4.3 libssh2.


libssh2 1.4.3 was released almost 5 years ago and we've fixed NUMEROUS bugs 
since.


I don't know about this specific error, but I've seen several other valgrind 
errors in older versions that are already fixed in the current version, so I 
would ask you to at least first test with a modern libssh2 version 
before spending a lot of time on hunting down problems.


--

 / daniel.haxx.se


Re: Recursive scp downloads?

2017-07-20 Thread Daniel Stenberg

On Thu, 20 Jul 2017, Peter Stuge wrote:

Recursing through a hierarchy of files is not in any way part of either the 
SSH protocol, the SFTP protocol or the SCP protocol.


It would have to be implemented entirely within the client.


Not entirely right? Since the client sends the recursive scp command line to 
the server and then needs to correctly handle what it gets sent back.


--

 / daniel.haxx.se


Re: Recursive scp downloads?

2017-07-19 Thread Daniel Stenberg

On Sun, 16 Jul 2017, George Nachman wrote:

Is there any way to do a "recursive" download using libssh2, like scp -r? 
libssh2_scp_recv simply fails with an error when you give it a directory, 
but perhaps there's a trick I haven't figured out yet?


That's still a missing feature in libssh2.

--

 / daniel.haxx.se


Re: some help on a security related thing?

2017-02-12 Thread Daniel Stenberg

On Sun, 12 Feb 2017, Daniel Stenberg wrote:

We recently received an email about a libssh2 security problem, but it turns 
out basically none of us old "maintainers" of this project (me and Alexander 
Lamaison at least) feel that we have enough time and energy to handle it.


Thank you for all the (offers to) stepping up. It warms my heart to see that 
there are many friends around prepared to help out!


Since both Peter Stuge and Sara Golemon spoke up, I decided to hand over 
details to them to let them pursue this. Sara of course started this project 
and Peter has been participating since many years. They should have the 
perfect background and set of skills to handle this. And my trust.


Let's see how things develop and what Peter and Sara think of it.

Again, thanks for responses.

--

 / daniel.haxx.se


some help on a security related thing?

2017-02-11 Thread Daniel Stenberg

Hi,

We recently received an email about a libssh2 security problem, but it turns 
out basically none of us old "maintainers" of this project (me and Alexander 
Lamaison at least) feel that we have enough time and energy to handle it.


This is ultimately a cry for help that this project needs more hands on deck 
to function, but to at least handle this immediate short-term crisis I would 
like to call for volunteers to help us work on this specific problem now. To 
investigate it and work on a fix, or fixes together with the person who has 
found the issue.


Failing to deal with it will eventually end up with the issue getting 
published without any action from our end prior to that, and that would be 
very unfortunate.


Any takers?

--

 / daniel.haxx.se


RE: support with openssl 1.1.0x

2017-01-19 Thread Daniel Stenberg

On Thu, 19 Jan 2017, Kees Dekker wrote:


For 64-bit builds?


I do nothing but 64 bit builds.


Will it help you if I provide the configure output (for RHAT7 in this case)?


I think the configure log might help *you* figure out why the script fails to 
detect openssl.


Did something change in terms of placement of libraries when openssl was 
bumped to 1.1.0? I've built libssh2 with openssl 64 bit since basically 
forever.


--

 / daniel.haxx.se


RE: support with openssl 1.1.0x

2017-01-17 Thread Daniel Stenberg

On Tue, 17 Jan 2017, Kees Dekker wrote:

I also found a minor issue on Linux: the configure script expects the 
openSSL libraries in /lib64, although these are (for openssl 
1.1.0c) in /lib. Not sure whether this is related to openSSL 
1.1.0.x, but is it supported?


I build and run current libssh2 perfectly fine with OpenSSL 1.1.0c on my 
Debian Linux.


--

 / daniel.haxx.se


energy boost?

2016-11-05 Thread Daniel Stenberg

Hi friends,

We've been stalling in this project lately[1]. We get pull requests and issues 
filed, but they mostly just accumulate without being dealt with. I am of 
course personally guilty of this neglect but I'm not alone.


I'm interested in hearing what you all think we can do to up our game.

I've spent almost exactly ten years in this project and I've done 769 source 
code commits to date, but these days libssh2 is not a priority in my life 
anymore. I don't plan to run away or hide, but I am interested in seeing 
others step up their game to help driving the project forward so that I can 
remain in a backseat position without having the project suffer.


[1] = https://www.openhub.net/p/libssh2/contributors/summary

--

 / daniel.haxx.se


Re: Buffer overflow with mbedTLS

2016-10-25 Thread Daniel Stenberg

On Tue, 25 Oct 2016, Daniel Stenberg wrote:

I'm forwarding this just to make sure you all are aware - this is not what I 
normally do with bugs. The mbedTLS crypto backend is obviously brand new so 
this flaw shouldn't hurt anyone's use of libssh2 in production but should 
perhaps make you pause if you had plans to.


Hm, okay I triggered really fast due to the possible importance but the bug was 
closed again... Sorry for being alarmist. But let's keep our eyes open and I 
think it is reasonable to be careful with a brand new backend like this.


--

 / daniel.haxx.se


Buffer overflow with mbedTLS

2016-10-25 Thread Daniel Stenberg

Hey all,

I'm forwarding this just to make sure you all are aware - this is not what I 
normally do with bugs. The mbedTLS crypto backend is obviously brand new so 
this flaw shouldn't hurt anyone's use of libssh2 in production but should 
perhaps make you pause if you had plans to.


I suppose this could warrant a follow-up release once this is fixed.

--

 / daniel.haxx.se

-- Forwarded message --
Date: Tue, 25 Oct 2016 23:35:32
From: doublex 
Reply-To: libssh2/libssh2

To: libssh2/libssh2 
Subject: [libssh2/libssh2] Buffer overflow (#138)

I have tried libssh2 with mbedtls. "AddressSanitizer" aborts the progress due 
to a heap-buffer overflow:


=
==4888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130cad0 
at pc 0x7f94e1993bec bp 0x7ffd2af357e0 sp 0x7ffd2af34f88
WRITE of size 384 at 0x6130cad0 thread T0
#0 0x7f94e1993beb in __asan_memset 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
#1 0xd7a240 in mbedtls_rsa_init mbedtls/rsa.c:71
#2 0xecee57 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:279
#3 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
#4 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
#5 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange 
ssh2/kex.c:1657
#6 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
#7 0xede6f7 in session_startup ssh2/session.c:726
#8 0xedec95 in libssh2_session_handshake ssh2/session.c:804
#9 0xeded2e in libssh2_session_startup ssh2/session.c:823
#10 0x10e2b24 in ssh2_session_init ssh.cpp:1386
#11 0x10e389a in ssh2_connect ssh.cpp:1440
#12 0xfbcfbc in update update.cpp:98
#13 0xfbdb60 in main update.cpp:2195
#14 0x7f94e000782f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x40a358 in _start (update+0x40a358)

0x6130cad0 is located 0 bytes to the right of 336-byte region 
[0x6130c980,0x6130cad0)
allocated by thread T0 here:
#0 0x7f94e199f79a in __interceptor_calloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0xecee36 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:277
#2 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
#3 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
#4 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange 
ssh2/kex.c:1657
#5 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
#6 0xede6f7 in session_startup ssh2/session.c:726
#7 0xedec95 in libssh2_session_handshake ssh2/session.c:804
#8 0xeded2e in libssh2_session_startup ssh2/session.c:823
#9 0x10e2b24 in ssh2_session_init ssh.cpp:1386
#10 0x10e389a in ssh2_connect ssh.cpp:1440
#11 0xfbcfbc in update update.cpp:98
#12 0xfbdb60 in main update.cpp:2195
#13 0x7f94e000782f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)


--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/libssh2/libssh2/issues/138


[RELEASE] libssh2 1.8.0

2016-10-24 Thread Daniel Stenberg

Hi friends,

I've just packaged, signed and uploaded libssh2 1.8.0. Enjoy! As always, 
you'll find it here:


  https://www.libssh2.org/

libssh2 1.8.0

This release includes the following changes:

 o added a basic dockerised test suite
 o crypto: add support for the mbedTLS backend

This release includes the following bugfixes:

 o libgcrypt: fixed a NULL pointer dereference on OOM
 o VMS: can't use %zd for off_t format
 o VMS: update vms/libssh2_config.h
 o windows: link with crypt32.lib
 o libssh2_channel_open: speeling error fixed in channel error message
 o msvc: fixed 14 compilation warnings
 o tests: HAVE_NETINET_IN_H was not defined correctly
 o openssl: add OpenSSL 1.1.0 compatibility
 o cmake: Add CLEAR_MEMORY option, analogously to that for autoconf
 o configure: make the --with-* options override the OpenSSL default
 o libssh2_wait_socket: set err_msg on errors
 o libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alexander Lamaison, Antenore Gatta, Brad Harder, Charles Collicutt,
  Craig A. Berry, Dan Fandrich, Daniel Stenberg, Kamil Dudka, Keno Fischer,
  Taylor Holberton, Viktor Szakats, Will Cosgrove, Zenju
  (12 contributors)

Thanks! (and sorry if I forgot to mention someone)

--

 / daniel.haxx.se


Re: time to release another libssh2 version!

2016-10-17 Thread Daniel Stenberg

On Mon, 17 Oct 2016, Peter Stuge wrote:

I've attached my current git diff master state for review as well as 
testing. It has a couple of things which still need to be done, but is 
already functional.


The diff also includes a few unrelated cleanups; a few type issues and not 
using RSA if the crypto backend does not implement it.


Here's some quick first questions/notes:

Which axTLS version or versions does this work with? (I couldn't even figure 
out how to build axTLS 2.0.1 so I didn't try it out yet)


Your configure check doesn't work at all like the other crypto backends and it 
doesn't seem to support a custom install path. I would expect that to be 
fairly common with this crypto lib. Does it even ship a pkg-config file 
itself? It also adds a requirement for the pkg-config autoconf stuff, which I 
guess I'm fine with but I know that in other projects that makes people 
uncomfortable because it adds more prerequisites to the build process.


src/axtls.[ch] don't use our source code style: tabs, wrong indent level, long 
lines, starting brace in function declaration on the wrong line, case + return 
on the same line.


--

 / daniel.haxx.se


Re: time to release another libssh2 version!

2016-10-17 Thread Daniel Stenberg

On Mon, 26 Sep 2016, Peter Stuge wrote:

Can that date please be pushed two weeks? I'm not sure I can find time to 
finish the code up completely by the 11th.


Now we're 8 days away from release. I think you need to submit this work ASAP 
if you still think you can get it into the release - so that it gets some time 
to sink in, get tested and reviewed. Otherwise I suggest we aim to get that 
merged for the next release instead.


--

 / daniel.haxx.se


Re: time to release another libssh2 version!

2016-10-16 Thread Daniel Stenberg

On Fri, 14 Oct 2016, Yuriy M. Kaminskiy wrote:

E.g. that libssh2 uses oversized exponent (private key) in DH handshake, 
which renders it several times slower than it should?


E.g. that libssh2 fails to verify if received field length fits in buffer 
size *everywhere*, and so malicious server (or maybe even MitM attacker) can 
trivially crash client, or steal host (client) memory?


Please submit your patches/pull requests and we will take them into 
consideration!


--

 / daniel.haxx.se


Re: time to release another libssh2 version!

2016-09-26 Thread Daniel Stenberg

On Mon, 26 Sep 2016, Peter Stuge wrote:

I would like to propose that we aim for doing the release on Tuesday 
October 11.


Can that date please be pushed two weeks? I'm not sure I can find time to 
finish the code up completely by the 11th.


Absolutely! Let's go with October 25th instead. With some luck and hard work 
we'll be looking forward to quite a few supported backends by that time!


--

 / daniel.haxx.se


Re: time to release another libssh2 version!

2016-09-25 Thread Daniel Stenberg

On Fri, 23 Sep 2016, Ben Kibbey wrote:

Support for passphrase authentication when using an identity would be nice 
when libssh2 is compiled with libgcrypt. This would also maybe have the 
benefit of not requiring both the secret and public ssh key but only the 
private key.


That's already working with the OpenSSL backend so yeah, it should certainly 
be doable in the gcrypt code too.


We welcome patches!

--

 / daniel.haxx.se


time to release another libssh2 version!

2016-09-23 Thread Daniel Stenberg

Hi friends,

I think it is about time we ship another release. The OpenSSL 1.1.0 support 
being a major reason I think.


So, please bring up your issues that we should squeeze in before we release.

We have a whole bunch of issues and pull-requests we could use more eyes and 
hands on to deal with. Maybe we could take care of some of them before next 
release?


The mbedTLS backend for example maybe? 
https://github.com/libssh2/libssh2/pull/106


Any suggestion on how long time we should set for ourselves to prepare until 
we ship? I would like to propose that we aim for doing the release on Tuesday 
October 11. And this means that if there's anything larger anyone wants to 
merge, it needs to be done ASAP so that we have at least a week with no large 
changes before we ship.


Feel free to object, agree or suggest something different!

--

 / daniel.haxx.se


Re: MIgration from libssh

2016-09-01 Thread Daniel Stenberg

On Wed, 31 Aug 2016, Antenore Gatta wrote:

We are considering the possibility to move away from libssh and migrate all 
of our libssh code to libssh2.


As reference we were using the comparison page on your site, but it looks 
really outdated.


So what in particular looks outdated? We could possibly try to address those 
specific concerns if you articulate them.


There's that pull request from a libssh contributor that I've never merged 
(https://github.com/libssh2/www/pull/2) but I think there's a value for our 
users if we keep that comparison accurate and honest.


Do you please have any advice for us? Do you have any experience with this 
kind of migration?


I've not seen any users write about such experiences before so I'm afraid 
that's a road not very frequently travelled.


Once upon a time I casually followed the libssh development a bit, but that 
was many years ago and I was never much into how their API worked anyway.


There are also some features we are interested in, like support for 
~/ssh/config files parsing (I know it's openssh only), FIDO U2F, that at the 
moment you are not supporting, if I'm not wrong, and I was wondering if 
these are in your todo list.


We don't really have a TODO or a roadmap as a project but simply depend on 
what people and contributors want to work on and submit to us for inclusion.


But there's hardly any secret that there aren't that many developers who 
actually work on improving libssh2 day to day and we have quite a few 
outstanding bugs and pull requests now that could really use more attention.


config parsing and fido u2f sound like decent things to support and if someone 
would provide code for them, I'm pretty sure they will be welcome.


--

 / daniel.haxx.se


Re: libssh2 security

2016-08-21 Thread Daniel Stenberg

On Sat, 20 Aug 2016, Daniel Stenberg wrote:

I'll make it viewable from the web site too in a day or two, depending on 
the feedback here.


Now visible here: https://www.libssh2.org/security.html

--

 / daniel.haxx.se


perfect forward secrecy?

2016-08-20 Thread Daniel Stenberg

Hey,

There's a best practice left that I haven't marked as 'Met' because I'm not 
entirely sure (mostly because my memory is weak on the specifics). So I wanted 
to bounce this off you peeps on the list. This is the criteria:


Under Security / Good cryptographic practices:

 "The project SHOULD implement perfect forward secrecy for key agreement 
protocols so a session key derived from a set of long-term keys cannot be 
compromised if one of the long-term keys is compromised in the future"


We can mark this as a 'Met', can't we?

--

 / daniel.haxx.se


libssh2 security

2016-08-20 Thread Daniel Stenberg

Hi friends,

One of the remaining steps to make us reach 100% "CII best practices", is to 
make sure we document how we deal with security problems and provide a way for 
users to report such problems without immediately disclosing them to the 
public.


I've written a suggested "security process" for how to handle these sort of 
problems and I've set up an email alias (libssh2-secur...@haxx.se) with a 
closed list of receivers to which suspected vulnerabilities can be reported.


The process is my *suggested* approach and I'm interested in feedback and 
comments to make sure we all agree on it. It is right now already easily 
browsable here:


  https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md

There should be very few surprises in that. It is basically the same document 
I've used in the curl project for many years. I stole it from there with 
permission since I wrote the original =)


I'll make it viewable from the web site too in a day or two, depending on the 
feedback here.


--

 / daniel.haxx.se


CII best practices

2016-08-15 Thread Daniel Stenberg

Hey,

I've been participating in the CII best practices project to help open source 
projects get better. It contains a catalogue of open source software where 
each project fills in its status and declares how it works.


I've added "libssh2" [1] to the list of projects, and right now we're at 92% 
coverage of the practices.


It would be awesome to make libssh2 reach 100% so I'm posting this email to 
ask for those who care to go to the best practices site and check out the 
entries that we don't adhere to so far and either tell us here that the info 
can be updated (and how) or help us move in a direction so that we can meet 
the criteria in the future.


[1] = https://bestpractices.coreinfrastructure.org/projects/81

--

 / daniel.haxx.se


Specification for agent protocol (fwd)

2016-05-24 Thread Daniel Stenberg

FYI

Seems like this could be interesting to some libssh2 peeps as well...

--

 / daniel.haxx.se

-- Forwarded message --
Date: Tue, 24 May 2016 09:29:06
From: Damien Miller 
To: ietf-...@netbsd.org
Subject: Specification for agent protocol

Hi,

A few people have asked over the years for a proper specification of the
agent protocol that most SSH implementations support. I've maintained
the PROTOCOL.agent file[1] in the OpenSSH source distribution as a
half-assed standard for some time, but I think that the protocol is
widely used enough to warrant an actual RFC.

So I've converted the half-assed documentation into something
a little bit more formal and published it as an I-D at
https://tools.ietf.org/html/draft-miller-ssh-agent-00

This is pretty much exactly the protocol as OpenSSH implements it. The
main changes from PROTOCOL.agent (for those who are familiar with it)
are removal of SSH v.1 bits and adding a couple of backwards-compatible
extension mechanisms to support u...@domain.org-style extensibility.

I'd welcome any feedback and/or assistance in getting it completed and
published. Thanks to Simon Tatham for reviewing an earlier version.

-d

[1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.agent


RE: Multithreaded SFTP application crash on CRYPTO_free in SUSE SLES12 environment

2016-04-19 Thread Daniel Stenberg

On Tue, 19 Apr 2016, Paolo Elefante wrote:

I see that the bug I have experienced is described here 
http://trac.libssh2.org/ticket/279 and it has been fixed also in the Version 
1.5.0 where it is highlighted in the change log as "openssl: initialize the 
digest context before calling EVP_DigestInit()"


commit 61df22c4601

I only have one more doubt and question at the moment. I'm wondering if this 
bug fix is responsible for the random crash fixed in the 1.6.0. In the 
change log https://www.libssh2.org/changes.html I see that libssh2 version 
1.6.0 contains a fix for: "openssl.c: fix possible segfault in case 
EVP_DigestInit fails".


commit 84590bc78f19


Are those problems related to each other?


Yes, they both fix similar problems.

--

 / daniel.haxx.se


I'm slow

2016-04-09 Thread Daniel Stenberg

Hey,

If you think I'm slow and behind on my duties in this project, it is because 
that is true and it is a legitimate observation. And I don't expect my 
situation regarding libssh2 to change much anytime soon.


So, I'm hoping others will step up and help out and drive where things need to 
get done etc. If you review a patch and you like it, say so. If you review a 
patch and don't like it, say so. Grab an issue and try to reproduce it. 
Respond in issues and help them get clarified. Open source only works fine 
when we all join in and do our share.


If you think you'd do the project good by getting push rights so that *you* 
can merge patches and push commits, do say so. But only bother if you've 
actually been around and shown yourself worthy in the project for a good while 
first.


Thanks!

--

 / daniel.haxx.se


Re: dh parameter generation still not quite right?

2016-04-08 Thread Daniel Stenberg

On Thu, 7 Apr 2016, Kamil Dudka wrote:


Daniel, should we apply the patch upstream, too?

I know there are some outstanding issues reported in the above thread but 
they should IMO not prevent this one-liner from being applied as such.


Yeps, I just merged #103 which was the same change as a pull-request. Thanks.

--

 / daniel.haxx.se


Re: [PATCH][WIP][v2] Fix out-of-buffer-boundary reads (Was: [SECURITY ADVISORY] Truncated Difffie-Hellman secret length)

2016-03-27 Thread Daniel Stenberg

On Sun, 27 Mar 2016, Yuriy M. Kaminskiy wrote:

Ping? I'd like to stress out this issue has security implications. At very 
least, DoS (and this is not a standalone application, so it is not a minor 
issue), and maybe host memory exposure too. (However, it is only heap 
over-reads, without heap/stack over-writes, so no risk of escalating to 
remote code execution).


I can only agree that we need cleanups and fixes to make the code less 
trusting of remote packets.


It'd be easier if you'd break up your patch in smaller chunks so that they are 
easier to review and merge step by step and I would also appreciate if you'd 
add comments or use defines when you use magic constants in the code to aid 
reviewers and future readers of the code to realize where the numbers come 
from.


--

 / daniel.haxx.se


Re: speeling error (and fix) in channel error message

2016-03-26 Thread Daniel Stenberg

On Fri, 25 Mar 2016, bch wrote:

Thanks, merged!

--

 / daniel.haxx.se


Re: [SECURITY ADVISORY] Truncated Difffie-Hellman secret length

2016-02-23 Thread Daniel Stenberg

On Tue, 23 Feb 2016, Daniel Stenberg wrote:


A patch for this problem is available at:

   https://www.libssh2.org/CVE-2016-0787.patch


Will Cosgrove pointed out to me that the patch is probably a bit too simple as 
it missed fixing the diffie_hellman_sha1() function.


And 'yumkam' added this remark on github:
https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420#commitcomment-16277362

... of which the second part I'm not really qualified to debate much, other 
than it doesn't match what I've been told when we got this bug reported and 
worked on a fix.


I'll welcome further thoughts and feedback on this!

--

 / daniel.haxx.se


[SECURITY ADVISORY] Truncated Difffie-Hellman secret length

2016-02-23 Thread Daniel Stenberg

Truncated Diffie-Hellman secret length
======================================

Project libssh2 Security Advisory, February 23rd 2016 -
[Permalink](https://www.libssh2.org/adv_20160223.html)

VULNERABILITY
-------------

During the SSHv2 handshake when libssh2 is to get a suitable value for 'group
order' in the Diffie Hellman negotiation, it would pass in number of *bytes*
to a function that expected number of *bits*. This would result in the library
generating numbers using only an 8th the number of random bits than what were
intended: 128 or 256 bits instead of 1023 or 2047.

Using such drastically reduced amount of random bits for Diffie Hellman
weakened the handshake security significantly.

There are no known exploits of this flaw at this time.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-0787 to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: all versions to and including 1.6.0
- Not affected versions: libssh2 >= 1.7.0

libssh2 is used by many applications, but not always advertised as such!

THE SOLUTION
------------

libssh2 1.7.0 makes sure that there's a conversion done from number of bytes
to number of bits when the internal `_libssh2_bn_rand` function is called.

A patch for this problem is available at:

https://www.libssh2.org/CVE-2016-0787.patch

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to libssh2 1.7.0

B - Apply the patch and rebuild libssh2

TIME LINE
---------

It was first reported to the libssh2 project on February 7 2016 by Andreas
Schneider.

libssh2 1.7.0 was released on February 23rd 2016, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Andreas Schneider.

Thanks a lot!

--

 / daniel.haxx.se
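
The unit mismatch described in the advisory above, as an added C example (not libssh2's code and not part of the original message). `toy_bn_rand` is a hypothetical stand-in for a routine that takes a count of bits, the PRNG is a constructed non-cryptographic placeholder so the run is deterministic, and the `* 8 - 1` conversion is taken from the advisory's own figures (128 bytes to 1023 bits).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BYTES 512

/* Hypothetical stand-in for a bignum: big-endian bytes. */
struct toy_bn { unsigned char d[MAX_BYTES]; size_t len; };

/* Constructed xorshift generator, NOT cryptographic; used only so the
   example is deterministic and runs offline. */
static uint32_t prng_state = 0x2016u;
static unsigned char prng_byte(void)
{
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return (unsigned char)(prng_state & 0xffu);
}

/* Fill bn with a random number of exactly `bits` bits. The argument is a
   number of BITS; the top bit is forced to 1 (a choice made for this
   example) so the resulting bit length is exact. Returns 0 or -1. */
int toy_bn_rand(struct toy_bn *bn, int bits)
{
    size_t nbytes, i;
    int top;

    if (bits <= 0 || ((size_t)bits + 7) / 8 > MAX_BYTES)
        return -1;
    nbytes = ((size_t)bits + 7) / 8;
    for (i = 0; i < nbytes; i++)
        bn->d[i] = prng_byte();
    top = (bits - 1) % 8;                      /* top bit within d[0] */
    bn->d[0] &= (unsigned char)((1u << (top + 1)) - 1);
    bn->d[0] |= (unsigned char)(1u << top);
    bn->len = nbytes;
    return 0;
}

/* Number of significant bits in bn. */
int toy_bn_num_bits(const struct toy_bn *bn)
{
    size_t i;
    for (i = 0; i < bn->len; i++) {
        if (bn->d[i] != 0) {
            int b = 8;
            while (!(bn->d[i] & (1u << (b - 1))))
                b--;
            return (int)((bn->len - i - 1) * 8) + b;
        }
    }
    return 0;
}

/* Before the fix: the group order length in BYTES is passed unchanged to
   a function that expects BITS. */
int dh_private_bits_before(int group_order_bytes)
{
    struct toy_bn x;
    if (toy_bn_rand(&x, group_order_bytes) != 0)
        return -1;
    return toy_bn_num_bits(&x);
}

/* After the fix: bytes are converted to bits before the call. */
int dh_private_bits_after(int group_order_bytes)
{
    struct toy_bn x;
    if (toy_bn_rand(&x, group_order_bytes * 8 - 1) != 0)
        return -1;
    return toy_bn_num_bits(&x);
}

int main(void)
{
    int sizes[] = { 128, 256 };                /* group order in bytes */
    size_t i;
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("group order %d bytes: before=%d bits, after=%d bits\n",
               sizes[i], dh_private_bits_before(sizes[i]),
               dh_private_bits_after(sizes[i]));
    return 0;
}
```

A review check that follows from this: at every call into a random-number routine, confirm the unit of the length argument against the callee's contract, since both units are plain integers and the compiler cannot tell them apart.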


[RELEASE] libssh2 1.7.0

2016-02-23 Thread Daniel Stenberg

Hi friends,

I'm happy to announce libssh2 1.7.0. Pay special attention to the security 
advisory shipped with this release. Download libssh2 like always from


  https://www.libssh2.org/

libssh2 1.7.0

This release includes the following changes:

 o libssh2_session_set_last_error: Add function
 o mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
 o WinCNG: support for SHA256/512 HMAC
 o kex: Added diffie-hellman-group-exchange-sha256 support
 o OS/400 crypto library QC3 support

This release includes the following security advisory:

 o diffie_hellman_sha256: convert bytes to bits
   CVE-2016-0787: http://www.libssh2.org/adv_20160223.html

This release includes the following bugfixes:

 o SFTP: Increase speed and datasize in SFTP read
 o openssl: make libssh2_sha1 return error code
 o openssl: fix memleak in _libssh2_dsa_sha1_verify()
 o cmake: include CMake files in the release tarballs
 o Fix builds with Visual Studio 2015
 o hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
 o GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
 o GNUmakefile: add -m64 CFLAGS when targeting mingw64
 o kex: free server host key before allocating it (again)
 o SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
 o channel: Detect bad usage of libssh2_channel_process_startup
 o userauth: Fix off by one error when reading public key file
 o kex: removed dupe entry from libssh2_kex_methods
 o _libssh2_error: Support allocating the error message
 o hostkey: fix invalid memory access if libssh2_dsa_new fails
 o hostkey: align code path of ssh_rsa_init to ssh_dss_init
 o libssh2.pc.in: fix the output of pkg-config --libs
 o wincng: fixed possible memory leak in _libssh2_wincng_hash
 o wincng: fixed _libssh2_wincng_hash_final return value
 o add OpenSSL 1.1.0-pre2 compatibility
 o agent_disconnect_unix: unset the agent fd after closing it
 o sftp: stop reading when buffer is full
 o sftp: Send at least one read request before reading
 o sftp: Don't return EAGAIN if data was written to buffer
 o sftp: Check read packet file offset
 o configure: build "silent" if possible
 o openssl: add OpenSSL 1.1.0-pre3-dev compatibility
 o GNUmakefile: list system libs after user libs

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Alexander Lamaison, Andreas Schneider, brian m. carlson, Daniel Stenberg,
  David Byron, Jakob Egger, Kamil Dudka, Marc Hoersken, Mizunashi Mana,
  Patrick Monnerat, Paul Howarth, Salvador Fandino, Salvador Fandiño,
  Salvador Fandiño, Viktor Szakats, Will Cosgrove,
  (16 contributors)

Thanks! (and sorry if I forgot to mention someone)

--

 / daniel.haxx.se


the libssh2.org web site on HTTPS

2016-02-23 Thread Daniel Stenberg

Hey

The libssh2.org web site is now on HTTPS. Enjoy.

--

 / daniel.haxx.se


Re: Regarding hmac-sha2-256 support in 1.6.0 version

2016-02-17 Thread Daniel Stenberg

On Thu, 18 Feb 2016, suyog jadhav wrote:


IS there a release planned for near future with the hmac-sha2-256 support?


Yes! hmac-sha2-256 support is in git and the daily snapshots since a while 
back and will be part of the 1.7.0 release we plan to ship on February 23.


--

 / daniel.haxx.se


Re: ping for release

2016-02-17 Thread Daniel Stenberg

On Sun, 14 Feb 2016, Alexander Lamaison wrote:


So I think we're good to go for a release now.


I'm scheduling the release to happen on February 23. That is Tuesday next 
week. Gives us a few more days to run tests and if possible correct obvious 
bugs.


The most recent packages found at http://libssh2.org/snapshots/ are then what 
the release will look like in case anyone wants to get a "release candidate" 
for a spin.


--

 / daniel.haxx.se


Re: ping for release

2016-02-11 Thread Daniel Stenberg

On Mon, 2 Nov 2015, David Byron wrote:

Sorry to nag, but is the repo in a good state to release?  Still hoping for 
the large file stuff to get a little farther out in the world.


I've merged the "fix SFTP" patches from the patient Jakob Egger into master 
now. I _think_ we might be in a decent shape for release now.


If you disagree, please tell us why. Also, please get the latest from git and 
have a go at it to help us polish out the last few quirks before we ship.


I have also been notified about a security problem that will get fixed and 
announced with the pending release.


--

 / daniel.haxx.se


Re: Problem with random delay in terminal

2016-01-26 Thread Daniel Stenberg

On Tue, 26 Jan 2016, Lars Nordin wrote:

Have I missed any setting? I know local_echo is an option, but if SecureCRT 
can, why not libssh2?


Could it be as easy as setsockopt(... TCP_NODELAY ...) ?


Re: ping for release

2016-01-20 Thread Daniel Stenberg

On Wed, 20 Jan 2016, Alexander Lamaison wrote:

I'm not convinced putting them back as-is makes much sense though if 
they're introducing these problems. Faster performance isn't that fun when 
it comes at the price of broken functionality.


Agreed, although now Jakob has put some great fixes in, maybe the situation 
is resolved.


Yes, the comments in pull #75 (https://github.com/libssh2/libssh2/pull/75) 
sound really promising.


I'm actually mostly awaiting for response to my comments there (and possibly 
some updated commits) and then I'd be prepared to merge. *Then*, after letting 
that merge cook in master for a short while I think we're truly closing in on 
a release.


--

 / daniel.haxx.se


Re: Encryption functions

2016-01-20 Thread Daniel Stenberg

On Wed, 20 Jan 2016, Kishore Av wrote:


1. Could you please list me the functions uses the encryption?
2. What Encryption scheme used in the functions?
3. Length of the key used in the functions?


Is there anything particular that prevents you from doing this yourself? The 
code is equally accessible to all of us!


--

 / daniel.haxx.se


MSVC users and lib name?

2016-01-18 Thread Daniel Stenberg

Hello!

I wouldn't mind a comment or two from users who build and use libssh2 on 
Windows on this pull request:


  https://github.com/libssh2/libssh2/pull/73

"add placeholder for library name depending on platform"

Thanks!

--

 / daniel.haxx.se


Re: ping for release

2016-01-17 Thread Daniel Stenberg

On Fri, 15 Jan 2016, Jakob Egger wrote:

Sune Bredahl confirmed on Github that with my latest commits he can no 
longer reproduce the issues in sftp_read(): 
https://github.com/libssh2/libssh2/pull/75 



Does anybody else have time to test this, or are we good to go?


I commented on some minor nits on the commits there, but once we can get that 
PR merged and some time for people to get that tested in the master branch I 
think we should be in a decent state for release...


--

 / daniel.haxx.se


Re: CVE-2016-0777 and CVE-2016-0778

2016-01-14 Thread Daniel Stenberg

On Thu, 14 Jan 2016, George Nachman wrote:


Is libssh2 affected?


No. We don't share any code with OpenSSH.

--

 / daniel.haxx.se


attending fosdem?

2016-01-13 Thread Daniel Stenberg

Hello all,

I'll be attending FOSDEM, and it struck me that if there are other fellow 
libssh2 hackers there, we could possibly join up, say hello and talk libssh2 
for a few minutes.


If that sounds interesting, feel free to reply here or to me privately and we 
can try to arrange something.


--

 / daniel.haxx.se


Re: ping for release

2016-01-12 Thread Daniel Stenberg

On Tue, 12 Jan 2016, Alexander Lamaison wrote:

What about preemptively reverting those commits, making a release, then 
immediately re-applying the commits to master. It seems a shame to delay 
other useful improvements.


So you're that sure just reverting them will fix the SFTP problems as of late? 
If so, then reverting them now seems fine.


I'm not convinced putting them back as-is makes much sense though if they're 
introducing these problems. Faster performance isn't that fun when it comes at 
the price of broken functionality.


I was wishing that someone who experienced the SFTP problems would try to 
revert those two commits and verify that the problems go away and tell us 
about this fact on the list.


--

 / daniel.haxx.se


Re: ping for release

2016-01-12 Thread Daniel Stenberg

On Tue, 12 Jan 2016, Jakob Egger wrote:


Has anybody been able to sort this out in the last two months?


I haven't seen any attempts nor reports on the list since Alexander pointed 
out the likely offending commits. I take that as a pretty strong sign that 
there isn't a very strong desire to get a version out.



Is there anything else blocking the release?


There are a few very interesting-looking pull requests pending, but we don't 
need to do them before a release.


--

 / daniel.haxx.se


Re: upstream git repo (was Re: [PATCH] add function libssh2_session_set_last_error)

2015-12-08 Thread Daniel Stenberg

On Tue, 8 Dec 2015, Kamil Dudka wrote:

One would expect that a git repository at http://git.libssh2.org/ named 
libssh2 is the upstream git repository for the libssh2 project.  I am not 
sure if removing external references to it is enough to avoid confusion.


Fair enough. Peter, can you please shut down your libssh2 git server there? 
I've asked Sara to remove the entry from the libssh2.org domain as well.


--

 / daniel.haxx.se


Re: upstream git repo (was Re: [PATCH] add function libssh2_session_set_last_error)

2015-12-08 Thread Daniel Stenberg

On Mon, 7 Dec 2015, Kamil Dudka wrote:

So it is one month later and we still have two _divergent_ git repositories 
that both look like upstream?


The github one is the upstream one since many months back. Is there any 
mention somewhere that makes this unclear?


--

 / daniel.haxx.se


IBM iSeries port of LIBSSH2 (fwd)

2015-11-19 Thread Daniel Stenberg

Hey Stan,

You accidentally sent your mail to libssh2-devel-owner@ instead of just 
libssh2-devel@, which made it end up with the mailing list owners only. I'm 
now forwarding it to the proper list address, let's keep it on the list now! 
See below for the full content.


To answer your question in there: yes we are interested in extending our 
portability to the IBM iSeries. At least if the changes are clean and 
manageable to review. (I'll admit that EBCDIC handling scares me a bit.)


I think you could start with rebasing your work on top of what we have in git 
right now so that we have an up-to-date version of your work to start working 
with to hopefully merge.


--

 / daniel.haxx.se

-- Forwarded message --
Date: Thu, 19 Nov 2015 15:30:40
From: Stan Prichard 
To: "libssh2-devel-ow...@cool.haxx.se" 
Subject: IBM iSeries port of LIBSSH2

Hello,

I am Stan Prichard, a developer at Liaison Technologies.

A couple of years ago, I ported LIBSSH2 v1.2.7 to the IBM iSeries, an EBCDIC 
based system. These changes would also be usable on IBM zSeries systems.

Additionally, I created the server-side interfaces (server KEX, message 
handling, etc.) to allow LIBSSH2 to be used in our SFTP Server.

I have recently been given the approval to discuss these changes with you.

I would like to know if you would be interested in incorporating any of these 
modifications into your code base.

I would also like to know what licensing model is being used by your 
organization.

Please respond if there is any interest in this proposal.

Best regards,

Stan Prichard
Sr. Engineer, IBM(tm) Systems

Liaison Technologies
3157 Royal Drive | Suite 200 | Alpharetta, GA 30022
T: +1 940.498.9625 | M: +1 214.437.3496
www.liaison.com
Connect with us!




Re: ping for release

2015-11-09 Thread Daniel Stenberg

On Tue, 3 Nov 2015, Alexander Lamaison wrote:

We should consider reverting the recent SFTP changes because they are known 
to cause data loss. After the release we can add them back and work on a 
proper fix.


Do you know which commits that caused this? I've seen some reports about 
problems but I've not seen it clarified that recent changes caused them or 
which commits it might've been.


--

 / daniel.haxx.se


Re: ping for release

2015-11-02 Thread Daniel Stenberg

On Mon, 2 Nov 2015, David Byron wrote:

Sorry to nag, but is the repo in a good state to release?  Still hoping for 
the large file stuff to get a little farther out in the world.


I'd say we're in a decent shape.

--

 / daniel.haxx.se


Re: [PATCH] add function libssh2_session_set_last_error

2015-11-02 Thread Daniel Stenberg

On Mon, 2 Nov 2015, Peter Stuge wrote:

Daniel, I think you have to decide exactly what you want git.libssh2.org and 
trac.libssh2.org to do in the future, if anything.


The former git repo at git.libssh2.org has been abandoned and we only use that 
as a historical reference in case of need.


trac.libssh2.org is still populated with lots of bug reports that we haven't 
taken care of, so it would be nice to keep that around for an unknown period 
going forward.


--

 / daniel.haxx.se


Re: [PATCH] add function libssh2_session_set_last_error

2015-11-02 Thread Daniel Stenberg

On Mon, 2 Nov 2015, Kamil Dudka wrote:

In any case we should now merge the other git repo, which is fast forward to 
the upstream one and contains the commits which this thread was originally 
about.


They're merged now, with slightly modified first-line commit messages.

--

 / daniel.haxx.se


Re: Key exchange methods

2015-10-30 Thread Daniel Stenberg

On Tue, 27 Oct 2015, George Nachman wrote:

I had a user of my application complain that he couldn't connect to his 
server because it doesn't support any of these methods. Are there plans to 
add any non-DH methods? I see a bunch of others that BSD's sshd supports:


curve25519-sha...@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521


Feel free to implement any or all of these and send patches. I doubt anyone 
will be against merging support for them.


--

 / daniel.haxx.se


Re: [PATCH] add function libssh2_session_set_last_error

2015-10-27 Thread Daniel Stenberg

On Mon, 26 Oct 2015, Kamil Dudka wrote:

If git.libssh2.org is intended to be a mirror of the upstream git repo at 
github, it should only contain commits already pushed to github and nothing 
else.  Additionally, already pushed commits should not be rewritten.


If git.libssh2.org is intended to be a staging repository for your work, it 
should be clearly marked such (e.g. by using a separate branch for that 
while keeping the master branch synced with github).


I agree completely. As it is now, saying we merge new code into that git repo 
will probably make some people think it was merged into our master repo, which 
it isn't.


What about renaming it to a name that makes it sound less official and more 
like a staging/experimental git repo?


--

 / daniel.haxx.se


Re: How to structure code for multiple sessions with async API

2015-10-27 Thread Daniel Stenberg

On Tue, 27 Oct 2015, Salvador Fandiño wrote:

If I am understanding libssh2 code correctly, libssh2_keepalive_send can not 
work reliably in non-blocking mode as it converts 
LIBSSH2_ERROR_SOCKET_EAGAIN errors from _libssh2_transport_send into 
LIBSSH2_ERROR_SOCKET_SEND and leaves the transport layer in an inconsistent 
state.


In other words, if you call libssh2_keepalive_send and for any reason the 
keep-alive packet can not be immediately delivered, the connection becomes 
corrupted.


Isn't that just a bug we should fix?

--

 / daniel.haxx.se


Re: [PATCH] add function libssh2_session_set_last_error

2015-10-26 Thread Daniel Stenberg

On Mon, 26 Oct 2015, Peter Stuge wrote:


Thanks. I've pushed these to git.libssh2.org.


But why push that to the deprecated git repo? Are you intending to keep your 
own fork there or why are you splintering the effort like that?


The official libssh2 git repo is at https://github.com/libssh2/libssh2

Also: that's a new API function but without any provided docs and I don't 
think we should merge new functions undocumented.


--

 / daniel.haxx.se


Re: time to release a new version?

2015-09-29 Thread Daniel Stenberg

On Wed, 23 Sep 2015, Daniel Stenberg wrote:

If nobody objects, I propose a 1.7.0 release on September 30 - in exactly 
one week.


Due to the recent patch activity and interest to get more stuff merged before 
a release (and my personal upcoming travels), I want to postpone the 1.7.0 
release a bit. Like a week. Let's try October 8.


This has the additional upside that it gives us all another week to really 
test things in git before we ship it!


--

 / daniel.haxx.se


Re: time to release a new version?

2015-09-29 Thread Daniel Stenberg

On Fri, 25 Sep 2015, Salvador Fandiño wrote:


Anyway, I am attaching the patches here again.


Thanks a lot, I merged both of them now!

--

 / daniel.haxx.se

