authorNicolas Viennot <nicolas@viennot.biz>2013-08-16 13:24:09 -0400
committerNicolas Viennot <nicolas@viennot.biz>2013-08-16 13:32:26 -0400
commit246bec30bc92c8cbb08eed7cadc6257608cc8491 (patch)
tree671cf3d85eb2bbac507be383f1b339395ffde8d8
parentaab28e379685c1c2b839c105662047b606a3d595 (diff)
Updated libssh
-rw-r--r--libssh/CMakeLists.txt5
-rw-r--r--libssh/CTestConfig.cmake2
-rw-r--r--libssh/ChangeLog76
-rw-r--r--libssh/ConfigureChecks.cmake63
-rw-r--r--libssh/DefineOptions.cmake1
-rw-r--r--libssh/INSTALL8
-rw-r--r--libssh/cmake/Modules/DefineCompilerFlags.cmake6
-rw-r--r--libssh/cmake/Modules/FindCMocka.cmake19
-rw-r--r--libssh/cmake/Modules/FindGSSAPI.cmake324
-rw-r--r--libssh/cmake/Modules/FindNSIS.cmake32
-rw-r--r--libssh/cmake/Modules/UseDoxygen.cmake42
-rw-r--r--libssh/config.h.cmake14
-rw-r--r--libssh/doc/TracFooter.html1
-rw-r--r--libssh/doc/TracHeader.html4
-rw-r--r--libssh/doc/doxy.config.in190
-rw-r--r--libssh/doc/linking.dox12
-rw-r--r--libssh/doc/mainpage.dox41
-rw-r--r--libssh/examples/CMakeLists.txt38
-rw-r--r--libssh/examples/authentication.c9
-rw-r--r--libssh/examples/libssh_scp.c15
-rw-r--r--libssh/examples/proxy.c347
-rw-r--r--libssh/examples/sample.c28
-rw-r--r--libssh/examples/samplesftp.c4
-rw-r--r--libssh/examples/samplesshd-cb.c306
-rw-r--r--libssh/examples/samplesshd-kbdint.c4
-rw-r--r--libssh/examples/samplesshd-tty.c10
-rw-r--r--libssh/examples/sshnetcat.c14
-rw-r--r--libssh/include/libssh/agent.h1
-rw-r--r--libssh/include/libssh/auth.h9
-rw-r--r--libssh/include/libssh/callbacks.h395
-rw-r--r--libssh/include/libssh/channels.h2
-rw-r--r--libssh/include/libssh/gssapi.h45
-rw-r--r--libssh/include/libssh/kex.h2
-rw-r--r--libssh/include/libssh/libssh.h22
-rw-r--r--libssh/include/libssh/libsshpp.hpp2
-rw-r--r--libssh/include/libssh/messages.h6
-rw-r--r--libssh/include/libssh/pki.h6
-rw-r--r--libssh/include/libssh/priv.h97
-rw-r--r--libssh/include/libssh/server.h5
-rw-r--r--libssh/include/libssh/session.h12
-rw-r--r--libssh/include/libssh/sftp.h25
-rw-r--r--libssh/include/libssh/ssh2.h7
-rw-r--r--libssh/src/CMakeLists.txt19
-rw-r--r--libssh/src/agent.c133
-rw-r--r--libssh/src/auth.c174
-rw-r--r--libssh/src/auth1.c22
-rw-r--r--libssh/src/bind.c8
-rw-r--r--libssh/src/callbacks.c50
-rw-r--r--libssh/src/channels.c417
-rw-r--r--libssh/src/channels1.c24
-rw-r--r--libssh/src/client.c90
-rw-r--r--libssh/src/config.c4
-rw-r--r--libssh/src/connect.c63
-rw-r--r--libssh/src/dh.c20
-rw-r--r--libssh/src/ecdh.c70
-rw-r--r--libssh/src/error.c10
-rw-r--r--libssh/src/getpass.c6
-rw-r--r--libssh/src/gssapi.c947
-rw-r--r--libssh/src/kex.c28
-rw-r--r--libssh/src/kex1.c40
-rw-r--r--libssh/src/known_hosts.c52
-rw-r--r--libssh/src/legacy.c25
-rw-r--r--libssh/src/log.c127
-rw-r--r--libssh/src/messages.c487
-rw-r--r--libssh/src/misc.c6
-rw-r--r--libssh/src/options.c27
-rw-r--r--libssh/src/packet.c75
-rw-r--r--libssh/src/packet1.c30
-rw-r--r--libssh/src/packet_cb.c17
-rw-r--r--libssh/src/pki.c17
-rw-r--r--libssh/src/poll.c16
-rw-r--r--libssh/src/scp.c44
-rw-r--r--libssh/src/server.c205
-rw-r--r--libssh/src/session.c109
-rw-r--r--libssh/src/sftp.c73
-rw-r--r--libssh/src/sftpserver.c35
-rw-r--r--libssh/src/socket.c34
-rw-r--r--libssh/src/wrapper.c67
-rw-r--r--libssh/tests/client/torture_session.c2
-rw-r--r--libssh/tests/torture.c5
-rw-r--r--libssh/tests/unittests/torture_options.c18
-rw-r--r--libssh/tests/unittests/torture_pki.c16
-rw-r--r--libssh/tests/valgrind.supp11
83 files changed, 4631 insertions, 1243 deletions
diff --git a/libssh/CMakeLists.txt b/libssh/CMakeLists.txt
index 81ac5884..e783c2b4 100644
--- a/libssh/CMakeLists.txt
+++ b/libssh/CMakeLists.txt
@@ -67,6 +67,10 @@ endif(WITH_GCRYPT)
set(CMAKE_THREAD_PREFER_PTHREADS ON)
find_package(Threads)
+if (WITH_GSSAPI)
+ find_package(GSSAPI)
+endif (WITH_GSSAPI)
+
# config.h checks
include(ConfigureChecks.cmake)
configure_file(config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/config.h)
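Review bot: `find_package(GSSAPI)` is called without `REQUIRED`, and the later ConfigureChecks.cmake hunk (`set(WITH_GSSAPI 0)` when `GSSAPI_FOUND` is not set) then switches the feature off with no diagnostic. A build explicitly configured with `-DWITH_GSSAPI=ON` can therefore end up without GSSAPI authentication, and the only trace appears to be the `GSSAPI support :` summary line. Because `WITH_GSSAPI` defaults to ON in DefineOptions.cmake, a hard failure is probably too strict. I would report the downgrade where it happens, e.g. `message(WARNING "WITH_GSSAPI is ON but GSSAPI was not found; building without GSSAPI authentication")` just before `set(WITH_GSSAPI 0)`.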
@@ -122,6 +126,7 @@ message(STATUS "libgcrypt support: ${WITH_GCRYPT}")
message(STATUS "SSH-1 support: ${WITH_SSH1}")
message(STATUS "SFTP support: ${WITH_SFTP}")
message(STATUS "Server support : ${WITH_SERVER}")
+message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
message(STATUS "Pcap debugging support : ${WITH_PCAP}")
message(STATUS "With static library: ${WITH_STATIC_LIB}")
message(STATUS "Unit testing: ${WITH_TESTING}")
diff --git a/libssh/CTestConfig.cmake b/libssh/CTestConfig.cmake
index d8a41831..20d2e8f5 100644
--- a/libssh/CTestConfig.cmake
+++ b/libssh/CTestConfig.cmake
@@ -1,7 +1,7 @@
set(UPDATE_TYPE "true")
set(CTEST_PROJECT_NAME "libssh")
-set(CTEST_NIGHTLY_START_TIME "01:00:00 CET")
+set(CTEST_NIGHTLY_START_TIME "01:00:00 UTC")
set(CTEST_DROP_METHOD "http")
set(CTEST_DROP_SITE "test.libssh.org")
diff --git a/libssh/ChangeLog b/libssh/ChangeLog
index 5bc0784a..6f4d906c 100644
--- a/libssh/ChangeLog
+++ b/libssh/ChangeLog
@@ -1,13 +1,75 @@
ChangeLog
==========
-version 0.5.x (released 2012-xx-xx)
- * Added new PKI infrastructure.
- * Added simplified user auth functions.
- * Added ECDSA pubkey support.
- * Added ECDSA hostkey support.
- * Added diffie-hellman-group14-sha1 support.
- * Fixed a ton of bugs.
+version 0.6.0 (released 2013-XX-XX)
+ * Added new publicy key API.
+ * Added new userauth API.
+ * Added gssapi-mic userauth.
+ * Added new callback based server API.
+ * Added Elliptic Curve DSA (ECDSA) support (with OpenSSL).
+ * Added Elliptic Curve Diffie Hellman (ECDH) support.
+ * Added improved logging system.
+ * Added SSH-agent forwarding.
+ * Added key-reexchange.
+ * Improved documentation.
+ * Fixed timeout handling.
+
+version 0.5.5 (released 2013-07-26)
+ * BUG 103: Fix ProxyCommand parsing.
+ * Fix setting -D_FORTIFY_SOURCE=2.
+ * Fix pollset error return if emtpy.
+ * Fix NULL pointer checks in channel functions.
+ * Several bugfixes.
+
+version 0.5.4 (released 2013-01-22)
+ * CVE-2013-0176 - NULL dereference leads to denial of service
+ * Fixed several NULL pointer dereferences in SSHv1.
+ * Fixed a free crash bug in options parsing.
+
+version 0.5.3 (released 2012-11-20)
+ * CVE-2012-4559 Fixed multiple double free() flaws.
+ * CVE-2012-4560 Fixed multiple buffer overflow flaws.
+ * CVE-2012-4561 Fixed multiple invalid free() flaws.
+ * BUG #84 - Fix bug in sftp_mkdir not returning on error.
+ * BUG #85 - Fixed a possible channel infinite loop if the connection dropped.
+ * BUG #88 - Added missing channel request_state and set it to accepted.
+ * BUG #89 - Reset error state to no error on successful SSHv1 authentiction.
+ * Fixed a possible use after free in ssh_free().
+ * Fixed multiple possible NULL pointer dereferences.
+ * Fixed multiple memory leaks in error paths.
+ * Fixed timeout handling.
+ * Fixed regression in pre-connected socket setting.
+ * Handle all unknown global messages.
+
+version 0.5.2 (released 2011-09-17)
+ * Increased window size x10.
+ * Fixed SSHv1.
+ * Fixed bugged lists.
+ * Fixed use-after-free + inconsistent callbacks call in poll.
+ * Fixed scp documentation.
+ * Fixed possible infinite loop in channel_read().
+ * Fixed handling of short reads of sftp_async_read().
+ * Fixed handling request service timeout in blocking mode.
+ * Fixed ssh_auth_list() documentation.
+ * Fixed incorrect return values in ssh_channel_write().
+ * Fixed an infinite loop in the termination callback.
+ * Fixed handling of SSH_AGAIN in channel_open().
+ * Fixed "status -5 inflating zlib packet"
+
+version 0.5.1 (released 2011-08-09)
+ * Added checks for NULL pointers in string.c.
+ * Set the channel max packet size to 32768.
+ * Don't (de)compress empty buffers.
+ * Fixed ssh_scp_write so it works when doing recursive copy.
+ * Fixed another source of endless wait.
+ * Fixed an endless loop in case of a channel_open error.
+ * Fixed session timeout handling.
+ * Fixed ssh_channel_from_local() loop.
+ * Fixed permissions of scp example when we copy a file.
+ * Workaround ssh_get_user_home_dir on LDAP users.
+ * Added pkg-config support for libssh_threads.
+ * Fixed compilation without server and sftp modes.
+ * Fix static .lib overwriting on Windows.
version 0.5.0 (released 2011-06-01)
* Added ssh_ prefix to all functions.
diff --git a/libssh/ConfigureChecks.cmake b/libssh/ConfigureChecks.cmake
index b0485d98..1c89c4c7 100644
--- a/libssh/ConfigureChecks.cmake
+++ b/libssh/ConfigureChecks.cmake
@@ -49,6 +49,7 @@ endif(CMAKE_COMPILER_IS_GNUCC AND NOT MINGW AND NOT OS2)
check_include_file(argp.h HAVE_ARGP_H)
check_include_file(pty.h HAVE_PTY_H)
check_include_file(termios.h HAVE_TERMIOS_H)
+check_include_file(unistd.h HAVE_UNISTD_H)
if (WIN32)
check_include_files("winsock2.h;ws2tcpip.h;wspiapi.h" HAVE_WSPIAPI_H)
@@ -56,12 +57,6 @@ if (WIN32)
message(STATUS "WARNING: Without wspiapi.h, this build will only work on Windows XP and newer versions")
endif (NOT HAVE_WSPIAPI_H)
check_include_files("winsock2.h;ws2tcpip.h" HAVE_WS2TCPIP_H)
- if (HAVE_WSPIAPI_H OR HAVE_WS2TCPIP_H)
- set(HAVE_GETADDRINFO TRUE)
- set(HAVE_GETHOSTBYNAME TRUE)
- endif (HAVE_WSPIAPI_H OR HAVE_WS2TCPIP_H)
-
- set(HAVE_SELECT TRUE)
endif (WIN32)
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIRS})
@@ -101,12 +96,30 @@ endif (NOT WITH_GCRYPT)
check_function_exists(strncpy HAVE_STRNCPY)
check_function_exists(vsnprintf HAVE_VSNPRINTF)
check_function_exists(snprintf HAVE_SNPRINTF)
+check_function_exists(poll HAVE_POLL)
+check_function_exists(select HAVE_SELECT)
+check_function_exists(getaddrinfo HAVE_GETADDRINFO)
+check_function_exists(ntohll HAVE_NTOHLL)
+check_function_exists(htonll HAVE_HTONLL)
if (WIN32)
+ check_function_exists(_strtoui64 HAVE__STRTOUI64)
+
check_function_exists(_vsnprintf_s HAVE__VSNPRINTF_S)
check_function_exists(_vsnprintf HAVE__VSNPRINTF)
check_function_exists(_snprintf HAVE__SNPRINTF)
check_function_exists(_snprintf_s HAVE__SNPRINTF_S)
+
+ if (HAVE_WSPIAPI_H OR HAVE_WS2TCPIP_H)
+ set(HAVE_GETADDRINFO TRUE)
+ set(HAVE_GETHOSTBYNAME TRUE)
+ if (MSVC)
+ set(HAVE_NTOHLL TRUE)
+ set(HAVE_HTONLL TRUE)
+ endif (MSVC)
+ endif (HAVE_WSPIAPI_H OR HAVE_WS2TCPIP_H)
+
+ set(HAVE_SELECT TRUE)
endif (WIN32)
if (UNIX)
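Review bot: Inside `if (MSVC)`, `set(HAVE_NTOHLL TRUE)` and `set(HAVE_HTONLL TRUE)` assert that the functions exist without probing for them. Whether they exist depends on the Windows SDK headers rather than on the compiler, and as far as I know older SDKs do not declare `ntohll`/`htonll`, so those builds may break. The `check_function_exists(...)` calls moved above `if (WIN32)` now also run on Windows, where they presumably fail for the Winsock functions because nothing in the hunk adds the socket library to `CMAKE_REQUIRED_LIBRARIES`; the plain `set()` calls then shadow those results. A comment would make the override intentional, for example `# check_function_exists() does not see Winsock symbols here; derive them from the header checks instead`.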
@@ -114,7 +127,8 @@ if (UNIX)
# libsocket (Solaris)
check_library_exists(socket getaddrinfo "" HAVE_LIBSOCKET)
if (HAVE_LIBSOCKET)
- set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} socket)
+ set(HAVE_GETADDRINFO TRUE)
+ set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} socket)
endif (HAVE_LIBSOCKET)
# libnsl/inet_pton (Solaris)
@@ -133,12 +147,7 @@ if (UNIX)
endif (HAVE_LIBRT OR HAVE_CLOCK_GETTIME)
check_library_exists(util forkpty "" HAVE_LIBUTIL)
- check_function_exists(getaddrinfo HAVE_GETADDRINFO)
- check_function_exists(poll HAVE_POLL)
- check_function_exists(select HAVE_SELECT)
check_function_exists(cfmakeraw HAVE_CFMAKERAW)
- check_function_exists(ntohll HAVE_NTOHLL)
- check_function_exists(htonll HAVE_HTONLL)
check_function_exists(strtoull HAVE_STRTOULL)
check_function_exists(__strtoull HAVE___STRTOULL)
endif (UNIX)
@@ -165,6 +174,32 @@ if (CMAKE_HAVE_THREADS_LIBRARY)
endif (CMAKE_HAVE_THREADS_LIBRARY)
# OPTIONS
+check_c_source_compiles("
+__thread int tls;
+
+int main(void) {
+ return 0;
+}" HAVE_GCC_THREAD_LOCAL_STORAGE)
+
+check_c_source_compiles("
+__declspec(thread) int tls;
+
+int main(void) {
+ return 0;
+}" HAVE_MSC_THREAD_LOCAL_STORAGE)
+
+check_c_source_compiles("
+#include <string.h>
+
+int main(void)
+{
+ char buf[] = \"This is some content\";
+
+ memset(buf, '\\\\0', sizeof(buf)); __asm__ volatile(\"\" : : \"r\"(&buf) : \"memory\");
+
+ return 0;
+}" HAVE_GCC_VOLATILE_MEMORY_PROTECTION)
+
if (WITH_DEBUG_CRYPTO)
set(DEBUG_CRYPTO 1)
endif (WITH_DEBUG_CRYPTO)
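Review bot: The three `check_c_source_compiles` probes are added under the `# OPTIONS` heading with no comment, and the third, `HAVE_GCC_VOLATILE_MEMORY_PROTECTION`, needs explaining for a later reader. It only proves that the compiler accepts a GCC-style `__asm__ volatile` statement with a `"memory"` clobber after `memset()`; it does not verify that the store survives optimisation. I would put them under their own heading and add `# Compiler barrier after memset(), presumably so that clearing buffers is not optimised away` above the third probe. Above the first two, `# Thread-local storage keywords: GCC __thread, MSVC __declspec(thread)` would do.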
@@ -173,6 +208,10 @@ if (WITH_DEBUG_CALLTRACE)
set(DEBUG_CALLTRACE 1)
endif (WITH_DEBUG_CALLTRACE)
+if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
+ set(WITH_GSSAPI 0)
+endif (WITH_GSSAPI AND NOT GSSAPI_FOUND)
+
# ENDIAN
if (NOT WIN32)
test_big_endian(WORDS_BIGENDIAN)
diff --git a/libssh/DefineOptions.cmake b/libssh/DefineOptions.cmake
index ea8265c0..6913f040 100644
--- a/libssh/DefineOptions.cmake
+++ b/libssh/DefineOptions.cmake
@@ -1,3 +1,4 @@
+option(WITH_GSSAPI "Build with GSSAPI support" ON)
option(WITH_ZLIB "Build with ZLIB support" ON)
option(WITH_SSH1 "Build with SSH1 support" OFF)
option(WITH_SFTP "Build with SFTP support" ON)
diff --git a/libssh/INSTALL b/libssh/INSTALL
index a772b824..25960367 100644
--- a/libssh/INSTALL
+++ b/libssh/INSTALL
@@ -21,7 +21,7 @@ build and run libssh successfully with an older version, please let us know.
Windows binaries known to be working:
- http://www.slproweb.com/products/Win32OpenSSL.html
-- http://www.winimage.com/zLibDll/index.html
+- http://zlib.net/ -> zlib compiled DLL
We installed them in C:\Program Files
@@ -34,7 +34,9 @@ GNU/Linux, MacOS X, MSYS/MinGW:
cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug ..
make
-On Windows you should choose a makefile gernerator with -G.
+On Windows you should choose a makefile gernerator with -G or use
+
+ cmake-gui.exe ..
### CMake standard options
Here is a list of the most interesting options provided out of the box by
@@ -86,7 +88,7 @@ If you want to install libssh after compilation run:
## Running
-The libssh binary can be found in the `build/libssh` directory.
+The libssh binary can be found in the `build/src` directory.
You can use `build/examples/samplessh` which is a sample client to
test libssh on UNIX.
diff --git a/libssh/cmake/Modules/DefineCompilerFlags.cmake b/libssh/cmake/Modules/DefineCompilerFlags.cmake
index 582ea1ca..0ab8802c 100644
--- a/libssh/cmake/Modules/DefineCompilerFlags.cmake
+++ b/libssh/cmake/Modules/DefineCompilerFlags.cmake
@@ -28,10 +28,10 @@ if (UNIX AND NOT WIN32)
if (CMAKE_BUILD_TYPE)
string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)
- if (NOT CMAKE_BUILD_TYPE_LOWER MATCHES debug)
- check_c_compiler_flag("-D_FORTIFY_SOURCE=2" WITH_FORTIFY_SOURCE)
+ if (CMAKE_BUILD_TYPE_LOWER MATCHES (release|relwithdebinfo|minsizerel))
+ check_c_compiler_flag("-Wp,-D_FORTIFY_SOURCE=2" WITH_FORTIFY_SOURCE)
if (WITH_FORTIFY_SOURCE)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wp,-D_FORTIFY_SOURCE=2")
endif (WITH_FORTIFY_SOURCE)
endif()
endif()
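Review bot: In `if (CMAKE_BUILD_TYPE_LOWER MATCHES (release|relwithdebinfo|minsizerel))` the regex is unquoted, and `if()` treats bare parentheses as expression grouping. As far as I can tell the alternation is then evaluated as a sub-condition instead of being passed to `MATCHES`, so the `_FORTIFY_SOURCE` hardening could be skipped for every build type without any message. Quoting the pattern removes the ambiguity: `if (CMAKE_BUILD_TYPE_LOWER MATCHES "(release|relwithdebinfo|minsizerel)")`. A short comment should also say that a build with an empty `CMAKE_BUILD_TYPE` gets no fortification, because the enclosing `if (CMAKE_BUILD_TYPE)` guards this block. The enclosing `if (UNIX AND NOT WIN32)` block starts and ends outside the hunk.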
diff --git a/libssh/cmake/Modules/FindCMocka.cmake b/libssh/cmake/Modules/FindCMocka.cmake
index 2dd9fc5f..76b4ba74 100644
--- a/libssh/cmake/Modules/FindCMocka.cmake
+++ b/libssh/cmake/Modules/FindCMocka.cmake
@@ -21,6 +21,23 @@
#=============================================================================
#
+set(_CMOCKA_ROOT_HINTS
+)
+
+set(_CMOCKA_ROOT_PATHS
+ "$ENV{PROGRAMFILES}/cmocka"
+)
+
+find_path(CMOCKA_ROOT_DIR
+ NAMES
+ include/cmocka.h
+ HINTS
+ ${_CMOCKA_ROOT_HINTS}
+ PATHS
+ ${_CMOCKA_ROOT_PATHS}
+)
+mark_as_advanced(CMOCKA_ROOT_DIR)
+
find_path(CMOCKA_INCLUDE_DIR
NAMES
cmocka.h
@@ -32,7 +49,7 @@ find_library(CMOCKA_LIBRARY
NAMES
cmocka
PATHS
- ${CMOCKA_ROOT_DIR}/include
+ ${CMOCKA_ROOT_DIR}/lib
)
if (CMOCKA_LIBRARY)
diff --git a/libssh/cmake/Modules/FindGSSAPI.cmake b/libssh/cmake/Modules/FindGSSAPI.cmake
new file mode 100644
index 00000000..8520d35d
--- /dev/null
+++ b/libssh/cmake/Modules/FindGSSAPI.cmake
@@ -0,0 +1,324 @@
+# - Try to find GSSAPI
+# Once done this will define
+#
+# KRB5_CONFIG - Path to krb5-config
+# GSSAPI_ROOT_DIR - Set this variable to the root installation of GSSAPI
+#
+# Read-Only variables:
+# GSSAPI_FLAVOR_MIT - set to TURE if MIT Kerberos has been found
+# GSSAPI_FLAVOR_HEIMDAL - set to TRUE if Heimdal Keberos has been found
+# GSSAPI_FOUND - system has GSSAPI
+# GSSAPI_INCLUDE_DIR - the GSSAPI include directory
+# GSSAPI_LIBRARIES - Link these to use GSSAPI
+# GSSAPI_DEFINITIONS - Compiler switches required for using GSSAPI
+#
+#=============================================================================
+# Copyright (c) 2013 Andreas Schneider <asn@cryptomilk.org>
+#
+# Distributed under the OSI-approved BSD License (the "License");
+# see accompanying file Copyright.txt for details.
+#
+# This software is distributed WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the License for more information.
+#=============================================================================
+#
+
+find_path(GSSAPI_ROOT_DIR
+ NAMES
+ include/gssapi.h
+ include/gssapi/gssapi.h
+ HINTS
+ ${_GSSAPI_ROOT_HINTS}
+ PATHS
+ ${_GSSAPI_ROOT_PATHS}
+)
+mark_as_advanced(GSSAPI_ROOT_DIR)
+
+if (UNIX)
+ find_program(KRB5_CONFIG
+ NAMES
+ krb5-config
+ PATHS
+ ${GSSAPI_ROOT_DIR}/bin
+ /opt/local/bin)
+ mark_as_advanced(KRB5_CONFIG)
+
+ if (KRB5_CONFIG)
+ # Check if we have MIT KRB5
+ execute_process(
+ COMMAND
+ ${KRB5_CONFIG} --vendor
+ RESULT_VARIABLE
+ _GSSAPI_VENDOR_RESULT
+ OUTPUT_VARIABLE
+ _GSSAPI_VENDOR_STRING)
+
+ if (_GSSAPI_VENDOR_STRING MATCHES ".*Massachusetts.*")
+ set(GSSAPI_FLAVOR_MIT TRUE)
+ else()
+ execute_process(
+ COMMAND
+ ${KRB5_CONFIG} --libs gssapi
+ RESULT_VARIABLE
+ _GSSAPI_LIBS_RESULT
+ OUTPUT_VARIABLE
+ _GSSAPI_LIBS_STRING)
+
+ if (