16 changed files with 605 additions and 859 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,23 @@
-SOURCES/iperf-3.5.tar.gz
+/iperf-3.0b4.tar.gz
 /iperf-3.0b5.tar.gz
 /iperf-3.0.tar.gz
 /iperf-3.0.1.tar.gz
 /iperf-3.0.2.tar.gz
 /iperf-3.0.3.tar.gz
 /iperf-3.0.5.tar.gz
 /iperf-3.0.6.tar.gz
 /iperf-3.0.10.tar.gz
 /iperf-3.0.11.tar.gz
 /iperf-3.1b3.tar.gz
 /iperf-3.1.3.tar.gz
 /iperf-3.1.4.tar.gz
 /iperf-3.1.5.tar.gz
 /iperf-3.1.6.tar.gz
 /iperf-3.1.7.tar.gz
 /iperf-3.2.tar.gz
 /iperf-3.3.tar.gz
 /iperf-3.4.tar.gz
 /iperf-3.5.tar.gz
 /iperf-3.6.tar.gz
 /iperf-3.7.tar.gz
 /3.9.tar.gz
--- a/.iperf3.metadata
+++ b/.iperf3.metadata
@ -1 +0,0 @@
 b255fe0905159bcfe2578e4774ab3091f69f898f SOURCES/iperf-3.5.tar.gz
--- a/SOURCES/0004-cve-2023-38403.patch
+++ b/SOURCES/0004-cve-2023-38403.patch
--- a/0001-cve-2023-7250.patch
+++ b/0001-cve-2023-7250.patch
@ -0,0 +1,129 @@
 From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001
 From: "Bruce A. Mah" <bmah@es.net>
 Date: Tue, 1 Aug 2023 14:02:54 -0700
 Subject: [PATCH] Implement fixes to make the control connection more robust.
 These include various timeouts in Nread() to guarantee that it will
 eventually exit, a 10-second timeout for each attempt to read data
 from the network and an approximately 30-second overall timeout per
 Nread() call.
 Also the iperf3 server now checks the length of the received session
 cookie, and errors out if this happens to be incorrect.
 Reported by Jorge Sancho Larraz - Canonical.
 ---
 src/iperf_server_api.c |  7 ++++-
 src/net.c              | 62 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c
 index 5fa1dd7..c528d5f 100644
 --- a/src/iperf_server_api.c
 +++ b/src/iperf_server_api.c
@@ -118,7 +118,12 @@ iperf_accept(struct iperf_test *test)
     if (test->ctrl_sck == -1) {
         /* Server free, accept new client */
         test->ctrl_sck = s;
 -        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
 +        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) {
 +            /*
 +             * Note this error covers both the case of a system error
 +             * or the inability to read the correct amount of data
 +             * (i.e. timed out).
 +             */
             i_errno = IERECVCOOKIE;
             return -1;
         }
 diff --git a/src/net.c b/src/net.c
 index fd525ee..8804a39 100644
 --- a/src/net.c
 +++ b/src/net.c
@@ -60,10 +60,14 @@
 #include <poll.h>
 #endif /* HAVE_POLL_H */
 +#include "iperf.h"
 #include "iperf_util.h"
 #include "net.h"
 #include "timer.h"
 +static int nread_read_timeout = 10;
 +static int nread_overall_timeout = 30;
 +
 /*
  * Declaration of gerror in iperf_error.c.  Most other files in iperf3 can get this
  * by including "iperf.h", but net.c lives "below" this layer.  Clearly the
@@ -313,6 +317,32 @@ Nread(int fd, char *buf, size_t count, int prot)
 {
     register ssize_t r;
     register size_t nleft = count;
 +    struct iperf_time ftimeout = { 0, 0 };
 +
 +    fd_set rfdset;
 +    struct timeval timeout = { nread_read_timeout, 0 };
 +
 +    /*
 +     * fd might not be ready for reading on entry. Check for this
 +     * (with timeout) first.
 +     *
 +     * This check could go inside the while() loop below, except we're
 +     * currently considering whether it might make sense to support a
 +     * codepath that bypassese this check, for situations where we
 +     * already know that fd has data on it (for example if we'd gotten
 +     * to here as the result of a select() call.
 +     */
 +    {
 +        FD_ZERO(&rfdset);
 +        FD_SET(fd, &rfdset);
 +        r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
 +        if (r < 0) {
 +            return NET_HARDERROR;
 +        }
 +        if (r == 0) {
 +            return 0;
 +        }
 +    }
     while (nleft > 0) {
         r = read(fd, buf, nleft);
@@ -326,6 +356,39 @@ Nread(int fd, char *buf, size_t count, int prot)
         nleft -= r;
         buf += r;
 +
 +        /*
 +         * We need some more bytes but don't want to wait around
 +         * forever for them. In the case of partial results, we need
 +         * to be able to read some bytes every nread_timeout seconds.
 +         */
 +        if (nleft > 0) {
 +            struct iperf_time now;
 +
 +            /*
 +             * Also, we have an approximate upper limit for the total time
 +             * that a Nread call is supposed to take. We trade off accuracy
 +             * of this timeout for a hopefully lower performance impact.
 +             */
 +            iperf_time_now(&now);
 +            if (ftimeout.secs == 0) {
 +                ftimeout = now;
 +                iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L);
 +            }
 +            if (iperf_time_compare(&ftimeout, &now) < 0) {
 +                break;
 +            }
 +
 +            FD_ZERO(&rfdset);
 +            FD_SET(fd, &rfdset);
 +            r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
 +            if (r < 0) {
 +                return NET_HARDERROR;
 +            }
 +            if (r == 0) {
 +                break;
 +            }
 +        }
     }
     return count - nleft;
 }
--- a/0002-cve-2024-26306.patch
+++ b/0002-cve-2024-26306.patch
@ -0,0 +1,315 @@
 From 299b356df6939f71619bf45bf7a7d2222e17d840 Mon Sep 17 00:00:00 2001
 From: Sarah Larsen <swlarsen@Sarahs-MBP.lan>
 Date: Wed, 20 Mar 2024 17:02:31 -0700
 Subject: [PATCH] Using OAEP padding instead of PKCS1 padding for OpenSSL. Fix
 for CVE-2024-26306.
 Special thanks to Hubert Kario at Red Hat for finding the vulnerability.
 diff --git a/src/iperf.h b/src/iperf.h
 index c1d839be1..527e549ed 100644
 --- a/src/iperf.h
 +++ b/src/iperf.h
@@ -319,6 +319,7 @@ struct iperf_test
 #if defined(HAVE_SSL)
     char      *server_authorized_users;
     EVP_PKEY  *server_rsa_private_key;
 +    int       use_pkcs1_padding;
 #endif // HAVE_SSL
     /* boolean variables for Options */
 diff --git a/src/iperf_api.c b/src/iperf_api.c
 index d40561c10..7fb741e77 100644
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
@@ -1137,6 +1137,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
     {"rsa-public-key-path", required_argument, NULL, OPT_CLIENT_RSA_PUBLIC_KEY},
     {"rsa-private-key-path", required_argument, NULL, OPT_SERVER_RSA_PRIVATE_KEY},
     {"authorized-users-path", required_argument, NULL, OPT_SERVER_AUTHORIZED_USERS},
 +    {"use-pkcs1-padding", no_argument, NULL, OPT_USE_PKCS1_PADDING},
 #endif /* HAVE_SSL */
 	{"fq-rate", required_argument, NULL, OPT_FQ_RATE},
 	{"pacing-timer", required_argument, NULL, OPT_PACING_TIMER},
@@ -1630,6 +1631,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         case OPT_SERVER_AUTHORIZED_USERS:
             test->server_authorized_users = strdup(optarg);
             break;
 +	       case OPT_USE_PKCS1_PADDING:
 +	           test->use_pkcs1_padding = 1;
 +	           break;
 #endif /* HAVE_SSL */
 	    case OPT_PACING_TIMER:
 		test->settings->pacing_timer = unit_atoi(optarg);
@@ -2070,7 +2074,7 @@ int test_is_authorized(struct iperf_test *test){
     if (test->settings->authtoken){
         char *username = NULL, *password = NULL;
         time_t ts;
 -        int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts);
 +        int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts, test->use_pkcs1_padding);
 	if (rc) {
 	    return -1;
 	}
@@ -2255,7 +2259,7 @@ send_parameters(struct iperf_test *test)
 #if defined(HAVE_SSL)
 	/* Send authentication parameters */
 	if (test->settings->client_username && test->settings->client_password && test->settings->client_rsa_pubkey){
 -	    int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken);
 +	    int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken, test->use_pkcs1_padding);
 	    if (rc) {
 		cJSON_Delete(j);
 diff --git a/src/iperf_api.h b/src/iperf_api.h
 index d2bbdfe96..131314243 100644
 --- a/src/iperf_api.h
 +++ b/src/iperf_api.h
@@ -100,6 +100,7 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t;
 #define OPT_BIDIRECTIONAL 20
 #define OPT_SERVER_BITRATE_LIMIT 21
 #define OPT_TIMESTAMPS 22
 +#define OPT_USE_PKCS1_PADDING 30
 /* states */
 #define TEST_START 1
 diff --git a/src/t_auth.c b/src/t_auth.c
 index 77c225531..3b0fd2f32 100644
 --- a/src/t_auth.c
 +++ b/src/t_auth.c
@@ -101,8 +101,9 @@ test_authtoken(const char *authUser, const char *authPassword, EVP_PKEY *pubkey,
     char *decodePassword;
     time_t decodeTime;
 -    assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken) == 0);
 -    assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime) == 0);
 +    int use_pkcs1_padding = 1;
 +    assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken, use_pkcs1_padding) == 0);
 +    assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime, use_pkcs1_padding) == 0);
     assert(strcmp(decodeUser, authUser) == 0);
     assert(strcmp(decodePassword, authPassword) == 0);
 diff --git a/src/iperf_auth.c b/src/iperf_auth.c
 index eb4610f..2025a71 100644
 --- a/src/iperf_auth.c
 +++ b/src/iperf_auth.c
@@ -44,6 +44,10 @@
 #include <openssl/sha.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 +#if OPENSSL_VERSION_MAJOR >= 3
 +#include <openssl/evp.h>
 +#include <openssl/core_names.h>
 +#endif
 const char *auth_text_format = "user: %s\npwd:  %s\nts:   %ld";
@@ -224,61 +224,123 @@ int test_load_private_key_from_file(const char *file){
     return 0;
 }
 -int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext) {
 +int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext, int use_pkcs1_padding) {
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    EVP_PKEY_CTX *ctx;
 +#else
     RSA *rsa = NULL;
 -    unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING;
 -    int keysize, encryptedtext_len, rsa_buffer_len;
 -
 +#endif
 +    unsigned char *rsa_buffer = NULL;
 +    size_t encryptedtext_len = 0;
 +    int rsa_buffer_len, keysize;
 +
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    int rc;
 +    ctx = EVP_PKEY_CTX_new_from_pkey(NULL, public_key, "");
 +    /* See evp_pkey_rsa(7) and provider-keymgmt(7) */
 +    rc = EVP_PKEY_get_int_param(public_key, OSSL_PKEY_PARAM_MAX_SIZE, &keysize); /* XXX not really keysize */
 +    if (!rc) {
 +        goto errreturn;
 +    }
 +#else
     rsa = EVP_PKEY_get1_RSA(public_key);
     keysize = RSA_size(rsa);
 -
 +#endif
     rsa_buffer  = OPENSSL_malloc(keysize * 2);
     *encryptedtext = (unsigned char*)OPENSSL_malloc(keysize);
     BIO *bioBuff   = BIO_new_mem_buf((void*)plaintext, (int)strlen(plaintext));
     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
 -    encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, pad);
 +    int padding = RSA_PKCS1_OAEP_PADDING;
 +    if (use_pkcs1_padding){
 +        padding = RSA_PKCS1_PADDING;
 +    }
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    EVP_PKEY_encrypt_init(ctx);
 +    EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
 +
 +    EVP_PKEY_encrypt(ctx, *encryptedtext, &encryptedtext_len, rsa_buffer, rsa_buffer_len);
 +    EVP_PKEY_CTX_free(ctx);
 +#else
 +    encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, padding);
     RSA_free(rsa);
 +#endif
     OPENSSL_free(rsa_buffer);
     BIO_free(bioBuff);
     if (encryptedtext_len < 0) {
 -      /* We probably shoudln't be printing stuff like this */
 -      fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
 +        goto errreturn;
     }
     return encryptedtext_len;  
 +
 +  errreturn:
 +    fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
 +    return 0;
 }
 -int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext) {
 +int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    EVP_PKEY_CTX *ctx;
 +#else
     RSA *rsa = NULL;
 -    unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING;
 -    int plaintext_len, rsa_buffer_len, keysize;
 +#endif
 +    unsigned char *rsa_buffer = NULL;
 +    size_t plaintext_len = 0;
 +    int rsa_buffer_len, keysize;
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    int rc;
 +    ctx = EVP_PKEY_CTX_new_from_pkey(NULL, private_key, "");
 +    /* See evp_pkey_rsa(7) and provider-keymgmt(7) */
 +    rc = EVP_PKEY_get_int_param(private_key, OSSL_PKEY_PARAM_MAX_SIZE, &keysize); /* XXX not really keysize */
 +    if (!rc) {
 +        goto errreturn;
 +    }
 +#else
     rsa = EVP_PKEY_get1_RSA(private_key);
 -
     keysize = RSA_size(rsa);
 +#endif
     rsa_buffer  = OPENSSL_malloc(keysize * 2);
     *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
 -    plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, pad);
 +    int padding = RSA_PKCS1_OAEP_PADDING;
 +    if (use_pkcs1_padding){
 +        padding = RSA_PKCS1_PADDING;
 +    }
 +#if OPENSSL_VERSION_MAJOR >= 3
 +    plaintext_len = keysize;
 +    EVP_PKEY_decrypt_init(ctx);
 +    int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
 +    if (ret < 0){
 +        goto errreturn;
 +    }
 +    EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
 +    EVP_PKEY_CTX_free(ctx);
 +#else
 +    plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
     RSA_free(rsa);
 +#endif
 +
     OPENSSL_free(rsa_buffer);
     BIO_free(bioBuff);
     if (plaintext_len < 0) {
 -      /* We probably shoudln't be printing stuff like this */
 -      fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
 +        plaintext_len = 0;
     }
     return plaintext_len;
 +
 +  errreturn:
 +    fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
 +    return 0;
 }
 -int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken){
 +int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding){
     time_t t = time(NULL);
     time_t utc_seconds = mktime(localtime(&t));
@@ -295,7 +353,7 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu
     unsigned char *encrypted = NULL;
     int encrypted_len;
 -    encrypted_len = encrypt_rsa_message(text, public_key, &encrypted);
 +    encrypted_len = encrypt_rsa_message(text, public_key, &encrypted, use_pkcs1_padding);
     free(text);
     if (encrypted_len < 0) {
       return -1;
@@ -306,14 +364,14 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu
     return (0); //success
 }
 -int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts){
 +int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding){
     unsigned char *encrypted_b64 = NULL;
     size_t encrypted_len_b64;
     Base64Decode(authtoken, &encrypted_b64, &encrypted_len_b64);        
     unsigned char *plaintext = NULL;
     int plaintext_len;
 -    plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext);
 +    plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
     free(encrypted_b64);
     if (plaintext_len < 0) {
         return -1;
 diff --git a/src/iperf_auth.h b/src/iperf_auth.h
 index ffadbf3e5..eedd45abd 100644
 --- a/src/iperf_auth.h
 +++ b/src/iperf_auth.h
@@ -35,7 +35,7 @@ EVP_PKEY *load_pubkey_from_file(const char *file);
 EVP_PKEY *load_pubkey_from_base64(const char *buffer);
 EVP_PKEY *load_privkey_from_file(const char *file);
 EVP_PKEY *load_privkey_from_base64(const char *buffer);
 -int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken);
 -int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts);
 +int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding);
 +int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding);
 int check_authentication(const char *username, const char *password, const time_t ts, const char *filename);
 ssize_t iperf_getpass (char **lineptr, size_t *n, FILE *stream);
 diff --git a/src/iperf_locale.c b/src/iperf_locale.c
 index d5a5354..3b6860d 100644
 --- a/src/iperf_locale.c
 +++ b/src/iperf_locale.c
@@ -128,6 +128,7 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
 			   "                            authentication credentials\n"
                            "  --authorized-users-path   path to the configuration file containing user\n"
                            "                            credentials\n"
 +                           "  --use-pkcs1-padding       use pkcs1 padding at your own risk\n"
 #endif //HAVE_SSL
                            "Client specific:\n"
                            "  -c, --client    <host>    run in client mode, connecting to <host>\n"
 diff --git a/src/iperf3.1 b/src/iperf3.1
 index 97d66ed..6fe71c9 100644
 --- a/src/iperf3.1
 +++ b/src/iperf3.1
@@ -161,6 +161,15 @@ Optionally, a format specification can be passed to customize the
 timestamps, see
 .BR strftime ( 3 ).
 .TP
 +.BR --use-pkcs1-padding
 +This option is only meaningful when using iperf3's authentication
 +features. Versions of iperf3 prior to 3.17 used PCKS1 padding in the
 +RSA-encrypted credentials, which was vulnerable to a side-channel
 +attack that could reveal a server's private key.  Beginning with
 +iperf-3.17, OAEP padding is used, however this is a breaking change
 +that is not compatible with older iperf3 versions.  Use this option to
 +preserve the less secure, but more compatible, behavior.
 +.TP
 .BR -d ", " --debug " "
 emit debugging output.
 Primarily (perhaps exclusively) of use to developers.
--- a/SOURCES/0002-udp-counters-manpage.patch
+++ b/SOURCES/0002-udp-counters-manpage.patch
@ -1,18 +0,0 @@
 diff --git a/src/iperf3.1 b/src/iperf3.1
 index 05483a9..35a0873 100644
 --- a/src/iperf3.1
 +++ b/src/iperf3.1
@@ -329,6 +329,13 @@ If the client is run with \fB--json\fR, the server output is included
 in a JSON object; otherwise it is appended at the bottom of the
 human-readable output.
 .TP
 +.BR --udp-counters-64bit
 +Use 64-bit counters in UDP test packets.
 +The use of this option can help prevent counter overflows during long
 +or high-bitrate UDP tests.  Both client and server need to be running
 +at least version 3.1 for this option to work.  It may become the
 +default behavior at some point in the future.
 +.TP
 .BR --username " \fIusername\fR" 
 username to use for authentication to the iperf server (if built with
 OpenSSL support).
--- a/SOURCES/0003-covscan-sctp.patch
+++ b/SOURCES/0003-covscan-sctp.patch
@ -1,69 +0,0 @@
 diff --git a/src/iperf_sctp.c b/src/iperf_sctp.c
 index a0869a3..13f5cdf 100644
 --- a/src/iperf_sctp.c
 +++ b/src/iperf_sctp.c
@@ -130,12 +130,14 @@ iperf_sctp_accept(struct iperf_test * test)
     if (Nread(s, cookie, COOKIE_SIZE, Psctp) < 0) {
         i_errno = IERECVCOOKIE;
 +        close(s);
         return -1;
     }
 -    if (strcmp(test->cookie, cookie) != 0) {
 +    if (strncmp(test->cookie, cookie, COOKIE_SIZE) != 0) {
         if (Nwrite(s, (char*) &rbuf, sizeof(rbuf), Psctp) < 0) {
             i_errno = IESENDMESSAGE;
 +            close(s);
             return -1;
         }
         close(s);
@@ -209,9 +211,11 @@ iperf_sctp_listen(struct iperf_test *test)
     /* servers must call sctp_bindx() _instead_ of bind() */
     if (!TAILQ_EMPTY(&test->xbind_addrs)) {
 -        freeaddrinfo(res);
 -        if (iperf_sctp_bindx(test, s, IPERF_SCTP_SERVER))
 +        if (iperf_sctp_bindx(test, s, IPERF_SCTP_SERVER)) {
 +            close(s);
 +            freeaddrinfo(res);
             return -1;
 +		}
     } else
     if (bind(s, (struct sockaddr *) res->ai_addr, res->ai_addrlen) < 0) {
         saved_errno = errno;
@@ -422,8 +426,11 @@ iperf_sctp_connect(struct iperf_test *test)
     /* clients must call bind() followed by sctp_bindx() before connect() */
     if (!TAILQ_EMPTY(&test->xbind_addrs)) {
 -        if (iperf_sctp_bindx(test, s, IPERF_SCTP_CLIENT))
 +        if (iperf_sctp_bindx(test, s, IPERF_SCTP_CLIENT)) {
 +            freeaddrinfo(server_res);
 +            close(s);
             return -1;
 +        }
     }
     /* TODO support sctp_connectx() to avoid heartbeating. */
@@ -435,12 +442,12 @@ iperf_sctp_connect(struct iperf_test *test)
         i_errno = IESTREAMCONNECT;
         return -1;
     }
 -    freeaddrinfo(server_res);
     /* Send cookie for verification */
     if (Nwrite(s, test->cookie, COOKIE_SIZE, Psctp) < 0) {
 	saved_errno = errno;
 	close(s);
 +   freeaddrinfo(server_res);
 	errno = saved_errno;
         i_errno = IESENDCOOKIE;
         return -1;
@@ -464,6 +471,7 @@ iperf_sctp_connect(struct iperf_test *test)
         return -1;
     }
 +    freeaddrinfo(server_res);
     return s;
 #else
     i_errno = IENOSCTP;
--- a/SOURCES/0005-cve-2023-7250.patch
+++ b/SOURCES/0005-cve-2023-7250.patch
@ -1,497 +0,0 @@
 From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001
 From: "Bruce A. Mah" <bmah@es.net>
 Date: Tue, 1 Aug 2023 14:02:54 -0700
 Subject: [PATCH] Implement fixes to make the control connection more robust.
 These include various timeouts in Nread() to guarantee that it will
 eventually exit, a 10-second timeout for each attempt to read data
 from the network and an approximately 30-second overall timeout per
 Nread() call.
 Also the iperf3 server now checks the length of the received session
 cookie, and errors out if this happens to be incorrect.
 Reported by Jorge Sancho Larraz - Canonical.
 ---
 src/iperf_server_api.c |  7 ++++-
 src/net.c              | 62 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c
 index 5fa1dd7..c528d5f 100644
 --- a/src/iperf_server_api.c
 +++ b/src/iperf_server_api.c
@@ -118,7 +118,12 @@ iperf_accept(struct iperf_test *test)
     if (test->ctrl_sck == -1) {
         /* Server free, accept new client */
         test->ctrl_sck = s;
 -        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
 +        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) {
 +            /*
 +             * Note this error covers both the case of a system error
 +             * or the inability to read the correct amount of data
 +             * (i.e. timed out).
 +             */
             i_errno = IERECVCOOKIE;
             return -1;
         }
 diff --git a/src/iperf_time.c b/src/iperf_time.c
 new file mode 100644
 index 0000000..a435dd3
 --- /dev/null
 +++ b/src/iperf_time.c
@@ -0,0 +1,156 @@
 +/*
 + * iperf, Copyright (c) 2014-2018, The Regents of the University of
 + * California, through Lawrence Berkeley National Laboratory (subject
 + * to receipt of any required approvals from the U.S. Dept. of
 + * Energy).  All rights reserved.
 + *
 + * If you have questions about your rights to use or distribute this
 + * software, please contact Berkeley Lab's Technology Transfer
 + * Department at TTD@lbl.gov.
 + *
 + * NOTICE.  This software is owned by the U.S. Department of Energy.
 + * As such, the U.S. Government has been granted for itself and others
 + * acting on its behalf a paid-up, nonexclusive, irrevocable,
 + * worldwide license in the Software to reproduce, prepare derivative
 + * works, and perform publicly and display publicly.  Beginning five
 + * (5) years after the date permission to assert copyright is obtained
 + * from the U.S. Department of Energy, and subject to any subsequent
 + * five (5) year renewals, the U.S. Government is granted for itself
 + * and others acting on its behalf a paid-up, nonexclusive,
 + * irrevocable, worldwide license in the Software to reproduce,
 + * prepare derivative works, distribute copies to the public, perform
 + * publicly and display publicly, and to permit others to do so.
 + *
 + * This code is distributed under a BSD style license, see the LICENSE
 + * file for complete information.
 + */
 +
 +
 +#include <stddef.h>
 +
 +#include "iperf_config.h"
 +#include "iperf_time.h"
 +
 +#ifdef HAVE_CLOCK_GETTIME
 +
 +#include <time.h>
 +
 +int
 +iperf_time_now(struct iperf_time *time1)
 +{
 +    struct timespec ts;
 +    int result;
 +    result = clock_gettime(CLOCK_MONOTONIC, &ts);
 +    if (result == 0) {
 +        time1->secs = (uint32_t) ts.tv_sec;
 +        time1->usecs = (uint32_t) ts.tv_nsec / 1000;
 +    }
 +    return result;
 +}
 +
 +#else
 +
 +#include <sys/time.h>
 +
 +int
 +iperf_time_now(struct iperf_time *time1)
 +{
 +    struct timeval tv;
 +    int result;
 +    result = gettimeofday(&tv, NULL);
 +    time1->secs = tv.tv_sec;
 +    time1->usecs = tv.tv_usec;
 +    return result;
 +}
 +
 +#endif
 +
 +/* iperf_time_add_usecs
 + *
 + * Add a number of microseconds to a iperf_time.
 + */
 +void
 +iperf_time_add_usecs(struct iperf_time *time1, uint64_t usecs)
 +{
 +    time1->secs += usecs / 1000000L;
 +    time1->usecs += usecs % 1000000L;
 +    if ( time1->usecs >= 1000000L ) {
 +        time1->secs += time1->usecs / 1000000L;
 +        time1->usecs %= 1000000L;
 +    }
 +}
 +
 +uint64_t
 +iperf_time_in_usecs(struct iperf_time *time)
 +{
 +    return time->secs * 1000000LL + time->usecs;
 +}
 +
 +double
 +iperf_time_in_secs(struct iperf_time *time)
 +{
 +    return time->secs + time->usecs / 1000000.0;
 +}
 +
 +/* iperf_time_compare
 + *
 + * Compare two timestamps
 + *
 + * Returns -1 if time1 is earlier, 1 if time1 is later,
 + * or 0 if the timestamps are equal.
 + */
 +int
 +iperf_time_compare(struct iperf_time *time1, struct iperf_time *time2)
 +{
 +    if (time1->secs < time2->secs)
 +        return -1;
 +    if (time1->secs > time2->secs)
 +        return 1;
 +    if (time1->usecs < time2->usecs)
 +        return -1;
 +    if (time1->usecs > time2->usecs)
 +        return 1;
 +    return 0;
 +}
 +
 +/* iperf_time_diff
 + *
 + * Calculates the time from time2 to time1, assuming time1 is later than time2.
 + * The diff will always be positive, so the return value should be checked
 + * to determine if time1 was earlier than time2.
 + *
 + * Returns 1 if the time1 is less than or equal to time2, otherwise 0.
 + */
 +int
 +iperf_time_diff(struct iperf_time *time1, struct iperf_time *time2, struct iperf_time *diff)
 +{
 +    int past = 0;
 +    int cmp = 0;
 +
 +    cmp = iperf_time_compare(time1, time2);
 +    if (cmp == 0) {
 +        diff->secs = 0;
 +        diff->usecs = 0;
 +        past = 1;
 +    }
 +    else if (cmp == 1) {
 +        diff->secs = time1->secs - time2->secs;
 +        diff->usecs = time1->usecs;
 +        if (diff->usecs < time2->usecs) {
 +            diff->secs -= 1;
 +            diff->usecs += 1000000;
 +        }
 +        diff->usecs = diff->usecs - time2->usecs;
 +    } else {
 +        diff->secs = time2->secs - time1->secs;
 +        diff->usecs = time2->usecs;
 +        if (diff->usecs < time1->usecs) {
 +            diff->secs -= 1;
 +            diff->usecs += 1000000;
 +        }
 +        diff->usecs = diff->usecs - time1->usecs;
 +        past = 1;
 +    }
 +
 +    return past;
 +}
 diff --git a/src/iperf_time.h b/src/iperf_time.h
 new file mode 100644
 index 0000000..588ee26
 --- /dev/null
 +++ b/src/iperf_time.h
@@ -0,0 +1,49 @@
 +/*
 + * iperf, Copyright (c) 2014-2018, The Regents of the University of
 + * California, through Lawrence Berkeley National Laboratory (subject
 + * to receipt of any required approvals from the U.S. Dept. of
 + * Energy).  All rights reserved.
 + *
 + * If you have questions about your rights to use or distribute this
 + * software, please contact Berkeley Lab's Technology Transfer
 + * Department at TTD@lbl.gov.
 + *
 + * NOTICE.  This software is owned by the U.S. Department of Energy.
 + * As such, the U.S. Government has been granted for itself and others
 + * acting on its behalf a paid-up, nonexclusive, irrevocable,
 + * worldwide license in the Software to reproduce, prepare derivative
 + * works, and perform publicly and display publicly.  Beginning five
 + * (5) years after the date permission to assert copyright is obtained
 + * from the U.S. Department of Energy, and subject to any subsequent
 + * five (5) year renewals, the U.S. Government is granted for itself
 + * and others acting on its behalf a paid-up, nonexclusive,
 + * irrevocable, worldwide license in the Software to reproduce,
 + * prepare derivative works, distribute copies to the public, perform
 + * publicly and display publicly, and to permit others to do so.
 + *
 + * This code is distributed under a BSD style license, see the LICENSE
 + * file for complete information.
 + */
 +#ifndef __IPERF_TIME_H
 +#define __IPERF_TIME_H
 +
 +#include <stdint.h>
 +
 +struct iperf_time {
 +    uint32_t secs;
 +    uint32_t usecs;
 +};
 +
 +int iperf_time_now(struct iperf_time *time1);
 +
 +void iperf_time_add_usecs(struct iperf_time *time1, uint64_t usecs);
 +
 +int iperf_time_compare(struct iperf_time *time1, struct iperf_time *time2);
 +
 +int iperf_time_diff(struct iperf_time *time1, struct iperf_time *time2, struct iperf_time *diff);
 +
 +uint64_t iperf_time_in_usecs(struct iperf_time *time);
 +
 +double iperf_time_in_secs(struct iperf_time *time);
 +
 +#endif
 diff --git a/src/iperf.h b/src/iperf.h
 index f55994f..f137b07 100755
 --- a/src/iperf.h
 +++ b/src/iperf.h
@@ -61,6 +61,7 @@
 #include "timer.h"
 #include "queue.h"
 #include "cjson.h"
 +#include "iperf_time.h"
 typedef uint64_t iperf_size_t;
 diff --git a/src/net.c b/src/net.c
 index fd525ee..8804a39 100644
 --- a/src/net.c
 +++ b/src/net.c
@@ -60,10 +60,14 @@
 #include <poll.h>
 #endif /* HAVE_POLL_H */
 +#include "iperf.h"
 #include "iperf_util.h"
 #include "net.h"
 #include "timer.h"
 +static int nread_read_timeout = 10;
 +static int nread_overall_timeout = 30;
 +
 /*
  * timeout_connect adapted from netcat, via OpenBSD and FreeBSD
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
@@ -313,6 +317,32 @@ Nread(int fd, char *buf, size_t count, int prot)
 {
     register ssize_t r;
     register size_t nleft = count;
 +    struct iperf_time ftimeout = { 0, 0 };
 +
 +    fd_set rfdset;
 +    struct timeval timeout = { nread_read_timeout, 0 };
 +
 +    /*
 +     * fd might not be ready for reading on entry. Check for this
 +     * (with timeout) first.
 +     *
 +     * This check could go inside the while() loop below, except we're
 +     * currently considering whether it might make sense to support a
 +     * codepath that bypassese this check, for situations where we
 +     * already know that fd has data on it (for example if we'd gotten
 +     * to here as the result of a select() call.
 +     */
 +    {
 +        FD_ZERO(&rfdset);
 +        FD_SET(fd, &rfdset);
 +        r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
 +        if (r < 0) {
 +            return NET_HARDERROR;
 +        }
 +        if (r == 0) {
 +            return 0;
 +        }
 +    }
     while (nleft > 0) {
         r = read(fd, buf, nleft);
@@ -326,6 +356,39 @@ Nread(int fd, char *buf, size_t count, int prot)
         nleft -= r;
         buf += r;
 +
 +        /*
 +         * We need some more bytes but don't want to wait around
 +         * forever for them. In the case of partial results, we need
 +         * to be able to read some bytes every nread_timeout seconds.
 +         */
 +        if (nleft > 0) {
 +            struct iperf_time now;
 +
 +            /*
 +             * Also, we have an approximate upper limit for the total time
 +             * that a Nread call is supposed to take. We trade off accuracy
 +             * of this timeout for a hopefully lower performance impact.
 +             */
 +            iperf_time_now(&now);
 +            if (ftimeout.secs == 0) {
 +                ftimeout = now;
 +                iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L);
 +            }
 +            if (iperf_time_compare(&ftimeout, &now) < 0) {
 +                break;
 +            }
 +
 +            FD_ZERO(&rfdset);
 +            FD_SET(fd, &rfdset);
 +            r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
 +            if (r < 0) {
 +                return NET_HARDERROR;
 +            }
 +            if (r == 0) {
 +                break;
 +            }
 +        }
     }
     return count - nleft;
 }
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 9184e84..1c24b62 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
@@ -21,6 +21,8 @@ libiperf_la_SOURCES     = \
                         iperf_server_api.c \
                         iperf_tcp.c \
                         iperf_tcp.h \
 +                        iperf_time.c \
 +                        iperf_time.h \
                         iperf_udp.c \
                         iperf_udp.h \
 			iperf_sctp.c \
 diff --git a/src/Makefile.in b/src/Makefile.in
 index 714f601..6e75194 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
@@ -142,7 +142,8 @@ libiperf_la_LIBADD =
 am_libiperf_la_OBJECTS = cjson.lo iperf_api.lo iperf_error.lo \
 	iperf_auth.lo iperf_client_api.lo iperf_locale.lo \
 	iperf_server_api.lo iperf_tcp.lo iperf_udp.lo iperf_sctp.lo \
 -	iperf_util.lo dscp.lo net.lo tcp_info.lo timer.lo units.lo
 +	iperf_util.lo iperf_time.lo dscp.lo net.lo tcp_info.lo \
 +	timer.lo units.lo
 libiperf_la_OBJECTS = $(am_libiperf_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -165,6 +166,7 @@ am__objects_1 = iperf3_profile-cjson.$(OBJEXT) \
 	iperf3_profile-iperf_udp.$(OBJEXT) \
 	iperf3_profile-iperf_sctp.$(OBJEXT) \
 	iperf3_profile-iperf_util.$(OBJEXT) \
 +	iperf3_profile-iperf_time.$(OBJEXT) \
 	iperf3_profile-dscp.$(OBJEXT) iperf3_profile-net.$(OBJEXT) \
 	iperf3_profile-tcp_info.$(OBJEXT) \
 	iperf3_profile-timer.$(OBJEXT) iperf3_profile-units.$(OBJEXT)
@@ -220,6 +222,7 @@ am__depfiles_remade = ./$(DEPDIR)/cjson.Plo ./$(DEPDIR)/dscp.Plo \
 	./$(DEPDIR)/iperf3_profile-iperf_sctp.Po \
 	./$(DEPDIR)/iperf3_profile-iperf_server_api.Po \
 	./$(DEPDIR)/iperf3_profile-iperf_tcp.Po \
 +	./$(DEPDIR)/iperf3_profile-iperf_time.Po \
 	./$(DEPDIR)/iperf3_profile-iperf_udp.Po \
 	./$(DEPDIR)/iperf3_profile-iperf_util.Po \
 	./$(DEPDIR)/iperf3_profile-main.Po \
@@ -230,11 +233,12 @@ am__depfiles_remade = ./$(DEPDIR)/cjson.Plo ./$(DEPDIR)/dscp.Plo \
 	./$(DEPDIR)/iperf_auth.Plo ./$(DEPDIR)/iperf_client_api.Plo \
 	./$(DEPDIR)/iperf_error.Plo ./$(DEPDIR)/iperf_locale.Plo \
 	./$(DEPDIR)/iperf_sctp.Plo ./$(DEPDIR)/iperf_server_api.Plo \
 -	./$(DEPDIR)/iperf_tcp.Plo ./$(DEPDIR)/iperf_udp.Plo \
 -	./$(DEPDIR)/iperf_util.Plo ./$(DEPDIR)/net.Plo \
 -	./$(DEPDIR)/t_timer-t_timer.Po ./$(DEPDIR)/t_units-t_units.Po \
 -	./$(DEPDIR)/t_uuid-t_uuid.Po ./$(DEPDIR)/tcp_info.Plo \
 -	./$(DEPDIR)/timer.Plo ./$(DEPDIR)/units.Plo
 +	./$(DEPDIR)/iperf_tcp.Plo ./$(DEPDIR)/iperf_time.Plo \
 +	./$(DEPDIR)/iperf_udp.Plo ./$(DEPDIR)/iperf_util.Plo \
 +	./$(DEPDIR)/net.Plo ./$(DEPDIR)/t_timer-t_timer.Po \
 +	./$(DEPDIR)/t_units-t_units.Po ./$(DEPDIR)/t_uuid-t_uuid.Po \
 +	./$(DEPDIR)/tcp_info.Plo ./$(DEPDIR)/timer.Plo \
 +	./$(DEPDIR)/units.Plo
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -613,6 +613,8 @@ libiperf_la_SOURCES = \
                         iperf_server_api.c \
                         iperf_tcp.c \
                         iperf_tcp.h \
 +                        iperf_time.c \
 +                        iperf_time.h \
                         iperf_udp.c \
                         iperf_udp.h \
 			iperf_sctp.c \
@@ -850,6 +854,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_sctp.Po@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_server_api.Po@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_tcp.Po@am__quote@ # am--include-marker
 +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_time.Po@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_udp.Po@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-iperf_util.Po@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf3_profile-main.Po@am__quote@ # am--include-marker
@@ -865,6 +870,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_sctp.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_server_api.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_tcp.Plo@am__quote@ # am--include-marker
 +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_time.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_udp.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iperf_util.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/net.Plo@am__quote@ # am--include-marker
@@ -1084,6 +1090,20 @@ iperf3_profile-iperf_util.obj: iperf_util.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -c -o iperf3_profile-iperf_util.obj `if test -f 'iperf_util.c'; then $(CYGPATH_W) 'iperf_util.c'; else $(CYGPATH_W) '$(srcdir)/iperf_util.c'; fi`
 +iperf3_profile-iperf_time.o: iperf_time.c
 +@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -MT iperf3_profile-iperf_time.o -MD -MP -MF $(DEPDIR)/iperf3_profile-iperf_time.Tpo -c -o iperf3_profile-iperf_time.o `test -f 'iperf_time.c' || echo '$(srcdir)/'`iperf_time.c
 +@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/iperf3_profile-iperf_time.Tpo $(DEPDIR)/iperf3_profile-iperf_time.Po
 +@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='iperf_time.c' object='iperf3_profile-iperf_time.o' libtool=no @AMDEPBACKSLASH@
 +@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 +@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -c -o iperf3_profile-iperf_time.o `test -f 'iperf_time.c' || echo '$(srcdir)/'`iperf_time.c
 +
 +iperf3_profile-iperf_time.obj: iperf_time.c
 +@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -MT iperf3_profile-iperf_time.obj -MD -MP -MF $(DEPDIR)/iperf3_profile-iperf_time.Tpo -c -o iperf3_profile-iperf_time.obj `if test -f 'iperf_time.c'; then $(CYGPATH_W) 'iperf_time.c'; else $(CYGPATH_W) '$(srcdir)/iperf_time.c'; fi`
 +@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/iperf3_profile-iperf_time.Tpo $(DEPDIR)/iperf3_profile-iperf_time.Po
 +@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='iperf_time.c' object='iperf3_profile-iperf_time.obj' libtool=no @AMDEPBACKSLASH@
 +@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 +@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -c -o iperf3_profile-iperf_time.obj `if test -f 'iperf_time.c'; then $(CYGPATH_W) 'iperf_time.c'; else $(CYGPATH_W) '$(srcdir)/iperf_time.c'; fi`
 +
 iperf3_profile-dscp.o: dscp.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iperf3_profile_CFLAGS) $(CFLAGS) -MT iperf3_profile-dscp.o -MD -MP -MF $(DEPDIR)/iperf3_profile-dscp.Tpo -c -o iperf3_profile-dscp.o `test -f 'dscp.c' || echo '$(srcdir)/'`dscp.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/iperf3_profile-dscp.Tpo $(DEPDIR)/iperf3_profile-dscp.Po
@@ -1634,6 +1654,7 @@ distclean: distclean-am
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_sctp.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_server_api.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_tcp.Po
 +	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_time.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_udp.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_util.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-main.Po
@@ -1649,6 +1670,7 @@ distclean: distclean-am
 	-rm -f ./$(DEPDIR)/iperf_sctp.Plo
 	-rm -f ./$(DEPDIR)/iperf_server_api.Plo
 	-rm -f ./$(DEPDIR)/iperf_tcp.Plo
 +	-rm -f ./$(DEPDIR)/iperf_time.Plo
 	-rm -f ./$(DEPDIR)/iperf_udp.Plo
 	-rm -f ./$(DEPDIR)/iperf_util.Plo
 	-rm -f ./$(DEPDIR)/net.Plo
@@ -1716,6 +1738,7 @@ maintainer-clean: maintainer-clean-am
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_sctp.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_server_api.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_tcp.Po
 +	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_time.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_udp.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-iperf_util.Po
 	-rm -f ./$(DEPDIR)/iperf3_profile-main.Po
@@ -1731,6 +1754,7 @@ maintainer-clean: maintainer-clean-am
 	-rm -f ./$(DEPDIR)/iperf_sctp.Plo
 	-rm -f ./$(DEPDIR)/iperf_server_api.Plo
 	-rm -f ./$(DEPDIR)/iperf_tcp.Plo
 +	-rm -f ./$(DEPDIR)/iperf_time.Plo
 	-rm -f ./$(DEPDIR)/iperf_udp.Plo
 	-rm -f ./$(DEPDIR)/iperf_util.Plo
 	-rm -f ./$(DEPDIR)/net.Plo
--- a/SOURCES/0006-cve-2024-26306.patch
+++ b/SOURCES/0006-cve-2024-26306.patch
@ -1,231 +0,0 @@
 From 299b356df6939f71619bf45bf7a7d2222e17d840 Mon Sep 17 00:00:00 2001
 From: Sarah Larsen <swlarsen@Sarahs-MBP.lan>
 Date: Wed, 20 Mar 2024 17:02:31 -0700
 Subject: [PATCH] Using OAEP padding instead of PKCS1 padding for OpenSSL. Fix
 for CVE-2024-26306.
 Special thanks to Hubert Kario at Red Hat for finding the vulnerability.
 diff --git a/src/iperf.h b/src/iperf.h
 index f137b07..f6c0313 100755
 --- a/src/iperf.h
 +++ b/src/iperf.h
@@ -260,6 +260,7 @@ struct iperf_test
     int	      ctrl_sck_mss;			/* MSS for the control channel */
     char     *server_rsa_private_key;
     char     *server_authorized_users;
 +    int       use_pkcs1_padding;
     /* boolean variables for Options */
     int       daemon;                           /* -D option */
 diff --git a/src/iperf_api.c b/src/iperf_api.c
 index d40561c10..7fb741e77 100644
 --- a/src/iperf_api.c
 +++ b/src/iperf_api.c
@@ -1137,6 +1137,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
     {"rsa-public-key-path", required_argument, NULL, OPT_CLIENT_RSA_PUBLIC_KEY},
     {"rsa-private-key-path", required_argument, NULL, OPT_SERVER_RSA_PRIVATE_KEY},
     {"authorized-users-path", required_argument, NULL, OPT_SERVER_AUTHORIZED_USERS},
 +    {"use-pkcs1-padding", no_argument, NULL, OPT_USE_PKCS1_PADDING},
 #endif /* HAVE_SSL */
 	{"fq-rate", required_argument, NULL, OPT_FQ_RATE},
 	{"pacing-timer", required_argument, NULL, OPT_PACING_TIMER},
@@ -1630,6 +1631,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
         case OPT_SERVER_AUTHORIZED_USERS:
             test->server_authorized_users = strdup(optarg);
             break;
 +	       case OPT_USE_PKCS1_PADDING:
 +	           test->use_pkcs1_padding = 1;
 +	           break;
 #endif /* HAVE_SSL */
 	    case OPT_PACING_TIMER:
 		test->settings->pacing_timer = unit_atoi(optarg);
@@ -1100,7 +1104,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv)
             i_errno = IESETCLIENTAUTH;
             return -1;
         }
 -        encode_auth_setting(client_username, client_password, client_rsa_public_key, &test->settings->authtoken);
 +        encode_auth_setting(client_username, client_password, client_rsa_public_key, &test->settings->authtoken, test->use_pkcs1_padding);
     }
     if (test->role == 'c' && (test->server_rsa_private_key || test->server_authorized_users)){
@@ -1346,7 +1350,7 @@ int test_is_authorized(struct iperf_test *test){
     if (test->settings->authtoken){
         char *username = NULL, *password = NULL;
         time_t ts;
 -        decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts);
 +        decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts, test->use_pkcs1_padding);
         int ret = check_authentication(username, password, ts, test->server_authorized_users);
         if (ret == 0){
             iperf_printf(test, report_authetication_successed, username, ts);
 diff --git a/src/iperf_locale.c b/src/iperf_locale.c
 index d5a5354..3b6860d 100644
 --- a/src/iperf_locale.c
 +++ b/src/iperf_locale.c
@@ -128,6 +128,7 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n"
 			   "                            authentication credentials\n"
                            "  --authorized-users-path   path to the configuration file containing user\n"
                            "                            credentials\n"
 +                           "  --use-pkcs1-padding       use pkcs1 padding at your own risk\n"
 #endif //HAVE_SSL
                            "Client specific:\n"
                            "  -c, --client    <host>    run in client mode, connecting to <host>\n"
 diff --git a/src/iperf_api.h b/src/iperf_api.h
 index 3a5df03..255227c 100755
 --- a/src/iperf_api.h
 +++ b/src/iperf_api.h
@@ -68,6 +68,7 @@ struct iperf_stream;
 #define OPT_SERVER_AUTHORIZED_USERS 15
 #define OPT_PACING_TIMER 16
 #define OPT_CONNECT_TIMEOUT 17
 +#define OPT_USE_PKCS1_PADDING 30
 /* states */
 #define TEST_START 1
 diff --git a/src/iperf_auth.h b/src/iperf_auth.h
 index 38971d8..1f78699 100644
 --- a/src/iperf_auth.h
 +++ b/src/iperf_auth.h
@@ -30,7 +30,7 @@
 int test_load_pubkey(const char *public_keyfile);
 int test_load_private_key(const char *private_keyfile);
 -int encode_auth_setting(const char *username, const char *password, const char *public_keyfile, char **authtoken);
 -int decode_auth_setting(int enable_debug, const char *authtoken, const char *private_keyfile, char **username, char **password, time_t *ts);
 +int encode_auth_setting(const char *username, const char *password, const char *public_keyfile, char **authtoken, int use_pkcs1_padding);
 +int decode_auth_setting(int enable_debug, const char *authtoken, const char *private_keyfile, char **username, char **password, time_t *ts, int use_pkcs1_padding);
 int check_authentication(const char *username, const char *password, const time_t ts, const char *filename);
 ssize_t iperf_getpass (char **lineptr, size_t *n, FILE *stream);
 diff --git a/src/iperf3.1 b/src/iperf3.1
 index 1be8cc3..87c3e02 100644
 --- a/src/iperf3.1
 +++ b/src/iperf3.1
@@ -155,6 +155,15 @@ send output to a log file.
 force flushing output at every interval.
 Used to avoid buffering when sending output to pipe.
 .TP
 +.BR --use-pkcs1-padding
 +This option is only meaningful when using iperf3's authentication
 +features. Versions of iperf3 prior to 3.17 used PCKS1 padding in the
 +RSA-encrypted credentials, which was vulnerable to a side-channel
 +attack that could reveal a server's private key.  Beginning with
 +iperf-3.17, OAEP padding is used, however this is a breaking change
 +that is not compatible with older iperf3 versions.  Use this option to
 +preserve the less secure, but more compatible, behavior.
 +.TP
 .BR -d ", " --debug " "
 emit debugging output.
 Primarily (perhaps exclusively) of use to developers.
 diff --git a/src/iperf_auth.c b/src/iperf_auth.c
 index f8d2b0a..2d7d519 100644
 --- a/src/iperf_auth.c
 +++ b/src/iperf_auth.c
@@ -194,11 +194,12 @@ int test_load_private_key(const char *file){
     return 0;
 }
 -int encrypt_rsa_message(const char *plaintext, const char *public_keyfile, unsigned char **encryptedtext) {
 +int encrypt_rsa_message(const char *plaintext, const char *public_keyfile, unsigned char **encryptedtext, int use_pkcs1_padding) {
     EVP_PKEY *public_key = NULL;
     RSA *rsa = NULL;
 -    unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING;
 -    int keysize, encryptedtext_len, rsa_buffer_len;
 +    unsigned char *rsa_buffer = NULL;
 +    size_t encryptedtext_len = 0;
 +    int rsa_buffer_len, keysize;
     public_key = load_pubkey(public_keyfile);
     rsa = EVP_PKEY_get1_RSA(public_key);
@@ -210,20 +211,35 @@ int encrypt_rsa_message(const char *plaintext, const char *public_keyfile, unsig
     BIO *bioBuff   = BIO_new_mem_buf((void*)plaintext, (int)strlen(plaintext));
     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
 -    encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, pad);
 +
 +    int padding = RSA_PKCS1_OAEP_PADDING;
 +    if (use_pkcs1_padding){
 +        padding = RSA_PKCS1_PADDING;
 +    }
 +
 +    encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, padding);
     RSA_free(rsa);
     OPENSSL_free(rsa_buffer);
 -    OPENSSL_free(bioBuff);  
 +    OPENSSL_free(bioBuff);
 +
 +    if (encryptedtext_len < 0) {
 +        goto errreturn;
 +    }
 +
 +    return encryptedtext_len;
 -    return encryptedtext_len;  
 +  errreturn:
 +    fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
 +    return 0;
 }
 -int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, const char *private_keyfile, unsigned char **plaintext) {
 +int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, const char *private_keyfile, unsigned char **plaintext, int use_pkcs1_padding) {
     EVP_PKEY *private_key = NULL;
     RSA *rsa = NULL;
 -    unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING;
 -    int plaintext_len, rsa_buffer_len, keysize;
 +    unsigned char *rsa_buffer = NULL;
 +    size_t plaintext_len = 0;
 +    int rsa_buffer_len, keysize;
     private_key = load_key(private_keyfile);
     rsa = EVP_PKEY_get1_RSA(private_key);
@@ -235,35 +250,45 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
 -    plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, pad);
 +
 +    int padding = RSA_PKCS1_OAEP_PADDING;
 +    if (use_pkcs1_padding){
 +        padding = RSA_PKCS1_PADDING;
 +    }
 +
 +    plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
     RSA_free(rsa);
     OPENSSL_free(rsa_buffer);
     OPENSSL_free(bioBuff);   
 +    if (plaintext_len < 0) {
 +        plaintext_len = 0;
 +    }
 +
     return plaintext_len;
 }
 -int encode_auth_setting(const char *username, const char *password, const char *public_keyfile, char **authtoken){
 +int encode_auth_setting(const char *username, const char *password, const char *public_keyfile, char **authtoken, int use_pkcs1_padding){
     time_t t = time(NULL);
     time_t utc_seconds = mktime(localtime(&t));
     char text[150];
     sprintf (text, "user: %s\npwd:  %s\nts:   %ld", username, password, utc_seconds);
     unsigned char *encrypted = NULL;
     int encrypted_len;
 -    encrypted_len = encrypt_rsa_message(text, public_keyfile, &encrypted);
 +    encrypted_len = encrypt_rsa_message(text, public_keyfile, &encrypted, use_pkcs1_padding);
     Base64Encode(encrypted, encrypted_len, authtoken);
     return (0); //success
 }
 -int decode_auth_setting(int enable_debug, char *authtoken, const char *private_keyfile, char **username, char **password, time_t *ts){
 +int decode_auth_setting(int enable_debug, char *authtoken, const char *private_keyfile, char **username, char **password, time_t *ts, int use_pkcs1_padding){
     unsigned char *encrypted_b64 = NULL;
     size_t encrypted_len_b64;
     Base64Decode(authtoken, &encrypted_b64, &encrypted_len_b64);        
     unsigned char *plaintext = NULL;
     int plaintext_len;
 -    plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_keyfile, &plaintext);
 +    plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_keyfile, &plaintext, use_pkcs1_padding);
     plaintext[plaintext_len] = '\0';
     char s_username[20], s_password[20];
--- a/ci.fmf
+++ b/ci.fmf
@ -0,0 +1 @@
 resultsdb-testcase: separate
--- a/fix-compilation-open-argument.patch
+++ b/fix-compilation-open-argument.patch
@ -0,0 +1,11 @@
 --- iperf-3.0.3/src/iperf_api.c	2014-03-26 23:36:38.000000000 +0530
 +++ iperf-3.0.3.patch/src/iperf_api.c	2014-06-09 23:31:46.183346802 +0530
@@ -2215,7 +2215,7 @@ iperf_new_stream(struct iperf_test *test
     sp->rcv = test->protocol->recv;
     if (test->diskfile_name != (char*) 0) {
 -	sp->diskfile_fd = open(test->diskfile_name, test->sender ? O_RDONLY : (O_WRONLY|O_CREAT|O_TRUNC));
 +	sp->diskfile_fd = open(test->diskfile_name, test->sender ? O_RDONLY : (O_WRONLY|O_CREAT|O_TRUNC), S_IRUSR|S_IWUSR);
 	if (sp->diskfile_fd == -1) {
 	    i_errno = IEFILE;
             munmap(sp->buffer, sp->test->settings->blksize);
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,25 @@
 --- !Policy
 product_versions:
  - fedora-*
 decision_context: bodhi_update_push_testing
 subject_type: koji_build
 rules:
  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
 #Rawhide
 --- !Policy
 product_versions:
  - fedora-*
 decision_context: bodhi_update_push_stable
 subject_type: koji_build
 rules:
  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
 #gating rhel
 --- !Policy
 product_versions:
  - rhel-*
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
--- a/SPECS/iperf3.spec
+++ b/SPECS/iperf3.spec
@ -1,21 +1,20 @@
 Name:           iperf3
-Version:        3.5
+Version:        3.9
-Release:        10%{?dist}
+Release:        13%{?dist}
 Summary:        Measurement tool for TCP/UDP bandwidth performance
 Group:          Applications/Internet
 License:        BSD
-URL:            http://github.com/esnet/iperf
+URL:            https://github.com/esnet/iperf
-Source0:        http://downloads.es.net/pub/iperf/iperf-%{version}.tar.gz
+Source0:        https://github.com/esnet/iperf/archive/%{version}.tar.gz
-BuildRequires:  libuuid-devel git-core gcc make
+Patch0000:	0000-cve-2023-38403.patch
 Patch0001:	0001-cve-2023-7250.patch
 Patch0002:	0002-cve-2024-26306.patch
 BuildRequires:  libuuid-devel
 BuildRequires:  gcc
 BuildRequires:  lksctp-tools-devel
 BuildRequires:  openssl-devel
-
+BuildRequires:  make
 Patch0002:	0002-udp-counters-manpage.patch
 Patch0003:	0003-covscan-sctp.patch
 Patch0004:	0004-cve-2023-38403.patch
 Patch0005:	0005-cve-2023-7250.patch
 Patch0006:	0006-cve-2024-26306.patch
 %description
 Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of
@ -24,7 +23,6 @@ jitter, data-gram loss.
 %package        devel
 Summary:        Development files for %{name}
 Group:          Development/Libraries
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 %description    devel
@ -32,7 +30,7 @@ The %{name}-devel package contains libraries and header files for
 developing applications that use %{name}.
 %prep
-%autosetup -S git -n iperf-%{version}
+%autosetup -n iperf-%{version} -p1
 %build
 %configure --disable-static
@ -47,54 +45,77 @@ mkdir -p %{buildroot}%{_mandir}/man1
 rm -f %{buildroot}%{_libdir}/libiperf.la
 %files
-%defattr(-,root,root,-)
+%doc README.md LICENSE RELNOTES.md
 %doc README.md LICENSE RELEASE_NOTES
 %{_mandir}/man1/iperf3.1.gz
 %{_mandir}/man3/libiperf.3.gz
 %{_bindir}/iperf3
 %{_libdir}/*.so.*
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 %files          devel
 %defattr(-,root,root,-)
 %{_includedir}/iperf_api.h
 %{_libdir}/*.so
 %changelog
-* Tue Jun 11 2024 Michal Ruprich <mruprich@redhat.com> - 3.5-10
+* Tue Jun 11 2024 Michal Ruprich <mruprich@redhat.com> - 3.9-13
- Resolves: RHEL-29578 - vulnerable to marvin attack if the authentication option is used
+- Resolves: RHEL-29579 - vulnerable to marvin attack if the authentication option is used
-* Tue Jun 04 2024 Michal Ruprich <mruprich@redhat.com> - 3.5-9
+* Tue Jun 04 2024 Michal Ruprich <mruprich@redhat.com> - 3.9-12
- Resolves: RHEL-17069 - possible denial of service
+- Resolves: RHEL-39975 - possible denial of service
-* Fri Jul 28 2023 Michal Ruprich <mruprich@redhat.com> - 3.5-8
+* Wed Aug 09 2023 Michal Ruprich <mruprich@redhat.com> - 3.9-11
- Related: #2222205 - bumping nvr for correct update path
+- Related: #2223676 - bumping version for correct update path
-* Tue Jul 18 2023 Jonathan Wright <jonathan@almalinux.org> - 3.5-7
+* Fri Jul 28 2023 Jonathan Wright <jonathan@almalinux.org> - 3.9-10
 - Fixes CVE-2023-38403
-  Resolves: rhbz#2223729
+  Resolves: rhbz#2223676
-* Tue May 05 2020 Michal Ruprich <michalruprich@gmail.com> - 3.5-6
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.9-9
- Related: #1665142 - Fixing a couple of covscan issues
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
-* Fri Mar 13 2020 Michal Ruprich <michalruprich@gmail.com> - 3.5-5
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.9-8
- Related: #1665142 - Removing patch that deletes sctp from manpage
+- Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065
-* Mon Mar 09 2020 Michal Ruprich <mruprich@redhat.com> - 3.5-4
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.9-7
- Resolves: #1665142 - [RFE] enable SCTP support in iperf3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 - Resolves: #1656429 - option --udp-counters-64bit shown in --help output but not in man page
 - Resolves: #1700497 - [RFE] enable SSL support in iperf3
-* Sun Dec 16 2018 Michal Ruprich <mruprich@redhat.com> - 3.5-3
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.9-6
- Related: #1647413 - Removing nstreams and xbind from man since these are SCTP-related options
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-* Thu Nov 22 2018 Michal Ruprich <mruprich@redhat.com> - 3.5-2
+* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 3.9-5
- Related: #1647413 - adding some BuildRequires
+- Update to 3.9. Fixes bug #1846161
-* Thu Nov 22 2018 Michal Ruprich <mruprich@redhat.com> - 3.5-2
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7-5
- Resolves: #1647413 - iperf3 with option --sctp in client mode fails with error 'iperf3: unrecognized option --sctp'
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 3.7-4
 - Add openssl-devel to BuildRequires to enable authentization of client
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.7-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sat Jun 22 2019 Kevin Fenzi <kevin@scrye.com> - 3.7-1
 - Update to 3.7. Fixes bug #1723020
 * Tue Feb 26 2019 Tomas Korbar <tkorbar@redhat.com> - 3.6-5
 - Add lksctp-tools-devel to BuildRequires
 - Fix bug #1647385
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jul 20 2018 Kevin Fenzi <kevin@scrye.com> - 3.6-3
 - Fix FTBFS bug #1604377 by adding BuildRequires: gcc
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Thu Jun 28 2018 Kevin Fenzi <kevin@scrye.com> - 3.6-1
 - Update to 3.6. Fixes bug #1594995
 * Sat Mar 03 2018 Kevin Fenzi <kevin@scrye.com> - 3.5-1
 - Update to 3.5. Fixes bug #1551166
--- a/plans.fmf
+++ b/plans.fmf
@ -0,0 +1,36 @@
 /tier1-internal:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/tier1/internal
 /tier1-public:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/tier1/public
 /tier2-tier3-internal:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/tier2-tier3/internal
 /tier2-tier3-public:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/tier2-tier3/public
 /others-internal:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/others/internal
 /others-public:
  plan:
    import:
      url: https://src.fedoraproject.org/tests/iperf3.git
      name: /plans/others/public
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (3.9.tar.gz) = 3da0939bed576a7c14baa03c996e6f407f20bfe58c4b3a36a66e74f41bd5442c0b23ab18c8eb1f2f37fd47449af533b61b658d810c68707b2b06d28894ac2035
		`@ -1 +0,0 @@`
			`b255fe0905159bcfe2578e4774ab3091f69f898f SOURCES/iperf-3.5.tar.gz`
		`@ -0,0 +1 @@`
							`SHA512 (3.9.tar.gz) = 3da0939bed576a7c14baa03c996e6f407f20bfe58c4b3a36a66e74f41bd5442c0b23ab18c8eb1f2f37fd47449af533b61b658d810c68707b2b06d28894ac2035`