diff --git a/libssh-0.10.6-compress.patch b/libssh-0.10.6-compress.patch
new file mode 100644
index 0000000..be72f9d
--- /dev/null
+++ b/libssh-0.10.6-compress.patch
@@ -0,0 +1,41 @@
+From c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Mon, 12 Aug 2024 17:49:46 +0200
+Subject: [PATCH] wrapper: Avoid asymmetric termination of gzip context
+
+For some reason, both compress and decompress contexts were terminated
+with both compress and decompress end functions (if the deflateEnd worked),
+which was causing for some another unexplained reasons issues on i686
+architecture when running the torture_packet unit test.
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ src/wrapper.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/src/wrapper.c b/src/wrapper.c
+index bf949ea9..d9cf6db5 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -200,14 +200,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
+ SAFE_FREE(crypto->secret_hash);
+ }
+ #ifdef WITH_ZLIB
+- if (crypto->compress_out_ctx &&
+- (deflateEnd(crypto->compress_out_ctx) != 0)) {
+- inflateEnd(crypto->compress_out_ctx);
++ if (crypto->compress_out_ctx) {
++ deflateEnd(crypto->compress_out_ctx);
+ }
+ SAFE_FREE(crypto->compress_out_ctx);
+
+- if (crypto->compress_in_ctx &&
+- (deflateEnd(crypto->compress_in_ctx) != 0)) {
++ if (crypto->compress_in_ctx) {
+ inflateEnd(crypto->compress_in_ctx);
+ }
+ SAFE_FREE(crypto->compress_in_ctx);
+--
+2.46.0
+
diff --git a/libssh-0.10.6-rate-limit.patch b/libssh-0.10.6-rate-limit.patch
new file mode 100644
index 0000000..e3fc1bd
--- /dev/null
+++ b/libssh-0.10.6-rate-limit.patch
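Review bot: The rewritten cleanup in crypto_free() carries no comment recording why each context gets a different end call, and the commit message itself calls the earlier failure unexplained. From the visible lines, the old code ran deflateEnd() on compress_in_ctx, which is otherwise handed to inflateEnd() and so is presumably an inflate stream; zlib would then be inspecting that state through the wrong structure layout, which plausibly accounts for the architecture-specific breakage. I would add above the two blocks `/* End each z_stream with the call matching its init: deflateEnd() for compress_out_ctx, inflateEnd() for compress_in_ctx. */` so the two paths are not merged again. crypto_free() starts and ends outside the hunk.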
@@ -0,0 +1,47 @@
+From 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Fri, 9 Aug 2024 11:30:15 +0200
+Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
+
+The new OpenSSH rate limits the failed authentication attempts per source
+address and drops connection when the amount is reached, which is happening
+in our testsuite.
+
+By whitelisting the IP address of the client on the socket wrapper,
+this allows the tests to pass.
+
+https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ tests/torture.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/torture.c b/tests/torture.c
+index c832dfa6..ad0a7836 100644
+--- a/tests/torture.c
++++ b/tests/torture.c
+@@ -755,6 +755,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "HostKeyAlgorithms " OPENSSH_KEYS "\n"
+ #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
+ "CASignatureAlgorithms " OPENSSH_KEYS "\n"
++#endif
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
+ #endif
+ "Ciphers " OPENSSH_CIPHERS "\n"
+ "KexAlgorithms " OPENSSH_KEX "\n"
+@@ -786,6 +789,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "%s\n" /* Here comes UsePam */
+ "%s" /* The space for test-specific options */
+ "\n"
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
++#endif
+ "Ciphers "
+ "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
+ "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+--
+2.46.0
+
diff --git a/libssh.spec b/libssh.spec
index ef72605..db08ec9 100644
--- a/libssh.spec
+++ b/libssh.spec
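Review bot: The exempted address `127.0.0.21` is a bare literal repeated in both config templates of torture_setup_create_sshd_config() (the inner hunks at -755 and -786), with nothing in the visible lines tying it to the address the test client connects from. If that address ever changes, the exemption silently stops matching and the rate-limit drops return as unrelated-looking test failures. A comment beside each added line such as `/* client address under socket_wrapper; exempt so repeated failed-auth tests are not penalised */` would do, or a single macro used in both places if the test headers already define the client address. The function body extends beyond both hunks.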
@@ -27,6 +27,11 @@ Patch2: libssh-0.10.6-ipv6-hostname.patch # 2c918aad6763754bdffb84796b410e21f24bb7ec tests: Use /tmp for tmpdirs that contain sockets Patch3: libssh-0.10.6-pkcs11-provider.patch Patch4: libssh-0.10.6-no-engine.patch +# 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad +Patch5: libssh-0.10.6-rate-limit.patch +# c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 +Patch6: libssh-0.10.6-compress.patch + BuildRequires: cmake BuildRequires: gcc-c++ @@ -131,11 +136,7 @@ popd %check # Tests are randomly failing when run in parallel %global _smp_build_ncpus 1 -%ifarch i686 -# The test torture_packet fails now on i686 arch on rawhide -%global libssh_ctest_args -E torture_packet -%endif -%ctest %{?libssh_ctest_args} +%ctest %files %doc AUTHORS BSD CHANGELOG README
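Review bot: The comments added for Patch5 and Patch6 give only the upstream commit hash, while the existing comment above Patch3 pairs the hash with the commit subject. Following that form, e.g. `# 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad test: Workaround the new OpenSSH failure rate limiting` and `# c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 wrapper: Avoid asymmetric termination of gzip context`, keeps the provenance of each carried patch readable from the spec alone.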