From 842d5a7fe94c698924598189f91479aff67307b2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 21 Aug 2024 11:05:19 +0200
Subject: [PATCH] Pull more fixes to stabilize tests

---
 libssh-0.10.6-compress.patch   | 41 +++++++++++++++++++++++++++++
 libssh-0.10.6-rate-limit.patch | 47 ++++++++++++++++++++++++++++++++++
 libssh.spec                    | 11 ++++----
 3 files changed, 94 insertions(+), 5 deletions(-)
 create mode 100644 libssh-0.10.6-compress.patch
 create mode 100644 libssh-0.10.6-rate-limit.patch

diff --git a/libssh-0.10.6-compress.patch b/libssh-0.10.6-compress.patch
new file mode 100644
index 0000000..be72f9d
--- /dev/null
+++ b/libssh-0.10.6-compress.patch
@@ -0,0 +1,41 @@
+From c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 12 Aug 2024 17:49:46 +0200
+Subject: [PATCH] wrapper: Avoid asymmetric termination of gzip context
+
+For some reason, both compress and decompress contexts were terminated
+with both compress and decompress end functions (if the deflateEnd worked),
+which was causing for some another unexplained reasons issues on i686
+architecture when running the torture_packet unit test.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/wrapper.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/src/wrapper.c b/src/wrapper.c
+index bf949ea9..d9cf6db5 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -200,14 +200,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
+         SAFE_FREE(crypto->secret_hash);
+     }
+ #ifdef WITH_ZLIB
+-    if (crypto->compress_out_ctx &&
+-        (deflateEnd(crypto->compress_out_ctx) != 0)) {
+-        inflateEnd(crypto->compress_out_ctx);
++    if (crypto->compress_out_ctx) {
++        deflateEnd(crypto->compress_out_ctx);
+     }
+     SAFE_FREE(crypto->compress_out_ctx);
+ 
+-    if (crypto->compress_in_ctx &&
+-        (deflateEnd(crypto->compress_in_ctx) != 0)) {
++    if (crypto->compress_in_ctx) {
+         inflateEnd(crypto->compress_in_ctx);
+     }
+     SAFE_FREE(crypto->compress_in_ctx);
+-- 
+2.46.0
+
diff --git a/libssh-0.10.6-rate-limit.patch b/libssh-0.10.6-rate-limit.patch
new file mode 100644
index 0000000..e3fc1bd
--- /dev/null
+++ b/libssh-0.10.6-rate-limit.patch
@@ -0,0 +1,47 @@
+From 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 9 Aug 2024 11:30:15 +0200
+Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
+
+The new OpenSSH rate limits the failed authentication attempts per source
+address and drops connection when the amount is reached, which is happening
+in our testsuite.
+
+By whitelisting the IP address of the client on the socket wrapper,
+this allows the tests to pass.
+
+https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ tests/torture.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/torture.c b/tests/torture.c
+index c832dfa6..ad0a7836 100644
+--- a/tests/torture.c
++++ b/tests/torture.c
+@@ -755,6 +755,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+              "HostKeyAlgorithms " OPENSSH_KEYS "\n"
+ #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
+              "CASignatureAlgorithms " OPENSSH_KEYS "\n"
++#endif
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++             "PerSourcePenaltyExemptList 127.0.0.21\n"
+ #endif
+              "Ciphers " OPENSSH_CIPHERS "\n"
+              "KexAlgorithms " OPENSSH_KEX "\n"
+@@ -786,6 +789,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+              "%s\n" /* Here comes UsePam */
+              "%s" /* The space for test-specific options */
+              "\n"
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++             "PerSourcePenaltyExemptList 127.0.0.21\n"
++#endif
+              "Ciphers "
+                 "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
+                 "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+-- 
+2.46.0
+
diff --git a/libssh.spec b/libssh.spec
index ef72605..db08ec9 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -27,6 +27,11 @@ Patch2:         libssh-0.10.6-ipv6-hostname.patch
 # 2c918aad6763754bdffb84796b410e21f24bb7ec tests: Use /tmp for tmpdirs that contain sockets
 Patch3:         libssh-0.10.6-pkcs11-provider.patch
 Patch4:         libssh-0.10.6-no-engine.patch
+# 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad
+Patch5:         libssh-0.10.6-rate-limit.patch
+# c9cfeb9b838b801c3e2bb070c3db914e81ca4e68
+Patch6:         libssh-0.10.6-compress.patch
+
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -131,11 +136,7 @@ popd
 %check
 # Tests are randomly failing when run in parallel
 %global _smp_build_ncpus 1
-%ifarch i686
-# The test torture_packet fails now on i686 arch on rawhide
-%global libssh_ctest_args -E torture_packet
-%endif
-%ctest %{?libssh_ctest_args}
+%ctest
 
 %files
 %doc AUTHORS BSD CHANGELOG README