import libssh-0.9.6-10.el8_8

2023-06-29 19:07:10 +00:00 · 2023-06-29 19:07:10 +00:00 · 93ccf6c206
parent b5748463d2
commit 93ccf6c206
5 changed files with 2851 additions and 1 deletions
--- a/SOURCES/auth_bypass.patch
+++ b/SOURCES/auth_bypass.patch
@ -0,0 +1,86 @@
+diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
+--- ../libssh-0.9.6/src/pki_crypto.c	2023-04-27 12:59:08.463259052 +0200
+++ ./src/pki_crypto.c	2023-04-27 13:05:24.020610873 +0200
+@@ -2291,8 +2291,12 @@
+     unsigned char *raw_sig_data = NULL;
+     unsigned int raw_sig_len;
+ 
+    /* Function return code
+     * Do not change this variable throughout the function until the signature
+     * is successfully verified!
+     */
+     int rc = SSH_ERROR;
+-    int evp_rc;
+    int ok;
+ 
+     if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
+         signature == NULL || (signature->raw_sig == NULL
+@@ -2307,8 +2311,8 @@
+     }
+ 
+     /* Check if public key and hash type are compatible */
+-    rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+-    if (rc != SSH_OK) {
+    ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+    if (ok != SSH_OK) {
+         return SSH_ERROR;
+     }
+ 
+@@ -2351,8 +2355,8 @@
+     }
+ 
+     /* Verify the signature */
+-    evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+-    if (evp_rc != 1){
+    ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+    if (ok != 1){
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyInit() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+@@ -2360,35 +2364,31 @@
+     }
+ 
+ #ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
+-    evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+    ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ #else
+-    evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
+-    if (evp_rc != 1) {
+    ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
+    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyUpdate() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+         goto out;
+     }
+ 
+-    evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+    ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ #endif
+-    if (evp_rc == 1) {
+-        SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+-        rc = SSH_OK;
+-    } else {
+    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "Signature invalid: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+-        rc = SSH_ERROR;
+        goto out;
+     }
+ 
+    SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+    rc = SSH_OK;
+
+ out:
+-    if (ctx != NULL) {
+-        EVP_MD_CTX_free(ctx);
+-    }
+-    if (pkey != NULL) {
+-        EVP_PKEY_free(pkey);
+-    }
+    EVP_MD_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+     return rc;
+ }
+ 
--- a/SOURCES/covscan23.patch
+++ b/SOURCES/covscan23.patch
@ -0,0 +1,228 @@
+diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
+--- ../libssh-0.9.6/src/buffer.c	2023-05-03 11:53:48.710217753 +0200
+++ ./src/buffer.c	2023-05-03 11:58:21.995200990 +0200
+@@ -747,7 +747,8 @@
+  */
+ int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
+ {
+-    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+    if (buffer == NULL || buffer->pos + len < len ||
+        buffer->pos + len > buffer->used) {
+         return SSH_ERROR;
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
+--- ../libssh-0.9.6/src/gssapi.c	2023-05-03 11:53:48.732217993 +0200
+++ ./src/gssapi.c	2023-05-03 11:58:21.976200782 +0200
+@@ -437,11 +437,18 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
+        rc = ssh_buffer_pack(session->out_buffer,
+                             "bdP",
+                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+                             output_token.length,
+                             (size_t)output_token.length, output_token.value);
+        if (rc != SSH_OK) {
+            ssh_set_error_oom(session);
+            ssh_auth_reply_default(session, 0);
+            ssh_gssapi_free(session);
+            session->gssapi = NULL;
+            return SSH_PACKET_USED;
+        }
+         ssh_packet_send(session);
+     }
+ 
+@@ -846,6 +853,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
+    int rc;
+     ssh_string oid_s;
+     gss_uint32 maj_stat, min_stat;
+     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+@@ -897,11 +905,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
+        rc = ssh_buffer_pack(session->out_buffer,
+                             "bdP",
+                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+                             output_token.length,
+                             (size_t)output_token.length, output_token.value);
+        if (rc != SSH_OK) {
+            ssh_set_error_oom(session);
+            goto error;
+        }
+         ssh_packet_send(session);
+         session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
+     }
+@@ -963,6 +975,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
+    int rc;
+     ssh_string token;
+     char *hexa;
+     OM_uint32 maj_stat, min_stat;
+@@ -1015,11 +1028,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
+        rc = ssh_buffer_pack(session->out_buffer,
+                             "bdP",
+                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+                             output_token.length,
+                             (size_t)output_token.length, output_token.value);
+        if (rc != SSH_OK) {
+            ssh_set_error_oom(session);
+            goto error;
+        }
+         ssh_packet_send(session);
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
+--- ../libssh-0.9.6/src/options.c	2021-08-26 14:27:42.000000000 +0200
+++ ./src/options.c	2023-05-03 11:58:22.000201044 +0200
+@@ -547,7 +547,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
+                    SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
+                     SAFE_FREE(q);
+                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i <= 0) {
+@@ -743,7 +745,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
+                    SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+                     SAFE_FREE(q);
+                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i < 0) {
+@@ -1818,7 +1822,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
+            SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
+            SAFE_FREE(q);
+            return -1;
+         }
+         SAFE_FREE(q);
+ 
+@@ -1845,7 +1851,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
+            SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+            SAFE_FREE(q);
+            return -1;
+         }
+         SAFE_FREE(q);
+ 
+diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
+--- ../libssh-0.9.6/src/pki_container_openssh.c	2023-05-03 11:53:48.713217785 +0200
+++ ./src/pki_container_openssh.c	2023-05-03 11:58:21.976200782 +0200
+@@ -630,7 +630,11 @@
+             goto error;
+         }
+ 
+-        ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+        rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+        if (rc != SSH_OK) {
+            SSH_BUFFER_FREE(kdf_buf);
+            goto error;
+        }
+         kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
+         if (kdf_options == NULL){
+             SSH_BUFFER_FREE(kdf_buf);
+diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
+--- ../libssh-0.9.6/tests/unittests/torture_options.c	2021-08-26 14:27:42.000000000 +0200
+++ ./tests/unittests/torture_options.c	2023-05-03 11:59:21.726853027 +0200
+@@ -311,6 +311,7 @@
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
+     assert_true(rc == -1);
+    assert_int_not_equal(session->opts.port, 0);
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
+     assert_true(rc == -1);
+@@ -853,6 +854,26 @@
+     ssh_free(new);
+ }
+ 
+static void torture_options_set_verbosity (void **state)
+{
+    ssh_session session = *state;
+    int rc, new_level;
+
+    rc = ssh_options_set(session,
+                         SSH_OPTIONS_LOG_VERBOSITY_STR,
+                         "3");
+    assert_int_equal(rc, SSH_OK);
+    new_level = ssh_get_log_level();
+    assert_int_equal(new_level, SSH_LOG_PACKET);
+
+    rc = ssh_options_set(session,
+                         SSH_OPTIONS_LOG_VERBOSITY_STR,
+                         "datsun");
+    assert_int_equal(rc, -1);
+    new_level = ssh_get_log_level();
+    assert_int_not_equal(new_level, 0);
+}
+
+ #ifdef WITH_SERVER
+ const char template[] = "temp_dir_XXXXXX";
+ 
+@@ -1107,6 +1128,10 @@
+     rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
+     assert_int_equal(rc, 0);
+     assert_int_equal(bind->bindport, 23);
+
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
+    assert_int_equal(rc, -1);
+    assert_int_not_equal(bind->bindport, 0);
+ }
+ 
+ static void torture_bind_options_log_verbosity(void **state)
+@@ -1156,6 +1181,11 @@
+     new_level = ssh_get_log_level();
+     assert_int_equal(new_level, SSH_LOG_PACKET);
+ 
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
+    assert_int_equal(rc, -1);
+    new_level = ssh_get_log_level();
+    assert_int_not_equal(new_level, 0);
+
+     rc = ssh_set_log_level(previous_level);
+     assert_int_equal(rc, SSH_OK);
+ }
+@@ -1643,6 +1673,7 @@
+         cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
+         cmocka_unit_test_setup_teardown(torture_options_config_match,
+                                         setup, teardown),
+        cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
+     };
+ 
+ #ifdef WITH_SERVER
--- a/SOURCES/fix_tests.patch
+++ b/SOURCES/fix_tests.patch
@ -0,0 +1,668 @@
+diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
+--- ../libssh-0.9.6/examples/sshnetcat.c	2021-08-26 14:27:42.000000000 +0200
+++ ./examples/sshnetcat.c	2023-05-02 10:36:00.793381735 +0200
+@@ -233,9 +233,10 @@
+ }
+ 
+ void cleanup_pcap(void);
+-void cleanup_pcap(){
+void cleanup_pcap(void)
+{
+ 	ssh_pcap_file_free(pcap);
+-	pcap=NULL;
+	pcap = NULL;
+ }
+ #endif
+ 
+diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
+--- ../libssh-0.9.6/src/init.c	2021-03-15 08:11:33.000000000 +0100
+++ ./src/init.c	2023-05-02 10:36:00.793381735 +0200
+@@ -269,7 +269,7 @@
+  *
+  * @see ssh_init()
+  */
+-bool is_ssh_initialized() {
+bool is_ssh_initialized(void) {
+ 
+     bool is_initialized = false;
+ 
+diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
+--- ../libssh-0.9.6/tests/client/torture_auth.c	2021-08-26 14:27:42.000000000 +0200
+++ ./tests/client/torture_auth.c	2023-05-02 10:36:00.815381960 +0200
+@@ -200,7 +200,8 @@
+     assert_non_null(ssh_agent_pidfile);
+ 
+     /* kill agent pid */
+-    torture_terminate_process(ssh_agent_pidfile);
+    rc = torture_terminate_process(ssh_agent_pidfile);
+    assert_return_code(rc, errno);
+ 
+     unlink(ssh_agent_pidfile);
+ 
+@@ -551,6 +552,7 @@
+ 
+ static void torture_auth_agent_cert(void **state)
+ {
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -570,6 +572,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     /* Setup loads a different key, tests are exactly the same. */
+     torture_auth_agent(state);
+@@ -577,6 +580,7 @@
+ 
+ static void torture_auth_agent_cert_nonblocking(void **state)
+ {
+#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -596,6 +600,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
+#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     torture_auth_agent_nonblocking(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
+--- ../libssh-0.9.6/tests/client/torture_rekey.c	2023-04-28 17:26:41.472315318 +0200
+++ ./tests/client/torture_rekey.c	2023-05-02 10:36:00.805381857 +0200
+@@ -38,6 +38,8 @@
+ #include <fcntl.h>
+ #include <pwd.h>
+ 
+#define KEX_RETRY 32
+
+ static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
+ 
+ static int sshd_setup(void **state)
+@@ -190,10 +192,11 @@
+     rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
+     assert_int_equal(rc, SSH_AUTH_SUCCESS);
+ 
+-    /* send ignore packets of up to 1KB to trigger rekey */
+    /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
+     * to make sure it completes with all different ciphers */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+         ssh_handle_packets(s->ssh.session, 50);
+     }
+@@ -496,9 +499,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 20; i++) {
+    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
+        ssh_handle_packets(s->ssh.session, 100);
+
+        c = s->ssh.session->current_crypto;
+        /* SHA256 len */
+        if (c->digest_len != 32) {
+            break;
+        }
+     }
+ 
+     /* The rekey limit was restored in the new crypto to the same value */
+@@ -568,9 +577,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 25; i++) {
+    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
+        ssh_handle_packets(s->ssh.session, 100);
+
+        c = s->ssh.session->current_crypto;
+        /* SHA256 len */
+        if (c->digest_len != 32) {
+            break;
+        }
+     }
+ 
+     /* Check that the secret hash is different than initially */
+diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
+--- ../libssh-0.9.6/tests/CMakeLists.txt	2021-08-26 14:27:42.000000000 +0200
+++ ./tests/CMakeLists.txt	2023-05-02 10:32:03.964511860 +0200
+@@ -153,6 +153,17 @@
+         execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
+     endif()
+ 
+    find_program(TIMEOUT_EXECUTABLE
+                 NAME
+                    timeout
+                 PATHS
+                    /bin
+                    /usr/bin
+                    /usr/local/bin)
+    if (TIMEOUT_EXECUTABLE)
+        set(WITH_TIMEOUT "1")
+    endif()
+
+     # chroot_wrapper
+     add_library(chroot_wrapper SHARED chroot_wrapper.c)
+     set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
+diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
+--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c	2021-03-15 08:11:33.000000000 +0100
+++ ./tests/pkd/pkd_keyutil.c	2023-05-02 10:36:00.793381735 +0200
+@@ -22,7 +22,7 @@
+ #include "pkd_keyutil.h"
+ #include "pkd_util.h"
+ 
+-void setup_rsa_key() {
+void setup_rsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
+@@ -31,7 +31,7 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void setup_ed25519_key() {
+void setup_ed25519_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
+@@ -41,7 +41,7 @@
+ }
+ 
+ #ifdef HAVE_DSA
+-void setup_dsa_key() {
+void setup_dsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
+@@ -51,7 +51,7 @@
+ }
+ #endif
+ 
+-void setup_ecdsa_keys() {
+void setup_ecdsa_keys(void) {
+     int rc = 0;
+ 
+     if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
+@@ -71,27 +71,27 @@
+     }
+ }
+ 
+-void cleanup_rsa_key() {
+void cleanup_rsa_key(void) {
+     cleanup_key(LIBSSH_RSA_TESTKEY);
+ }
+ 
+-void cleanup_ed25519_key() {
+void cleanup_ed25519_key(void) {
+     cleanup_key(LIBSSH_ED25519_TESTKEY);
+ }
+ 
+ #ifdef HAVE_DSA
+-void cleanup_dsa_key() {
+void cleanup_dsa_key(void) {
+     cleanup_key(LIBSSH_DSA_TESTKEY);
+ }
+ #endif
+ 
+-void cleanup_ecdsa_keys() {
+void cleanup_ecdsa_keys(void) {
+     cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
+ }
+ 
+-void setup_openssh_client_keys() {
+void setup_openssh_client_keys(void) {
+     int rc = 0;
+ 
+     if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
+@@ -184,7 +184,7 @@
+     }
+ }
+ 
+-void cleanup_openssh_client_keys() {
+void cleanup_openssh_client_keys(void) {
+     cleanup_key(OPENSSH_CA_TESTKEY);
+     cleanup_key(OPENSSH_RSA_TESTKEY);
+     cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
+@@ -199,7 +199,7 @@
+     }
+ }
+ 
+-void setup_dropbear_client_rsa_key() {
+void setup_dropbear_client_rsa_key(void) {
+     int rc = 0;
+     if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
+@@ -208,6 +208,6 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void cleanup_dropbear_client_rsa_key() {
+void cleanup_dropbear_client_rsa_key(void) {
+     unlink(DROPBEAR_RSA_TESTKEY);
+ }
+diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
+--- ../libssh-0.9.6/tests/server/torture_server_config.c	2021-08-26 14:27:42.000000000 +0200
+++ ./tests/server/torture_server_config.c	2023-05-02 10:36:00.815381960 +0200
+@@ -285,9 +285,7 @@
+     assert_non_null(s);
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
+    assert_return_code(rc, errno);
+ 
+     unlink(s->srv_pidfile);
+ 
+@@ -513,6 +511,12 @@
+         /* Try each algorithm individually */
+         j = 0;
+         while(tokens->tokens[j] != NULL) {
+            char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
+            if (cmp == NULL) {
+                /* This cipher is not supported by the OpenSSH. Skip it */
+                j++;
+                continue;
+            }
+             snprintf(config_content,
+                     sizeof(config_content),
+                     "HostKey %s\nCiphers %s\n",
+diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
+--- ../libssh-0.9.6/tests/tests_config.h.cmake	2021-08-26 14:27:42.000000000 +0200
+++ ./tests/tests_config.h.cmake	2023-05-02 10:32:03.964511860 +0200
+@@ -66,4 +66,6 @@
+ 
+ #cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
+ #cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
+-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
+\ No newline at end of file
+#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
+#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
+#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
+diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
+--- ../libssh-0.9.6/tests/torture.c	2021-08-26 14:27:44.000000000 +0200
+++ ./tests/torture.c	2023-05-02 10:36:00.815381960 +0200
+@@ -51,6 +51,7 @@
+ #include "torture.h"
+ #include "torture_key.h"
+ #include "libssh/misc.h"
+#include "libssh/token.h"
+ 
+ #define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
+ /* socket wrapper IPv6 prefix  fd00::5357:5fxx */
+@@ -250,8 +251,12 @@
+ 
+         rc = kill(pid, 0);
+         if (rc != 0) {
+-            is_running = 0;
+-            break;
+            /* Process not found */
+            if (errno == ESRCH) {
+                is_running = 0;
+                rc = 0;
+                break;
+            }
+         }
+     }
+ 
+@@ -260,7 +265,7 @@
+                 "WARNING: The process with pid %u is still running!\n", pid);
+     }
+ 
+-    return 0;
+    return rc;
+ }
+ 
+ ssh_session torture_ssh_session(struct torture_state *s,
+@@ -611,6 +616,112 @@
+     *state = s;
+ }
+ 
+/**
+ * @brief Create a libssh server configuration file
+ *
+ * It is expected the socket directory to be already created before by calling
+ * torture_setup_socket_dir().  The created configuration file will be stored in
+ * the socket directory and the srv_config pointer in the state will be
+ * initialized.
+ *
+ * @param[in] state A pointer to a pointer to an initialized torture_state
+ *                  structure
+ */
+void torture_setup_create_libssh_config(void **state)
+{
+    struct torture_state *s = *state;
+    char ed25519_hostkey[1024] = {0};
+#ifdef HAVE_DSA
+    char dsa_hostkey[1024];
+#endif /* HAVE_DSA */
+    char rsa_hostkey[1024];
+    char ecdsa_hostkey[1024];
+    char sshd_config[2048];
+    char sshd_path[1024];
+    const char *additional_config = NULL;
+    struct stat sb;
+    const char config_string[]=
+             "LogLevel DEBUG3\n"
+             "Port 22\n"
+             "ListenAddress 127.0.0.10\n"
+             "%s %s\n"
+             "%s %s\n"
+             "%s %s\n"
+#ifdef HAVE_DSA
+             "%s %s\n"
+#endif /* HAVE_DSA */
+             "%s\n"; /* The space for test-specific options */
+    bool written = false;
+    int rc;
+
+    assert_non_null(s->socket_dir);
+
+    snprintf(sshd_path,
+             sizeof(sshd_path),
+             "%s/sshd",
+             s->socket_dir);
+
+    rc = lstat(sshd_path, &sb);
+    if (rc == 0 ) { /* The directory is already in place */
+        written = true;
+    }
+
+    if (!written) {
+        rc = mkdir(sshd_path, 0755);
+        assert_return_code(rc, errno);
+    }
+
+    snprintf(ed25519_hostkey,
+             sizeof(ed25519_hostkey),
+             "%s/sshd/ssh_host_ed25519_key",
+             s->socket_dir);
+
+    snprintf(rsa_hostkey,
+             sizeof(rsa_hostkey),
+             "%s/sshd/ssh_host_rsa_key",
+             s->socket_dir);
+
+    snprintf(ecdsa_hostkey,
+             sizeof(ecdsa_hostkey),
+             "%s/sshd/ssh_host_ecdsa_key",
+             s->socket_dir);
+
+#ifdef HAVE_DSA
+    snprintf(dsa_hostkey,
+             sizeof(dsa_hostkey),
+             "%s/sshd/ssh_host_dsa_key",
+             s->socket_dir);
+#endif /* HAVE_DSA */
+
+    if (!written) {
+        torture_write_file(ed25519_hostkey,
+                           torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
+        torture_write_file(rsa_hostkey,
+                           torture_get_testkey(SSH_KEYTYPE_RSA, 0));
+        torture_write_file(ecdsa_hostkey,
+                           torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
+#ifdef HAVE_DSA
+        torture_write_file(dsa_hostkey,
+                           torture_get_testkey(SSH_KEYTYPE_DSS, 0));
+#endif /* HAVE_DSA */
+    }
+
+    additional_config = (s->srv_additional_config != NULL ?
+                         s->srv_additional_config : "");
+
+    snprintf(sshd_config, sizeof(sshd_config),
+            config_string,
+            "HostKey", ed25519_hostkey,
+            "HostKey", rsa_hostkey,
+            "HostKey", ecdsa_hostkey,
+#ifdef HAVE_DSA
+            "HostKey", dsa_hostkey,
+#endif /* HAVE_DSA */
+            additional_config);
+
+    torture_write_file(s->srv_config, sshd_config);
+}
+
+ static void torture_setup_create_sshd_config(void **state, bool pam)
+ {
+     struct torture_state *s = *state;
+@@ -856,21 +967,140 @@
+     return 1;
+ }
+ 
+-void torture_setup_sshd_server(void **state, bool pam)
+/**
+ * @brief Run a libssh based server under timeout.
+ *
+ * It is expected that the socket directory and libssh configuration file were
+ * already created before by calling torture_setup_socket_dir() and
+ * torture_setup_create_libssh_config() (or alternatively setup the state with
+ * the correct values).
+ *
+ * @param[in] state The content of the address pointed by this variable must be
+ *                  a pointer to an initialized instance of torture_state
+ *                  structure; it can be obtained by calling
+ *                  torture_setup_socket_dir() and
+ *                  torture_setup_create_libssh_config().
+ * @param[in] server_path  The path to the server executable.
+ *
+ * @note This function will use the state->srv_additional_config field as
+ * additional command line option used when starting the server instead of extra
+ * configuration file options.
+ * */
+void torture_setup_libssh_server(void **state, const char *server_path)
+ {
+     struct torture_state *s;
+-    char sshd_start_cmd[1024];
+    char start_cmd[1024];
+    char timeout_cmd[512];
+    char env[1024];
+    char extra_options[1024];
+     int rc;
+    char *ld_preload = NULL;
+    const char *force_fips = NULL;
+ 
+-    torture_setup_socket_dir(state);
+-    torture_setup_create_sshd_config(state, pam);
+    struct ssh_tokens_st *env_tokens;
+    struct ssh_tokens_st *arg_tokens;
+
+    pid_t pid;
+    ssize_t printed;
+
+    s = *state;
+
+    /* Get all the wrapper libraries to be pre-loaded */
+    ld_preload = getenv("LD_PRELOAD");
+
+    if (s->srv_additional_config != NULL) {
+        printed = snprintf(extra_options, sizeof(extra_options), " %s ",
+                           s->srv_additional_config);
+        if (printed < 0) {
+            fail_msg("Failed to print additional config!");
+        }
+    } else {
+        printed = snprintf(extra_options, sizeof(extra_options), " ");
+        if (printed < 0) {
+            fail_msg("Failed to print empty additional config!");
+        }
+    }
+
+    if (ssh_fips_mode()) {
+        force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
+    } else {
+        force_fips = "";
+    }
+
+    /* Write the environment setting */
+    printed = snprintf(env, sizeof(env),
+                       "SOCKET_WRAPPER_DIR=%s "
+                       "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
+                       "LD_PRELOAD=%s "
+                       "%s",
+                       s->socket_dir, ld_preload, force_fips);
+    if (printed < 0) {
+        fail_msg("Failed to print env!");
+    }
+
+#ifdef WITH_TIMEOUT
+    snprintf(timeout_cmd, sizeof(timeout_cmd),
+             "%s %s ", TIMEOUT_EXECUTABLE, "5m");
+#else
+    timeout_cmd[0] = '\0';
+#endif
+
+    /* Write the start command */
+    printed = snprintf(start_cmd, sizeof(start_cmd),
+                       "%s"
+                       "%s -f%s -v4 -p22 -i%s -C%s%s%s",
+                       timeout_cmd,
+                       server_path, s->pcap_file, s->srv_pidfile,
+                       s->srv_config, extra_options, TORTURE_SSH_SERVER);
+    if (printed < 0) {
+        fail_msg("Failed to print start command!");
+    }
+
+    pid = fork();
+    switch(pid) {
+    case 0:
+        env_tokens = ssh_tokenize(env, ' ');
+        if (env_tokens == NULL || env_tokens->tokens == NULL) {
+            fail_msg("Failed to tokenize env!");
+        }
+
+        arg_tokens = ssh_tokenize(start_cmd, ' ');
+        if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
+            ssh_tokens_free(env_tokens);
+            fail_msg("Failed to tokenize args!");
+        }
+
+        rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
+                    (char **)env_tokens->tokens);
+
+        /* execve returns only in case of error */
+        ssh_tokens_free(env_tokens);
+        ssh_tokens_free(arg_tokens);
+        fail_msg("Error in execve: %s", strerror(errno));
+    case -1:
+        fail_msg("Failed to fork!");
+    default:
+        /* The parent continues the execution of the tests */
+        setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
+        unsetenv("PAM_WRAPPER");
+
+        /* Wait until the server is ready to accept connections */
+        rc = torture_wait_for_daemon(15);
+        assert_int_equal(rc, 0);
+        break;
+    }
+}
+
+static int torture_start_sshd_server(void **state)
+{
+    struct torture_state *s = *state;
+    char sshd_start_cmd[1024];
+    int rc;
+ 
+     /* Set the default interface for the server */
+     setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
+     setenv("PAM_WRAPPER", "1", 1);
+ 
+-    s = *state;
+-
+     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
+              SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+              s->srv_config, s->socket_dir, s->socket_dir);
+@@ -882,7 +1112,20 @@
+     unsetenv("PAM_WRAPPER");
+ 
+     /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
+    rc = torture_wait_for_daemon(15);
+    assert_int_equal(rc, 0);
+
+    return SSH_OK;
+}
+
+void torture_setup_sshd_server(void **state, bool pam)
+{
+    int rc;
+
+    torture_setup_socket_dir(state);
+    torture_setup_create_sshd_config(state, pam);
+
+    rc = torture_start_sshd_server(state);
+     assert_int_equal(rc, 0);
+ }
+ 
+@@ -922,29 +1165,12 @@
+ torture_reload_sshd_server(void **state)
+ {
+     struct torture_state *s = *state;
+-    pid_t pid;
+     int rc;
+ 
+-    /* read the pidfile */
+-    pid = torture_read_pidfile(s->srv_pidfile);
+-    assert_int_not_equal(pid, -1);
+-
+-    kill(pid, SIGHUP);
+-
+-    /* 10 ms */
+-    usleep(10 * 1000);
+-
+-    rc = kill(pid, 0);
+-    if (rc != 0) {
+-        fprintf(stderr,
+-                "ERROR: SSHD process %u died during reload!\n", pid);
+-        return SSH_ERROR;
+-    }
+    rc = torture_terminate_process(s->srv_pidfile);
+    assert_return_code(rc, errno);
+ 
+-    /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
+-    assert_int_equal(rc, 0);
+-    return SSH_OK;
+    return torture_start_sshd_server(state);
+ }
+ 
+ /* @brief: Updates SSHD server configuration with more options and
+@@ -980,9 +1206,7 @@
+     int rc;
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
+    assert_return_code(rc, errno);
+ 
+     torture_teardown_socket_dir(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
+--- ../libssh-0.9.6/tests/torture.h	2021-08-26 14:27:44.000000000 +0200
+++ ./tests/torture.h	2023-05-02 10:32:03.964511860 +0200
+@@ -132,6 +132,10 @@
+ 
+ void torture_reset_config(ssh_session session);
+ 
+void torture_setup_create_libssh_config(void **state);
+
+void torture_setup_libssh_server(void **state, const char *server_path);
+
+ /*
+  * This function must be defined in every unit test file.
+  */
--- a/SOURCES/null_dereference_rekey.patch
+++ b/SOURCES/null_dereference_rekey.patch
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.9.6
-Release:        6%{?dist}
+Release:        10%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@ -13,6 +13,10 @@ Source4:        libssh_server.config

 Patch0:         loglevel.patch
 Patch1:         s390x_fix.patch
+Patch2:         null_dereference_rekey.patch
+Patch3:         auth_bypass.patch
+Patch4:         fix_tests.patch
+Patch5:         covscan23.patch

 BuildRequires:  cmake
 BuildRequires:  doxygen
@ -141,6 +145,25 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config

 %changelog
+* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
+- Fix loglevel regression
+- Related: rhbz#2189968, rhbz#2189741
+
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
+- Fix covscan issue found at gating
+- Related: rhbz#2189968, rhbz#2189741
+
+* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
+- Backport test fixing commits to make the build pass
+- Relates: rhbz#2189968, rhbz#2189741
+
+* Tue Apr 25 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
+- Fix NULL dereference during rekeying with algorithm guessing 
+  GHSL-2023-032 / CVE-2023-1667 
+- Fix possible authentication bypass
+  GHSL 2023-085 / CVE-2023-2283
+- Resolves: rhbz#2189968, rhbz#2189741
+
 * Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
 - Enable client and server testing build time
 - Fix failing rekey test on arch s390x