rpms/libssh
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to new upstream version 0.11.1

Browse Source 
Resolves: RHEL-64319

Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2024-10-23 11:29:28 +02:00
parent 8cea5f4273
commit f839ac2f29
11 changed files with 74 additions and 4535 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -70,3 +70,5 @@ libssh-0.4.4.tar.gz.asc
/libssh-0.10.5.tar.xz.asc /libssh-0.10.5.tar.xz.asc
/libssh-0.10.6.tar.xz /libssh-0.10.6.tar.xz
/libssh-0.10.6.tar.xz.asc /libssh-0.10.6.tar.xz.asc
/libssh-0.11.1.tar.xz
/libssh-0.11.1.tar.xz.asc

41
libssh-0.10.6-compress.patch
View File

@ -1,41 +0,0 @@
From c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 12 Aug 2024 17:49:46 +0200
Subject: [PATCH] wrapper: Avoid asymmetric termination of gzip context
For some reason, both compress and decompress contexts were terminated
with both compress and decompress end functions (if the deflateEnd worked),
which was causing for some another unexplained reasons issues on i686
architecture when running the torture_packet unit test.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/wrapper.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/wrapper.c b/src/wrapper.c
index bf949ea9..d9cf6db5 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -200,14 +200,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
SAFE_FREE(crypto->secret_hash);
}
#ifdef WITH_ZLIB
- if (crypto->compress_out_ctx &&
- (deflateEnd(crypto->compress_out_ctx) != 0)) {
- inflateEnd(crypto->compress_out_ctx);
+ if (crypto->compress_out_ctx) {
+ deflateEnd(crypto->compress_out_ctx);
}
SAFE_FREE(crypto->compress_out_ctx);
- if (crypto->compress_in_ctx &&
- (deflateEnd(crypto->compress_in_ctx) != 0)) {
+ if (crypto->compress_in_ctx) {
inflateEnd(crypto->compress_in_ctx);
}
SAFE_FREE(crypto->compress_in_ctx);
--
2.46.0

263
libssh-0.10.6-ipv6-hostname.patch
View File

@ -1,263 +0,0 @@
From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 22 Dec 2023 10:32:40 +0100
Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
include/libssh/config_parser.h | 11 ++++++++---
src/config.c | 4 ++--
src/config_parser.c | 16 +++++++++++-----
src/options.c | 10 ++--------
4 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
index a7dd42a2..ca353432 100644
--- a/include/libssh/config_parser.h
+++ b/include/libssh/config_parser.h
@@ -30,6 +30,8 @@
extern "C" {
#endif
+#include <stdbool.h>
+
char *ssh_config_get_cmd(char **str);
char *ssh_config_get_token(char **str);
@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
* be stored or NULL if we do not care about the result.
* @param[out] port Pointer to the location, where the new port will
* be stored or NULL if we do not care about the result.
+ * @param[in] ignore_port Set to true if the we should not attempt to parse
+ * port number.
*
* @returns SSH_OK if the provided string is in format of SSH URI,
* SSH_ERROR on failure
*/
int ssh_config_parse_uri(const char *tok,
- char **username,
- char **hostname,
- char **port);
+ char **username,
+ char **hostname,
+ char **port,
+ bool ignore_port);
#ifdef __cplusplus
}
diff --git a/src/config.c b/src/config.c
index 5eedbce9..7135c3b1 100644
--- a/src/config.c
+++ b/src/config.c
@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
}
if (parse_entry) {
/* We actually care only about the first item */
- rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
+ rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
/* The rest of the list needs to be passed on */
if (endp != NULL) {
next = strdup(endp + 1);
@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
}
} else {
/* The rest is just sanity-checked to avoid failures later */
- rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
+ rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
}
if (rv != SSH_OK) {
goto out;
diff --git a/src/config_parser.c b/src/config_parser.c
index 9ffc8b8b..5f30cd3e 100644
--- a/src/config_parser.c
+++ b/src/config_parser.c
@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
}
int ssh_config_parse_uri(const char *tok,
- char **username,
- char **hostname,
- char **port)
+ char **username,
+ char **hostname,
+ char **port,
+ bool ignore_port)
{
char *endp = NULL;
long port_n;
@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
if (endp == NULL) {
goto error;
}
- } else {
- /* Hostnames or aliases expand to the last colon or to the end */
+ } else if (!ignore_port) {
+ /* Hostnames or aliases expand to the last colon (if port is requested)
+ * or to the end */
endp = strrchr(tok, ':');
if (endp == NULL) {
endp = strchr(tok, '\0');
}
+ } else {
+ /* If no port is requested, expand to the end of line
+ * (to accommodate the IPv6 addresses) */
+ endp = strchr(tok, '\0');
}
if (tok == endp) {
/* Zero-length hostnames are not valid */
diff --git a/src/options.c b/src/options.c
index 2e73be46..676c49e7 100644
--- a/src/options.c
+++ b/src/options.c
@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
ssh_set_error_invalid(session);
return -1;
} else {
- char *username = NULL, *hostname = NULL, *port = NULL;
- rc = ssh_config_parse_uri(value, &username, &hostname, &port);
+ char *username = NULL, *hostname = NULL;
+ rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
if (rc != SSH_OK) {
return -1;
}
- if (port != NULL) {
- SAFE_FREE(username);
- SAFE_FREE(hostname);
- SAFE_FREE(port);
- return -1;
- }
if (username != NULL) {
SAFE_FREE(session->opts.username);
session->opts.username = username;
--
2.43.0
From 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 22 Dec 2023 09:52:18 +0100
Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
hostnames
This was an issue in cockpit:
https://github.com/cockpit-project/cockpit/issues/19772
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
tests/unittests/torture_config.c | 49 +++++++++++++++++++++++++++++++
tests/unittests/torture_options.c | 16 ++++++++++
2 files changed, 65 insertions(+)
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index bc6b08f9..751aa126 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
torture_config_make_absolute_int(state, 1);
}
+static void torture_config_parse_uri(void **state)
+{
+ char *username = NULL;
+ char *hostname = NULL;
+ char *port = NULL;
+ int rc;
+
+ (void)state; /* unused */
+
+ rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "localhost");
+ SAFE_FREE(hostname);
+ assert_null(port);
+
+ rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1.2.3.4");
+ SAFE_FREE(hostname);
+ assert_null(port);
+
+ rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1.2.3.4");
+ SAFE_FREE(hostname);
+ assert_string_equal(port, "2222");
+ SAFE_FREE(port);
+
+ rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1:2:3::4");
+ SAFE_FREE(hostname);
+ assert_string_equal(port, "2222");
+ SAFE_FREE(port);
+
+ /* do not want port */
+ rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1:2:3::4");
+ SAFE_FREE(hostname);
+}
+
int torture_run_tests(void)
{
int rc;
@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
setup, teardown),
cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
setup_no_sshdir, teardown),
+ cmocka_unit_test_setup_teardown(torture_config_parse_uri,
+ setup, teardown),
};
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index 5ba3bdc6..b07712d8 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "localhost");
+ /* IPv4 address */
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
+ assert_true(rc == 0);
+ assert_non_null(session->opts.host);
+ assert_string_equal(session->opts.host, "127.1.1.1");
+ assert_null(session->opts.username);
+
+ /* IPv6 address */
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
+ assert_true(rc == 0);
+ assert_non_null(session->opts.host);
+ assert_string_equal(session->opts.host, "::1");
+ assert_null(session->opts.username);
+
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
assert_true(rc == 0);
assert_non_null(session->opts.host);
@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
assert_non_null(session->opts.username);
assert_string_equal(session->opts.username, "guru");
+ /* more @ in uri is OK -- it should go to the username */
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
assert_true(rc == 0);
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "hostname");
assert_non_null(session->opts.username);
assert_string_equal(session->opts.username, "at@login");
+
}
static void torture_options_set_ciphers(void **state) {
--
2.43.0

48
libssh-0.10.6-no-engine.patch
View File

@ -1,48 +0,0 @@
diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
--- libssh-0.10.6/src/libcrypto.c.no-engine 2024-07-31 09:25:56.460404672 +0200
+++ libssh-0.10.6/src/libcrypto.c 2024-07-31 09:28:46.900273530 +0200
@@ -94,7 +94,7 @@ void ssh_reseed(void){
#endif
}
-#ifndef WITH_PKCS11_PROVIDER
+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
static ENGINE *engine = NULL;
ENGINE *pki_get_engine(void)
@@ -126,7 +126,7 @@ ENGINE *pki_get_engine(void)
}
return engine;
}
-#endif /* WITH_PKCS11_PROVIDER */
+#endif /* defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) */
#ifdef HAVE_OPENSSL_EVP_KDF_CTX
#if OPENSSL_VERSION_NUMBER < 0x30000000L
diff -up libssh-0.10.6/src/pki_crypto.c.no-engine libssh-0.10.6/src/pki_crypto.c
--- libssh-0.10.6/src/pki_crypto.c.no-engine 2024-07-31 09:26:34.296823306 +0200
+++ libssh-0.10.6/src/pki_crypto.c 2024-07-31 09:29:36.414810967 +0200
@@ -33,7 +33,9 @@
#include <openssl/pem.h>
#include <openssl/evp.h>
+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
#include <openssl/engine.h>
+#endif
#include <openssl/err.h>
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/dsa.h>
diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
--- libssh-0.10.6/src/libcrypto.c.no-engine 2024-07-31 11:03:45.262319724 +0200
+++ libssh-0.10.6/src/libcrypto.c 2024-07-31 11:04:59.842161279 +0200
@@ -53,7 +53,9 @@
#include <openssl/core_names.h>
#endif /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h>
+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
#include <openssl/engine.h>
+#endif
#include "libcrypto-compat.h"

4069
libssh-0.10.6-pkcs11-provider.patch
View File

File diff suppressed because it is too large Load Diff

47
libssh-0.10.6-rate-limit.patch
View File

@ -1,47 +0,0 @@
From 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 9 Aug 2024 11:30:15 +0200
Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
The new OpenSSH rate limits the failed authentication attempts per source
address and drops connection when the amount is reached, which is happening
in our testsuite.
By whitelisting the IP address of the client on the socket wrapper,
this allows the tests to pass.
https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
tests/torture.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tests/torture.c b/tests/torture.c
index c832dfa6..ad0a7836 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -755,6 +755,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"HostKeyAlgorithms " OPENSSH_KEYS "\n"
#if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
"CASignatureAlgorithms " OPENSSH_KEYS "\n"
+#endif
+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
+ "PerSourcePenaltyExemptList 127.0.0.21\n"
#endif
"Ciphers " OPENSSH_CIPHERS "\n"
"KexAlgorithms " OPENSSH_KEX "\n"
@@ -786,6 +789,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"%s\n" /* Here comes UsePam */
"%s" /* The space for test-specific options */
"\n"
+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
+ "PerSourcePenaltyExemptList 127.0.0.21\n"
+#endif
"Ciphers "
"aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
"aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
--
2.46.0

37
libssh-0.10.6-rekey-timeout.patch
View File

@ -1,37 +0,0 @@
From 96d76161666b117099696afebcef2fe42ae80715 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 16 May 2023 22:55:11 +0200
Subject: [PATCH] tests: Give the server more time handle rekey
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
---
tests/client/torture_rekey.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
index ccd5ae2cf..0fc13b8b3 100644
--- a/tests/client/torture_rekey.c
+++ b/tests/client/torture_rekey.c
@@ -505,7 +505,7 @@ static void torture_rekey_different_kex(void **state)
memset(data, 'A', 128);
for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 100);
+ ssh_handle_packets(s->ssh.session, 1000);
c = s->ssh.session->current_crypto;
/* SHA256 len */
@@ -583,7 +583,7 @@ static void torture_rekey_server_different_kex(void **state)
memset(data, 'A', 128);
for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 100);
+ ssh_handle_packets(s->ssh.session, 1000);
c = s->ssh.session->current_crypto;
/* SHA256 len */
--
GitLab

54
libssh-0.11.1-fix-provider-loading.patch Normal file
View File

@ -0,0 +1,54 @@
diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
--- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
@@ -240,6 +240,14 @@ int torture_run_tests(void) {
session_teardown),
};
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
@@ -563,6 +563,14 @@ int torture_run_tests(void) {
ssh_session session = ssh_new();
int verbosity = SSH_LOG_FUNCTIONS;
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_init();
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
--- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
@@ -285,6 +285,14 @@ torture_run_tests(void)
ssh_session session = ssh_new();
int verbosity = SSH_LOG_FUNCTIONS;
+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
+ * It can load a pkcs11 provider too early before we will set up environment
+ * variables that are needed for the pkcs11 provider to access correct
+ * tokens, causing unexpected failures.
+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
+ */
+ setenv("OPENSSL_CONF", "/dev/null", 1);
+
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
ssh_init();

BIN
libssh.keyring
View File

Binary file not shown.

44
libssh.spec
View File

@ -1,37 +1,18 @@
Name: libssh Name: libssh
Version: 0.10.6 Version: 0.11.1
Release: 8%{?dist} Release: 1%{?dist}
Summary: A library implementing the SSH protocol Summary: A library implementing the SSH protocol
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
URL: http://www.libssh.org URL: http://www.libssh.org
Source0: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
Source3: libssh_client.config Source3: libssh_client.config
Source4: libssh_server.config Source4: libssh_server.config
Patch1: libssh-0.10.6-rekey-timeout.patch # Don't use global openssl.cnf for PKCS#11 URI Tests
# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431 # https://gitlab.com/libssh/libssh-mirror/-/merge_requests/543
Patch2: libssh-0.10.6-ipv6-hostname.patch Patch1: libssh-0.11.1-fix-provider-loading.patch
# Backport of the following commits from master before we will have the next 0.11.0 release:
# 9717b99136cbff850000378f70d1391f348713f9 libcrypto-compat.c/h: Remove no longer supported openssl versions
# 54c1703cb22b917222a6eb2a5d2fde22319d9b7a Move old DSA and RSA structs into EVP_PKEY
# 1eb3df5254a4348eae6edbc8a2bf08fef4015897 Get rid of the deprecated OpenSSL API
# 4fb5af1da5cb02933cb4cfa10f72484cca9ca961 src/pki_crypto.c: Fix errors introduced by EC rework
# 2539d72b7c8d03d54538533db5b346dad52d6db3 Add support for PKCS#11 provider in OpenSSL 3.0
# f8d7fee58842a11ad7a0386b4e829e36cd6e9432 pki: Use preference hints when loading keys from store
# e0011a197009897fcba09229e76940d9f5b12404 pki: Avoid freeing static groups/points on OpenSSL<3
# 9b263cf5e1da6e06f6ab90e3169409a7bed60835 pki_crypto: Fix ecdsa memory leak
# baa773d1cd6838af33fedcd65ddbb4e46e2b06c0 pki: Calculate missing CRT parameters when building RSA Key
# 2c876464ab0a27387a122c6a4b39ec187a6fc596 ecdh: Fix missing-prototype warning
# 2c918aad6763754bdffb84796b410e21f24bb7ec tests: Use /tmp for tmpdirs that contain sockets
Patch3: libssh-0.10.6-pkcs11-provider.patch
Patch4: libssh-0.10.6-no-engine.patch
# 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad
Patch5: libssh-0.10.6-rate-limit.patch
# c9cfeb9b838b801c3e2bb070c3db914e81ca4e68
Patch6: libssh-0.10.6-compress.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -40,6 +21,8 @@ BuildRequires: openssl-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: krb5-server
BuildRequires: krb5-workstation
BuildRequires: libcmocka-devel BuildRequires: libcmocka-devel
BuildRequires: pam_wrapper BuildRequires: pam_wrapper
BuildRequires: socket_wrapper BuildRequires: socket_wrapper
@ -92,7 +75,7 @@ Obsoletes: %{name} < 0.9.0-3
The %{name}-config package provides the default configuration files for %{name}. The %{name}-config package provides the default configuration files for %{name}.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 %autosetup -p1
%build %build
@ -100,6 +83,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
-DUNIT_TESTING=ON \ -DUNIT_TESTING=ON \
-DCLIENT_TESTING=ON \ -DCLIENT_TESTING=ON \
-DSERVER_TESTING=ON \ -DSERVER_TESTING=ON \
-DGSSAPI_TESTING=ON \
-DWITH_PKCS11_URI=ON \ -DWITH_PKCS11_URI=ON \
-DWITH_PKCS11_PROVIDER=ON \ -DWITH_PKCS11_PROVIDER=ON \
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \ -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
@ -157,6 +141,10 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog %changelog
* Wed Oct 23 2024 Sahana Prasad <sahana@redhat.com> - 0.11.1-1
- Rebase to new upstream version 0.11.1
- Resolves: RHEL-64319
* Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8 * Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
- Remove the dependency on engine.h - Remove the dependency on engine.h

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (libssh-0.10.6.tar.xz) = 40c62d63c44e882999b71552c237d73fc7364313bd00b15a211a34aeff1b73693da441d2c8d4e40108d00fb7480ec7c5b6d472f9c0784b2359a179632ab0d6c1 SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
SHA512 (libssh-0.10.6.tar.xz.asc) = 214d7920bebc80a8e6838c64ed06e070709a96fabfb4fff657b55f9588bc0e1612887fe887d23de73ad3540f3bb85288e62eb6a11ccd4bc80afbd44d34ba70d4 SHA512 (libssh-0.11.1.tar.xz.asc) = 7d1a2f02a9abba5373b1a29a9097fef65e46ff3a22e36bcb3549066d69fbd8e2702ff3b6182bae931282d10256da2ca8a364935b068d6d5bc767d877572ee3e2