.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,76 +1,2 @@
-libssh-0.4.4.tar.gz
-libssh-0.4.4.tar.gz.asc
-/libssh-0.4.6.tar.gz
-/libssh-0.4.6.tar.gz.asc
-/libssh-0.4.8.tar.gz
-/libssh-0.4.8.tar.gz.asc
-/libssh-0.5.0.tar.gz
-/libssh-0.5.0.tar.gz.asc
-/libssh-0.5.2.tar.gz
-/libssh-0.5.2.tar.gz.asc
-/libssh-0.5.3.tar.gz
-/libssh-0.5.3.tar.asc
-/libssh-0.5.4.tar.gz
-/libssh-0.5.4.tar.asc
-/libssh-0.5.5.tar.gz
-/libssh-0.5.5.tar.asc
-/libssh-0.6.0.tar.xz
-/libssh-0.6.1.tar.xz
-/libssh-0.6.3.tar.xz
-/libssh-0.6.4.tar.gz
-/libssh-0.6.5.tar.xz
-/libssh-0.7.0.tar.xz
-/libssh-0.7.1.tar.xz
-/libssh-0.7.2.tar.xz
-/libssh-0.7.3.tar.xz
-/libssh-0.7.4.tar.xz
-/libssh-0.7.5.tar.xz
-/libssh-0.8.0.tar.xz
-/libssh-0.8.0.tar.xz.asc
-/libssh-0.8.1.tar.xz
-/libssh-0.8.1.tar.xz.asc
-/libssh-0.8.2.tar.xz
-/libssh-0.8.2.tar.xz.asc
-/libssh-0.8.3.tar.xz
-/libssh-0.8.3.tar.xz.asc
-/libssh-0.8.4.tar.xz
-/libssh-0.8.4.tar.xz.asc
-/libssh-0.8.5.tar.xz
-/libssh-0.8.5.tar.xz.asc
-/libssh-0.8.6.tar.xz
-/libssh-0.8.6.tar.xz.asc
-/libssh-0.8.7.tar.xz
-/libssh-0.8.7.tar.xz.asc
-/libssh-0.8.91.tar.xz
-/libssh_client.config
-/libssh_server.config
-/libssh-0.9.0.tar.xz
-/libssh-0.9.0.tar.xz.asc
-/libssh-0.9.2.tar.xz
-/libssh-0.9.2.tar.xz.asc
-/libssh-0.9.3.tar.xz
-/libssh-0.9.3.tar.xz.asc
-/libssh-0.9.4.tar.xz
-/libssh-0.9.4.tar.xz.asc
-/libssh-0.9.5.tar.xz
-/libssh-0.9.5.tar.xz.asc
-/libssh-0.9.6.tar.xz
-/libssh-0.9.6.tar.xz.asc
-/libssh-0.10.0.tar.xz
-/libssh-0.10.0.tar.xz.asc
-/libssh-0.10.1.tar.xz
-/libssh-0.10.1.tar.xz.asc
-/libssh-0.10.2.tar.xz
-/libssh-0.10.2.tar.xz.asc
-/libssh-0.10.3.tar.xz
-/libssh-0.10.3.tar.xz.asc
-/libssh-0.10.4.tar.xz
-/libssh-0.10.4.tar.xz.asc
-/libssh-0.10.5.tar.xz
-/libssh-0.10.5.tar.xz.asc
-/libssh-0.10.6.tar.xz
-/libssh-0.10.6.tar.xz.asc
-/libssh-0.11.1.tar.xz
-/libssh-0.11.1.tar.xz.asc
-/libssh-0.12.0.tar.xz
-/libssh-0.12.0.tar.xz.asc
+SOURCES/libssh-0.9.6.tar.xz
+SOURCES/libssh.keyring

.libssh.metadata

@@ -0,0 +1,2 @@
+1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
+3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring

SOURCES/CVE-2023-48795.patch

@@ -0,0 +1,723 @@
+From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Tue, 12 Dec 2023 23:09:57 +0100
+Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ include/libssh/packet.h  |  1 +
+ include/libssh/session.h |  6 +++++
+ src/curve25519.c         | 19 +++----------
+ src/dh-gex.c             |  7 +----
+ src/dh.c                 | 17 +++---------
+ src/ecdh.c               |  8 +-----
+ src/ecdh_crypto.c        | 12 +++------
+ src/ecdh_gcrypt.c        | 10 +++----
+ src/ecdh_mbedcrypto.c    | 11 +++-----
+ src/kex.c                | 34 +++++++++++++++++++----
+ src/packet.c             | 58 ++++++++++++++++++++++++++++++++++++++++
+ src/packet_cb.c          | 12 +++++++++
+ 12 files changed, 126 insertions(+), 69 deletions(-)
+
+diff --git a/include/libssh/packet.h b/include/libssh/packet.h
+index 561bba8e..c6fbc3fc 100644
+--- a/include/libssh/packet.h
++++ b/include/libssh/packet.h
+@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
+ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
+ #endif
+ 
++int ssh_packet_send_newkeys(ssh_session session);
+ int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
+ int ssh_packet_parse_type(ssh_session session);
+ //int packet_flush(ssh_session session, int enforce_blocking);
+diff --git a/include/libssh/session.h b/include/libssh/session.h
+index 64e118ef..3cde0dd4 100644
+--- a/include/libssh/session.h
++++ b/include/libssh/session.h
+@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
+  * sending it twice during key exchange to simplify the state machine. */
+ #define SSH_SESSION_FLAG_KEXINIT_SENT 4
+ 
++/* The current SSH2 session implements the "strict KEX" feature and should behave
++ * differently on SSH2_MSG_NEWKEYS. */
++#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
++/* Unexpected packets have been sent while the session was still unencrypted */
++#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
++
+ /* codes to use with ssh_handle_packets*() */
+ /* Infinite timeout */
+ #define SSH_TIMEOUT_INFINITE -1
+diff --git a/src/curve25519.c b/src/curve25519.c
+index 37654438..6b7b4238 100644
+--- a/src/curve25519.c
++++ b/src/curve25519.c
+@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+   return SSH_PACKET_USED;
+@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
+         return SSH_ERROR;
+     }
+ 
+-    /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        goto error;
+-    }
+-
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
++
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
+     if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_PACKET_USED;
+ error:
+diff --git a/src/dh-gex.c b/src/dh-gex.c
+index 4a298542..f1880270 100644
+--- a/src/dh-gex.c
++++ b/src/dh-gex.c
+@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
+     }
+ 
+     /* Send the MSG_NEWKEYS */
+-    if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-        goto error;
+-    }
+-
+-    rc = ssh_packet_send(session);
++    rc = ssh_packet_send_newkeys(session);
+     if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+     return SSH_PACKET_USED;
+diff --git a/src/dh.c b/src/dh.c
+index c265efcb..1d519c63 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+   return SSH_PACKET_USED;
+ error:
+@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
+     }
+     SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
+ 
+-    if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-        ssh_buffer_reinit(session->out_buffer);
+-        goto error;
+-    }
+     session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
+-    if (ssh_packet_send(session) == SSH_ERROR) {
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_OK;
+ error:
+diff --git a/src/ecdh.c b/src/ecdh.c
+index e5b11ba9..af80beec 100644
+--- a/src/ecdh.c
++++ b/src/ecdh.c
+@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+   return SSH_PACKET_USED;
+diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
+index a1de27fd..62578c1b 100644
+--- a/src/ecdh_crypto.c
++++ b/src/ecdh_crypto.c
+@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto error;
+     }
+ 
+-    /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        goto error;
+-    }
+-
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    if (rc == SSH_ERROR){
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_PACKET_USED;
+ error:
+diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
+index d9c41bf9..dd4332d7 100644
+--- a/src/ecdh_gcrypt.c
++++ b/src/ecdh_gcrypt.c
+@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto out;
+     }
+ 
+-
++    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+     /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc != SSH_OK) {
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto out;
+     }
+ 
+-    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+-
+  out:
+     gcry_sexp_release(param);
+     gcry_sexp_release(key);
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index 718f1522..45251a42 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto out;
+     }
+ 
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        rc = SSH_ERROR;
++    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto out;
+     }
+ 
+-    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+-
+ out:
+     mbedtls_ecp_group_free(&grp);
+     if (rc == SSH_ERROR) {
+diff --git a/src/kex.c b/src/kex.c
+index 3e5ca6ad..0772cae8 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -163,6 +163,9 @@
+ 
+ /* RFC 8308 */
+ #define KEX_EXTENSION_CLIENT "ext-info-c"
++/* Strict kex mitigation against CVE-2023-48795 */
++#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
++#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
+ 
+ /* Allowed algorithms in FIPS mode */
+ #define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
+@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
+                     session->first_kex_follows_guess_wrong ? "wrong" : "right");
+     }
+ 
++    /*
++     * handle the "strict KEX" feature. If supported by peer, then set up the
++     * flag and verify packet sequence numbers.
++     */
++    if (server_kex) {
++        ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
++                             KEX_STRICT_CLIENT);
++        if (ok) {
++            SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
++            session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
++        }
++    } else {
++        /* client kex */
++        ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
++                             KEX_STRICT_SERVER);
++        if (ok) {
++            SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
++            session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
++        }
++    }
++
+     if (server_kex) {
+         /*
+          * If client sent a ext-info-c message in the kex list, it supports
+@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
+         return SSH_OK;
+     }
+ 
+-    /* Here we append  ext-info-c  to the list of kex algorithms */
++    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
+     kex = client->methods[SSH_KEX];
+     len = strlen(kex);
+-    if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
++    /* Comma, comma, nul byte */
++    kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
++    if (kex_len >= MAX_PACKET_LEN) {
+         /* Overflow */
+         return SSH_ERROR;
+     }
+-    kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
+     kex_tmp = realloc(kex, kex_len);
+     if (kex_tmp == NULL) {
+-        free(kex);
+         ssh_set_error_oom(session);
+         return SSH_ERROR;
+     }
+-    snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
++    snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
+     client->methods[SSH_KEX] = kex_tmp;
+ 
+     return SSH_OK;
+diff --git a/src/packet.c b/src/packet.c
+index ca7a03b7..82965fb3 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+             }
+ #endif /* WITH_ZLIB */
+             payloadsize = ssh_buffer_get_len(session->in_buffer);
++            if (session->recv_seq == UINT32_MAX) {
++                /* Overflowing sequence numbers is always fishy */
++                if (crypto == NULL) {
++                    /* don't allow sequence number overflow when unencrypted */
++                    ssh_set_error(session,
++                                  SSH_FATAL,
++                                  "Incoming sequence number overflow");
++                    goto error;
++                } else {
++                    SSH_LOG(SSH_LOG_WARNING,
++                            "Incoming sequence number overflow");
++                }
++            }
+             session->recv_seq++;
+             if (crypto != NULL) {
+                 struct ssh_cipher_struct *cipher = NULL;
+@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+             SSH_LOG(SSH_LOG_PACKET,
+                     "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
+                     session->in_packet.type, packet_len, padding, compsize, payloadsize);
++            if (crypto == NULL) {
++                /* In strict kex, only a few packets are allowed. Taint the session
++                 * if we received packets that are normally allowed but to be
++                 * refused if we are in strict kex when KEX is over.
++                 */
++                uint8_t type = session->in_packet.type;
+ 
++                if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
++                    (type < SSH2_MSG_KEXDH_INIT ||
++                     type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
++                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++                }
++            }
+             /* Check if the packet is expected */
+             filter_result = ssh_packet_incoming_filter(session);
+ 
+@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+                               session->in_packet.type);
+                 goto error;
+             case SSH_PACKET_UNKNOWN:
++                if (crypto == NULL) {
++                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++                }
+                 ssh_packet_send_unimplemented(session, session->recv_seq - 1);
+                 break;
+             }
+@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
+             SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
+                     ssh_get_error(session));
+         }
++        if (session->current_crypto == NULL) {
++            session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++        }
++    }
++}
++
++/** @internal
++ * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
++ * @param session the SSH session
++ * @return SSH_ERROR on error, else SSH_OK
++ */
++int ssh_packet_send_newkeys(ssh_session session)
++{
++    int rc;
++
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
++    if (rc < 0) {
++        return rc;
+     }
++
++    rc = ssh_packet_send(session);
++    if (rc == SSH_ERROR) {
++        return rc;
++    }
++    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
++    return rc;
+ }
+ 
+ /** @internal
+@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
+     if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
+         struct ssh_iterator *it;
+ 
++        if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
++            /* reset packet sequence number when running in strict kex mode */
++            session->send_seq = 0;
++        }
+         for (it = ssh_list_get_iterator(session->out_queue);
+              it != NULL;
+              it = ssh_list_get_iterator(session->out_queue)) {
+diff --git a/src/packet_cb.c b/src/packet_cb.c
+index 3e4d5f6d..a08f1d8a 100644
+--- a/src/packet_cb.c
++++ b/src/packet_cb.c
+@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+       goto error;
+   }
+ 
++  if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
++      /* reset packet sequence number when running in strict kex mode */
++      session->recv_seq = 0;
++      /* Check that we aren't tainted */
++      if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
++          ssh_set_error(session,
++                        SSH_FATAL,
++                        "Received unexpected packets in strict KEX mode.");
++          goto error;
++      }
++  }
++
+   if(session->server){
+     /* server things are done in server.c */
+     session->dh_handshake_state=DH_STATE_FINISHED;
+-- 
+2.41.0
+
+
+From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Tue, 12 Dec 2023 23:30:26 +0100
+Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ include/libssh/kex.h |  1 +
+ src/kex.c            | 46 ++++++++++++++++++++++++++++++++++----------
+ src/server.c         |  8 +++++++-
+ 3 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/libssh/kex.h b/include/libssh/kex.h
+index 2ace69b6..40da4ef2 100644
+--- a/include/libssh/kex.h
++++ b/include/libssh/kex.h
+@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
+ int ssh_send_kex(ssh_session session);
+ void ssh_list_kex(struct ssh_kex_struct *kex);
+ int ssh_set_client_kex(ssh_session session);
++int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
+ int ssh_kex_select_methods(ssh_session session);
+ int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
+ char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
+diff --git a/src/kex.c b/src/kex.c
+index 0772cae8..e37c176c 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
+ {
+     struct ssh_kex_struct *client = &session->next_crypto->client_kex;
+     const char *wanted;
+-    char *kex = NULL;
+-    char *kex_tmp = NULL;
+     int ok;
+     int i;
+-    size_t kex_len, len;
+ 
+     /* Skip if already set, for example for the rekey or when we do the guessing
+      * it could have been already used to make some protocol decisions. */
+@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
+         return SSH_OK;
+     }
+ 
+-    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
+-    kex = client->methods[SSH_KEX];
++    ok = ssh_kex_append_extensions(session, client);
++    if (ok != SSH_OK){
++        return ok;
++    }
++
++    return SSH_OK;
++}
++
++int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex)
++{
++    char *kex = NULL;
++    char *kex_tmp = NULL;
++    size_t kex_len, len;
++
++    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com for client
++     * and kex-strict-s-v00@openssh.com for server to the list of kex algorithms
++     */
++    kex = pkex->methods[SSH_KEX];
+     len = strlen(kex);
+-    /* Comma, comma, nul byte */
+-    kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
++    if (session->server) {
++        /* Comma, nul byte */
++        kex_len = len + 1 + strlen(KEX_STRICT_SERVER) + 1;
++    } else {
++        /* Comma, comma, nul byte */
++        kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 +
++                  strlen(KEX_STRICT_CLIENT) + 1;
++    }
+     if (kex_len >= MAX_PACKET_LEN) {
+         /* Overflow */
+         return SSH_ERROR;
+@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
+         ssh_set_error_oom(session);
+         return SSH_ERROR;
+     }
+-    snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
+-    client->methods[SSH_KEX] = kex_tmp;
+-
++    if (session->server){
++        snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_STRICT_SERVER);
++    } else {
++        snprintf(kex_tmp + len,
++                 kex_len - len,
++                 ",%s,%s",
++                 KEX_EXTENSION_CLIENT,
++                 KEX_STRICT_CLIENT);
++    }
++    pkex->methods[SSH_KEX] = kex_tmp;
+     return SSH_OK;
+ }
+ 
+diff --git a/src/server.c b/src/server.c
+index ed73e7fb..35e84465 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
+         }
+     }
+ 
+-    return 0;
++    /* Do not append the extensions during rekey */
++    if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) {
++        return SSH_OK;
++    }
++
++    rc = ssh_kex_append_extensions(session, server);
++    return rc;
+ }
+ 
+ int ssh_server_init_kex(ssh_session session) {
+-- 
+2.41.0
+
+
+From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 14 Dec 2023 12:22:01 +0100
+Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
+ matching
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/kex.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index e37c176c..eea3604b 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
+     enum ssh_key_exchange_e kex_type;
+     int i;
+ 
+-    /* Here we should drop the  ext-info-c  from the list so we avoid matching.
++    /* Here we should drop the extensions from the list so we avoid matching.
+      * it. We added it to the end, so we can just truncate the string here */
+-    ext_start = strstr(client->methods[SSH_KEX], ","KEX_EXTENSION_CLIENT);
+-    if (ext_start != NULL) {
+-        ext_start[0] = '\0';
++    if (session->client) {
++        ext_start = strstr(client->methods[SSH_KEX], "," KEX_EXTENSION_CLIENT);
++        if (ext_start != NULL) {
++            ext_start[0] = '\0';
++        }
++    }
++    if (session->server) {
++        ext_start = strstr(server->methods[SSH_KEX], "," KEX_STRICT_SERVER);
++        if (ext_start != NULL) {
++            ext_start[0] = '\0';
++        }
+     }
+ 
+     for (i = 0; i < SSH_KEX_METHODS; i++) {
+-- 
+2.41.0
+
+
+From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 14 Dec 2023 12:47:48 +0100
+Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 24 deletions(-)
+
+diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
+index 13c9a7fe..bfb273af 100644
+--- a/tests/client/torture_rekey.c
++++ b/tests/client/torture_rekey.c
+@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
+     ssh_disconnect(s->ssh.session);
+ }
+ 
++static void sanity_check_session(void **state)
++{
++    struct torture_state *s = *state;
++    struct ssh_crypto_struct *c = NULL;
++
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
++    assert_int_equal(c->in_cipher->max_blocks,
++                     bytes / c->in_cipher->blocksize);
++    assert_int_equal(c->out_cipher->max_blocks,
++                     bytes / c->out_cipher->blocksize);
++    /* when strict kex is used, the newkeys reset the sequence number */
++    if ((s->ssh.session->flags & SSH_SESSION_FLAG_KEX_STRICT) != 0) {
++        assert_int_equal(c->out_cipher->packets, s->ssh.session->send_seq);
++        assert_int_equal(c->in_cipher->packets, s->ssh.session->recv_seq);
++    } else {
++        /* Otherwise we have less encrypted packets than transferred
++         * (first are not encrypted) */
++        assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
++        assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    }
++}
++
+ /* We lower the rekey limits manually and check that the rekey
+  * really happens when sending data
+  */
+@@ -166,16 +189,10 @@ static void torture_rekey_send(void **state)
+     rc = ssh_connect(s->ssh.session);
+     assert_ssh_return_code(s->ssh.session, rc);
+ 
+-    /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks,
+-                     bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks,
+-                     bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
+     sftp_file file;
+     mode_t mask;
+ 
+-    /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
+     assert_ssh_return_code(s->ssh.session, rc);
+ 
+     /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks,
+-                     bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks,
+-                     bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+-- 
+2.41.0
+

SOURCES/CVE-2025-5318.patch

@@ -0,0 +1,27 @@
+From 9a08a370f68266f92df5a6037bd722041703df27 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 22 Apr 2025 21:18:44 +0200
+Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 9117f155..b3349e16 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
+ 
+   memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+ 
+-  if (val > SFTP_HANDLES) {
++  if (val >= SFTP_HANDLES) {
+     return NULL;
+   }
+ 
+-- 
+2.50.1
+

SOURCES/CVE-2025-5372.patch

@@ -0,0 +1,42 @@
+From 155df31305bee839041a04247645ad066ada95ee Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: [PATCH] CVE-2025-5372 libgcrypto: Simplify error checking and
+ handling of return codes in ssh_kdf()
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/libcrypto.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 3db75df6..88d93862 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -366,6 +366,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+             int key_type, unsigned char *output,
+             size_t requested_len)
+ {
++    int ret = SSH_ERROR;
+     EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+     int rc;
+ 
+@@ -401,10 +402,12 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+         goto out;
+     }
+ 
++    ret = SSH_OK;
++
+ out:
+     EVP_KDF_CTX_free(ctx);
+-    if (rc < 0) {
+-        return rc;
++    if (ret < 0) {
++        return ret;
+     }
+     return 0;
+ }
+-- 
+2.51.0
+

SOURCES/auth_bypass.patch

@@ -0,0 +1,86 @@
+diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
+--- ../libssh-0.9.6/src/pki_crypto.c	2023-04-27 12:59:08.463259052 +0200
++++ ./src/pki_crypto.c	2023-04-27 13:05:24.020610873 +0200
+@@ -2291,8 +2291,12 @@
+     unsigned char *raw_sig_data = NULL;
+     unsigned int raw_sig_len;
+ 
++    /* Function return code
++     * Do not change this variable throughout the function until the signature
++     * is successfully verified!
++     */
+     int rc = SSH_ERROR;
+-    int evp_rc;
++    int ok;
+ 
+     if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
+         signature == NULL || (signature->raw_sig == NULL
+@@ -2307,8 +2311,8 @@
+     }
+ 
+     /* Check if public key and hash type are compatible */
+-    rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+-    if (rc != SSH_OK) {
++    ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
++    if (ok != SSH_OK) {
+         return SSH_ERROR;
+     }
+ 
+@@ -2351,8 +2355,8 @@
+     }
+ 
+     /* Verify the signature */
+-    evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+-    if (evp_rc != 1){
++    ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
++    if (ok != 1){
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyInit() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+@@ -2360,35 +2364,31 @@
+     }
+ 
+ #ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
+-    evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
++    ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ #else
+-    evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
+-    if (evp_rc != 1) {
++    ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
++    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyUpdate() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+         goto out;
+     }
+ 
+-    evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
++    ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ #endif
+-    if (evp_rc == 1) {
+-        SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+-        rc = SSH_OK;
+-    } else {
++    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "Signature invalid: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+-        rc = SSH_ERROR;
++        goto out;
+     }
+ 
++    SSH_LOG(SSH_LOG_TRACE, "Signature valid");
++    rc = SSH_OK;
++
+ out:
+-    if (ctx != NULL) {
+-        EVP_MD_CTX_free(ctx);
+-    }
+-    if (pkey != NULL) {
+-        EVP_PKEY_free(pkey);
+-    }
++    EVP_MD_CTX_free(ctx);
++    EVP_PKEY_free(pkey);
+     return rc;
+ }
+ 

SOURCES/covscan23.patch

@@ -0,0 +1,228 @@
+diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
+--- ../libssh-0.9.6/src/buffer.c	2023-05-03 11:53:48.710217753 +0200
++++ ./src/buffer.c	2023-05-03 11:58:21.995200990 +0200
+@@ -747,7 +747,8 @@
+  */
+ int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
+ {
+-    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
++    if (buffer == NULL || buffer->pos + len < len ||
++        buffer->pos + len > buffer->used) {
+         return SSH_ERROR;
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
+--- ../libssh-0.9.6/src/gssapi.c	2023-05-03 11:53:48.732217993 +0200
++++ ./src/gssapi.c	2023-05-03 11:58:21.976200782 +0200
+@@ -437,11 +437,18 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            ssh_auth_reply_default(session, 0);
++            ssh_gssapi_free(session);
++            session->gssapi = NULL;
++            return SSH_PACKET_USED;
++        }
+         ssh_packet_send(session);
+     }
+ 
+@@ -846,6 +853,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
++    int rc;
+     ssh_string oid_s;
+     gss_uint32 maj_stat, min_stat;
+     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+@@ -897,11 +905,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            goto error;
++        }
+         ssh_packet_send(session);
+         session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
+     }
+@@ -963,6 +975,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
++    int rc;
+     ssh_string token;
+     char *hexa;
+     OM_uint32 maj_stat, min_stat;
+@@ -1015,11 +1028,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            goto error;
++        }
+         ssh_packet_send(session);
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
+--- ../libssh-0.9.6/src/options.c	2021-08-26 14:27:42.000000000 +0200
++++ ./src/options.c	2023-05-03 11:58:22.000201044 +0200
+@@ -547,7 +547,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
++                    SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
+                     SAFE_FREE(q);
++                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i <= 0) {
+@@ -743,7 +745,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
++                    SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+                     SAFE_FREE(q);
++                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i < 0) {
+@@ -1818,7 +1822,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
++            SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
++            SAFE_FREE(q);
++            return -1;
+         }
+         SAFE_FREE(q);
+ 
+@@ -1845,7 +1851,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
++            SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
++            SAFE_FREE(q);
++            return -1;
+         }
+         SAFE_FREE(q);
+ 
+diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
+--- ../libssh-0.9.6/src/pki_container_openssh.c	2023-05-03 11:53:48.713217785 +0200
++++ ./src/pki_container_openssh.c	2023-05-03 11:58:21.976200782 +0200
+@@ -630,7 +630,11 @@
+             goto error;
+         }
+ 
+-        ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
++        rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
++        if (rc != SSH_OK) {
++            SSH_BUFFER_FREE(kdf_buf);
++            goto error;
++        }
+         kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
+         if (kdf_options == NULL){
+             SSH_BUFFER_FREE(kdf_buf);
+diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
+--- ../libssh-0.9.6/tests/unittests/torture_options.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/unittests/torture_options.c	2023-05-03 11:59:21.726853027 +0200
+@@ -311,6 +311,7 @@
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
+     assert_true(rc == -1);
++    assert_int_not_equal(session->opts.port, 0);
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
+     assert_true(rc == -1);
+@@ -853,6 +854,26 @@
+     ssh_free(new);
+ }
+ 
++static void torture_options_set_verbosity (void **state)
++{
++    ssh_session session = *state;
++    int rc, new_level;
++
++    rc = ssh_options_set(session,
++                         SSH_OPTIONS_LOG_VERBOSITY_STR,
++                         "3");
++    assert_int_equal(rc, SSH_OK);
++    new_level = ssh_get_log_level();
++    assert_int_equal(new_level, SSH_LOG_PACKET);
++
++    rc = ssh_options_set(session,
++                         SSH_OPTIONS_LOG_VERBOSITY_STR,
++                         "datsun");
++    assert_int_equal(rc, -1);
++    new_level = ssh_get_log_level();
++    assert_int_not_equal(new_level, 0);
++}
++
+ #ifdef WITH_SERVER
+ const char template[] = "temp_dir_XXXXXX";
+ 
+@@ -1107,6 +1128,10 @@
+     rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
+     assert_int_equal(rc, 0);
+     assert_int_equal(bind->bindport, 23);
++
++    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
++    assert_int_equal(rc, -1);
++    assert_int_not_equal(bind->bindport, 0);
+ }
+ 
+ static void torture_bind_options_log_verbosity(void **state)
+@@ -1156,6 +1181,11 @@
+     new_level = ssh_get_log_level();
+     assert_int_equal(new_level, SSH_LOG_PACKET);
+ 
++    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
++    assert_int_equal(rc, -1);
++    new_level = ssh_get_log_level();
++    assert_int_not_equal(new_level, 0);
++
+     rc = ssh_set_log_level(previous_level);
+     assert_int_equal(rc, SSH_OK);
+ }
+@@ -1643,6 +1673,7 @@
+         cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
+         cmocka_unit_test_setup_teardown(torture_options_config_match,
+                                         setup, teardown),
++        cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
+     };
+ 
+ #ifdef WITH_SERVER

SOURCES/fix_tests.patch

@@ -0,0 +1,668 @@
+diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
+--- ../libssh-0.9.6/examples/sshnetcat.c	2021-08-26 14:27:42.000000000 +0200
++++ ./examples/sshnetcat.c	2023-05-02 10:36:00.793381735 +0200
+@@ -233,9 +233,10 @@
+ }
+ 
+ void cleanup_pcap(void);
+-void cleanup_pcap(){
++void cleanup_pcap(void)
++{
+ 	ssh_pcap_file_free(pcap);
+-	pcap=NULL;
++	pcap = NULL;
+ }
+ #endif
+ 
+diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
+--- ../libssh-0.9.6/src/init.c	2021-03-15 08:11:33.000000000 +0100
++++ ./src/init.c	2023-05-02 10:36:00.793381735 +0200
+@@ -269,7 +269,7 @@
+  *
+  * @see ssh_init()
+  */
+-bool is_ssh_initialized() {
++bool is_ssh_initialized(void) {
+ 
+     bool is_initialized = false;
+ 
+diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
+--- ../libssh-0.9.6/tests/client/torture_auth.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/client/torture_auth.c	2023-05-02 10:36:00.815381960 +0200
+@@ -200,7 +200,8 @@
+     assert_non_null(ssh_agent_pidfile);
+ 
+     /* kill agent pid */
+-    torture_terminate_process(ssh_agent_pidfile);
++    rc = torture_terminate_process(ssh_agent_pidfile);
++    assert_return_code(rc, errno);
+ 
+     unlink(ssh_agent_pidfile);
+ 
+@@ -551,6 +552,7 @@
+ 
+ static void torture_auth_agent_cert(void **state)
+ {
++#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -570,6 +572,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
++#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     /* Setup loads a different key, tests are exactly the same. */
+     torture_auth_agent(state);
+@@ -577,6 +580,7 @@
+ 
+ static void torture_auth_agent_cert_nonblocking(void **state)
+ {
++#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -596,6 +600,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
++#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     torture_auth_agent_nonblocking(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
+--- ../libssh-0.9.6/tests/client/torture_rekey.c	2023-04-28 17:26:41.472315318 +0200
++++ ./tests/client/torture_rekey.c	2023-05-02 10:36:00.805381857 +0200
+@@ -38,6 +38,8 @@
+ #include <fcntl.h>
+ #include <pwd.h>
+ 
++#define KEX_RETRY 32
++
+ static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
+ 
+ static int sshd_setup(void **state)
+@@ -190,10 +192,11 @@
+     rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
+     assert_int_equal(rc, SSH_AUTH_SUCCESS);
+ 
+-    /* send ignore packets of up to 1KB to trigger rekey */
++    /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
++     * to make sure it completes with all different ciphers */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 16; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+         ssh_handle_packets(s->ssh.session, 50);
+     }
+@@ -496,9 +499,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 20; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
++        ssh_handle_packets(s->ssh.session, 100);
++
++        c = s->ssh.session->current_crypto;
++        /* SHA256 len */
++        if (c->digest_len != 32) {
++            break;
++        }
+     }
+ 
+     /* The rekey limit was restored in the new crypto to the same value */
+@@ -568,9 +577,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 25; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
++        ssh_handle_packets(s->ssh.session, 100);
++
++        c = s->ssh.session->current_crypto;
++        /* SHA256 len */
++        if (c->digest_len != 32) {
++            break;
++        }
+     }
+ 
+     /* Check that the secret hash is different than initially */
+diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
+--- ../libssh-0.9.6/tests/CMakeLists.txt	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/CMakeLists.txt	2023-05-02 10:32:03.964511860 +0200
+@@ -153,6 +153,17 @@
+         execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
+     endif()
+ 
++    find_program(TIMEOUT_EXECUTABLE
++                 NAME
++                    timeout
++                 PATHS
++                    /bin
++                    /usr/bin
++                    /usr/local/bin)
++    if (TIMEOUT_EXECUTABLE)
++        set(WITH_TIMEOUT "1")
++    endif()
++
+     # chroot_wrapper
+     add_library(chroot_wrapper SHARED chroot_wrapper.c)
+     set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
+diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
+--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c	2021-03-15 08:11:33.000000000 +0100
++++ ./tests/pkd/pkd_keyutil.c	2023-05-02 10:36:00.793381735 +0200
+@@ -22,7 +22,7 @@
+ #include "pkd_keyutil.h"
+ #include "pkd_util.h"
+ 
+-void setup_rsa_key() {
++void setup_rsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
+@@ -31,7 +31,7 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void setup_ed25519_key() {
++void setup_ed25519_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
+@@ -41,7 +41,7 @@
+ }
+ 
+ #ifdef HAVE_DSA
+-void setup_dsa_key() {
++void setup_dsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
+@@ -51,7 +51,7 @@
+ }
+ #endif
+ 
+-void setup_ecdsa_keys() {
++void setup_ecdsa_keys(void) {
+     int rc = 0;
+ 
+     if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
+@@ -71,27 +71,27 @@
+     }
+ }
+ 
+-void cleanup_rsa_key() {
++void cleanup_rsa_key(void) {
+     cleanup_key(LIBSSH_RSA_TESTKEY);
+ }
+ 
+-void cleanup_ed25519_key() {
++void cleanup_ed25519_key(void) {
+     cleanup_key(LIBSSH_ED25519_TESTKEY);
+ }
+ 
+ #ifdef HAVE_DSA
+-void cleanup_dsa_key() {
++void cleanup_dsa_key(void) {
+     cleanup_key(LIBSSH_DSA_TESTKEY);
+ }
+ #endif
+ 
+-void cleanup_ecdsa_keys() {
++void cleanup_ecdsa_keys(void) {
+     cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
+ }
+ 
+-void setup_openssh_client_keys() {
++void setup_openssh_client_keys(void) {
+     int rc = 0;
+ 
+     if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
+@@ -184,7 +184,7 @@
+     }
+ }
+ 
+-void cleanup_openssh_client_keys() {
++void cleanup_openssh_client_keys(void) {
+     cleanup_key(OPENSSH_CA_TESTKEY);
+     cleanup_key(OPENSSH_RSA_TESTKEY);
+     cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
+@@ -199,7 +199,7 @@
+     }
+ }
+ 
+-void setup_dropbear_client_rsa_key() {
++void setup_dropbear_client_rsa_key(void) {
+     int rc = 0;
+     if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
+@@ -208,6 +208,6 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void cleanup_dropbear_client_rsa_key() {
++void cleanup_dropbear_client_rsa_key(void) {
+     unlink(DROPBEAR_RSA_TESTKEY);
+ }
+diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
+--- ../libssh-0.9.6/tests/server/torture_server_config.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/server/torture_server_config.c	2023-05-02 10:36:00.815381960 +0200
+@@ -285,9 +285,7 @@
+     assert_non_null(s);
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
++    assert_return_code(rc, errno);
+ 
+     unlink(s->srv_pidfile);
+ 
+@@ -513,6 +511,12 @@
+         /* Try each algorithm individually */
+         j = 0;
+         while(tokens->tokens[j] != NULL) {
++            char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
++            if (cmp == NULL) {
++                /* This cipher is not supported by the OpenSSH. Skip it */
++                j++;
++                continue;
++            }
+             snprintf(config_content,
+                     sizeof(config_content),
+                     "HostKey %s\nCiphers %s\n",
+diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
+--- ../libssh-0.9.6/tests/tests_config.h.cmake	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/tests_config.h.cmake	2023-05-02 10:32:03.964511860 +0200
+@@ -66,4 +66,6 @@
+ 
+ #cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
+ #cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
+-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
+\ No newline at end of file
++#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
++#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
++#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
+diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
+--- ../libssh-0.9.6/tests/torture.c	2021-08-26 14:27:44.000000000 +0200
++++ ./tests/torture.c	2023-05-02 10:36:00.815381960 +0200
+@@ -51,6 +51,7 @@
+ #include "torture.h"
+ #include "torture_key.h"
+ #include "libssh/misc.h"
++#include "libssh/token.h"
+ 
+ #define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
+ /* socket wrapper IPv6 prefix  fd00::5357:5fxx */
+@@ -250,8 +251,12 @@
+ 
+         rc = kill(pid, 0);
+         if (rc != 0) {
+-            is_running = 0;
+-            break;
++            /* Process not found */
++            if (errno == ESRCH) {
++                is_running = 0;
++                rc = 0;
++                break;
++            }
+         }
+     }
+ 
+@@ -260,7 +265,7 @@
+                 "WARNING: The process with pid %u is still running!\n", pid);
+     }
+ 
+-    return 0;
++    return rc;
+ }
+ 
+ ssh_session torture_ssh_session(struct torture_state *s,
+@@ -611,6 +616,112 @@
+     *state = s;
+ }
+ 
++/**
++ * @brief Create a libssh server configuration file
++ *
++ * It is expected the socket directory to be already created before by calling
++ * torture_setup_socket_dir().  The created configuration file will be stored in
++ * the socket directory and the srv_config pointer in the state will be
++ * initialized.
++ *
++ * @param[in] state A pointer to a pointer to an initialized torture_state
++ *                  structure
++ */
++void torture_setup_create_libssh_config(void **state)
++{
++    struct torture_state *s = *state;
++    char ed25519_hostkey[1024] = {0};
++#ifdef HAVE_DSA
++    char dsa_hostkey[1024];
++#endif /* HAVE_DSA */
++    char rsa_hostkey[1024];
++    char ecdsa_hostkey[1024];
++    char sshd_config[2048];
++    char sshd_path[1024];
++    const char *additional_config = NULL;
++    struct stat sb;
++    const char config_string[]=
++             "LogLevel DEBUG3\n"
++             "Port 22\n"
++             "ListenAddress 127.0.0.10\n"
++             "%s %s\n"
++             "%s %s\n"
++             "%s %s\n"
++#ifdef HAVE_DSA
++             "%s %s\n"
++#endif /* HAVE_DSA */
++             "%s\n"; /* The space for test-specific options */
++    bool written = false;
++    int rc;
++
++    assert_non_null(s->socket_dir);
++
++    snprintf(sshd_path,
++             sizeof(sshd_path),
++             "%s/sshd",
++             s->socket_dir);
++
++    rc = lstat(sshd_path, &sb);
++    if (rc == 0 ) { /* The directory is already in place */
++        written = true;
++    }
++
++    if (!written) {
++        rc = mkdir(sshd_path, 0755);
++        assert_return_code(rc, errno);
++    }
++
++    snprintf(ed25519_hostkey,
++             sizeof(ed25519_hostkey),
++             "%s/sshd/ssh_host_ed25519_key",
++             s->socket_dir);
++
++    snprintf(rsa_hostkey,
++             sizeof(rsa_hostkey),
++             "%s/sshd/ssh_host_rsa_key",
++             s->socket_dir);
++
++    snprintf(ecdsa_hostkey,
++             sizeof(ecdsa_hostkey),
++             "%s/sshd/ssh_host_ecdsa_key",
++             s->socket_dir);
++
++#ifdef HAVE_DSA
++    snprintf(dsa_hostkey,
++             sizeof(dsa_hostkey),
++             "%s/sshd/ssh_host_dsa_key",
++             s->socket_dir);
++#endif /* HAVE_DSA */
++
++    if (!written) {
++        torture_write_file(ed25519_hostkey,
++                           torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
++        torture_write_file(rsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_RSA, 0));
++        torture_write_file(ecdsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
++#ifdef HAVE_DSA
++        torture_write_file(dsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_DSS, 0));
++#endif /* HAVE_DSA */
++    }
++
++    additional_config = (s->srv_additional_config != NULL ?
++                         s->srv_additional_config : "");
++
++    snprintf(sshd_config, sizeof(sshd_config),
++            config_string,
++            "HostKey", ed25519_hostkey,
++            "HostKey", rsa_hostkey,
++            "HostKey", ecdsa_hostkey,
++#ifdef HAVE_DSA
++            "HostKey", dsa_hostkey,
++#endif /* HAVE_DSA */
++            additional_config);
++
++    torture_write_file(s->srv_config, sshd_config);
++}
++
+ static void torture_setup_create_sshd_config(void **state, bool pam)
+ {
+     struct torture_state *s = *state;
+@@ -856,21 +967,140 @@
+     return 1;
+ }
+ 
+-void torture_setup_sshd_server(void **state, bool pam)
++/**
++ * @brief Run a libssh based server under timeout.
++ *
++ * It is expected that the socket directory and libssh configuration file were
++ * already created before by calling torture_setup_socket_dir() and
++ * torture_setup_create_libssh_config() (or alternatively setup the state with
++ * the correct values).
++ *
++ * @param[in] state The content of the address pointed by this variable must be
++ *                  a pointer to an initialized instance of torture_state
++ *                  structure; it can be obtained by calling
++ *                  torture_setup_socket_dir() and
++ *                  torture_setup_create_libssh_config().
++ * @param[in] server_path  The path to the server executable.
++ *
++ * @note This function will use the state->srv_additional_config field as
++ * additional command line option used when starting the server instead of extra
++ * configuration file options.
++ * */
++void torture_setup_libssh_server(void **state, const char *server_path)
+ {
+     struct torture_state *s;
+-    char sshd_start_cmd[1024];
++    char start_cmd[1024];
++    char timeout_cmd[512];
++    char env[1024];
++    char extra_options[1024];
+     int rc;
++    char *ld_preload = NULL;
++    const char *force_fips = NULL;
+ 
+-    torture_setup_socket_dir(state);
+-    torture_setup_create_sshd_config(state, pam);
++    struct ssh_tokens_st *env_tokens;
++    struct ssh_tokens_st *arg_tokens;
++
++    pid_t pid;
++    ssize_t printed;
++
++    s = *state;
++
++    /* Get all the wrapper libraries to be pre-loaded */
++    ld_preload = getenv("LD_PRELOAD");
++
++    if (s->srv_additional_config != NULL) {
++        printed = snprintf(extra_options, sizeof(extra_options), " %s ",
++                           s->srv_additional_config);
++        if (printed < 0) {
++            fail_msg("Failed to print additional config!");
++        }
++    } else {
++        printed = snprintf(extra_options, sizeof(extra_options), " ");
++        if (printed < 0) {
++            fail_msg("Failed to print empty additional config!");
++        }
++    }
++
++    if (ssh_fips_mode()) {
++        force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
++    } else {
++        force_fips = "";
++    }
++
++    /* Write the environment setting */
++    printed = snprintf(env, sizeof(env),
++                       "SOCKET_WRAPPER_DIR=%s "
++                       "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
++                       "LD_PRELOAD=%s "
++                       "%s",
++                       s->socket_dir, ld_preload, force_fips);
++    if (printed < 0) {
++        fail_msg("Failed to print env!");
++    }
++
++#ifdef WITH_TIMEOUT
++    snprintf(timeout_cmd, sizeof(timeout_cmd),
++             "%s %s ", TIMEOUT_EXECUTABLE, "5m");
++#else
++    timeout_cmd[0] = '\0';
++#endif
++
++    /* Write the start command */
++    printed = snprintf(start_cmd, sizeof(start_cmd),
++                       "%s"
++                       "%s -f%s -v4 -p22 -i%s -C%s%s%s",
++                       timeout_cmd,
++                       server_path, s->pcap_file, s->srv_pidfile,
++                       s->srv_config, extra_options, TORTURE_SSH_SERVER);
++    if (printed < 0) {
++        fail_msg("Failed to print start command!");
++    }
++
++    pid = fork();
++    switch(pid) {
++    case 0:
++        env_tokens = ssh_tokenize(env, ' ');
++        if (env_tokens == NULL || env_tokens->tokens == NULL) {
++            fail_msg("Failed to tokenize env!");
++        }
++
++        arg_tokens = ssh_tokenize(start_cmd, ' ');
++        if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
++            ssh_tokens_free(env_tokens);
++            fail_msg("Failed to tokenize args!");
++        }
++
++        rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
++                    (char **)env_tokens->tokens);
++
++        /* execve returns only in case of error */
++        ssh_tokens_free(env_tokens);
++        ssh_tokens_free(arg_tokens);
++        fail_msg("Error in execve: %s", strerror(errno));
++    case -1:
++        fail_msg("Failed to fork!");
++    default:
++        /* The parent continues the execution of the tests */
++        setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
++        unsetenv("PAM_WRAPPER");
++
++        /* Wait until the server is ready to accept connections */
++        rc = torture_wait_for_daemon(15);
++        assert_int_equal(rc, 0);
++        break;
++    }
++}
++
++static int torture_start_sshd_server(void **state)
++{
++    struct torture_state *s = *state;
++    char sshd_start_cmd[1024];
++    int rc;
+ 
+     /* Set the default interface for the server */
+     setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
+     setenv("PAM_WRAPPER", "1", 1);
+ 
+-    s = *state;
+-
+     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
+              SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+              s->srv_config, s->socket_dir, s->socket_dir);
+@@ -882,7 +1112,20 @@
+     unsetenv("PAM_WRAPPER");
+ 
+     /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
++    rc = torture_wait_for_daemon(15);
++    assert_int_equal(rc, 0);
++
++    return SSH_OK;
++}
++
++void torture_setup_sshd_server(void **state, bool pam)
++{
++    int rc;
++
++    torture_setup_socket_dir(state);
++    torture_setup_create_sshd_config(state, pam);
++
++    rc = torture_start_sshd_server(state);
+     assert_int_equal(rc, 0);
+ }
+ 
+@@ -922,29 +1165,12 @@
+ torture_reload_sshd_server(void **state)
+ {
+     struct torture_state *s = *state;
+-    pid_t pid;
+     int rc;
+ 
+-    /* read the pidfile */
+-    pid = torture_read_pidfile(s->srv_pidfile);
+-    assert_int_not_equal(pid, -1);
+-
+-    kill(pid, SIGHUP);
+-
+-    /* 10 ms */
+-    usleep(10 * 1000);
+-
+-    rc = kill(pid, 0);
+-    if (rc != 0) {
+-        fprintf(stderr,
+-                "ERROR: SSHD process %u died during reload!\n", pid);
+-        return SSH_ERROR;
+-    }
++    rc = torture_terminate_process(s->srv_pidfile);
++    assert_return_code(rc, errno);
+ 
+-    /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
+-    assert_int_equal(rc, 0);
+-    return SSH_OK;
++    return torture_start_sshd_server(state);
+ }
+ 
+ /* @brief: Updates SSHD server configuration with more options and
+@@ -980,9 +1206,7 @@
+     int rc;
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
++    assert_return_code(rc, errno);
+ 
+     torture_teardown_socket_dir(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
+--- ../libssh-0.9.6/tests/torture.h	2021-08-26 14:27:44.000000000 +0200
++++ ./tests/torture.h	2023-05-02 10:32:03.964511860 +0200
+@@ -132,6 +132,10 @@
+ 
+ void torture_reset_config(ssh_session session);
+ 
++void torture_setup_create_libssh_config(void **state);
++
++void torture_setup_libssh_server(void **state, const char *server_path);
++
+ /*
+  * This function must be defined in every unit test file.
+  */

SOURCES/libssh-0.9.6.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
+Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
+3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
+bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
+ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
+KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
+VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
++W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
+zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
+1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
+TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
+o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
+=cO0k
+-----END PGP SIGNATURE-----

SOURCES/s390x_fix.patch

@@ -0,0 +1,19 @@
+diff --git a/src/packet.c b/src/packet.c
+index ec4a7203..a81eb8e3 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -1752,10 +1752,12 @@ static bool
+ ssh_packet_in_rekey(ssh_session session)
+ {
+     /* We know we are rekeying if we are authenticated and the DH
+-     * status is not finished
++     * status is not finished, but we only queue packets until we've
++     * sent our NEWKEYS.
+      */
+     return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
+-           (session->dh_handshake_state != DH_STATE_FINISHED);
++           (session->dh_handshake_state != DH_STATE_FINISHED) &&
++           (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
+ }
+ 
+ int ssh_packet_send(ssh_session session)

SPECS/libssh.spec

@@ -1,55 +1,53 @@
 Name:           libssh
-Version:        0.12.0
-Release:        2%{?dist}
+Version:        0.9.6
+Release:        16%{?dist}
 Summary:        A library implementing the SSH protocol
-License:        LGPL-2.1-or-later
+License:        LGPLv2+
 URL:            http://www.libssh.org
 
-Source0:        https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz.asc
-Source2:        https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
+Source0:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
+Source1:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
+Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
 
-# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/742
-Patch1:         Update-recently-added-logging-to-be-less-verbose.patch
+Patch0:         loglevel.patch
+Patch1:         s390x_fix.patch
+Patch2:         null_dereference_rekey.patch
+Patch3:         auth_bypass.patch
+Patch4:         fix_tests.patch
+Patch5:         covscan23.patch
+Patch6:         CVE-2023-48795.patch
+Patch7:         CVE-2023-6004.patch
+Patch8:         CVE-2023-6918.patch
+Patch9:         CVE-2025-5318.patch
+Patch10:        CVE-2025-5372.patch
 
 BuildRequires:  cmake
+BuildRequires:  doxygen
 BuildRequires:  gcc-c++
 BuildRequires:  gnupg2
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  krb5-devel
-BuildRequires:  krb5-server
-BuildRequires:  krb5-workstation
 BuildRequires:  libcmocka-devel
+BuildRequires:  openssh-clients
+BuildRequires:  openssh-server
 BuildRequires:  pam_wrapper
 BuildRequires:  socket_wrapper
 BuildRequires:  nss_wrapper
 BuildRequires:  uid_wrapper
-BuildRequires:  priv_wrapper
-BuildRequires:  openssh-clients
-BuildRequires:  openssh-server
 BuildRequires:  nmap-ncat
-BuildRequires:  pkcs11-provider
-BuildRequires:  p11-kit-devel
-BuildRequires:  p11-kit-server
-BuildRequires:  p11-kit-client
-BuildRequires:  opensc
-BuildRequires:  softhsm
-BuildRequires:  gnutls-utils
-BuildRequires:  libfido2-devel
-BuildRequires:  openssh-sk-dummy
-BuildRequires:  hostname
-
-Requires:       %{name}-config = %{version}-%{release}
 
 Requires:       crypto-policies
+Requires:       %{name}-config = %{version}-%{release}
 
-%ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
+%ifarch aarch64 ppc64 ppc64le s390x x86_64
+Provides: libssh_threads.so()(64bit)
 Provides: libssh_threads.so.4()(64bit)
 %else
+Provides: libssh_threads.so
 Provides: libssh_threads.so.4
 %endif
 
@@ -64,7 +62,6 @@ third-party programs others than libcrypto (from openssl).
 %package devel
 Summary:        Development files for %{name}
 Requires:       %{name}%{?_isa} = %{version}-%{release}
-Requires:       cmake-filesystem
 
 %description devel
 The %{name}-devel package contains libraries and header files for developing
@@ -73,31 +70,36 @@ applications that use %{name}.
 %package config
 Summary:        Configuration files for %{name}
 BuildArch:      noarch
-Obsoletes:      %{name} < 0.9.0-3
+Obsoletes:      %{name} < 0.9.0-1
 
 %description config
 The %{name}-config package provides the default configuration files for %{name}.
 
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %autosetup -p1
 
 %build
-%cmake \
+if test ! -e "obj"; then
+  mkdir obj
+fi
+pushd obj
+
+%cmake .. \
     -DUNIT_TESTING=ON \
     -DCLIENT_TESTING=ON \
     -DSERVER_TESTING=ON \
-    -DGSSAPI_TESTING=ON \
-    -DWITH_PKCS11_URI=ON \
-    -DWITH_PKCS11_PROVIDER=ON \
-    -DWITH_FIDO2=ON \
     -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
     -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
 
-%cmake_build
+
+%make_build VERBOSE=1
+make docs
+
+popd
 
 %install
-%cmake_install
+make DESTDIR=%{buildroot} install/fast -C obj
 install -d -m755 %{buildroot}%{_sysconfdir}/libssh
 install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
 install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
@@ -109,7 +111,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
 # requiring it to continue working.
 #
 pushd %{buildroot}%{_libdir}
-for i in libssh.so*;
+for i in libssh.so.4*;
 do
     _target="${i}"
     _link_name="${i%libssh*}libssh_threads${i##*libssh}"
@@ -123,22 +125,24 @@ popd
 %ldconfig_scriptlets
 
 %check
-# Tests are randomly failing when run in parallel
-%global _smp_build_ncpus 1
-%ctest
+pushd obj
+ctest --output-on-failure
+popd
 
 %files
-%doc AUTHORS BSD CHANGELOG README
+%doc AUTHORS BSD ChangeLog README
 %license COPYING
 %{_libdir}/libssh.so.4*
 %{_libdir}/libssh_threads.so.4*
 
 %files devel
+%doc obj/doc/html
 %{_includedir}/libssh/
+# own this to avoid dep on cmake -- rex
+%dir  %{_libdir}/cmake/
 %{_libdir}/cmake/libssh/
 %{_libdir}/pkgconfig/libssh.pc
 %{_libdir}/libssh.so
-%{_libdir}/libssh_threads.so
 
 %files config
 %attr(0755,root,root) %dir %{_sysconfdir}/libssh
@@ -146,233 +150,176 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
-* Thu Feb 19 2026 Pavol Žáčik <pzacik@redhat.com> - 0.12.0-2
-- Fix the verbosity of some new logs added in 0.12.0
-  Resolves: RHEL-93748
+* Wed Nov 05 2025 Pavol Žáčik <pzacik@redhat.com> - 0.9.6-16
+- Fix CVE-2025-5372
+  Resolves: RHEL-121232
 
-* Tue Feb 10 2026 Pavol Žáčik <pzacik@redhat.com> - 0.12.0-1
-- Rebase to 0.12.0
-  Resolves: RHEL-133421, RHEL-70825, RHEL-130042
-- Add a Requires for crypto-policies instead of a Recommends
-  Resolves: RHEL-139045
-
-* Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-3
+* Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.9.6-15
 - Fix CVE-2025-5318
-  Resolves: RHEL-111721
-- Add BuildRequires for p11-kit-client
+  Resolves: RHEL-111724
 
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.11.1-2
-- Bump release for October 2024 mass rebuild:
-  Resolves: RHEL-64018
+* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
+- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
+- Fix CVE-2023-6918 Missing checks for return values for digests
+- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
+  of malicious code through hostname
+- Note: version is bumped from 12 to 14 directly, as the z-stream
+  version in 8.9 also has 13. So bumping it to 14, will prevent
+  upgrade conflicts.
+- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
 
-* Wed Oct 23 2024 Sahana Prasad <sahana@redhat.com> - 0.11.1-1
-- Rebase to new upstream version 0.11.1
-- Resolves: RHEL-64319
+* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
+- Fix loglevel regression
+- Related: rhbz#2182251, rhbz#2189742
 
-* Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
-- Remove the dependency on engine.h
+* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
+- .fmf/version is needed to run the tests
+- Related: rhbz#2182251, rhbz#2189742
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.10.6-7
-- Bump release for June 2024 mass rebuild
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
+- Add missing ci.fmf file
+- Related: rhbz#2182251, rhbz#2189742
 
-* Fri Jun 07 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-6
-- Add riscv64
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
+- Fix covscan errors found at gating
+- Related: rhbz#2182251, rhbz#2189742
 
-* Wed May 22 2024 Sahana Prasad <sahana@redhat.com> - 0.10.6-5
-- Build libssh with pkcs11-provider instead of pkcs11 engine
-- Resolves: RHEL-30437
+* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
+- Backport test fixing commits to make the build pass
+- Related: rhbz#2182251, rhbz#2189742
 
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
+- Fix NULL dereference during rekeying with algorithm guessing
+  GHSL-2023-032 / CVE-2023-1667
+- Fix possible authentication bypass
+  GHSL 2023-085 / CVE-2023-2283
+- Resolves: rhbz#2182251, rhbz#2189742
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
+- Enable client and server testing build time
+- Fix failing rekey test on arch s390x
+- Resolves: rhbz#2126342
 
-* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
-- Fix regression in IPv6 hosntames parsing
+* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
+- Fix CI configuration for new TMT
+- Resolves: rhbz#2149910
 
-* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
-- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
+* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
+- Make VERBOSE and lower log levels less verbose
+- Resolves: rhbz#2091512
 
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
+- Remove STI tests
 
-* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
-- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
-- Have libssh-devel require cmake-filesystem
+* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
+- Remove bad patch causing errors
+- Adding BuildRequires for openssh (SSHD support)
 
-* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
-- Update License to SPDX expression
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
+  rekeying with different key exchange mechanism
+- Rebase to version 0.9.6
+- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
+- Resolves: rhbz#1896651, rhbz#1994600
 
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
+- Revert previous commit as it is incorrect.
 
-* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
-- Enable pkcs11 support
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
+  rekeying with different key exchange mechanism (#1978810)
 
-* Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
-- Update to version 0.10.4
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.4
+* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
+- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
+  ssh_buffer_new returns NULL (#1862646)
 
-* Fri Sep 02 2022 Andreas Schneider <asn@redhat.com> - 0.10.3-1
-- Update to version 0.10.3
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.3
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.2
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.1
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.0
-- Removed libssh-0.9.6-openssh-8.8p1-compat.patch
-- resolves: rhbz#2121741
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Fri Jan 28 2022 Jakub Jelen <jjelen@redhat.com> - 0.9.6-4
-- Fix build-time tests to work with OpenSSH 8.8p1
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Mon Jan 10 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.9.6-2
-- Skip broken torture_auth tests
-
-* Wed Sep 15 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
-- Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
-  overflow when rekeying
-- Resolves: rhbz#1994600
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
-- Update to version 0.9.5
-  https://www.libssh.org/2020/09/10/libssh-0-9-5/
-- Removed patch to re-enable algorithms using sha1 in sshd for testing
-- The algorithms supported by sshd are now automatically detected for testing
-- Resolves: #1862457 - CVE-2020-16135
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
-- Do not return error when server properly closed the channel (#1849069)
+* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
+- Do not return error when server properly closed the channel (#1849071)
 - Add a test for CVE-2019-14889
 - Do not parse configuration file in torture_knownhosts test
 
-* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
-- Added patch to fix returned version
-
-* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
+* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
 - Update to version 0.9.4
   https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
+- Fixed CVE-2019-14889 (#1781782)
+- Fixed CVE-2020-1730 (#1802422)
+- Create missing directories in the path provided for known_hosts files (#1733914)
 - Removed inclusion of OpenSSH server configuration file from
-  libssh_server.config
-- Added patch to re-enable algorithms using sha1 in sshd for testing
-- resolves: #1822529 - CVE-2020-1730
+  libssh_server.config (#1821339)
 
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
+- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
 
-* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
-- Update to version 0.9.3
-- resolves: #1781780 - Fixes CVE-2019-14889
-
-* Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
-- Upate to version 0.9.2
-- resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
+* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
 - Add Obsoletes in libssh-config to avoid conflict with old libssh which
   installed the configuration files.
 
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
 - Eliminate circular dependency with libssh-config subpackage
 
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
-- Provide the configuration files in a separate libssh-config subpackage
-
-* Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
-- Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
-
-* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
-- Fixed Release number to released format
-
-* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
 - Update to version 0.9.0
   https://www.libssh.org/2019/06/28/libssh-0-9-0/
+- Added explicit Requires for crypto-policies
+- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
+- Provide the configuration files in a separate libssh-config subpackage
 
-* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
+* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
 - Update to 0.9.0 pre release version (0.8.91)
 - Added default configuration files for client and server
-- Follow system-wide crypto configuration (crypto-policies)
-- Added Recommends for crypto-policies
-- Use OpenSSL implementation for KDF, DH, and signatures.
-- Detect FIPS mode and use only allowed algorithms
-- Run client and server tests during build
+- Removed unused patch files left behind
+- Fixed issues found to run upstream test suite with SELinux
 
-* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
-- Update to version 0.8.7
-  https://www.libssh.org/2019/02/25/libssh-0-8-7/
+* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
+- Fix more regressions introduced by the fixes for CVE-2018-10933
 
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
-- Fix rsa-sha2 extension handling (#1666342)
-
-* Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
-- Update to version 0.8.6
-  https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
-
-* Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
+* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
 - Update to version 0.8.5
-  https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
+  * Fixed an issue where global known_hosts file was ignored (#1649321)
+  * Fixed ssh_get_fd() to return writable file descriptor (#1649319)
+  * Fixed regression introduced in known_hosts parsing (#1649315)
+  * Fixed a regression which caused only the first algorithm in known_hosts to
+    be considered (#1638790)
 
-* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
-- Update to version 0.8.4
-  https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
-- Fixes CVE-2018-10933
+* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
+- Fix regressions introduced by the fixes for CVE-2018-10933
 
-* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
-- Fixed errors found by static code analysis
+* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
+- Fix for authentication bypass issue in server implementation (#1639926)
 
-* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
-- Add missing libssh_threads.so link to libssh-devel package
+* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
+- Fixed errors found by static code analysis (#1602594)
 
-* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
+* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
 - Update to version 0.8.3
-  https://www.libssh.org/2018/09/21/libssh-0-8-3/
+  * Added support for rsa-sha2 (#1610882)
+  * Added support to parse private keys in openssh container format (other than
+    ed25519) (#1622983)
+  * Added support for diffie-hellman-group18-sha512 and
+    diffie-hellman-group16-sha512 (#1610885)
+  * Added ssh_get_fingerprint_hash()
+  * Added ssh_pki_export_privkey_base64()
+  * Added support for Match keyword in config file
+  * Improved performance and reduced memory footprint for sftp
+  * Fixed ecdsa publickey auth
+  * Fixed reading a closed channel
+  * Added support to announce posix-rename@openssh.com and hardlink@openssh.com
+    in the sftp server
+  * Use -fstack-protector-strong if possible (#1624135)
 
-* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
-- Update to version 0.8.2
-  https://www.libssh.org/2018/08/30/libssh-0-8-2
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
+- Fix the creation of symbolic links for libssh_threads.so.4
 
-* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
-- Fix link creation or RPM doesn't install it
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
+- Add missing Provides for libssh_threads.so.4
 
-* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
-- Add missing so version for libssh_threads.so.4
-
-* Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
+* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
 - Add Provides for libssh_threads.so to unbreak applications
+- Fix ABIMap detection to not depend on python to build
 
 * Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
 - Update to version 0.8.1
-  https://www.libssh.org/2018/08/13/libssh-0-8-1
-- resolves: #1615248 - pkg-config --modversion
-- resolves: #1615132 - library initialization
+  https://www.libssh.org/2018/08/13/libssh-0-8-1/
 
 * Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
 - Update to version 0.8.0
@@ -386,6 +333,7 @@ popd
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+- Related: bug#1614611
 
 * Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
 - resolves: #1540021 - Build against OpenSSL 1.1

Update-recently-added-logging-to-be-less-verbose.patch

@@ -1,137 +0,0 @@
-From 3f99712641a584c5390e0d5f67ab23ff2451f778 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <pzacik@redhat.com>
-Date: Thu, 19 Feb 2026 10:03:28 +0100
-Subject: [PATCH] Update recently added logging to be less verbose
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In 20d9642c and parent commits, log levels were
-recategorized to be less verbose when using the
-level INFO and lower. These levels should not
-print any information redundant to the end user.
-
-This commit fixes recently added uses of logging
-that are not consistent with the abovementioned
-categorization, in particular:
-
-- logs in ssh_strict_fopen should not have
-  the RARE/WARNING level since failing to open
-  a file may not be an issue at all (e.g., when
-  trying to open the knownhosts file).
-
-- logging the username used in authentication
-  or proxyjump-related information should be done
-  at the DEBUG level, otherwise it could pollute
-  the output of, e.g., curl.
-
-Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
----
- src/auth.c   |  2 +-
- src/config.c |  4 +++-
- src/misc.c   | 10 +++++-----
- src/socket.c |  4 ++--
- 4 files changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/src/auth.c b/src/auth.c
-index 8dae696d..1f8a08b4 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -1397,7 +1397,7 @@ int ssh_userauth_publickey_auto(ssh_session session,
-         return SSH_AUTH_ERROR;
-     }
- 
--    SSH_LOG(SSH_LOG_INFO,
-+    SSH_LOG(SSH_LOG_DEBUG,
-             "Starting authentication as a user %s",
-             username ? username : session->opts.username);
- 
-diff --git a/src/config.c b/src/config.c
-index eceaba61..12eb3a71 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -258,7 +258,9 @@ local_parse_file(ssh_session session,
- 
-     f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE);
-     if (f == NULL) {
--        /* The underlying function logs the reasons */
-+        SSH_LOG(SSH_LOG_RARE,
-+                "Failed to open included configuration file %s",
-+                filename);
-         return;
-     }
- 
-diff --git a/src/misc.c b/src/misc.c
-index 0d702f7b..4b8d3616 100644
---- a/src/misc.c
-+++ b/src/misc.c
-@@ -2454,7 +2454,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
-     /* open first to avoid TOCTOU */
-     fd = open(filename, O_RDONLY);
-     if (fd == -1) {
--        SSH_LOG(SSH_LOG_RARE,
-+        SSH_LOG(SSH_LOG_TRACE,
-                 "Failed to open a file %s for reading: %s",
-                 filename,
-                 ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
-@@ -2464,7 +2464,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
-     /* Check the file is sensible for a configuration file */
-     r = fstat(fd, &sb);
-     if (r != 0) {
--        SSH_LOG(SSH_LOG_RARE,
-+        SSH_LOG(SSH_LOG_TRACE,
-                 "Failed to stat %s: %s",
-                 filename,
-                 ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
-@@ -2472,7 +2472,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
-         return NULL;
-     }
-     if ((sb.st_mode & S_IFMT) != S_IFREG) {
--        SSH_LOG(SSH_LOG_RARE,
-+        SSH_LOG(SSH_LOG_TRACE,
-                 "The file %s is not a regular file: skipping",
-                 filename);
-         close(fd);
-@@ -2480,7 +2480,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
-     }
- 
-     if ((size_t)sb.st_size > max_file_size) {
--        SSH_LOG(SSH_LOG_RARE,
-+        SSH_LOG(SSH_LOG_TRACE,
-                 "The file %s is too large (%jd MB > %zu MB): skipping",
-                 filename,
-                 (intmax_t)sb.st_size / 1024 / 1024,
-@@ -2491,7 +2491,7 @@ FILE *ssh_strict_fopen(const char *filename, size_t max_file_size)
- 
-     f = fdopen(fd, "r");
-     if (f == NULL) {
--        SSH_LOG(SSH_LOG_RARE,
-+        SSH_LOG(SSH_LOG_TRACE,
-                 "Failed to open a file %s for reading: %s",
-                 filename,
-                 ssh_strerror(r, err_msg, SSH_ERRNO_MSG_MAX));
-diff --git a/src/socket.c b/src/socket.c
-index 09bc71ef..7a8bf168 100644
---- a/src/socket.c
-+++ b/src/socket.c
-@@ -1435,7 +1435,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
- 
-     session = s->session;
- 
--    SSH_LOG(SSH_LOG_INFO,
-+    SSH_LOG(SSH_LOG_DEBUG,
-             "Connecting to host %s port %d user %s through ProxyJump",
-             session->opts.host,
-             session->opts.port,
-@@ -1515,7 +1515,7 @@ ssh_socket_connect_proxyjump(ssh_socket s)
-     /* transferred to the jump_thread_data */
-     jump_session = NULL;
- 
--    SSH_LOG(SSH_LOG_INFO,
-+    SSH_LOG(SSH_LOG_DEBUG,
-             "Starting proxy thread to host %s port %d user %s, callbacks=%p",
-             jump_thread_data->next_jump->hostname,
-             jump_thread_data->next_jump->port,
--- 
-2.53.0
-

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

gating.yaml

@@ -1,23 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}

libssh.keyring

@@ -1,52 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGZxQOQBEAC1EO1SSoQmzAyAyfQRRHcI4Je5E4mdTchhblLXmuxThquYZ6Xp
-MT3alO6UxDO6aulzd0/RpLviELRwXqEKuUVC9oNbsolWT3sCh0J6ju2LNtmixPIf
-5hd6UQRE32k7AXgwju7bn4TebVkl2fXsdtqSY+57Rs+8G7HiCRDoiYw1S4OwKsuI
-RU7F4VNTV3drfcqpY1JZhMM/oestGqhWfln59kRgvqPDdOlX6Jv1502lElRddHBl
-1f/SnE/mZQJ8Y+zfFuCxkhKZHYLzO3scudUIOHfVt2tLEYYsYK23NFAnF4ECYv+H
-F1PoITbd8WeXoFeMjSr1h19ElzW76eBPvOYzqlzEKQ8b8uQUTqmyZl7HhQOtsIXG
-YBYi3V30I+JBuEGkkhtkbXVET8sE1FCX2xSDOsqshqSiLchlVJxiQlThqZ4prtBC
-byaTmdxFKRsQmSvLv5V9Puel80mzvM/L85s+gop9btygJ+Vpo1Dtdkbvp/jz+k1f
-arZaqAFPE9/rJlMEW8HE12QBYpxiQAl6k0KUu/1MUcTbaZ7wbzQVGHXTmrP9mGff
-9DTPeK01UPJpR9lT/kFwo/ip7nkI0zHcoAgwCGLNHCnbWjjz6ZAzYS9Dj8RG1T13
-g/TjpQtmNWxdPIQ3yZDv30BKFv1aoWLejz4rj19dtPnVClUyMlRPonDDfwARAQAB
-tDRsaWJzc2ggcmVsZWFzZSBrZXkgKHJlbGVhc2Uga2V5KSA8bGlic3NoQGxpYnNz
-aC5vcmc+iQJXBBMBCABBFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmZxQOQCGwMF
-CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQA9XfjP3T6OfPBA//
-cQA2fdsNyIgAyhppHAtdmKtRaN5dWj9InKZTWRmWNMAU3lTrMCGVurz2tcg2X6Xz
-rVvZuXbLnb6GIRU0ly+nYiBZF4qDL088NtqN7AEEUaabOmlSZr5wXyJObMvlzDg9
-GkjKAKH2CBztROtG3P91uHQ12SDqqIGw5/LlWGUSBzDnChdaB7ntODmjJ8wHqyOy
-tD6GIfy7KkvnD6nyCXvqlZgo0/nr91otkDFbJrF/IobZD1hiBcps7b3oC3ms0e9T
-usk4wl+oUi2LdTIOVvAag17gdkbH7MXMMOwhbNrV5MEyKpleTfm+R+jo48hRwdrn
-LMrDR0+f26bIsWILvGE9GIqvoJD3rKDgjTFwmMcM4OLssCgTTy0h93gDbyBrOmA9
-gJDApWWLq26SkDGIrsp4JcYlcR3m4S2Bjg98PTbz96fATK+AZ/R1Kntbt1J7DcnT
-th3q4jXFIPUzvZA0r7Ul+UM/OfVr/Ryc023oID5po1zeO3HyVKVxXYY/DgpzWTcq
-iwGjWM18XRDhUVV7eOJZ4XRcyDhf4eEF8etwFFraXjVVimCCEqgukEQh9azr+kqi
-IWYoAH0fwVP85u38WqlLS+9in5mKq+lBFI201RpkzsdPDtJMtXTYgw1s6IrQntzF
-w1PIJ/49b7nZhqvp0sMQGlAKfYTQvQsiAuEfzNiFcTS5Ag0EZnFA5AEQAJNgU4Wg
-S+DUP9/wutGn9ADAEIZvD+dxpliKFmtfUeLiNAtaEfxmL7YCazlZbJ7tdhplwfJP
-Es9k7G0K+8k1t+gni9sc7/W/0bB12cbCOxDlfcWATP5RZUfCc7eQVsWm1Sq41W2C
-WGLqp9oC9jd2KGlReE4tj1PUmYtdHDOLBKr3PJrHHTGaF+4Qem5PVx+4ZmaH0qGT
-8CmKYdhE0P8EYNImkmYsCo2nf3tbnjxBNAvwb1ljwJ1djFO72huvHslo6oTuQ+W6
-Bam4m37b+AA/NiXk3RkrL8dwHB/D4G4fk0yflVQFx+0uwYj+Ik5HAri7WISOYfBN
-Yvb6VPm9cdw/ajF0sV4d1bChroLkw0Y9VW5jEkhwGeLexY+bLP+uLOn9CvSd5iZX
-kmamBA5c/jDWAibqgADux3OKNOa7JND38axuc67o5BynfW1iw3osU5fa/jdOxogJ
-xgRq+muWh8rpVGuJHLDcG2TWxC66zEA7Dp8UE/nToIZeP7m6Ihzpo37a33m0BfKH
-qG2cM4EYjIoFDFlbBbk7RogOXTshVc69JhKUaNNh8zSlCOTjwQedqPb7eW+zkPOc
-ZdII3a+oLe4j49+QBiRXoJT3QWhqbxQYF5gnv86o/ZhAUrzEW8KAk8vJAHiKJhe1
-sGHgu0yuiq5Ox4HHBrVBiEgZPxEYo4+xGLz7ABEBAAGJAjwEGAEIACYWIQSIoijY
-mwfCx30MeAkD1d+M/dPo5wUCZnFA5AIbDAUJEswDAAAKCRAD1d+M/dPo523QD/wM
-+Tf6y684Vn1HKMMyDLLCv1fFoSdialbf0gieXIlLm9yH0VaAcnMYFN7flYSekISq
-23uH6ZIcABSfvg4dCCKUUggR3CnUql0SjF9BtFisGiCsDGlH3fNH0d1Ts0FOUdkL
-TH/U676r08DQu1t0iSdOuDxM9FAo926gJSvyorLx7X94KhUeHhXfmzZ88ydz0ked
-KFTKoo/LVhxRIoAGUdl98uJ+oycoELAeg7u0djVk+Hkw6ZLnMsjJBYHV3SyOXBpy
-beQ9O3yK0oNqHW1oIAnHtX/Msqzj+x2+BMpjirsaHWsewnXgDUG/2h1MN67XW1zu
-boztT8zswALbPfkOxS4Y+evaSnq4W6xF4dGuh2sM6g82pyAHdpBPrp4WEKnAcvi4
-5EFNZYpKbQVXnDyK4899CCPcsxj56DlVtJRv167WNRBlU6k6MUVZH0F1JLQpxwx5
-TlohKUa2KBnBZofmCD0xRzV7GbT08KRObSrMqIQU4ILqs2TlhDJhYMurKh7sWKFO
-CX8wWu1TupOt7Zkf/OPapW2konKTu4h36yoPR6D4JZQhd6zZ+4+BsxgzdKCORPM5
-DfSh15+evGapxAdUZrt/N4q2o2TdMcaSu4cZQnqu2soBWiNEa1DeBurCwrHJu/tt
-dEyK6ESk4OGJ2ycirv4skD17gMHNRODFjhAgKgEybg==
-=m20i
------END PGP PUBLIC KEY BLOCK-----

plans/ci.fmf

@@ -1,26 +0,0 @@
-/fips-disabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-disabled-buildroot-disabled
-
-
-/fips-disabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-disabled-buildroot-enabled
-
-
-/fips-enabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-enabled-buildroot-disabled
-
-
-/fips-enabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-enabled-buildroot-enabled

sources

@@ -1,2 +0,0 @@
-SHA512 (libssh-0.12.0.tar.xz) = dd28483f391e36c9da0f0b8c469bc9e19f75dc1016d04e35930b1a28e0711fa02a1eae9ddeb95b9e48cb1fd3f2bc456789457bc092cf53d00d55b20257f082a2
-SHA512 (libssh-0.12.0.tar.xz.asc) = 2b24cc6d0a8accba4637978b9d9df49eaa432aa6394af7ee192e99df652049ec1a7b4c4e3951f6858ff2aa93a6cd9d48befbe1104724160d686eb2a20b6547ab