29 changed files with 3343 additions and 7191 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1,60 +1,2 @@
-libssh-0.4.4.tar.gz
+SOURCES/libssh-0.9.6.tar.xz
-libssh-0.4.4.tar.gz.asc
+SOURCES/libssh.keyring
 /libssh-0.4.6.tar.gz
 /libssh-0.4.6.tar.gz.asc
 /libssh-0.4.8.tar.gz
 /libssh-0.4.8.tar.gz.asc
 /libssh-0.5.0.tar.gz
 /libssh-0.5.0.tar.gz.asc
 /libssh-0.5.2.tar.gz
 /libssh-0.5.2.tar.gz.asc
 /libssh-0.5.3.tar.gz
 /libssh-0.5.3.tar.asc
 /libssh-0.5.4.tar.gz
 /libssh-0.5.4.tar.asc
 /libssh-0.5.5.tar.gz
 /libssh-0.5.5.tar.asc
 /libssh-0.6.0.tar.xz
 /libssh-0.6.1.tar.xz
 /libssh-0.6.3.tar.xz
 /libssh-0.6.4.tar.gz
 /libssh-0.6.5.tar.xz
 /libssh-0.7.0.tar.xz
 /libssh-0.7.1.tar.xz
 /libssh-0.7.2.tar.xz
 /libssh-0.7.3.tar.xz
 /libssh-0.7.4.tar.xz
 /libssh-0.7.5.tar.xz
 /libssh-0.8.0.tar.xz
 /libssh-0.8.0.tar.xz.asc
 /libssh-0.8.1.tar.xz
 /libssh-0.8.1.tar.xz.asc
 /libssh-0.8.2.tar.xz
 /libssh-0.8.2.tar.xz.asc
 /libssh-0.8.3.tar.xz
 /libssh-0.8.3.tar.xz.asc
 /libssh-0.8.4.tar.xz
 /libssh-0.8.4.tar.xz.asc
 /libssh-0.8.5.tar.xz
 /libssh-0.8.5.tar.xz.asc
 /libssh-0.8.6.tar.xz
 /libssh-0.8.6.tar.xz.asc
 /libssh-0.8.7.tar.xz
 /libssh-0.8.7.tar.xz.asc
 /libssh-0.8.91.tar.xz
 /libssh_client.config
 /libssh_server.config
 /libssh-0.9.0.tar.xz
 /libssh-0.9.0.tar.xz.asc
 /libssh-0.9.2.tar.xz
 /libssh-0.9.2.tar.xz.asc
 /libssh-0.9.3.tar.xz
 /libssh-0.9.3.tar.xz.asc
 /libssh-0.9.4.tar.xz
 /libssh-0.9.4.tar.xz.asc
 /libssh-0.9.5.tar.xz
 /libssh-0.9.5.tar.xz.asc
 /libssh-0.9.6.tar.xz
 /libssh-0.9.6.tar.xz.asc
 /libssh-0.10.4.tar.xz
 /libssh-0.10.4.tar.xz.asc
--- a/.libssh.metadata
+++ b/.libssh.metadata
@ -0,0 +1,2 @@
 1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
 3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
--- a/SOURCES/CVE-2023-48795.patch
+++ b/SOURCES/CVE-2023-48795.patch
@ -1,4 +1,4 @@
-From 4cef5e965a46e9271aed62631b152e4bd23c1e3c Mon Sep 17 00:00:00 2001
+From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
 From: Aris Adamantiadis <aris@0xbadc0de.be>
 Date: Tue, 12 Dec 2023 23:09:57 +0100
 Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
@ -22,10 +22,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 12 files changed, 126 insertions(+), 69 deletions(-)
 diff --git a/include/libssh/packet.h b/include/libssh/packet.h
-index 7f10a709..f0c8cb20 100644
+index 561bba8e..c6fbc3fc 100644
 --- a/include/libssh/packet.h
 +++ b/include/libssh/packet.h
-@@ -67,6 +67,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
+@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
 SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
 #endif
@ -34,10 +34,10 @@ index 7f10a709..f0c8cb20 100644
 int ssh_packet_parse_type(ssh_session session);
 //int packet_flush(ssh_session session, int enforce_blocking);
 diff --git a/include/libssh/session.h b/include/libssh/session.h
-index eb14e97a..97936195 100644
+index 64e118ef..3cde0dd4 100644
 --- a/include/libssh/session.h
 +++ b/include/libssh/session.h
-@@ -81,6 +81,12 @@ enum ssh_pending_call_e {
+@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
  * sending it twice during key exchange to simplify the state machine. */
 #define SSH_SESSION_FLAG_KEXINIT_SENT 4
@ -51,7 +51,7 @@ index eb14e97a..97936195 100644
 /* Infinite timeout */
 #define SSH_TIMEOUT_INFINITE -1
 diff --git a/src/curve25519.c b/src/curve25519.c
-index 66291b5f..4aeb4756 100644
+index 37654438..6b7b4238 100644
 --- a/src/curve25519.c
 +++ b/src/curve25519.c
@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
@ -95,10 +95,10 @@ index 66291b5f..4aeb4756 100644
     return SSH_PACKET_USED;
 error:
 diff --git a/src/dh-gex.c b/src/dh-gex.c
-index 91617081..642a88ae 100644
+index 4a298542..f1880270 100644
 --- a/src/dh-gex.c
 +++ b/src/dh-gex.c
-@@ -297,15 +297,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
+@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
     }
     /* Send the MSG_NEWKEYS */
@ -116,10 +116,10 @@ index 91617081..642a88ae 100644
     return SSH_PACKET_USED;
 diff --git a/src/dh.c b/src/dh.c
-index 011d97b3..e19e43d1 100644
+index c265efcb..1d519c63 100644
 --- a/src/dh.c
 +++ b/src/dh.c
-@@ -398,16 +398,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
+@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
   }
   /* Send the MSG_NEWKEYS */
@ -137,7 +137,7 @@ index 011d97b3..e19e43d1 100644
   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
   return SSH_PACKET_USED;
 error:
-@@ -551,15 +545,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
+@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
     }
     SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
@ -179,10 +179,10 @@ index e5b11ba9..af80beec 100644
   return SSH_PACKET_USED;
 diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
-index 51084b7a..069b1372 100644
+index a1de27fd..62578c1b 100644
 --- a/src/ecdh_crypto.c
 +++ b/src/ecdh_crypto.c
-@@ -619,18 +619,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
         goto error;
     }
@ -205,7 +205,7 @@ index 51084b7a..069b1372 100644
     return SSH_PACKET_USED;
 error:
 diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
-index 235f2904..3d9d426f 100644
+index d9c41bf9..dd4332d7 100644
 --- a/src/ecdh_gcrypt.c
 +++ b/src/ecdh_gcrypt.c
@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
@ -230,10 +230,10 @@ index 235f2904..3d9d426f 100644
     gcry_sexp_release(param);
     gcry_sexp_release(key);
 diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
-index cfe017a0..dda73922 100644
+index 718f1522..45251a42 100644
 --- a/src/ecdh_mbedcrypto.c
 +++ b/src/ecdh_mbedcrypto.c
-@@ -318,16 +318,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
         goto out;
     }
@ -255,10 +255,10 @@ index cfe017a0..dda73922 100644
     mbedtls_ecp_group_free(&grp);
     if (rc == SSH_ERROR) {
 diff --git a/src/kex.c b/src/kex.c
-index b9455d2d..3818297b 100644
+index 3e5ca6ad..0772cae8 100644
 --- a/src/kex.c
 +++ b/src/kex.c
-@@ -188,6 +188,9 @@
+@@ -163,6 +163,9 @@
 /* RFC 8308 */
 #define KEX_EXTENSION_CLIENT "ext-info-c"
@ -268,7 +268,7 @@ index b9455d2d..3818297b 100644
 /* Allowed algorithms in FIPS mode */
 #define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
-@@ -516,6 +519,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
+@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
                     session->first_kex_follows_guess_wrong ? "wrong" : "right");
     }
@ -296,7 +296,7 @@ index b9455d2d..3818297b 100644
     if (server_kex) {
         /*
          * If client sent a ext-info-c message in the kex list, it supports
-@@ -792,21 +816,21 @@ int ssh_set_client_kex(ssh_session session)
+@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
         return SSH_OK;
     }
@ -324,10 +324,10 @@ index b9455d2d..3818297b 100644
     return SSH_OK;
 diff --git a/src/packet.c b/src/packet.c
-index eb7eb42a..ea73f9ad 100644
+index ca7a03b7..82965fb3 100644
 --- a/src/packet.c
 +++ b/src/packet.c
-@@ -1314,6 +1314,19 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
             }
 #endif /* WITH_ZLIB */
             payloadsize = ssh_buffer_get_len(session->in_buffer);
@ -347,7 +347,27 @@ index eb7eb42a..ea73f9ad 100644
             session->recv_seq++;
             if (crypto != NULL) {
                 struct ssh_cipher_struct *cipher = NULL;
-@@ -1354,6 +1379,9 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
             SSH_LOG(SSH_LOG_PACKET,
                     "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
                     session->in_packet.type, packet_len, padding, compsize, payloadsize);
 +            if (crypto == NULL) {
 +                /* In strict kex, only a few packets are allowed. Taint the session
 +                 * if we received packets that are normally allowed but to be
 +                 * refused if we are in strict kex when KEX is over.
 +                 */
 +                uint8_t type = session->in_packet.type;
 +                if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
 +                    (type < SSH2_MSG_KEXDH_INIT ||
 +                     type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
 +                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
 +                }
 +            }
             /* Check if the packet is expected */
             filter_result = ssh_packet_incoming_filter(session);
@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                               session->in_packet.type);
                 goto error;
             case SSH_PACKET_UNKNOWN:
@ -357,7 +377,7 @@ index eb7eb42a..ea73f9ad 100644
                 ssh_packet_send_unimplemented(session, session->recv_seq - 1);
                 break;
             }
-@@ -1529,7 +1557,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
+@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
             SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
                     ssh_get_error(session));
         }
@ -391,7 +411,7 @@ index eb7eb42a..ea73f9ad 100644
 }
 /** @internal
-@@ -1842,6 +1896,10 @@ int ssh_packet_send(ssh_session session)
+@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
     if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
         struct ssh_iterator *it;
@ -403,10 +423,10 @@ index eb7eb42a..ea73f9ad 100644
              it != NULL;
              it = ssh_list_get_iterator(session->out_queue)) {
 diff --git a/src/packet_cb.c b/src/packet_cb.c
-index 0ecf8771..2f364c26 100644
+index 3e4d5f6d..a08f1d8a 100644
 --- a/src/packet_cb.c
 +++ b/src/packet_cb.c
-@@ -115,6 +115,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
       goto error;
   }
@ -429,7 +449,7 @@ index 0ecf8771..2f364c26 100644
 2.41.0
-From 0870c8db28be9eb457ee3d4f9a168959d9507efd Mon Sep 17 00:00:00 2001
+From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
 From: Aris Adamantiadis <aris@0xbadc0de.be>
 Date: Tue, 12 Dec 2023 23:30:26 +0100
 Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
@ -444,10 +464,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 3 files changed, 44 insertions(+), 11 deletions(-)
 diff --git a/include/libssh/kex.h b/include/libssh/kex.h
-index ede7fa8a..ba98fded 100644
+index 2ace69b6..40da4ef2 100644
 --- a/include/libssh/kex.h
 +++ b/include/libssh/kex.h
-@@ -40,6 +40,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
+@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
 int ssh_send_kex(ssh_session session);
 void ssh_list_kex(struct ssh_kex_struct *kex);
 int ssh_set_client_kex(ssh_session session);
@ -456,10 +476,10 @@ index ede7fa8a..ba98fded 100644
 int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
 char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
 diff --git a/src/kex.c b/src/kex.c
-index 3818297b..9ad671db 100644
+index 0772cae8..e37c176c 100644
 --- a/src/kex.c
 +++ b/src/kex.c
-@@ -763,11 +763,8 @@ int ssh_set_client_kex(ssh_session session)
+@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
 {
     struct ssh_kex_struct *client = &session->next_crypto->client_kex;
     const char *wanted;
@ -471,7 +491,7 @@ index 3818297b..9ad671db 100644
     /* Skip if already set, for example for the rekey or when we do the guessing
      * it could have been already used to make some protocol decisions. */
-@@ -816,11 +813,33 @@ int ssh_set_client_kex(ssh_session session)
+@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
         return SSH_OK;
     }
@ -509,7 +529,7 @@ index 3818297b..9ad671db 100644
     if (kex_len >= MAX_PACKET_LEN) {
         /* Overflow */
         return SSH_ERROR;
-@@ -830,9 +849,16 @@ int ssh_set_client_kex(ssh_session session)
+@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
         ssh_set_error_oom(session);
         return SSH_ERROR;
     }
@ -530,7 +550,7 @@ index 3818297b..9ad671db 100644
 }
 diff --git a/src/server.c b/src/server.c
-index dc070a73..70b90899 100644
+index ed73e7fb..35e84465 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
@ -552,7 +572,7 @@ index dc070a73..70b90899 100644
 2.41.0
-From 5846e57538c750c5ce67df887d09fa99861c79c6 Mon Sep 17 00:00:00 2001
+From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 14 Dec 2023 12:22:01 +0100
 Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
@ -565,10 +585,10 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 1 file changed, 12 insertions(+), 4 deletions(-)
 diff --git a/src/kex.c b/src/kex.c
-index 9ad671db..fbc70cf4 100644
+index e37c176c..eea3604b 100644
 --- a/src/kex.c
 +++ b/src/kex.c
-@@ -961,11 +961,19 @@ int ssh_kex_select_methods (ssh_session session)
+@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
     enum ssh_key_exchange_e kex_type;
     int i;
@ -596,7 +616,7 @@ index 9ad671db..fbc70cf4 100644
 2.41.0
-From 89df759200d31fc79fbbe213d8eda0d329eebf6d Mon Sep 17 00:00:00 2001
+From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 14 Dec 2023 12:47:48 +0100
 Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
@ -604,11 +624,11 @@ Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 ---
- tests/client/torture_rekey.c | 55 ++++++++++++++++++++----------------
+ tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
- 1 file changed, 31 insertions(+), 24 deletions(-)
+ 1 file changed, 32 insertions(+), 24 deletions(-)
 diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
-index ccd5ae2c..57e03e3f 100644
+index 13c9a7fe..bfb273af 100644
 --- a/tests/client/torture_rekey.c
 +++ b/tests/client/torture_rekey.c
@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
@ -661,7 +681,25 @@ index ccd5ae2c..57e03e3f 100644
     secret_hash = malloc(c->digest_len);
     assert_non_null(secret_hash);
     memcpy(secret_hash, c->secret_hash, c->digest_len);
-@@ -468,15 +480,10 @@ static void torture_rekey_different_kex(void **state)
+@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
     sftp_file file;
     mode_t mask;
 -    /* The blocks limit is set correctly */
 -    c = s->ssh.session->current_crypto;
 -    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
 -    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
 -    /* We should have less encrypted packets than transfered (first are not encrypted) */
 -    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
 -    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
 +    sanity_check_session(state);
     /* Copy the initial secret hash = session_id so we know we changed keys later */
 +    c = s->ssh.session->current_crypto;
 +    assert_non_null(c);
     secret_hash = malloc(c->digest_len);
     assert_non_null(secret_hash);
     memcpy(secret_hash, c->secret_hash, c->digest_len);
@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
     assert_ssh_return_code(s->ssh.session, rc);
     /* The blocks limit is set correctly */
@ -683,47 +721,3 @@ index ccd5ae2c..57e03e3f 100644
 -- 
 2.41.0
 diff -up libssh-0.10.4/src/packet.c.CVE-2023-48795.patch libssh-0.10.4/src/packet.c
 --- libssh-0.10.4/src/packet.c.CVE-2023-48795.patch	2024-01-09 05:46:53.064383034 +0100
 +++ libssh-0.10.4/src/packet.c	2024-01-09 05:48:28.360340184 +0100
@@ -1345,6 +1345,19 @@ size_t ssh_packet_socket_callback(const
                     "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
                     session->in_packet.type, packet_len, padding, compsize, payloadsize);
 +            if (crypto == NULL) {
 +                /* In strict kex, only a few packets are allowed. Taint the session
 +                 * if we received packets that are normally allowed but to be
 +                 * refused if we are in strict kex when KEX is over.
 +                 */
 +                uint8_t type = session->in_packet.type;
 +
 +                if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
 +                    (type < SSH2_MSG_KEXDH_INIT ||
 +                     type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
 +                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
 +                }
 +            }
             /* Check if the packet is expected */
             filter_result = ssh_packet_incoming_filter(session);
 diff -up libssh-0.10.4/tests/client/torture_rekey.c.CVE-2023-48795.patch libssh-0.10.4/tests/client/torture_rekey.c
 --- libssh-0.10.4/tests/client/torture_rekey.c.CVE-2023-48795.patch	2024-01-09 18:48:16.684366049 +0100
 +++ libssh-0.10.4/tests/client/torture_rekey.c	2024-01-09 18:50:49.135897268 +0100
@@ -290,14 +290,10 @@ static void torture_rekey_recv(void **st
     mode_t mask;
     int rc;
 -    /* The blocks limit is set correctly */
 -    c = s->ssh.session->current_crypto;
 -    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
 -    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
 -    /* We should have less encrypted packets than transfered (first are not encrypted) */
 -    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
 -    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
 +    sanity_check_session(state);
     /* Copy the initial secret hash = session_id so we know we changed keys later */
 +    c = s->ssh.session->current_crypto;
 +    assert_non_null(c);
     secret_hash = malloc(c->digest_len);
     assert_non_null(secret_hash);
     memcpy(secret_hash, c->secret_hash, c->digest_len);
--- a/SOURCES/CVE-2023-6004.patch
+++ b/SOURCES/CVE-2023-6004.patch
@ -1,4 +1,4 @@
-From c2c56bacab00766d01671413321d564227aabf19 Mon Sep 17 00:00:00 2001
+From 11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Sun, 5 Nov 2023 13:12:47 +0100
 Subject: [PATCH 01/12] CVE-2023-6004: torture_config: Allow multiple '@' in
@ -6,98 +6,86 @@ Subject: [PATCH 01/12] CVE-2023-6004: torture_config: Allow multiple '@' in
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
- tests/unittests/torture_config.c | 56 +++++++++++++++++---------------
+ tests/unittests/torture_config.c | 44 ++++++++++++++++++--------------
- 1 file changed, 30 insertions(+), 26 deletions(-)
+ 1 file changed, 25 insertions(+), 19 deletions(-)
 diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
-index 406f1985..b7c763af 100644
+index f91112a9..3a5a74bf 100644
 --- a/tests/unittests/torture_config.c
 +++ b/tests/unittests/torture_config.c
-@@ -995,23 +995,22 @@ static void torture_config_proxyjump(void **state,
+@@ -671,24 +671,40 @@ static void torture_config_proxyjump(void **state) {
     assert_string_equal(session->opts.ProxyCommand,
                         "ssh -W [%h]:%p 2620:52:0::fed");
-
+ 
 -    /* In this part, we try various other config files and strings. */
 -
 -    /* Try to create some invalid configurations */
 -    /* Non-numeric port */
 -    config = "Host bad-port\n"
 -             "\tProxyJump jumpbox:22bad22\n";
 +    /* Multiple @ is allowed in second jump */
-+    config = "Host allowed-hostname\n"
+     torture_write_file(LIBSSH_TESTCONFIG11,
-+             "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
+-                       "Host bad-port\n"
-     if (file != NULL) {
+-                       "\tProxyJump jumpbox:22bad22\n"
-         torture_write_file(file, config);
+                       "Host allowed-hostname\n"
-     } else {
+                       "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
-         string = config;
+                        "");
     }
     torture_reset_config(session);
 -    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
 -    _parse_config(session, file, string, SSH_ERROR);
 +    ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
-+    _parse_config(session, file, string, SSH_OK);
+     ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
 -    assert_ssh_return_code_equal(session, ret, SSH_ERROR);
 +    assert_ssh_return_code(session, ret);
 +    assert_string_equal(session->opts.ProxyCommand,
-+                        "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost");
+                        "ssh -J user@principal.com@jumpbox:22 -W [%h]:%p localhost");
-
+ 
 -    /* Too many @ */
 -    config = "Host bad-hostname\n"
 +    /* Multiple @ is allowed */
-+    config = "Host allowed-hostname\n"
+     torture_write_file(LIBSSH_TESTCONFIG11,
-              "\tProxyJump user@principal.com@jumpbox:22\n";
+-                       "Host bad-hostname\n"
-     if (file != NULL) {
+                       "Host allowed-hostname\n"
-         torture_write_file(file, config);
+                        "\tProxyJump user@principal.com@jumpbox:22\n"
-@@ -1019,7 +1018,24 @@ static void torture_config_proxyjump(void **state,
+                        "");
         string = config;
     }
     torture_reset_config(session);
 -    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
 +    ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
-+    _parse_config(session, file, string, SSH_OK);
+    ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
 +    assert_ssh_return_code(session, ret);
 +    assert_string_equal(session->opts.ProxyCommand,
-+                        "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox");
+                        "ssh -l user@principal.com -p 22 -W [%h]:%p jumpbox");
 +
 +    /* In this part, we try various other config files and strings. */
 +
 +    /* Try to create some invalid configurations */
 +    /* Non-numeric port */
-+    config = "Host bad-port\n"
+    torture_write_file(LIBSSH_TESTCONFIG11,
-+             "\tProxyJump jumpbox:22bad22\n";
+                       "Host bad-port\n"
-+    if (file != NULL) {
+                       "\tProxyJump jumpbox:22bad22\n"
-+        torture_write_file(file, config);
+                       "");
 +    } else {
 +        string = config;
 +    }
 +    torture_reset_config(session);
 +    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port");
-     _parse_config(session, file, string, SSH_ERROR);
+     ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
-
+     assert_ssh_return_code_equal(session, ret, SSH_ERROR);
-     /* Braces mismatch in hostname */
+ 
-@@ -1094,18 +1110,6 @@ static void torture_config_proxyjump(void **state,
+@@ -752,16 +768,6 @@ static void torture_config_proxyjump(void **state) {
-     ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port-2");
+     ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
-     _parse_config(session, file, string, SSH_ERROR);
+     assert_ssh_return_code_equal(session, ret, SSH_ERROR);
-
+ 
 -    /* Too many @ in second jump */
-    config = "Host bad-hostname\n"
+-    torture_write_file(LIBSSH_TESTCONFIG11,
-             "\tProxyJump localhost,user@principal.com@jumpbox:22\n";
+-                       "Host bad-hostname\n"
-    if (file != NULL) {
+-                       "\tProxyJump localhost,user@principal.com@jumpbox:22\n"
-        torture_write_file(file, config);
+-                       "");
 -    } else {
 -        string = config;
 -    }
 -    torture_reset_config(session);
 -    ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
-    _parse_config(session, file, string, SSH_ERROR);
+-    ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
 -    assert_ssh_return_code_equal(session, ret, SSH_ERROR);
 -
     /* Braces mismatch in second jump */
-     config = "Host mismatch\n"
+     torture_write_file(LIBSSH_TESTCONFIG11,
-              "\tProxyJump localhost,[::1:20\n";
+                        "Host mismatch\n"
--
+-- 
 2.41.0
-From a66b4a6eae6614d200a3625862d77565b96a7cd3 Mon Sep 17 00:00:00 2001
+From c3234e5f94b96d6e29f0c1c82821c1e3ebb181ed Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Wed, 1 Nov 2023 11:24:43 +0100
 Subject: [PATCH 02/12] CVE-2023-6004: config_parser: Allow multiple '@' in
@ -105,29 +93,28 @@ Subject: [PATCH 02/12] CVE-2023-6004: config_parser: Allow multiple '@' in
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 src/config_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/config_parser.c b/src/config_parser.c
-index 0d988fec..cf83e2c5 100644
+index ae2aa2c8..76cca224 100644
 --- a/src/config_parser.c
 +++ b/src/config_parser.c
-@@ -180,7 +180,7 @@ int ssh_config_parse_uri(const char *tok,
+@@ -152,7 +152,7 @@ int ssh_config_parse_uri(const char *tok,
     }
-
+ 
     /* Username part (optional) */
 -    endp = strchr(tok, '@');
 +    endp = strrchr(tok, '@');
     if (endp != NULL) {
         /* Zero-length username is not valid */
         if (tok == endp) {
--
+-- 
 2.41.0
-From 8615c24647f773a5e04203c7459512715d698be1 Mon Sep 17 00:00:00 2001
+From a5b8bd0d8841296cf71d927824d60f576581243f Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 31 Oct 2023 09:48:52 +0100
 Subject: [PATCH 03/12] CVE-2023-6004: options: Simplify the hostname parsing
@ -138,16 +125,15 @@ parsing inside the function of ssh_options_set
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 src/options.c | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)
 diff --git a/src/options.c b/src/options.c
-index 6f2c9397..38511455 100644
+index b5f951ac..7c03e7ab 100644
 --- a/src/options.c
 +++ b/src/options.c
-@@ -37,6 +37,7 @@
+@@ -36,6 +36,7 @@
 #include "libssh/session.h"
 #include "libssh/misc.h"
 #include "libssh/options.h"
@ -155,7 +141,7 @@ index 6f2c9397..38511455 100644
 #ifdef WITH_SERVER
 #include "libssh/server.h"
 #include "libssh/bind.h"
-@@ -515,33 +516,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
+@@ -490,33 +491,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                 ssh_set_error_invalid(session);
                 return -1;
             } else {
@ -167,7 +153,7 @@ index 6f2c9397..38511455 100644
 +                if (rc != SSH_OK) {
                     return -1;
                 }
-                p = strrchr(q, '@');
+-                p = strchr(q, '@');
 -
 -                SAFE_FREE(session->opts.host);
 -
@ -204,11 +190,11 @@ index 6f2c9397..38511455 100644
                 }
             }
             break;
--
+-- 
 2.41.0
-From c6180409677c765e6b9ae2b18a3a7a9671ac1dbe Mon Sep 17 00:00:00 2001
+From efb24b6472e8b87c5832c0590f14e99e82fcdeeb Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 10 Oct 2023 12:44:16 +0200
 Subject: [PATCH 04/12] CVE-2023-6004: misc: Add function to check allowed
@ -219,20 +205,39 @@ allowed because of IPv6 even it is prohibited in domain names.
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
- include/libssh/misc.h |  3 ++
+ include/libssh/misc.h |  2 ++
 src/misc.c            | 68 +++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+)
+ 2 files changed, 70 insertions(+)
 diff --git a/include/libssh/misc.h b/include/libssh/misc.h
 index 3cc3b113..a5bee930 100644
 --- a/include/libssh/misc.h
 +++ b/include/libssh/misc.h
@@ -97,4 +97,6 @@ int ssh_mkdirs(const char *pathname, mode_t mode);
 int ssh_quote_file_name(const char *file_name, char *buf, size_t buf_len);
 int ssh_newline_vis(const char *string, char *buf, size_t buf_len);
 +int ssh_check_hostname_syntax(const char *hostname);
 +
 #endif /* MISC_H_ */
 diff --git a/src/misc.c b/src/misc.c
-index 7c478a77..be6ee836 100644
+index 149eb85e..e4239e81 100644
 --- a/src/misc.c
 +++ b/src/misc.c
-@@ -1974,4 +1976,70 @@ char *ssh_strerror(int err_num, char *buf, size_t buflen)
+@@ -94,6 +94,8 @@
- #endif /* defined(__linux__) && defined(__GLIBC__) && defined(_GNU_SOURCE) */
+ #define ZLIB_STRING ""
 #endif
 +#define ARPA_DOMAIN_MAX_LEN 63
 +
 /**
  * @defgroup libssh_misc The SSH helper functions.
  * @ingroup libssh
@@ -1734,4 +1736,70 @@ int ssh_newline_vis(const char *string, char *buf, size_t buf_len)
     return out - buf;
 }
-
+ 
 +/**
 + * @brief Checks syntax of a domain name
 + *
@ -300,11 +305,11 @@ index 7c478a77..be6ee836 100644
 +}
 +
 /** @} */
--
+-- 
 2.41.0
-From 9bbb817c0c5434f03613d0783b2ef5f52235b901 Mon Sep 17 00:00:00 2001
+From 234ecdf4d9705efa3727a54dcc1ddfe6377c7bf6 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 10 Oct 2023 12:45:28 +0200
 Subject: [PATCH 05/12] CVE-2023-6004: torture_misc: Add test for
@ -312,19 +317,18 @@ Subject: [PATCH 05/12] CVE-2023-6004: torture_misc: Add test for
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/unittests/torture_misc.c | 73 ++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
-index 9e346ff8..e682b6d4 100644
+index 0a48abbe..d14f4254 100644
 --- a/tests/unittests/torture_misc.c
 +++ b/tests/unittests/torture_misc.c
-@@ -760,6 +760,78 @@ static void torture_ssh_strerror(void **state)
+@@ -656,6 +656,78 @@ static void torture_ssh_newline_vis(UNUSED_PARAM(void **state))
-     assert_non_null(out);
+     assert_string_equal(buffer, "a\\nb\\n");
 }
-
+ 
 +static void torture_ssh_check_hostname_syntax(void **state)
 +{
 +    int rc;
@ -400,19 +404,19 @@ index 9e346ff8..e682b6d4 100644
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
-@@ -784,6 +856,7 @@ int torture_run_tests(void) {
+@@ -678,6 +750,7 @@ int torture_run_tests(void) {
         cmocka_unit_test(torture_ssh_newline_vis),
         cmocka_unit_test(torture_ssh_mkdirs),
         cmocka_unit_test(torture_ssh_quote_file_name),
         cmocka_unit_test(torture_ssh_strreplace),
         cmocka_unit_test(torture_ssh_strerror),
 +        cmocka_unit_test(torture_ssh_check_hostname_syntax),
     };
-
+ 
     ssh_init();
--
+-- 
 2.41.0
-From 22492b69bba22b102342afc574800d354a08e405 Mon Sep 17 00:00:00 2001
+From 4d7ae19e9cd8c407012b40f3f2eaf480bfb1da7d Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 10 Oct 2023 18:33:56 +0200
 Subject: [PATCH 06/12] CVE-2023-6004: config_parser: Check for valid syntax of
@ -423,32 +427,31 @@ The domain name syntax checker is based on RFC1035.
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
- src/config_parser.c | 12 +++++++++++-
+ src/config_parser.c | 10 ++++++++++
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ 1 file changed, 10 insertions(+)
 diff --git a/src/config_parser.c b/src/config_parser.c
-index cf83e2c5..b8b94611 100644
+index 76cca224..87bac5d4 100644
 --- a/src/config_parser.c
 +++ b/src/config_parser.c
@@ -30,6 +30,7 @@
-
+ 
 #include "libssh/config_parser.h"
 #include "libssh/priv.h"
 +#include "libssh/misc.h"
-
+ 
- /* Returns the original string after skipping the leading whitespace
+ char *ssh_config_get_cmd(char **str)
-  * and optional quotes.
+ {
-@@ -167,6 +168,7 @@ int ssh_config_parse_uri(const char *tok,
+@@ -139,6 +140,7 @@ int ssh_config_parse_uri(const char *tok,
 {
     char *endp = NULL;
     long port_n;
 +    int rc;
-
+ 
     /* Sanitize inputs */
     if (username != NULL) {
-@@ -224,6 +226,14 @@ int ssh_config_parse_uri(const char *tok,
+@@ -196,6 +198,14 @@ int ssh_config_parse_uri(const char *tok,
         if (*hostname == NULL) {
             goto error;
         }
@ -463,11 +466,11 @@ index cf83e2c5..b8b94611 100644
     }
     /* Skip also the closing bracket */
     if (*endp == ']') {
--
+-- 
 2.41.0
-From d7467498fd988949edde9c6384973250fd454a8b Mon Sep 17 00:00:00 2001
+From 8cf4f4bfda968ab526c1a601ea1030bbaccaba17 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 10 Oct 2023 10:28:47 +0200
 Subject: [PATCH 07/12] CVE-2023-6004: torture_proxycommand: Add test for
@ -475,19 +478,18 @@ Subject: [PATCH 07/12] CVE-2023-6004: torture_proxycommand: Add test for
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/client/torture_proxycommand.c | 53 +++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 diff --git a/tests/client/torture_proxycommand.c b/tests/client/torture_proxycommand.c
-index 9b8019ca..1bad4ccc 100644
+index c04ff2ab..dc17f3d8 100644
 --- a/tests/client/torture_proxycommand.c
 +++ b/tests/client/torture_proxycommand.c
-@@ -166,6 +166,56 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
+@@ -161,6 +161,56 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
     assert_int_equal(rc & O_RDWR, O_RDWR);
 }
-
+ 
 +static void torture_options_proxycommand_injection(void **state)
 +{
 +    struct torture_state *s = *state;
@ -541,7 +543,7 @@ index 9b8019ca..1bad4ccc 100644
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
-@@ -181,6 +231,9 @@ int torture_run_tests(void) {
+@@ -176,6 +226,9 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_options_set_proxycommand_ssh_stderr,
                                         session_setup,
                                         session_teardown),
@ -549,32 +551,31 @@ index 9b8019ca..1bad4ccc 100644
 +                                        NULL,
 +                                        session_teardown),
     };
-
+ 
-
+ 
--
+-- 
 2.41.0
-From 62d3101c1f76b6891b70c50154e0e934d6b8cb57 Mon Sep 17 00:00:00 2001
+From a0dbe0d556e073804cc549802569577bb24757d9 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Mon, 6 Nov 2023 20:11:38 +0100
 Subject: [PATCH 08/12] CVE-2023-6004: torture_misc: Add test for ssh_is_ipaddr
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/unittests/torture_misc.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
-index e682b6d4..b07392ab 100644
+index d14f4254..073bc54c 100644
 --- a/tests/unittests/torture_misc.c
 +++ b/tests/unittests/torture_misc.c
-@@ -832,6 +832,31 @@ static void torture_ssh_check_hostname_syntax(void **state)
+@@ -728,6 +728,31 @@ static void torture_ssh_check_hostname_syntax(void **state)
     assert_int_equal(rc, SSH_ERROR);
 }
-
+ 
 +static void torture_ssh_is_ipaddr(void **state) {
 +    int rc;
 +    (void)state;
@ -603,60 +604,82 @@ index e682b6d4..b07392ab 100644
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
-@@ -857,6 +882,7 @@ int torture_run_tests(void) {
+@@ -751,6 +776,7 @@ int torture_run_tests(void) {
-         cmocka_unit_test(torture_ssh_strreplace),
+         cmocka_unit_test(torture_ssh_mkdirs),
-         cmocka_unit_test(torture_ssh_strerror),
+         cmocka_unit_test(torture_ssh_quote_file_name),
         cmocka_unit_test(torture_ssh_check_hostname_syntax),
 +        cmocka_unit_test(torture_ssh_is_ipaddr),
     };
-
+ 
     ssh_init();
--
+-- 
 2.41.0
-From cea841d71c025f9c998b7d5fc9f2a2839df62921 Mon Sep 17 00:00:00 2001
+From cdaec0d6273243a03f460cc5ba1a2265b4afb93a Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 28 Nov 2023 15:26:45 +0100
-Subject: [PATCH 09/12] CVE-2023-6004 misc: Add ipv6 link-local check for an ip
+Subject: [PATCH 09/12] CVE-2023-6004: misc: Add ipv6 link-local check for an
- address
+ ip address
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
- src/CMakeLists.txt |  1 +
+ src/CMakeLists.txt | 17 ++++++++++-------
 src/connect.c      |  2 +-
 src/misc.c         | 44 ++++++++++++++++++++++++++++++++++++++------
- 3 files changed, 40 insertions(+), 7 deletions(-)
+ 3 files changed, 49 insertions(+), 14 deletions(-)
 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index d6245c0d..807313b5 100644
+index a576cf71..fc401793 100644
 --- a/src/CMakeLists.txt
 +++ b/src/CMakeLists.txt
-@@ -91,6 +91,7 @@ endif()
+@@ -9,13 +9,6 @@ set(LIBSSH_LINK_LIBRARIES
- if (WIN32)
+   ${LIBSSH_REQUIRED_LIBRARIES}
-   set(LIBSSH_LINK_LIBRARIES
+ )
-     ${LIBSSH_LINK_LIBRARIES}
+ 
-+    iphlpapi
+-if (WIN32)
-     ws2_32
+-  set(LIBSSH_LINK_LIBRARIES
 -    ${LIBSSH_LINK_LIBRARIES}
 -    ws2_32
 -  )
 -endif (WIN32)
 -
 if (OPENSSL_CRYPTO_LIBRARIES)
   set(LIBSSH_PRIVATE_INCLUDE_DIRS
     ${LIBSSH_PRIVATE_INCLUDE_DIRS}
@@ -93,6 +86,16 @@ if (MINGW AND Threads_FOUND)
   )
- endif (WIN32)
+ endif()
 +# This needs to be last for mingw to build
 +# https://gitlab.com/libssh/libssh-mirror/-/issues/84
 +if (WIN32)
 +  set(LIBSSH_LINK_LIBRARIES
 +    ${LIBSSH_LINK_LIBRARIES}
 +    iphlpapi
 +    ws2_32
 +  )
 +endif (WIN32)
 +
 if (BUILD_STATIC_LIB)
   set(LIBSSH_STATIC_LIBRARY
     ssh_static
 diff --git a/src/connect.c b/src/connect.c
-index 57e37e63..15cae644 100644
+index ce4d58df..ca62dcf0 100644
 --- a/src/connect.c
 +++ b/src/connect.c
@@ -136,7 +136,7 @@ static int getai(const char *host, int port, struct addrinfo **ai)
 #endif
     }
-
+ 
 -    if (ssh_is_ipaddr(host)) {
 +    if (ssh_is_ipaddr(host) == 1) {
         /* this is an IP address */
         SSH_LOG(SSH_LOG_PACKET, "host %s matches an IP address", host);
         hints.ai_flags |= AI_NUMERICHOST;
 diff --git a/src/misc.c b/src/misc.c
-index be6ee836..7081f12a 100644
+index e4239e81..6f5d2d60 100644
 --- a/src/misc.c
 +++ b/src/misc.c
@@ -32,6 +32,7 @@
@ -664,23 +687,23 @@ index be6ee836..7081f12a 100644
 #include <netinet/in.h>
 #include <arpa/inet.h>
 +#include <net/if.h>
-
+ 
 #endif /* _WIN32 */
-
+ 
@@ -59,6 +60,7 @@
 #include <ws2tcpip.h>
 #include <shlobj.h>
 #include <direct.h>
 +#include <netioapi.h>
-
+ 
 #ifdef HAVE_IO_H
 #include <io.h>
-@@ -222,22 +224,37 @@ int ssh_is_ipaddr_v4(const char *str)
+@@ -216,22 +218,37 @@ int ssh_is_ipaddr_v4(const char *str) {
- int ssh_is_ipaddr(const char *str)
+ 
- {
+ int ssh_is_ipaddr(const char *str) {
     int rc = SOCKET_ERROR;
 +    char *s = strdup(str);
-
+ 
 -    if (strchr(str, ':')) {
 +    if (s == NULL) {
 +        return -1;
@ -689,7 +712,7 @@ index be6ee836..7081f12a 100644
         struct sockaddr_storage ss;
         int sslen = sizeof(ss);
 +        char *network_interface = strchr(s, '%');
-
+ 
 -        /* TODO link-local (IP:v6:addr%ifname). */
 -        rc = WSAStringToAddressA((LPSTR) str,
 +        /* link-local (IP:v6:addr%ifname). */
@ -711,17 +734,17 @@ index be6ee836..7081f12a 100644
             return 1;
         }
     }
-
+ 
 +    free(s);
     return ssh_is_ipaddr_v4(str);
 }
 #else /* _WIN32 */
-@@ -343,17 +360,32 @@ int ssh_is_ipaddr_v4(const char *str)
+@@ -335,17 +352,32 @@ int ssh_is_ipaddr_v4(const char *str) {
- int ssh_is_ipaddr(const char *str)
+ 
- {
+ int ssh_is_ipaddr(const char *str) {
     int rc = -1;
 +    char *s = strdup(str);
-
+ 
 -    if (strchr(str, ':')) {
 +    if (s == NULL) {
 +        return -1;
@ -729,7 +752,7 @@ index be6ee836..7081f12a 100644
 +    if (strchr(s, ':')) {
         struct in6_addr dest6;
 +        char *network_interface = strchr(s, '%');
-
+ 
 -        /* TODO link-local (IP:v6:addr%ifname). */
 -        rc = inet_pton(AF_INET6, str, &dest6);
 +        /* link-local (IP:v6:addr%ifname). */
@ -747,16 +770,16 @@ index be6ee836..7081f12a 100644
             return 1;
         }
     }
-
+ 
 +    free(s);
     return ssh_is_ipaddr_v4(str);
 }
-
+ 
--
+-- 
 2.41.0
-From 2c492ee179d5caa2718c5e768bab6e0b2b64a8b0 Mon Sep 17 00:00:00 2001
+From 6a8a18c73e73a338283dfbade0a7d83e5cfafe3b Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <norbertpocs0@gmail.com>
 Date: Tue, 28 Nov 2023 15:27:31 +0100
 Subject: [PATCH 10/12] CVE-2023-6004: torture_misc: Add tests for ipv6
@ -764,19 +787,18 @@ Subject: [PATCH 10/12] CVE-2023-6004: torture_misc: Add tests for ipv6
 Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/unittests/torture_misc.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
-index b07392ab..77166759 100644
+index 073bc54c..f16b766e 100644
 --- a/tests/unittests/torture_misc.c
 +++ b/tests/unittests/torture_misc.c
@@ -17,7 +17,14 @@
- #include "torture.h"
+ #include "misc.c"
 #include "error.c"
-
+ 
 +#ifdef _WIN32
 +#include <netioapi.h>
 +#else
@ -785,17 +807,17 @@ index b07392ab..77166759 100644
 +
 #define TORTURE_TEST_DIR "/usr/local/bin/truc/much/.."
 +#define TORTURE_IPV6_LOCAL_LINK "fe80::98e1:82ff:fe8d:28b3%%%s"
-
+ 
 const char template[] = "temp_dir_XXXXXX";
-
+ 
-@@ -834,14 +841,27 @@ static void torture_ssh_check_hostname_syntax(void **state)
+@@ -730,14 +737,27 @@ static void torture_ssh_check_hostname_syntax(void **state)
-
+ 
 static void torture_ssh_is_ipaddr(void **state) {
     int rc;
 +    char *interf = malloc(64);
 +    char *test_interf = malloc(128);
     (void)state;
-
+ 
 +    assert_non_null(interf);
 +    assert_non_null(test_interf);
     rc = ssh_is_ipaddr("201.255.3.69");
@ -813,14 +835,14 @@ index b07392ab..77166759 100644
 +    assert_int_equal(rc, 1);
 +    free(interf);
 +    free(test_interf);
-
+ 
     rc = ssh_is_ipaddr("..");
     assert_int_equal(rc, 0);
--
+-- 
 2.41.0
-From 1a02364b5107a4125ea3cb76fcdb6beabaebf3be Mon Sep 17 00:00:00 2001
+From 72f59157e6ccbd4c0bb806690931413169a0886f Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 22 Dec 2023 10:32:40 +0100
 Subject: [PATCH 11/12] Fix regression in IPv6 addresses in hostname parsing
@ -836,23 +858,43 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 4 files changed, 23 insertions(+), 18 deletions(-)
 diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
-index a7dd42a2..ca353432 100644
+index e974917c..ee647bfb 100644
 --- a/include/libssh/config_parser.h
 +++ b/include/libssh/config_parser.h
-@@ -30,6 +30,8 @@
+@@ -26,6 +26,8 @@
 #ifndef CONFIG_PARSER_H_
 #define CONFIG_PARSER_H_
-
+ 
 +#include <stdbool.h>
 +
 char *ssh_config_get_cmd(char **str);
-
+ 
 char *ssh_config_get_token(char **str);
@@ -45,13 +47,16 @@ int ssh_config_get_yesno(char **str, int notfound);
  *                       be stored or NULL if we do not care about the result.
  * @param[out]  port     Pointer to the location, where the new port will
  *                       be stored or NULL if we do not care about the result.
 + * @param[in]   ignore_port Set to true if the we should not attempt to parse
 + *                       port number.
  *
  * @returns     SSH_OK if the provided string is in format of SSH URI,
  *              SSH_ERROR on failure
  */
 int ssh_config_parse_uri(const char *tok,
 -        char **username,
 -        char **hostname,
 -        char **port);
 +                         char **username,
 +                         char **hostname,
 +                         char **port,
 +                         bool ignore_port);
 #endif /* LIBSSH_CONFIG_H_ */
 diff --git a/src/config.c b/src/config.c
-index c5c40125..273db7c8 100644
+index 54ada276..a813568d 100644
 --- a/src/config.c
 +++ b/src/config.c
-@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+@@ -324,7 +324,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
         }
         if (parse_entry) {
             /* We actually care only about the first item */
@ -861,7 +903,7 @@ index c5c40125..273db7c8 100644
             /* The rest of the list needs to be passed on */
             if (endp != NULL) {
                 next = strdup(endp + 1);
-@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+@@ -335,7 +335,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
             }
         } else {
             /* The rest is just sanity-checked to avoid failures later */
@ -871,12 +913,12 @@ index c5c40125..273db7c8 100644
         if (rv != SSH_OK) {
             goto out;
 diff --git a/src/config_parser.c b/src/config_parser.c
-index b8b94611..d4b2d2c3 100644
+index 87bac5d4..a2da0a62 100644
 --- a/src/config_parser.c
 +++ b/src/config_parser.c
-@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
+@@ -134,9 +134,10 @@ int ssh_config_get_yesno(char **str, int notfound)
 }
-
+ 
 int ssh_config_parse_uri(const char *tok,
 -        char **username,
 -        char **hostname,
@ -888,7 +930,7 @@ index b8b94611..d4b2d2c3 100644
 {
     char *endp = NULL;
     long port_n;
-@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
+@@ -182,12 +183,17 @@ int ssh_config_parse_uri(const char *tok,
         if (endp == NULL) {
             goto error;
         }
@ -909,10 +951,10 @@ index b8b94611..d4b2d2c3 100644
     if (tok == endp) {
         /* Zero-length hostnames are not valid */
 diff --git a/src/options.c b/src/options.c
-index 38511455..b3ecffe1 100644
+index 7c03e7ab..0890ff2e 100644
 --- a/src/options.c
 +++ b/src/options.c
-@@ -516,17 +516,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
+@@ -491,17 +491,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                 ssh_set_error_invalid(session);
                 return -1;
             } else {
@ -932,11 +974,11 @@ index 38511455..b3ecffe1 100644
                 if (username != NULL) {
                     SAFE_FREE(session->opts.username);
                     session->opts.username = username;
--
+-- 
 2.41.0
-From 6f1b1e76bb38bc89819132e1810e4301ec9034a4 Mon Sep 17 00:00:00 2001
+From 5dc10ff63ca2e8db91abfdccf1d095f5b4261b8e Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 22 Dec 2023 09:52:18 +0100
 Subject: [PATCH 12/12] tests: Increase test coverage for IPv6 address parsing
@ -951,17 +993,25 @@ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 (cherry picked from commit 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d)
 ---
 tests/unittests/torture_config.c  | 49 +++++++++++++++++++++++++++++++
- tests/unittests/torture_options.c | 16 ++++++++++
+ tests/unittests/torture_options.c | 22 ++++++++++++++
- 2 files changed, 65 insertions(+)
+ 2 files changed, 71 insertions(+)
 diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
-index b7c763af..26a24215 100644
+index 3a5a74bf..d8097e79 100644
 --- a/tests/unittests/torture_config.c
 +++ b/tests/unittests/torture_config.c
-@@ -1850,6 +1850,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
+@@ -2,6 +2,7 @@
-     torture_config_make_absolute_int(state, 1);
+ 
 #define LIBSSH_STATIC
 +#include <errno.h>
 #include "torture.h"
 #include "libssh/options.h"
 #include "libssh/session.h"
@@ -997,6 +998,53 @@ static void torture_config_match_pattern(void **state)
 }
-
+ 
 +static void torture_config_parse_uri(void **state)
 +{
 +    char *username = NULL;
@ -1009,26 +1059,25 @@ index b7c763af..26a24215 100644
 +    SAFE_FREE(hostname);
 +}
 +
- int torture_run_tests(void)
+ 
- {
+ int torture_run_tests(void) {
     int rc;
-@@ -1922,6 +1969,8 @@ int torture_run_tests(void)
+@@ -1012,6 +1060,7 @@ int torture_run_tests(void) {
-                                         setup, teardown),
+         cmocka_unit_test(torture_config_rekey),
-         cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
+         cmocka_unit_test(torture_config_pubkeyacceptedkeytypes),
-                                         setup_no_sshdir, teardown),
+         cmocka_unit_test(torture_config_match_pattern),
-+        cmocka_unit_test_setup_teardown(torture_config_parse_uri,
+        cmocka_unit_test(torture_config_parse_uri),
 +                                        setup, teardown),
     };
-
+ 
-
+ 
 diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
-index 425d7295..8a5505a1 100644
+index d0fdaed1..576ca9cd 100644
 --- a/tests/unittests/torture_options.c
 +++ b/tests/unittests/torture_options.c
-@@ -60,6 +60,20 @@ static void torture_options_set_host(void **state) {
+@@ -59,12 +59,34 @@ static void torture_options_set_host(void **state) {
     assert_non_null(session->opts.host);
     assert_string_equal(session->opts.host, "localhost");
-
+ 
 +    /* IPv4 address */
 +    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
 +    assert_true(rc == 0);
@ -1046,67 +1095,20 @@ index 425d7295..8a5505a1 100644
     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
     assert_true(rc == 0);
     assert_non_null(session->opts.host);
-@@ -67,12 +81,14 @@ static void torture_options_set_host(void **state) {
+     assert_string_equal(session->opts.host, "meditation");
     assert_non_null(session->opts.username);
     assert_string_equal(session->opts.username, "guru");
 +    /* more @ in uri is OK -- it should go to the username */
     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
     assert_true(rc == 0);
     assert_non_null(session->opts.host);
     assert_string_equal(session->opts.host, "hostname");
     assert_non_null(session->opts.username);
     assert_string_equal(session->opts.username, "at@login");
 +
 +    /* more @ in uri is OK -- it should go to the username */
 +    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
 +    assert_true(rc == 0);
 +    assert_non_null(session->opts.host);
 +    assert_string_equal(session->opts.host, "hostname");
 +    assert_non_null(session->opts.username);
 +    assert_string_equal(session->opts.username, "at@login");
 }
-
+ 
 static void torture_options_set_ciphers(void **state) {
--
+-- 
 2.41.0
 diff -up libssh-0.10.4/include/libssh/config_parser.h.CVE-2023-6004.patch libssh-0.10.4/include/libssh/config_parser.h
 --- libssh-0.10.4/include/libssh/config_parser.h.CVE-2023-6004.patch	2024-01-08 19:48:48.964006647 +0100
 +++ libssh-0.10.4/include/libssh/config_parser.h	2024-01-08 19:56:38.850726165 +0100
@@ -47,13 +47,16 @@ int ssh_config_get_yesno(char **str, int
  *                       be stored or NULL if we do not care about the result.
  * @param[out]  port     Pointer to the location, where the new port will
  *                       be stored or NULL if we do not care about the result.
 + * @param[in]   ignore_port Set to true if the we should not attempt to parse
 + *                       port number.
  *
  * @returns     SSH_OK if the provided string is in format of SSH URI,
  *              SSH_ERROR on failure
  */
 int ssh_config_parse_uri(const char *tok,
 -        char **username,
 -        char **hostname,
 -        char **port);
 +                         char **username,
 +                         char **hostname,
 +                         char **port,
 +                         bool ignore_port);
 #endif /* LIBSSH_CONFIG_H_ */
 diff -up libssh-0.10.4/include/libssh/misc.h.CVE-2023-6004.patch libssh-0.10.4/include/libssh/misc.h
 --- libssh-0.10.4/include/libssh/misc.h.CVE-2023-6004.patch	2024-01-08 19:48:07.422589393 +0100
 +++ libssh-0.10.4/include/libssh/misc.h	2024-01-08 19:53:33.830867829 +0100
@@ -99,4 +99,7 @@ int ssh_newline_vis(const char *string,
 int ssh_tmpname(char *template);
 char *ssh_strreplace(const char *src, const char *pattern, const char *repl);
 +
 +int ssh_check_hostname_syntax(const char *hostname);
 +
 #endif /* MISC_H_ */
 diff -up libssh-0.10.4/src/misc.c.CVE-2023-6004.patch libssh-0.10.4/src/misc.c
 --- libssh-0.10.4/src/misc.c.CVE-2023-6004.patch	2024-01-08 19:48:26.779783823 +0100
 +++ libssh-0.10.4/src/misc.c	2024-01-08 19:54:55.209685193 +0100
@@ -96,6 +96,8 @@
 #define ZLIB_STRING ""
 #endif
 +#define ARPA_DOMAIN_MAX_LEN 63
 +
 /**
  * @defgroup libssh_misc The SSH helper functions.
  * @ingroup libssh
--- a/SOURCES/CVE-2023-6918.patch
+++ b/SOURCES/CVE-2023-6918.patch
--- a/SOURCES/auth_bypass.patch
+++ b/SOURCES/auth_bypass.patch
@ -1,7 +1,7 @@
-diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
+diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
--- ../libssh-0.10.4/src/pki_crypto.c	2023-04-27 13:24:03.105744519 +0200
+--- ../libssh-0.9.6/src/pki_crypto.c	2023-04-27 12:59:08.463259052 +0200
-+++ ./src/pki_crypto.c	2023-04-27 13:30:24.016756496 +0200
+++ ./src/pki_crypto.c	2023-04-27 13:05:24.020610873 +0200
-@@ -3186,8 +3186,12 @@
+@@ -2291,8 +2291,12 @@
     unsigned char *raw_sig_data = NULL;
     unsigned int raw_sig_len;
@ -15,7 +15,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
     if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
         signature == NULL || (signature->raw_sig == NULL
-@@ -3202,8 +3206,8 @@
+@@ -2307,8 +2311,8 @@
     }
     /* Check if public key and hash type are compatible */
@ -26,7 +26,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
         return SSH_ERROR;
     }
-@@ -3248,8 +3252,8 @@
+@@ -2351,8 +2355,8 @@
     }
     /* Verify the signature */
@ -37,7 +37,7 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
         SSH_LOG(SSH_LOG_TRACE,
                 "EVP_DigestVerifyInit() failed: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-@@ -3257,32 +3261,30 @@
+@@ -2360,35 +2364,31 @@
     }
 #ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
@ -76,7 +76,11 @@ diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
 -    if (ctx != NULL) {
 -        EVP_MD_CTX_free(ctx);
 -    }
 -    if (pkey != NULL) {
 -        EVP_PKEY_free(pkey);
 -    }
 +    EVP_MD_CTX_free(ctx);
-     EVP_PKEY_free(pkey);
+    EVP_PKEY_free(pkey);
     return rc;
 }
--- a/SOURCES/covscan23.patch
+++ b/SOURCES/covscan23.patch
@ -1,6 +1,6 @@
-diff --color -ru ../libssh-0.10.4/src/buffer.c ./src/buffer.c
+diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
--- ../libssh-0.10.4/src/buffer.c	2023-05-03 12:22:40.304114511 +0200
+--- ../libssh-0.9.6/src/buffer.c	2023-05-03 11:53:48.710217753 +0200
-+++ ./src/buffer.c	2023-05-03 12:24:11.578110236 +0200
+++ ./src/buffer.c	2023-05-03 11:58:21.995200990 +0200
@@ -747,7 +747,8 @@
  */
 int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
@ -11,10 +11,10 @@ diff --color -ru ../libssh-0.10.4/src/buffer.c ./src/buffer.c
         return SSH_ERROR;
     }
-diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
+diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
--- ../libssh-0.10.4/src/gssapi.c	2023-05-03 12:22:40.356115078 +0200
+--- ../libssh-0.9.6/src/gssapi.c	2023-05-03 11:53:48.732217993 +0200
-+++ ./src/gssapi.c	2023-05-03 12:24:11.566110105 +0200
+++ ./src/gssapi.c	2023-05-03 11:58:21.976200782 +0200
-@@ -444,11 +444,18 @@
+@@ -437,11 +437,18 @@
         hexa = ssh_get_hexa(output_token.value, output_token.length);
         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
         SAFE_FREE(hexa);
@ -38,7 +38,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
         ssh_packet_send(session);
     }
-@@ -857,6 +864,7 @@
+@@ -846,6 +853,7 @@
 }
 SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
@ -46,7 +46,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
     ssh_string oid_s;
     gss_uint32 maj_stat, min_stat;
     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
-@@ -908,11 +916,15 @@
+@@ -897,11 +905,15 @@
         hexa = ssh_get_hexa(output_token.value, output_token.length);
         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
         SAFE_FREE(hexa);
@ -67,7 +67,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
         ssh_packet_send(session);
         session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
     }
-@@ -975,6 +987,7 @@
+@@ -963,6 +975,7 @@
 }
 SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
@ -75,7 +75,7 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
     ssh_string token;
     char *hexa;
     OM_uint32 maj_stat, min_stat;
-@@ -1027,11 +1040,15 @@
+@@ -1015,11 +1028,15 @@
         hexa = ssh_get_hexa(output_token.value, output_token.length);
         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
         SAFE_FREE(hexa);
@ -96,10 +96,10 @@ diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
         ssh_packet_send(session);
     }
-diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
+diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
--- ../libssh-0.10.4/src/options.c	2023-05-03 12:22:40.342114926 +0200
+--- ../libssh-0.9.6/src/options.c	2021-08-26 14:27:42.000000000 +0200
-+++ ./src/options.c	2023-05-03 12:24:11.582110280 +0200
+++ ./src/options.c	2023-05-03 11:58:22.000201044 +0200
-@@ -614,7 +614,9 @@
+@@ -547,7 +547,9 @@
                 }
                 i = strtol(q, &p, 10);
                 if (q == p) {
@ -109,7 +109,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
                 }
                 SAFE_FREE(q);
                 if (i <= 0) {
-@@ -816,7 +818,9 @@
+@@ -743,7 +745,9 @@
                 }
                 i = strtol(q, &p, 10);
                 if (q == p) {
@ -119,7 +119,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
                 }
                 SAFE_FREE(q);
                 if (i < 0) {
-@@ -2035,7 +2039,9 @@
+@@ -1818,7 +1822,9 @@
         }
         i = strtol(q, &p, 10);
         if (q == p) {
@ -130,7 +130,7 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
         }
         SAFE_FREE(q);
-@@ -2062,7 +2068,9 @@
+@@ -1845,7 +1851,9 @@
         }
         i = strtol(q, &p, 10);
         if (q == p) {
@ -141,9 +141,9 @@ diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
         }
         SAFE_FREE(q);
-diff --color -ru ../libssh-0.10.4/src/pki_container_openssh.c ./src/pki_container_openssh.c
+diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
--- ../libssh-0.10.4/src/pki_container_openssh.c	2023-05-03 12:22:40.314114620 +0200
+--- ../libssh-0.9.6/src/pki_container_openssh.c	2023-05-03 11:53:48.713217785 +0200
-+++ ./src/pki_container_openssh.c	2023-05-03 12:24:11.566110105 +0200
+++ ./src/pki_container_openssh.c	2023-05-03 11:58:21.976200782 +0200
@@ -630,7 +630,11 @@
             goto error;
         }
@ -157,10 +157,10 @@ diff --color -ru ../libssh-0.10.4/src/pki_container_openssh.c ./src/pki_containe
         kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
         if (kdf_options == NULL){
             SSH_BUFFER_FREE(kdf_buf);
-diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
+diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
--- ../libssh-0.10.4/tests/unittests/torture_options.c	2023-05-03 12:22:40.343114937 +0200
+--- ../libssh-0.9.6/tests/unittests/torture_options.c	2021-08-26 14:27:42.000000000 +0200
-+++ ./tests/unittests/torture_options.c	2023-05-03 12:24:11.587110335 +0200
+++ ./tests/unittests/torture_options.c	2023-05-03 11:59:21.726853027 +0200
-@@ -319,6 +319,7 @@
+@@ -311,6 +311,7 @@
     rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
     assert_true(rc == -1);
@ -168,8 +168,8 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
     rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
     assert_true(rc == -1);
-@@ -1496,6 +1497,26 @@
+@@ -853,6 +854,26 @@
-     ssh_list_free(awaited_list);
+     ssh_free(new);
 }
 +static void torture_options_set_verbosity (void **state)
@ -195,7 +195,7 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
 #ifdef WITH_SERVER
 const char template[] = "temp_dir_XXXXXX";
-@@ -1750,6 +1771,10 @@
+@@ -1107,6 +1128,10 @@
     rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
     assert_int_equal(rc, 0);
     assert_int_equal(bind->bindport, 23);
@ -206,7 +206,7 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
 }
 static void torture_bind_options_log_verbosity(void **state)
-@@ -1799,6 +1824,11 @@
+@@ -1156,6 +1181,11 @@
     new_level = ssh_get_log_level();
     assert_int_equal(new_level, SSH_LOG_PACKET);
@ -218,10 +218,10 @@ diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unit
     rc = ssh_set_log_level(previous_level);
     assert_int_equal(rc, SSH_OK);
 }
-@@ -2297,6 +2327,7 @@
+@@ -1643,6 +1673,7 @@
-         cmocka_unit_test_setup_teardown(torture_options_caret_sign,
+         cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
         cmocka_unit_test_setup_teardown(torture_options_config_match,
                                         setup, teardown),
         cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
 +        cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
     };
--- a/SOURCES/fix_tests.patch
+++ b/SOURCES/fix_tests.patch
@ -0,0 +1,668 @@
 diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
 --- ../libssh-0.9.6/examples/sshnetcat.c	2021-08-26 14:27:42.000000000 +0200
 +++ ./examples/sshnetcat.c	2023-05-02 10:36:00.793381735 +0200
@@ -233,9 +233,10 @@
 }
 void cleanup_pcap(void);
 -void cleanup_pcap(){
 +void cleanup_pcap(void)
 +{
 	ssh_pcap_file_free(pcap);
 -	pcap=NULL;
 +	pcap = NULL;
 }
 #endif
 diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
 --- ../libssh-0.9.6/src/init.c	2021-03-15 08:11:33.000000000 +0100
 +++ ./src/init.c	2023-05-02 10:36:00.793381735 +0200
@@ -269,7 +269,7 @@
  *
  * @see ssh_init()
  */
 -bool is_ssh_initialized() {
 +bool is_ssh_initialized(void) {
     bool is_initialized = false;
 diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
 --- ../libssh-0.9.6/tests/client/torture_auth.c	2021-08-26 14:27:42.000000000 +0200
 +++ ./tests/client/torture_auth.c	2023-05-02 10:36:00.815381960 +0200
@@ -200,7 +200,8 @@
     assert_non_null(ssh_agent_pidfile);
     /* kill agent pid */
 -    torture_terminate_process(ssh_agent_pidfile);
 +    rc = torture_terminate_process(ssh_agent_pidfile);
 +    assert_return_code(rc, errno);
     unlink(ssh_agent_pidfile);
@@ -551,6 +552,7 @@
 static void torture_auth_agent_cert(void **state)
 {
 +#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
     struct torture_state *s = *state;
     ssh_session session = s->ssh.session;
     int rc;
@@ -570,6 +572,7 @@
                              "ssh-rsa-cert-v01@openssh.com");
         assert_int_equal(rc, SSH_OK);
     }
 +#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
     /* Setup loads a different key, tests are exactly the same. */
     torture_auth_agent(state);
@@ -577,6 +580,7 @@
 static void torture_auth_agent_cert_nonblocking(void **state)
 {
 +#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
     struct torture_state *s = *state;
     ssh_session session = s->ssh.session;
     int rc;
@@ -596,6 +600,7 @@
                              "ssh-rsa-cert-v01@openssh.com");
         assert_int_equal(rc, SSH_OK);
     }
 +#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
     torture_auth_agent_nonblocking(state);
 }
 diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
 --- ../libssh-0.9.6/tests/client/torture_rekey.c	2023-04-28 17:26:41.472315318 +0200
 +++ ./tests/client/torture_rekey.c	2023-05-02 10:36:00.805381857 +0200
@@ -38,6 +38,8 @@
 #include <fcntl.h>
 #include <pwd.h>
 +#define KEX_RETRY 32
 +
 static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
 static int sshd_setup(void **state)
@@ -190,10 +192,11 @@
     rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
     assert_int_equal(rc, SSH_AUTH_SUCCESS);
 -    /* send ignore packets of up to 1KB to trigger rekey */
 +    /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
 +     * to make sure it completes with all different ciphers */
     memset(data, 0, sizeof(data));
     memset(data, 'A', 128);
 -    for (i = 0; i < 16; i++) {
 +    for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
         ssh_handle_packets(s->ssh.session, 50);
     }
@@ -496,9 +499,15 @@
      * to make sure the rekey it completes with all different ciphers (paddings */
     memset(data, 0, sizeof(data));
     memset(data, 'A', 128);
 -    for (i = 0; i < 20; i++) {
 +    for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 50);
 +        ssh_handle_packets(s->ssh.session, 100);
 +
 +        c = s->ssh.session->current_crypto;
 +        /* SHA256 len */
 +        if (c->digest_len != 32) {
 +            break;
 +        }
     }
     /* The rekey limit was restored in the new crypto to the same value */
@@ -568,9 +577,15 @@
      * to make sure the rekey it completes with all different ciphers (paddings */
     memset(data, 0, sizeof(data));
     memset(data, 'A', 128);
 -    for (i = 0; i < 25; i++) {
 +    for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 50);
 +        ssh_handle_packets(s->ssh.session, 100);
 +
 +        c = s->ssh.session->current_crypto;
 +        /* SHA256 len */
 +        if (c->digest_len != 32) {
 +            break;
 +        }
     }
     /* Check that the secret hash is different than initially */
 diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
 --- ../libssh-0.9.6/tests/CMakeLists.txt	2021-08-26 14:27:42.000000000 +0200
 +++ ./tests/CMakeLists.txt	2023-05-02 10:32:03.964511860 +0200
@@ -153,6 +153,17 @@
         execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
     endif()
 +    find_program(TIMEOUT_EXECUTABLE
 +                 NAME
 +                    timeout
 +                 PATHS
 +                    /bin
 +                    /usr/bin
 +                    /usr/local/bin)
 +    if (TIMEOUT_EXECUTABLE)
 +        set(WITH_TIMEOUT "1")
 +    endif()
 +
     # chroot_wrapper
     add_library(chroot_wrapper SHARED chroot_wrapper.c)
     set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
 diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
 --- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c	2021-03-15 08:11:33.000000000 +0100
 +++ ./tests/pkd/pkd_keyutil.c	2023-05-02 10:36:00.793381735 +0200
@@ -22,7 +22,7 @@
 #include "pkd_keyutil.h"
 #include "pkd_util.h"
 -void setup_rsa_key() {
 +void setup_rsa_key(void) {
     int rc = 0;
     if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
@@ -31,7 +31,7 @@
     assert_int_equal(rc, 0);
 }
 -void setup_ed25519_key() {
 +void setup_ed25519_key(void) {
     int rc = 0;
     if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
@@ -41,7 +41,7 @@
 }
 #ifdef HAVE_DSA
 -void setup_dsa_key() {
 +void setup_dsa_key(void) {
     int rc = 0;
     if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
         rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
@@ -51,7 +51,7 @@
 }
 #endif
 -void setup_ecdsa_keys() {
 +void setup_ecdsa_keys(void) {
     int rc = 0;
     if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
@@ -71,27 +71,27 @@
     }
 }
 -void cleanup_rsa_key() {
 +void cleanup_rsa_key(void) {
     cleanup_key(LIBSSH_RSA_TESTKEY);
 }
 -void cleanup_ed25519_key() {
 +void cleanup_ed25519_key(void) {
     cleanup_key(LIBSSH_ED25519_TESTKEY);
 }
 #ifdef HAVE_DSA
 -void cleanup_dsa_key() {
 +void cleanup_dsa_key(void) {
     cleanup_key(LIBSSH_DSA_TESTKEY);
 }
 #endif
 -void cleanup_ecdsa_keys() {
 +void cleanup_ecdsa_keys(void) {
     cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
     cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
     cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
 }
 -void setup_openssh_client_keys() {
 +void setup_openssh_client_keys(void) {
     int rc = 0;
     if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
@@ -184,7 +184,7 @@
     }
 }
 -void cleanup_openssh_client_keys() {
 +void cleanup_openssh_client_keys(void) {
     cleanup_key(OPENSSH_CA_TESTKEY);
     cleanup_key(OPENSSH_RSA_TESTKEY);
     cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
@@ -199,7 +199,7 @@
     }
 }
 -void setup_dropbear_client_rsa_key() {
 +void setup_dropbear_client_rsa_key(void) {
     int rc = 0;
     if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
         rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
@@ -208,6 +208,6 @@
     assert_int_equal(rc, 0);
 }
 -void cleanup_dropbear_client_rsa_key() {
 +void cleanup_dropbear_client_rsa_key(void) {
     unlink(DROPBEAR_RSA_TESTKEY);
 }
 diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
 --- ../libssh-0.9.6/tests/server/torture_server_config.c	2021-08-26 14:27:42.000000000 +0200
 +++ ./tests/server/torture_server_config.c	2023-05-02 10:36:00.815381960 +0200
@@ -285,9 +285,7 @@
     assert_non_null(s);
     rc = torture_terminate_process(s->srv_pidfile);
 -    if (rc != 0) {
 -        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
 -    }
 +    assert_return_code(rc, errno);
     unlink(s->srv_pidfile);
@@ -513,6 +511,12 @@
         /* Try each algorithm individually */
         j = 0;
         while(tokens->tokens[j] != NULL) {
 +            char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
 +            if (cmp == NULL) {
 +                /* This cipher is not supported by the OpenSSH. Skip it */
 +                j++;
 +                continue;
 +            }
             snprintf(config_content,
                     sizeof(config_content),
                     "HostKey %s\nCiphers %s\n",
 diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
 --- ../libssh-0.9.6/tests/tests_config.h.cmake	2021-08-26 14:27:42.000000000 +0200
 +++ ./tests/tests_config.h.cmake	2023-05-02 10:32:03.964511860 +0200
@@ -66,4 +66,6 @@
 #cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
 #cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
 -#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
 \ No newline at end of file
 +#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
 +#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
 +#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
 diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
 --- ../libssh-0.9.6/tests/torture.c	2021-08-26 14:27:44.000000000 +0200
 +++ ./tests/torture.c	2023-05-02 10:36:00.815381960 +0200
@@ -51,6 +51,7 @@
 #include "torture.h"
 #include "torture_key.h"
 #include "libssh/misc.h"
 +#include "libssh/token.h"
 #define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
 /* socket wrapper IPv6 prefix  fd00::5357:5fxx */
@@ -250,8 +251,12 @@
         rc = kill(pid, 0);
         if (rc != 0) {
 -            is_running = 0;
 -            break;
 +            /* Process not found */
 +            if (errno == ESRCH) {
 +                is_running = 0;
 +                rc = 0;
 +                break;
 +            }
         }
     }
@@ -260,7 +265,7 @@
                 "WARNING: The process with pid %u is still running!\n", pid);
     }
 -    return 0;
 +    return rc;
 }
 ssh_session torture_ssh_session(struct torture_state *s,
@@ -611,6 +616,112 @@
     *state = s;
 }
 +/**
 + * @brief Create a libssh server configuration file
 + *
 + * It is expected the socket directory to be already created before by calling
 + * torture_setup_socket_dir().  The created configuration file will be stored in
 + * the socket directory and the srv_config pointer in the state will be
 + * initialized.
 + *
 + * @param[in] state A pointer to a pointer to an initialized torture_state
 + *                  structure
 + */
 +void torture_setup_create_libssh_config(void **state)
 +{
 +    struct torture_state *s = *state;
 +    char ed25519_hostkey[1024] = {0};
 +#ifdef HAVE_DSA
 +    char dsa_hostkey[1024];
 +#endif /* HAVE_DSA */
 +    char rsa_hostkey[1024];
 +    char ecdsa_hostkey[1024];
 +    char sshd_config[2048];
 +    char sshd_path[1024];
 +    const char *additional_config = NULL;
 +    struct stat sb;
 +    const char config_string[]=
 +             "LogLevel DEBUG3\n"
 +             "Port 22\n"
 +             "ListenAddress 127.0.0.10\n"
 +             "%s %s\n"
 +             "%s %s\n"
 +             "%s %s\n"
 +#ifdef HAVE_DSA
 +             "%s %s\n"
 +#endif /* HAVE_DSA */
 +             "%s\n"; /* The space for test-specific options */
 +    bool written = false;
 +    int rc;
 +
 +    assert_non_null(s->socket_dir);
 +
 +    snprintf(sshd_path,
 +             sizeof(sshd_path),
 +             "%s/sshd",
 +             s->socket_dir);
 +
 +    rc = lstat(sshd_path, &sb);
 +    if (rc == 0 ) { /* The directory is already in place */
 +        written = true;
 +    }
 +
 +    if (!written) {
 +        rc = mkdir(sshd_path, 0755);
 +        assert_return_code(rc, errno);
 +    }
 +
 +    snprintf(ed25519_hostkey,
 +             sizeof(ed25519_hostkey),
 +             "%s/sshd/ssh_host_ed25519_key",
 +             s->socket_dir);
 +
 +    snprintf(rsa_hostkey,
 +             sizeof(rsa_hostkey),
 +             "%s/sshd/ssh_host_rsa_key",
 +             s->socket_dir);
 +
 +    snprintf(ecdsa_hostkey,
 +             sizeof(ecdsa_hostkey),
 +             "%s/sshd/ssh_host_ecdsa_key",
 +             s->socket_dir);
 +
 +#ifdef HAVE_DSA
 +    snprintf(dsa_hostkey,
 +             sizeof(dsa_hostkey),
 +             "%s/sshd/ssh_host_dsa_key",
 +             s->socket_dir);
 +#endif /* HAVE_DSA */
 +
 +    if (!written) {
 +        torture_write_file(ed25519_hostkey,
 +                           torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
 +        torture_write_file(rsa_hostkey,
 +                           torture_get_testkey(SSH_KEYTYPE_RSA, 0));
 +        torture_write_file(ecdsa_hostkey,
 +                           torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
 +#ifdef HAVE_DSA
 +        torture_write_file(dsa_hostkey,
 +                           torture_get_testkey(SSH_KEYTYPE_DSS, 0));
 +#endif /* HAVE_DSA */
 +    }
 +
 +    additional_config = (s->srv_additional_config != NULL ?
 +                         s->srv_additional_config : "");
 +
 +    snprintf(sshd_config, sizeof(sshd_config),
 +            config_string,
 +            "HostKey", ed25519_hostkey,
 +            "HostKey", rsa_hostkey,
 +            "HostKey", ecdsa_hostkey,
 +#ifdef HAVE_DSA
 +            "HostKey", dsa_hostkey,
 +#endif /* HAVE_DSA */
 +            additional_config);
 +
 +    torture_write_file(s->srv_config, sshd_config);
 +}
 +
 static void torture_setup_create_sshd_config(void **state, bool pam)
 {
     struct torture_state *s = *state;
@@ -856,21 +967,140 @@
     return 1;
 }
 -void torture_setup_sshd_server(void **state, bool pam)
 +/**
 + * @brief Run a libssh based server under timeout.
 + *
 + * It is expected that the socket directory and libssh configuration file were
 + * already created before by calling torture_setup_socket_dir() and
 + * torture_setup_create_libssh_config() (or alternatively setup the state with
 + * the correct values).
 + *
 + * @param[in] state The content of the address pointed by this variable must be
 + *                  a pointer to an initialized instance of torture_state
 + *                  structure; it can be obtained by calling
 + *                  torture_setup_socket_dir() and
 + *                  torture_setup_create_libssh_config().
 + * @param[in] server_path  The path to the server executable.
 + *
 + * @note This function will use the state->srv_additional_config field as
 + * additional command line option used when starting the server instead of extra
 + * configuration file options.
 + * */
 +void torture_setup_libssh_server(void **state, const char *server_path)
 {
     struct torture_state *s;
 -    char sshd_start_cmd[1024];
 +    char start_cmd[1024];
 +    char timeout_cmd[512];
 +    char env[1024];
 +    char extra_options[1024];
     int rc;
 +    char *ld_preload = NULL;
 +    const char *force_fips = NULL;
 -    torture_setup_socket_dir(state);
 -    torture_setup_create_sshd_config(state, pam);
 +    struct ssh_tokens_st *env_tokens;
 +    struct ssh_tokens_st *arg_tokens;
 +
 +    pid_t pid;
 +    ssize_t printed;
 +
 +    s = *state;
 +
 +    /* Get all the wrapper libraries to be pre-loaded */
 +    ld_preload = getenv("LD_PRELOAD");
 +
 +    if (s->srv_additional_config != NULL) {
 +        printed = snprintf(extra_options, sizeof(extra_options), " %s ",
 +                           s->srv_additional_config);
 +        if (printed < 0) {
 +            fail_msg("Failed to print additional config!");
 +        }
 +    } else {
 +        printed = snprintf(extra_options, sizeof(extra_options), " ");
 +        if (printed < 0) {
 +            fail_msg("Failed to print empty additional config!");
 +        }
 +    }
 +
 +    if (ssh_fips_mode()) {
 +        force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
 +    } else {
 +        force_fips = "";
 +    }
 +
 +    /* Write the environment setting */
 +    printed = snprintf(env, sizeof(env),
 +                       "SOCKET_WRAPPER_DIR=%s "
 +                       "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
 +                       "LD_PRELOAD=%s "
 +                       "%s",
 +                       s->socket_dir, ld_preload, force_fips);
 +    if (printed < 0) {
 +        fail_msg("Failed to print env!");
 +    }
 +
 +#ifdef WITH_TIMEOUT
 +    snprintf(timeout_cmd, sizeof(timeout_cmd),
 +             "%s %s ", TIMEOUT_EXECUTABLE, "5m");
 +#else
 +    timeout_cmd[0] = '\0';
 +#endif
 +
 +    /* Write the start command */
 +    printed = snprintf(start_cmd, sizeof(start_cmd),
 +                       "%s"
 +                       "%s -f%s -v4 -p22 -i%s -C%s%s%s",
 +                       timeout_cmd,
 +                       server_path, s->pcap_file, s->srv_pidfile,
 +                       s->srv_config, extra_options, TORTURE_SSH_SERVER);
 +    if (printed < 0) {
 +        fail_msg("Failed to print start command!");
 +    }
 +
 +    pid = fork();
 +    switch(pid) {
 +    case 0:
 +        env_tokens = ssh_tokenize(env, ' ');
 +        if (env_tokens == NULL || env_tokens->tokens == NULL) {
 +            fail_msg("Failed to tokenize env!");
 +        }
 +
 +        arg_tokens = ssh_tokenize(start_cmd, ' ');
 +        if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
 +            ssh_tokens_free(env_tokens);
 +            fail_msg("Failed to tokenize args!");
 +        }
 +
 +        rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
 +                    (char **)env_tokens->tokens);
 +
 +        /* execve returns only in case of error */
 +        ssh_tokens_free(env_tokens);
 +        ssh_tokens_free(arg_tokens);
 +        fail_msg("Error in execve: %s", strerror(errno));
 +    case -1:
 +        fail_msg("Failed to fork!");
 +    default:
 +        /* The parent continues the execution of the tests */
 +        setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
 +        unsetenv("PAM_WRAPPER");
 +
 +        /* Wait until the server is ready to accept connections */
 +        rc = torture_wait_for_daemon(15);
 +        assert_int_equal(rc, 0);
 +        break;
 +    }
 +}
 +
 +static int torture_start_sshd_server(void **state)
 +{
 +    struct torture_state *s = *state;
 +    char sshd_start_cmd[1024];
 +    int rc;
     /* Set the default interface for the server */
     setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
     setenv("PAM_WRAPPER", "1", 1);
 -    s = *state;
 -
     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
              SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
              s->srv_config, s->socket_dir, s->socket_dir);
@@ -882,7 +1112,20 @@
     unsetenv("PAM_WRAPPER");
     /* Wait until the sshd is ready to accept connections */
 -    rc = torture_wait_for_daemon(5);
 +    rc = torture_wait_for_daemon(15);
 +    assert_int_equal(rc, 0);
 +
 +    return SSH_OK;
 +}
 +
 +void torture_setup_sshd_server(void **state, bool pam)
 +{
 +    int rc;
 +
 +    torture_setup_socket_dir(state);
 +    torture_setup_create_sshd_config(state, pam);
 +
 +    rc = torture_start_sshd_server(state);
     assert_int_equal(rc, 0);
 }
@@ -922,29 +1165,12 @@
 torture_reload_sshd_server(void **state)
 {
     struct torture_state *s = *state;
 -    pid_t pid;
     int rc;
 -    /* read the pidfile */
 -    pid = torture_read_pidfile(s->srv_pidfile);
 -    assert_int_not_equal(pid, -1);
 -
 -    kill(pid, SIGHUP);
 -
 -    /* 10 ms */
 -    usleep(10 * 1000);
 -
 -    rc = kill(pid, 0);
 -    if (rc != 0) {
 -        fprintf(stderr,
 -                "ERROR: SSHD process %u died during reload!\n", pid);
 -        return SSH_ERROR;
 -    }
 +    rc = torture_terminate_process(s->srv_pidfile);
 +    assert_return_code(rc, errno);
 -    /* Wait until the sshd is ready to accept connections */
 -    rc = torture_wait_for_daemon(5);
 -    assert_int_equal(rc, 0);
 -    return SSH_OK;
 +    return torture_start_sshd_server(state);
 }
 /* @brief: Updates SSHD server configuration with more options and
@@ -980,9 +1206,7 @@
     int rc;
     rc = torture_terminate_process(s->srv_pidfile);
 -    if (rc != 0) {
 -        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
 -    }
 +    assert_return_code(rc, errno);
     torture_teardown_socket_dir(state);
 }
 diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
 --- ../libssh-0.9.6/tests/torture.h	2021-08-26 14:27:44.000000000 +0200
 +++ ./tests/torture.h	2023-05-02 10:32:03.964511860 +0200
@@ -132,6 +132,10 @@
 void torture_reset_config(ssh_session session);
 +void torture_setup_create_libssh_config(void **state);
 +
 +void torture_setup_libssh_server(void **state, const char *server_path);
 +
 /*
  * This function must be defined in every unit test file.
  */
--- a/SOURCES/libssh-0.9.6.tar.xz.asc
+++ b/SOURCES/libssh-0.9.6.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
 Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
 3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
 bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
 ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
 KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
 VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
 +W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
 zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
 1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
 TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
 o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
 =cO0k
 -----END PGP SIGNATURE-----
--- a/SOURCES/libssh_client.config
+++ b/SOURCES/libssh_client.config
--- a/SOURCES/libssh_server.config
+++ b/SOURCES/libssh_server.config
--- a/SOURCES/loglevel.patch
+++ b/SOURCES/loglevel.patch
--- a/SOURCES/null_dereference_rekey.patch
+++ b/SOURCES/null_dereference_rekey.patch
--- a/SOURCES/s390x_fix.patch
+++ b/SOURCES/s390x_fix.patch
@ -0,0 +1,19 @@
 diff --git a/src/packet.c b/src/packet.c
 index ec4a7203..a81eb8e3 100644
 --- a/src/packet.c
 +++ b/src/packet.c
@@ -1752,10 +1752,12 @@ static bool
 ssh_packet_in_rekey(ssh_session session)
 {
     /* We know we are rekeying if we are authenticated and the DH
 -     * status is not finished
 +     * status is not finished, but we only queue packets until we've
 +     * sent our NEWKEYS.
      */
     return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
 -           (session->dh_handshake_state != DH_STATE_FINISHED);
 +           (session->dh_handshake_state != DH_STATE_FINISHED) &&
 +           (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
 }
 int ssh_packet_send(ssh_session session)
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@ -1,61 +1,54 @@
 Name:           libssh
-Version:        0.10.4
+Version:        0.9.6
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
-Source0:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
+Source0:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
+Source1:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
 Patch0:         loglevel.patch
 Patch1:         s390x_fix.patch
 Patch2:         null_dereference_rekey.patch
 Patch3:         auth_bypass.patch
 Patch4:         fix_tests.patch
 Patch5:         covscan23.patch
 Patch6:         CVE-2023-48795.patch
 Patch7:         CVE-2023-6004.patch
 Patch8:         CVE-2023-6918.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 BuildRequires:  gcc-c++
 BuildRequires:  gnupg2
 BuildRequires:  openssl-devel
 BuildRequires:  openssl-pkcs11
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libcmocka-devel
 BuildRequires:  openssh-clients
 BuildRequires:  openssh-server
 BuildRequires:  pam_wrapper
 BuildRequires:  socket_wrapper
 BuildRequires:  nss_wrapper
 BuildRequires:  uid_wrapper
 BuildRequires:  openssh-clients
 BuildRequires:  openssh-server
 BuildRequires:  nmap-ncat
 BuildRequires:  softhsm
 BuildRequires:  gnutls-utils
 Requires:       %{name}-config = %{version}-%{release}
 Requires:       crypto-policies
 Requires:       %{name}-config = %{version}-%{release}
 %ifarch aarch64 ppc64 ppc64le s390x x86_64
 Provides: libssh_threads.so()(64bit)
 Provides: libssh_threads.so.4()(64bit)
 %else
 Provides: libssh_threads.so
 Provides: libssh_threads.so.4
 %endif
 Patch1: coverity_scan.patch
 Patch2: pkcs11_test_fix.patch
 Patch3: loglevel.patch
 Patch4: plus_sign.patch
 Patch5: memory_leak.patch
 Patch6: options_apply.patch
 Patch7: enable_sk_keys_by_config.patch
 Patch8: null_dereference_rekey.patch
 Patch9: auth_bypass.patch
 Patch10: covscan23.patch
 Patch11: rekey_test_fixup.patch
 Patch12: covscan23_1.patch
 Patch13: CVE-2023-6004.patch
 Patch14: CVE-2023-48795.patch
 Patch15: CVE-2023-6918.patch
 Patch16: escape-brackets-in-proxycommand.patch
 %description
 The ssh library was designed to be used by programmers needing a working SSH
 implementation by the mean of a library. The complete control of the client is
@ -75,7 +68,7 @@ applications that use %{name}.
 %package config
 Summary:        Configuration files for %{name}
 BuildArch:      noarch
-Obsoletes:      %{name} < 0.9.0-3
+Obsoletes:      %{name} < 0.9.0-1
 %description config
 The %{name}-config package provides the default configuration files for %{name}.
@ -85,18 +78,26 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %autosetup -p1
 %build
-%cmake \
+if test ! -e "obj"; then
  mkdir obj
 fi
 pushd obj
 %cmake .. \
    -DUNIT_TESTING=ON \
    -DCLIENT_TESTING=ON \
    -DSERVER_TESTING=ON \
    -DWITH_PKCS11_URI=ON \
    -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
    -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
-%cmake_build
+
 %make_build VERBOSE=1
 make docs
 popd
 %install
-%cmake_install
+make DESTDIR=%{buildroot} install/fast -C obj
 install -d -m755 %{buildroot}%{_sysconfdir}/libssh
 install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
 install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
@ -108,7 +109,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
 # requiring it to continue working.
 #
 pushd %{buildroot}%{_libdir}
-for i in libssh.so*;
+for i in libssh.so.4*;
 do
    _target="${i}"
    _link_name="${i%libssh*}libssh_threads${i##*libssh}"
@ -122,24 +123,24 @@ popd
 %ldconfig_scriptlets
 %check
-# Tests are randomly failing when run in parallel
+pushd obj
-%global _smp_build_ncpus 1
+ctest --output-on-failure
-%ctest
+popd
 %files
-%doc AUTHORS BSD CHANGELOG README
+%doc AUTHORS BSD ChangeLog README
 %license COPYING
 %{_libdir}/libssh.so.4*
 %{_libdir}/libssh_threads.so.4*
 %files devel
 %doc obj/doc/html
 %{_includedir}/libssh/
 # own this to avoid dep on cmake -- rex
 %dir  %{_libdir}/cmake/
 %{_libdir}/cmake/libssh/
 %{_libdir}/pkgconfig/libssh.pc
 %{_libdir}/libssh.so
 %{_libdir}/libssh_threads.so
 %files config
 %attr(0755,root,root) %dir %{_sysconfdir}/libssh
@ -147,233 +148,168 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 %changelog
-* Mon Feb 19 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-13
+* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
 - Bump up the version so that the version in 9.3 is lower.
 - Resolves: RHEL-19310, RHEL-19691, RHEL-17245
 * Tue Jan 09 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-12
 - Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
 - Fix CVE-2023-6918 Missing checks for return values for digests
 - Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
  of malicious code through hostname
- Resolves: RHEL-19310, RHEL-19691, RHEL-17245
+- Note: version is bumped from 12 to 14 directly, as the z-stream
  version in 8.9 also has 13. So bumping it to 14, will prevent
  upgrade conflicts.
 - Resolves:RHEL-19690, RHEL-17244, RHEL-19312
-* Wed Jun 21 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-11
+* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
 - Fix loglevel regression
- Related: rhbz#2182252, rhbz#2189740
+- Related: rhbz#2182251, rhbz#2189742
-* Mon May 22 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4.10
+* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
- Fix null dereference issues found by covscan
+- .fmf/version is needed to run the tests
- Related: rhbz#2182252, rhbz#2189740
+- Related: rhbz#2182251, rhbz#2189742
-* Wed May 10 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-9
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
- Fix CVE-2023-1667 and CVE-2023-2283
+- Add missing ci.fmf file
- Fix issues found by cosvcan
+- Related: rhbz#2182251, rhbz#2189742
 - Resolves: rhbz#2182252, rhbz#2189740
-* Mon Jan 23 2023 Stanislav Zidek <szidek@redhat.com> - 0.10.4-8
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
-+ libssh-0.10.4-8
+- Fix covscan errors found at gating
- Extended CI to run internal tests in RHEL
+- Related: rhbz#2182251, rhbz#2189742
 - Related: rhbz#2160080
-* Wed Jan 4 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-7
+* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
- Add sk-keys to configuration parsing allowing to turn on-off by config
+- Backport test fixing commits to make the build pass
- Related: rhbz#2026449
+- Related: rhbz#2182251, rhbz#2189742
-* Thu Dec 1 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-6
+* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
- Fix covscan error
+- Fix NULL dereference during rekeying with algorithm guessing
- Remove unwanted test with yet unimplemented feature
+  GHSL-2023-032 / CVE-2023-1667
- Related: rhbz#2137839, rhbz#2136824
+- Fix possible authentication bypass
  GHSL 2023-085 / CVE-2023-2283
 - Resolves: rhbz#2182251, rhbz#2189742
-* Thu Dec 01 2022 Stanislav Zidek <szidek@redhat.com> - 0.10.4-5
+* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
-+ libssh-0.10.4-5
+- Enable client and server testing build time
- Fixed CI configuration due to TMT changes
+- Fix failing rekey test on arch s390x
 - Resolves: rhbz#2126342
-* Wed Nov 30 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-4
+* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
- Move loglevel closer to openssh loglevel
+- Fix CI configuration for new TMT
- Add openssh config feature of +,-,^ for algorithm lists
+- Resolves: rhbz#2149910
 - Fix memory leaks of bignum
 - Prevent multiple expansion of escape characters
 - Resolves: rhbz#2132407, rhbz#2137839, rhbz#2144795, rhbz#2136824
-* Tue Oct 4 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-3
+* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
- Enable pkcs11 support
+- Make VERBOSE and lower log levels less verbose
- Fix broken libsofthsm path on i686
+- Resolves: rhbz#2091512
 - Add missing bugzilla references from the rebase commit
 - Related: rhbz#2026449
 - Resolves: rhbz#1977913, rhbz#1975500
-* Tue Sep 27 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
+* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
- Fix coverity scan issues
+- Remove STI tests
 - Resolves: rhbz#2130126
-* Mon Sep 19 2022 Norbert pocs <npocs@redhat.com> - 0.10.4-1
+* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
- Rebase to version 0.10.4
+- Remove bad patch causing errors
- Add pkcs11 support
+- Adding BuildRequires for openssh (SSHD support)
 - Disallow ssh-rsa key in FIPS mode
 - Fix openssl KDF check at build
 - ChangeLog was renamed to CHANGELOG
 - Resolves: rhbz#2068475, rhbz#2026449, rhbz#2004021,
            rhbz#1977913, rhbz#1975500
-* Fri Nov 12 2021 Stanislav Zidek <szidek@redhat.com> - 0.9.6-3
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
-+ libssh-0.9.6-3
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
- Disabled gating on osci.brew-build.revdeps.integration
+  rekeying with different key exchange mechanism
  Related: rhbz#2022034
 * Thu Nov 11 2021 Stanislav Zidek <szidek@redhat.com> - 0.9.6-2
 - STI, FMF, and gating fixes
  Resolves: rhbz#2022034
 * Tue Oct 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
 - Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
  overflow when rekeying
 - Fix static analyzer issues in rhbz#1938795
 - Rebase to version 0.9.6
- Resolves: rhbz#1994607, rhbz#1938795, rhbz#2009669
+- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
 - Resolves: rhbz#1896651, rhbz#1994600
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-6
+* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Revert previous commit as it is incorrect.
  Related: rhbz#1991688
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-5
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
- Rebuilt for RHEL 9 BETA for openssl 3.0
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
-  Related: rhbz#1971065
+  rekeying with different key exchange mechanism (#1978810)
-* Tue Apr 27 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
+* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
- Change crypto-policies from recommends to requires
+- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
-  Resolves: rhbz#1947863
+  ssh_buffer_new returns NULL (#1862646)
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.9.5-3
+* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Do not return error when server properly closed the channel (#1849071)
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
 - Update to version 0.9.5
  https://www.libssh.org/2020/09/10/libssh-0-9-5/
 - Removed patch to re-enable algorithms using sha1 in sshd for testing
 - The algorithms supported by sshd are now automatically detected for testing
 - Resolves: #1862457 - CVE-2020-16135
 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
 - Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
 - Do not return error when server properly closed the channel (#1849069)
 - Add a test for CVE-2019-14889
 - Do not parse configuration file in torture_knownhosts test
-* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
+* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
 - Added patch to fix returned version
 * Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
 - Update to version 0.9.4
  https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
 - Fixed CVE-2019-14889 (#1781782)
 - Fixed CVE-2020-1730 (#1802422)
 - Create missing directories in the path provided for known_hosts files (#1733914)
 - Removed inclusion of OpenSSH server configuration file from
-  libssh_server.config
+  libssh_server.config (#1821339)
 - Added patch to re-enable algorithms using sha1 in sshd for testing
 - resolves: #1822529 - CVE-2020-1730
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
+* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
-* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
+* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
 - Update to version 0.9.3
 - resolves: #1781780 - Fixes CVE-2019-14889
 * Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
 - Upate to version 0.9.2
 - resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
 - Add Obsoletes in libssh-config to avoid conflict with old libssh which
  installed the configuration files.
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
 - Eliminate circular dependency with libssh-config subpackage
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
 - Provide the configuration files in a separate libssh-config subpackage
 * Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
 - Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
 * Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
 - Fixed Release number to released format
 * Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
 - Update to version 0.9.0
  https://www.libssh.org/2019/06/28/libssh-0-9-0/
 - Added explicit Requires for crypto-policies
 - Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
 - Provide the configuration files in a separate libssh-config subpackage
-* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
+* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
 - Update to 0.9.0 pre release version (0.8.91)
 - Added default configuration files for client and server
- Follow system-wide crypto configuration (crypto-policies)
+- Removed unused patch files left behind
- Added Recommends for crypto-policies
+- Fixed issues found to run upstream test suite with SELinux
 - Use OpenSSL implementation for KDF, DH, and signatures.
 - Detect FIPS mode and use only allowed algorithms
 - Run client and server tests during build
-* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
+* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
- Update to version 0.8.7
+- Fix more regressions introduced by the fixes for CVE-2018-10933
  https://www.libssh.org/2019/02/25/libssh-0-8-7/
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
+* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
 - Fix rsa-sha2 extension handling (#1666342)
 * Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
 - Update to version 0.8.6
  https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
 * Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
 - Update to version 0.8.5
-  https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
+  * Fixed an issue where global known_hosts file was ignored (#1649321)
  * Fixed ssh_get_fd() to return writable file descriptor (#1649319)
  * Fixed regression introduced in known_hosts parsing (#1649315)
  * Fixed a regression which caused only the first algorithm in known_hosts to
    be considered (#1638790)
-* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
+* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
- Update to version 0.8.4
+- Fix regressions introduced by the fixes for CVE-2018-10933
  https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
 - Fixes CVE-2018-10933
-* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
+* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
- Fixed errors found by static code analysis
+- Fix for authentication bypass issue in server implementation (#1639926)
-* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
+* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
- Add missing libssh_threads.so link to libssh-devel package
+- Fixed errors found by static code analysis (#1602594)
-* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
+* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
 - Update to version 0.8.3
-  https://www.libssh.org/2018/09/21/libssh-0-8-3/
+  * Added support for rsa-sha2 (#1610882)
  * Added support to parse private keys in openssh container format (other than
    ed25519) (#1622983)
  * Added support for diffie-hellman-group18-sha512 and
    diffie-hellman-group16-sha512 (#1610885)
  * Added ssh_get_fingerprint_hash()
  * Added ssh_pki_export_privkey_base64()
  * Added support for Match keyword in config file
  * Improved performance and reduced memory footprint for sftp
  * Fixed ecdsa publickey auth
  * Fixed reading a closed channel
  * Added support to announce posix-rename@openssh.com and hardlink@openssh.com
    in the sftp server
  * Use -fstack-protector-strong if possible (#1624135)
-* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
- Update to version 0.8.2
+- Fix the creation of symbolic links for libssh_threads.so.4
  https://www.libssh.org/2018/08/30/libssh-0-8-2
-* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
- Fix link creation or RPM doesn't install it
+- Add missing Provides for libssh_threads.so.4
-* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
+* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
 - Add missing so version for libssh_threads.so.4
 * Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
 - Add Provides for libssh_threads.so to unbreak applications
 - Fix ABIMap detection to not depend on python to build
 * Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
 - Update to version 0.8.1
-  https://www.libssh.org/2018/08/13/libssh-0-8-1
+  https://www.libssh.org/2018/08/13/libssh-0-8-1/
 - resolves: #1615248 - pkg-config --modversion
 - resolves: #1615132 - library initialization
 * Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
 - Update to version 0.8.0
@ -387,6 +323,7 @@ popd
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 - Related: bug#1614611
 * Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
 - resolves: #1540021 - Build against OpenSSL 1.1
--- a/ci.fmf
+++ b/ci.fmf
@ -1,16 +0,0 @@
 summary: Upstreamed tier tests
 discover:
  # upstreamed tests (public)
  - how: fmf
    url: https://gitlab.com/redhat-crypto/tests/libssh.git
    filter: 'tier: 0,1,2,3'
 execute:
  how: tmt
 adjust:
  # discover step adjustments
  - when: distro = rhel
    discover+:
      # internal tests
      - how: fmf
        url: git://pkgs.devel.redhat.com/tests/libssh
        filter: 'tier: 0,1,2,3'
--- a/coverity_scan.patch
+++ b/coverity_scan.patch
@ -1,23 +0,0 @@
 diff --git a/src/dh_crypto.c b/src/dh_crypto.c
 index a847c6a2..1eb94307 100644
 --- a/src/dh_crypto.c
 +++ b/src/dh_crypto.c
@@ -341,8 +341,16 @@ int ssh_dh_set_parameters(struct dh_ctx *ctx,
             goto done;
         }
 -        OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
 -        OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
 +        rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, modulus);
 +        if (rc != 1) {
 +            rc = SSH_ERROR;
 +            goto done;
 +        }
 +        rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, generator);
 +        if (rc != 1) {
 +            rc = SSH_ERROR;
 +            goto done;
 +        }
         params = OSSL_PARAM_BLD_to_param(param_bld);
         if (params == NULL) {
             OSSL_PARAM_BLD_free(param_bld);
--- a/covscan23_1.patch
+++ b/covscan23_1.patch
@ -1,57 +0,0 @@
 File ../libssh-0.10.4/.git is a regular file while file ./.git is a directory
 diff --color -ru ../libssh-0.10.4/src/sftp.c ./src/sftp.c
 --- ../libssh-0.10.4/src/sftp.c	2023-05-22 12:45:48.383509085 +0200
 +++ ./src/sftp.c	2023-05-22 12:54:31.004037650 +0200
@@ -1755,6 +1755,10 @@
 int sftp_close(sftp_file file){
   int err = SSH_NO_ERROR;
 +  if (file == NULL) {
 +      return err;
 +  }
 +
   SAFE_FREE(file->name);
   if (file->handle){
     err = sftp_handle_close(file->sftp,file->handle);
@@ -1917,7 +1921,7 @@
 /* Read from a file using an opened sftp file handle. */
 ssize_t sftp_read(sftp_file handle, void *buf, size_t count) {
 -  sftp_session sftp = handle->sftp;
 +  sftp_session sftp;
   sftp_message msg = NULL;
   sftp_status_message status;
   ssh_string datastring;
@@ -1926,6 +1930,11 @@
   uint32_t id;
   int rc;
 +  if (handle == NULL) {
 +      return -1;
 +  }
 +  sftp = handle->sftp;
 +
   if (handle->eof) {
     return 0;
   }
@@ -2147,7 +2156,7 @@
 }
 ssize_t sftp_write(sftp_file file, const void *buf, size_t count) {
 -  sftp_session sftp = file->sftp;
 +  sftp_session sftp;
   sftp_message msg = NULL;
   sftp_status_message status;
   ssh_buffer buffer;
@@ -2156,6 +2165,11 @@
   size_t packetlen;
   int rc;
 +  if (file == NULL) {
 +      return -1;
 +  }
 +  sftp = file->sftp;
 +
   buffer = ssh_buffer_new();
   if (buffer == NULL) {
     ssh_set_error_oom(sftp->session);
--- a/enable_sk_keys_by_config.patch
+++ b/enable_sk_keys_by_config.patch
@ -1,105 +0,0 @@
 diff --git a/src/kex.c b/src/kex.c
 index 1155b9c7..528cb182 100644
 --- a/src/kex.c
 +++ b/src/kex.c
@@ -101,12 +101,19 @@
 #ifdef HAVE_ECDH
 #define ECDH "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
 -#define EC_HOSTKEYS "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
 -#define EC_PUBLIC_KEY_ALGORITHMS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
 +#define EC_HOSTKEYS "ecdsa-sha2-nistp521," \
 +                    "ecdsa-sha2-nistp384," \
 +                    "ecdsa-sha2-nistp256,"
 +#define EC_SK_HOSTKEYS "sk-ecdsa-sha2-nistp256@openssh.com,"
 +#define EC_FIPS_PUBLIC_KEY_ALGOS "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
                                  "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
                                  "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
 +#define EC_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
 +                                 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
 #else
 #define EC_HOSTKEYS ""
 +#define EC_SK_HOSTKEYS ""
 +#define EC_FIPS_PUBLIC_KEY_ALGOS ""
 #define EC_PUBLIC_KEY_ALGORITHMS ""
 #define ECDH ""
 #endif /* HAVE_ECDH */
@@ -127,16 +134,21 @@
 #define HOSTKEYS "ssh-ed25519," \
                  EC_HOSTKEYS \
 +                 "sk-ssh-ed25519@openssh.com," \
 +                 EC_SK_HOSTKEYS \
                  "rsa-sha2-512," \
                  "rsa-sha2-256," \
                  "ssh-rsa" \
                  DSA_HOSTKEYS
 #define DEFAULT_HOSTKEYS "ssh-ed25519," \
                          EC_HOSTKEYS \
 +                         "sk-ssh-ed25519@openssh.com," \
 +                         EC_SK_HOSTKEYS \
                          "rsa-sha2-512," \
                          "rsa-sha2-256"
 #define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
 +                              "sk-ssh-ed25519-cert-v01@openssh.com," \
                               EC_PUBLIC_KEY_ALGORITHMS \
                               "rsa-sha2-512-cert-v01@openssh.com," \
                               "rsa-sha2-256-cert-v01@openssh.com," \
@@ -186,7 +198,7 @@
                               "rsa-sha2-512," \
                               "rsa-sha2-256"
 -#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_PUBLIC_KEY_ALGORITHMS \
 +#define FIPS_ALLOWED_PUBLIC_KEY_ALGORITHMS EC_FIPS_PUBLIC_KEY_ALGOS \
                                            "rsa-sha2-512-cert-v01@openssh.com," \
                                            "rsa-sha2-256-cert-v01@openssh.com," \
                                            FIPS_ALLOWED_HOSTKEYS
 diff --git a/src/knownhosts.c b/src/knownhosts.c
 index 1f52dedc..94618fe2 100644
 --- a/src/knownhosts.c
 +++ b/src/knownhosts.c
@@ -480,6 +480,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
         return "rsa-sha2-512,rsa-sha2-256,ssh-rsa";
     case SSH_KEYTYPE_ED25519:
         return "ssh-ed25519";
 +    case SSH_KEYTYPE_SK_ED25519:
 +        return "sk-ssh-ed25519@openssh.com";
 #ifdef HAVE_DSA
     case SSH_KEYTYPE_DSS:
         return "ssh-dss";
@@ -494,6 +496,8 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
         return "ecdsa-sha2-nistp384";
     case SSH_KEYTYPE_ECDSA_P521:
         return "ecdsa-sha2-nistp521";
 +    case SSH_KEYTYPE_SK_ECDSA:
 +        return "sk-ecdsa-sha2-nistp256@openssh.com";
 #else
     case SSH_KEYTYPE_ECDSA_P256:
     case SSH_KEYTYPE_ECDSA_P384:
 diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
 index fffa8296..7fd21f05 100644
 --- a/tests/unittests/torture_knownhosts_parsing.c
 +++ b/tests/unittests/torture_knownhosts_parsing.c
@@ -634,7 +634,9 @@ static void torture_knownhosts_algorithms(void **state)
     bool process_config = false;
     const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
                          "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
 -                         "ecdsa-sha2-nistp256";
 +                         "ecdsa-sha2-nistp256,"
 +                         "sk-ssh-ed25519@openssh.com,"
 +                         "sk-ecdsa-sha2-nistp256@openssh.com";
     const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
                               "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
@@ -669,7 +671,9 @@ static void torture_knownhosts_algorithms_global(void **state)
     bool process_config = false;
     const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
                          "ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
 -                         "ecdsa-sha2-nistp256";
 +                         "ecdsa-sha2-nistp256,"
 +                         "sk-ssh-ed25519@openssh.com,"
 +                         "sk-ecdsa-sha2-nistp256@openssh.com";
     const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
                               "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
--- a/escape-brackets-in-proxycommand.patch
+++ b/escape-brackets-in-proxycommand.patch
@ -1,94 +0,0 @@
 From bccb8513fa4a836aef0519d65eb33bb212606fe1 Mon Sep 17 00:00:00 2001
 From: Thomas Baag <libssh-git@spam.b2ag.de>
 Date: Wed, 21 Sep 2022 20:55:27 +0200
 Subject: [PATCH] config: Escape brackets in ProxyCommand build from ProxyJump
 Missing escaping results in syntax errors in Zsh shell because of square
 brackets getting interpreted as being a pattern for globbing.
 Signed-off-by: Thomas Baag <libssh-git@spam.b2ag.de>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 src/config.c                     |  2 +-
 tests/unittests/torture_config.c | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
 diff --git a/src/config.c b/src/config.c
 index c048418ec..308928429 100644
 --- a/src/config.c
 +++ b/src/config.c
@@ -491,7 +491,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
     if (hostname != NULL && do_parsing) {
         char com[512] = {0};
 -        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
 +        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W '[%%h]:%%p' %s",
                       username ? " -l " : "",
                       username ? username : "",
                       port ? " -p " : "",
 diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
 index 31dadae37..5ff20c99a 100644
 --- a/tests/unittests/torture_config.c
 +++ b/tests/unittests/torture_config.c
@@ -649,7 +649,7 @@ static void torture_config_unknown(void **state,
     /* test corner cases */
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -            "ssh -W [%h]:%p many-spaces.com");
 +            "ssh -W '[%h]:%p' many-spaces.com");
     assert_string_equal(session->opts.host, "equal.sign");
     ret = ssh_config_parse_file(session, "/etc/ssh/ssh_config");
@@ -945,28 +945,28 @@ static void torture_config_proxyjump(void **state,
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
     _parse_config(session, file, string, SSH_OK);
 -    assert_string_equal(session->opts.ProxyCommand, "ssh -W [%h]:%p jumpbox");
 +    assert_string_equal(session->opts.ProxyCommand, "ssh -W '[%h]:%p' jumpbox");
     /* With username */
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "user");
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -                        "ssh -l user -W [%h]:%p jumpbox");
 +                        "ssh -l user -W '[%h]:%p' jumpbox");
     /* With port */
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "port");
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -                        "ssh -p 2222 -W [%h]:%p jumpbox");
 +                        "ssh -p 2222 -W '[%h]:%p' jumpbox");
     /* Two step jump */
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "two-step");
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -                        "ssh -l u1 -p 222 -J u2@second:33 -W [%h]:%p first");
 +                        "ssh -l u1 -p 222 -J u2@second:33 -W '[%h]:%p' first");
     /* none */
     torture_reset_config(session);
@@ -985,14 +985,14 @@ static void torture_config_proxyjump(void **state,
     ssh_options_set(session, SSH_OPTIONS_HOST, "only-jump");
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -                        "ssh -W [%h]:%p jumpbox");
 +                        "ssh -W '[%h]:%p' jumpbox");
     /* IPv6 address */
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "ipv6");
     _parse_config(session, file, string, SSH_OK);
     assert_string_equal(session->opts.ProxyCommand,
 -                        "ssh -W [%h]:%p 2620:52:0::fed");
 +                        "ssh -W '[%h]:%p' 2620:52:0::fed");
     /* Multiple @ is allowed in second jump */
     config = "Host allowed-hostname\n"
 -- 
 GitLab
--- a/gating.yaml
+++ b/gating.yaml
@ -1,25 +0,0 @@
 --- !Policy
 product_versions:
  - fedora-*
 decision_context: bodhi_update_push_testing
 subject_type: koji_build
 rules:
  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
 --- !Policy
 product_versions:
  - fedora-*
 decision_context: bodhi_update_push_stable
 subject_type: koji_build
 rules:
  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
--- a/libssh.keyring
+++ b/libssh.keyring
--- a/memory_leak.patch
+++ b/memory_leak.patch
@ -1,514 +0,0 @@
 From 8795d8912c8a83aaf900c0260e252a35f64eb200 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Fri, 18 Nov 2022 17:22:46 +0100
 Subject: [PATCH] Fix memory leaks of bignums when openssl >= 3.0
 The openssl 3.0 support has introduced some memory leaks at key build as
 OSSL_PARAM_BLD_push_BN duplicates the bignum and does not save the pointer
 itself.
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 include/libssh/dh.h |   2 +-
 src/dh_crypto.c     |  28 ++---
 src/pki_crypto.c    | 262 ++++++++++++++++++++++++--------------------
 3 files changed, 151 insertions(+), 141 deletions(-)
 diff --git a/include/libssh/dh.h b/include/libssh/dh.h
 index 353dc233..9b9bb472 100644
 --- a/include/libssh/dh.h
 +++ b/include/libssh/dh.h
@@ -53,7 +53,7 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
                             bignum *priv, bignum *pub);
 #endif /* OPENSSL_VERSION_NUMBER */
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
 -                            const bignum priv, const bignum pub);
 +                            bignum priv, bignum pub);
 int ssh_dh_compute_shared_secret(struct dh_ctx *ctx, int local, int remote,
                                  bignum *dest);
 diff --git a/src/dh_crypto.c b/src/dh_crypto.c
 index a847c6a2..b578ddec 100644
 --- a/src/dh_crypto.c
 +++ b/src/dh_crypto.c
@@ -154,12 +154,9 @@ int ssh_dh_keypair_get_keys(struct dh_ctx *ctx, int peer,
 #endif /* OPENSSL_VERSION_NUMBER */
 int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
 -                            const bignum priv, const bignum pub)
 +                            bignum priv, bignum pub)
 {
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 -    bignum priv_key = NULL;
 -    bignum pub_key = NULL;
 -#else
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
     int rc;
     OSSL_PARAM *params = NULL, *out_params = NULL, *merged_params = NULL;
     OSSL_PARAM_BLD *param_bld = NULL;
@@ -172,7 +169,11 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
         return SSH_ERROR;
     }
 -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
 +    (void)DH_set0_key(ctx->keypair[peer], pub, priv);
 +
 +    return SSH_OK;
 +#else
     rc = EVP_PKEY_todata(ctx->keypair[peer], EVP_PKEY_KEYPAIR, &out_params);
     if (rc != 1) {
         return SSH_ERROR;
@@ -195,35 +196,22 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
         rc = SSH_ERROR;
         goto out;
     }
 -#endif /* OPENSSL_VERSION_NUMBER */
     if (priv) {
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 -        priv_key = priv;
 -#else
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv);
         if (rc != 1) {
             rc = SSH_ERROR;
             goto out;
         }
 -#endif /* OPENSSL_VERSION_NUMBER */
     }
     if (pub) {
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 -        pub_key = pub;
 -#else
         rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
         if (rc != 1) {
             rc = SSH_ERROR;
             goto out;
         }
 -#endif /* OPENSSL_VERSION_NUMBER */
     }
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 -    (void)DH_set0_key(ctx->keypair[peer], pub_key, priv_key);
 -    return SSH_OK;
 -#else
     params = OSSL_PARAM_BLD_to_param(param_bld);
     if (params == NULL) {
         rc = SSH_ERROR;
@@ -248,6 +236,8 @@ int ssh_dh_keypair_set_keys(struct dh_ctx *ctx, int peer,
     rc = SSH_OK;
 out:
 +    bignum_safe_free(priv);
 +    bignum_safe_free(pub);
     EVP_PKEY_CTX_free(evp_ctx);
     OSSL_PARAM_free(out_params);
     OSSL_PARAM_free(params);
 diff --git a/src/pki_crypto.c b/src/pki_crypto.c
 index 0a5003da..d3359e2d 100644
 --- a/src/pki_crypto.c
 +++ b/src/pki_crypto.c
@@ -1492,18 +1492,18 @@ int pki_privkey_build_dss(ssh_key key,
                           ssh_string privkey)
 {
     int rc;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
 +    if (param_bld == NULL) {
 +        return SSH_ERROR;
 +    }
 #else
 -    const BIGNUM *pb, *qb, *gb, *pubb, *privb;
 -    OSSL_PARAM_BLD *param_bld;
 -#endif /* OPENSSL_VERSION_NUMBER */
 -
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     key->dsa = DSA_new();
     if (key->dsa == NULL) {
         return SSH_ERROR;
     }
 +#endif /* OPENSSL_VERSION_NUMBER */
     bp = ssh_make_string_bn(p);
     bq = ssh_make_string_bn(q);
@@ -1512,9 +1512,11 @@ int pki_privkey_build_dss(ssh_key key,
     bpriv_key = ssh_make_string_bn(privkey);
     if (bp == NULL || bq == NULL ||
         bg == NULL || bpub_key == NULL) {
 +        rc = SSH_ERROR;
         goto fail;
     }
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
     /* Memory management of bp, qq and bg is transferred to DSA object */
     rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
     if (rc == 0) {
@@ -1532,39 +1534,43 @@ fail:
     DSA_free(key->dsa);
     return SSH_ERROR;
 #else
 -    param_bld = OSSL_PARAM_BLD_new();
 -    if (param_bld == NULL)
 -        goto err;
 -
 -    pb = ssh_make_string_bn(p);
 -    qb = ssh_make_string_bn(q);
 -    gb = ssh_make_string_bn(g);
 -    pubb = ssh_make_string_bn(pubkey);
 -    privb = ssh_make_string_bn(privkey);
 -
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privb);
 -    if (rc != 1)
 -        goto err;
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
     rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
 +
 +fail:
     OSSL_PARAM_BLD_free(param_bld);
 +    bignum_safe_free(bp);
 +    bignum_safe_free(bq);
 +    bignum_safe_free(bg);
 +    bignum_safe_free(bpub_key);
 +    bignum_safe_free(bpriv_key);
     return rc;
 -err:
 -    OSSL_PARAM_BLD_free(param_bld);
 -    return -1;
 #endif /* OPENSSL_VERSION_NUMBER */
 }
@@ -1574,18 +1580,18 @@ int pki_pubkey_build_dss(ssh_key key,
                          ssh_string g,
                          ssh_string pubkey) {
     int rc;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
 +    if (param_bld == NULL) {
 +        return SSH_ERROR;
 +    }
 #else
 -    const BIGNUM *pb, *qb, *gb, *pubb;
 -    OSSL_PARAM_BLD *param_bld;
 -#endif /* OPENSSL_VERSION_NUMBER */
 -
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     key->dsa = DSA_new();
     if (key->dsa == NULL) {
         return SSH_ERROR;
     }
 +#endif /* OPENSSL_VERSION_NUMBER */
     bp = ssh_make_string_bn(p);
     bq = ssh_make_string_bn(q);
@@ -1593,9 +1599,11 @@ int pki_pubkey_build_dss(ssh_key key,
     bpub_key = ssh_make_string_bn(pubkey);
     if (bp == NULL || bq == NULL ||
         bg == NULL || bpub_key == NULL) {
 +        rc = SSH_ERROR;
         goto fail;
     }
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
     /* Memory management of bp, bq and bg is transferred to DSA object */
     rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
     if (rc == 0) {
@@ -1613,35 +1621,37 @@ fail:
     DSA_free(key->dsa);
     return SSH_ERROR;
 #else
 -    param_bld = OSSL_PARAM_BLD_new();
 -    if (param_bld == NULL)
 -        goto err;
 -
 -    pb = ssh_make_string_bn(p);
 -    qb = ssh_make_string_bn(q);
 -    gb = ssh_make_string_bn(g);
 -    pubb = ssh_make_string_bn(pubkey);
 -
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, pb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, qb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, gb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pubb);
 -    if (rc != 1)
 -        goto err;
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
     rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
 +
 +fail:
     OSSL_PARAM_BLD_free(param_bld);
 +    bignum_safe_free(bp);
 +    bignum_safe_free(bq);
 +    bignum_safe_free(bg);
 +    bignum_safe_free(bpub_key);
     return rc;
 -err:
 -    OSSL_PARAM_BLD_free(param_bld);
 -    return -1;
 #endif /* OPENSSL_VERSION_NUMBER */
 }
@@ -1654,18 +1664,18 @@ int pki_privkey_build_rsa(ssh_key key,
                           ssh_string q)
 {
     int rc;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     BIGNUM *be, *bn, *bd/*, *biqmp*/, *bp, *bq;
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
 +    if (param_bld == NULL) {
 +        return SSH_ERROR;
 +    }
 #else
 -    const BIGNUM *nb, *eb, *db, *pb, *qb;
 -    OSSL_PARAM_BLD *param_bld;
 -#endif /* OPENSSL_VERSION_NUMBER */
 -
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     key->rsa = RSA_new();
     if (key->rsa == NULL) {
         return SSH_ERROR;
     }
 +#endif /* OPENSSL_VERSION_NUMBER */
     bn = ssh_make_string_bn(n);
     be = ssh_make_string_bn(e);
@@ -1675,9 +1685,11 @@ int pki_privkey_build_rsa(ssh_key key,
     bq = ssh_make_string_bn(q);
     if (be == NULL || bn == NULL || bd == NULL ||
         /*biqmp == NULL ||*/ bp == NULL || bq == NULL) {
 +        rc = SSH_ERROR;
         goto fail;
     }
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
     /* Memory management of be, bn and bd is transferred to RSA object */
     rc = RSA_set0_key(key->rsa, bn, be, bd);
     if (rc == 0) {
@@ -1702,41 +1714,49 @@ fail:
     RSA_free(key->rsa);
     return SSH_ERROR;
 #else
 -    param_bld = OSSL_PARAM_BLD_new();
 -    if (param_bld == NULL)
 -        goto err;
 -
 -    nb = ssh_make_string_bn(n);
 -    eb = ssh_make_string_bn(e);
 -    db = ssh_make_string_bn(d);
 -    pb = ssh_make_string_bn(p);
 -    qb = ssh_make_string_bn(q);
 -
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, db);
 -    if (rc != 1)
 -        goto err;
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, bd);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
     rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
 -    OSSL_PARAM_BLD_free(param_bld);
 +    if (rc != SSH_OK) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 -    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, pb);
 -    if (rc != 1)
 -        goto err;
 +    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR1, bp);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 -    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, qb);
 -    if (rc != 1)
 -        goto err;
 +    rc = EVP_PKEY_set_bn_param(key->key, OSSL_PKEY_PARAM_RSA_FACTOR2, bq);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 -    return rc;
 -err:
 +fail:
     OSSL_PARAM_BLD_free(param_bld);
 -    return -1;
 +    bignum_safe_free(bn);
 +    bignum_safe_free(be);
 +    bignum_safe_free(bd);
 +    bignum_safe_free(bp);
 +    bignum_safe_free(bq);
 +
 +    return rc;
 #endif /* OPENSSL_VERSION_NUMBER */
 }
@@ -1744,25 +1764,27 @@ int pki_pubkey_build_rsa(ssh_key key,
                          ssh_string e,
                          ssh_string n) {
     int rc;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     BIGNUM *be = NULL, *bn = NULL;
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +    OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
 +    if (param_bld == NULL) {
 +        return SSH_ERROR;
 +    }
 #else
 -    const BIGNUM *eb, *nb;
 -    OSSL_PARAM_BLD *param_bld;
 -#endif /* OPENSSL_VERSION_NUMBER */
 -
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
     key->rsa = RSA_new();
     if (key->rsa == NULL) {
         return SSH_ERROR;
     }
 +#endif /* OPENSSL_VERSION_NUMBER */
     be = ssh_make_string_bn(e);
     bn = ssh_make_string_bn(n);
     if (be == NULL || bn == NULL) {
 +        rc = SSH_ERROR;
         goto fail;
     }
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
     /* Memory management of bn and be is transferred to RSA object */
     rc = RSA_set0_key(key->rsa, bn, be, NULL);
     if (rc == 0) {
@@ -1774,27 +1796,25 @@ fail:
     RSA_free(key->rsa);
     return SSH_ERROR;
 #else
 -    nb = ssh_make_string_bn(n);
 -    eb = ssh_make_string_bn(e);
 -
 -    param_bld = OSSL_PARAM_BLD_new();
 -    if (param_bld == NULL)
 -        goto err;
 -
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, nb);
 -    if (rc != 1)
 -        goto err;
 -    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, eb);
 -    if (rc != 1)
 -        goto err;
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, bn);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
 +    rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, be);
 +    if (rc != 1) {
 +        rc = SSH_ERROR;
 +        goto fail;
 +    }
     rc = evp_build_pkey("RSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
 +
 +fail:
     OSSL_PARAM_BLD_free(param_bld);
 +    bignum_safe_free(bn);
 +    bignum_safe_free(be);
     return rc;
 -err:
 -    OSSL_PARAM_BLD_free(param_bld);
 -    return -1;
 #endif /* OPENSSL_VERSION_NUMBER */
 }
 --
 2.38.1
--- a/options_apply.patch
+++ b/options_apply.patch
@ -1,842 +0,0 @@
 From 11c0d687a081fe64501e21c95def7f893611d029 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Wed, 16 Nov 2022 10:40:38 +0100
 Subject: [PATCH 1/5] Add a placehohlder for non-expanded identities
 Expanding a string twice could lead to unwanted behaviour.
 This solution creates a ssh_list (`opts.identites_non_exp`) to store the strings
 before expansion and by using ssh_apply it moves the string to the
 `opts.identities`. This way the expanded strings are separated.
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 include/libssh/session.h |  1 +
 src/options.c            | 86 +++++++++++++++++++++++++---------------
 src/session.c            | 23 +++++++++--
 3 files changed, 75 insertions(+), 35 deletions(-)
 diff --git a/include/libssh/session.h b/include/libssh/session.h
 index d3e5787c..e22b0d67 100644
 --- a/include/libssh/session.h
 +++ b/include/libssh/session.h
@@ -209,6 +209,7 @@ struct ssh_session_struct {
 #endif
     struct {
         struct ssh_list *identity;
 +        struct ssh_list *identity_non_exp;
         char *username;
         char *host;
         char *bindaddr; /* bind the client to an ip addr */
 diff --git a/src/options.c b/src/options.c
 index 56e09c65..bb085384 100644
 --- a/src/options.c
 +++ b/src/options.c
@@ -52,7 +52,7 @@
  * @brief Duplicate the options of a session structure.
  *
  * If you make several sessions with the same options this is useful. You
 - * cannot use twice the same option structure in ssh_session_connect.
 + * cannot use twice the same option structure in ssh_connect.
  *
  * @param src           The session to use to copy the options.
  *
@@ -61,13 +61,14 @@
  *
  * @returns             0 on success, -1 on error with errno set.
  *
 - * @see ssh_session_connect()
 + * @see ssh_connect()
  * @see ssh_free()
  */
 int ssh_options_copy(ssh_session src, ssh_session *dest)
 {
     ssh_session new;
     struct ssh_iterator *it = NULL;
 +    struct ssh_list *list = NULL;
     char *id = NULL;
     int i;
@@ -105,14 +106,15 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
     }
     /* Remove the default identities */
 -    for (id = ssh_list_pop_head(char *, new->opts.identity);
 +    for (id = ssh_list_pop_head(char *, new->opts.identity_non_exp);
          id != NULL;
 -         id = ssh_list_pop_head(char *, new->opts.identity)) {
 +         id = ssh_list_pop_head(char *, new->opts.identity_non_exp)) {
         SAFE_FREE(id);
     }
     /* Copy the new identities from the source list */
 -    if (src->opts.identity != NULL) {
 -        it = ssh_list_get_iterator(src->opts.identity);
 +    list = new->opts.identity_non_exp;
 +    it = ssh_list_get_iterator(src->opts.identity_non_exp);
 +    for (i = 0; i < 2; i++) {
         while (it) {
             int rc;
@@ -122,7 +124,7 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
                 return -1;
             }
 -            rc = ssh_list_append(new->opts.identity, id);
 +            rc = ssh_list_append(list, id);
             if (rc < 0) {
                 free(id);
                 ssh_free(new);
@@ -130,6 +132,10 @@ int ssh_options_copy(ssh_session src, ssh_session *dest)
             }
             it = it->next;
         }
 +
 +        /* copy the identity list if there is any already */
 +        list = new->opts.identity;
 +        it = ssh_list_get_iterator(src->opts.identity);
     }
     if (src->opts.sshdir != NULL) {
@@ -331,7 +337,7 @@ int ssh_options_set_algo(ssh_session session,
  *                Add a new identity file (const char *, format string) to
  *                the identity list.\n
  *                \n
 - *                By default identity, id_dsa and id_rsa are checked.\n
 + *                By default id_rsa, id_ecdsa and id_ed25519 files are used.\n
  *                \n
  *                The identity used to authenticate with public key will be
  *                prepended to the list.
@@ -700,7 +706,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
             if (q == NULL) {
                 return -1;
             }
 -            rc = ssh_list_prepend(session->opts.identity, q);
 +            if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
 +                rc = ssh_list_append(session->opts.identity_non_exp, q);
 +            } else {
 +                rc = ssh_list_prepend(session->opts.identity_non_exp, q);
 +            }
             if (rc < 0) {
                 free(q);
                 return -1;
@@ -1202,7 +1212,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) {
  *              - SSH_OPTIONS_IDENTITY:
  *                Get the first identity file name (const char *).\n
  *                \n
 - *                By default identity, id_dsa and id_rsa are checked.
 + *                By default id_rsa, id_ecdsa and id_ed25519 files are used.
  *
  *              - SSH_OPTIONS_PROXYCOMMAND:
  *                Get the proxycommand necessary to log into the
@@ -1246,7 +1256,11 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value)
             break;
         }
         case SSH_OPTIONS_IDENTITY: {
 -            struct ssh_iterator *it = ssh_list_get_iterator(session->opts.identity);
 +            struct ssh_iterator *it;
 +            it = ssh_list_get_iterator(session->opts.identity);
 +            if (it == NULL) {
 +                it = ssh_list_get_iterator(session->opts.identity_non_exp);
 +            }
             if (it == NULL) {
                 return SSH_ERROR;
             }
@@ -1541,7 +1555,6 @@ out:
 int ssh_options_apply(ssh_session session)
 {
 -    struct ssh_iterator *it;
     char *tmp;
     int rc;
@@ -1586,15 +1599,17 @@ int ssh_options_apply(ssh_session session)
         size_t plen = strlen(session->opts.ProxyCommand) +
                       5 /* strlen("exec ") */;
 -        p = malloc(plen + 1 /* \0 */);
 -        if (p == NULL) {
 -            return -1;
 -        }
 +        if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
 +            p = malloc(plen + 1 /* \0 */);
 +            if (p == NULL) {
 +                return -1;
 +            }
 -        rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
 -        if ((size_t)rc != plen) {
 -            free(p);
 -            return -1;
 +            rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
 +            if ((size_t)rc != plen) {
 +                free(p);
 +                return -1;
 +            }
         }
         tmp = ssh_path_expand_escape(session, p);
@@ -1606,24 +1621,33 @@ int ssh_options_apply(ssh_session session)
         session->opts.ProxyCommand = tmp;
     }
 -    for (it = ssh_list_get_iterator(session->opts.identity);
 -         it != NULL;
 -         it = it->next) {
 -        char *id = (char *) it->data;
 -        if (strncmp(id, "pkcs11:", 6) == 0) {
 +    for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
 +         tmp != NULL;
 +         tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
 +        char *id = tmp;
 +        if (strncmp(id, "pkcs11:", 6) != 0) {
             /* PKCS#11 URIs are using percent-encoding so we can not mix
              * it with ssh expansion of ssh escape characters.
 -             * Skip these identities now, before we will have PKCS#11 support
              */
 -             continue;
 +            tmp = ssh_path_expand_escape(session, id);
 +            if (tmp == NULL) {
 +                return -1;
 +            }
 +            free(id);
         }
 -        tmp = ssh_path_expand_escape(session, id);
 -        if (tmp == NULL) {
 +
 +        /* use append to keep the order at first call and use prepend
 +         * to put anything that comes on the nth calls to the beginning */
 +        if (session->opts.exp_flags & SSH_OPT_EXP_FLAG_IDENTITY) {
 +            rc = ssh_list_prepend(session->opts.identity, tmp);
 +        } else {
 +            rc = ssh_list_append(session->opts.identity, tmp);
 +        }
 +        if (rc != SSH_OK) {
             return -1;
         }
 -        free(id);
 -        it->data = tmp;
     }
 +    session->opts.exp_flags |= SSH_OPT_EXP_FLAG_IDENTITY;
     return 0;
 }
 diff --git a/src/session.c b/src/session.c
 index 64e54957..34a492e4 100644
 --- a/src/session.c
 +++ b/src/session.c
@@ -118,13 +118,17 @@ ssh_session ssh_new(void)
     if (session->opts.identity == NULL) {
         goto err;
     }
 +    session->opts.identity_non_exp = ssh_list_new();
 +    if (session->opts.identity_non_exp == NULL) {
 +        goto err;
 +    }
     id = strdup("%d/id_ed25519");
     if (id == NULL) {
         goto err;
     }
 -    rc = ssh_list_append(session->opts.identity, id);
 +    rc = ssh_list_append(session->opts.identity_non_exp, id);
     if (rc == SSH_ERROR) {
         goto err;
     }
@@ -134,7 +138,7 @@ ssh_session ssh_new(void)
     if (id == NULL) {
         goto err;
     }
 -    rc = ssh_list_append(session->opts.identity, id);
 +    rc = ssh_list_append(session->opts.identity_non_exp, id);
     if (rc == SSH_ERROR) {
         goto err;
     }
@@ -144,7 +148,7 @@ ssh_session ssh_new(void)
     if (id == NULL) {
         goto err;
     }
 -    rc = ssh_list_append(session->opts.identity, id);
 +    rc = ssh_list_append(session->opts.identity_non_exp, id);
     if (rc == SSH_ERROR) {
         goto err;
     }
@@ -154,7 +158,7 @@ ssh_session ssh_new(void)
     if (id == NULL) {
         goto err;
     }
 -    rc = ssh_list_append(session->opts.identity, id);
 +    rc = ssh_list_append(session->opts.identity_non_exp, id);
     if (rc == SSH_ERROR) {
         goto err;
     }
@@ -284,6 +288,17 @@ void ssh_free(ssh_session session)
       ssh_list_free(session->opts.identity);
   }
 +  if (session->opts.identity_non_exp) {
 +      char *id;
 +
 +      for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp);
 +           id != NULL;
 +           id = ssh_list_pop_head(char *, session->opts.identity_non_exp)) {
 +          SAFE_FREE(id);
 +      }
 +      ssh_list_free(session->opts.identity_non_exp);
 +  }
 +
     while ((b = ssh_list_pop_head(struct ssh_buffer_struct *,
                                   session->out_queue)) != NULL) {
         SSH_BUFFER_FREE(b);
 --
 2.38.1
 From 4cb84b99fdb1ffd26c0241f5809e4f67ddd407c6 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Wed, 16 Nov 2022 11:03:30 +0100
 Subject: [PATCH 2/5] tests: Use opts.identites_non_exp not opts.identities
 The configuration of identities are first saved to `opts.identities_non_exp`,
 then moved to `opts.identities` after calling ssh_options_apply and expanding
 the identity strings. These tests are testing against the proper configuration
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/client/torture_auth_pkcs11.c |  2 +-
 tests/unittests/torture_config.c   |  3 ++-
 tests/unittests/torture_options.c  | 14 +++++++-------
 3 files changed, 10 insertions(+), 9 deletions(-)
 diff --git a/tests/client/torture_auth_pkcs11.c b/tests/client/torture_auth_pkcs11.c
 index ee97bff4..e75fea0e 100644
 --- a/tests/client/torture_auth_pkcs11.c
 +++ b/tests/client/torture_auth_pkcs11.c
@@ -196,7 +196,7 @@ static void torture_auth_autopubkey(void **state, const char *obj_name, const ch
     rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
     assert_int_equal(rc, SSH_OK);
 -    assert_string_equal(session->opts.identity->root->data, priv_uri);
 +    assert_string_equal(session->opts.identity_non_exp->root->data, priv_uri);
     rc = ssh_connect(session);
     assert_int_equal(rc, SSH_OK);
 diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
 index 354adc2f..100e68f6 100644
 --- a/tests/unittests/torture_config.c
 +++ b/tests/unittests/torture_config.c
@@ -2078,7 +2078,8 @@ static void torture_config_identity(void **state)
     _parse_config(session, NULL, LIBSSH_TESTCONFIG_STRING13, SSH_OK);
 -    it = ssh_list_get_iterator(session->opts.identity);
 +    /* The identities are first added to this temporary list before expanding */
 +    it = ssh_list_get_iterator(session->opts.identity_non_exp);
     assert_non_null(it);
     id = it->data;
     /* The identities are prepended to the list so we start with second one */
 diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
 index dc4df383..3be2de8a 100644
 --- a/tests/unittests/torture_options.c
 +++ b/tests/unittests/torture_options.c
@@ -406,12 +406,12 @@ static void torture_options_set_identity(void **state) {
     rc = ssh_options_set(session, SSH_OPTIONS_ADD_IDENTITY, "identity1");
     assert_true(rc == 0);
 -    assert_string_equal(session->opts.identity->root->data, "identity1");
 +    assert_string_equal(session->opts.identity_non_exp->root->data, "identity1");
     rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
     assert_true(rc == 0);
 -    assert_string_equal(session->opts.identity->root->data, "identity2");
 -    assert_string_equal(session->opts.identity->root->next->data, "identity1");
 +    assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
 +    assert_string_equal(session->opts.identity_non_exp->root->next->data, "identity1");
 }
 static void torture_options_get_identity(void **state) {
@@ -429,7 +429,7 @@ static void torture_options_get_identity(void **state) {
     rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, "identity2");
     assert_int_equal(rc, SSH_OK);
 -    assert_string_equal(session->opts.identity->root->data, "identity2");
 +    assert_string_equal(session->opts.identity_non_exp->root->data, "identity2");
     rc = ssh_options_get(session, SSH_OPTIONS_IDENTITY, &identity);
     assert_int_equal(rc, SSH_OK);
     assert_non_null(identity);
@@ -867,9 +867,9 @@ static void torture_options_copy(void **state)
     assert_non_null(new);
     /* Check the identities match */
 -    it = ssh_list_get_iterator(session->opts.identity);
 +    it = ssh_list_get_iterator(session->opts.identity_non_exp);
     assert_non_null(it);
 -    it2 = ssh_list_get_iterator(new->opts.identity);
 +    it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
     assert_non_null(it2);
     while (it != NULL && it2 != NULL) {
         assert_string_equal(it->data, it2->data);
@@ -956,7 +956,7 @@ static void torture_options_getopt(void **state)
                         "aes128-ctr");
     assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_S_C],
                         "aes128-ctr");
 -    assert_string_equal(session->opts.identity->root->data, "id_rsa");
 +    assert_string_equal(session->opts.identity_non_exp->root->data, "id_rsa");
 #ifdef WITH_ZLIB
     assert_string_equal(session->opts.wanted_methods[SSH_COMP_C_S],
                         "zlib@openssh.com,zlib,none");
 --
 2.38.1
 From cd30217c9032419ebcf722c0bfc6b5ebfa3518d0 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Wed, 16 Nov 2022 16:51:02 +0100
 Subject: [PATCH 3/5] Add flags for escape expand operation
 Calling `ssh_options_apply` more times can result in an unwanted behaviour of
 expanding the escape characters more times. Adding flags to check if the
 expansion was already done on the current string variables.
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 include/libssh/session.h |  7 ++++
 src/options.c            | 91 ++++++++++++++++++++++++----------------
 src/session.c            |  2 +
 3 files changed, 63 insertions(+), 37 deletions(-)
 diff --git a/include/libssh/session.h b/include/libssh/session.h
 index e22b0d67..cf219c2a 100644
 --- a/include/libssh/session.h
 +++ b/include/libssh/session.h
@@ -93,6 +93,12 @@ enum ssh_pending_call_e {
 #define SSH_OPT_FLAG_KBDINT_AUTH 0x4
 #define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
 +/* Escape expansion of different variables */
 +#define SSH_OPT_EXP_FLAG_KNOWNHOSTS 0x1
 +#define SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS 0x2
 +#define SSH_OPT_EXP_FLAG_PROXYCOMMAND 0x4
 +#define SSH_OPT_EXP_FLAG_IDENTITY 0x8
 +
 /* extensions flags */
 /* negotiation enabled */
 #define SSH_EXT_NEGOTIATION     0x01
@@ -232,6 +238,7 @@ struct ssh_session_struct {
         char *gss_client_identity;
         int gss_delegate_creds;
         int flags;
 +        int exp_flags;
         int nodelay;
         bool config_processed;
         uint8_t options_seen[SOC_MAX];
 diff --git a/src/options.c b/src/options.c
 index bb085384..c566244b 100644
 --- a/src/options.c
 +++ b/src/options.c
@@ -730,6 +730,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                     ssh_set_error_oom(session);
                     return -1;
                 }
 +                session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_KNOWNHOSTS;
             }
             break;
         case SSH_OPTIONS_GLOBAL_KNOWNHOSTS:
@@ -751,6 +752,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                     ssh_set_error_oom(session);
                     return -1;
                 }
 +                session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
             }
             break;
         case SSH_OPTIONS_TIMEOUT:
@@ -1014,6 +1016,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                         return -1;
                     }
                     session->opts.ProxyCommand = q;
 +                    session->opts.exp_flags &= ~SSH_OPT_EXP_FLAG_PROXYCOMMAND;
                 }
             }
             break;
@@ -1572,53 +1575,67 @@ int ssh_options_apply(ssh_session session)
         }
     }
 -    if (session->opts.knownhosts == NULL) {
 -        tmp = ssh_path_expand_escape(session, "%d/known_hosts");
 -    } else {
 -        tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
 -    }
 -    if (tmp == NULL) {
 -        return -1;
 +    if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS) == 0) {
 +        if (session->opts.knownhosts == NULL) {
 +            tmp = ssh_path_expand_escape(session, "%d/known_hosts");
 +        } else {
 +            tmp = ssh_path_expand_escape(session, session->opts.knownhosts);
 +        }
 +        if (tmp == NULL) {
 +            return -1;
 +        }
 +        free(session->opts.knownhosts);
 +        session->opts.knownhosts = tmp;
 +        session->opts.exp_flags |= SSH_OPT_EXP_FLAG_KNOWNHOSTS;
     }
 -    free(session->opts.knownhosts);
 -    session->opts.knownhosts = tmp;
 -    if (session->opts.global_knownhosts == NULL) {
 -        tmp = strdup("/etc/ssh/ssh_known_hosts");
 -    } else {
 -        tmp = ssh_path_expand_escape(session, session->opts.global_knownhosts);
 -    }
 -    if (tmp == NULL) {
 -        return -1;
 +    if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS) == 0) {
 +        if (session->opts.global_knownhosts == NULL) {
 +            tmp = strdup("/etc/ssh/ssh_known_hosts");
 +        } else {
 +            tmp = ssh_path_expand_escape(session,
 +                                         session->opts.global_knownhosts);
 +        }
 +        if (tmp == NULL) {
 +            return -1;
 +        }
 +        free(session->opts.global_knownhosts);
 +        session->opts.global_knownhosts = tmp;
 +        session->opts.exp_flags |= SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS;
     }
 -    free(session->opts.global_knownhosts);
 -    session->opts.global_knownhosts = tmp;
 -    if (session->opts.ProxyCommand != NULL) {
 -        char *p = NULL;
 -        size_t plen = strlen(session->opts.ProxyCommand) +
 -                      5 /* strlen("exec ") */;
 -        if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
 -            p = malloc(plen + 1 /* \0 */);
 -            if (p == NULL) {
 -                return -1;
 -            }
 +    if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND) == 0) {
 +        if (session->opts.ProxyCommand != NULL) {
 +            char *p = NULL;
 +            size_t plen = strlen(session->opts.ProxyCommand) +
 +                          5 /* strlen("exec ") */;
 +
 +            if (strncmp(session->opts.ProxyCommand, "exec ", 5) != 0) {
 +                p = malloc(plen + 1 /* \0 */);
 +                if (p == NULL) {
 +                    return -1;
 +                }
 -            rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
 -            if ((size_t)rc != plen) {
 +                rc = snprintf(p, plen + 1, "exec %s", session->opts.ProxyCommand);
 +                if ((size_t)rc != plen) {
 +                    free(p);
 +                    return -1;
 +                }
 +                tmp = ssh_path_expand_escape(session, p);
                 free(p);
 -                return -1;
 +            } else {
 +                tmp = ssh_path_expand_escape(session,
 +                                             session->opts.ProxyCommand);
             }
 -        }
 -        tmp = ssh_path_expand_escape(session, p);
 -        free(p);
 -        if (tmp == NULL) {
 -            return -1;
 +            if (tmp == NULL) {
 +                return -1;
 +            }
 +            free(session->opts.ProxyCommand);
 +            session->opts.ProxyCommand = tmp;
 +            session->opts.exp_flags |= SSH_OPT_EXP_FLAG_PROXYCOMMAND;
         }
 -        free(session->opts.ProxyCommand);
 -        session->opts.ProxyCommand = tmp;
     }
     for (tmp = ssh_list_pop_head(char *, session->opts.identity_non_exp);
 diff --git a/src/session.c b/src/session.c
 index 34a492e4..06f6a26f 100644
 --- a/src/session.c
 +++ b/src/session.c
@@ -114,6 +114,8 @@ ssh_session ssh_new(void)
                           SSH_OPT_FLAG_KBDINT_AUTH |
                           SSH_OPT_FLAG_GSSAPI_AUTH;
 +    session->opts.exp_flags = 0;
 +
     session->opts.identity = ssh_list_new();
     if (session->opts.identity == NULL) {
         goto err;
 --
 2.38.1
 From ed58082f9706f2ab3bdeca24f632356b9bc325e6 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Wed, 16 Nov 2022 17:17:14 +0100
 Subject: [PATCH 4/5] torture_options.c: Add identity test for ssh_options_copy
 Test if the ssh_options_apply is called on session before ssh_options_copy,
 then `opts.identity` ssh_list will be copied
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/unittests/torture_options.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
 index 3be2de8a..907cc8df 100644
 --- a/tests/unittests/torture_options.c
 +++ b/tests/unittests/torture_options.c
@@ -918,6 +918,34 @@ static void torture_options_copy(void **state)
                         sizeof(session->opts.options_seen));
     ssh_free(new);
 +
 +    /* test if ssh_options_apply was called before ssh_options_copy
 +     * the opts.identity list gets copied (percent expanded list) */
 +    rv = ssh_options_apply(session);
 +    assert_ssh_return_code(session, rv);
 +
 +    rv = ssh_options_copy(session, &new);
 +    assert_ssh_return_code(session, rv);
 +    assert_non_null(new);
 +
 +    it = ssh_list_get_iterator(session->opts.identity_non_exp);
 +    assert_null(it);
 +    it2 = ssh_list_get_iterator(new->opts.identity_non_exp);
 +    assert_null(it2);
 +
 +    it = ssh_list_get_iterator(session->opts.identity);
 +    assert_non_null(it);
 +    it2 = ssh_list_get_iterator(new->opts.identity);
 +    assert_non_null(it2);
 +    while (it != NULL && it2 != NULL) {
 +        assert_string_equal(it->data, it2->data);
 +        it = it->next;
 +        it2 = it2->next;
 +    }
 +    assert_null(it);
 +    assert_null(it2);
 +
 +    ssh_free(new);
 }
 #define EXECUTABLE_NAME "test-exec"
 --
 2.38.1
 From 89dd4a927b946d4df5c48073ca25cd843e0acde0 Mon Sep 17 00:00:00 2001
 From: Norbert Pocs <npocs@redhat.com>
 Date: Wed, 16 Nov 2022 17:18:49 +0100
 Subject: [PATCH 5/5] torture_options.c: Add test for ssh_options_apply
 Test that ssh_options_apply can be called multiple times without expanding
 escape characters more than once. If the options are updated after calling
 ssh_options_apply keep the last options.
 Signed-off-by: Norbert Pocs <npocs@redhat.com>
 Reviewed-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tests/unittests/torture_options.c | 165 ++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
 diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
 index 907cc8df..ea63b45e 100644
 --- a/tests/unittests/torture_options.c
 +++ b/tests/unittests/torture_options.c
@@ -1332,6 +1332,170 @@ static void torture_options_caret_sign(void **state)
     free(awaited);
 }
 +static void torture_options_apply (void **state) {
 +    ssh_session session = *state;
 +    struct ssh_list *awaited_list = NULL;
 +    struct ssh_iterator *it1 = NULL, *it2 = NULL;
 +    char *id = NULL;
 +    int rc;
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_KNOWNHOSTS,
 +                         "%%d/.ssh/known_hosts");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
 +                         "/etc/%%u/libssh/known_hosts");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_PROXYCOMMAND,
 +                         "exec echo \"Hello libssh %%d!\"");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_ADD_IDENTITY,
 +                         "%%d/do_not_expand");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_apply(session);
 +    assert_ssh_return_code(session, rc);
 +
 +    /* check that the values got expanded */
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
 +    assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
 +    assert_true(ssh_list_count(session->opts.identity) > 0);
 +
 +    /* should not change anything calling it again */
 +    rc = ssh_options_apply(session);
 +    assert_ssh_return_code(session, rc);
 +
 +    /* check that the expansion was done only once */
 +    assert_string_equal(session->opts.knownhosts, "%d/.ssh/known_hosts");
 +    assert_string_equal(session->opts.global_knownhosts,
 +                        "/etc/%u/libssh/known_hosts");
 +    /* no exec should be added if there already is one */
 +    assert_string_equal(session->opts.ProxyCommand,
 +                        "exec echo \"Hello libssh %d!\"");
 +    assert_string_equal(session->opts.identity->root->data,
 +                        "%d/do_not_expand");
 +
 +    /* apply should keep the freshest setting */
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_KNOWNHOSTS,
 +                         "hello there");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
 +                         "lorem ipsum");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_PROXYCOMMAND,
 +                         "mission_impossible");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_ADD_IDENTITY,
 +                         "007");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_ADD_IDENTITY,
 +                         "3");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_ADD_IDENTITY,
 +                         "2");
 +    assert_ssh_return_code(session, rc);
 +
 +    rc = ssh_options_set(session,
 +                         SSH_OPTIONS_ADD_IDENTITY,
 +                         "1");
 +    assert_ssh_return_code(session, rc);
 +
 +    /* check that flags show need of escape expansion */
 +    assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
 +    assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
 +    assert_false(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
 +    assert_false(ssh_list_count(session->opts.identity_non_exp) == 0);
 +
 +    rc = ssh_options_apply(session);
 +    assert_ssh_return_code(session, rc);
 +
 +    /* check that the values got expanded */
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_KNOWNHOSTS);
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS);
 +    assert_true(session->opts.exp_flags & SSH_OPT_EXP_FLAG_PROXYCOMMAND);
 +    assert_true(ssh_list_count(session->opts.identity_non_exp) == 0);
 +
 +    assert_string_equal(session->opts.knownhosts, "hello there");
 +    assert_string_equal(session->opts.global_knownhosts, "lorem ipsum");
 +    /* check that the "exec " was added at the beginning */
 +    assert_string_equal(session->opts.ProxyCommand, "exec mission_impossible");
 +    assert_string_equal(session->opts.identity->root->data, "1");
 +
 +    /* check the order of the identity files after double expansion */
 +    awaited_list = ssh_list_new();
 +    /* append the new data in order */
 +    id = strdup("1");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +    id = strdup("2");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +    id = strdup("3");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +    id = strdup("007");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +    id = strdup("%d/do_not_expand");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +    /* append the defaults; this list is copied from ssh_new@src/session.c */
 +    id = ssh_path_expand_escape(session, "%d/id_ed25519");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +#ifdef HAVE_ECC
 +    id = ssh_path_expand_escape(session, "%d/id_ecdsa");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +#endif
 +    id = ssh_path_expand_escape(session, "%d/id_rsa");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +#ifdef HAVE_DSA
 +    id = ssh_path_expand_escape(session, "%d/id_dsa");
 +    rc = ssh_list_append(awaited_list, id);
 +    assert_int_equal(rc, SSH_OK);
 +#endif
 +
 +    assert_int_equal(ssh_list_count(awaited_list),
 +                     ssh_list_count(session->opts.identity));
 +
 +    it1 = ssh_list_get_iterator(awaited_list);
 +    assert_non_null(it1);
 +    it2 = ssh_list_get_iterator(session->opts.identity);
 +    assert_non_null(it2);
 +    while (it1 != NULL && it2 != NULL) {
 +        assert_string_equal(it1->data, it2->data);
 +
 +        free((void*)it1->data);
 +        it1 = it1->next;
 +        it2 = it2->next;
 +    }
 +    assert_null(it1);
 +    assert_null(it2);
 +
 +    ssh_list_free(awaited_list);
 +}
 +
 #ifdef WITH_SERVER
 const char template[] = "temp_dir_XXXXXX";
@@ -2132,6 +2296,7 @@ int torture_run_tests(void) {
                                         setup, teardown),
         cmocka_unit_test_setup_teardown(torture_options_caret_sign,
                                         setup, teardown),
 +        cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
     };
 #ifdef WITH_SERVER
 --
 2.38.1
--- a/pkcs11_test_fix.patch
+++ b/pkcs11_test_fix.patch
@ -1,98 +0,0 @@
 diff --git a/tests/pkcs11/setup-softhsm-tokens.sh b/tests/pkcs11/setup-softhsm-tokens.sh
 index 532c86a7..9050cea6 100755
 --- a/tests/pkcs11/setup-softhsm-tokens.sh
 +++ b/tests/pkcs11/setup-softhsm-tokens.sh
@@ -17,10 +17,10 @@ echo "OBJNAME: $OBJNAME"
 echo "LOADPUBLIC: $LOADPUBLIC"
 # Create temporary directory for tokens
 -install -d -m 0755 $TESTDIR/db
 +install -d -m 0755 "$TESTDIR/db"
 # Create SoftHSM configuration file
 -cat >$TESTDIR/softhsm.conf <<EOF
 +cat >"$TESTDIR/softhsm.conf" <<EOF
 directories.tokendir = $TESTDIR/db
 objectstore.backend = file
 log.level = DEBUG
@@ -28,12 +28,12 @@ EOF
 export SOFTHSM2_CONF=$TESTDIR/softhsm.conf
 -cat $TESTDIR/softhsm.conf
 +cat "$TESTDIR/softhsm.conf"
 #init
 -cmd='softhsm2-util --init-token --label "$OBJNAME" --free --pin 1234 --so-pin 1234'
 +cmd="softhsm2-util --init-token --label $OBJNAME --free --pin 1234 --so-pin 1234"
 eval echo "$cmd"
 -out=$(eval $cmd)
 +out=$(eval "$cmd")
 ret=$?
 if [ $ret -ne 0 ]; then
     echo "Init token failed"
@@ -41,10 +41,29 @@ if [ $ret -ne 0 ]; then
     exit 1
 fi
 +find_library_path() {
 +    echo "$@"
 +    for _lib in "$@" ; do
 +        if test -f "$_lib" ; then
 +            LIBSOFTHSM_PATH="$_lib"
 +            echo "Using libsofthsm path: $LIBSOFTHSM_PATH"
 +            return
 +        fi
 +    done
 +    echo "libsofthsm2.so not found"
 +    exit 1
 +}
 +
 +find_library_path \
 +    /usr/lib64/libsofthsm2.so \
 +    /usr/lib/libsofthsm2.so \
 +    /usr/local/lib/softhsm/libsofthsm2.so \
 +    /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
 +
 #load private key
 -cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-privkey "$PRIVKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
 +cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
 eval echo "$cmd"
 -out=$(eval $cmd)
 +out=$(eval "$cmd")
 ret=$?
 if [ $ret -ne 0 ]; then
    echo "Loading privkey failed"
@@ -52,15 +71,15 @@ if [ $ret -ne 0 ]; then
    exit 1
 fi
 -cat $PUBKEY
 +cat "$PUBKEY"
 -ls -l $TESTDIR
 +ls -l "$TESTDIR"
 -if [ $LOADPUBLIC -ne 0 ]; then
 +if [ "$LOADPUBLIC" -ne 0 ]; then
 #load public key
 -    cmd='p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so --write --load-pubkey "$PUBKEY" --label "$OBJNAME" --login --set-pin=1234 "pkcs11:token="$OBJNAME""'
 +    cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
     eval echo "$cmd"
 -    out=$(eval $cmd)
 +    out=$(eval "$cmd")
     ret=$?
     if [ $ret -ne 0 ]; then
         echo "Loading pubkey failed"
@@ -69,9 +88,9 @@ if [ $LOADPUBLIC -ne 0 ]; then
     fi
 fi
 -cmd='p11tool --list-all --login "pkcs11:token="$OBJNAME"" --set-pin=1234'
 +cmd="p11tool --list-all --login \"pkcs11:token=$OBJNAME\" --set-pin=1234"
 eval echo "$cmd"
 -out=$(eval $cmd)
 +out=$(eval "$cmd")
 ret=$?
 if [ $ret -ne 0 ]; then
     echo "Loging failed"
--- a/plus_sign.patch
+++ b/plus_sign.patch
--- a/rekey_test_fixup.patch
+++ b/rekey_test_fixup.patch
@ -1,21 +0,0 @@
 diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
 --- ../libssh-0.10.4/tests/client/torture_rekey.c	2023-05-17 10:55:23.384684129 +0200
 +++ ./tests/client/torture_rekey.c	2023-05-17 10:56:29.819334665 +0200
@@ -504,7 +504,7 @@
     memset(data, 'A', 128);
     for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 100);
 +        ssh_handle_packets(s->ssh.session, 1000);
         c = s->ssh.session->current_crypto;
         /* SHA256 len */
@@ -582,7 +582,7 @@
     memset(data, 'A', 128);
     for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 100);
 +        ssh_handle_packets(s->ssh.session, 1000);
         c = s->ssh.session->current_crypto;
         /* SHA256 len */
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (libssh-0.10.4.tar.xz) = 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed
 SHA512 (libssh-0.10.4.tar.xz.asc) = 8200215d6471851dac8cd8efd07400b9bc4403cf5406a9fdb28a68ef8fe85c227f92a26071fb32d9396b91661568333b5ceb9b23665d22e761b981dd880bbbc8
		`@ -0,0 +1,2 @@`
							`1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz`
							`3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring`
		`@ -1,2 +0,0 @@`
			`SHA512 (libssh-0.10.4.tar.xz) = 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed`
			`SHA512 (libssh-0.10.4.tar.xz.asc) = 8200215d6471851dac8cd8efd07400b9bc4403cf5406a9fdb28a68ef8fe85c227f92a26071fb32d9396b91661568333b5ceb9b23665d22e761b981dd880bbbc8`