.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,72 +1,2 @@
-libssh-0.4.4.tar.gz
+SOURCES/libssh-0.9.6.tar.xz
-libssh-0.4.4.tar.gz.asc
+SOURCES/libssh.keyring
-/libssh-0.4.6.tar.gz
-/libssh-0.4.6.tar.gz.asc
-/libssh-0.4.8.tar.gz
-/libssh-0.4.8.tar.gz.asc
-/libssh-0.5.0.tar.gz
-/libssh-0.5.0.tar.gz.asc
-/libssh-0.5.2.tar.gz
-/libssh-0.5.2.tar.gz.asc
-/libssh-0.5.3.tar.gz
-/libssh-0.5.3.tar.asc
-/libssh-0.5.4.tar.gz
-/libssh-0.5.4.tar.asc
-/libssh-0.5.5.tar.gz
-/libssh-0.5.5.tar.asc
-/libssh-0.6.0.tar.xz
-/libssh-0.6.1.tar.xz
-/libssh-0.6.3.tar.xz
-/libssh-0.6.4.tar.gz
-/libssh-0.6.5.tar.xz
-/libssh-0.7.0.tar.xz
-/libssh-0.7.1.tar.xz
-/libssh-0.7.2.tar.xz
-/libssh-0.7.3.tar.xz
-/libssh-0.7.4.tar.xz
-/libssh-0.7.5.tar.xz
-/libssh-0.8.0.tar.xz
-/libssh-0.8.0.tar.xz.asc
-/libssh-0.8.1.tar.xz
-/libssh-0.8.1.tar.xz.asc
-/libssh-0.8.2.tar.xz
-/libssh-0.8.2.tar.xz.asc
-/libssh-0.8.3.tar.xz
-/libssh-0.8.3.tar.xz.asc
-/libssh-0.8.4.tar.xz
-/libssh-0.8.4.tar.xz.asc
-/libssh-0.8.5.tar.xz
-/libssh-0.8.5.tar.xz.asc
-/libssh-0.8.6.tar.xz
-/libssh-0.8.6.tar.xz.asc
-/libssh-0.8.7.tar.xz
-/libssh-0.8.7.tar.xz.asc
-/libssh-0.8.91.tar.xz
-/libssh_client.config
-/libssh_server.config
-/libssh-0.9.0.tar.xz
-/libssh-0.9.0.tar.xz.asc
-/libssh-0.9.2.tar.xz
-/libssh-0.9.2.tar.xz.asc
-/libssh-0.9.3.tar.xz
-/libssh-0.9.3.tar.xz.asc
-/libssh-0.9.4.tar.xz
-/libssh-0.9.4.tar.xz.asc
-/libssh-0.9.5.tar.xz
-/libssh-0.9.5.tar.xz.asc
-/libssh-0.9.6.tar.xz
-/libssh-0.9.6.tar.xz.asc
-/libssh-0.10.0.tar.xz
-/libssh-0.10.0.tar.xz.asc
-/libssh-0.10.1.tar.xz
-/libssh-0.10.1.tar.xz.asc
-/libssh-0.10.2.tar.xz
-/libssh-0.10.2.tar.xz.asc
-/libssh-0.10.3.tar.xz
-/libssh-0.10.3.tar.xz.asc
-/libssh-0.10.4.tar.xz
-/libssh-0.10.4.tar.xz.asc
-/libssh-0.10.5.tar.xz
-/libssh-0.10.5.tar.xz.asc
-/libssh-0.10.6.tar.xz
-/libssh-0.10.6.tar.xz.asc

.libssh.metadata

@@ -0,0 +1,2 @@
+1b2dd673b58e1eaf20fde45cd8de2197cfab2f78 SOURCES/libssh-0.9.6.tar.xz
+3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring

SOURCES/CVE-2023-48795.patch

@@ -0,0 +1,723 @@
+From 87b93be5a2071be782aa84aa5a91544b18959d5e Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Tue, 12 Dec 2023 23:09:57 +0100
+Subject: [PATCH 1/4] CVE-2023-48795: client side mitigation
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ include/libssh/packet.h  |  1 +
+ include/libssh/session.h |  6 +++++
+ src/curve25519.c         | 19 +++----------
+ src/dh-gex.c             |  7 +----
+ src/dh.c                 | 17 +++---------
+ src/ecdh.c               |  8 +-----
+ src/ecdh_crypto.c        | 12 +++------
+ src/ecdh_gcrypt.c        | 10 +++----
+ src/ecdh_mbedcrypto.c    | 11 +++-----
+ src/kex.c                | 34 +++++++++++++++++++----
+ src/packet.c             | 58 ++++++++++++++++++++++++++++++++++++++++
+ src/packet_cb.c          | 12 +++++++++
+ 12 files changed, 126 insertions(+), 69 deletions(-)
+
+diff --git a/include/libssh/packet.h b/include/libssh/packet.h
+index 561bba8e..c6fbc3fc 100644
+--- a/include/libssh/packet.h
++++ b/include/libssh/packet.h
+@@ -63,6 +63,7 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info);
+ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init);
+ #endif
+ 
++int ssh_packet_send_newkeys(ssh_session session);
+ int ssh_packet_send_unimplemented(ssh_session session, uint32_t seqnum);
+ int ssh_packet_parse_type(ssh_session session);
+ //int packet_flush(ssh_session session, int enforce_blocking);
+diff --git a/include/libssh/session.h b/include/libssh/session.h
+index 64e118ef..3cde0dd4 100644
+--- a/include/libssh/session.h
++++ b/include/libssh/session.h
+@@ -80,6 +80,12 @@ enum ssh_pending_call_e {
+  * sending it twice during key exchange to simplify the state machine. */
+ #define SSH_SESSION_FLAG_KEXINIT_SENT 4
+ 
++/* The current SSH2 session implements the "strict KEX" feature and should behave
++ * differently on SSH2_MSG_NEWKEYS. */
++#define SSH_SESSION_FLAG_KEX_STRICT 0x0010
++/* Unexpected packets have been sent while the session was still unencrypted */
++#define SSH_SESSION_FLAG_KEX_TAINTED 0x0020
++
+ /* codes to use with ssh_handle_packets*() */
+ /* Infinite timeout */
+ #define SSH_TIMEOUT_INFINITE -1
+diff --git a/src/curve25519.c b/src/curve25519.c
+index 37654438..6b7b4238 100644
+--- a/src/curve25519.c
++++ b/src/curve25519.c
+@@ -335,16 +335,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_curve25519_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+   return SSH_PACKET_USED;
+@@ -502,18 +496,13 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
+         return SSH_ERROR;
+     }
+ 
+-    /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        goto error;
+-    }
+-
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
++
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
+     if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_PACKET_USED;
+ error:
+diff --git a/src/dh-gex.c b/src/dh-gex.c
+index 4a298542..f1880270 100644
+--- a/src/dh-gex.c
++++ b/src/dh-gex.c
+@@ -287,15 +287,10 @@ static SSH_PACKET_CALLBACK(ssh_packet_client_dhgex_reply)
+     }
+ 
+     /* Send the MSG_NEWKEYS */
+-    if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-        goto error;
+-    }
+-
+-    rc = ssh_packet_send(session);
++    rc = ssh_packet_send_newkeys(session);
+     if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+     return SSH_PACKET_USED;
+diff --git a/src/dh.c b/src/dh.c
+index c265efcb..1d519c63 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -386,16 +386,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_dh_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+   return SSH_PACKET_USED;
+ error:
+@@ -532,15 +526,12 @@ int ssh_server_dh_process_init(ssh_session session, ssh_buffer packet)
+     }
+     SSH_LOG(SSH_LOG_DEBUG, "Sent KEX_DH_[GEX]_REPLY");
+ 
+-    if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-        ssh_buffer_reinit(session->out_buffer);
+-        goto error;
+-    }
+     session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
+-    if (ssh_packet_send(session) == SSH_ERROR) {
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_PACKET, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_OK;
+ error:
+diff --git a/src/ecdh.c b/src/ecdh.c
+index e5b11ba9..af80beec 100644
+--- a/src/ecdh.c
++++ b/src/ecdh.c
+@@ -93,16 +93,10 @@ SSH_PACKET_CALLBACK(ssh_packet_client_ecdh_reply){
+   }
+ 
+   /* Send the MSG_NEWKEYS */
+-  if (ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
+-    goto error;
+-  }
+-
+-  rc=ssh_packet_send(session);
++  rc = ssh_packet_send_newkeys(session);
+   if (rc == SSH_ERROR) {
+     goto error;
+   }
+-
+-  SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+   session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+ 
+   return SSH_PACKET_USED;
+diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
+index a1de27fd..62578c1b 100644
+--- a/src/ecdh_crypto.c
++++ b/src/ecdh_crypto.c
+@@ -323,18 +323,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto error;
+     }
+ 
+-    /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        goto error;
+-    }
+-
+     session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    if (rc == SSH_ERROR){
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto error;
+     }
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+ 
+     return SSH_PACKET_USED;
+ error:
+diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
+index d9c41bf9..dd4332d7 100644
+--- a/src/ecdh_gcrypt.c
++++ b/src/ecdh_gcrypt.c
+@@ -372,17 +372,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto out;
+     }
+ 
+-
++    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+     /* Send the MSG_NEWKEYS */
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc != SSH_OK) {
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto out;
+     }
+ 
+-    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+-
+  out:
+     gcry_sexp_release(param);
+     gcry_sexp_release(key);
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index 718f1522..45251a42 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -300,16 +300,13 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
+         goto out;
+     }
+ 
+-    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
+-    if (rc < 0) {
+-        rc = SSH_ERROR;
++    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_packet_send_newkeys(session);
++    if (rc == SSH_ERROR) {
+         goto out;
+     }
+ 
+-    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
+-    rc = ssh_packet_send(session);
+-    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
+-
+ out:
+     mbedtls_ecp_group_free(&grp);
+     if (rc == SSH_ERROR) {
+diff --git a/src/kex.c b/src/kex.c
+index 3e5ca6ad..0772cae8 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -163,6 +163,9 @@
+ 
+ /* RFC 8308 */
+ #define KEX_EXTENSION_CLIENT "ext-info-c"
++/* Strict kex mitigation against CVE-2023-48795 */
++#define KEX_STRICT_CLIENT "kex-strict-c-v00@openssh.com"
++#define KEX_STRICT_SERVER "kex-strict-s-v00@openssh.com"
+ 
+ /* Allowed algorithms in FIPS mode */
+ #define FIPS_ALLOWED_CIPHERS "aes256-gcm@openssh.com,"\
+@@ -491,6 +494,27 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
+                     session->first_kex_follows_guess_wrong ? "wrong" : "right");
+     }
+ 
++    /*
++     * handle the "strict KEX" feature. If supported by peer, then set up the
++     * flag and verify packet sequence numbers.
++     */
++    if (server_kex) {
++        ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
++                             KEX_STRICT_CLIENT);
++        if (ok) {
++            SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
++            session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
++        }
++    } else {
++        /* client kex */
++        ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
++                             KEX_STRICT_SERVER);
++        if (ok) {
++            SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
++            session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
++        }
++    }
++
+     if (server_kex) {
+         /*
+          * If client sent a ext-info-c message in the kex list, it supports
+@@ -767,21 +791,21 @@ int ssh_set_client_kex(ssh_session session)
+         return SSH_OK;
+     }
+ 
+-    /* Here we append  ext-info-c  to the list of kex algorithms */
++    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
+     kex = client->methods[SSH_KEX];
+     len = strlen(kex);
+-    if (len + strlen(KEX_EXTENSION_CLIENT) + 2 < len) {
++    /* Comma, comma, nul byte */
++    kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
++    if (kex_len >= MAX_PACKET_LEN) {
+         /* Overflow */
+         return SSH_ERROR;
+     }
+-    kex_len = len + strlen(KEX_EXTENSION_CLIENT) + 2; /* comma, NULL */
+     kex_tmp = realloc(kex, kex_len);
+     if (kex_tmp == NULL) {
+-        free(kex);
+         ssh_set_error_oom(session);
+         return SSH_ERROR;
+     }
+-    snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_EXTENSION_CLIENT);
++    snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
+     client->methods[SSH_KEX] = kex_tmp;
+ 
+     return SSH_OK;
+diff --git a/src/packet.c b/src/packet.c
+index ca7a03b7..82965fb3 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -1309,6 +1309,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+             }
+ #endif /* WITH_ZLIB */
+             payloadsize = ssh_buffer_get_len(session->in_buffer);
++            if (session->recv_seq == UINT32_MAX) {
++                /* Overflowing sequence numbers is always fishy */
++                if (crypto == NULL) {
++                    /* don't allow sequence number overflow when unencrypted */
++                    ssh_set_error(session,
++                                  SSH_FATAL,
++                                  "Incoming sequence number overflow");
++                    goto error;
++                } else {
++                    SSH_LOG(SSH_LOG_WARNING,
++                            "Incoming sequence number overflow");
++                }
++            }
+             session->recv_seq++;
+             if (crypto != NULL) {
+                 struct ssh_cipher_struct *cipher = NULL;
+@@ -1331,7 +1344,19 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+             SSH_LOG(SSH_LOG_PACKET,
+                     "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]",
+                     session->in_packet.type, packet_len, padding, compsize, payloadsize);
++            if (crypto == NULL) {
++                /* In strict kex, only a few packets are allowed. Taint the session
++                 * if we received packets that are normally allowed but to be
++                 * refused if we are in strict kex when KEX is over.
++                 */
++                uint8_t type = session->in_packet.type;
+ 
++                if (type != SSH2_MSG_KEXINIT && type != SSH2_MSG_NEWKEYS &&
++                    (type < SSH2_MSG_KEXDH_INIT ||
++                     type > SSH2_MSG_KEX_DH_GEX_REQUEST)) {
++                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++                }
++            }
+             /* Check if the packet is expected */
+             filter_result = ssh_packet_incoming_filter(session);
+ 
+@@ -1347,6 +1372,9 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
+                               session->in_packet.type);
+                 goto error;
+             case SSH_PACKET_UNKNOWN:
++                if (crypto == NULL) {
++                    session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++                }
+                 ssh_packet_send_unimplemented(session, session->recv_seq - 1);
+                 break;
+             }
+@@ -1521,7 +1549,33 @@ void ssh_packet_process(ssh_session session, uint8_t type)
+             SSH_LOG(SSH_LOG_RARE, "Failed to send unimplemented: %s",
+                     ssh_get_error(session));
+         }
++        if (session->current_crypto == NULL) {
++            session->flags |= SSH_SESSION_FLAG_KEX_TAINTED;
++        }
++    }
++}
++
++/** @internal
++ * @brief sends a SSH_MSG_NEWKEYS when enabling the new negotiated ciphers
++ * @param session the SSH session
++ * @return SSH_ERROR on error, else SSH_OK
++ */
++int ssh_packet_send_newkeys(ssh_session session)
++{
++    int rc;
++
++    /* Send the MSG_NEWKEYS */
++    rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
++    if (rc < 0) {
++        return rc;
+     }
++
++    rc = ssh_packet_send(session);
++    if (rc == SSH_ERROR) {
++        return rc;
++    }
++    SSH_LOG(SSH_LOG_DEBUG, "SSH_MSG_NEWKEYS sent");
++    return rc;
+ }
+ 
+ /** @internal
+@@ -1829,6 +1883,10 @@ int ssh_packet_send(ssh_session session)
+     if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) {
+         struct ssh_iterator *it;
+ 
++        if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
++            /* reset packet sequence number when running in strict kex mode */
++            session->send_seq = 0;
++        }
+         for (it = ssh_list_get_iterator(session->out_queue);
+              it != NULL;
+              it = ssh_list_get_iterator(session->out_queue)) {
+diff --git a/src/packet_cb.c b/src/packet_cb.c
+index 3e4d5f6d..a08f1d8a 100644
+--- a/src/packet_cb.c
++++ b/src/packet_cb.c
+@@ -110,6 +110,18 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+       goto error;
+   }
+ 
++  if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) {
++      /* reset packet sequence number when running in strict kex mode */
++      session->recv_seq = 0;
++      /* Check that we aren't tainted */
++      if (session->flags & SSH_SESSION_FLAG_KEX_TAINTED) {
++          ssh_set_error(session,
++                        SSH_FATAL,
++                        "Received unexpected packets in strict KEX mode.");
++          goto error;
++      }
++  }
++
+   if(session->server){
+     /* server things are done in server.c */
+     session->dh_handshake_state=DH_STATE_FINISHED;
+-- 
+2.41.0
+
+
+From fd4948255560039b51c2d61f0a62784ed8b6f5a6 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Tue, 12 Dec 2023 23:30:26 +0100
+Subject: [PATCH 2/4] CVE-2023-48795: Server side mitigations
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ include/libssh/kex.h |  1 +
+ src/kex.c            | 46 ++++++++++++++++++++++++++++++++++----------
+ src/server.c         |  8 +++++++-
+ 3 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/libssh/kex.h b/include/libssh/kex.h
+index 2ace69b6..40da4ef2 100644
+--- a/include/libssh/kex.h
++++ b/include/libssh/kex.h
+@@ -36,6 +36,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit);
+ int ssh_send_kex(ssh_session session);
+ void ssh_list_kex(struct ssh_kex_struct *kex);
+ int ssh_set_client_kex(ssh_session session);
++int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex);
+ int ssh_kex_select_methods(ssh_session session);
+ int ssh_verify_existing_algo(enum ssh_kex_types_e algo, const char *name);
+ char *ssh_keep_known_algos(enum ssh_kex_types_e algo, const char *list);
+diff --git a/src/kex.c b/src/kex.c
+index 0772cae8..e37c176c 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -738,11 +738,8 @@ int ssh_set_client_kex(ssh_session session)
+ {
+     struct ssh_kex_struct *client = &session->next_crypto->client_kex;
+     const char *wanted;
+-    char *kex = NULL;
+-    char *kex_tmp = NULL;
+     int ok;
+     int i;
+-    size_t kex_len, len;
+ 
+     /* Skip if already set, for example for the rekey or when we do the guessing
+      * it could have been already used to make some protocol decisions. */
+@@ -791,11 +788,33 @@ int ssh_set_client_kex(ssh_session session)
+         return SSH_OK;
+     }
+ 
+-    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com to the list of kex algorithms */
+-    kex = client->methods[SSH_KEX];
++    ok = ssh_kex_append_extensions(session, client);
++    if (ok != SSH_OK){
++        return ok;
++    }
++
++    return SSH_OK;
++}
++
++int ssh_kex_append_extensions(ssh_session session, struct ssh_kex_struct *pkex)
++{
++    char *kex = NULL;
++    char *kex_tmp = NULL;
++    size_t kex_len, len;
++
++    /* Here we append ext-info-c and kex-strict-c-v00@openssh.com for client
++     * and kex-strict-s-v00@openssh.com for server to the list of kex algorithms
++     */
++    kex = pkex->methods[SSH_KEX];
+     len = strlen(kex);
+-    /* Comma, comma, nul byte */
+-    kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 + strlen(KEX_STRICT_CLIENT ) + 1;
++    if (session->server) {
++        /* Comma, nul byte */
++        kex_len = len + 1 + strlen(KEX_STRICT_SERVER) + 1;
++    } else {
++        /* Comma, comma, nul byte */
++        kex_len = len + 1 + strlen(KEX_EXTENSION_CLIENT) + 1 +
++                  strlen(KEX_STRICT_CLIENT) + 1;
++    }
+     if (kex_len >= MAX_PACKET_LEN) {
+         /* Overflow */
+         return SSH_ERROR;
+@@ -805,9 +824,16 @@ int ssh_set_client_kex(ssh_session session)
+         ssh_set_error_oom(session);
+         return SSH_ERROR;
+     }
+-    snprintf(kex_tmp + len, kex_len - len, ",%s,%s", KEX_EXTENSION_CLIENT, KEX_STRICT_CLIENT);
+-    client->methods[SSH_KEX] = kex_tmp;
+-
++    if (session->server){
++        snprintf(kex_tmp + len, kex_len - len, ",%s", KEX_STRICT_SERVER);
++    } else {
++        snprintf(kex_tmp + len,
++                 kex_len - len,
++                 ",%s,%s",
++                 KEX_EXTENSION_CLIENT,
++                 KEX_STRICT_CLIENT);
++    }
++    pkex->methods[SSH_KEX] = kex_tmp;
+     return SSH_OK;
+ }
+ 
+diff --git a/src/server.c b/src/server.c
+index ed73e7fb..35e84465 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -195,7 +195,13 @@ int server_set_kex(ssh_session session)
+         }
+     }
+ 
+-    return 0;
++    /* Do not append the extensions during rekey */
++    if (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) {
++        return SSH_OK;
++    }
++
++    rc = ssh_kex_append_extensions(session, server);
++    return rc;
+ }
+ 
+ int ssh_server_init_kex(ssh_session session) {
+-- 
+2.41.0
+
+
+From 03bbbc9e4c93aae2ccdd302d6123e4809be37746 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 14 Dec 2023 12:22:01 +0100
+Subject: [PATCH 3/4] CVE-2023-48795: Strip extensions from both kex lists for
+ matching
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/kex.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index e37c176c..eea3604b 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -936,11 +936,19 @@ int ssh_kex_select_methods (ssh_session session)
+     enum ssh_key_exchange_e kex_type;
+     int i;
+ 
+-    /* Here we should drop the  ext-info-c  from the list so we avoid matching.
++    /* Here we should drop the extensions from the list so we avoid matching.
+      * it. We added it to the end, so we can just truncate the string here */
+-    ext_start = strstr(client->methods[SSH_KEX], ","KEX_EXTENSION_CLIENT);
+-    if (ext_start != NULL) {
+-        ext_start[0] = '\0';
++    if (session->client) {
++        ext_start = strstr(client->methods[SSH_KEX], "," KEX_EXTENSION_CLIENT);
++        if (ext_start != NULL) {
++            ext_start[0] = '\0';
++        }
++    }
++    if (session->server) {
++        ext_start = strstr(server->methods[SSH_KEX], "," KEX_STRICT_SERVER);
++        if (ext_start != NULL) {
++            ext_start[0] = '\0';
++        }
+     }
+ 
+     for (i = 0; i < SSH_KEX_METHODS; i++) {
+-- 
+2.41.0
+
+
+From 768d1ed30cf4b3cb9628254ef3ee24b9c38abdbc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 14 Dec 2023 12:47:48 +0100
+Subject: [PATCH 4/4] CVE-2023-48795: tests: Adjust calculation to strict kex
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ tests/client/torture_rekey.c | 56 ++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 24 deletions(-)
+
+diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
+index 13c9a7fe..bfb273af 100644
+--- a/tests/client/torture_rekey.c
++++ b/tests/client/torture_rekey.c
+@@ -148,6 +148,29 @@ static void torture_rekey_default(void **state)
+     ssh_disconnect(s->ssh.session);
+ }
+ 
++static void sanity_check_session(void **state)
++{
++    struct torture_state *s = *state;
++    struct ssh_crypto_struct *c = NULL;
++
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
++    assert_int_equal(c->in_cipher->max_blocks,
++                     bytes / c->in_cipher->blocksize);
++    assert_int_equal(c->out_cipher->max_blocks,
++                     bytes / c->out_cipher->blocksize);
++    /* when strict kex is used, the newkeys reset the sequence number */
++    if ((s->ssh.session->flags & SSH_SESSION_FLAG_KEX_STRICT) != 0) {
++        assert_int_equal(c->out_cipher->packets, s->ssh.session->send_seq);
++        assert_int_equal(c->in_cipher->packets, s->ssh.session->recv_seq);
++    } else {
++        /* Otherwise we have less encrypted packets than transferred
++         * (first are not encrypted) */
++        assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
++        assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    }
++}
++
+ /* We lower the rekey limits manually and check that the rekey
+  * really happens when sending data
+  */
+@@ -166,16 +189,10 @@ static void torture_rekey_send(void **state)
+     rc = ssh_connect(s->ssh.session);
+     assert_ssh_return_code(s->ssh.session, rc);
+ 
+-    /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks,
+-                     bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks,
+-                     bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+@@ -272,14 +289,10 @@ static void torture_rekey_recv(void **state)
+     sftp_file file;
+     mode_t mask;
+ 
+-    /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+@@ -464,15 +477,10 @@ static void torture_rekey_different_kex(void **state)
+     assert_ssh_return_code(s->ssh.session, rc);
+ 
+     /* The blocks limit is set correctly */
+-    c = s->ssh.session->current_crypto;
+-    assert_int_equal(c->in_cipher->max_blocks,
+-                     bytes / c->in_cipher->blocksize);
+-    assert_int_equal(c->out_cipher->max_blocks,
+-                     bytes / c->out_cipher->blocksize);
+-    /* We should have less encrypted packets than transfered (first are not encrypted) */
+-    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
+-    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
++    sanity_check_session(state);
+     /* Copy the initial secret hash = session_id so we know we changed keys later */
++    c = s->ssh.session->current_crypto;
++    assert_non_null(c);
+     secret_hash = malloc(c->digest_len);
+     assert_non_null(secret_hash);
+     memcpy(secret_hash, c->secret_hash, c->digest_len);
+-- 
+2.41.0
+

SOURCES/auth_bypass.patch

@@ -0,0 +1,86 @@
+diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
+--- ../libssh-0.9.6/src/pki_crypto.c	2023-04-27 12:59:08.463259052 +0200
++++ ./src/pki_crypto.c	2023-04-27 13:05:24.020610873 +0200
+@@ -2291,8 +2291,12 @@
+     unsigned char *raw_sig_data = NULL;
+     unsigned int raw_sig_len;
+ 
++    /* Function return code
++     * Do not change this variable throughout the function until the signature
++     * is successfully verified!
++     */
+     int rc = SSH_ERROR;
+-    int evp_rc;
++    int ok;
+ 
+     if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
+         signature == NULL || (signature->raw_sig == NULL
+@@ -2307,8 +2311,8 @@
+     }
+ 
+     /* Check if public key and hash type are compatible */
+-    rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+-    if (rc != SSH_OK) {
++    ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
++    if (ok != SSH_OK) {
+         return SSH_ERROR;
+     }
+ 
+@@ -2351,8 +2355,8 @@
+     }
+ 
+     /* Verify the signature */
+-    evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+-    if (evp_rc != 1){
++    ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
++    if (ok != 1){
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyInit() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+@@ -2360,35 +2364,31 @@
+     }
+ 
+ #ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
+-    evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
++    ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ #else
+-    evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
+-    if (evp_rc != 1) {
++    ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
++    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "EVP_DigestVerifyUpdate() failed: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+         goto out;
+     }
+ 
+-    evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
++    ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ #endif
+-    if (evp_rc == 1) {
+-        SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+-        rc = SSH_OK;
+-    } else {
++    if (ok != 1) {
+         SSH_LOG(SSH_LOG_TRACE,
+                 "Signature invalid: %s",
+                 ERR_error_string(ERR_get_error(), NULL));
+-        rc = SSH_ERROR;
++        goto out;
+     }
+ 
++    SSH_LOG(SSH_LOG_TRACE, "Signature valid");
++    rc = SSH_OK;
++
+ out:
+-    if (ctx != NULL) {
+-        EVP_MD_CTX_free(ctx);
+-    }
+-    if (pkey != NULL) {
+-        EVP_PKEY_free(pkey);
+-    }
++    EVP_MD_CTX_free(ctx);
++    EVP_PKEY_free(pkey);
+     return rc;
+ }
+ 

SOURCES/covscan23.patch

@@ -0,0 +1,228 @@
+diff --color -ru ../libssh-0.9.6/src/buffer.c ./src/buffer.c
+--- ../libssh-0.9.6/src/buffer.c	2023-05-03 11:53:48.710217753 +0200
++++ ./src/buffer.c	2023-05-03 11:58:21.995200990 +0200
+@@ -747,7 +747,8 @@
+  */
+ int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
+ {
+-    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
++    if (buffer == NULL || buffer->pos + len < len ||
++        buffer->pos + len > buffer->used) {
+         return SSH_ERROR;
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/gssapi.c ./src/gssapi.c
+--- ../libssh-0.9.6/src/gssapi.c	2023-05-03 11:53:48.732217993 +0200
++++ ./src/gssapi.c	2023-05-03 11:58:21.976200782 +0200
+@@ -437,11 +437,18 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            ssh_auth_reply_default(session, 0);
++            ssh_gssapi_free(session);
++            session->gssapi = NULL;
++            return SSH_PACKET_USED;
++        }
+         ssh_packet_send(session);
+     }
+ 
+@@ -846,6 +853,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
++    int rc;
+     ssh_string oid_s;
+     gss_uint32 maj_stat, min_stat;
+     gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+@@ -897,11 +905,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            goto error;
++        }
+         ssh_packet_send(session);
+         session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
+     }
+@@ -963,6 +975,7 @@
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
++    int rc;
+     ssh_string token;
+     char *hexa;
+     OM_uint32 maj_stat, min_stat;
+@@ -1015,11 +1028,15 @@
+         hexa = ssh_get_hexa(output_token.value, output_token.length);
+         SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
+         SAFE_FREE(hexa);
+-        ssh_buffer_pack(session->out_buffer,
+-                        "bdP",
+-                        SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+-                        output_token.length,
+-                        (size_t)output_token.length, output_token.value);
++        rc = ssh_buffer_pack(session->out_buffer,
++                             "bdP",
++                             SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
++                             output_token.length,
++                             (size_t)output_token.length, output_token.value);
++        if (rc != SSH_OK) {
++            ssh_set_error_oom(session);
++            goto error;
++        }
+         ssh_packet_send(session);
+     }
+ 
+diff --color -ru ../libssh-0.9.6/src/options.c ./src/options.c
+--- ../libssh-0.9.6/src/options.c	2021-08-26 14:27:42.000000000 +0200
++++ ./src/options.c	2023-05-03 11:58:22.000201044 +0200
+@@ -547,7 +547,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
++                    SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
+                     SAFE_FREE(q);
++                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i <= 0) {
+@@ -743,7 +745,9 @@
+                 }
+                 i = strtol(q, &p, 10);
+                 if (q == p) {
++                    SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+                     SAFE_FREE(q);
++                    return -1;
+                 }
+                 SAFE_FREE(q);
+                 if (i < 0) {
+@@ -1818,7 +1822,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
++            SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
++            SAFE_FREE(q);
++            return -1;
+         }
+         SAFE_FREE(q);
+ 
+@@ -1845,7 +1851,9 @@
+         }
+         i = strtol(q, &p, 10);
+         if (q == p) {
+-          SAFE_FREE(q);
++            SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
++            SAFE_FREE(q);
++            return -1;
+         }
+         SAFE_FREE(q);
+ 
+diff --color -ru ../libssh-0.9.6/src/pki_container_openssh.c ./src/pki_container_openssh.c
+--- ../libssh-0.9.6/src/pki_container_openssh.c	2023-05-03 11:53:48.713217785 +0200
++++ ./src/pki_container_openssh.c	2023-05-03 11:58:21.976200782 +0200
+@@ -630,7 +630,11 @@
+             goto error;
+         }
+ 
+-        ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
++        rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
++        if (rc != SSH_OK) {
++            SSH_BUFFER_FREE(kdf_buf);
++            goto error;
++        }
+         kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
+         if (kdf_options == NULL){
+             SSH_BUFFER_FREE(kdf_buf);
+diff --color -ru ../libssh-0.9.6/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
+--- ../libssh-0.9.6/tests/unittests/torture_options.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/unittests/torture_options.c	2023-05-03 11:59:21.726853027 +0200
+@@ -311,6 +311,7 @@
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
+     assert_true(rc == -1);
++    assert_int_not_equal(session->opts.port, 0);
+ 
+     rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
+     assert_true(rc == -1);
+@@ -853,6 +854,26 @@
+     ssh_free(new);
+ }
+ 
++static void torture_options_set_verbosity (void **state)
++{
++    ssh_session session = *state;
++    int rc, new_level;
++
++    rc = ssh_options_set(session,
++                         SSH_OPTIONS_LOG_VERBOSITY_STR,
++                         "3");
++    assert_int_equal(rc, SSH_OK);
++    new_level = ssh_get_log_level();
++    assert_int_equal(new_level, SSH_LOG_PACKET);
++
++    rc = ssh_options_set(session,
++                         SSH_OPTIONS_LOG_VERBOSITY_STR,
++                         "datsun");
++    assert_int_equal(rc, -1);
++    new_level = ssh_get_log_level();
++    assert_int_not_equal(new_level, 0);
++}
++
+ #ifdef WITH_SERVER
+ const char template[] = "temp_dir_XXXXXX";
+ 
+@@ -1107,6 +1128,10 @@
+     rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
+     assert_int_equal(rc, 0);
+     assert_int_equal(bind->bindport, 23);
++
++    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
++    assert_int_equal(rc, -1);
++    assert_int_not_equal(bind->bindport, 0);
+ }
+ 
+ static void torture_bind_options_log_verbosity(void **state)
+@@ -1156,6 +1181,11 @@
+     new_level = ssh_get_log_level();
+     assert_int_equal(new_level, SSH_LOG_PACKET);
+ 
++    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
++    assert_int_equal(rc, -1);
++    new_level = ssh_get_log_level();
++    assert_int_not_equal(new_level, 0);
++
+     rc = ssh_set_log_level(previous_level);
+     assert_int_equal(rc, SSH_OK);
+ }
+@@ -1643,6 +1673,7 @@
+         cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
+         cmocka_unit_test_setup_teardown(torture_options_config_match,
+                                         setup, teardown),
++        cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
+     };
+ 
+ #ifdef WITH_SERVER

SOURCES/fix_tests.patch

@@ -0,0 +1,668 @@
+diff --color -ru ../libssh-0.9.6/examples/sshnetcat.c ./examples/sshnetcat.c
+--- ../libssh-0.9.6/examples/sshnetcat.c	2021-08-26 14:27:42.000000000 +0200
++++ ./examples/sshnetcat.c	2023-05-02 10:36:00.793381735 +0200
+@@ -233,9 +233,10 @@
+ }
+ 
+ void cleanup_pcap(void);
+-void cleanup_pcap(){
++void cleanup_pcap(void)
++{
+ 	ssh_pcap_file_free(pcap);
+-	pcap=NULL;
++	pcap = NULL;
+ }
+ #endif
+ 
+diff --color -ru ../libssh-0.9.6/src/init.c ./src/init.c
+--- ../libssh-0.9.6/src/init.c	2021-03-15 08:11:33.000000000 +0100
++++ ./src/init.c	2023-05-02 10:36:00.793381735 +0200
+@@ -269,7 +269,7 @@
+  *
+  * @see ssh_init()
+  */
+-bool is_ssh_initialized() {
++bool is_ssh_initialized(void) {
+ 
+     bool is_initialized = false;
+ 
+diff --color -ru ../libssh-0.9.6/tests/client/torture_auth.c ./tests/client/torture_auth.c
+--- ../libssh-0.9.6/tests/client/torture_auth.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/client/torture_auth.c	2023-05-02 10:36:00.815381960 +0200
+@@ -200,7 +200,8 @@
+     assert_non_null(ssh_agent_pidfile);
+ 
+     /* kill agent pid */
+-    torture_terminate_process(ssh_agent_pidfile);
++    rc = torture_terminate_process(ssh_agent_pidfile);
++    assert_return_code(rc, errno);
+ 
+     unlink(ssh_agent_pidfile);
+ 
+@@ -551,6 +552,7 @@
+ 
+ static void torture_auth_agent_cert(void **state)
+ {
++#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -570,6 +572,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
++#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     /* Setup loads a different key, tests are exactly the same. */
+     torture_auth_agent(state);
+@@ -577,6 +580,7 @@
+ 
+ static void torture_auth_agent_cert_nonblocking(void **state)
+ {
++#if OPENSSH_VERSION_MAJOR < 8 || (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR == 0)
+     struct torture_state *s = *state;
+     ssh_session session = s->ssh.session;
+     int rc;
+@@ -596,6 +600,7 @@
+                              "ssh-rsa-cert-v01@openssh.com");
+         assert_int_equal(rc, SSH_OK);
+     }
++#endif /* OPENSSH_VERSION_MAJOR < 8.1 */
+ 
+     torture_auth_agent_nonblocking(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
+--- ../libssh-0.9.6/tests/client/torture_rekey.c	2023-04-28 17:26:41.472315318 +0200
++++ ./tests/client/torture_rekey.c	2023-05-02 10:36:00.805381857 +0200
+@@ -38,6 +38,8 @@
+ #include <fcntl.h>
+ #include <pwd.h>
+ 
++#define KEX_RETRY 32
++
+ static uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
+ 
+ static int sshd_setup(void **state)
+@@ -190,10 +192,11 @@
+     rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
+     assert_int_equal(rc, SSH_AUTH_SUCCESS);
+ 
+-    /* send ignore packets of up to 1KB to trigger rekey */
++    /* send ignore packets of up to 1KB to trigger rekey. Send little bit more
++     * to make sure it completes with all different ciphers */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 16; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+         ssh_handle_packets(s->ssh.session, 50);
+     }
+@@ -496,9 +499,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 20; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
++        ssh_handle_packets(s->ssh.session, 100);
++
++        c = s->ssh.session->current_crypto;
++        /* SHA256 len */
++        if (c->digest_len != 32) {
++            break;
++        }
+     }
+ 
+     /* The rekey limit was restored in the new crypto to the same value */
+@@ -568,9 +577,15 @@
+      * to make sure the rekey it completes with all different ciphers (paddings */
+     memset(data, 0, sizeof(data));
+     memset(data, 'A', 128);
+-    for (i = 0; i < 25; i++) {
++    for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 50);
++        ssh_handle_packets(s->ssh.session, 100);
++
++        c = s->ssh.session->current_crypto;
++        /* SHA256 len */
++        if (c->digest_len != 32) {
++            break;
++        }
+     }
+ 
+     /* Check that the secret hash is different than initially */
+diff --color -ru ../libssh-0.9.6/tests/CMakeLists.txt ./tests/CMakeLists.txt
+--- ../libssh-0.9.6/tests/CMakeLists.txt	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/CMakeLists.txt	2023-05-02 10:32:03.964511860 +0200
+@@ -153,6 +153,17 @@
+         execute_process(COMMAND ${ID_EXECUTABLE} -u OUTPUT_VARIABLE LOCAL_UID OUTPUT_STRIP_TRAILING_WHITESPACE)
+     endif()
+ 
++    find_program(TIMEOUT_EXECUTABLE
++                 NAME
++                    timeout
++                 PATHS
++                    /bin
++                    /usr/bin
++                    /usr/local/bin)
++    if (TIMEOUT_EXECUTABLE)
++        set(WITH_TIMEOUT "1")
++    endif()
++
+     # chroot_wrapper
+     add_library(chroot_wrapper SHARED chroot_wrapper.c)
+     set(CHROOT_WRAPPER_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}chroot_wrapper${CMAKE_SHARED_LIBRARY_SUFFIX})
+diff --color -ru ../libssh-0.9.6/tests/pkd/pkd_keyutil.c ./tests/pkd/pkd_keyutil.c
+--- ../libssh-0.9.6/tests/pkd/pkd_keyutil.c	2021-03-15 08:11:33.000000000 +0100
++++ ./tests/pkd/pkd_keyutil.c	2023-05-02 10:36:00.793381735 +0200
+@@ -22,7 +22,7 @@
+ #include "pkd_keyutil.h"
+ #include "pkd_util.h"
+ 
+-void setup_rsa_key() {
++void setup_rsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
+@@ -31,7 +31,7 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void setup_ed25519_key() {
++void setup_ed25519_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_ED25519_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
+@@ -41,7 +41,7 @@
+ }
+ 
+ #ifdef HAVE_DSA
+-void setup_dsa_key() {
++void setup_dsa_key(void) {
+     int rc = 0;
+     if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
+@@ -51,7 +51,7 @@
+ }
+ #endif
+ 
+-void setup_ecdsa_keys() {
++void setup_ecdsa_keys(void) {
+     int rc = 0;
+ 
+     if (access(LIBSSH_ECDSA_256_TESTKEY, F_OK) != 0) {
+@@ -71,27 +71,27 @@
+     }
+ }
+ 
+-void cleanup_rsa_key() {
++void cleanup_rsa_key(void) {
+     cleanup_key(LIBSSH_RSA_TESTKEY);
+ }
+ 
+-void cleanup_ed25519_key() {
++void cleanup_ed25519_key(void) {
+     cleanup_key(LIBSSH_ED25519_TESTKEY);
+ }
+ 
+ #ifdef HAVE_DSA
+-void cleanup_dsa_key() {
++void cleanup_dsa_key(void) {
+     cleanup_key(LIBSSH_DSA_TESTKEY);
+ }
+ #endif
+ 
+-void cleanup_ecdsa_keys() {
++void cleanup_ecdsa_keys(void) {
+     cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
+     cleanup_key(LIBSSH_ECDSA_521_TESTKEY);
+ }
+ 
+-void setup_openssh_client_keys() {
++void setup_openssh_client_keys(void) {
+     int rc = 0;
+ 
+     if (access(OPENSSH_CA_TESTKEY, F_OK) != 0) {
+@@ -184,7 +184,7 @@
+     }
+ }
+ 
+-void cleanup_openssh_client_keys() {
++void cleanup_openssh_client_keys(void) {
+     cleanup_key(OPENSSH_CA_TESTKEY);
+     cleanup_key(OPENSSH_RSA_TESTKEY);
+     cleanup_file(OPENSSH_RSA_TESTKEY "-sha256-cert.pub");
+@@ -199,7 +199,7 @@
+     }
+ }
+ 
+-void setup_dropbear_client_rsa_key() {
++void setup_dropbear_client_rsa_key(void) {
+     int rc = 0;
+     if (access(DROPBEAR_RSA_TESTKEY, F_OK) != 0) {
+         rc = system_checked(DROPBEAR_KEYGEN " -t rsa -f "
+@@ -208,6 +208,6 @@
+     assert_int_equal(rc, 0);
+ }
+ 
+-void cleanup_dropbear_client_rsa_key() {
++void cleanup_dropbear_client_rsa_key(void) {
+     unlink(DROPBEAR_RSA_TESTKEY);
+ }
+diff --color -ru ../libssh-0.9.6/tests/server/torture_server_config.c ./tests/server/torture_server_config.c
+--- ../libssh-0.9.6/tests/server/torture_server_config.c	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/server/torture_server_config.c	2023-05-02 10:36:00.815381960 +0200
+@@ -285,9 +285,7 @@
+     assert_non_null(s);
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
++    assert_return_code(rc, errno);
+ 
+     unlink(s->srv_pidfile);
+ 
+@@ -513,6 +511,12 @@
+         /* Try each algorithm individually */
+         j = 0;
+         while(tokens->tokens[j] != NULL) {
++            char *cmp = strstr(OPENSSH_CIPHERS, tokens->tokens[j]);
++            if (cmp == NULL) {
++                /* This cipher is not supported by the OpenSSH. Skip it */
++                j++;
++                continue;
++            }
+             snprintf(config_content,
+                     sizeof(config_content),
+                     "HostKey %s\nCiphers %s\n",
+diff --color -ru ../libssh-0.9.6/tests/tests_config.h.cmake ./tests/tests_config.h.cmake
+--- ../libssh-0.9.6/tests/tests_config.h.cmake	2021-08-26 14:27:42.000000000 +0200
++++ ./tests/tests_config.h.cmake	2023-05-02 10:32:03.964511860 +0200
+@@ -66,4 +66,6 @@
+ 
+ #cmakedefine NC_EXECUTABLE "${NC_EXECUTABLE}"
+ #cmakedefine SSHD_EXECUTABLE "${SSHD_EXECUTABLE}"
+-#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
+\ No newline at end of file
++#cmakedefine SSH_EXECUTABLE "${SSH_EXECUTABLE}"
++#cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
++#cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
+diff --color -ru ../libssh-0.9.6/tests/torture.c ./tests/torture.c
+--- ../libssh-0.9.6/tests/torture.c	2021-08-26 14:27:44.000000000 +0200
++++ ./tests/torture.c	2023-05-02 10:36:00.815381960 +0200
+@@ -51,6 +51,7 @@
+ #include "torture.h"
+ #include "torture_key.h"
+ #include "libssh/misc.h"
++#include "libssh/token.h"
+ 
+ #define TORTURE_SSHD_SRV_IPV4 "127.0.0.10"
+ /* socket wrapper IPv6 prefix  fd00::5357:5fxx */
+@@ -250,8 +251,12 @@
+ 
+         rc = kill(pid, 0);
+         if (rc != 0) {
+-            is_running = 0;
+-            break;
++            /* Process not found */
++            if (errno == ESRCH) {
++                is_running = 0;
++                rc = 0;
++                break;
++            }
+         }
+     }
+ 
+@@ -260,7 +265,7 @@
+                 "WARNING: The process with pid %u is still running!\n", pid);
+     }
+ 
+-    return 0;
++    return rc;
+ }
+ 
+ ssh_session torture_ssh_session(struct torture_state *s,
+@@ -611,6 +616,112 @@
+     *state = s;
+ }
+ 
++/**
++ * @brief Create a libssh server configuration file
++ *
++ * It is expected the socket directory to be already created before by calling
++ * torture_setup_socket_dir().  The created configuration file will be stored in
++ * the socket directory and the srv_config pointer in the state will be
++ * initialized.
++ *
++ * @param[in] state A pointer to a pointer to an initialized torture_state
++ *                  structure
++ */
++void torture_setup_create_libssh_config(void **state)
++{
++    struct torture_state *s = *state;
++    char ed25519_hostkey[1024] = {0};
++#ifdef HAVE_DSA
++    char dsa_hostkey[1024];
++#endif /* HAVE_DSA */
++    char rsa_hostkey[1024];
++    char ecdsa_hostkey[1024];
++    char sshd_config[2048];
++    char sshd_path[1024];
++    const char *additional_config = NULL;
++    struct stat sb;
++    const char config_string[]=
++             "LogLevel DEBUG3\n"
++             "Port 22\n"
++             "ListenAddress 127.0.0.10\n"
++             "%s %s\n"
++             "%s %s\n"
++             "%s %s\n"
++#ifdef HAVE_DSA
++             "%s %s\n"
++#endif /* HAVE_DSA */
++             "%s\n"; /* The space for test-specific options */
++    bool written = false;
++    int rc;
++
++    assert_non_null(s->socket_dir);
++
++    snprintf(sshd_path,
++             sizeof(sshd_path),
++             "%s/sshd",
++             s->socket_dir);
++
++    rc = lstat(sshd_path, &sb);
++    if (rc == 0 ) { /* The directory is already in place */
++        written = true;
++    }
++
++    if (!written) {
++        rc = mkdir(sshd_path, 0755);
++        assert_return_code(rc, errno);
++    }
++
++    snprintf(ed25519_hostkey,
++             sizeof(ed25519_hostkey),
++             "%s/sshd/ssh_host_ed25519_key",
++             s->socket_dir);
++
++    snprintf(rsa_hostkey,
++             sizeof(rsa_hostkey),
++             "%s/sshd/ssh_host_rsa_key",
++             s->socket_dir);
++
++    snprintf(ecdsa_hostkey,
++             sizeof(ecdsa_hostkey),
++             "%s/sshd/ssh_host_ecdsa_key",
++             s->socket_dir);
++
++#ifdef HAVE_DSA
++    snprintf(dsa_hostkey,
++             sizeof(dsa_hostkey),
++             "%s/sshd/ssh_host_dsa_key",
++             s->socket_dir);
++#endif /* HAVE_DSA */
++
++    if (!written) {
++        torture_write_file(ed25519_hostkey,
++                           torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
++        torture_write_file(rsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_RSA, 0));
++        torture_write_file(ecdsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
++#ifdef HAVE_DSA
++        torture_write_file(dsa_hostkey,
++                           torture_get_testkey(SSH_KEYTYPE_DSS, 0));
++#endif /* HAVE_DSA */
++    }
++
++    additional_config = (s->srv_additional_config != NULL ?
++                         s->srv_additional_config : "");
++
++    snprintf(sshd_config, sizeof(sshd_config),
++            config_string,
++            "HostKey", ed25519_hostkey,
++            "HostKey", rsa_hostkey,
++            "HostKey", ecdsa_hostkey,
++#ifdef HAVE_DSA
++            "HostKey", dsa_hostkey,
++#endif /* HAVE_DSA */
++            additional_config);
++
++    torture_write_file(s->srv_config, sshd_config);
++}
++
+ static void torture_setup_create_sshd_config(void **state, bool pam)
+ {
+     struct torture_state *s = *state;
+@@ -856,21 +967,140 @@
+     return 1;
+ }
+ 
+-void torture_setup_sshd_server(void **state, bool pam)
++/**
++ * @brief Run a libssh based server under timeout.
++ *
++ * It is expected that the socket directory and libssh configuration file were
++ * already created before by calling torture_setup_socket_dir() and
++ * torture_setup_create_libssh_config() (or alternatively setup the state with
++ * the correct values).
++ *
++ * @param[in] state The content of the address pointed by this variable must be
++ *                  a pointer to an initialized instance of torture_state
++ *                  structure; it can be obtained by calling
++ *                  torture_setup_socket_dir() and
++ *                  torture_setup_create_libssh_config().
++ * @param[in] server_path  The path to the server executable.
++ *
++ * @note This function will use the state->srv_additional_config field as
++ * additional command line option used when starting the server instead of extra
++ * configuration file options.
++ * */
++void torture_setup_libssh_server(void **state, const char *server_path)
+ {
+     struct torture_state *s;
+-    char sshd_start_cmd[1024];
++    char start_cmd[1024];
++    char timeout_cmd[512];
++    char env[1024];
++    char extra_options[1024];
+     int rc;
++    char *ld_preload = NULL;
++    const char *force_fips = NULL;
+ 
+-    torture_setup_socket_dir(state);
+-    torture_setup_create_sshd_config(state, pam);
++    struct ssh_tokens_st *env_tokens;
++    struct ssh_tokens_st *arg_tokens;
++
++    pid_t pid;
++    ssize_t printed;
++
++    s = *state;
++
++    /* Get all the wrapper libraries to be pre-loaded */
++    ld_preload = getenv("LD_PRELOAD");
++
++    if (s->srv_additional_config != NULL) {
++        printed = snprintf(extra_options, sizeof(extra_options), " %s ",
++                           s->srv_additional_config);
++        if (printed < 0) {
++            fail_msg("Failed to print additional config!");
++        }
++    } else {
++        printed = snprintf(extra_options, sizeof(extra_options), " ");
++        if (printed < 0) {
++            fail_msg("Failed to print empty additional config!");
++        }
++    }
++
++    if (ssh_fips_mode()) {
++        force_fips = "OPENSSL_FORCE_FIPS_MODE=1 ";
++    } else {
++        force_fips = "";
++    }
++
++    /* Write the environment setting */
++    printed = snprintf(env, sizeof(env),
++                       "SOCKET_WRAPPER_DIR=%s "
++                       "SOCKET_WRAPPER_DEFAULT_IFACE=10 "
++                       "LD_PRELOAD=%s "
++                       "%s",
++                       s->socket_dir, ld_preload, force_fips);
++    if (printed < 0) {
++        fail_msg("Failed to print env!");
++    }
++
++#ifdef WITH_TIMEOUT
++    snprintf(timeout_cmd, sizeof(timeout_cmd),
++             "%s %s ", TIMEOUT_EXECUTABLE, "5m");
++#else
++    timeout_cmd[0] = '\0';
++#endif
++
++    /* Write the start command */
++    printed = snprintf(start_cmd, sizeof(start_cmd),
++                       "%s"
++                       "%s -f%s -v4 -p22 -i%s -C%s%s%s",
++                       timeout_cmd,
++                       server_path, s->pcap_file, s->srv_pidfile,
++                       s->srv_config, extra_options, TORTURE_SSH_SERVER);
++    if (printed < 0) {
++        fail_msg("Failed to print start command!");
++    }
++
++    pid = fork();
++    switch(pid) {
++    case 0:
++        env_tokens = ssh_tokenize(env, ' ');
++        if (env_tokens == NULL || env_tokens->tokens == NULL) {
++            fail_msg("Failed to tokenize env!");
++        }
++
++        arg_tokens = ssh_tokenize(start_cmd, ' ');
++        if (arg_tokens == NULL || arg_tokens->tokens == NULL) {
++            ssh_tokens_free(env_tokens);
++            fail_msg("Failed to tokenize args!");
++        }
++
++        rc = execve(arg_tokens->tokens[0], (char **)arg_tokens->tokens,
++                    (char **)env_tokens->tokens);
++
++        /* execve returns only in case of error */
++        ssh_tokens_free(env_tokens);
++        ssh_tokens_free(arg_tokens);
++        fail_msg("Error in execve: %s", strerror(errno));
++    case -1:
++        fail_msg("Failed to fork!");
++    default:
++        /* The parent continues the execution of the tests */
++        setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
++        unsetenv("PAM_WRAPPER");
++
++        /* Wait until the server is ready to accept connections */
++        rc = torture_wait_for_daemon(15);
++        assert_int_equal(rc, 0);
++        break;
++    }
++}
++
++static int torture_start_sshd_server(void **state)
++{
++    struct torture_state *s = *state;
++    char sshd_start_cmd[1024];
++    int rc;
+ 
+     /* Set the default interface for the server */
+     setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
+     setenv("PAM_WRAPPER", "1", 1);
+ 
+-    s = *state;
+-
+     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
+              SSHD_EXECUTABLE " -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+              s->srv_config, s->socket_dir, s->socket_dir);
+@@ -882,7 +1112,20 @@
+     unsetenv("PAM_WRAPPER");
+ 
+     /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
++    rc = torture_wait_for_daemon(15);
++    assert_int_equal(rc, 0);
++
++    return SSH_OK;
++}
++
++void torture_setup_sshd_server(void **state, bool pam)
++{
++    int rc;
++
++    torture_setup_socket_dir(state);
++    torture_setup_create_sshd_config(state, pam);
++
++    rc = torture_start_sshd_server(state);
+     assert_int_equal(rc, 0);
+ }
+ 
+@@ -922,29 +1165,12 @@
+ torture_reload_sshd_server(void **state)
+ {
+     struct torture_state *s = *state;
+-    pid_t pid;
+     int rc;
+ 
+-    /* read the pidfile */
+-    pid = torture_read_pidfile(s->srv_pidfile);
+-    assert_int_not_equal(pid, -1);
+-
+-    kill(pid, SIGHUP);
+-
+-    /* 10 ms */
+-    usleep(10 * 1000);
+-
+-    rc = kill(pid, 0);
+-    if (rc != 0) {
+-        fprintf(stderr,
+-                "ERROR: SSHD process %u died during reload!\n", pid);
+-        return SSH_ERROR;
+-    }
++    rc = torture_terminate_process(s->srv_pidfile);
++    assert_return_code(rc, errno);
+ 
+-    /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
+-    assert_int_equal(rc, 0);
+-    return SSH_OK;
++    return torture_start_sshd_server(state);
+ }
+ 
+ /* @brief: Updates SSHD server configuration with more options and
+@@ -980,9 +1206,7 @@
+     int rc;
+ 
+     rc = torture_terminate_process(s->srv_pidfile);
+-    if (rc != 0) {
+-        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+-    }
++    assert_return_code(rc, errno);
+ 
+     torture_teardown_socket_dir(state);
+ }
+diff --color -ru ../libssh-0.9.6/tests/torture.h ./tests/torture.h
+--- ../libssh-0.9.6/tests/torture.h	2021-08-26 14:27:44.000000000 +0200
++++ ./tests/torture.h	2023-05-02 10:32:03.964511860 +0200
+@@ -132,6 +132,10 @@
+ 
+ void torture_reset_config(ssh_session session);
+ 
++void torture_setup_create_libssh_config(void **state);
++
++void torture_setup_libssh_server(void **state, const char *server_path);
++
+ /*
+  * This function must be defined in every unit test file.
+  */

SOURCES/libssh-0.9.6.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmEniOkACgkQfuD8TcwB
+Tj0TKQ/9HiMAGSMHoQ+iPVLP06iTc6Cy7rNyON2nPDQwAz0V/dfvkrKAAEflfgYd
+3pt3dbE/qgh2kgQLb9kpbCUmFoGuLgKz36RPOsggwuOsN+eD1n65q8W39sMOQid3
+bjUIOKRdYWC1suZ9fMAO1Ignl69Opd8dAq1Has9YzglaeQaV/lnYQOW4UG0xKHck
+ZOp2qLfjmaQiBAI61eRyxqIYC0F67WKd0bo9D2csoocDVvHLq4syPdbMOfDTB+LL
+KZSAZVW1R1JUVZMkp/P/HU11jNNy3wKoLafocnq8bXkPVrqhyuo+hDJV/OPUvFLa
+VE/BzIRoMNG+1R+GJpwE7ut2DIHPxnZTThRkeVN5qP1+hbhgLJhW62I+HeAnD4s+
++W7fwJovN28I+wqSjVEP8JguprVuoDAX5jVHbeZoMT7p8ATA4Nh3KCbYELEwTtFG
+zsEIlBvoNXD3ce7xGXL3MPqfgKqrZQjRG/iOWvKwDV7WrqK1cFFyL7aeBfK2+dQq
+1Ew7aYlTsH6Hap7XByeSsy4Z5ts3VXIoFix/h+Br5OTYKYgITM7bijNAQ6A2ZWQN
+TxCv8X0sVyaGyXhxG6QhrEWZjFe496MneZkq9e6HKZyaSbzwFwMgOvrUUC7fa8e5
+o1Rvozah81U0nsikwTmDrm15RSK3mr2X34zPW2Ahzr1I5tGZzOk=
+=cO0k
+-----END PGP SIGNATURE-----

SOURCES/s390x_fix.patch

@@ -0,0 +1,19 @@
+diff --git a/src/packet.c b/src/packet.c
+index ec4a7203..a81eb8e3 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -1752,10 +1752,12 @@ static bool
+ ssh_packet_in_rekey(ssh_session session)
+ {
+     /* We know we are rekeying if we are authenticated and the DH
+-     * status is not finished
++     * status is not finished, but we only queue packets until we've
++     * sent our NEWKEYS.
+      */
+     return (session->flags & SSH_SESSION_FLAG_AUTHENTICATED) &&
+-           (session->dh_handshake_state != DH_STATE_FINISHED);
++           (session->dh_handshake_state != DH_STATE_FINISHED) &&
++           (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT);
+ }
+ 
+ int ssh_packet_send(ssh_session session)

SPECS/libssh.spec

@@ -1,39 +1,28 @@
 Name:           libssh
-Version:        0.10.6
+Version:        0.9.6
-Release:        8%{?dist}
+Release:        14%{?dist}
 Summary:        A library implementing the SSH protocol
-License:        LGPL-2.1-or-later
+License:        LGPLv2+
 URL:            http://www.libssh.org
 
-Source0:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
+Source0:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
+Source1:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
-Patch1:         libssh-0.10.6-rekey-timeout.patch
-# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431
-Patch2:         libssh-0.10.6-ipv6-hostname.patch
-# Backport of the following commits from master before we will have the next 0.11.0 release:
-# 9717b99136cbff850000378f70d1391f348713f9 libcrypto-compat.c/h: Remove no longer supported openssl versions
-# 54c1703cb22b917222a6eb2a5d2fde22319d9b7a Move old DSA and RSA structs into EVP_PKEY
-# 1eb3df5254a4348eae6edbc8a2bf08fef4015897 Get rid of the deprecated OpenSSL API
-# 4fb5af1da5cb02933cb4cfa10f72484cca9ca961 src/pki_crypto.c: Fix errors introduced by EC rework
-# 2539d72b7c8d03d54538533db5b346dad52d6db3 Add support for PKCS#11 provider in OpenSSL 3.0
-# f8d7fee58842a11ad7a0386b4e829e36cd6e9432 pki: Use preference hints when loading keys from store
-# e0011a197009897fcba09229e76940d9f5b12404 pki: Avoid freeing static groups/points on OpenSSL<3
-# 9b263cf5e1da6e06f6ab90e3169409a7bed60835 pki_crypto: Fix ecdsa memory leak
-# baa773d1cd6838af33fedcd65ddbb4e46e2b06c0 pki: Calculate missing CRT parameters when building RSA Key
-# 2c876464ab0a27387a122c6a4b39ec187a6fc596 ecdh: Fix missing-prototype warning
-# 2c918aad6763754bdffb84796b410e21f24bb7ec tests: Use /tmp for tmpdirs that contain sockets
-Patch3:         libssh-0.10.6-pkcs11-provider.patch
-Patch4:         libssh-0.10.6-no-engine.patch
-# 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad
-Patch5:         libssh-0.10.6-rate-limit.patch
-# c9cfeb9b838b801c3e2bb070c3db914e81ca4e68
-Patch6:         libssh-0.10.6-compress.patch
 
+Patch0:         loglevel.patch
+Patch1:         s390x_fix.patch
+Patch2:         null_dereference_rekey.patch
+Patch3:         auth_bypass.patch
+Patch4:         fix_tests.patch
+Patch5:         covscan23.patch
+Patch6:         CVE-2023-48795.patch
+Patch7:         CVE-2023-6004.patch
+Patch8:         CVE-2023-6918.patch
 
 BuildRequires:  cmake
+BuildRequires:  doxygen
 BuildRequires:  gcc-c++
 BuildRequires:  gnupg2
 BuildRequires:  openssl-devel
@@ -41,28 +30,22 @@ BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libcmocka-devel
+BuildRequires:  openssh-clients
+BuildRequires:  openssh-server
 BuildRequires:  pam_wrapper
 BuildRequires:  socket_wrapper
 BuildRequires:  nss_wrapper
 BuildRequires:  uid_wrapper
-BuildRequires:  priv_wrapper
-BuildRequires:  openssh-clients
-BuildRequires:  openssh-server
 BuildRequires:  nmap-ncat
-BuildRequires:  pkcs11-provider
-BuildRequires:  p11-kit-devel
-BuildRequires:  p11-kit-server
-BuildRequires:  opensc
-BuildRequires:  softhsm
-BuildRequires:  gnutls-utils
 
+Requires:       crypto-policies
 Requires:       %{name}-config = %{version}-%{release}
 
-Recommends:     crypto-policies
+%ifarch aarch64 ppc64 ppc64le s390x x86_64
-
+Provides: libssh_threads.so()(64bit)
-%ifarch aarch64 ppc64 ppc64le s390x x86_64 riscv64
 Provides: libssh_threads.so.4()(64bit)
 %else
+Provides: libssh_threads.so
 Provides: libssh_threads.so.4
 %endif
 
@@ -77,7 +60,6 @@ third-party programs others than libcrypto (from openssl).
 %package devel
 Summary:        Development files for %{name}
 Requires:       %{name}%{?_isa} = %{version}-%{release}
-Requires:       cmake-filesystem
 
 %description devel
 The %{name}-devel package contains libraries and header files for developing
@@ -86,7 +68,7 @@ applications that use %{name}.
 %package config
 Summary:        Configuration files for %{name}
 BuildArch:      noarch
-Obsoletes:      %{name} < 0.9.0-3
+Obsoletes:      %{name} < 0.9.0-1
 
 %description config
 The %{name}-config package provides the default configuration files for %{name}.
@@ -96,19 +78,26 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %autosetup -p1
 
 %build
-%cmake \
+if test ! -e "obj"; then
+  mkdir obj
+fi
+pushd obj
+
+%cmake .. \
     -DUNIT_TESTING=ON \
     -DCLIENT_TESTING=ON \
     -DSERVER_TESTING=ON \
-    -DWITH_PKCS11_URI=ON \
-    -DWITH_PKCS11_PROVIDER=ON \
     -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
     -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
 
-%cmake_build
+
+%make_build VERBOSE=1
+make docs
+
+popd
 
 %install
-%cmake_install
+make DESTDIR=%{buildroot} install/fast -C obj
 install -d -m755 %{buildroot}%{_sysconfdir}/libssh
 install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
 install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
@@ -120,7 +109,7 @@ install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
 # requiring it to continue working.
 #
 pushd %{buildroot}%{_libdir}
-for i in libssh.so*;
+for i in libssh.so.4*;
 do
     _target="${i}"
     _link_name="${i%libssh*}libssh_threads${i##*libssh}"
@@ -134,22 +123,24 @@ popd
 %ldconfig_scriptlets
 
 %check
-# Tests are randomly failing when run in parallel
+pushd obj
-%global _smp_build_ncpus 1
+ctest --output-on-failure
-%ctest
+popd
 
 %files
-%doc AUTHORS BSD CHANGELOG README
+%doc AUTHORS BSD ChangeLog README
 %license COPYING
 %{_libdir}/libssh.so.4*
 %{_libdir}/libssh_threads.so.4*
 
 %files devel
+%doc obj/doc/html
 %{_includedir}/libssh/
+# own this to avoid dep on cmake -- rex
+%dir  %{_libdir}/cmake/
 %{_libdir}/cmake/libssh/
 %{_libdir}/pkgconfig/libssh.pc
 %{_libdir}/libssh.so
-%{_libdir}/libssh_threads.so
 
 %files config
 %attr(0755,root,root) %dir %{_sysconfdir}/libssh
@@ -157,210 +148,168 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
-* Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
+* Mon Feb 26 2024 Sahana Prasad <sahana@redhat.com> - 0.9.6-14
-- Remove the dependency on engine.h
+- Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
+- Fix CVE-2023-6918 Missing checks for return values for digests
+- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
+  of malicious code through hostname
+- Note: version is bumped from 12 to 14 directly, as the z-stream
+  version in 8.9 also has 13. So bumping it to 14, will prevent
+  upgrade conflicts.
+- Resolves:RHEL-19690, RHEL-17244, RHEL-19312
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.10.6-7
+* Mon May 15 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-12
-- Bump release for June 2024 mass rebuild
+- Fix loglevel regression
+- Related: rhbz#2182251, rhbz#2189742
 
-* Fri Jun 07 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-6
+* Thu May 04 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-11
-- Add riscv64
+- .fmf/version is needed to run the tests
+- Related: rhbz#2182251, rhbz#2189742
 
-* Wed May 22 2024 Sahana Prasad <sahana@redhat.com> - 0.10.6-5
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-10
-- Build libssh with pkcs11-provider instead of pkcs11 engine
+- Add missing ci.fmf file
-- Resolves: RHEL-30437
+- Related: rhbz#2182251, rhbz#2189742
 
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-4
+* Wed May 03 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Fix covscan errors found at gating
+- Related: rhbz#2182251, rhbz#2189742
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-3
+* Tue May 02 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Backport test fixing commits to make the build pass
+- Related: rhbz#2182251, rhbz#2189742
 
-* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
+* Thu Apr 27 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-7
-- Fix regression in IPv6 hosntames parsing
+- Fix NULL dereference during rekeying with algorithm guessing
+  GHSL-2023-032 / CVE-2023-1667
+- Fix possible authentication bypass
+  GHSL 2023-085 / CVE-2023-2283
+- Resolves: rhbz#2182251, rhbz#2189742
 
-* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
+* Fri Jan 06 2023 Norbert Pocs <npocs@redhat.com> - 0.9.6-6
-- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
+- Enable client and server testing build time
+- Fix failing rekey test on arch s390x
+- Resolves: rhbz#2126342
 
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
+* Mon Dec 05 2022 Stanislav Zidek <szidek@redhat.com> - 0.9.6-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+- Fix CI configuration for new TMT
+- Resolves: rhbz#2149910
 
-* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
+* Mon Nov 28 2022 Norbert Pocs <npocs@redhat.com> - 0.9.6-4
-- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
+- Make VERBOSE and lower log levels less verbose
-- Have libssh-devel require cmake-filesystem
+- Resolves: rhbz#2091512
 
-* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
+* Fri Nov 05 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-3
-- Update License to SPDX expression
+- Remove STI tests
 
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
+* Thu Oct 21 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+- Remove bad patch causing errors
+- Adding BuildRequires for openssh (SSHD support)
 
-* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
-- Enable pkcs11 support
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
+  rekeying with different key exchange mechanism
+- Rebase to version 0.9.6
+- Rename SSHD_EXECUTABLE to SSH_EXECUTABLE in tests/torture.c
+- Resolves: rhbz#1896651, rhbz#1994600
 
-* Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
+* Thu Oct 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-4
-- Update to version 0.10.4
+- Revert previous commit as it is incorrect.
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.4
 
-* Fri Sep 02 2022 Andreas Schneider <asn@redhat.com> - 0.10.3-1
+* Thu Oct 14 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
-- Update to version 0.10.3
+- Fix CVE-2021-3634: Fix possible heap-buffer overflow when
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.3
+  rekeying with different key exchange mechanism (#1978810)
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.2
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.1
-  https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.0
-- Removed libssh-0.9.6-openssh-8.8p1-compat.patch
-- resolves: rhbz#2121741
 
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-5
+* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
+  ssh_buffer_new returns NULL (#1862646)
 
-* Fri Jan 28 2022 Jakub Jelen <jjelen@redhat.com> - 0.9.6-4
+* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
-- Fix build-time tests to work with OpenSSH 8.8p1
+- Do not return error when server properly closed the channel (#1849071)
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Mon Jan 10 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.9.6-2
-- Skip broken torture_auth tests
-
-* Wed Sep 15 2021 Norbert Pocs <npocs@redhat.com> - 0.9.6-1
-- Fix CVE-CVE-2021-3634 libssh: possible heap-based buffer
-  overflow when rekeying
-- Resolves: rhbz#1994600
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.5-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Sep 10 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.5-1
-- Update to version 0.9.5
-  https://www.libssh.org/2020/09/10/libssh-0-9-5/
-- Removed patch to re-enable algorithms using sha1 in sshd for testing
-- The algorithms supported by sshd are now automatically detected for testing
-- Resolves: #1862457 - CVE-2020-16135
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jun 22 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-3
-- Do not return error when server properly closed the channel (#1849069)
 - Add a test for CVE-2019-14889
 - Do not parse configuration file in torture_knownhosts test
 
-* Wed Apr 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
+* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
-- Added patch to fix returned version
-
-* Thu Apr 09 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
 - Update to version 0.9.4
   https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
+- Fixed CVE-2019-14889 (#1781782)
+- Fixed CVE-2020-1730 (#1802422)
+- Create missing directories in the path provided for known_hosts files (#1733914)
 - Removed inclusion of OpenSSH server configuration file from
-  libssh_server.config
+  libssh_server.config (#1821339)
-- Added patch to re-enable algorithms using sha1 in sshd for testing
-- resolves: #1822529 - CVE-2020-1730
 
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
+* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
 
-* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 0.9.3-1
+* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
-- Update to version 0.9.3
-- resolves: #1781780 - Fixes CVE-2019-14889
-
-* Thu Nov 07 2019 Andreas Schneider <asn@redhat.com> - 0.9.2-1
-- Upate to version 0.9.2
-- resolves #1769370 - Remove the docs, they can be found on https://api.libssh.org/
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-5
 - Add Obsoletes in libssh-config to avoid conflict with old libssh which
   installed the configuration files.
 
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
 - Eliminate circular dependency with libssh-config subpackage
 
-* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
-- Provide the configuration files in a separate libssh-config subpackage
-
-* Thu Jul 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
-- Do not ignore keys from known_hosts when SSH_OPTIONS_HOSTKEYS is set
-
-* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
-- Fixed Release number to released format
-
-* Fri Jun 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-0.1
 - Update to version 0.9.0
   https://www.libssh.org/2019/06/28/libssh-0-9-0/
+- Added explicit Requires for crypto-policies
+- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
+- Provide the configuration files in a separate libssh-config subpackage
 
-* Wed Jun 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
+* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
 - Update to 0.9.0 pre release version (0.8.91)
 - Added default configuration files for client and server
-- Follow system-wide crypto configuration (crypto-policies)
+- Removed unused patch files left behind
-- Added Recommends for crypto-policies
+- Fixed issues found to run upstream test suite with SELinux
-- Use OpenSSL implementation for KDF, DH, and signatures.
-- Detect FIPS mode and use only allowed algorithms
-- Run client and server tests during build
 
-* Mon Feb 25 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.7-1
+* Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
-- Update to version 0.8.7
+- Fix more regressions introduced by the fixes for CVE-2018-10933
-  https://www.libssh.org/2019/02/25/libssh-0-8-7/
 
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.6-3
+* Thu Nov 29 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Jan 15 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-2
-- Fix rsa-sha2 extension handling (#1666342)
-
-* Thu Jan 03 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.6-1
-- Update to version 0.8.6
-  https://www.libssh.org/2018/12/24/libssh-0-8-6-xmas-edition/
-
-* Mon Oct 29 2018 Andreas Schneider <asn@redhat.com> - 0.8.5-1
 - Update to version 0.8.5
-  https://www.libssh.org/2018/10/29/libssh-0-8-5-and-libssh-0-7-7/
+  * Fixed an issue where global known_hosts file was ignored (#1649321)
+  * Fixed ssh_get_fd() to return writable file descriptor (#1649319)
+  * Fixed regression introduced in known_hosts parsing (#1649315)
+  * Fixed a regression which caused only the first algorithm in known_hosts to
+    be considered (#1638790)
 
-* Tue Oct 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.4-1
+* Thu Nov 08 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-5
-- Update to version 0.8.4
+- Fix regressions introduced by the fixes for CVE-2018-10933
-  https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release
-- Fixes CVE-2018-10933
 
-* Mon Oct 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
+* Wed Oct 17 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.3-4
-- Fixed errors found by static code analysis
+- Fix for authentication bypass issue in server implementation (#1639926)
 
-* Tue Sep 25 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-2
+* Tue Oct 02 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-3
-- Add missing libssh_threads.so link to libssh-devel package
+- Fixed errors found by static code analysis (#1602594)
 
-* Fri Sep 21 2018 Andreas Schneider <asn@redhat.com> - 0.8.3-1
+* Fri Sep 21 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.3-1
 - Update to version 0.8.3
-  https://www.libssh.org/2018/09/21/libssh-0-8-3/
+  * Added support for rsa-sha2 (#1610882)
+  * Added support to parse private keys in openssh container format (other than
+    ed25519) (#1622983)
+  * Added support for diffie-hellman-group18-sha512 and
+    diffie-hellman-group16-sha512 (#1610885)
+  * Added ssh_get_fingerprint_hash()
+  * Added ssh_pki_export_privkey_base64()
+  * Added support for Match keyword in config file
+  * Improved performance and reduced memory footprint for sftp
+  * Fixed ecdsa publickey auth
+  * Fixed reading a closed channel
+  * Added support to announce posix-rename@openssh.com and hardlink@openssh.com
+    in the sftp server
+  * Use -fstack-protector-strong if possible (#1624135)
 
-* Thu Aug 30 2018 Andreas Schneider <asn@redhat.com> - 0.8.2-1
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-4
-- Update to version 0.8.2
+- Fix the creation of symbolic links for libssh_threads.so.4
-  https://www.libssh.org/2018/08/30/libssh-0-8-2
 
-* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-4
+* Wed Aug 15 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-3
-- Fix link creation or RPM doesn't install it
+- Add missing Provides for libssh_threads.so.4
 
-* Wed Aug 15 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-3
+* Tue Aug 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.1-2
-- Add missing so version for libssh_threads.so.4
-
-* Tue Aug 14 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-2
 - Add Provides for libssh_threads.so to unbreak applications
+- Fix ABIMap detection to not depend on python to build
 
 * Mon Aug 13 2018 Andreas Schneider <asn@redhat.com> - 0.8.1-1
 - Update to version 0.8.1
-  https://www.libssh.org/2018/08/13/libssh-0-8-1
+  https://www.libssh.org/2018/08/13/libssh-0-8-1/
-- resolves: #1615248 - pkg-config --modversion
-- resolves: #1615132 - library initialization
 
 * Fri Aug 10 2018 Andreas Schneider <asn@redhat.com> - 0.8.0-1
 - Update to version 0.8.0
@@ -374,6 +323,7 @@ popd
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+- Related: bug#1614611
 
 * Thu Feb 01 2018 Andreas Schneider <asn@redhat.com> - 0.7.5-6
 - resolves: #1540021 - Build against OpenSSL 1.1

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

gating.yaml

@@ -1,23 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}

libssh-0.10.6-compress.patch

@@ -1,41 +0,0 @@
-From c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Aug 2024 17:49:46 +0200
-Subject: [PATCH] wrapper: Avoid asymmetric termination of gzip context
-
-For some reason, both compress and decompress contexts were terminated
-with both compress and decompress end functions (if the deflateEnd worked),
-which was causing for some another unexplained reasons issues on i686
-architecture when running the torture_packet unit test.
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- src/wrapper.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/src/wrapper.c b/src/wrapper.c
-index bf949ea9..d9cf6db5 100644
---- a/src/wrapper.c
-+++ b/src/wrapper.c
-@@ -200,14 +200,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
-         SAFE_FREE(crypto->secret_hash);
-     }
- #ifdef WITH_ZLIB
--    if (crypto->compress_out_ctx &&
--        (deflateEnd(crypto->compress_out_ctx) != 0)) {
--        inflateEnd(crypto->compress_out_ctx);
-+    if (crypto->compress_out_ctx) {
-+        deflateEnd(crypto->compress_out_ctx);
-     }
-     SAFE_FREE(crypto->compress_out_ctx);
- 
--    if (crypto->compress_in_ctx &&
--        (deflateEnd(crypto->compress_in_ctx) != 0)) {
-+    if (crypto->compress_in_ctx) {
-         inflateEnd(crypto->compress_in_ctx);
-     }
-     SAFE_FREE(crypto->compress_in_ctx);
--- 
-2.46.0
-

libssh-0.10.6-ipv6-hostname.patch

@@ -1,263 +0,0 @@
-From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 22 Dec 2023 10:32:40 +0100
-Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- include/libssh/config_parser.h | 11 ++++++++---
- src/config.c                   |  4 ++--
- src/config_parser.c            | 16 +++++++++++-----
- src/options.c                  | 10 ++--------
- 4 files changed, 23 insertions(+), 18 deletions(-)
-
-diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
-index a7dd42a2..ca353432 100644
---- a/include/libssh/config_parser.h
-+++ b/include/libssh/config_parser.h
-@@ -30,6 +30,8 @@
- extern "C" {
- #endif
- 
-+#include <stdbool.h>
-+
- char *ssh_config_get_cmd(char **str);
- 
- char *ssh_config_get_token(char **str);
-@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
-  *                       be stored or NULL if we do not care about the result.
-  * @param[out]  port     Pointer to the location, where the new port will
-  *                       be stored or NULL if we do not care about the result.
-+ * @param[in]   ignore_port Set to true if the we should not attempt to parse
-+ *                       port number.
-  *
-  * @returns     SSH_OK if the provided string is in format of SSH URI,
-  *              SSH_ERROR on failure
-  */
- int ssh_config_parse_uri(const char *tok,
--        char **username,
--        char **hostname,
--        char **port);
-+                         char **username,
-+                         char **hostname,
-+                         char **port,
-+                         bool ignore_port);
- 
- #ifdef __cplusplus
- }
-diff --git a/src/config.c b/src/config.c
-index 5eedbce9..7135c3b1 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
-         }
-         if (parse_entry) {
-             /* We actually care only about the first item */
--            rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
-+            rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
-             /* The rest of the list needs to be passed on */
-             if (endp != NULL) {
-                 next = strdup(endp + 1);
-@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
-             }
-         } else {
-             /* The rest is just sanity-checked to avoid failures later */
--            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
-+            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
-         }
-         if (rv != SSH_OK) {
-             goto out;
-diff --git a/src/config_parser.c b/src/config_parser.c
-index 9ffc8b8b..5f30cd3e 100644
---- a/src/config_parser.c
-+++ b/src/config_parser.c
-@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
- }
- 
- int ssh_config_parse_uri(const char *tok,
--        char **username,
--        char **hostname,
--        char **port)
-+                         char **username,
-+                         char **hostname,
-+                         char **port,
-+                         bool ignore_port)
- {
-     char *endp = NULL;
-     long port_n;
-@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
-         if (endp == NULL) {
-             goto error;
-         }
--    } else {
--        /* Hostnames or aliases expand to the last colon or to the end */
-+    } else if (!ignore_port) {
-+        /* Hostnames or aliases expand to the last colon (if port is requested)
-+         * or to the end */
-         endp = strrchr(tok, ':');
-         if (endp == NULL) {
-             endp = strchr(tok, '\0');
-         }
-+    } else {
-+        /* If no port is requested, expand to the end of line
-+         * (to accommodate the IPv6 addresses) */
-+        endp = strchr(tok, '\0');
-     }
-     if (tok == endp) {
-         /* Zero-length hostnames are not valid */
-diff --git a/src/options.c b/src/options.c
-index 2e73be46..676c49e7 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
-                 ssh_set_error_invalid(session);
-                 return -1;
-             } else {
--                char *username = NULL, *hostname = NULL, *port = NULL;
--                rc = ssh_config_parse_uri(value, &username, &hostname, &port);
-+                char *username = NULL, *hostname = NULL;
-+                rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
-                 if (rc != SSH_OK) {
-                     return -1;
-                 }
--                if (port != NULL) {
--                    SAFE_FREE(username);
--                    SAFE_FREE(hostname);
--                    SAFE_FREE(port);
--                    return -1;
--                }
-                 if (username != NULL) {
-                     SAFE_FREE(session->opts.username);
-                     session->opts.username = username;
--- 
-2.43.0
-
-
-From 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 22 Dec 2023 09:52:18 +0100
-Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
- hostnames
-
-This was an issue in cockpit:
-
-https://github.com/cockpit-project/cockpit/issues/19772
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- tests/unittests/torture_config.c  | 49 +++++++++++++++++++++++++++++++
- tests/unittests/torture_options.c | 16 ++++++++++
- 2 files changed, 65 insertions(+)
-
-diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
-index bc6b08f9..751aa126 100644
---- a/tests/unittests/torture_config.c
-+++ b/tests/unittests/torture_config.c
-@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
-     torture_config_make_absolute_int(state, 1);
- }
- 
-+static void torture_config_parse_uri(void **state)
-+{
-+    char *username = NULL;
-+    char *hostname = NULL;
-+    char *port = NULL;
-+    int rc;
-+
-+    (void)state; /* unused */
-+
-+    rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "localhost");
-+    SAFE_FREE(hostname);
-+    assert_null(port);
-+
-+    rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1.2.3.4");
-+    SAFE_FREE(hostname);
-+    assert_null(port);
-+
-+    rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1.2.3.4");
-+    SAFE_FREE(hostname);
-+    assert_string_equal(port, "2222");
-+    SAFE_FREE(port);
-+
-+    rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1:2:3::4");
-+    SAFE_FREE(hostname);
-+    assert_string_equal(port, "2222");
-+    SAFE_FREE(port);
-+
-+    /* do not want port */
-+    rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
-+    assert_return_code(rc, errno);
-+    assert_null(username);
-+    assert_string_equal(hostname, "1:2:3::4");
-+    SAFE_FREE(hostname);
-+}
-+
- int torture_run_tests(void)
- {
-     int rc;
-@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
-                                         setup, teardown),
-         cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
-                                         setup_no_sshdir, teardown),
-+        cmocka_unit_test_setup_teardown(torture_config_parse_uri,
-+                                        setup, teardown),
-     };
- 
- 
-diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
-index 5ba3bdc6..b07712d8 100644
---- a/tests/unittests/torture_options.c
-+++ b/tests/unittests/torture_options.c
-@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
-     assert_non_null(session->opts.host);
-     assert_string_equal(session->opts.host, "localhost");
- 
-+    /* IPv4 address */
-+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
-+    assert_true(rc == 0);
-+    assert_non_null(session->opts.host);
-+    assert_string_equal(session->opts.host, "127.1.1.1");
-+    assert_null(session->opts.username);
-+
-+    /* IPv6 address */
-+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
-+    assert_true(rc == 0);
-+    assert_non_null(session->opts.host);
-+    assert_string_equal(session->opts.host, "::1");
-+    assert_null(session->opts.username);
-+
-     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
-     assert_true(rc == 0);
-     assert_non_null(session->opts.host);
-@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
-     assert_non_null(session->opts.username);
-     assert_string_equal(session->opts.username, "guru");
- 
-+    /* more @ in uri is OK -- it should go to the username */
-     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
-     assert_true(rc == 0);
-     assert_non_null(session->opts.host);
-     assert_string_equal(session->opts.host, "hostname");
-     assert_non_null(session->opts.username);
-     assert_string_equal(session->opts.username, "at@login");
-+
- }
- 
- static void torture_options_set_ciphers(void **state) {
--- 
-2.43.0
-

libssh-0.10.6-no-engine.patch

@@ -1,48 +0,0 @@
-diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
---- libssh-0.10.6/src/libcrypto.c.no-engine	2024-07-31 09:25:56.460404672 +0200
-+++ libssh-0.10.6/src/libcrypto.c	2024-07-31 09:28:46.900273530 +0200
-@@ -94,7 +94,7 @@ void ssh_reseed(void){
- #endif
- }
- 
--#ifndef WITH_PKCS11_PROVIDER
-+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
- static ENGINE *engine = NULL;
- 
- ENGINE *pki_get_engine(void)
-@@ -126,7 +126,7 @@ ENGINE *pki_get_engine(void)
-     }
-     return engine;
- }
--#endif /* WITH_PKCS11_PROVIDER */
-+#endif /* defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) */
- 
- #ifdef HAVE_OPENSSL_EVP_KDF_CTX
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
-diff -up libssh-0.10.6/src/pki_crypto.c.no-engine libssh-0.10.6/src/pki_crypto.c
---- libssh-0.10.6/src/pki_crypto.c.no-engine	2024-07-31 09:26:34.296823306 +0200
-+++ libssh-0.10.6/src/pki_crypto.c	2024-07-31 09:29:36.414810967 +0200
-@@ -33,7 +33,9 @@
- 
- #include <openssl/pem.h>
- #include <openssl/evp.h>
-+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
- #include <openssl/engine.h>
-+#endif
- #include <openssl/err.h>
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- #include <openssl/dsa.h>
-diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
---- libssh-0.10.6/src/libcrypto.c.no-engine	2024-07-31 11:03:45.262319724 +0200
-+++ libssh-0.10.6/src/libcrypto.c	2024-07-31 11:04:59.842161279 +0200
-@@ -53,7 +53,9 @@
- #include <openssl/core_names.h>
- #endif /* OPENSSL_VERSION_NUMBER */
- #include <openssl/rand.h>
-+#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
- #include <openssl/engine.h>
-+#endif
- 
- #include "libcrypto-compat.h"
- 
-

libssh-0.10.6-rate-limit.patch

@@ -1,47 +0,0 @@
-From 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 9 Aug 2024 11:30:15 +0200
-Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
-
-The new OpenSSH rate limits the failed authentication attempts per source
-address and drops connection when the amount is reached, which is happening
-in our testsuite.
-
-By whitelisting the IP address of the client on the socket wrapper,
-this allows the tests to pass.
-
-https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- tests/torture.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/tests/torture.c b/tests/torture.c
-index c832dfa6..ad0a7836 100644
---- a/tests/torture.c
-+++ b/tests/torture.c
-@@ -755,6 +755,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
-              "HostKeyAlgorithms " OPENSSH_KEYS "\n"
- #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
-              "CASignatureAlgorithms " OPENSSH_KEYS "\n"
-+#endif
-+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
-+             "PerSourcePenaltyExemptList 127.0.0.21\n"
- #endif
-              "Ciphers " OPENSSH_CIPHERS "\n"
-              "KexAlgorithms " OPENSSH_KEX "\n"
-@@ -786,6 +789,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
-              "%s\n" /* Here comes UsePam */
-              "%s" /* The space for test-specific options */
-              "\n"
-+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
-+             "PerSourcePenaltyExemptList 127.0.0.21\n"
-+#endif
-              "Ciphers "
-                 "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
-                 "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
--- 
-2.46.0
-

libssh-0.10.6-rekey-timeout.patch

@@ -1,37 +0,0 @@
-From 96d76161666b117099696afebcef2fe42ae80715 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 16 May 2023 22:55:11 +0200
-Subject: [PATCH] tests: Give the server more time handle rekey
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Norbert Pocs <npocs@redhat.com>
----
- tests/client/torture_rekey.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
-index ccd5ae2cf..0fc13b8b3 100644
---- a/tests/client/torture_rekey.c
-+++ b/tests/client/torture_rekey.c
-@@ -505,7 +505,7 @@ static void torture_rekey_different_kex(void **state)
-     memset(data, 'A', 128);
-     for (i = 0; i < KEX_RETRY; i++) {
-         ssh_send_ignore(s->ssh.session, data);
--        ssh_handle_packets(s->ssh.session, 100);
-+        ssh_handle_packets(s->ssh.session, 1000);
- 
-         c = s->ssh.session->current_crypto;
-         /* SHA256 len */
-@@ -583,7 +583,7 @@ static void torture_rekey_server_different_kex(void **state)
-     memset(data, 'A', 128);
-     for (i = 0; i < KEX_RETRY; i++) {
-         ssh_send_ignore(s->ssh.session, data);
--        ssh_handle_packets(s->ssh.session, 100);
-+        ssh_handle_packets(s->ssh.session, 1000);
- 
-         c = s->ssh.session->current_crypto;
-         /* SHA256 len */
--- 
-GitLab
-
-

plans/ci.fmf

@@ -1,26 +0,0 @@
-/fips-disabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-disabled-buildroot-disabled
-
-
-/fips-disabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-disabled-buildroot-enabled
-
-
-/fips-enaled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-enabled-buildroot-disabled
-
-
-/fips-enaled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/libssh
-      name: /plans/ci/fips-enabled-buildroot-enabled

sources

@@ -1,2 +0,0 @@
-SHA512 (libssh-0.10.6.tar.xz) = 40c62d63c44e882999b71552c237d73fc7364313bd00b15a211a34aeff1b73693da441d2c8d4e40108d00fb7480ec7c5b6d472f9c0784b2359a179632ab0d6c1
-SHA512 (libssh-0.10.6.tar.xz.asc) = 214d7920bebc80a8e6838c64ed06e070709a96fabfb4fff657b55f9588bc0e1612887fe887d23de73ad3540f3bb85288e62eb6a11ccd4bc80afbd44d34ba70d4