16 changed files with 584 additions and 398 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 SOURCES/openwsmand.8.gz
-SOURCES/v2.6.5.tar.gz
+SOURCES/v2.6.8.tar.gz
+SOURCES/v2.8.1.tar.gz
--- a/.openwsman.metadata
+++ b/.openwsman.metadata
@ -0,0 +1,3 @@
+a6a8bbbfa71ce04bedae55f2f06ce97089b6c5e1 SOURCES/openwsmand.8.gz
+e061a41b3d5f5fa4ee284726d283e15f4a0e8c46 SOURCES/v2.6.8.tar.gz
+1ecfd2f1f3bc9cc3e56065c52f796390752bc14e SOURCES/v2.8.1.tar.gz
--- a/SOURCES/openwsman-2.4.0-pamsetup.patch
+++ b/SOURCES/openwsman-2.4.0-pamsetup.patch
@ -1,16 +1,13 @@
-diff -up openwsman-2.6.1/etc/pam/openwsman.pamsetup openwsman-2.6.1/etc/pam/openwsman
--- openwsman-2.6.1/etc/pam/openwsman.pamsetup	2015-08-27 15:46:46.000000000 +0200
-+++ openwsman-2.6.1/etc/pam/openwsman	2015-08-31 16:08:28.166913889 +0200
-@@ -1,7 +1,7 @@
- #%PAM-1.0
-auth       required	pam_unix2.so	nullok
-+auth       required	pam_unix.so		nullok
+diff -up openwsman-2.6.8/etc/pam/openwsman.orig openwsman-2.6.8/etc/pam/openwsman
+--- openwsman-2.6.8/etc/pam/openwsman.orig	2018-11-21 13:51:52.776325243 +0100
+++ openwsman-2.6.8/etc/pam/openwsman	2018-11-21 13:54:17.066351134 +0100
+@@ -2,6 +2,6 @@
+ auth       required	pam_unix.so	nullok
 auth       required	pam_nologin.so
-account    required	pam_unix2.so
-password   required	pam_pwcheck.so	nullok
-password   required	pam_unix2.so	nullok use_first_pass use_authtok
-session    required	pam_unix2.so	none
-+account    required	pam_unix.so
+ account    required	pam_unix.so
+-password   required	pam_cracklib.so	nullok
+-password   required	pam_unix.so	nullok use_first_pass use_authtok nis shadow
+-session    required	pam_unix.so	none
 +password   required	pam_pwquality.so
-+password   required	pam_unix.so		nullok use_first_pass use_authtok
+password   required	pam_unix.so	nullok use_first_pass use_authtok
 +session    required	pam_unix.so
--- a/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
+++ b/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
@ -1,12 +1,54 @@
-diff -up openwsman-2.4.12/bindings/ruby/extconf.rb.orig openwsman-2.4.12/bindings/ruby/extconf.rb
--- openwsman-2.4.12/bindings/ruby/extconf.rb.orig	2015-02-09 09:28:58.232581263 +0100
-+++ openwsman-2.4.12/bindings/ruby/extconf.rb	2015-02-09 09:38:22.836772879 +0100
-@@ -32,7 +32,7 @@ swig = find_executable("swig")
+diff -up openwsman-2.8.1/bindings/ruby/extconf.rb.orig openwsman-2.8.1/bindings/ruby/extconf.rb
+--- openwsman-2.8.1/bindings/ruby/extconf.rb.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/bindings/ruby/extconf.rb	2025-10-20 12:55:46.327604671 +0200
+@@ -5,16 +5,31 @@
+ require 'mkmf'
+ # $CFLAGS = "#{$CFLAGS} -Werror"
+ 
+# libwsman requires 'int facility' to be defined by the application
+# Add syslog.h for LOG_DAEMON constant
+$CFLAGS = "#{$CFLAGS} -include syslog.h"
+
+ # requires wsman, wsman_client, and libxml2
+# Add build directory to library search path
+$LDFLAGS = "#{$LDFLAGS} -L/builddir/build/BUILD/openwsman/openwsman-2.8.1/build/src/lib"
+
+# Add BOTH source include roots (and their /u) to compilation flags
+$CPPFLAGS = "#{$CPPFLAGS} " \
+"-I/builddir/build/BUILD/openwsman-2.8.1/include " \
+"-I/builddir/build/BUILD/openwsman-2.8.1/include/u " \
+"-I/builddir/build/BUILD/openwsman/openwsman-2.8.1/include " \
+"-I/builddir/build/BUILD/openwsman/openwsman-2.8.1/include/u"
+ 
+-unless have_library('wsman', 'wsman_create_doc')
+# Custom test for libwsman that includes facility definition
+unless try_link("#include <syslog.h>\n#include <wsman-xml-api.h>\nint facility = LOG_DAEMON;\nint main(void) { (void)wsman_create_doc(); return 0; }", '-lwsman -lxml2')
+   STDERR.puts "Cannot find wsman_create_doc() in libwsman"
+   STDERR.puts "Is openwsman-devel installed ?"
+   exit 1
+ end
+ find_header 'wsman-xml-api.h', '/usr/include/openwsman'
+ 
+-unless have_library('wsman_client', 'wsmc_create')
+# Custom test for libwsman_client that includes facility definition
+unless try_link("#include <syslog.h>\n#include <wsman-client-api.h>\nint facility = LOG_DAEMON;\nint main(void) { (void)wsmc_create(\"localhost\", 80, \"/wsman\", \"http\", \"u\", \"p\"); return 0; }", '-lwsman_client -lwsman -lxml2')
+   STDERR.puts "Cannot find wsmc_create() in libwsman_client"
+   STDERR.puts "Is openwsman-devel installed ?"
+   exit 1
+@@ -32,8 +47,14 @@ swig = find_executable("swig")
 raise "SWIG not found" unless swig
 
 major, minor, path = RUBY_VERSION.split(".")
 -raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -o openwsman_wrap.c openwsman.i")
-+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.6.5/include/ -o openwsman_wrap.c openwsman.i")
+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} " \
+"-I. -I/usr/include/openwsman " \
+"-I/builddir/build/BUILD/openwsman-2.8.1/include " \
+"-I/builddir/build/BUILD/openwsman-2.8.1/include/u " \
+"-I/builddir/build/BUILD/openwsman/openwsman-2.8.1/include " \
+"-I/builddir/build/BUILD/openwsman/openwsman-2.8.1/include/u " \
+"-o openwsman_wrap.c openwsman.i")
 
- $CPPFLAGS = "-I/usr/include/openwsman -I.."
+-$CPPFLAGS = "-I/usr/include/openwsman -I.."
+$CPPFLAGS = "#{$CPPFLAGS} -I/usr/include/openwsman -I.."
 
+ create_makefile('_openwsman')
--- a/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
+++ b/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
@ -1,31 +1,6 @@
-diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c	2018-01-23 13:14:59.357153453 +0100
-@@ -241,12 +241,20 @@ write_handler( void *ptr, size_t size, s
- static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg)
- {
- 	unsigned char *thumbprint = (unsigned char *)arg;
-	X509 *cert = ctx->cert;
- 	EVP_MD                                  *tempDigest;
- 
- 	unsigned char   tempFingerprint[EVP_MAX_MD_SIZE];
- 	unsigned int      tempFingerprintLen;
- 	tempDigest = (EVP_MD*)EVP_sha1( );
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
-+#else
-+	X509 *cert = ctx->cert;
-+#endif
-+	if(!cert)
-+		return 0;
-+
- 	if ( X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen ) <= 0)
- 		return 0;
- 	if(!memcmp(tempFingerprint, thumbprint, tempFingerprintLen))
-diff -up openwsman-2.6.5/src/server/shttpd/compat_unix.h.orig openwsman-2.6.5/src/server/shttpd/compat_unix.h
--- openwsman-2.6.5/src/server/shttpd/compat_unix.h.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/server/shttpd/compat_unix.h	2018-01-23 13:14:59.357153453 +0100
+diff -up openwsman-2.8.1/src/server/shttpd/compat_unix.h.orig openwsman-2.8.1/src/server/shttpd/compat_unix.h
+--- openwsman-2.8.1/src/server/shttpd/compat_unix.h.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/shttpd/compat_unix.h	2025-02-03 09:11:35.072818890 +0100
@@ -27,10 +27,6 @@
 	pthread_create(&tid, NULL, (void *(*)(void *))a, c); } while (0)
 #endif /* !NO_THREADS */
@ -37,10 +12,10 @@ diff -up openwsman-2.6.5/src/server/shttpd/compat_unix.h.orig openwsman-2.6.5/sr
 #define	DIRSEP				'/'
 #define	IS_DIRSEP_CHAR(c)		((c) == '/')
 #define	O_BINARY			0
-diff -up openwsman-2.6.5/src/server/shttpd/io_ssl.c.orig openwsman-2.6.5/src/server/shttpd/io_ssl.c
--- openwsman-2.6.5/src/server/shttpd/io_ssl.c.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/server/shttpd/io_ssl.c	2018-01-23 13:14:59.357153453 +0100
-@@ -11,23 +11,6 @@
+diff -up openwsman-2.8.1/src/server/shttpd/io_ssl.c.orig openwsman-2.8.1/src/server/shttpd/io_ssl.c
+--- openwsman-2.8.1/src/server/shttpd/io_ssl.c.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/shttpd/io_ssl.c	2025-02-03 09:12:22.387355905 +0100
+@@ -11,28 +11,6 @@
 #include "defs.h"
 
 #if !defined(NO_SSL)
@ -54,8 +29,13 @@ diff -up openwsman-2.6.5/src/server/shttpd/io_ssl.c.orig openwsman-2.6.5/src/ser
 -	{"SSL_set_fd",			{0}},
 -	{"SSL_new",			{0}},
 -	{"SSL_CTX_new",			{0}},
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
 -	{"SSLv23_server_method",	{0}},
 -	{"SSL_library_init",		{0}},
+-#else
+-	{"TLS_server_method",	{0}},
+-	{"OPENSSL_init_ssl",		{0}},
+-#endif
 -	{"SSL_CTX_use_PrivateKey_file",	{0}},
 -	{"SSL_CTX_use_certificate_file",{0}},
 -	{NULL,				{0}}
@ -64,10 +44,10 @@ diff -up openwsman-2.6.5/src/server/shttpd/io_ssl.c.orig openwsman-2.6.5/src/ser
 void
 _shttpd_ssl_handshake(struct stream *stream)
 {
-diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/server/shttpd/shttpd.c
--- openwsman-2.6.5/src/server/shttpd/shttpd.c.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/server/shttpd/shttpd.c	2018-01-23 13:16:13.738228773 +0100
-@@ -1476,20 +1476,14 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+diff -up openwsman-2.8.1/src/server/shttpd/shttpd.c.orig openwsman-2.8.1/src/server/shttpd/shttpd.c
+--- openwsman-2.8.1/src/server/shttpd/shttpd.c.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/shttpd/shttpd.c	2025-02-03 09:13:43.415562784 +0100
+@@ -1510,25 +1510,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
 	int		retval = FALSE;
 	EC_KEY*		key;
 
@ -84,32 +64,20 @@ diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/ser
 -		}
 -
 	/* Initialize SSL crap */
-+	debug("Initialize SSL");
-+	SSL_load_error_strings();
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	OPENSSL_init_ssl(0, NULL);
-+#else
- 	SSL_library_init();
-+#endif
 
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
 	if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
- 		_shttpd_elog(E_LOG, NULL, "SSL_CTX_new error");
-@@ -1532,7 +1526,11 @@ set_ssl(struct shttpd_ctx *ctx, const ch
- 			if (strncasecmp(protocols[idx].name, ssl_disabled_protocols, blank_ptr-ssl_disabled_protocols) == 0) {
- 				//_shttpd_elog(E_LOG, NULL, "SSL: disable %s protocol", protocols[idx].name);
- 				debug("SSL: disable %s protocol", protocols[idx].name);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+				SSL_CTX_set_options(CTX, protocols[idx].opt);
-+#else
- 				SSL_CTX_ctrl(CTX, SSL_CTRL_OPTIONS, protocols[idx].opt, NULL);
-+#endif
- 				break;
- 			}
- 		}
-diff -up openwsman-2.6.5/src/server/shttpd/ssl.h.orig openwsman-2.6.5/src/server/shttpd/ssl.h
--- openwsman-2.6.5/src/server/shttpd/ssl.h.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/server/shttpd/ssl.h	2018-01-23 13:14:59.358153454 +0100
-@@ -12,50 +12,4 @@
+ #else
+-        OPENSSL_init_ssl();
+        OPENSSL_init_ssl(0, NULL);
+ 	if ((CTX = SSL_CTX_new(TLS_server_method())) == NULL)
+ #endif
+ 	        _shttpd_report_ssl_error("SSL_CTX_new failed", NULL);
+diff -up openwsman-2.8.1/src/server/shttpd/ssl.h.orig openwsman-2.8.1/src/server/shttpd/ssl.h
+--- openwsman-2.8.1/src/server/shttpd/ssl.h.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/shttpd/ssl.h	2025-02-03 09:14:43.142975166 +0100
+@@ -12,55 +12,4 @@
 
 #include <openssl/ssl.h>
 
@ -130,7 +98,7 @@ diff -up openwsman-2.6.5/src/server/shttpd/ssl.h.orig openwsman-2.6.5/src/server
 -#define	SSL_ERROR_SYSCALL	5
 -#define	SSL_FILETYPE_PEM	1
 -
- #endif
+-#endif
 -
 -/*
 - * Dynamically loaded SSL functionality
@ -153,9 +121,14 @@ diff -up openwsman-2.6.5/src/server/shttpd/ssl.h.orig openwsman-2.6.5/src/server
 -#define	SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y))
 -#define	SSL_set_fd(x,y)	(* (int (*)(SSL *, int)) FUNC(6))((x), (y))
 -#define	SSL_new(x)	(* (SSL * (*)(SSL_CTX *)) FUNC(7))(x)
-#define	SSL_CTX_new(x)	(* (SSL_CTX * (*)(SSL_METHOD *)) FUNC(8))(x)
+-#define	SSL_CTX_new(x)	(* (SSL_CTX * (*)(const SSL_METHOD *)) FUNC(8))(x)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
 -#define	SSLv23_server_method()	(* (SSL_METHOD * (*)(void)) FUNC(9))()
 -#define	SSL_library_init() (* (int (*)(void)) FUNC(10))()
+-#else
+-#define	TLS_server_method()	(* (SSL_METHOD * (*)(void)) FUNC(9))()
+-#define	OPENSSL_init_ssl() (* (int (*)(void)) FUNC(10))()
+ #endif
 -#define	SSL_CTX_use_PrivateKey_file(x,y,z)	(* (int (*)(SSL_CTX *, \
 -		const char *, int)) FUNC(11))((x), (y), (z))
 -#define	SSL_CTX_use_certificate_file(x,y,z)	(* (int (*)(SSL_CTX *, \
--- a/SOURCES/openwsman-2.6.5-CVE-2019-3816.patch
+++ b/SOURCES/openwsman-2.6.5-CVE-2019-3816.patch
@ -1,79 +0,0 @@
-diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/server/shttpd/shttpd.c
--- openwsman-2.6.5/src/server/shttpd/shttpd.c.orig	2019-03-13 10:20:07.376527798 +0100
-+++ openwsman-2.6.5/src/server/shttpd/shttpd.c	2019-03-13 10:20:07.380527801 +0100
-@@ -336,10 +336,12 @@ date_to_epoch(const char *s)
- }
- 
- static void
-remove_double_dots(char *s)
-+remove_all_leading_dots(char *s)
- {
- 	char	*p = s;
- 
-+	while (*s != '\0' && *s == '.') s++;
-+
- 	while (*s != '\0') {
- 		*p++ = *s++;
- 		if (s[-1] == '/' || s[-1] == '\\')
-@@ -546,7 +548,7 @@ decide_what_to_do(struct conn *c)
- 		*c->query++ = '\0';
- 
- 	_shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1);
-	remove_double_dots(c->uri);
-+	remove_all_leading_dots(c->uri);
- 
- 	root = c->ctx->options[OPT_ROOT];
- 	if (strlen(c->uri) + strlen(root) >= sizeof(path)) {
-@@ -556,6 +558,7 @@ decide_what_to_do(struct conn *c)
- 
- 	(void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri);
- 
-+	DBG(("decide_what_to_do -> processed path: [%s]", path));
- 	/* User may use the aliases - check URI for mount point */
- 	if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) {
- 		(void) _shttpd_snprintf(path, sizeof(path), "%.*s%s",
-@@ -572,7 +575,10 @@ decide_what_to_do(struct conn *c)
- 	if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) {
- 		_shttpd_setup_embedded_stream(c,
- 		    ruri->callback, ruri->callback_data);
-	} else
-+	} else {
-+		_shttpd_send_server_error(c, 403, "Forbidden");
-+	}
-+#if 0
- 	if (strstr(path, HTPASSWD)) {
- 		/* Do not allow to view passwords files */
- 		_shttpd_send_server_error(c, 403, "Forbidden");
-@@ -656,6 +662,7 @@ decide_what_to_do(struct conn *c)
- 	} else {
- 		_shttpd_send_server_error(c, 500, "Internal Error");
- 	}
-+#endif
- }
- 
- static int
-diff -up openwsman-2.6.5/src/server/wsmand.c.orig openwsman-2.6.5/src/server/wsmand.c
--- openwsman-2.6.5/src/server/wsmand.c.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/src/server/wsmand.c	2019-03-13 10:20:07.380527801 +0100
-@@ -198,6 +198,10 @@ static void daemonize(void)
- 	int fd;
- 	char *pid;
- 
-+	/* Change our CWD to / */
-+	i = chdir("/");
-+	assert(i == 0);
-+
- 	if (wsmand_options_get_foreground_debug() > 0) {
- 		return;
- 	}
-@@ -214,10 +218,6 @@ static void daemonize(void)
- 	log_pid = 0;
- 	setsid();
- 
-	/* Change our CWD to / */
-	i=chdir("/");
-        assert(i == 0);
-
- 	/* Close all file descriptors. */
- 	for (i = getdtablesize(); i >= 0; --i)
- 		close(i);
--- a/SOURCES/openwsman-2.6.5-CVE-2019-3833.patch
+++ b/SOURCES/openwsman-2.6.5-CVE-2019-3833.patch
@ -1,94 +0,0 @@
-diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/server/shttpd/shttpd.c
--- openwsman-2.6.5/src/server/shttpd/shttpd.c.orig	2020-05-11 11:10:04.783971915 +0200
-+++ openwsman-2.6.5/src/server/shttpd/shttpd.c	2020-05-11 11:10:04.786971932 +0200
-@@ -705,11 +705,11 @@ parse_http_request(struct conn *c)
- 		_shttpd_send_server_error(c, 500, "Cannot allocate request");
- 	}
- 
-+	io_inc_tail(&c->rem.io, req_len);
-+
- 	if (c->loc.flags & FLAG_CLOSED)
- 		return;
- 
-	io_inc_tail(&c->rem.io, req_len);
-
- 	DBG(("Conn %d: parsing request: [%.*s]", c->rem.chan.sock, req_len, s));
- 	c->rem.flags |= FLAG_HEADERS_PARSED;
- 
-@@ -975,7 +975,7 @@ write_stream(struct stream *from, struct
- }
- 
- 
-static void
-+static int
- connection_desctructor(struct llhead *lp)
- {
- 	struct conn		*c = LL_ENTRY(lp, struct conn, link);
-@@ -999,7 +999,8 @@ connection_desctructor(struct llhead *lp
- 	 * Check the "Connection: " header before we free c->request
- 	 * If it its 'keep-alive', then do not close the connection
- 	 */
-	do_close = (c->ch.connection.v_vec.len >= vec.len &&
-+	do_close = c->rem.flags & FLAG_CLOSED ||
-+	    (c->ch.connection.v_vec.len >= vec.len &&
- 	    !_shttpd_strncasecmp(vec.ptr,c->ch.connection.v_vec.ptr,vec.len)) ||
- 	    (c->major_version < 1 ||
- 	    (c->major_version >= 1 && c->minor_version < 1));
-@@ -1021,7 +1022,7 @@ connection_desctructor(struct llhead *lp
- 		io_clear(&c->loc.io);
- 		c->birth_time = _shttpd_current_time;
- 		if (io_data_len(&c->rem.io) > 0)
-			process_connection(c, 0, 0);
-+			return 1;
- 	} else {
- 		if (c->rem.io_class != NULL)
- 			c->rem.io_class->close(&c->rem);
-@@ -1032,6 +1033,8 @@ connection_desctructor(struct llhead *lp
- 
- 		free(c);
- 	}
-+
-+	return 0;
- }
- 
- static void
-@@ -1039,7 +1042,7 @@ worker_destructor(struct llhead *lp)
- {
- 	struct worker	*worker = LL_ENTRY(lp, struct worker, link);
- 
-	free_list(&worker->connections, connection_desctructor);
-+	free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
- 	free(worker);
- }
- 
-@@ -1072,6 +1075,8 @@ add_to_set(int fd, fd_set *set, int *max
- static void
- process_connection(struct conn *c, int remote_ready, int local_ready)
- {
-+again:
-+
- 	/* Read from remote end if it is ready */
- 	if (remote_ready && io_space_len(&c->rem.io))
- 		read_stream(&c->rem);
-@@ -1100,7 +1105,11 @@ process_connection(struct conn *c, int r
- 	if ((_shttpd_current_time > c->expire_time) ||
- 	    (c->rem.flags & FLAG_CLOSED) ||
- 	    ((c->loc.flags & FLAG_CLOSED) && !io_data_len(&c->loc.io)))
-		connection_desctructor(&c->link);
-+		if (connection_desctructor(&c->link)) {
-+			remote_ready = 0;
-+			local_ready = 0;
-+			goto again;
-+		}
- }
- 
- static int
-@@ -1640,7 +1649,7 @@ worker_function(void *param)
- 	while (worker->exit_flag == 0)
- 		poll_worker(worker, 1000 * 10);
- 
-	free_list(&worker->connections, connection_desctructor);
-+	free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
- 	free(worker);
- }
- 
--- a/SOURCES/openwsman-2.6.5-fix-set-cipher-list-retval-check.patch
+++ b/SOURCES/openwsman-2.6.5-fix-set-cipher-list-retval-check.patch
@ -1,12 +0,0 @@
-diff -up openwsman-2.6.5/src/server/shttpd/shttpd.c.orig openwsman-2.6.5/src/server/shttpd/shttpd.c
--- openwsman-2.6.5/src/server/shttpd/shttpd.c.orig	2018-02-21 10:53:24.964163710 +0100
-+++ openwsman-2.6.5/src/server/shttpd/shttpd.c	2018-02-21 10:53:31.854162875 +0100
-@@ -1541,7 +1541,7 @@ set_ssl(struct shttpd_ctx *ctx, const ch
- 
- 	if (ssl_cipher_list) {
-           int rc = SSL_CTX_set_cipher_list(CTX, ssl_cipher_list);
-          if (rc != 0) {
-+          if (rc != 1) {
-             _shttpd_elog(E_LOG, NULL, "Failed to set SSL cipher list \"%s\"", ssl_cipher_list);
-           }
-         }
--- a/SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch
+++ b/SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch
@ -1,56 +0,0 @@
-diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig	2022-09-08 10:36:46.265107915 +0200
-+++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c	2022-09-08 10:36:46.273107919 +0200
-@@ -452,6 +452,7 @@ wsmc_handler( WsManClient *cl,
- 	long http_code;
- 	long auth_avail = 0;
- 	char *_user = NULL, *_pass = NULL;
-+	int _no_auth = 0; /* 0 if authentication is used, 1 if no authentication was used */
- 	u_buf_t *response = NULL;
- 	//char *soapaction;
- 	char *tmp_str = NULL;
-@@ -551,6 +552,7 @@ wsmc_handler( WsManClient *cl,
- 		_user = wsmc_get_user(cl);
- 		_pass = wsmc_get_password(cl);
- 		if (_user && _pass && cl->data.auth_set) {
-+			_no_auth = 0;
- 			r = curl_easy_setopt(curl, CURLOPT_HTTPAUTH, cl->data.auth_set);
- 			if (r != CURLE_OK) {
- 				cl->fault_string = u_strdup(curl_easy_strerror(r));
-@@ -571,6 +573,11 @@ wsmc_handler( WsManClient *cl,
- 				curl_err("curl_easy_setopt(curl, CURLOPT_USERPWD, ..) failed");
- 				goto DONE;
- 			}
-+        } else {
-+            /* request without user credentials, remember this for
-+             * later use when it might become necessary to print an error message
-+             */
-+            _no_auth = 1;
- 		}
- 
- 		if (wsman_debug_level_debugged(DEBUG_LEVEL_MESSAGE)) {
-@@ -603,6 +610,24 @@ wsmc_handler( WsManClient *cl,
- 				break;
- 			case 401:
- 				// The server requires authentication.
-+                /* RFC 2616 states:
-+                 *
-+                 * If the request already included Authorization credentials, then the 401
-+                 * response indicates that authorization has been refused for those
-+                 * credentials. If the 401 response contains the same challenge as the
-+                 * prior response, and the user agent has already attempted
-+                 * authentication at least once, then the user SHOULD be presented the
-+                 * entity that was given in the response, since that entity might
-+                 * include relevant diagnostic information.
-+                 */
-+                if (_no_auth == 0) {
-+                    /* no authentication credentials were used. It is only
-+                     * possible to write a message about the current situation. There
-+                     * is no information about the last attempt to access the resource.
-+                     * Maybe at a later point in time I will implement more state information.
-+                     */
-+                    fprintf(stdout,"Authentication failed, please retry\n");
-+                }
- 				break;
- 			default:
- 				// The status code does not indicate success.
--- a/SOURCES/openwsman-2.6.5-libcurl-error-codes-update.patch
+++ b/SOURCES/openwsman-2.6.5-libcurl-error-codes-update.patch
@ -0,0 +1,27 @@
+diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
+--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig	2018-11-14 13:53:27.442138557 +0100
+++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c	2018-11-14 14:11:28.508714204 +0100
+@@ -186,16 +186,23 @@ convert_to_last_error(CURLcode r)
+ 		return WS_LASTERR_SSL_CONNECT_ERROR;
+         case CURLE_BAD_FUNCTION_ARGUMENT:
+                 return WS_LASTERR_CURL_BAD_FUNCTION_ARG;
+#if LIBCURL_VERSION_NUM < 0x073E00
+ 	case CURLE_SSL_PEER_CERTIFICATE:
+ 		return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
+ 	case CURLE_SSL_ENGINE_NOTFOUND:
+ 		return WS_LASTERR_SSL_ENGINE_NOTFOUND;
+ 	case CURLE_SSL_ENGINE_SETFAILED:
+ 		return WS_LASTERR_SSL_ENGINE_SETFAILED;
+ 	case CURLE_SSL_CERTPROBLEM:
+ 		return WS_LASTERR_SSL_CERTPROBLEM;
+#if LIBCURL_VERSION_NUM < 0x073E00
+ 	case CURLE_SSL_CACERT:
+ 		return WS_LASTERR_SSL_CACERT;
+#else
+	case CURLE_PEER_FAILED_VERIFICATION:
+		return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
+ #if LIBCURL_VERSION_NUM > 0x70C01
+ 	case CURLE_SSL_ENGINE_INITFAILED:
+ 		return WS_LASTERR_SSL_ENGINE_INITFAILED;
--- a/SOURCES/openwsman-2.6.5-update-ssleay-conf.patch
+++ b/SOURCES/openwsman-2.6.5-update-ssleay-conf.patch
@ -1,15 +0,0 @@
-diff -up openwsman-2.6.5/etc/ssleay.cnf.orig openwsman-2.6.5/etc/ssleay.cnf
--- openwsman-2.6.5/etc/ssleay.cnf.orig	2017-11-28 09:32:15.000000000 +0100
-+++ openwsman-2.6.5/etc/ssleay.cnf	2023-07-10 10:00:44.713426317 +0200
-@@ -2,10 +2,8 @@
- # SSLeay example configuration file.
- #
- 
-RANDFILE                = /dev/random
-
- [ req ]
-default_bits            = 1024
-+default_bits            = 2048
- default_keyfile         = privkey.pem
- distinguished_name      = req_distinguished_name
- 
--- a/SOURCES/openwsman-2.6.8-ssl-certs-gen-changes.patch
+++ b/SOURCES/openwsman-2.6.8-ssl-certs-gen-changes.patch
@ -0,0 +1,102 @@
+diff -up openwsman-2.8.1/etc/owsmangencert.sh.cmake.orig openwsman-2.8.1/etc/owsmangencert.sh.cmake
+--- openwsman-2.8.1/etc/owsmangencert.sh.cmake.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/etc/owsmangencert.sh.cmake	2025-10-17 10:16:34.482996406 +0200
+@@ -1,10 +1,74 @@
+-#!/bin/sh
+-
+ #!/bin/sh -e
+ 
+ CERTFILE=@WSMANCONF_DIR@/servercert.pem
+ KEYFILE=@WSMANCONF_DIR@/serverkey.pem
+ CNFFILE=@WSMANCONF_DIR@/ssleay.cnf
+CAFILE=@WSMANCONF_DIR@/ca.crt
+DAYS=365
+
+function create_ssl_cnf
+{
+    # Get minimum RSA key length at current security level
+    # This workarounds openssl not enforcing min. key length enforced by current security level
+    KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol | cut -d ' ' -f 3`
+
+    # Create OpenSSL configuration files for generating certificates
+    echo "[ req ]" > $CNFFILE
+    echo "default_bits            = $KEYSIZE" >> $CNFFILE
+    echo "default_keyfile         = privkey.pem" >> $CNFFILE
+    echo "distinguished_name      = req_distinguished_name" >> $CNFFILE
+
+    echo "[ req_distinguished_name ]" >> $CNFFILE
+    echo "countryName                     = Country Name (2 letter code)" >> $CNFFILE
+    echo "countryName_default             = GB" >> $CNFFILE
+    echo "countryName_min                 = 2" >> $CNFFILE
+    echo "countryName_max                 = 2" >> $CNFFILE
+
+    echo "stateOrProvinceName             = State or Province Name (full name)" >> $CNFFILE
+    echo "stateOrProvinceName_default     = Some-State" >> $CNFFILE
+
+    echo "localityName                    = Locality Name (eg, city)" >> $CNFFILE
+
+    echo "organizationName                = Organization Name (eg, company; recommended)" >> $CNFFILE
+    echo "organizationName_max            = 64" >> $CNFFILE
+
+    echo "organizationalUnitName          = Organizational Unit Name (eg, section)" >> $CNFFILE
+    echo "organizationalUnitName_max      = 64" >> $CNFFILE
+
+    echo "commonName                      = server name (eg. ssl.domain.tld; required!!!)" >> $CNFFILE
+    echo "commonName_max                  = 80" >> $CNFFILE
+
+    echo "emailAddress                    = Email Address" >> $CNFFILE
+    echo "emailAddress_max                = 85" >> $CNFFILE
+}
+
+function selfsign_sscg()
+{
+    sscg --quiet \
+         --lifetime "$DAYS" \
+         --cert-key-file "$KEYFILE" \
+         --cert-file "$CERTFILE" \
+         --ca-file "$CAFILE"
+}
+
+function selfsign_openssl()
+{
+
+    echo
+    echo creating selfsigned certificate
+    echo "replace it with one signed by a certification authority (CA)"
+    echo
+    echo enter your ServerName at the Common Name prompt
+    echo
+
+    # use special .cnf, because with normal one no valid selfsigned
+    # certificate is created
+
+    openssl req -days $DAYS $@ -config $CNFFILE \
+        -new -x509 -nodes -out $CERTFILE \
+        -keyout $KEYFILE
+    chmod 600 $KEYFILE
+}
+ 
+ if [ "$1" != "--force" -a -f $KEYFILE ]; then
+   echo "$KEYFILE exists!  Use \"$0 --force.\""
+@@ -15,18 +79,7 @@ if [ "$1" = "--force" ]; then
+   shift
+ fi
+ 
+-echo
+-echo creating selfsigned certificate
+-echo "replace it with one signed by a certification authority (CA)"
+-echo
+-echo enter your ServerName at the Common Name prompt
+-echo
+-
+-# use special .cnf, because with normal one no valid selfsigned
+-# certificate is created
+-
+-openssl req -days 365 $@ -config $CNFFILE \
+-  -newkey rsa:2048 -x509 -nodes -out $CERTFILE \
+-  -keyout $KEYFILE
+-chmod 600 $KEYFILE
+create_ssl_cnf
+ 
+# If sscg fails, try openssl
+selfsign_sscg || selfsign_openssl
--- a/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
+++ b/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
@ -0,0 +1,12 @@
+diff -up openwsman-2.7.1/etc/ssleay.cnf.orig openwsman-2.7.1/etc/ssleay.cnf
+--- openwsman-2.7.1/etc/ssleay.cnf.orig	2021-11-09 08:27:48.577749509 +0100
+++ openwsman-2.7.1/etc/ssleay.cnf	2021-11-09 08:28:10.499967010 +0100
+@@ -3,7 +3,7 @@
+ #
+ 
+ [ req ]
+-default_bits            = 1024
+default_bits            = 2048
+ default_keyfile         = privkey.pem
+ distinguished_name      = req_distinguished_name
+ 
--- a/SOURCES/openwsman-2.8.1-facility-definition.patch
+++ b/SOURCES/openwsman-2.8.1-facility-definition.patch
@ -0,0 +1,16 @@
+diff -up openwsman-2.8.1/src/lib/u/log.c.orig openwsman-2.8.1/src/lib/u/log.c
+--- openwsman-2.8.1/src/lib/u/log.c.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/lib/u/log.c	2025-10-22 09:22:30.104144805 +0200
+@@ -25,8 +25,10 @@
+ 
+ #include <u/syslog.h>
+ 
+-/* applications that use libu will define their own "int facility" variable */
+-extern int facility;
+/* Define facility in the library for backward compatibility with openwsman 2.6.8
+ * Applications can still override this if needed */
+int facility = LOG_DAEMON;
+ 
+ 
+ /* log hook. if not-zero use this function to write log messages */
+ static u_log_hook_t hook = NULL;
--- a/SOURCES/openwsman-2.8.1-post-quantum.patch
+++ b/SOURCES/openwsman-2.8.1-post-quantum.patch
@ -0,0 +1,128 @@
+diff -up openwsman-2.8.1/etc/openwsman.conf.orig openwsman-2.8.1/etc/openwsman.conf
+--- openwsman-2.8.1/etc/openwsman.conf.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/etc/openwsman.conf	2026-01-27 14:55:28.358323530 +0100
+@@ -32,8 +32,12 @@ ipv6 = yes
+ 
+ # the openwsman server certificate file, in .pem format
+ ssl_cert_file = /etc/openwsman/servercert.pem
+# the openwsman server certificate fallback file, in .pem format
+#ssl_cert_fallback_file = /etc/openwsman/servercert-fallback.pem
+ # the openwsman server private key, in .pem format
+ ssl_key_file = /etc/openwsman/serverkey.pem
+# the openwsman server private key fallback, in .pem format
+#ssl_key_fallback_file = /etc/openwsman/serverkey-fallback.pem
+ 
+ # space-separated list of SSL protocols to *dis*able
+ # possible values: SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2
+diff -up openwsman-2.8.1/src/server/shttpd/shttpd.c.orig openwsman-2.8.1/src/server/shttpd/shttpd.c
+--- openwsman-2.8.1/src/server/shttpd/shttpd.c.orig	2026-01-27 14:55:28.353983369 +0100
+++ openwsman-2.8.1/src/server/shttpd/shttpd.c	2026-01-27 15:02:00.178890046 +0100
+@@ -1508,7 +1508,6 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ 	char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
+ 	char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
+ 	int		retval = FALSE;
+-	EC_KEY*		key;
+ 
+ 	/* Initialize SSL crap */
+ 
+@@ -1527,11 +1526,15 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ 	else
+ 		retval = TRUE;
+ 
+-	/* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */
+-	key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+-	if (key != NULL) {
+-		SSL_CTX_set_tmp_ecdh(CTX, key);
+-		EC_KEY_free(key);
+	/* Add fall back certificate/key pair */
+	if (wsmand_options_get_ssl_cert_fallback_file() &&
+                    wsmand_options_get_ssl_key_fallback_file()) {
+		if (SSL_CTX_use_certificate_file(CTX, wsmand_options_get_ssl_cert_fallback_file(), SSL_FILETYPE_PEM) != 1)
+			_shttpd_elog(E_LOG, NULL, "cannot open certificate fallback file %s", pem);
+		else if (SSL_CTX_use_PrivateKey_file(CTX, wsmand_options_get_ssl_key_fallback_file(), SSL_FILETYPE_PEM) != 1)
+			_shttpd_elog(E_LOG, NULL, "cannot open fallback PrivateKey %s", pem);
+		else
+			retval = TRUE;
+ 	}
+ 
+ 	while (ssl_disabled_protocols) {
+@@ -1593,6 +1596,26 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+         }
+ 	ctx->ssl_ctx = CTX;
+ 
+	/* Configure TLS key exchange groups with PQC support */
+	if (SSL_CTX_set1_groups_list(CTX, "X25519MLKEM768:P-256:P-384:X25519") != 1) {
+		unsigned long err = ERR_peek_last_error();
+		_shttpd_elog(E_LOG, NULL, "SSL: Failed to set PQC groups: %s",
+			ERR_error_string(err, NULL));
+		/* Fallback to traditional groups */
+		if (SSL_CTX_set1_groups_list(CTX, "P-256:P-384:X25519") != 1)
+			_shttpd_elog(E_LOG, NULL, "SSL: Failed to set traditional groups");
+	}
+
+	/* Configure TLS signature algorithms with PQC support (ML-DSA) */
+	if (SSL_CTX_set1_sigalgs_list(CTX, "mldsa65:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1) {
+		unsigned long err = ERR_peek_last_error();
+		_shttpd_elog(E_LOG, NULL, "SSL: Failed to set PQC signature algorithms: %s",
+			ERR_error_string(err, NULL));
+		/* Fallback to traditional signature algorithms */
+		if (SSL_CTX_set1_sigalgs_list(CTX, "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1)
+			_shttpd_elog(E_LOG, NULL, "SSL: Failed to set traditional signature algorithms");
+	}
+
+ 	return (retval);
+ }
+ #endif /* NO_SSL */
+diff -up openwsman-2.8.1/src/server/wsmand-daemon.c.orig openwsman-2.8.1/src/server/wsmand-daemon.c
+--- openwsman-2.8.1/src/server/wsmand-daemon.c.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/wsmand-daemon.c	2026-01-27 14:55:28.358709575 +0100
+@@ -76,8 +76,10 @@ static int use_ipv6 = 0;
+ #endif
+ static int use_digest = 0;
+ static char *ssl_key_file = NULL;
+static char *ssl_key_fallback_file = NULL;
+ static char *service_path = DEFAULT_SERVICE_PATH;
+ static char *ssl_cert_file = NULL;
+static char *ssl_cert_fallback_file = NULL;
+ static char *ssl_disabled_protocols = NULL;
+ static char *ssl_cipher_list = NULL;
+ static char *pid_file = DEFAULT_PID_PATH;
+@@ -186,7 +188,9 @@ int wsmand_read_config(dictionary * ini)
+ 	service_path =
+ 	    iniparser_getstring(ini, "server:service_path", "/wsman");
+ 	ssl_key_file = iniparser_getstr(ini, "server:ssl_key_file");
+	ssl_key_fallback_file = iniparser_getstr(ini, "server:ssl_key_fallback_file");
+ 	ssl_cert_file = iniparser_getstr(ini, "server:ssl_cert_file");
+	ssl_cert_fallback_file = iniparser_getstr(ini, "server:ssl_cert_fallback_file");
+         ssl_disabled_protocols = iniparser_getstr(ini, "server:ssl_disabled_protocols");
+         ssl_cipher_list = iniparser_getstr(ini, "server:ssl_cipher_list");
+ 	use_ipv4 = iniparser_getboolean(ini, "server:ipv4", 1);
+@@ -364,6 +368,16 @@ char *wsmand_options_get_ssl_cert_file(v
+ 	return ssl_cert_file;
+ }
+ 
+char *wsmand_options_get_ssl_key_fallback_file(void)
+{
+	return ssl_key_fallback_file;
+}
+
+char *wsmand_options_get_ssl_cert_fallback_file(void)
+{
+	return ssl_cert_fallback_file;
+}
+
+ char *wsmand_options_get_ssl_disabled_protocols(void)
+ {
+ 	return ssl_disabled_protocols;
+diff -up openwsman-2.8.1/src/server/wsmand-daemon.h.orig openwsman-2.8.1/src/server/wsmand-daemon.h
+--- openwsman-2.8.1/src/server/wsmand-daemon.h.orig	2025-01-23 10:23:52.000000000 +0100
+++ openwsman-2.8.1/src/server/wsmand-daemon.h	2026-01-27 14:55:28.358825793 +0100
+@@ -76,6 +76,8 @@ int wsmand_options_get_server_port(void)
+ int wsmand_options_get_server_ssl_port(void);
+ char *wsmand_options_get_ssl_key_file(void);
+ char *wsmand_options_get_ssl_cert_file(void);
+char *wsmand_options_get_ssl_key_fallback_file(void);
+char *wsmand_options_get_ssl_cert_fallback_file(void);
+ char *wsmand_options_get_ssl_disabled_protocols(void);
+ char *wsmand_options_get_ssl_cipher_list(void);
+ int wsmand_options_get_digest(void);
--- a/SPECS/openwsman.spec
+++ b/SPECS/openwsman.spec
@ -1,9 +1,10 @@
 # RubyGems's macros expect gem_name to exist.
 %global		gem_name %{name}
+%global		compatver	2.6.8

 Name:		openwsman
-Version:	2.6.5
-Release:	10%{?dist}
+Version:	2.8.1
+Release:	2%{?dist}
 Summary:	Open source Implementation of WS-Management

 License:	BSD
@ -15,23 +16,27 @@ Source1:	openwsmand.8.gz
 Source2:	openwsmand.service
 # script for testing presence of the certificates in ExecStartPre
 Source3:	owsmantestcert.sh
+# source for libwsman_client lib compatibility
+Source4:	https://github.com/Openwsman/openwsman/archive/v%{compatver}.tar.gz
 Patch1:		openwsman-2.4.0-pamsetup.patch
 Patch2:		openwsman-2.4.12-ruby-binding-build.patch
 Patch3:		openwsman-2.6.2-openssl-1.1-fix.patch
 Patch4:		openwsman-2.6.5-http-status-line.patch
-Patch5:		openwsman-2.6.5-fix-set-cipher-list-retval-check.patch
-Patch6:		openwsman-2.6.5-CVE-2019-3816.patch
-# Patch7: fixes CVE-2019-3833, rhbz#1687865
-Patch7:		openwsman-2.6.5-CVE-2019-3833.patch
-Patch8:		openwsman-2.6.5-http-unauthorized-improve.patch
-# Patch9: fixes cert issue, rhbz#2220821
-Patch9:         openwsman-2.6.5-update-ssleay-conf.patch
+# Patch5 is just for compat package, not needed in 2.8.1
+Patch5:		openwsman-2.6.5-libcurl-error-codes-update.patch
+Patch8:		openwsman-2.6.8-update-ssleay-conf.patch
+Patch10:	openwsman-2.6.8-ssl-certs-gen-changes.patch
+# Patch11 is just for compat
+Patch11:	openwsman-2.8.1-facility-definition.patch
+Patch12:	openwsman-2.8.1-post-quantum.patch
+BuildRequires: make
 BuildRequires:	swig
 BuildRequires:	libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
 BuildRequires:	python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter
 BuildRequires:	perl-devel perl-generators pkgconfig openssl-devel
 BuildRequires:	cmake
 BuildRequires:	systemd-units
+BuildRequires:	gcc gcc-c++

 %description
 Openwsman is a project intended to provide an open-source
@ -94,6 +99,7 @@ This package provides Python3 bindings to access the openwsman client API.
 License:	BSD
 Summary:	Ruby client bindings for Openwsman
 Obsoletes:	%{name}-ruby < %{version}-%{release}
+Requires:	libwsman1 = %{version}-%{release}

 %description -n rubygem-%{gem_name}
 The openwsman gem provides a Ruby API to manage systems using
@ -125,28 +131,35 @@ This is a command line tool for the Windows Remote Shell protocol.
 You can use it to send shell commands to a remote Windows hosts.

 %prep
-%setup -q
+%setup -q -c -n %{name} -a 4
+# apply patches for regular source
+cd %{name}-%{version}

-%patch1 -p1 -b .pamsetup
-%patch2 -p1 -b .ruby-binding-build
-%patch3 -p1 -b .openssl-1.1-fix
-%patch4 -p1 -b .http-status-line
-%patch5 -p1 -b .fix-set-cipher-list-retval-check
-%patch6 -p1 -b .CVE-2019-3816
-%patch7 -p1 -b .CVE-2019-3833
-%patch8 -p1 -b .http-unauthorized-improve
-%patch9 -p1 -b .update-ssleay-conf
+%patch -P1 -p1 -b .pamsetup
+%patch -P2 -p1 -b .ruby-binding-build
+%patch -P3 -p1 -b .openssl-1.1-fix
+%patch -P4 -p1 -b .http-status-line
+%patch -P8 -p1 -b .update-ssleay-conf
+%patch -P10 -p1 -b .ssl-certs-gen-changes
+%patch -P11 -p1 -b .facility-definition
+%patch -P12 -p1 -b .post-quantum
+
+# apply patches for compatibility source
+cd ../%{name}-%{compatver}
+%patch -P5 -p1 -b .libcurl-error-codes-update

 %build
-# Removing executable permissions on .c and .h files to fix rpmlint warnings. 
+# build regular source
+cd %{name}-%{version}
+# Removing executable permissions on .c and .h files to fix rpmlint warnings.
 chmod -x src/cpp/WsmanClient.h

 rm -rf build
 mkdir build

 export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -DFEDORA -DNO_SSL_CALLBACK"
-export CFLAGS="-D_GNU_SOURCE -fPIE -DPIE"
-export LDFLAGS="$LDFLAGS -Wl,-z,now -pie"
+export CFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
 cd build
 cmake \
 	-DCMAKE_INSTALL_PREFIX=/usr \
@ -158,30 +171,64 @@ cmake \
 	-DPACKAGE_ARCHITECTURE=`uname -m` \
 	-DLIB=%{_lib} \
 	-DBUILD_JAVA=no \
+	-DBUILD_PYTHON=no \
 	..

 make

 # Make the freshly build openwsman libraries available to build the gem's
 # binary extension.
-export LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib
-export CPATH=%{_builddir}/%{name}-%{version}/include/
-export LD_LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib/
+export LIBRARY_PATH=%{_builddir}/%{name}/%{name}-%{version}/build/src/lib
+export CPATH=%{_builddir}/%{name/}%{name}-%{version}/include/
+export LD_LIBRARY_PATH=%{_builddir}/%{name}/%{name}-%{version}/build/src/lib/

 %gem_install -n ./bindings/ruby/%{name}-%{version}.gem

+# build compat source
+cd ../../%{name}-%{compatver}
+# Removing executable permissions on .c and .h files to fix rpmlint warnings.
+chmod -x src/cpp/WsmanClient.h
+
+rm -rf build
+mkdir build
+
+export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -DFEDORA -DNO_SSL_CALLBACK"
+export CFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
+cd build
+cmake \
+	-DCMAKE_INSTALL_PREFIX=/usr \
+	-DCMAKE_VERBOSE_MAKEFILE=TRUE \
+	-DCMAKE_BUILD_TYPE=Release \
+	-DCMAKE_C_FLAGS_RELEASE:STRING="$RPM_OPT_FLAGS -fno-strict-aliasing" \
+	-DCMAKE_CXX_FLAGS_RELEASE:STRING="$RPM_OPT_FLAGS" \
+	-DCMAKE_SKIP_RPATH=1 \
+	-DPACKAGE_ARCHITECTURE=`uname -m` \
+	-DLIB=%{_lib} \
+	-DBUILD_JAVA=no \
+	-DBUILD_PYTHON=no \
+	-DBUILD_PYTHON3=no \
+	-DBUILD_PERL=no \
+	-DBUILD_RUBY=no \
+	..
+
+make
+
 %install
+# install regular source
+cd %{name}-%{version}
 cd build

 # Do not install the ruby extension, we are proviging the rubygem- instead.
 echo -n > bindings/ruby/cmake_install.cmake

-make DESTDIR=%{buildroot} install
+%make_install
 cd ..
 rm -f %{buildroot}/%{_libdir}/*.la
 rm -f %{buildroot}/%{_libdir}/openwsman/plugins/*.la
 rm -f %{buildroot}/%{_libdir}/openwsman/authenticators/*.la
 [ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsmanplugin.rb
+[ -d %{buildroot}/%{ruby_sitelibdir} ] && rm -f %{buildroot}%{ruby_sitelibdir}/openwsmanplugin.rb
 [ -d %{buildroot}/%{ruby_vendorlibdir} ] && rm -f %{buildroot}/%{ruby_vendorlibdir}/openwsman.rb
 mkdir -p %{buildroot}%{_sysconfdir}/init.d
 install -m 644 etc/openwsman.conf %{buildroot}/%{_sysconfdir}/openwsman
@ -207,12 +254,18 @@ rm -rf %{buildroot}%{gem_instdir}/ext
 mkdir -p %{buildroot}%{gem_extdir_mri}
 cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdir_mri}/

-%post -n libwsman1 -p /sbin/ldconfig
+# install compat library
+cd ../%{name}-%{compatver}
+install build/src/lib/libwsman_client.so.4.0.0 %{buildroot}/%{_libdir}
+# create symlink
+pushd %{buildroot}/%{_libdir}
+ln -s libwsman_client.so.4.0.0 libwsman_client.so.4
+popd

-%postun -n libwsman1 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libwsman1

 %post server
-/sbin/ldconfig
+%{?ldconfig}
 %systemd_post openwsmand.service

 %preun server
@ -221,32 +274,30 @@ cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdi
 %postun server
 rm -f /var/log/wsmand.log
 %systemd_postun_with_restart openwsmand.service
-/sbin/ldconfig
+%{?ldconfig}

-%post client -p /sbin/ldconfig
-
-%postun client -p /sbin/ldconfig
+%ldconfig_scriptlets client

 %files -n libwsman1
-%doc AUTHORS COPYING ChangeLog README.md TODO
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md %{name}-%{version}/TODO
 %{_libdir}/libwsman.so.*
 %{_libdir}/libwsman_client.so.*
 %{_libdir}/libwsman_curl_client_transport.so.*

 %files -n libwsman-devel
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 %{_includedir}/*
 %{_libdir}/pkgconfig/*
 %{_libdir}/*.so

 %files python3
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 %{python3_sitearch}/*.so
 %{python3_sitearch}/*.py
 %{python3_sitearch}/__pycache__/*

 %files -n rubygem-%{gem_name}
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 %dir %{gem_instdir}
 %{gem_libdir}
 %{gem_extdir_mri}
@ -257,17 +308,17 @@ rm -f /var/log/wsmand.log
 %doc %{gem_docdir}

 %files perl
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 %{perl_vendorarch}/openwsman.so
 %{perl_vendorlib}/openwsman.pm

 %files server
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 # Don't remove *.so files from the server package.
 # the server fails to start without these files.
 %dir %{_sysconfdir}/openwsman
 %config(noreplace) %{_sysconfdir}/openwsman/openwsman.conf
-%config(noreplace) %{_sysconfdir}/openwsman/ssleay.cnf
+%config(noreplace) %verify(not size md5 mtime) %{_sysconfdir}/openwsman/ssleay.cnf
 %attr(0755,root,root) %{_sysconfdir}/openwsman/owsmangencert.sh
 %attr(0755,root,root) %{_sysconfdir}/openwsman/owsmantestcert.sh
 %config(noreplace) %{_sysconfdir}/pam.d/openwsman
@ -284,7 +335,7 @@ rm -f /var/log/wsmand.log
 %{_mandir}/man8/*

 %files client
-%doc AUTHORS COPYING ChangeLog README.md
+%doc %{name}-%{version}/AUTHORS %{name}-%{version}/COPYING %{name}-%{version}/ChangeLog %{name}-%{version}/README.md
 %{_libdir}/libwsman_clientpp.so.*
 %config(noreplace) %{_sysconfdir}/openwsman/openwsman_client.conf

@ -292,36 +343,126 @@ rm -f /var/log/wsmand.log
 %{_bindir}/winrs

 %changelog
-* Thu Jul 27 2023 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-10
- Remove RANDFILE and increase default bits in ssleay.conf
-  Resolves: #2220821
+* Wed Feb 04 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.8.1-2
+- Support added for post-quantum cryptography
+  Resolves: RHEL-127516
+- Fix bogus 'sscg' arguments
+  Related: RHEL-118292

-* Tue Feb 14 2023 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-9
- Add rpminspect.yaml
-  Related: #2105315
+* Thu Oct 23 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.8.1-1
+- Update to openwsman-2.8.1
+  Resolves: RHEL-97643
+- Add libwsman-client.so.4 for backward compatibility
+  Related: RHEL-97643

-* Thu Sep 08 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-8
+* Tue Oct 14 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-24
+- Update OpenSSL certificates set up
+  Resolves: RHEL-118292
+
+* Thu Nov 24 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-23
 - Improve handling of HTTP 401 Unauthorized
-  Resolves: #2105315
+  Resolves: #2127415

-* Mon May 11 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-7
- Fix CVE-2019-3833
-  Resolves: #1687865
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-22
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Wed Jul 17 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-6
- Fix name of Patch6
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-21
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065

-* Wed Mar 13 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-5
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.8-20
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.6.8-18
+- F-34: rebuild against ruby 3.0
+
+* Tue Sep 22 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-17
+- Use make macros, patch by Tom Stellard <tstellar@redhat.com>
+  (https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro)
+- Update flags, enable LTO
+- Remove RANDFILE and increase default bits in ssleay.conf
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 08 2020 Jeff Law <law@redhat.com> - 2.6.8-15
+- Disable LTO
+
+* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.8-14
+- Perl 5.32 rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 2.6.8-13
+- Rebuilt for Python 3.9
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.6.8-11
+- F-32: rebuild against ruby27
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.8-10
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.8-9
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.8-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.8-7
+- Perl 5.30 rebuild
+
+* Mon Apr 01 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-6
+- Add requires libwsman1 for rubygem-openwsman
+
+* Wed Mar 13 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-5
 - Fix CVE-2019-3816
-  Resolves: #1687864
+  Resolves: #1687760
+- Fix CVE-2019-3833
+  Resolves: #1687762
 - Remove Dist Tag from the oldest changelog entry

-* Thu Sep 20 2018 Tomas Orsava <torsava@redhat.com> - 2.6.5-4
- Require the Python interpreter directly instead of using the package name
- Related: rhbz#1619153
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

-* Wed Feb 21 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-3
+* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.6.8-3
+- F-30: rebuild against ruby26
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.6.8-2
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Thu Nov 22 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-1
+- Update to openwsman-2.6.8
+
+* Wed Nov 14 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-10
+- Reflect changes in libcurl error codes
+  Resolves: #1649393
+
+* Mon Oct 01 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-9
+- Require the Python interpreter directly instead of using the package name
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 03 2018 Petr Pisar <ppisar@redhat.com> - 2.6.5-7
+- Perl 5.28 rebuild
+
+* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.5-6
+- Perl 5.28 rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.6.5-5
+- Rebuilt for Python 3.7
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.6.5-4
+- Rebuilt for Python 3.7
+
+* Thu Feb 22 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-3
 - Fix wrong SSL_CTX_set_cipher_list() retval check
+- Add BuildRequires gcc and gcc-c++
 - Explicitly disable build of java bindings (build fails if java-devel is installed)

 * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.5-2