Add riscv64

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.gitignore

@@ -66,3 +66,7 @@ libssh-0.4.4.tar.gz.asc
 /libssh-0.10.3.tar.xz.asc
 /libssh-0.10.4.tar.xz
 /libssh-0.10.4.tar.xz.asc
+/libssh-0.10.5.tar.xz
+/libssh-0.10.5.tar.xz.asc
+/libssh-0.10.6.tar.xz
+/libssh-0.10.6.tar.xz.asc

libssh-0.10.6-ipv6-hostname.patch

@@ -0,0 +1,263 @@
+From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 22 Dec 2023 10:32:40 +0100
+Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ include/libssh/config_parser.h | 11 ++++++++---
+ src/config.c                   |  4 ++--
+ src/config_parser.c            | 16 +++++++++++-----
+ src/options.c                  | 10 ++--------
+ 4 files changed, 23 insertions(+), 18 deletions(-)
+
+diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
+index a7dd42a2..ca353432 100644
+--- a/include/libssh/config_parser.h
++++ b/include/libssh/config_parser.h
+@@ -30,6 +30,8 @@
+ extern "C" {
+ #endif
+ 
++#include <stdbool.h>
++
+ char *ssh_config_get_cmd(char **str);
+ 
+ char *ssh_config_get_token(char **str);
+@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
+  *                       be stored or NULL if we do not care about the result.
+  * @param[out]  port     Pointer to the location, where the new port will
+  *                       be stored or NULL if we do not care about the result.
++ * @param[in]   ignore_port Set to true if the we should not attempt to parse
++ *                       port number.
+  *
+  * @returns     SSH_OK if the provided string is in format of SSH URI,
+  *              SSH_ERROR on failure
+  */
+ int ssh_config_parse_uri(const char *tok,
+-        char **username,
+-        char **hostname,
+-        char **port);
++                         char **username,
++                         char **hostname,
++                         char **port,
++                         bool ignore_port);
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/src/config.c b/src/config.c
+index 5eedbce9..7135c3b1 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+         }
+         if (parse_entry) {
+             /* We actually care only about the first item */
+-            rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
++            rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
+             /* The rest of the list needs to be passed on */
+             if (endp != NULL) {
+                 next = strdup(endp + 1);
+@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+             }
+         } else {
+             /* The rest is just sanity-checked to avoid failures later */
+-            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
++            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
+         }
+         if (rv != SSH_OK) {
+             goto out;
+diff --git a/src/config_parser.c b/src/config_parser.c
+index 9ffc8b8b..5f30cd3e 100644
+--- a/src/config_parser.c
++++ b/src/config_parser.c
+@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
+ }
+ 
+ int ssh_config_parse_uri(const char *tok,
+-        char **username,
+-        char **hostname,
+-        char **port)
++                         char **username,
++                         char **hostname,
++                         char **port,
++                         bool ignore_port)
+ {
+     char *endp = NULL;
+     long port_n;
+@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
+         if (endp == NULL) {
+             goto error;
+         }
+-    } else {
+-        /* Hostnames or aliases expand to the last colon or to the end */
++    } else if (!ignore_port) {
++        /* Hostnames or aliases expand to the last colon (if port is requested)
++         * or to the end */
+         endp = strrchr(tok, ':');
+         if (endp == NULL) {
+             endp = strchr(tok, '\0');
+         }
++    } else {
++        /* If no port is requested, expand to the end of line
++         * (to accommodate the IPv6 addresses) */
++        endp = strchr(tok, '\0');
+     }
+     if (tok == endp) {
+         /* Zero-length hostnames are not valid */
+diff --git a/src/options.c b/src/options.c
+index 2e73be46..676c49e7 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
+                 ssh_set_error_invalid(session);
+                 return -1;
+             } else {
+-                char *username = NULL, *hostname = NULL, *port = NULL;
+-                rc = ssh_config_parse_uri(value, &username, &hostname, &port);
++                char *username = NULL, *hostname = NULL;
++                rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
+                 if (rc != SSH_OK) {
+                     return -1;
+                 }
+-                if (port != NULL) {
+-                    SAFE_FREE(username);
+-                    SAFE_FREE(hostname);
+-                    SAFE_FREE(port);
+-                    return -1;
+-                }
+                 if (username != NULL) {
+                     SAFE_FREE(session->opts.username);
+                     session->opts.username = username;
+-- 
+2.43.0
+
+
+From 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 22 Dec 2023 09:52:18 +0100
+Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
+ hostnames
+
+This was an issue in cockpit:
+
+https://github.com/cockpit-project/cockpit/issues/19772
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ tests/unittests/torture_config.c  | 49 +++++++++++++++++++++++++++++++
+ tests/unittests/torture_options.c | 16 ++++++++++
+ 2 files changed, 65 insertions(+)
+
+diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
+index bc6b08f9..751aa126 100644
+--- a/tests/unittests/torture_config.c
++++ b/tests/unittests/torture_config.c
+@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
+     torture_config_make_absolute_int(state, 1);
+ }
+ 
++static void torture_config_parse_uri(void **state)
++{
++    char *username = NULL;
++    char *hostname = NULL;
++    char *port = NULL;
++    int rc;
++
++    (void)state; /* unused */
++
++    rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
++    assert_return_code(rc, errno);
++    assert_null(username);
++    assert_string_equal(hostname, "localhost");
++    SAFE_FREE(hostname);
++    assert_null(port);
++
++    rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
++    assert_return_code(rc, errno);
++    assert_null(username);
++    assert_string_equal(hostname, "1.2.3.4");
++    SAFE_FREE(hostname);
++    assert_null(port);
++
++    rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
++    assert_return_code(rc, errno);
++    assert_null(username);
++    assert_string_equal(hostname, "1.2.3.4");
++    SAFE_FREE(hostname);
++    assert_string_equal(port, "2222");
++    SAFE_FREE(port);
++
++    rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
++    assert_return_code(rc, errno);
++    assert_null(username);
++    assert_string_equal(hostname, "1:2:3::4");
++    SAFE_FREE(hostname);
++    assert_string_equal(port, "2222");
++    SAFE_FREE(port);
++
++    /* do not want port */
++    rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
++    assert_return_code(rc, errno);
++    assert_null(username);
++    assert_string_equal(hostname, "1:2:3::4");
++    SAFE_FREE(hostname);
++}
++
+ int torture_run_tests(void)
+ {
+     int rc;
+@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
+                                         setup, teardown),
+         cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
+                                         setup_no_sshdir, teardown),
++        cmocka_unit_test_setup_teardown(torture_config_parse_uri,
++                                        setup, teardown),
+     };
+ 
+ 
+diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
+index 5ba3bdc6..b07712d8 100644
+--- a/tests/unittests/torture_options.c
++++ b/tests/unittests/torture_options.c
+@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
+     assert_non_null(session->opts.host);
+     assert_string_equal(session->opts.host, "localhost");
+ 
++    /* IPv4 address */
++    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
++    assert_true(rc == 0);
++    assert_non_null(session->opts.host);
++    assert_string_equal(session->opts.host, "127.1.1.1");
++    assert_null(session->opts.username);
++
++    /* IPv6 address */
++    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
++    assert_true(rc == 0);
++    assert_non_null(session->opts.host);
++    assert_string_equal(session->opts.host, "::1");
++    assert_null(session->opts.username);
++
+     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
+     assert_true(rc == 0);
+     assert_non_null(session->opts.host);
+@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
+     assert_non_null(session->opts.username);
+     assert_string_equal(session->opts.username, "guru");
+ 
++    /* more @ in uri is OK -- it should go to the username */
+     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
+     assert_true(rc == 0);
+     assert_non_null(session->opts.host);
+     assert_string_equal(session->opts.host, "hostname");
+     assert_non_null(session->opts.username);
+     assert_string_equal(session->opts.username, "at@login");
++
+ }
+ 
+ static void torture_options_set_ciphers(void **state) {
+-- 
+2.43.0
+

libssh-0.10.6-rekey-timeout.patch

@@ -0,0 +1,37 @@
+From 96d76161666b117099696afebcef2fe42ae80715 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 16 May 2023 22:55:11 +0200
+Subject: [PATCH] tests: Give the server more time handle rekey
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Norbert Pocs <npocs@redhat.com>
+---
+ tests/client/torture_rekey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
+index ccd5ae2cf..0fc13b8b3 100644
+--- a/tests/client/torture_rekey.c
++++ b/tests/client/torture_rekey.c
+@@ -505,7 +505,7 @@ static void torture_rekey_different_kex(void **state)
+     memset(data, 'A', 128);
+     for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 100);
++        ssh_handle_packets(s->ssh.session, 1000);
+ 
+         c = s->ssh.session->current_crypto;
+         /* SHA256 len */
+@@ -583,7 +583,7 @@ static void torture_rekey_server_different_kex(void **state)
+     memset(data, 'A', 128);
+     for (i = 0; i < KEX_RETRY; i++) {
+         ssh_send_ignore(s->ssh.session, data);
+-        ssh_handle_packets(s->ssh.session, 100);
++        ssh_handle_packets(s->ssh.session, 1000);
+ 
+         c = s->ssh.session->current_crypto;
+         /* SHA256 len */
+-- 
+GitLab
+
+

libssh.spec

@@ -1,8 +1,8 @@
 Name:           libssh
-Version:        0.10.4
-Release:        1.0.riscv64%{?dist}
+Version:        0.10.6
+Release:        2.0.riscv64%{?dist}
 Summary:        A library implementing the SSH protocol
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 URL:            http://www.libssh.org
 
 Source0:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
@@ -10,6 +10,9 @@ Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
+Patch1:         libssh-0.10.6-rekey-timeout.patch
+# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431
+Patch2:         libssh-0.10.6-ipv6-hostname.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -23,9 +26,13 @@ BuildRequires:  pam_wrapper
 BuildRequires:  socket_wrapper
 BuildRequires:  nss_wrapper
 BuildRequires:  uid_wrapper
+BuildRequires:  priv_wrapper
 BuildRequires:  openssh-clients
 BuildRequires:  openssh-server
 BuildRequires:  nmap-ncat
+BuildRequires:  openssl-pkcs11
+BuildRequires:  softhsm
+BuildRequires:  gnutls-utils
 
 Requires:       %{name}-config = %{version}-%{release}
 
@@ -48,6 +55,7 @@ third-party programs others than libcrypto (from openssl).
 %package devel
 Summary:        Development files for %{name}
 Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       cmake-filesystem
 
 %description devel
 The %{name}-devel package contains libraries and header files for developing
@@ -70,6 +78,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
     -DUNIT_TESTING=ON \
     -DCLIENT_TESTING=ON \
     -DSERVER_TESTING=ON \
+    -DWITH_PKCS11_URI=ON \
     -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
     -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
 
@@ -104,11 +113,11 @@ popd
 %check
 # Tests are randomly failing when run in parallel
 %global _smp_build_ncpus 1
-%ifnarch riscv64
-%ctest
-%else
-%ctest || :
+%ifarch i686
+# The test torture_packet fails now on i686 arch on rawhide
+%global libssh_ctest_args -E torture_packet
 %endif
+%ctest %{?libssh_ctest_args}
 
 %files
 %doc AUTHORS BSD CHANGELOG README
@@ -118,8 +127,6 @@ popd
 
 %files devel
 %{_includedir}/libssh/
-# own this to avoid dep on cmake -- rex
-%dir  %{_libdir}/cmake/
 %{_libdir}/cmake/libssh/
 %{_libdir}/pkgconfig/libssh.pc
 %{_libdir}/libssh.so
@@ -131,8 +138,30 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
-* Mon Sep 12 2022 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.4-1.0.riscv64
-- Ignore tests failures on riscv64
+* Tue Jan 09 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0.10.6-2.0.riscv64
+- Add riscv64
+
+* Fri Dec 22 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-2
+- Fix regression in IPv6 hosntames parsing
+
+* Mon Dec 18 2023 Jakub Jelen <jjelen@redhat.com> - 0.10.6-1
+- New upstream release fixing (CVE-2023-48795, CVE-2023-6004, CVE-2023-6918)
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri May 05 2023 Orion Poplawski <orion@nwra.com> - 0.10.5-1
+- Update to 0.10.5 (CVE-2023-1667 CVE-2023-2283)
+- Have libssh-devel require cmake-filesystem
+
+* Sun Mar 05 2023 Andreas Schneider <asn@redhat.com> - 0.10.4-4
+- Update License to SPDX expression
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Oct 06 2022 Norbert Pocs <npocs@redhat.com> - 0.10.4-2
+- Enable pkcs11 support
 
 * Wed Sep 07 2022 Andreas Schneider <asn@redhat.com> - 0.10.4-1
 - Update to version 0.10.4

sources

@@ -1,2 +1,2 @@
-SHA512 (libssh-0.10.4.tar.xz) = 01ee52d480201d9886c15e81137c185334b404d1c8e8b743ddf58e95fe8619c8c013616a49807bd1111fde72fa177cd35f3c22b66cbf5d720b5abfacdf7601ed
-SHA512 (libssh-0.10.4.tar.xz.asc) = 8200215d6471851dac8cd8efd07400b9bc4403cf5406a9fdb28a68ef8fe85c227f92a26071fb32d9396b91661568333b5ceb9b23665d22e761b981dd880bbbc8
+SHA512 (libssh-0.10.6.tar.xz) = 40c62d63c44e882999b71552c237d73fc7364313bd00b15a211a34aeff1b73693da441d2c8d4e40108d00fb7480ec7c5b6d472f9c0784b2359a179632ab0d6c1
+SHA512 (libssh-0.10.6.tar.xz.asc) = 214d7920bebc80a8e6838c64ed06e070709a96fabfb4fff657b55f9588bc0e1612887fe887d23de73ad3540f3bb85288e62eb6a11ccd4bc80afbd44d34ba70d4