Add libssh 0.7.1-7 from RHEL/CentOS 7 to EPEL 7 (limited arch pkg)

Package got part of rhel-7-{server,workstation}-extras-rpms repo,
however only for x86_64, but not for aarch64, ppc64 and ppc64le.

.gitignore

@@ -1,14 +1 @@
-libssh-0.4.4.tar.gz
-libssh-0.4.4.tar.gz.asc
-/libssh-0.4.6.tar.gz
-/libssh-0.4.6.tar.gz.asc
-/libssh-0.4.8.tar.gz
-/libssh-0.4.8.tar.gz.asc
-/libssh-0.5.0.tar.gz
-/libssh-0.5.0.tar.gz.asc
-/libssh-0.5.2.tar.gz
-/libssh-0.5.2.tar.gz.asc
-/libssh-0.5.3.tar.gz
-/libssh-0.5.3.tar.asc
-/libssh-0.5.4.tar.gz
-/libssh-0.5.4.tar.asc
+/libssh-*.tar.xz

libssh-0.5.4-channel-close.patch

@@ -1,33 +0,0 @@
-From 068ab9f61196b01235173623c1cca3143cf1d43a Mon Sep 17 00:00:00 2001
-From: Igor Gnatenko <i.gnatenko.brain@gmail.com>
-Date: Sat, 13 Jul 2013 14:13:52 +0400
-Subject: [PATCH] Check for NULL pointers in ssh_channel_close
-
----
- src/channels.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/channels.c b/src/channels.c
-index 214485c..3fac10e 100644
---- a/src/channels.c
-+++ b/src/channels.c
-@@ -1080,9 +1080,15 @@ error:
-  * @see channel_eof()
-  */
- int ssh_channel_close(ssh_channel channel){
--  ssh_session session = channel->session;
-+  ssh_session session;
-   int rc = 0;
- 
-+  if (channel == NULL) {
-+    return SSH_ERROR;
-+  }
-+  
-+  session = channel->session;
-+
-   enter_function();
- 
-   if (channel->local_eof == 0) {
--- 
-1.8.3.1
-

libssh-0.5.4-disable-latex-documentation.patch

@@ -1,15 +0,0 @@
-Description: Be sure we never build LaTeX documentation
-Author: Laurent Bigonville <bigon@debian.org>
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622108
-
---- a/doc/doxy.config.in
-+++ b/doc/doxy.config.in
-@@ -1014,7 +1014,7 @@
- # If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
- # generate Latex output.
- 
--GENERATE_LATEX         = @DOXYFILE_LATEX@
-+GENERATE_LATEX         = NO
- 
- # The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
- # If a relative path is entered the value of OUTPUT_DIRECTORY will be

libssh-0.5.4-fix-html-doc-generation.patch

@@ -1,16 +0,0 @@
-Description: Do not exclude "*/build/*" directory as buildd use that path
-Author: Laurent Bigonville <bigon@debian.org>
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/821437
-
---- a/doc/doxy.config.in
-+++ b/doc/doxy.config.in
-@@ -631,8 +631,7 @@
- 
- EXCLUDE_PATTERNS       = */.git/* \
-                          */.svn/* \
--                         */cmake/* \
--                         */build/*
-+                         */cmake/*
- 
- # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
- # (namespaces, classes, functions, etc.) that should be excluded from the

libssh-0.5.4-fix-typo.patch

@@ -1,14 +0,0 @@
-Subject: Fix typo
-From: Laurent Bigonville <bigon@debian.org>
-
---- a/src/server.c
-+++ b/src/server.c
-@@ -186,7 +186,7 @@ static int dh_handshake_server(ssh_sessi
-     default:
-       ssh_set_error(session,
-                     SSH_FATAL,
--                    "Could determine the specified hostkey");
-+                    "Could not determine the specified hostkey");
-       ssh_string_free(f);
-       return -1;
-   }

libssh-0.7.1-fix_agent_bigendian.patch

@@ -0,0 +1,109 @@
+--- a/libssh-0.7.2-fix_agent_bigendian.patch	
++++ a/libssh-0.7.2-fix_agent_bigendian.patch	
+@@ -0,0 +1,105 @@ 
++From 0425ac9ad0f8f1cefa12b448d31a400ced3e89b9 Mon Sep 17 00:00:00 2001
++From: Andreas Schneider <asn@cryptomilk.org>
++Date: Wed, 14 Oct 2015 20:45:49 +0200
++Subject: [PATCH] agent: Fix agent auth on big endian machines
++
++BUG: https://red.libssh.org/issues/204
++
++Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
++---
++ ConfigureChecks.cmake |  1 +
++ include/libssh/priv.h | 10 ++++++++++
++ src/agent.c           | 17 +++++++++++++----
++ 3 files changed, 24 insertions(+), 4 deletions(-)
++
++diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
++index c0326c2..3587b07 100644
++--- a/ConfigureChecks.cmake
+++++ b/ConfigureChecks.cmake
++@@ -56,6 +56,7 @@ check_include_file(libutil.h HAVE_LIBUTIL_H)
++ check_include_file(sys/time.h HAVE_SYS_TIME_H)
++ check_include_file(sys/param.h HAVE_SYS_PARAM_H)
++ check_include_file(arpa/inet.h HAVE_ARPA_INET_H)
+++check_include_file(byteswap.h HAVE_BYTESWAP_H)
++ 
++ if (WIN32)
++   check_include_files("winsock2.h;ws2tcpip.h;wspiapi.h" HAVE_WSPIAPI_H)
++diff --git a/include/libssh/priv.h b/include/libssh/priv.h
++index 95a22c6..b7a80fe 100644
++--- a/include/libssh/priv.h
+++++ b/include/libssh/priv.h
++@@ -43,6 +43,16 @@
++ # endif
++ #endif /* !defined(HAVE_STRTOULL) */
++ 
+++#ifdef HAVE_BYTESWAP_H
+++#include <byteswap.h>
+++#endif
+++
+++#ifndef bswap_32
+++#define bswap_32(x) \
+++    ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >>  8) | \
+++     (((x) & 0x0000ff00) <<  8) | (((x) & 0x000000ff) << 24))
+++#endif
+++
++ #ifdef _WIN32
++ 
++ /* Imitate define of inttypes.h */
++diff --git a/src/agent.c b/src/agent.c
++index 922d753..e520773 100644
++--- a/src/agent.c
+++++ b/src/agent.c
++@@ -382,6 +382,9 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
++     ssh_buffer_free(reply);
++     return -1;
++   }
+++#ifdef WORDS_BIGENDIAN
+++  type = bswap_32(type);
+++#endif
++ 
++   SSH_LOG(SSH_LOG_WARN,
++       "Answer type: %d, expected answer: %d",
++@@ -392,7 +395,7 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) {
++       return 0;
++   } else if (type != c2) {
++       ssh_set_error(session, SSH_FATAL,
++-          "Bad authentication reply message type: %d", type);
+++          "Bad authentication reply message type: %u", type);
++       ssh_buffer_free(reply);
++       return -1;
++   }
++@@ -507,8 +510,8 @@ ssh_string ssh_agent_sign_data(ssh_session session,
++     ssh_buffer reply;
++     ssh_string key_blob;
++     ssh_string sig_blob;
++-    int type = SSH2_AGENT_FAILURE;
++-    int flags = 0;
+++    unsigned int type = 0;
+++    unsigned int flags = 0;
++     uint32_t dlen;
++     int rc;
++ 
++@@ -572,13 +575,19 @@ ssh_string ssh_agent_sign_data(ssh_session session,
++         ssh_buffer_free(reply);
++         return NULL;
++     }
+++#ifdef WORDS_BIGENDIAN
+++    type = bswap_32(type);
+++#endif
++ 
++     if (agent_failed(type)) {
++         SSH_LOG(SSH_LOG_WARN, "Agent reports failure in signing the key");
++         ssh_buffer_free(reply);
++         return NULL;
++     } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
++-        ssh_set_error(session, SSH_FATAL, "Bad authentication response: %d", type);
+++        ssh_set_error(session,
+++                      SSH_FATAL,
+++                      "Bad authentication response: %u",
+++                      type);
++         ssh_buffer_free(reply);
++         return NULL;
++     }
++-- 
++2.5.0
++
+

libssh-CVE-2016-0739.patch

@@ -0,0 +1,68 @@
+From dc2eaa017fe77e53bd9f1d4327a480d9bfe6cc6a Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Tue, 9 Feb 2016 15:09:27 +0100
+Subject: [PATCH] dh: fix CVE-2016-0739
+
+Due to a byte/bit confusion, the DH secret was too short. This file was
+completely reworked and will be commited in a future version.
+---
+ src/dh.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/dh.c b/src/dh.c
+index e489a1d..d27b66e 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
+ }
+ 
+ int dh_generate_x(ssh_session session) {
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
+   session->next_crypto->x = bignum_new();
+   if (session->next_crypto->x == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->x, 128);
++  bignum_rand(session->next_crypto->x, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->x, 128, 0, -1);
++  bignum_rand(session->next_crypto->x, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
+@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
+ 
+ /* used by server */
+ int dh_generate_y(ssh_session session) {
+-    session->next_crypto->y = bignum_new();
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
++  session->next_crypto->y = bignum_new();
+   if (session->next_crypto->y == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->y, 128);
++  bignum_rand(session->next_crypto->y, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->y, 128, 0, -1);
++  bignum_rand(session->next_crypto->y, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
+-- 
+2.7.1
+
+

libssh-SHA256.patch

@@ -0,0 +1,363 @@
+From f3f140e65f0e58fc37b04dbe4173d6ecda0127ac Mon Sep 17 00:00:00 2001
+From: Jan-Niklas Burfeind <libssh@aiyionpri.me>
+Date: Thu, 9 Aug 2018 11:00:00 +0200
+Subject: dh: Add SSH_PUBLICKEY_HASH_SHA256 to ssh_get_publickey_hash()
+
+Signed-off-by: Jan-Niklas Burfeind <libssh@aiyionpri.me>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 1499b38aef17beac8b438522535daf428600d529)
+---
+ include/libssh/libssh.h |  3 ++-
+ src/dh.c                | 23 +++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index 37214898..320dc032 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -444,7 +444,8 @@ LIBSSH_API int ssh_get_publickey(ssh_session session, ssh_key *key);
+ 
+ enum ssh_publickey_hash_type {
+     SSH_PUBLICKEY_HASH_SHA1,
+-    SSH_PUBLICKEY_HASH_MD5
++    SSH_PUBLICKEY_HASH_MD5,
++    SSH_PUBLICKEY_HASH_SHA256
+ };
+ LIBSSH_API int ssh_get_publickey_hash(const ssh_key key,
+                                       enum ssh_publickey_hash_type type,
+diff --git a/src/dh.c b/src/dh.c
+index d27b66eb..bf1ade8b 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -1039,6 +1039,29 @@ int ssh_get_publickey_hash(const ssh_key key,
+             *hlen = SHA_DIGEST_LEN;
+         }
+         break;
++    case SSH_PUBLICKEY_HASH_SHA256:
++        {
++            SHA256CTX ctx;
++
++            h = malloc(SHA256_DIGEST_LEN);
++            if (h == NULL) {
++                rc = -1;
++                goto out;
++            }
++
++            ctx = sha256_init();
++            if (ctx == NULL) {
++                free(h);
++                rc = -1;
++                goto out;
++            }
++
++            sha256_update(ctx, ssh_string_data(blob), ssh_string_len(blob));
++            sha256_final(h, ctx);
++
++            *hlen = SHA256_DIGEST_LEN;
++        }
++        break;
+     case SSH_PUBLICKEY_HASH_MD5:
+         {
+             MD5CTX ctx;
+-- 
+cgit v1.2.1
+
+From 9c62d6dfcd798d28895f5dd1b76a28524bcf18d3 Mon Sep 17 00:00:00 2001
+From: Jan-Niklas Burfeind <libssh@aiyionpri.me>
+Date: Thu, 9 Aug 2018 11:00:00 +0200
+Subject: dh: Add ssh_print_hash() function which can deal with sha256
+
+Signed-off-by: Jan-Niklas Burfeind <libssh@aiyionpri.me>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit f32cb706752d8dc35ad53a64f51e432cc0bc41cd)
+---
+ include/libssh/libssh.h |  1 +
+ src/dh.c                | 80 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 81 insertions(+)
+
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index 320dc032..f6cce1e4 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -564,6 +564,7 @@ LIBSSH_API int ssh_pki_export_pubkey_file(const ssh_key key,
+ 
+ LIBSSH_API const char *ssh_pki_key_ecdsa_name(const ssh_key key);
+ 
++LIBSSH_API void ssh_print_hash(enum ssh_publickey_hash_type type, unsigned char *hash, size_t len);
+ LIBSSH_API void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len);
+ LIBSSH_API int ssh_send_ignore (ssh_session session, const char *data);
+ LIBSSH_API int ssh_send_debug (ssh_session session, const char *message, int always_display);
+diff --git a/src/dh.c b/src/dh.c
+index bf1ade8b..66a0e704 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -1097,6 +1097,38 @@ out:
+     return rc;
+ }
+ 
++/**
++ * @internal
++ *
++ * @brief Convert a buffer into an unpadded base64 string.
++ * The caller has to free the memory.
++ *
++ * @param  hash         What should be converted to a base64 string.
++ *
++ * @param  len          Length of the buffer to convert.
++ *
++ * @return              The base64 string or NULL on error.
++ *
++ * @see ssh_string_free_char()
++ */
++static char *ssh_get_b64_unpadded(const unsigned char *hash, size_t len)
++{
++    char *b64_padded = NULL;
++    char *b64_unpadded = NULL;
++    size_t k;
++
++    b64_padded = (char *)bin_to_base64(hash, (int)len);
++    if (b64_padded == NULL) {
++        return NULL;
++    }
++    for (k = strlen(b64_padded); k != 0 && b64_padded[k-1] == '='; k--);
++
++    b64_unpadded = strndup(b64_padded, k);
++    SAFE_FREE(b64_padded);
++
++    return b64_unpadded;
++}
++
+ /**
+  * @brief Convert a buffer into a colon separated hex string.
+  * The caller has to free the memory.
+@@ -1134,6 +1166,54 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
+   return hexa;
+ }
+ 
++/**
++ * @brief Print a hash as a human-readable hex- or base64-string.
++ *
++ * This function prints hex strings if the given hash is a md5 sum.
++ * But prints unpadded base64 strings for sha sums.
++ * Either way, the output is prepended by the hash-type.
++ *
++ * @param  type         Which sort of hash is given.
++ *
++ * @param  hash         What should be converted to a base64 string.
++ *
++ * @param  len          Length of the buffer to convert.
++ */
++void ssh_print_hash(enum ssh_publickey_hash_type type,
++                    unsigned char *hash,
++                    size_t len) {
++    const char *prefix = "UNKNOWN";
++    char *fingerprint = NULL;
++
++    switch (type) {
++    case SSH_PUBLICKEY_HASH_SHA1:
++    case SSH_PUBLICKEY_HASH_SHA256:
++        fingerprint = ssh_get_b64_unpadded(hash, len);
++        break;
++    case SSH_PUBLICKEY_HASH_MD5:
++        fingerprint = ssh_get_hexa(hash, len);
++        break;
++    }
++    if (fingerprint == NULL) {
++        return;
++    }
++
++    switch (type) {
++    case SSH_PUBLICKEY_HASH_MD5:
++        prefix = "MD5";
++        break;
++    case SSH_PUBLICKEY_HASH_SHA1:
++        prefix = "SHA1";
++        break;
++    case SSH_PUBLICKEY_HASH_SHA256:
++        prefix = "SHA256";
++        break;
++    }
++    fprintf(stderr, "%s:%s\n", prefix, fingerprint);
++
++    SAFE_FREE(fingerprint);
++}
++
+ /**
+  * @brief Print a buffer as colon separated hex string.
+  *
+-- 
+cgit v1.2.1
+
+From 7a7c0a54bc24391fcff0aaccd983de621cb3e60d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Sun, 2 Sep 2018 15:45:41 +0200
+Subject: dh: Add ssh_get_fingerprint_hash()
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit bbed139ecab26cb46b0bb3a21fa4cd2a4f12dadd)
+---
+ include/libssh/libssh.h |  3 ++
+ src/dh.c                | 73 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 76 insertions(+)
+
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index f6cce1e4..7f59abe4 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -564,6 +564,9 @@ LIBSSH_API int ssh_pki_export_pubkey_file(const ssh_key key,
+ 
+ LIBSSH_API const char *ssh_pki_key_ecdsa_name(const ssh_key key);
+ 
++LIBSSH_API char *ssh_get_fingerprint_hash(enum ssh_publickey_hash_type type,
++                                          unsigned char *hash,
++                                          size_t len);
+ LIBSSH_API void ssh_print_hash(enum ssh_publickey_hash_type type, unsigned char *hash, size_t len);
+ LIBSSH_API void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len);
+ LIBSSH_API int ssh_send_ignore (ssh_session session, const char *data);
+diff --git a/src/dh.c b/src/dh.c
+index 66a0e704..38298b2d 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -1166,6 +1166,79 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
+   return hexa;
+ }
+ 
++/**
++ * @brief Get a hash as a human-readable hex- or base64-string.
++ *
++ * This gets an allocated fingerprint hash. It is a hex strings if the given
++ * hash is a md5 sum.  If it is a SHA sum, it will return an unpadded base64
++ * strings.  Either way, the output is prepended by the hash-type.
++ *
++ * @param  type         Which sort of hash is given.
++ *
++ * @param  hash         What should be converted to a base64 string.
++ *
++ * @param  len          Length of the buffer to convert.
++ *
++ * @return Returns the allocated fingerprint hash or NULL on error.
++ *
++ * @see ssh_string_free_char()
++ */
++char *ssh_get_fingerprint_hash(enum ssh_publickey_hash_type type,
++                               unsigned char *hash,
++                               size_t len)
++{
++    const char *prefix = "UNKNOWN";
++    char *fingerprint = NULL;
++    char *str = NULL;
++    size_t str_len;
++    int rc;
++
++    switch (type) {
++    case SSH_PUBLICKEY_HASH_SHA1:
++    case SSH_PUBLICKEY_HASH_SHA256:
++        fingerprint = ssh_get_b64_unpadded(hash, len);
++        break;
++    case SSH_PUBLICKEY_HASH_MD5:
++        fingerprint = ssh_get_hexa(hash, len);
++        break;
++    }
++    if (fingerprint == NULL) {
++        return NULL;
++    }
++
++    switch (type) {
++    case SSH_PUBLICKEY_HASH_MD5:
++        prefix = "MD5";
++        break;
++    case SSH_PUBLICKEY_HASH_SHA1:
++        prefix = "SHA1";
++        break;
++    case SSH_PUBLICKEY_HASH_SHA256:
++        prefix = "SHA256";
++        break;
++    }
++
++    str_len = strlen(prefix);
++    if (str_len + 1 + strlen(fingerprint) + 1 < str_len) {
++        SAFE_FREE(fingerprint);
++        return NULL;
++    }
++    str_len += 1 + strlen(fingerprint) + 1;
++
++    str = malloc(str_len);
++    if (str == NULL) {
++        SAFE_FREE(fingerprint);
++        return NULL;
++    }
++    rc = snprintf(str, str_len, "%s:%s", prefix, fingerprint);
++    SAFE_FREE(fingerprint);
++    if (rc < 0 || rc < (int)(str_len - 1)) {
++        SAFE_FREE(str);
++    }
++
++    return str;
++}
++
+ /**
+  * @brief Print a hash as a human-readable hex- or base64-string.
+  *
+-- 
+cgit v1.2.1
+
+From e765c1400a724cc5009fd03395ef54b28de9c296 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Sun, 2 Sep 2018 15:47:41 +0200
+Subject: dh: Use ssh_get_fingerprint_hash() in ssh_print_hash()
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 92aa2cf4963b714d0f30d4fb0f9e609200224f7a)
+---
+ src/dh.c | 29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/src/dh.c b/src/dh.c
+index 38298b2d..d7182798 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -1254,35 +1254,18 @@ char *ssh_get_fingerprint_hash(enum ssh_publickey_hash_type type,
+  */
+ void ssh_print_hash(enum ssh_publickey_hash_type type,
+                     unsigned char *hash,
+-                    size_t len) {
+-    const char *prefix = "UNKNOWN";
++                    size_t len)
++{
+     char *fingerprint = NULL;
+ 
+-    switch (type) {
+-    case SSH_PUBLICKEY_HASH_SHA1:
+-    case SSH_PUBLICKEY_HASH_SHA256:
+-        fingerprint = ssh_get_b64_unpadded(hash, len);
+-        break;
+-    case SSH_PUBLICKEY_HASH_MD5:
+-        fingerprint = ssh_get_hexa(hash, len);
+-        break;
+-    }
++    fingerprint = ssh_get_fingerprint_hash(type,
++                                           hash,
++                                           len);
+     if (fingerprint == NULL) {
+         return;
+     }
+ 
+-    switch (type) {
+-    case SSH_PUBLICKEY_HASH_MD5:
+-        prefix = "MD5";
+-        break;
+-    case SSH_PUBLICKEY_HASH_SHA1:
+-        prefix = "SHA1";
+-        break;
+-    case SSH_PUBLICKEY_HASH_SHA256:
+-        prefix = "SHA256";
+-        break;
+-    }
+-    fprintf(stderr, "%s:%s\n", prefix, fingerprint);
++    fprintf(stderr, "%s\n", fingerprint);
+ 
+     SAFE_FREE(fingerprint);
+ }
+-- 
+cgit v1.2.1
+

libssh-fix-kbdint.patch

@@ -0,0 +1,27 @@
+From 4ea46eecce9f4e676150fe27fec34e1570b70ace Mon Sep 17 00:00:00 2001
+From: Meng Tan <mtan@wallix.com>
+Date: Wed, 17 Oct 2018 14:50:08 +0200
+Subject: server: Set correct state after sending INFO_REQUEST (Kbd
+ Interactive)
+
+Signed-off-by: Meng Tan <mtan@wallix.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/server.c b/src/server.c
+index e14636ec..84cc4f7a 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -1039,6 +1039,7 @@ int ssh_message_auth_interactive_request(ssh_message msg, const char *name,
+     msg->session->kbdint->prompts = NULL;
+     msg->session->kbdint->echo = NULL;
+   }
++  msg->session->auth_state = SSH_AUTH_STATE_INFO;
+ 
+   return rc;
+ }
+-- 
+cgit v1.2.1
+

libssh.spec

@@ -1,23 +1,27 @@
+%define _hardened_build 1
+
 Name:           libssh
-Version:        0.5.4
-Release:        5%{?dist}
-Summary:        A library implementing the SSH2 protocol (0xbadc0de version)
+Version:        0.7.1
+Release:        0.7%{?dist}
+Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
-URL:            http://www.libssh.org/
+URL:            http://www.libssh.org
 Group:          System Environment/Libraries
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-Source0:        https://red.libssh.org/attachments/download/41/libssh-0.5.4.tar.gz
-Source1:        https://red.libssh.org/attachments/download/42/libssh-0.5.4.tar.asc
-Patch0:         libssh-0.5.4-channel-close.patch
-Patch1:         libssh-0.5.4-disable-latex-documentation.patch
-Patch2:         libssh-0.5.4-fix-html-doc-generation.patch
-Patch3:         libssh-0.5.4-fix-typo.patch
+Source0:        https://red.libssh.org/attachments/download/154/libssh-0.7.1.tar.xz
+
+Patch1:         libssh-CVE-2016-0739.patch
+Patch2:         libssh-0.7.1-fix_agent_bigendian.patch
+Patch3:         libssh-CVE-2018-10933.patch
+Patch4:         libssh-SHA256.patch
+Patch5:         libssh-fix-kbdint.patch
 
 BuildRequires:  cmake
 BuildRequires:  doxygen
 BuildRequires:  openssl-devel
-BuildRequires:  zlib-devel   
+BuildRequires:  pkgconfig
+BuildRequires:  zlib-devel
 
 %description
 The ssh library was designed to be used by programmers needing a working SSH
@@ -31,6 +35,8 @@ third-party programs others than libcrypto (from openssl).
 Summary:        Development files for %{name}
 Group:          Development/Libraries
 Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       pkgconfig
+Requires:       cmake
 
 %description devel
 The %{name}-devel package contains libraries and header files for developing
@@ -38,28 +44,34 @@ applications that use %{name}.
 
 %prep
 %setup -q
-%patch0 -p1 -b .channel-close
-%patch1 -p1 -b .disable-latex-documentation
-%patch2 -p1 -b .fix-html-doc-generation
-%patch3 -p1 -b .fix-typo
+%patch1 -p1
+%patch2 -p1 -b .libssh-0.7.2-fix_agent_bigendian.patch
+%patch3 -p1 -b .libssh-CVE-2018-10933.patch
+%patch4 -p1 -b .libssh-SHA256.patch
+%patch5 -p1 -b .libssh-fix-kbdint.patch
+
 # Remove examples, they are not packaged and do not build on EPEL 5
 sed -i -e 's|add_subdirectory(examples)||g' CMakeLists.txt
-rm -fr examples
+rm -rf examples
+sed -i -e 's| -pedantic-errors||g' cmake/Modules/DefineCompilerFlags.cmake
 
 %build
-mkdir obj
-cd obj
-%cmake ..
-make
+if test ! -e "obj"; then
+  mkdir obj
+fi
+pushd obj
+
+%cmake \
+    %{_builddir}/%{name}-%{version}
+make %{?_smp_mflags} VERBOSE=1 CFLAGS="-no-pedantic-errors"
 make doc
 
+popd
+
 %install
-rm -rf %{buildroot}
-cd obj
-make install DESTDIR=%{buildroot}
-find %{buildroot} -name '*.la' -delete
-install -d %{buildroot}%{_datadir}
-mv %{buildroot}/%{_libdir}/pkgconfig %{buildroot}/usr/share
+pushd obj
+make DESTDIR=%{buildroot} install
+popd
 
 %post -p /sbin/ldconfig
 
@@ -70,15 +82,81 @@ rm -rf %{buildroot}
 
 %files
 %doc AUTHORS BSD ChangeLog COPYING README
-%{_libdir}/*.so.*
+%{_libdir}/libssh.so.*
+%{_libdir}/libssh_threads.so.*
 
 %files devel
 %doc obj/doc/html
-%{_datadir}/pkgconfig/*.pc
-%{_includedir}/*
-%{_libdir}/*.so
+%{_includedir}/libssh/callbacks.h
+%{_includedir}/libssh/legacy.h
+%{_includedir}/libssh/libssh.h
+%{_includedir}/libssh/libsshpp.hpp
+%{_includedir}/libssh/server.h
+%{_includedir}/libssh/sftp.h
+%{_includedir}/libssh/ssh2.h
+%dir  %{_libdir}/cmake/libssh
+%{_libdir}/cmake/libssh/libssh-config-version.cmake
+%{_libdir}/cmake/libssh/libssh-config.cmake
+%{_libdir}/pkgconfig/libssh.pc
+%{_libdir}/pkgconfig/libssh_threads.pc
+%{_libdir}/libssh.so
+%{_libdir}/libssh_threads.so
 
 %changelog
+* Mon Apr 01 2019 Robert Scheck <robert@fedoraproject.org> - 0.7.1-0.7
+- Add libssh 0.7.1-7 from RHEL/CentOS 7 to EPEL 7 (limited arch pkg)
+
+* Sun Oct 28 2018 Martin Pitt <mpitt@redhat.com> - 0.7.1-7
+- resolves: #1637182 - Add SHA256 fingerprint support
+- Fix regression with keyboard interactive authentication introduced in
+  previous update
+
+* Tue Oct 09 2018 Andreas Schneider <asn@redhat.com> - 0.7.1-6
+- resolves: #1637257 - Fix CVE-2018-10933
+
+* Thu May 03 2018 - Lokesh Mandvekar <lsm5@redhat.com> - 0.7.1-5
+- correct bogus date annoyance
+
+* Thu May 03 2018 - Lokesh Mandvekar <lsm5@redhat.com> - 0.7.1-4
+- Resolves: #1574670 - bump release tag to have build shipped to
+client/workstation repos
+
+* Wed Mar 22 2017 - Dominik Perpeet <dperpeet@redhat.com> - 0.7.1-3
+- Fix agent auth on big endian machines
+
+* Mon Feb 22 2016 - Stef Walter <stefw@redhat.com> - 0.7.1-2
+- Security fix for CVE-2016-0739 rhbz#1305971
+
+* Mon Jul 06 2015 - Stef Walter <stefw@redhat.com> - 0.7.1-1
+- Updated to 0.7.1 release rhbz#1239085
+
+* Wed Apr 22 2015 - Stef Walter <stefw@redhat.com> - 0.6.4-4
+- Updated patch for CVE-2015-3146
+
+* Wed Apr 22 2015 - Stef Walter <stefw@redhat.com> - 0.6.4-3
+- Enable _hardened_build
+
+* Tue Apr 21 2015 - Stef Walter <stefw@redhat.com> - 0.6.4-2
+- Security fix for CVE-2015-3145.
+
+* Wed Apr 01 2015 - Stef Walter <stefw@redhat.com> - 0.6.4-1
+- Security fix for CVE-2014-8132.
+
+* Tue Mar 04 2014 - Andreas Schneider <asn@redhat.com> - 0.6.3-1
+- Fix CVE-2014-0017.
+
+* Mon Feb 10 2014 - Andreas Schneider <asn@redhat.com> - 0.6.1-1
+- Update to version 0.6.1.
+- resolves: #1056757 - Fix scp mode.
+- resolves: #1053305 - Fix known_hosts heuristic.
+
+* Wed Jan 08 2014 - Andreas Schneider <asn@redhat.com> - 0.6.0-1
+- Update to 0.6.0
+
+* Fri Jul 26 2013 - Andreas Schneider <asn@redhat.com> - 0.5.5-1
+- Update to 0.5.5.
+- Clenup the spec file.
+
 * Thu Jul 18 2013 Simone Caronni <negativo17@gmail.com> - 0.5.4-5
 - Add EPEL 5 support.
 - Add Debian patches to enable Doxygen documentation.

sources

@@ -1,2 +1 @@
-b8b4e733c13dfabae33b2688ef82dacc  libssh-0.5.4.tar.gz
-210057766ea316dfef9119a06768320c  libssh-0.5.4.tar.asc
+SHA512 (libssh-0.7.1.tar.xz) = c7cea829e97c9f37c23b5d331e02ea5b8c8bea1a0b28fad62a273b252040a30ea9631b502ea165a1e041b6e23c3bf6746d49800875fa492d8f42c7d1e232ebb9