From 579bb92fce0603464863bef566a3408a85e49bff Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Wed, 28 Nov 2007 01:23:22 +0000 Subject: [PATCH 01/93] initial commit --- .cvsignore | 1 + libssh2.spec | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 1 + 3 files changed, 120 insertions(+) create mode 100644 libssh2.spec diff --git a/.cvsignore b/.cvsignore index e69de29..082a13e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +libssh2-0.18.tar.gz diff --git a/libssh2.spec b/libssh2.spec new file mode 100644 index 0000000..18dc39d --- /dev/null +++ b/libssh2.spec 
@@ -0,0 +1,118 @@ +Name: libssh2 +Version: 0.18 +Release: 4%{?dist} +Summary: A library implementing the SSH2 protocol + +Group: System Environment/Libraries +License: BSD +URL: http://www.libssh2.org/ +Source0: http://downloads.sourceforge.net/libssh2/%{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: openssl-devel +BuildRequires: zlib-devel + +%description +libssh2 is a library implementing the SSH2 protocol as defined by +Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), +SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, +SECSH-DHGEX(04), and SECSH-NUMBERS(10). + + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + +%package docs +Summary: Documentation for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description docs +The %{name}-docs package contains man pages and examples for +developing applications that use %{name}. + + +%prep +%setup -q + +# make sure things are UTF-8... 
+for i in ChangeLog NEWS ; do + iconv --from=ISO-8859-1 --to=UTF-8 $i > new + mv new $i +done + +%build +%configure --disable-static --enable-shared + +make %{?_smp_mflags} + + +%install +rm -rf %{buildroot} + +make install DESTDIR=%{buildroot} INSTALL="install -p" +find %{buildroot} -name '*.la' -exec rm -f {} + + +# clean things up a bit for packaging +( cd example && make clean ) +rm -rf example/simple/.deps +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + + +%check +(cd tests && make check) + +%clean +rm -rf %{buildroot} + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + + +%files +%defattr(-,root,root,-) +%doc AUTHORS ChangeLog COPYING README NEWS +%{_libdir}/*.so.* + +%files docs +%defattr(-,root,root,-) +%doc COPYING HACKING example/ +%{_mandir}/man?/* + +%files devel +%defattr(-,root,root,-) +%doc COPYING +%{_includedir}/* +%{_libdir}/*.so + +%changelog +* Tue Nov 27 2007 Chris Weyl 0.18-4 +- add INSTALL arg to make install vs env. var + +* Mon Nov 26 2007 Chris Weyl 0.18-3 +- run tests; don't package test + +* Sun Nov 18 2007 Chris Weyl 0.18-2 +- split docs into -docs (they seemed... large.) + +* Tue Nov 13 2007 Chris Weyl 0.18-1 +- update to 0.18 + +* Sun Oct 14 2007 Chris Weyl 0.17-1 +- update to 0.17 +- many spec file changes + +* Wed May 23 2007 Sindre Pedersen Bjørdal - 0.15-0.2.20070506 +- Fix release tag +- Move manpages to -devel package +- Add Examples dir to -devel package + +* Sun May 06 2007 Sindre Pedersen Bjørdal - 0.15-0.20070506.1 +- Initial build diff --git a/sources b/sources index e69de29..d331369 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +5b9c83660aa4d1821ff2c05838e77e9d libssh2-0.18.tar.gz From ca69061c5b1e57d3781366733f118c9c9cb1274e Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Wed, 28 Nov 2007 01:25:14 +0000 Subject: [PATCH 02/93] release bump --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 18dc39d..ecaa73e 100644 
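Review bot: `Source0` points at a plain `http://` download, and the only integrity pin this commit records is the MD5 line added to `sources`, so nothing in the spec ties the build input to anything the upstream authors signed. MD5 is not collision-resistant, so that line guards against accidental corruption rather than a substituted tarball. I would add a comment above `Source0` saying how the tarball was checked before upload, for example `# tarball verified against upstream signature <SIGNATURE-FILE> before upload`, and carry the signature as an extra source if upstream publishes one. The later `Source0:` change to `http://libssh2.org/download/` has the same gap.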
--- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 0.18 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Tue Nov 27 2007 Chris Weyl 0.18-5 +- bump + * Tue Nov 27 2007 Chris Weyl 0.18-4 - add INSTALL arg to make install vs env. var From a74497a268e4e51c29869323fa4bcc895a566393 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Wed, 5 Dec 2007 17:46:05 +0000 Subject: [PATCH 03/93] - rebuild for new openssl... --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index ecaa73e..66b9965 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 0.18 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Wed Dec 05 2007 Chris Weyl 0.18-6 +- rebuild for new openssl... + * Tue Nov 27 2007 Chris Weyl 0.18-5 - bump From 25724311d273700f5eded0ec7c4620da0af0de5a Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Mon, 18 Feb 2008 23:06:21 +0000 Subject: [PATCH 04/93] - Autorebuild for GCC 4.3 --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 66b9965..4a0ba18 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 0.18 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Mon Feb 18 2008 Fedora Release Engineering - 0.18-7 +- Autorebuild for GCC 4.3 + * Wed Dec 05 2007 Chris Weyl 0.18-6 - rebuild for new openssl... From 5bb5071a6b7de929e3448994d3c17cb55214c802 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Sat, 17 Jan 2009 14:32:48 +0000 Subject: [PATCH 05/93] - rebuild with new openssl --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 4a0ba18..69fdfa8 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 0.18 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Sat Jan 17 2009 Tomas Mraz - 0.18-8 +- rebuild with new openssl + * Mon Feb 18 2008 Fedora Release Engineering - 0.18-7 - Autorebuild for GCC 4.3 From 5f58f793d1bc07196dc91e27b2e92e62a9a6b8d0 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Tue, 17 Feb 2009 04:43:59 +0000 Subject: [PATCH 06/93] - update to 1.0 --- .cvsignore | 8 +++++++- libssh2.spec | 7 +++++-- sources | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.cvsignore b/.cvsignore index 082a13e..07a28be 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,7 @@ -libssh2-0.18.tar.gz +libssh2-1.0.tar.gz +libssh2* +*.gz +*.tar +*.rpm +x86_64 +.build* diff --git a/libssh2.spec b/libssh2.spec index 69fdfa8..dadd746 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 -Version: 0.18 -Release: 8%{?dist} +Version: 1.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Mon Feb 16 2009 Chris Weyl 1.0-1 +- update to 1.0 + * Sat Jan 17 2009 Tomas Mraz - 0.18-8 - rebuild with new openssl diff --git a/sources b/sources index d331369..1cedd91 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -5b9c83660aa4d1821ff2c05838e77e9d libssh2-0.18.tar.gz +c3602adae912702ba9cbefbe813b7b5b libssh2-1.0.tar.gz From ea10ac360145de3af833ae1db2964fe49d51f6d1 Mon Sep 17 00:00:00 2001 
From: Jesse Keating Date: Wed, 25 Feb 2009 19:06:30 +0000 Subject: [PATCH 07/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index dadd746..8fadd8d 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Wed Feb 25 2009 Fedora Release Engineering - 1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + * Mon Feb 16 2009 Chris Weyl 1.0-1 - update to 1.0 From b0c32672a95637c80e01b0955883f52e1ce226ad Mon Sep 17 00:00:00 2001 From: Jesse Keating Date: Sat, 25 Jul 2009 08:41:56 +0000 Subject: [PATCH 08/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 8fadd8d..20e1336 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Sat Jul 25 2009 Fedora Release Engineering - 1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + * Wed Feb 25 2009 Fedora Release Engineering - 1.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild From 8eb74aa2fe88328634abb4c5b2edc637325ff2cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Fri, 21 Aug 2009 14:22:18 +0000 Subject: [PATCH 09/93] - rebuilt with new openssl --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 20e1336..0b46981 100644 --- a/libssh2.spec 
+++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,6 +93,9 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Fri Aug 21 2009 Tomas Mraz - 1.0-4 +- rebuilt with new openssl + * Sat Jul 25 2009 Fedora Release Engineering - 1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild From 6b0d8a15fe4882641de6b5d29ed878ba7a9fe8d1 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Tue, 22 Sep 2009 03:56:35 +0000 Subject: [PATCH 10/93] - patch based on 683aa0f6b52fb1014873c961709102b5006372fc - disable tests (*sigh*) --- .cvsignore | 8 +------- libssh2.spec | 19 +++++++++++++++---- sources | 2 +- transport_c_7a9d369.patch | 13 +++++++++++++ 4 files changed, 30 insertions(+), 12 deletions(-) create mode 100644 transport_c_7a9d369.patch diff --git a/.cvsignore b/.cvsignore index 07a28be..52f6e48 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,7 +1 @@ -libssh2-1.0.tar.gz -libssh2* -*.gz -*.tar -*.rpm -x86_64 -.build* +libssh2-1.2.tar.gz diff --git a/libssh2.spec b/libssh2.spec index 0b46981..380e41d 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,14 +1,16 @@ Name: libssh2 -Version: 1.0 -Release: 4%{?dist} +Version: 1.2 +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ -Source0: http://downloads.sourceforge.net/libssh2/%{name}-%{version}.tar.gz +Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Patch0: transport_c_7a9d369.patch + BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -40,6 +42,7 @@ developing applications that use %{name}. %prep %setup -q +%patch0 -p1 # make sure things are UTF-8... for i in ChangeLog NEWS ; do 
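Review bot: `Patch0: transport_c_7a9d369.patch` is added with no comment saying where the patch comes from, and the two identifiers in this commit disagree. The file name carries `7a9d369`, while the changelog entry says the patch is based on `683aa0f6b52fb1014873c961709102b5006372fc`. A one-line comment above `Patch0` would let a later packager check the patch against upstream and know when to drop it, e.g. `# based on upstream commit 683aa0f6b52fb1014873c961709102b5006372fc`. The patch file itself has no header, so the same provenance line would be useful at its top.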
@@ -65,7 +68,8 @@ rm -rf example/simple/.deps find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + %check -(cd tests && make check) +# tests are currently not doing so well under rpmbuild +#(cd tests && make check) %clean rm -rf %{buildroot} @@ -93,6 +97,13 @@ rm -rf %{buildroot} %{_libdir}/*.so %changelog +* Mon Sep 21 2009 Chris Weyl 1.2-2 +- patch based on 683aa0f6b52fb1014873c961709102b5006372fc +- disable tests (*sigh*) + +* Tue Aug 25 2009 Chris Weyl 1.2-1 +- update to 1.2 + * Fri Aug 21 2009 Tomas Mraz - 1.0-4 - rebuilt with new openssl diff --git a/sources b/sources index 1cedd91..71db5eb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c3602adae912702ba9cbefbe813b7b5b libssh2-1.0.tar.gz +751f4b5b5d8091f84cfe25fa52226cf9 libssh2-1.2.tar.gz diff --git a/transport_c_7a9d369.patch b/transport_c_7a9d369.patch new file mode 100644 index 0000000..d642991 --- /dev/null +++ b/transport_c_7a9d369.patch @@ -0,0 +1,13 @@ +diff --git a/src/transport.c b/src/transport.c +index 19efdf2..d9a38ca 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -626,7 +626,7 @@ send_existing(LIBSSH2_SESSION * session, unsigned char *data, + + p->osent += rc; /* we sent away this much data */ + +- return PACKET_NONE; ++ return p->osent < data_len ? PACKET_EAGAIN : PACKET_NONE; + } + + /* From afda1f6ba610e51b9a11d073c1c7322fbe10fa78 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Wed, 25 Nov 2009 23:51:18 +0000 Subject: [PATCH 11/93] Fix typo that causes a failure to update the common directory. (releng #2781) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index eed16c6..320eebd 100644 --- a/Makefile +++ b/Makefile 
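Review bot: Commenting out `(cd tests && make check)` in `%check` means the first build that carries `Patch0` runs no tests at all, although that patch changes what `send_existing()` returns after a partial send. The new comment says only that the tests are "not doing so well under rpmbuild", without naming the failing test or the reason. If a single test is at fault, it would be safer to skip only that one and keep the rest of `make check`. Otherwise record the cause so the suite is re-enabled later, e.g. `# FIXME: <failing test> fails under rpmbuild (<reason>); re-enable when fixed`.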
@@ -1,10 +1,10 @@ # Makefile for source rpm: libssh2 -# $Id$ +# $Id: Makefile,v 1.1 2007/11/27 20:15:45 kevin Exp $ NAME := libssh2 SPECFILE = $(firstword $(wildcard *.spec)) define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done endef MAKEFILE_COMMON := $(shell $(find-makefile-common)) From 82f313cfa1593d30d23386a365d146b4ce2db938 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Thu, 14 Jan 2010 16:22:26 +0000 Subject: [PATCH 12/93] - trim trailing spaces --- libssh2.spec | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 380e41d..93d4666 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,18 +1,18 @@ Name: libssh2 -Version: 1.2 +Version: 1.2 Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ -Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz +Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0: transport_c_7a9d369.patch BuildRequires: openssl-devel -BuildRequires: zlib-devel +BuildRequires: zlib-devel %description libssh2 is a library implementing the SSH2 protocol as defined by @@ -30,7 +30,7 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains libraries and header files for developing applications that use %{name}. -%package docs +%package docs Summary: Documentation for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} 
@@ -60,15 +60,15 @@ make %{?_smp_mflags} rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} + +find %{buildroot} -name '*.la' -exec rm -f {} + # clean things up a bit for packaging ( cd example && make clean ) -rm -rf example/simple/.deps +rm -rf example/simple/.deps find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + %check -# tests are currently not doing so well under rpmbuild +# tests are currently not doing so well under rpmbuild #(cd tests && make check) %clean @@ -92,7 +92,7 @@ rm -rf %{buildroot} %files devel %defattr(-,root,root,-) -%doc COPYING +%doc COPYING %{_includedir}/* %{_libdir}/*.so From 3265846cad4e4eac8f3c80209ced4f82be9479c4 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Thu, 14 Jan 2010 17:14:53 +0000 Subject: [PATCH 13/93] - update to 1.2.2 - drop old patch now in upstream - add new pkgconfig file to -devel --- .cvsignore | 2 +- libssh2.spec | 16 ++++++++++------ sources | 2 +- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.cvsignore b/.cvsignore index 52f6e48..4d467a1 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -libssh2-1.2.tar.gz +libssh2-1.2.2.tar.gz diff --git a/libssh2.spec b/libssh2.spec index 93d4666..b97c8d4 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,16 +1,14 @@ Name: libssh2 -Version: 1.2 -Release: 2%{?dist} +Version: 1.2.2 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD -URL: http://www.libssh2.org/ +URL: http://www.libssh2.org Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Patch0: transport_c_7a9d369.patch - BuildRequires: openssl-devel BuildRequires: zlib-devel 
@@ -34,6 +32,7 @@ developing applications that use %{name}. Summary: Documentation for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} +Requires: pkgconfig %description docs The %{name}-docs package contains man pages and examples for @@ -42,7 +41,6 @@ developing applications that use %{name}. %prep %setup -q -%patch0 -p1 # make sure things are UTF-8... for i in ChangeLog NEWS ; do @@ -95,8 +93,14 @@ rm -rf %{buildroot} %doc COPYING %{_includedir}/* %{_libdir}/*.so +%{_libdir}pkgconfig/* %changelog +* Thu Jan 14 2010 Chris Weyl 1.2.2-1 +- update to 1.2.2 +- drop old patch now in upstream +- add new pkgconfig file to -devel + * Mon Sep 21 2009 Chris Weyl 1.2-2 - patch based on 683aa0f6b52fb1014873c961709102b5006372fc - disable tests (*sigh*) diff --git a/sources b/sources index 71db5eb..9919209 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -751f4b5b5d8091f84cfe25fa52226cf9 libssh2-1.2.tar.gz +fa8d9cd425bdd62f57244fc61fb54da7 libssh2-1.2.2.tar.gz From 43585348ef97d069eba6babdc09cbea3201c0c87 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Thu, 14 Jan 2010 17:21:15 +0000 Subject: [PATCH 14/93] - correct bad file entry under -devel --- libssh2.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index b97c8d4..7e913b3 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.2.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -93,9 +93,12 @@ rm -rf %{buildroot} %doc COPYING %{_includedir}/* %{_libdir}/*.so -%{_libdir}pkgconfig/* +%{_libdir}/pkgconfig/* %changelog +* Thu Jan 14 2010 Chris Weyl 1.2.2-2 +- correct bad file entry under -devel + * Thu Jan 14 2010 Chris Weyl 1.2.2-1 - update to 1.2.2 - drop old patch now in upstream From 8d25ddbae1426b127be51f30eccc05a4e6aea60a Mon Sep 17 00:00:00 2001 
From: Chris Weyl Date: Tue, 19 Jan 2010 05:34:11 +0000 Subject: [PATCH 15/93] - patch w/1aba38cd7d2658146675ce1737e5090f879f306; not yet in a GA release --- libssh2-1.2.2-padding.patch | 117 ++++++++++++++++++++++++++++++++++++ libssh2.spec | 9 ++- 2 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.2.2-padding.patch diff --git a/libssh2-1.2.2-padding.patch b/libssh2-1.2.2-padding.patch new file mode 100644 index 0000000..127ad9d --- /dev/null +++ b/libssh2-1.2.2-padding.patch 
@@ -0,0 +1,117 @@ +commit 1aba38cd7d2658146675ce1737e5090f879f3068 +Author: Peter Stuge +Date: Sun Dec 6 07:20:58 2009 +0100 + + Fix padding in ssh-dss signature blob encoding + + DSA signatures consist of two 160-bit integers called r and s. In ssh-dss + signature blobs r and s are stored directly after each other in binary + representation, making up a 320-bit (40 byte) string. (See RFC4253 p14.) + + The crypto wrappers in libssh2 would either pack r and s incorrectly, or + fail, when at least one integer was small enough to be stored in 19 bytes + or less. + + The patch ensures that r and s are always stored as two 160 bit numbers. + +diff --git a/src/libgcrypt.c b/src/libgcrypt.c +index ba00284..b06be42 100644 +--- a/src/libgcrypt.c ++++ b/src/libgcrypt.c +@@ -424,6 +424,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + return -1; + } + ++ memset(sig, 0, 40); ++ + /* Extract R. */ + + data = gcry_sexp_find_token(sig_sexp, "r", 0); +@@ -433,22 +435,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + } + + tmp = gcry_sexp_nth_data(data, 1, &size); +- if (!tmp) { +- ret = -1; +- goto out; +- } +- +- if (tmp[0] == '\0') { +- tmp++; +- size--; +- } +- +- if (size != 20) { ++ if (!tmp || size < 1 || size > 20) { + ret = -1; + goto out; + } + +- memcpy(sig, tmp, 20); ++ memcpy(sig + (20 - size), tmp, size); + + gcry_sexp_release(data); + +@@ -461,22 +453,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + } + + tmp = gcry_sexp_nth_data(data, 1, &size); +- if (!tmp) { +- ret = -1; +- goto out; +- } +- +- if (tmp[0] == '\0') { +- tmp++; +- size--; +- } +- +- if (size != 20) { ++ if (!tmp || size < 1 || size > 20) { + ret = -1; + goto out; + } + +- memcpy(sig + 20, tmp, 20); ++ memcpy(sig + 20 + (20 - size), tmp, size); + + ret = 0; + out: +diff --git a/src/openssl.c b/src/openssl.c +index 250ea63..000c9ec 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -420,7 +420,7 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + unsigned long hash_len, 
unsigned char *signature) + { + DSA_SIG *sig; +- int r_len, s_len, rs_pad; ++ int r_len, s_len; + (void) hash_len; + + sig = DSA_do_sign(hash, SHA_DIGEST_LENGTH, dsactx); +@@ -429,15 +429,20 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + } + + r_len = BN_num_bytes(sig->r); ++ if (r_len < 1 || r_len > 20) { ++ DSA_SIG_free(sig); ++ return -1; ++ } + s_len = BN_num_bytes(sig->s); +- rs_pad = (2 * SHA_DIGEST_LENGTH) - (r_len + s_len); +- if (rs_pad < 0) { ++ if (s_len < 1 || s_len > 20) { + DSA_SIG_free(sig); + return -1; + } + +- BN_bn2bin(sig->r, signature + rs_pad); +- BN_bn2bin(sig->s, signature + rs_pad + r_len); ++ memset(signature, 0, 40); ++ ++ BN_bn2bin(sig->r, signature + (20 - r_len)); ++ BN_bn2bin(sig->s, signature + 20 + (20 - s_len)); + + DSA_SIG_free(sig); + diff --git a/libssh2.spec b/libssh2.spec index 7e913b3..250323a 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.2.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -9,6 +9,9 @@ URL: http://www.libssh2.org Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +# aka commit 1aba38cd7d2658146675ce1737e5090f879f306 +Patch0: libssh2-1.2.2-padding.patch + BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -41,6 +44,7 @@ developing applications that use %{name}. %prep %setup -q +%patch0 -p1 # make sure things are UTF-8... for i in ChangeLog NEWS ; do @@ -96,6 +100,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Mon Jan 18 2010 Chris Weyl 1.2.2-3 +- patch w/1aba38cd7d2658146675ce1737e5090f879f306; not yet in a GA release + * Thu Jan 14 2010 Chris Weyl 1.2.2-2 - correct bad file entry under -devel From ce5ce38efe6f5d8b727061b8e2d750986f4927d0 Mon Sep 17 00:00:00 2001 
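Review bot: In the `src/libgcrypt.c` part of the embedded patch, both the R and the S extraction drop the old `if (tmp[0] == '\0') { tmp++; size--; }` step and go straight to `if (!tmp || size < 1 || size > 20)`. If `gcry_sexp_nth_data()` can return the value with a leading zero byte, as the removed branch assumed, a full 160-bit r or s arrives as 21 bytes and is now rejected with `ret = -1` instead of being packed. Keeping the strip after the NULL check and before the range check would cover both the short and the zero-prefixed case. The `src/openssl.c` part uses `BN_num_bytes()` and does not have this problem. Separately, the literals `20` and `40` there could be written as `SHA_DIGEST_LENGTH` and `2 * SHA_DIGEST_LENGTH`, as the removed `rs_pad` line did. Both functions continue outside the quoted hunks.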
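Review bot: The commit id in the `# aka commit` comment above `Patch0`, and again in the new changelog entry, is one character short. The header of `libssh2-1.2.2-padding.patch` gives `1aba38cd7d2658146675ce1737e5090f879f3068`, while both spec lines end in `...f306`. Since that comment is the only provenance record for a patch touching signature encoding, it should carry the full id: `# aka commit 1aba38cd7d2658146675ce1737e5090f879f3068`.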
From: Chris Weyl Date: Tue, 19 Jan 2010 06:18:57 +0000 Subject: [PATCH 16/93] - enable tests; conditionalize sshd test, which fails with a funky SElinux error when run locally --- libssh2.spec | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 250323a..a56cba6 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.2.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -15,6 +15,9 @@ Patch0: libssh2-1.2.2-padding.patch BuildRequires: openssl-devel BuildRequires: zlib-devel +# tests +BuildRequires: openssh-server + %description libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), @@ -70,8 +73,9 @@ rm -rf example/simple/.deps find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + %check -# tests are currently not doing so well under rpmbuild -#(cd tests && make check) +# sshd/loopback test fails under local build, with selinux enforcing +%{?_without_sshd_tests:echo "Skipping sshd tests" ; echo "exit 0" > tests/ssh2.sh } +(cd tests && make check) %clean rm -rf %{buildroot} @@ -100,6 +104,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Mon Jan 18 2010 Chris Weyl 1.2.2-4 +- enable tests; conditionalize sshd test, which fails with a funky SElinux + error when run locally + * Mon Jan 18 2010 Chris Weyl 1.2.2-3 - patch w/1aba38cd7d2658146675ce1737e5090f879f306; not yet in a GA release From e9dc94c445de0e0a77f0077e2b3e2b384c501ac9 Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Wed, 20 Jan 2010 17:44:18 +0000 Subject: [PATCH 17/93] - pkgconfig dep should be with -devel, not -docs --- libssh2.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index a56cba6..ed4ecc5 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -1,6 +1,6 @@ Name: libssh2 Version: 1.2.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -29,6 +29,7 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). Summary: Development files for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} +Requires: pkgconfig %description devel The %{name}-devel package contains libraries and header files for @@ -38,7 +39,6 @@ developing applications that use %{name}. Summary: Documentation for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} -Requires: pkgconfig %description docs The %{name}-docs package contains man pages and examples for @@ -104,6 +104,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Wed Jan 20 2010 Chris Weyl 1.2.2-5 +- pkgconfig dep should be with -devel, not -docs + * Mon Jan 18 2010 Chris Weyl 1.2.2-4 - enable tests; conditionalize sshd test, which fails with a funky SElinux error when run locally From 92c18b1937d920c38a2b27e7e14485bf0417436b Mon Sep 17 00:00:00 2001 From: Chris Weyl Date: Sat, 13 Mar 2010 05:15:12 +0000 Subject: [PATCH 18/93] - update to 1.2.4 - drop old patch0 - be more aggressive about keeping .deps from intruding into -docs --- .cvsignore | 2 +- libssh2-1.2.2-padding.patch | 117 ------------------------------------ libssh2.spec | 15 ++--- sources | 2 +- 4 files changed, 10 insertions(+), 126 deletions(-) delete mode 100644 libssh2-1.2.2-padding.patch diff --git a/.cvsignore b/.cvsignore index 4d467a1..99b391f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -libssh2-1.2.2.tar.gz +libssh2-1.2.4.tar.gz diff --git a/libssh2-1.2.2-padding.patch b/libssh2-1.2.2-padding.patch deleted file mode 100644 index 127ad9d..0000000 --- a/libssh2-1.2.2-padding.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -commit 1aba38cd7d2658146675ce1737e5090f879f3068 -Author: Peter Stuge -Date: Sun Dec 6 07:20:58 2009 +0100 - - Fix padding in ssh-dss signature blob encoding - - DSA signatures consist of two 160-bit integers called r and s. In ssh-dss - signature blobs r and s are stored directly after each other in binary - representation, making up a 320-bit (40 byte) string. (See RFC4253 p14.) - - The crypto wrappers in libssh2 would either pack r and s incorrectly, or - fail, when at least one integer was small enough to be stored in 19 bytes - or less. - - The patch ensures that r and s are always stored as two 160 bit numbers. - -diff --git a/src/libgcrypt.c b/src/libgcrypt.c -index ba00284..b06be42 100644 ---- a/src/libgcrypt.c -+++ b/src/libgcrypt.c -@@ -424,6 +424,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - return -1; - } - -+ memset(sig, 0, 40); -+ - /* Extract R. */ - - data = gcry_sexp_find_token(sig_sexp, "r", 0); -@@ -433,22 +435,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - } - - tmp = gcry_sexp_nth_data(data, 1, &size); -- if (!tmp) { -- ret = -1; -- goto out; -- } -- -- if (tmp[0] == '\0') { -- tmp++; -- size--; -- } -- -- if (size != 20) { -+ if (!tmp || size < 1 || size > 20) { - ret = -1; - goto out; - } - -- memcpy(sig, tmp, 20); -+ memcpy(sig + (20 - size), tmp, size); - - gcry_sexp_release(data); - -@@ -461,22 +453,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - } - - tmp = gcry_sexp_nth_data(data, 1, &size); -- if (!tmp) { -- ret = -1; -- goto out; -- } -- -- if (tmp[0] == '\0') { -- tmp++; -- size--; -- } -- -- if (size != 20) { -+ if (!tmp || size < 1 || size > 20) { - ret = -1; - goto out; - } - -- memcpy(sig + 20, tmp, 20); -+ memcpy(sig + 20 + (20 - size), tmp, size); - - ret = 0; - out: -diff --git a/src/openssl.c b/src/openssl.c -index 250ea63..000c9ec 100644 ---- a/src/openssl.c -+++ b/src/openssl.c -@@ -420,7 +420,7 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - unsigned long hash_len, 
unsigned char *signature) - { - DSA_SIG *sig; -- int r_len, s_len, rs_pad; -+ int r_len, s_len; - (void) hash_len; - - sig = DSA_do_sign(hash, SHA_DIGEST_LENGTH, dsactx); -@@ -429,15 +429,20 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - } - - r_len = BN_num_bytes(sig->r); -+ if (r_len < 1 || r_len > 20) { -+ DSA_SIG_free(sig); -+ return -1; -+ } - s_len = BN_num_bytes(sig->s); -- rs_pad = (2 * SHA_DIGEST_LENGTH) - (r_len + s_len); -- if (rs_pad < 0) { -+ if (s_len < 1 || s_len > 20) { - DSA_SIG_free(sig); - return -1; - } - -- BN_bn2bin(sig->r, signature + rs_pad); -- BN_bn2bin(sig->s, signature + rs_pad + r_len); -+ memset(signature, 0, 40); -+ -+ BN_bn2bin(sig->r, signature + (20 - r_len)); -+ BN_bn2bin(sig->s, signature + 20 + (20 - s_len)); - - DSA_SIG_free(sig); - diff --git a/libssh2.spec b/libssh2.spec index ed4ecc5..15347de 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 -Version: 1.2.2 -Release: 5%{?dist} +Version: 1.2.4 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -9,9 +9,6 @@ URL: http://www.libssh2.org Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -# aka commit 1aba38cd7d2658146675ce1737e5090f879f306 -Patch0: libssh2-1.2.2-padding.patch - BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -47,7 +44,6 @@ developing applications that use %{name}. %prep %setup -q -%patch0 -p1 # make sure things are UTF-8... for i in ChangeLog NEWS ; do @@ -69,7 +65,7 @@ find %{buildroot} -name '*.la' -exec rm -f {} + # clean things up a bit for packaging ( cd example && make clean ) -rm -rf example/simple/.deps +find example/ -type d -name .deps -exec rm -rf {} + find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + %check 
@@ -104,6 +100,11 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Fri Mar 12 2010 Chris Weyl 1.2.4-1 +- update to 1.2.4 +- drop old patch0 +- be more aggressive about keeping .deps from intruding into -docs + * Wed Jan 20 2010 Chris Weyl 1.2.2-5 - pkgconfig dep should be with -devel, not -docs diff --git a/sources b/sources index 9919209..9d21b2e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fa8d9cd425bdd62f57244fc61fb54da7 libssh2-1.2.2.tar.gz +4d65a66d5f232e5bb1d05b311e43d46d libssh2-1.2.4.tar.gz From a6bc831ff0073faf8ec574fb802563c5ddf9d365 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 28 Jul 2010 21:42:18 +0000 Subject: [PATCH 19/93] dist-git conversion --- .cvsignore => .gitignore | 0 Makefile | 21 --------------------- 2 files changed, 21 deletions(-) rename .cvsignore => .gitignore (100%) delete mode 100644 Makefile diff --git a/.cvsignore b/.gitignore similarity index 100% rename from .cvsignore rename to .gitignore diff --git a/Makefile b/Makefile deleted file mode 100644 index 320eebd..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: libssh2 -# $Id: Makefile,v 1.1 2007/11/27 20:15:45 kevin Exp $ -NAME := libssh2 -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) 
From 9936af47e13ef1a34b23bd83329468365dd54b5d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 12 Oct 2010 23:37:04 +0200 Subject: [PATCH 20/93] update to 1.2.7 (#632916) - avoid multilib conflict on libssh2-docs - avoid build failure in mock with SELinux in the enforcing mode (#558964) --- .gitignore | 1 + libssh2-1.2.7.tar.gz.asc | 7 +++++++ libssh2.spec | 15 ++++++++++++++- sources | 2 +- transport_c_7a9d369.patch | 13 ------------- 5 files changed, 23 insertions(+), 15 deletions(-) create mode 100644 libssh2-1.2.7.tar.gz.asc delete mode 100644 transport_c_7a9d369.patch diff --git a/.gitignore b/.gitignore index 99b391f..a4df282 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ libssh2-1.2.4.tar.gz +/libssh2-1.2.7.tar.gz diff --git a/libssh2-1.2.7.tar.gz.asc b/libssh2-1.2.7.tar.gz.asc new file mode 100644 index 0000000..1f761c0 --- /dev/null +++ b/libssh2-1.2.7.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iEYEABECAAYFAkxq+yUACgkQeOEcayedXJG20ACeMdXVfOb0uopARLRRxVdZ3y4/ +a5EAn2lxpeDn1L6JMtdYtJQT19hjfL1T +=eefQ +-----END PGP SIGNATURE----- diff --git a/libssh2.spec b/libssh2.spec index 15347de..dd4f16c 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,5 +1,5 @@ Name: libssh2 -Version: 1.2.4 +Version: 1.2.7 Release: 1%{?dist} Summary: A library implementing the SSH2 protocol @@ -51,6 +51,11 @@ for i in ChangeLog NEWS ; do mv new $i done +# make it possible to launch OpenSSH server for testing purposes +chcon -t initrc_exec_t tests/ssh2.sh || : +chcon -Rt etc_t tests/etc || : +chcon -t sshd_key_t tests/etc/{host,user} || : + %build %configure --disable-static --enable-shared 
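Review bot: The detached signature `libssh2-1.2.7.tar.gz.asc` is committed here, but none of the `libssh2.spec` hunks in this commit list it as a source or check the tarball against it. As shown, the only integrity reference for the new tarball is the MD5 line in `sources`, so the signature is not used by the build. I would list it in the spec as `Source1: libssh2-%{version}.tar.gz.asc` and verify it at the start of `%prep`, before `%setup`, with something like `gpgv --keyring <UPSTREAM_KEYRING> %{SOURCE1} %{SOURCE0}`. The keyring placeholder stands for the upstream release key, which would be shipped as a further source.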
@@ -68,6 +73,9 @@ find %{buildroot} -name '*.la' -exec rm -f {} + find example/ -type d -name .deps -exec rm -rf {} + find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + +# avoid multilib conflict on libssh2-docs +mv -v example/Makefile example/Makefile.%{_arch} + %check # sshd/loopback test fails under local build, with selinux enforcing %{?_without_sshd_tests:echo "Skipping sshd tests" ; echo "exit 0" > tests/ssh2.sh } @@ -100,6 +108,11 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Tue Oct 12 2010 Kamil Dudka 1.2.7-1 +- update to 1.2.7 (#632916) +- avoid multilib conflict on libssh2-docs +- avoid build failure in mock with SELinux in the enforcing mode (#558964) + * Fri Mar 12 2010 Chris Weyl 1.2.4-1 - update to 1.2.4 - drop old patch0 diff --git a/sources b/sources index 9d21b2e..5fa0b4e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4d65a66d5f232e5bb1d05b311e43d46d libssh2-1.2.4.tar.gz +a5d78344886f1282e4008c09bf568076 libssh2-1.2.7.tar.gz diff --git a/transport_c_7a9d369.patch b/transport_c_7a9d369.patch deleted file mode 100644 index d642991..0000000 --- a/transport_c_7a9d369.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/transport.c b/src/transport.c -index 19efdf2..d9a38ca 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -626,7 +626,7 @@ send_existing(LIBSSH2_SESSION * session, unsigned char *data, - - p->osent += rc; /* we sent away this much data */ - -- return PACKET_NONE; -+ return p->osent < data_len ? PACKET_EAGAIN : PACKET_NONE; - } - - /* From d8deb37f038c028f00b7df3ad619f309e357cbe0 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 25 Jun 2011 08:20:10 -0500 Subject: [PATCH 21/93] sshd/loopback test fails in the sparc buildsystem --- libssh2.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index dd4f16c..4e102d5 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -1,6 +1,6 @@ Name: libssh2 Version: 1.2.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -79,6 +79,10 @@ mv -v example/Makefile example/Makefile.%{_arch} %check # sshd/loopback test fails under local build, with selinux enforcing %{?_without_sshd_tests:echo "Skipping sshd tests" ; echo "exit 0" > tests/ssh2.sh } +# sshd/loopback test fails in the sparc buildsystem +%ifarch %{sparc} +echo "exit 0" > tests/ssh2.sh +%endif (cd tests && make check) %clean @@ -108,6 +112,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Sat Jun 25 2011 Dennis Gilmore - 1.2.7-2 +- sshd/loopback test fails in the sparc buildsystem + * Tue Oct 12 2010 Kamil Dudka 1.2.7-1 - update to 1.2.7 (#632916) - avoid multilib conflict on libssh2-docs From 13e3a891a5735adc8432dab740e18c5daddcb445 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 8 Sep 2011 11:14:41 +0200 Subject: [PATCH 22/93] update to 1.3.0 --- .gitignore | 3 +-- libssh2-1.2.7.tar.gz.asc | 7 ------- libssh2-1.3.0.tar.gz.asc | 7 +++++++ libssh2.spec | 7 +++++-- sources | 2 +- 5 files changed, 14 insertions(+), 12 deletions(-) delete mode 100644 libssh2-1.2.7.tar.gz.asc create mode 100644 libssh2-1.3.0.tar.gz.asc diff --git a/.gitignore b/.gitignore index a4df282..8846a13 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -libssh2-1.2.4.tar.gz -/libssh2-1.2.7.tar.gz +/libssh2-1.3.0.tar.gz diff --git a/libssh2-1.2.7.tar.gz.asc b/libssh2-1.2.7.tar.gz.asc deleted file mode 100644 index 1f761c0..0000000 --- a/libssh2-1.2.7.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.10 (GNU/Linux) - -iEYEABECAAYFAkxq+yUACgkQeOEcayedXJG20ACeMdXVfOb0uopARLRRxVdZ3y4/ -a5EAn2lxpeDn1L6JMtdYtJQT19hjfL1T -=eefQ ------END PGP SIGNATURE----- diff --git a/libssh2-1.3.0.tar.gz.asc b/libssh2-1.3.0.tar.gz.asc new file mode 100644 index 0000000..0de0e44 --- /dev/null +++ b/libssh2-1.3.0.tar.gz.asc 
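Review bot: In the `%check` hunk of the sparc commit, `echo "exit 0" > tests/ssh2.sh` replaces the test script, so `make check` reports success on sparc without the sshd/loopback test having run. Unlike the `_without_sshd_tests` line just above it, this branch prints nothing, so the build log does not show that the test was skipped. I would add `echo "Skipping sshd tests on sparc"` before the overwrite so that a reader of the log can tell a skipped test from a passing one.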
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEABECAAYFAk5miSYACgkQeOEcayedXJH3swCg6URaVPa2VvmUISM7KrLAbyfw +aqYAoJxpmM0XY9HYqrMqmtH2uYNbpJyL +=yCYe +-----END PGP SIGNATURE----- diff --git a/libssh2.spec b/libssh2.spec index 4e102d5..406ef11 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 -Version: 1.2.7 -Release: 2%{?dist} +Version: 1.3.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -112,6 +112,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Thu Sep 08 2011 Kamil Dudka 1.3.0-1 +- update to 1.3.0 + * Sat Jun 25 2011 Dennis Gilmore - 1.2.7-2 - sshd/loopback test fails in the sparc buildsystem diff --git a/sources b/sources index 5fa0b4e..05b2d34 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -a5d78344886f1282e4008c09bf568076 libssh2-1.2.7.tar.gz +6425331899ccf1015f1ed79448cb4709 libssh2-1.3.0.tar.gz From b46de2ab55812a3cae860c66c84cf6348fbe5c20 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Fri, 13 Jan 2012 02:29:01 -0600 Subject: [PATCH 23/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 406ef11..e967115 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.3.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -112,6 +112,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/* %changelog +* Fri Jan 13 2012 Fedora Release Engineering - 1.3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + * Thu Sep 08 2011 Kamil Dudka 1.3.0-1 - update to 1.3.0 From edbbfd779a6b589cab2c106707ae99724b22c72b Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Fri, 13 Jan 2012 16:01:35 +0000 Subject: [PATCH 24/93] Spec clean-up - make docs package noarch where possible - use patch rather than scripted iconv to fix character encoding - don't make assumptions about SELinux context types used for the ssh server in the test suite - skip the ssh test if /dev/tty isn't present, as in some versions of mock - make the %files list more explicit --- libssh2-1.2.9-utf8.patch | 11 ++++ libssh2.spec | 115 +++++++++++++++++++++++---------------- 2 files changed, 80 insertions(+), 46 deletions(-) create mode 100644 libssh2-1.2.9-utf8.patch diff --git a/libssh2-1.2.9-utf8.patch b/libssh2-1.2.9-utf8.patch new file mode 100644 index 0000000..b41f6a2 --- /dev/null +++ b/libssh2-1.2.9-utf8.patch @@ -0,0 +1,11 @@ +--- libssh2/NEWS ++++ libssh2/NEWS +@@ -2507,7 +2507,7 @@ + - support arcfour128 cipher per RFC 4345 + + Daniel Stenberg (21 Oct 2009) +-- [Cristian Rodríguez brought this change] ++- [Cristian Rodríguez brought this change] + + add support for GCC visibility features + diff --git a/libssh2.spec b/libssh2.spec index e967115..ff49d36 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -1,19 +1,34 @@ +# Fedora 10 onwards support noarch subpackages; by using one, we can +# put the arch-independent docs in a common subpackage and save lots +# of space on the mirrors +%if 0%{?fedora} > 9 || 0%{?rhel} > 5 +%global noarch_docs_package 1 +%else +%global noarch_docs_package 0 +%endif + Name: libssh2 Version: 1.3.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol - Group: System Environment/Libraries License: BSD -URL: http://www.libssh2.org +URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - +Patch0: libssh2-1.2.9-utf8.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel -# tests +# Test suite requirements - we run the OpenSSH server and try to connect to it BuildRequires: openssh-server +# We use matchpathcon to get the correct SELinux context for the ssh server +# initialization script so that it can transition correctly in an SELinux +# environment; matchpathcon is only available from FC-4 and moved from the +# libselinux to libselinux-utils package in F-10 +%if 0%{?fedora} >= 4 || 0%{?rhel} >= 5 +BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted +%endif %description libssh2 is a library implementing the SSH2 protocol as defined by 
@@ -21,104 +36,112 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10). - %package devel -Summary: Development files for %{name} +Summary: Development files for libssh2 Group: Development/Libraries Requires: %{name} = %{version}-%{release} Requires: pkgconfig %description devel -The %{name}-devel package contains libraries and header files for -developing applications that use %{name}. +The libssh2-devel package contains libraries and header files for +developing applications that use libssh2. %package docs -Summary: Documentation for %{name} +Summary: Documentation for libssh2 Group: Development/Libraries Requires: %{name} = %{version}-%{release} +%if %{noarch_docs_package} +BuildArch: noarch +%endif %description docs -The %{name}-docs package contains man pages and examples for -developing applications that use %{name}. - +The libssh2-docs package contains man pages and examples for +developing applications that use libssh2. %prep %setup -q -# make sure things are UTF-8... -for i in ChangeLog NEWS ; do - iconv --from=ISO-8859-1 --to=UTF-8 $i > new - mv new $i -done +# Make sure things are UTF-8... 
+%patch0 -p1 -# make it possible to launch OpenSSH server for testing purposes -chcon -t initrc_exec_t tests/ssh2.sh || : -chcon -Rt etc_t tests/etc || : -chcon -t sshd_key_t tests/etc/{host,user} || : +# Make sshd transition appropriately if building in an SELinux environment +chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : +chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : +chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} || : %build %configure --disable-static --enable-shared - make %{?_smp_mflags} - %install rm -rf %{buildroot} - make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} + +find %{buildroot} -name '*.la' -exec rm -f {} \; # clean things up a bit for packaging -( cd example && make clean ) -find example/ -type d -name .deps -exec rm -rf {} + -find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} + +make -C example clean +rm -rf example/.deps +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; # avoid multilib conflict on libssh2-docs mv -v example/Makefile example/Makefile.%{_arch} %check -# sshd/loopback test fails under local build, with selinux enforcing -%{?_without_sshd_tests:echo "Skipping sshd tests" ; echo "exit 0" > tests/ssh2.sh } -# sshd/loopback test fails in the sparc buildsystem +# The SSH test will fail if we don't have /dev/tty, as is the case in some +# versions of mock (#672713) +if [ ! 
-c /dev/tty ]; then + echo Skipping SSH test due to missing /dev/tty + echo "exit 0" > tests/ssh2.sh +fi +# Apparently it fails in the sparc buildsystem too %ifarch %{sparc} +echo Skipping SSH test on sparc echo "exit 0" > tests/ssh2.sh %endif -(cd tests && make check) +make -C tests check %clean rm -rf %{buildroot} - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig - %files %defattr(-,root,root,-) %doc AUTHORS ChangeLog COPYING README NEWS -%{_libdir}/*.so.* +%{_libdir}/libssh2.so.1 +%{_libdir}/libssh2.so.1.* %files docs %defattr(-,root,root,-) -%doc COPYING HACKING example/ -%{_mandir}/man?/* +%doc HACKING example/ +%{_mandir}/man3/libssh2_*.3* %files devel %defattr(-,root,root,-) -%doc COPYING -%{_includedir}/* -%{_libdir}/*.so -%{_libdir}/pkgconfig/* +%{_includedir}/libssh2.h +%{_includedir}/libssh2_publickey.h +%{_includedir}/libssh2_sftp.h +%{_libdir}/libssh2.so +%{_libdir}/pkgconfig/libssh2.pc %changelog -* Fri Jan 13 2012 Fedora Release Engineering - 1.3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild +* Fri Jan 13 2012 Paul Howarth 1.3.0-3 +- make docs package noarch where possible +- use patch rather than scripted iconv to fix character encoding +- don't make assumptions about SELinux context types used for the ssh server + in the test suite +- skip the ssh test if /dev/tty isn't present, as in some versions of mock +- make the %%files list more explicit + +* Fri Jan 13 2012 Fedora Release Engineering 1.3.0-2 +- rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild * Thu Sep 08 2011 Kamil Dudka 1.3.0-1 - update to 1.3.0 -* Sat Jun 25 2011 Dennis Gilmore - 1.2.7-2 +* Sat Jun 25 2011 Dennis Gilmore 1.2.7-2 - sshd/loopback test fails in the sparc buildsystem * Tue Oct 12 2010 Kamil Dudka 1.2.7-1 From 2981c211dfc0c0012b5f1c9cc96fe837d42904fb Mon Sep 17 00:00:00 2001 
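Review bot: The three new `chcon $(/usr/sbin/matchpathcon -n …) … || :` lines in `%prep` run unconditionally, while the `BuildRequires: /usr/sbin/matchpathcon` added earlier in this commit sits inside `%if 0%{?fedora} >= 4 || 0%{?rhel} >= 5`. On a target where that condition is false, or where the lookup fails, the unquoted command substitution expands to nothing and `chcon` is called with the file path as its context argument. The `|| :` then hides the error, and the problem would presumably only surface later as an sshd test failure. I would wrap the three lines in `if [ -x /usr/sbin/matchpathcon ]; then … fi` and add a comment that labelling is best-effort and that `|| :` is deliberate for builds without SELinux.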
From: Paul Howarth Date: Fri, 13 Jan 2012 16:05:02 +0000 Subject: [PATCH 25/93] use tabs for indentation --- libssh2.spec | 57 ++++++++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index ff49d36..deeb613 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -7,27 +7,27 @@ %global noarch_docs_package 0 %endif -Name: libssh2 -Version: 1.3.0 -Release: 3%{?dist} -Summary: A library implementing the SSH2 protocol -Group: System Environment/Libraries -License: BSD -URL: http://www.libssh2.org/ -Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.2.9-utf8.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) -BuildRequires: openssl-devel -BuildRequires: zlib-devel +Name: libssh2 +Version: 1.3.0 +Release: 3%{?dist} +Summary: A library implementing the SSH2 protocol +Group: System Environment/Libraries +License: BSD +URL: http://www.libssh2.org/ +Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz +Patch0: libssh2-1.2.9-utf8.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +BuildRequires: openssl-devel +BuildRequires: zlib-devel # Test suite requirements - we run the OpenSSH server and try to connect to it -BuildRequires: openssh-server +BuildRequires: openssh-server # We use matchpathcon to get the correct SELinux context for the ssh server # initialization script so that it can transition correctly in an SELinux # environment; matchpathcon is only available from FC-4 and moved from the # libselinux to libselinux-utils package in F-10 %if 0%{?fedora} >= 4 || 0%{?rhel} >= 5 -BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted +BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted %endif %description 
@@ -36,25 +36,25 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10). -%package devel -Summary: Development files for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: pkgconfig +%package devel +Summary: Development files for libssh2 +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: pkgconfig -%description devel +%description devel The libssh2-devel package contains libraries and header files for developing applications that use libssh2. -%package docs -Summary: Documentation for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +%package docs +Summary: Documentation for libssh2 +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} %if %{noarch_docs_package} -BuildArch: noarch +BuildArch: noarch %endif -%description docs +%description docs The libssh2-docs package contains man pages and examples for developing applications that use libssh2. @@ -90,8 +90,8 @@ mv -v example/Makefile example/Makefile.%{_arch} # The SSH test will fail if we don't have /dev/tty, as is the case in some # versions of mock (#672713) if [ ! -c /dev/tty ]; then - echo Skipping SSH test due to missing /dev/tty - echo "exit 0" > tests/ssh2.sh + echo Skipping SSH test due to missing /dev/tty + echo "exit 0" > tests/ssh2.sh fi # Apparently it fails in the sparc buildsystem too %ifarch %{sparc} @@ -134,6 +134,7 @@ rm -rf %{buildroot} in the test suite - skip the ssh test if /dev/tty isn't present, as in some versions of mock - make the %%files list more explicit +- use tabs for indentation * Fri Jan 13 2012 Fedora Release Engineering 1.3.0-2 - rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild From 980b4761eed7af5f091c50bbb3fce9e3faf8a144 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Fri, 13 Jan 2012 17:14:29 +0000 Subject: [PATCH 26/93] example includes arch-specific bits, so move to devel package --- libssh2.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index deeb613..8069913 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -83,7 +83,7 @@ make -C example clean rm -rf example/.deps find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; -# avoid multilib conflict on libssh2-docs +# avoid multilib conflict on libssh2-devel mv -v example/Makefile example/Makefile.%{_arch} %check @@ -115,11 +115,12 @@ rm -rf %{buildroot} %files docs %defattr(-,root,root,-) -%doc HACKING example/ +%doc HACKING %{_mandir}/man3/libssh2_*.3* %files devel %defattr(-,root,root,-) +%doc example/ %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h %{_includedir}/libssh2_sftp.h @@ -129,6 +130,7 @@ rm -rf %{buildroot} %changelog * Fri Jan 13 2012 Paul Howarth 1.3.0-3 - make docs package noarch where possible +- example includes arch-specific bits, so move to devel package - use patch rather than scripted iconv to fix character encoding - don't make assumptions about SELinux context types used for the ssh server in the test suite From d70bd6d322fcc13746030bd4e29fdb0359f8bac0 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 15 Jan 2012 23:11:01 +0000 Subject: [PATCH 27/93] Disable some tests on ARM --- libssh2.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 8069913..c8c5b2b 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.3.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -93,8 +93,8 @@ if [ ! -c /dev/tty ]; then echo Skipping SSH test due to missing /dev/tty echo "exit 0" > tests/ssh2.sh fi -# Apparently it fails in the sparc buildsystem too -%ifarch %{sparc} +# Apparently it fails in the sparc and arm buildsystem too +%ifarch %{sparc} %{arm} echo Skipping SSH test on sparc echo "exit 0" > tests/ssh2.sh %endif @@ -128,6 +128,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Jan 15 2012 Peter Robinson 1.3.0-4 +- Disable some tests on ARM + * Fri Jan 13 2012 Paul Howarth 1.3.0-3 - make docs package noarch where possible - example includes arch-specific bits, so move to devel package From 4256e1a18eb43b2716077c2c71d9143972ce148c Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Mon, 16 Jan 2012 09:24:22 +0000 Subject: [PATCH 28/93] Comment clean-up --- libssh2.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index c8c5b2b..b4c0dd4 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -93,9 +93,9 @@ if [ ! -c /dev/tty ]; then echo Skipping SSH test due to missing /dev/tty echo "exit 0" > tests/ssh2.sh fi -# Apparently it fails in the sparc and arm buildsystem too +# Apparently it fails in the sparc and arm buildsystems too %ifarch %{sparc} %{arm} -echo Skipping SSH test on sparc +echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif make -C tests check @@ -129,7 +129,7 @@ rm -rf %{buildroot} %changelog * Sun Jan 15 2012 Peter Robinson 1.3.0-4 -- Disable some tests on ARM +- skip the ssh test on ARM too * Fri Jan 13 2012 Paul Howarth 1.3.0-3 - make docs package noarch where possible From d2c802f8e0119c41caf37c974c2dc299af83864d Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Wed, 1 Feb 2012 11:06:03 +0000 Subject: [PATCH 29/93] Update to 1.4.0 - Update to 1.4.0 - Added libssh2_session_supported_algs() - Added libssh2_session_banner_get() - Added libssh2_sftp_get_channel() - libssh2.h: bump the default window size to 256K - sftp-seek: clear EOF flag - userauth: provide more informations if ssh pub key extraction fails - ssh2_exec: skip error outputs for EAGAIN - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000 - knownhost_check(): don't dereference ext if NULL is passed - knownhost_add: avoid dereferencing uninitialized memory on error path - OpenSSL EVP: fix threaded use of structs - _libssh2_channel_read: react on errors from receive_window_adjust - sftp_read: cap the read ahead maximum amount - _libssh2_channel_read: fix non-blocking window adjusting - Add upstream patch fixing undefined function reference in libgcrypt backend - BR: /usr/bin/man for test suite --- .gitignore | 2 +- libssh2-1.4.0-c4a0e0.patch | 28 ++++++++++++++++++++++++++++ libssh2.spec | 28 ++++++++++++++++++++++++++-- sources | 2 +- 4 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 libssh2-1.4.0-c4a0e0.patch diff --git a/.gitignore b/.gitignore index 8846a13..0fc8c0e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/libssh2-1.3.0.tar.gz +/libssh2-[0-9.]*.tar.gz diff --git a/libssh2-1.4.0-c4a0e0.patch b/libssh2-1.4.0-c4a0e0.patch new file mode 100644 index 0000000..6fb4c44 --- /dev/null +++ b/libssh2-1.4.0-c4a0e0.patch 
@@ -0,0 +1,28 @@ +From b3ade9a63e881e69b4c9cfe7b5dbad78dcc4a0e0 Mon Sep 17 00:00:00 2001 +From: Peter Stuge +Date: Wed, 1 Feb 2012 09:53:44 +0100 +Subject: [PATCH] Fix undefined reference to _libssh_error in libgcrypt + backend + +Commit 209de22299b4b58e582891dfba70f57e1e0492db introduced a function +call to a non-existing function, and since then the libgcrypt backend +has not been buildable. +--- + src/libgcrypt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/src/libgcrypt.c b/src/libgcrypt.c +index 1bda5ee..5c2787b 100644 +--- a/src/libgcrypt.c ++++ b/src/libgcrypt.c +@@ -581,7 +581,7 @@ _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session, + const char *privatekey, + const char *passphrase) + { +- return _libssh_error(session, LIBSSH2_ERROR_FILE, ++ return _libssh2_error(session, LIBSSH2_ERROR_FILE, + "Unable to extract public key from private key file: " + "Method unimplemented in libgcrypt backend"); + } +-- +1.7.6.1 diff --git a/libssh2.spec b/libssh2.spec index b4c0dd4..791b37e 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -8,17 +8,19 @@ %endif Name: libssh2 -Version: 1.3.0 -Release: 4%{?dist} +Version: 1.4.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.2.9-utf8.patch +Patch1: libssh2-1.4.0-c4a0e0.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel +BuildRequires: /usr/bin/man # Test suite requirements - we run the OpenSSH server and try to connect to it BuildRequires: openssh-server 
@@ -64,6 +66,9 @@ developing applications that use libssh2. # Make sure things are UTF-8... %patch0 -p1 +# Fix undefined reference to _libssh_error in libgcrypt (upstream patch) +%patch1 -p1 + # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : @@ -128,6 +133,25 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Feb 1 2012 Paul Howarth 1.4.0-1 +- update to 1.4.0 + - added libssh2_session_supported_algs() + - added libssh2_session_banner_get() + - added libssh2_sftp_get_channel() + - libssh2.h: bump the default window size to 256K + - sftp-seek: clear EOF flag + - userauth: provide more informations if ssh pub key extraction fails + - ssh2_exec: skip error outputs for EAGAIN + - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000 + - knownhost_check(): don't dereference ext if NULL is passed + - knownhost_add: avoid dereferencing uninitialized memory on error path + - OpenSSL EVP: fix threaded use of structs + - _libssh2_channel_read: react on errors from receive_window_adjust + - sftp_read: cap the read ahead maximum amount + - _libssh2_channel_read: fix non-blocking window adjusting +- add upstream patch fixing undefined function reference in libgcrypt backend +- BR: /usr/bin/man for test suite + * Sun Jan 15 2012 Peter Robinson 1.3.0-4 - skip the ssh test on ARM too diff --git a/sources b/sources index 05b2d34..aa596fe 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6425331899ccf1015f1ed79448cb4709 libssh2-1.3.0.tar.gz +ee670161d8c5dff93ae84a3f34f15669 libssh2-1.4.0.tar.gz From 12e9f5a79fe1ca6076ecb48196c8ee6e60a7b4c7 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Fri, 16 Mar 2012 19:24:44 +0000 Subject: [PATCH 30/93] Fix libssh2 failing key re-exchange when write channel is saturated (#804156) --- libssh2-1.4.0-cc4f9d.patch | 58 ++++++++++++++++++++++++++++++++++++++ libssh2.spec | 14 ++++++--- 2 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 libssh2-1.4.0-cc4f9d.patch diff --git a/libssh2-1.4.0-cc4f9d.patch b/libssh2-1.4.0-cc4f9d.patch new file mode 100644 index 0000000..33e5e4d --- /dev/null +++ b/libssh2-1.4.0-cc4f9d.patch 
@@ -0,0 +1,58 @@ +commit cc4f9d5679278ce41cd5480fab3f5e71dba163ed +Author: Matthew Booth +Date: Fri Mar 16 16:29:00 2012 +0100 + + transport_send: Finish in-progress key exchange before sending data + + _libssh2_channel_write() first reads outstanding packets before writing + new data. If it reads a key exchange request, it will immediately start + key re-exchange, which will require sending a response. If the output + socket is full, this will result in a return from + _libssh2_transport_read() of LIBSSH2_ERROR_EAGAIN. In order not to block + a write because there is no data to read, this error is explicitly + ignored and the code continues marshalling a packet for sending. When it + is sent, the remote end immediately drops the connection because it was + expecting a continuation of the key exchange, but got a data packet. + + This change adds the same check for key exchange to + _libssh2_transport_send() that is in _libssh2_transport_read(). This + ensures that key exchange is completed before any data packet is sent. + +diff --git a/src/transport.c b/src/transport.c +index 057dcf5..95b9a3a 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -296,7 +296,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * is done! + */ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the" +- " key re-exchange"); ++ " key re-exchange from _libssh2_transport_read"); + rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state); + if (rc) + return rc; +@@ -687,6 +687,24 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, + const unsigned char *orgdata = data; + size_t orgdata_len = data_len; + ++ /* ++ * If the last read operation was interrupted in the middle of a key ++ * exchange, we must complete that key exchange before continuing to write ++ * further data. ++ * ++ * See the similar block in _libssh2_transport_read for more details. 
++ */ ++ if (session->state & LIBSSH2_STATE_EXCHANGING_KEYS && ++ !(session->state & LIBSSH2_STATE_KEX_ACTIVE)) { ++ /* Don't write any new packets if we're still in the middle of a key ++ * exchange. */ ++ _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the" ++ " key re-exchange from _libssh2_transport_send"); ++ rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state); ++ if (rc) ++ return rc; ++ } ++ + debugdump(session, "libssh2_transport_write plain", data, data_len); + if(data2) + debugdump(session, "libssh2_transport_write plain2", data2, data2_len); diff --git a/libssh2.spec b/libssh2.spec index 791b37e..7627806 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -17,6 +17,7 @@ URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.2.9-utf8.patch Patch1: libssh2-1.4.0-c4a0e0.patch +Patch2: libssh2-1.4.0-cc4f9d.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -69,6 +70,10 @@ developing applications that use libssh2. # Fix undefined reference to _libssh_error in libgcrypt (upstream patch) %patch1 -p1 +# Fix libssh2 failing key re-exchange when write channel is saturated +# (upstream patch, #804156) +%patch2 -p1 + # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : 
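Review bot: The new guard in `_libssh2_transport_send` mixes `&` and `&&` without parentheses around the first mask test. It parses as intended, but it is easy to misread and typically triggers compiler parentheses warnings; I would write it as `if ((session->state & LIBSSH2_STATE_EXCHANGING_KEYS) && !(session->state & LIBSSH2_STATE_KEX_ACTIVE)) {`. The block returns any non-zero `rc` from `_libssh2_kex_exchange`, which by the commit description can include `LIBSSH2_ERROR_EAGAIN`. The comment should therefore say that callers may now get EAGAIN from the send path before any of their data has been queued, and must retry with the same arguments. The function starts and continues outside this hunk (`rc` is declared there), and the block duplicates the one in `_libssh2_transport_read`, so a shared static helper would keep the two checks from drifting apart.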
@@ -113,18 +118,15 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) %doc AUTHORS ChangeLog COPYING README NEWS %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs -%defattr(-,root,root,-) %doc HACKING %{_mandir}/man3/libssh2_*.3* %files devel -%defattr(-,root,root,-) %doc example/ %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h @@ -133,6 +135,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Mar 16 2012 Paul Howarth 1.4.0-2 +- fix libssh2 failing key re-exchange when write channel is saturated (#804156) +- drop %%defattr, redundant since rpm 4.4 + * Wed Feb 1 2012 Paul Howarth 1.4.0-1 - update to 1.4.0 - added libssh2_session_supported_algs() From 1d6da849c359c48dda5b70b7c518d59ddc4f7de0 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 18 Mar 2012 14:53:07 +0000 Subject: [PATCH 31/93] Don't try to use openssl's AES-CTR functions The code supporting openssl's AES-CTR functions does not currently work: (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml) --- libssh2-1.4.0-f4f229.patch | 60 ++++++++++++++++++++++++++++++++++++++ libssh2.spec | 10 ++++++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.4.0-f4f229.patch diff --git a/libssh2-1.4.0-f4f229.patch b/libssh2-1.4.0-f4f229.patch new file mode 100644 index 0000000..d413f3f --- /dev/null +++ b/libssh2-1.4.0-f4f229.patch 
@@ -0,0 +1,60 @@ +From f4f2298ef3635acd031cc2ee0e71026cdcda5864 Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Sun, 18 Mar 2012 12:07:27 +0000 +Subject: [PATCH] aes: the init function fails when OpenSSL has AES support + +The internal init function only worked fine when the configure script +didn't detect the OpenSSL AES_CTR function! + +Bug: http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml +Reported by: Paul Howarth +--- + src/openssl.c | 4 +++- + src/openssl.h | 6 ------ + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/openssl.c b/src/openssl.c +index 40818c0..481982c 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -201,7 +201,7 @@ _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, + return ret == 1 ? 0 : 1; + } + +-#if LIBSSH2_AES_CTR && !defined(HAVE_EVP_AES_128_CTR) ++#if LIBSSH2_AES_CTR + + #include + #include +@@ -362,6 +362,8 @@ void _libssh2_init_aes_ctr(void) + _libssh2_EVP_aes_256_ctr(); + } + ++#else ++void _libssh2_init_aes_ctr(void) {} + #endif /* LIBSSH2_AES_CTR */ + + /* TODO: Optionally call a passphrase callback specified by the +diff --git a/src/openssl.h b/src/openssl.h +index a196184..6d2aeed 100644 +--- a/src/openssl.h ++++ b/src/openssl.h +@@ -148,15 +148,9 @@ void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char + #define _libssh2_cipher_aes256 EVP_aes_256_cbc + #define _libssh2_cipher_aes192 EVP_aes_192_cbc + #define _libssh2_cipher_aes128 EVP_aes_128_cbc +-#ifdef HAVE_EVP_AES_128_CTR +-#define _libssh2_cipher_aes128ctr EVP_aes_128_ctr +-#define _libssh2_cipher_aes192ctr EVP_aes_192_ctr +-#define _libssh2_cipher_aes256ctr EVP_aes_256_ctr +-#else + #define _libssh2_cipher_aes128ctr _libssh2_EVP_aes_128_ctr + #define _libssh2_cipher_aes192ctr _libssh2_EVP_aes_192_ctr + #define _libssh2_cipher_aes256ctr _libssh2_EVP_aes_256_ctr +-#endif + #define _libssh2_cipher_blowfish EVP_bf_cbc + #define _libssh2_cipher_arcfour EVP_rc4 + #define _libssh2_cipher_cast5 EVP_cast5_cbc 
+-- +1.7.7.6 + diff --git a/libssh2.spec b/libssh2.spec index 7627806..85700bf 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -18,6 +18,7 @@ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.2.9-utf8.patch Patch1: libssh2-1.4.0-c4a0e0.patch Patch2: libssh2-1.4.0-cc4f9d.patch +Patch3: libssh2-1.4.0-f4f229.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -74,6 +75,9 @@ developing applications that use libssh2. # (upstream patch, #804156) %patch2 -p1 +# Don't try to use openssl's AES-CTR functions (upstream patch) +%patch3 -p1 + # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : @@ -135,6 +139,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Mar 18 2012 Paul Howarth 1.4.0-3 +- Don't try to use openssl's AES-CTR functions + (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml) + * Fri Mar 16 2012 Paul Howarth 1.4.0-2 - fix libssh2 failing key re-exchange when write channel is saturated (#804156) - drop %%defattr, redundant since rpm 4.4 From 8e8214ab7732e85ccac59dec29a9fb6530b28570 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 19 Mar 2012 14:58:27 +0100 Subject: [PATCH 32/93] Don't ignore transport errors when writing to channel (#804150) --- libssh2-1.2.9-utf8.patch | 2 +- libssh2-1.4.0-f4f229.patch | 2 +- libssh2-1.4.0-fed075.patch | 34 ++++++++++++++++++++++++++++++++++ libssh2.spec | 9 ++++++++- 4 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 libssh2-1.4.0-fed075.patch 
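Review bot: Changing the guard to `#if LIBSSH2_AES_CTR` and deleting the `HAVE_EVP_AES_128_CTR` branch in src/openssl.h means the library's own `_libssh2_EVP_aes_*_ctr` wrappers are always used, even when OpenSSL provides `EVP_aes_128_ctr` and friends, and nothing in the code says why. A comment above the `#define _libssh2_cipher_aes128ctr` lines, for example `/* always use the internal CTR wrappers: the EVP_aes_*_ctr path breaks _libssh2_init_aes_ctr (libssh2-devel 2012-03/0111) */`, would record that this is a workaround rather than a preference. It also matters for builds that must use only the crypto library's own cipher implementations: a later patch in this series restores the `EVP_aes_*_ctr` defines because FIPS mode needs them. The new `#else` stub `void _libssh2_init_aes_ctr(void) {}` presumably exists so callers can invoke it unconditionally; a one-line comment saying so would help.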
diff --git a/libssh2-1.2.9-utf8.patch b/libssh2-1.2.9-utf8.patch index b41f6a2..1535fa5 100644 --- a/libssh2-1.2.9-utf8.patch +++ b/libssh2-1.2.9-utf8.patch @@ -1,6 +1,6 @@ --- libssh2/NEWS +++ libssh2/NEWS -@@ -2507,7 +2507,7 @@ +@@ -2886,7 +2886,7 @@ - support arcfour128 cipher per RFC 4345 Daniel Stenberg (21 Oct 2009) diff --git a/libssh2-1.4.0-f4f229.patch b/libssh2-1.4.0-f4f229.patch index d413f3f..2dee81a 100644 --- a/libssh2-1.4.0-f4f229.patch +++ b/libssh2-1.4.0-f4f229.patch @@ -26,7 +26,7 @@ index 40818c0..481982c 100644 #include #include -@@ -362,6 +362,8 @@ void _libssh2_init_aes_ctr(void) +@@ -358,6 +358,8 @@ void _libssh2_init_aes_ctr(void) _libssh2_EVP_aes_256_ctr(); } diff --git a/libssh2-1.4.0-fed075.patch b/libssh2-1.4.0-fed075.patch new file mode 100644 index 0000000..510a9cc --- /dev/null +++ b/libssh2-1.4.0-fed075.patch 
@@ -0,0 +1,34 @@ +From fed075972080ed705bd79b731c40cf5e73085aeb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Mar 2012 13:03:08 +0100 +Subject: [PATCH] channel_write: acknowledge transport errors + +When draining data off the socket with _libssh2_transport_read() (which +in turn has to be done so that we can be sure to have read any possible +window-increasing packets), this code previously ignored errors which +could lead to nasty loops. Now all error codes except EAGAIN will cause +the error to be returned at once. + +Bug: http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0068.shtml +Reported by: Matthew Booth +--- + src/channel.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 8d6fb0a..9e29492 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -2008,6 +2008,9 @@ _libssh2_channel_write(LIBSSH2_CHANNEL *channel, int stream_id, + rc = _libssh2_transport_read(session); + while (rc > 0); + ++ if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) ++ return rc; ++ + if(channel->local.window_size <= 0) + /* there's no room for data so we stop */ + return (rc==LIBSSH2_ERROR_EAGAIN?rc:0); +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index 85700bf..57c53c9 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -19,6 +19,7 @@ Patch0: libssh2-1.2.9-utf8.patch Patch1: libssh2-1.4.0-c4a0e0.patch Patch2: libssh2-1.4.0-cc4f9d.patch Patch3: libssh2-1.4.0-f4f229.patch +Patch4: libssh2-1.4.0-fed075.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel 
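Review bot: The new early return in `_libssh2_channel_write()`, `if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) return rc;`, hands the raw transport code back without recording a session error message, so the caller learns the code but not where it came from. Other error paths shown on this page go through `_libssh2_error(session, code, "...")`; if `_libssh2_transport_read()` does not already set the message (not visible here), `return _libssh2_error(session, rc, "Failure while draining incoming flow");` would keep diagnostics consistent. The rest of `_libssh2_channel_write()` lies outside the hunk.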
@@ -78,6 +79,9 @@ developing applications that use libssh2. # Don't try to use openssl's AES-CTR functions (upstream patch) %patch3 -p1 +# Don't ignore transport errors in channel_write (upstream patch, #804150) +%patch4 -p1 + # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : @@ -139,6 +143,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon Mar 19 2012 Kamil Dudka 1.4.0-4 +- Don't ignore transport errors when writing to channel (#804150) + * Sun Mar 18 2012 Paul Howarth 1.4.0-3 - Don't try to use openssl's AES-CTR functions (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml) From e3d0f1a309ca614c5ded4a57f52452d31f2c2147 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Thu, 5 Apr 2012 10:46:49 +0100 Subject: [PATCH 33/93] Update to 1.4.1 - New upstream release 1.4.1 - Build error with gcrypt backend - Always do "forced" window updates to avoid corner case stalls - aes: the init function fails when OpenSSL has AES support - transport_send: finish in-progress key exchange before sending data - channel_write: acknowledge transport errors - examples/x11.c: make sure sizeof passed to read operation is correct - examples/x11.c: fix suspicious sizeof usage - sftp_packet_add: verify the packet before accepting it - SFTP: preserve the original error code more - sftp_packet_read: adjust window size as necessary - Use safer snprintf rather then sprintf in several places - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET - sftp_write: cannot return acked data *and* EAGAIN - sftp_read: avoid data *and* EAGAIN - libssh2.h: add missing prototype for libssh2_session_banner_set() - Drop upstream patches now included in release tarball --- libssh2-1.4.0-c4a0e0.patch | 28 ------------------ libssh2-1.4.0-cc4f9d.patch | 58 ------------------------------------ libssh2-1.4.0-f4f229.patch | 60 -------------------------------------- libssh2-1.4.0-fed075.patch | 34 --------------------- libssh2.spec | 40 +++++++++++++------------ sources | 2 +- 6 files changed, 22 insertions(+), 200 deletions(-) delete mode 100644 libssh2-1.4.0-c4a0e0.patch delete mode 100644 libssh2-1.4.0-cc4f9d.patch delete mode 100644 libssh2-1.4.0-f4f229.patch delete mode 100644 libssh2-1.4.0-fed075.patch diff --git a/libssh2-1.4.0-c4a0e0.patch b/libssh2-1.4.0-c4a0e0.patch deleted file mode 100644 index 6fb4c44..0000000 --- a/libssh2-1.4.0-c4a0e0.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From b3ade9a63e881e69b4c9cfe7b5dbad78dcc4a0e0 Mon Sep 17 00:00:00 2001 -From: Peter Stuge -Date: Wed, 1 Feb 2012 09:53:44 +0100 -Subject: [PATCH] Fix undefined reference to _libssh_error in libgcrypt - backend - -Commit 209de22299b4b58e582891dfba70f57e1e0492db introduced a function -call to a non-existing function, and since then the libgcrypt backend -has not been buildable. ---- - src/libgcrypt.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/src/libgcrypt.c b/src/libgcrypt.c -index 1bda5ee..5c2787b 100644 ---- a/src/libgcrypt.c -+++ b/src/libgcrypt.c -@@ -581,7 +581,7 @@ _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session, - const char *privatekey, - const char *passphrase) - { -- return _libssh_error(session, LIBSSH2_ERROR_FILE, -+ return _libssh2_error(session, LIBSSH2_ERROR_FILE, - "Unable to extract public key from private key file: " - "Method unimplemented in libgcrypt backend"); - } --- -1.7.6.1 diff --git a/libssh2-1.4.0-cc4f9d.patch b/libssh2-1.4.0-cc4f9d.patch deleted file mode 100644 index 33e5e4d..0000000 --- a/libssh2-1.4.0-cc4f9d.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -commit cc4f9d5679278ce41cd5480fab3f5e71dba163ed -Author: Matthew Booth -Date: Fri Mar 16 16:29:00 2012 +0100 - - transport_send: Finish in-progress key exchange before sending data - - _libssh2_channel_write() first reads outstanding packets before writing - new data. If it reads a key exchange request, it will immediately start - key re-exchange, which will require sending a response. If the output - socket is full, this will result in a return from - _libssh2_transport_read() of LIBSSH2_ERROR_EAGAIN. In order not to block - a write because there is no data to read, this error is explicitly - ignored and the code continues marshalling a packet for sending. When it - is sent, the remote end immediately drops the connection because it was - expecting a continuation of the key exchange, but got a data packet. - - This change adds the same check for key exchange to - _libssh2_transport_send() that is in _libssh2_transport_read(). This - ensures that key exchange is completed before any data packet is sent. - -diff --git a/src/transport.c b/src/transport.c -index 057dcf5..95b9a3a 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -296,7 +296,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) - * is done! - */ - _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the" -- " key re-exchange"); -+ " key re-exchange from _libssh2_transport_read"); - rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state); - if (rc) - return rc; -@@ -687,6 +687,24 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, - const unsigned char *orgdata = data; - size_t orgdata_len = data_len; - -+ /* -+ * If the last read operation was interrupted in the middle of a key -+ * exchange, we must complete that key exchange before continuing to write -+ * further data. -+ * -+ * See the similar block in _libssh2_transport_read for more details. 
-+ */ -+ if (session->state & LIBSSH2_STATE_EXCHANGING_KEYS && -+ !(session->state & LIBSSH2_STATE_KEX_ACTIVE)) { -+ /* Don't write any new packets if we're still in the middle of a key -+ * exchange. */ -+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Redirecting into the" -+ " key re-exchange from _libssh2_transport_send"); -+ rc = _libssh2_kex_exchange(session, 1, &session->startup_key_state); -+ if (rc) -+ return rc; -+ } -+ - debugdump(session, "libssh2_transport_write plain", data, data_len); - if(data2) - debugdump(session, "libssh2_transport_write plain2", data2, data2_len); diff --git a/libssh2-1.4.0-f4f229.patch b/libssh2-1.4.0-f4f229.patch deleted file mode 100644 index 2dee81a..0000000 --- a/libssh2-1.4.0-f4f229.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From f4f2298ef3635acd031cc2ee0e71026cdcda5864 Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Sun, 18 Mar 2012 12:07:27 +0000 -Subject: [PATCH] aes: the init function fails when OpenSSL has AES support - -The internal init function only worked fine when the configure script -didn't detect the OpenSSL AES_CTR function! - -Bug: http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml -Reported by: Paul Howarth ---- - src/openssl.c | 4 +++- - src/openssl.h | 6 ------ - 2 files changed, 3 insertions(+), 7 deletions(-) - -diff --git a/src/openssl.c b/src/openssl.c -index 40818c0..481982c 100644 ---- a/src/openssl.c -+++ b/src/openssl.c -@@ -201,7 +201,7 @@ _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, - return ret == 1 ? 0 : 1; - } - --#if LIBSSH2_AES_CTR && !defined(HAVE_EVP_AES_128_CTR) -+#if LIBSSH2_AES_CTR - - #include - #include -@@ -358,6 +358,8 @@ void _libssh2_init_aes_ctr(void) - _libssh2_EVP_aes_256_ctr(); - } - -+#else -+void _libssh2_init_aes_ctr(void) {} - #endif /* LIBSSH2_AES_CTR */ - - /* TODO: Optionally call a passphrase callback specified by the -diff --git a/src/openssl.h b/src/openssl.h -index a196184..6d2aeed 100644 ---- a/src/openssl.h -+++ b/src/openssl.h -@@ -148,15 +148,9 @@ void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char - #define _libssh2_cipher_aes256 EVP_aes_256_cbc - #define _libssh2_cipher_aes192 EVP_aes_192_cbc - #define _libssh2_cipher_aes128 EVP_aes_128_cbc --#ifdef HAVE_EVP_AES_128_CTR --#define _libssh2_cipher_aes128ctr EVP_aes_128_ctr --#define _libssh2_cipher_aes192ctr EVP_aes_192_ctr --#define _libssh2_cipher_aes256ctr EVP_aes_256_ctr --#else - #define _libssh2_cipher_aes128ctr _libssh2_EVP_aes_128_ctr - #define _libssh2_cipher_aes192ctr _libssh2_EVP_aes_192_ctr - #define _libssh2_cipher_aes256ctr _libssh2_EVP_aes_256_ctr --#endif - #define _libssh2_cipher_blowfish EVP_bf_cbc - #define _libssh2_cipher_arcfour EVP_rc4 - #define _libssh2_cipher_cast5 EVP_cast5_cbc 
--- -1.7.7.6 - diff --git a/libssh2-1.4.0-fed075.patch b/libssh2-1.4.0-fed075.patch deleted file mode 100644 index 510a9cc..0000000 --- a/libssh2-1.4.0-fed075.patch +++ /dev/null @@ -1,34 +0,0 @@ -From fed075972080ed705bd79b731c40cf5e73085aeb Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 15 Mar 2012 13:03:08 +0100 -Subject: [PATCH] channel_write: acknowledge transport errors - -When draining data off the socket with _libssh2_transport_read() (which -in turn has to be done so that we can be sure to have read any possible -window-increasing packets), this code previously ignored errors which -could lead to nasty loops. Now all error codes except EAGAIN will cause -the error to be returned at once. - -Bug: http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0068.shtml -Reported by: Matthew Booth ---- - src/channel.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 8d6fb0a..9e29492 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -2008,6 +2008,9 @@ _libssh2_channel_write(LIBSSH2_CHANNEL *channel, int stream_id, - rc = _libssh2_transport_read(session); - while (rc > 0); - -+ if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) -+ return rc; -+ - if(channel->local.window_size <= 0) - /* there's no room for data so we stop */ - return (rc==LIBSSH2_ERROR_EAGAIN?rc:0); --- -1.7.1 - diff --git a/libssh2.spec b/libssh2.spec index 57c53c9..f0f473b 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -8,18 +8,14 @@ %endif Name: libssh2 -Version: 1.4.0 -Release: 4%{?dist} +Version: 1.4.1 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.2.9-utf8.patch -Patch1: libssh2-1.4.0-c4a0e0.patch -Patch2: libssh2-1.4.0-cc4f9d.patch -Patch3: libssh2-1.4.0-f4f229.patch -Patch4: libssh2-1.4.0-fed075.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -69,19 +65,6 @@ developing applications that use libssh2. # Make sure things are UTF-8... %patch0 -p1 -# Fix undefined reference to _libssh_error in libgcrypt (upstream patch) -%patch1 -p1 - -# Fix libssh2 failing key re-exchange when write channel is saturated -# (upstream patch, #804156) -%patch2 -p1 - -# Don't try to use openssl's AES-CTR functions (upstream patch) -%patch3 -p1 - -# Don't ignore transport errors in channel_write (upstream patch, #804150) -%patch4 -p1 - # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : 
@@ -143,6 +126,25 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Apr 5 2012 Paul Howarth 1.4.1-1 +- Update to 1.4.1 + - Build error with gcrypt backend + - Always do "forced" window updates to avoid corner case stalls + - aes: the init function fails when OpenSSL has AES support + - transport_send: finish in-progress key exchange before sending data + - channel_write: acknowledge transport errors + - examples/x11.c: make sure sizeof passed to read operation is correct + - examples/x11.c: fix suspicious sizeof usage + - sftp_packet_add: verify the packet before accepting it + - SFTP: preserve the original error code more + - sftp_packet_read: adjust window size as necessary + - Use safer snprintf rather then sprintf in several places + - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET + - sftp_write: cannot return acked data *and* EAGAIN + - sftp_read: avoid data *and* EAGAIN + - libssh2.h: add missing prototype for libssh2_session_banner_set() +- Drop upstream patches now included in release tarball + * Mon Mar 19 2012 Kamil Dudka 1.4.0-4 - Don't ignore transport errors when writing to channel (#804150) diff --git a/sources b/sources index aa596fe..03137b9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ee670161d8c5dff93ae84a3f34f15669 libssh2-1.4.0.tar.gz +b94106e046af37fdc0734e487842fe66 libssh2-1.4.1.tar.gz From a352ea2406f3d32b5a3343053a0f5e899d2de6b9 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 27 Apr 2012 13:21:06 +0100 Subject: [PATCH 34/93] Fix multi-arch conflict again (#816969) --- libssh2.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index f0f473b..79b684a 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -85,7 +85,7 @@ rm -rf example/.deps find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; # avoid multilib conflict on libssh2-devel -mv -v example/Makefile example/Makefile.%{_arch} +mv -v example example.%{_arch} %check # The SSH test will fail if we don't have /dev/tty, as is the case in some @@ -118,7 +118,7 @@ rm -rf %{buildroot} %{_mandir}/man3/libssh2_*.3* %files devel -%doc example/ +%doc example.%{_arch}/ %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h %{_includedir}/libssh2_sftp.h @@ -126,6 +126,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Apr 27 2012 Paul Howarth 1.4.1-2 +- Fix multi-arch conflict again (#816969) + * Thu Apr 5 2012 Paul Howarth 1.4.1-1 - Update to 1.4.1 - Build error with gcrypt backend From 8e792e752cbbac63178cebf7cbe80b674c4a60c1 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 20 May 2012 22:08:23 +0100 Subject: [PATCH 35/93] Update to 1.4.2 - New upstream release 1.4.2 - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner - userauth.c: fread() from public key file to correctly detect any errors - configure.ac: add option to disable build of the example applications - added 'Requires.private:' line to libssh2.pc - SFTP: filter off incoming "zombie" responses - gettimeofday: no need for a replacement under cygwin - SSH_MSG_CHANNEL_REQUEST: default to want_reply - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB --- libssh2.spec | 15 +++++++++++++-- sources | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 79b684a..c984575 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -8,8 +8,8 @@ %endif Name: libssh2 -Version: 1.4.1 -Release: 2%{?dist} +Version: 1.4.2 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -126,6 +126,17 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun May 20 2012 Paul Howarth 1.4.2-1 +- Update to 1.4.2 + - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner + - userauth.c: fread() from public key file to correctly detect any errors + - configure.ac: add option to disable build of the example applications + - added 'Requires.private:' line to libssh2.pc + - SFTP: filter off incoming "zombie" responses + - gettimeofday: no need for a replacement under cygwin + - SSH_MSG_CHANNEL_REQUEST: default to want_reply + - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB + * Fri Apr 27 2012 Paul Howarth 1.4.1-2 - Fix multi-arch conflict again (#816969) diff --git a/sources b/sources index 03137b9..397badd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b94106e046af37fdc0734e487842fe66 libssh2-1.4.1.tar.gz +42e2b3796ac07fc1dbafc7abcc002cd3 libssh2-1.4.2.tar.gz From b1dbb78e83e948b62a66e7dffe85ed6a40d15460 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 19 Jul 2012 16:17:19 -0500 Subject: [PATCH 36/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index c984575..b99d8ef 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -126,6 +126,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Jul 19 2012 Fedora Release Engineering - 1.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + * Sun May 20 2012 Paul Howarth 1.4.2-1 - Update to 1.4.2 - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner From 8576e203136faa66c4a6a488184452d2bdcec0a6 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Wed, 26 Sep 2012 13:19:04 +0200 Subject: [PATCH 37/93] fix basic functionality of libssh2 in FIPS mode --- libssh2-1.4.2-fips.patch | 304 +++++++++++++++++++++++++++++++++++++++ libssh2.spec | 9 +- 2 files changed, 312 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.4.2-fips.patch diff --git a/libssh2-1.4.2-fips.patch b/libssh2-1.4.2-fips.patch new file mode 100644 index 0000000..af88656 --- /dev/null +++ b/libssh2-1.4.2-fips.patch 
@@ -0,0 +1,304 @@ +From 43b730ce56f010e9d33573fcb020df49798c1ed8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 10 Sep 2012 15:32:40 +0200 +Subject: [PATCH 1/4] kex: do not ignore failure of libssh2_md5_init() + +The MD5 algorithm is disabled when running in FIPS mode. +--- + src/hostkey.c | 4 +++- + src/kex.c | 13 +++++++++---- + src/libgcrypt.h | 6 +++++- + src/libssh2_priv.h | 1 + + src/openssl.h | 3 +++ + 5 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/src/hostkey.c b/src/hostkey.c +index 53f7479..753563d 100644 +--- a/src/hostkey.c ++++ b/src/hostkey.c +@@ -429,7 +429,9 @@ libssh2_hostkey_hash(LIBSSH2_SESSION * session, int hash_type) + switch (hash_type) { + #if LIBSSH2_MD5 + case LIBSSH2_HOSTKEY_HASH_MD5: +- return (char *) session->server_hostkey_md5; ++ return (session->server_hostkey_md5_valid) ++ ? (char *) session->server_hostkey_md5 ++ : NULL; + break; + #endif /* LIBSSH2_MD5 */ + case LIBSSH2_HOSTKEY_HASH_SHA1: +diff --git a/src/kex.c b/src/kex.c +index 0a72cb7..07e717f 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -218,10 +218,15 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session, + { + libssh2_md5_ctx fingerprint_ctx; + +- libssh2_md5_init(&fingerprint_ctx); +- libssh2_md5_update(fingerprint_ctx, session->server_hostkey, +- session->server_hostkey_len); +- libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5); ++ if (libssh2_md5_init(&fingerprint_ctx)) { ++ libssh2_md5_update(fingerprint_ctx, session->server_hostkey, ++ session->server_hostkey_len); ++ libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5); ++ session->server_hostkey_md5_valid = TRUE; ++ } ++ else { ++ session->server_hostkey_md5_valid = FALSE; ++ } + } + #ifdef LIBSSH2DEBUG + { +diff --git a/src/libgcrypt.h b/src/libgcrypt.h +index 04516e5..1f0276e 100644 +--- a/src/libgcrypt.h ++++ b/src/libgcrypt.h +@@ -68,7 +68,11 @@ + gcry_md_hash_buffer (GCRY_MD_SHA1, out, message, len) + + #define libssh2_md5_ctx gcry_md_hd_t +-#define 
libssh2_md5_init(ctx) gcry_md_open (ctx, GCRY_MD_MD5, 0); ++ ++/* returns 0 in case of failure */ ++#define libssh2_md5_init(ctx) \ ++ (GPG_ERR_NO_ERROR == gcry_md_open (ctx, GCRY_MD_MD5, 0)) ++ + #define libssh2_md5_update(ctx, data, len) gcry_md_write (ctx, data, len) + #define libssh2_md5_final(ctx, out) \ + memcpy (out, gcry_md_read (ctx, 0), MD5_DIGEST_LENGTH), gcry_md_close (ctx) +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 23fbc65..196864d 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -597,6 +597,7 @@ struct _LIBSSH2_SESSION + uint32_t server_hostkey_len; + #if LIBSSH2_MD5 + unsigned char server_hostkey_md5[MD5_DIGEST_LENGTH]; ++ int server_hostkey_md5_valid; + #endif /* ! LIBSSH2_MD5 */ + unsigned char server_hostkey_sha1[SHA_DIGEST_LENGTH]; + +diff --git a/src/openssl.h b/src/openssl.h +index 6d2aeed..4835ab6 100644 +--- a/src/openssl.h ++++ b/src/openssl.h +@@ -113,7 +113,10 @@ + void libssh2_sha1(const unsigned char *message, unsigned long len, unsigned char *out); + + #define libssh2_md5_ctx EVP_MD_CTX ++ ++/* returns 0 in case of failure */ + #define libssh2_md5_init(ctx) EVP_DigestInit(ctx, EVP_get_digestbyname("md5")) ++ + #define libssh2_md5_update(ctx, data, len) EVP_DigestUpdate(&(ctx), data, len) + #define libssh2_md5_final(ctx, out) EVP_DigestFinal(&(ctx), out, NULL) + void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char *out); +-- +1.7.1 + + +From bfbb5a4dc75c04b3532063c03b80796dd6d69da4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 10 Sep 2012 15:59:16 +0200 +Subject: [PATCH 2/4] openssl: do not ignore failure of EVP_CipherInit() + +--- + src/openssl.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +diff --git a/src/openssl.c b/src/openssl.c +index 481982c..c61cb0e 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -175,8 +175,7 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, + unsigned char *iv, unsigned char *secret, int encrypt) + { + 
EVP_CIPHER_CTX_init(h); +- EVP_CipherInit(h, algo(), secret, iv, encrypt); +- return 0; ++ return !EVP_CipherInit(h, algo(), secret, iv, encrypt); + } + + int +-- +1.7.1 + + +From 5d567faecce45a891de2a3e10fad7b221a4f6540 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 11 Sep 2012 09:33:34 +0200 +Subject: [PATCH 3/4] crypt: use hard-wired cipher block sizes consistently + +--- + src/crypt.c | 8 +++++--- + src/crypto.h | 2 +- + src/libgcrypt.c | 8 +------- + src/libssh2_priv.h | 2 +- + src/openssl.c | 7 +------ + src/transport.c | 3 ++- + 6 files changed, 11 insertions(+), 19 deletions(-) + +diff --git a/src/crypt.c b/src/crypt.c +index 93d99c4..931ae8b 100644 +--- a/src/crypt.c ++++ b/src/crypt.c +@@ -96,11 +96,12 @@ crypt_init(LIBSSH2_SESSION * session, + + static int + crypt_encrypt(LIBSSH2_SESSION * session, unsigned char *block, +- void **abstract) ++ size_t blocksize, void **abstract) + { + struct crypt_ctx *cctx = *(struct crypt_ctx **) abstract; + (void) session; +- return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block); ++ return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block, ++ blocksize); + } + + static int +@@ -248,7 +249,8 @@ crypt_init_arcfour128(LIBSSH2_SESSION * session, + unsigned char block[8]; + size_t discard = 1536; + for (; discard; discard -= 8) +- _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block); ++ _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block, ++ method->blocksize); + } + + return rc; +diff --git a/src/crypto.h b/src/crypto.h +index 8cf34f5..5dc5931 100644 +--- a/src/crypto.h ++++ b/src/crypto.h +@@ -103,7 +103,7 @@ int _libssh2_cipher_init(_libssh2_cipher_ctx * h, + + int _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, + _libssh2_cipher_type(algo), +- int encrypt, unsigned char *block); ++ int encrypt, unsigned char *block, size_t blocksize); + + int _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session, + unsigned char **method, +diff --git a/src/libgcrypt.c 
b/src/libgcrypt.c +index 5c2787b..29770c7 100644 +--- a/src/libgcrypt.c ++++ b/src/libgcrypt.c +@@ -553,17 +553,11 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, + int + _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, + _libssh2_cipher_type(algo), +- int encrypt, unsigned char *block) ++ int encrypt, unsigned char *block, size_t blklen) + { + int cipher = _libssh2_gcry_cipher (algo); +- size_t blklen = gcry_cipher_get_algo_blklen(cipher); + int ret; + +- if (blklen == 1) { +-/* Hack for arcfour. */ +- blklen = 8; +- } +- + if (encrypt) { + ret = gcry_cipher_encrypt(*ctx, block, blklen, block, blklen); + } else { +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 196864d..4ec9f73 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -883,7 +883,7 @@ struct _LIBSSH2_CRYPT_METHOD + int *free_iv, unsigned char *secret, int *free_secret, + int encrypt, void **abstract); + int (*crypt) (LIBSSH2_SESSION * session, unsigned char *block, +- void **abstract); ++ size_t blocksize, void **abstract); + int (*dtor) (LIBSSH2_SESSION * session, void **abstract); + + _libssh2_cipher_type(algo); +diff --git a/src/openssl.c b/src/openssl.c +index c61cb0e..8643591 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -181,18 +181,13 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, + int + _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, + _libssh2_cipher_type(algo), +- int encrypt, unsigned char *block) ++ int encrypt, unsigned char *block, size_t blocksize) + { +- int blocksize = ctx->cipher->block_size; + unsigned char buf[EVP_MAX_BLOCK_LENGTH]; + int ret; + (void) algo; + (void) encrypt; + +- if (blocksize == 1) { +-/* Hack for arcfour. 
*/ +- blocksize = 8; +- } + ret = EVP_Cipher(ctx, buf, block, blocksize); + if (ret == 1) { + memcpy(block, buf, blocksize); +diff --git a/src/transport.c b/src/transport.c +index 15425b9..b4ec037 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -139,7 +139,7 @@ decrypt(LIBSSH2_SESSION * session, unsigned char *source, + assert((len % blocksize) == 0); + + while (len >= blocksize) { +- if (session->remote.crypt->crypt(session, source, ++ if (session->remote.crypt->crypt(session, source, blocksize, + &session->remote.crypt_abstract)) { + LIBSSH2_FREE(session, p->payload); + return LIBSSH2_ERROR_DECRYPT; +@@ -846,6 +846,7 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, + for(i = 0; i < packet_length; i += session->local.crypt->blocksize) { + unsigned char *ptr = &p->outbuf[i]; + if (session->local.crypt->crypt(session, ptr, ++ session->local.crypt->blocksize, + &session->local.crypt_abstract)) + return LIBSSH2_ERROR_ENCRYPT; /* encryption failure */ + } +-- +1.7.1 + + +From 9f6fd5af8282ef82c0ff8d89cf9ebc121bb35b59 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 11 Sep 2012 09:02:31 +0200 +Subject: [PATCH 4/4] Revert "aes: the init function fails when OpenSSL has AES support" + +This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864. + +We need to use the EVP_aes_???_ctr() functions in FIPS mode. 
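Review bot: `_libssh2_cipher_crypt` in src/openssl.c now uses a caller-supplied `size_t blocksize` for both `EVP_Cipher(ctx, buf, block, blocksize)` and `memcpy(block, buf, blocksize)`, but `buf` is still the fixed `unsigned char buf[EVP_MAX_BLOCK_LENGTH]`. Before this change the length came from the cipher context itself; after it, nothing in the hunk prevents a value larger than the buffer from overflowing the stack. A guard ahead of the EVP_Cipher call closes this, e.g. `if (blocksize > sizeof(buf)) return 1;` (non-zero as the failure value is inferred from how transport.c tests the result; the function's own return statement is outside the hunk). The libgcrypt variant takes the same parameter as `blklen` and has no range check either.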
+--- + src/openssl.h | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) + +diff --git a/src/openssl.h b/src/openssl.h +index 4835ab6..6f21a1a 100644 +--- a/src/openssl.h ++++ b/src/openssl.h +@@ -151,9 +151,15 @@ void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char + #define _libssh2_cipher_aes256 EVP_aes_256_cbc + #define _libssh2_cipher_aes192 EVP_aes_192_cbc + #define _libssh2_cipher_aes128 EVP_aes_128_cbc ++#ifdef HAVE_EVP_AES_128_CTR ++#define _libssh2_cipher_aes128ctr EVP_aes_128_ctr ++#define _libssh2_cipher_aes192ctr EVP_aes_192_ctr ++#define _libssh2_cipher_aes256ctr EVP_aes_256_ctr ++#else + #define _libssh2_cipher_aes128ctr _libssh2_EVP_aes_128_ctr + #define _libssh2_cipher_aes192ctr _libssh2_EVP_aes_192_ctr + #define _libssh2_cipher_aes256ctr _libssh2_EVP_aes_256_ctr ++#endif + #define _libssh2_cipher_blowfish EVP_bf_cbc + #define _libssh2_cipher_arcfour EVP_rc4 + #define _libssh2_cipher_cast5 EVP_cast5_cbc +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index b99d8ef..5e1e2a0 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,13 +9,14 @@ Name: libssh2 Version: 1.4.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.2.9-utf8.patch +Patch1: libssh2-1.4.2-fips.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -65,6 +66,9 @@ developing applications that use libssh2. # Make sure things are UTF-8... %patch0 -p1 +# Make sure libssh2 works in FIPS mode... +%patch1 -p1 + # Make sshd transition appropriately if building in an SELinux environment chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : 
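Review bot: The new `#ifdef HAVE_EVP_AES_128_CTR` branch in src/openssl.h selects `EVP_aes_192_ctr` and `EVP_aes_256_ctr` on the strength of a test that names only the 128-bit variant, and the selection is silent. If the macro is not defined when this header is read, the build quietly falls back to the private `_libssh2_EVP_aes_*_ctr` implementations, which the commit message implies are not usable in FIPS mode. I would add a comment above the block, such as `/* HAVE_EVP_AES_128_CTR is set by configure when OpenSSL provides EVP_aes_128_ctr(); the 192/256 variants are assumed to come with it. Required for FIPS mode. */`, so packagers can see the dependency on the configure check.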
@@ -126,6 +130,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Sep 26 2012 Kamil Dudka 1.4.2-3 +- fix basic functionality of libssh2 in FIPS mode + * Thu Jul 19 2012 Fedora Release Engineering - 1.4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild From 529c6ce524d6f6afe68642d11a4ff03346c57bae Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 1 Oct 2012 12:40:10 +0200 Subject: [PATCH 38/93] skip SELinux-related quirks on recent distros ... to prevent a test-suite failure --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 5e1e2a0..87ba988 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -28,7 +28,7 @@ BuildRequires: openssh-server # initialization script so that it can transition correctly in an SELinux # environment; matchpathcon is only available from FC-4 and moved from the # libselinux to libselinux-utils package in F-10 -%if 0%{?fedora} >= 4 || 0%{?rhel} >= 5 +%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7) BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted %endif @@ -70,9 +70,11 @@ developing applications that use libssh2. %patch1 -p1 # Make sshd transition appropriately if building in an SELinux environment +%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} || : +%endif %build %configure --disable-static --enable-shared @@ -132,6 +134,7 @@ rm -rf %{buildroot} %changelog * Wed Sep 26 2012 Kamil Dudka 1.4.2-3 - fix basic functionality of libssh2 in FIPS mode +- skip SELinux-related quirks on recent distros to prevent a test-suite failure * Thu Jul 19 2012 Fedora Release Engineering - 1.4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 
From 15d584a147800f60c6618fb3ab837b6034162cff Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Sep 2012 13:25:19 +0200 Subject: [PATCH 39/93] defuzz patches --- libssh2-1.4.2-fips.patch | 2 +- libssh2-1.2.9-utf8.patch => libssh2-1.4.2-utf8.patch | 5 ++++- libssh2.spec | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) rename libssh2-1.2.9-utf8.patch => libssh2-1.4.2-utf8.patch (66%) diff --git a/libssh2-1.4.2-fips.patch b/libssh2-1.4.2-fips.patch index af88656..e45d794 100644 --- a/libssh2-1.4.2-fips.patch +++ b/libssh2-1.4.2-fips.patch @@ -255,7 +255,7 @@ index 15425b9..b4ec037 100644 &session->remote.crypt_abstract)) { LIBSSH2_FREE(session, p->payload); return LIBSSH2_ERROR_DECRYPT; -@@ -846,6 +846,7 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, +@@ -834,6 +834,7 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, for(i = 0; i < packet_length; i += session->local.crypt->blocksize) { unsigned char *ptr = &p->outbuf[i]; if (session->local.crypt->crypt(session, ptr, diff --git a/libssh2-1.2.9-utf8.patch b/libssh2-1.4.2-utf8.patch similarity index 66% rename from libssh2-1.2.9-utf8.patch rename to libssh2-1.4.2-utf8.patch index 1535fa5..aa1e854 100644 --- a/libssh2-1.2.9-utf8.patch +++ b/libssh2-1.4.2-utf8.patch @@ -1,6 +1,9 @@ + NEWS | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + --- libssh2/NEWS +++ libssh2/NEWS -@@ -2886,7 +2886,7 @@ +@@ -3284,7 +3284,7 @@ Simon Josefsson (16 Nov 2009) - support arcfour128 cipher per RFC 4345 Daniel Stenberg (21 Oct 2009) diff --git a/libssh2.spec b/libssh2.spec index 87ba988..c5e5b5d 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -15,7 +15,7 @@ Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.2.9-utf8.patch +Patch0: libssh2-1.4.2-utf8.patch Patch1: libssh2-1.4.2-fips.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel 
From 4e05bd07c30ebc500fa60687294d5314feb9c5cb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 7 Nov 2012 15:34:30 +0100 Subject: [PATCH 40/93] examples: use stderr for messages, stdout for data [upstream commit b31e35ab] --- libssh2-1.4.2-examples.patch | 1019 ++++++++++++++++++++++++++++++++++ libssh2.spec | 9 +- 2 files changed, 1027 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.4.2-examples.patch diff --git a/libssh2-1.4.2-examples.patch b/libssh2-1.4.2-examples.patch new file mode 100644 index 0000000..fa138c9 --- /dev/null +++ b/libssh2-1.4.2-examples.patch 
@@ -0,0 +1,1019 @@ +From b31e35aba6fa2e39f7aa91c21400722afe8d675e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 22 Oct 2012 13:29:27 +0200 +Subject: [PATCH] examples: use stderr for messages, stdout for data + +Reported by: Karel Srot +Bug: https://bugzilla.redhat.com/867462 +--- + example/direct_tcpip.c | 19 ++++++++------- + example/scp_nonblock.c | 2 +- + example/scp_write_nonblock.c | 2 +- + example/sftp.c | 49 +++++++++++++++++++++------------------- + example/sftp_RW_nonblock.c | 14 ++++++------ + example/sftp_append.c | 18 +++++++------- + example/sftp_mkdir.c | 12 +++++----- + example/sftp_mkdir_nonblock.c | 12 +++++----- + example/sftp_nonblock.c | 4 +- + example/sftp_write.c | 14 ++++++------ + example/sftp_write_nonblock.c | 16 ++++++------ + example/sftp_write_sliding.c | 16 ++++++------ + example/sftpdir.c | 12 +++++----- + example/sftpdir_nonblock.c | 8 +++--- + example/ssh2.c | 26 +++++++++++---------- + example/ssh2_agent.c | 14 ++++++------ + example/ssh2_echo.c | 2 +- + example/ssh2_exec.c | 4 +- + example/subsystem_netconf.c | 20 ++++++++-------- + example/tcpip-forward.c | 25 +++++++++++---------- + 20 files changed, 148 insertions(+), 141 deletions(-) + +diff --git a/example/direct_tcpip.c b/example/direct_tcpip.c +index 6aa9845..e530199 100644 +--- a/example/direct_tcpip.c ++++ b/example/direct_tcpip.c +@@ -135,7 +135,7 @@ int main(int argc, char *argv[]) + + /* check what authentication methods are available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, "Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "password")) + auth |= AUTH_PASSWORD; + if (strstr(userauthlist, "publickey")) +@@ -157,12 +157,12 @@ int main(int argc, char *argv[]) + } else if (auth & AUTH_PUBLICKEY) { + if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, + keyfile2, password)) { +- printf("\tAuthentication by 
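Review bot: In the first example/direct_tcpip.c hunk `userauthlist` goes straight into `fprintf(stderr, "Authentication methods: %s\n", userauthlist)` and then into `strstr()`, but `libssh2_userauth_list()` returns NULL on failure and also when the server accepts the `none` method. A NULL is undefined behaviour in both calls, so the example should test it first, e.g. `if (!userauthlist) { fprintf(stderr, "No authentication method list received\n"); goto shutdown; }`. The same unchecked pattern appears in the sftp.c, ssh2.c, ssh2_agent.c and subsystem_netconf.c hunks of this patch. main() starts and ends outside the hunk.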
public key failed!\n"); ++ fprintf(stderr, "\tAuthentication by public key failed!\n"); + goto shutdown; + } +- printf("\tAuthentication by public key succeeded.\n"); ++ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); + } else { +- printf("No supported authentication methods found!\n"); ++ fprintf(stderr, "No supported authentication methods found!\n"); + goto shutdown; + } + +@@ -185,7 +185,7 @@ int main(int argc, char *argv[]) + goto shutdown; + } + +- printf("Waiting for TCP connection on %s:%d...\n", ++ fprintf(stderr, "Waiting for TCP connection on %s:%d...\n", + inet_ntoa(sin.sin_addr), ntohs(sin.sin_port)); + + forwardsock = accept(listensock, (struct sockaddr *)&sin, &sinlen); +@@ -197,8 +197,8 @@ int main(int argc, char *argv[]) + shost = inet_ntoa(sin.sin_addr); + sport = ntohs(sin.sin_port); + +- printf("Forwarding connection from %s:%d here to remote %s:%d\n", shost, +- sport, remote_desthost, remote_destport); ++ fprintf(stderr, "Forwarding connection from %s:%d here to remote %s:%d\n", ++ shost, sport, remote_desthost, remote_destport); + + channel = libssh2_channel_direct_tcpip_ex(session, remote_desthost, + remote_destport, shost, sport); +@@ -228,7 +228,8 @@ int main(int argc, char *argv[]) + perror("read"); + goto shutdown; + } else if (0 == len) { +- printf("The client at %s:%d disconnected!\n", shost, sport); ++ fprintf(stderr, "The client at %s:%d disconnected!\n", shost, ++ sport); + goto shutdown; + } + wr = 0; +@@ -259,7 +260,7 @@ int main(int argc, char *argv[]) + wr += i; + } + if (libssh2_channel_eof(channel)) { +- printf("The server at %s:%d disconnected!\n", ++ fprintf(stderr, "The server at %s:%d disconnected!\n", + remote_desthost, remote_destport); + goto shutdown; + } +diff --git a/example/scp_nonblock.c b/example/scp_nonblock.c +index 867d851..5d636c0 100644 +--- a/example/scp_nonblock.c ++++ b/example/scp_nonblock.c +@@ -250,7 +250,7 @@ int main(int argc, char *argv[]) + gettimeofday(&end, NULL); + + time_ms = 
tvdiff(end, start); +- printf("Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, ++ fprintf(stderr, "Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, + time_ms, total/(time_ms/1000.0), spin ); + + libssh2_channel_free(channel); +diff --git a/example/scp_write_nonblock.c b/example/scp_write_nonblock.c +index 9dfbd4e..0ac0f69 100644 +--- a/example/scp_write_nonblock.c ++++ b/example/scp_write_nonblock.c +@@ -243,7 +243,7 @@ int main(int argc, char *argv[]) + + duration = (int)(time(NULL)-start); + +- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", ++ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", + total, duration, total/(double)duration); + + fprintf(stderr, "Sending EOF\n"); +diff --git a/example/sftp.c b/example/sftp.c +index e69b3c3..88ceba2 100644 +--- a/example/sftp.c ++++ b/example/sftp.c +@@ -55,24 +55,24 @@ static void kbd_callback(const char *name, int name_len, + char buf[1024]; + (void)abstract; + +- printf("Performing keyboard-interactive authentication.\n"); ++ fprintf(stderr, "Performing keyboard-interactive authentication.\n"); + +- printf("Authentication name: '"); +- fwrite(name, 1, name_len, stdout); +- printf("'\n"); ++ fprintf(stderr, "Authentication name: '"); ++ fwrite(name, 1, name_len, stderr); ++ fprintf(stderr, "'\n"); + +- printf("Authentication instruction: '"); +- fwrite(instruction, 1, instruction_len, stdout); +- printf("'\n"); ++ fprintf(stderr, "Authentication instruction: '"); ++ fwrite(instruction, 1, instruction_len, stderr); ++ fprintf(stderr, "'\n"); + +- printf("Number of prompts: %d\n\n", num_prompts); ++ fprintf(stderr, "Number of prompts: %d\n\n", num_prompts); + + for (i = 0; i < num_prompts; i++) { +- printf("Prompt %d from server: '", i); +- fwrite(prompts[i].text, 1, prompts[i].length, stdout); +- printf("'\n"); ++ fprintf(stderr, "Prompt %d from server: '", i); ++ fwrite(prompts[i].text, 1, prompts[i].length, stderr); ++ fprintf(stderr, "'\n"); + +- printf("Please type 
response: "); ++ fprintf(stderr, "Please type response: "); + fgets(buf, sizeof(buf), stdin); + n = strlen(buf); + while (n > 0 && strchr("\r\n", buf[n - 1])) +@@ -82,12 +82,13 @@ static void kbd_callback(const char *name, int name_len, + responses[i].text = strdup(buf); + responses[i].length = n; + +- printf("Response %d from user is '", i); +- fwrite(responses[i].text, 1, responses[i].length, stdout); +- printf("'\n\n"); ++ fprintf(stderr, "Response %d from user is '", i); ++ fwrite(responses[i].text, 1, responses[i].length, stderr); ++ fprintf(stderr, "'\n\n"); + } + +- printf("Done. Sending keyboard-interactive responses to server now.\n"); ++ fprintf(stderr, ++ "Done. Sending keyboard-interactive responses to server now.\n"); + } + + +@@ -127,7 +128,7 @@ int main(int argc, char *argv[]) + + rc = libssh2_init (0); + if (rc != 0) { +- fprintf (stderr, "libssh2 initialization failed (%d)\n", rc); ++ fprintf(stderr, "libssh2 initialization failed (%d)\n", rc); + return 1; + } + +@@ -178,7 +179,7 @@ int main(int argc, char *argv[]) + + /* check what authentication methods are available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, "Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "password") != NULL) { + auth_pw |= 1; + } +@@ -211,21 +212,23 @@ int main(int argc, char *argv[]) + } else if (auth_pw & 2) { + /* Or via keyboard-interactive */ + if (libssh2_userauth_keyboard_interactive(session, username, &kbd_callback) ) { +- printf("\tAuthentication by keyboard-interactive failed!\n"); ++ fprintf(stderr, ++ "\tAuthentication by keyboard-interactive failed!\n"); + goto shutdown; + } else { +- printf("\tAuthentication by keyboard-interactive succeeded.\n"); ++ fprintf(stderr, ++ "\tAuthentication by keyboard-interactive succeeded.\n"); + } + } else if (auth_pw & 4) { + /* Or by public key */ + if 
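Review bot: In kbd_callback (example/sftp.c, hunk `@@ -55,24 +55,24 @@`) the result of `fgets(buf, sizeof(buf), stdin)` is not checked, and the next line runs `strlen(buf)` on a buffer that was never initialised. If stdin is closed or at end-of-file, which is likely once these examples are driven from scripts, the length is computed over whatever is on the stack and that data is then copied into the response. `if (!fgets(buf, sizeof(buf), stdin)) buf[0] = '\0';` keeps the response empty in that case. The function body starts and ends outside the hunk.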
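Review bot: The lines `fprintf(stderr, "Response %d from user is '", i);` and `fwrite(responses[i].text, 1, responses[i].length, stderr);` in the `@@ -82,12 +82,13 @@` hunk write the user's keyboard-interactive answer, normally a password or one-time code, to stderr in clear text. stderr is the stream most often redirected into log files, so after this change the secret is more likely to be persisted than when it went to stdout. I would drop the echo or report only its size, `fprintf(stderr, "Response %d from user: %u bytes\n\n", i, responses[i].length);`. Separately, the server-supplied prompt text is written unfiltered with `fwrite`, so control characters from the server reach the user's terminal; that behaviour predates this patch.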
(libssh2_userauth_publickey_fromfile(session, username, keyfile1, keyfile2, password)) { +- printf("\tAuthentication by public key failed!\n"); ++ fprintf(stderr, "\tAuthentication by public key failed!\n"); + goto shutdown; + } else { +- printf("\tAuthentication by public key succeeded.\n"); ++ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); + } + } else { +- printf("No supported authentication methods found!\n"); ++ fprintf(stderr, "No supported authentication methods found!\n"); + goto shutdown; + } + +diff --git a/example/sftp_RW_nonblock.c b/example/sftp_RW_nonblock.c +index babb48a..77c2027 100644 +--- a/example/sftp_RW_nonblock.c ++++ b/example/sftp_RW_nonblock.c +@@ -141,11 +141,11 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if(argc > 1) { + username = argv[1]; +@@ -162,7 +162,7 @@ int main(int argc, char *argv[]) + + tempstorage = fopen(STORAGE, "wb"); + if(!tempstorage) { +- printf("Can't open temp storage file %s\n", STORAGE); ++ fprintf(stderr, "Can't open temp storage file %s\n", STORAGE); + goto shutdown; + } + +@@ -171,7 +171,7 @@ int main(int argc, char *argv[]) + while ((rc = libssh2_userauth_password(session, username, password)) + == LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -185,7 +185,7 @@ int main(int argc, char *argv[]) + password)) == + LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -341,7 +341,7 @@ int 
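Review bot: In the example/sftp_RW_nonblock.c hunk `@@ -141,11 +141,11 @@` the loop `fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]);` indexes `fingerprint` without a NULL test, although `libssh2_hostkey_hash()` returns NULL when the requested hash is not available. Adding `if (!fingerprint) { fprintf(stderr, "Unable to get host key hash\n"); goto shutdown; }` before the loop avoids the dereference. The fingerprint is also only printed and never compared with a known value before credentials are sent, so the comment above the call should state plainly that the example does not verify the server's identity. The same loop is repeated in the sftp_append.c, sftp_mkdir.c, sftp_mkdir_nonblock.c, sftp_write*.c, sftpdir*.c, ssh2.c and ssh2_agent.c hunks.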
main(int argc, char *argv[]) + #endif + if (tempstorage) + fclose(tempstorage); +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_append.c b/example/sftp_append.c +index 731d21a..7585d38 100644 +--- a/example/sftp_append.c ++++ b/example/sftp_append.c +@@ -86,7 +86,7 @@ int main(int argc, char *argv[]) + + local = fopen(loclfile, "rb"); + if (!local) { +- printf("Can't local file %s\n", loclfile); ++ fprintf(stderr, "Can't open local file %s\n", loclfile); + return -1; + } + +@@ -129,16 +129,16 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -147,7 +147,7 @@ int main(int argc, char *argv[]) + "/home/username/.ssh/id_rsa.pub", + "/home/username/.ssh/id_rsa", + password)) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -174,12 +174,12 @@ int main(int argc, char *argv[]) + } + + if(libssh2_sftp_fstat_ex(sftp_handle, &attrs, 0) < 0) { +- printf("libssh2_sftp_fstat_ex failed\n"); ++ fprintf(stderr, "libssh2_sftp_fstat_ex failed\n"); + goto shutdown; + } + else + libssh2_sftp_seek64(sftp_handle, attrs.filesize); +- printf("Did a seek to position %ld\n", (long) attrs.filesize); ++ fprintf(stderr, "Did a seek to position %ld\n", (long) attrs.filesize); + + fprintf(stderr, "libssh2_sftp_open() a handle for 
APPEND\n"); + +@@ -222,7 +222,7 @@ shutdown: + #endif + if (local) + fclose(local); +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_mkdir.c b/example/sftp_mkdir.c +index 39af8f0..8747084 100644 +--- a/example/sftp_mkdir.c ++++ b/example/sftp_mkdir.c +@@ -110,16 +110,16 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -128,7 +128,7 @@ int main(int argc, char *argv[]) + "/home/username/.ssh/id_rsa.pub", + "/home/username/.ssh/id_rsa", + password)) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -164,7 +164,7 @@ int main(int argc, char *argv[]) + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_mkdir_nonblock.c b/example/sftp_mkdir_nonblock.c +index 84cdc8f..22a8f59 100644 +--- a/example/sftp_mkdir_nonblock.c ++++ b/example/sftp_mkdir_nonblock.c +@@ -110,16 +110,16 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- 
printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -128,7 +128,7 @@ int main(int argc, char *argv[]) + "/home/username/.ssh/id_rsa.pub", + "/home/username/.ssh/id_rsa", + password)) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -164,7 +164,7 @@ int main(int argc, char *argv[]) + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_nonblock.c b/example/sftp_nonblock.c +index 6ddc109..29cec8a 100644 +--- a/example/sftp_nonblock.c ++++ b/example/sftp_nonblock.c +@@ -251,7 +251,7 @@ int main(int argc, char *argv[]) + + gettimeofday(&end, NULL); + time_ms = tvdiff(end, start); +- printf("Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, ++ fprintf(stderr, "Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, + time_ms, total/(time_ms/1000.0), spin ); + + libssh2_sftp_close(sftp_handle); +@@ -259,7 +259,7 @@ int main(int argc, char *argv[]) + + shutdown: + +- printf("libssh2_session_disconnect\n"); ++ fprintf(stderr, "libssh2_session_disconnect\n"); + while (libssh2_session_disconnect(session, + "Normal Shutdown, Thank you") == + LIBSSH2_ERROR_EAGAIN); +diff --git a/example/sftp_write.c b/example/sftp_write.c +index 9415ce4..483f80a 100644 +--- a/example/sftp_write.c ++++ b/example/sftp_write.c +@@ -85,7 +85,7 @@ int main(int argc, char *argv[]) + + local = fopen(loclfile, "rb"); + if (!local) { +- printf("Can't local file %s\n", loclfile); ++ fprintf(stderr, "Can't open local file %s\n", loclfile); + return -1; + } + +@@ -128,16 +128,16 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + 
fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -146,7 +146,7 @@ int main(int argc, char *argv[]) + "/home/username/.ssh/id_rsa.pub", + "/home/username/.ssh/id_rsa", + password)) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -206,7 +206,7 @@ shutdown: + #endif + if (local) + fclose(local); +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_write_nonblock.c b/example/sftp_write_nonblock.c +index 61cc5f4..0d66c40 100644 +--- a/example/sftp_write_nonblock.c ++++ b/example/sftp_write_nonblock.c +@@ -125,7 +125,7 @@ int main(int argc, char *argv[]) + + local = fopen(loclfile, "rb"); + if (!local) { +- printf("Can't local file %s\n", loclfile); ++ fprintf(stderr, "Can't open local file %s\n", loclfile); + return -1; + } + +@@ -169,18 +169,18 @@ int main(int argc, char *argv[]) + * that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + while ((rc = libssh2_userauth_password(session, username, password)) == + 
LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -191,7 +191,7 @@ int main(int argc, char *argv[]) + password)) == + LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -253,7 +253,7 @@ int main(int argc, char *argv[]) + + duration = (int)(time(NULL)-start); + +- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", ++ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", + total, duration, total/(double)duration); + + +@@ -272,7 +272,7 @@ shutdown: + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftp_write_sliding.c b/example/sftp_write_sliding.c +index 2d8301c..c2ba39d 100644 +--- a/example/sftp_write_sliding.c ++++ b/example/sftp_write_sliding.c +@@ -125,7 +125,7 @@ int main(int argc, char *argv[]) + + local = fopen(loclfile, "rb"); + if (!local) { +- printf("Can't local file %s\n", loclfile); ++ fprintf(stderr, "Can't open local file %s\n", loclfile); + return -1; + } + +@@ -169,18 +169,18 @@ int main(int argc, char *argv[]) + * that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + while ((rc = libssh2_userauth_password(session, username, password)) == + LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -191,7 +191,7 @@ int 
main(int argc, char *argv[]) + password)) == + LIBSSH2_ERROR_EAGAIN); + if (rc) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -262,7 +262,7 @@ int main(int argc, char *argv[]) + + duration = (int)(time(NULL)-start); + +- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", ++ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", + total, duration, total/(double)duration); + + +@@ -281,7 +281,7 @@ shutdown: + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftpdir.c b/example/sftpdir.c +index 006fd27..cb9fb88 100644 +--- a/example/sftpdir.c ++++ b/example/sftpdir.c +@@ -130,16 +130,16 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("Authentication by password failed.\n"); ++ fprintf(stderr, "Authentication by password failed.\n"); + goto shutdown; + } + } else { +@@ -148,7 +148,7 @@ int main(int argc, char *argv[]) + "/home/username/.ssh/id_rsa.pub", + "/home/username/.ssh/id_rsa", + password)) { +- printf("\tAuthentication by public key failed\n"); ++ fprintf(stderr, "\tAuthentication by public key failed\n"); + goto shutdown; + } + } +@@ -229,7 +229,7 @@ int main(int argc, char *argv[]) + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/sftpdir_nonblock.c b/example/sftpdir_nonblock.c +index 38fb010..c8ad9f5 
100644 +--- a/example/sftpdir_nonblock.c ++++ b/example/sftpdir_nonblock.c +@@ -134,11 +134,11 @@ int main(int argc, char *argv[]) + * user, that's your call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + if (auth_pw) { + /* We could authenticate via password */ +@@ -239,7 +239,7 @@ int main(int argc, char *argv[]) + #else + close(sock); + #endif +- printf("all done\n"); ++ fprintf(stderr, "all done\n"); + + libssh2_exit(); + +diff --git a/example/ssh2.c b/example/ssh2.c +index d5e6166..008496c 100644 +--- a/example/ssh2.c ++++ b/example/ssh2.c +@@ -126,15 +126,15 @@ int main(int argc, char *argv[]) + * call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + /* check what authentication methods are available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, "Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "password") != NULL) { + auth_pw |= 1; + } +@@ -161,31 +161,33 @@ int main(int argc, char *argv[]) + if (auth_pw & 1) { + /* We could authenticate via password */ + if (libssh2_userauth_password(session, username, password)) { +- printf("\tAuthentication by password failed!\n"); ++ fprintf(stderr, "\tAuthentication by password failed!\n"); + goto shutdown; + } else { +- printf("\tAuthentication by password succeeded.\n"); ++ fprintf(stderr, "\tAuthentication by password 
succeeded.\n"); + } + } else if (auth_pw & 2) { + /* Or via keyboard-interactive */ + if (libssh2_userauth_keyboard_interactive(session, username, + &kbd_callback) ) { +- printf("\tAuthentication by keyboard-interactive failed!\n"); ++ fprintf(stderr, ++ "\tAuthentication by keyboard-interactive failed!\n"); + goto shutdown; + } else { +- printf("\tAuthentication by keyboard-interactive succeeded.\n"); ++ fprintf(stderr, ++ "\tAuthentication by keyboard-interactive succeeded.\n"); + } + } else if (auth_pw & 4) { + /* Or by public key */ + if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, + keyfile2, password)) { +- printf("\tAuthentication by public key failed!\n"); ++ fprintf(stderr, "\tAuthentication by public key failed!\n"); + goto shutdown; + } else { +- printf("\tAuthentication by public key succeeded.\n"); ++ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); + } + } else { +- printf("No supported authentication methods found!\n"); ++ fprintf(stderr, "No supported authentication methods found!\n"); + goto shutdown; + } + +@@ -250,7 +252,7 @@ int main(int argc, char *argv[]) + #else + close(sock); + #endif +- printf("all done!\n"); ++ fprintf(stderr, "all done!\n"); + + libssh2_exit(); + +diff --git a/example/ssh2_agent.c b/example/ssh2_agent.c +index 9ca1a42..231445f 100644 +--- a/example/ssh2_agent.c ++++ b/example/ssh2_agent.c +@@ -105,15 +105,15 @@ int main(int argc, char *argv[]) + * call + */ + fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); +- printf("Fingerprint: "); ++ fprintf(stderr, "Fingerprint: "); + for(i = 0; i < 20; i++) { +- printf("%02X ", (unsigned char)fingerprint[i]); ++ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); + } +- printf("\n"); ++ fprintf(stderr, "\n"); + + /* check what authentication methods are available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, 
"Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "publickey") == NULL) { + fprintf(stderr, "\"publickey\" authentication is not supported\n"); + goto shutdown; +@@ -147,11 +147,11 @@ int main(int argc, char *argv[]) + goto shutdown; + } + if (libssh2_agent_userauth(agent, username, identity)) { +- printf("\tAuthentication with username %s and " ++ fprintf(stderr, "\tAuthentication with username %s and " + "public key %s failed!\n", + username, identity->comment); + } else { +- printf("\tAuthentication with username %s and " ++ fprintf(stderr, "\tAuthentication with username %s and " + "public key %s succeeded!\n", + username, identity->comment); + break; +@@ -234,7 +234,7 @@ int main(int argc, char *argv[]) + #endif + } + +- printf("all done!\n"); ++ fprintf(stderr, "all done!\n"); + + libssh2_exit(); + +diff --git a/example/ssh2_echo.c b/example/ssh2_echo.c +index 1fd8f3f..2430e33 100644 +--- a/example/ssh2_echo.c ++++ b/example/ssh2_echo.c +@@ -327,7 +327,7 @@ int main(int argc, char *argv[]) + } + + if (exitsignal) +- printf("\nGot signal: %s\n", exitsignal); ++ fprintf(stderr, "\nGot signal: %s\n", exitsignal); + + libssh2_channel_free(channel); + channel = NULL; +diff --git a/example/ssh2_exec.c b/example/ssh2_exec.c +index e5b151d..d47761c 100644 +--- a/example/ssh2_exec.c ++++ b/example/ssh2_exec.c +@@ -292,9 +292,9 @@ int main(int argc, char *argv[]) + } + + if (exitsignal) +- printf("\nGot signal: %s\n", exitsignal); ++ fprintf(stderr, "\nGot signal: %s\n", exitsignal); + else +- printf("\nEXIT: %d bytecount: %d\n", exitcode, bytecount); ++ fprintf(stderr, "\nEXIT: %d bytecount: %d\n", exitcode, bytecount); + + libssh2_channel_free(channel); + channel = NULL; +diff --git a/example/subsystem_netconf.c b/example/subsystem_netconf.c +index 708113b..6f83661 100644 +--- a/example/subsystem_netconf.c ++++ b/example/subsystem_netconf.c +@@ -173,7 +173,7 @@ int main(int argc, char *argv[]) + + /* check what authentication methods are 
available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, "Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "password")) + auth |= AUTH_PASSWORD; + if (strstr(userauthlist, "publickey")) +@@ -195,12 +195,12 @@ int main(int argc, char *argv[]) + } else if (auth & AUTH_PUBLICKEY) { + if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, + keyfile2, password)) { +- printf("Authentication by public key failed!\n"); ++ fprintf(stderr, "Authentication by public key failed!\n"); + goto shutdown; + } +- printf("Authentication by public key succeeded.\n"); ++ fprintf(stderr, "Authentication by public key succeeded.\n"); + } else { +- printf("No supported authentication methods found!\n"); ++ fprintf(stderr, "No supported authentication methods found!\n"); + goto shutdown; + } + +@@ -223,7 +223,7 @@ int main(int argc, char *argv[]) + + /* NETCONF: http://tools.ietf.org/html/draft-ietf-netconf-ssh-06 */ + +- printf("Sending NETCONF client \n"); ++ fprintf(stderr, "Sending NETCONF client \n"); + snprintf(buf, sizeof(buf), + "\n" + "" +@@ -235,14 +235,14 @@ int main(int argc, char *argv[]) + if (-1 == netconf_write(channel, buf, len)) + goto shutdown; + +- printf("Reading NETCONF server \n"); ++ fprintf(stderr, "Reading NETCONF server \n"); + len = netconf_read_until(channel, "", buf, sizeof(buf)); + if (-1 == len) + goto shutdown; + +- printf("Got %d bytes:\n----------------------\n%s", (int)len, buf); ++ fprintf(stderr, "Got %d bytes:\n----------------------\n%s", (int)len, buf); + +- printf("Sending NETCONF \n"); ++ fprintf(stderr, "Sending NETCONF \n"); + snprintf(buf, sizeof(buf), + "\n" + "" +@@ -252,12 +252,12 @@ int main(int argc, char *argv[]) + if (-1 == netconf_write(channel, buf, len)) + goto shutdown; + +- printf("Reading NETCONF \n"); ++ fprintf(stderr, "Reading NETCONF \n"); + len = netconf_read_until(channel, "", buf, 
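Review bot: In the subsystem_netconf.c hunk (-235,14) the server's reply is printed with `%s`, which relies on netconf_read_until() having NUL-terminated `buf`; that function's body is outside the hunk, so this cannot be confirmed from here. Bounding the output by the returned length removes the dependency: `fprintf(stderr, "Got %d bytes:\n----------------------\n%.*s", (int)len, (int)len, buf);`. The reply is remote-controlled payload rather than a status message, so under the commit's "stderr for messages, stdout for data" split it arguably belongs on stdout, and either way it reaches the terminal unfiltered. The same call is repeated in the following -252,12 hunk.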
sizeof(buf)); + if (-1 == len) + goto shutdown; + +- printf("Got %d bytes:\n----------------------\n%s", (int)len, buf); ++ fprintf(stderr, "Got %d bytes:\n----------------------\n%s", (int)len, buf); + + shutdown: + if (channel) +diff --git a/example/tcpip-forward.c b/example/tcpip-forward.c +index a408b69..94d3cc8 100644 +--- a/example/tcpip-forward.c ++++ b/example/tcpip-forward.c +@@ -137,7 +137,7 @@ int main(int argc, char *argv[]) + + /* check what authentication methods are available */ + userauthlist = libssh2_userauth_list(session, username, strlen(username)); +- printf("Authentication methods: %s\n", userauthlist); ++ fprintf(stderr, "Authentication methods: %s\n", userauthlist); + if (strstr(userauthlist, "password")) + auth |= AUTH_PASSWORD; + if (strstr(userauthlist, "publickey")) +@@ -159,17 +159,17 @@ int main(int argc, char *argv[]) + } else if (auth & AUTH_PUBLICKEY) { + if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, + keyfile2, password)) { +- printf("\tAuthentication by public key failed!\n"); ++ fprintf(stderr, "\tAuthentication by public key failed!\n"); + goto shutdown; + } +- printf("\tAuthentication by public key succeeded.\n"); ++ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); + } else { +- printf("No supported authentication methods found!\n"); ++ fprintf(stderr, "No supported authentication methods found!\n"); + goto shutdown; + } + +- printf("Asking server to listen on remote %s:%d\n", remote_listenhost, +- remote_wantport); ++ fprintf(stderr, "Asking server to listen on remote %s:%d\n", ++ remote_listenhost, remote_wantport); + + listener = libssh2_channel_forward_listen_ex(session, remote_listenhost, + remote_wantport, &remote_listenport, 1); +@@ -180,10 +180,10 @@ int main(int argc, char *argv[]) + goto shutdown; + } + +- printf("Server is listening on %s:%d\n", remote_listenhost, ++ fprintf(stderr, "Server is listening on %s:%d\n", remote_listenhost, + remote_listenport); + +- printf("Waiting 
for remote connection\n"); ++ fprintf(stderr, "Waiting for remote connection\n"); + channel = libssh2_channel_forward_accept(listener); + if (!channel) { + fprintf(stderr, "Could not accept connection!\n" +@@ -192,7 +192,8 @@ int main(int argc, char *argv[]) + goto shutdown; + } + +- printf("Accepted remote connection. Connecting to local server %s:%d\n", ++ fprintf(stderr, ++ "Accepted remote connection. Connecting to local server %s:%d\n", + local_destip, local_destport); + forwardsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + sin.sin_family = AF_INET; +@@ -206,7 +207,7 @@ int main(int argc, char *argv[]) + goto shutdown; + } + +- printf("Forwarding connection from remote %s:%d to local %s:%d\n", ++ fprintf(stderr, "Forwarding connection from remote %s:%d to local %s:%d\n", + remote_listenhost, remote_listenport, local_destip, local_destport); + + /* Must use non-blocking IO hereafter due to the current libssh2 API */ +@@ -228,7 +229,7 @@ int main(int argc, char *argv[]) + perror("read"); + goto shutdown; + } else if (0 == len) { +- printf("The local server at %s:%d disconnected!\n", ++ fprintf(stderr, "The local server at %s:%d disconnected!\n", + local_destip, local_destport); + goto shutdown; + } +@@ -260,7 +261,7 @@ int main(int argc, char *argv[]) + wr += i; + } + if (libssh2_channel_eof(channel)) { +- printf("The remote client at %s:%d disconnected!\n", ++ fprintf(stderr, "The remote client at %s:%d disconnected!\n", + remote_listenhost, remote_listenport); + goto shutdown; + } +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index c5e5b5d..5c25b39 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -9,7 +9,7 @@ Name: libssh2 Version: 1.4.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -17,6 +17,7 @@ URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch Patch1: libssh2-1.4.2-fips.patch +Patch2: libssh2-1.4.2-examples.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -69,6 +70,9 @@ developing applications that use libssh2. # Make sure libssh2 works in FIPS mode... %patch1 -p1 +# examples: use stderr for messages, stdout for data +%patch2 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -132,6 +136,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Nov 07 2012 Kamil Dudka 1.4.2-4 +- examples: use stderr for messages, stdout for data (upstream commit b31e35ab) + * Wed Sep 26 2012 Kamil Dudka 1.4.2-3 - fix basic functionality of libssh2 in FIPS mode - skip SELinux-related quirks on recent distros to prevent a test-suite failure From 91ca20147c4e3238c61224cedbbf9e8854966ba6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 7 Nov 2012 15:35:06 +0100 Subject: [PATCH 41/93] update libssh2_hostkey_hash(3) man page [upstream commit fe8f3deb] --- libssh2-1.4.2-fips.patch | 30 ++++++++++++++++++++++++++++++ libssh2.spec | 1 + 2 files changed, 31 insertions(+) diff --git a/libssh2-1.4.2-fips.patch b/libssh2-1.4.2-fips.patch index e45d794..38d49af 100644 --- a/libssh2-1.4.2-fips.patch +++ b/libssh2-1.4.2-fips.patch 
@@ -302,3 +302,33 @@ index 4835ab6..6f21a1a 100644 -- 1.7.1 +From fe8f3deb480d1fcef0d720e6b9acabbd640fe7c3 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 1 Nov 2012 14:57:06 +0100 +Subject: [PATCH] libssh2_hostkey_hash.3: update the description of return value + +The function returns NULL also if the hash algorithm is not available. +--- + docs/libssh2_hostkey_hash.3 | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/docs/libssh2_hostkey_hash.3 b/docs/libssh2_hostkey_hash.3 +index f78831c..c2f1644 100644 +--- a/docs/libssh2_hostkey_hash.3 ++++ b/docs/libssh2_hostkey_hash.3 +@@ -18,8 +18,9 @@ Returns the computed digest of the remote system's hostkey. The length of + the returned string is hash_type specific (e.g. 16 bytes for MD5, + 20 bytes for SHA1). + .SH RETURN VALUE +-Computed hostkey hash value. or NULL if the session has not yet been started +-up. (The hash consists of raw binary bytes, not hex digits, so is not +-directly printable.) ++Computed hostkey hash value, or NULL if the information is not available ++(either the session has not yet been started up, or the requested hash ++algorithm was not available). The hash consists of raw binary bytes, not hex ++digits, so it is not directly printable. + .SH SEE ALSO + .BR libssh2_session_init_ex(3) +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index 5c25b39..cff63e8 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -138,6 +138,7 @@ rm -rf %{buildroot} %changelog * Wed Nov 07 2012 Kamil Dudka 1.4.2-4 - examples: use stderr for messages, stdout for data (upstream commit b31e35ab) +- update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb) * Wed Sep 26 2012 Kamil Dudka 1.4.2-3 - fix basic functionality of libssh2 in FIPS mode From c256d188f4af3b4b98f578742846d851954f4504 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Wed, 28 Nov 2012 12:47:04 +0000 Subject: [PATCH 42/93] Update to 1.4.3 - New upstream release 1.4.3 - compression: add support for zlib@openssh.com - sftp_read: return error if a too large package arrives - libssh2_hostkey_hash.3: update the description of return value - Fixed MSVC NMakefile - examples: use stderr for messages, stdout for data - openssl: do not leak memory when handling errors - improved handling of disabled MD5 algorithm in OpenSSL - known_hosts: Fail when parsing unknown keys in known_hosts file - configure: gcrypt doesn't come with pkg-config support - session_free: wrong variable used for keeping state - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating - Drop upstreamed patches --- libssh2-1.4.2-examples.patch | 1019 ---------------------------------- libssh2-1.4.2-fips.patch | 334 ----------- libssh2.spec | 34 +- sources | 2 +- 4 files changed, 22 insertions(+), 1367 deletions(-) delete mode 100644 libssh2-1.4.2-examples.patch delete mode 100644 libssh2-1.4.2-fips.patch diff --git a/libssh2-1.4.2-examples.patch b/libssh2-1.4.2-examples.patch deleted file mode 100644 index fa138c9..0000000 --- a/libssh2-1.4.2-examples.patch +++ /dev/null 
@@ -1,1019 +0,0 @@ -From b31e35aba6fa2e39f7aa91c21400722afe8d675e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 22 Oct 2012 13:29:27 +0200 -Subject: [PATCH] examples: use stderr for messages, stdout for data - -Reported by: Karel Srot -Bug: https://bugzilla.redhat.com/867462 ---- - example/direct_tcpip.c | 19 ++++++++------- - example/scp_nonblock.c | 2 +- - example/scp_write_nonblock.c | 2 +- - example/sftp.c | 49 +++++++++++++++++++++------------------- - example/sftp_RW_nonblock.c | 14 ++++++------ - example/sftp_append.c | 18 +++++++------- - example/sftp_mkdir.c | 12 +++++----- - example/sftp_mkdir_nonblock.c | 12 +++++----- - example/sftp_nonblock.c | 4 +- - example/sftp_write.c | 14 ++++++------ - example/sftp_write_nonblock.c | 16 ++++++------ - example/sftp_write_sliding.c | 16 ++++++------ - example/sftpdir.c | 12 +++++----- - example/sftpdir_nonblock.c | 8 +++--- - example/ssh2.c | 26 +++++++++++---------- - example/ssh2_agent.c | 14 ++++++------ - example/ssh2_echo.c | 2 +- - example/ssh2_exec.c | 4 +- - example/subsystem_netconf.c | 20 ++++++++-------- - example/tcpip-forward.c | 25 +++++++++++---------- - 20 files changed, 148 insertions(+), 141 deletions(-) - -diff --git a/example/direct_tcpip.c b/example/direct_tcpip.c -index 6aa9845..e530199 100644 ---- a/example/direct_tcpip.c -+++ b/example/direct_tcpip.c -@@ -135,7 +135,7 @@ int main(int argc, char *argv[]) - - /* check what authentication methods are available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, "Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "password")) - auth |= AUTH_PASSWORD; - if (strstr(userauthlist, "publickey")) -@@ -157,12 +157,12 @@ int main(int argc, char *argv[]) - } else if (auth & AUTH_PUBLICKEY) { - if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, - keyfile2, password)) { -- printf("\tAuthentication by 
public key failed!\n"); -+ fprintf(stderr, "\tAuthentication by public key failed!\n"); - goto shutdown; - } -- printf("\tAuthentication by public key succeeded.\n"); -+ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); - } else { -- printf("No supported authentication methods found!\n"); -+ fprintf(stderr, "No supported authentication methods found!\n"); - goto shutdown; - } - -@@ -185,7 +185,7 @@ int main(int argc, char *argv[]) - goto shutdown; - } - -- printf("Waiting for TCP connection on %s:%d...\n", -+ fprintf(stderr, "Waiting for TCP connection on %s:%d...\n", - inet_ntoa(sin.sin_addr), ntohs(sin.sin_port)); - - forwardsock = accept(listensock, (struct sockaddr *)&sin, &sinlen); -@@ -197,8 +197,8 @@ int main(int argc, char *argv[]) - shost = inet_ntoa(sin.sin_addr); - sport = ntohs(sin.sin_port); - -- printf("Forwarding connection from %s:%d here to remote %s:%d\n", shost, -- sport, remote_desthost, remote_destport); -+ fprintf(stderr, "Forwarding connection from %s:%d here to remote %s:%d\n", -+ shost, sport, remote_desthost, remote_destport); - - channel = libssh2_channel_direct_tcpip_ex(session, remote_desthost, - remote_destport, shost, sport); -@@ -228,7 +228,8 @@ int main(int argc, char *argv[]) - perror("read"); - goto shutdown; - } else if (0 == len) { -- printf("The client at %s:%d disconnected!\n", shost, sport); -+ fprintf(stderr, "The client at %s:%d disconnected!\n", shost, -+ sport); - goto shutdown; - } - wr = 0; -@@ -259,7 +260,7 @@ int main(int argc, char *argv[]) - wr += i; - } - if (libssh2_channel_eof(channel)) { -- printf("The server at %s:%d disconnected!\n", -+ fprintf(stderr, "The server at %s:%d disconnected!\n", - remote_desthost, remote_destport); - goto shutdown; - } -diff --git a/example/scp_nonblock.c b/example/scp_nonblock.c -index 867d851..5d636c0 100644 ---- a/example/scp_nonblock.c -+++ b/example/scp_nonblock.c -@@ -250,7 +250,7 @@ int main(int argc, char *argv[]) - gettimeofday(&end, NULL); - - time_ms = 
tvdiff(end, start); -- printf("Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, -+ fprintf(stderr, "Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, - time_ms, total/(time_ms/1000.0), spin ); - - libssh2_channel_free(channel); -diff --git a/example/scp_write_nonblock.c b/example/scp_write_nonblock.c -index 9dfbd4e..0ac0f69 100644 ---- a/example/scp_write_nonblock.c -+++ b/example/scp_write_nonblock.c -@@ -243,7 +243,7 @@ int main(int argc, char *argv[]) - - duration = (int)(time(NULL)-start); - -- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", -+ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", - total, duration, total/(double)duration); - - fprintf(stderr, "Sending EOF\n"); -diff --git a/example/sftp.c b/example/sftp.c -index e69b3c3..88ceba2 100644 ---- a/example/sftp.c -+++ b/example/sftp.c -@@ -55,24 +55,24 @@ static void kbd_callback(const char *name, int name_len, - char buf[1024]; - (void)abstract; - -- printf("Performing keyboard-interactive authentication.\n"); -+ fprintf(stderr, "Performing keyboard-interactive authentication.\n"); - -- printf("Authentication name: '"); -- fwrite(name, 1, name_len, stdout); -- printf("'\n"); -+ fprintf(stderr, "Authentication name: '"); -+ fwrite(name, 1, name_len, stderr); -+ fprintf(stderr, "'\n"); - -- printf("Authentication instruction: '"); -- fwrite(instruction, 1, instruction_len, stdout); -- printf("'\n"); -+ fprintf(stderr, "Authentication instruction: '"); -+ fwrite(instruction, 1, instruction_len, stderr); -+ fprintf(stderr, "'\n"); - -- printf("Number of prompts: %d\n\n", num_prompts); -+ fprintf(stderr, "Number of prompts: %d\n\n", num_prompts); - - for (i = 0; i < num_prompts; i++) { -- printf("Prompt %d from server: '", i); -- fwrite(prompts[i].text, 1, prompts[i].length, stdout); -- printf("'\n"); -+ fprintf(stderr, "Prompt %d from server: '", i); -+ fwrite(prompts[i].text, 1, prompts[i].length, stderr); -+ fprintf(stderr, "'\n"); - -- printf("Please type 
response: "); -+ fprintf(stderr, "Please type response: "); - fgets(buf, sizeof(buf), stdin); - n = strlen(buf); - while (n > 0 && strchr("\r\n", buf[n - 1])) -@@ -82,12 +82,13 @@ static void kbd_callback(const char *name, int name_len, - responses[i].text = strdup(buf); - responses[i].length = n; - -- printf("Response %d from user is '", i); -- fwrite(responses[i].text, 1, responses[i].length, stdout); -- printf("'\n\n"); -+ fprintf(stderr, "Response %d from user is '", i); -+ fwrite(responses[i].text, 1, responses[i].length, stderr); -+ fprintf(stderr, "'\n\n"); - } - -- printf("Done. Sending keyboard-interactive responses to server now.\n"); -+ fprintf(stderr, -+ "Done. Sending keyboard-interactive responses to server now.\n"); - } - - -@@ -127,7 +128,7 @@ int main(int argc, char *argv[]) - - rc = libssh2_init (0); - if (rc != 0) { -- fprintf (stderr, "libssh2 initialization failed (%d)\n", rc); -+ fprintf(stderr, "libssh2 initialization failed (%d)\n", rc); - return 1; - } - -@@ -178,7 +179,7 @@ int main(int argc, char *argv[]) - - /* check what authentication methods are available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, "Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "password") != NULL) { - auth_pw |= 1; - } -@@ -211,21 +212,23 @@ int main(int argc, char *argv[]) - } else if (auth_pw & 2) { - /* Or via keyboard-interactive */ - if (libssh2_userauth_keyboard_interactive(session, username, &kbd_callback) ) { -- printf("\tAuthentication by keyboard-interactive failed!\n"); -+ fprintf(stderr, -+ "\tAuthentication by keyboard-interactive failed!\n"); - goto shutdown; - } else { -- printf("\tAuthentication by keyboard-interactive succeeded.\n"); -+ fprintf(stderr, -+ "\tAuthentication by keyboard-interactive succeeded.\n"); - } - } else if (auth_pw & 4) { - /* Or by public key */ - if 
(libssh2_userauth_publickey_fromfile(session, username, keyfile1, keyfile2, password)) { -- printf("\tAuthentication by public key failed!\n"); -+ fprintf(stderr, "\tAuthentication by public key failed!\n"); - goto shutdown; - } else { -- printf("\tAuthentication by public key succeeded.\n"); -+ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); - } - } else { -- printf("No supported authentication methods found!\n"); -+ fprintf(stderr, "No supported authentication methods found!\n"); - goto shutdown; - } - -diff --git a/example/sftp_RW_nonblock.c b/example/sftp_RW_nonblock.c -index babb48a..77c2027 100644 ---- a/example/sftp_RW_nonblock.c -+++ b/example/sftp_RW_nonblock.c -@@ -141,11 +141,11 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if(argc > 1) { - username = argv[1]; -@@ -162,7 +162,7 @@ int main(int argc, char *argv[]) - - tempstorage = fopen(STORAGE, "wb"); - if(!tempstorage) { -- printf("Can't open temp storage file %s\n", STORAGE); -+ fprintf(stderr, "Can't open temp storage file %s\n", STORAGE); - goto shutdown; - } - -@@ -171,7 +171,7 @@ int main(int argc, char *argv[]) - while ((rc = libssh2_userauth_password(session, username, password)) - == LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -185,7 +185,7 @@ int main(int argc, char *argv[]) - password)) == - LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -341,7 +341,7 @@ int 
main(int argc, char *argv[]) - #endif - if (tempstorage) - fclose(tempstorage); -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_append.c b/example/sftp_append.c -index 731d21a..7585d38 100644 ---- a/example/sftp_append.c -+++ b/example/sftp_append.c -@@ -86,7 +86,7 @@ int main(int argc, char *argv[]) - - local = fopen(loclfile, "rb"); - if (!local) { -- printf("Can't local file %s\n", loclfile); -+ fprintf(stderr, "Can't open local file %s\n", loclfile); - return -1; - } - -@@ -129,16 +129,16 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -147,7 +147,7 @@ int main(int argc, char *argv[]) - "/home/username/.ssh/id_rsa.pub", - "/home/username/.ssh/id_rsa", - password)) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -174,12 +174,12 @@ int main(int argc, char *argv[]) - } - - if(libssh2_sftp_fstat_ex(sftp_handle, &attrs, 0) < 0) { -- printf("libssh2_sftp_fstat_ex failed\n"); -+ fprintf(stderr, "libssh2_sftp_fstat_ex failed\n"); - goto shutdown; - } - else - libssh2_sftp_seek64(sftp_handle, attrs.filesize); -- printf("Did a seek to position %ld\n", (long) attrs.filesize); -+ fprintf(stderr, "Did a seek to position %ld\n", (long) attrs.filesize); - - fprintf(stderr, "libssh2_sftp_open() a handle for 
APPEND\n"); - -@@ -222,7 +222,7 @@ shutdown: - #endif - if (local) - fclose(local); -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_mkdir.c b/example/sftp_mkdir.c -index 39af8f0..8747084 100644 ---- a/example/sftp_mkdir.c -+++ b/example/sftp_mkdir.c -@@ -110,16 +110,16 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -128,7 +128,7 @@ int main(int argc, char *argv[]) - "/home/username/.ssh/id_rsa.pub", - "/home/username/.ssh/id_rsa", - password)) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -164,7 +164,7 @@ int main(int argc, char *argv[]) - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_mkdir_nonblock.c b/example/sftp_mkdir_nonblock.c -index 84cdc8f..22a8f59 100644 ---- a/example/sftp_mkdir_nonblock.c -+++ b/example/sftp_mkdir_nonblock.c -@@ -110,16 +110,16 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- 
printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -128,7 +128,7 @@ int main(int argc, char *argv[]) - "/home/username/.ssh/id_rsa.pub", - "/home/username/.ssh/id_rsa", - password)) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -164,7 +164,7 @@ int main(int argc, char *argv[]) - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_nonblock.c b/example/sftp_nonblock.c -index 6ddc109..29cec8a 100644 ---- a/example/sftp_nonblock.c -+++ b/example/sftp_nonblock.c -@@ -251,7 +251,7 @@ int main(int argc, char *argv[]) - - gettimeofday(&end, NULL); - time_ms = tvdiff(end, start); -- printf("Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, -+ fprintf(stderr, "Got %d bytes in %ld ms = %.1f bytes/sec spin: %d\n", total, - time_ms, total/(time_ms/1000.0), spin ); - - libssh2_sftp_close(sftp_handle); -@@ -259,7 +259,7 @@ int main(int argc, char *argv[]) - - shutdown: - -- printf("libssh2_session_disconnect\n"); -+ fprintf(stderr, "libssh2_session_disconnect\n"); - while (libssh2_session_disconnect(session, - "Normal Shutdown, Thank you") == - LIBSSH2_ERROR_EAGAIN); -diff --git a/example/sftp_write.c b/example/sftp_write.c -index 9415ce4..483f80a 100644 ---- a/example/sftp_write.c -+++ b/example/sftp_write.c -@@ -85,7 +85,7 @@ int main(int argc, char *argv[]) - - local = fopen(loclfile, "rb"); - if (!local) { -- printf("Can't local file %s\n", loclfile); -+ fprintf(stderr, "Can't open local file %s\n", loclfile); - return -1; - } - -@@ -128,16 +128,16 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - 
fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -146,7 +146,7 @@ int main(int argc, char *argv[]) - "/home/username/.ssh/id_rsa.pub", - "/home/username/.ssh/id_rsa", - password)) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -206,7 +206,7 @@ shutdown: - #endif - if (local) - fclose(local); -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_write_nonblock.c b/example/sftp_write_nonblock.c -index 61cc5f4..0d66c40 100644 ---- a/example/sftp_write_nonblock.c -+++ b/example/sftp_write_nonblock.c -@@ -125,7 +125,7 @@ int main(int argc, char *argv[]) - - local = fopen(loclfile, "rb"); - if (!local) { -- printf("Can't local file %s\n", loclfile); -+ fprintf(stderr, "Can't open local file %s\n", loclfile); - return -1; - } - -@@ -169,18 +169,18 @@ int main(int argc, char *argv[]) - * that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - while ((rc = libssh2_userauth_password(session, username, password)) == - 
LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -191,7 +191,7 @@ int main(int argc, char *argv[]) - password)) == - LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -253,7 +253,7 @@ int main(int argc, char *argv[]) - - duration = (int)(time(NULL)-start); - -- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", -+ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", - total, duration, total/(double)duration); - - -@@ -272,7 +272,7 @@ shutdown: - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftp_write_sliding.c b/example/sftp_write_sliding.c -index 2d8301c..c2ba39d 100644 ---- a/example/sftp_write_sliding.c -+++ b/example/sftp_write_sliding.c -@@ -125,7 +125,7 @@ int main(int argc, char *argv[]) - - local = fopen(loclfile, "rb"); - if (!local) { -- printf("Can't local file %s\n", loclfile); -+ fprintf(stderr, "Can't open local file %s\n", loclfile); - return -1; - } - -@@ -169,18 +169,18 @@ int main(int argc, char *argv[]) - * that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - while ((rc = libssh2_userauth_password(session, username, password)) == - LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -191,7 +191,7 @@ int 
main(int argc, char *argv[]) - password)) == - LIBSSH2_ERROR_EAGAIN); - if (rc) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -262,7 +262,7 @@ int main(int argc, char *argv[]) - - duration = (int)(time(NULL)-start); - -- printf("%ld bytes in %d seconds makes %.1f bytes/sec\n", -+ fprintf(stderr, "%ld bytes in %d seconds makes %.1f bytes/sec\n", - total, duration, total/(double)duration); - - -@@ -281,7 +281,7 @@ shutdown: - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftpdir.c b/example/sftpdir.c -index 006fd27..cb9fb88 100644 ---- a/example/sftpdir.c -+++ b/example/sftpdir.c -@@ -130,16 +130,16 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("Authentication by password failed.\n"); -+ fprintf(stderr, "Authentication by password failed.\n"); - goto shutdown; - } - } else { -@@ -148,7 +148,7 @@ int main(int argc, char *argv[]) - "/home/username/.ssh/id_rsa.pub", - "/home/username/.ssh/id_rsa", - password)) { -- printf("\tAuthentication by public key failed\n"); -+ fprintf(stderr, "\tAuthentication by public key failed\n"); - goto shutdown; - } - } -@@ -229,7 +229,7 @@ int main(int argc, char *argv[]) - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/sftpdir_nonblock.c b/example/sftpdir_nonblock.c -index 38fb010..c8ad9f5 
100644 ---- a/example/sftpdir_nonblock.c -+++ b/example/sftpdir_nonblock.c -@@ -134,11 +134,11 @@ int main(int argc, char *argv[]) - * user, that's your call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - if (auth_pw) { - /* We could authenticate via password */ -@@ -239,7 +239,7 @@ int main(int argc, char *argv[]) - #else - close(sock); - #endif -- printf("all done\n"); -+ fprintf(stderr, "all done\n"); - - libssh2_exit(); - -diff --git a/example/ssh2.c b/example/ssh2.c -index d5e6166..008496c 100644 ---- a/example/ssh2.c -+++ b/example/ssh2.c -@@ -126,15 +126,15 @@ int main(int argc, char *argv[]) - * call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - /* check what authentication methods are available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, "Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "password") != NULL) { - auth_pw |= 1; - } -@@ -161,31 +161,33 @@ int main(int argc, char *argv[]) - if (auth_pw & 1) { - /* We could authenticate via password */ - if (libssh2_userauth_password(session, username, password)) { -- printf("\tAuthentication by password failed!\n"); -+ fprintf(stderr, "\tAuthentication by password failed!\n"); - goto shutdown; - } else { -- printf("\tAuthentication by password succeeded.\n"); -+ fprintf(stderr, "\tAuthentication by password 
succeeded.\n"); - } - } else if (auth_pw & 2) { - /* Or via keyboard-interactive */ - if (libssh2_userauth_keyboard_interactive(session, username, - &kbd_callback) ) { -- printf("\tAuthentication by keyboard-interactive failed!\n"); -+ fprintf(stderr, -+ "\tAuthentication by keyboard-interactive failed!\n"); - goto shutdown; - } else { -- printf("\tAuthentication by keyboard-interactive succeeded.\n"); -+ fprintf(stderr, -+ "\tAuthentication by keyboard-interactive succeeded.\n"); - } - } else if (auth_pw & 4) { - /* Or by public key */ - if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, - keyfile2, password)) { -- printf("\tAuthentication by public key failed!\n"); -+ fprintf(stderr, "\tAuthentication by public key failed!\n"); - goto shutdown; - } else { -- printf("\tAuthentication by public key succeeded.\n"); -+ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); - } - } else { -- printf("No supported authentication methods found!\n"); -+ fprintf(stderr, "No supported authentication methods found!\n"); - goto shutdown; - } - -@@ -250,7 +252,7 @@ int main(int argc, char *argv[]) - #else - close(sock); - #endif -- printf("all done!\n"); -+ fprintf(stderr, "all done!\n"); - - libssh2_exit(); - -diff --git a/example/ssh2_agent.c b/example/ssh2_agent.c -index 9ca1a42..231445f 100644 ---- a/example/ssh2_agent.c -+++ b/example/ssh2_agent.c -@@ -105,15 +105,15 @@ int main(int argc, char *argv[]) - * call - */ - fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); -- printf("Fingerprint: "); -+ fprintf(stderr, "Fingerprint: "); - for(i = 0; i < 20; i++) { -- printf("%02X ", (unsigned char)fingerprint[i]); -+ fprintf(stderr, "%02X ", (unsigned char)fingerprint[i]); - } -- printf("\n"); -+ fprintf(stderr, "\n"); - - /* check what authentication methods are available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, 
"Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "publickey") == NULL) { - fprintf(stderr, "\"publickey\" authentication is not supported\n"); - goto shutdown; -@@ -147,11 +147,11 @@ int main(int argc, char *argv[]) - goto shutdown; - } - if (libssh2_agent_userauth(agent, username, identity)) { -- printf("\tAuthentication with username %s and " -+ fprintf(stderr, "\tAuthentication with username %s and " - "public key %s failed!\n", - username, identity->comment); - } else { -- printf("\tAuthentication with username %s and " -+ fprintf(stderr, "\tAuthentication with username %s and " - "public key %s succeeded!\n", - username, identity->comment); - break; -@@ -234,7 +234,7 @@ int main(int argc, char *argv[]) - #endif - } - -- printf("all done!\n"); -+ fprintf(stderr, "all done!\n"); - - libssh2_exit(); - -diff --git a/example/ssh2_echo.c b/example/ssh2_echo.c -index 1fd8f3f..2430e33 100644 ---- a/example/ssh2_echo.c -+++ b/example/ssh2_echo.c -@@ -327,7 +327,7 @@ int main(int argc, char *argv[]) - } - - if (exitsignal) -- printf("\nGot signal: %s\n", exitsignal); -+ fprintf(stderr, "\nGot signal: %s\n", exitsignal); - - libssh2_channel_free(channel); - channel = NULL; -diff --git a/example/ssh2_exec.c b/example/ssh2_exec.c -index e5b151d..d47761c 100644 ---- a/example/ssh2_exec.c -+++ b/example/ssh2_exec.c -@@ -292,9 +292,9 @@ int main(int argc, char *argv[]) - } - - if (exitsignal) -- printf("\nGot signal: %s\n", exitsignal); -+ fprintf(stderr, "\nGot signal: %s\n", exitsignal); - else -- printf("\nEXIT: %d bytecount: %d\n", exitcode, bytecount); -+ fprintf(stderr, "\nEXIT: %d bytecount: %d\n", exitcode, bytecount); - - libssh2_channel_free(channel); - channel = NULL; -diff --git a/example/subsystem_netconf.c b/example/subsystem_netconf.c -index 708113b..6f83661 100644 ---- a/example/subsystem_netconf.c -+++ b/example/subsystem_netconf.c -@@ -173,7 +173,7 @@ int main(int argc, char *argv[]) - - /* check what authentication methods are 
available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, "Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "password")) - auth |= AUTH_PASSWORD; - if (strstr(userauthlist, "publickey")) -@@ -195,12 +195,12 @@ int main(int argc, char *argv[]) - } else if (auth & AUTH_PUBLICKEY) { - if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, - keyfile2, password)) { -- printf("Authentication by public key failed!\n"); -+ fprintf(stderr, "Authentication by public key failed!\n"); - goto shutdown; - } -- printf("Authentication by public key succeeded.\n"); -+ fprintf(stderr, "Authentication by public key succeeded.\n"); - } else { -- printf("No supported authentication methods found!\n"); -+ fprintf(stderr, "No supported authentication methods found!\n"); - goto shutdown; - } - -@@ -223,7 +223,7 @@ int main(int argc, char *argv[]) - - /* NETCONF: http://tools.ietf.org/html/draft-ietf-netconf-ssh-06 */ - -- printf("Sending NETCONF client \n"); -+ fprintf(stderr, "Sending NETCONF client \n"); - snprintf(buf, sizeof(buf), - "\n" - "" -@@ -235,14 +235,14 @@ int main(int argc, char *argv[]) - if (-1 == netconf_write(channel, buf, len)) - goto shutdown; - -- printf("Reading NETCONF server \n"); -+ fprintf(stderr, "Reading NETCONF server \n"); - len = netconf_read_until(channel, "", buf, sizeof(buf)); - if (-1 == len) - goto shutdown; - -- printf("Got %d bytes:\n----------------------\n%s", (int)len, buf); -+ fprintf(stderr, "Got %d bytes:\n----------------------\n%s", (int)len, buf); - -- printf("Sending NETCONF \n"); -+ fprintf(stderr, "Sending NETCONF \n"); - snprintf(buf, sizeof(buf), - "\n" - "" -@@ -252,12 +252,12 @@ int main(int argc, char *argv[]) - if (-1 == netconf_write(channel, buf, len)) - goto shutdown; - -- printf("Reading NETCONF \n"); -+ fprintf(stderr, "Reading NETCONF \n"); - len = netconf_read_until(channel, "", buf, 
sizeof(buf)); - if (-1 == len) - goto shutdown; - -- printf("Got %d bytes:\n----------------------\n%s", (int)len, buf); -+ fprintf(stderr, "Got %d bytes:\n----------------------\n%s", (int)len, buf); - - shutdown: - if (channel) -diff --git a/example/tcpip-forward.c b/example/tcpip-forward.c -index a408b69..94d3cc8 100644 ---- a/example/tcpip-forward.c -+++ b/example/tcpip-forward.c -@@ -137,7 +137,7 @@ int main(int argc, char *argv[]) - - /* check what authentication methods are available */ - userauthlist = libssh2_userauth_list(session, username, strlen(username)); -- printf("Authentication methods: %s\n", userauthlist); -+ fprintf(stderr, "Authentication methods: %s\n", userauthlist); - if (strstr(userauthlist, "password")) - auth |= AUTH_PASSWORD; - if (strstr(userauthlist, "publickey")) -@@ -159,17 +159,17 @@ int main(int argc, char *argv[]) - } else if (auth & AUTH_PUBLICKEY) { - if (libssh2_userauth_publickey_fromfile(session, username, keyfile1, - keyfile2, password)) { -- printf("\tAuthentication by public key failed!\n"); -+ fprintf(stderr, "\tAuthentication by public key failed!\n"); - goto shutdown; - } -- printf("\tAuthentication by public key succeeded.\n"); -+ fprintf(stderr, "\tAuthentication by public key succeeded.\n"); - } else { -- printf("No supported authentication methods found!\n"); -+ fprintf(stderr, "No supported authentication methods found!\n"); - goto shutdown; - } - -- printf("Asking server to listen on remote %s:%d\n", remote_listenhost, -- remote_wantport); -+ fprintf(stderr, "Asking server to listen on remote %s:%d\n", -+ remote_listenhost, remote_wantport); - - listener = libssh2_channel_forward_listen_ex(session, remote_listenhost, - remote_wantport, &remote_listenport, 1); -@@ -180,10 +180,10 @@ int main(int argc, char *argv[]) - goto shutdown; - } - -- printf("Server is listening on %s:%d\n", remote_listenhost, -+ fprintf(stderr, "Server is listening on %s:%d\n", remote_listenhost, - remote_listenport); - -- printf("Waiting 
for remote connection\n"); -+ fprintf(stderr, "Waiting for remote connection\n"); - channel = libssh2_channel_forward_accept(listener); - if (!channel) { - fprintf(stderr, "Could not accept connection!\n" -@@ -192,7 +192,8 @@ int main(int argc, char *argv[]) - goto shutdown; - } - -- printf("Accepted remote connection. Connecting to local server %s:%d\n", -+ fprintf(stderr, -+ "Accepted remote connection. Connecting to local server %s:%d\n", - local_destip, local_destport); - forwardsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); - sin.sin_family = AF_INET; -@@ -206,7 +207,7 @@ int main(int argc, char *argv[]) - goto shutdown; - } - -- printf("Forwarding connection from remote %s:%d to local %s:%d\n", -+ fprintf(stderr, "Forwarding connection from remote %s:%d to local %s:%d\n", - remote_listenhost, remote_listenport, local_destip, local_destport); - - /* Must use non-blocking IO hereafter due to the current libssh2 API */ -@@ -228,7 +229,7 @@ int main(int argc, char *argv[]) - perror("read"); - goto shutdown; - } else if (0 == len) { -- printf("The local server at %s:%d disconnected!\n", -+ fprintf(stderr, "The local server at %s:%d disconnected!\n", - local_destip, local_destport); - goto shutdown; - } -@@ -260,7 +261,7 @@ int main(int argc, char *argv[]) - wr += i; - } - if (libssh2_channel_eof(channel)) { -- printf("The remote client at %s:%d disconnected!\n", -+ fprintf(stderr, "The remote client at %s:%d disconnected!\n", - remote_listenhost, remote_listenport); - goto shutdown; - } --- -1.7.1 - diff --git a/libssh2-1.4.2-fips.patch b/libssh2-1.4.2-fips.patch deleted file mode 100644 index 38d49af..0000000 --- a/libssh2-1.4.2-fips.patch +++ /dev/null 
@@ -1,334 +0,0 @@ -From 43b730ce56f010e9d33573fcb020df49798c1ed8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 10 Sep 2012 15:32:40 +0200 -Subject: [PATCH 1/4] kex: do not ignore failure of libssh2_md5_init() - -The MD5 algorithm is disabled when running in FIPS mode. ---- - src/hostkey.c | 4 +++- - src/kex.c | 13 +++++++++---- - src/libgcrypt.h | 6 +++++- - src/libssh2_priv.h | 1 + - src/openssl.h | 3 +++ - 5 files changed, 21 insertions(+), 6 deletions(-) - -diff --git a/src/hostkey.c b/src/hostkey.c -index 53f7479..753563d 100644 ---- a/src/hostkey.c -+++ b/src/hostkey.c -@@ -429,7 +429,9 @@ libssh2_hostkey_hash(LIBSSH2_SESSION * session, int hash_type) - switch (hash_type) { - #if LIBSSH2_MD5 - case LIBSSH2_HOSTKEY_HASH_MD5: -- return (char *) session->server_hostkey_md5; -+ return (session->server_hostkey_md5_valid) -+ ? (char *) session->server_hostkey_md5 -+ : NULL; - break; - #endif /* LIBSSH2_MD5 */ - case LIBSSH2_HOSTKEY_HASH_SHA1: -diff --git a/src/kex.c b/src/kex.c -index 0a72cb7..07e717f 100644 ---- a/src/kex.c -+++ b/src/kex.c -@@ -218,10 +218,15 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session, - { - libssh2_md5_ctx fingerprint_ctx; - -- libssh2_md5_init(&fingerprint_ctx); -- libssh2_md5_update(fingerprint_ctx, session->server_hostkey, -- session->server_hostkey_len); -- libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5); -+ if (libssh2_md5_init(&fingerprint_ctx)) { -+ libssh2_md5_update(fingerprint_ctx, session->server_hostkey, -+ session->server_hostkey_len); -+ libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5); -+ session->server_hostkey_md5_valid = TRUE; -+ } -+ else { -+ session->server_hostkey_md5_valid = FALSE; -+ } - } - #ifdef LIBSSH2DEBUG - { -diff --git a/src/libgcrypt.h b/src/libgcrypt.h -index 04516e5..1f0276e 100644 ---- a/src/libgcrypt.h -+++ b/src/libgcrypt.h -@@ -68,7 +68,11 @@ - gcry_md_hash_buffer (GCRY_MD_SHA1, out, message, len) - - #define libssh2_md5_ctx gcry_md_hd_t --#define 
libssh2_md5_init(ctx) gcry_md_open (ctx, GCRY_MD_MD5, 0); -+ -+/* returns 0 in case of failure */ -+#define libssh2_md5_init(ctx) \ -+ (GPG_ERR_NO_ERROR == gcry_md_open (ctx, GCRY_MD_MD5, 0)) -+ - #define libssh2_md5_update(ctx, data, len) gcry_md_write (ctx, data, len) - #define libssh2_md5_final(ctx, out) \ - memcpy (out, gcry_md_read (ctx, 0), MD5_DIGEST_LENGTH), gcry_md_close (ctx) -diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h -index 23fbc65..196864d 100644 ---- a/src/libssh2_priv.h -+++ b/src/libssh2_priv.h -@@ -597,6 +597,7 @@ struct _LIBSSH2_SESSION - uint32_t server_hostkey_len; - #if LIBSSH2_MD5 - unsigned char server_hostkey_md5[MD5_DIGEST_LENGTH]; -+ int server_hostkey_md5_valid; - #endif /* ! LIBSSH2_MD5 */ - unsigned char server_hostkey_sha1[SHA_DIGEST_LENGTH]; - -diff --git a/src/openssl.h b/src/openssl.h -index 6d2aeed..4835ab6 100644 ---- a/src/openssl.h -+++ b/src/openssl.h -@@ -113,7 +113,10 @@ - void libssh2_sha1(const unsigned char *message, unsigned long len, unsigned char *out); - - #define libssh2_md5_ctx EVP_MD_CTX -+ -+/* returns 0 in case of failure */ - #define libssh2_md5_init(ctx) EVP_DigestInit(ctx, EVP_get_digestbyname("md5")) -+ - #define libssh2_md5_update(ctx, data, len) EVP_DigestUpdate(&(ctx), data, len) - #define libssh2_md5_final(ctx, out) EVP_DigestFinal(&(ctx), out, NULL) - void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char *out); --- -1.7.1 - - -From bfbb5a4dc75c04b3532063c03b80796dd6d69da4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 10 Sep 2012 15:59:16 +0200 -Subject: [PATCH 2/4] openssl: do not ignore failure of EVP_CipherInit() - ---- - src/openssl.c | 3 +-- - 1 files changed, 1 insertions(+), 2 deletions(-) - -diff --git a/src/openssl.c b/src/openssl.c -index 481982c..c61cb0e 100644 ---- a/src/openssl.c -+++ b/src/openssl.c -@@ -175,8 +175,7 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, - unsigned char *iv, unsigned char *secret, int encrypt) - { - 
EVP_CIPHER_CTX_init(h); -- EVP_CipherInit(h, algo(), secret, iv, encrypt); -- return 0; -+ return !EVP_CipherInit(h, algo(), secret, iv, encrypt); - } - - int --- -1.7.1 - - -From 5d567faecce45a891de2a3e10fad7b221a4f6540 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 11 Sep 2012 09:33:34 +0200 -Subject: [PATCH 3/4] crypt: use hard-wired cipher block sizes consistently - ---- - src/crypt.c | 8 +++++--- - src/crypto.h | 2 +- - src/libgcrypt.c | 8 +------- - src/libssh2_priv.h | 2 +- - src/openssl.c | 7 +------ - src/transport.c | 3 ++- - 6 files changed, 11 insertions(+), 19 deletions(-) - -diff --git a/src/crypt.c b/src/crypt.c -index 93d99c4..931ae8b 100644 ---- a/src/crypt.c -+++ b/src/crypt.c -@@ -96,11 +96,12 @@ crypt_init(LIBSSH2_SESSION * session, - - static int - crypt_encrypt(LIBSSH2_SESSION * session, unsigned char *block, -- void **abstract) -+ size_t blocksize, void **abstract) - { - struct crypt_ctx *cctx = *(struct crypt_ctx **) abstract; - (void) session; -- return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block); -+ return _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block, -+ blocksize); - } - - static int -@@ -248,7 +249,8 @@ crypt_init_arcfour128(LIBSSH2_SESSION * session, - unsigned char block[8]; - size_t discard = 1536; - for (; discard; discard -= 8) -- _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block); -+ _libssh2_cipher_crypt(&cctx->h, cctx->algo, cctx->encrypt, block, -+ method->blocksize); - } - - return rc; -diff --git a/src/crypto.h b/src/crypto.h -index 8cf34f5..5dc5931 100644 ---- a/src/crypto.h -+++ b/src/crypto.h -@@ -103,7 +103,7 @@ int _libssh2_cipher_init(_libssh2_cipher_ctx * h, - - int _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, - _libssh2_cipher_type(algo), -- int encrypt, unsigned char *block); -+ int encrypt, unsigned char *block, size_t blocksize); - - int _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session, - unsigned char **method, -diff --git a/src/libgcrypt.c 
b/src/libgcrypt.c -index 5c2787b..29770c7 100644 ---- a/src/libgcrypt.c -+++ b/src/libgcrypt.c -@@ -553,17 +553,11 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, - int - _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, - _libssh2_cipher_type(algo), -- int encrypt, unsigned char *block) -+ int encrypt, unsigned char *block, size_t blklen) - { - int cipher = _libssh2_gcry_cipher (algo); -- size_t blklen = gcry_cipher_get_algo_blklen(cipher); - int ret; - -- if (blklen == 1) { --/* Hack for arcfour. */ -- blklen = 8; -- } -- - if (encrypt) { - ret = gcry_cipher_encrypt(*ctx, block, blklen, block, blklen); - } else { -diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h -index 196864d..4ec9f73 100644 ---- a/src/libssh2_priv.h -+++ b/src/libssh2_priv.h -@@ -883,7 +883,7 @@ struct _LIBSSH2_CRYPT_METHOD - int *free_iv, unsigned char *secret, int *free_secret, - int encrypt, void **abstract); - int (*crypt) (LIBSSH2_SESSION * session, unsigned char *block, -- void **abstract); -+ size_t blocksize, void **abstract); - int (*dtor) (LIBSSH2_SESSION * session, void **abstract); - - _libssh2_cipher_type(algo); -diff --git a/src/openssl.c b/src/openssl.c -index c61cb0e..8643591 100644 ---- a/src/openssl.c -+++ b/src/openssl.c -@@ -181,18 +181,13 @@ _libssh2_cipher_init(_libssh2_cipher_ctx * h, - int - _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx, - _libssh2_cipher_type(algo), -- int encrypt, unsigned char *block) -+ int encrypt, unsigned char *block, size_t blocksize) - { -- int blocksize = ctx->cipher->block_size; - unsigned char buf[EVP_MAX_BLOCK_LENGTH]; - int ret; - (void) algo; - (void) encrypt; - -- if (blocksize == 1) { --/* Hack for arcfour. 
*/ -- blocksize = 8; -- } - ret = EVP_Cipher(ctx, buf, block, blocksize); - if (ret == 1) { - memcpy(block, buf, blocksize); -diff --git a/src/transport.c b/src/transport.c -index 15425b9..b4ec037 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -139,7 +139,7 @@ decrypt(LIBSSH2_SESSION * session, unsigned char *source, - assert((len % blocksize) == 0); - - while (len >= blocksize) { -- if (session->remote.crypt->crypt(session, source, -+ if (session->remote.crypt->crypt(session, source, blocksize, - &session->remote.crypt_abstract)) { - LIBSSH2_FREE(session, p->payload); - return LIBSSH2_ERROR_DECRYPT; -@@ -834,6 +834,7 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session, - for(i = 0; i < packet_length; i += session->local.crypt->blocksize) { - unsigned char *ptr = &p->outbuf[i]; - if (session->local.crypt->crypt(session, ptr, -+ session->local.crypt->blocksize, - &session->local.crypt_abstract)) - return LIBSSH2_ERROR_ENCRYPT; /* encryption failure */ - } --- -1.7.1 - - -From 9f6fd5af8282ef82c0ff8d89cf9ebc121bb35b59 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 11 Sep 2012 09:02:31 +0200 -Subject: [PATCH 4/4] Revert "aes: the init function fails when OpenSSL has AES support" - -This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864. - -We need to use the EVP_aes_???_ctr() functions in FIPS mode. 
---- - src/openssl.h | 6 ++++++ - 1 files changed, 6 insertions(+), 0 deletions(-) - -diff --git a/src/openssl.h b/src/openssl.h -index 4835ab6..6f21a1a 100644 ---- a/src/openssl.h -+++ b/src/openssl.h -@@ -151,9 +151,15 @@ void libssh2_md5(const unsigned char *message, unsigned long len, unsigned char - #define _libssh2_cipher_aes256 EVP_aes_256_cbc - #define _libssh2_cipher_aes192 EVP_aes_192_cbc - #define _libssh2_cipher_aes128 EVP_aes_128_cbc -+#ifdef HAVE_EVP_AES_128_CTR -+#define _libssh2_cipher_aes128ctr EVP_aes_128_ctr -+#define _libssh2_cipher_aes192ctr EVP_aes_192_ctr -+#define _libssh2_cipher_aes256ctr EVP_aes_256_ctr -+#else - #define _libssh2_cipher_aes128ctr _libssh2_EVP_aes_128_ctr - #define _libssh2_cipher_aes192ctr _libssh2_EVP_aes_192_ctr - #define _libssh2_cipher_aes256ctr _libssh2_EVP_aes_256_ctr -+#endif - #define _libssh2_cipher_blowfish EVP_bf_cbc - #define _libssh2_cipher_arcfour EVP_rc4 - #define _libssh2_cipher_cast5 EVP_cast5_cbc --- -1.7.1 - -From fe8f3deb480d1fcef0d720e6b9acabbd640fe7c3 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 1 Nov 2012 14:57:06 +0100 -Subject: [PATCH] libssh2_hostkey_hash.3: update the description of return value - -The function returns NULL also if the hash algorithm is not available. ---- - docs/libssh2_hostkey_hash.3 | 7 ++++--- - 1 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/docs/libssh2_hostkey_hash.3 b/docs/libssh2_hostkey_hash.3 -index f78831c..c2f1644 100644 ---- a/docs/libssh2_hostkey_hash.3 -+++ b/docs/libssh2_hostkey_hash.3 -@@ -18,8 +18,9 @@ Returns the computed digest of the remote system's hostkey. The length of - the returned string is hash_type specific (e.g. 16 bytes for MD5, - 20 bytes for SHA1). - .SH RETURN VALUE --Computed hostkey hash value. or NULL if the session has not yet been started --up. (The hash consists of raw binary bytes, not hex digits, so is not --directly printable.) 
-+Computed hostkey hash value, or NULL if the information is not available -+(either the session has not yet been started up, or the requested hash -+algorithm was not available). The hash consists of raw binary bytes, not hex -+digits, so it is not directly printable. - .SH SEE ALSO - .BR libssh2_session_init_ex(3) --- -1.7.1 - diff --git a/libssh2.spec b/libssh2.spec index cff63e8..7ea624f 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -8,16 +8,14 @@ %endif Name: libssh2 -Version: 1.4.2 -Release: 4%{?dist} +Version: 1.4.3 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch -Patch1: libssh2-1.4.2-fips.patch -Patch2: libssh2-1.4.2-examples.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -67,12 +65,6 @@ developing applications that use libssh2. # Make sure things are UTF-8... %patch0 -p1 -# Make sure libssh2 works in FIPS mode... -%patch1 -p1 - -# examples: use stderr for messages, stdout for data -%patch2 -p1 - # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : 
@@ -136,13 +128,29 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Nov 28 2012 Paul Howarth 1.4.3-1 +- Update to 1.4.3 + - compression: add support for zlib@openssh.com + - sftp_read: return error if a too large package arrives + - libssh2_hostkey_hash.3: update the description of return value + - Fixed MSVC NMakefile + - examples: use stderr for messages, stdout for data + - openssl: do not leak memory when handling errors + - improved handling of disabled MD5 algorithm in OpenSSL + - known_hosts: Fail when parsing unknown keys in known_hosts file + - configure: gcrypt doesn't come with pkg-config support + - session_free: wrong variable used for keeping state + - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL + - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating +- Drop upstreamed patches + * Wed Nov 07 2012 Kamil Dudka 1.4.2-4 - examples: use stderr for messages, stdout for data (upstream commit b31e35ab) -- update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb) +- Update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb) * Wed Sep 26 2012 Kamil Dudka 1.4.2-3 -- fix basic functionality of libssh2 in FIPS mode -- skip SELinux-related quirks on recent distros to prevent a test-suite failure +- Fix basic functionality of libssh2 in FIPS mode +- Skip SELinux-related quirks on recent distros to prevent a test-suite failure * Thu Jul 19 2012 Fedora Release Engineering - 1.4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild diff --git a/sources b/sources index 397badd..fab710a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -42e2b3796ac07fc1dbafc7abcc002cd3 libssh2-1.4.2.tar.gz +071004c60c5d6f90354ad1b701013a0b libssh2-1.4.3.tar.gz From 8cfe889c9eab12f00f7ef23f190d0b92fa002e8e Mon Sep 17 00:00:00 2001 
From: Dennis Gilmore
Date: Wed, 13 Feb 2013 23:17:48 -0600
Subject: [PATCH 43/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
---
 libssh2.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libssh2.spec b/libssh2.spec
index 7ea624f..b32a405 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -9,7 +9,7 @@
 Name: libssh2
 Version: 1.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A library implementing the SSH2 protocol
 Group: System Environment/Libraries
 License: BSD
@@ -128,6 +128,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Thu Feb 14 2013 Fedora Release Engineering - 1.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
 * Wed Nov 28 2012 Paul Howarth 1.4.3-1
 - Update to 1.4.3
 - compression: add support for zlib@openssh.com
From abdd90b894fcf158bc4ec3adb0a7e840b5162465 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 26 Mar 2013 13:29:19 +0100
Subject: [PATCH 44/93] avoid collisions between 32bit and 64bit builds ... running on a single build-host
---
 libssh2.spec | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libssh2.spec b/libssh2.spec
index b32a405..04b0f73 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -9,7 +9,7 @@
 Name: libssh2
 Version: 1.4.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A library implementing the SSH2 protocol
 Group: System Environment/Libraries
 License: BSD
@@ -62,6 +62,10 @@ developing applications that use libssh2.
 %prep
 %setup -q
+# replace hard wired port number in the test suite to avoid collisions
+# between 32bit and 64bit builds running on a single build-host
+sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
+
 # Make sure things are UTF-8...
 %patch0 -p1
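Review bot: The added `sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}` in `%prep` silently rewrites the port to 47 when `__isa_bits` is not defined, because `%{?__isa_bits}` then expands to nothing. That is a privileged port, so the test sshd would presumably fail to bind on an unprivileged build. Keeping the original port as the fallback avoids this and also quotes the expression: `sed -i 's/4711/47%{?__isa_bits}%{!?__isa_bits:11}/' tests/ssh2.{c,sh}`. The ports remain fixed per word size, so two builds of the same word size on one host can still collide; the comment above the `sed` line should say so.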
@@ -128,6 +132,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Tue Mar 26 2013 Kamil Dudka 1.4.3-3
+- avoid collisions between 32bit and 64bit builds running on a single build-host
+
 * Thu Feb 14 2013 Fedora Release Engineering - 1.4.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
From 976807eeb410cd88c44128a1eaf97cd89e833373 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Tue, 26 Mar 2013 14:56:04 +0000
Subject: [PATCH 45/93] Retain EL-5 compatibility
---
 libssh2.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libssh2.spec b/libssh2.spec
index 04b0f73..a24c2a0 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -7,6 +7,9 @@
 %global noarch_docs_package 0
 %endif
+# Define %%{__isa_bits} for old releases
+%{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')}
+
 Name: libssh2
 Version: 1.4.3
 Release: 3%{?dist}
@@ -62,8 +65,8 @@ developing applications that use libssh2.
 %prep
 %setup -q
-# replace hard wired port number in the test suite to avoid collisions
-# between 32bit and 64bit builds running on a single build-host
+# Replace hard wired port number in the test suite to avoid collisions
+# between 32-bit and 64-bit builds running on a single build-host
 sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
 # Make sure things are UTF-8...
From 7899b8095fadc839150320bcea157590e1c5190d Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Wed, 3 Apr 2013 12:25:16 +0100
Subject: [PATCH 46/93] Avoid polluting libssh2.pc with linker options (#947813)
---
 libssh2.spec | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libssh2.spec b/libssh2.spec
index a24c2a0..11bf195 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -12,7 +12,7 @@
 Name: libssh2
 Version: 1.4.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A library implementing the SSH2 protocol
 Group: System Environment/Libraries
 License: BSD
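Review bot: The `%global __isa_bits %(... | cpp - | grep -Ex '32|64')` fallback added near the top of the spec in PATCH 45 defines the macro as an empty string whenever the pipeline prints nothing, for example if `cpp` is not available when the spec is parsed. An empty but defined macro makes `%{?__isa_bits}` in the `%prep` `sed` line expand to nothing, so the test port becomes 47 with no error. The comment should state the dependency and the expected values, e.g. `# Define %%{__isa_bits} for old releases; needs cpp at spec-parse time and must yield 32 or 64`. `%prep` could also stop early with `[ -n "%{?__isa_bits}" ] || exit 1`.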
@@ -83,6 +83,9 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} |
 %configure --disable-static --enable-shared
 make %{?_smp_mflags}
+# Avoid polluting libssh2.pc with linker options (#947813)
+sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc
+
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot} INSTALL="install -p"
@@ -135,8 +138,12 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Wed Apr 3 2013 Paul Howarth 1.4.3-4
+- Avoid polluting libssh2.pc with linker options (#947813)
+
 * Tue Mar 26 2013 Kamil Dudka 1.4.3-3
-- avoid collisions between 32bit and 64bit builds running on a single build-host
+- Avoid collisions between 32-bit and 64-bit builds running on a single build
+ host
 * Thu Feb 14 2013 Fedora Release Engineering - 1.4.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
From e53393977dd831fe3c55ffd190c2698640b2cd3e Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Tue, 9 Apr 2013 15:57:01 +0100
Subject: [PATCH 47/93] Modernize the spec file: * Remove BuildRoot. * Remove Group. * Remove clean section. * Don't need to clean up buildroot before installing.
---
 libssh2.spec | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/libssh2.spec b/libssh2.spec
index 11bf195..ef86d61 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -12,14 +12,14 @@
 Name: libssh2
 Version: 1.4.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: A library implementing the SSH2 protocol
-Group: System Environment/Libraries
 License: BSD
 URL: http://www.libssh2.org/
+
 Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
 Patch0: libssh2-1.4.2-utf8.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+
 BuildRequires: openssl-devel
 BuildRequires: zlib-devel
 BuildRequires: /usr/bin/man
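Review bot: The `sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc` added after `make` in PATCH 46 has no `g` flag, so it removes only the first `-Wl,` option on each line of libssh2.pc. Any further linker option on the same line stays in the installed file. `sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||g' libssh2.pc` strips them all. The pattern also requires whitespace before `-Wl,`, which is probably fine here but is worth a word in the comment above it.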
@@ -42,7 +42,6 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). %package devel Summary: Development files for libssh2 -Group: Development/Libraries Requires: %{name} = %{version}-%{release} Requires: pkgconfig @@ -52,7 +51,6 @@ developing applications that use libssh2. %package docs Summary: Documentation for libssh2 -Group: Development/Libraries Requires: %{name} = %{version}-%{release} %if %{noarch_docs_package} BuildArch: noarch @@ -87,7 +85,6 @@ make %{?_smp_mflags} sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install -rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" find %{buildroot} -name '*.la' -exec rm -f {} \; @@ -113,9 +110,6 @@ echo "exit 0" > tests/ssh2.sh %endif make -C tests check -%clean -rm -rf %{buildroot} - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -138,6 +132,13 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Apr 9 2013 Richard W.M. Jones 1.4.3-5 +- Modernize the spec file: + * Remove BuildRoot. + * Remove Group. + * Remove clean section. + * Don't need to clean up buildroot before installing. + * Wed Apr 3 2013 Paul Howarth 1.4.3-4 - Avoid polluting libssh2.pc with linker options (#947813) From fe8b55ff64258c7dea0d9e180096b4e26e51c1a1 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 9 Apr 2013 16:01:23 +0100 Subject: [PATCH 48/93] Add three patches from upstream git required for qemu ssh block driver. --- ...k-Don-t-flush-buffers-on-same-offset.patch | 54 +++++ ...ng-error-path-reset-the-correct-stat.patch | 26 ++ ...-support-for-fsync-OpenSSH-extension.patch | 223 ++++++++++++++++++ libssh2.spec | 9 + 4 files changed, 312 insertions(+) create mode 100644 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch create mode 100644 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch create mode 100644 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch 
diff --git a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch b/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
new file mode 100644
index 0000000..9acbd6d
--- /dev/null
+++ b/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
@@ -0,0 +1,54 @@
+From 486bb376218a37fe15318d7724d6eada36b81e6c Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Tue, 26 Mar 2013 17:58:04 +0100
+Subject: [PATCH 1/3] sftp: seek: Don't flush buffers on same offset
+
+Signed-off-by: Richard W.M. Jones
+---
+ src/sftp.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index d0536dd..3760025 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -2132,21 +2132,24 @@ libssh2_sftp_fstat_ex(LIBSSH2_SFTP_HANDLE *hnd,
+ LIBSSH2_API void
+ libssh2_sftp_seek64(LIBSSH2_SFTP_HANDLE *handle, libssh2_uint64_t offset)
+ {
+- if(handle) {
+- handle->u.file.offset = handle->u.file.offset_sent = offset;
+- /* discard all pending requests and currently read data */
+- sftp_packetlist_flush(handle);
++ if(!handle)
++ return;
++ if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset)
++ return;
+
+- /* free the left received buffered data */
+- if (handle->u.file.data_left) {
+- LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data);
+- handle->u.file.data_left = handle->u.file.data_len = 0;
+- handle->u.file.data = NULL;
+- }
++ handle->u.file.offset = handle->u.file.offset_sent = offset;
++ /* discard all pending requests and currently read data */
++ sftp_packetlist_flush(handle);
+
+- /* reset EOF to False */
+- handle->u.file.eof = FALSE;
++ /* free the left received buffered data */
++ if (handle->u.file.data_left) {
++ LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data);
++ handle->u.file.data_left = handle->u.file.data_len = 0;
++ handle->u.file.data = NULL;
+ }
++
++ /* reset EOF to False */
++ handle->u.file.eof = FALSE;
+ }
+
+ /* libssh2_sftp_seek
+--
+1.8.1.4
+
diff --git a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch b/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
new file mode 100644
index 0000000..83ca15e
--- /dev/null
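Review bot: The new early return in `libssh2_sftp_seek64` also skips `handle->u.file.eof = FALSE`, so a seek to the current offset no longer clears a previously set EOF flag, where the old code always cleared it. If a caller relies on seek-then-read to pick up data appended to the remote file after hitting EOF, the read could keep reporting end of file; the read path is not visible in this hunk, so this needs checking against it. Either clear the flag on that path, `if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset) { handle->u.file.eof = FALSE; return; }`, or state the behaviour with `/* same offset: keep buffered data and pending requests; EOF state is left untouched */`.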
+++ b/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
@@ -0,0 +1,26 @@
+From a12f3ffab579b514eeb7fdfaca0ade271961cdb4 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Mon, 8 Apr 2013 17:30:10 +0100
+Subject: [PATCH 2/3] sftp: statvfs: Along error path, reset the correct
+ 'state' variable.
+
+---
+ src/sftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index 3760025..65fa77a 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -2752,7 +2752,7 @@ static int sftp_statvfs(LIBSSH2_SFTP *sftp, const char *path,
+ "Error waiting for FXP EXTENDED REPLY");
+ } else if (data_len < 93) {
+ LIBSSH2_FREE(session, data);
+- sftp->fstatvfs_state = libssh2_NB_state_idle;
++ sftp->statvfs_state = libssh2_NB_state_idle;
+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+ "SFTP Protocol Error: short response");
+ }
+--
+1.8.1.4
+
diff --git a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch b/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
new file mode 100644
index 0000000..cc1cbb4
--- /dev/null
+++ b/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
@@ -0,0 +1,223 @@ +From 6e0d757f24a45252c4cae9ea09732eda2562c767 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 9 Apr 2013 11:42:09 +0200 +Subject: [PATCH 3/3] sftp: Add support for fsync (OpenSSH extension). + +The new libssh2_sftp_fsync API causes data and metadata in the +currently open file to be committed to disk at the server. + +This is an OpenSSH extension to the SFTP protocol. See: + +https://bugzilla.mindrot.org/show_bug.cgi?id=1798 +--- + docs/Makefile.am | 1 + + docs/libssh2_sftp_fsync.3 | 39 +++++++++++++++++++ + include/libssh2_sftp.h | 1 + + src/sftp.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++ + src/sftp.h | 5 +++ + 5 files changed, 143 insertions(+) + create mode 100644 docs/libssh2_sftp_fsync.3 + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index e4cf487..e6ab394 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -120,6 +120,7 @@ dist_man_MANS = \ + libssh2_sftp_fstat.3 \ + libssh2_sftp_fstat_ex.3 \ + libssh2_sftp_fstatvfs.3 \ ++ libssh2_sftp_fsync.3 \ + libssh2_sftp_get_channel.3 \ + libssh2_sftp_init.3 \ + libssh2_sftp_last_error.3 \ +diff --git a/docs/libssh2_sftp_fsync.3 b/docs/libssh2_sftp_fsync.3 +new file mode 100644 +index 0000000..646760a +--- /dev/null ++++ b/docs/libssh2_sftp_fsync.3 +@@ -0,0 +1,39 @@ ++.TH libssh2_sftp_fsync 3 "8 Apr 2013" "libssh2 1.4.4" "libssh2 manual" ++.SH NAME ++libssh2_sftp_fsync - synchronize file to disk ++.SH SYNOPSIS ++.nf ++#include ++#include ++ ++int ++libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) ++.fi ++.SH DESCRIPTION ++This function causes the remote server to synchronize the file ++data and metadata to disk (like fsync(2)). ++ ++For this to work requires fsync@openssh.com support on the server. ++ ++\fIhandle\fP - SFTP File Handle as returned by ++.BR libssh2_sftp_open_ex(3) ++ ++.SH RETURN VALUE ++Returns 0 on success or negative on failure. If used in non-blocking mode, it ++returns LIBSSH2_ERROR_EAGAIN when it would otherwise block. 
While ++LIBSSH2_ERROR_EAGAIN is a negative number, it isn't really a failure per se. ++.SH ERRORS ++\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed. ++ ++\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket. ++ ++\fILIBSSH2_ERROR_SFTP_PROTOCOL\fP - An invalid SFTP protocol response ++was received on the socket, or an SFTP operation caused an errorcode ++to be returned by the server. In particular, this can be returned if ++the SSH server does not support the fsync operation: the SFTP subcode ++\fILIBSSH2_FX_OP_UNSUPPORTED\fP will be returned in this case. ++ ++.SH AVAILABILITY ++Added in libssh2 1.4.4 and OpenSSH 6.3. ++.SH SEE ALSO ++.BR fsync(2) +diff --git a/include/libssh2_sftp.h b/include/libssh2_sftp.h +index 74884fb..677faf2 100644 +--- a/include/libssh2_sftp.h ++++ b/include/libssh2_sftp.h +@@ -247,6 +247,7 @@ LIBSSH2_API int libssh2_sftp_readdir_ex(LIBSSH2_SFTP_HANDLE *handle, \ + + LIBSSH2_API ssize_t libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *handle, + const char *buffer, size_t count); ++LIBSSH2_API int libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle); + + LIBSSH2_API int libssh2_sftp_close_handle(LIBSSH2_SFTP_HANDLE *handle); + #define libssh2_sftp_close(handle) libssh2_sftp_close_handle(handle) +diff --git a/src/sftp.c b/src/sftp.c +index 65fa77a..01017fd 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -986,6 +986,10 @@ sftp_shutdown(LIBSSH2_SFTP *sftp) + LIBSSH2_FREE(session, sftp->symlink_packet); + sftp->symlink_packet = NULL; + } ++ if (sftp->fsync_packet) { ++ LIBSSH2_FREE(session, sftp->fsync_packet); ++ sftp->fsync_packet = NULL; ++ } + + sftp_packet_flush(sftp); + +@@ -2014,6 +2018,99 @@ libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *hnd, const char *buffer, + + } + ++static int sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) ++{ ++ LIBSSH2_SFTP *sftp = handle->sftp; ++ LIBSSH2_CHANNEL *channel = sftp->channel; ++ LIBSSH2_SESSION *session = channel->session; ++ /* 34 = packet_len(4) + packet_type(1) + request_id(4) + ++ 
string_len(4) + strlen("fsync@openssh.com")(17) + handle_len(4) */ ++ uint32_t packet_len = handle->handle_len + 34; ++ size_t data_len; ++ unsigned char *packet, *s, *data; ++ ssize_t rc; ++ uint32_t retcode; ++ ++ if (sftp->fsync_state == libssh2_NB_state_idle) { ++ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, ++ "Issuing fsync command"); ++ s = packet = LIBSSH2_ALLOC(session, packet_len); ++ if (!packet) { ++ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate memory for FXP_EXTENDED " ++ "packet"); ++ } ++ ++ _libssh2_store_u32(&s, packet_len - 4); ++ *(s++) = SSH_FXP_EXTENDED; ++ sftp->fsync_request_id = sftp->request_id++; ++ _libssh2_store_u32(&s, sftp->fsync_request_id); ++ _libssh2_store_str(&s, "fsync@openssh.com", 17); ++ _libssh2_store_str(&s, handle->handle, handle->handle_len); ++ ++ sftp->fsync_state = libssh2_NB_state_created; ++ } else { ++ packet = sftp->fsync_packet; ++ } ++ ++ if (sftp->fsync_state == libssh2_NB_state_created) { ++ rc = _libssh2_channel_write(channel, 0, packet, packet_len); ++ if (rc == LIBSSH2_ERROR_EAGAIN || ++ (0 <= rc && rc < (ssize_t)packet_len)) { ++ sftp->fsync_packet = packet; ++ return LIBSSH2_ERROR_EAGAIN; ++ } ++ ++ LIBSSH2_FREE(session, packet); ++ sftp->fsync_packet = NULL; ++ ++ if (rc < 0) { ++ sftp->fsync_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, ++ "_libssh2_channel_write() failed"); ++ } ++ sftp->fsync_state = libssh2_NB_state_sent; ++ } ++ ++ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, ++ sftp->fsync_request_id, &data, &data_len); ++ if (rc == LIBSSH2_ERROR_EAGAIN) { ++ return rc; ++ } else if (rc) { ++ sftp->fsync_state = libssh2_NB_state_idle; ++ return _libssh2_error(session, rc, ++ "Error waiting for FXP EXTENDED REPLY"); ++ } ++ ++ sftp->fsync_state = libssh2_NB_state_idle; ++ ++ retcode = _libssh2_ntohu32(data + 5); ++ LIBSSH2_FREE(session, data); ++ ++ if (retcode != LIBSSH2_FX_OK) { ++ sftp->last_errno = retcode; ++ return 
_libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, ++ "fsync failed"); ++ } ++ ++ return 0; ++} ++ ++/* libssh2_sftp_fsync ++ * Commit data on the handle to disk. ++ */ ++LIBSSH2_API int ++libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *hnd) ++{ ++ int rc; ++ if(!hnd) ++ return LIBSSH2_ERROR_BAD_USE; ++ BLOCK_ADJUST(rc, hnd->sftp->channel->session, ++ sftp_fsync(hnd)); ++ return rc; ++} ++ ++ + /* + * sftp_fstat + * +diff --git a/src/sftp.h b/src/sftp.h +index 55bdb46..63e8139 100644 +--- a/src/sftp.h ++++ b/src/sftp.h +@@ -175,6 +175,11 @@ struct _LIBSSH2_SFTP + /* State variable used in sftp_write() */ + libssh2_nonblocking_states write_state; + ++ /* State variables used in sftp_fsync() */ ++ libssh2_nonblocking_states fsync_state; ++ unsigned char *fsync_packet; ++ uint32_t fsync_request_id; ++ + /* State variables used in libssh2_sftp_readdir() */ + libssh2_nonblocking_states readdir_state; + unsigned char *readdir_packet; +-- +1.8.1.4 + diff --git a/libssh2.spec b/libssh2.spec index ef86d61..8c936f9 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -19,6 +19,9 @@ URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch +Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch +Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch +Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -70,6 +73,11 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # Make sure things are UTF-8... %patch0 -p1 +# Three upstream patches required for qemu ssh block driver. +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : 
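Review bot: `sftp_fsync` reads the status code with `_libssh2_ntohu32(data + 5)` without looking at `data_len`, so a reply shorter than 9 bytes makes the client read past the end of the buffer, unless `sftp_packet_require` guarantees a minimum length, which is not visible here. The reply comes from the remote server and should be treated as untrusted; `sftp_statvfs` in the second patch of this series already rejects short responses with `data_len < 93`. Before the `_libssh2_ntohu32` call I would add `if (data_len < 9) { LIBSSH2_FREE(session, data); return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "SFTP Protocol Error: short response"); }`. `fsync_state` has already been reset to idle at that point, so no further cleanup is needed.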
@@ -133,6 +141,7 @@ make -C tests check %changelog * Tue Apr 9 2013 Richard W.M. Jones 1.4.3-5 +- Add three patches from upstream git required for qemu ssh block driver. - Modernize the spec file: * Remove BuildRoot. * Remove Group. From 10b73a08d728c74fe7ac4b99bef00fd1ab4f80ec Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Tue, 9 Apr 2013 16:47:40 +0100 Subject: [PATCH 49/93] Revert 'Modernize the spec file' so as to retain EL-5 spec compatibility --- libssh2.spec | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 8c936f9..c98e659 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,17 +12,17 @@ Name: libssh2 Version: 1.4.3 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A library implementing the SSH2 protocol +Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ - Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch - +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel BuildRequires: /usr/bin/man @@ -45,6 +45,7 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). %package devel Summary: Development files for libssh2 +Group: Development/Libraries Requires: %{name} = %{version}-%{release} Requires: pkgconfig @@ -54,6 +55,7 @@ developing applications that use libssh2. %package docs Summary: Documentation for libssh2 +Group: Development/Libraries Requires: %{name} = %{version}-%{release} %if %{noarch_docs_package} BuildArch: noarch @@ -93,6 +95,7 @@ make %{?_smp_mflags} sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install +rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" find %{buildroot} -name '*.la' -exec rm -f {} \; 
@@ -118,6 +121,9 @@ echo "exit 0" > tests/ssh2.sh %endif make -C tests check +%clean +rm -rf %{buildroot} + %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -140,6 +146,9 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Apr 9 2013 Paul Howarth 1.4.3-6 +- Revert 'Modernize the spec file' so as to retain EL-5 spec compatibility + * Tue Apr 9 2013 Richard W.M. Jones 1.4.3-5 - Add three patches from upstream git required for qemu ssh block driver. - Modernize the spec file: From bddd40fef52eee9692af3732d5456e41e2b15c30 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Sat, 3 Aug 2013 02:06:55 -0500 Subject: [PATCH 50/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index c98e659..63ce2a0 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -146,6 +146,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sat Aug 03 2013 Fedora Release Engineering - 1.4.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + * Tue Apr 9 2013 Paul Howarth 1.4.3-6 - Revert 'Modernize the spec file' so as to retain EL-5 spec compatibility From 68034f3fb240e170ed1c9565b369fc017178777c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 14 Aug 2013 17:49:59 +0200 Subject: [PATCH 51/93] fix very slow sftp upload to localhost --- ...-window_size-explicit-adjustments-on.patch | 69 +++++++++++++++++++ libssh2-1.4.2-utf8.patch | 2 +- libssh2.spec | 9 ++- 3 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 0004-partially-revert-window_size-explicit-adjustments-on.patch 
diff --git a/0004-partially-revert-window_size-explicit-adjustments-on.patch b/0004-partially-revert-window_size-explicit-adjustments-on.patch
new file mode 100644
index 0000000..fe7751a
--- /dev/null
+++ b/0004-partially-revert-window_size-explicit-adjustments-on.patch
@@ -0,0 +1,69 @@ +From 9e56b84c41efcaf3349f82a93c3dc854e172e5c4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 9 Aug 2013 16:22:08 +0200 +Subject: [PATCH 4/5] partially revert "window_size: explicit adjustments only" + +This partially reverts commit 03ca9020756a4e16f0294e5b35e9826ee6af2364 +in order to fix extreme slowdown when uploading to localhost via SFTP. + +I was able to repeat the issue on RHEL-7 on localhost only. It did not +occur when uploading via network and it did not occur on a RHEL-6 box +with the same version of libssh2. + +The problem was that sftp_read() used a read-ahead logic to figure out +the window_size, but sftp_packet_read() called indirectly from +sftp_write() did not use any read-ahead logic. +--- + src/channel.c | 29 +++++++++++++++++++++++++++++ + 1 files changed, 29 insertions(+), 0 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 4f41e1f..d4ffdce 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -1759,6 +1759,15 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + channel->read_state = libssh2_NB_state_created; + } + ++ /* ++ * =============================== NOTE =============================== ++ * I know this is very ugly and not a really good use of "goto", but ++ * this case statement would be even uglier to do it any other way ++ */ ++ if (channel->read_state == libssh2_NB_state_jump1) { ++ goto channel_read_window_adjust; ++ } ++ + rc = 1; /* set to >0 to let the while loop start */ + + /* Process all pending incoming packets in all states in order to "even +@@ -1867,6 +1876,26 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + more off the network again */ + channel->read_state = libssh2_NB_state_created; + ++ if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { ++ /* the window is getting too narrow, expand it! 
*/ ++ ++ channel_read_window_adjust: ++ channel->read_state = libssh2_NB_state_jump1; ++ /* the actual window adjusting may not finish so we need to deal with ++ this special state here */ ++ rc = _libssh2_channel_receive_window_adjust(channel, ++ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); ++ if (rc) ++ return rc; ++ ++ _libssh2_debug(session, LIBSSH2_TRACE_CONN, ++ "channel_read() filled %d adjusted %d", ++ bytes_read, buflen); ++ /* continue in 'created' state to drain the already read packages ++ first before starting to empty the socket further */ ++ channel->read_state = libssh2_NB_state_created; ++ } ++ + return bytes_read; + } + +-- +1.7.1 + diff --git a/libssh2-1.4.2-utf8.patch b/libssh2-1.4.2-utf8.patch index aa1e854..9177691 100644 --- a/libssh2-1.4.2-utf8.patch +++ b/libssh2-1.4.2-utf8.patch @@ -3,7 +3,7 @@ --- libssh2/NEWS +++ libssh2/NEWS -@@ -3284,7 +3284,7 @@ Simon Josefsson (16 Nov 2009) +@@ -3552,7 +3552,7 @@ Simon Josefsson (16 Nov 2009) - support arcfour128 cipher per RFC 4345 Daniel Stenberg (21 Oct 2009) diff --git a/libssh2.spec b/libssh2.spec index 63ce2a0..c485e67 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -22,6 +22,7 @@ Patch0: libssh2-1.4.2-utf8.patch Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch +Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel 
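Review bot: In the re-added window-adjust block of `_libssh2_channel_read`, `if (rc) return rc;` returns the result of `_libssh2_channel_receive_window_adjust` instead of `bytes_read`. When the adjust reports LIBSSH2_ERROR_EAGAIN or an error, the caller is therefore not told about data this call may already have copied into its buffer. The copy loop lies outside the hunk, so whether those bytes have left the packet queue by then needs checking; if they have, this drops data on the non-blocking path. At minimum I would add `/* NOTE: bytes_read already copied to buf are not reported when the adjust returns EAGAIN or an error */`, and preferably perform the window adjustment before any packet data is consumed so that an early return loses nothing.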
@@ -80,6 +81,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} %patch2 -p1 %patch3 -p1 +# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 +%patch4 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -146,6 +150,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Aug 14 2013 Kamil Dudka 1.4.3-8 +- fix very slow sftp upload to localhost + * Sat Aug 03 2013 Fedora Release Engineering - 1.4.3-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild From 343e650ca6130c7b16f0a41e00f476fe3ce82716 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 14 Aug 2013 17:54:06 +0200 Subject: [PATCH 52/93] fix a use after free in channel.c --- 0005-channel.c-fix-a-use-after-free.patch | 26 +++++++++++++++++++++++ libssh2.spec | 5 +++++ 2 files changed, 31 insertions(+) create mode 100644 0005-channel.c-fix-a-use-after-free.patch diff --git a/0005-channel.c-fix-a-use-after-free.patch b/0005-channel.c-fix-a-use-after-free.patch new file mode 100644 index 0000000..8fa0a05 --- /dev/null +++ b/0005-channel.c-fix-a-use-after-free.patch @@ -0,0 +1,26 @@ +From 96e1078fced70e39e4163857ad8345ae9d24573f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 14 Aug 2013 17:37:00 +0200 +Subject: [PATCH 5/5] channel.c: fix a use after free + +Bug: https://trac.libssh2.org/ticket/268 +--- + src/channel.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index d4ffdce..9f2c241 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -670,8 +670,6 @@ int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER *listener) + + LIBSSH2_FREE(session, listener); + +- listener->chanFwdCncl_state = libssh2_NB_state_idle; +- + return 0; + } + +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index c485e67..9536806 100644 --- a/libssh2.spec 
+++ b/libssh2.spec @@ -23,6 +23,7 @@ Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch +Patch5: 0005-channel.c-fix-a-use-after-free.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -84,6 +85,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 %patch4 -p1 +# https://trac.libssh2.org/ticket/268 +%patch5 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -152,6 +156,7 @@ rm -rf %{buildroot} %changelog * Wed Aug 14 2013 Kamil Dudka 1.4.3-8 - fix very slow sftp upload to localhost +- fix a use after free in channel.c * Sat Aug 03 2013 Fedora Release Engineering - 1.4.3-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild From 0816533a631586044ad3f572967f648a69285365 Mon Sep 17 00:00:00 2001 From: Karsten Hopp Date: Mon, 17 Feb 2014 14:26:40 +0100 Subject: [PATCH 53/93] skip self checks on ppc* --- libssh2.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 9536806..37d6ebc 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -122,8 +122,8 @@ if [ ! -c /dev/tty ]; then echo Skipping SSH test due to missing /dev/tty echo "exit 0" > tests/ssh2.sh fi -# Apparently it fails in the sparc and arm buildsystems too -%ifarch %{sparc} %{arm} +# Apparently it fails in the sparc, ppc* and arm buildsystems too +%ifarch %{sparc} %{arm} ppc %{power64} echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif @@ -154,6 +154,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon Feb 17 2014 Karsten Hopp 1.4.3-9 +- skip self checks on ppc* + * Wed Aug 14 2013 Kamil Dudka 1.4.3-8 - fix very slow sftp upload to localhost - fix a use after free in channel.c From fc169ae47c744f8b53796b99272a0edebb358855 Mon Sep 17 00:00:00 2001 From: Karsten Hopp Date: Mon, 17 Feb 2014 15:39:41 +0100 Subject: [PATCH 54/93] next attempt to work around a self check problem on PPC* --- libssh2.spec | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 37d6ebc..4bc611c 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 9%{?dist} +Release: 10%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -122,11 +122,16 @@ if [ ! -c /dev/tty ]; then echo Skipping SSH test due to missing /dev/tty echo "exit 0" > tests/ssh2.sh fi -# Apparently it fails in the sparc, ppc* and arm buildsystems too -%ifarch %{sparc} %{arm} ppc %{power64} +# Apparently it fails in the sparc and arm buildsystems too +%ifarch %{sparc} %{arm} echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif +# mansyntax check fails on PPC* with some strange locale error +%ifarch ppc %{power64} +echo "Skipping mansyntax test on PPC*" +echo "exit 0" > tests/mansyntax.sh +%endif make -C tests check %clean 
@@ -154,6 +159,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon Feb 17 2014 Karsten Hopp 1.4.3-10 +- next attempt to work around a self check problem on PPC* + * Mon Feb 17 2014 Karsten Hopp 1.4.3-9 - skip self checks on ppc* From 0908d2fabdc1f829e16fca1dde6670382c5998b2 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Mon, 17 Feb 2014 16:19:16 +0000 Subject: [PATCH 55/93] The aarch64 buildroot seems to have the same locale issue as the PPC one --- libssh2.spec | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 4bc611c..a0eec8b 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 10%{?dist} +Release: 11%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -116,6 +116,7 @@ find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; mv -v example example.%{_arch} %check +echo "Running tests for %{_arch}" # The SSH test will fail if we don't have /dev/tty, as is the case in some # versions of mock (#672713) if [ ! -c /dev/tty ]; then @@ -127,9 +128,9 @@ fi echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif -# mansyntax check fails on PPC* with some strange locale error -%ifarch ppc %{power64} -echo "Skipping mansyntax test on PPC*" +# mansyntax check fails on PPC* and aarch64 with some strange locale error +%ifarch ppc %{power64} aarch64 +echo "Skipping mansyntax test on PPC* and aarch64" echo "exit 0" > tests/mansyntax.sh %endif make -C tests check 
@@ -159,15 +160,18 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon Feb 17 2014 Paul Howarth - 1.4.3-11 +- The aarch64 buildroot seems to have the same locale issue as the PPC one + * Mon Feb 17 2014 Karsten Hopp 1.4.3-10 -- next attempt to work around a self check problem on PPC* +- Next attempt to work around a self check problem on PPC* * Mon Feb 17 2014 Karsten Hopp 1.4.3-9 -- skip self checks on ppc* +- Skip self checks on ppc* * Wed Aug 14 2013 Kamil Dudka 1.4.3-8 -- fix very slow sftp upload to localhost -- fix a use after free in channel.c +- Fix very slow sftp upload to localhost +- Fix a use after free in channel.c * Sat Aug 03 2013 Fedora Release Engineering - 1.4.3-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild @@ -176,12 +180,12 @@ rm -rf %{buildroot} - Revert 'Modernize the spec file' so as to retain EL-5 spec compatibility * Tue Apr 9 2013 Richard W.M. Jones 1.4.3-5 -- Add three patches from upstream git required for qemu ssh block driver. +- Add three patches from upstream git required for qemu ssh block driver - Modernize the spec file: - * Remove BuildRoot. - * Remove Group. - * Remove clean section. - * Don't need to clean up buildroot before installing. + * Remove BuildRoot + * Remove Group + * Remove clean section + * Don't need to clean up buildroot before installing * Wed Apr 3 2013 Paul Howarth 1.4.3-4 - Avoid polluting libssh2.pc with linker options (#947813) From 5881ed46862f398276183bc7999ac1c69b159696 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Fri, 28 Mar 2014 11:56:56 +0100 Subject: [PATCH 56/93] Fix curl's excessive memory consumption during scp download --- ..._write-client-spins-on-write-when-wi.patch | 45 ++++++ ...d-window-handling-for-flow-control-r.patch | 146 ++++++++++++++++++ ..._read-fix-data-drop-when-out-of-wind.patch | 140 +++++++++++++++++ ...nnel_read-Honour-window_size_initial.patch | 62 ++++++++ 0010-Set-default-window-size-to-2MB.patch | 85 ++++++++++ ...window_adjust-store-windows-size-alw.patch | 66 ++++++++ libssh2.spec | 19 ++- 7 files changed, 562 insertions(+), 1 deletion(-) create mode 100644 0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch create mode 100644 0007-window_size-redid-window-handling-for-flow-control-r.patch create mode 100644 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch create mode 100644 0009-_libssh2_channel_read-Honour-window_size_initial.patch create mode 100644 0010-Set-default-window-size-to-2MB.patch create mode 100644 0011-channel_receive_window_adjust-store-windows-size-alw.patch diff --git a/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch b/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch new file mode 100644 index 0000000..4389e5e --- /dev/null +++ b/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch 
@@ -0,0 +1,45 @@
+From d0a263ef805244245afd9b709bdd3dc733113a6c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 7 Sep 2013 13:41:14 +0200
+Subject: [PATCH 06/11] _libssh2_channel_write: client spins on write when window full
+
+When there's no window to "write to", there's no point in waiting for
+the socket to become writable since it most likely just will continue to
+be.
+
+Patch-by: ncm
+Fixes #258
+
+[upstream commit e6c46cc249227de7b7cd136d72eded5dcb3f9381]
+
+Signed-off-by: Kamil Dudka
+---
+ src/channel.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/src/channel.c b/src/channel.c
+index 9f2c241..74262d8 100644
+--- a/src/channel.c
++++ b/src/channel.c
+@@ -2039,9 +2039,17 @@ _libssh2_channel_write(LIBSSH2_CHANNEL *channel, int stream_id,
+ if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN))
+ return rc;
+
+- if(channel->local.window_size <= 0)
++ if(channel->local.window_size <= 0) {
+ /* there's no room for data so we stop */
++
++ /* Waiting on the socket to be writable would be wrong because we
++ * would be back here immediately, but a readable socket might
++ * herald an incoming window adjustment.
++ */
++ session->socket_block_directions = LIBSSH2_SESSION_BLOCK_INBOUND;
++
+ return (rc==LIBSSH2_ERROR_EAGAIN?rc:0);
++ }
+
+ channel->write_bufwrite = buflen;
+
+--
+1.7.1
+
diff --git a/0007-window_size-redid-window-handling-for-flow-control-r.patch b/0007-window_size-redid-window-handling-for-flow-control-r.patch
new file mode 100644
index 0000000..64b7607
--- /dev/null
+++ b/0007-window_size-redid-window-handling-for-flow-control-r.patch
@@ -0,0 +1,146 @@ +From 8af6637d86b6a85e8889c286f7ff3d841fc5621c Mon Sep 17 00:00:00 2001 +From: Salvador Fandino +Date: Sat, 12 Oct 2013 02:51:46 +0200 +Subject: [PATCH 07/11] window_size: redid window handling for flow control reasons + +Until now, the window size (channel->remote.window_size) was being +updated just after receiving the packet from the transport layer. + +That behaviour is wrong because the channel queue may grow uncontrolled +when data arrives from the network faster that the upper layer consumes +it. + +This patch adds a new counter, read_avail, which keeps a count of the +bytes available from the packet queue for reading. Also, now the window +size is adjusted when the data is actually read by an upper layer. + +That way, if the upper layer stops reading data, the window will +eventually fill and the remote host will stop sending data. When the +upper layers reads enough data, a window adjust packet is delivered and +the transfer resumes. + +The read_avail counter is used to detect the situation when the remote +server tries to send data surpassing the window size. In that case, the +extra data is discarded. 
+ +Signed-off-by: Salvador + +[upstream commit cdeef54967ed5b7d5bd8fa6da5851aa3d173faa0] +Signed-off-by: Kamil Dudka +--- + src/channel.c | 8 +++++++- + src/libssh2_priv.h | 2 ++ + src/packet.c | 35 ++++++++++++++++++++++++++++------- + 3 files changed, 37 insertions(+), 8 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 74262d8..499d815 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -1411,6 +1411,9 @@ _libssh2_channel_flush(LIBSSH2_CHANNEL *channel, int streamid) + channel->flush_state = libssh2_NB_state_created; + } + ++ channel->read_avail -= channel->flush_flush_bytes; ++ channel->remote.window_size -= channel->flush_flush_bytes; ++ + if (channel->flush_refund_bytes) { + int rc; + +@@ -1868,11 +1871,14 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + /* if the transport layer said EAGAIN then we say so as well */ + return _libssh2_error(session, rc, "would block"); + } +- else ++ else { ++ channel->read_avail -= bytes_read; ++ channel->remote.window_size -= bytes_read; + /* make sure we remain in the created state to focus on emptying the + data we already have in the packet brigade before we try to read + more off the network again */ + channel->read_state = libssh2_NB_state_created; ++ } + + if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { + /* the window is getting too narrow, expand it! 
*/ +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index 4ec9f73..fcf4370 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -357,6 +357,8 @@ struct _LIBSSH2_CHANNEL + libssh2_channel_data local, remote; + /* Amount of bytes to be refunded to receive window (but not yet sent) */ + uint32_t adjust_queue; ++ /* Data immediately available for reading */ ++ uint32_t read_avail; + + LIBSSH2_SESSION *session; + +diff --git a/src/packet.c b/src/packet.c +index bfbd56a..d2e758c 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -653,6 +653,18 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + _libssh2_debug(session, LIBSSH2_TRACE_CONN, + "Ignoring extended data and refunding %d bytes", + (int) (datalen - 13)); ++ if (channelp->read_avail + datalen - data_head >= ++ channelp->remote.window_size) ++ datalen = channelp->remote.window_size - ++ channelp->read_avail + data_head; ++ ++ channelp->remote.window_size -= datalen - data_head; ++ _libssh2_debug(session, LIBSSH2_TRACE_CONN, ++ "shrinking window size by %lu bytes to %lu, read_avail %lu", ++ datalen - data_head, ++ channelp->remote.window_size, ++ channelp->read_avail); ++ + session->packAdd_channelp = channelp; + + /* Adjust the window based on the block we just freed */ +@@ -684,7 +696,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + " to receive, truncating"); + datalen = channelp->remote.packet_size + data_head; + } +- if (channelp->remote.window_size <= 0) { ++ if (channelp->remote.window_size <= channelp->read_avail) { + /* + * Spec says we MAY ignore bytes sent beyond + * window_size +@@ -700,17 +712,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + /* Reset EOF status */ + channelp->remote.eof = 0; + +- if ((datalen - data_head) > channelp->remote.window_size) { ++ if (channelp->read_avail + datalen - data_head > ++ channelp->remote.window_size) { + _libssh2_error(session, + LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED, + 
"Remote sent more data than current " + "window allows, truncating"); +- datalen = channelp->remote.window_size + data_head; +- channelp->remote.window_size = 0; ++ datalen = channelp->remote.window_size - ++ channelp->read_avail + data_head; + } +- else +- /* Now that we've received it, shrink our window */ +- channelp->remote.window_size -= datalen - data_head; ++ ++ /* Update the read_avail counter. The window size will be ++ * updated once the data is actually read from the queue ++ * from an upper layer */ ++ channelp->read_avail += datalen - data_head; ++ ++ _libssh2_debug(session, LIBSSH2_TRACE_CONN, ++ "increasing read_avail by %lu bytes to %lu/%lu", ++ (long)(datalen - data_head), ++ (long)channelp->read_avail, ++ (long)channelp->remote.window_size); + + break; + +-- +1.7.1 + diff --git a/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch b/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch new file mode 100644 index 0000000..f06b7ad --- /dev/null +++ b/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch 
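Review bot: In the `packet.c` branch that ignores extended data, `datalen = channelp->remote.window_size - channelp->read_avail + data_head` is computed without the `channelp->remote.window_size <= channelp->read_avail` guard that the normal data path gets in the next hunk; `read_avail` is declared `uint32_t` in this patch, so if it can ever exceed the window the subtraction wraps and `datalen` grows instead of being clamped. The same unchecked unsigned decrements appear in `channel.c` (`channel->read_avail -= channel->flush_flush_bytes;` and `channel->read_avail -= bytes_read;`), and they rely on an invariant the hunks do not show being enforced. Because these counters are driven by what the remote peer sends, I would guard the clamp in the ignore branch with the same `window_size <= read_avail` test the normal path uses. Separately, the first new `_libssh2_debug` call passes `channelp->read_avail` to `%lu` without a cast, unlike the second call; `(unsigned long)` casts on all three arguments would keep the varargs well-defined where `long` is 64 bits. `_libssh2_packet_add` starts and ends outside the hunks.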
@@ -0,0 +1,140 @@ +From cae2385ba898f71038ed4dd00ddae02f85e588e7 Mon Sep 17 00:00:00 2001 +From: Salvador +Date: Tue, 15 Oct 2013 11:45:10 +0200 +Subject: [PATCH 08/11] _libssh2_channel_read: fix data drop when out of window + +After filling the read buffer with data from the read queue, when the +window size was too small, "libssh2_channel_receive_window_adjust" was +called to increase it. In non-blocking mode that function could return +EAGAIN and, in that case, the EAGAIN was propagated upwards and the data +already read on the buffer lost. + +The function was also moving between the two read states +"libssh2_NB_state_idle" and "libssh2_NB_state_created" both of which +behave in the same way (excepting a debug statment). + +This commit modifies "_libssh2_channel_read" so that the +"libssh2_channel_receive_window_adjust" call is performed first (when +required) and if everything goes well, then it reads the data from the +queued packets into the read buffer. + +It also removes the useless "libssh2_NB_state_created" read state. + +Some rotted comments have also been updated. 
+ +Signed-off-by: Salvador + +[upstream commit 27f9ac2549b7721cf9d857022c0e7a311830b367] +Signed-off-by: Kamil Dudka +--- + src/channel.c | 75 +++++++++++++++++++-------------------------------------- + 1 files changed, 25 insertions(+), 50 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 499d815..82f6980 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -1751,31 +1751,33 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + LIBSSH2_PACKET *read_packet; + LIBSSH2_PACKET *read_next; + +- if (channel->read_state == libssh2_NB_state_idle) { +- _libssh2_debug(session, LIBSSH2_TRACE_CONN, +- "channel_read() wants %d bytes from channel %lu/%lu " +- "stream #%d", +- (int) buflen, channel->local.id, channel->remote.id, +- stream_id); +- channel->read_state = libssh2_NB_state_created; +- } ++ _libssh2_debug(session, LIBSSH2_TRACE_CONN, ++ "channel_read() wants %d bytes from channel %lu/%lu " ++ "stream #%d", ++ (int) buflen, channel->local.id, channel->remote.id, ++ stream_id); + +- /* +- * =============================== NOTE =============================== +- * I know this is very ugly and not a really good use of "goto", but +- * this case statement would be even uglier to do it any other way +- */ +- if (channel->read_state == libssh2_NB_state_jump1) { +- goto channel_read_window_adjust; +- } ++ /* expand the receiving window first if it has become too narrow */ ++ if((channel->read_state == libssh2_NB_state_jump1) || ++ (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { ++ ++ /* the actual window adjusting may not finish so we need to deal with ++ this special state here */ ++ channel->read_state = libssh2_NB_state_jump1; ++ rc = _libssh2_channel_receive_window_adjust(channel, ++ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), ++ 0, NULL); ++ if (rc) ++ return rc; + +- rc = 1; /* set to >0 to let the while loop start */ ++ channel->read_state = libssh2_NB_state_idle; ++ } + +- /* Process all pending incoming packets in 
all states in order to "even +- out" the network readings. Tests prove that this way produces faster +- transfers. */ +- while (rc > 0) ++ /* Process all pending incoming packets. Tests prove that this way ++ produces faster transfers. */ ++ do { + rc = _libssh2_transport_read(session); ++ } while (rc > 0); + + if ((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) + return _libssh2_error(session, rc, "transport read"); +@@ -1857,8 +1859,6 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + } + + if (!bytes_read) { +- channel->read_state = libssh2_NB_state_idle; +- + /* If the channel is already at EOF or even closed, we need to signal + that back. We may have gotten that info while draining the incoming + transport layer until EAGAIN so we must not be fooled by that +@@ -1871,34 +1871,9 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + /* if the transport layer said EAGAIN then we say so as well */ + return _libssh2_error(session, rc, "would block"); + } +- else { +- channel->read_avail -= bytes_read; +- channel->remote.window_size -= bytes_read; +- /* make sure we remain in the created state to focus on emptying the +- data we already have in the packet brigade before we try to read +- more off the network again */ +- channel->read_state = libssh2_NB_state_created; +- } +- +- if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { +- /* the window is getting too narrow, expand it! 
*/ +- +- channel_read_window_adjust: +- channel->read_state = libssh2_NB_state_jump1; +- /* the actual window adjusting may not finish so we need to deal with +- this special state here */ +- rc = _libssh2_channel_receive_window_adjust(channel, +- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); +- if (rc) +- return rc; + +- _libssh2_debug(session, LIBSSH2_TRACE_CONN, +- "channel_read() filled %d adjusted %d", +- bytes_read, buflen); +- /* continue in 'created' state to drain the already read packages +- first before starting to empty the socket further */ +- channel->read_state = libssh2_NB_state_created; +- } ++ channel->read_avail -= bytes_read; ++ channel->remote.window_size -= bytes_read; + + return bytes_read; + } +-- +1.7.1 + diff --git a/0009-_libssh2_channel_read-Honour-window_size_initial.patch b/0009-_libssh2_channel_read-Honour-window_size_initial.patch new file mode 100644 index 0000000..eea48df --- /dev/null +++ b/0009-_libssh2_channel_read-Honour-window_size_initial.patch 
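Review bot: A failure other than `LIBSSH2_ERROR_EAGAIN` from `_libssh2_channel_receive_window_adjust` leaves `channel->read_state` at `libssh2_NB_state_jump1`, because the rewritten block in `_libssh2_channel_read` sets that state before the call and resets it to `libssh2_NB_state_idle` only on success. Every later read would then re-enter the adjust path before it can reach packets that are already queued. If that is not intended, `if (rc != LIBSSH2_ERROR_EAGAIN) channel->read_state = libssh2_NB_state_idle;` ahead of `if (rc) return rc;` would limit the sticky state to the would-block case. The early `return rc;` also bypasses `_libssh2_error`, unlike the `"transport read"` and `"would block"` returns in the same function, so the session's last-error text may not describe this exit. The function continues outside the hunks, so the packet-draining loop is not visible here.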
@@ -0,0 +1,62 @@ +From 5c14f0e6ecfe73da86d3ad20edd60c4756037935 Mon Sep 17 00:00:00 2001 +From: Salvador +Date: Wed, 16 Oct 2013 13:31:31 +0200 +Subject: [PATCH 09/11] _libssh2_channel_read: Honour window_size_initial + +_libssh2_channel_read was using an arbitrary hard-coded limit to trigger +the window adjusting code. The adjustment used was also hard-coded and +arbitrary, 15MB actually, which would limit the usability of libssh2 on +systems with little RAM. + +This patch, uses the window_size parameter passed to +libssh2_channel_open_ex (stored as remote.window_size_initial) plus the +buflen as the base for the trigger and the adjustment calculation. + +The memory usage when using the default window size is reduced from 22MB +to 256KB per channel (actually, if compression is used, these numbers +should be incremented by ~50% to account for the errors between the +decompressed packet sizes and the predicted sizes). + +My tests indicate that this change does not impact the performance of +transfers across localhost or a LAN, being it on par with that of +OpenSSH. On the other hand, it will probably slow down transfers on +networks with high bandwidth*delay when the default window size +(LIBSSH2_CHANNEL_WINDOW_DEFAULT=256KB) is used. 
+ +Signed-off-by: Salvador Fandino + +[upstream commit 1b3307dda0c58d9023a657747592ac86703b1ff4] +Signed-off-by: Kamil Dudka +--- + src/channel.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 82f6980..36c75d2 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -1758,14 +1758,17 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, + stream_id); + + /* expand the receiving window first if it has become too narrow */ +- if((channel->read_state == libssh2_NB_state_jump1) || +- (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { ++ if( (channel->read_state == libssh2_NB_state_jump1) || ++ (channel->remote.window_size < channel->remote.window_size_initial / 4 * 3 + buflen) ) { ++ ++ uint32_t adjustment = channel->remote.window_size_initial + buflen - channel->remote.window_size; ++ if (adjustment < LIBSSH2_CHANNEL_MINADJUST) ++ adjustment = LIBSSH2_CHANNEL_MINADJUST; + + /* the actual window adjusting may not finish so we need to deal with + this special state here */ + channel->read_state = libssh2_NB_state_jump1; +- rc = _libssh2_channel_receive_window_adjust(channel, +- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), ++ rc = _libssh2_channel_receive_window_adjust(channel, adjustment, + 0, NULL); + if (rc) + return rc; +-- +1.7.1 + diff --git a/0010-Set-default-window-size-to-2MB.patch b/0010-Set-default-window-size-to-2MB.patch new file mode 100644 index 0000000..0b8f693 --- /dev/null +++ b/0010-Set-default-window-size-to-2MB.patch 
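Review bot: `uint32_t adjustment = channel->remote.window_size_initial + buflen - channel->remote.window_size;` can wrap when the block is entered through the `read_state == libssh2_NB_state_jump1` half of the condition, because the `window_size < window_size_initial / 4 * 3 + buflen` test has then not been evaluated for the current `buflen`. A retry after EAGAIN with a smaller buffer could yield a value near 4 GiB, which passes the `LIBSSH2_CHANNEL_MINADJUST` floor and is handed to `_libssh2_channel_receive_window_adjust`; whether that function uses the new value while an adjust is pending is not visible in this hunk. Since the advertised window bounds how much data the remote peer may make the client queue, I would clamp explicitly, e.g. `if (channel->remote.window_size >= channel->remote.window_size_initial + buflen) adjustment = LIBSSH2_CHANNEL_MINADJUST;`. `buflen` is caller-supplied and appears to be wider than 32 bits, so the implicit narrowing to `uint32_t` deserves the same check or at least a comment.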
@@ -0,0 +1,85 @@ +From 0a758095c40ae1b32dc5052a706a16c2d9ac5742 Mon Sep 17 00:00:00 2001 +From: Salvador Fandino +Date: Mon, 21 Oct 2013 11:58:55 +0200 +Subject: [PATCH 10/11] Set default window size to 2MB + +The default channel window size used until now was 256KB. This value is +too small and results on a bottleneck on real-life networks where +round-trip delays can easily reach 300ms. + +The issue was not visible because the configured channel window size +was being ignored and a hard-coded value of ~22MB being used instead, +but that was fixed on a previous commit. + +This patch just changes the default window size +(LIBSSH2_CHANNEL_WINDOW_DEFAULT) to 2MB. It is the same value used by +OpenSSH and in our opinion represents a good compromise between memory +used and transfer speed. + +Performance tests were run to determine the optimum value. The details +and related discussion are available from the following thread on the +libssh2 mailing-list: + +http://www.libssh2.org/mail/libssh2-devel-archive-2013-10/0018.shtml +http://article.gmane.org/gmane.network.ssh.libssh2.devel/6543 + +An excerpt follows: + +"I have been running some transfer test and measuring their speed. + +My setup was composed of a quad-core Linux machine running Ubuntu 13.10 +x86_64 with a LXC container inside. The data transfers were performed +from the container to the host (never crossing through a physical +network device). + +Network delays were simulated using the tc tool. And ping was used to +verify that they worked as intended during the tests. + +The operation performed was the equivalent to the following ssh command: + + $ ssh container "dd bs=16K count=8K if=/dev/zero" >/dev/null + +Though, establishment and closing of the SSH connection was excluded +from the timings. + +I run the tests several times transferring files of sizes up to 128MB +and the results were consistent between runs. 
+ +The results corresponding to the 128MB transfer are available here: + +https://docs.google.com/spreadsheet/ccc?key=0Ao1yRmX6PQQzdG5wSFlrZl9HRWNET3ZyN0hnaGo5ZFE&usp=sharing + +It clearly shows that 256KB is too small as the default window size. +Moving to a 512MB generates a great improvement and after the 1MB mark +the returns rapidly diminish. Other factors (TCP window size, probably) +become more limiting than the channel window size + +For comparison I also performed the same transfers using OpenSSH. Its +speed is usually on par with that of libssh2 using a window size of 1MB +(even if it uses a 2MB window, maybe it is less aggressive sending the +window adjust msgs)." + +Signed-off-by: Salvador Fandino + +[upstream commit 85a827d1bceb9abd4442f225dd7c65ef5cefdc32] +Signed-off-by: Kamil Dudka +--- + include/libssh2.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/include/libssh2.h b/include/libssh2.h +index 9b1a6e1..df873fc 100644 +--- a/include/libssh2.h ++++ b/include/libssh2.h +@@ -587,7 +587,7 @@ LIBSSH2_API int libssh2_poll(LIBSSH2_POLLFD *fds, unsigned int nfds, + long timeout); + + /* Channel API */ +-#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (256*1024) ++#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (2*1024*1024) + #define LIBSSH2_CHANNEL_PACKET_DEFAULT 32768 + #define LIBSSH2_CHANNEL_MINADJUST 1024 + +-- +1.7.1 + diff --git a/0011-channel_receive_window_adjust-store-windows-size-alw.patch b/0011-channel_receive_window_adjust-store-windows-size-alw.patch new file mode 100644 index 0000000..b14f844 --- /dev/null +++ b/0011-channel_receive_window_adjust-store-windows-size-alw.patch 
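Review bot: The `LIBSSH2_CHANNEL_WINDOW_DEFAULT` define in `include/libssh2.h` carries no comment saying what it bounds, and the change from `(256*1024)` to `(2*1024*1024)` makes that more relevant. Going by the descriptions of this patch and the previous one, the value is now honoured as the receive window, so it is presumably also the approximate amount of unread data a remote peer can have queued per channel. I would add a comment such as `/* default receive window per channel; also the approximate upper bound on queued, unread channel data */` so that applications holding many channels, or running with little memory, know to pass their own window size.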
@@ -0,0 +1,66 @@ +From baadc811a703b9a6dec655c7afb3218d8cff51fa Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Mar 2014 20:02:37 +0100 +Subject: [PATCH 11/11] channel_receive_window_adjust: store windows size always + +Avoid it sometimes returning without storing it, leaving calling +functions with unknown content! + +Detected by clang-analyzer + +[upstream commit fcb601da7b37c6e9bbcd264199597e2ddb7bc347] + +Signed-off-by: Kamil Dudka +--- + src/channel.c | 11 ++++------- + 1 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/src/channel.c b/src/channel.c +index 36c75d2..1d074df 100644 +--- a/src/channel.c ++++ b/src/channel.c +@@ -1,6 +1,6 @@ + /* Copyright (c) 2004-2007 Sara Golemon + * Copyright (c) 2005 Mikhail Gusarov +- * Copyright (c) 2008-2011 by Daniel Stenberg ++ * Copyright (c) 2008-2014 by Daniel Stenberg + * + * All rights reserved. + * +@@ -1544,6 +1544,9 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, + { + int rc; + ++ if(store) ++ *store = channel->remote.window_size; ++ + if (channel->adjust_state == libssh2_NB_state_idle) { + if (!force + && (adjustment + channel->adjust_queue < +@@ -1553,14 +1556,10 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, + "for channel %lu/%lu", + adjustment, channel->local.id, channel->remote.id); + channel->adjust_queue += adjustment; +- if(store) +- *store = channel->remote.window_size; + return 0; + } + + if (!adjustment && !channel->adjust_queue) { +- if(store) +- *store = channel->remote.window_size; + return 0; + } + +@@ -1598,8 +1597,6 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, + + channel->adjust_state = libssh2_NB_state_idle; + +- if(store) +- *store = channel->remote.window_size; + return 0; + } + +-- +1.7.1 + diff --git a/libssh2.spec b/libssh2.spec index a0eec8b..e32833d 100644 --- a/libssh2.spec +++ b/libssh2.spec 
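Review bot: The success path of `_libssh2_channel_receive_window_adjust` now reports the window as it was on entry, because `if(store) *store = channel->remote.window_size;` moves to the top of the function and the copy before the final `return 0;` is deleted. If the code between the send and `channel->adjust_state = libssh2_NB_state_idle;` (outside the hunk) grows `remote.window_size` by `adjustment`, as the removed trailing store suggests, callers that pass `store` get a stale, smaller value after a successful adjust. Keeping the early store for the error exits and restoring `if(store) *store = channel->remote.window_size;` before the last `return 0;` would cover both cases.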
@@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 11%{?dist} +Release: 12%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -24,6 +24,12 @@ Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch Patch5: 0005-channel.c-fix-a-use-after-free.patch +Patch6: 0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch +Patch7: 0007-window_size-redid-window-handling-for-flow-control-r.patch +Patch8: 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch +Patch9: 0009-_libssh2_channel_read-Honour-window_size_initial.patch +Patch10: 0010-Set-default-window-size-to-2MB.patch +Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -88,6 +94,14 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # https://trac.libssh2.org/ticket/268 %patch5 -p1 +# Fix curl's excessive memory consumption during scp download +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -160,6 +174,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Apr 30 2014 Kamil Dudka 1.4.3-12 +- Fix curl's excessive memory consumption during scp download + * Mon Feb 17 2014 Paul Howarth - 1.4.3-11 - The aarch64 buildroot seems to have the same locale issue as the PPC one From d7ba3102d392da8b0465498ac140df598adb1749 Mon Sep 17 00:00:00 2001 
From: Dennis Gilmore Date: Sat, 7 Jun 2014 00:34:36 -0500 Subject: [PATCH 57/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index e32833d..e65e61a 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 12%{?dist} +Release: 13%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -174,6 +174,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sat Jun 07 2014 Fedora Release Engineering - 1.4.3-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Wed Apr 30 2014 Kamil Dudka 1.4.3-12 - Fix curl's excessive memory consumption during scp download From a53677d01bd96bc6aebcf74232c7103569f0b5c5 Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Fri, 18 Jul 2014 15:23:38 -0400 Subject: [PATCH 58/93] fix license handling --- libssh2.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index e65e61a..8a8ce1e 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 13%{?dist} +Release: 14%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -157,7 +157,9 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%doc AUTHORS ChangeLog COPYING README NEWS +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS ChangeLog README NEWS %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* @@ -174,6 +176,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Jul 18 2014 Tom Callaway - 1.4.3-14 +- fix license handling + * Sat Jun 07 2014 Fedora Release Engineering - 1.4.3-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild From f3791deea43f4c0880dfac5f1182138b0912c558 Mon Sep 17 00:00:00 2001 
From: Tom Callaway Date: Fri, 18 Jul 2014 15:23:59 -0400 Subject: [PATCH 59/93] fix license handling --- libssh2.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index e65e61a..8a8ce1e 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 13%{?dist} +Release: 14%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -157,7 +157,9 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%doc AUTHORS ChangeLog COPYING README NEWS +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS ChangeLog README NEWS %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* @@ -174,6 +176,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Jul 18 2014 Tom Callaway - 1.4.3-14 +- fix license handling + * Sat Jun 07 2014 Fedora Release Engineering - 1.4.3-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild From aa67a4734046f73c2f003c1fa6c3f33b93eaa1e7 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 17 Aug 2014 06:09:50 +0000 Subject: [PATCH 60/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 8a8ce1e..80c5fad 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 14%{?dist} +Release: 15%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -176,6 +176,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Aug 17 2014 Fedora Release Engineering - 1.4.3-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Fri Jul 18 2014 Tom Callaway - 1.4.3-14 - fix license handling From 48f7eb2d50f8461b78bdaf1d43f64d4c29278d42 Mon Sep 17 00:00:00 2001 
From: Peter Robinson Date: Sun, 17 Aug 2014 06:10:03 +0000 Subject: [PATCH 61/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 8a8ce1e..80c5fad 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 14%{?dist} +Release: 15%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -176,6 +176,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Aug 17 2014 Fedora Release Engineering - 1.4.3-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Fri Jul 18 2014 Tom Callaway - 1.4.3-14 - fix license handling From 384b1c0765543e907c879473139cbd0a9379427f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 10 Oct 2014 13:22:55 +0200 Subject: [PATCH 62/93] Resolves: #1147717 - prevent a not-connected agent from closing STDIN --- ...it-init-fd-to-LIBSSH2_INVALID_SOCKET.patch | 31 +++++++++++++++++++ libssh2.spec | 9 +++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch diff --git a/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch b/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch new file mode 100644 index 0000000..48a62e8 --- /dev/null +++ b/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch 
@@ -0,0 +1,31 @@ +From a958624be229315ab57017040ef15c5ae072d1ac Mon Sep 17 00:00:00 2001 +From: Matthias Kerestesch +Date: Sat, 18 May 2013 23:01:35 +0200 +Subject: [PATCH] libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET + +... previously it was left at 0 which is a valid file descriptor! + +Bug: https://trac.libssh2.org/ticket/265 + +Fixes #265 + +Upstream-commit: 1ad20ac7d3e21d091e7cfec58fda0afdc359360a +--- + src/agent.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/agent.c b/src/agent.c +index 1c65149..a8a5025 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -652,6 +652,7 @@ libssh2_agent_init(LIBSSH2_SESSION *session) + return NULL; + } + memset(agent, 0, sizeof *agent); ++ agent->fd = LIBSSH2_INVALID_SOCKET; + agent->session = session; + _libssh2_list_init(&agent->head); + +-- +2.1.0 + diff --git a/libssh2.spec b/libssh2.spec index 80c5fad..1df6f32 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 15%{?dist} +Release: 16%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -30,6 +30,7 @@ Patch8: 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch Patch9: 0009-_libssh2_channel_read-Honour-window_size_initial.patch Patch10: 0010-Set-default-window-size-to-2MB.patch Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch +Patch12: 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel @@ -102,6 +103,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} %patch10 -p1 %patch11 -p1 +# prevent a not-connected agent from closing STDIN (#1147717) +%patch12 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : 
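Review bot: `agent->fd = LIBSSH2_INVALID_SOCKET;` follows `memset(agent, 0, sizeof *agent);` in `libssh2_agent_init` without a comment, and the reason is easy to lose: a zeroed `fd` is descriptor 0, so an agent that never connected could have standard input closed on teardown. A one-line comment such as `/* 0 is a valid descriptor (stdin); mark the agent as not connected */` would keep a later cleanup from folding the assignment back into the memset. The disconnect and free paths are outside the hunk, so it is worth confirming that they compare against `LIBSSH2_INVALID_SOCKET` rather than testing `fd` for zero. `libssh2_agent_init` starts and ends outside the hunk; PATCH 63/93 adds the same file again and the note applies there unchanged.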
@@ -176,6 +180,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Oct 10 2014 Kamil Dudka 1.4.3-16 +- prevent a not-connected agent from closing STDIN (#1147717) + * Sun Aug 17 2014 Fedora Release Engineering - 1.4.3-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild From 61ab33f54880e6f973eb41bcdedb10946c1cf08c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 10 Oct 2014 13:22:55 +0200 Subject: [PATCH 63/93] Resolves: #1147717 - prevent a not-connected agent from closing STDIN --- ...it-init-fd-to-LIBSSH2_INVALID_SOCKET.patch | 31 +++++++++++++++++++ libssh2.spec | 9 +++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch diff --git a/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch b/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch new file mode 100644 index 0000000..48a62e8 --- /dev/null +++ b/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch @@ -0,0 +1,31 @@ +From a958624be229315ab57017040ef15c5ae072d1ac Mon Sep 17 00:00:00 2001 +From: Matthias Kerestesch +Date: Sat, 18 May 2013 23:01:35 +0200 +Subject: [PATCH] libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET + +... previously it was left at 0 which is a valid file descriptor! + +Bug: https://trac.libssh2.org/ticket/265 + +Fixes #265 + +Upstream-commit: 1ad20ac7d3e21d091e7cfec58fda0afdc359360a +--- + src/agent.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/agent.c b/src/agent.c +index 1c65149..a8a5025 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -652,6 +652,7 @@ libssh2_agent_init(LIBSSH2_SESSION *session) + return NULL; + } + memset(agent, 0, sizeof *agent); ++ agent->fd = LIBSSH2_INVALID_SOCKET; + agent->session = session; + _libssh2_list_init(&agent->head); + +-- +2.1.0 + diff --git a/libssh2.spec b/libssh2.spec index 80c5fad..1df6f32 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -12,7 +12,7 @@
 Name: libssh2
 Version: 1.4.3
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: A library implementing the SSH2 protocol
 Group: System Environment/Libraries
 License: BSD
@@ -30,6 +30,7 @@ Patch8: 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch
 Patch9: 0009-_libssh2_channel_read-Honour-window_size_initial.patch
 Patch10: 0010-Set-default-window-size-to-2MB.patch
 Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch
+Patch12: 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires: openssl-devel
 BuildRequires: zlib-devel
@@ -102,6 +103,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
 %patch10 -p1
 %patch11 -p1
+# prevent a not-connected agent from closing STDIN (#1147717)
+%patch12 -p1
+
 # Make sshd transition appropriately if building in an SELinux environment
 %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
 chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || :
@@ -176,6 +180,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Fri Oct 10 2014 Kamil Dudka 1.4.3-16
+- prevent a not-connected agent from closing STDIN (#1147717)
+
 * Sun Aug 17 2014 Fedora Release Engineering - 1.4.3-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
From 33cf9702d82652f637e94c5211ebb14e4edd3c3e Mon Sep 17 00:00:00 2001
From: Paul Howarth Date: Wed, 11 Mar 2015 10:30:38 +0000 Subject: [PATCH 64/93] Update to 1.5.0 - New upstream release 1.5.0 - See RELEASE-NOTES for details of bug fixes and enhancements - Security Advisory for CVE-2015-1782, using SSH_MSG_KEXINIT data unbounded --- ...k-Don-t-flush-buffers-on-same-offset.patch | 54 ----- ...ng-error-path-reset-the-correct-stat.patch | 26 -- ...-support-for-fsync-OpenSSH-extension.patch | 223 ------------------ ...-window_size-explicit-adjustments-on.patch | 69 ------ 0005-channel.c-fix-a-use-after-free.patch | 26 -- ..._write-client-spins-on-write-when-wi.patch | 45 ---- ...d-window-handling-for-flow-control-r.patch | 146 ------------ ..._read-fix-data-drop-when-out-of-wind.patch | 140 ----------- ...nnel_read-Honour-window_size_initial.patch | 62 ----- 0010-Set-default-window-size-to-2MB.patch | 85 ------- ...window_adjust-store-windows-size-alw.patch | 66 ------ ...it-init-fd-to-LIBSSH2_INVALID_SOCKET.patch | 31 --- libssh2-1.3.0.tar.gz.asc | 7 - libssh2.spec | 52 +--- sources | 2 +- 15 files changed, 14 insertions(+), 1020 deletions(-) delete mode 100644 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch delete mode 100644 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch delete mode 100644 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch delete mode 100644 0004-partially-revert-window_size-explicit-adjustments-on.patch delete mode 100644 0005-channel.c-fix-a-use-after-free.patch delete mode 100644 0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch delete mode 100644 0007-window_size-redid-window-handling-for-flow-control-r.patch delete mode 100644 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch delete mode 100644 0009-_libssh2_channel_read-Honour-window_size_initial.patch delete mode 100644 0010-Set-default-window-size-to-2MB.patch delete mode 100644 0011-channel_receive_window_adjust-store-windows-size-alw.patch delete mode 100644 
0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch delete mode 100644 libssh2-1.3.0.tar.gz.asc diff --git a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch b/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch deleted file mode 100644 index 9acbd6d..0000000 --- a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 486bb376218a37fe15318d7724d6eada36b81e6c Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Tue, 26 Mar 2013 17:58:04 +0100 -Subject: [PATCH 1/3] sftp: seek: Don't flush buffers on same offset - -Signed-off-by: Richard W.M. Jones ---- - src/sftp.c | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/src/sftp.c b/src/sftp.c -index d0536dd..3760025 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2132,21 +2132,24 @@ libssh2_sftp_fstat_ex(LIBSSH2_SFTP_HANDLE *hnd, - LIBSSH2_API void - libssh2_sftp_seek64(LIBSSH2_SFTP_HANDLE *handle, libssh2_uint64_t offset) - { -- if(handle) { -- handle->u.file.offset = handle->u.file.offset_sent = offset; -- /* discard all pending requests and currently read data */ -- sftp_packetlist_flush(handle); -+ if(!handle) -+ return; -+ if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset) -+ return; - -- /* free the left received buffered data */ -- if (handle->u.file.data_left) { -- LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -- handle->u.file.data_left = handle->u.file.data_len = 0; -- handle->u.file.data = NULL; -- } -+ handle->u.file.offset = handle->u.file.offset_sent = offset; -+ /* discard all pending requests and currently read data */ -+ sftp_packetlist_flush(handle); - -- /* reset EOF to False */ -- handle->u.file.eof = FALSE; -+ /* free the left received buffered data */ -+ if (handle->u.file.data_left) { -+ LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -+ handle->u.file.data_left = handle->u.file.data_len = 0; -+ handle->u.file.data = NULL; - } -+ -+ /* reset EOF to False */ -+ handle->u.file.eof = FALSE; - } - - /* libssh2_sftp_seek --- -1.8.1.4 - diff --git a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch b/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch deleted file mode 100644 index 83ca15e..0000000 
--- a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch +++ /dev/null @@ -1,26 +0,0 @@ -From a12f3ffab579b514eeb7fdfaca0ade271961cdb4 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Mon, 8 Apr 2013 17:30:10 +0100 -Subject: [PATCH 2/3] sftp: statvfs: Along error path, reset the correct - 'state' variable. - ---- - src/sftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sftp.c b/src/sftp.c -index 3760025..65fa77a 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2752,7 +2752,7 @@ static int sftp_statvfs(LIBSSH2_SFTP *sftp, const char *path, - "Error waiting for FXP EXTENDED REPLY"); - } else if (data_len < 93) { - LIBSSH2_FREE(session, data); -- sftp->fstatvfs_state = libssh2_NB_state_idle; -+ sftp->statvfs_state = libssh2_NB_state_idle; - return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, - "SFTP Protocol Error: short response"); - } --- -1.8.1.4 - diff --git a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch b/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch deleted file mode 100644 index cc1cbb4..0000000 --- a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From 6e0d757f24a45252c4cae9ea09732eda2562c767 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Tue, 9 Apr 2013 11:42:09 +0200 -Subject: [PATCH 3/3] sftp: Add support for fsync (OpenSSH extension). - -The new libssh2_sftp_fsync API causes data and metadata in the -currently open file to be committed to disk at the server. - -This is an OpenSSH extension to the SFTP protocol. See: - -https://bugzilla.mindrot.org/show_bug.cgi?id=1798 ---- - docs/Makefile.am | 1 + - docs/libssh2_sftp_fsync.3 | 39 +++++++++++++++++++ - include/libssh2_sftp.h | 1 + - src/sftp.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++ - src/sftp.h | 5 +++ - 5 files changed, 143 insertions(+) - create mode 100644 docs/libssh2_sftp_fsync.3 - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index e4cf487..e6ab394 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -120,6 +120,7 @@ dist_man_MANS = \ - libssh2_sftp_fstat.3 \ - libssh2_sftp_fstat_ex.3 \ - libssh2_sftp_fstatvfs.3 \ -+ libssh2_sftp_fsync.3 \ - libssh2_sftp_get_channel.3 \ - libssh2_sftp_init.3 \ - libssh2_sftp_last_error.3 \ -diff --git a/docs/libssh2_sftp_fsync.3 b/docs/libssh2_sftp_fsync.3 -new file mode 100644 -index 0000000..646760a ---- /dev/null -+++ b/docs/libssh2_sftp_fsync.3 -@@ -0,0 +1,39 @@ -+.TH libssh2_sftp_fsync 3 "8 Apr 2013" "libssh2 1.4.4" "libssh2 manual" -+.SH NAME -+libssh2_sftp_fsync - synchronize file to disk -+.SH SYNOPSIS -+.nf -+#include -+#include -+ -+int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+.fi -+.SH DESCRIPTION -+This function causes the remote server to synchronize the file -+data and metadata to disk (like fsync(2)). -+ -+For this to work requires fsync@openssh.com support on the server. -+ -+\fIhandle\fP - SFTP File Handle as returned by -+.BR libssh2_sftp_open_ex(3) -+ -+.SH RETURN VALUE -+Returns 0 on success or negative on failure. If used in non-blocking mode, it -+returns LIBSSH2_ERROR_EAGAIN when it would otherwise block. 
While -+LIBSSH2_ERROR_EAGAIN is a negative number, it isn't really a failure per se. -+.SH ERRORS -+\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed. -+ -+\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket. -+ -+\fILIBSSH2_ERROR_SFTP_PROTOCOL\fP - An invalid SFTP protocol response -+was received on the socket, or an SFTP operation caused an errorcode -+to be returned by the server. In particular, this can be returned if -+the SSH server does not support the fsync operation: the SFTP subcode -+\fILIBSSH2_FX_OP_UNSUPPORTED\fP will be returned in this case. -+ -+.SH AVAILABILITY -+Added in libssh2 1.4.4 and OpenSSH 6.3. -+.SH SEE ALSO -+.BR fsync(2) -diff --git a/include/libssh2_sftp.h b/include/libssh2_sftp.h -index 74884fb..677faf2 100644 ---- a/include/libssh2_sftp.h -+++ b/include/libssh2_sftp.h -@@ -247,6 +247,7 @@ LIBSSH2_API int libssh2_sftp_readdir_ex(LIBSSH2_SFTP_HANDLE *handle, \ - - LIBSSH2_API ssize_t libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *handle, - const char *buffer, size_t count); -+LIBSSH2_API int libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle); - - LIBSSH2_API int libssh2_sftp_close_handle(LIBSSH2_SFTP_HANDLE *handle); - #define libssh2_sftp_close(handle) libssh2_sftp_close_handle(handle) -diff --git a/src/sftp.c b/src/sftp.c -index 65fa77a..01017fd 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -986,6 +986,10 @@ sftp_shutdown(LIBSSH2_SFTP *sftp) - LIBSSH2_FREE(session, sftp->symlink_packet); - sftp->symlink_packet = NULL; - } -+ if (sftp->fsync_packet) { -+ LIBSSH2_FREE(session, sftp->fsync_packet); -+ sftp->fsync_packet = NULL; -+ } - - sftp_packet_flush(sftp); - -@@ -2014,6 +2018,99 @@ libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *hnd, const char *buffer, - - } - -+static int sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+{ -+ LIBSSH2_SFTP *sftp = handle->sftp; -+ LIBSSH2_CHANNEL *channel = sftp->channel; -+ LIBSSH2_SESSION *session = channel->session; -+ /* 34 = packet_len(4) + packet_type(1) + request_id(4) + -+ 
string_len(4) + strlen("fsync@openssh.com")(17) + handle_len(4) */ -+ uint32_t packet_len = handle->handle_len + 34; -+ size_t data_len; -+ unsigned char *packet, *s, *data; -+ ssize_t rc; -+ uint32_t retcode; -+ -+ if (sftp->fsync_state == libssh2_NB_state_idle) { -+ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, -+ "Issuing fsync command"); -+ s = packet = LIBSSH2_ALLOC(session, packet_len); -+ if (!packet) { -+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, -+ "Unable to allocate memory for FXP_EXTENDED " -+ "packet"); -+ } -+ -+ _libssh2_store_u32(&s, packet_len - 4); -+ *(s++) = SSH_FXP_EXTENDED; -+ sftp->fsync_request_id = sftp->request_id++; -+ _libssh2_store_u32(&s, sftp->fsync_request_id); -+ _libssh2_store_str(&s, "fsync@openssh.com", 17); -+ _libssh2_store_str(&s, handle->handle, handle->handle_len); -+ -+ sftp->fsync_state = libssh2_NB_state_created; -+ } else { -+ packet = sftp->fsync_packet; -+ } -+ -+ if (sftp->fsync_state == libssh2_NB_state_created) { -+ rc = _libssh2_channel_write(channel, 0, packet, packet_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN || -+ (0 <= rc && rc < (ssize_t)packet_len)) { -+ sftp->fsync_packet = packet; -+ return LIBSSH2_ERROR_EAGAIN; -+ } -+ -+ LIBSSH2_FREE(session, packet); -+ sftp->fsync_packet = NULL; -+ -+ if (rc < 0) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, -+ "_libssh2_channel_write() failed"); -+ } -+ sftp->fsync_state = libssh2_NB_state_sent; -+ } -+ -+ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, -+ sftp->fsync_request_id, &data, &data_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN) { -+ return rc; -+ } else if (rc) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, rc, -+ "Error waiting for FXP EXTENDED REPLY"); -+ } -+ -+ sftp->fsync_state = libssh2_NB_state_idle; -+ -+ retcode = _libssh2_ntohu32(data + 5); -+ LIBSSH2_FREE(session, data); -+ -+ if (retcode != LIBSSH2_FX_OK) { -+ sftp->last_errno = retcode; -+ return 
_libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, -+ "fsync failed"); -+ } -+ -+ return 0; -+} -+ -+/* libssh2_sftp_fsync -+ * Commit data on the handle to disk. -+ */ -+LIBSSH2_API int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *hnd) -+{ -+ int rc; -+ if(!hnd) -+ return LIBSSH2_ERROR_BAD_USE; -+ BLOCK_ADJUST(rc, hnd->sftp->channel->session, -+ sftp_fsync(hnd)); -+ return rc; -+} -+ -+ - /* - * sftp_fstat - * -diff --git a/src/sftp.h b/src/sftp.h -index 55bdb46..63e8139 100644 ---- a/src/sftp.h -+++ b/src/sftp.h -@@ -175,6 +175,11 @@ struct _LIBSSH2_SFTP - /* State variable used in sftp_write() */ - libssh2_nonblocking_states write_state; - -+ /* State variables used in sftp_fsync() */ -+ libssh2_nonblocking_states fsync_state; -+ unsigned char *fsync_packet; -+ uint32_t fsync_request_id; -+ - /* State variables used in libssh2_sftp_readdir() */ - libssh2_nonblocking_states readdir_state; - unsigned char *readdir_packet; --- -1.8.1.4 - diff --git a/0004-partially-revert-window_size-explicit-adjustments-on.patch b/0004-partially-revert-window_size-explicit-adjustments-on.patch deleted file mode 100644 index fe7751a..0000000 --- a/0004-partially-revert-window_size-explicit-adjustments-on.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 9e56b84c41efcaf3349f82a93c3dc854e172e5c4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 9 Aug 2013 16:22:08 +0200 -Subject: [PATCH 4/5] partially revert "window_size: explicit adjustments only" - -This partially reverts commit 03ca9020756a4e16f0294e5b35e9826ee6af2364 -in order to fix extreme slowdown when uploading to localhost via SFTP. - -I was able to repeat the issue on RHEL-7 on localhost only. It did not -occur when uploading via network and it did not occur on a RHEL-6 box -with the same version of libssh2. - -The problem was that sftp_read() used a read-ahead logic to figure out -the window_size, but sftp_packet_read() called indirectly from -sftp_write() did not use any read-ahead logic. ---- - src/channel.c | 29 +++++++++++++++++++++++++++++ - 1 files changed, 29 insertions(+), 0 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 4f41e1f..d4ffdce 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1759,6 +1759,15 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - channel->read_state = libssh2_NB_state_created; - } - -+ /* -+ * =============================== NOTE =============================== -+ * I know this is very ugly and not a really good use of "goto", but -+ * this case statement would be even uglier to do it any other way -+ */ -+ if (channel->read_state == libssh2_NB_state_jump1) { -+ goto channel_read_window_adjust; -+ } -+ - rc = 1; /* set to >0 to let the while loop start */ - - /* Process all pending incoming packets in all states in order to "even -@@ -1867,6 +1876,26 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - more off the network again */ - channel->read_state = libssh2_NB_state_created; - -+ if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { -+ /* the window is getting too narrow, expand it! 
*/ -+ -+ channel_read_window_adjust: -+ channel->read_state = libssh2_NB_state_jump1; -+ /* the actual window adjusting may not finish so we need to deal with -+ this special state here */ -+ rc = _libssh2_channel_receive_window_adjust(channel, -+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); -+ if (rc) -+ return rc; -+ -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "channel_read() filled %d adjusted %d", -+ bytes_read, buflen); -+ /* continue in 'created' state to drain the already read packages -+ first before starting to empty the socket further */ -+ channel->read_state = libssh2_NB_state_created; -+ } -+ - return bytes_read; - } - --- -1.7.1 - diff --git a/0005-channel.c-fix-a-use-after-free.patch b/0005-channel.c-fix-a-use-after-free.patch deleted file mode 100644 index 8fa0a05..0000000 --- a/0005-channel.c-fix-a-use-after-free.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 96e1078fced70e39e4163857ad8345ae9d24573f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 14 Aug 2013 17:37:00 +0200 -Subject: [PATCH 5/5] channel.c: fix a use after free - -Bug: https://trac.libssh2.org/ticket/268 ---- - src/channel.c | 2 -- - 1 files changed, 0 insertions(+), 2 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index d4ffdce..9f2c241 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -670,8 +670,6 @@ int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER *listener) - - LIBSSH2_FREE(session, listener); - -- listener->chanFwdCncl_state = libssh2_NB_state_idle; -- - return 0; - } - --- -1.7.1 - diff --git a/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch b/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch deleted file mode 100644 index 4389e5e..0000000 --- a/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From d0a263ef805244245afd9b709bdd3dc733113a6c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 7 Sep 2013 13:41:14 +0200 -Subject: [PATCH 06/11] _libssh2_channel_write: client spins on write when window full - -When there's no window to "write to", there's no point in waiting for -the socket to become writable since it most likely just will continue to -be. - -Patch-by: ncm -Fixes #258 - -[upstream commit e6c46cc249227de7b7cd136d72eded5dcb3f9381] - -Signed-off-by: Kamil Dudka ---- - src/channel.c | 10 +++++++++- - 1 files changed, 9 insertions(+), 1 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 9f2c241..74262d8 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -2039,9 +2039,17 @@ _libssh2_channel_write(LIBSSH2_CHANNEL *channel, int stream_id, - if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) - return rc; - -- if(channel->local.window_size <= 0) -+ if(channel->local.window_size <= 0) { - /* there's no room for data so we stop */ -+ -+ /* Waiting on the socket to be writable would be wrong because we -+ * would be back here immediately, but a readable socket might -+ * herald an incoming window adjustment. -+ */ -+ session->socket_block_directions = LIBSSH2_SESSION_BLOCK_INBOUND; -+ - return (rc==LIBSSH2_ERROR_EAGAIN?rc:0); -+ } - - channel->write_bufwrite = buflen; - --- -1.7.1 - diff --git a/0007-window_size-redid-window-handling-for-flow-control-r.patch b/0007-window_size-redid-window-handling-for-flow-control-r.patch deleted file mode 100644 index 64b7607..0000000 --- a/0007-window_size-redid-window-handling-for-flow-control-r.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From 8af6637d86b6a85e8889c286f7ff3d841fc5621c Mon Sep 17 00:00:00 2001 -From: Salvador Fandino -Date: Sat, 12 Oct 2013 02:51:46 +0200 -Subject: [PATCH 07/11] window_size: redid window handling for flow control reasons - -Until now, the window size (channel->remote.window_size) was being -updated just after receiving the packet from the transport layer. - -That behaviour is wrong because the channel queue may grow uncontrolled -when data arrives from the network faster that the upper layer consumes -it. - -This patch adds a new counter, read_avail, which keeps a count of the -bytes available from the packet queue for reading. Also, now the window -size is adjusted when the data is actually read by an upper layer. - -That way, if the upper layer stops reading data, the window will -eventually fill and the remote host will stop sending data. When the -upper layers reads enough data, a window adjust packet is delivered and -the transfer resumes. - -The read_avail counter is used to detect the situation when the remote -server tries to send data surpassing the window size. In that case, the -extra data is discarded. 
- -Signed-off-by: Salvador - -[upstream commit cdeef54967ed5b7d5bd8fa6da5851aa3d173faa0] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 8 +++++++- - src/libssh2_priv.h | 2 ++ - src/packet.c | 35 ++++++++++++++++++++++++++++------- - 3 files changed, 37 insertions(+), 8 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 74262d8..499d815 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1411,6 +1411,9 @@ _libssh2_channel_flush(LIBSSH2_CHANNEL *channel, int streamid) - channel->flush_state = libssh2_NB_state_created; - } - -+ channel->read_avail -= channel->flush_flush_bytes; -+ channel->remote.window_size -= channel->flush_flush_bytes; -+ - if (channel->flush_refund_bytes) { - int rc; - -@@ -1868,11 +1871,14 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - /* if the transport layer said EAGAIN then we say so as well */ - return _libssh2_error(session, rc, "would block"); - } -- else -+ else { -+ channel->read_avail -= bytes_read; -+ channel->remote.window_size -= bytes_read; - /* make sure we remain in the created state to focus on emptying the - data we already have in the packet brigade before we try to read - more off the network again */ - channel->read_state = libssh2_NB_state_created; -+ } - - if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { - /* the window is getting too narrow, expand it! 
*/ -diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h -index 4ec9f73..fcf4370 100644 ---- a/src/libssh2_priv.h -+++ b/src/libssh2_priv.h -@@ -357,6 +357,8 @@ struct _LIBSSH2_CHANNEL - libssh2_channel_data local, remote; - /* Amount of bytes to be refunded to receive window (but not yet sent) */ - uint32_t adjust_queue; -+ /* Data immediately available for reading */ -+ uint32_t read_avail; - - LIBSSH2_SESSION *session; - -diff --git a/src/packet.c b/src/packet.c -index bfbd56a..d2e758c 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -653,6 +653,18 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - _libssh2_debug(session, LIBSSH2_TRACE_CONN, - "Ignoring extended data and refunding %d bytes", - (int) (datalen - 13)); -+ if (channelp->read_avail + datalen - data_head >= -+ channelp->remote.window_size) -+ datalen = channelp->remote.window_size - -+ channelp->read_avail + data_head; -+ -+ channelp->remote.window_size -= datalen - data_head; -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "shrinking window size by %lu bytes to %lu, read_avail %lu", -+ datalen - data_head, -+ channelp->remote.window_size, -+ channelp->read_avail); -+ - session->packAdd_channelp = channelp; - - /* Adjust the window based on the block we just freed */ -@@ -684,7 +696,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - " to receive, truncating"); - datalen = channelp->remote.packet_size + data_head; - } -- if (channelp->remote.window_size <= 0) { -+ if (channelp->remote.window_size <= channelp->read_avail) { - /* - * Spec says we MAY ignore bytes sent beyond - * window_size -@@ -700,17 +712,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - /* Reset EOF status */ - channelp->remote.eof = 0; - -- if ((datalen - data_head) > channelp->remote.window_size) { -+ if (channelp->read_avail + datalen - data_head > -+ channelp->remote.window_size) { - _libssh2_error(session, - LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED, - 
"Remote sent more data than current " - "window allows, truncating"); -- datalen = channelp->remote.window_size + data_head; -- channelp->remote.window_size = 0; -+ datalen = channelp->remote.window_size - -+ channelp->read_avail + data_head; - } -- else -- /* Now that we've received it, shrink our window */ -- channelp->remote.window_size -= datalen - data_head; -+ -+ /* Update the read_avail counter. The window size will be -+ * updated once the data is actually read from the queue -+ * from an upper layer */ -+ channelp->read_avail += datalen - data_head; -+ -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "increasing read_avail by %lu bytes to %lu/%lu", -+ (long)(datalen - data_head), -+ (long)channelp->read_avail, -+ (long)channelp->remote.window_size); - - break; - --- -1.7.1 - diff --git a/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch b/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch deleted file mode 100644 index f06b7ad..0000000 --- a/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From cae2385ba898f71038ed4dd00ddae02f85e588e7 Mon Sep 17 00:00:00 2001 -From: Salvador -Date: Tue, 15 Oct 2013 11:45:10 +0200 -Subject: [PATCH 08/11] _libssh2_channel_read: fix data drop when out of window - -After filling the read buffer with data from the read queue, when the -window size was too small, "libssh2_channel_receive_window_adjust" was -called to increase it. In non-blocking mode that function could return -EAGAIN and, in that case, the EAGAIN was propagated upwards and the data -already read on the buffer lost. - -The function was also moving between the two read states -"libssh2_NB_state_idle" and "libssh2_NB_state_created" both of which -behave in the same way (excepting a debug statment). - -This commit modifies "_libssh2_channel_read" so that the -"libssh2_channel_receive_window_adjust" call is performed first (when -required) and if everything goes well, then it reads the data from the -queued packets into the read buffer. - -It also removes the useless "libssh2_NB_state_created" read state. - -Some rotted comments have also been updated. 
- -Signed-off-by: Salvador - -[upstream commit 27f9ac2549b7721cf9d857022c0e7a311830b367] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 75 +++++++++++++++++++-------------------------------------- - 1 files changed, 25 insertions(+), 50 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 499d815..82f6980 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1751,31 +1751,33 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - LIBSSH2_PACKET *read_packet; - LIBSSH2_PACKET *read_next; - -- if (channel->read_state == libssh2_NB_state_idle) { -- _libssh2_debug(session, LIBSSH2_TRACE_CONN, -- "channel_read() wants %d bytes from channel %lu/%lu " -- "stream #%d", -- (int) buflen, channel->local.id, channel->remote.id, -- stream_id); -- channel->read_state = libssh2_NB_state_created; -- } -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "channel_read() wants %d bytes from channel %lu/%lu " -+ "stream #%d", -+ (int) buflen, channel->local.id, channel->remote.id, -+ stream_id); - -- /* -- * =============================== NOTE =============================== -- * I know this is very ugly and not a really good use of "goto", but -- * this case statement would be even uglier to do it any other way -- */ -- if (channel->read_state == libssh2_NB_state_jump1) { -- goto channel_read_window_adjust; -- } -+ /* expand the receiving window first if it has become too narrow */ -+ if((channel->read_state == libssh2_NB_state_jump1) || -+ (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { -+ -+ /* the actual window adjusting may not finish so we need to deal with -+ this special state here */ -+ channel->read_state = libssh2_NB_state_jump1; -+ rc = _libssh2_channel_receive_window_adjust(channel, -+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), -+ 0, NULL); -+ if (rc) -+ return rc; - -- rc = 1; /* set to >0 to let the while loop start */ -+ channel->read_state = libssh2_NB_state_idle; -+ } - -- /* Process all pending incoming packets in 
all states in order to "even -- out" the network readings. Tests prove that this way produces faster -- transfers. */ -- while (rc > 0) -+ /* Process all pending incoming packets. Tests prove that this way -+ produces faster transfers. */ -+ do { - rc = _libssh2_transport_read(session); -+ } while (rc > 0); - - if ((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) - return _libssh2_error(session, rc, "transport read"); -@@ -1857,8 +1859,6 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - } - - if (!bytes_read) { -- channel->read_state = libssh2_NB_state_idle; -- - /* If the channel is already at EOF or even closed, we need to signal - that back. We may have gotten that info while draining the incoming - transport layer until EAGAIN so we must not be fooled by that -@@ -1871,34 +1871,9 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - /* if the transport layer said EAGAIN then we say so as well */ - return _libssh2_error(session, rc, "would block"); - } -- else { -- channel->read_avail -= bytes_read; -- channel->remote.window_size -= bytes_read; -- /* make sure we remain in the created state to focus on emptying the -- data we already have in the packet brigade before we try to read -- more off the network again */ -- channel->read_state = libssh2_NB_state_created; -- } -- -- if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { -- /* the window is getting too narrow, expand it! 
*/ -- -- channel_read_window_adjust: -- channel->read_state = libssh2_NB_state_jump1; -- /* the actual window adjusting may not finish so we need to deal with -- this special state here */ -- rc = _libssh2_channel_receive_window_adjust(channel, -- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); -- if (rc) -- return rc; - -- _libssh2_debug(session, LIBSSH2_TRACE_CONN, -- "channel_read() filled %d adjusted %d", -- bytes_read, buflen); -- /* continue in 'created' state to drain the already read packages -- first before starting to empty the socket further */ -- channel->read_state = libssh2_NB_state_created; -- } -+ channel->read_avail -= bytes_read; -+ channel->remote.window_size -= bytes_read; - - return bytes_read; - } --- -1.7.1 - diff --git a/0009-_libssh2_channel_read-Honour-window_size_initial.patch b/0009-_libssh2_channel_read-Honour-window_size_initial.patch deleted file mode 100644 index eea48df..0000000 --- a/0009-_libssh2_channel_read-Honour-window_size_initial.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 5c14f0e6ecfe73da86d3ad20edd60c4756037935 Mon Sep 17 00:00:00 2001 -From: Salvador -Date: Wed, 16 Oct 2013 13:31:31 +0200 -Subject: [PATCH 09/11] _libssh2_channel_read: Honour window_size_initial - -_libssh2_channel_read was using an arbitrary hard-coded limit to trigger -the window adjusting code. The adjustment used was also hard-coded and -arbitrary, 15MB actually, which would limit the usability of libssh2 on -systems with little RAM. - -This patch, uses the window_size parameter passed to -libssh2_channel_open_ex (stored as remote.window_size_initial) plus the -buflen as the base for the trigger and the adjustment calculation. - -The memory usage when using the default window size is reduced from 22MB -to 256KB per channel (actually, if compression is used, these numbers -should be incremented by ~50% to account for the errors between the -decompressed packet sizes and the predicted sizes). - -My tests indicate that this change does not impact the performance of -transfers across localhost or a LAN, being it on par with that of -OpenSSH. On the other hand, it will probably slow down transfers on -networks with high bandwidth*delay when the default window size -(LIBSSH2_CHANNEL_WINDOW_DEFAULT=256KB) is used. 
- -Signed-off-by: Salvador Fandino - -[upstream commit 1b3307dda0c58d9023a657747592ac86703b1ff4] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 11 +++++++---- - 1 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 82f6980..36c75d2 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1758,14 +1758,17 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - stream_id); - - /* expand the receiving window first if it has become too narrow */ -- if((channel->read_state == libssh2_NB_state_jump1) || -- (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { -+ if( (channel->read_state == libssh2_NB_state_jump1) || -+ (channel->remote.window_size < channel->remote.window_size_initial / 4 * 3 + buflen) ) { -+ -+ uint32_t adjustment = channel->remote.window_size_initial + buflen - channel->remote.window_size; -+ if (adjustment < LIBSSH2_CHANNEL_MINADJUST) -+ adjustment = LIBSSH2_CHANNEL_MINADJUST; - - /* the actual window adjusting may not finish so we need to deal with - this special state here */ - channel->read_state = libssh2_NB_state_jump1; -- rc = _libssh2_channel_receive_window_adjust(channel, -- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), -+ rc = _libssh2_channel_receive_window_adjust(channel, adjustment, - 0, NULL); - if (rc) - return rc; --- -1.7.1 - diff --git a/0010-Set-default-window-size-to-2MB.patch b/0010-Set-default-window-size-to-2MB.patch deleted file mode 100644 index 0b8f693..0000000 --- a/0010-Set-default-window-size-to-2MB.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 0a758095c40ae1b32dc5052a706a16c2d9ac5742 Mon Sep 17 00:00:00 2001 -From: Salvador Fandino -Date: Mon, 21 Oct 2013 11:58:55 +0200 -Subject: [PATCH 10/11] Set default window size to 2MB - -The default channel window size used until now was 256KB. This value is -too small and results on a bottleneck on real-life networks where -round-trip delays can easily reach 300ms. - -The issue was not visible because the configured channel window size -was being ignored and a hard-coded value of ~22MB being used instead, -but that was fixed on a previous commit. - -This patch just changes the default window size -(LIBSSH2_CHANNEL_WINDOW_DEFAULT) to 2MB. It is the same value used by -OpenSSH and in our opinion represents a good compromise between memory -used and transfer speed. - -Performance tests were run to determine the optimum value. The details -and related discussion are available from the following thread on the -libssh2 mailing-list: - -http://www.libssh2.org/mail/libssh2-devel-archive-2013-10/0018.shtml -http://article.gmane.org/gmane.network.ssh.libssh2.devel/6543 - -An excerpt follows: - -"I have been running some transfer test and measuring their speed. - -My setup was composed of a quad-core Linux machine running Ubuntu 13.10 -x86_64 with a LXC container inside. The data transfers were performed -from the container to the host (never crossing through a physical -network device). - -Network delays were simulated using the tc tool. And ping was used to -verify that they worked as intended during the tests. - -The operation performed was the equivalent to the following ssh command: - - $ ssh container "dd bs=16K count=8K if=/dev/zero" >/dev/null - -Though, establishment and closing of the SSH connection was excluded -from the timings. - -I run the tests several times transferring files of sizes up to 128MB -and the results were consistent between runs. 
- -The results corresponding to the 128MB transfer are available here: - -https://docs.google.com/spreadsheet/ccc?key=0Ao1yRmX6PQQzdG5wSFlrZl9HRWNET3ZyN0hnaGo5ZFE&usp=sharing - -It clearly shows that 256KB is too small as the default window size. -Moving to a 512MB generates a great improvement and after the 1MB mark -the returns rapidly diminish. Other factors (TCP window size, probably) -become more limiting than the channel window size - -For comparison I also performed the same transfers using OpenSSH. Its -speed is usually on par with that of libssh2 using a window size of 1MB -(even if it uses a 2MB window, maybe it is less aggressive sending the -window adjust msgs)." - -Signed-off-by: Salvador Fandino - -[upstream commit 85a827d1bceb9abd4442f225dd7c65ef5cefdc32] -Signed-off-by: Kamil Dudka ---- - include/libssh2.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/include/libssh2.h b/include/libssh2.h -index 9b1a6e1..df873fc 100644 ---- a/include/libssh2.h -+++ b/include/libssh2.h -@@ -587,7 +587,7 @@ LIBSSH2_API int libssh2_poll(LIBSSH2_POLLFD *fds, unsigned int nfds, - long timeout); - - /* Channel API */ --#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (256*1024) -+#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (2*1024*1024) - #define LIBSSH2_CHANNEL_PACKET_DEFAULT 32768 - #define LIBSSH2_CHANNEL_MINADJUST 1024 - --- -1.7.1 - diff --git a/0011-channel_receive_window_adjust-store-windows-size-alw.patch b/0011-channel_receive_window_adjust-store-windows-size-alw.patch deleted file mode 100644 index b14f844..0000000 --- a/0011-channel_receive_window_adjust-store-windows-size-alw.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From baadc811a703b9a6dec655c7afb3218d8cff51fa Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 16 Mar 2014 20:02:37 +0100 -Subject: [PATCH 11/11] channel_receive_window_adjust: store windows size always - -Avoid it sometimes returning without storing it, leaving calling -functions with unknown content! - -Detected by clang-analyzer - -[upstream commit fcb601da7b37c6e9bbcd264199597e2ddb7bc347] - -Signed-off-by: Kamil Dudka ---- - src/channel.c | 11 ++++------- - 1 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 36c75d2..1d074df 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1,6 +1,6 @@ - /* Copyright (c) 2004-2007 Sara Golemon - * Copyright (c) 2005 Mikhail Gusarov -- * Copyright (c) 2008-2011 by Daniel Stenberg -+ * Copyright (c) 2008-2014 by Daniel Stenberg - * - * All rights reserved. - * -@@ -1544,6 +1544,9 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - { - int rc; - -+ if(store) -+ *store = channel->remote.window_size; -+ - if (channel->adjust_state == libssh2_NB_state_idle) { - if (!force - && (adjustment + channel->adjust_queue < -@@ -1553,14 +1556,10 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - "for channel %lu/%lu", - adjustment, channel->local.id, channel->remote.id); - channel->adjust_queue += adjustment; -- if(store) -- *store = channel->remote.window_size; - return 0; - } - - if (!adjustment && !channel->adjust_queue) { -- if(store) -- *store = channel->remote.window_size; - return 0; - } - -@@ -1598,8 +1597,6 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - - channel->adjust_state = libssh2_NB_state_idle; - -- if(store) -- *store = channel->remote.window_size; - return 0; - } - --- -1.7.1 - diff --git a/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch b/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch deleted file mode 100644 index 48a62e8..0000000 
--- a/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a958624be229315ab57017040ef15c5ae072d1ac Mon Sep 17 00:00:00 2001 -From: Matthias Kerestesch -Date: Sat, 18 May 2013 23:01:35 +0200 -Subject: [PATCH] libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET - -... previously it was left at 0 which is a valid file descriptor! - -Bug: https://trac.libssh2.org/ticket/265 - -Fixes #265 - -Upstream-commit: 1ad20ac7d3e21d091e7cfec58fda0afdc359360a ---- - src/agent.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/agent.c b/src/agent.c -index 1c65149..a8a5025 100644 ---- a/src/agent.c -+++ b/src/agent.c -@@ -652,6 +652,7 @@ libssh2_agent_init(LIBSSH2_SESSION *session) - return NULL; - } - memset(agent, 0, sizeof *agent); -+ agent->fd = LIBSSH2_INVALID_SOCKET; - agent->session = session; - _libssh2_list_init(&agent->head); - --- -2.1.0 - diff --git a/libssh2-1.3.0.tar.gz.asc b/libssh2-1.3.0.tar.gz.asc deleted file mode 100644 index 0de0e44..0000000 --- a/libssh2-1.3.0.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iEYEABECAAYFAk5miSYACgkQeOEcayedXJH3swCg6URaVPa2VvmUISM7KrLAbyfw -aqYAoJxpmM0XY9HYqrMqmtH2uYNbpJyL -=yCYe ------END PGP SIGNATURE----- diff --git a/libssh2.spec b/libssh2.spec index 1df6f32..5621619 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -11,26 +11,14 @@ %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 -Version: 1.4.3 -Release: 16%{?dist} +Version: 1.5.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch -Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch -Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch -Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch -Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch -Patch5: 0005-channel.c-fix-a-use-after-free.patch -Patch6: 0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch -Patch7: 0007-window_size-redid-window-handling-for-flow-control-r.patch -Patch8: 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch -Patch9: 0009-_libssh2_channel_read-Honour-window_size_initial.patch -Patch10: 0010-Set-default-window-size-to-2MB.patch -Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch -Patch12: 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel 
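Review bot: The 1.5.0 tarball is still fetched through `Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz` over plain HTTP and is pinned only by the MD5 line in `sources`, and this commit deletes the stale `libssh2-1.3.0.tar.gz.asc` without adding a signature for the new release. If upstream publishes a detached signature for 1.5.0, carrying it next to the tarball lets a packager check the download against the maintainer's key instead of trusting the transport, for example `Source1: http://libssh2.org/download/libssh2-%{version}.tar.gz.asc` (URL assumed by analogy with Source0, to be confirmed). The hunk also removes Patch1 to Patch12, among them `0005-channel.c-fix-a-use-after-free.patch`, but the %changelog entry only points to RELEASE-NOTES. If each of those fixes was confirmed to be in 1.5.0, a line such as `- Drop downstream patches 1-12, all included in 1.5.0` would record that check.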
@@ -84,28 +72,6 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # Make sure things are UTF-8... %patch0 -p1 -# Three upstream patches required for qemu ssh block driver. -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 - -# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 -%patch4 -p1 - -# https://trac.libssh2.org/ticket/268 -%patch5 -p1 - -# Fix curl's excessive memory consumption during scp download -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 - -# prevent a not-connected agent from closing STDIN (#1147717) -%patch12 -p1 - # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -161,14 +127,17 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%{!?_licensedir:%global license %%doc} +%if 0%{?_licensedir:1} %license COPYING -%doc AUTHORS ChangeLog README NEWS +%else +%doc COPYING +%endif +%doc docs/AUTHORS ChangeLog NEWS README RELEASE-NOTES %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs -%doc HACKING +%doc docs/BINDINGS docs/HACKING docs/TODO %{_mandir}/man3/libssh2_*.3* %files devel @@ -180,6 +149,11 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Mar 11 2015 Paul Howarth - 1.5.0-1 +- Update to 1.5.0 + - See RELEASE-NOTES for details of bug fixes and enhancements + - Security Advisory for CVE-2015-1782, using SSH_MSG_KEXINIT data unbounded + * Fri Oct 10 2014 Kamil Dudka 1.4.3-16 - prevent a not-connected agent from closing STDIN (#1147717) diff --git a/sources b/sources index fab710a..039b601 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -071004c60c5d6f90354ad1b701013a0b libssh2-1.4.3.tar.gz +e7fa3f5c6bd2d67a9b360ff726bbc6ba libssh2-1.5.0.tar.gz From 80ed1ccaeb128cdf52a7df3850d59173cfa6e6b1 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Sun, 14 Jun 2015 17:35:46 +0100 Subject: [PATCH 65/93] Update to 1.6.0 - New upstream release 1.6.0 - Added CMake build system - Added libssh2_userauth_publickey_frommemory() - See RELEASE-NOTES for details of bug fixes --- libssh2.spec | 8 +++++++- sources | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 5621619..e9b6d61 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -11,7 +11,7 @@ %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 -Version: 1.5.0 +Version: 1.6.0 Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries @@ -149,6 +149,12 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Jun 14 2015 Paul Howarth - 1.6.0-1 +- Update to 1.6.0 + - Added CMake build system + - Added libssh2_userauth_publickey_frommemory() + - See RELEASE-NOTES for details of bug fixes + * Wed Mar 11 2015 Paul Howarth - 1.5.0-1 - Update to 1.5.0 - See RELEASE-NOTES for details of bug fixes and enhancements diff --git a/sources b/sources index 039b601..63539e4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e7fa3f5c6bd2d67a9b360ff726bbc6ba libssh2-1.5.0.tar.gz +00aabd6e714a5f42a4fb82ace20db1dd libssh2-1.6.0.tar.gz From 576be02309735ac72eade3ce78376d7ada165082 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Wed, 17 Jun 2015 17:21:55 +0000 Subject: [PATCH 66/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index e9b6d61..17a4bc4 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.6.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD 
@@ -149,6 +149,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Sun Jun 14 2015 Paul Howarth - 1.6.0-1 - Update to 1.6.0 - Added CMake build system From eb271841330bda1963ae9745bc67f8f426280550 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 11 Nov 2015 09:07:53 +0000 Subject: [PATCH 67/93] Fix pkg-config --libs output (#1279966) --- libssh2-1.6.0-pkgconfig.patch | 12 ++++++++++++ libssh2.spec | 9 ++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.6.0-pkgconfig.patch diff --git a/libssh2-1.6.0-pkgconfig.patch b/libssh2-1.6.0-pkgconfig.patch new file mode 100644 index 0000000..6cd69fc --- /dev/null +++ b/libssh2-1.6.0-pkgconfig.patch @@ -0,0 +1,12 @@ +Remove LDFLAGS from pkg-config --libs output (#1279966) + +--- libssh2.pc.in ++++ libssh2.pc.in +@@ -12,6 +12,6 @@ URL: http://www.libssh2.org/ + Description: Library for SSH-based communication + Version: @LIBSSH2VER@ + Requires.private: @LIBSREQUIRED@ +-Libs: -L${libdir} -lssh2 @LDFLAGS@ @LIBS@ ++Libs: -L${libdir} -lssh2 @LIBS@ + Libs.private: @LIBS@ + Cflags: -I${includedir} diff --git a/libssh2.spec b/libssh2.spec index 17a4bc4..437f3ec 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,13 +12,14 @@ Name: libssh2 Version: 1.6.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch +Patch1: libssh2-1.6.0-pkgconfig.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: openssl-devel BuildRequires: zlib-devel 
@@ -72,6 +73,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # Make sure things are UTF-8... %patch0 -p1 +# Fix pkg-config --libs output (#1279966) +%patch1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -149,6 +153,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Nov 10 2015 Paul Howarth - 1.6.0-3 +- Fix pkg-config --libs output (#1279966) + * Wed Jun 17 2015 Fedora Release Engineering - 1.6.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From 1ce9bf4210bb57e430aa474af8d4fa4d903bfc2b Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 4 Feb 2016 03:58:15 +0000 Subject: [PATCH 68/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 437f3ec..e86ae93 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.6.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -153,6 +153,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Feb 04 2016 Fedora Release Engineering - 1.6.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + * Tue Nov 10 2015 Paul Howarth - 1.6.0-3 - Fix pkg-config --libs output (#1279966) From 0587739ebe38abf6718b7193786e71ba020e0528 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Tue, 23 Feb 2016 10:55:39 +0000 Subject: [PATCH 69/93] Update to 1.7.0 - New upstream release 1.7.0 - diffie_hellman_sha256: Convert bytes to bits (CVE-2016-0787); see http://www.libssh2.org/adv_20160223.html - libssh2_session_set_last_error: Add function - See RELEASE-NOTES for details of bug fixes --- libssh2-1.6.0-pkgconfig.patch | 12 ------------ libssh2.spec | 22 +++++++++++++++------- sources | 2 +- 3 files changed, 16 insertions(+), 20 deletions(-) delete mode 100644 libssh2-1.6.0-pkgconfig.patch diff --git a/libssh2-1.6.0-pkgconfig.patch b/libssh2-1.6.0-pkgconfig.patch deleted file mode 100644 index 6cd69fc..0000000 --- a/libssh2-1.6.0-pkgconfig.patch +++ /dev/null @@ -1,12 +0,0 @@ -Remove LDFLAGS from pkg-config --libs output (#1279966) - ---- libssh2.pc.in -+++ libssh2.pc.in -@@ -12,6 +12,6 @@ URL: http://www.libssh2.org/ - Description: Library for SSH-based communication - Version: @LIBSSH2VER@ - Requires.private: @LIBSREQUIRED@ --Libs: -L${libdir} -lssh2 @LDFLAGS@ @LIBS@ -+Libs: -L${libdir} -lssh2 @LIBS@ - Libs.private: @LIBS@ - Cflags: -I${includedir} diff --git a/libssh2.spec b/libssh2.spec index e86ae93..8fba1eb 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -11,17 +11,21 @@ %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 -Version: 1.6.0 -Release: 4%{?dist} +Version: 1.7.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch -Patch1: libssh2-1.6.0-pkgconfig.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: gcc +BuildRequires: make BuildRequires: openssl-devel +BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man 
@@ -73,9 +77,6 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # Make sure things are UTF-8... %patch0 -p1 -# Fix pkg-config --libs output (#1279966) -%patch1 - # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -84,7 +85,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | %endif %build -%configure --disable-static --enable-shared +%configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} # Avoid polluting libssh2.pc with linker options (#947813) @@ -153,6 +154,13 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Feb 23 2016 Paul Howarth - 1.7.0-1 +- Update to 1.7.0 + - diffie_hellman_sha256: Convert bytes to bits (CVE-2016-0787); see + http://www.libssh2.org/adv_20160223.html + - libssh2_session_set_last_error: Add function + - See RELEASE-NOTES for details of bug fixes + * Thu Feb 04 2016 Fedora Release Engineering - 1.6.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/sources b/sources index 63539e4..e4f6cdc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -00aabd6e714a5f42a4fb82ace20db1dd libssh2-1.6.0.tar.gz +b01662a210e94cccf2f76094db7dac5c libssh2-1.7.0.tar.gz From 2d448ce0839973362cc5ff0bba0cf74191175e3f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 24 Feb 2016 09:08:02 +0100 Subject: [PATCH 70/93] Resolves: CVE-2016-0787 - diffie_hellman_sha1: Convert bytes to bits --- CVE-2016-0787.patch | 30 ++++++++++++++++++++++++++++++ libssh2.spec | 9 ++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 CVE-2016-0787.patch diff --git a/CVE-2016-0787.patch b/CVE-2016-0787.patch new file mode 100644 index 0000000..8827c5d --- /dev/null +++ b/CVE-2016-0787.patch 
@@ -0,0 +1,30 @@ +From 8a453a7b0f1e667b7369eb73b00843a8decdecc9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 11 Feb 2016 13:52:20 +0100 +Subject: [PATCH] diffie_hellman_sha1: convert bytes to bits + +As otherwise we get far too small numbers. + +CVE-2016-0787 + +Signed-off-by: Kamil Dudka +--- + src/kex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kex.c b/src/kex.c +index 6349457..e89b36c 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -133,7 +133,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session, + memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t)); + + /* Generate x and e */ +- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1); ++ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1); + _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p, + exchange_state->ctx); + +-- +2.7.0 + diff --git a/libssh2.spec b/libssh2.spec index 8fba1eb..c071267 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,13 +12,14 @@ Name: libssh2 Version: 1.7.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: libssh2-1.4.2-utf8.patch +Patch2: CVE-2016-0787.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils BuildRequires: findutils @@ -77,6 +78,9 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # Make sure things are UTF-8... %patch0 -p1 +# diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) +%patch2 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : 
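Review bot: The result of `_libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);` is discarded on the added line of the src/kex.c hunk embedded in CVE-2016-0787.patch, so if the backend's random call can fail, `x` reaches `_libssh2_bn_mod_exp` with whatever value it already held. Whether `_libssh2_bn_rand` reports failure depends on the crypto backend and is not visible here; where it does, the call should be checked and the key exchange aborted on error. A short comment such as `/* group_order is in bytes; _libssh2_bn_rand expects a bit count */` would keep the unit conversion from being undone in a later cleanup. The patch header also lacks the upstream reference that the other patches in this package carry, e.g. `Upstream-commit: <upstream commit id>`, which makes it harder to confirm that this matches upstream's fix. diffie_hellman_sha1 starts and ends outside the hunk.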
@@ -154,6 +158,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Feb 24 2016 Kamil Dudka - 1.7.0-2 +- diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) + * Tue Feb 23 2016 Paul Howarth - 1.7.0-1 - Update to 1.7.0 - diffie_hellman_sha256: Convert bytes to bits (CVE-2016-0787); see From f9f6b45015cd00f081626f0bfe0b8350ff35d7e6 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 24 Feb 2016 12:12:23 +0000 Subject: [PATCH 71/93] Drop UTF-8 patch, which breaks things rather than fixes them --- libssh2-1.4.2-utf8.patch | 14 -------------- libssh2.spec | 9 ++++----- 2 files changed, 4 insertions(+), 19 deletions(-) delete mode 100644 libssh2-1.4.2-utf8.patch diff --git a/libssh2-1.4.2-utf8.patch b/libssh2-1.4.2-utf8.patch deleted file mode 100644 index 9177691..0000000 --- a/libssh2-1.4.2-utf8.patch +++ /dev/null @@ -1,14 +0,0 @@ - NEWS | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - ---- libssh2/NEWS -+++ libssh2/NEWS -@@ -3552,7 +3552,7 @@ Simon Josefsson (16 Nov 2009) - - support arcfour128 cipher per RFC 4345 - - Daniel Stenberg (21 Oct 2009) --- [Cristian Rodríguez brought this change] -+- [Cristian Rodríguez brought this change] - - add support for GCC visibility features - diff --git a/libssh2.spec b/libssh2.spec index c071267..2a5d2da 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,13 +12,12 @@ Name: libssh2 Version: 1.7.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.4.2-utf8.patch Patch2: CVE-2016-0787.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils 
@@ -75,9 +74,6 @@ developing applications that use libssh2. # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} -# Make sure things are UTF-8... -%patch0 -p1 - # diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) %patch2 -p1 @@ -158,6 +154,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Feb 24 2016 Paul Howarth - 1.7.0-3 +- Drop UTF-8 patch, which breaks things rather than fixes them + * Wed Feb 24 2016 Kamil Dudka - 1.7.0-2 - diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) From 0355577a5dc4dcbf6004839ef41e48421eb81870 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sat, 5 Mar 2016 17:45:34 +0000 Subject: [PATCH 72/93] Modernise spec (no we really don't care about el4/fc4), Don't ship ChangeLog/NEWS, duplicates of RELEASE-NOTES --- libssh2.spec | 42 ++++++++++++------------------------------ 1 file changed, 12 insertions(+), 30 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 2a5d2da..8826175 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,25 +1,16 @@ -# Fedora 10 onwards support noarch subpackages; by using one, we can -# put the arch-independent docs in a common subpackage and save lots -# of space on the mirrors -%if 0%{?fedora} > 9 || 0%{?rhel} > 5 -%global noarch_docs_package 1 -%else -%global noarch_docs_package 0 -%endif - # Define %%{__isa_bits} for old releases %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 Version: 1.7.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch2: CVE-2016-0787.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) + BuildRequires: coreutils BuildRequires: findutils BuildRequires: gcc 
@@ -28,16 +19,11 @@ BuildRequires: openssl-devel BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man +BuildRequires: libselinux-utils +BuildRequires: selinux-policy-targeted # Test suite requirements - we run the OpenSSH server and try to connect to it BuildRequires: openssh-server -# We use matchpathcon to get the correct SELinux context for the ssh server -# initialization script so that it can transition correctly in an SELinux -# environment; matchpathcon is only available from FC-4 and moved from the -# libselinux to libselinux-utils package in F-10 -%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7) -BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted -%endif %description libssh2 is a library implementing the SSH2 protocol as defined by @@ -59,9 +45,7 @@ developing applications that use libssh2. Summary: Documentation for libssh2 Group: Development/Libraries Requires: %{name} = %{version}-%{release} -%if %{noarch_docs_package} BuildArch: noarch -%endif %description docs The libssh2-docs package contains man pages and examples for @@ -92,14 +76,13 @@ make %{?_smp_mflags} sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install -rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} \; +find %{buildroot} -name '*.la' -delete # clean things up a bit for packaging make -C example clean rm -rf example/.deps -find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete # avoid multilib conflict on libssh2-devel mv -v example example.%{_arch} 
@@ -124,20 +107,15 @@ echo "exit 0" > tests/mansyntax.sh %endif make -C tests check -%clean -rm -rf %{buildroot} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -%if 0%{?_licensedir:1} +%{!?_licensedir:%global license %%doc} %license COPYING -%else -%doc COPYING -%endif -%doc docs/AUTHORS ChangeLog NEWS README RELEASE-NOTES +%doc docs/AUTHORS README RELEASE-NOTES %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* @@ -154,6 +132,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sat Mar 5 2016 Peter Robinson 1.7.0-4 +- Modernise spec (no we really don't care about el4/fc4) +- Don't ship ChangeLog/NEWS, duplicates of RELEASE-NOTES + * Wed Feb 24 2016 Paul Howarth - 1.7.0-3 - Drop UTF-8 patch, which breaks things rather than fixes them From f8c7ae2c29f6ea3d55e37e2d5af9023c38253ef7 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 6 Mar 2016 11:56:26 +0000 Subject: [PATCH 73/93] Fix EL-5 compatibility - Revert parts of previous change that broke EL-5 compatibility - Include NEWS in docs package, it's much more than RELEASE-NOTES --- libssh2.spec | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 8826175..4d942dc 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -1,15 +1,25 @@ +# Fedora 10 onwards support noarch subpackages; by using one, we can +# put the arch-independent docs in a common subpackage and save lots +# of space on the mirrors +%if 0%{?fedora} > 9 || 0%{?rhel} > 5 +%global noarch_docs_package 1 +%else +%global noarch_docs_package 0 +%endif + # Define %%{__isa_bits} for old releases %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 Version: 1.7.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch2: CVE-2016-0787.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils BuildRequires: findutils @@ -19,11 +29,16 @@ BuildRequires: openssl-devel BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man -BuildRequires: libselinux-utils -BuildRequires: selinux-policy-targeted # Test suite requirements - we run the OpenSSH server and try to connect to it BuildRequires: openssh-server +# We use matchpathcon to get the correct SELinux context for the ssh server +# initialization script so that it can transition correctly in an SELinux +# environment +%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) +BuildRequires: libselinux-utils +BuildRequires: selinux-policy-targeted +%endif %description libssh2 is a library implementing the SSH2 protocol as defined by @@ -45,7 +60,9 @@ developing applications that use libssh2. Summary: Documentation for libssh2 Group: Development/Libraries Requires: %{name} = %{version}-%{release} +%if %{noarch_docs_package} BuildArch: noarch +%endif %description docs The libssh2-docs package contains man pages and examples for 
@@ -76,6 +93,7 @@ make %{?_smp_mflags} sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install +rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" find %{buildroot} -name '*.la' -delete @@ -107,6 +125,8 @@ echo "exit 0" > tests/mansyntax.sh %endif make -C tests check +%clean +rm -rf %{buildroot} %post -p /sbin/ldconfig @@ -120,7 +140,7 @@ make -C tests check %{_libdir}/libssh2.so.1.* %files docs -%doc docs/BINDINGS docs/HACKING docs/TODO +%doc docs/BINDINGS docs/HACKING docs/TODO NEWS %{_mandir}/man3/libssh2_*.3* %files devel @@ -132,7 +152,11 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog -* Sat Mar 5 2016 Peter Robinson 1.7.0-4 +* Sun Mar 6 2016 Paul Howarth - 1.7.0-5 +- Revert parts of previous change that broke EL-5 compatibility +- Include NEWS in docs package, it's much more than RELEASE-NOTES + +* Sat Mar 5 2016 Peter Robinson - 1.7.0-4 - Modernise spec (no we really don't care about el4/fc4) - Don't ship ChangeLog/NEWS, duplicates of RELEASE-NOTES From 975ba11ea3dd9b11a99f572c899410db4ab231ed Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 11 Oct 2016 18:12:02 +0200 Subject: [PATCH 74/93] rebuild with OpenSSL 1.1.0 --- libssh2-1.7.0-openssl11.patch | 304 ++++++++++++++++++++++++++++++++++ libssh2.spec | 8 +- 2 files changed, 311 insertions(+), 1 deletion(-) create mode 100644 libssh2-1.7.0-openssl11.patch diff --git a/libssh2-1.7.0-openssl11.patch b/libssh2-1.7.0-openssl11.patch new file mode 100644 index 0000000..bb32c3d --- /dev/null +++ b/libssh2-1.7.0-openssl11.patch 
@@ -0,0 +1,304 @@ +commit 64ebfd8182a9b6e637e65c3059e3798e199274b3 +Author: Taylor Holberton +Date: Mon Sep 5 06:28:51 2016 -0400 + + openssl: add OpenSSL 1.1.0 compatibility + +diff --git a/src/openssl.c b/src/openssl.c +index b0c695d..a31e2dd 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -66,33 +66,63 @@ _libssh2_rsa_new(libssh2_rsa_ctx ** rsa, + unsigned long e2len, + const unsigned char *coeffdata, unsigned long coefflen) + { +- *rsa = RSA_new(); ++ BIGNUM * e; ++ BIGNUM * n; ++ BIGNUM * d = 0; ++ BIGNUM * p = 0; ++ BIGNUM * q = 0; ++ BIGNUM * dmp1 = 0; ++ BIGNUM * dmq1 = 0; ++ BIGNUM * iqmp = 0; + +- (*rsa)->e = BN_new(); +- BN_bin2bn(edata, elen, (*rsa)->e); ++ e = BN_new(); ++ BN_bin2bn(edata, elen, e); + +- (*rsa)->n = BN_new(); +- BN_bin2bn(ndata, nlen, (*rsa)->n); ++ n = BN_new(); ++ BN_bin2bn(ndata, nlen, n); + + if (ddata) { +- (*rsa)->d = BN_new(); +- BN_bin2bn(ddata, dlen, (*rsa)->d); ++ d = BN_new(); ++ BN_bin2bn(ddata, dlen, d); + +- (*rsa)->p = BN_new(); +- BN_bin2bn(pdata, plen, (*rsa)->p); ++ p = BN_new(); ++ BN_bin2bn(pdata, plen, p); + +- (*rsa)->q = BN_new(); +- BN_bin2bn(qdata, qlen, (*rsa)->q); ++ q = BN_new(); ++ BN_bin2bn(qdata, qlen, q); + +- (*rsa)->dmp1 = BN_new(); +- BN_bin2bn(e1data, e1len, (*rsa)->dmp1); ++ dmp1 = BN_new(); ++ BN_bin2bn(e1data, e1len, dmp1); + +- (*rsa)->dmq1 = BN_new(); +- BN_bin2bn(e2data, e2len, (*rsa)->dmq1); ++ dmq1 = BN_new(); ++ BN_bin2bn(e2data, e2len, dmq1); + +- (*rsa)->iqmp = BN_new(); +- BN_bin2bn(coeffdata, coefflen, (*rsa)->iqmp); ++ iqmp = BN_new(); ++ BN_bin2bn(coeffdata, coefflen, iqmp); + } ++ ++ *rsa = RSA_new(); ++#ifdef HAVE_OPAQUE_STRUCTS ++ RSA_set0_key(*rsa, n, e, d); ++#else ++ (*rsa)->e = e; ++ (*rsa)->n = n; ++#endif ++ ++#ifdef HAVE_OPAQUE_STRUCTS ++ RSA_set0_factors(*rsa, p, q); ++#else ++ (*rsa)->p = p; ++ (*rsa)->q = q; ++#endif ++ ++#ifdef HAVE_OPAQUE_STRUCTS ++ RSA_set0_crt_params(*rsa, dmp1, dmq1, iqmp); ++#else ++ (*rsa)->dmp1 = dmp1; ++ (*rsa)->dmq1 = dmq1; ++ (*rsa)->iqmp = 
iqmp; ++#endif + return 0; + } + +@@ -125,25 +155,45 @@ _libssh2_dsa_new(libssh2_dsa_ctx ** dsactx, + unsigned long y_len, + const unsigned char *x, unsigned long x_len) + { +- *dsactx = DSA_new(); ++ BIGNUM * p_bn; ++ BIGNUM * q_bn; ++ BIGNUM * g_bn; ++ BIGNUM * pub_key; ++ BIGNUM * priv_key = NULL; + +- (*dsactx)->p = BN_new(); +- BN_bin2bn(p, p_len, (*dsactx)->p); ++ p_bn = BN_new(); ++ BN_bin2bn(p, p_len, p_bn); + +- (*dsactx)->q = BN_new(); +- BN_bin2bn(q, q_len, (*dsactx)->q); ++ q_bn = BN_new(); ++ BN_bin2bn(q, q_len, q_bn); + +- (*dsactx)->g = BN_new(); +- BN_bin2bn(g, g_len, (*dsactx)->g); ++ g_bn = BN_new(); ++ BN_bin2bn(g, g_len, g_bn); + +- (*dsactx)->pub_key = BN_new(); +- BN_bin2bn(y, y_len, (*dsactx)->pub_key); ++ pub_key = BN_new(); ++ BN_bin2bn(y, y_len, pub_key); + + if (x_len) { +- (*dsactx)->priv_key = BN_new(); +- BN_bin2bn(x, x_len, (*dsactx)->priv_key); ++ priv_key = BN_new(); ++ BN_bin2bn(x, x_len, priv_key); + } + ++ *dsactx = DSA_new(); ++ ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_set0_pqg(*dsactx, p_bn, q_bn, g_bn); ++#else ++ (*dsactx)->p = p_bn; ++ (*dsactx)->g = g_bn; ++ (*dsactx)->q = q_bn; ++#endif ++ ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_set0_key(*dsactx, pub_key, priv_key); ++#else ++ (*dsactx)->pub_key = pub_key; ++ (*dsactx)->priv_key = priv_key; ++#endif + return 0; + } + +@@ -153,20 +203,28 @@ _libssh2_dsa_sha1_verify(libssh2_dsa_ctx * dsactx, + const unsigned char *m, unsigned long m_len) + { + unsigned char hash[SHA_DIGEST_LENGTH]; +- DSA_SIG dsasig; ++ DSA_SIG * dsasig; ++ BIGNUM * r; ++ BIGNUM * s; + int ret = -1; + +- dsasig.r = BN_new(); +- BN_bin2bn(sig, 20, dsasig.r); +- dsasig.s = BN_new(); +- BN_bin2bn(sig + 20, 20, dsasig.s); ++ r = BN_new(); ++ BN_bin2bn(sig, 20, r); ++ s = BN_new(); ++ BN_bin2bn(sig + 20, 20, s); + ++ dsasig = DSA_SIG_new(); ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_SIG_set0(dsasig, r, s); ++#else ++ dsasig->r = r; ++ dsasig->s = s; ++#endif + if (!_libssh2_sha1(m, m_len, hash)) + /* _libssh2_sha1() succeeded */ 
+- ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, &dsasig, dsactx); ++ ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, dsasig, dsactx); + +- BN_clear_free(dsasig.s); +- BN_clear_free(dsasig.r); ++ DSA_SIG_free(dsasig); + + return (ret == 1) ? 0 : -1; + } +@@ -586,6 +644,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + unsigned long hash_len, unsigned char *signature) + { + DSA_SIG *sig; ++ const BIGNUM * r; ++ const BIGNUM * s; + int r_len, s_len; + (void) hash_len; + +@@ -594,12 +654,18 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + return -1; + } + +- r_len = BN_num_bytes(sig->r); ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_SIG_get0(sig, &r, &s); ++#else ++ r = sig->r; ++ s = sig->s; ++#endif ++ r_len = BN_num_bytes(r); + if (r_len < 1 || r_len > 20) { + DSA_SIG_free(sig); + return -1; + } +- s_len = BN_num_bytes(sig->s); ++ s_len = BN_num_bytes(s); + if (s_len < 1 || s_len > 20) { + DSA_SIG_free(sig); + return -1; +@@ -607,8 +673,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, + + memset(signature, 0, 40); + +- BN_bn2bin(sig->r, signature + (20 - r_len)); +- BN_bn2bin(sig->s, signature + 20 + (20 - s_len)); ++ BN_bn2bin(r, signature + (20 - r_len)); ++ BN_bn2bin(s, signature + 20 + (20 - s_len)); + + DSA_SIG_free(sig); + +@@ -768,9 +834,16 @@ gen_publickey_from_rsa(LIBSSH2_SESSION *session, RSA *rsa, + unsigned long len; + unsigned char* key; + unsigned char* p; +- +- e_bytes = BN_num_bytes(rsa->e) + 1; +- n_bytes = BN_num_bytes(rsa->n) + 1; ++ const BIGNUM * e; ++ const BIGNUM * n; ++#ifdef HAVE_OPAQUE_STRUCTS ++ RSA_get0_key(rsa, &n, &e, NULL); ++#else ++ e = rsa->e; ++ n = rsa->n; ++#endif ++ e_bytes = BN_num_bytes(e) + 1; ++ n_bytes = BN_num_bytes(n) + 1; + + /* Key form is "ssh-rsa" + e + n. 
*/ + len = 4 + 7 + 4 + e_bytes + 4 + n_bytes; +@@ -788,8 +861,8 @@ gen_publickey_from_rsa(LIBSSH2_SESSION *session, RSA *rsa, + memcpy(p, "ssh-rsa", 7); + p += 7; + +- p = write_bn(p, rsa->e, e_bytes); +- p = write_bn(p, rsa->n, n_bytes); ++ p = write_bn(p, e, e_bytes); ++ p = write_bn(p, n, n_bytes); + + *key_len = (size_t)(p - key); + return key; +@@ -805,10 +878,27 @@ gen_publickey_from_dsa(LIBSSH2_SESSION* session, DSA *dsa, + unsigned char* key; + unsigned char* p; + +- p_bytes = BN_num_bytes(dsa->p) + 1; +- q_bytes = BN_num_bytes(dsa->q) + 1; +- g_bytes = BN_num_bytes(dsa->g) + 1; +- k_bytes = BN_num_bytes(dsa->pub_key) + 1; ++ const BIGNUM * p_bn; ++ const BIGNUM * q; ++ const BIGNUM * g; ++ const BIGNUM * pub_key; ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_get0_pqg(dsa, &p_bn, &q, &g); ++#else ++ p_bn = dsa->p; ++ q = dsa->q; ++ g = dsa->g; ++#endif ++ ++#ifdef HAVE_OPAQUE_STRUCTS ++ DSA_get0_key(dsa, &pub_key, NULL); ++#else ++ pub_key = dsa->pub_key; ++#endif ++ p_bytes = BN_num_bytes(p_bn) + 1; ++ q_bytes = BN_num_bytes(q) + 1; ++ g_bytes = BN_num_bytes(g) + 1; ++ k_bytes = BN_num_bytes(pub_key) + 1; + + /* Key form is "ssh-dss" + p + q + g + pub_key. */ + len = 4 + 7 + 4 + p_bytes + 4 + q_bytes + 4 + g_bytes + 4 + k_bytes; +@@ -826,10 +916,10 @@ gen_publickey_from_dsa(LIBSSH2_SESSION* session, DSA *dsa, + memcpy(p, "ssh-dss", 7); + p += 7; + +- p = write_bn(p, dsa->p, p_bytes); +- p = write_bn(p, dsa->q, q_bytes); +- p = write_bn(p, dsa->g, g_bytes); +- p = write_bn(p, dsa->pub_key, k_bytes); ++ p = write_bn(p, p_bn, p_bytes); ++ p = write_bn(p, q, q_bytes); ++ p = write_bn(p, g, g_bytes); ++ p = write_bn(p, pub_key, k_bytes); + + *key_len = (size_t)(p - key); + return key; diff --git a/libssh2.spec b/libssh2.spec index 4d942dc..8060e5f 100644 --- a/libssh2.spec +++ b/libssh2.spec 
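Review bot: In the `#else` (non-opaque) branch of `_libssh2_rsa_new`, `d` is never stored: the branch sets only `(*rsa)->e` and `(*rsa)->n`, while the code it replaces also filled `(*rsa)->d`. On a build without `HAVE_OPAQUE_STRUCTS`, the BIGNUM allocated for `d` under `if (ddata)` is therefore leaked and the RSA object is left without its private exponent; add `(*rsa)->d = d;` to that branch. Separately, the results of `BN_new()`, `BN_bin2bn()`, `RSA_new()`, `DSA_new()` and `DSA_SIG_new()` and the return values of the `*_set0_*` calls are used unchecked throughout the new code (the removed code had the same gap), so an allocation failure would be passed on as a NULL pointer. Where `HAVE_OPAQUE_STRUCTS` gets defined is not visible in this patch, so which branch a given build takes should be confirmed.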
@@ -12,13 +12,14 @@ Name: libssh2 Version: 1.7.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch2: CVE-2016-0787.patch +Patch3: libssh2-1.7.0-openssl11.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils @@ -77,6 +78,8 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) %patch2 -p1 +# Build with OpenSSL 1.1.0 from upstream git +%patch3 -p1 # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) @@ -152,6 +155,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Oct 11 2016 Tomáš Mráz - 1.7.0-6 +- rebuild with OpenSSL 1.1.0 + * Sun Mar 6 2016 Paul Howarth - 1.7.0-5 - Revert parts of previous change that broke EL-5 compatibility - Include NEWS in docs package, it's much more than RELEASE-NOTES From 999a09c3363f72865aeb7487beaddff5783de755 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 20 Oct 2016 17:38:44 +0200 Subject: [PATCH 75/93] make curl test-suite work again with valgrind enabled --- libssh2.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 8060e5f..4c1514a 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.7.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -20,6 +20,7 @@ URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch2: CVE-2016-0787.patch Patch3: libssh2-1.7.0-openssl11.patch +Patch4: libssh2-1.7.0-openssl11-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils 
@@ -78,9 +79,13 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) %patch2 -p1 + # Build with OpenSSL 1.1.0 from upstream git %patch3 -p1 +# make curl test-suite work again with valgrind enabled +%patch4 -p1 + # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -155,6 +160,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Oct 20 2016 Kamil Dudka - 1.7.0-7 +- make curl test-suite work again with valgrind enabled + * Tue Oct 11 2016 Tomáš Mráz - 1.7.0-6 - rebuild with OpenSSL 1.1.0 From 29e2533fad980a44f73f4d83d4fa79f222309033 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 20 Oct 2016 17:47:18 +0200 Subject: [PATCH 76/93] add libssh2-1.7.0-openssl11-memleak.patch ... forgotten in the last commit --- libssh2-1.7.0-openssl11-memleak.patch | 38 +++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 libssh2-1.7.0-openssl11-memleak.patch diff --git a/libssh2-1.7.0-openssl11-memleak.patch b/libssh2-1.7.0-openssl11-memleak.patch new file mode 100644 index 0000000..94f88c0 --- /dev/null +++ b/libssh2-1.7.0-openssl11-memleak.patch 
@@ -0,0 +1,38 @@
+From c43eb3bae2b63affe5b16bfdab028a65cdc055db Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 20 Oct 2016 17:22:31 +0200
+Subject: [PATCH] Revert "aes: the init function fails when OpenSSL has AES
+ support"
+
+This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
+because it caused the compatibility code to call initialization routines
+redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
+test-suite in Fedora:
+
+88 bytes in 1 blocks are definitely lost in loss record 5 of 8
+ at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
+ by 0x72C607D: CRYPTO_zalloc (mem.c:100)
+ by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
+ by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
+ by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
+ by 0x4E5BB5A: libssh2_init (global.c:49)
+---
+ src/openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/openssl.c b/src/openssl.c
+index a31e2dd..4f63ef9 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -265,7 +265,7 @@ _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx,
+ return ret == 1 ? 0 : 1;
+ }
+
+-#if LIBSSH2_AES_CTR
++#if LIBSSH2_AES_CTR && !defined(HAVE_EVP_AES_128_CTR)
+
+ #include
+ #include
+--
+2.7.4
+
From a9c954ed4c8241e05c610dd7ed282911f8b7a7b8 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Tue, 25 Oct 2016 09:16:53 +0100 Subject: [PATCH 77/93] Update to 1.8.0 - New upstream release 1.8.0 - Added a basic dockerised test suite - crypto: Add support for the mbedTLS backend - See RELEASE-NOTES for details of bug fixes --- CVE-2016-0787.patch | 30 --- libssh2-1.7.0-openssl11-memleak.patch | 38 ---- libssh2-1.7.0-openssl11.patch | 304 -------------------------- libssh2.spec | 29 +-- 4 files changed, 10 insertions(+), 391 deletions(-) delete mode 100644 CVE-2016-0787.patch delete mode 100644 libssh2-1.7.0-openssl11-memleak.patch delete mode 100644 libssh2-1.7.0-openssl11.patch
diff --git a/CVE-2016-0787.patch b/CVE-2016-0787.patch
deleted file mode 100644
index 8827c5d..0000000
--- a/CVE-2016-0787.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 8a453a7b0f1e667b7369eb73b00843a8decdecc9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 11 Feb 2016 13:52:20 +0100
-Subject: [PATCH] diffie_hellman_sha1: convert bytes to bits
-
-As otherwise we get far too small numbers.
-
-CVE-2016-0787
-
-Signed-off-by: Kamil Dudka
----
- src/kex.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/kex.c b/src/kex.c
-index 6349457..e89b36c 100644
---- a/src/kex.c
-+++ b/src/kex.c
-@@ -133,7 +133,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
- memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
-
- /* Generate x and e */
-- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
-+ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
- _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
- exchange_state->ctx);
-
---
-2.7.0
-
diff --git a/libssh2-1.7.0-openssl11-memleak.patch b/libssh2-1.7.0-openssl11-memleak.patch
deleted file mode 100644
index 94f88c0..0000000
--- a/libssh2-1.7.0-openssl11-memleak.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From c43eb3bae2b63affe5b16bfdab028a65cdc055db Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Thu, 20 Oct 2016 17:22:31 +0200
-Subject: [PATCH] Revert "aes: the init function fails when OpenSSL has AES
- support"
-
-This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
-because it caused the compatibility code to call initialization routines
-redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
-test-suite in Fedora:
-
-88 bytes in 1 blocks are definitely lost in loss record 5 of 8
- at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
- by 0x72C607D: CRYPTO_zalloc (mem.c:100)
- by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
- by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
- by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
- by 0x4E5BB5A: libssh2_init (global.c:49)
----
- src/openssl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openssl.c b/src/openssl.c
-index a31e2dd..4f63ef9 100644
---- a/src/openssl.c
-+++ b/src/openssl.c
-@@ -265,7 +265,7 @@ _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx,
- return ret == 1 ? 0 : 1;
- }
-
--#if LIBSSH2_AES_CTR
-+#if LIBSSH2_AES_CTR && !defined(HAVE_EVP_AES_128_CTR)
-
- #include
- #include
---
-2.7.4
-
diff --git a/libssh2-1.7.0-openssl11.patch b/libssh2-1.7.0-openssl11.patch
deleted file mode 100644
index bb32c3d..0000000
--- a/libssh2-1.7.0-openssl11.patch
+++ /dev/null
@@ -1,304 +0,0 @@ -commit 64ebfd8182a9b6e637e65c3059e3798e199274b3 -Author: Taylor Holberton -Date: Mon Sep 5 06:28:51 2016 -0400 - - openssl: add OpenSSL 1.1.0 compatibility - -diff --git a/src/openssl.c b/src/openssl.c -index b0c695d..a31e2dd 100644 ---- a/src/openssl.c -+++ b/src/openssl.c -@@ -66,33 +66,63 @@ _libssh2_rsa_new(libssh2_rsa_ctx ** rsa, - unsigned long e2len, - const unsigned char *coeffdata, unsigned long coefflen) - { -- *rsa = RSA_new(); -+ BIGNUM * e; -+ BIGNUM * n; -+ BIGNUM * d = 0; -+ BIGNUM * p = 0; -+ BIGNUM * q = 0; -+ BIGNUM * dmp1 = 0; -+ BIGNUM * dmq1 = 0; -+ BIGNUM * iqmp = 0; - -- (*rsa)->e = BN_new(); -- BN_bin2bn(edata, elen, (*rsa)->e); -+ e = BN_new(); -+ BN_bin2bn(edata, elen, e); - -- (*rsa)->n = BN_new(); -- BN_bin2bn(ndata, nlen, (*rsa)->n); -+ n = BN_new(); -+ BN_bin2bn(ndata, nlen, n); - - if (ddata) { -- (*rsa)->d = BN_new(); -- BN_bin2bn(ddata, dlen, (*rsa)->d); -+ d = BN_new(); -+ BN_bin2bn(ddata, dlen, d); - -- (*rsa)->p = BN_new(); -- BN_bin2bn(pdata, plen, (*rsa)->p); -+ p = BN_new(); -+ BN_bin2bn(pdata, plen, p); - -- (*rsa)->q = BN_new(); -- BN_bin2bn(qdata, qlen, (*rsa)->q); -+ q = BN_new(); -+ BN_bin2bn(qdata, qlen, q); - -- (*rsa)->dmp1 = BN_new(); -- BN_bin2bn(e1data, e1len, (*rsa)->dmp1); -+ dmp1 = BN_new(); -+ BN_bin2bn(e1data, e1len, dmp1); - -- (*rsa)->dmq1 = BN_new(); -- BN_bin2bn(e2data, e2len, (*rsa)->dmq1); -+ dmq1 = BN_new(); -+ BN_bin2bn(e2data, e2len, dmq1); - -- (*rsa)->iqmp = BN_new(); -- BN_bin2bn(coeffdata, coefflen, (*rsa)->iqmp); -+ iqmp = BN_new(); -+ BN_bin2bn(coeffdata, coefflen, iqmp); - } -+ -+ *rsa = RSA_new(); -+#ifdef HAVE_OPAQUE_STRUCTS -+ RSA_set0_key(*rsa, n, e, d); -+#else -+ (*rsa)->e = e; -+ (*rsa)->n = n; -+#endif -+ -+#ifdef HAVE_OPAQUE_STRUCTS -+ RSA_set0_factors(*rsa, p, q); -+#else -+ (*rsa)->p = p; -+ (*rsa)->q = q; -+#endif -+ -+#ifdef HAVE_OPAQUE_STRUCTS -+ RSA_set0_crt_params(*rsa, dmp1, dmq1, iqmp); -+#else -+ (*rsa)->dmp1 = dmp1; -+ (*rsa)->dmq1 = dmq1; -+ (*rsa)->iqmp = 
iqmp; -+#endif - return 0; - } - -@@ -125,25 +155,45 @@ _libssh2_dsa_new(libssh2_dsa_ctx ** dsactx, - unsigned long y_len, - const unsigned char *x, unsigned long x_len) - { -- *dsactx = DSA_new(); -+ BIGNUM * p_bn; -+ BIGNUM * q_bn; -+ BIGNUM * g_bn; -+ BIGNUM * pub_key; -+ BIGNUM * priv_key = NULL; - -- (*dsactx)->p = BN_new(); -- BN_bin2bn(p, p_len, (*dsactx)->p); -+ p_bn = BN_new(); -+ BN_bin2bn(p, p_len, p_bn); - -- (*dsactx)->q = BN_new(); -- BN_bin2bn(q, q_len, (*dsactx)->q); -+ q_bn = BN_new(); -+ BN_bin2bn(q, q_len, q_bn); - -- (*dsactx)->g = BN_new(); -- BN_bin2bn(g, g_len, (*dsactx)->g); -+ g_bn = BN_new(); -+ BN_bin2bn(g, g_len, g_bn); - -- (*dsactx)->pub_key = BN_new(); -- BN_bin2bn(y, y_len, (*dsactx)->pub_key); -+ pub_key = BN_new(); -+ BN_bin2bn(y, y_len, pub_key); - - if (x_len) { -- (*dsactx)->priv_key = BN_new(); -- BN_bin2bn(x, x_len, (*dsactx)->priv_key); -+ priv_key = BN_new(); -+ BN_bin2bn(x, x_len, priv_key); - } - -+ *dsactx = DSA_new(); -+ -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_set0_pqg(*dsactx, p_bn, q_bn, g_bn); -+#else -+ (*dsactx)->p = p_bn; -+ (*dsactx)->g = g_bn; -+ (*dsactx)->q = q_bn; -+#endif -+ -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_set0_key(*dsactx, pub_key, priv_key); -+#else -+ (*dsactx)->pub_key = pub_key; -+ (*dsactx)->priv_key = priv_key; -+#endif - return 0; - } - -@@ -153,20 +203,28 @@ _libssh2_dsa_sha1_verify(libssh2_dsa_ctx * dsactx, - const unsigned char *m, unsigned long m_len) - { - unsigned char hash[SHA_DIGEST_LENGTH]; -- DSA_SIG dsasig; -+ DSA_SIG * dsasig; -+ BIGNUM * r; -+ BIGNUM * s; - int ret = -1; - -- dsasig.r = BN_new(); -- BN_bin2bn(sig, 20, dsasig.r); -- dsasig.s = BN_new(); -- BN_bin2bn(sig + 20, 20, dsasig.s); -+ r = BN_new(); -+ BN_bin2bn(sig, 20, r); -+ s = BN_new(); -+ BN_bin2bn(sig + 20, 20, s); - -+ dsasig = DSA_SIG_new(); -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_SIG_set0(dsasig, r, s); -+#else -+ dsasig->r = r; -+ dsasig->s = s; -+#endif - if (!_libssh2_sha1(m, m_len, hash)) - /* _libssh2_sha1() succeeded */ 
-- ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, &dsasig, dsactx); -+ ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, dsasig, dsactx); - -- BN_clear_free(dsasig.s); -- BN_clear_free(dsasig.r); -+ DSA_SIG_free(dsasig); - - return (ret == 1) ? 0 : -1; - } -@@ -586,6 +644,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - unsigned long hash_len, unsigned char *signature) - { - DSA_SIG *sig; -+ const BIGNUM * r; -+ const BIGNUM * s; - int r_len, s_len; - (void) hash_len; - -@@ -594,12 +654,18 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - return -1; - } - -- r_len = BN_num_bytes(sig->r); -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_SIG_get0(sig, &r, &s); -+#else -+ r = sig->r; -+ s = sig->s; -+#endif -+ r_len = BN_num_bytes(r); - if (r_len < 1 || r_len > 20) { - DSA_SIG_free(sig); - return -1; - } -- s_len = BN_num_bytes(sig->s); -+ s_len = BN_num_bytes(s); - if (s_len < 1 || s_len > 20) { - DSA_SIG_free(sig); - return -1; -@@ -607,8 +673,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx, - - memset(signature, 0, 40); - -- BN_bn2bin(sig->r, signature + (20 - r_len)); -- BN_bn2bin(sig->s, signature + 20 + (20 - s_len)); -+ BN_bn2bin(r, signature + (20 - r_len)); -+ BN_bn2bin(s, signature + 20 + (20 - s_len)); - - DSA_SIG_free(sig); - -@@ -768,9 +834,16 @@ gen_publickey_from_rsa(LIBSSH2_SESSION *session, RSA *rsa, - unsigned long len; - unsigned char* key; - unsigned char* p; -- -- e_bytes = BN_num_bytes(rsa->e) + 1; -- n_bytes = BN_num_bytes(rsa->n) + 1; -+ const BIGNUM * e; -+ const BIGNUM * n; -+#ifdef HAVE_OPAQUE_STRUCTS -+ RSA_get0_key(rsa, &n, &e, NULL); -+#else -+ e = rsa->e; -+ n = rsa->n; -+#endif -+ e_bytes = BN_num_bytes(e) + 1; -+ n_bytes = BN_num_bytes(n) + 1; - - /* Key form is "ssh-rsa" + e + n. 
*/ - len = 4 + 7 + 4 + e_bytes + 4 + n_bytes; -@@ -788,8 +861,8 @@ gen_publickey_from_rsa(LIBSSH2_SESSION *session, RSA *rsa, - memcpy(p, "ssh-rsa", 7); - p += 7; - -- p = write_bn(p, rsa->e, e_bytes); -- p = write_bn(p, rsa->n, n_bytes); -+ p = write_bn(p, e, e_bytes); -+ p = write_bn(p, n, n_bytes); - - *key_len = (size_t)(p - key); - return key; -@@ -805,10 +878,27 @@ gen_publickey_from_dsa(LIBSSH2_SESSION* session, DSA *dsa, - unsigned char* key; - unsigned char* p; - -- p_bytes = BN_num_bytes(dsa->p) + 1; -- q_bytes = BN_num_bytes(dsa->q) + 1; -- g_bytes = BN_num_bytes(dsa->g) + 1; -- k_bytes = BN_num_bytes(dsa->pub_key) + 1; -+ const BIGNUM * p_bn; -+ const BIGNUM * q; -+ const BIGNUM * g; -+ const BIGNUM * pub_key; -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_get0_pqg(dsa, &p_bn, &q, &g); -+#else -+ p_bn = dsa->p; -+ q = dsa->q; -+ g = dsa->g; -+#endif -+ -+#ifdef HAVE_OPAQUE_STRUCTS -+ DSA_get0_key(dsa, &pub_key, NULL); -+#else -+ pub_key = dsa->pub_key; -+#endif -+ p_bytes = BN_num_bytes(p_bn) + 1; -+ q_bytes = BN_num_bytes(q) + 1; -+ g_bytes = BN_num_bytes(g) + 1; -+ k_bytes = BN_num_bytes(pub_key) + 1; - - /* Key form is "ssh-dss" + p + q + g + pub_key. */ - len = 4 + 7 + 4 + p_bytes + 4 + q_bytes + 4 + g_bytes + 4 + k_bytes; -@@ -826,10 +916,10 @@ gen_publickey_from_dsa(LIBSSH2_SESSION* session, DSA *dsa, - memcpy(p, "ssh-dss", 7); - p += 7; - -- p = write_bn(p, dsa->p, p_bytes); -- p = write_bn(p, dsa->q, q_bytes); -- p = write_bn(p, dsa->g, g_bytes); -- p = write_bn(p, dsa->pub_key, k_bytes); -+ p = write_bn(p, p_bn, p_bytes); -+ p = write_bn(p, q, q_bytes); -+ p = write_bn(p, g, g_bytes); -+ p = write_bn(p, pub_key, k_bytes); - - *key_len = (size_t)(p - key); - return key; diff --git a/libssh2.spec b/libssh2.spec index 4c1514a..dcb51ae 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -11,16 +11,13 @@ %{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} Name: libssh2 -Version: 1.7.0 -Release: 7%{?dist} +Version: 1.8.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch2: CVE-2016-0787.patch -Patch3: libssh2-1.7.0-openssl11.patch -Patch4: libssh2-1.7.0-openssl11-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: coreutils @@ -77,15 +74,6 @@ developing applications that use libssh2. # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} -# diffie_hellman_sha1: Convert bytes to bits (additional fix for CVE-2016-0787) -%patch2 -p1 - -# Build with OpenSSL 1.1.0 from upstream git -%patch3 -p1 - -# make curl test-suite work again with valgrind enabled -%patch4 -p1 - # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : @@ -97,9 +85,6 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | %configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} -# Avoid polluting libssh2.pc with linker options (#947813) -sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc - %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" 
@@ -160,11 +145,17 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Oct 25 2016 Paul Howarth - 1.8.0-1 +- Update to 1.8.0 + - Added a basic dockerised test suite + - crypto: Add support for the mbedTLS backend + - See RELEASE-NOTES for details of bug fixes + * Thu Oct 20 2016 Kamil Dudka - 1.7.0-7 -- make curl test-suite work again with valgrind enabled +- Make curl test-suite work again with valgrind enabled * Tue Oct 11 2016 Tomáš Mráz - 1.7.0-6 -- rebuild with OpenSSL 1.1.0 +- Rebuild with OpenSSL 1.1.0 * Sun Mar 6 2016 Paul Howarth - 1.7.0-5 - Revert parts of previous change that broke EL-5 compatibility From fa24637e03111b90868a95c847bc76b391063e60 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Tue, 25 Oct 2016 09:23:34 +0100 Subject: [PATCH 78/93] libssh2 1.8.0 --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index e4f6cdc..8551b1a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b01662a210e94cccf2f76094db7dac5c libssh2-1.7.0.tar.gz +3d1147cae66e2959ea5441b183de1b1c libssh2-1.8.0.tar.gz From e44a6af4ac5f823db5654f18f7db7cf9f1b176d9 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 10 Feb 2017 19:30:17 +0000 Subject: [PATCH 79/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index dcb51ae..a708cab 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -145,6 +145,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Feb 10 2017 Fedora Release Engineering - 1.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Tue Oct 25 2016 Paul Howarth - 1.8.0-1 - Update to 1.8.0 - Added a basic dockerised test suite 
From 30a5673bf1f1782599a85415ad6bcdb132d64013 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 19:46:05 +0000 Subject: [PATCH 80/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index a708cab..c527012 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.8.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -145,6 +145,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 1.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Fri Feb 10 2017 Fedora Release Engineering - 1.8.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild From 29d026f7128d73c88d91a9d381e4315aadfa906f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 3 Aug 2017 02:19:51 +0000 Subject: [PATCH 81/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index c527012..a65be61 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.8.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -145,6 +145,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 1.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 1.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From af56e4903a2940143c82edfd92315be582458dd7 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Tue, 12 Sep 2017 10:54:52 +0100 Subject: [PATCH 82/93] Fix for BrickFTP (#1489736), spec clean-up - scp: Do not NUL-terminate the command for remote exec (#1489736, GH#208) - Make devel package dependency on main package arch-specific - Drop EL-5 support - noarch sub-packages always available now - Drop legacy Group: and BuildRoot: tags - Drop explicit buildroot cleaning - %{__isa_bits} always defined now --- ...erminate-the-command-for-remote-exec.patch | 45 +++++++++++++++++++ libssh2.spec | 45 ++++++++----------- 2 files changed, 64 insertions(+), 26 deletions(-) create mode 100644 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch diff --git a/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch b/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch new file mode 100644 index 0000000..a6881dd --- /dev/null +++ b/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch 
@@ -0,0 +1,45 @@ +From 819ef4f2037490b6aa2e870aea851b6364184090 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 11 Sep 2017 21:13:45 +0200 +Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208) + +It breaks SCP download/upload from/to certain server implementations. + +The bug does not manifest with OpenSSH, which silently drops the NUL +byte (eventually with any garbage that follows the NUL byte) before +executing it. + +Bug: https://bugzilla.redhat.com/1489736 +--- + src/scp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/scp.c b/src/scp.c +index 22778dd..d1665a6 100644 +--- a/src/scp.c ++++ b/src/scp.c +@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb) + &session->scpRecv_command[cmd_len], + session->scpRecv_command_len - cmd_len); + +- session->scpRecv_command[cmd_len] = '\0'; +- session->scpRecv_command_len = cmd_len + 1; ++ /* the command to exec should _not_ be NUL-terminated */ ++ session->scpRecv_command_len = cmd_len; + + _libssh2_debug(session, LIBSSH2_TRACE_SCP, + "Opening channel for SCP receive"); +@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, + &session->scpSend_command[cmd_len], + session->scpSend_command_len - cmd_len); + +- session->scpSend_command[cmd_len] = '\0'; +- session->scpSend_command_len = cmd_len + 1; ++ /* the command to exec should _not_ be NUL-terminated */ ++ session->scpSend_command_len = cmd_len; + + _libssh2_debug(session, LIBSSH2_TRACE_SCP, + "Opening channel for SCP send"); +-- +2.9.5 + diff --git a/libssh2.spec b/libssh2.spec index a65be61..ef5d135 100644 --- a/libssh2.spec +++ b/libssh2.spec 
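Review bot: After this change `session->scpRecv_command` (in `scp_recv`) and `session->scpSend_command` (in `scp_send`) are length-counted byte buffers rather than C strings, and the new comment does not say why or warn about it. I would expand it in both places to something like `/* exec payload is length-prefixed on the wire; a trailing NUL would reach the server as part of the command, and the buffer is NOT a C string from here on */`. Any code outside these hunks that still passes either buffer to a string function or a `%s` format would now read past `scp*_command_len`; that is not visible here and should be checked. Both functions start before and continue after the hunks shown.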
@@ -1,24 +1,11 @@ -# Fedora 10 onwards support noarch subpackages; by using one, we can -# put the arch-independent docs in a common subpackage and save lots -# of space on the mirrors -%if 0%{?fedora} > 9 || 0%{?rhel} > 5 -%global noarch_docs_package 1 -%else -%global noarch_docs_package 0 -%endif - -# Define %%{__isa_bits} for old releases -%{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} - Name: libssh2 Version: 1.8.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A library implementing the SSH2 protocol -Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +Patch1: 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch BuildRequires: coreutils BuildRequires: findutils @@ -47,8 +34,7 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). %package devel Summary: Development files for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel @@ -57,11 +43,8 @@ developing applications that use libssh2. %package docs Summary: Documentation for libssh2 -Group: Development/Libraries Requires: %{name} = %{version}-%{release} -%if %{noarch_docs_package} BuildArch: noarch -%endif %description docs The libssh2-docs package contains man pages and examples for 
@@ -70,9 +53,14 @@ developing applications that use libssh2. %prep %setup -q +# scp: do not NUL-terminate the command for remote exec +# https://bugzilla.redhat.com/show_bug.cgi?id=1489736 +# https://github.com/libssh2/libssh2/pull/208 +%patch1 -p1 + # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host -sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} +sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) @@ -86,7 +74,6 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | make %{?_smp_mflags} %install -rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" find %{buildroot} -name '*.la' -delete @@ -118,9 +105,6 @@ echo "exit 0" > tests/mansyntax.sh %endif make -C tests check -%clean -rm -rf %{buildroot} - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -145,6 +129,15 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Sep 12 2017 Paul Howarth - 1.8.0-5 +- scp: Do not NUL-terminate the command for remote exec (#1489736, GH#208) +- Make devel package dependency on main package arch-specific +- Drop EL-5 support + - noarch sub-packages always available now + - Drop legacy Group: and BuildRoot: tags + - Drop explicit buildroot cleaning + - %%{__isa_bits} always defined now + * Thu Aug 03 2017 Fedora Release Engineering - 1.8.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 
@@ -345,7 +338,7 @@ rm -rf %{buildroot} - OpenSSL EVP: fix threaded use of structs - _libssh2_channel_read: react on errors from receive_window_adjust - sftp_read: cap the read ahead maximum amount - - _libssh2_channel_read: fix non-blocking window adjusting + - _libssh2_channel_read: fix non-blocking window adjusting - add upstream patch fixing undefined function reference in libgcrypt backend - BR: /usr/bin/man for test suite From 2ee9663dd7145878d2e1809d144fcafa2add2f07 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Sat, 3 Feb 2018 16:28:53 +0100 Subject: [PATCH 83/93] Switch to %ldconfig_scriptlets Signed-off-by: Igor Gnatenko --- libssh2.spec | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index ef5d135..303f344 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.8.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ @@ -105,9 +105,7 @@ echo "exit 0" > tests/mansyntax.sh %endif make -C tests check -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %files %{!?_licensedir:%global license %%doc} @@ -129,6 +127,9 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sat Feb 03 2018 Igor Gnatenko - 1.8.0-6 +- Switch to %%ldconfig_scriptlets + * Tue Sep 12 2017 Paul Howarth - 1.8.0-5 - scp: Do not NUL-terminate the command for remote exec (#1489736, GH#208) - Make devel package dependency on main package arch-specific From 339e430067b87f7efb18282cd580208dd3b40e3e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 7 Feb 2018 23:25:06 +0000 Subject: [PATCH 84/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 303f344..0962fe4 100644 --- a/libssh2.spec 
+++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.8.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ @@ -127,6 +127,9 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Feb 07 2018 Fedora Release Engineering - 1.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Sat Feb 03 2018 Igor Gnatenko - 1.8.0-6 - Switch to %%ldconfig_scriptlets From d1bae723b78f53c9c223187a7ec08540a57a7666 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 13 Jul 2018 08:52:50 +0000 Subject: [PATCH 85/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 0962fe4..7378a82 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.8.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ @@ -127,6 +127,9 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Jul 13 2018 Fedora Release Engineering - 1.8.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Wed Feb 07 2018 Fedora Release Engineering - 1.8.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild From 4fcb4f9ea8a83f1a077e6c8b823c1d1edfc9f76b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 1 Feb 2019 08:17:37 +0000 Subject: [PATCH 86/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index 7378a82..4728d9d 100644 --- a/libssh2.spec +++ b/libssh2.spec 
@@ -1,6 +1,6 @@ Name: libssh2 Version: 1.8.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ @@ -127,6 +127,9 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Fri Feb 01 2019 Fedora Release Engineering - 1.8.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Fri Jul 13 2018 Fedora Release Engineering - 1.8.0-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From ab0e53ac5277f1c0b5551142cc4145c5a4d08eb6 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Mon, 4 Feb 2019 12:09:52 +0000 Subject: [PATCH 87/93] Work around mock locale issues in test suite Explicitly run the test suite in the en_US.UTF-8 locale to work around flaky locale settings in mock builders. --- libssh2.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libssh2.spec b/libssh2.spec index 4728d9d..92b352c 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.8.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ @@ -18,6 +18,10 @@ BuildRequires: /usr/bin/man # Test suite requirements - we run the OpenSSH server and try to connect to it BuildRequires: openssh-server +# Need a valid locale to run the mansyntax check +%if 0%{?fedora} > 23 || 0%{?rhel} > 7 +BuildRequires: glibc-langpack-en +%endif # We use matchpathcon to get the correct SELinux context for the ssh server # initialization script so that it can transition correctly in an SELinux # environment @@ -103,7 +107,7 @@ echo "exit 0" > tests/ssh2.sh echo "Skipping mansyntax test on PPC* and aarch64" echo "exit 0" > tests/mansyntax.sh %endif -make -C tests check +LC_ALL=en_US.UTF-8 make -C tests check %ldconfig_scriptlets 
@@ -127,6 +131,10 @@ make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon Feb 4 2019 Paul Howarth - 1.8.0-10 +- Explicitly run the test suite in the en_US.UTF-8 locale to work around flaky + locale settings in mock builders + * Fri Feb 01 2019 Fedora Release Engineering - 1.8.0-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild From 7dfb17d3cbfbeab5f6730ce1bcfba1d79a72cd1f Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Tue, 19 Mar 2019 12:18:43 +0000 Subject: [PATCH 88/93] Update to 1.8.1 - New upstream release 1.8.1 - Fixed possible integer overflow when reading a specially crafted packet (CVE-2019-3855) - Fixed possible integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings (CVE-2019-3863) - Fixed possible integer overflow if the server sent an extremely large number of keyboard prompts (CVE-2019-3856) - Fixed possible out of bounds read when processing a specially crafted packet (CVE-2019-3861) - Fixed possible integer overflow when receiving a specially crafted exit signal message channel packet (CVE-2019-3857) - Fixed possible out of bounds read when receiving a specially crafted exit status message channel packet (CVE-2019-3862) - Fixed possible zero byte allocation when reading a specially crafted SFTP packet (CVE-2019-3858) - Fixed possible out of bounds reads when processing specially crafted SFTP packets (CVE-2019-3860) - Fixed possible out of bounds reads in _libssh2_packet_require(v) (CVE-2019-3859) - Fix mis-applied patch in the fix of CVE-2019-3859 - https://github.com/libssh2/libssh2/issues/325 - https://github.com/libssh2/libssh2/pull/327 --- 74ecd0e1.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ libssh2.spec | 34 ++++++++++++++++++++++++++++++++-- sources | 2 +- 3 files changed, 83 insertions(+), 3 deletions(-) create mode 100644 74ecd0e1.patch diff --git a/74ecd0e1.patch b/74ecd0e1.patch new file mode 100644 index 0000000..9507602 --- /dev/null 
+++ b/74ecd0e1.patch 
@@ -0,0 +1,50 @@ +From 74ecd0e10ced2237f32d273784ef8eaf553b9c30 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Mon, 18 Mar 2019 17:36:04 -0700 +Subject: [PATCH] Fixed misapplied patch + +Fixes for user auth +--- + src/userauth.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/userauth.c b/src/userauth.c +index ed804629..c02d81d0 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, + LIBSSH2_FREE(session, session->userauth_list_data); + session->userauth_list_data = NULL; + +- if (rc || (session->userauth_list_data_len < 1)) { ++ if (rc) { + _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, + "Unable to send userauth-none request"); + session->userauth_list_state = libssh2_NB_state_idle; +@@ -127,7 +127,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, + _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, + "Would block requesting userauth list"); + return NULL; +- } else if (rc) { ++ } else if (rc || (session->userauth_list_data_len < 1)) { + _libssh2_error(session, rc, "Failed getting response"); + session->userauth_list_state = libssh2_NB_state_idle; + return NULL; +@@ -1172,7 +1172,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, + NULL, 0); + if (rc == LIBSSH2_ERROR_EAGAIN) + return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); +- else if (rc || (session->userauth_pblc_data_len < 1)) { ++ else if (rc) { + LIBSSH2_FREE(session, session->userauth_pblc_packet); + session->userauth_pblc_packet = NULL; + LIBSSH2_FREE(session, session->userauth_pblc_method); +@@ -1195,7 +1195,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, + if (rc == LIBSSH2_ERROR_EAGAIN) { + return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); + } +- else if (rc) { ++ else if (rc || (session->userauth_pblc_data_len < 1)) { + LIBSSH2_FREE(session, session->userauth_pblc_packet); + 
session->userauth_pblc_packet = NULL; + LIBSSH2_FREE(session, session->userauth_pblc_method); diff --git a/libssh2.spec b/libssh2.spec index 92b352c..36cd9ce 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,11 +1,12 @@ Name: libssh2 -Version: 1.8.0 -Release: 10%{?dist} +Version: 1.8.1 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch1: 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch +Patch2: https://github.com/libssh2/libssh2/commit/74ecd0e1.patch BuildRequires: coreutils BuildRequires: findutils @@ -62,6 +63,11 @@ developing applications that use libssh2. # https://github.com/libssh2/libssh2/pull/208 %patch1 -p1 +# userauth: fix mis-applied patch in the fix of CVE-2019-3859 +# https://github.com/libssh2/libssh2/issues/325 +# https://github.com/libssh2/libssh2/pull/327 +%patch2 -p1 + # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} 
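Review bot: In the second `userauth_list` hunk of the added 74ecd0e1.patch, the relocated length check shares a branch with `rc`, so a successful read (`rc == 0`) with `userauth_list_data_len < 1` reaches `_libssh2_error(session, rc, "Failed getting response")` with an error code of 0. The function still returns NULL there, but code that later inspects the session's last error would presumably see no failure code for an empty server reply. Passing an explicit code in that case keeps the rejection visible, e.g. `_libssh2_error(session, rc ? rc : LIBSSH2_ERROR_PROTO, "Failed getting response");`. The `userauth_pblc_data_len < 1` branch in `_libssh2_userauth_publickey` may need the same treatment, but its error call lies outside the hunk, as do the start and end of both functions.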
@@ -131,6 +137,30 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Mar 19 2019 Paul Howarth - 1.8.1-1 +- Update to 1.8.1 + - Fixed possible integer overflow when reading a specially crafted packet + (CVE-2019-3855) + - Fixed possible integer overflow in userauth_keyboard_interactive with a + number of extremely long prompt strings (CVE-2019-3863) + - Fixed possible integer overflow if the server sent an extremely large + number of keyboard prompts (CVE-2019-3856) + - Fixed possible out of bounds read when processing a specially crafted + packet (CVE-2019-3861) + - Fixed possible integer overflow when receiving a specially crafted exit + signal message channel packet (CVE-2019-3857) + - Fixed possible out of bounds read when receiving a specially crafted exit + status message channel packet (CVE-2019-3862) + - Fixed possible zero byte allocation when reading a specially crafted SFTP + packet (CVE-2019-3858) + - Fixed possible out of bounds reads when processing specially crafted SFTP + packets (CVE-2019-3860) + - Fixed possible out of bounds reads in _libssh2_packet_require(v) + (CVE-2019-3859) +- Fix mis-applied patch in the fix of CVE-2019-3859 + - https://github.com/libssh2/libssh2/issues/325 + - https://github.com/libssh2/libssh2/pull/327 + * Mon Feb 4 2019 Paul Howarth - 1.8.0-10 - Explicitly run the test suite in the en_US.UTF-8 locale to work around flaky locale settings in mock builders diff --git a/sources b/sources index 8551b1a..d5b4033 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3d1147cae66e2959ea5441b183de1b1c libssh2-1.8.0.tar.gz +SHA512 (libssh2-1.8.1.tar.gz) = f09ad9ed04d25305b966e7f8c210082fe06c2b236dcd5018b009bd0bd6aaff123d16559d280892a5060760ed055ffe295bc02dc6e8dd1e7b8383c6c703f09290 From 69ee8f7637df22b55475829e19545a6efcd73f8f Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Tue, 26 Mar 2019 09:44:16 +0000 Subject: [PATCH 89/93] Update to 1.8.2 - New upstream release 1.8.2 - Fixed the misapplied userauth patch that broke 1.8.1 - Moved the MAX size declarations from the public header --- 74ecd0e1.patch | 50 -------------------------------------------------- libssh2.spec | 13 ++++++------- sources | 2 +- 3 files changed, 7 insertions(+), 58 deletions(-) delete mode 100644 74ecd0e1.patch diff --git a/74ecd0e1.patch b/74ecd0e1.patch deleted file mode 100644 index 9507602..0000000 --- a/74ecd0e1.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 74ecd0e10ced2237f32d273784ef8eaf553b9c30 Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Mon, 18 Mar 2019 17:36:04 -0700 -Subject: [PATCH] Fixed misapplied patch - -Fixes for user auth ---- - src/userauth.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/userauth.c b/src/userauth.c -index ed804629..c02d81d0 100644 ---- a/src/userauth.c -+++ b/src/userauth.c -@@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, - LIBSSH2_FREE(session, session->userauth_list_data); - session->userauth_list_data = NULL; - -- if (rc || (session->userauth_list_data_len < 1)) { -+ if (rc) { - _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, - "Unable to send userauth-none request"); - session->userauth_list_state = libssh2_NB_state_idle; -@@ -127,7 +127,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, - _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, - "Would block requesting userauth list"); - return NULL; -- } else if (rc) { -+ } else if (rc || (session->userauth_list_data_len < 1)) { - _libssh2_error(session, rc, "Failed getting response"); - session->userauth_list_state = libssh2_NB_state_idle; - return NULL; -@@ -1172,7 +1172,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, - NULL, 0); - if (rc == LIBSSH2_ERROR_EAGAIN) - return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); -- else if (rc || (session->userauth_pblc_data_len < 1)) { -+ else if (rc) { - LIBSSH2_FREE(session, session->userauth_pblc_packet); - session->userauth_pblc_packet = NULL; - LIBSSH2_FREE(session, session->userauth_pblc_method); -@@ -1195,7 +1195,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session, - if (rc == LIBSSH2_ERROR_EAGAIN) { - return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); - } -- else if (rc) { -+ else if (rc || (session->userauth_pblc_data_len < 1)) { - LIBSSH2_FREE(session, session->userauth_pblc_packet); - 
session->userauth_pblc_packet = NULL; - LIBSSH2_FREE(session, session->userauth_pblc_method); diff --git a/libssh2.spec b/libssh2.spec index 36cd9ce..c2f9c00 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,12 +1,11 @@ Name: libssh2 -Version: 1.8.1 +Version: 1.8.2 Release: 1%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz Patch1: 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch -Patch2: https://github.com/libssh2/libssh2/commit/74ecd0e1.patch BuildRequires: coreutils BuildRequires: findutils @@ -63,11 +62,6 @@ developing applications that use libssh2. # https://github.com/libssh2/libssh2/pull/208 %patch1 -p1 -# userauth: fix mis-applied patch in the fix of CVE-2019-3859 -# https://github.com/libssh2/libssh2/issues/325 -# https://github.com/libssh2/libssh2/pull/327 -%patch2 -p1 - # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} @@ -137,6 +131,11 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Mar 26 2019 Paul Howarth - 1.8.2-1 +- Update to 1.8.2 + - Fixed the misapplied userauth patch that broke 1.8.1 + - Moved the MAX size declarations from the public header + * Tue Mar 19 2019 Paul Howarth - 1.8.1-1 - Update to 1.8.1 - Fixed possible integer overflow when reading a specially crafted packet diff --git a/sources b/sources index d5b4033..d84d497 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libssh2-1.8.1.tar.gz) = f09ad9ed04d25305b966e7f8c210082fe06c2b236dcd5018b009bd0bd6aaff123d16559d280892a5060760ed055ffe295bc02dc6e8dd1e7b8383c6c703f09290 +SHA512 (libssh2-1.8.2.tar.gz) = 390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 
From 8f106e1af22bed118382e15446f5229ce3fbfed2 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Thu, 20 Jun 2019 11:22:28 +0100 Subject: [PATCH 90/93] Update to 1.9.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - New upstream release 1.9.0 - Adds ECDSA keys and host key support when using OpenSSL - Adds ED25519 key and host key support when using OpenSSL 1.1.1 - Adds OpenSSH style key file reading - Adds AES CTR mode support when using WinCNG - Adds PEM passphrase protected file support for libgcrypt and WinCNG - Adds SHA256 hostkey fingerprint - Adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() - Adds explicit zeroing of sensitive data in memory - Adds additional bounds checks to network buffer reads - Adds the ability to use the server default permissions when creating sftp directories - Adds support for building with OpenSSL no engine flag - Adds support for building with LibreSSL - Increased sftp packet size to 256k - Fixed oversized packet handling in sftp - Fixed building with OpenSSL 1.1 - Fixed a possible crash if sftp stat gets an unexpected response - Fixed incorrect parsing of the KEX preference string value - Fixed conditional RSA and AES-CTR support - Fixed a small memory leak during the key exchange process - Fixed a possible memory leak of the ssh banner string - Fixed various small memory leaks in the backends - Fixed possible out of bounds read when parsing public keys from the server - Fixed possible out of bounds read when parsing invalid PEM files - No longer null terminates the scp remote exec command - Now handle errors when Diffie Hellman key pair generation fails - Fixed compiling on Windows with the flag STDCALL=ON - Improved building instructions - Improved unit tests - Needs OpenSSL ≥ 1.0.1 now as ECC support is assumed - Modernize spec somewhat as EL-6 can no longer be supported --- ...erminate-the-command-for-remote-exec.patch | 45 -------------- libssh2.spec | 61 +++++++++++-------- sources | 2 +- 3 files changed, 38 insertions(+), 
70 deletions(-) delete mode 100644 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch diff --git a/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch b/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch deleted file mode 100644 index a6881dd..0000000 --- a/0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 819ef4f2037490b6aa2e870aea851b6364184090 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 11 Sep 2017 21:13:45 +0200 -Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208) - -It breaks SCP download/upload from/to certain server implementations. - -The bug does not manifest with OpenSSH, which silently drops the NUL -byte (eventually with any garbage that follows the NUL byte) before -executing it. - -Bug: https://bugzilla.redhat.com/1489736 ---- - src/scp.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/scp.c b/src/scp.c -index 22778dd..d1665a6 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb) - &session->scpRecv_command[cmd_len], - session->scpRecv_command_len - cmd_len); - -- session->scpRecv_command[cmd_len] = '\0'; -- session->scpRecv_command_len = cmd_len + 1; -+ /* the command to exec should _not_ be NUL-terminated */ -+ session->scpRecv_command_len = cmd_len; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP receive"); -@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, - &session->scpSend_command[cmd_len], - session->scpSend_command_len - cmd_len); - -- session->scpSend_command[cmd_len] = '\0'; -- session->scpSend_command_len = cmd_len + 1; -+ /* the command to exec should _not_ be NUL-terminated */ -+ session->scpSend_command_len = cmd_len; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP send"); --- -2.9.5 - 
diff --git a/libssh2.spec b/libssh2.spec index c2f9c00..5b09a03 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,17 +1,16 @@ Name: libssh2 -Version: 1.8.2 +Version: 1.9.0 Release: 1%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch1: 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch BuildRequires: coreutils BuildRequires: findutils BuildRequires: gcc BuildRequires: make -BuildRequires: openssl-devel +BuildRequires: openssl-devel > 1:1.0.1 BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man @@ -22,13 +21,6 @@ BuildRequires: openssh-server %if 0%{?fedora} > 23 || 0%{?rhel} > 7 BuildRequires: glibc-langpack-en %endif -# We use matchpathcon to get the correct SELinux context for the ssh server -# initialization script so that it can transition correctly in an SELinux -# environment -%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) -BuildRequires: libselinux-utils -BuildRequires: selinux-policy-targeted -%endif %description libssh2 is a library implementing the SSH2 protocol as defined by 
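Review bot: The new `BuildRequires: openssl-devel > 1:1.0.1` uses a strict comparison, while the changelog entry added by the same commit says "Needs OpenSSL ≥ 1.0.1". Because the requirement names no release, RPM should compare epoch and version only, so an openssl-devel at exactly 1:1.0.1 would not satisfy it. If 1.0.1 itself is meant to be accepted, the line should read `BuildRequires: openssl-devel >= 1:1.0.1`; if it is meant to be excluded, the changelog wording should say so.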
@@ -57,28 +49,16 @@ developing applications that use libssh2. %prep %setup -q -# scp: do not NUL-terminate the command for remote exec -# https://bugzilla.redhat.com/show_bug.cgi?id=1489736 -# https://github.com/libssh2/libssh2/pull/208 -%patch1 -p1 - # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} -# Make sshd transition appropriately if building in an SELinux environment -%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) -chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : -chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : -chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} || : -%endif - %build %configure --disable-silent-rules --disable-static --enable-shared -make %{?_smp_mflags} +%{make_build} %install -make install DESTDIR=%{buildroot} INSTALL="install -p" +%{make_install} INSTALL="install -p" find %{buildroot} -name '*.la' -delete # clean things up a bit for packaging 
@@ -131,6 +111,39 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Jun 20 2019 Paul Howarth - 1.9.0-1 +- Update to 1.9.0 + - Adds ECDSA keys and host key support when using OpenSSL + - Adds ED25519 key and host key support when using OpenSSL 1.1.1 + - Adds OpenSSH style key file reading + - Adds AES CTR mode support when using WinCNG + - Adds PEM passphrase protected file support for libgcrypt and WinCNG + - Adds SHA256 hostkey fingerprint + - Adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() + - Adds explicit zeroing of sensitive data in memory + - Adds additional bounds checks to network buffer reads + - Adds the ability to use the server default permissions when creating sftp directories + - Adds support for building with OpenSSL no engine flag + - Adds support for building with LibreSSL + - Increased sftp packet size to 256k + - Fixed oversized packet handling in sftp + - Fixed building with OpenSSL 1.1 + - Fixed a possible crash if sftp stat gets an unexpected response + - Fixed incorrect parsing of the KEX preference string value + - Fixed conditional RSA and AES-CTR support + - Fixed a small memory leak during the key exchange process + - Fixed a possible memory leak of the ssh banner string + - Fixed various small memory leaks in the backends + - Fixed possible out of bounds read when parsing public keys from the server + - Fixed possible out of bounds read when parsing invalid PEM files + - No longer null terminates the scp remote exec command + - Now handle errors when Diffie Hellman key pair generation fails + - Fixed compiling on Windows with the flag STDCALL=ON + - Improved building instructions + - Improved unit tests +- Needs OpenSSL ≥ 1.0.1 now as ECC support is assumed +- Modernize spec somewhat as EL-6 can no longer be supported + * Tue Mar 26 2019 Paul Howarth - 1.8.2-1 - Update to 1.8.2 - Fixed the misapplied userauth patch that broke 1.8.1 
diff --git a/sources b/sources index d84d497..a8167df 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libssh2-1.8.2.tar.gz) = 390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 +SHA512 (libssh2-1.9.0.tar.gz) = 41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 From 6957951772db6c2b0db0a03e087c06a8b84d2bd7 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 19 Jul 2019 09:44:33 +0100 Subject: [PATCH 91/93] Add changelog reference to CVE-2019-13115 --- libssh2.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/libssh2.spec b/libssh2.spec index 5b09a03..d9a858d 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -113,6 +113,7 @@ LC_ALL=en_US.UTF-8 make -C tests check %changelog * Thu Jun 20 2019 Paul Howarth - 1.9.0-1 - Update to 1.9.0 + - Fixed integer overflow leading to out-of-bounds read (CVE-2019-13115) - Adds ECDSA keys and host key support when using OpenSSL - Adds ED25519 key and host key support when using OpenSSL 1.1.1 - Adds OpenSSH style key file reading From 3d9150262d45fd116a775d06383c9cc9d84ab642 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 25 Jul 2019 14:27:39 +0000 Subject: [PATCH 92/93] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- libssh2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libssh2.spec b/libssh2.spec index d9a858d..f9c8dfc 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,6 +1,6 @@ Name: libssh2 Version: 1.9.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ 
@@ -111,6 +111,9 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Thu Jul 25 2019 Fedora Release Engineering - 1.9.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Thu Jun 20 2019 Paul Howarth - 1.9.0-1 - Update to 1.9.0 - Fixed integer overflow leading to out-of-bounds read (CVE-2019-13115) From 41525baf3f2396b61f9ea90591deb1eb178912bc Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 30 Oct 2019 18:23:36 +0100 Subject: [PATCH 93/93] Resolves: CVE-2019-17498 - fix integer overflow in SSH_MSG_DISCONNECT logic --- 0001-libssh2-1.9.0-CVE-2019-17498.patch | 130 ++++++++++++++++++++++++ libssh2.spec | 9 +- 2 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 0001-libssh2-1.9.0-CVE-2019-17498.patch diff --git a/0001-libssh2-1.9.0-CVE-2019-17498.patch b/0001-libssh2-1.9.0-CVE-2019-17498.patch new file mode 100644 index 0000000..2e2a5ee --- /dev/null +++ b/0001-libssh2-1.9.0-CVE-2019-17498.patch 
@@ -0,0 +1,130 @@
+From a1554e78e15fc0daeb574c3dd5c87654469a3742 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+Signed-off-by: Kamil Dudka
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab629..2e01bfc 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- 
language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display = data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 +
+- message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+ if(session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+-- 
+2.20.1 + diff --git a/libssh2.spec b/libssh2.spec index f9c8dfc..54b61a4 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,11 +1,14 @@ Name: libssh2 Version: 1.9.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz +# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) +Patch1: 0001-libssh2-1.9.0-CVE-2019-17498.patch + BuildRequires: coreutils BuildRequires: findutils BuildRequires: gcc @@ -48,6 +51,7 @@ developing applications that use libssh2. %prep %setup -q +%patch1 -p1 # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host @@ -111,6 +115,9 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Oct 30 2019 Kamil Dudka - 1.9.0-3 +- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) + * Thu Jul 25 2019 Fedora Release Engineering - 1.9.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
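Review bot: In the SSH_MSG_DISCONNECT branch of the added packet.c patch, the results of `_libssh2_get_u32()` and both `_libssh2_get_string()` calls are discarded, while the unchanged trace call below still formats `message` and `language` with `%s`; on a short or malformed packet they presumably keep their initial NULL, and the same unchecked pair of calls appears in the SSH_MSG_DEBUG hunk. If `_libssh2_get_string()` hands back a pointer into the packet without NUL-terminating it (the helper is not visible here, so confirm), `%s` in a trace-enabled build would read past the end of the string, so the trace is safer length-bounded with `%.*s`. `reason` is now `uint32_t` but is still printed with `%d`. Assuming the helpers return non-zero on failure, I would check them and clear the outputs the way the removed code did, as sketched below; because this file tracks upstream commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c, the change would need to go upstream as well. `_libssh2_packet_add` starts and ends outside these hunks.

```c
/* … unchanged: reason/buf declarations, buf setup, advance past type … */

if(_libssh2_get_u32(&buf, &reason) ||
   _libssh2_get_string(&buf, &message, &message_len) ||
   _libssh2_get_string(&buf, &language, &language_len)) {
    /* short or malformed packet: drop any partial parse */
    message = language = NULL;
    message_len = language_len = 0;
}

/* … unchanged: ssh_msg_disconnect callback … */

_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
               "Disconnect(%u): %.*s(%.*s)", (unsigned int)reason,
               (int)message_len, message ? (const char *)message : "",
               (int)language_len, language ? (const char *)language : "");
```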