From c797fc9e3e0a7c01918be7356ba3af192e39a076 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Thu, 1 Jun 2023 08:52:34 +0100 Subject: [PATCH] Update to 1.11.0 (rhbz#2211200) - New upstream release 1.11.0 - Adds support for encrypt-then-mac (ETM) MACs - Adds support for AES-GCM crypto protocols - Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys - Adds support for RSA certificate authentication - Adds FIDO support with *_sk() functions - Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends - Adds Agent Forwarding and libssh2_agent_sign() - Adds support for Channel Signal message libssh2_channel_signal_ex() - Adds support to get the user auth banner message libssh2_userauth_banner() - Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519, AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options - Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex() - Adds wolfSSL support to CMake file - Adds mbedTLS 3.x support - Adds LibreSSL 3.5 support - Adds support for CMake "unity" builds - Adds CMake support for building shared and static libs in a single pass - Adds symbol hiding support to CMake - Adds support for libssh2.rc for all build tools - Adds .zip, .tar.xz and .tar.bz2 release tarballs - Enables ed25519 key support for LibreSSL 3.7.0 or higher - Improves OpenSSL 1.1 and 3 compatibility - Now requires OpenSSL 1.0.2 or newer - Now requires CMake 3.1 or newer - SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs - SFTP: No longer has a packet limit when reading a directory - SFTP: Now parses attribute extensions if they exist - SFTP: No longer will busy loop if SFTP fails to initialize - SFTP: Now clear various errors as expected - SFTP: No longer skips files if the line buffer is too small - SCP: Add option to not quote paths - SCP: Enables 64-bit offset support unconditionally - Now skips leading \r and \n characters in banner_receive() - Enables secure memory zeroing with all build tools on all platforms - No longer logs 
SSH_MSG_REQUEST_FAILURE packets from keepalive - Speed up base64 encoding by 7x - Assert if there is an attempt to write a value that is too large - WinCNG: fix memory leak in _libssh2_dh_secret() - Added protection against possible null pointer dereferences - Agent now handles overly large comment lengths - Now ensure KEX replies don't include extra bytes - Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER - Fixed possible buffer overflow in keyboard interactive code path - Fixed overlapping memcpy() - Fixed Windows UWP builds - Fixed DLL import name - Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows - Support for building with gcc versions older than 8 - Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files - Restores ANSI C89 compliance - Enabled new compiler warnings and fixed/silenced them - Improved error messages - Now uses CIFuzz - Numerous minor code improvements - Improvements to CI builds - Improvements to unit tests - Improvements to doc files - Improvements to example files - Removed "old gex" build option - Removed no-encryption/no-mac builds - Removed support for NetWare and Watcom wmake build files - Avoid use of deprecated patch syntax - Build static library but don't package it since it's required for the test suite (https://github.com/libssh2/libssh2/issues/1056) - Remove redundant references to %{_libdir} from pkgconfig file - Add patch to work around strict permissions issues for sshd tests --- libssh2-1.10.0-ssh-rsa-test.patch | 19 ----- libssh2-1.11.0-ssh-rsa-test.patch | 17 +++++ libssh2-1.11.0-strict-modes.patch | 15 ++++ libssh2.spec | 116 ++++++++++++++++++++++++++---- sources | 4 +- 5 files changed, 137 insertions(+), 34 deletions(-) delete mode 100644 libssh2-1.10.0-ssh-rsa-test.patch create mode 100644 libssh2-1.11.0-ssh-rsa-test.patch create mode 100644 libssh2-1.11.0-strict-modes.patch
diff --git a/libssh2-1.10.0-ssh-rsa-test.patch b/libssh2-1.10.0-ssh-rsa-test.patch
deleted file mode 100644
index 8485f14..0000000
--- a/libssh2-1.10.0-ssh-rsa-test.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-In 8.8 OpenSSH disabled sha1 rsa-sha keys out of the box,
-so we need to re-enable them as a workaround for the test
-suite until upstream updates the tests.
-
-See: https://github.com/libssh2/libssh2/issues/630
-
---- tests/ssh2.sh
-+++ tests/ssh2.sh
-@@ -25,7 +25,8 @@ $SSHD -f /dev/null -h "$srcdir"/etc/host
- -o 'Port 4711' \
- -o 'Protocol 2' \
- -o "AuthorizedKeysFile $srcdir/etc/user.pub" \
-- -o 'UsePrivilegeSeparation no' \
-+ -o 'HostKeyAlgorithms +ssh-rsa' \
-+ -o 'PubkeyAcceptedAlgorithms +ssh-rsa' \
- -o 'StrictModes no' \
- -D \
- $libssh2_sshd_params &
-
diff --git a/libssh2-1.11.0-ssh-rsa-test.patch b/libssh2-1.11.0-ssh-rsa-test.patch
new file mode 100644
index 0000000..2fa3f0a
--- /dev/null
+++ b/libssh2-1.11.0-ssh-rsa-test.patch
@@ -0,0 +1,17 @@
+In 8.8 OpenSSH disabled sha1 rsa-sha keys out of the box,
+so we need to re-enable them as a workaround for the test
+suite until upstream updates the tests.
+
+See: https://github.com/libssh2/libssh2/issues/630
+
+--- tests/test_sshd.test
++++ tests/test_sshd.test
+@@ -79,6 +79,8 @@ chmod go-rwx \
+ -o "AuthorizedKeysFile ${PUBKEY} ${d}/openssh_server/authorized_keys" \
+ -o "TrustedUserCAKeys ${cakeys}" \
+ -o 'PermitRootLogin yes' \
++ -o 'HostKeyAlgorithms +ssh-rsa' \
++ -o 'PubkeyAcceptedAlgorithms +ssh-rsa' \
+ -D \
+ ${SSHD_FLAGS} &
+ sshdpid=$!
diff --git a/libssh2-1.11.0-strict-modes.patch b/libssh2-1.11.0-strict-modes.patch
new file mode 100644
index 0000000..45a7cf3
--- /dev/null
+++ b/libssh2-1.11.0-strict-modes.patch
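Review bot: The header of the new libssh2-1.11.0-ssh-rsa-test.patch is the 1.10.0 text word for word ("until upstream updates the tests"), so it no longer says what in the 1.11.0 fixture still needs SHA-1 `ssh-rsa`; the commit message lists RSA-SHA2 key upgrading as new in this release, so the two `-o 'HostKeyAlgorithms +ssh-rsa'` / `-o 'PubkeyAcceptedAlgorithms +ssh-rsa'` lines are presumably only still required because the fixture's host key and `${PUBKEY}` are RSA, which is worth stating. Suggest adding a sentence to the header such as `Still needed with 1.11.0 because the fixture host key and user key are RSA-SHA1; drop once upstream updates the fixture` (adjusted to what re-running the suite without the patch actually shows) so the next rebase can tell when it becomes dead. Both options only relax the throw-away test sshd in tests/test_sshd.test and do not touch the packaged library's algorithm set.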
@@ -0,0 +1,15 @@
+Group-writeable directories in the hierarchy above where we
+run the tests from can cause failures due to openssh's strict
+permissions checks. Adding this option helps the tests to run
+more reliably on a variety of build systems.
+
+--- tests/test_sshd.test
++++ tests/test_sshd.test
+@@ -71,6 +71,7 @@ chmod go-rwx \
+ # shellcheck disable=SC2086
+ "${SSHD}" \
+ -f "${SSHD_FIXTURE_CONFIG:-${d}/openssh_server/sshd_config}" \
++ -o 'StrictModes no' \
+ -o 'Port 4711' \
+ -h "${d}/openssh_server/ssh_host_rsa_key" \
+ -h "${d}/openssh_server/ssh_host_ecdsa_key" \
diff --git a/libssh2.spec b/libssh2.spec
index e4e9a65..e762f87 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name: libssh2
-Version: 1.10.0
-Release: 7%{?dist}
+Version: 1.11.0
+Release: 1%{?dist}
 Summary: A library implementing the SSH2 protocol
 License: BSD-3-Clause
 URL: https://www.libssh2.org/
@@ -8,14 +8,16 @@ Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
 Source1: https://libssh2.org/download/libssh2-%{version}.tar.gz.asc
 # Daniel Stenberg's GPG keys; linked from https://daniel.haxx.se/address.html
 Source2: https://daniel.haxx.se/mykey.asc
-Patch1: libssh2-1.10.0-ssh-rsa-test.patch
+Patch1: libssh2-1.11.0-strict-modes.patch
+Patch2: libssh2-1.11.0-ssh-rsa-test.patch
 
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: gcc
 BuildRequires: gnupg2
 BuildRequires: make
-BuildRequires: openssl-devel > 1:1.0.1
+BuildRequires: openssl-devel > 1:1.0.2
+BuildRequires: pkgconfig
 BuildRequires: sed
 BuildRequires: zlib-devel
 BuildRequires: /usr/bin/man
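Review bot: The header of libssh2-1.11.0-strict-modes.patch gives the motivation but no upstream status, whereas the ssh-rsa patch cites libssh2 issue 630; add a line such as `Upstream status: Fedora build-environment workaround, not submitted` (or the upstream issue/PR if one exists) so the next rebase knows whether the patch can be dropped. It is also worth recording in the header that `-o 'StrictModes no'` only relaxes the test sshd's ownership/permission checks on the fixture's own files under `${d}`, which the fixture already tightens with `chmod go-rwx`, so the relaxation is confined to the test harness and nothing packaged is affected.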
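Review bot: `BuildRequires: openssl-devel > 1:1.0.2` does not express the requirement the commit message states ("OpenSSL 1.0.2 or newer"): a strict `>` excludes a bare 1.0.2, and the old `> 1:1.0.1` only worked because every packaged build carries a release suffix that compares greater than the bare version. Since the intent is the minimum upstream now requires, `BuildRequires: openssl-devel >= 1:1.0.2` says that directly and survives a future comparison against an EVR without a release.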
@@ -58,32 +60,51 @@ developing applications that use libssh2.
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 
+# Group-writeable directories in the hierarchy above where we
+# run the tests from can cause failures due to openssh's strict
+# permissions checks. Adding this option helps the tests to run
+# more reliably on a variety of build systems.
+%patch -P 1
+
 # In 8.8 OpenSSH disabled sha1 rsa-sha keys out of the box,
 # so we need to re-enable them as a workaround for the test
 # suite until upstream updates the tests.
 # See: https://github.com/libssh2/libssh2/issues/630
 %if 0%{?fedora} > 33 || 0%{?rhel} > 8
-%patch1
+%patch -P 2
 %endif
 
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
-sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh}
+sed -i s/4711/47%{?__isa_bits}/ tests/{openssh_fixture.c,test_ssh{2.c,d.test}}
 
 %build
-%configure --disable-silent-rules --disable-static --enable-shared
+# Test suite fails to compile if we use --disable-static
+# https://github.com/libssh2/libssh2/issues/1056
+%configure \
+ --disable-silent-rules \
+ --enable-shared \
+ --disable-docker-tests
 %{make_build}
 
 %install
 %{make_install} INSTALL="install -p"
 find %{buildroot} -name '*.la' -delete
 
-# clean things up a bit for packaging
-make -C example clean
-rm -rf example/.deps
-find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete
+# Remove static library that we only built for testing
+rm -v %{buildroot}%{_libdir}/libssh2.a
 
-# avoid multilib conflict on libssh2-devel
+# Clean things up a bit for packaging
+make -C example clean
+find example/ -type f \
+ '(' -name '*.am' -o -name '*.in' -o -name CMakeLists.txt ')' \
+ -print -delete
+
+# Remove redundant references to libdir in pkg-config file
+sed -i -e 's|-L%{_libdir} ||g' \
+ -e 's|-L[$]{libdir} ||g' %{buildroot}%{_libdir}/pkgconfig/libssh2.pc
+
+# Avoid multilib conflict on libssh2-devel
 mv -v example example.%{_arch}
 
 %check
@@ -98,7 +119,7 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_libdir}/libssh2.so.1.*
 
 %files docs
-%doc docs/BINDINGS docs/HACKING docs/TODO NEWS
+%doc docs/BINDINGS.md docs/HACKING.md docs/TODO NEWS
 %{_mandir}/man3/libssh2_*.3*
 
 %files devel
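Review bot: The port rewrite `sed -i s/4711/47%{?__isa_bits}/ tests/{openssh_fixture.c,test_ssh{2.c,d.test}}` in %prep is unchecked: the file list already had to change for this release, so if a future tarball moves or renames the literal the sed silently does nothing and the 32-bit/64-bit collision the comment describes returns, and the new `%{?...}` form additionally expands to nothing on a host where `__isa_bits` is undefined, which would leave the privileged port 47 instead of failing. A guard right after the sed, e.g. `grep -q "Port 47[0-9][0-9]" tests/test_sshd.test || exit 1`, fails the build instead of shipping a silently unpatched test suite. `%patch -P 1`, the `%configure` block and the `.pc` cleanup look fine as written; the hunk runs from %prep to the start of %check, so the commands that actually execute the rewritten tests lie outside it.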
@@ -110,6 +131,75 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Thu Jun 1 2023 Paul Howarth - 1.11.0-1
+- Update to 1.11.0 (rhbz#2211200)
+ - Adds support for encrypt-then-mac (ETM) MACs
+ - Adds support for AES-GCM crypto protocols
+ - Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys
+ - Adds support for RSA certificate authentication
+ - Adds FIDO support with *_sk() functions
+ - Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends
+ - Adds Agent Forwarding and libssh2_agent_sign()
+ - Adds support for Channel Signal message libssh2_channel_signal_ex()
+ - Adds support to get the user auth banner message libssh2_userauth_banner()
+ - Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519,
+ AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options
+ - Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()
+ - Adds wolfSSL support to CMake file
+ - Adds mbedTLS 3.x support
+ - Adds LibreSSL 3.5 support
+ - Adds support for CMake "unity" builds
+ - Adds CMake support for building shared and static libs in a single pass
+ - Adds symbol hiding support to CMake
+ - Adds support for libssh2.rc for all build tools
+ - Adds .zip, .tar.xz and .tar.bz2 release tarballs
+ - Enables ed25519 key support for LibreSSL 3.7.0 or higher
+ - Improves OpenSSL 1.1 and 3 compatibility
+ - Now requires OpenSSL 1.0.2 or newer
+ - Now requires CMake 3.1 or newer
+ - SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs
+ - SFTP: No longer has a packet limit when reading a directory
+ - SFTP: Now parses attribute extensions if they exist
+ - SFTP: No longer will busy loop if SFTP fails to initialize
+ - SFTP: Now clear various errors as expected
+ - SFTP: No longer skips files if the line buffer is too small
+ - SCP: Add option to not quote paths
+ - SCP: Enables 64-bit offset support unconditionally
+ - Now skips leading \r and \n characters in banner_receive()
+ - Enables secure memory zeroing with all build tools on all platforms
+ - No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive
+ - Speed up base64 encoding by 7x
+ - Assert if there is an attempt to write a value that is too large
+ - WinCNG: fix memory leak in _libssh2_dh_secret()
+ - Added protection against possible null pointer dereferences
+ - Agent now handles overly large comment lengths
+ - Now ensure KEX replies don't include extra bytes
+ - Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER
+ - Fixed possible buffer overflow in keyboard interactive code path
+ - Fixed overlapping memcpy()
+ - Fixed Windows UWP builds
+ - Fixed DLL import name
+ - Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows
+ - Support for building with gcc versions older than 8
+ - Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files
+ - Restores ANSI C89 compliance
+ - Enabled new compiler warnings and fixed/silenced them
+ - Improved error messages
+ - Now uses CIFuzz
+ - Numerous minor code improvements
+ - Improvements to CI builds
+ - Improvements to unit tests
+ - Improvements to doc files
+ - Improvements to example files
+ - Removed "old gex" build option
+ - Removed no-encryption/no-mac builds
+ - Removed support for NetWare and Watcom wmake build files
+- Avoid use of deprecated patch syntax
+- Build static library but don't package it since it's required for the
+ test suite (https://github.com/libssh2/libssh2/issues/1056)
+- Remove redundant references to %%{_libdir} from pkgconfig file
+- Add patch to work around strict permissions issues for sshd tests
+
 * Thu Jan 19 2023 Fedora Release Engineering - 1.10.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 
diff --git a/sources b/sources
index fa93d12..bc2ad57 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libssh2-1.10.0.tar.gz) = e064ee1089eb8e6cd5fa2617f4fd8ff56c2721c5476775a98bdb68c6c4ee4d05c706c3bb0eb479a27a8ec0b17a8a5ef43e1d028ad3f134519aa582d3981a3a30
-SHA512 (libssh2-1.10.0.tar.gz.asc) = cfdd59406f1c22bb2a9c6b7d43442630bc889a339cea7ac968edb638022918b1cc961caf3a2a4b6bf8fc8bc582deb6ac927b6be31a11325372eb017f2bf19cf4
+SHA512 (libssh2-1.11.0.tar.gz) = ef85e152dc252bd9b1c05276972b9c22313f5d492743dde090235742746d67f634f2a419eff9162132e2274c8582113b75279b074e0c7b34b2526b92fd1a1e8e
+SHA512 (libssh2-1.11.0.tar.gz.asc) = 6187582a94be24d9ca68963b6d139982e8527378aee7ef8a4cbc0f5c2bae8aee4552e32ec85eb290ec4e940f1d6ebf6737f92468215e0b43b245762753bb2647