Compare commits

2 Commits
main ... 1.1

17 changed files with 3232 additions and 358 deletions


@@ -0,0 +1,53 @@
Index: libssh-0.10.0/tests/unittests/torture_misc.c
===================================================================
--- libssh-0.10.0.orig/tests/unittests/torture_misc.c 2022-07-07 15:53:51.000000000 +0200
+++ libssh-0.10.0/tests/unittests/torture_misc.c 2022-08-26 14:19:01.827866890 +0200
@@ -211,11 +211,13 @@ static void torture_timeout_elapsed(void
ssh_timestamp_init(&ts);
usleep(30000);
+#ifndef SLOW_TEST_SYSTEM
assert_true(ssh_timeout_elapsed(&ts,25));
assert_false(ssh_timeout_elapsed(&ts,30000));
assert_false(ssh_timeout_elapsed(&ts,75));
assert_true(ssh_timeout_elapsed(&ts,0));
assert_false(ssh_timeout_elapsed(&ts,-1));
+#endif /* SLOW_TEST_SYSTEM */
}
static void torture_timeout_update(void **state){
@@ -223,11 +225,13 @@ static void torture_timeout_update(void
(void) state;
ssh_timestamp_init(&ts);
usleep(50000);
+#ifndef SLOW_TEST_SYSTEM
assert_int_equal(ssh_timeout_update(&ts,25), 0);
assert_in_range(ssh_timeout_update(&ts,30000),29000,29960);
assert_in_range(ssh_timeout_update(&ts,75),1,40);
assert_int_equal(ssh_timeout_update(&ts,0),0);
assert_int_equal(ssh_timeout_update(&ts,-1),-1);
+#endif /* SLOW_TEST_SYSTEM */
}
static void torture_ssh_analyze_banner(void **state) {
Index: libssh-0.10.0/DefineOptions.cmake
===================================================================
--- libssh-0.10.0.orig/DefineOptions.cmake 2022-07-07 15:53:51.000000000 +0200
+++ libssh-0.10.0/DefineOptions.cmake 2022-08-26 14:19:41.500119198 +0200
@@ -25,6 +25,7 @@ option(WITH_GEX "Enable DH Group exchang
option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
+option(SLOW_TEST_SYSTEM "Disable tests that fail on slow systems" OFF)
if (WITH_ZLIB)
set(WITH_LIBZ ON)
@@ -60,3 +61,8 @@ endif (NOT GLOBAL_CLIENT_CONFIG)
if (FUZZ_TESTING)
set(WITH_INSECURE_NONE ON)
endif (FUZZ_TESTING)
+
+if (SLOW_TEST_SYSTEM)
+ set (SLOW_TEST_SYSTEM ON)
+ add_definitions(-DSLOW_TEST_SYSTEM)
+endif (SLOW_TEST_SYSTEM)
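Review bot: Under SLOW_TEST_SYSTEM the bodies of torture_timeout_elapsed and torture_timeout_update still run (including the usleep) but every assertion is compiled out, so both report as passing tests that check nothing; putting `#ifdef SLOW_TEST_SYSTEM` / `skip();` / `#endif` before the assertions instead of wrapping them in `#ifndef` would make cmocka report the tests as skipped, which is what a slow-builder exclusion actually means. In the DefineOptions.cmake hunk, `set (SLOW_TEST_SYSTEM ON)` inside `if (SLOW_TEST_SYSTEM)` is redundant, since the variable is already true on that branch; `add_definitions(-DSLOW_TEST_SYSTEM)` is the only line with an effect. Both test functions start outside their hunks.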

libssh-0.10.6.tar.xz (Stored with Git LFS) Normal file


libssh-0.10.6.tar.xz.asc Normal file

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=nXW5
-----END PGP SIGNATURE-----

libssh-0.11.1.tar.xz (Stored with Git LFS)



@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmbRl74ACgkQA9XfjP3T
6OdnSw/+IrXAbSSpjVNG5Wjz3WQjqXkWInCT+qNhcS5w+qasGW5i6mktoNJkg2Fd
P4iRCeJEuZbOHZLWXdUaDKjmlOUIda2xA8U01uw2VrleEu05JV/s5tS1MpVOPfDi
8+CTxPesFQ9uX9q+OojTr4QXqBDqv15sldwRVTKegNpLkk3xHUUaMjwikWKKxXG+
ypD4UCJWKVVhen9HPRSUOtruliZFPxQSLYvj4XKJxpr/QVaORS0EsTpdYP0h1+18
6epynp4e1/9GRTmrKa8/JcCd/4c2UnHBFpw0DU1YirLK+54/qD76o63MTbo7mKru
cgfypfA/sdeklGTZYLrCyizcrSc2poaTznczUZC6gi3FxivLoldFyDgXeSQWEieB
QTGgnaLkB2Y2XuBl9F9MatqFC35TBuUUwHBoEa31acQhmotui5tF4oq/JxRtZi8v
OyrTYc/xfmDh4SbWuEVqr6B2SZjhxrIvEGEe4adJQ/tVN2wweoNgTHt8XjBb1amB
M9RPeXG5Uon+gIXDVzjgx+DZ85FweCEngv+OdjHPIBWsJUEc722L/gypIFnBfaPV
JgM84wxQz2J8xyk2zEANog9M8ae5jG9TVJORO8to+gbRlKB2ZRDdDne0cgRUSWaj
0IKsnehsxjF2OqChjRqRMBhfVAA0hrYU1ngxwCcdAcdlbfgs5L0=
=P/pw
-----END PGP SIGNATURE-----


@@ -0,0 +1,52 @@
From 00f09acbec55962839fc7837ef14c56fb8fbaf72 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 15 Apr 2025 11:41:24 +0200
Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
Set maximum input to 256MB to have safe margin to the 1GB trigger point
for 32b arch.
The OOB should not be reachable by any internal code paths as most of
the buffers and strings we use as input for this operation already have
similar limit and none really allows this much of data.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/base64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/base64.c b/src/base64.c
index 0d8e378a..73dd0f77 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -29,6 +29,9 @@
#include "libssh/priv.h"
#include "libssh/buffer.h"
+/* Do not allow encoding more than 256MB of data */
+#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
+
static
const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
@@ -278,7 +281,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len)
{
uint8_t *base64 = NULL;
uint8_t *ptr = NULL;
- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+ size_t flen = 0;
+
+ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
+ * following line could overflow for sizes larger than SIZE_MAX / 4 */
+ if (len > BASE64_MAX_INPUT_LEN) {
+ return NULL;
+ }
+
+ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
flen = (4 * flen) / 3 + 1;
base64 = malloc(flen);
--
cgit v1.2.3
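Review bot: `#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024` expands unparenthesized; the only use in this hunk, `len > BASE64_MAX_INPUT_LEN`, happens to parse as intended, but any later expression such as `BASE64_MAX_INPUT_LEN + 1` or a division would silently misparse, so `#define BASE64_MAX_INPUT_LEN (256 * 1024 * 1024)` is the safer form. The new early `return NULL` for oversized input is presumably indistinguishable to callers from the allocation-failure path after `base64 = malloc(flen);`, which is good for callers that already check for NULL, and the macro comment could record that contract: `/* bin_to_base64() returns NULL for inputs above this size, as it does on allocation failure */`. bin_to_base64 continues outside the hunk.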

libssh-CVE-2025-4878-1.patch Normal file



@@ -0,0 +1,28 @@
From 8dc29f140be33b34e6e4a0c228bdce18eb610441 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 28 Apr 2025 11:04:55 +0200
Subject: CVE-2025-4878 legacy: Properly check return value to avoid NULL
pointer dereference
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/legacy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/legacy.c b/src/legacy.c
index 6ba5c624..65a47d6e 100644
--- a/src/legacy.c
+++ b/src/legacy.c
@@ -441,7 +441,7 @@ ssh_private_key privatekey_from_file(ssh_session session,
auth_fn,
auth_data,
&key);
- if (rc == SSH_ERROR) {
+ if (rc != SSH_OK) {
return NULL;
}
--
cgit v1.2.3


@@ -0,0 +1,24 @@
From ae8881dfe54214c0c0eb88345c35e15a14081b3d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 22 Apr 2025 21:18:44 +0200
Subject: CVE-2025-5318: sftpserver: Fix possible buffer overrun
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/sftpserver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: libssh-0.10.6/src/sftpserver.c
===================================================================
--- libssh-0.10.6.orig/src/sftpserver.c
+++ libssh-0.10.6/src/sftpserver.c
@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh
memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
- if (val > SFTP_HANDLES) {
+ if (val >= SFTP_HANDLES) {
return NULL;
}
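Review bot: The `memcpy(&val, ssh_string_data(handle), sizeof(uint32_t))` on the hunk's first context line copies four bytes out of a handle string supplied by the SFTP client, and any check that the string is at least that long is outside the hunk, so it is worth confirming that `ssh_string_len(handle) >= sizeof(uint32_t)` is verified before this point; sftp_handle starts and ends outside the hunk. The corrected bound would also read better with a comment tying it to the array it presumably indexes: `/* val indexes a table of SFTP_HANDLES entries, so SFTP_HANDLES itself is out of range */`.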


@@ -0,0 +1,31 @@
From acb158e8277adad473ed32ea1640a3d0b70d733b Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 6 May 2025 22:43:31 +0200
Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/pki_crypto.c | 2 ++
1 file changed, 2 insertions(+)
Index: libssh-0.10.6/src/pki_crypto.c
===================================================================
--- libssh-0.10.6.orig/src/pki_crypto.c
+++ libssh-0.10.6/src/pki_crypto.c
@@ -1962,6 +1962,7 @@ ssh_string pki_publickey_to_blob(const s
bignum_safe_free(bg);
bignum_safe_free(bpub_key);
OSSL_PARAM_free(params);
+ params = NULL;
#endif /* OPENSSL_VERSION_NUMBER */
break;
@@ -2023,6 +2024,7 @@ ssh_string pki_publickey_to_blob(const s
bignum_safe_free(bn);
bignum_safe_free(be);
OSSL_PARAM_free(params);
+ params = NULL;
#endif /* OPENSSL_VERSION_NUMBER */
break;
}
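Review bot: Both added `params = NULL;` lines carry no explanation, and an assignment immediately after `OSSL_PARAM_free(params)` looks redundant to a later reader and is exactly the kind of line a cleanup pass removes; the common path after the switch that frees params again is not in the hunks, so I am inferring it from the subject line. A comment on each would protect the fix: `/* freed again in the common cleanup path; reset to avoid a double free */`. The same pattern appearing in two case branches also suggests freeing params in one place only, but that is a larger change than this fix wants. pki_publickey_to_blob starts and ends outside the hunks.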

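--- /dev/null
+++ b/libssh-CVE-2025-5372.patch
@@ -0,0 +1,143 @@
+From e2afe196d8d77c42b2a764ae86f92c2964221f69 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
+return codes in ssh_kdf()
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+src/libcrypto.c | 62 ++++++++++++++++++++++++++-------------------------------
+1 file changed, 28 insertions(+), 34 deletions(-)
+Index: libssh-0.10.6/src/libcrypto.c
+===================================================================
+--- libssh-0.10.6.orig/src/libcrypto.c
++++ libssh-0.10.6/src/libcrypto.c
+@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *cr
+uint8_t key_type, unsigned char *output,
+size_t requested_len)
+{
+- int rc = -1;
++ int ret = SSH_ERROR, rv;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+#else
+@@ -185,81 +185,75 @@ int ssh_kdf(struct ssh_crypto_struct *cr
+}
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+sshkdf_digest_to_md(crypto->digest_type));
+- if (rc != 1) {
++ if (rv != 1) {
+goto out;
+}
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+- if (rc != 1) {
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
++ if (rv != 1) {
+goto out;
+}
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+crypto->secret_hash, crypto->digest_len);
+- if (rc != 1) {
++ if (rv != 1) {
+goto out;
+}
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+- if (rc != 1) {
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
++ if (rv != 1) {
+goto out;
+}
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+crypto->session_id, crypto->session_id_len);
+- if (rc != 1) {
++ if (rv != 1) {
+goto out;
+}
+- rc = EVP_KDF_derive(ctx, output, requested_len);
+- if (rc != 1) {
++ rv = EVP_KDF_derive(ctx, output, requested_len);
++ if (rv != 1) {
+goto out;
+}
+#else
+- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+md, strlen(md));
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+goto out;
+}
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+key, key_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+goto out;
+}
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+crypto->secret_hash,
+crypto->digest_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+goto out;
+}
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+crypto->session_id,
+crypto->session_id_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+goto out;
+}
+- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+(const char*)&key_type, 1);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+goto out;
+}
+params = OSSL_PARAM_BLD_to_param(param_bld);
+if (params == NULL) {
+- rc = -1;
+goto out;
+}
+- rc = EVP_KDF_derive(ctx, output, requested_len, params);
+- if (rc != 1) {
+- rc = -1;
++ rv = EVP_KDF_derive(ctx, output, requested_len, params);
++ if (rv != 1) {
+goto out;
+}
+#endif /* OPENSSL_VERSION_NUMBER */
++ ret = SSH_OK;
+out:
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -267,8 +261,8 @@ out:
+OSSL_PARAM_free(params);
+#endif
+EVP_KDF_CTX_free(ctx);
+- if (rc < 0) {
+- return rc;
++ if (ret < 0) {
++ return ret;
+}
+return 0;
+}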
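Review bot: `int ret = SSH_ERROR, rv;` declares the two variables on one line and leaves rv uninitialized; `int ret = SSH_ERROR;` and `int rv = 0;` on separate lines make the distinct roles obvious (ret is what the function returns, rv the status of each OpenSSL call). With ret now only ever SSH_ERROR or SSH_OK, the trailer `if (ret < 0) { return ret; } return 0;` collapses to `return ret;`. Every failing step still jumps to out silently, so a caller receives SSH_ERROR with no record of which EVP_KDF_ctrl or OSSL_PARAM_BLD call failed; the chacha20_poly1305_set_key hunk in libssh-CVE-2025-5987.patch, in the same src/libcrypto.c, logs at SSH_LOG_WARNING before its goto, and a matching `SSH_LOG(SSH_LOG_WARNING, "EVP_KDF_derive failed");` (and similar for the other steps) before each `goto out` would be consistent with it. ssh_kdf's parameter list begins before the first hunk.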


@@ -0,0 +1,28 @@
From bc4804aa9bb1092a4ede288cb29cae4506c0e393 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 6 May 2025 22:51:41 +0200
Subject: CVE-2025-5987 libcrypto: Correctly detect failures of chacha
initialization
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
src/libcrypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: libssh-0.10.6/src/libcrypto.c
===================================================================
--- libssh-0.10.6.orig/src/libcrypto.c
+++ libssh-0.10.6/src/libcrypto.c
@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cip
SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed");
goto out;
}
- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
u8key + CHACHA20_KEYLEN, NULL);
- if (ret != 1) {
+ if (rv != 1) {
SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed");
goto out;
}
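Review bot: The log message on the line after the changed check still reads `"EVP_CipherInit failed"` while the call being checked is EVP_EncryptInit_ex, which sends whoever reads the warning to the wrong function; `SSH_LOG(SSH_LOG_WARNING, "EVP_EncryptInit_ex failed");` names the actual call. The declaration of rv and the earlier uses of ret are outside the hunk, so I cannot confirm from here that rv is declared in this function; presumably the bug was that `ret` carried the function's result and the `1` returned by EVP_EncryptInit_ex on success was being propagated as that result. chacha20_poly1305_set_key starts and ends outside the hunk.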


@@ -1,251 +0,0 @@
From ae314e4a23178a355fb3e85e8a501efcbc1b9a74 Mon Sep 17 00:00:00 2001
From: Lucas Mulling <lucas.mulling@suse.com>
Date: Mon, 17 Feb 2025 14:13:53 -0300
Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR
Introduce a ssh_config_parse primitive. This avoids convoluted checks for file
presence (without modifing the behaviour of ssh_config_parse_file) and allows
marking whether the config is global at the call site.
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
CMakeLists.txt | 8 +++++-
DefineOptions.cmake | 6 +++++
config.h.cmake | 2 ++
include/libssh/options.h | 1 +
src/config.c | 57 ++++++++++++++++++++++++++++------------
src/options.c | 28 +++++++++++++++++++-
6 files changed, 83 insertions(+), 19 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d484bdfa..fee994cd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
message(STATUS "Symbol versioning: ${WITH_SYMBOL_VERSIONING}")
message(STATUS "Allow ABI break: ${WITH_ABI_BREAK}")
message(STATUS "Release is final: ${WITH_FINAL}")
+if (WITH_HERMETIC_USR)
+ message(STATUS "User global client config: ${USR_GLOBAL_CLIENT_CONFIG}")
+endif ()
message(STATUS "Global client config: ${GLOBAL_CLIENT_CONFIG}")
if (WITH_SERVER)
-message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
+ if (WITH_HERMETIC_USR)
+ message(STATUS "User global bind config: ${USR_GLOBAL_BIND_CONFIG}")
+ endif ()
+ message(STATUS "Global bind config: ${GLOBAL_BIND_CONFIG}")
endif()
message(STATUS "********************************************")
diff --git a/DefineOptions.cmake b/DefineOptions.cmake
index f1a6a244..91bb96db 100644
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -27,6 +27,7 @@ option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not s
option(WITH_EXEC "Enable libssh to execute arbitrary commands from configuration files or options (match exec, proxy commands and OpenSSH-based proxy-jumps)." ON)
option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
+option(WITH_HERMETIC_USR "Build with support for hermetic /usr/" OFF)
if (WITH_ZLIB)
set(WITH_LIBZ ON)
@@ -59,6 +60,11 @@ if (NOT GLOBAL_CLIENT_CONFIG)
set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
endif (NOT GLOBAL_CLIENT_CONFIG)
+if (WITH_HERMETIC_USR)
+ set(USR_GLOBAL_BIND_CONFIG "/usr${GLOBAL_BIND_CONFIG}")
+ set(USR_GLOBAL_CLIENT_CONFIG "/usr${GLOBAL_CLIENT_CONFIG}")
+endif (WITH_HERMETIC_USR)
+
if (FUZZ_TESTING)
set(WITH_INSECURE_NONE ON)
endif (FUZZ_TESTING)
diff --git a/config.h.cmake b/config.h.cmake
index 8dce5273..b61ce1db 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -9,9 +9,11 @@
#cmakedefine SOURCEDIR "${SOURCEDIR}"
/* Global bind configuration file path */
+#cmakedefine USR_GLOBAL_BIND_CONFIG "${USR_GLOBAL_BIND_CONFIG}"
#cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"
/* Global client configuration file path */
+#cmakedefine USR_GLOBAL_CLIENT_CONFIG "${USR_GLOBAL_CLIENT_CONFIG}"
#cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
/************************** HEADER FILES *************************/
diff --git a/include/libssh/options.h b/include/libssh/options.h
index d32e1589..63b207fa 100644
--- a/include/libssh/options.h
+++ b/include/libssh/options.h
@@ -25,6 +25,7 @@
extern "C" {
#endif
+int ssh_config_parse(ssh_session session, FILE *fp, bool global);
int ssh_config_parse_file(ssh_session session, const char *filename);
int ssh_config_parse_string(ssh_session session, const char *input);
int ssh_options_set_algo(ssh_session session,
diff --git a/src/config.c b/src/config.c
index 7bb0f50f..7ad3b620 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1449,6 +1449,31 @@ ssh_config_parse_line(ssh_session session,
return 0;
}
+/* @brief Parse configuration from a file pointer
+ *
+ * @params[in] session The ssh session
+ * @params[in] fp A valid file pointer
+ * @params[in] global Whether the config is global or not
+ *
+ * @returns 0 on successful parsing the configuration file, -1 on error
+ */
+int ssh_config_parse(ssh_session session, FILE *fp, bool global) {
+ char line[MAX_LINE_SIZE] = {0};
+ unsigned int count = 0;
+ int parsing, rv;
+
+ parsing = 1;
+ while (fgets(line, sizeof(line), fp)) {
+ count++;
+ rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
+ if (rv < 0) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
/* @brief Parse configuration file and set the options to the given session
*
* @params[in] session The ssh session
@@ -1458,36 +1483,34 @@ ssh_config_parse_line(ssh_session session,
*/
int ssh_config_parse_file(ssh_session session, const char *filename)
{
- char line[MAX_LINE_SIZE] = {0};
- unsigned int count = 0;
- FILE *f;
- int parsing, rv;
+ FILE *fp;
+ int rv;
bool global = 0;
- f = fopen(filename, "r");
- if (f == NULL) {
+ fp = fopen(filename, "r");
+ if (fp == NULL) {
return 0;
}
+#ifdef USR_GLOBAL_CLIENT_CONFIG
+ rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
+ if (rv != 0) {
+ rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
+ }
+#else
rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
+#endif
+
if (rv == 0) {
global = true;
}
SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", filename);
- parsing = 1;
- while (fgets(line, sizeof(line), f)) {
- count++;
- rv = ssh_config_parse_line(session, line, count, &parsing, 0, global);
- if (rv < 0) {
- fclose(f);
- return -1;
- }
- }
+ rv = ssh_config_parse(session, fp, global);
- fclose(f);
- return 0;
+ fclose(fp);
+ return rv;
}
/* @brief Parse configuration string and set the options to the given session
diff --git a/src/options.c b/src/options.c
index 55c7be39..45346fd1 100644
--- a/src/options.c
+++ b/src/options.c
@@ -26,6 +26,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#ifndef _WIN32
#include <pwd.h>
#else
@@ -1814,6 +1815,8 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
*
* @param filename The options file to use, if NULL the default
* ~/.ssh/config and /etc/ssh/ssh_config will be used.
+ * If complied with support for hermetic-usr,
+ * /usr/etc/ssh/ssh_config will be used last.
*
* @return 0 on success, < 0 on error.
*
@@ -1823,6 +1826,9 @@ int ssh_options_parse_config(ssh_session session, const char *filename)
{
char *expanded_filename;
int r;
+#ifdef USR_GLOBAL_CLIENT_CONFIG
+ FILE *fp;
+#endif
if (session == NULL) {
return -1;
@@ -1855,7 +1861,19 @@ int ssh_options_parse_config(ssh_session session, const char *filename)
goto out;
}
if (filename == NULL) {
- r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
+#ifdef USR_GLOBAL_CLIENT_CONFIG
+ if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", GLOBAL_CLIENT_CONFIG);
+ r = ssh_config_parse(session, fp, true);
+ fclose(fp);
+ } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", USR_GLOBAL_CLIENT_CONFIG);
+ r = ssh_config_parse(session, fp, true);
+ fclose(fp);
+ }
+#else
+ r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
+#endif
}
/* Do not process the default configuration as part of connection again */
@@ -2706,7 +2724,15 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename)
/* If the global default configuration hasn't been processed yet, process it
* before the provided configuration. */
if (!(sshbind->config_processed)) {
+#ifdef USR_GLOBAL_BIND_CONFIG
+ if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) {
+ rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
+ } else {
+ rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG);
+ }
+#else
rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
+#endif
if (rc != 0) {
return rc;
}
--
2.48.1


@@ -0,0 +1,265 @@
From 66ac6343b246458a6645ae32f75556a1407031ec Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 22 Dec 2023 10:32:40 +0100
Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
include/libssh/config_parser.h | 11 ++++++++---
src/config.c | 4 ++--
src/config_parser.c | 19 ++++++++++++++-----
src/options.c | 10 ++--------
4 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
index a7dd42a2c..ca353432b 100644
--- a/include/libssh/config_parser.h
+++ b/include/libssh/config_parser.h
@@ -30,6 +30,8 @@
extern "C" {
#endif
+#include <stdbool.h>
+
char *ssh_config_get_cmd(char **str);
char *ssh_config_get_token(char **str);
@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
* be stored or NULL if we do not care about the result.
* @param[out] port Pointer to the location, where the new port will
* be stored or NULL if we do not care about the result.
+ * @param[in] ignore_port Set to true if the we should not attempt to parse
+ * port number.
*
* @returns SSH_OK if the provided string is in format of SSH URI,
* SSH_ERROR on failure
*/
int ssh_config_parse_uri(const char *tok,
- char **username,
- char **hostname,
- char **port);
+ char **username,
+ char **hostname,
+ char **port,
+ bool ignore_port);
#ifdef __cplusplus
}
diff --git a/src/config.c b/src/config.c
index 5eedbce96..7135c3b19 100644
--- a/src/config.c
+++ b/src/config.c
@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
}
if (parse_entry) {
/* We actually care only about the first item */
- rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
+ rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
/* The rest of the list needs to be passed on */
if (endp != NULL) {
next = strdup(endp + 1);
@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
}
} else {
/* The rest is just sanity-checked to avoid failures later */
- rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
+ rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
}
if (rv != SSH_OK) {
goto out;
diff --git a/src/config_parser.c b/src/config_parser.c
index 9ffc8b8b0..b30e94091 100644
--- a/src/config_parser.c
+++ b/src/config_parser.c
@@ -161,10 +161,14 @@ int ssh_config_get_yesno(char **str, int notfound)
return notfound;
}
+/* Parse the URI extracting parts such as a username, hostname and port.
+ * If the port is NULL, do not expect port present and be more lax for example
+ * with matching IPv6 address which have the same separators as host:port */
int ssh_config_parse_uri(const char *tok,
- char **username,
- char **hostname,
- char **port)
+ char **username,
+ char **hostname,
+ char **port,
+ bool ignore_port)
{
char *endp = NULL;
long port_n;
@@ -210,12 +214,17 @@ int ssh_config_parse_uri(const char *tok,
if (endp == NULL) {
goto error;
}
- } else {
- /* Hostnames or aliases expand to the last colon or to the end */
+ } else if (!ignore_port) {
+ /* Hostnames or aliases expand to the last colon (if port is requested)
+ * or to the end */
endp = strrchr(tok, ':');
if (endp == NULL) {
endp = strchr(tok, '\0');
}
+ } else {
+ /* If no port is requested, expand to the end of line
+ * (to accommodate the IPv6 addresses) */
+ endp = strchr(tok, '\0');
}
if (tok == endp) {
/* Zero-length hostnames are not valid */
diff --git a/src/options.c b/src/options.c
index 2e73be462..676c49e7a 100644
--- a/src/options.c
+++ b/src/options.c
@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
ssh_set_error_invalid(session);
return -1;
} else {
- char *username = NULL, *hostname = NULL, *port = NULL;
- rc = ssh_config_parse_uri(value, &username, &hostname, &port);
+ char *username = NULL, *hostname = NULL;
+ rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
if (rc != SSH_OK) {
return -1;
}
- if (port != NULL) {
- SAFE_FREE(username);
- SAFE_FREE(hostname);
- SAFE_FREE(port);
- return -1;
- }
if (username != NULL) {
SAFE_FREE(session->opts.username);
session->opts.username = username;
--
GitLab
From f2ec751f09901b9c539ae096f5ee4fc63f305f30 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 22 Dec 2023 09:52:18 +0100
Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
hostnames
This was an issue in cockpit:
https://github.com/cockpit-project/cockpit/issues/19772
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/unittests/torture_config.c | 49 +++++++++++++++++++++++++++++++
tests/unittests/torture_options.c | 16 ++++++++++
2 files changed, 65 insertions(+)
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index bc6b08f94..751aa126c 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
torture_config_make_absolute_int(state, 1);
}
+static void torture_config_parse_uri(void **state)
+{
+ char *username = NULL;
+ char *hostname = NULL;
+ char *port = NULL;
+ int rc;
+
+ (void)state; /* unused */
+
+ rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "localhost");
+ SAFE_FREE(hostname);
+ assert_null(port);
+
+ rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1.2.3.4");
+ SAFE_FREE(hostname);
+ assert_null(port);
+
+ rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1.2.3.4");
+ SAFE_FREE(hostname);
+ assert_string_equal(port, "2222");
+ SAFE_FREE(port);
+
+ rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1:2:3::4");
+ SAFE_FREE(hostname);
+ assert_string_equal(port, "2222");
+ SAFE_FREE(port);
+
+ /* do not want port */
+ rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
+ assert_return_code(rc, errno);
+ assert_null(username);
+ assert_string_equal(hostname, "1:2:3::4");
+ SAFE_FREE(hostname);
+}
+
int torture_run_tests(void)
{
int rc;
@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
setup, teardown),
cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
setup_no_sshdir, teardown),
+ cmocka_unit_test_setup_teardown(torture_config_parse_uri,
+ setup, teardown),
};
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index 5ba3bdc6a..b07712d86 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "localhost");
+ /* IPv4 address */
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
+ assert_true(rc == 0);
+ assert_non_null(session->opts.host);
+ assert_string_equal(session->opts.host, "127.1.1.1");
+ assert_null(session->opts.username);
+
+ /* IPv6 address */
+ rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
+ assert_true(rc == 0);
+ assert_non_null(session->opts.host);
+ assert_string_equal(session->opts.host, "::1");
+ assert_null(session->opts.username);
+
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
assert_true(rc == 0);
assert_non_null(session->opts.host);
@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
assert_non_null(session->opts.username);
assert_string_equal(session->opts.username, "guru");
+ /* more @ in uri is OK -- it should go to the username */
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
assert_true(rc == 0);
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "hostname");
assert_non_null(session->opts.username);
assert_string_equal(session->opts.username, "at@login");
+
}
static void torture_options_set_ciphers(void **state) {
--
GitLab
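Review bot: The comment added above ssh_config_parse_uri in src/config_parser.c says `If the port is NULL, do not expect port present`, but the code branches on the new `ignore_port` argument rather than on `port == NULL`, and the header documents `ignore_port` as a separate flag; the comment should read `If ignore_port is true, do not expect a port and be more lax ...` so the two descriptions do not contradict each other (the header doc also has a typo, `if the we should`). In src/options.c, as far as the hunk shows, passing `NULL, true` makes everything up to the end of the string the hostname, so a value such as `host:2222` that the removed `if (port != NULL)` block used to reject now appears to be accepted as a literal hostname; the new torture_options_set_host cases cover `127.1.1.1` and `::1` but not that input, so a test pinning the intended result for it would be useful. The `@` handling earlier in ssh_config_parse_uri is outside the hunk, so this is inferred from the visible branch only.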


@@ -1,47 +1,20 @@
-------------------------------------------------------------------
Tue Feb 18 19:08:10 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
Wed Jun 25 15:49:50 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
- Move global config dir to /usr/etc/libssh (bsc#1222716)
* Add patch libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
-------------------------------------------------------------------
Tue Feb 4 16:26:22 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Do not Require cmake from the devel package: there is no
requirement that consumers would be using cmake.
- Own %{_libdir}/cmake to not leave traces when uninstalling the
package and being the only one left installing files to that
directory.
-------------------------------------------------------------------
Fri Sep 13 07:42:23 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to version 0.11.1:
* Fixed default TTY modes that are set when stdin is not
connected to tty.
* Fixed zlib cleanup procedure, which could crash on i386.
* Various test fixes improving their stability.
* Remove 0001-disable-timeout-test-on-slow-buildsystems.patch
to enable slow tests also in s390 s390x ppc64le.
-------------------------------------------------------------------
Fri Sep 13 07:41:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Set BuildArch: noarch for the config package as it only ships
configuration files.
-------------------------------------------------------------------
Fri Aug 9 07:46:28 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
- Update to version 0.11.0
https://www.libssh.org/2024/08/08/libssh-0-11-0-release/
- Updated 0001-disable-timeout-test-on-slow-buildsystems.patch
- Removed libssh-fix-ipv6-hostname-regression.patch
-------------------------------------------------------------------
Fri Apr 12 08:46:41 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Don't change the path for crypto-policies libssh.config (bsc#1222716)
- Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
* Add patch libssh-CVE-2025-5372.patch
- Fix CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend (bsc#1245317)
* Add patch libssh-CVE-2025-5987.patch
- Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
* Add patch libssh-CVE-2025-4877.patch
- Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
* Add patches:
- libssh-CVE-2025-4878-1.patch
- libssh-CVE-2025-4878-2.patch
- Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
* Add patch libssh-CVE-2025-5318.patch
- Fix CVE-2025-5351: Double free in functions exporting keys (bsc#1245312)
* Add patch libssh-CVE-2025-5351.patch
-------------------------------------------------------------------
Sat Dec 23 10:35:07 UTC 2023 - Andreas Schneider <asn@cryptomilk.org>



@@ -1,7 +1,7 @@
#
# spec file for package libssh
# spec file
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,33 +19,46 @@
%global flavor @BUILD_FLAVOR@%{nil}
%if "%{flavor}" == "test"
%define pkg_suffix -test
%ifarch s390 s390x ppc64le
%define slow_test_system "ON"
%else
%define slow_test_system "OFF"
%endif
%bcond_without test
%else
%define pkg_suffix %{nil}
%bcond_with test
%endif
%if %{defined _distconfdir}
%define _configdir %{_distconfdir}
%else
%define _configdir %{_sysconfdir}
%endif
Name: libssh%{pkg_suffix}
Version: 0.11.1
Version: 0.10.6
Release: 0
Summary: The SSH library
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
URL: https://www.libssh.org
Source0: https://www.libssh.org/files/0.11/libssh-%{version}.tar.xz
Source1: https://www.libssh.org/files/0.11/libssh-%{version}.tar.xz.asc
Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/libssh.keyring
Source0: https://www.libssh.org/files/0.10/libssh-%{version}.tar.xz
Source1: https://www.libssh.org/files/0.10/libssh-%{version}.tar.xz.asc
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/libssh.keyring
Source3: libssh_client.config
Source4: libssh_server.config
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies location (bsc#1222716)
Patch0: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
Patch0: 0001-disable-timeout-test-on-slow-buildsystems.patch
Patch1: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431.patch#/libssh-fix-ipv6-hostname-regression.patch
# PATCH-FIX-UPSTREAM: ssh_kdf() returns a success code on certain failures (CVE-2025-5372, bsc#1245314)
Patch100: libssh-CVE-2025-5372.patch
# PATCH-FIX-UPSTREAM: Invalid return code for chacha20 poly1305 with OpenSSL backend (CVE-2025-5987, bsc#1245317)
Patch101: libssh-CVE-2025-5987.patch
# PATCH-FIX-UPSTREAM: Write beyond bounds in binary to base64 conversion functions (CVE-2025-4877, bsc#1245309)
Patch102: libssh-CVE-2025-4877.patch
# PATCH-FIX-UPSTREAM: Use of uninitialized variable in privatekey_from_file() (CVE-2025-4878, bsc#1245310)
Patch103: libssh-CVE-2025-4878-1.patch
Patch104: libssh-CVE-2025-4878-2.patch
# PATCH-FIX-UPSTREAM: Likely read beyond bounds in sftp server handle management (CVE-2025-5318, bsc#1245311)
Patch105: libssh-CVE-2025-5318.patch
# PATCH-FIX-UPSTREAM: Double free in functions exporting keys (CVE-2025-5351, bsc#1245312)
Patch106: libssh-CVE-2025-5351.patch
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: krb5-devel
@@ -90,7 +103,6 @@ confused with libssh2 available from https://www.libssh2.org (libssh2 package)
%package config
Summary: SSH library configuration files
Group: Productivity/Networking/SSH
BuildArch: noarch
%description config
Configuration files for the SSH library.
@@ -98,6 +110,7 @@ Configuration files for the SSH library.
%package devel
Summary: SSH library development headers
Group: Development/Libraries/C and C++
Requires: cmake
Requires: libssh4 = %{version}
%description devel
@@ -111,6 +124,7 @@ Development headers for the SSH library.
-DCMAKE_C_FLAGS:STRING="%{optflags} -DOPENSSL_LOAD_CONF" \
%if %{with test}
-DUNIT_TESTING="ON" \
-DSLOW_TEST_SYSTEM=%{slow_test_system} \
%if 0%{?suse_version} > 1550
-DCLIENT_TESTING=ON \
-DSERVER_TESTING=ON \
@@ -118,9 +132,6 @@ Development headers for the SSH library.
%endif
-DWITH_GSSAPI=ON \
-DWITH_EXAMPLES="OFF" \
%if %{defined _distconfdir}
-DWITH_HERMETIC_USR=ON \
%endif
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
@@ -130,17 +141,14 @@ make %{?_smp_mflags}
%if !%{with test}
%cmake_install
install -d -m755 %{buildroot}%{_configdir}/libssh
install -m644 %{SOURCE3} %{buildroot}%{_configdir}/libssh/libssh_client.config
install -m644 %{SOURCE4} %{buildroot}%{_configdir}/libssh/libssh_server.config
install -d -m755 %{buildroot}%{_sysconfdir}/libssh
install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
# Fix incorrect include path, (boo#1211718).
%if 0%{?suse_version} > 1600
sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_configdir}/libssh/libssh_client.config
sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_configdir}/libssh/libssh_server.config
# Don't change the path for crypto-policies libssh.config (bsc#1222716)
sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_configdir}/libssh/libssh_client.config
sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot}%{_configdir}/libssh/libssh_server.config
sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
sed -i '/^Include/ s|/etc|/usr/etc|' %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
%endif
%endif
@@ -161,30 +169,14 @@ sed -i '/^Include/ s|/usr/etc/crypto-policies|/etc/crypto-policies|' %{buildroot
%{_libdir}/libssh.so.*
%files config
%dir %{_configdir}/libssh
%if %{defined _distconfdir}
%{_configdir}/libssh/libssh_client.config
%{_configdir}/libssh/libssh_server.config
%else
%config(noreplace) %{_configdir}/libssh/libssh_client.config
%config(noreplace) %{_configdir}/libssh/libssh_server.config
%endif
%if %{defined _distconfdir}
%pre config
test -f /etc/libssh/libssh_server.config.rpmsave && mv -v /etc/libssh/libssh_server.config.rpmsave /etc/libssh/libssh_server.config.rpmsave.old ||:
test -f /etc/libssh/libssh_client.config.rpmsave && mv -v /etc/libssh/libssh_client.config.rpmsave /etc/libssh/libssh_client.config.rpmsave.old ||:
%posttrans config
test -f /etc/libssh/libssh_server.config.rpmsave && mv -v /etc/libssh/libssh_server.config.rpmsave /etc/libssh/libssh_server.config ||:
test -f /etc/libssh/libssh_client.config.rpmsave && mv -v /etc/libssh/libssh_client.config.rpmsave /etc/libssh/libssh_client.config ||:
%endif
%dir %{_sysconfdir}/libssh
%config(noreplace) %{_sysconfdir}/libssh/libssh_client.config
%config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%files devel
%{_includedir}/libssh
%{_libdir}/libssh.so
%{_libdir}/pkgconfig/libssh.pc
%dir %{_libdir}/cmake
%dir %{_libdir}/cmake/libssh
%{_libdir}/cmake/libssh/libssh-config.cmake
%{_libdir}/cmake/libssh/libssh-config-relwithdebinfo.cmake