import libssh-0.11.1-1.el10

3 months ago · 7affb53338
parent 603ee8d8fd
commit 7affb53338
13 changed files with 141 additions and 4554 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-SOURCES/libssh-0.10.6.tar.xz
+SOURCES/libssh-0.11.1.tar.xz
 SOURCES/libssh.keyring
--- a/.libssh.metadata
+++ b/.libssh.metadata
@ -1,2 +1 @@
-e8fb3b4750db11d2483cac4b5f046e301c09b72f SOURCES/libssh-0.10.6.tar.xz
+1ddc90daacc4aedd3ab1c5407adc44925e0ba28e SOURCES/libssh-0.11.1.tar.xz
 3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring
--- a/SOURCES/libssh-0.10.6-compress.patch
+++ b/SOURCES/libssh-0.10.6-compress.patch
@ -1,41 +0,0 @@
 From c9cfeb9b838b801c3e2bb070c3db914e81ca4e68 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Mon, 12 Aug 2024 17:49:46 +0200
 Subject: [PATCH] wrapper: Avoid asymmetric termination of gzip context
 For some reason, both compress and decompress contexts were terminated
 with both compress and decompress end functions (if the deflateEnd worked),
 which was causing for some another unexplained reasons issues on i686
 architecture when running the torture_packet unit test.
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 src/wrapper.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/src/wrapper.c b/src/wrapper.c
 index bf949ea9..d9cf6db5 100644
 --- a/src/wrapper.c
 +++ b/src/wrapper.c
@@ -200,14 +200,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
         SAFE_FREE(crypto->secret_hash);
     }
 #ifdef WITH_ZLIB
 -    if (crypto->compress_out_ctx &&
 -        (deflateEnd(crypto->compress_out_ctx) != 0)) {
 -        inflateEnd(crypto->compress_out_ctx);
 +    if (crypto->compress_out_ctx) {
 +        deflateEnd(crypto->compress_out_ctx);
     }
     SAFE_FREE(crypto->compress_out_ctx);
 -    if (crypto->compress_in_ctx &&
 -        (deflateEnd(crypto->compress_in_ctx) != 0)) {
 +    if (crypto->compress_in_ctx) {
         inflateEnd(crypto->compress_in_ctx);
     }
     SAFE_FREE(crypto->compress_in_ctx);
 -- 
 2.46.0
--- a/SOURCES/libssh-0.10.6-ipv6-hostname.patch
+++ b/SOURCES/libssh-0.10.6-ipv6-hostname.patch
@ -1,263 +0,0 @@
 From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 22 Dec 2023 10:32:40 +0100
 Subject: [PATCH 1/2] Fix regression in IPv6 addresses in hostname parsing
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 include/libssh/config_parser.h | 11 ++++++++---
 src/config.c                   |  4 ++--
 src/config_parser.c            | 16 +++++++++++-----
 src/options.c                  | 10 ++--------
 4 files changed, 23 insertions(+), 18 deletions(-)
 diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
 index a7dd42a2..ca353432 100644
 --- a/include/libssh/config_parser.h
 +++ b/include/libssh/config_parser.h
@@ -30,6 +30,8 @@
 extern "C" {
 #endif
 +#include <stdbool.h>
 +
 char *ssh_config_get_cmd(char **str);
 char *ssh_config_get_token(char **str);
@@ -49,14 +51,17 @@ int ssh_config_get_yesno(char **str, int notfound);
  *                       be stored or NULL if we do not care about the result.
  * @param[out]  port     Pointer to the location, where the new port will
  *                       be stored or NULL if we do not care about the result.
 + * @param[in]   ignore_port Set to true if the we should not attempt to parse
 + *                       port number.
  *
  * @returns     SSH_OK if the provided string is in format of SSH URI,
  *              SSH_ERROR on failure
  */
 int ssh_config_parse_uri(const char *tok,
 -        char **username,
 -        char **hostname,
 -        char **port);
 +                         char **username,
 +                         char **hostname,
 +                         char **port,
 +                         bool ignore_port);
 #ifdef __cplusplus
 }
 diff --git a/src/config.c b/src/config.c
 index 5eedbce9..7135c3b1 100644
 --- a/src/config.c
 +++ b/src/config.c
@@ -464,7 +464,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
         }
         if (parse_entry) {
             /* We actually care only about the first item */
 -            rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
 +            rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
             /* The rest of the list needs to be passed on */
             if (endp != NULL) {
                 next = strdup(endp + 1);
@@ -475,7 +475,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
             }
         } else {
             /* The rest is just sanity-checked to avoid failures later */
 -            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
 +            rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
         }
         if (rv != SSH_OK) {
             goto out;
 diff --git a/src/config_parser.c b/src/config_parser.c
 index 9ffc8b8b..5f30cd3e 100644
 --- a/src/config_parser.c
 +++ b/src/config_parser.c
@@ -162,9 +162,10 @@ int ssh_config_get_yesno(char **str, int notfound)
 }
 int ssh_config_parse_uri(const char *tok,
 -        char **username,
 -        char **hostname,
 -        char **port)
 +                         char **username,
 +                         char **hostname,
 +                         char **port,
 +                         bool ignore_port)
 {
     char *endp = NULL;
     long port_n;
@@ -210,12 +211,17 @@ int ssh_config_parse_uri(const char *tok,
         if (endp == NULL) {
             goto error;
         }
 -    } else {
 -        /* Hostnames or aliases expand to the last colon or to the end */
 +    } else if (!ignore_port) {
 +        /* Hostnames or aliases expand to the last colon (if port is requested)
 +         * or to the end */
         endp = strrchr(tok, ':');
         if (endp == NULL) {
             endp = strchr(tok, '\0');
         }
 +    } else {
 +        /* If no port is requested, expand to the end of line
 +         * (to accommodate the IPv6 addresses) */
 +        endp = strchr(tok, '\0');
     }
     if (tok == endp) {
         /* Zero-length hostnames are not valid */
 diff --git a/src/options.c b/src/options.c
 index 2e73be46..676c49e7 100644
 --- a/src/options.c
 +++ b/src/options.c
@@ -634,17 +634,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                 ssh_set_error_invalid(session);
                 return -1;
             } else {
 -                char *username = NULL, *hostname = NULL, *port = NULL;
 -                rc = ssh_config_parse_uri(value, &username, &hostname, &port);
 +                char *username = NULL, *hostname = NULL;
 +                rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
                 if (rc != SSH_OK) {
                     return -1;
                 }
 -                if (port != NULL) {
 -                    SAFE_FREE(username);
 -                    SAFE_FREE(hostname);
 -                    SAFE_FREE(port);
 -                    return -1;
 -                }
                 if (username != NULL) {
                     SAFE_FREE(session->opts.username);
                     session->opts.username = username;
 -- 
 2.43.0
 From 6f6e453d7b0ad4ee6a6f6a1c96a9a6b27821410d Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 22 Dec 2023 09:52:18 +0100
 Subject: [PATCH 2/2] tests: Increase test coverage for IPv6 address parsing as
 hostnames
 This was an issue in cockpit:
 https://github.com/cockpit-project/cockpit/issues/19772
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 tests/unittests/torture_config.c  | 49 +++++++++++++++++++++++++++++++
 tests/unittests/torture_options.c | 16 ++++++++++
 2 files changed, 65 insertions(+)
 diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
 index bc6b08f9..751aa126 100644
 --- a/tests/unittests/torture_config.c
 +++ b/tests/unittests/torture_config.c
@@ -2332,6 +2332,53 @@ static void torture_config_make_absolute_no_sshdir(void **state)
     torture_config_make_absolute_int(state, 1);
 }
 +static void torture_config_parse_uri(void **state)
 +{
 +    char *username = NULL;
 +    char *hostname = NULL;
 +    char *port = NULL;
 +    int rc;
 +
 +    (void)state; /* unused */
 +
 +    rc = ssh_config_parse_uri("localhost", &username, &hostname, &port, false);
 +    assert_return_code(rc, errno);
 +    assert_null(username);
 +    assert_string_equal(hostname, "localhost");
 +    SAFE_FREE(hostname);
 +    assert_null(port);
 +
 +    rc = ssh_config_parse_uri("1.2.3.4", &username, &hostname, &port, false);
 +    assert_return_code(rc, errno);
 +    assert_null(username);
 +    assert_string_equal(hostname, "1.2.3.4");
 +    SAFE_FREE(hostname);
 +    assert_null(port);
 +
 +    rc = ssh_config_parse_uri("1.2.3.4:2222", &username, &hostname, &port, false);
 +    assert_return_code(rc, errno);
 +    assert_null(username);
 +    assert_string_equal(hostname, "1.2.3.4");
 +    SAFE_FREE(hostname);
 +    assert_string_equal(port, "2222");
 +    SAFE_FREE(port);
 +
 +    rc = ssh_config_parse_uri("[1:2:3::4]:2222", &username, &hostname, &port, false);
 +    assert_return_code(rc, errno);
 +    assert_null(username);
 +    assert_string_equal(hostname, "1:2:3::4");
 +    SAFE_FREE(hostname);
 +    assert_string_equal(port, "2222");
 +    SAFE_FREE(port);
 +
 +    /* do not want port */
 +    rc = ssh_config_parse_uri("1:2:3::4", &username, &hostname, NULL, true);
 +    assert_return_code(rc, errno);
 +    assert_null(username);
 +    assert_string_equal(hostname, "1:2:3::4");
 +    SAFE_FREE(hostname);
 +}
 +
 int torture_run_tests(void)
 {
     int rc;
@@ -2424,6 +2471,8 @@ int torture_run_tests(void)
                                         setup, teardown),
         cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir,
                                         setup_no_sshdir, teardown),
 +        cmocka_unit_test_setup_teardown(torture_config_parse_uri,
 +                                        setup, teardown),
     };
 diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
 index 5ba3bdc6..b07712d8 100644
 --- a/tests/unittests/torture_options.c
 +++ b/tests/unittests/torture_options.c
@@ -57,6 +57,20 @@ static void torture_options_set_host(void **state) {
     assert_non_null(session->opts.host);
     assert_string_equal(session->opts.host, "localhost");
 +    /* IPv4 address */
 +    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.1.1.1");
 +    assert_true(rc == 0);
 +    assert_non_null(session->opts.host);
 +    assert_string_equal(session->opts.host, "127.1.1.1");
 +    assert_null(session->opts.username);
 +
 +    /* IPv6 address */
 +    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "::1");
 +    assert_true(rc == 0);
 +    assert_non_null(session->opts.host);
 +    assert_string_equal(session->opts.host, "::1");
 +    assert_null(session->opts.username);
 +
     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
     assert_true(rc == 0);
     assert_non_null(session->opts.host);
@@ -64,12 +78,14 @@ static void torture_options_set_host(void **state) {
     assert_non_null(session->opts.username);
     assert_string_equal(session->opts.username, "guru");
 +    /* more @ in uri is OK -- it should go to the username */
     rc = ssh_options_set(session, SSH_OPTIONS_HOST, "at@login@hostname");
     assert_true(rc == 0);
     assert_non_null(session->opts.host);
     assert_string_equal(session->opts.host, "hostname");
     assert_non_null(session->opts.username);
     assert_string_equal(session->opts.username, "at@login");
 +
 }
 static void torture_options_set_ciphers(void **state) {
 -- 
 2.43.0
--- a/SOURCES/libssh-0.10.6-no-engine.patch
+++ b/SOURCES/libssh-0.10.6-no-engine.patch
@ -1,48 +0,0 @@
 diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
 --- libssh-0.10.6/src/libcrypto.c.no-engine	2024-07-31 09:25:56.460404672 +0200
 +++ libssh-0.10.6/src/libcrypto.c	2024-07-31 09:28:46.900273530 +0200
@@ -94,7 +94,7 @@ void ssh_reseed(void){
 #endif
 }
 -#ifndef WITH_PKCS11_PROVIDER
 +#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
 static ENGINE *engine = NULL;
 ENGINE *pki_get_engine(void)
@@ -126,7 +126,7 @@ ENGINE *pki_get_engine(void)
     }
     return engine;
 }
 -#endif /* WITH_PKCS11_PROVIDER */
 +#endif /* defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) */
 #ifdef HAVE_OPENSSL_EVP_KDF_CTX
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 diff -up libssh-0.10.6/src/pki_crypto.c.no-engine libssh-0.10.6/src/pki_crypto.c
 --- libssh-0.10.6/src/pki_crypto.c.no-engine	2024-07-31 09:26:34.296823306 +0200
 +++ libssh-0.10.6/src/pki_crypto.c	2024-07-31 09:29:36.414810967 +0200
@@ -33,7 +33,9 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 +#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
 #include <openssl/engine.h>
 +#endif
 #include <openssl/err.h>
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 #include <openssl/dsa.h>
 diff -up libssh-0.10.6/src/libcrypto.c.no-engine libssh-0.10.6/src/libcrypto.c
 --- libssh-0.10.6/src/libcrypto.c.no-engine	2024-07-31 11:03:45.262319724 +0200
 +++ libssh-0.10.6/src/libcrypto.c	2024-07-31 11:04:59.842161279 +0200
@@ -53,7 +53,9 @@
 #include <openssl/core_names.h>
 #endif /* OPENSSL_VERSION_NUMBER */
 #include <openssl/rand.h>
 +#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
 #include <openssl/engine.h>
 +#endif
 #include "libcrypto-compat.h"
--- a/SOURCES/libssh-0.10.6-pkcs11-provider.patch
+++ b/SOURCES/libssh-0.10.6-pkcs11-provider.patch
--- a/SOURCES/libssh-0.10.6-rate-limit.patch
+++ b/SOURCES/libssh-0.10.6-rate-limit.patch
@ -1,47 +0,0 @@
 From 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 9 Aug 2024 11:30:15 +0200
 Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
 The new OpenSSH rate limits the failed authentication attempts per source
 address and drops connection when the amount is reached, which is happening
 in our testsuite.
 By whitelisting the IP address of the client on the socket wrapper,
 this allows the tests to pass.
 https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 ---
 tests/torture.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/tests/torture.c b/tests/torture.c
 index c832dfa6..ad0a7836 100644
 --- a/tests/torture.c
 +++ b/tests/torture.c
@@ -755,6 +755,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
              "HostKeyAlgorithms " OPENSSH_KEYS "\n"
 #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
              "CASignatureAlgorithms " OPENSSH_KEYS "\n"
 +#endif
 +#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
 +             "PerSourcePenaltyExemptList 127.0.0.21\n"
 #endif
              "Ciphers " OPENSSH_CIPHERS "\n"
              "KexAlgorithms " OPENSSH_KEX "\n"
@@ -786,6 +789,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
              "%s\n" /* Here comes UsePam */
              "%s" /* The space for test-specific options */
              "\n"
 +#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
 +             "PerSourcePenaltyExemptList 127.0.0.21\n"
 +#endif
              "Ciphers "
                 "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
                 "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
 -- 
 2.46.0
--- a/SOURCES/libssh-0.10.6-rekey-timeout.patch
+++ b/SOURCES/libssh-0.10.6-rekey-timeout.patch
@ -1,37 +0,0 @@
 From 96d76161666b117099696afebcef2fe42ae80715 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 16 May 2023 22:55:11 +0200
 Subject: [PATCH] tests: Give the server more time handle rekey
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 Reviewed-by: Norbert Pocs <npocs@redhat.com>
 ---
 tests/client/torture_rekey.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/tests/client/torture_rekey.c b/tests/client/torture_rekey.c
 index ccd5ae2cf..0fc13b8b3 100644
 --- a/tests/client/torture_rekey.c
 +++ b/tests/client/torture_rekey.c
@@ -505,7 +505,7 @@ static void torture_rekey_different_kex(void **state)
     memset(data, 'A', 128);
     for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 100);
 +        ssh_handle_packets(s->ssh.session, 1000);
         c = s->ssh.session->current_crypto;
         /* SHA256 len */
@@ -583,7 +583,7 @@ static void torture_rekey_server_different_kex(void **state)
     memset(data, 'A', 128);
     for (i = 0; i < KEX_RETRY; i++) {
         ssh_send_ignore(s->ssh.session, data);
 -        ssh_handle_packets(s->ssh.session, 100);
 +        ssh_handle_packets(s->ssh.session, 1000);
         c = s->ssh.session->current_crypto;
         /* SHA256 len */
 -- 
 GitLab
--- a/SOURCES/libssh-0.10.6.tar.xz.asc
+++ b/SOURCES/libssh-0.10.6.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmWAeGkACgkQfuD8TcwB
 Tj2yAw//QOMEcCiijJvOgXCKsVoV9oSuK3aYxqpOS9cV2P40eev0KQrAZC2EXNt3
 XAdfNhA21b2C6qSxckmkCWg3vwPmM6LousHG+zpyZkiSziolMoeBkvbEdU42fufE
 SD39cA1bBEbZahyrILWT2I3Bi0d0G7FC13tIBXShS2zIITSXs/2SSRIhg3OXB979
 FTwvEE4zHeSXO4itTMNA/sMJ/0qPccQIzisH0g/TF4318b0qjlQjkHJS1y0f3/PL
 Ge3RORQVcZqGTnhJNlF/tKD8wZ9mfqqurQ9yNshiAu8hH8sDH5ZhI3o5pjQe0mGO
 JNEwTw0X/vZ4iglWFmm2CusiHrh0KUFsrp8f3oaL3HU4i7yYgo0FhzFtgFVt0gXO
 JQOhlSUq50yqbBj6S9C5ecuSR0uPgYA4d8qCFrt9oD77m7Qi3mMi+f/kP+HctIaV
 4ro7lZf6IS54J4/m5hRY3F0nweFnZZL8gn8Da8mBZSvhXCqQL6qbD9buwrTzxGft
 Fct7+PrRwz9igO7j2nNMyWxtX55/GpX06n7vuonRgQQQiT8eQ5R71STMHJaACFPS
 CJHCpuVL28HGdyAxN5d65TCvkNo9/gFGM6ocIH3OlreTFUvy22qNrqwHpCkLgYWU
 ylntVoE/VYtHtwFOe0uuCX+2TiM03P5UT2NqAAa/8D4Z5ur3qUY=
 =nXW5
 -----END PGP SIGNATURE-----
--- a/SOURCES/libssh-0.11.1-fix-provider-loading.patch
+++ b/SOURCES/libssh-0.11.1-fix-provider-loading.patch
@ -0,0 +1,54 @@
 diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
 --- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp	2024-10-25 11:58:50.341126170 +0200
 +++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c	2024-10-25 12:11:01.766453259 +0200
@@ -240,6 +240,14 @@ int torture_run_tests(void) {
                                         session_teardown),
     };
 +    /* Do not use system openssl.cnf for the pkcs11 uri tests.
 +     * It can load a pkcs11 provider too early before we will set up environment
 +     * variables that are needed for the pkcs11 provider to access correct
 +     * tokens, causing unexpected failures.
 +     * Make sure this comes before ssh_init(), which initializes OpenSSL!
 +     */
 +    setenv("OPENSSL_CONF", "/dev/null", 1);
 +
     ssh_init();
     torture_filter_tests(tests);
     rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
 diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
 --- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp	2024-10-25 11:59:22.964367137 +0200
 +++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c	2024-10-25 12:12:51.473625481 +0200
@@ -563,6 +563,14 @@ int torture_run_tests(void) {
     ssh_session session = ssh_new();
     int verbosity = SSH_LOG_FUNCTIONS;
 +    /* Do not use system openssl.cnf for the pkcs11 uri tests.
 +     * It can load a pkcs11 provider too early before we will set up environment
 +     * variables that are needed for the pkcs11 provider to access correct
 +     * tokens, causing unexpected failures.
 +     * Make sure this comes before ssh_init(), which initializes OpenSSL!
 +     */
 +    setenv("OPENSSL_CONF", "/dev/null", 1);
 +
     ssh_init();
     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
 diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
 --- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp	2024-10-25 11:59:49.241336178 +0200
 +++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c	2024-10-25 12:12:10.985614709 +0200
@@ -285,6 +285,14 @@ torture_run_tests(void)
     ssh_session session = ssh_new();
     int verbosity = SSH_LOG_FUNCTIONS;
 +    /* Do not use system openssl.cnf for the pkcs11 uri tests.
 +     * It can load a pkcs11 provider too early before we will set up environment
 +     * variables that are needed for the pkcs11 provider to access correct
 +     * tokens, causing unexpected failures.
 +     * Make sure this comes before ssh_init(), which initializes OpenSSL!
 +     */
 +    setenv("OPENSSL_CONF", "/dev/null", 1);
 +
     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
     ssh_init();
--- a/SOURCES/libssh-0.11.1.tar.xz.asc
+++ b/SOURCES/libssh-0.11.1.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmbRl74ACgkQA9XfjP3T
 6OdnSw/+IrXAbSSpjVNG5Wjz3WQjqXkWInCT+qNhcS5w+qasGW5i6mktoNJkg2Fd
 P4iRCeJEuZbOHZLWXdUaDKjmlOUIda2xA8U01uw2VrleEu05JV/s5tS1MpVOPfDi
 8+CTxPesFQ9uX9q+OojTr4QXqBDqv15sldwRVTKegNpLkk3xHUUaMjwikWKKxXG+
 ypD4UCJWKVVhen9HPRSUOtruliZFPxQSLYvj4XKJxpr/QVaORS0EsTpdYP0h1+18
 6epynp4e1/9GRTmrKa8/JcCd/4c2UnHBFpw0DU1YirLK+54/qD76o63MTbo7mKru
 cgfypfA/sdeklGTZYLrCyizcrSc2poaTznczUZC6gi3FxivLoldFyDgXeSQWEieB
 QTGgnaLkB2Y2XuBl9F9MatqFC35TBuUUwHBoEa31acQhmotui5tF4oq/JxRtZi8v
 OyrTYc/xfmDh4SbWuEVqr6B2SZjhxrIvEGEe4adJQ/tVN2wweoNgTHt8XjBb1amB
 M9RPeXG5Uon+gIXDVzjgx+DZ85FweCEngv+OdjHPIBWsJUEc722L/gypIFnBfaPV
 JgM84wxQz2J8xyk2zEANog9M8ae5jG9TVJORO8to+gbRlKB2ZRDdDne0cgRUSWaj
 0IKsnehsxjF2OqChjRqRMBhfVAA0hrYU1ngxwCcdAcdlbfgs5L0=
 =P/pw
 -----END PGP SIGNATURE-----
--- a/SOURCES/libssh.keyring
+++ b/SOURCES/libssh.keyring
@ -0,0 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGZxQOQBEAC1EO1SSoQmzAyAyfQRRHcI4Je5E4mdTchhblLXmuxThquYZ6Xp
 MT3alO6UxDO6aulzd0/RpLviELRwXqEKuUVC9oNbsolWT3sCh0J6ju2LNtmixPIf
 5hd6UQRE32k7AXgwju7bn4TebVkl2fXsdtqSY+57Rs+8G7HiCRDoiYw1S4OwKsuI
 RU7F4VNTV3drfcqpY1JZhMM/oestGqhWfln59kRgvqPDdOlX6Jv1502lElRddHBl
 1f/SnE/mZQJ8Y+zfFuCxkhKZHYLzO3scudUIOHfVt2tLEYYsYK23NFAnF4ECYv+H
 F1PoITbd8WeXoFeMjSr1h19ElzW76eBPvOYzqlzEKQ8b8uQUTqmyZl7HhQOtsIXG
 YBYi3V30I+JBuEGkkhtkbXVET8sE1FCX2xSDOsqshqSiLchlVJxiQlThqZ4prtBC
 byaTmdxFKRsQmSvLv5V9Puel80mzvM/L85s+gop9btygJ+Vpo1Dtdkbvp/jz+k1f
 arZaqAFPE9/rJlMEW8HE12QBYpxiQAl6k0KUu/1MUcTbaZ7wbzQVGHXTmrP9mGff
 9DTPeK01UPJpR9lT/kFwo/ip7nkI0zHcoAgwCGLNHCnbWjjz6ZAzYS9Dj8RG1T13
 g/TjpQtmNWxdPIQ3yZDv30BKFv1aoWLejz4rj19dtPnVClUyMlRPonDDfwARAQAB
 tDRsaWJzc2ggcmVsZWFzZSBrZXkgKHJlbGVhc2Uga2V5KSA8bGlic3NoQGxpYnNz
 aC5vcmc+iQJXBBMBCABBFiEEiKIo2JsHwsd9DHgJA9XfjP3T6OcFAmZxQOQCGwMF
 CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQA9XfjP3T6OfPBA//
 cQA2fdsNyIgAyhppHAtdmKtRaN5dWj9InKZTWRmWNMAU3lTrMCGVurz2tcg2X6Xz
 rVvZuXbLnb6GIRU0ly+nYiBZF4qDL088NtqN7AEEUaabOmlSZr5wXyJObMvlzDg9
 GkjKAKH2CBztROtG3P91uHQ12SDqqIGw5/LlWGUSBzDnChdaB7ntODmjJ8wHqyOy
 tD6GIfy7KkvnD6nyCXvqlZgo0/nr91otkDFbJrF/IobZD1hiBcps7b3oC3ms0e9T
 usk4wl+oUi2LdTIOVvAag17gdkbH7MXMMOwhbNrV5MEyKpleTfm+R+jo48hRwdrn
 LMrDR0+f26bIsWILvGE9GIqvoJD3rKDgjTFwmMcM4OLssCgTTy0h93gDbyBrOmA9
 gJDApWWLq26SkDGIrsp4JcYlcR3m4S2Bjg98PTbz96fATK+AZ/R1Kntbt1J7DcnT
 th3q4jXFIPUzvZA0r7Ul+UM/OfVr/Ryc023oID5po1zeO3HyVKVxXYY/DgpzWTcq
 iwGjWM18XRDhUVV7eOJZ4XRcyDhf4eEF8etwFFraXjVVimCCEqgukEQh9azr+kqi
 IWYoAH0fwVP85u38WqlLS+9in5mKq+lBFI201RpkzsdPDtJMtXTYgw1s6IrQntzF
 w1PIJ/49b7nZhqvp0sMQGlAKfYTQvQsiAuEfzNiFcTS5Ag0EZnFA5AEQAJNgU4Wg
 S+DUP9/wutGn9ADAEIZvD+dxpliKFmtfUeLiNAtaEfxmL7YCazlZbJ7tdhplwfJP
 Es9k7G0K+8k1t+gni9sc7/W/0bB12cbCOxDlfcWATP5RZUfCc7eQVsWm1Sq41W2C
 WGLqp9oC9jd2KGlReE4tj1PUmYtdHDOLBKr3PJrHHTGaF+4Qem5PVx+4ZmaH0qGT
 8CmKYdhE0P8EYNImkmYsCo2nf3tbnjxBNAvwb1ljwJ1djFO72huvHslo6oTuQ+W6
 Bam4m37b+AA/NiXk3RkrL8dwHB/D4G4fk0yflVQFx+0uwYj+Ik5HAri7WISOYfBN
 Yvb6VPm9cdw/ajF0sV4d1bChroLkw0Y9VW5jEkhwGeLexY+bLP+uLOn9CvSd5iZX
 kmamBA5c/jDWAibqgADux3OKNOa7JND38axuc67o5BynfW1iw3osU5fa/jdOxogJ
 xgRq+muWh8rpVGuJHLDcG2TWxC66zEA7Dp8UE/nToIZeP7m6Ihzpo37a33m0BfKH
 qG2cM4EYjIoFDFlbBbk7RogOXTshVc69JhKUaNNh8zSlCOTjwQedqPb7eW+zkPOc
 ZdII3a+oLe4j49+QBiRXoJT3QWhqbxQYF5gnv86o/ZhAUrzEW8KAk8vJAHiKJhe1
 sGHgu0yuiq5Ox4HHBrVBiEgZPxEYo4+xGLz7ABEBAAGJAjwEGAEIACYWIQSIoijY
 mwfCx30MeAkD1d+M/dPo5wUCZnFA5AIbDAUJEswDAAAKCRAD1d+M/dPo523QD/wM
 +Tf6y684Vn1HKMMyDLLCv1fFoSdialbf0gieXIlLm9yH0VaAcnMYFN7flYSekISq
 23uH6ZIcABSfvg4dCCKUUggR3CnUql0SjF9BtFisGiCsDGlH3fNH0d1Ts0FOUdkL
 TH/U676r08DQu1t0iSdOuDxM9FAo926gJSvyorLx7X94KhUeHhXfmzZ88ydz0ked
 KFTKoo/LVhxRIoAGUdl98uJ+oycoELAeg7u0djVk+Hkw6ZLnMsjJBYHV3SyOXBpy
 beQ9O3yK0oNqHW1oIAnHtX/Msqzj+x2+BMpjirsaHWsewnXgDUG/2h1MN67XW1zu
 boztT8zswALbPfkOxS4Y+evaSnq4W6xF4dGuh2sM6g82pyAHdpBPrp4WEKnAcvi4
 5EFNZYpKbQVXnDyK4899CCPcsxj56DlVtJRv167WNRBlU6k6MUVZH0F1JLQpxwx5
 TlohKUa2KBnBZofmCD0xRzV7GbT08KRObSrMqIQU4ILqs2TlhDJhYMurKh7sWKFO
 CX8wWu1TupOt7Zkf/OPapW2konKTu4h36yoPR6D4JZQhd6zZ+4+BsxgzdKCORPM5
 DfSh15+evGapxAdUZrt/N4q2o2TdMcaSu4cZQnqu2soBWiNEa1DeBurCwrHJu/tt
 dEyK6ESk4OGJ2ycirv4skD17gMHNRODFjhAgKgEybg==
 =m20i
 -----END PGP PUBLIC KEY BLOCK-----
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@ -1,37 +1,18 @@
 Name:           libssh
-Version:        0.10.6
+Version:        0.11.1
-Release:        8%{?dist}
+Release:        1%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPL-2.1-or-later
 URL:            http://www.libssh.org
-Source0:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz
+Source0:        https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
+Source1:        https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
-Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
+Source2:        https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
-Patch1:         libssh-0.10.6-rekey-timeout.patch
+# Don't use global openssl.cnf for PKCS#11 URI Tests
-# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/431
+# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/543
-Patch2:         libssh-0.10.6-ipv6-hostname.patch
+Patch1:         libssh-0.11.1-fix-provider-loading.patch
 # Backport of the following commits from master before we will have the next 0.11.0 release:
 # 9717b99136cbff850000378f70d1391f348713f9 libcrypto-compat.c/h: Remove no longer supported openssl versions
 # 54c1703cb22b917222a6eb2a5d2fde22319d9b7a Move old DSA and RSA structs into EVP_PKEY
 # 1eb3df5254a4348eae6edbc8a2bf08fef4015897 Get rid of the deprecated OpenSSL API
 # 4fb5af1da5cb02933cb4cfa10f72484cca9ca961 src/pki_crypto.c: Fix errors introduced by EC rework
 # 2539d72b7c8d03d54538533db5b346dad52d6db3 Add support for PKCS#11 provider in OpenSSL 3.0
 # f8d7fee58842a11ad7a0386b4e829e36cd6e9432 pki: Use preference hints when loading keys from store
 # e0011a197009897fcba09229e76940d9f5b12404 pki: Avoid freeing static groups/points on OpenSSL<3
 # 9b263cf5e1da6e06f6ab90e3169409a7bed60835 pki_crypto: Fix ecdsa memory leak
 # baa773d1cd6838af33fedcd65ddbb4e46e2b06c0 pki: Calculate missing CRT parameters when building RSA Key
 # 2c876464ab0a27387a122c6a4b39ec187a6fc596 ecdh: Fix missing-prototype warning
 # 2c918aad6763754bdffb84796b410e21f24bb7ec tests: Use /tmp for tmpdirs that contain sockets
 Patch3:         libssh-0.10.6-pkcs11-provider.patch
 Patch4:         libssh-0.10.6-no-engine.patch
 # 7b89ff760a2c7119916eaa8fd6a62afbd15fc3ad
 Patch5:         libssh-0.10.6-rate-limit.patch
 # c9cfeb9b838b801c3e2bb070c3db914e81ca4e68
 Patch6:         libssh-0.10.6-compress.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@ -40,6 +21,8 @@ BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
 BuildRequires:  krb5-devel
 BuildRequires:  krb5-server
 BuildRequires:  krb5-workstation
 BuildRequires:  libcmocka-devel
 BuildRequires:  pam_wrapper
 BuildRequires:  socket_wrapper
@ -92,7 +75,7 @@ Obsoletes:      %{name} < 0.9.0-3
 The %{name}-config package provides the default configuration files for %{name}.
 %prep
-gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 %build
@ -100,6 +83,7 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
    -DUNIT_TESTING=ON \
    -DCLIENT_TESTING=ON \
    -DSERVER_TESTING=ON \
    -DGSSAPI_TESTING=ON \
    -DWITH_PKCS11_URI=ON \
    -DWITH_PKCS11_PROVIDER=ON \
    -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
@ -157,9 +141,13 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 %changelog
-* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.10.6-8
+* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.11.1-1
 - Rebuilt for MSVSphere 10
 * Wed Oct 23 2024 Sahana Prasad <sahana@redhat.com> - 0.11.1-1
 - Rebase to new upstream version 0.11.1
 - Resolves: RHEL-64319
 * Tue Aug 20 2024 Jakub Jelen <jjelen@redhat.com> - 0.10.6-8
 - Remove the dependency on engine.h
`@ -1,2 +1 @@`
	`SOURCES/libssh-0.10.6.tar.xz`	`SOURCES/libssh-0.11.1.tar.xz`
	`SOURCES/libssh.keyring`
`@ -1,2 +1 @@`
	`e8fb3b4750db11d2483cac4b5f046e301c09b72f SOURCES/libssh-0.10.6.tar.xz`	`1ddc90daacc4aedd3ab1c5407adc44925e0ba28e SOURCES/libssh-0.11.1.tar.xz`
	`3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring`