libssh 0.11.1

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>

CHANGELOG

@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+version 0.11.1 (released 2024-08-30)
+ * Fixed default TTY modes that are set when stdin is not connected to tty (#270)
+ * Fixed zlib cleanup procedure, which could crash on i386
+ * Various test fixes improving their stability
+ * Fixed cygwin build
+
 version 0.11.0 (released 2024-07-31)
   * Deprecations and Removals:
     * Dropped support for DSA

CMakeLists.txt

@@ -9,7 +9,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(libssh VERSION 0.11.00 LANGUAGES C CXX)
+project(libssh VERSION 0.11.1 LANGUAGES C CXX)
 
 # global needed variable
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -21,7 +21,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 #     Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 #     Increment REVISION.
-set(LIBRARY_VERSION "4.10.0")
+set(LIBRARY_VERSION "4.10.1")
 set(LIBRARY_SOVERSION "4")
 
 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked

CPackConfig.cmake

@@ -10,7 +10,7 @@ set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
 
 # SOURCE GENERATOR
 set(CPACK_SOURCE_GENERATOR "TXZ")
-set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]git/;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
+set(CPACK_SOURCE_IGNORE_FILES "~$;[.]swp$;/[.]bare/;/[.]git/;/[.]git;/[.]clangd/;/[.]cache/;.gitignore;/build*;/obj*;tags;cscope.*;compile_commands.json;.*\.patch")
 set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
 
 ### NSIS INSTALLER

CompilerChecks.cmake

@@ -16,7 +16,6 @@ if (UNIX)
         endif()
     endif()
 
-    add_c_compiler_flag("-std=gnu99" SUPPORTED_COMPILER_FLAGS)
     add_c_compiler_flag("-Wpedantic" SUPPORTED_COMPILER_FLAGS)
     add_c_compiler_flag("-Wall" SUPPORTED_COMPILER_FLAGS)
     add_c_compiler_flag("-Wshadow" SUPPORTED_COMPILER_FLAGS)
@@ -49,6 +48,7 @@ if (UNIX)
     add_c_compiler_flag("-Werror=implicit-int" SUPPORTED_COMPILER_FLAGS)
     add_c_compiler_flag("-Wint-conversion" SUPPORTED_COMPILER_FLAGS)
     add_c_compiler_flag("-Werror=int-conversion" SUPPORTED_COMPILER_FLAGS)
+    add_c_compiler_flag("-Werror=unused-variable" SUPPORTED_COMPILER_FLAGS)
 
     check_c_compiler_flag("-Wformat" REQUIRED_FLAGS_WFORMAT)
     if (REQUIRED_FLAGS_WFORMAT)

ConfigureChecks.cmake

@@ -64,6 +64,7 @@ check_include_file(arpa/inet.h HAVE_ARPA_INET_H)
 check_include_file(byteswap.h HAVE_BYTESWAP_H)
 check_include_file(glob.h HAVE_GLOB_H)
 check_include_file(valgrind/valgrind.h HAVE_VALGRIND_VALGRIND_H)
+check_include_file(ifaddrs.h HAVE_IFADDRS_H)
 
 if (WIN32)
   check_include_file(io.h HAVE_IO_H)

config.h.cmake

@@ -58,6 +58,9 @@
 /* Define to 1 if you have the <stdint.h> header file. */
 #cmakedefine HAVE_STDINT_H 1
 
+/* Define to 1 if you have the <ifaddrs.h> header file. */
+#cmakedefine HAVE_IFADDRS_H 1
+
 /* Define to 1 if you have the <openssl/aes.h> header file. */
 #cmakedefine HAVE_OPENSSL_AES_H 1
 

examples/CMakeLists.txt

@@ -30,9 +30,11 @@ if (UNIX AND NOT WIN32)
         target_compile_options(samplesftp PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
         target_link_libraries(samplesftp ssh::ssh)
 
-        add_executable(sample_sftpserver sample_sftpserver.c ${examples_SRCS})
-        target_compile_options(sample_sftpserver PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
-        target_link_libraries(sample_sftpserver ssh::ssh ${ARGP_LIBRARIES})
+        if (WITH_SERVER)
+            add_executable(sample_sftpserver sample_sftpserver.c ${examples_SRCS})
+            target_compile_options(sample_sftpserver PRIVATE ${DEFAULT_C_COMPILE_FLAGS})
+            target_link_libraries(sample_sftpserver ssh::ssh ${ARGP_LIBRARIES})
+        endif (WITH_SERVER)
     endif (WITH_SFTP)
 
     add_executable(ssh-client ssh_client.c ${examples_SRCS})

src/ABI/current

@@ -1 +1 @@
-4.10.0
+4.10.1

src/ABI/libssh-4.10.1.symbols

@@ -0,0 +1,445 @@
+_ssh_log
+buffer_free
+buffer_get
+buffer_get_len
+buffer_new
+channel_accept_x11
+channel_change_pty_size
+channel_close
+channel_forward_accept
+channel_forward_cancel
+channel_forward_listen
+channel_free
+channel_get_exit_status
+channel_get_session
+channel_is_closed
+channel_is_eof
+channel_is_open
+channel_new
+channel_open_forward
+channel_open_session
+channel_poll
+channel_read
+channel_read_buffer
+channel_read_nonblocking
+channel_request_env
+channel_request_exec
+channel_request_pty
+channel_request_pty_size
+channel_request_send_signal
+channel_request_sftp
+channel_request_shell
+channel_request_subsystem
+channel_request_x11
+channel_select
+channel_send_eof
+channel_set_blocking
+channel_write
+channel_write_stderr
+privatekey_free
+privatekey_from_file
+publickey_free
+publickey_from_file
+publickey_from_privatekey
+publickey_to_string
+sftp_aio_begin_read
+sftp_aio_begin_write
+sftp_aio_free
+sftp_aio_wait_read
+sftp_aio_wait_write
+sftp_async_read
+sftp_async_read_begin
+sftp_attributes_free
+sftp_canonicalize_path
+sftp_channel_default_data_callback
+sftp_channel_default_subsystem_request
+sftp_chmod
+sftp_chown
+sftp_client_message_free
+sftp_client_message_get_data
+sftp_client_message_get_filename
+sftp_client_message_get_flags
+sftp_client_message_get_submessage
+sftp_client_message_get_type
+sftp_client_message_set_filename
+sftp_close
+sftp_closedir
+sftp_dir_eof
+sftp_expand_path
+sftp_extension_supported
+sftp_extensions_get_count
+sftp_extensions_get_data
+sftp_extensions_get_name
+sftp_file_set_blocking
+sftp_file_set_nonblocking
+sftp_free
+sftp_fstat
+sftp_fstatvfs
+sftp_fsync
+sftp_get_client_message
+sftp_get_error
+sftp_handle
+sftp_handle_alloc
+sftp_handle_remove
+sftp_hardlink
+sftp_home_directory
+sftp_init
+sftp_limits
+sftp_limits_free
+sftp_lsetstat
+sftp_lstat
+sftp_mkdir
+sftp_new
+sftp_new_channel
+sftp_open
+sftp_opendir
+sftp_read
+sftp_readdir
+sftp_readlink
+sftp_rename
+sftp_reply_attr
+sftp_reply_data
+sftp_reply_handle
+sftp_reply_name
+sftp_reply_names
+sftp_reply_names_add
+sftp_reply_status
+sftp_rewind
+sftp_rmdir
+sftp_seek
+sftp_seek64
+sftp_send_client_message
+sftp_server_free
+sftp_server_init
+sftp_server_new
+sftp_server_version
+sftp_setstat
+sftp_stat
+sftp_statvfs
+sftp_statvfs_free
+sftp_symlink
+sftp_tell
+sftp_tell64
+sftp_unlink
+sftp_utimes
+sftp_write
+ssh_accept
+ssh_add_channel_callbacks
+ssh_auth_list
+ssh_basename
+ssh_bind_accept
+ssh_bind_accept_fd
+ssh_bind_fd_toaccept
+ssh_bind_free
+ssh_bind_get_fd
+ssh_bind_listen
+ssh_bind_new
+ssh_bind_options_parse_config
+ssh_bind_options_set
+ssh_bind_set_blocking
+ssh_bind_set_callbacks
+ssh_bind_set_fd
+ssh_blocking_flush
+ssh_buffer_add_data
+ssh_buffer_free
+ssh_buffer_get
+ssh_buffer_get_data
+ssh_buffer_get_len
+ssh_buffer_new
+ssh_buffer_reinit
+ssh_channel_accept_forward
+ssh_channel_accept_x11
+ssh_channel_cancel_forward
+ssh_channel_change_pty_size
+ssh_channel_close
+ssh_channel_free
+ssh_channel_get_exit_state
+ssh_channel_get_exit_status
+ssh_channel_get_session
+ssh_channel_is_closed
+ssh_channel_is_eof
+ssh_channel_is_open
+ssh_channel_listen_forward
+ssh_channel_new
+ssh_channel_open_auth_agent
+ssh_channel_open_forward
+ssh_channel_open_forward_port
+ssh_channel_open_forward_unix
+ssh_channel_open_reverse_forward
+ssh_channel_open_session
+ssh_channel_open_x11
+ssh_channel_poll
+ssh_channel_poll_timeout
+ssh_channel_read
+ssh_channel_read_nonblocking
+ssh_channel_read_timeout
+ssh_channel_request_auth_agent
+ssh_channel_request_env
+ssh_channel_request_exec
+ssh_channel_request_pty
+ssh_channel_request_pty_size
+ssh_channel_request_pty_size_modes
+ssh_channel_request_send_break
+ssh_channel_request_send_exit_signal
+ssh_channel_request_send_exit_status
+ssh_channel_request_send_signal
+ssh_channel_request_sftp
+ssh_channel_request_shell
+ssh_channel_request_subsystem
+ssh_channel_request_x11
+ssh_channel_select
+ssh_channel_send_eof
+ssh_channel_set_blocking
+ssh_channel_set_counter
+ssh_channel_window_size
+ssh_channel_write
+ssh_channel_write_stderr
+ssh_clean_pubkey_hash
+ssh_connect
+ssh_connector_free
+ssh_connector_new
+ssh_connector_set_in_channel
+ssh_connector_set_in_fd
+ssh_connector_set_out_channel
+ssh_connector_set_out_fd
+ssh_copyright
+ssh_dirname
+ssh_disconnect
+ssh_dump_knownhost
+ssh_event_add_connector
+ssh_event_add_fd
+ssh_event_add_session
+ssh_event_dopoll
+ssh_event_free
+ssh_event_new
+ssh_event_remove_connector
+ssh_event_remove_fd
+ssh_event_remove_session
+ssh_execute_message_callbacks
+ssh_finalize
+ssh_forward_accept
+ssh_forward_cancel
+ssh_forward_listen
+ssh_free
+ssh_get_cipher_in
+ssh_get_cipher_out
+ssh_get_clientbanner
+ssh_get_disconnect_message
+ssh_get_error
+ssh_get_error_code
+ssh_get_fd
+ssh_get_fingerprint_hash
+ssh_get_hexa
+ssh_get_hmac_in
+ssh_get_hmac_out
+ssh_get_issue_banner
+ssh_get_kex_algo
+ssh_get_log_callback
+ssh_get_log_level
+ssh_get_log_userdata
+ssh_get_openssh_version
+ssh_get_poll_flags
+ssh_get_pubkey
+ssh_get_pubkey_hash
+ssh_get_publickey
+ssh_get_publickey_hash
+ssh_get_random
+ssh_get_server_publickey
+ssh_get_serverbanner
+ssh_get_status
+ssh_get_version
+ssh_getpass
+ssh_gssapi_get_creds
+ssh_gssapi_set_creds
+ssh_handle_key_exchange
+ssh_init
+ssh_is_blocking
+ssh_is_connected
+ssh_is_server_known
+ssh_key_cmp
+ssh_key_dup
+ssh_key_free
+ssh_key_is_private
+ssh_key_is_public
+ssh_key_new
+ssh_key_type
+ssh_key_type_from_name
+ssh_key_type_to_char
+ssh_known_hosts_parse_line
+ssh_knownhosts_entry_free
+ssh_log
+ssh_message_auth_interactive_request
+ssh_message_auth_kbdint_is_response
+ssh_message_auth_password
+ssh_message_auth_pubkey
+ssh_message_auth_publickey
+ssh_message_auth_publickey_state
+ssh_message_auth_reply_pk_ok
+ssh_message_auth_reply_pk_ok_simple
+ssh_message_auth_reply_success
+ssh_message_auth_set_methods
+ssh_message_auth_user
+ssh_message_channel_request_channel
+ssh_message_channel_request_command
+ssh_message_channel_request_env_name
+ssh_message_channel_request_env_value
+ssh_message_channel_request_open_destination
+ssh_message_channel_request_open_destination_port
+ssh_message_channel_request_open_originator
+ssh_message_channel_request_open_originator_port
+ssh_message_channel_request_open_reply_accept
+ssh_message_channel_request_open_reply_accept_channel
+ssh_message_channel_request_pty_height
+ssh_message_channel_request_pty_pxheight
+ssh_message_channel_request_pty_pxwidth
+ssh_message_channel_request_pty_term
+ssh_message_channel_request_pty_width
+ssh_message_channel_request_reply_success
+ssh_message_channel_request_subsystem
+ssh_message_channel_request_x11_auth_cookie
+ssh_message_channel_request_x11_auth_protocol
+ssh_message_channel_request_x11_screen_number
+ssh_message_channel_request_x11_single_connection
+ssh_message_free
+ssh_message_get
+ssh_message_global_request_address
+ssh_message_global_request_port
+ssh_message_global_request_reply_success
+ssh_message_reply_default
+ssh_message_retrieve
+ssh_message_service_reply_success
+ssh_message_service_service
+ssh_message_subtype
+ssh_message_type
+ssh_mkdir
+ssh_new
+ssh_options_copy
+ssh_options_get
+ssh_options_get_port
+ssh_options_getopt
+ssh_options_parse_config
+ssh_options_set
+ssh_pcap_file_close
+ssh_pcap_file_free
+ssh_pcap_file_new
+ssh_pcap_file_open
+ssh_pki_copy_cert_to_privkey
+ssh_pki_export_privkey_base64
+ssh_pki_export_privkey_base64_format
+ssh_pki_export_privkey_file
+ssh_pki_export_privkey_file_format
+ssh_pki_export_privkey_to_pubkey
+ssh_pki_export_pubkey_base64
+ssh_pki_export_pubkey_file
+ssh_pki_generate
+ssh_pki_import_cert_base64
+ssh_pki_import_cert_file
+ssh_pki_import_privkey_base64
+ssh_pki_import_privkey_file
+ssh_pki_import_pubkey_base64
+ssh_pki_import_pubkey_file
+ssh_pki_key_ecdsa_name
+ssh_print_hash
+ssh_print_hexa
+ssh_privatekey_type
+ssh_publickey_to_file
+ssh_remove_channel_callbacks
+ssh_request_no_more_sessions
+ssh_scp_accept_request
+ssh_scp_close
+ssh_scp_deny_request
+ssh_scp_free
+ssh_scp_init
+ssh_scp_leave_directory
+ssh_scp_new
+ssh_scp_pull_request
+ssh_scp_push_directory
+ssh_scp_push_file
+ssh_scp_push_file64
+ssh_scp_read
+ssh_scp_request_get_filename
+ssh_scp_request_get_permissions
+ssh_scp_request_get_size
+ssh_scp_request_get_size64
+ssh_scp_request_get_warning
+ssh_scp_write
+ssh_select
+ssh_send_debug
+ssh_send_ignore
+ssh_send_issue_banner
+ssh_send_keepalive
+ssh_server_init_kex
+ssh_service_request
+ssh_session_export_known_hosts_entry
+ssh_session_get_known_hosts_entry
+ssh_session_has_known_hosts_entry
+ssh_session_is_known_server
+ssh_session_set_disconnect_message
+ssh_session_update_known_hosts
+ssh_set_agent_channel
+ssh_set_agent_socket
+ssh_set_auth_methods
+ssh_set_blocking
+ssh_set_callbacks
+ssh_set_channel_callbacks
+ssh_set_counters
+ssh_set_fd_except
+ssh_set_fd_toread
+ssh_set_fd_towrite
+ssh_set_log_callback
+ssh_set_log_level
+ssh_set_log_userdata
+ssh_set_message_callback
+ssh_set_pcap_file
+ssh_set_server_callbacks
+ssh_silent_disconnect
+ssh_string_burn
+ssh_string_copy
+ssh_string_data
+ssh_string_fill
+ssh_string_free
+ssh_string_free_char
+ssh_string_from_char
+ssh_string_get_char
+ssh_string_len
+ssh_string_new
+ssh_string_to_char
+ssh_threads_get_default
+ssh_threads_get_noop
+ssh_threads_get_pthread
+ssh_threads_set_callbacks
+ssh_try_publickey_from_file
+ssh_userauth_agent
+ssh_userauth_agent_pubkey
+ssh_userauth_autopubkey
+ssh_userauth_gssapi
+ssh_userauth_kbdint
+ssh_userauth_kbdint_getanswer
+ssh_userauth_kbdint_getinstruction
+ssh_userauth_kbdint_getname
+ssh_userauth_kbdint_getnanswers
+ssh_userauth_kbdint_getnprompts
+ssh_userauth_kbdint_getprompt
+ssh_userauth_kbdint_setanswer
+ssh_userauth_list
+ssh_userauth_none
+ssh_userauth_offer_pubkey
+ssh_userauth_password
+ssh_userauth_privatekey_file
+ssh_userauth_pubkey
+ssh_userauth_publickey
+ssh_userauth_publickey_auto
+ssh_userauth_publickey_auto_get_current_identity
+ssh_userauth_try_publickey
+ssh_version
+ssh_vlog
+ssh_write_knownhost
+string_burn
+string_copy
+string_data
+string_fill
+string_free
+string_from_char
+string_len
+string_new
+string_to_char

src/CMakeLists.txt

@@ -355,6 +355,8 @@ endif (WITH_SYMBOL_VERSIONING AND HAVE_LD_VERSION_SCRIPT)
 
 set_target_properties(ssh
     PROPERTIES
+      C_STANDARD
+        99
       VERSION
         ${LIBRARY_VERSION}
       SOVERSION

src/client.c

@@ -47,6 +47,12 @@
 #include "libssh/pki.h"
 #include "libssh/kex.h"
 
+#ifndef _WIN32
+#ifdef HAVE_PTHREAD
+extern int proxy_disconnect;
+#endif /* HAVE_PTHREAD */
+#endif /* _WIN32 */
+
 #define set_status(session, status) do {\
         if (session->common.callbacks && session->common.callbacks->connect_status_function) \
             session->common.callbacks->connect_status_function(session->common.callbacks->userdata, status); \
@@ -765,8 +771,6 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message)
     return SSH_OK;
 }
 
-extern int proxy_disconnect;
-
 /**
  * @brief Disconnect from a session (client or server).
  *
@@ -789,12 +793,14 @@ ssh_disconnect(ssh_session session)
     }
 
 #ifndef _WIN32
+#ifdef HAVE_PTHREAD
     /* Only send the disconnect to all other threads when the root session calls
      * ssh_disconnect() */
     if (session->proxy_root) {
         proxy_disconnect = 1;
     }
-#endif
+#endif /* HAVE_PTHREAD */
+#endif /* _WIN32 */
 
     if (session->disconnect_message == NULL) {
         session->disconnect_message = strdup("Bye Bye") ;

src/config.c

@@ -39,10 +39,12 @@
 # include <errno.h>
 # include <signal.h>
 # include <sys/wait.h>
-# include <ifaddrs.h>
 # include <net/if.h>
 # include <netinet/in.h>
 #endif
+#ifdef HAVE_IFADDRS_H
+#include <ifaddrs.h>
+#endif
 
 #include "libssh/config_parser.h"
 #include "libssh/config.h"
@@ -130,9 +132,9 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
   { "verifyhostkeydns", SOC_UNSUPPORTED},
   { "visualhostkey", SOC_UNSUPPORTED},
   { "clearallforwardings", SOC_NA},
-  { "controlmaster", SOC_CONTROLMASTER},
+  { "controlmaster", SOC_NA},
   { "controlpersist", SOC_NA},
-  { "controlpath", SOC_CONTROLPATH},
+  { "controlpath", SOC_NA},
   { "dynamicforward", SOC_NA},
   { "escapechar", SOC_NA},
   { "exitonforwardfailure", SOC_NA},
@@ -639,7 +641,7 @@ ssh_config_make_absolute(ssh_session session,
     return out;
 }
 
-#ifndef _WIN32
+#ifdef HAVE_IFADDRS_H
 /**
  * @brief Checks if host address matches the local network specified.
  *
@@ -730,7 +732,7 @@ ssh_match_localnetwork(const char *addrlist, bool negate)
 
     return (found == (negate ? 0 : 1));
 }
-#endif
+#endif /* HAVE_IFADDRS_H */
 
 static int
 ssh_config_parse_line(ssh_session session,
@@ -955,7 +957,6 @@ ssh_config_parse_line(ssh_session session,
                 args++;
                 break;
 
-#ifndef _WIN32
             case MATCH_LOCALNETWORK:
                 /* Here we match only one argument */
                 p = ssh_config_get_str_tok(&s, NULL);
@@ -968,6 +969,7 @@ ssh_config_parse_line(ssh_session session,
                     SAFE_FREE(x);
                     return -1;
                 }
+#ifdef HAVE_IFADDRS_H
                 rv = match_cidr_address_list(NULL, p, -1);
                 if (rv == -1) {
                     ssh_set_error(session,
@@ -992,9 +994,17 @@ ssh_config_parse_line(ssh_session session,
                 }
 
                 result &= rv;
+#else /* HAVE_IFADDRS_H */
+                ssh_set_error(session,
+                              SSH_FATAL,
+                              "line %d: ERROR - match localnetwork "
+                              "not supported on this platform",
+                              count);
+                SAFE_FREE(x);
+                return -1;
+#endif /* HAVE_IFADDRS_H */
                 args++;
                 break;
-#endif
 
             case MATCH_UNKNOWN:
             default:

src/kex.c

@@ -351,7 +351,6 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
     int server_kex = session->server;
     ssh_string str = NULL;
     char *strings[SSH_KEX_METHODS] = {0};
-    char *rsa_sig_ext = NULL;
     int rc = SSH_ERROR;
     size_t len;
 
@@ -577,6 +576,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
              */
             if ((session->extensions & SSH_EXT_SIG_RSA_SHA256) &&
                 (session->extensions & SSH_EXT_SIG_RSA_SHA512)) {
+                char *rsa_sig_ext = NULL;
                 session->extensions &= ~(SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512);
                 rsa_sig_ext = ssh_find_matching("rsa-sha2-512,rsa-sha2-256",
                                                 hostkeys);

src/match.c

@@ -46,6 +46,11 @@
 #include <sys/socket.h>
 #endif
 
+/* for systems without IPv6 support matching should still work */
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif
+
 #include "libssh/priv.h"
 
 #define MAX_MATCH_RECURSION 16

src/misc.c

@@ -1971,7 +1971,7 @@ char *ssh_strreplace(const char *src, const char *pattern, const char *replace)
  */
 char *ssh_strerror(int err_num, char *buf, size_t buflen)
 {
-#if defined(__linux__) && defined(__GLIBC__) && defined(_GNU_SOURCE)
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__CYGWIN__)) && defined(_GNU_SOURCE)
     /* GNU extension on Linux */
     return strerror_r(err_num, buf, buflen);
 #else
@@ -1989,7 +1989,7 @@ char *ssh_strerror(int err_num, char *buf, size_t buflen)
         buf[0] = '\0';
     }
     return buf;
-#endif /* defined(__linux__) && defined(__GLIBC__) && defined(_GNU_SOURCE) */
+#endif /* ((defined(__linux__) && defined(__GLIBC__)) || defined(__CYGWIN__)) && defined(_GNU_SOURCE) */
 }
 
 /**

src/ttyopts.c

@@ -264,7 +264,9 @@ encode_termios_opts(struct termios *attr, unsigned char *buf, size_t buflen)
     SSH_ENCODE_LOCAL_OPT(IEXTEN)
     SSH_ENCODE_LOCAL_OPT(ECHOCTL)
     SSH_ENCODE_LOCAL_OPT(ECHOKE)
+#ifdef PENDIN
     SSH_ENCODE_LOCAL_OPT(PENDIN)
+#endif
 #undef SSH_ENCODE_LOCAL_OPT
 
 #define SSH_ENCODE_CC_OPT(opt) SSH_ENCODE_OPT(TTY_OP_##opt, attr->c_cc[opt])
@@ -316,6 +318,9 @@ encode_termios_opts(struct termios *attr, unsigned char *buf, size_t buflen)
  * This function intentionally doesn't use the \c termios structure
  * to allow it to work on Windows as well.
  *
+ * The "sane" default set is derived from the `stty sane`, but iutf8 support is
+ * added on top of that.
+ *
  * @param[out] buf      Modes will be encoded into this buffer.
  *
  * @param[in]  buflen   The length of the buffer.
@@ -340,7 +345,7 @@ encode_default_opts(unsigned char *buf, size_t buflen)
     SSH_ENCODE_OPT(TTY_OP_VQUIT, 034)
     SSH_ENCODE_OPT(TTY_OP_VERASE, 0177)
     SSH_ENCODE_OPT(TTY_OP_VKILL, 025)
-    SSH_ENCODE_OPT(TTY_OP_VEOF, 0)
+    SSH_ENCODE_OPT(TTY_OP_VEOF, 004)
     SSH_ENCODE_OPT(TTY_OP_VEOL, 0)
     SSH_ENCODE_OPT(TTY_OP_VEOL2, 0)
     SSH_ENCODE_OPT(TTY_OP_VSTART, 021)
@@ -357,7 +362,7 @@ encode_default_opts(unsigned char *buf, size_t buflen)
     SSH_ENCODE_OPT(TTY_OP_ISTRIP, 0)
     SSH_ENCODE_OPT(TTY_OP_INLCR, 0)
     SSH_ENCODE_OPT(TTY_OP_IGNCR, 0)
-    SSH_ENCODE_OPT(TTY_OP_ICRNL, 0)
+    SSH_ENCODE_OPT(TTY_OP_ICRNL, 1)
     SSH_ENCODE_OPT(TTY_OP_IUCLC, 0)
     SSH_ENCODE_OPT(TTY_OP_IXON, 1)
     SSH_ENCODE_OPT(TTY_OP_IXANY, 0)
@@ -374,12 +379,12 @@ encode_default_opts(unsigned char *buf, size_t buflen)
     SSH_ENCODE_OPT(TTY_OP_NOFLSH, 0)
     SSH_ENCODE_OPT(TTY_OP_TOSTOP, 0)
     SSH_ENCODE_OPT(TTY_OP_IEXTEN, 1)
-    SSH_ENCODE_OPT(TTY_OP_ECHOCTL, 0)
+    SSH_ENCODE_OPT(TTY_OP_ECHOCTL, 1)
     SSH_ENCODE_OPT(TTY_OP_ECHOKE, 1)
     SSH_ENCODE_OPT(TTY_OP_PENDIN, 0)
     SSH_ENCODE_OPT(TTY_OP_OPOST, 1)
     SSH_ENCODE_OPT(TTY_OP_OLCUC, 0)
-    SSH_ENCODE_OPT(TTY_OP_ONLCR, 0)
+    SSH_ENCODE_OPT(TTY_OP_ONLCR, 1)
     SSH_ENCODE_OPT(TTY_OP_OCRNL, 0)
     SSH_ENCODE_OPT(TTY_OP_ONOCR, 0)
     SSH_ENCODE_OPT(TTY_OP_ONLRET, 0)

src/wrapper.c

@@ -154,11 +154,10 @@ struct ssh_crypto_struct *crypto_new(void)
 {
     struct ssh_crypto_struct *crypto;
 
-    crypto = malloc(sizeof(struct ssh_crypto_struct));
+    crypto = calloc(1, sizeof(struct ssh_crypto_struct));
     if (crypto == NULL) {
         return NULL;
     }
-    ZERO_STRUCTP(crypto);
     return crypto;
 }
 
@@ -200,14 +199,12 @@ void crypto_free(struct ssh_crypto_struct *crypto)
         SAFE_FREE(crypto->secret_hash);
     }
 #ifdef WITH_ZLIB
-    if (crypto->compress_out_ctx &&
-        (deflateEnd(crypto->compress_out_ctx) != 0)) {
-        inflateEnd(crypto->compress_out_ctx);
+    if (crypto->compress_out_ctx) {
+        deflateEnd(crypto->compress_out_ctx);
     }
     SAFE_FREE(crypto->compress_out_ctx);
 
-    if (crypto->compress_in_ctx &&
-        (deflateEnd(crypto->compress_in_ctx) != 0)) {
+    if (crypto->compress_in_ctx) {
         inflateEnd(crypto->compress_in_ctx);
     }
     SAFE_FREE(crypto->compress_in_ctx);

tests/client/torture_auth.c

@@ -729,7 +729,7 @@ static void torture_auth_agent_identities_only(void **state)
     char bob_ssh_key[1024];
     struct passwd *pwd = NULL;
     int rc;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
 
     pwd = getpwnam("bob");
@@ -786,7 +786,7 @@ static void torture_auth_agent_identities_only_protected(void **state)
     char bob_ssh_key[1024];
     struct passwd *pwd;
     int rc;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
 
     pwd = getpwnam("bob");

tests/client/torture_auth_cert.c

@@ -587,7 +587,7 @@ torture_auth_agent_cert_identities_only(void **state)
     ssh_session session = s->ssh.session;
     char doe_ssh_key[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 
@@ -646,7 +646,7 @@ torture_auth_agent_cert_identities_only_nonblocking(void **state)
     ssh_session session = s->ssh.session;
     char doe_ssh_key[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 
@@ -750,7 +750,7 @@ torture_auth_agent_cert_identities_only_explicit(void **state)
     char doe_ssh_key[1024];
     char doe_ssh_cert[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 
@@ -815,7 +815,7 @@ torture_auth_agent_cert_identities_only_nonblocking_explicit(void **state)
     char doe_ssh_key[1024];
     char doe_ssh_cert[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 
@@ -887,7 +887,7 @@ torture_auth_agent_cert_only_identities_only(void **state)
     ssh_session session = s->ssh.session;
     char doe_ssh_cert[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 
@@ -945,7 +945,7 @@ torture_auth_agent_cert_only_identities_only_nonblocking(void **state)
     ssh_session session = s->ssh.session;
     char doe_ssh_cert[1024];
     struct passwd *pwd = NULL;
-    int identities_only = 1;
+    bool identities_only = true;
     char *id = NULL;
     int rc;
 

tests/client/torture_auth_pkcs11.c

@@ -103,7 +103,8 @@ static int session_teardown(void **state)
 
     return 0;
 }
-static int setup_session(void **state)
+
+static int setup_pkcs11(void **state)
 {
     struct torture_state *s = *state;
     struct pki_st *test_state = NULL;
@@ -144,7 +145,7 @@ static int sshd_setup(void **state)
 {
 
     torture_setup_sshd_server(state, true);
-    setup_session(state);
+    setup_pkcs11(state);
 
     return 0;
 }
@@ -155,18 +156,20 @@ static int sshd_teardown(void **state) {
     struct pki_st *test_state = s->private_data;
     int rc;
 
-    torture_cleanup_tokens(test_state->temp_dir);
+    if (test_state != NULL) {
+        torture_cleanup_tokens(test_state->temp_dir);
 
-    rc = torture_change_dir(test_state->orig_dir);
-    assert_int_equal(rc, 0);
+        rc = torture_change_dir(test_state->orig_dir);
+        assert_int_equal(rc, 0);
 
-    rc = torture_rmdirs(test_state->temp_dir);
-    assert_int_equal(rc, 0);
+        rc = torture_rmdirs(test_state->temp_dir);
+        assert_int_equal(rc, 0);
 
-    SAFE_FREE(test_state->temp_dir);
-    SAFE_FREE(test_state->orig_dir);
-    SAFE_FREE(test_state->keys_dir);
-    SAFE_FREE(test_state);
+        SAFE_FREE(test_state->temp_dir);
+        SAFE_FREE(test_state->orig_dir);
+        SAFE_FREE(test_state->keys_dir);
+        SAFE_FREE(test_state);
+    }
 
     torture_teardown_sshd_server(state);
 
@@ -177,15 +180,12 @@ static void torture_auth_autopubkey(void **state, const char *obj_name, const ch
     struct torture_state *s = *state;
     ssh_session session = s->ssh.session;
     int rc;
-    int verbosity = 4;
     char priv_uri[1042];
+
     /* Authenticate as charlie with bob his pubkey */
     rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_CHARLIE);
     assert_int_equal(rc, SSH_OK);
 
-    rc = ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-    assert_int_equal(rc, SSH_OK);
-
     snprintf(priv_uri, sizeof(priv_uri), "pkcs11:token=%s;object=%s;type=private?pin-value=%s",
             obj_name, obj_name, pin);
 

tests/client/torture_request_pty_modes.c

@@ -84,18 +84,24 @@ static int session_teardown(void **state)
 static int check_channel_output(ssh_channel c, const char *expected)
 {
     char buffer[4096] = {0};
-    int nbytes;
+    int nbytes, offset = 0;
 
     nbytes = ssh_channel_read(c, buffer, sizeof(buffer) - 1, 0);
     while (nbytes > 0) {
-        buffer[nbytes]='\0';
-        ssh_log_hexdump("Read bytes:", (unsigned char *)buffer, nbytes);
+        buffer[offset + nbytes] = '\0';
+        ssh_log_hexdump("Read bytes:",
+                        (unsigned char *)buffer,
+                        offset + nbytes);
         if (strstr(buffer, expected) != NULL)
         {
             return 1;
         }
-
-        nbytes = ssh_channel_read(c, buffer, sizeof(buffer), 0);
+        /* read on */
+        offset = nbytes;
+        nbytes = ssh_channel_read(c,
+                                  buffer + offset,
+                                  sizeof(buffer) - offset - 1,
+                                  0);
     }
     return 0;
 }
@@ -225,8 +231,8 @@ static void torture_request_pty_modes_use_default_modes(void **state)
     rc = ssh_channel_request_exec(c, "/bin/echo -e '>TEST\\r\\n<'");
     assert_ssh_return_code(session, rc);
 
-    /* expect the input unmodified */
-    string_found = check_channel_output(c, ">TEST\r\n<");
+    /* expect the CRLF translated to newline */
+    string_found = check_channel_output(c, ">TEST\r\r\n<");
     assert_int_equal(string_found, 1);
 
     ssh_channel_close(c);

tests/client/torture_sftp_setstat.c

@@ -16,9 +16,10 @@ static int
 sshd_setup(void **state)
 {
     /*
-     * Without root permissions, the exec-ed SFTP server does not inherit some
-     * wrappers so we use internal-sftp for this test, which does not have this
-     * issue.
+     * The OpenSSH invokes the sftp server command with execve(), which does
+     * not inherit the environment variables (including LD_PRELOAD, which
+     * is needed for the fs_wrapper). Using `internal-sftp` works around this,
+     * keeping the old environment around.
      */
     setenv("TORTURE_SFTP_SERVER", "internal-sftp", 1);
 

tests/fs_wrapper.c

@@ -7,40 +7,32 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-void destructor(void) __attribute__((destructor));
-
+/*******************************************************************************
+ *                            Structs
+ ******************************************************************************/
 struct file {
     char *name;
     uid_t uid;
     gid_t gid;
 } file = {0};
 
+/*******************************************************************************
+ *                            Destructor
+ ******************************************************************************/
+
+void destructor(void) __attribute__((destructor));
+
 void
 destructor(void)
 {
     free(file.name);
 }
 
-typedef int (*__libc_chown)(const char *pathname, uid_t owner, gid_t group);
-
-typedef int (*__libc_fchownat)(int dirfd,
-                               const char *pathname,
-                               uid_t owner,
-                               gid_t group,
-                               int flags);
-
-typedef int (*__libc_stat)(const char *pathname, struct stat *statbuf);
-
-typedef int (*__libc_xstat)(int ver,
-                            const char *pathname,
-                            struct stat *statbuf);
-
-typedef int (*__libc_lxstat)(int ver,
-                             const char *pathname,
-                             struct stat *statbuf);
-
-typedef int (*__libc_lstat)(const char *pathname, struct stat *statbuf);
+/*******************************************************************************
+ *                              Chown wrapping
+ ******************************************************************************/
 
+/** Records the UID and GID and pretend syscall worked */
 static int
 chown_helper(const char *pathname, uid_t owner, gid_t group)
 {
@@ -68,33 +60,36 @@ chown_helper(const char *pathname, uid_t owner, gid_t group)
     return -1;
 }
 
-static void
-stat_helper(const char *pathname, struct stat *statbuf)
-{
-    if (file.name != NULL && strcmp(pathname, file.name) == 0) {
-        statbuf->st_uid = file.uid;
-        statbuf->st_gid = file.gid;
+#define WRAP_CHOWN(syscall_name)                                      \
+    typedef int (*__libc_##syscall_name)(const char *pathname,        \
+                                         uid_t owner,                 \
+                                         gid_t group);                \
+    int syscall_name(const char *pathname, uid_t owner, gid_t group); \
+    int syscall_name(const char *pathname, uid_t owner, gid_t group)  \
+    {                                                                 \
+        __libc_##syscall_name original_##syscall_name = NULL;         \
+        int rc;                                                       \
+                                                                      \
+        rc = chown_helper(pathname, owner, group);                    \
+        if (rc == 0) {                                                \
+            return 0;                                                 \
+        }                                                             \
+        original_##syscall_name =                                     \
+            (__libc_##syscall_name)dlsym(RTLD_NEXT, #syscall_name);   \
+        return (*original_##syscall_name)(pathname, owner, group);    \
     }
-}
 
-/* silent gcc */
-int chown(const char *pathname, uid_t owner, gid_t group);
+WRAP_CHOWN(chown)
+WRAP_CHOWN(chown32)
+WRAP_CHOWN(lchown)
 
-int
-chown(const char *pathname, uid_t owner, gid_t group)
-{
-    __libc_chown original_chown = NULL;
-    int rc;
+/* fchownat */
+typedef int (*__libc_fchownat)(int dirfd,
+                               const char *pathname,
+                               uid_t owner,
+                               gid_t group,
+                               int flags);
 
-    rc = chown_helper(pathname, owner, group);
-    if (rc == 0) {
-        return 0;
-    }
-    original_chown = (__libc_chown)dlsym(RTLD_NEXT, "chown");
-    return (*original_chown)(pathname, owner, group);
-}
-
-/* SFTP Server calls fchownat for symlinks  */
 int
 fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group, int flags);
 
@@ -112,62 +107,107 @@ fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group, int flags)
     original_fchownat = (__libc_fchownat)dlsym(RTLD_NEXT, "fchownat");
     return (*original_fchownat)(dirfd, pathname, owner, group, flags);
 }
-int stat(const char *pathname, struct stat *statbuf);
 
+/*******************************************************************************
+ *                              Stat wrapping
+ ******************************************************************************/
+
+/** Returns previously set UID/GID for the filename */
+static void
+stat_helper(const char *pathname, struct stat *statbuf)
+{
+    if (file.name != NULL && strcmp(pathname, file.name) == 0) {
+        statbuf->st_uid = file.uid;
+        statbuf->st_gid = file.gid;
+    }
+}
+
+static void
+stat64_helper(const char *pathname, struct stat64 *statbuf)
+{
+    if (file.name != NULL && strcmp(pathname, file.name) == 0) {
+        statbuf->st_uid = file.uid;
+        statbuf->st_gid = file.gid;
+    }
+}
+
+#define WRAP_STAT(syscall_name, struct_name)                             \
+    typedef int (*__libc_##syscall_name)(const char *pathname,           \
+                                         struct struct_name *statbuf);   \
+    int syscall_name(const char *pathname, struct struct_name *statbuf); \
+    int syscall_name(const char *pathname, struct struct_name *statbuf)  \
+    {                                                                    \
+        int rc;                                                          \
+        __libc_##syscall_name original_##syscall_name = NULL;            \
+                                                                         \
+        original_##syscall_name =                                        \
+            (__libc_##syscall_name)dlsym(RTLD_NEXT, #syscall_name);      \
+        rc = (*original_##syscall_name)(pathname, statbuf);              \
+        struct_name##_helper(pathname, statbuf);                         \
+                                                                         \
+        return rc;                                                       \
+    }
+
+WRAP_STAT(stat, stat)
+WRAP_STAT(lstat, stat)
+/* i686 arch */
+WRAP_STAT(stat64, stat64)
+WRAP_STAT(lstat64, stat64)
+
+#define WRAP_XSTAT(syscall_name)                                           \
+    typedef int (*__libc_##syscall_name)(int ver,                          \
+                                         const char *pathname,             \
+                                         struct stat *statbuf);            \
+    int syscall_name(int ver, const char *pathname, struct stat *statbuf); \
+    int syscall_name(int ver, const char *pathname, struct stat *statbuf)  \
+    {                                                                      \
+        int rc;                                                            \
+        __libc_##syscall_name original_##syscall_name = NULL;              \
+                                                                           \
+        original_##syscall_name =                                          \
+            (__libc_##syscall_name)dlsym(RTLD_NEXT, #syscall_name);        \
+        rc = (*original_##syscall_name)(ver, pathname, statbuf);           \
+        stat_helper(pathname, statbuf);                                    \
+                                                                           \
+        return rc;                                                         \
+    }
+
+WRAP_XSTAT(__xstat) /* CentOS8 */
+WRAP_XSTAT(__lxstat)
+
+/* i686 arch (likely not wrappable) */
+static void
+statx_helper(const char *pathname, struct statx *statbuf)
+{
+    if (file.name != NULL && strcmp(pathname, file.name) == 0) {
+        statbuf->stx_uid = file.uid;
+        statbuf->stx_gid = file.gid;
+    }
+}
+
+typedef int (*__libc_statx)(int dirfd,
+                            const char *pathname,
+                            int flags,
+                            unsigned int mask,
+                            struct statx *statbuf);
+int statx(int dirfd,
+          const char *pathname,
+          int flags,
+          unsigned int mask,
+          struct statx *statbuf);
 int
-stat(const char *pathname, struct stat *statbuf)
+statx(int dirfd,
+      const char *pathname,
+      int flags,
+      unsigned int mask,
+      struct statx *statbuf)
 {
     int rc;
-    __libc_stat original_stat = NULL;
+    __libc_statx original_statx = NULL;
 
-    original_stat = (__libc_stat)dlsym(RTLD_NEXT, "stat");
-    rc = (*original_stat)(pathname, statbuf);
-    stat_helper(pathname, statbuf);
-
-    return rc;
-}
-
-/* CentOS8 calls xstat */
-int __xstat(int ver, const char *pathname, struct stat *statbuf);
-
-int
-__xstat(int ver, const char *pathname, struct stat *statbuf)
-{
-    int rc;
-    __libc_xstat original_xstat = NULL;
-
-    original_xstat = (__libc_xstat)dlsym(RTLD_NEXT, "__xstat");
-    rc = (*original_xstat)(ver, pathname, statbuf);
-    stat_helper(pathname, statbuf);
-
-    return rc;
-}
-
-int __lxstat(int ver, const char *pathname, struct stat *statbuf);
-
-int
-__lxstat(int ver, const char *pathname, struct stat *statbuf)
-{
-    int rc;
-    __libc_lxstat original_lxstat = NULL;
-
-    original_lxstat = (__libc_lxstat)dlsym(RTLD_NEXT, "__lxstat");
-    rc = (*original_lxstat)(ver, pathname, statbuf);
-    stat_helper(pathname, statbuf);
-
-    return rc;
-}
-int lstat(const char *pathname, struct stat *statbuf);
-
-int
-lstat(const char *pathname, struct stat *statbuf)
-{
-    int rc;
-    __libc_lstat original_lstat = NULL;
-
-    original_lstat = (__libc_lstat)dlsym(RTLD_NEXT, "lstat");
-    rc = (*original_lstat)(pathname, statbuf);
-    stat_helper(pathname, statbuf);
+    original_statx = (__libc_statx)dlsym(RTLD_NEXT, "statx");
+    rc = (*original_statx)(dirfd, pathname, flags, mask, statbuf);
+    statx_helper(pathname, statbuf);
 
     return rc;
 }

tests/fuzz/CMakeLists.txt

@@ -28,9 +28,11 @@ macro(fuzzer name)
 endmacro()
 
 fuzzer(ssh_client_fuzzer)
-fuzzer(ssh_server_fuzzer)
 fuzzer(ssh_client_config_fuzzer)
-fuzzer(ssh_bind_config_fuzzer)
 fuzzer(ssh_known_hosts_fuzzer)
 fuzzer(ssh_privkey_fuzzer)
 fuzzer(ssh_pubkey_fuzzer)
+if (WITH_SERVER)
+    fuzzer(ssh_server_fuzzer)
+    fuzzer(ssh_bind_config_fuzzer)
+endif (WITH_SERVER)

tests/server/torture_sftpserver.c

@@ -316,7 +316,6 @@ static int session_setup_sftp(void **state)
     /* init sftp session */
     tsftp = s->ssh.tsftp;
 
-    printf("in establish before sftp_new\n");
     sftp = sftp_new(session);
     assert_non_null(sftp);
     tsftp->sftp = sftp;

tests/torture.c

@@ -236,6 +236,10 @@ int torture_terminate_process(const char *pidfile)
 
     /* read the pidfile */
     pid = torture_read_pidfile(pidfile);
+    if (pid == -1) {
+        fprintf(stderr, "Failed to read PID file %s\n", pidfile);
+        return -1;
+    }
     assert_int_not_equal(pid, -1);
 
     for (count = 0; count < 10; count++) {
@@ -755,6 +759,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
              "HostKeyAlgorithms " OPENSSH_KEYS "\n"
 #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
              "CASignatureAlgorithms " OPENSSH_KEYS "\n"
+#endif
+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
+             "PerSourcePenaltyExemptList 127.0.0.21\n"
 #endif
              "Ciphers " OPENSSH_CIPHERS "\n"
              "KexAlgorithms " OPENSSH_KEX "\n"
@@ -786,6 +793,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
              "%s\n" /* Here comes UsePam */
              "%s" /* The space for test-specific options */
              "\n"
+#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
+             "PerSourcePenaltyExemptList 127.0.0.21\n"
+#endif
              "Ciphers "
                 "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
                 "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
@@ -1361,10 +1371,8 @@ torture_update_sshd_config(void **state, const char *config)
 void torture_teardown_sshd_server(void **state)
 {
     struct torture_state *s = *state;
-    int rc;
 
-    rc = torture_terminate_process(s->srv_pidfile);
-    assert_return_code(rc, errno);
+    torture_terminate_process(s->srv_pidfile);
     torture_teardown_socket_dir(state);
 }
 #endif /* SSHD_EXECUTABLE */
@@ -1377,7 +1385,9 @@ void torture_setup_tokens(const char *temp_dir,
 {
     char token_setup_start_cmd[1024] = {0};
     char socket_path[1204] = {0};
+#ifndef WITH_PKCS11_PROVIDER
     char conf_path[1024] = {0};
+#endif /* WITH_PKCS11_PROVIDER */
     char *env = NULL;
     int rc;
 
@@ -1394,8 +1404,8 @@ void torture_setup_tokens(const char *temp_dir,
                   P11_KIT_CLIENT
 #else
                   ""
-#endif
-                 );
+#endif /* WITH_PKCS11_PROVIDER */
+    );
     assert_int_not_equal(rc, sizeof(token_setup_start_cmd));
 
     rc = system(token_setup_start_cmd);
@@ -1419,7 +1429,7 @@ void torture_setup_tokens(const char *temp_dir,
         setenv("PKCS11_PROVIDER_MODULE", PKCS11SPY, 1);
 #else
         fprintf(stderr, "[ TORTURE  ] >>> pkcs11-spy not found\n");
-#endif
+#endif /* PKCS11SPY */
     }
 #else
     (void)env;
@@ -1431,11 +1441,9 @@ void torture_setup_tokens(const char *temp_dir,
 
 void torture_cleanup_tokens(const char *temp_dir)
 {
-    char pidfile[1024] = {0};
-    int rc;
-    pid_t pid;
-
 #ifdef WITH_PKCS11_PROVIDER
+    char pidfile[1024] = {0};
+
     snprintf(pidfile, sizeof(pidfile), "%s/p11-kit-server.pid", temp_dir);
     torture_terminate_process(pidfile);
 #else

tests/unittests/CMakeLists.txt

@@ -48,11 +48,15 @@ if (UNIX AND NOT WIN32)
         torture_pki_ed25519
         # requires /dev/null
         torture_channel
-        # requires some non-standard API from netdb.h, in.h
-        # and arpa/inet.h for handling IP addresses
-        torture_config_match_localnetwork
     )
-
+    if (HAVE_IFADDRS_H)
+        set(LIBSSH_UNIT_TESTS
+            ${LIBSSH_UNIT_TESTS}
+            # requires some non-standard API from netdb.h, in.h
+            # and arpa/inet.h for handling IP addresses
+            torture_config_match_localnetwork
+        )
+    endif (HAVE_IFADDRS_H)
     if (WITH_SERVER)
         set(LIBSSH_UNIT_TESTS
             ${LIBSSH_UNIT_TESTS}

tests/unittests/torture_config.c

@@ -1404,7 +1404,7 @@ static void torture_config_control_path(void **state,
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
     _parse_config(session, file, string, SSH_OK);
-    assert_string_equal(session->opts.control_path, "/tmp/ssh-%r@%h:%p");
+    assert_null(session->opts.control_path);
 
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "none");
@@ -1439,12 +1439,12 @@ static void torture_config_control_master(void **state,
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
     _parse_config(session, file, string, SSH_OK);
-    assert_int_equal(session->opts.control_master, SSH_CONTROL_MASTER_AUTO);
+    assert_int_equal(session->opts.control_master, SSH_CONTROL_MASTER_NO);
 
     torture_reset_config(session);
     ssh_options_set(session, SSH_OPTIONS_HOST, "none");
     _parse_config(session, file, string, SSH_OK);
-    assert_int_equal(session->opts.control_master, SSH_CONTROL_MASTER_YES);
+    assert_int_equal(session->opts.control_master, SSH_CONTROL_MASTER_NO);
 }
 
 /**

tests/unittests/torture_config_match_localnetwork.c

@@ -3,7 +3,9 @@
 #include "libssh/options.h"
 #include "libssh/session.h"
 #include "match.c"
+#ifdef HAVE_IFADDRS_H
 #include <ifaddrs.h>
+#endif
 #include <net/if.h>
 #include <stdbool.h>
 
@@ -129,7 +131,10 @@ subnet_mask_to_prefix_length_6(struct in6_addr subnet_mask)
  * @brief helper function returning the IPv4 and IPv6 network ID
  * (in CIDR format) corresponding to any of the running local interfaces.
  * The network interface corresponding to IPv4 and IPv6 network ID may be
- * different ("loopback" local interface is ignored).
+ * different.
+ *
+ * @note If no non-loopback network interfaces are found for IPv4 or
+ * IPv6, the function will fall back to using the loopback addresses.
  */
 static int
 get_network_id(char *net_id_4, char *net_id_6)
@@ -140,8 +145,10 @@ get_network_id(char *net_id_4, char *net_id_6)
     struct sockaddr_in netmask;
     struct sockaddr_in6 netmask6;
     char address[NI_MAXHOST], *a = NULL;
-    char *network_id_str = NULL, network_id_str6[INET6_ADDRSTRLEN];
-    int i, prefix_length, rc, found_4 = 0, found_6 = 0;
+    char *network_id_str = NULL, network_id_str6[INET6_ADDRSTRLEN],
+         lo_net_id_4[NI_MAXHOST], lo_net_id_6[NI_MAXHOST];
+    int i, prefix_length, rc;
+    int found_4 = 0, found_lo_4 = 0, found_6 = 0, found_lo_6 = 0;
     socklen_t sa_len;
 
     ZERO_STRUCT(addr);
@@ -165,11 +172,6 @@ get_network_id(char *net_id_4, char *net_id_6)
             continue;
         }
 
-        /* Skip loopback interface */
-        if (strcmp(ifa->ifa_name, "lo") == 0) {
-            continue;
-        }
-
         switch (ifa->ifa_addr->sa_family) {
         case AF_INET:
             if (found_4) {
@@ -222,12 +224,22 @@ get_network_id(char *net_id_4, char *net_id_6)
                 continue;
             }
 
-            snprintf(net_id_4,
-                     NI_MAXHOST,
-                     "%s/%u",
-                     network_id_str,
-                     prefix_length);
-            found_4 = 1;
+            if (strcmp(ifa->ifa_name, "lo") == 0) {
+                /* Store it temporarily in case needed for fallback */
+                snprintf(lo_net_id_4,
+                         NI_MAXHOST,
+                         "%s/%u",
+                         network_id_str,
+                         prefix_length);
+                found_lo_4 = 1;
+            } else {
+                snprintf(net_id_4,
+                         NI_MAXHOST,
+                         "%s/%u",
+                         network_id_str,
+                         prefix_length);
+                found_4 = 1;
+            }
         } else if (ifa->ifa_addr->sa_family == AF_INET6) {
 
             /* Remove interface in case of IPv6 address: addr%interface */
@@ -263,15 +275,43 @@ get_network_id(char *net_id_4, char *net_id_6)
                 continue;
             }
 
-            snprintf(net_id_6,
-                     NI_MAXHOST,
-                     "%s/%u",
-                     network_id_str6,
-                     prefix_length);
-            found_6 = 1;
+            if (strcmp(ifa->ifa_name, "lo") == 0) {
+                /* Store it temporarily in case needed for fallback */
+                snprintf(lo_net_id_6,
+                         NI_MAXHOST,
+                         "%s/%u",
+                         network_id_str6,
+                         prefix_length);
+                found_lo_6 = 1;
+            } else {
+                snprintf(net_id_6,
+                         NI_MAXHOST,
+                         "%s/%u",
+                         network_id_str6,
+                         prefix_length);
+                found_6 = 1;
+            }
         }
     }
 
+    /*
+     * Fallback to the loopback network ID (127.0.0.0/8) if no other
+     * IPv4 network ID has been found.
+     */
+    if (!found_4 && found_lo_4) {
+        snprintf(net_id_4, NI_MAXHOST, "%s", lo_net_id_4);
+        found_4 = 1;
+    }
+
+    /*
+     * Fallback to the loopback network ID (::1/128) if no other
+     * IPv6 network ID has been found.
+     */
+    if (!found_6 && found_lo_6) {
+        snprintf(net_id_6, NI_MAXHOST, "%s", lo_net_id_6);
+        found_6 = 1;
+    }
+
     freeifaddrs(ifaddrs);
 
 out:

tests/unittests/torture_options.c

@@ -1350,7 +1350,7 @@ static void torture_options_copy(void **state)
     assert_string_equal(session->opts.pubkey_accepted_types,
                         new->opts.pubkey_accepted_types);
     assert_string_equal(session->opts.ProxyCommand, new->opts.ProxyCommand);
-    assert_string_equal(session->opts.control_path, new->opts.control_path);
+    assert_null(new->opts.control_path);
     /* TODO custombanner */
     assert_int_equal(session->opts.timeout, new->opts.timeout);
     assert_int_equal(session->opts.timeout_usec, new->opts.timeout_usec);