diff --git a/libssh2-1.2.2-padding.patch b/libssh2-1.2.2-padding.patch
new file mode 100644
index 0000000..127ad9d
--- /dev/null
+++ b/libssh2-1.2.2-padding.patch
@@ -0,0 +1,117 @@
+commit 1aba38cd7d2658146675ce1737e5090f879f3068
+Author: Peter Stuge <peter@stuge.se>
+Date:   Sun Dec 6 07:20:58 2009 +0100
+
+    Fix padding in ssh-dss signature blob encoding
+    
+    DSA signatures consist of two 160-bit integers called r and s. In ssh-dss
+    signature blobs r and s are stored directly after each other in binary
+    representation, making up a 320-bit (40 byte) string. (See RFC4253 p14.)
+    
+    The crypto wrappers in libssh2 would either pack r and s incorrectly, or
+    fail, when at least one integer was small enough to be stored in 19 bytes
+    or less.
+    
+    The patch ensures that r and s are always stored as two 160 bit numbers.
+
+diff --git a/src/libgcrypt.c b/src/libgcrypt.c
+index ba00284..b06be42 100644
+--- a/src/libgcrypt.c
++++ b/src/libgcrypt.c
+@@ -424,6 +424,8 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx,
+         return -1;
+     }
+ 
++    memset(sig, 0, 40);
++
+ /* Extract R. */
+ 
+     data = gcry_sexp_find_token(sig_sexp, "r", 0);
+@@ -433,22 +435,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx,
+     }
+ 
+     tmp = gcry_sexp_nth_data(data, 1, &size);
+-    if (!tmp) {
+-        ret = -1;
+-        goto out;
+-    }
+-
+-    if (tmp[0] == '\0') {
+-        tmp++;
+-        size--;
+-    }
+-
+-    if (size != 20) {
++    if (!tmp || size < 1 || size > 20) {
+         ret = -1;
+         goto out;
+     }
+ 
+-    memcpy(sig, tmp, 20);
++    memcpy(sig + (20 - size), tmp, size);
+ 
+     gcry_sexp_release(data);
+ 
+@@ -461,22 +453,12 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx,
+     }
+ 
+     tmp = gcry_sexp_nth_data(data, 1, &size);
+-    if (!tmp) {
+-        ret = -1;
+-        goto out;
+-    }
+-
+-    if (tmp[0] == '\0') {
+-        tmp++;
+-        size--;
+-    }
+-
+-    if (size != 20) {
++    if (!tmp || size < 1 || size > 20) {
+         ret = -1;
+         goto out;
+     }
+ 
+-    memcpy(sig + 20, tmp, 20);
++    memcpy(sig + 20 + (20 - size), tmp, size);
+ 
+     ret = 0;
+   out:
+diff --git a/src/openssl.c b/src/openssl.c
+index 250ea63..000c9ec 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -420,7 +420,7 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx,
+                        unsigned long hash_len, unsigned char *signature)
+ {
+     DSA_SIG *sig;
+-    int r_len, s_len, rs_pad;
++    int r_len, s_len;
+     (void) hash_len;
+ 
+     sig = DSA_do_sign(hash, SHA_DIGEST_LENGTH, dsactx);
+@@ -429,15 +429,20 @@ _libssh2_dsa_sha1_sign(libssh2_dsa_ctx * dsactx,
+     }
+ 
+     r_len = BN_num_bytes(sig->r);
++    if (r_len < 1 || r_len > 20) {
++        DSA_SIG_free(sig);
++        return -1;
++    }
+     s_len = BN_num_bytes(sig->s);
+-    rs_pad = (2 * SHA_DIGEST_LENGTH) - (r_len + s_len);
+-    if (rs_pad < 0) {
++    if (s_len < 1 || s_len > 20) {
+         DSA_SIG_free(sig);
+         return -1;
+     }
+ 
+-    BN_bn2bin(sig->r, signature + rs_pad);
+-    BN_bn2bin(sig->s, signature + rs_pad + r_len);
++    memset(signature, 0, 40);
++
++    BN_bn2bin(sig->r, signature + (20 - r_len));
++    BN_bn2bin(sig->s, signature + 20 + (20 - s_len));
+ 
+     DSA_SIG_free(sig);
+ 
diff --git a/libssh2.spec b/libssh2.spec
index 7e913b3..a56cba6 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,6 +1,6 @@
 Name:           libssh2
 Version:        1.2.2
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        A library implementing the SSH2 protocol
 
 Group:          System Environment/Libraries
@@ -9,9 +9,15 @@ URL:            http://www.libssh2.org
 Source0:        http://libssh2.org/download/libssh2-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+# aka commit 1aba38cd7d2658146675ce1737e5090f879f306
+Patch0:         libssh2-1.2.2-padding.patch
+
 BuildRequires:  openssl-devel
 BuildRequires:  zlib-devel
 
+# tests
+BuildRequires:  openssh-server
+
 %description
 libssh2 is a library implementing the SSH2 protocol as defined by
 Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
@@ -41,6 +47,7 @@ developing applications that use %{name}.
 
 %prep
 %setup -q
+%patch0 -p1
 
 # make sure things are UTF-8...
 for i in ChangeLog NEWS ; do
@@ -66,8 +73,9 @@ rm -rf example/simple/.deps
 find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} +
 
 %check
-# tests are currently not doing so well under rpmbuild
-#(cd tests && make check)
+# sshd/loopback test fails under local build, with selinux enforcing 
+%{?_without_sshd_tests:echo "Skipping sshd tests" ; echo "exit 0" > tests/ssh2.sh }
+(cd tests && make check)
 
 %clean
 rm -rf %{buildroot}
@@ -96,6 +104,13 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/*
 
 %changelog
+* Mon Jan 18 2010 Chris Weyl <cweyl@alumni.drew.edu> 1.2.2-4
+- enable tests; conditionalize sshd test, which fails with a funky SElinux
+  error when run locally
+
+* Mon Jan 18 2010 Chris Weyl <cweyl@alumni.drew.edu> 1.2.2-3
+- patch w/1aba38cd7d2658146675ce1737e5090f879f306; not yet in a GA release
+
 * Thu Jan 14 2010 Chris Weyl <cweyl@alumni.drew.edu> 1.2.2-2
 - correct bad file entry under -devel