Accepting request 652023 from network

OBS-URL: https://build.opensuse.org/request/show/652023 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=123
2018-11-28 10:11:24 +00:00 · 2018-11-28 10:11:24 +00:00 · 7ca123a3a4
commit 7ca123a3a4
parent 2176dd1aa9 c41fcd05a7
22 changed files with 922 additions and 4184 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -5,16 +5,6 @@ There are following changes in default settings of ssh client and server:
 * PAM authentication is enabled and mostly even required, do not turn it off.
 * root authentiation with password is enabled by default (PermitRootLogin yes).
  NOTE: this has security implications and is only done in order to not change
  behaviour of the server in an update. We strongly suggest setting this option
  either "prohibit-password" or even better to "no" (which disables direct
  remote root login entirely).
 * SSH protocol version 1 is enabled for maximum compatibility.
  NOTE: do not use protocol version 1. It is less secure then v2 and should
  generally be phased out.
 * DSA authentication is enabled by default for maximum compatibility.
  NOTE: do not use DSA authentication since it is being phased out for a reason
  - the size of DSA keys is limited by the standard to 1024 bits which cannot
--- a/openssh-7.7p1-allow_root_password_login.patch
+++ b/openssh-7.7p1-allow_root_password_login.patch
@ -1,95 +0,0 @@
 # HG changeset patch
 # Parent  3bf0158be93bd08d60a30a320650ea7f9844ef50
 Allow root login with password by default. While less secure than upstream
 default of forbidding access to the root account with a password, we are
 temporarily introducing this change to keep the default used in older OpenSSH
 versions shipped with SLE.
 diff --git a/openssh-7.7p1/servconf.c b/openssh-7.7p1/servconf.c
 --- openssh-7.7p1/servconf.c
 +++ openssh-7.7p1/servconf.c
@@ -265,17 +265,17 @@ fill_default_server_options(ServerOption
 		options->address_family = AF_UNSPEC;
 	if (options->listen_addrs == NULL)
 		add_listen_addr(options, NULL, NULL, 0);
 	if (options->pid_file == NULL)
 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
 	if (options->login_grace_time == -1)
 		options->login_grace_time = 120;
 	if (options->permit_root_login == PERMIT_NOT_SET)
 -		options->permit_root_login = PERMIT_NO_PASSWD;
 +		options->permit_root_login = PERMIT_YES;
 	if (options->ignore_rhosts == -1)
 		options->ignore_rhosts = 1;
 	if (options->ignore_user_known_hosts == -1)
 		options->ignore_user_known_hosts = 0;
 	if (options->print_motd == -1)
 		options->print_motd = 1;
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config
 --- openssh-7.7p1/sshd_config
 +++ openssh-7.7p1/sshd_config
@@ -24,17 +24,17 @@
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 -#PermitRootLogin prohibit-password
 +#PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 diff --git a/openssh-7.7p1/sshd_config.0 b/openssh-7.7p1/sshd_config.0
 --- openssh-7.7p1/sshd_config.0
 +++ openssh-7.7p1/sshd_config.0
@@ -709,17 +709,17 @@ DESCRIPTION
              none can be used to prohibit all forwarding requests.  The
              wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
              ports, respectively.  By default all port forwarding requests are
              permitted.
      PermitRootLogin
              Specifies whether root can log in using ssh(1).  The argument
              must be yes, prohibit-password, forced-commands-only, or no.  The
 -             default is prohibit-password.
 +             default is yes.
              If this option is set to prohibit-password (or its deprecated
              alias, without-password), password and keyboard-interactive
              authentication are disabled for root.
              If this option is set to forced-commands-only, root login with
              public key authentication will be allowed, but only if the
              command option has been specified (which may be useful for taking
 diff --git a/openssh-7.7p1/sshd_config.5 b/openssh-7.7p1/sshd_config.5
 --- openssh-7.7p1/sshd_config.5
 +++ openssh-7.7p1/sshd_config.5
@@ -1220,17 +1220,17 @@ Specifies whether root can log in using
 .Xr ssh 1 .
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
 The default is
 -.Cm prohibit-password .
 +.Cm yes .
 .Pp
 If this option is set to
 .Cm prohibit-password
 (or its deprecated alias,
 .Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
--- a/openssh-7.7p1-audit.patch
+++ b/openssh-7.7p1-audit.patch
@ -3,11 +3,11 @@
 Extended auditing through the Linux Auditing subsystem
 RH patch from git://pkgs.fedoraproject.org/openssh.git
-Index: openssh-7.8p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
 ===================================================================
--- openssh-7.8p1.orig/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
-+++ openssh-7.8p1/Makefile.in
+++ openssh-7.9p1/Makefile.in
-@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
+@@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
 LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect2.o mux.o
-Index: openssh-7.8p1/audit-bsm.c
+Index: openssh-7.9p1/audit-bsm.c
 ===================================================================
--- openssh-7.8p1.orig/audit-bsm.c
+--- openssh-7.9p1.orig/audit-bsm.c
-+++ openssh-7.8p1/audit-bsm.c
+++ openssh-7.9p1/audit-bsm.c
@@ -372,10 +372,23 @@ audit_connection_from(const char *host,
 #endif
 }
@ -93,11 +93,11 @@ Index: openssh-7.8p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-Index: openssh-7.8p1/audit-linux.c
+Index: openssh-7.9p1/audit-linux.c
 ===================================================================
--- openssh-7.8p1.orig/audit-linux.c
+--- openssh-7.9p1.orig/audit-linux.c
-+++ openssh-7.8p1/audit-linux.c
+++ openssh-7.9p1/audit-linux.c
-@@ -33,27 +33,40 @@
+@@ -33,27 +33,41 @@
 #include "log.h"
 #include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.8p1/audit-linux.c
 +#include "auth.h"
 +#include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */
 +#include "servconf.h"
 +#include "ssherr.h"
 #include "canohost.h"
 #include "packet.h"
 -
@ -146,7 +147,7 @@ Index: openssh-7.8p1/audit-linux.c
 	saved_errno = errno;
 	close(audit_fd);
-@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
+@@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
 		rc = 0;
 	errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.8p1/audit-linux.c
 /* Below is the sshd audit API code */
 void
-@@ -76,24 +176,55 @@ audit_connection_from(const char *host,
+@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
 	/* not implemented */
 }
@ -306,7 +307,7 @@ Index: openssh-7.8p1/audit-linux.c
 }
 void
-@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event)
+@@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
 	struct ssh *ssh = active_state; /* XXX */
 	switch(event) {
@ -468,10 +469,10 @@ Index: openssh-7.8p1/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-Index: openssh-7.8p1/audit.c
+Index: openssh-7.9p1/audit.c
 ===================================================================
--- openssh-7.8p1.orig/audit.c
+--- openssh-7.9p1.orig/audit.c
-+++ openssh-7.8p1/audit.c
+++ openssh-7.9p1/audit.c
@@ -34,13 +34,19 @@
 #include "log.h"
 #include "hostfile.h"
@ -648,10 +649,10 @@ Index: openssh-7.8p1/audit.c
 }
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-Index: openssh-7.8p1/audit.h
+Index: openssh-7.9p1/audit.h
 ===================================================================
--- openssh-7.8p1.orig/audit.h
+--- openssh-7.9p1.orig/audit.h
-+++ openssh-7.8p1/audit.h
+++ openssh-7.9p1/audit.h
@@ -26,6 +26,7 @@
 # define _SSH_AUDIT_H
@ -694,10 +695,10 @@ Index: openssh-7.8p1/audit.h
 +void	audit_destroy_sensitive_data(const char *, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
-Index: openssh-7.8p1/auditstub.c
+Index: openssh-7.9p1/auditstub.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/auditstub.c
+++ openssh-7.9p1/auditstub.c
@@ -0,0 +1,50 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -749,11 +750,11 @@ Index: openssh-7.8p1/auditstub.c
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +}
-Index: openssh-7.8p1/auth.c
+Index: openssh-7.9p1/auth.c
 ===================================================================
--- openssh-7.8p1.orig/auth.c
+--- openssh-7.9p1.orig/auth.c
-+++ openssh-7.8p1/auth.c
+++ openssh-7.9p1/auth.c
-@@ -362,7 +362,7 @@ auth_log(Authctxt *authctxt, int authent
+@@ -366,7 +366,7 @@ auth_log(Authctxt *authctxt, int authent
 # endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
@ -762,7 +763,7 @@ Index: openssh-7.8p1/auth.c
 		audit_event(audit_classify_auth(method));
 #endif
 }
-@@ -601,9 +601,6 @@ getpwnamallow(const char *user)
+@@ -605,9 +605,6 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 #endif
@ -772,10 +773,10 @@ Index: openssh-7.8p1/auth.c
 		return (NULL);
 	}
 	if (!allowed_user(pw))
-Index: openssh-7.8p1/auth.h
+Index: openssh-7.9p1/auth.h
 ===================================================================
--- openssh-7.8p1.orig/auth.h
+--- openssh-7.9p1.orig/auth.h
-+++ openssh-7.8p1/auth.h
+++ openssh-7.9p1/auth.h
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(const char
 char	*expand_authorized_keys(const char *, struct passwd *pw);
@ -794,11 +795,11 @@ Index: openssh-7.8p1/auth.h
 /* Key / cert options linkage to auth layer */
 const struct sshauthopt *auth_options(struct ssh *);
-Index: openssh-7.8p1/auth2-hostbased.c
+Index: openssh-7.9p1/auth2-hostbased.c
 ===================================================================
--- openssh-7.8p1.orig/auth2-hostbased.c
+--- openssh-7.9p1.orig/auth2-hostbased.c
-+++ openssh-7.8p1/auth2-hostbased.c
+++ openssh-7.9p1/auth2-hostbased.c
-@@ -141,7 +141,7 @@ userauth_hostbased(struct ssh *ssh)
+@@ -148,7 +148,7 @@ userauth_hostbased(struct ssh *ssh)
 	/* test for allowed key and correct signature */
 	authenticated = 0;
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -807,7 +808,7 @@ Index: openssh-7.8p1/auth2-hostbased.c
 	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
 		authenticated = 1;
-@@ -158,6 +158,19 @@ done:
+@@ -165,6 +165,19 @@ done:
 	return authenticated;
 }
@ -827,11 +828,11 @@ Index: openssh-7.8p1/auth2-hostbased.c
 /* return 1 if given hostkey is allowed */
 int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-Index: openssh-7.8p1/auth2-pubkey.c
+Index: openssh-7.9p1/auth2-pubkey.c
 ===================================================================
--- openssh-7.8p1.orig/auth2-pubkey.c
+--- openssh-7.9p1.orig/auth2-pubkey.c
-+++ openssh-7.8p1/auth2-pubkey.c
+++ openssh-7.9p1/auth2-pubkey.c
-@@ -187,7 +187,7 @@ userauth_pubkey(struct ssh *ssh)
+@@ -193,7 +193,7 @@ userauth_pubkey(struct ssh *ssh)
 		/* test for correct signature */
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -840,7 +841,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
 		    sshbuf_ptr(b), sshbuf_len(b),
 		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
 		    ssh->compat)) == 0) {
-@@ -246,6 +246,19 @@ done:
+@@ -252,6 +252,19 @@ done:
 	return authenticated;
 }
@ -860,7 +861,7 @@ Index: openssh-7.8p1/auth2-pubkey.c
 static int
 match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 {
-@@ -767,7 +780,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -773,7 +786,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
 		found_principal = 1;
 	/* If principals file or command is specified, then require a match */
 	use_authorized_principals = principals_file != NULL ||
@ -869,10 +870,10 @@ Index: openssh-7.8p1/auth2-pubkey.c
 	if (!found_principal && use_authorized_principals) {
 		reason = "Certificate does not contain an authorized principal";
 		goto fail_reason;
-Index: openssh-7.8p1/auth2.c
+Index: openssh-7.9p1/auth2.c
 ===================================================================
--- openssh-7.8p1.orig/auth2.c
+--- openssh-7.9p1.orig/auth2.c
-+++ openssh-7.8p1/auth2.c
+++ openssh-7.9p1/auth2.c
@@ -284,9 +284,6 @@ input_userauth_request(int type, u_int32
 		} else {
 			/* Invalid user, fake password information */
@ -883,10 +884,10 @@ Index: openssh-7.8p1/auth2.c
 		}
 #ifdef USE_PAM
 		if (options.use_pam)
-Index: openssh-7.8p1/cipher.c
+Index: openssh-7.9p1/cipher.c
 ===================================================================
--- openssh-7.8p1.orig/cipher.c
+--- openssh-7.9p1.orig/cipher.c
-+++ openssh-7.8p1/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,25 +54,6 @@
 #include "fips.h"
 #include "log.h"
@ -922,10 +923,10 @@ Index: openssh-7.8p1/cipher.c
 		return;
 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
 		explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
-Index: openssh-7.8p1/cipher.h
+Index: openssh-7.9p1/cipher.h
 ===================================================================
--- openssh-7.8p1.orig/cipher.h
+--- openssh-7.9p1.orig/cipher.h
-+++ openssh-7.8p1/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -45,7 +45,25 @@
 #define CIPHER_ENCRYPT		1
 #define CIPHER_DECRYPT		0
@ -953,10 +954,10 @@ Index: openssh-7.8p1/cipher.h
 struct sshcipher_ctx {
 	int	plaintext;
 	int	encrypt;
-Index: openssh-7.8p1/kex.c
+Index: openssh-7.9p1/kex.c
 ===================================================================
--- openssh-7.8p1.orig/kex.c
+--- openssh-7.9p1.orig/kex.c
-+++ openssh-7.8p1/kex.c
+++ openssh-7.9p1/kex.c
@@ -53,6 +53,7 @@
 #include "ssherr.h"
 #include "sshbuf.h"
@ -1053,10 +1054,10 @@ Index: openssh-7.8p1/kex.c
 +	mac_destroy(&newkeys->mac);
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
-Index: openssh-7.8p1/kex.h
+Index: openssh-7.9p1/kex.h
 ===================================================================
--- openssh-7.8p1.orig/kex.h
+--- openssh-7.9p1.orig/kex.h
-+++ openssh-7.8p1/kex.h
+++ openssh-7.9p1/kex.h
@@ -213,6 +213,8 @@ int	 kexgss_client(struct ssh *);
 int	 kexgss_server(struct ssh *);
 #endif
@ -1066,10 +1067,10 @@ Index: openssh-7.8p1/kex.h
 int	 kex_dh_hash(int, const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
     const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
-Index: openssh-7.8p1/mac.c
+Index: openssh-7.9p1/mac.c
 ===================================================================
--- openssh-7.8p1.orig/mac.c
+--- openssh-7.9p1.orig/mac.c
-+++ openssh-7.8p1/mac.c
+++ openssh-7.9p1/mac.c
@@ -280,6 +280,20 @@ mac_clear(struct sshmac *mac)
 	mac->umac_ctx = NULL;
 }
@ -1091,10 +1092,10 @@ Index: openssh-7.8p1/mac.c
 /* XXX copied from ciphers_valid */
 #define	MAC_SEP	","
 int
-Index: openssh-7.8p1/mac.h
+Index: openssh-7.9p1/mac.h
 ===================================================================
--- openssh-7.8p1.orig/mac.h
+--- openssh-7.9p1.orig/mac.h
-+++ openssh-7.8p1/mac.h
+++ openssh-7.9p1/mac.h
@@ -49,5 +49,6 @@ int	 mac_compute(struct sshmac *, u_int3
 int	 mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
     const u_char *, size_t);
@ -1102,11 +1103,11 @@ Index: openssh-7.8p1/mac.h
 +void	 mac_destroy(struct sshmac *);
 #endif /* SSHMAC_H */
-Index: openssh-7.8p1/monitor.c
+Index: openssh-7.9p1/monitor.c
 ===================================================================
--- openssh-7.8p1.orig/monitor.c
+--- openssh-7.9p1.orig/monitor.c
-+++ openssh-7.8p1/monitor.c
+++ openssh-7.9p1/monitor.c
-@@ -91,6 +91,7 @@
+@@ -93,6 +93,7 @@
 #include "compat.h"
 #include "ssh2.h"
 #include "authfd.h"
@ -1114,7 +1115,7 @@ Index: openssh-7.8p1/monitor.c
 #include "match.h"
 #include "ssherr.h"
-@@ -105,6 +106,8 @@ extern u_char session_id[];
+@@ -107,6 +108,8 @@ extern u_char session_id[];
 extern struct sshbuf *loginmsg;
 extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1123,7 +1124,7 @@ Index: openssh-7.8p1/monitor.c
 /* State exported from the child */
 static struct sshbuf *child_state;
-@@ -150,6 +153,11 @@ int mm_answer_gss_updatecreds(int, struc
+@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(int, struc
 #ifdef SSH_AUDIT_EVENTS
 int mm_answer_audit_event(int, struct sshbuf *);
 int mm_answer_audit_command(int, struct sshbuf *);
@ -1135,7 +1136,7 @@ Index: openssh-7.8p1/monitor.c
 #endif
 static int monitor_read_log(struct monitor *);
-@@ -203,6 +211,11 @@ struct mon_table mon_dispatch_proto20[]
+@@ -205,6 +213,11 @@ struct mon_table mon_dispatch_proto20[]
 #endif
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1147,7 +1148,7 @@ Index: openssh-7.8p1/monitor.c
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -231,6 +244,11 @@ struct mon_table mon_dispatch_postauth20
+@@ -233,6 +246,11 @@ struct mon_table mon_dispatch_postauth20
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1159,15 +1160,19 @@ Index: openssh-7.8p1/monitor.c
 #endif
 #ifdef GSSAPI
     {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
-@@ -1375,6 +1393,7 @@ mm_answer_keyverify(int sock, struct ssh
+@@ -1379,8 +1397,10 @@ mm_answer_keyverify(int sock, struct ssh
 	char *sigalg;
 	size_t signaturelen, datalen, bloblen;
 	int r, ret, valid_data = 0, encoded_ret;
 +	int type = 0;
- 	if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
+-	if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 +	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
 +	    (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
 	    (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
-@@ -1385,6 +1404,8 @@ mm_answer_keyverify(int sock, struct ssh
+ 	    (r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
 	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1389,6 +1409,8 @@ mm_answer_keyverify(int sock, struct ssh
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
 	  !monitor_allowed_key(blob, bloblen))
 		fatal("%s: bad key, not previously allowed", __func__);
@ -1176,7 +1181,7 @@ Index: openssh-7.8p1/monitor.c
 	/* Empty signature algorithm means NULL. */
 	if (*sigalg == '\0') {
-@@ -1399,22 +1420,25 @@ mm_answer_keyverify(int sock, struct ssh
+@@ -1403,22 +1425,25 @@ mm_answer_keyverify(int sock, struct ssh
 	switch (key_blobtype) {
 	case MM_USERKEY:
 		valid_data = monitor_valid_userblob(data, datalen);
@ -1204,7 +1209,7 @@ Index: openssh-7.8p1/monitor.c
 	debug3("%s: %s %p signature %s", __func__, auth_method, key,
 	    (ret == 0) ? "verified" : "unverified");
 	auth2_record_key(authctxt, ret == 0, key);
-@@ -1474,6 +1498,12 @@ mm_session_close(Session *s)
+@@ -1478,6 +1503,12 @@ mm_session_close(Session *s)
 		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
 		session_pty_cleanup2(s);
 	}
@ -1217,7 +1222,7 @@ Index: openssh-7.8p1/monitor.c
 	session_unused(s->self);
 }
-@@ -1582,6 +1612,8 @@ mm_answer_term(int sock, struct sshbuf *
+@@ -1586,6 +1617,8 @@ mm_answer_term(int sock, struct sshbuf *
 		sshpam_cleanup();
 #endif
@ -1226,7 +1231,7 @@ Index: openssh-7.8p1/monitor.c
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
-@@ -1628,14 +1660,50 @@ mm_answer_audit_command(int socket, stru
+@@ -1632,14 +1665,50 @@ mm_answer_audit_command(int socket, stru
 {
 	char *cmd;
 	int r;
@ -1280,7 +1285,7 @@ Index: openssh-7.8p1/monitor.c
 }
 #endif /* SSH_AUDIT_EVENTS */
-@@ -1697,6 +1765,7 @@ monitor_apply_keystate(struct monitor *p
+@@ -1701,6 +1770,7 @@ monitor_apply_keystate(struct monitor *p
 void
 mm_get_keystate(struct monitor *pmonitor)
 {
@ -1288,7 +1293,7 @@ Index: openssh-7.8p1/monitor.c
 	debug3("%s: Waiting for new keys", __func__);
 	if ((child_state = sshbuf_new()) == NULL)
-@@ -1704,6 +1773,19 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1708,6 +1778,19 @@ mm_get_keystate(struct monitor *pmonitor
 	mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
 	    child_state);
 	debug3("%s: GOT new keys", __func__);
@ -1308,33 +1313,16 @@ Index: openssh-7.8p1/monitor.c
 }
-@@ -1902,19 +1984,19 @@ mm_answer_gss_sign(int socket, struct ss
+@@ -1909,7 +1992,7 @@ mm_answer_gss_sign(int socket, struct ss
-        int r;
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        if (!options.gss_authentication && !options.gss_keyex)
 -               fatal("In GSSAPI monitor when GSSAPI is disabled");
 +	       fatal("In GSSAPI monitor when GSSAPI is disabled");
        if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
- 	 fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	        fatal("%s: buffer error: %s", __func__, ssh_err(r));
 +	       fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (data.length != 20)
-               fatal("%s: data length incorrect: %d", __func__,
+                fatal("%s: data length incorrect: %d", __func__,
-                   (int) data.length);
+                    (int) data.length);
-+	       fatal("%s: data length incorrect: %d", __func__,
+@@ -1966,3 +2049,102 @@ mm_answer_gss_updatecreds(int socket, st
 +		   (int) data.length);
        /* Save the session ID on the first time around */
        if (session_id2_len == 0) {
 -               session_id2_len = data.length;
 -               session_id2 = xmalloc(session_id2_len);
 -               memcpy(session_id2, data.value, session_id2_len);
 +	       session_id2_len = data.length;
 +	       session_id2 = xmalloc(session_id2_len);
 +	       memcpy(session_id2, data.value, session_id2_len);
        }
        major = ssh_gssapi_sign(gsscontext, &data, &hash);
@@ -1962,3 +2044,102 @@ mm_answer_gss_updatecreds(int socket, st
 }
 #endif /* GSSAPI */
@ -1437,10 +1425,10 @@ Index: openssh-7.8p1/monitor.c
 +       return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-Index: openssh-7.8p1/monitor.h
+Index: openssh-7.9p1/monitor.h
 ===================================================================
--- openssh-7.8p1.orig/monitor.h
+--- openssh-7.9p1.orig/monitor.h
-+++ openssh-7.8p1/monitor.h
+++ openssh-7.9p1/monitor.h
@@ -61,7 +61,13 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
 	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1456,10 +1444,10 @@ Index: openssh-7.8p1/monitor.h
 	MONITOR_REQ_GSSSIGN = 201, MONITOR_ANS_GSSSIGN = 202,
 	MONITOR_REQ_GSSUPCREDS = 203, MONITOR_ANS_GSSUPCREDS = 204,
-Index: openssh-7.8p1/monitor_wrap.c
+Index: openssh-7.9p1/monitor_wrap.c
 ===================================================================
--- openssh-7.8p1.orig/monitor_wrap.c
+--- openssh-7.9p1.orig/monitor_wrap.c
-+++ openssh-7.8p1/monitor_wrap.c
+++ openssh-7.9p1/monitor_wrap.c
@@ -497,7 +497,7 @@ mm_key_allowed(enum mm_keytype type, con
  */
@ -1637,10 +1625,10 @@ Index: openssh-7.8p1/monitor_wrap.c
 +       sshbuf_free(m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-Index: openssh-7.8p1/monitor_wrap.h
+Index: openssh-7.9p1/monitor_wrap.h
 ===================================================================
--- openssh-7.8p1.orig/monitor_wrap.h
+--- openssh-7.9p1.orig/monitor_wrap.h
-+++ openssh-7.8p1/monitor_wrap.h
+++ openssh-7.9p1/monitor_wrap.h
@@ -53,7 +53,9 @@ int mm_user_key_allowed(struct ssh *, st
     struct sshauthopt **);
 int mm_hostbased_key_allowed(struct passwd *, const char *,
@ -1666,10 +1654,10 @@ Index: openssh-7.8p1/monitor_wrap.h
 #endif
 struct Session;
-Index: openssh-7.8p1/packet.c
+Index: openssh-7.9p1/packet.c
 ===================================================================
--- openssh-7.8p1.orig/packet.c
+--- openssh-7.9p1.orig/packet.c
-+++ openssh-7.8p1/packet.c
+++ openssh-7.9p1/packet.c
@@ -76,6 +76,7 @@
 #include <zlib.h>
@ -1829,20 +1817,20 @@ Index: openssh-7.8p1/packet.c
 /* Reset after_authentication and reset compression in post-auth privsep */
 static int
 ssh_packet_set_postauth(struct ssh *ssh)
-Index: openssh-7.8p1/packet.h
+Index: openssh-7.9p1/packet.h
 ===================================================================
--- openssh-7.8p1.orig/packet.h
+--- openssh-7.9p1.orig/packet.h
-+++ openssh-7.8p1/packet.h
+++ openssh-7.9p1/packet.h
@@ -219,4 +219,5 @@ extern struct ssh *active_state;
 # undef EC_POINT
 #endif
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
-Index: openssh-7.8p1/session.c
+Index: openssh-7.9p1/session.c
 ===================================================================
--- openssh-7.8p1.orig/session.c
+--- openssh-7.9p1.orig/session.c
-+++ openssh-7.8p1/session.c
+++ openssh-7.9p1/session.c
@@ -139,7 +139,7 @@ extern char *__progname;
 extern int debug_flag;
 extern u_int utmp_len;
@ -1867,7 +1855,7 @@ Index: openssh-7.8p1/session.c
 	/* Enter interactive session. */
 	s->ptymaster = ptymaster;
 	packet_set_interactive(1, 
-@@ -739,15 +747,19 @@ do_exec(struct ssh *ssh, Session *s, con
+@@ -741,15 +749,19 @@ do_exec(struct ssh *ssh, Session *s, con
 	    s->self);
 #ifdef SSH_AUDIT_EVENTS
@ -1889,7 +1877,7 @@ Index: openssh-7.8p1/session.c
 #endif
 	if (s->ttyfd != -1)
 		ret = do_exec_pty(ssh, s, command);
-@@ -1551,8 +1563,11 @@ do_child(struct ssh *ssh, Session *s, co
+@@ -1553,8 +1565,11 @@ do_child(struct ssh *ssh, Session *s, co
 	int r = 0;
 	/* remove hostkey from the child's memory */
@ -1902,7 +1890,7 @@ Index: openssh-7.8p1/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-@@ -1759,6 +1774,9 @@ session_unused(int id)
+@@ -1761,6 +1776,9 @@ session_unused(int id)
 	sessions[id].ttyfd = -1;
 	sessions[id].ptymaster = -1;
 	sessions[id].x11_chanids = NULL;
@ -1912,7 +1900,7 @@ Index: openssh-7.8p1/session.c
 	sessions[id].next_unused = sessions_first_unused;
 	sessions_first_unused = id;
 }
-@@ -1841,6 +1859,19 @@ session_open(Authctxt *authctxt, int cha
+@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
 }
 Session *
@ -1932,7 +1920,7 @@ Index: openssh-7.8p1/session.c
 session_by_tty(char *tty)
 {
 	int i;
-@@ -2352,6 +2383,32 @@ session_exit_message(struct ssh *ssh, Se
+@@ -2428,6 +2459,32 @@ session_exit_message(struct ssh *ssh, Se
 		chan_write_failed(ssh, c);
 }
@ -1965,7 +1953,7 @@ Index: openssh-7.8p1/session.c
 void
 session_close(struct ssh *ssh, Session *s)
 {
-@@ -2393,6 +2450,10 @@ session_close(struct ssh *ssh, Session *
+@@ -2469,6 +2526,10 @@ session_close(struct ssh *ssh, Session *
 	if (s->ttyfd != -1)
 		session_pty_cleanup(s);
@ -1976,7 +1964,7 @@ Index: openssh-7.8p1/session.c
 	free(s->term);
 	free(s->display);
 	free(s->x11_chanids);
-@@ -2600,6 +2661,15 @@ do_authenticated2(struct ssh *ssh, Authc
+@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc
 	server_loop2(ssh, authctxt);
 }
@ -1992,7 +1980,7 @@ Index: openssh-7.8p1/session.c
 void
 do_cleanup(struct ssh *ssh, Authctxt *authctxt)
 {
-@@ -2657,7 +2727,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
+@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
 	 * or if running in monitor.
 	 */
 	if (!use_privsep || mm_is_monitor())
@ -2001,11 +1989,11 @@ Index: openssh-7.8p1/session.c
 }
 /* Return a name for the remote host that fits inside utmp_size */
-Index: openssh-7.8p1/session.h
+Index: openssh-7.9p1/session.h
 ===================================================================
--- openssh-7.8p1.orig/session.h
+--- openssh-7.9p1.orig/session.h
-+++ openssh-7.8p1/session.h
+++ openssh-7.9p1/session.h
-@@ -60,6 +60,12 @@ struct Session {
+@@ -61,6 +61,12 @@ struct Session {
 		char	*name;
 		char	*val;
 	} *env;
@ -2018,7 +2006,7 @@ Index: openssh-7.8p1/session.h
 };
 void	 do_authenticated(struct ssh *, Authctxt *);
-@@ -72,8 +78,10 @@ void	 session_close_by_pid(struct ssh *s
+@@ -73,8 +79,10 @@ void	 session_close_by_pid(struct ssh *s
 void	 session_close_by_channel(struct ssh *, int, void *);
 void	 session_destroy_all(struct ssh *, void (*)(Session *));
 void	 session_pty_cleanup2(Session *);
@ -2029,10 +2017,10 @@ Index: openssh-7.8p1/session.h
 Session	*session_by_tty(char *);
 void	 session_close(struct ssh *, Session *);
 void	 do_setusercontext(struct passwd *);
-Index: openssh-7.8p1/sshd.c
+Index: openssh-7.9p1/sshd.c
 ===================================================================
--- openssh-7.8p1.orig/sshd.c
+--- openssh-7.9p1.orig/sshd.c
-+++ openssh-7.8p1/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -124,6 +124,7 @@
 #include "ssh-gss.h"
 #endif
@ -2091,24 +2079,24 @@ Index: openssh-7.8p1/sshd.c
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (sensitive_data.host_keys[i]) {
 -			sshkey_free(sensitive_data.host_keys[i]);
-+		  char *fp;
+			char *fp;
 +
-+		  if (sshkey_is_private(sensitive_data.host_keys[i]))
+			if (sshkey_is_private(sensitive_data.host_keys[i]))
-+		    fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+				fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
-+		  else
+		  	else
-+		    fp = NULL;
+				fp = NULL;
-+		  sshkey_free(sensitive_data.host_keys[i]);
+		  	sshkey_free(sensitive_data.host_keys[i]);
 			sensitive_data.host_keys[i] = NULL;
 +			if (fp != NULL) {
 +#ifdef SSH_AUDIT_EVENTS
-+			  if (privsep)
+				if (privsep)
-+			    PRIVSEP(audit_destroy_sensitive_data(fp,
+					PRIVSEP(audit_destroy_sensitive_data(fp,
-+								 pid, uid));
+						 pid, uid));
-+			  else
+				else
-+			    audit_destroy_sensitive_data(fp,
+					audit_destroy_sensitive_data(fp,
-+							 pid, uid);
+						 pid, uid);
 +#endif
-+			  free(fp);
+				free(fp);
 +			}
 		}
 -		if (sensitive_data.host_certificates[i]) {
@ -2117,30 +2105,28 @@ Index: openssh-7.8p1/sshd.c
 			sshkey_free(sensitive_data.host_certificates[i]);
 			sensitive_data.host_certificates[i] = NULL;
 		}
-@@ -513,9 +551,22 @@ demote_sensitive_data(void)
+@@ -513,8 +551,21 @@ demote_sensitive_data(void)
 	struct sshkey *tmp;
 	u_int i;
 	int r;
 +#ifdef SSH_AUDIT_EVENTS
-+       pid_t pid;
+	pid_t pid;
-+       uid_t uid;
+	uid_t uid;
- 
+
-	for (i = 0; i < options.num_host_key_files; i++) {
+	pid = getpid();
-+       pid = getpid();
+	uid = getuid();
 +       uid = getuid();
 +#endif
 	for (i = 0; i < options.num_host_key_files; i++) {
 +		char *fp;
 +
-+  for (i = 0; i < options.num_host_key_files; i++) {
+		if (sshkey_is_private(sensitive_data.host_keys[i]))
 +			fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
 +		else
 +			fp = NULL;
 		if (sensitive_data.host_keys[i]) {
-+			char *fp;
+ 			if ((r = sshkey_from_private(
-+
+ 			    sensitive_data.host_keys[i], &tmp)) != 0)
 +			if (sshkey_is_private(sensitive_data.host_keys[i]))
 +				fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
 +			else
 +				fp = NULL;
 			if ((r = sshkey_demote(sensitive_data.host_keys[i],
 			    &tmp)) != 0)
 				fatal("could not demote host %s key: %s",
@@ -523,6 +574,12 @@ demote_sensitive_data(void)
 				    ssh_err(r));
 			sshkey_free(sensitive_data.host_keys[i]);
@ -2213,48 +2199,11 @@ Index: openssh-7.8p1/sshd.c
 		audit_event(SSH_CONNECTION_ABANDON);
 #endif
 	_exit(i);
-Index: openssh-7.8p1/sshkey.c
+Index: openssh-7.9p1/sshkey.h
 ===================================================================
--- openssh-7.8p1.orig/sshkey.c
+--- openssh-7.9p1.orig/sshkey.h
-+++ openssh-7.8p1/sshkey.c
+++ openssh-7.9p1/sshkey.h
-@@ -326,6 +326,32 @@ sshkey_type_is_valid_ca(int type)
+@@ -147,6 +147,7 @@ u_int		 sshkey_size(const struct sshkey
 }
 int
 +sshkey_is_private(const struct sshkey *k)
 +{
 +      switch (k->type) {
 +#ifdef WITH_OPENSSL
 +      case KEY_RSA_CERT:
 +      case KEY_RSA:
 +              return k->rsa->d != NULL;
 +      case KEY_DSA_CERT:
 +      case KEY_DSA:
 +              return k->dsa->priv_key != NULL;
 +#ifdef OPENSSL_HAS_ECC
 +      case KEY_ECDSA_CERT:
 +      case KEY_ECDSA:
 +              return EC_KEY_get0_private_key(k->ecdsa) != NULL;
 +#endif /* OPENSSL_HAS_ECC */
 +#endif /* WITH_OPENSSL */
 +      case KEY_ED25519_CERT:
 +      case KEY_ED25519:
 +              return (k->ed25519_pk != NULL);
 +      default:
 +              /* fatal("key_is_private: bad key type %d", k->type); */
 +              return 0;
 +      }
 +}
 +
 +int
 sshkey_is_cert(const struct sshkey *k)
 {
 	if (k == NULL)
 Index: openssh-7.8p1/sshkey.h
 ===================================================================
 --- openssh-7.8p1.orig/sshkey.h
 +++ openssh-7.8p1/sshkey.h
@@ -148,6 +148,7 @@ u_int		 sshkey_size(const struct sshkey
 int		 sshkey_generate(int type, u_int bits, struct sshkey **keyp);
 int		 sshkey_from_private(const struct sshkey *, struct sshkey **);
 int	 sshkey_type_from_name(const char *);
@ -2262,3 +2211,46 @@ Index: openssh-7.8p1/sshkey.h
 int	 sshkey_is_cert(const struct sshkey *);
 int	 sshkey_type_is_cert(int);
 int	 sshkey_type_plain(int);
 Index: openssh-7.9p1/sshkey.c
 ===================================================================
 --- openssh-7.9p1.orig/sshkey.c
 +++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
 }
 int
 +sshkey_is_private(const struct sshkey *k)
 +{
 +	switch (k->type) {
 +#ifdef WITH_OPENSSL
 +	case KEY_RSA_CERT:
 +	case KEY_RSA: {
 +		const BIGNUM *d;
 +		RSA_get0_key(k->rsa, NULL, NULL, &d);
 +		return d != NULL;
 +	}
 +	case KEY_DSA_CERT:
 +	case KEY_DSA: {
 +		const BIGNUM *priv_key;
 +		DSA_get0_key(k->dsa, NULL, &priv_key);
 +		return priv_key != NULL;
 +	}
 +#ifdef OPENSSL_HAS_ECC
 +	case KEY_ECDSA_CERT:
 +	case KEY_ECDSA:
 +		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
 +#endif /* OPENSSL_HAS_ECC */
 +#endif /* WITH_OPENSSL */
 +	case KEY_ED25519_CERT:
 +	case KEY_ED25519:
 +		return (k->ed25519_pk != NULL);
 +	default:
 +		/* fatal("key_is_private: bad key type %d", k->type); */
 +		return 0;
 +	}
 +}
 +
 +int
 sshkey_is_cert(const struct sshkey *k)
 {
 	if (k == NULL)
--- a/openssh-7.7p1-blocksigalrm.patch
+++ b/openssh-7.7p1-blocksigalrm.patch
@ -1,75 +0,0 @@
 # HG changeset patch
 # Parent  2e66b48b2212113d9897a58aaada67557b7c4f35
 block SIGALRM while logging through syslog to prevent deadlocks
 (through grace_alarm_handler())
 bnc#57354
 diff --git a/openssh-7.7p1/log.c b/openssh-7.7p1/log.c
 --- openssh-7.7p1/log.c
 +++ openssh-7.7p1/log.c
@@ -46,16 +46,17 @@
 #include <syslog.h>
 #include <unistd.h>
 #include <errno.h>
 #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
 # include <vis.h>
 #endif
 #include "log.h"
 +#include <signal.h>
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
 static int log_stderr_fd = STDERR_FILENO;
 static int log_facility = LOG_AUTH;
 static char *argv0;
 static log_handler_fn *log_handler;
 static void *log_handler_ctx;
@@ -396,16 +397,17 @@ do_log(LogLevel level, const char *fmt, 
 {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
 	char msgbuf[MSGBUFSIZ];
 	char fmtbuf[MSGBUFSIZ];
 	char *txt = NULL;
 	int pri = LOG_INFO;
 +	sigset_t nset, oset;
 	int saved_errno = errno;
 	log_handler_fn *tmp_handler;
 	if (level > log_level)
 		return;
 	switch (level) {
 	case SYSLOG_LEVEL_FATAL:
@@ -455,20 +457,28 @@ do_log(LogLevel level, const char *fmt, 
 		log_handler = NULL;
 		tmp_handler(level, fmtbuf, log_handler_ctx);
 		log_handler = tmp_handler;
 	} else if (log_on_stderr) {
 		snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
 		    (int)sizeof msgbuf - 3, fmtbuf);
 		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
 	} else {
 +		/* Prevent a race between the grace_alarm which writes a
 +		 * log message and terminates and main sshd code that leads
 +		 * to deadlock as syslog is not async safe.
 +		 */ 
 +		sigemptyset(&nset);
 +		sigaddset(&nset, SIGALRM);
 +		sigprocmask(SIG_BLOCK, &nset, &oset);
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
 		closelog_r(&sdata);
 #else
 		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
 		syslog(pri, "%.500s", fmtbuf);
 		closelog();
 #endif
 +		sigprocmask(SIG_SETMASK, &oset, NULL);
 	}
 	errno = saved_errno;
 }
--- a/openssh-7.7p1-cavstest-ctr.patch
+++ b/openssh-7.7p1-cavstest-ctr.patch
@ -2,15 +2,11 @@
 # Parent  cc1022edba2c5eeb0facba08468f65afc2466b63
 CAVS test for OpenSSH's own CTR encryption mode implementation
-diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
--- openssh-7.7p1/Makefile.in
+===================================================================
-+++ openssh-7.7p1/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
-@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
+++ openssh-7.9p1/Makefile.in
- 
+@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 DESTDIR=
 VPATH=@srcdir@
 SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
- TEST_SHELL=@TEST_SHELL@
+@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
 MKDIR_P=@MKDIR_P@
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
 XMSS_OBJS=\
 	ssh-xmss.o \
 	sshkey-xmss.o \
- 	xmss_commons.o \
+@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
 	xmss_fast.o \
 	xmss_hash.o \
 	xmss_hash_address.o \
 	xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
 	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
- 
+@@ -348,6 +355,7 @@ install-files:
 $(MANPAGES): $(MANPAGES_IN)
 	if test "$(MANTYPE)" = "cat"; then \
 		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
 	else \
@@ -339,16 +346,17 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
- 	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
+Index: openssh-7.9p1/cavstest-ctr.c
- 	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+===================================================================
 	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
 	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
 new file mode 100644
 --- /dev/null
-+++ openssh-7.7p1/cavstest-ctr.c
+++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
 +/*
 + *
@ -238,7 +199,7 @@ new file mode 100644
 +		usage();
 +	}
 +
-+	SSLeay_add_all_algorithms();
+	OpenSSL_add_all_algorithms();
 +
 +	c = cipher_by_name(algo);
 +	if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
 +	printf("\n");
 +	return 0;
 +}
-diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
+Index: openssh-7.9p1/cipher.c
--- openssh-7.7p1/cipher.c
+===================================================================
-+++ openssh-7.7p1/cipher.c
+--- openssh-7.9p1.orig/cipher.c
-@@ -49,25 +49,16 @@
+++ openssh-7.9p1/cipher.c
- #include "ssherr.h"
+@@ -54,15 +54,6 @@
 #include "digest.h"
 #include "openbsd-compat/openssl-compat.h"
 #include "fips.h"
 #include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
 struct sshcipher {
 	char	*name;
 	u_int	block_size;
- 	u_int	key_len;
+Index: openssh-7.9p1/cipher.h
- 	u_int	iv_len;		/* defaults to block_size */
+===================================================================
- 	u_int	auth_len;
+--- openssh-7.9p1.orig/cipher.h
- 	u_int	flags;
+++ openssh-7.9p1/cipher.h
- #define CFLAG_CBC		(1<<0)
+@@ -46,7 +46,15 @@
 diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
 --- openssh-7.7p1/cipher.h
 +++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
 #include <openssl/evp.h>
 #include "cipher-chachapoly.h"
 #include "cipher-aesctr.h"
 #define CIPHER_ENCRYPT		1
 #define CIPHER_DECRYPT		0
 struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
 const struct sshcipher *cipher_by_name(const char *);
 const char *cipher_warning_message(const struct sshcipher_ctx *);
 int	 ciphers_valid(const char *);
 char	*cipher_alg_list(char, int);
 int	 cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
     const u_char *, u_int, const u_char *, u_int, int);
 int	 cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
--- a/openssh-7.7p1-disable_short_DH_parameters.patch
+++ b/openssh-7.7p1-disable_short_DH_parameters.patch
@ -12,23 +12,23 @@ compliant) parameters.
 CVE-2015-4000 (LOGJAM)
 bsc#932483
-Index: openssh-7.8p1/dh.c
+Index: openssh-7.9p1/dh.c
 ===================================================================
--- openssh-7.8p1.orig/dh.c
+--- openssh-7.9p1.orig/dh.c
-+++ openssh-7.8p1/dh.c
+++ openssh-7.9p1/dh.c
-@@ -43,6 +43,8 @@
+@@ -45,6 +45,8 @@
- #include "misc.h"
+ 
- #include "ssherr.h"
+ #include "openbsd-compat/openssl-compat.h"
 +int dh_grp_min = DH_GRP_MIN;
 +
 static int
 parse_prime(int linenum, char *line, struct dhgroup *dhg)
 {
-Index: openssh-7.8p1/dh.h
+Index: openssh-7.9p1/dh.h
 ===================================================================
--- openssh-7.8p1.orig/dh.h
+--- openssh-7.9p1.orig/dh.h
-+++ openssh-7.8p1/dh.h
+++ openssh-7.9p1/dh.h
@@ -50,6 +50,7 @@ u_int	 dh_estimate(int);
  * Max value from RFC4419.
  * Miniumum increased in light of DH precomputation attacks.
@ -37,11 +37,11 @@ Index: openssh-7.8p1/dh.h
 #define DH_GRP_MIN	2048
 #define DH_GRP_MAX	8192
-Index: openssh-7.8p1/kexgexc.c
+Index: openssh-7.9p1/kexgexc.c
 ===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+--- openssh-7.9p1.orig/kexgexc.c
-+++ openssh-7.8p1/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
-@@ -51,6 +51,9 @@
+@@ -53,6 +53,9 @@
 #include "sshbuf.h"
 #include "misc.h"
@ -51,7 +51,7 @@ Index: openssh-7.8p1/kexgexc.c
 static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
 static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
-@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
+@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
 	nbits = dh_estimate(kex->dh_need * 8);
@ -60,7 +60,7 @@ Index: openssh-7.8p1/kexgexc.c
 	kex->max = DH_GRP_MAX;
 	kex->nbits = nbits;
 	if (datafellows & SSH_BUG_DHGEX_LARGE)
-@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
+@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
 		goto out;
 	if ((bits = BN_num_bits(p)) < 0 ||
 	    (u_int)bits < kex->min || (u_int)bits > kex->max) {
@ -73,11 +73,11 @@ Index: openssh-7.8p1/kexgexc.c
 		r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
 		goto out;
 	}
-Index: openssh-7.8p1/kexgexs.c
+Index: openssh-7.9p1/kexgexs.c
 ===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+--- openssh-7.9p1.orig/kexgexs.c
-+++ openssh-7.8p1/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
-@@ -54,6 +54,9 @@
+@@ -56,6 +56,9 @@
 #include "sshbuf.h"
 #include "misc.h"
@ -87,7 +87,7 @@ Index: openssh-7.8p1/kexgexs.c
 static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
 static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
-@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
+@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
 	kex->nbits = nbits;
 	kex->min = min;
 	kex->max = max;
@ -109,10 +109,10 @@ Index: openssh-7.8p1/kexgexs.c
 		r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
 		goto out;
 	}
-Index: openssh-7.8p1/readconf.c
+Index: openssh-7.9p1/readconf.c
 ===================================================================
--- openssh-7.8p1.orig/readconf.c
+--- openssh-7.9p1.orig/readconf.c
-+++ openssh-7.8p1/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
@ -130,7 +130,7 @@ Index: openssh-7.8p1/readconf.c
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -291,6 +292,7 @@ static struct {
+@@ -292,6 +293,7 @@ static struct {
 	{ "remotecommand", oRemoteCommand },
 	{ "visualhostkey", oVisualHostKey },
 	{ "kexalgorithms", oKexAlgorithms },
@ -138,7 +138,7 @@ Index: openssh-7.8p1/readconf.c
 	{ "ipqos", oIPQoS },
 	{ "requesttty", oRequestTTY },
 	{ "proxyusefdpass", oProxyUseFdpass },
-@@ -312,6 +314,9 @@ static struct {
+@@ -313,6 +315,9 @@ static struct {
 	{ NULL, oBadOption }
 };
@ -148,7 +148,7 @@ Index: openssh-7.8p1/readconf.c
 /*
  * Adds a local TCP/IP port forward to options.  Never returns if there is an
  * error.
-@@ -1206,6 +1211,10 @@ parse_int:
+@@ -1216,6 +1221,10 @@ parse_int:
 			options->kex_algorithms = xstrdup(arg);
 		break;
@ -159,15 +159,15 @@ Index: openssh-7.8p1/readconf.c
 	case oHostKeyAlgorithms:
 		charptr = &options->hostkeyalgorithms;
 parse_keytypes:
-@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
+@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
 +	options->kex_dhmin = -1;
 	options->hostkeyalgorithms = NULL;
 	options->ca_sign_algorithms = NULL;
 	options->num_identity_files = 0;
- 	options->num_certificate_files = 0;
+@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
 		options->connection_attempts = 1;
 	if (options->number_of_password_prompts == -1)
 		options->number_of_password_prompts = 3;
@ -181,22 +181,22 @@ Index: openssh-7.8p1/readconf.c
 	/* options->hostkeyalgorithms, default set in myproposals.h */
 	if (options->add_keys_to_agent == -1)
 		options->add_keys_to_agent = 0;
-Index: openssh-7.8p1/readconf.h
+Index: openssh-7.9p1/readconf.h
 ===================================================================
--- openssh-7.8p1.orig/readconf.h
+--- openssh-7.9p1.orig/readconf.h
-+++ openssh-7.8p1/readconf.h
+++ openssh-7.9p1/readconf.h
-@@ -67,6 +67,7 @@ typedef struct {
+@@ -68,6 +68,7 @@ typedef struct {
 	char   *macs;		/* SSH2 macs in order of preference. */
 	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
 	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
-+	int     kex_dhmin;	/* minimum bit length of the DH group parameter */
+ 	char   *ca_sign_algorithms;	/* Allowed CA signature algorithms */
 +	int     kex_dhmin;      /* minimum bit length of the DH group parameter */
 	char   *hostname;	/* Real host to connect. */
 	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
 	char   *proxy_command;	/* Proxy command for connecting the host. */
-Index: openssh-7.8p1/servconf.c
+Index: openssh-7.9p1/servconf.c
 ===================================================================
--- openssh-7.8p1.orig/servconf.c
+--- openssh-7.9p1.orig/servconf.c
-+++ openssh-7.8p1/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -64,6 +64,10 @@
 #include "auth.h"
 #include "myproposal.h"
@ -213,10 +213,10 @@ Index: openssh-7.8p1/servconf.c
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
 +	options->kex_dhmin = -1;
 	options->ca_sign_algorithms = NULL;
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
- 	options->fwd_opts.streamlocal_bind_unlink = -1;
+@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
 	if (options->use_pam_check_locks == -1)
 		options->use_pam_check_locks = 0;
@ -231,16 +231,16 @@ Index: openssh-7.8p1/servconf.c
 	/* Standard Options */
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys for protocols */
-@@ -490,7 +503,7 @@ typedef enum {
+@@ -494,7 +507,7 @@ typedef enum {
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-	sKexAlgorithms, sIPQoS, sVersionAddendum,
+-	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
-+	sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
+	sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
-@@ -631,6 +644,7 @@ static struct {
+@@ -635,6 +648,7 @@ static struct {
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@ -248,7 +248,7 @@ Index: openssh-7.8p1/servconf.c
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
-@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
+@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
 			options->kex_algorithms = xstrdup(arg);
 		break;
@ -259,7 +259,7 @@ Index: openssh-7.8p1/servconf.c
 	case sSubsystem:
 		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
 			fatal("%s line %d: too many subsystems defined.",
-@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
+@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
@ -267,10 +267,10 @@ Index: openssh-7.8p1/servconf.c
 	/* formatted integer arguments */
 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-Index: openssh-7.8p1/servconf.h
+Index: openssh-7.9p1/servconf.h
 ===================================================================
--- openssh-7.8p1.orig/servconf.h
+--- openssh-7.9p1.orig/servconf.h
-+++ openssh-7.8p1/servconf.h
+++ openssh-7.9p1/servconf.h
@@ -103,6 +103,7 @@ typedef struct {
 	char   *ciphers;	/* Supported SSH2 ciphers. */
 	char   *macs;		/* Supported SSH2 macs. */
@ -279,10 +279,10 @@ Index: openssh-7.8p1/servconf.h
 	struct ForwardOptions fwd_opts;	/* forwarding options */
 	SyslogFacility log_facility;	/* Facility for system logging. */
 	LogLevel log_level;	/* Level for system logging. */
-Index: openssh-7.8p1/ssh_config
+Index: openssh-7.9p1/ssh_config
 ===================================================================
--- openssh-7.8p1.orig/ssh_config
+--- openssh-7.9p1.orig/ssh_config
-+++ openssh-7.8p1/ssh_config
+++ openssh-7.9p1/ssh_config
@@ -17,6 +17,11 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
@ -295,11 +295,11 @@ Index: openssh-7.8p1/ssh_config
 Host *
 #   ForwardAgent no
 #   ForwardX11 no
-Index: openssh-7.8p1/ssh_config.0
+Index: openssh-7.9p1/ssh_config.0
 ===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+--- openssh-7.9p1.orig/ssh_config.0
-+++ openssh-7.8p1/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
-@@ -595,6 +595,23 @@ DESCRIPTION
+@@ -610,6 +610,23 @@ DESCRIPTION
              The list of available key exchange algorithms may also be
              obtained using "ssh -Q kex".
@ -323,11 +323,11 @@ Index: openssh-7.8p1/ssh_config.0
      LocalCommand
              Specifies a command to execute on the local machine after
              successfully connecting to the server.  The command string
-Index: openssh-7.8p1/ssh_config.5
+Index: openssh-7.9p1/ssh_config.5
 ===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+--- openssh-7.9p1.orig/ssh_config.5
-+++ openssh-7.8p1/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
-@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
+@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
 .Pp
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
@ -350,10 +350,10 @@ Index: openssh-7.8p1/ssh_config.5
 .It Cm LocalCommand
 Specifies a command to execute on the local machine after successfully
 connecting to the server.
-Index: openssh-7.8p1/sshd_config
+Index: openssh-7.9p1/sshd_config
 ===================================================================
--- openssh-7.8p1.orig/sshd_config
+--- openssh-7.9p1.orig/sshd_config
-+++ openssh-7.8p1/sshd_config
+++ openssh-7.9p1/sshd_config
@@ -19,6 +19,13 @@
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
@ -368,11 +368,11 @@ Index: openssh-7.8p1/sshd_config
 # Ciphers and keying
 #RekeyLimit default none
-Index: openssh-7.8p1/sshd_config.0
+Index: openssh-7.9p1/sshd_config.0
 ===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+--- openssh-7.9p1.orig/sshd_config.0
-+++ openssh-7.8p1/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
-@@ -545,6 +545,23 @@ DESCRIPTION
+@@ -555,6 +555,23 @@ DESCRIPTION
              The list of available key exchange algorithms may also be
              obtained using "ssh -Q kex".
@ -396,11 +396,11 @@ Index: openssh-7.8p1/sshd_config.0
      ListenAddress
              Specifies the local addresses sshd(8) should listen on.  The
              following forms may be used:
-Index: openssh-7.8p1/sshd_config.5
+Index: openssh-7.9p1/sshd_config.5
 ===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+--- openssh-7.9p1.orig/sshd_config.5
-+++ openssh-7.8p1/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
-@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
+@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
 .Pp
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -3,10 +3,10 @@
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
-Index: openssh-7.8p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
 ===================================================================
--- openssh-7.8p1.orig/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
-+++ openssh-7.8p1/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 	platform-pledge.o platform-tracing.o platform-misc.o
@ -16,10 +16,10 @@ Index: openssh-7.8p1/Makefile.in
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect2.o mux.o
-Index: openssh-7.8p1/cipher-ctr.c
+Index: openssh-7.9p1/cipher-ctr.c
 ===================================================================
--- openssh-7.8p1.orig/cipher-ctr.c
+--- openssh-7.9p1.orig/cipher-ctr.c
-+++ openssh-7.8p1/cipher-ctr.c
+++ openssh-7.9p1/cipher-ctr.c
@@ -27,6 +27,8 @@
 #include "xmalloc.h"
 #include "log.h"
@ -38,10 +38,10 @@ Index: openssh-7.8p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-Index: openssh-7.8p1/cipher.c
+Index: openssh-7.9p1/cipher.c
 ===================================================================
--- openssh-7.8p1.orig/cipher.c
+--- openssh-7.9p1.orig/cipher.c
-+++ openssh-7.8p1/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -51,6 +51,8 @@
 #include "openbsd-compat/openssl-compat.h"
@ -131,10 +131,10 @@ Index: openssh-7.8p1/cipher.c
 		if (strcmp(c->name, name) == 0)
 			return c;
 	return NULL;
-Index: openssh-7.8p1/dh.h
+Index: openssh-7.9p1/dh.h
 ===================================================================
--- openssh-7.8p1.orig/dh.h
+--- openssh-7.9p1.orig/dh.h
-+++ openssh-7.8p1/dh.h
+++ openssh-7.9p1/dh.h
@@ -52,6 +52,7 @@ u_int	 dh_estimate(int);
  */
 #define DH_GRP_MIN_RFC	1024
@ -143,10 +143,10 @@ Index: openssh-7.8p1/dh.h
 #define DH_GRP_MAX	8192
 /*
-Index: openssh-7.8p1/fips.c
+Index: openssh-7.9p1/fips.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/fips.c
+++ openssh-7.9p1/fips.c
@@ -0,0 +1,237 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -385,10 +385,10 @@ Index: openssh-7.8p1/fips.c
 +	return dh;
 +}
 +
-Index: openssh-7.8p1/fips.h
+Index: openssh-7.9p1/fips.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/fips.h
+++ openssh-7.9p1/fips.h
@@ -0,0 +1,45 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -435,10 +435,10 @@ Index: openssh-7.8p1/fips.h
 +
 +#endif
 +
-Index: openssh-7.8p1/hmac.c
+Index: openssh-7.9p1/hmac.c
 ===================================================================
--- openssh-7.8p1.orig/hmac.c
+--- openssh-7.9p1.orig/hmac.c
-+++ openssh-7.8p1/hmac.c
+++ openssh-7.9p1/hmac.c
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
 	size_t			 i;
 	u_char			 digest[16];
@ -448,10 +448,10 @@ Index: openssh-7.8p1/hmac.c
 		printf("ssh_hmac_start failed");
 	if (ssh_hmac_init(ctx, key, klen) < 0 ||
 	    ssh_hmac_update(ctx, m, mlen) < 0 ||
-Index: openssh-7.8p1/kex.c
+Index: openssh-7.9p1/kex.c
 ===================================================================
--- openssh-7.8p1.orig/kex.c
+--- openssh-7.9p1.orig/kex.c
-+++ openssh-7.8p1/kex.c
+++ openssh-7.9p1/kex.c
@@ -54,6 +54,8 @@
 #include "sshbuf.h"
 #include "digest.h"
@ -547,11 +547,11 @@ Index: openssh-7.8p1/kex.c
 			free(s);
 			return 0;
 		}
-Index: openssh-7.8p1/kexgexc.c
+Index: openssh-7.9p1/kexgexc.c
 ===================================================================
--- openssh-7.8p1.orig/kexgexc.c
+--- openssh-7.9p1.orig/kexgexc.c
-+++ openssh-7.8p1/kexgexc.c
+++ openssh-7.9p1/kexgexc.c
-@@ -51,8 +51,7 @@
+@@ -53,8 +53,7 @@
 #include "sshbuf.h"
 #include "misc.h"
@ -561,7 +561,7 @@ Index: openssh-7.8p1/kexgexc.c
 static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
 static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
-@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
+@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
 	nbits = dh_estimate(kex->dh_need * 8);
@ -570,11 +570,11 @@ Index: openssh-7.8p1/kexgexc.c
 	kex->max = DH_GRP_MAX;
 	kex->nbits = nbits;
 	if (datafellows & SSH_BUG_DHGEX_LARGE)
-Index: openssh-7.8p1/kexgexs.c
+Index: openssh-7.9p1/kexgexs.c
 ===================================================================
--- openssh-7.8p1.orig/kexgexs.c
+--- openssh-7.9p1.orig/kexgexs.c
-+++ openssh-7.8p1/kexgexs.c
+++ openssh-7.9p1/kexgexs.c
-@@ -54,8 +54,7 @@
+@@ -56,8 +56,7 @@
 #include "sshbuf.h"
 #include "misc.h"
@ -584,7 +584,7 @@ Index: openssh-7.8p1/kexgexs.c
 static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
 static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
-@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
+@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
 	kex->nbits = nbits;
 	kex->min = min;
 	kex->max = max;
@ -596,10 +596,10 @@ Index: openssh-7.8p1/kexgexs.c
 	nbits = MINIMUM(DH_GRP_MAX, nbits);
 	if (kex->max < kex->min || kex->nbits < kex->min ||
-Index: openssh-7.8p1/mac.c
+Index: openssh-7.9p1/mac.c
 ===================================================================
--- openssh-7.8p1.orig/mac.c
+--- openssh-7.9p1.orig/mac.c
-+++ openssh-7.8p1/mac.c
+++ openssh-7.9p1/mac.c
@@ -40,6 +40,9 @@
 #include "openbsd-compat/openssl-compat.h"
@ -679,11 +679,11 @@ Index: openssh-7.8p1/mac.c
 		if (strcmp(name, m->name) != 0)
 			continue;
 		if (mac != NULL)
-Index: openssh-7.8p1/myproposal.h
+Index: openssh-7.9p1/myproposal.h
 ===================================================================
--- openssh-7.8p1.orig/myproposal.h
+--- openssh-7.9p1.orig/myproposal.h
-+++ openssh-7.8p1/myproposal.h
+++ openssh-7.9p1/myproposal.h
-@@ -141,6 +141,8 @@
+@@ -151,6 +151,8 @@
 #else /* WITH_OPENSSL */
@ -692,10 +692,10 @@ Index: openssh-7.8p1/myproposal.h
 #define KEX_SERVER_KEX		\
 	"curve25519-sha256," \
 	"curve25519-sha256@libssh.org"
-Index: openssh-7.8p1/readconf.c
+Index: openssh-7.9p1/readconf.c
 ===================================================================
--- openssh-7.8p1.orig/readconf.c
+--- openssh-7.9p1.orig/readconf.c
-+++ openssh-7.8p1/readconf.c
+++ openssh-7.9p1/readconf.c
@@ -68,6 +68,7 @@
 #include "myproposal.h"
 #include "digest.h"
@ -704,7 +704,7 @@ Index: openssh-7.8p1/readconf.c
 /* Format of the configuration file:
-@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
+@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
@ -728,7 +728,7 @@ Index: openssh-7.8p1/readconf.c
 /*
  * Initializes options to special values that indicate that they have not yet
  * been set.  Read_config_file will only set options with this value. Options
-@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
+@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
 	if (options->number_of_password_prompts == -1)
 		options->number_of_password_prompts = 3;
 	if (options->kex_dhmin == -1)
@ -740,7 +740,7 @@ Index: openssh-7.8p1/readconf.c
 		options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
 	}
 	dh_grp_min = options->kex_dhmin;
-@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
+@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -749,19 +749,19 @@ Index: openssh-7.8p1/readconf.c
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
-@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
+@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
- 	free(all_mac);
+ 	    KEX_DEFAULT_PK_ALG, all_key) != 0)
- 	free(all_kex);
+ 		fatal("%s: kex_assemble_names failed", __func__);
 	free(all_key);
-+	filter_fips_algorithms(options);
+	filter_fips_algorithms(o);
- #define CLEAR_ON_NONE(v) \
+ 	/* Most interesting options first: user, host, port */
- 	do { \
+ 	dump_cfg_string(oUser, o->user);
-Index: openssh-7.8p1/readconf.h
+Index: openssh-7.9p1/readconf.h
 ===================================================================
--- openssh-7.8p1.orig/readconf.h
+--- openssh-7.9p1.orig/readconf.h
-+++ openssh-7.8p1/readconf.h
+++ openssh-7.9p1/readconf.h
-@@ -197,6 +197,7 @@ typedef struct {
+@@ -198,6 +198,7 @@ typedef struct {
 #define SSH_STRICT_HOSTKEY_YES	2
 #define SSH_STRICT_HOSTKEY_ASK	3
@ -769,10 +769,10 @@ Index: openssh-7.8p1/readconf.h
 void     initialize_options(Options *);
 void     fill_default_options(Options *);
 void	 fill_default_options_for_canonicalization(Options *);
-Index: openssh-7.8p1/servconf.c
+Index: openssh-7.9p1/servconf.c
 ===================================================================
--- openssh-7.8p1.orig/servconf.c
+--- openssh-7.9p1.orig/servconf.c
-+++ openssh-7.8p1/servconf.c
+++ openssh-7.9p1/servconf.c
@@ -65,6 +65,7 @@
 #include "myproposal.h"
 #include "digest.h"
@ -781,7 +781,7 @@ Index: openssh-7.8p1/servconf.c
 /* import from dh.c */
 extern int dh_grp_min;
-@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
+@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
@ -805,16 +805,16 @@ Index: openssh-7.8p1/servconf.c
 static void
 assemble_algorithms(ServerOptions *o)
 {
-@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
+@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
 	free(all_mac);
 	free(all_kex);
 	free(all_key);
 	free(all_sig);
 +
 +	filter_fips_algorithms_s(o);
 }
 static void
-@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
+@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
 		options->use_pam_check_locks = 0;
 	if (options->kex_dhmin == -1)
@ -826,7 +826,7 @@ Index: openssh-7.8p1/servconf.c
 		options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
 	}
 	dh_grp_min = options->kex_dhmin;
-@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
+@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -835,10 +835,10 @@ Index: openssh-7.8p1/servconf.c
 	if (options->disable_forwarding == -1)
 		options->disable_forwarding = 0;
 	if (options->expose_userauth_info == -1)
-Index: openssh-7.8p1/ssh-keygen.c
+Index: openssh-7.9p1/ssh-keygen.c
 ===================================================================
--- openssh-7.8p1.orig/ssh-keygen.c
+--- openssh-7.9p1.orig/ssh-keygen.c
-+++ openssh-7.8p1/ssh-keygen.c
+++ openssh-7.9p1/ssh-keygen.c
@@ -61,6 +61,8 @@
 #include "utf8.h"
 #include "authfd.h"
@ -848,7 +848,7 @@ Index: openssh-7.8p1/ssh-keygen.c
 #ifdef WITH_OPENSSL
 # define DEFAULT_KEY_TYPE_NAME "rsa"
 #else
-@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
+@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
 static void
 do_gen_all_hostkeys(struct passwd *pw)
 {
@ -864,7 +864,7 @@ Index: openssh-7.8p1/ssh-keygen.c
 #ifdef WITH_OPENSSL
 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ NULL, NULL, NULL }
 	};
@ -882,7 +882,7 @@ Index: openssh-7.8p1/ssh-keygen.c
 	int first = 0;
 	struct stat st;
 	struct sshkey *private, *public;
-@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
 	int i, type, fd, r;
 	FILE *f;
@ -895,7 +895,7 @@ Index: openssh-7.8p1/ssh-keygen.c
 	for (i = 0; key_types[i].key_type; i++) {
 		public = private = NULL;
 		prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
+@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
 		key_type_name = DEFAULT_KEY_TYPE_NAME;
 	type = sshkey_type_from_name(key_type_name);
@ -911,11 +911,11 @@ Index: openssh-7.8p1/ssh-keygen.c
 	type_bits_valid(type, key_type_name, &bits);
 	if (!quiet)
-Index: openssh-7.8p1/ssh_config.0
+Index: openssh-7.9p1/ssh_config.0
 ===================================================================
--- openssh-7.8p1.orig/ssh_config.0
+--- openssh-7.9p1.orig/ssh_config.0
-+++ openssh-7.8p1/ssh_config.0
+++ openssh-7.9p1/ssh_config.0
-@@ -343,6 +343,9 @@ DESCRIPTION
+@@ -353,6 +353,9 @@ DESCRIPTION
              Specifies the hash algorithm used when displaying key
              fingerprints.  Valid options are: md5 and sha256 (the default).
@ -925,7 +925,7 @@ Index: openssh-7.8p1/ssh_config.0
      ForwardAgent
              Specifies whether the connection to the authentication agent (if
              any) will be forwarded to the remote machine.  The argument must
-@@ -612,6 +615,9 @@ DESCRIPTION
+@@ -627,6 +630,9 @@ DESCRIPTION
              resort and all efforts should be made to fix the (broken)
              counterparty.
@ -935,11 +935,11 @@ Index: openssh-7.8p1/ssh_config.0
      LocalCommand
              Specifies a command to execute on the local machine after
              successfully connecting to the server.  The command string
-Index: openssh-7.8p1/ssh_config.5
+Index: openssh-7.9p1/ssh_config.5
 ===================================================================
--- openssh-7.8p1.orig/ssh_config.5
+--- openssh-7.9p1.orig/ssh_config.5
-+++ openssh-7.8p1/ssh_config.5
+++ openssh-7.9p1/ssh_config.5
-@@ -628,6 +628,8 @@ Valid options are:
+@@ -642,6 +642,8 @@ Valid options are:
 and
 .Cm sha256
 (the default).
@ -948,7 +948,7 @@ Index: openssh-7.8p1/ssh_config.5
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
-@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
+@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
 security and thus should be viewed as a temporary fix of last
 resort and all efforts should be made to fix the (broken)
 counterparty.
@ -958,10 +958,10 @@ Index: openssh-7.8p1/ssh_config.5
 .It Cm LocalCommand
 Specifies a command to execute on the local machine after successfully
 connecting to the server.
-Index: openssh-7.8p1/sshd.c
+Index: openssh-7.9p1/sshd.c
 ===================================================================
--- openssh-7.8p1.orig/sshd.c
+--- openssh-7.9p1.orig/sshd.c
-+++ openssh-7.8p1/sshd.c
+++ openssh-7.9p1/sshd.c
@@ -123,6 +123,8 @@
 #include "version.h"
 #include "ssherr.h"
@ -971,11 +971,11 @@ Index: openssh-7.8p1/sshd.c
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-Index: openssh-7.8p1/sshd_config.0
+Index: openssh-7.9p1/sshd_config.0
 ===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+--- openssh-7.9p1.orig/sshd_config.0
-+++ openssh-7.8p1/sshd_config.0
+++ openssh-7.9p1/sshd_config.0
-@@ -338,6 +338,9 @@ DESCRIPTION
+@@ -348,6 +348,9 @@ DESCRIPTION
              Specifies the hash algorithm used when logging key fingerprints.
              Valid options are: md5 and sha256.  The default is sha256.
@ -985,7 +985,7 @@ Index: openssh-7.8p1/sshd_config.0
      ForceCommand
              Forces the execution of the command specified by ForceCommand,
              ignoring any command supplied by the client and ~/.ssh/rc if
-@@ -562,6 +565,9 @@ DESCRIPTION
+@@ -572,6 +575,9 @@ DESCRIPTION
              resort and all efforts should be made to fix the (broken)
              counterparty.
@ -995,11 +995,11 @@ Index: openssh-7.8p1/sshd_config.0
      ListenAddress
              Specifies the local addresses sshd(8) should listen on.  The
              following forms may be used:
-Index: openssh-7.8p1/sshd_config.5
+Index: openssh-7.9p1/sshd_config.5
 ===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+--- openssh-7.9p1.orig/sshd_config.5
-+++ openssh-7.8p1/sshd_config.5
+++ openssh-7.9p1/sshd_config.5
-@@ -592,6 +592,8 @@ and
+@@ -603,6 +603,8 @@ and
 .Cm sha256 .
 The default is
 .Cm sha256 .
--- a/openssh-7.7p1-gssapi_key_exchange.patch
+++ b/openssh-7.7p1-gssapi_key_exchange.patch
--- a/openssh-7.7p1-ldap.patch
+++ b/openssh-7.7p1-ldap.patch
@ -10,10 +10,10 @@
 # internal versions. ssh-keyconverter consequently fails to link as it lacks
 # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
-Index: openssh-7.8p1/HOWTO.ldap-keys
+Index: openssh-7.9p1/HOWTO.ldap-keys
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/HOWTO.ldap-keys
+++ openssh-7.9p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
 +
 +HOW TO START
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
 +  - frederic peters.
 +  - Finlay dobbie.
 +  - Stefan Fisher.
-Index: openssh-7.8p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
 ===================================================================
--- openssh-7.8p1.orig/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
-+++ openssh-7.8p1/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
 XMSS_OBJS=\
 	ssh-xmss.o \
 	sshkey-xmss.o \
-@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o uidswap.o
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
 MANTYPE		= @MANTYPE@
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-@@ -363,6 +371,10 @@ install-files:
+@@ -361,6 +369,10 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
-@@ -381,6 +393,10 @@ install-files:
+@@ -379,6 +391,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
 install-sysconf:
 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -404,6 +420,13 @@ install-sysconf:
+@@ -402,6 +418,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
-@@ -441,6 +464,8 @@ uninstall:
+@@ -439,6 +462,8 @@ uninstall:
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -452,6 +477,7 @@ uninstall:
+@@ -450,6 +475,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
 regress-prep:
 	$(MKDIR_P) `pwd`/regress/unittests/test_helper
-Index: openssh-7.8p1/configure.ac
+Index: openssh-7.9p1/configure.ac
 ===================================================================
--- openssh-7.8p1.orig/configure.ac
+--- openssh-7.9p1.orig/configure.ac
-+++ openssh-7.8p1/configure.ac
+++ openssh-7.9p1/configure.ac
-@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
+@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
 	esac ]
 )
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
 AC_ARG_WITH([pie],
     [  --with-pie              Build Position Independent Executables if possible], [
 	if test "x$withval" = "xno"; then
-Index: openssh-7.8p1/ldap-helper.c
+Index: openssh-7.9p1/ldap-helper.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap-helper.c
+++ openssh-7.9p1/ldap-helper.c
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
 +void   *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
 +void    buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
 +
-Index: openssh-7.8p1/ldap-helper.h
+Index: openssh-7.9p1/ldap-helper.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap-helper.h
+++ openssh-7.9p1/ldap-helper.h
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-Index: openssh-7.8p1/ldap.conf
+Index: openssh-7.9p1/ldap.conf
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap.conf
+++ openssh-7.9p1/ldap.conf
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
 +#tls_cert
 +#tls_key
 +
-Index: openssh-7.8p1/ldapbody.c
+Index: openssh-7.9p1/ldapbody.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapbody.c
+++ openssh-7.9p1/ldapbody.c
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
 +	return;
 +}
 +
-Index: openssh-7.8p1/ldapbody.h
+Index: openssh-7.9p1/ldapbody.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapbody.h
+++ openssh-7.9p1/ldapbody.h
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-Index: openssh-7.8p1/ldapconf.c
+Index: openssh-7.9p1/ldapconf.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapconf.c
+++ openssh-7.9p1/ldapconf.c
@@ -0,0 +1,711 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-Index: openssh-7.8p1/ldapconf.h
+Index: openssh-7.9p1/ldapconf.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapconf.h
+++ openssh-7.9p1/ldapconf.h
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-Index: openssh-7.8p1/ldapincludes.h
+Index: openssh-7.9p1/ldapincludes.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapincludes.h
+++ openssh-7.9p1/ldapincludes.h
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-Index: openssh-7.8p1/ldapmisc.c
+Index: openssh-7.9p1/ldapmisc.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapmisc.c
+++ openssh-7.9p1/ldapmisc.c
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
 +}
 +#endif
 +
-Index: openssh-7.8p1/ldapmisc.h
+Index: openssh-7.9p1/ldapmisc.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapmisc.h
+++ openssh-7.9p1/ldapmisc.h
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
 +
 +#endif /* LDAPMISC_H */
 +
-Index: openssh-7.8p1/openbsd-compat/base64.c
+Index: openssh-7.9p1/openbsd-compat/base64.c
 ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.c
+--- openssh-7.9p1.orig/openbsd-compat/base64.c
-+++ openssh-7.8p1/openbsd-compat/base64.c
+++ openssh-7.9p1/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
 #include "includes.h"
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
 /* skips all whitespace anywhere.
    converts characters, four at a time, starting at (or after)
-Index: openssh-7.8p1/openbsd-compat/base64.h
+Index: openssh-7.9p1/openbsd-compat/base64.h
 ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.h
+--- openssh-7.9p1.orig/openbsd-compat/base64.h
-+++ openssh-7.8p1/openbsd-compat/base64.h
+++ openssh-7.9p1/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
 #include "includes.h"
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
 int b64_pton(char const *src, u_char *target, size_t targsize);
 # endif /* !HAVE_B64_PTON */
 # define __b64_pton(a,b,c) b64_pton(a,b,c)
-Index: openssh-7.8p1/openssh-lpk-openldap.schema
+Index: openssh-7.9p1/openssh-lpk-openldap.schema
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/openssh-lpk-openldap.schema
+++ openssh-7.9p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-Index: openssh-7.8p1/openssh-lpk-sun.schema
+Index: openssh-7.9p1/openssh-lpk-sun.schema
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/openssh-lpk-sun.schema
+++ openssh-7.9p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-Index: openssh-7.8p1/ssh-ldap-helper.8
+Index: openssh-7.9p1/ssh-ldap-helper.8
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap-helper.8
+++ openssh-7.9p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-Index: openssh-7.8p1/ssh-ldap-wrapper
+Index: openssh-7.9p1/ssh-ldap-wrapper
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap-wrapper
+++ openssh-7.9p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
 +
-Index: openssh-7.8p1/ssh-ldap.conf.5
+Index: openssh-7.9p1/ssh-ldap.conf.5
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap.conf.5
+++ openssh-7.9p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
--- a/openssh-7.7p1-openssl_1.1.0.patch
+++ b/openssh-7.7p1-openssl_1.1.0.patch
--- a/openssh-7.7p1-seccomp_ipc_flock.patch
+++ b/openssh-7.7p1-seccomp_ipc_flock.patch
@ -15,15 +15,11 @@ this is only need on s390 architecture.
 Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
+Index: openssh-7.9p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c
+===================================================================
-+++ openssh-7.7p1/sandbox-seccomp-filter.c
+--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
-@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
+++ openssh-7.9p1/sandbox-seccomp-filter.c
- 	SC_ALLOW(__NR_exit_group),
+@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
 #endif
 #ifdef __NR_geteuid
 	SC_ALLOW(__NR_geteuid),
 #endif
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
@ -33,17 +29,7 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
 #ifdef __NR_getpgid
 	SC_ALLOW(__NR_getpgid),
 #endif
- #ifdef __NR_getpid
+@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
 	SC_ALLOW(__NR_getpid),
 #endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
 	SC_ALLOW(__NR_gettimeofday),
 #endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif
 #ifdef __NR_getuid32
 	SC_ALLOW(__NR_getuid32),
 #endif
@ -53,8 +39,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc
 #ifdef __NR_madvise
 	SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
 	SC_ALLOW(__NR_mmap),
 #endif
 #ifdef __NR_mmap2
 	SC_ALLOW(__NR_mmap2),
--- a/openssh-7.7p1-sftp_force_permissions.patch
+++ b/openssh-7.7p1-sftp_force_permissions.patch
@ -1,123 +1,100 @@
-# HG changeset patch
+--- original/sftp-server.8	2016-12-19 04:59:41.000000000 +0000
-# Parent  37bba3ff816d9ab93ddcf23389a4eb29d7716006
+++ original/sftp-server.8	2017-11-23 08:47:01.267239186 +0000
-additional option for sftp-server to force file mode for new files
+@@ -38,6 +38,7 @@ 
 FATE#312774
 http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
 http://marc.info/?l=openssh-unix-dev&m=128896838930893
 diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
 --- openssh-7.7p1/sftp-server.8
 +++ openssh-7.7p1/sftp-server.8
@@ -33,16 +33,17 @@
 .Bk -words
 .Op Fl ehR
 .Op Fl d Ar start_directory
 .Op Fl f Ar log_facility
 .Op Fl l Ar log_level
 .Op Fl P Ar blacklisted_requests
 .Op Fl p Ar whitelisted_requests
 .Op Fl u Ar umask
-+.Op Fl m Ar force_file_permissions
+.Op Fl m Ar force_file_dir_perms
 .Ek
 .Nm
 .Fl Q Ar protocol_feature
- .Sh DESCRIPTION
+@@ -138,6 +139,10 @@ 
 .Nm
 is a program that speaks the server side of SFTP protocol
 to stdout and expects client requests from stdin.
 .Nm
@@ -133,16 +134,20 @@ Places this instance of
 into a read-only mode.
 Attempts to open files for writing, as well as other operations that change
 the state of the filesystem, will be denied.
 .It Fl u Ar umask
 Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
-+.It Fl m Ar force_file_permissions
+.It Fl m Ar force_file_dir_perms
-+Sets explicit file permissions to be applied to newly-created files instead
+Sets explicit permissions to be applied to newly-created files and directories
-+of the default or client requested mode.  Numeric values include:
+instead of the default or client requested mode.  Numeric values include:
 +777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
 .El
 .Pp
 On some systems,
- .Nm
+--- original/sftp-server.c	2016-12-19 04:59:41.000000000 +0000
- must be able to access
+++ original/sftp-server.c	2017-11-23 13:07:08.481765581 +0000
- .Pa /dev/log
+@@ -65,6 +65,10 @@ 
- for logging to work, and use of
+ /* Version of client */
- .Nm
+ static u_int version;
 diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
 --- openssh-7.7p1/sftp-server.c
 +++ openssh-7.7p1/sftp-server.c
@@ -71,16 +71,20 @@ static u_int version;
 static int init_done;
- /* Disable writes */
+/* Force file and directory permissions */
 static int readonly;
 /* Requests that are allowed/denied */
 static char *request_whitelist, *request_blacklist;
 +/* Force file permissions */
 +int permforce = 0;
 +long permforcemode;
 +
- /* portable attributes, etc. */
+ /* SSH2_FXP_INIT received */
- typedef struct Stat Stat;
+ static int init_done;
- struct Stat {
+@@ -679,6 +683,7 @@ 
 	Attrib a;
 	char *name;
- 	char *long_name;
+ 	int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
- 	Attrib attrib;
+	mode_t old_umask = 0;
- };
+ 
@@ -685,16 +689,20 @@ process_open(u_int32_t id)
 	if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
 	    (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
- 	    (r = decode_attrib(iqueue, &a)) != 0)
+@@ -688,6 +693,10 @@ 
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	debug3("request %u: open flags %d", id, pflags);
 	flags = flags_from_portable(pflags);
 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
-+	if (permforce == 1) {
+	if (permforce == 1) {   /* Force perm if -m is set */
 +		mode = permforcemode;
-+		(void)umask(0); /* so umask does not interfere */
+		old_umask = umask(0); /* so umask does not interfere */
 +	}
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
- 	    ((flags & O_ACCMODE) != O_RDONLY ||
+@@ -709,6 +718,8 @@ 
- 	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ 			}
- 		verbose("Refusing open request in read-only mode");
+ 		}
- 		status = SSH2_FX_PERMISSION_DENIED;
+ 	}
- 	} else {
+	if (permforce == 1)
-@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i)
+		(void) umask(old_umask); /* restore umask to something sane */
- static void
+ 	if (status != SSH2_FX_OK)
- sftp_server_usage(void)
+ 		send_status(id, status);
- {
+ 	free(name);
- 	extern char *__progname;
+@@ -1110,6 +1121,7 @@ 
 	Attrib a;
 	char *name;
 	int r, mode, status = SSH2_FX_FAILURE;
 +	mode_t old_umask = 0;
 	if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
 	    (r = decode_attrib(iqueue, &a)) != 0)
@@ -1117,9 +1129,16 @@ 
 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
 	    a.perm & 07777 : 0777;
 +	if (permforce == 1) {   /* Force perm if -m is set */
 +		mode = permforcemode;
 +		old_umask = umask(0); /* so umask does not interfere */
 +	}
 +
 	debug3("request %u: mkdir", id);
 	logit("mkdir name \"%s\" mode 0%o", name, mode);
 	r = mkdir(name, mode);
 +        if (permforce == 1)
 +                (void) umask(old_umask); /* restore umask to something sane */
 	status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
 	send_status(id, status);
 	free(name);
@@ -1490,7 +1509,7 @@ 
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 	    "[-l log_level]\n\t[-P blacklisted_requests] "
 -	    "[-p whitelisted_requests] [-u umask]\n"
-+	    "[-p whitelisted_requests] [-u umask]\n\t"
+	    "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
 +	    "[-m force_file_permissions]\n"
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
- }
+@@ -1516,7 +1535,7 @@ 
 int
 sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 {
@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv, 
 	ssh_malloc_init();	/* must be called before any mallocs */
 	__progname = ssh_get_progname(argv[0]);
 	log_init(__progname, log_level, log_facility, log_stderr);
 	pw = pwcopy(user_pw);
 	while (!skipargs && (ch = getopt(argc, argv,
@ -126,32 +103,19 @@ diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
 		switch (ch) {
 		case 'Q':
 			if (strcasecmp(optarg, "requests") != 0) {
- 				fprintf(stderr, "Invalid query type\n");
+@@ -1576,6 +1595,15 @@ 
 				exit(1);
 			}
 			for (i = 0; handlers[i].handler != NULL; i++)
 				printf("%s\n", handlers[i].name);
@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv, 
 		case 'u':
 			errno = 0;
 			mask = strtol(optarg, &cp, 8);
 			if (mask < 0 || mask > 0777 || *cp != '\0' ||
 			    cp == optarg || (mask == 0 && errno != 0))
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;
 +		case 'm':
 +			/* Force permissions on file and directory received via sftp */
 +			permforce = 1;
 +			permforcemode = strtol(optarg, &cp, 8);
-+			if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
+			if (permforcemode < 0 || permforcemode > 0777 ||
-+				cp == optarg || (permforcemode == 0 && errno != 0))
+			    *cp != '\0' || (permforcemode == 0 &&
-+				fatal("Invalid umask \"%s\"", optarg);
+			    errno != 0))
 +				fatal("Invalid file mode \"%s\"", optarg);
 +			break;
 		case 'h':
 		default:
 			sftp_server_usage();
 		}
 	}
 	log_init(__progname, log_level, log_facility, log_stderr);
--- a/openssh-7.8p1.tar.gz
+++ b/openssh-7.8p1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
 size 1548026
--- a/openssh-7.8p1.tar.gz.asc
+++ b/openssh-7.8p1.tar.gz.asc
@ -1,14 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlt+Xa8ACgkQ0+X1a22S
 DTAJPwx9HIW/obxNJYTU7M8trpalBekdl1SqUjxdDwInIsKTLSOpJCsnynBai/3c
 SuvZkBwcKwZZFe+xCvRQDHkf/YYLT+d7slUQolb0OJmzFKbvu6xwuv7q12ag9hQj
 /8BUfdYRKb63uemfKuVAHfcnUm9WlwSbif+Au/j1yg/MlETY47ezYA9/q75wignx
 3g38JVHVgKDenDd8o9/hgjeQpEHKNdCQo71nN2h3MYRlh4xrR9ENZj7y8x65Kp1j
 WoZEhlvjYkka4deSGwj2MIAJnzsc39uppEoEjkB7F9SUo4O7CxbWFein70Ct7Xbs
 VDWXQibnJGHKatHIecaPLUYexGWO1XYNZErDhY7fPw0ChfMGbz3+0eDfDJqGY49r
 Lo6wzsrgv2kDJMqwciT/D/Zb3ocHnCrq1Isnz/Ug2lW58LMk7Y1HisPteZFQ/pkC
 xKeO+K1RkaRUSCrB5iToqF+7i8eRNVROYmkKLgKcMrC0WYEjnbEoFdr4bktAS9QM
 BS6aIsh2cyg2H0FjDKmYvcKOUf0IgA==
 =ZiYm
 -----END PGP SIGNATURE-----
--- a/openssh-7.9p1.tar.gz
+++ b/openssh-7.9p1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
 size 1565384
--- a/openssh-7.9p1.tar.gz.asc
+++ b/openssh-7.9p1.tar.gz.asc
@ -0,0 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
 DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
 jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
 9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
 ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
 3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
 +dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
 sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
 WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
 HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
 =4Z9x
 -----END PGP SIGNATURE-----
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 - Version update to 7.9p1
  * No actual changes for the askpass
  * See main package changelog for details
 -------------------------------------------------------------------
 Tue Oct  9 10:52:15 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -18,7 +18,7 @@
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        7.8p1
+Version:        7.9p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
--- a/openssh-openssl-1_0_0-compatibility.patch
+++ b/openssh-openssl-1_0_0-compatibility.patch
@ -0,0 +1,41 @@
 Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
 ===================================================================
 --- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c	2018-11-26 11:47:17.417925053 +0100
 +++ openssh-7.9p1/openbsd-compat/openssl-compat.c	2018-11-26 11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
 -#if OPENSSL_VERSION_NUMBER < 0x10001000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	OPENSSL_config(NULL);
 #else
 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
 Index: openssh-7.9p1/gss-genr.c
 ===================================================================
 --- openssh-7.9p1.orig/gss-genr.c	2018-11-26 11:47:17.417925053 +0100
 +++ openssh-7.9p1/gss-genr.c	2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
        if ((buf = sshbuf_new()) == NULL)
 	 fatal("%s: sshbuf_new failed", __func__);
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +       md = EVP_MD_CTX_create();
 +#else
        md = EVP_MD_CTX_new();
 +#endif
        oidpos = 0;
        for (i = 0; i < gss_supported->count; i++) {
 	       if (gss_supported->elements[i].length < 128 &&
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 		       oidpos++;
 	       }
        }
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +       EVP_MD_CTX_destroy(md);
 +#else
        EVP_MD_CTX_free(md);
 +#endif
        gss_enc2oid[oidpos].oid = NULL;
        gss_enc2oid[oidpos].encoded = NULL;
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,89 @@
 -------------------------------------------------------------------
 Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
 - Fix build with openssl < 1.1.0
  * add openssh-openssl-1_0_0-compatibility.patch
 -------------------------------------------------------------------
 Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>
 - openssh-7.7p1-audit.patch: fix sshd fatal error in 
  mm_answer_keyverify: buffer error: incomplete message [bnc#1114008]
 -------------------------------------------------------------------
 Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 - Version update to 7.9p1
  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
    option (see below) bans the use of DSA keys as certificate
    authorities.
  * sshd(8): the authentication success/failure log message has
    changed format slightly. It now includes the certificate
    fingerprint (previously it included only key ID and CA key
    fingerprint).
  * ssh(1), sshd(8): allow most port numbers to be specified using
    service names from getservbyname(3) (typically /etc/services).
  * sshd(8): support signalling sessions via the SSH protocol.
    A limited subset of signals is supported and only for login or
    command sessions (i.e. not subsystems) that were not subject to
    a forced command via authorized_keys or sshd_config. bz#1424
  * ssh(1): support "ssh -Q sig" to list supported signature options.
    Also "ssh -Q help" to show the full set of supported queries.
  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
    client and server configs to allow control over which signature
    formats are allowed for CAs to sign certificates. For example,
    this allows banning CAs that sign certificates using the RSA-SHA1
    signature algorithm.
  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
    revoke keys specified by SHA256 hash.
  * ssh-keygen(1): allow creation of key revocation lists directly
    from base64-encoded SHA256 fingerprints. This supports revoking
    keys using only the information contained in sshd(8)
    authentication log messages.
 - Removed obsolete configuration option --with-tcp-wrappers, and
  --with-opensc for s390 and s390x.
 - Removed patch merged upstream
  * openssh-7.7p1-openssl_1.1.0.patch
 - Refreshed patches
  * openssh-7.7p1-audit.patch
  * openssh-7.7p1-disable_short_DH_parameters.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-gssapi_key_exchange.patch
  * openssh-7.7p1-seccomp_ipc_flock.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-ldap.patch 
 -------------------------------------------------------------------
 Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Mention upstream bugs on multiple local patches
 - Adjust service to not spam restart and reload only on fails
 -------------------------------------------------------------------
 Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Update openssh-7.7p1-sftp_force_permissions.patch from the
  upstream bug, and mention the bug in the spec
 -------------------------------------------------------------------
 Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Drop patch openssh-7.7p1-allow_root_password_login.patch
  * There is no reason to set less secure default value, if
    users need the behaviour they can still set it up themselves
 - Drop patch openssh-7.7p1-blocksigalrm.patch
  * We had a bug way in past about this but it was never reproduced
    or even confirmed in the ticket, thus rather drop the patch
 -------------------------------------------------------------------
 Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Disable ssh1 protocol support as neither RH or Debian enable
  this protocol by default anymore either.
 -------------------------------------------------------------------
 Wed Oct 17 08:42:12 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
--- a/openssh.spec
+++ b/openssh.spec
@ -27,8 +27,7 @@
 %bcond_without susefirewall
 %bcond_with tirpc
 %endif
-%define _fwdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d
+%define _fwdefdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %define _fwdefdir   %{_fwdir}/services
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
@ -37,7 +36,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        7.8p1
+Version:        7.9p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@ -56,37 +55,49 @@ Source9:        sshd-gen-keys-start
 Source10:       sshd.service
 Source11:       README.FIPS
 Source12:       cavs_driver-ssh.pl
 Patch0:         openssh-7.7p1-allow_root_password_login.patch
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
 Patch4:         openssh-7.7p1-eal3.patch
 Patch5:         openssh-7.7p1-blocksigalrm.patch
 Patch6:         openssh-7.7p1-send_locale.patch
 Patch7:         openssh-7.7p1-hostname_changes_when_forwarding_X.patch
 Patch8:         openssh-7.7p1-remove_xauth_cookies_on_exit.patch
 Patch9:         openssh-7.7p1-pts_names_formatting.patch
 Patch10:        openssh-7.7p1-pam_check_locks.patch
 Patch11:        openssh-7.7p1-disable_short_DH_parameters.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch14:        openssh-7.7p1-seccomp_stat.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch15:        openssh-7.7p1-seccomp_ipc_flock.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch16:        openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
 # Local FIPS patchset
 Patch17:        openssh-7.7p1-fips.patch
 # Local cavs patchset
 Patch18:        openssh-7.7p1-cavstest-ctr.patch
 # Local cavs patchset
 Patch19:        openssh-7.7p1-cavstest-kdf.patch
 # Local FIPS patchset
 Patch20:        openssh-7.7p1-fips_checks.patch
 Patch21:        openssh-7.7p1-seed-prng.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch22:        openssh-7.7p1-systemd-notify.patch
 Patch23:        openssh-7.7p1-gssapi_key_exchange.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch24:        openssh-7.7p1-audit.patch
-Patch25:        openssh-7.7p1-openssl_1.1.0.patch
+# Local patch to disable runtime abi SSL checks, quite pointless for us
 Patch26:        openssh-7.7p1-disable_openssl_abi_check.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch27:        openssh-7.7p1-no_fork-no_pid_file.patch
 Patch28:        openssh-7.7p1-host_ident.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=1844
 Patch29:        openssh-7.7p1-sftp_force_permissions.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2143
 Patch30:        openssh-7.7p1-X_forward_with_disabled_ipv6.patch
 Patch31:        openssh-7.7p1-ldap.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2213
 Patch32:        openssh-7.7p1-IPv6_X_forwarding.patch
 Patch33:        openssh-7.7p1-sftp_print_diagnostic_messages.patch
 Patch34:        openssh-openssl-1_0_0-compatibility.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  groff
@ -176,7 +187,6 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 %configure \
    --sysconfdir=%{_sysconfdir}/ssh \
    --libexecdir=%{_libexecdir}/ssh \
    --with-tcp-wrappers \
    --with-selinux \
    --with-pid-dir=/run \
    --with-systemd \
@ -188,19 +198,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
    --with-sandbox=seccomp_filter \
 %else
    --with-sandbox=rlimit \
 %endif
 %ifnarch s390 s390x
    --with-opensc \
 %endif
    --disable-strip \
    --with-audit=linux \
    --with-ldap \
    --with-xauth=%{_bindir}/xauth \
    --with-libedit \
-    --with-ssh1 \
+    --target=%{_target_cpu}-suse-linux
    --target=%{_target_cpu}-suse-linux \
 ### configure end
 make %{?_smp_mflags}
 %install
--- a/sshd.service
+++ b/sshd.service
@ -10,7 +10,8 @@ ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
-Restart=always
+Restart=on-failure
 RestartPreventExitStatus=255
 TasksMax=infinity
 [Install]