Accepting request 738544 from network

- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). - Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch - Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes" in /etc/sysconfig/ssh. This is set to "yes" by default, but can be changed by the system administrator (bsc#1139089). - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). - Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different OBS-URL: https://build.opensuse.org/request/show/738544 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=135
2019-10-25 16:39:52 +00:00 · 2019-10-25 16:39:52 +00:00 · a68d0c642d
commit a68d0c642d
parent 8c7e2eae29 5c5997059e
32 changed files with 5486 additions and 5807 deletions
--- a/0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
+++ b/0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
@ -1,252 +0,0 @@
 From 76a24b3fa193a9ca3e47a8779d497cb06500798b Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Fri, 1 Mar 2019 02:32:39 +0000
 Subject: upstream: Fix two race conditions in sshd relating to SIGHUP:
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 1. Recently-forked child processes will briefly remain listening to
  listen_socks. If the main server sshd process completes its restart
  via execv() before these sockets are closed by the child processes
  then it can fail to listen at the desired addresses/ports and/or
  fail to restart.
 2. When a SIGHUP is received, there may be forked child processes that
  are awaiting their reexecution state. If the main server sshd
  process restarts before passing this state, these child processes
  will yield errors and use a fallback path of reading the current
  sshd_config from the filesystem rather than use the one that sshd
  was started with.
 To fix both of these cases, we reuse the startup_pipes that are shared
 between the main server sshd and forked children. Previously this was
 used solely to implement tracking of pre-auth child processes for
 MaxStartups, but this extends the messaging over these pipes to include
 a child->parent message that the parent process is safe to restart. This
 message is sent from the child after it has completed its preliminaries:
 closing listen_socks and receiving its reexec state.
 bz#2953, reported by Michal Koutný; ok markus@ dtucker@
 OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
 ---
 sshd.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 86 insertions(+), 28 deletions(-)
 Index: openssh-7.9p1/sshd.c
 ===================================================================
 --- openssh-7.9p1.orig/sshd.c	2019-03-11 15:26:34.532966127 +0100
 +++ openssh-7.9p1/sshd.c	2019-03-11 16:05:21.242748303 +0100
@@ -240,9 +240,26 @@ u_int session_id2_len = 0;
 /* record remote hostname or ip */
 u_int utmp_len = HOST_NAME_MAX+1;
 -/* options.max_startup sized array of fd ints */
 +/*
 + * startup_pipes/flags are used for tracking children of the listening sshd
 + * process early in their lifespans. This tracking is needed for three things:
 + *
 + * 1) Implementing the MaxStartups limit of concurrent unauthenticated
 + *    connections.
 + * 2) Avoiding a race condition for SIGHUP processing, where child processes
 + *    may have listen_socks open that could collide with main listener process
 + *    after it restarts.
 + * 3) Ensuring that rexec'd sshd processes have received their initial state
 + *    from the parent listen process before handling SIGHUP.
 + *
 + * Child processes signal that they have completed closure of the listen_socks
 + * and (if applicable) received their rexec state by sending a char over their
 + * sock. Child processes signal that authentication has completed by closing
 + * the sock (or by exiting).
 + */
 int *startup_pipes = NULL;
 -int startup_pipe;		/* in child */
 +static int *startup_flags = NULL;	/* Indicates child closed listener */
 +static int startup_pipe = -1;		/* in child */
 /* variables used for privilege separation */
 int use_privsep = -1;
@@ -1081,14 +1098,9 @@ server_accept_inetd(int *sock_in, int *s
 {
 	int fd;
 -	startup_pipe = -1;
 	if (rexeced_flag) {
 		close(REEXEC_CONFIG_PASS_FD);
 		*sock_in = *sock_out = dup(STDIN_FILENO);
 -		if (!debug_flag) {
 -			startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
 -			close(REEXEC_STARTUP_PIPE_FD);
 -		}
 	} else {
 		*sock_in = dup(STDIN_FILENO);
 		*sock_out = dup(STDOUT_FILENO);
@@ -1213,8 +1225,9 @@ server_accept_loop(int *sock_in, int *so
 {
 	fd_set *fdset;
 	int i, j, ret, maxfd;
 -	int startups = 0;
 +	int startups = 0, listening = 0, lameduck = 0;
 	int startup_p[2] = { -1 , -1 };
 +	char c = 0;
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	pid_t pid;
@@ -1228,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so
 			maxfd = listen_socks[i];
 	/* pipes connected to unauthenticated childs */
 	startup_pipes = xcalloc(options.max_startups, sizeof(int));
 +	startup_flags = xcalloc(options.max_startups, sizeof(int));
 	for (i = 0; i < options.max_startups; i++)
 		startup_pipes[i] = -1;
@@ -1236,8 +1250,15 @@ server_accept_loop(int *sock_in, int *so
 	 * the daemon is killed with a signal.
 	 */
 	for (;;) {
 -		if (received_sighup)
 -			sighup_restart();
 +		if (received_sighup) {
 +			if (!lameduck) {
 +				debug("Received SIGHUP; waiting for children");
 +				close_listen_socks();
 +				lameduck = 1;
 +			}
 +			if (listening <= 0)
 +				sighup_restart();
 +		}
 		free(fdset);
 		fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
 		    sizeof(fd_mask));
@@ -1264,19 +1285,37 @@ server_accept_loop(int *sock_in, int *so
 		if (ret < 0)
 			continue;
 -		for (i = 0; i < options.max_startups; i++)
 -			if (startup_pipes[i] != -1 &&
 -			    FD_ISSET(startup_pipes[i], fdset)) {
 -				/*
 -				 * the read end of the pipe is ready
 -				 * if the child has closed the pipe
 -				 * after successful authentication
 -				 * or if the child has died
 -				 */
 +		for (i = 0; i < options.max_startups; i++) {
 +			if (startup_pipes[i] == -1 ||
 +			    !FD_ISSET(startup_pipes[i], fdset))
 +				continue;
 +			switch (read(startup_pipes[i], &c, sizeof(c))) {
 +			case -1:
 +				if (errno == EINTR || errno == EAGAIN)
 +					continue;
 +				if (errno != EPIPE) {
 +					error("%s: startup pipe %d (fd=%d): "
 +					    "read %s", __func__, i,
 +					    startup_pipes[i], strerror(errno));
 +				}
 +				/* FALLTHROUGH */
 +			case 0:
 +				/* child exited or completed auth */
 				close(startup_pipes[i]);
 				startup_pipes[i] = -1;
 				startups--;
 +				if (startup_flags[i])
 +					listening--;
 +				break;
 +			case 1:
 +				/* child has finished preliminaries */
 +				if (startup_flags[i]) {
 +					listening--;
 +					startup_flags[i] = 0;
 +				}
 +				break;
 			}
 +		}
 		for (i = 0; i < num_listen_socks; i++) {
 			if (!FD_ISSET(listen_socks[i], fdset))
 				continue;
@@ -1330,6 +1369,7 @@ server_accept_loop(int *sock_in, int *so
 					if (maxfd < startup_p[0])
 						maxfd = startup_p[0];
 					startups++;
 +					startup_flags[j] = 1;
 					break;
 				}
 			if(!(--re_seeding_counter)) {
@@ -1359,7 +1399,7 @@ server_accept_loop(int *sock_in, int *so
 					send_rexec_state(config_s[0], cfg);
 					close(config_s[0]);
 				}
 -				break;
 +				return;
 			}
 			/*
@@ -1368,13 +1408,14 @@ server_accept_loop(int *sock_in, int *so
 			 * parent continues listening.
 			 */
 			platform_pre_fork();
 +			listening++;
 			if ((pid = fork()) == 0) {
 				/*
 				 * Child.  Close the listening and
 				 * max_startup sockets.  Start using
 				 * the accepted socket. Reinitialize
 				 * logging (since our pid has changed).
 -				 * We break out of the loop to handle
 +				 * We return from this function to handle
 				 * the connection.
 				 */
 				platform_post_fork_child();
@@ -1389,7 +1430,18 @@ server_accept_loop(int *sock_in, int *so
 				    log_stderr);
 				if (rexec_flag)
 					close(config_s[0]);
 -				break;
 +				else {
 +					/*
 +					 * Signal parent that the preliminaries
 +					 * for this child are complete. For the
 +					 * re-exec case, this happens after the
 +					 * child has received the rexec state
 +					 * from the server.
 +					 */
 +					(void)atomicio(vwrite, startup_pipe,
 +					    "\0", 1);
 +				}
 +				return;
 			}
 			/* Parent.  Stay in the loop. */
@@ -1421,10 +1473,6 @@ server_accept_loop(int *sock_in, int *so
 #endif
 			explicit_bzero(rnd, sizeof(rnd));
 		}
 -
 -		/* child process check (or debug mode) */
 -		if (num_listen_socks < 0)
 -			break;
 	}
 }
@@ -1760,8 +1808,18 @@ main(int ac, char **av)
 	/* Fetch our configuration */
 	if ((cfg = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
 -	if (rexeced_flag)
 +	if (rexeced_flag) {
 		recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg);
 +		if (!debug_flag) {
 +			startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
 +			close(REEXEC_STARTUP_PIPE_FD);
 +			/*
 +			 * Signal parent that this child is at a point where
 +			 * they can go away if they have a SIGHUP pending.
 +			 */
 +			(void)atomicio(vwrite, startup_pipe, "\0", 1);
 +		}
 +	}
 	else if (strcasecmp(config_file_name, "none") != 0)
 		load_server_config(config_file_name, cfg);
--- a/openssh-7.7p1-X_forward_with_disabled_ipv6.patch
+++ b/openssh-7.7p1-X_forward_with_disabled_ipv6.patch
@ -3,15 +3,11 @@
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
-diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
+diff --git a/channels.c b/channels.c
--- openssh-7.7p1/channels.c
+index f51b7e3..95af47e 100644
-+++ openssh-7.7p1/channels.c
+--- a/channels.c
-@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh,
+++ b/channels.c
- 			if (ai->ai_family == AF_INET6)
+@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
 				sock_set_v6only(sock);
 			if (x11_use_localhost)
 				set_reuseaddr(sock);
 			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 				debug2("%s: bind port %d: %.100s", __func__,
 				    port, strerror(errno));
 				close(sock);
@ -25,8 +21,3 @@ diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
 				for (n = 0; n < num_socks; n++)
 					close(socks[n]);
 				num_socks = 0;
 				break;
 			}
 			socks[num_socks++] = sock;
 			if (num_socks == NUM_SOCKS)
 				break;
--- a/openssh-7.7p1-cavstest-ctr.patch
+++ b/openssh-7.7p1-cavstest-ctr.patch
@ -2,11 +2,11 @@
 # Parent  cc1022edba2c5eeb0facba08468f65afc2466b63
 CAVS test for OpenSSH's own CTR encryption mode implementation
-Index: openssh-7.9p1/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 7488595..d426006 100644
--- openssh-7.9p1.orig/Makefile.in
+--- a/Makefile.in
-+++ openssh-7.9p1/Makefile.in
+++ b/Makefile.in
-@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
+@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
 XMSS_OBJS=\
 	ssh-xmss.o \
 	sshkey-xmss.o \
-@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
+@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
 	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -34,7 +34,7 @@ Index: openssh-7.9p1/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -348,6 +355,7 @@ install-files:
+@@ -354,6 +361,7 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -42,10 +42,11 @@ Index: openssh-7.9p1/Makefile.in
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-Index: openssh-7.9p1/cavstest-ctr.c
+diff --git a/cavstest-ctr.c b/cavstest-ctr.c
-===================================================================
+new file mode 100644
 index 0000000..f81cb72
 --- /dev/null
-+++ openssh-7.9p1/cavstest-ctr.c
+++ b/cavstest-ctr.c
@@ -0,0 +1,214 @@
 +/*
 + *
@ -261,13 +262,13 @@ Index: openssh-7.9p1/cavstest-ctr.c
 +	printf("\n");
 +	return 0;
 +}
-Index: openssh-7.9p1/cipher.c
+diff --git a/cipher.c b/cipher.c
-===================================================================
+index acca752..b67a4ff 100644
--- openssh-7.9p1.orig/cipher.c
+--- a/cipher.c
-+++ openssh-7.9p1/cipher.c
+++ b/cipher.c
-@@ -54,15 +54,6 @@
+@@ -58,15 +58,6 @@
- #include "fips.h"
+ #define EVP_CIPHER_CTX void
- #include "log.h"
+ #endif
 -struct sshcipher_ctx {
 -	int	plaintext;
@ -281,11 +282,11 @@ Index: openssh-7.9p1/cipher.c
 struct sshcipher {
 	char	*name;
 	u_int	block_size;
-Index: openssh-7.9p1/cipher.h
+diff --git a/cipher.h b/cipher.h
-===================================================================
+index 5843aab..d7d8c89 100644
--- openssh-7.9p1.orig/cipher.h
+--- a/cipher.h
-+++ openssh-7.9p1/cipher.h
+++ b/cipher.h
-@@ -46,7 +46,15 @@
+@@ -48,7 +48,15 @@
 #define CIPHER_DECRYPT		0
 struct sshcipher;
--- a/openssh-7.7p1-cavstest-kdf.patch
+++ b/openssh-7.7p1-cavstest-kdf.patch
@ -2,10 +2,10 @@
 # Parent  1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
 CAVS test for KDF implementation in OpenSSH
-Index: openssh-7.9p1/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index d426006..85818f4 100644
--- openssh-7.9p1.orig/Makefile.in	2019-03-12 16:12:42.213142294 +0100
+--- a/Makefile.in
-+++ openssh-7.9p1/Makefile.in	2019-03-28 13:49:37.150166231 +0100
+++ b/Makefile.in
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
 XMSS_OBJS=\
 	ssh-xmss.o \
-@@ -211,6 +212,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
+@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
 	$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -33,7 +33,7 @@ Index: openssh-7.9p1/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -356,6 +360,7 @@ install-files:
+@@ -362,6 +366,7 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@ -41,11 +41,12 @@ Index: openssh-7.9p1/Makefile.in
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-Index: openssh-7.9p1/cavstest-kdf.c
+diff --git a/cavstest-kdf.c b/cavstest-kdf.c
-===================================================================
+new file mode 100644
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+index 0000000..a6ecf45
-+++ openssh-7.9p1/cavstest-kdf.c	2019-03-28 13:54:20.047709759 +0100
+--- /dev/null
-@@ -0,0 +1,384 @@
+++ b/cavstest-kdf.c
@@ -0,0 +1,402 @@
 +/*
 + * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
 + *
@ -93,6 +94,7 @@ Index: openssh-7.9p1/cavstest-kdf.c
 +#include <openssl/bn.h>
 +
 +#include "xmalloc.h"
 +#include "ssherr.h"
 +#include "sshbuf.h"
 +#include "sshkey.h"
 +#include "cipher.h"
@ -208,6 +210,23 @@ Index: openssh-7.9p1/cavstest-kdf.c
 +	unsigned int ik_len;
 +};
 +
 +#ifdef WITH_OPENSSL
 +static int
 +kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
 +    const BIGNUM *secret)
 +{
 +	struct sshbuf *shared_secret;
 +	int r;
 +
 +	if ((shared_secret = sshbuf_new()) == NULL)
 +		return SSH_ERR_ALLOC_FAIL;
 +	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
 +		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
 +	sshbuf_free(shared_secret);
 +	return r;
 +}
 +#endif
 +
 +static int sshkdf_cavs(struct kdf_cavs *test)
 +{
 +	int ret = 0;
--- a/openssh-7.7p1-disable_openssl_abi_check.patch
+++ b/openssh-7.7p1-disable_openssl_abi_check.patch
@ -4,15 +4,11 @@ disable run-time check for OpenSSL ABI by version number as that is not a
 reliable indicator of ABI changes and doesn't make much sense in a
 distribution package
-diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
+diff --git a/configure.ac b/configure.ac
--- openssh-7.7p1/configure.ac
+index 42ffd95..20a1884 100644
-+++ openssh-7.7p1/configure.ac
+--- a/configure.ac
-@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth],
+++ b/configure.ac
- 		if test "x$withval" != "xno" ; then
+@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth],
 			AC_DEFINE([BSD_AUTH], [1],
 				[Define if you have BSD auth support])
 			BSD_AUTH_MSG=yes
 		fi
 	]
 )
@ -32,33 +28,21 @@ diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
 # Where to place sshd.pid
 piddir=/var/run
 # make sure the directory exists
- if test ! -d $piddir ; then
+diff --git a/entropy.c b/entropy.c
- 	piddir=`eval echo ${sysconfdir}`
+index f8b9f42..4957b23 100644
- 	case $piddir in
+--- a/entropy.c
- 		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
+++ b/entropy.c
- 	esac
+@@ -223,11 +223,13 @@ seed_rng(void)
-diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c
+ 	/* Initialise libcrypto */
--- openssh-7.7p1/entropy.c
+ 	ssh_libcrypto_init();
 +++ openssh-7.7p1/entropy.c
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
 #endif /* OPENSSL_PRNG_ONLY */
 void
 seed_rng(void)
 {
 #ifndef OPENSSL_PRNG_ONLY
 	unsigned char buf[RANDOM_SEED_SIZE];
 #endif
 +#ifndef DISTRO_SSL
- 	if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
+ 	if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
 	    OpenSSL_version_num()))
 		fatal("OpenSSL version mismatch. Built against %lx, you "
- 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER,
 		    OpenSSL_version_num());
 +#endif
 #ifndef OPENSSL_PRNG_ONLY
- 	if (RAND_status() == 1) {
+ 	if (RAND_status() == 1)
 		debug3("RNG is ready, skipping seeding");
 		return;
 	}
 	if (seed_from_prngd(buf, sizeof(buf)) == -1)
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -3,23 +3,23 @@
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
-Index: openssh-7.9p1/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 1d2b2d9..7488595 100644
--- openssh-7.9p1.orig/Makefile.in	2019-02-28 17:20:15.767164591 +0100
+--- a/Makefile.in
-+++ openssh-7.9p1/Makefile.in	2019-03-12 11:41:49.662894934 +0100
+++ b/Makefile.in
-@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 	platform-pledge.o platform-tracing.o platform-misc.o
 +LIBSSH_OBJS += fips.o
 +
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect2.o mux.o
-Index: openssh-7.9p1/cipher-ctr.c
+diff --git a/cipher-ctr.c b/cipher-ctr.c
-===================================================================
+index 32771f2..b66f92f 100644
--- openssh-7.9p1.orig/cipher-ctr.c	2018-10-17 02:01:20.000000000 +0200
+--- a/cipher-ctr.c
-+++ openssh-7.9p1/cipher-ctr.c	2019-02-28 17:20:15.919165544 +0100
+++ b/cipher-ctr.c
@@ -27,6 +27,8 @@
 #include "xmalloc.h"
 #include "log.h"
@ -38,20 +38,21 @@ Index: openssh-7.9p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-Index: openssh-7.9p1/cipher.c
+diff --git a/cipher.c b/cipher.c
-===================================================================
+index 25f98ba..acca752 100644
--- openssh-7.9p1.orig/cipher.c	2018-10-17 02:01:20.000000000 +0200
+--- a/cipher.c
-+++ openssh-7.9p1/cipher.c	2019-03-12 11:41:49.662894934 +0100
+++ b/cipher.c
-@@ -51,6 +51,8 @@
+@@ -51,6 +51,9 @@
 #include "openbsd-compat/openssl-compat.h"
 +#include "fips.h"
 +#include "log.h"
- 
+
- struct sshcipher_ctx {
+ #ifndef WITH_OPENSSL
- 	int	plaintext;
+ #define EVP_CIPHER_CTX void
-@@ -80,7 +82,7 @@ struct sshcipher {
+ #endif
@@ -83,7 +86,7 @@ struct sshcipher {
 #endif
 };
@ -60,7 +61,7 @@ Index: openssh-7.9p1/cipher.c
 #ifdef WITH_OPENSSL
 #ifndef OPENSSL_NO_DES
 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-@@ -111,8 +113,52 @@ static const struct sshcipher ciphers[]
+@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
 	{ NULL,			0, 0, 0, 0, 0, NULL }
 };
@ -113,7 +114,7 @@ Index: openssh-7.9p1/cipher.c
 /* Returns a comma-separated list of supported ciphers. */
 char *
 cipher_alg_list(char sep, int auth_only)
-@@ -121,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
+@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only)
 	size_t nlen, rlen = 0;
 	const struct sshcipher *c;
@ -122,7 +123,7 @@ Index: openssh-7.9p1/cipher.c
 		if ((c->flags & CFLAG_INTERNAL) != 0)
 			continue;
 		if (auth_only && c->auth_len == 0)
-@@ -193,7 +239,7 @@ const struct sshcipher *
+@@ -196,7 +243,7 @@ const struct sshcipher *
 cipher_by_name(const char *name)
 {
 	const struct sshcipher *c;
@ -131,10 +132,11 @@ Index: openssh-7.9p1/cipher.c
 		if (strcmp(c->name, name) == 0)
 			return c;
 	return NULL;
-Index: openssh-7.9p1/fips.c
+diff --git a/fips.c b/fips.c
-===================================================================
+new file mode 100644
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+index 0000000..23e3876
-+++ openssh-7.9p1/fips.c	2019-03-12 11:42:10.971006569 +0100
+--- /dev/null
 +++ b/fips.c
@@ -0,0 +1,212 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -348,10 +350,11 @@ Index: openssh-7.9p1/fips.c
 +	return dgst;
 +}
 +
-Index: openssh-7.9p1/fips.h
+diff --git a/fips.h b/fips.h
-===================================================================
+new file mode 100644
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+index 0000000..a115a61
-+++ openssh-7.9p1/fips.h	2019-03-12 11:41:49.514894158 +0100
+--- /dev/null
 +++ b/fips.h
@@ -0,0 +1,44 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -397,11 +400,11 @@ Index: openssh-7.9p1/fips.h
 +
 +#endif
 +
-Index: openssh-7.9p1/hmac.c
+diff --git a/hmac.c b/hmac.c
-===================================================================
+index 3268887..b905a1e 100644
--- openssh-7.9p1.orig/hmac.c	2018-10-17 02:01:20.000000000 +0200
+--- a/hmac.c
-+++ openssh-7.9p1/hmac.c	2019-02-28 17:20:15.919165544 +0100
+++ b/hmac.c
-@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
+@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
 	size_t			 i;
 	u_char			 digest[16];
@ -410,11 +413,11 @@ Index: openssh-7.9p1/hmac.c
 		printf("ssh_hmac_start failed");
 	if (ssh_hmac_init(ctx, key, klen) < 0 ||
 	    ssh_hmac_update(ctx, m, mlen) < 0 ||
-Index: openssh-7.9p1/kex.c
+diff --git a/kex.c b/kex.c
-===================================================================
+index 49d7015..1f82c2e 100644
--- openssh-7.9p1.orig/kex.c	2018-10-17 02:01:20.000000000 +0200
+--- a/kex.c
-+++ openssh-7.9p1/kex.c	2019-02-28 17:20:15.919165544 +0100
+++ b/kex.c
-@@ -54,6 +54,8 @@
+@@ -60,6 +60,8 @@
 #include "sshbuf.h"
 #include "digest.h"
@ -423,7 +426,7 @@ Index: openssh-7.9p1/kex.c
 /* prototype */
 static int kex_choose_conf(struct ssh *);
 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
-@@ -77,7 +79,7 @@ struct kexalg {
+@@ -83,7 +85,7 @@ struct kexalg {
 	int ec_nid;
 	int hash_alg;
 };
@ -432,8 +435,8 @@ Index: openssh-7.9p1/kex.c
 #ifdef WITH_OPENSSL
 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-@@ -106,6 +108,47 @@ static const struct kexalg kexalgs[] = {
+@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
- 	{ NULL, -1, -1, -1},
+ 	{ NULL, 0, -1, -1},
 };
 +static const struct kexalg kexalgs_fips140_2[] = {
@ -480,7 +483,7 @@ Index: openssh-7.9p1/kex.c
 char *
 kex_alg_list(char sep)
 {
-@@ -113,7 +156,7 @@ kex_alg_list(char sep)
+@@ -121,7 +164,7 @@ kex_alg_list(char sep)
 	size_t nlen, rlen = 0;
 	const struct kexalg *k;
@ -489,7 +492,7 @@ Index: openssh-7.9p1/kex.c
 		if (ret != NULL)
 			ret[rlen++] = sep;
 		nlen = strlen(k->name);
-@@ -133,7 +176,7 @@ kex_alg_by_name(const char *name)
+@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
 {
 	const struct kexalg *k;
@ -498,7 +501,7 @@ Index: openssh-7.9p1/kex.c
 		if (strcmp(k->name, name) == 0)
 			return k;
 	}
-@@ -153,7 +196,10 @@ kex_names_valid(const char *names)
+@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
 		if (kex_alg_by_name(p) == NULL) {
@ -509,11 +512,11 @@ Index: openssh-7.9p1/kex.c
 			free(s);
 			return 0;
 		}
-Index: openssh-7.9p1/mac.c
+diff --git a/mac.c b/mac.c
-===================================================================
+index f3dda66..90d71c8 100644
--- openssh-7.9p1.orig/mac.c	2018-10-17 02:01:20.000000000 +0200
+--- a/mac.c
-+++ openssh-7.9p1/mac.c	2019-02-28 17:20:15.923165569 +0100
+++ b/mac.c
-@@ -40,6 +40,9 @@
+@@ -41,6 +41,9 @@
 #include "openbsd-compat/openssl-compat.h"
@ -523,7 +526,7 @@ Index: openssh-7.9p1/mac.c
 #define SSH_DIGEST	1	/* SSH_DIGEST_XXX */
 #define SSH_UMAC	2	/* UMAC (not integrated with OpenSSL) */
 #define SSH_UMAC128	3
-@@ -54,7 +57,7 @@ struct macalg {
+@@ -55,7 +58,7 @@ struct macalg {
 	int		etm;		/* Encrypt-then-MAC */
 };
@ -532,7 +535,7 @@ Index: openssh-7.9p1/mac.c
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
 	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
-@@ -82,6 +85,41 @@ static const struct macalg macs[] = {
+@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
 	{ NULL,					0, 0, 0, 0, 0, 0 }
 };
@ -574,7 +577,7 @@ Index: openssh-7.9p1/mac.c
 /* Returns a list of supported MACs separated by the specified char. */
 char *
 mac_alg_list(char sep)
-@@ -90,7 +128,7 @@ mac_alg_list(char sep)
+@@ -87,7 +125,7 @@ mac_alg_list(char sep)
 	size_t nlen, rlen = 0;
 	const struct macalg *m;
@ -583,7 +586,7 @@ Index: openssh-7.9p1/mac.c
 		if (ret != NULL)
 			ret[rlen++] = sep;
 		nlen = strlen(m->name);
-@@ -129,7 +167,7 @@ mac_setup(struct sshmac *mac, char *name
+@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
 {
 	const struct macalg *m;
@ -592,11 +595,11 @@ Index: openssh-7.9p1/mac.c
 		if (strcmp(name, m->name) != 0)
 			continue;
 		if (mac != NULL)
-Index: openssh-7.9p1/myproposal.h
+diff --git a/myproposal.h b/myproposal.h
-===================================================================
+index 34bd10c..e6be484 100644
--- openssh-7.9p1.orig/myproposal.h	2018-10-17 02:01:20.000000000 +0200
+--- a/myproposal.h
-+++ openssh-7.9p1/myproposal.h	2019-02-28 17:20:15.923165569 +0100
+++ b/myproposal.h
-@@ -151,6 +151,8 @@
+@@ -144,6 +144,8 @@
 #else /* WITH_OPENSSL */
@ -605,10 +608,10 @@ Index: openssh-7.9p1/myproposal.h
 #define KEX_SERVER_KEX		\
 	"curve25519-sha256," \
 	"curve25519-sha256@libssh.org"
-Index: openssh-7.9p1/readconf.c
+diff --git a/readconf.c b/readconf.c
-===================================================================
+index f78b4d6..228f481 100644
--- openssh-7.9p1.orig/readconf.c	2018-10-17 02:01:20.000000000 +0200
+--- a/readconf.c
-+++ openssh-7.9p1/readconf.c	2019-02-28 20:20:19.619112418 +0100
+++ b/readconf.c
@@ -68,6 +68,8 @@
 #include "myproposal.h"
 #include "digest.h"
@ -618,7 +621,7 @@ Index: openssh-7.9p1/readconf.c
 /* Format of the configuration file:
    # Configuration data is parsed as follows:
-@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o)
+@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
@ -642,7 +645,7 @@ Index: openssh-7.9p1/readconf.c
 /*
  * Initializes options to special values that indicate that they have not yet
  * been set.  Read_config_file will only set options with this value. Options
-@@ -2095,6 +2114,8 @@ fill_default_options(Options * options)
+@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -651,7 +654,7 @@ Index: openssh-7.9p1/readconf.c
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
-@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
+@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
 	free(all_kex);
 	free(all_key);
 	free(all_sig);
@ -659,10 +662,10 @@ Index: openssh-7.9p1/readconf.c
 #define CLEAR_ON_NONE(v) \
 	do { \
-Index: openssh-7.9p1/readconf.h
+diff --git a/readconf.h b/readconf.h
-===================================================================
+index 8e36bf3..67111e9 100644
--- openssh-7.9p1.orig/readconf.h	2018-10-17 02:01:20.000000000 +0200
+--- a/readconf.h
-+++ openssh-7.9p1/readconf.h	2019-02-28 17:20:15.923165569 +0100
+++ b/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
 #define SSH_STRICT_HOSTKEY_YES	2
 #define SSH_STRICT_HOSTKEY_ASK	3
@ -671,10 +674,10 @@ Index: openssh-7.9p1/readconf.h
 void     initialize_options(Options *);
 void     fill_default_options(Options *);
 void	 fill_default_options_for_canonicalization(Options *);
-Index: openssh-7.9p1/servconf.c
+diff --git a/servconf.c b/servconf.c
-===================================================================
+index f58fecb..a8833a9 100644
--- openssh-7.9p1.orig/servconf.c	2019-02-28 17:20:15.851165117 +0100
+--- a/servconf.c
-+++ openssh-7.9p1/servconf.c	2019-02-28 17:20:15.923165569 +0100
+++ b/servconf.c
@@ -64,6 +64,7 @@
 #include "auth.h"
 #include "myproposal.h"
@ -716,7 +719,7 @@ Index: openssh-7.9p1/servconf.c
 }
 static void
-@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption
+@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -725,20 +728,20 @@ Index: openssh-7.9p1/servconf.c
 	if (options->disable_forwarding == -1)
 		options->disable_forwarding = 0;
 	if (options->expose_userauth_info == -1)
-Index: openssh-7.9p1/ssh-keygen.c
+diff --git a/ssh-keygen.c b/ssh-keygen.c
-===================================================================
+index 8c829ca..da63fb0 100644
--- openssh-7.9p1.orig/ssh-keygen.c	2018-10-17 02:01:20.000000000 +0200
+--- a/ssh-keygen.c
-+++ openssh-7.9p1/ssh-keygen.c	2019-02-28 17:20:15.923165569 +0100
+++ b/ssh-keygen.c
-@@ -61,6 +61,8 @@
+@@ -64,6 +64,8 @@
 #include "utf8.h"
 #include "authfd.h"
 #include "sshsig.h"
 +#include "fips.h"
 +
 #ifdef WITH_OPENSSL
 # define DEFAULT_KEY_TYPE_NAME "rsa"
 #else
-@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
+@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
 static void
 do_gen_all_hostkeys(struct passwd *pw)
 {
@ -754,7 +757,7 @@ Index: openssh-7.9p1/ssh-keygen.c
 #ifdef WITH_OPENSSL
 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ NULL, NULL, NULL }
 	};
@ -769,10 +772,10 @@ Index: openssh-7.9p1/ssh-keygen.c
 +	};
 +
 +	struct Key_types *key_types;
 	u_int32_t bits = 0;
 	int first = 0;
 	struct stat st;
- 	struct sshkey *private, *public;
+@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
 	int i, type, fd, r;
 	FILE *f;
@ -785,7 +788,7 @@ Index: openssh-7.9p1/ssh-keygen.c
 	for (i = 0; key_types[i].key_type; i++) {
 		public = private = NULL;
 		prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
+@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
 		key_type_name = DEFAULT_KEY_TYPE_NAME;
 	type = sshkey_type_from_name(key_type_name);
@ -801,35 +804,11 @@ Index: openssh-7.9p1/ssh-keygen.c
 	type_bits_valid(type, key_type_name, &bits);
 	if (!quiet)
-Index: openssh-7.9p1/ssh_config.0
+diff --git a/ssh_config.5 b/ssh_config.5
-===================================================================
+index 02a8789..f0cb291 100644
--- openssh-7.9p1.orig/ssh_config.0	2018-10-19 03:06:19.000000000 +0200
+--- a/ssh_config.5
-+++ openssh-7.9p1/ssh_config.0	2019-02-28 17:20:15.923165569 +0100
+++ b/ssh_config.5
-@@ -353,6 +353,9 @@ DESCRIPTION
+@@ -664,6 +664,8 @@ Valid options are:
              Specifies the hash algorithm used when displaying key
              fingerprints.  Valid options are: md5 and sha256 (the default).
 +             In the FIPS mode the minimum of SHA-1 is enforced (which means
 +             sha256).
 +
      ForwardAgent
              Specifies whether the connection to the authentication agent (if
              any) will be forwarded to the remote machine.  The argument must
@@ -610,6 +613,9 @@ DESCRIPTION
              The list of available key exchange algorithms may also be
              obtained using "ssh -Q kex".
 +             In the FIPS mode the FIPS standard takes precedence over RFC and
 +             forces the minimum to a higher value, currently 2048 bits.
 +
      LocalCommand
              Specifies a command to execute on the local machine after
              successfully connecting to the server.  The command string
 Index: openssh-7.9p1/ssh_config.5
 ===================================================================
 --- openssh-7.9p1.orig/ssh_config.5	2018-10-17 02:01:20.000000000 +0200
 +++ openssh-7.9p1/ssh_config.5	2019-02-28 17:20:15.923165569 +0100
@@ -642,6 +642,8 @@ Valid options are:
 and
 .Cm sha256
 (the default).
@ -838,11 +817,11 @@ Index: openssh-7.9p1/ssh_config.5
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
-Index: openssh-7.9p1/sshd.c
+diff --git a/sshd.c b/sshd.c
-===================================================================
+index 6b55ef7..c8086cd 100644
--- openssh-7.9p1.orig/sshd.c	2018-10-17 02:01:20.000000000 +0200
+--- a/sshd.c
-+++ openssh-7.9p1/sshd.c	2019-03-12 11:41:49.514894158 +0100
+++ b/sshd.c
-@@ -123,6 +123,8 @@
+@@ -127,6 +127,8 @@
 #include "version.h"
 #include "ssherr.h"
@ -851,35 +830,11 @@ Index: openssh-7.9p1/sshd.c
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-Index: openssh-7.9p1/sshd_config.0
+diff --git a/sshd_config.5 b/sshd_config.5
-===================================================================
+index 0707b47..8818ea5 100644
--- openssh-7.9p1.orig/sshd_config.0	2019-02-28 17:20:15.851165117 +0100
+--- a/sshd_config.5
-+++ openssh-7.9p1/sshd_config.0	2019-02-28 17:20:15.927165594 +0100
+++ b/sshd_config.5
-@@ -348,6 +348,9 @@ DESCRIPTION
+@@ -605,6 +605,8 @@ and
              Specifies the hash algorithm used when logging key fingerprints.
              Valid options are: md5 and sha256.  The default is sha256.
 +             In the FIPS mode the minimum of SHA-1 is enforced (which means
 +             sha256).
 +
      ForceCommand
              Forces the execution of the command specified by ForceCommand,
              ignoring any command supplied by the client and ~/.ssh/rc if
@@ -555,6 +558,9 @@ DESCRIPTION
              The list of available key exchange algorithms may also be
              obtained using "ssh -Q kex".
 +             In the FIPS mode the FIPS standard takes precedence over RFC and
 +             forces the minimum to a higher value, currently 2048 bits.
 +
      ListenAddress
              Specifies the local addresses sshd(8) should listen on.  The
              following forms may be used:
 Index: openssh-7.9p1/sshd_config.5
 ===================================================================
 --- openssh-7.9p1.orig/sshd_config.5	2019-02-28 17:20:15.851165117 +0100
 +++ openssh-7.9p1/sshd_config.5	2019-02-28 17:20:15.927165594 +0100
@@ -603,6 +603,8 @@ and
 .Cm sha256 .
 The default is
 .Cm sha256 .
--- a/openssh-7.7p1-fips_checks.patch
+++ b/openssh-7.7p1-fips_checks.patch
@ -14,10 +14,11 @@
 # file is not found (or the hash matches), proceed in non-FIPS mode and abort
 # otherwise.
-Index: openssh-7.9p1/fips-check.c
+diff --git a/fips-check.c b/fips-check.c
-===================================================================
+new file mode 100644
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+index 0000000..eceb031
-+++ openssh-7.9p1/fips-check.c	2019-03-12 11:42:19.299050200 +0100
+--- /dev/null
 +++ b/fips-check.c
@@ -0,0 +1,34 @@
 +#include "includes.h"
 +#include <fcntl.h>
@ -53,10 +54,10 @@ Index: openssh-7.9p1/fips-check.c
 +    fips_ssh_init();
 +	return 0;
 +}
-Index: openssh-7.9p1/fips.c
+diff --git a/fips.c b/fips.c
-===================================================================
+index 23e3876..297ae99 100644
--- openssh-7.9p1.orig/fips.c	2019-03-12 11:42:19.299050200 +0100
+--- a/fips.c
-+++ openssh-7.9p1/fips.c	2019-03-12 11:43:02.363275819 +0100
+++ b/fips.c
@@ -35,30 +35,293 @@
 #include "log.h"
 #include "xmalloc.h"
@ -245,9 +246,7 @@ Index: openssh-7.9p1/fips.c
 {
 	int fips_required = 0;
 -	char *env = getenv(SSH_FORCE_FIPS_ENV);
-+	int fips_fd;
+-
 +	char fips_sys = 0;
 -	if (env) {
 -		errno = 0;
 -		fips_required = strtol(env, NULL, 10);
@ -257,6 +256,9 @@ Index: openssh-7.9p1/fips.c
 -			fips_required = 0;
 -		} else
 -			fips_required = 1;
 +	int fips_fd;
 +	char fips_sys = 0;
 +
 +	struct stat dummy;
 +	if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
 +		switch (errno) {
@ -362,10 +364,10 @@ Index: openssh-7.9p1/fips.c
 int
 fips_mode(void)
 {
-Index: openssh-7.9p1/fips.h
+diff --git a/fips.h b/fips.h
-===================================================================
+index a115a61..3404684 100644
--- openssh-7.9p1.orig/fips.h	2019-03-12 11:42:13.819021490 +0100
+--- a/fips.h
-+++ openssh-7.9p1/fips.h	2019-03-12 11:42:19.303050221 +0100
+++ b/fips.h
@@ -1,5 +1,5 @@
 /*
 - * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -402,38 +404,38 @@ Index: openssh-7.9p1/fips.h
 int	 fips_mode(void);
 int	 fips_correct_dgst(int);
 int	 fips_dgst_min(void);
-@@ -41,4 +56,3 @@ enum fp_type	 fips_correct_fp_type(enum
+@@ -41,4 +56,3 @@ enum fp_type	 fips_correct_fp_type(enum fp_type);
 int	 fips_filter_crypto(char **, fips_filters);
 #endif
 -
-Index: openssh-7.9p1/sftp-server.c
+diff --git a/sftp-server.c b/sftp-server.c
-===================================================================
+index b133cbc..c3086b6 100644
--- openssh-7.9p1.orig/sftp-server.c	2019-03-12 11:42:13.819021490 +0100
+--- a/sftp-server.c
-+++ openssh-7.9p1/sftp-server.c	2019-03-12 11:42:19.303050221 +0100
+++ b/sftp-server.c
-@@ -51,6 +51,8 @@
+@@ -53,6 +53,8 @@
- #include "sftp.h"
+ 
- #include "sftp-common.h"
+ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
 +#include "fips.h"
 +
 /* Our verbosity */
 static LogLevel log_level = SYSLOG_LEVEL_ERROR;
-@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv,
+@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 	extern char *optarg;
 	extern char *__progname;
 +	/* initialize fips */
 +	fips_ssh_init();
 +
 	ssh_malloc_init();	/* must be called before any mallocs */
 	__progname = ssh_get_progname(argv[0]);
 	log_init(__progname, log_level, log_facility, log_stderr);
-Index: openssh-7.9p1/ssh.c
+ 
-===================================================================
+diff --git a/ssh.c b/ssh.c
--- openssh-7.9p1.orig/ssh.c	2019-03-12 11:42:13.823021511 +0100
+index ee51823..882d1da 100644
-+++ openssh-7.9p1/ssh.c	2019-03-12 11:42:19.303050221 +0100
+--- a/ssh.c
 +++ b/ssh.c
@@ -113,6 +113,8 @@
 #include "ssh-pkcs11.h"
 #endif
@ -443,7 +445,7 @@ Index: openssh-7.9p1/ssh.c
 extern char *__progname;
 /* Saves a copy of argv for setproctitle emulation */
-@@ -593,6 +595,10 @@ main(int ac, char **av)
+@@ -596,6 +598,10 @@ main(int ac, char **av)
 	struct ssh_digest_ctx *md;
 	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
@ -451,14 +453,14 @@ Index: openssh-7.9p1/ssh.c
 +	 * OpenBSD-only thing (as of OpenSSH 7.6p1) */
 +	fips_ssh_init();
 +
 	ssh_malloc_init();	/* must be called before any mallocs */
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
-Index: openssh-7.9p1/sshd.c
+ 
-===================================================================
+diff --git a/sshd.c b/sshd.c
--- openssh-7.9p1.orig/sshd.c	2019-03-12 11:42:13.823021511 +0100
+index c8086cd..bb20eec 100644
-+++ openssh-7.9p1/sshd.c	2019-03-12 11:42:19.303050221 +0100
+--- a/sshd.c
-@@ -1485,6 +1485,10 @@ main(int ac, char **av)
+++ b/sshd.c
@@ -1443,6 +1443,10 @@ main(int ac, char **av)
 	Authctxt *authctxt;
 	struct connection_info *connection_info = NULL;
@ -466,6 +468,6 @@ Index: openssh-7.9p1/sshd.c
 +	 * OpenBSD-only thing (as of OpenSSH 7.6p1) */
 +	fips_ssh_init();
 +
 	ssh_malloc_init();	/* must be called before any mallocs */
 #ifdef HAVE_SECUREWARE
 	(void)set_auth_parameters(ac, av);
 #endif
--- a/openssh-7.7p1-gssapi_key_exchange.patch
+++ b/openssh-7.7p1-gssapi_key_exchange.patch
--- a/openssh-7.7p1-hostname_changes_when_forwarding_X.patch
+++ b/openssh-7.7p1-hostname_changes_when_forwarding_X.patch
@ -5,11 +5,11 @@ handle hostname changes when forwarding X
 bnc#98627
-Index: openssh-7.8p1/session.c
+diff --git a/session.c b/session.c
-===================================================================
+index 94d7438..d81060c 100644
--- openssh-7.8p1.orig/session.c
+--- a/session.c
-+++ openssh-7.8p1/session.c
+++ b/session.c
-@@ -1009,7 +1009,7 @@ copy_environment(char **source, char ***
+@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
 }
 static char **
@ -18,7 +18,7 @@ Index: openssh-7.8p1/session.c
 {
 	char buf[256];
 	size_t n;
-@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s
+@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 		for (i = 0; env[i]; i++)
 			fprintf(stderr, "  %.200s\n", env[i]);
 	}
@ -27,7 +27,7 @@ Index: openssh-7.8p1/session.c
 	return env;
 }
-@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s
+@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
  * first in this order).
  */
 static void
@ -36,7 +36,7 @@ Index: openssh-7.8p1/session.c
 {
 	FILE *f = NULL;
 	char cmd[1024];
-@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s,
+@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
 		    options.xauth_location);
 		f = popen(cmd, "w");
 		if (f) {
@ -57,15 +57,15 @@ Index: openssh-7.8p1/session.c
 		} else {
 			fprintf(stderr, "Could not run %s\n",
 			    cmd);
-@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co
+@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
- {
+ 	char **env, *argv[ARGV_MAX], remote_id[512];
 	extern char **environ;
 	char **env;
 +	int env_size;
 	char *argv[ARGV_MAX];
 	const char *shell, *shell0;
 	struct passwd *pw = s->pw;
-@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co
+	int env_size;
 	int r = 0;
 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	 * Make sure $SHELL points to the shell from the password file,
 	 * even if shell is overridden from login.conf
 	 */
@ -74,7 +74,7 @@ Index: openssh-7.8p1/session.c
 #ifdef HAVE_LOGIN_CAP
 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co
+@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	closefrom(STDERR_FILENO + 1);
--- a/openssh-7.7p1-ldap.patch
+++ b/openssh-7.7p1-ldap.patch
@ -10,10 +10,11 @@
 # internal versions. ssh-keyconverter consequently fails to link as it lacks
 # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
-Index: openssh-7.9p1/HOWTO.ldap-keys
+diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
-===================================================================
+new file mode 100644
 index 0000000..831d399
 --- /dev/null
-+++ openssh-7.9p1/HOWTO.ldap-keys
+++ b/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
 +
 +HOW TO START
@ -123,11 +124,11 @@ Index: openssh-7.9p1/HOWTO.ldap-keys
 +  - frederic peters.
 +  - Finlay dobbie.
 +  - Stefan Fisher.
-Index: openssh-7.9p1/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 750aada..1baf5c6 100644
--- openssh-7.9p1.orig/Makefile.in
+--- a/Makefile.in
-+++ openssh-7.9p1/Makefile.in
+++ b/Makefile.in
-@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
+@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -136,7 +137,7 @@ Index: openssh-7.9p1/Makefile.in
 CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
 CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
 PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
+@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -146,7 +147,7 @@ Index: openssh-7.9p1/Makefile.in
 XMSS_OBJS=\
 	ssh-xmss.o \
 	sshkey-xmss.o \
-@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o uidswap.o
@ -157,17 +158,17 @@ Index: openssh-7.9p1/Makefile.in
 MANTYPE		= @MANTYPE@
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 +	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 +
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -361,6 +369,10 @@ install-files:
+@@ -363,6 +371,10 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +179,7 @@ Index: openssh-7.9p1/Makefile.in
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
-@@ -379,6 +391,10 @@ install-files:
+@@ -381,6 +393,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +190,7 @@ Index: openssh-7.9p1/Makefile.in
 install-sysconf:
 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -402,6 +418,13 @@ install-sysconf:
+@@ -404,6 +420,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
@ -203,7 +204,7 @@ Index: openssh-7.9p1/Makefile.in
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
-@@ -439,6 +462,8 @@ uninstall:
+@@ -441,6 +464,8 @@ uninstall:
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +213,7 @@ Index: openssh-7.9p1/Makefile.in
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -450,6 +475,7 @@ uninstall:
+@@ -452,6 +477,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +221,11 @@ Index: openssh-7.9p1/Makefile.in
 regress-prep:
 	$(MKDIR_P) `pwd`/regress/unittests/test_helper
-Index: openssh-7.9p1/configure.ac
+diff --git a/configure.ac b/configure.ac
-===================================================================
+index 20a1884..ff9c11a 100644
--- openssh-7.9p1.orig/configure.ac
+--- a/configure.ac
-+++ openssh-7.9p1/configure.ac
+++ b/configure.ac
-@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
+@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
 	esac ]
 )
@ -331,10 +332,11 @@ Index: openssh-7.9p1/configure.ac
 AC_ARG_WITH([pie],
     [  --with-pie              Build Position Independent Executables if possible], [
 	if test "x$withval" = "xno"; then
-Index: openssh-7.9p1/ldap-helper.c
+diff --git a/ldap-helper.c b/ldap-helper.c
-===================================================================
+new file mode 100644
 index 0000000..0efff1f
 --- /dev/null
-+++ openssh-7.9p1/ldap-helper.c
+++ b/ldap-helper.c
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -491,10 +493,11 @@ Index: openssh-7.9p1/ldap-helper.c
 +void   *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
 +void    buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
 +
-Index: openssh-7.9p1/ldap-helper.h
+diff --git a/ldap-helper.h b/ldap-helper.h
-===================================================================
+new file mode 100644
 index 0000000..14cb29a
 --- /dev/null
-+++ openssh-7.9p1/ldap-helper.h
+++ b/ldap-helper.h
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -528,10 +531,11 @@ Index: openssh-7.9p1/ldap-helper.h
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-Index: openssh-7.9p1/ldap.conf
+diff --git a/ldap.conf b/ldap.conf
-===================================================================
+new file mode 100644
 index 0000000..42e38d3
 --- /dev/null
-+++ openssh-7.9p1/ldap.conf
+++ b/ldap.conf
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -621,10 +625,11 @@ Index: openssh-7.9p1/ldap.conf
 +#tls_cert
 +#tls_key
 +
-Index: openssh-7.9p1/ldapbody.c
+diff --git a/ldapbody.c b/ldapbody.c
-===================================================================
+new file mode 100644
 index 0000000..032cc89
 --- /dev/null
-+++ openssh-7.9p1/ldapbody.c
+++ b/ldapbody.c
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1120,10 +1125,11 @@ Index: openssh-7.9p1/ldapbody.c
 +	return;
 +}
 +
-Index: openssh-7.9p1/ldapbody.h
+diff --git a/ldapbody.h b/ldapbody.h
-===================================================================
+new file mode 100644
 index 0000000..665dca2
 --- /dev/null
-+++ openssh-7.9p1/ldapbody.h
+++ b/ldapbody.h
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1162,10 +1168,11 @@ Index: openssh-7.9p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-Index: openssh-7.9p1/ldapconf.c
+diff --git a/ldapconf.c b/ldapconf.c
-===================================================================
+new file mode 100644
 index 0000000..2e22438
 --- /dev/null
-+++ openssh-7.9p1/ldapconf.c
+++ b/ldapconf.c
@@ -0,0 +1,711 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1878,10 +1885,11 @@ Index: openssh-7.9p1/ldapconf.c
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-Index: openssh-7.9p1/ldapconf.h
+diff --git a/ldapconf.h b/ldapconf.h
-===================================================================
+new file mode 100644
 index 0000000..c2aa704
 --- /dev/null
-+++ openssh-7.9p1/ldapconf.h
+++ b/ldapconf.h
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1954,10 +1962,11 @@ Index: openssh-7.9p1/ldapconf.h
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-Index: openssh-7.9p1/ldapincludes.h
+diff --git a/ldapincludes.h b/ldapincludes.h
-===================================================================
+new file mode 100644
 index 0000000..8539bdc
 --- /dev/null
-+++ openssh-7.9p1/ldapincludes.h
+++ b/ldapincludes.h
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2000,10 +2009,11 @@ Index: openssh-7.9p1/ldapincludes.h
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-Index: openssh-7.9p1/ldapmisc.c
+diff --git a/ldapmisc.c b/ldapmisc.c
-===================================================================
+new file mode 100644
 index 0000000..de23c0c
 --- /dev/null
-+++ openssh-7.9p1/ldapmisc.c
+++ b/ldapmisc.c
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -2084,10 +2094,11 @@ Index: openssh-7.9p1/ldapmisc.c
 +}
 +#endif
 +
-Index: openssh-7.9p1/ldapmisc.h
+diff --git a/ldapmisc.h b/ldapmisc.h
-===================================================================
+new file mode 100644
 index 0000000..4c271df
 --- /dev/null
-+++ openssh-7.9p1/ldapmisc.h
+++ b/ldapmisc.h
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2124,10 +2135,10 @@ Index: openssh-7.9p1/ldapmisc.h
 +
 +#endif /* LDAPMISC_H */
 +
-Index: openssh-7.9p1/openbsd-compat/base64.c
+diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
-===================================================================
+index 9e74667..14824be 100644
--- openssh-7.9p1.orig/openbsd-compat/base64.c
+--- a/openbsd-compat/base64.c
-+++ openssh-7.9p1/openbsd-compat/base64.c
+++ b/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
 #include "includes.h"
@ -2146,7 +2157,7 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
 int
 b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 {
-@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle
+@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 }
 #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
@ -2155,10 +2166,10 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
 /* skips all whitespace anywhere.
    converts characters, four at a time, starting at (or after)
-Index: openssh-7.9p1/openbsd-compat/base64.h
+diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h
-===================================================================
+index bd77293..e27df9a 100644
--- openssh-7.9p1.orig/openbsd-compat/base64.h
+--- a/openbsd-compat/base64.h
-+++ openssh-7.9p1/openbsd-compat/base64.h
+++ b/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
 #include "includes.h"
@ -2180,10 +2191,11 @@ Index: openssh-7.9p1/openbsd-compat/base64.h
 int b64_pton(char const *src, u_char *target, size_t targsize);
 # endif /* !HAVE_B64_PTON */
 # define __b64_pton(a,b,c) b64_pton(a,b,c)
-Index: openssh-7.9p1/openssh-lpk-openldap.schema
+diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
-===================================================================
+new file mode 100644
 index 0000000..c84f90f
 --- /dev/null
-+++ openssh-7.9p1/openssh-lpk-openldap.schema
+++ b/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2218,11 @@ Index: openssh-7.9p1/openssh-lpk-openldap.schema
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-Index: openssh-7.9p1/openssh-lpk-sun.schema
+diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
-===================================================================
+new file mode 100644
 index 0000000..3136673
 --- /dev/null
-+++ openssh-7.9p1/openssh-lpk-sun.schema
+++ b/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2247,11 @@ Index: openssh-7.9p1/openssh-lpk-sun.schema
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-Index: openssh-7.9p1/ssh-ldap-helper.8
+diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
-===================================================================
+new file mode 100644
 index 0000000..f8440e4
 --- /dev/null
-+++ openssh-7.9p1/ssh-ldap-helper.8
+++ b/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2318,19 +2332,21 @@ Index: openssh-7.9p1/ssh-ldap-helper.8
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-Index: openssh-7.9p1/ssh-ldap-wrapper
+diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
-===================================================================
+new file mode 100644
 index 0000000..9fdfc37
 --- /dev/null
-+++ openssh-7.9p1/ssh-ldap-wrapper
+++ b/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
 +
-Index: openssh-7.9p1/ssh-ldap.conf.5
+diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
-===================================================================
+new file mode 100644
 index 0000000..15eb03d
 --- /dev/null
-+++ openssh-7.9p1/ssh-ldap.conf.5
+++ b/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
--- a/openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
+++ b/openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
@ -1,36 +0,0 @@
 # HG changeset patch
 # Parent  a7b18fdd68dba10349e59a9085fd822343311f45
 Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 To: openssh-unix-dev@mindrot.org
 Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
 Date: Tue,  9 May 2017 14:27:15 -0300
 The EP11 crypto card needs to make an ioctl call, which receives an
 specific argument. This crypto card is for s390 only.
 Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
 --- openssh-7.7p1/sandbox-seccomp-filter.c
 +++ openssh-7.7p1/sandbox-seccomp-filter.c
@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
 	SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
 	SC_DENY(__NR_socketcall, EACCES),
 #endif
 #if defined(__NR_ioctl) && defined(__s390__)
 	/* Allow ioctls for ICA crypto card on s390 */
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
 +	/* Allow ioctls for EP11 crypto card on s390 */
 +	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
 #endif
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
 	/*
 	 * On Linux x32, the clock_gettime VDSO falls back to the
 	 * x86-64 syscall under some circumstances, e.g.
 	 * https://bugs.debian.org/849923
 	 */
 	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
--- a/openssh-7.7p1-seed-prng.patch
+++ b/openssh-7.7p1-seed-prng.patch
@ -3,25 +3,71 @@
 # extended support for (re-)seeding the OpenSSL PRNG from /dev/random
 # bnc#703221, FATE#312172
-Index: openssh-7.8p1/entropy.c
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 85818f4..750aada 100644
--- openssh-7.8p1.orig/entropy.c
+--- a/Makefile.in
-+++ openssh-7.8p1/entropy.c
+++ b/Makefile.in
-@@ -235,6 +235,9 @@ seed_rng(void)
+@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
- 	memset(buf, '\0', sizeof(buf));
+ 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
 -	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 +	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 -	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
 -	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
 -	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
 -	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
 -	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 +	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 # FIPS tests
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
 diff --git a/entropy.c b/entropy.c
 index 5de6801..f8b9f42 100644
 --- a/entropy.c
 +++ b/entropy.c
@@ -239,6 +239,8 @@ seed_rng(void)
 	}
 #endif /* OPENSSL_PRNG_ONLY */
-+
+ 
 +	linux_seed();
 +
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
- }
+ 
-Index: openssh-7.8p1/openbsd-compat/Makefile.in
+diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
-===================================================================
+index 1162dc5..80fd688 100644
--- openssh-7.8p1.orig/openbsd-compat/Makefile.in
+--- a/openbsd-compat/Makefile.in
-+++ openssh-7.8p1/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
-@@ -90,6 +90,7 @@ COMPAT=	arc4random.o \
+@@ -91,6 +91,7 @@ COMPAT=	arc4random.o \
 PORTS=	port-aix.o \
 	port-irix.o \
 	port-linux.o \
@ -29,10 +75,11 @@ Index: openssh-7.8p1/openbsd-compat/Makefile.in
 	port-solaris.o \
 	port-net.o \
 	port-uw.o
-Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
+diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
-===================================================================
+new file mode 100644
 index 0000000..dfc4bdb
 --- /dev/null
-+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c
+++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
 +/*
 + * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -115,10 +162,10 @@ Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
 +			fatal ("EOF reading %s", rand_file);
 +	}
 +}
-Index: openssh-7.8p1/openbsd-compat/port-linux.h
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-===================================================================
+index 3c22a85..2dc1fd0 100644
--- openssh-7.8p1.orig/openbsd-compat/port-linux.h
+--- a/openbsd-compat/port-linux.h
-+++ openssh-7.8p1/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -17,6 +17,10 @@
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
@ -130,11 +177,11 @@ Index: openssh-7.8p1/openbsd-compat/port-linux.h
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
-Index: openssh-7.8p1/ssh-add.1
+diff --git a/ssh-add.1 b/ssh-add.1
-===================================================================
+index d4e1c60..6f76900 100644
--- openssh-7.8p1.orig/ssh-add.1
+--- a/ssh-add.1
-+++ openssh-7.8p1/ssh-add.1
+++ b/ssh-add.1
-@@ -172,6 +172,20 @@ to make this work.)
+@@ -189,6 +189,20 @@ to make this work.)
 Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
@ -155,11 +202,11 @@ Index: openssh-7.8p1/ssh-add.1
 .El
 .Sh FILES
 .Bl -tag -width Ds
-Index: openssh-7.8p1/ssh-agent.1
+diff --git a/ssh-agent.1 b/ssh-agent.1
-===================================================================
+index 83b2b41..9e187f2 100644
--- openssh-7.8p1.orig/ssh-agent.1
+--- a/ssh-agent.1
-+++ openssh-7.8p1/ssh-agent.1
+++ b/ssh-agent.1
-@@ -214,6 +214,23 @@ sockets used to contain the connection t
+@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent.
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
 .El
@ -183,11 +230,11 @@ Index: openssh-7.8p1/ssh-agent.1
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-Index: openssh-7.8p1/ssh-keygen.1
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
-===================================================================
+index 957d2f0..70c4a28 100644
--- openssh-7.8p1.orig/ssh-keygen.1
+--- a/ssh-keygen.1
-+++ openssh-7.8p1/ssh-keygen.1
+++ b/ssh-keygen.1
-@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for
+@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
 The file format is described in
 .Xr moduli 5 .
 .El
@ -211,11 +258,11 @@ Index: openssh-7.8p1/ssh-keygen.1
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-Index: openssh-7.8p1/ssh-keysign.8
+diff --git a/ssh-keysign.8 b/ssh-keysign.8
-===================================================================
+index 19b0dbc..639b56e 100644
--- openssh-7.8p1.orig/ssh-keysign.8
+--- a/ssh-keysign.8
-+++ openssh-7.8p1/ssh-keysign.8
+++ b/ssh-keysign.8
-@@ -80,6 +80,23 @@ must be set-uid root if host-based authe
+@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 .El
@ -239,11 +286,11 @@ Index: openssh-7.8p1/ssh-keysign.8
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
-Index: openssh-7.8p1/ssh.1
+diff --git a/ssh.1 b/ssh.1
-===================================================================
+index 424d6c3..899a339 100644
--- openssh-7.8p1.orig/ssh.1
+--- a/ssh.1
-+++ openssh-7.8p1/ssh.1
+++ b/ssh.1
-@@ -1432,6 +1432,20 @@ For more information, see the
+@@ -1433,6 +1433,20 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
 .Xr sshd_config 5 .
@ -264,11 +311,11 @@ Index: openssh-7.8p1/ssh.1
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
-Index: openssh-7.8p1/sshd.8
+diff --git a/sshd.8 b/sshd.8
-===================================================================
+index fb133c1..2f1d3ab 100644
--- openssh-7.8p1.orig/sshd.8
+--- a/sshd.8
-+++ openssh-7.8p1/sshd.8
+++ b/sshd.8
-@@ -966,6 +966,23 @@ concurrently for different ports, this c
+@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
@ -292,10 +339,10 @@ Index: openssh-7.8p1/sshd.8
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
-Index: openssh-7.8p1/sshd.c
+diff --git a/sshd.c b/sshd.c
-===================================================================
+index bb20eec..c562094 100644
--- openssh-7.8p1.orig/sshd.c
+--- a/sshd.c
-+++ openssh-7.8p1/sshd.c
+++ b/sshd.c
@@ -55,6 +55,8 @@
 #endif
 #include "openbsd-compat/sys-tree.h"
@ -305,7 +352,7 @@ Index: openssh-7.8p1/sshd.c
 #include <sys/wait.h>
 #include <errno.h>
-@@ -208,6 +210,13 @@ struct {
+@@ -205,6 +207,13 @@ struct {
 	int		have_ssh2_key;
 } sensitive_data;
@ -319,8 +366,8 @@ Index: openssh-7.8p1/sshd.c
 /* This is set to true when a signal is received. */
 static volatile sig_atomic_t received_sighup = 0;
 static volatile sig_atomic_t received_sigterm = 0;
-@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so
+@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
- 					startups++;
+ 					startup_flags[j] = 1;
 					break;
 				}
 +			if(!(--re_seeding_counter)) {
--- a/openssh-7.7p1-sftp_print_diagnostic_messages.patch
+++ b/openssh-7.7p1-sftp_print_diagnostic_messages.patch
@ -3,26 +3,11 @@
 Put back sftp client diagnostic messages in batch mode
 bsc#1023275
-
+diff --git a/sftp.1 b/sftp.1
-Index: openssh-7.8p1/sftp.0
+index a52c1cf..7333de8 100644
-===================================================================
+--- a/sftp.1
--- openssh-7.8p1.orig/sftp.0
+++ b/sftp.1
-+++ openssh-7.8p1/sftp.0
+@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
@@ -160,6 +160,9 @@ DESCRIPTION
      -p      Preserves modification times, access times, and modes from the
              original files transferred.
 +     -Q      Not-so-quiet batch mode: forces printing of diagnostic messages
 +             in batch mode.
 +
      -q      Quiet mode: disables the progress meter as well as warning and
              diagnostic messages from ssh(1).
 Index: openssh-7.8p1/sftp.1
 ===================================================================
 --- openssh-7.8p1.orig/sftp.1
 +++ openssh-7.8p1/sftp.1
@@ -256,6 +256,9 @@ Specifies the port to connect to on the
 .It Fl p
 Preserves modification times, access times, and modes from the
 original files transferred.
@ -32,11 +17,11 @@ Index: openssh-7.8p1/sftp.1
 .It Fl q
 Quiet mode: disables the progress meter as well as warning and
 diagnostic messages from
-Index: openssh-7.8p1/sftp.c
+diff --git a/sftp.c b/sftp.c
-===================================================================
+index b66037f..6c94a38 100644
--- openssh-7.8p1.orig/sftp.c
+--- a/sftp.c
-+++ openssh-7.8p1/sftp.c
+++ b/sftp.c
-@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1;
+@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
 /* Suppress diagnositic messages */
 int quiet = 0;
@ -46,16 +31,16 @@ Index: openssh-7.8p1/sftp.c
 /* This is set to 0 if the progressmeter is not desired. */
 int showprogress = 1;
-@@ -2373,7 +2376,7 @@ main(int argc, char **argv)
+@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
 	infile = stdin;
 	while ((ch = getopt(argc, argv,
-	    "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
+-	    "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
-+	    "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
+	    "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
 		switch (ch) {
 		/* Passed through to ssh(1) */
 		case '4':
-@@ -2389,6 +2392,9 @@ main(int argc, char **argv)
+@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
 			addargs(&args, "-%c", ch);
 			addargs(&args, "%s", optarg);
 			break;
@ -65,7 +50,7 @@ Index: openssh-7.8p1/sftp.c
 		case 'q':
 			ll = SYSLOG_LEVEL_ERROR;
 			quiet = 1;
-@@ -2472,6 +2478,8 @@ main(int argc, char **argv)
+@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
 			usage();
 		}
 	}
--- a/openssh-7.9p1-CVE-2018-20685.patch
+++ b/openssh-7.9p1-CVE-2018-20685.patch
@ -1,33 +0,0 @@
 From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Fri, 16 Nov 2018 03:03:10 +0000
 Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
 to the
 current directory; based on report/patch from Harry Sintonen
 OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
 ---
 scp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/scp.c b/scp.c
 index 60682c687..4f3fdcd3d 100644
 --- a/scp.c
 +++ b/scp.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
 +/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
 			SCREWUP("size out of range");
 		size = (off_t)ull;
 -		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
 +		if (*cp == '\0' || strchr(cp, '/') != NULL ||
 +		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);
 		}
--- a/openssh-7.9p1-brace-expansion.patch
+++ b/openssh-7.9p1-brace-expansion.patch
@ -1,348 +0,0 @@
 From 3d896c157c722bc47adca51a58dca859225b5874 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sun, 10 Feb 2019 11:15:52 +0000
 Subject: [PATCH] upstream: when checking that filenames sent by the server
 side
 match what the client requested, be prepared to handle shell-style brace
 alternations, e.g. "{foo,bar}".
 "looks good to me" millert@ + in snaps for the last week courtesy
 deraadt@
 OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
 ---
 scp.c | 282 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 270 insertions(+), 12 deletions(-)
 Index: openssh-7.9p1/scp.c
 ===================================================================
 --- openssh-7.9p1.orig/scp.c
 +++ openssh-7.9p1/scp.c
@@ -627,6 +627,253 @@ parse_scp_uri(const char *uri, char **us
 	return r;
 }
 +/* Appends a string to an array; returns 0 on success, -1 on alloc failure */
 +static int
 +append(char *cp, char ***ap, size_t *np)
 +{
 +	char **tmp;
 +
 +	if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)
 +		return -1;
 +	tmp[(*np)] = cp;
 +	(*np)++;
 +	*ap = tmp;
 +	return 0;
 +}
 +
 +/*
 + * Finds the start and end of the first brace pair in the pattern.
 + * returns 0 on success or -1 for invalid patterns.
 + */
 +static int
 +find_brace(const char *pattern, int *startp, int *endp)
 +{
 +	int i;
 +	int in_bracket, brace_level;
 +
 +	*startp = *endp = -1;
 +	in_bracket = brace_level = 0;
 +	for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {
 +		switch (pattern[i]) {
 +		case '\\':
 +			/* skip next character */
 +			if (pattern[i + 1] != '\0')
 +				i++;
 +			break;
 +		case '[':
 +			in_bracket = 1;
 +			break;
 +		case ']':
 +			in_bracket = 0;
 +			break;
 +		case '{':
 +			if (in_bracket)
 +				break;
 +			if (pattern[i + 1] == '}') {
 +				/* Protect a single {}, for find(1), like csh */
 +				i++; /* skip */
 +				break;
 +			}
 +			if (*startp == -1)
 +				*startp = i;
 +			brace_level++;
 +			break;
 +		case '}':
 +			if (in_bracket)
 +				break;
 +			if (*startp < 0) {
 +				/* Unbalanced brace */
 +				return -1;
 +			}
 +			if (--brace_level <= 0)
 +				*endp = i;
 +			break;
 +		}
 +	}
 +	/* unbalanced brackets/braces */
 +	if (*endp < 0 && (*startp >= 0 || in_bracket))
 +		return -1;
 +	return 0;
 +}
 +
 +/*
 + * Assembles and records a successfully-expanded pattern, returns -1 on
 + * alloc failure.
 + */
 +static int
 +emit_expansion(const char *pattern, int brace_start, int brace_end,
 +    int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
 +{
 +	char *cp;
 +	int o = 0, tail_len = strlen(pattern + brace_end + 1);
 +
 +	if ((cp = malloc(brace_start + (sel_end - sel_start) +
 +	    tail_len + 1)) == NULL)
 +		return -1;
 +
 +	/* Pattern before initial brace */
 +	if (brace_start > 0) {
 +		memcpy(cp, pattern, brace_start);
 +		o = brace_start;
 +	}
 +	/* Current braced selection */
 +	if (sel_end - sel_start > 0) {
 +		memcpy(cp + o, pattern + sel_start,
 +		    sel_end - sel_start);
 +		o += sel_end - sel_start;
 +	}
 +	/* Remainder of pattern after closing brace */
 +	if (tail_len > 0) {
 +		memcpy(cp + o, pattern + brace_end + 1, tail_len);
 +		o += tail_len;
 +	}
 +	cp[o] = '\0';
 +	if (append(cp, patternsp, npatternsp) != 0) {
 +		free(cp);
 +		return -1;
 +	}
 +	return 0;
 +}
 +
 +/*
 + * Expand the first encountered brace in pattern, appending the expanded
 + * patterns it yielded to the *patternsp array.
 + *
 + * Returns 0 on success or -1 on allocation failure.
 + *
 + * Signals whether expansion was performed via *expanded and whether
 + * pattern was invalid via *invalid.
 + */
 +static int
 +brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,
 +    int *expanded, int *invalid)
 +{
 +	int i;
 +	int in_bracket, brace_start, brace_end, brace_level;
 +	int sel_start, sel_end;
 +
 +	*invalid = *expanded = 0;
 +
 +	if (find_brace(pattern, &brace_start, &brace_end) != 0) {
 +		*invalid = 1;
 +		return 0;
 +	} else if (brace_start == -1)
 +		return 0;
 +
 +	in_bracket = brace_level = 0;
 +	for (i = sel_start = brace_start + 1; i < brace_end; i++) {
 +		switch (pattern[i]) {
 +		case '{':
 +			if (in_bracket)
 +				break;
 +			brace_level++;
 +			break;
 +		case '}':
 +			if (in_bracket)
 +				break;
 +			brace_level--;
 +			break;
 +		case '[':
 +			in_bracket = 1;
 +			break;
 +		case ']':
 +			in_bracket = 0;
 +			break;
 +		case '\\':
 +			if (i < brace_end - 1)
 +				i++; /* skip */
 +			break;
 +		}
 +		if (pattern[i] == ',' || i == brace_end - 1) {
 +			if (in_bracket || brace_level > 0)
 +				continue;
 +			/* End of a selection, emit an expanded pattern */
 +
 +			/* Adjust end index for last selection */
 +			sel_end = (i == brace_end - 1) ? brace_end : i;
 +			if (emit_expansion(pattern, brace_start, brace_end,
 +			    sel_start, sel_end, patternsp, npatternsp) != 0)
 +				return -1;
 +			/* move on to the next selection */
 +			sel_start = i + 1;
 +			continue;
 +		}
 +	}
 +	if (in_bracket || brace_level > 0) {
 +		*invalid = 1;
 +		return 0;
 +	}
 +	/* success */
 +	*expanded = 1;
 +	return 0;
 +}
 +
 +/* Expand braces from pattern. Returns 0 on success, -1 on failure */
 +static int
 +brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)
 +{
 +	char *cp, *cp2, **active = NULL, **done = NULL;
 +	size_t i, nactive = 0, ndone = 0;
 +	int ret = -1, invalid = 0, expanded = 0;
 +
 +	*patternsp = NULL;
 +	*npatternsp = 0;
 +
 +	/* Start the worklist with the original pattern */
 +	if ((cp = strdup(pattern)) == NULL)
 +		return -1;
 +	if (append(cp, &active, &nactive) != 0) {
 +		free(cp);
 +		return -1;
 +	}
 +	while (nactive > 0) {
 +		cp = active[nactive - 1];
 +		nactive--;
 +		if (brace_expand_one(cp, &active, &nactive,
 +		    &expanded, &invalid) == -1) {
 +			free(cp);
 +			goto fail;
 +		}
 +		if (invalid)
 +			fatal("%s: invalid brace pattern \"%s\"", __func__, cp);
 +		if (expanded) {
 +			/*
 +			 * Current entry expanded to new entries on the
 +			 * active list; discard the progenitor pattern.
 +			 */
 +			free(cp);
 +			continue;
 +		}
 +		/*
 +		 * Pattern did not expand; append the finename component to
 +		 * the completed list
 +		 */
 +		if ((cp2 = strrchr(cp, '/')) != NULL)
 +			*cp2++ = '\0';
 +		else
 +			cp2 = cp;
 +		if (append(xstrdup(cp2), &done, &ndone) != 0) {
 +			free(cp);
 +			goto fail;
 +		}
 +		free(cp);
 +	}
 +	/* success */
 +	*patternsp = done;
 +	*npatternsp = ndone;
 +	done = NULL;
 +	ndone = 0;
 +	ret = 0;
 + fail:
 +	for (i = 0; i < nactive; i++)
 +		free(active[i]);
 +	free(active);
 +	for (i = 0; i < ndone; i++)
 +		free(done[i]);
 +	free(done);
 +	return ret;
 +}
 +
 void
 toremote(int argc, char **argv)
 {
@@ -990,7 +1237,8 @@ sink(int argc, char **argv, const char *
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 -	char *src_copy = NULL, *restrict_pattern = NULL;
 +	char **patterns = NULL;
 +	size_t n, npatterns = 0;
 	struct timeval tv[2];
 #define	atime	tv[0]
@@ -1020,16 +1268,13 @@ sink(int argc, char **argv, const char *
 		 * Prepare to try to restrict incoming filenames to match
 		 * the requested destination file glob.
 		 */
 -		if ((src_copy = strdup(src)) == NULL)
 -			fatal("strdup failed");
 -		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
 -			*restrict_pattern++ = '\0';
 -		}
 +		if (brace_expand(src, &patterns, &npatterns) != 0)
 +			fatal("%s: could not expand pattern", __func__);
 	}
 	for (first = 1;; first = 0) {
 		cp = buf;
 		if (atomicio(read, remin, cp, 1) != 1)
 -			return;
 +			goto done;
 		if (*cp++ == '\n')
 			SCREWUP("unexpected <newline>");
 		do {
@@ -1055,7 +1300,7 @@ sink(int argc, char **argv, const char *
 		}
 		if (buf[0] == 'E') {
 			(void) atomicio(vwrite, remout, "", 1);
 -			return;
 +			goto done;
 		}
 		if (ch == '\n')
 			*--cp = 0;
@@ -1130,9 +1375,14 @@ sink(int argc, char **argv, const char *
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);
 		}
 -		if (restrict_pattern != NULL &&
 -		    fnmatch(restrict_pattern, cp, 0) != 0)
 -			SCREWUP("filename does not match request");
 +		if (npatterns > 0) {
 +			for (n = 0; n < npatterns; n++) {
 +				if (fnmatch(patterns[n], cp, 0) == 0)
 +					break;
 +			}
 +			if (n >= npatterns)
 +				SCREWUP("filename does not match request");
 +		}
 		if (targisdir) {
 			static char *namebuf;
 			static size_t cursize;
@@ -1291,7 +1541,15 @@ bad:			run_err("%s: %s", np, strerror(er
 			break;
 		}
 	}
 +done:
 +	for (n = 0; n < npatterns; n++)
 +		free(patterns[n]);
 +	free(patterns);
 +	return;
 screwup:
 +	for (n = 0; n < npatterns; n++)
 +		free(patterns[n]);
 +	free(patterns);
 	run_err("protocol error: %s", why);
 	exit(1);
 }
--- a/openssh-7.9p1-keygen-preserve-perms.patch
+++ b/openssh-7.9p1-keygen-preserve-perms.patch
@ -0,0 +1,39 @@
 commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
 Author: Hans Petter Jansson <hpj@cl.no>
 Date:   Fri Sep 27 01:57:16 2019 +0200
    ssh-keygen: Preserve known_hosts permissions on rewrite
    Transfer the permissions of the old known_hosts file instead of
    just going with what mkstemp() gives us. This is useful in corner
    cases where known_hosts is shared between users.
 diff --git a/ssh-keygen.c b/ssh-keygen.c
 index 03a7fe5..ca8a309 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name)
 		if (inplace)
 			unlink(tmp);
 	} else if (inplace) {
 +		struct stat st;
 +
 +		/* Get metadata for existing file */
 +		r = stat(identity_file, &st);
 +
 		/* Backup existing file */
 		if (unlink(old) == -1 && errno != ENOENT)
 			fatal("unlink %.100s: %s", old, strerror(errno));
@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name)
 			unlink(old);
 			exit(1);
 		}
 +		/* Preserve permissions; non-critical */
 +		if (r != -1)
 +			r = chown(identity_file, st.st_uid, st.st_gid);
 +		if (r != -1)
 +			chmod(identity_file,
 +			      st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
 		printf("%s updated.\n", identity_file);
 		printf("Original contents retained as %s\n", old);
--- a/openssh-7.9p1-revert-new-qos-defaults.patch
+++ b/openssh-7.9p1-revert-new-qos-defaults.patch
@ -0,0 +1,76 @@
 commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
 Author: Hans Petter Jansson <hpj@cl.no>
 Date:   Thu Jun 20 23:54:11 2019 +0200
    Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
    Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
 diff --git a/readconf.c b/readconf.c
 index 24f2cb1..bbdea0d 100644
 --- a/readconf.c
 +++ b/readconf.c
@@ -2183,9 +2183,9 @@ fill_default_options(Options * options)
 	if (options->visual_host_key == -1)
 		options->visual_host_key = 0;
 	if (options->ip_qos_interactive == -1)
 -		options->ip_qos_interactive = IPTOS_DSCP_AF21;
 +		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 -		options->ip_qos_bulk = IPTOS_DSCP_CS1;
 +		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->request_tty == -1)
 		options->request_tty = REQUEST_TTY_AUTO;
 	if (options->proxy_use_fdpass == -1)
 diff --git a/servconf.c b/servconf.c
 index 13cf154..766ac6b 100644
 --- a/servconf.c
 +++ b/servconf.c
@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options)
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 	if (options->ip_qos_interactive == -1)
 -		options->ip_qos_interactive = IPTOS_DSCP_AF21;
 +		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 -		options->ip_qos_bulk = IPTOS_DSCP_CS1;
 +		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
 index 3bf0502..10246f8 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
 -.Cm af21
 -(Low-Latency Data)
 +.Cm lowdelay
 for interactive sessions and
 -.Cm cs1
 -(Lower Effort)
 +.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
 index 50a4917..a276fcb 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
 -.Cm af21
 -(Low-Latency Data)
 +.Cm lowdelay
 for interactive sessions and
 -.Cm cs1
 -(Lower Effort)
 +.Cm throughput
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
--- a/openssh-7.9p1.tar.gz
+++ b/openssh-7.9p1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
 size 1565384
--- a/openssh-7.9p1.tar.gz.asc
+++ b/openssh-7.9p1.tar.gz.asc
@ -1,14 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
 DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
 jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
 9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
 ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
 3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
 +dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
 sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
 WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
 HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
 =4Z9x
 -----END PGP SIGNATURE-----
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
--- a/openssh-8.1p1-audit.patch
+++ b/openssh-8.1p1-audit.patch
--- a/openssh-8.1p1.tar.gz
+++ b/openssh-8.1p1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
 size 1625894
--- a/openssh-8.1p1.tar.gz.asc
+++ b/openssh-8.1p1.tar.gz.asc
@ -0,0 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl2dLEgACgkQ0+X1a22S
 DTAcUgx7BcRCaH7fb0AeQGvIrxXlyeN3uL6HOyo8MKkryN+y9zpvpcU6T8FBjtoh
 zgjonewzodGj+C1ma0O9TgIfnUxdOVL+eQsPYgOWLJt2MzSnY/Ru+20J5ZGwGc+5
 pJcuV+xlAuwae/EL+Pk86CdQ0D6zaf9NBHGTNmrswwhT9B3UWSCbEmmc8jm0DChm
 F5+dW1nK0n6YSQ9dVUH17/ujvego5WQkOiaSxjaK29/xS39BD6jrbwfFpL3/iKru
 mWVzcNJaX5WL3ZUnyZRcIHzVpBdr2n0pLCnmqIT8LGPwI3razEbZKIDXf+q0ZA88
 wRfCL9aEVWjhG+v56c/NiM/wD3h3A4uh8fZeeeyP3hmgEv8Wp8g7fFxf5MaEJlGL
 Oy6LeH0+x/uPySxaEvy4kuo/hapX2ClM16EMCUXHPwGIYRWdbTL7rzMTaoG3thyz
 VO04LulI9Xmvadn6k3JR5mFPpIsV+LNwt3g+c+4rBWspOdTHnFqo+OO7Uk8Ee3E0
 /MeuPBtqQq9o7RkoY8wtVOqT8q9/6g==
 =mpF6
 -----END PGP SIGNATURE-----
--- a/openssh-CVE-2019-6109-force-progressmeter-update.patch
+++ b/openssh-CVE-2019-6109-force-progressmeter-update.patch
@ -1,110 +0,0 @@
 commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
 Date:   Thu Jan 24 16:52:17 2019 +0000
    upstream: Have progressmeter force an update at the beginning and
    end of each transfer.  Fixes the problem recently introduces where very quick
    transfers do not display the progressmeter at all.  Spotted by naddy@
    OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
 Index: openssh-7.9p1/progressmeter.c
 ===================================================================
 --- openssh-7.9p1.orig/progressmeter.c
 +++ openssh-7.9p1/progressmeter.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
 /*
  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
  *
@@ -59,9 +59,6 @@ static void format_rate(char *, int, off
 static void sig_winch(int);
 static void setscreensize(void);
 -/* updates the progressmeter to reflect the current state of the transfer */
 -void refresh_progress_meter(void);
 -
 /* signal handler for updating the progress meter */
 static void sig_alarm(int);
@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t b
 }
 void
 -refresh_progress_meter(void)
 +refresh_progress_meter(int force_update)
 {
 	char buf[MAX_WINSIZE + 1];
 	off_t transferred;
@@ -131,7 +128,7 @@ refresh_progress_meter(void)
 	int hours, minutes, seconds;
 	int file_len;
 -	if ((!alarm_fired && !win_resized) || !can_output())
 +	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
 		return;
 	alarm_fired = 0;
@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_
 	bytes_per_second = 0;
 	setscreensize();
 -	refresh_progress_meter();
 +	refresh_progress_meter(1);
 	signal(SIGALRM, sig_alarm);
 	signal(SIGWINCH, sig_winch);
@@ -271,7 +268,7 @@ stop_progress_meter(void)
 	/* Ensure we complete the progress */
 	if (cur_pos != end_pos)
 -		refresh_progress_meter();
 +		refresh_progress_meter(1);
 	atomicio(vwrite, STDOUT_FILENO, "\n", 1);
 }
 Index: openssh-7.9p1/progressmeter.h
 ===================================================================
 --- openssh-7.9p1.orig/progressmeter.h
 +++ openssh-7.9p1/progressmeter.h
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
 /*
  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
  *
@@ -24,5 +24,5 @@
  */
 void	start_progress_meter(const char *, off_t, off_t *);
 -void	refresh_progress_meter(void);
 +void	refresh_progress_meter(int);
 void	stop_progress_meter(void);
 Index: openssh-7.9p1/scp.c
 ===================================================================
 --- openssh-7.9p1.orig/scp.c
 +++ openssh-7.9p1/scp.c
@@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s)
 	off_t *cnt = (off_t *)_cnt;
 	*cnt += s;
 -	refresh_progress_meter();
 +	refresh_progress_meter(0);
 	if (limit_kbps > 0)
 		bandwidth_limit(&bwlimit, s);
 	return 0;
 Index: openssh-7.9p1/sftp-client.c
 ===================================================================
 --- openssh-7.9p1.orig/sftp-client.c
 +++ openssh-7.9p1/sftp-client.c
@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
 {
 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
 -	refresh_progress_meter();
 +	refresh_progress_meter(0);
 	if (bwlimit != NULL)
 		bandwidth_limit(bwlimit, amount);
 	return 0;
--- a/openssh-CVE-2019-6109-sanitize-scp-filenames.patch
+++ b/openssh-CVE-2019-6109-sanitize-scp-filenames.patch
@ -1,262 +0,0 @@
 commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
 Date:   Wed Jan 23 08:01:46 2019 +0000
    upstream: Sanitize scp filenames via snmprintf. To do this we move
    the progressmeter formatting outside of signal handler context and have the
    atomicio callback called for EINTR too.  bz#2434 with contributions from djm
    and jjelen at redhat.com, ok djm@
    OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
 Index: openssh-7.9p1/atomicio.c
 ===================================================================
 --- openssh-7.9p1.orig/atomicio.c
 +++ openssh-7.9p1/atomicio.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
 +/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, siz
 		res = (f) (fd, s + pos, n - pos);
 		switch (res) {
 		case -1:
 -			if (errno == EINTR)
 +		        if (errno == EINTR) {
 +			        /* possible SIGALARM, update callback */
 +                                if (cb != NULL && cb(cb_arg, 0) == -1) {
 +				        errno = EINTR;
 +					return pos;
 +				}
 				continue;
 -			if (errno == EAGAIN || errno == EWOULDBLOCK) {
 +			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READ_COMPARISON
 				(void)poll(&pfd, 1, -1);
 #endif
@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const stru
 		res = (f) (fd, iov, iovcnt);
 		switch (res) {
 		case -1:
 -			if (errno == EINTR)
 +                        if (errno == EINTR) {
 +			        /* possible SIGALARM, update callback */
 +			        if (cb != NULL && cb(cb_arg, 0) == -1) {
 +				        errno = EINTR;
 +					return pos;
 +				}
 				continue;
 -			if (errno == EAGAIN || errno == EWOULDBLOCK) {
 +			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READV_COMPARISON
 				(void)poll(&pfd, 1, -1);
 #endif
 Index: openssh-7.9p1/progressmeter.c
 ===================================================================
 --- openssh-7.9p1.orig/progressmeter.c
 +++ openssh-7.9p1/progressmeter.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
  *
@@ -31,6 +31,7 @@
 #include <errno.h>
 #include <signal.h>
 +#include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
@@ -39,6 +40,7 @@
 #include "progressmeter.h"
 #include "atomicio.h"
 #include "misc.h"
 +#include "utf8.h"
 #define DEFAULT_WINSIZE 80
 #define MAX_WINSIZE 512
@@ -61,7 +63,7 @@ static void setscreensize(void);
 void refresh_progress_meter(void);
 /* signal handler for updating the progress meter */
 -static void update_progress_meter(int);
 +static void sig_alarm(int);
 static double start;		/* start progress */
 static double last_update;	/* last progress update */
@@ -74,6 +76,7 @@ static long stalled;		/* how long we hav
 static int bytes_per_second;	/* current speed in bytes per second */
 static int win_size;		/* terminal window size */
 static volatile sig_atomic_t win_resized; /* for window resizing */
 +static volatile sig_atomic_t alarm_fired;
 /* units for format_size */
 static const char unit[] = " KMGT";
@@ -126,9 +129,17 @@ refresh_progress_meter(void)
 	off_t bytes_left;
 	int cur_speed;
 	int hours, minutes, seconds;
 -	int i, len;
 	int file_len;
 +	if ((!alarm_fired && !win_resized) || !can_output())
 +		return;
 +	alarm_fired = 0;
 +
 +	if (win_resized) {
 +		setscreensize();
 +		win_resized = 0;
 +	}
 +
 	transferred = *counter - (cur_pos ? cur_pos : start_pos);
 	cur_pos = *counter;
 	now = monotime_double();
@@ -158,16 +169,11 @@ refresh_progress_meter(void)
 	/* filename */
 	buf[0] = '\0';
 -	file_len = win_size - 35;
 +	file_len = win_size - 36;
 	if (file_len > 0) {
 -		len = snprintf(buf, file_len + 1, "\r%s", file);
 -		if (len < 0)
 -			len = 0;
 -		if (len >= file_len + 1)
 -			len = file_len;
 -		for (i = len; i < file_len; i++)
 -			buf[i] = ' ';
 -		buf[file_len] = '\0';
 +		buf[0] = '\r';
 +		snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
 +		    file_len * -1, file);
 	}
 	/* percent of transfer done */
@@ -228,22 +234,11 @@ refresh_progress_meter(void)
 /*ARGSUSED*/
 static void
 -update_progress_meter(int ignore)
 +sig_alarm(int ignore)
 {
 -	int save_errno;
 -
 -	save_errno = errno;
 -
 -	if (win_resized) {
 -		setscreensize();
 -		win_resized = 0;
 -	}
 -	if (can_output())
 -		refresh_progress_meter();
 -
 -	signal(SIGALRM, update_progress_meter);
 +	signal(SIGALRM, sig_alarm);
 +	alarm_fired = 1;
 	alarm(UPDATE_INTERVAL);
 -	errno = save_errno;
 }
 void
@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_
 	bytes_per_second = 0;
 	setscreensize();
 -	if (can_output())
 -		refresh_progress_meter();
 +	refresh_progress_meter();
 -	signal(SIGALRM, update_progress_meter);
 +	signal(SIGALRM, sig_alarm);
 	signal(SIGWINCH, sig_winch);
 	alarm(UPDATE_INTERVAL);
 }
@@ -286,6 +280,7 @@ stop_progress_meter(void)
 static void
 sig_winch(int sig)
 {
 +	signal(SIGWINCH, sig_winch);
 	win_resized = 1;
 }
 Index: openssh-7.9p1/progressmeter.h
 ===================================================================
 --- openssh-7.9p1.orig/progressmeter.h
 +++ openssh-7.9p1/progressmeter.h
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
 +/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
  *
@@ -24,4 +24,5 @@
  */
 void	start_progress_meter(const char *, off_t, off_t *);
 +void	refresh_progress_meter(void);
 void	stop_progress_meter(void);
 Index: openssh-7.9p1/scp.c
 ===================================================================
 --- openssh-7.9p1.orig/scp.c
 +++ openssh-7.9p1/scp.c
@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
 	off_t *cnt = (off_t *)_cnt;
 	*cnt += s;
 +	refresh_progress_meter();
 	if (limit_kbps > 0)
 		bandwidth_limit(&bwlimit, s);
 	return 0;
 Index: openssh-7.9p1/sftp-client.c
 ===================================================================
 --- openssh-7.9p1.orig/sftp-client.c
 +++ openssh-7.9p1/sftp-client.c
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
 {
 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
 -	bandwidth_limit(bwlimit, amount);
 +	refresh_progress_meter();
 +	if (bwlimit != NULL)
 +		bandwidth_limit(bwlimit, amount);
 	return 0;
 }
@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct
 	iov[1].iov_base = (u_char *)sshbuf_ptr(m);
 	iov[1].iov_len = sshbuf_len(m);
 -	if (atomiciov6(writev, conn->fd_out, iov, 2,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
 +	if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
 	    sshbuf_len(m) + sizeof(mlen))
 		fatal("Couldn't send packet: %s", strerror(errno));
@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn,
 	if ((r = sshbuf_reserve(m, 4, &p)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 -	if (atomicio6(read, conn->fd_in, p, 4,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
 +	if (atomicio6(read, conn->fd_in, p, 4, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
 		if (errno == EPIPE || errno == ECONNRESET)
 			fatal("Connection closed");
 		else
@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn,
 	if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 -	if (atomicio6(read, conn->fd_in, p, msg_len,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
 +	if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
 	    != msg_len) {
 		if (errno == EPIPE)
 			fatal("Connection closed");
--- a/openssh-CVE-2019-6111-scp-client-wildcard.patch
+++ b/openssh-CVE-2019-6111-scp-client-wildcard.patch
@ -1,186 +0,0 @@
 commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
 Author: djm@openbsd.org <djm@openbsd.org>
 Date:   Sat Jan 26 22:41:28 2019 +0000
    upstream: check in scp client that filenames sent during
    remote->local directory copies satisfy the wildcard specified by the user.
    This checking provides some protection against a malicious server
    sending unexpected filenames, but it comes at a risk of rejecting wanted
    files due to differences between client and server wildcard expansion rules.
    For this reason, this also adds a new -T flag to disable the check.
    reported by Harry Sintonen
    fix approach suggested by markus@;
    has been in snaps for ~1wk courtesy deraadt@
    OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
 Index: openssh-7.9p1/scp.1
 ===================================================================
 --- openssh-7.9p1.orig/scp.1
 +++ openssh-7.9p1/scp.1
@@ -18,7 +18,7 @@
 .Nd secure copy (remote file copy program)
 .Sh SYNOPSIS
 .Nm scp
 -.Op Fl 346BCpqrv
 +.Op Fl 346BCpqrTv
 .Op Fl c Ar cipher
 .Op Fl F Ar ssh_config
 .Op Fl i Ar identity_file
@@ -208,6 +208,16 @@ to use for the encrypted connection.
 The program must understand
 .Xr ssh 1
 options.
 +.It Fl T
 +Disable strict filename checking.
 +By default when copying files from a remote host to a local directory
 +.Nm
 +checks that the received filenames match those requested on the command-line
 +to prevent the remote end from sending unexpected or unwanted files.
 +Because of differences in how various operating systems and shells interpret
 +filename wildcards, these checks may cause wanted files to be rejected.
 +This option disables these checks at the expense of fully trusting that
 +the server will not send unexpected filenames.
 .It Fl v
 Verbose mode.
 Causes
 Index: openssh-7.9p1/scp.c
 ===================================================================
 --- openssh-7.9p1.orig/scp.c
 +++ openssh-7.9p1/scp.c
@@ -94,6 +94,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 +#include <fnmatch.h>
 #include <limits.h>
 #include <locale.h>
 #include <pwd.h>
@@ -375,14 +376,14 @@ void verifydir(char *);
 struct passwd *pwd;
 uid_t userid;
 int errs, remin, remout;
 -int pflag, iamremote, iamrecursive, targetshouldbedirectory;
 +int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
 #define	CMDNEEDS	64
 char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
 int response(void);
 void rsource(char *, struct stat *);
 -void sink(int, char *[]);
 +void sink(int, char *[], const char *);
 void source(int, char *[]);
 void tolocal(int, char *[]);
 void toremote(int, char *[]);
@@ -421,8 +422,9 @@ main(int argc, char **argv)
 	addargs(&args, "-oRemoteCommand=none");
 	addargs(&args, "-oRequestTTY=no");
 -	fflag = tflag = 0;
 -	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
 +	fflag = Tflag = tflag = 0;
 +	while ((ch = getopt(argc, argv,
 +	    "dfl:prtTvBCc:i:P:q12346S:o:F:J:")) != -1) {
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@@ -501,9 +503,13 @@ main(int argc, char **argv)
 			setmode(0, O_BINARY);
 #endif
 			break;
 +		case 'T':
 +			Tflag = 1;
 +			break;
 		default:
 			usage();
 		}
 +	}
 	argc -= optind;
 	argv += optind;
@@ -534,7 +540,7 @@ main(int argc, char **argv)
 	}
 	if (tflag) {
 		/* Receive data. */
 -		sink(argc, argv);
 +		sink(argc, argv, NULL);
 		exit(errs != 0);
 	}
 	if (argc < 2)
@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
 			continue;
 		}
 		free(bp);
 -		sink(1, argv + argc - 1);
 +		sink(1, argv + argc - 1, src);
 		(void) close(remin);
 		remin = remout = -1;
 	}
@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
 	 (sizeof(type) != 4 && sizeof(type) != 8))
 void
 -sink(int argc, char **argv)
 +sink(int argc, char **argv, const char *src)
 {
 	static BUF buffer;
 	struct stat stb;
@@ -984,6 +990,7 @@ sink(int argc, char **argv)
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 +	char *src_copy = NULL, *restrict_pattern = NULL;
 	struct timeval tv[2];
 #define	atime	tv[0]
@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
 	(void) atomicio(vwrite, remout, "", 1);
 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
 		targisdir = 1;
 +	if (src != NULL && !iamrecursive && !Tflag) {
 +		/*
 +		 * Prepare to try to restrict incoming filenames to match
 +		 * the requested destination file glob.
 +		 */
 +		if ((src_copy = strdup(src)) == NULL)
 +			fatal("strdup failed");
 +		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
 +			*restrict_pattern++ = '\0';
 +		}
 +	}
 	for (first = 1;; first = 0) {
 		cp = buf;
 		if (atomicio(read, remin, cp, 1) != 1)
@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);
 		}
 +		if (restrict_pattern != NULL &&
 +		    fnmatch(restrict_pattern, cp, 0) != 0)
 +			SCREWUP("filename does not match request");
 		if (targisdir) {
 			static char *namebuf;
 			static size_t cursize;
@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
 					goto bad;
 			}
 			vect[0] = xstrdup(np);
 -			sink(1, vect);
 +			sink(1, vect, src);
 			if (setimes) {
 				setimes = 0;
 				if (utimes(vect[0], tv) < 0)
@@ -1317,7 +1338,7 @@ void
 usage(void)
 {
 	(void) fprintf(stderr,
 -	    "usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
 +	    "usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
 	    "           [-l limit] [-o ssh_option] [-P port] [-S program] source ... target\n");
 	exit(1);
 }
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -18,7 +18,7 @@
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        7.9p1
+Version:        8.1p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
--- a/openssh-openssl-1_0_0-compatibility.patch
+++ b/openssh-openssl-1_0_0-compatibility.patch
@ -1,41 +0,0 @@
 Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
 ===================================================================
 --- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c	2018-11-26 11:47:17.417925053 +0100
 +++ openssh-7.9p1/openbsd-compat/openssl-compat.c	2018-11-26 11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
 -#if OPENSSL_VERSION_NUMBER < 0x10001000L
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	OPENSSL_config(NULL);
 #else
 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
 Index: openssh-7.9p1/gss-genr.c
 ===================================================================
 --- openssh-7.9p1.orig/gss-genr.c	2018-11-26 11:47:17.417925053 +0100
 +++ openssh-7.9p1/gss-genr.c	2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
        if ((buf = sshbuf_new()) == NULL)
 	 fatal("%s: sshbuf_new failed", __func__);
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +       md = EVP_MD_CTX_create();
 +#else
        md = EVP_MD_CTX_new();
 +#endif
        oidpos = 0;
        for (i = 0; i < gss_supported->count; i++) {
 	       if (gss_supported->elements[i].length < 128 &&
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 		       oidpos++;
 	       }
        }
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +       EVP_MD_CTX_destroy(md);
 +#else
        EVP_MD_CTX_free(md);
 +#endif
        gss_enc2oid[oidpos].oid = NULL;
        gss_enc2oid[oidpos].encoded = NULL;
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,135 @@
 -------------------------------------------------------------------
 Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
 - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing
  known_hosts file when modified by ssh-keygen (for instance,
  with -R).
 - Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
 -------------------------------------------------------------------
 Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
 - Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
  in /etc/sysconfig/ssh. This is set to "yes" by default, but
  can be changed by the system administrator (bsc#1139089).
 -------------------------------------------------------------------
 Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
 - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing
  known_hosts file when modified by ssh-keygen (for instance,
  with -R).
 -------------------------------------------------------------------
 Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
 - Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
 - Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.
  * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
    PKCS#11 tokens.
  * ssh(1), sshd(8): Add experimental quantum-computing resistant
    key exchange method, based on a combination of Streamlined NTRU
    Prime 4591^761 and X25519.
  * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
    following NIST Special Publication 800-57's guidance for a
    128-bit equivalent symmetric security level.
  * ssh(1): Allow "PKCS11Provider=none" to override later instances of
    the PKCS11Provider directive in ssh_config,
  * sshd(8): Add a log message for situations where a connection is
    dropped for attempting to run a command but a sshd_config
    ForceCommand=internal-sftp restriction is in effect.
  * ssh(1): When prompting whether to record a new host key, accept
    the key fingerprint as a synonym for "yes". This allows the user
    to paste a fingerprint obtained out of band at the prompt and
    have the client do the comparison for you.
  * ssh-keygen(1): When signing multiple certificates on a single
    command-line invocation, allow automatically incrementing the
    certificate serial number.
  * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
    the scp and sftp command-lines.
  * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
    command-line flags to increase the verbosity of output; pass
    verbose flags though to subprocesses, such as ssh-pkcs11-helper
    started from ssh-agent.
  * ssh-add(1): Add a "-T" option to allowing testing whether keys in
    an agent are usable by performing a signature and a verification.
  * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
    that replicates the functionality of the existing SSH2_FXP_SETSTAT
    operation but does not follow symlinks.
  * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
    they do not follow symlinks.
  * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
    the connection 4-tuple available to PAM modules that wish to use
    it in decision-making.
  * sshd(8): Add a ssh_config "Match final" predicate Matches in same
    pass as "Match canonical" but doesn't require hostname
    canonicalisation be enabled.
  * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
    commands.
  * ssh-keygen(1): When printing certificate contents using
    "ssh-keygen -Lf /path/certificate", include the algorithm that
    the CA used to sign the cert.
 - Rebased patches:
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-disable_openssl_abi_check.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-sftp_force_permissions.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-8.0p1-gssapi-keyex.patch (formerly
    openssh-7.7p1-gssapi_key_exchange.patch)
  * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
 - Removed patches (integrated upstream):
  * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
  * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
  * openssh-7.9p1-CVE-2018-20685.patch
  * openssh-7.9p1-brace-expansion.patch
  * openssh-CVE-2019-6109-force-progressmeter-update.patch
  * openssh-CVE-2019-6109-sanitize-scp-filenames.patch
  * openssh-CVE-2019-6111-scp-client-wildcard.patch
 - Removed patches (obsolete):
  * openssh-openssl-1_0_0-compatibility.patch
 -------------------------------------------------------------------
 Mon Aug 19 11:24:36 CEST 2019 - kukuk@suse.de
--- a/openssh.spec
+++ b/openssh.spec
@ -37,7 +37,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        7.9p1
+Version:        8.1p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@ -70,7 +70,6 @@ Patch14:        openssh-7.7p1-seccomp_stat.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch15:        openssh-7.7p1-seccomp_ipc_flock.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch16:        openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
 # Local FIPS patchset
 Patch17:        openssh-7.7p1-fips.patch
 # Local cavs patchset
@ -82,9 +81,9 @@ Patch20:        openssh-7.7p1-fips_checks.patch
 Patch21:        openssh-7.7p1-seed-prng.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch22:        openssh-7.7p1-systemd-notify.patch
-Patch23:        openssh-7.7p1-gssapi_key_exchange.patch
+Patch23:        openssh-8.0p1-gssapi-keyex.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch24:        openssh-7.7p1-audit.patch
+Patch24:        openssh-8.1p1-audit.patch
 # Local patch to disable runtime abi SSL checks, quite pointless for us
 Patch26:        openssh-7.7p1-disable_openssl_abi_check.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2641
@ -98,13 +97,8 @@ Patch31:        openssh-7.7p1-ldap.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2213
 Patch32:        openssh-7.7p1-IPv6_X_forwarding.patch
 Patch33:        openssh-7.7p1-sftp_print_diagnostic_messages.patch
-Patch34:        openssh-openssl-1_0_0-compatibility.patch
+Patch34:        openssh-7.9p1-keygen-preserve-perms.patch
-Patch35:        openssh-7.9p1-CVE-2018-20685.patch
+Patch35:        openssh-7.9p1-revert-new-qos-defaults.patch
 Patch36:        openssh-CVE-2019-6109-sanitize-scp-filenames.patch
 Patch37:        openssh-CVE-2019-6109-force-progressmeter-update.patch
 Patch38:        openssh-CVE-2019-6111-scp-client-wildcard.patch
 Patch39:        openssh-7.9p1-brace-expansion.patch
 Patch40:        0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  groff
--- a/5
+++ b/5
@ -1,5 +1,8 @@
 #!/bin/sh
-if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then
+
 . /etc/sysconfig/ssh
 if [ "$SSHD_AUTO_KEYGEN" = "yes" ]; then
    echo "Checking for missing server keys in /etc/ssh"
    ssh-keygen -A
 fi
--- a/sysconfig.ssh
+++ b/sysconfig.ssh
@ -7,3 +7,8 @@
 # Options for sshd
 #
 SSHD_OPTS=""
 #
 # Whether to run ssh-keygen -A
 #
 SSHD_AUTO_KEYGEN="yes"