openssh: update to 9.6p1

openssh/openssh-6.6.1p1-selinux-contexts.patch

@@ -93,19 +93,17 @@ index 8f32464..18a2ca4 100644
  #endif
  
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
---- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c	(date 1703108053912)
-+++ b/openbsd-compat/port-linux.c
+@@ -207,7 +207,7 @@
-@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ 	xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
- 	strlcpy(newctx + len, newname, newlen - len);
+ 	    newname, cx2 == NULL ? "" : cx2);
- 	if ((cx = index(cx + 1, ':')))
+
- 		strlcat(newctx, cx, newlen);
+-	debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
--	debug3("%s: setting context from '%s' to '%s'", __func__,
++	debug_f("setting context from '%s' to '%s'", oldctx, newctx);
-+	debug_f("setting context from '%s' to '%s'",
- 	    oldctx, newctx);
  	if (setcon(newctx) < 0)
- 		do_log2(log_level, "%s: setcon %s from %s failed with %s",
+ 		do_log2_f(log_level, "setcon %s from %s failed with %s",
-		    __func__, newctx, oldctx, strerror(errno));
+ 		    newctx, oldctx, strerror(errno));
 diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
 index cb51f99..8b7cda2 100644
 --- a/openbsd-compat/port-linux.h

openssh/openssh-6.7p1-coverity.patch

@@ -17,17 +17,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
  			return oerrno;
  		}
  		/* make sure the KRB5CCNAME is set for non-standard location */
-diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
---- openssh-8.5p1/auth-options.c.coverity	2021-03-02 11:31:47.000000000 +0100
-+++ openssh-8.5p1/auth-options.c	2021-03-24 12:03:33.782968159 +0100
-@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
- 		return r;
- 	}
- 	/* success */
-+	sshbuf_free(b);
- 	return 0;
- }
- 
 diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
 --- openssh-8.5p1/gss-genr.c.coverity	2021-03-26 11:52:46.613942552 +0100
 +++ openssh-8.5p1/gss-genr.c	2021-03-26 11:54:37.881726318 +0100
@@ -42,32 +31,9 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
  			for ((p = strsep(&cp, ",")); p && *p != '\0';
  				(p = strsep(&cp, ","))) {
  				if (sshbuf_len(buf) != 0 &&
-diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
---- openssh-8.5p1/kexgssc.c.coverity	2021-03-24 12:03:33.711967665 +0100
-+++ openssh-8.5p1/kexgssc.c	2021-03-24 12:03:33.783968166 +0100
-@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
- 	default:
- 		fatal_f("Unexpected KEX type %d", kex->kex_type);
- 	}
--	if (r != 0)
-+	if (r != 0) {
-+		ssh_gssapi_delete_ctx(&ctxt);
- 		return r;
-+	}
- 
- 	token_ptr = GSS_C_NO_BUFFER;
- 
 diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
 --- openssh-8.5p1/krl.c.coverity	2021-03-02 11:31:47.000000000 +0100
 +++ openssh-8.5p1/krl.c	2021-03-24 12:03:33.783968166 +0100
-@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
- 	sshkey_free(key);
- 	sshbuf_free(copy);
- 	sshbuf_free(sect);
-+	/* coverity[leaked_storage : FALSE] */
- 	return r;
- }
- 
 @@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
  		return r;
  	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
@@ -164,23 +130,6 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
  	return (0);
  
   error:
-diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
---- openssh-7.4p1/monitor_wrap.c.coverity	2016-12-23 16:40:26.892788689 +0100
-+++ openssh-7.4p1/monitor_wrap.c	2016-12-23 16:40:26.900788691 +0100
-@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
- 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
- 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
- 		error_f("cannot allocate fds for pty");
--		if (tmp1 > 0)
-+		if (tmp1 >= 0)
- 			close(tmp1);
--		if (tmp2 > 0)
--			close(tmp2);
-+		/*DEAD CODE if (tmp2 >= 0)
-+			close(tmp2);*/
- 		return 0;
- 	}
- 	close(tmp1);
 diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
 --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/openbsd-compat/bindresvport.c	2016-12-23 16:40:26.901788691 +0100
@@ -234,23 +183,6 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
  				goto out;
  			}
  			free(arg2);
-diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
---- openssh-8.7p1/scp.c.coverity	2021-08-30 16:23:35.389741329 +0200
-+++ openssh-8.7p1/scp.c	2021-08-30 16:27:04.854555296 +0200
-@@ -186,11 +186,11 @@ killchild(int signo)
- {
- 	if (do_cmd_pid > 1) {
- 		kill(do_cmd_pid, signo ? signo : SIGTERM);
--		waitpid(do_cmd_pid, NULL, 0);
-+		(void) waitpid(do_cmd_pid, NULL, 0);
- 	}
- 	if (do_cmd_pid2 > 1) {
- 		kill(do_cmd_pid2, signo ? signo : SIGTERM);
--		waitpid(do_cmd_pid2, NULL, 0);
-+		(void) waitpid(do_cmd_pid2, NULL, 0);
- 	}
- 
- 	if (signo)
 diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
@@ -278,18 +210,6 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
  		if (tun != SSH_TUNID_ANY &&
  		    auth_opts->force_tun_device != (int)tun)
  			goto done;
-diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
---- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
-@@ -224,7 +224,7 @@ killchild(int signo)
- 	pid = sshpid;
- 	if (pid > 1) {
- 		kill(pid, SIGTERM);
--		waitpid(pid, NULL, 0);
-+		(void) waitpid(pid, NULL, 0);
- 	}
- 
- 	_exit(1);
 diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
@@ -301,28 +221,6 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
  			return NULL;
  		}
  		/* validate also provider from URI */
-@@ -1220,8 +1220,8 @@ main(int ac, char **av)
- 	sanitise_stdfd();
- 
- 	/* drop */
--	setegid(getgid());
--	setgid(getgid());
-+	(void) setegid(getgid());
-+	(void) setgid(getgid());
- 
- 	platform_disable_tracing(0);	/* strict=no */
- 
-diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
---- openssh-8.5p1/ssh.c.coverity	2021-03-24 12:03:33.779968138 +0100
-+++ openssh-8.5p1/ssh.c	2021-03-24 12:03:33.786968187 +0100
-@@ -1746,6 +1746,7 @@ control_persist_detach(void)
- 		close(muxserver_sock);
- 		muxserver_sock = -1;
- 		options.control_master = SSHCTL_MASTER_NO;
-+		/* coverity[leaked_handle: FALSE]*/
- 		muxclient(options.control_path);
- 		/* muxclient() doesn't return on success. */
- 		fatal("Failed to connect to new control master");
 diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
 --- openssh-7.4p1/sshd.c.coverity	2016-12-23 16:40:26.897788690 +0100
 +++ openssh-7.4p1/sshd.c	2016-12-23 16:40:26.904788692 +0100

openssh/openssh-7.2p2-x11.patch

@@ -1,21 +1,23 @@
-diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
+diff --git a/channels.c b/channels.c
---- openssh-7.2p2/channels.c.x11	2016-03-09 19:04:48.000000000 +0100
+--- a/channels.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-7.2p2/channels.c	2016-06-03 10:42:04.775164520 +0200
++++ b/channels.c	(date 1703026069921)
-@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
+@@ -5075,11 +5075,13 @@
  }
- 
+
  static int
 -connect_local_xsocket_path(const char *pathname)
 +connect_local_xsocket_path(const char *pathname, int len)
  {
  	int sock;
  	struct sockaddr_un addr;
- 
+
-+	if (len <= 0)
++    if (len <= 0)
-+		return -1;
++        return -1;
  	sock = socket(AF_UNIX, SOCK_STREAM, 0);
- 	if (sock == -1)
+ 	if (sock == -1) {
  		error("socket: %.100s", strerror(errno));
+@@ -5087,11 +5089,12 @@
+ 	}
  	memset(&addr, 0, sizeof(addr));
  	addr.sun_family = AF_UNIX;
 -	strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
@@ -29,8 +31,8 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
 -	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
  	return -1;
  }
- 
+
-@@ -4012,8 +4015,18 @@ static int
+@@ -5099,8 +5102,18 @@
  connect_local_xsocket(u_int dnr)
  {
  	char buf[1024];

openssh/openssh-7.8p1-role-mls.patch

@@ -23,7 +23,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
  	if ((style = strchr(user, ':')) != NULL)
  		*style++ = 0;
  
-@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
+@@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32
  		    use_privsep ? " [net]" : "");
  		authctxt->service = xstrdup(service);
  		authctxt->style = style ? xstrdup(style) : NULL;
@@ -34,12 +34,12 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
 +		if (use_privsep) {
  			mm_inform_authserv(service, style);
 +#ifdef WITH_SELINUX
-+			mm_inform_authrole(role);
++         	mm_inform_authrole(role);
 +#endif
-+		}
++        }
  		userauth_banner(ssh);
- 		if (auth2_setup_methods_lists(authctxt) != 0)
+ 		if ((r = kex_server_update_ext_info(ssh)) != 0)
- 			ssh_packet_disconnect(ssh,
+ 			fatal_fr(r, "kex_server_update_ext_info failed");
 diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 --- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200

openssh/openssh-8.7p1-minrsabits.patch

@@ -1,23 +1,21 @@
 diff --git a/readconf.c b/readconf.c
-index 7f26c680..42be690b 100644
+--- a/readconf.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
---- a/readconf.c
++++ b/readconf.c	(date 1703169891147)
-+++ b/readconf.c
+@@ -326,6 +326,7 @@
-@@ -320,6 +320,7 @@ static struct {
  	{ "securitykeyprovider", oSecurityKeyProvider },
  	{ "knownhostscommand", oKnownHostsCommand },
-	{ "requiredrsasize", oRequiredRSASize },
+ 	{ "requiredrsasize", oRequiredRSASize },
 +	{ "rsaminsize", oRequiredRSASize }, /* alias */
  	{ "enableescapecommandline", oEnableEscapeCommandline },
- 
+ 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
- 	{ NULL, oBadOption }
+ 	{ "channeltimeout", oChannelTimeout },
 diff --git a/servconf.c b/servconf.c
-index 29df0463..423772b1 100644
+--- a/servconf.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
---- a/servconf.c
++++ b/servconf.c	(date 1703169891148)
-+++ b/servconf.c
+@@ -691,6 +691,7 @@
-@@ -676,6 +680,7 @@ static struct {
  	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
-	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
 +	{ "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },

openssh/openssh-8.7p1-recursive-scp.patch

@@ -1,28 +1,28 @@
-diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
+diff --git a/scp.c b/scp.c
---- openssh-8.7p1/scp.c.scp-sftpdirs	2022-02-07 12:31:07.407740407 +0100
+--- a/scp.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-8.7p1/scp.c	2022-02-07 12:31:07.409740424 +0100
++++ b/scp.c	(date 1703111453316)
-@@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t
+@@ -1372,7 +1372,7 @@
- 
+
  	if (src_is_dir && iamrecursive) {
- 		if (upload_dir(conn, src, abs_dst, pflag,
+ 		if (sftp_upload_dir(conn, src, abs_dst, pflag,
 -		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
 +		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
-			error("failed to upload directory %s to %s", src, targ);
+ 			error("failed to upload directory %s to %s", src, targ);
-			errs = 1;
+ 			errs = 1;
-		}
+ 		}
-diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
+diff --git a/sftp-client.c b/sftp-client.c
---- openssh-8.7p1/sftp-client.c.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
+--- a/sftp-client.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-8.7p1/sftp-client.c	2022-02-07 12:47:59.117516131 +0100
++++ b/sftp-client.c	(date 1703169614263)
-@@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons
+@@ -1003,7 +1003,7 @@
- 
+
  /* Implements both the realpath and expand-path operations */
  static char *
--do_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
+-sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
-+do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
++sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
  {
  	struct sshbuf *msg;
  	u_int expected_id, count, id;
-@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
+@@ -1049,11 +1049,43 @@
  		if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
  		    (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
  			fatal_fr(r, "parse status");
@@ -33,7 +33,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
 -		return NULL;
 +		if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir)  {
 +			memset(&a, '\0', sizeof(a));
-+			if ((r = do_mkdir(conn, path, &a, 0)) != 0) {
++			if ((r = sftp_mkdir(conn, path, &a, 0)) != 0) {
 +				sshbuf_free(msg);
 +				return NULL;
 +			}
@@ -71,111 +71,112 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
  	} else if (type != SSH2_FXP_NAME)
  		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
  		    SSH2_FXP_NAME, type);
-@@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con
+@@ -1078,9 +1110,9 @@
  }
- 
+
  char *
--do_realpath(struct sftp_conn *conn, const char *path)
+-sftp_realpath(struct sftp_conn *conn, const char *path)
-+do_realpath(struct sftp_conn *conn, const char *path, int create_dir)
++sftp_realpath(struct sftp_conn *conn, const char *path, int create_dir)
  {
--	return do_realpath_expand(conn, path, 0);
+-	return sftp_realpath_expand(conn, path, 0);
-+	return do_realpath_expand(conn, path, 0, create_dir);
++	return sftp_realpath_expand(conn, path, 0, create_dir);
  }
- 
+
  int
-@@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c
+@@ -1094,9 +1126,9 @@
  {
- 	if (!can_expand_path(conn)) {
+ 	if (!sftp_can_expand_path(conn)) {
  		debug3_f("no server support, fallback to realpath");
--		return do_realpath_expand(conn, path, 0);
+-		return sftp_realpath_expand(conn, path, 0);
-+		return do_realpath_expand(conn, path, 0, 0);
++		return sftp_realpath_expand(conn, path, 0, 0);
  	}
--	return do_realpath_expand(conn, path, 1);
+-	return sftp_realpath_expand(conn, path, 1);
-+	return do_realpath_expand(conn, path, 1, 0);
++	return sftp_realpath_expand(conn, path, 1, 0);
  }
- 
+
  int
-@@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con
+@@ -2016,7 +2048,7 @@
  	char *src_canon;
  	int ret;
- 
+
--	if ((src_canon = do_realpath(conn, src)) == NULL) {
+-	if ((src_canon = sftp_realpath(conn, src)) == NULL) {
-+	if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
++	if ((src_canon = sftp_realpath(conn, src, 0)) == NULL) {
-		error("download \"%s\": path canonicalization failed", src);
+ 		error("download \"%s\": path canonicalization failed", src);
-		return -1;
+ 		return -1;
-	}
+ 	}
-@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
+@@ -2365,12 +2397,12 @@
  int
- upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
+ sftp_upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
      int preserve_flag, int print_flag, int resume, int fsync_flag,
 -    int follow_link_flag, int inplace_flag)
 +    int follow_link_flag, int inplace_flag, int create_dir)
  {
  	char *dst_canon;
  	int ret;
- 
+
--	if ((dst_canon = do_realpath(conn, dst)) == NULL) {
+-	if ((dst_canon = sftp_realpath(conn, dst)) == NULL) {
-+	if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
++	if ((dst_canon = sftp_realpath(conn, dst, create_dir)) == NULL) {
-		error("upload \"%s\": path canonicalization failed", dst);
+ 		error("upload \"%s\": path canonicalization failed", dst);
-		return -1;
+ 		return -1;
-	}
+ 	}
-@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
+@@ -2825,7 +2857,7 @@
  	char *from_path_canon;
  	int ret;
- 
+
--	if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
+-	if ((from_path_canon = sftp_realpath(from, from_path)) == NULL) {
-+	if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
++	if ((from_path_canon = sftp_realpath(from, from_path, 0)) == NULL) {
-		error("crossload \"%s\": path canonicalization failed",
+ 		error("crossload \"%s\": path canonicalization failed",
-		    from_path);
+ 		    from_path);
-		return -1;
+ 		return -1;
-diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
+diff --git a/sftp-client.h b/sftp-client.h
---- openssh-8.7p1/sftp-client.h.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
+--- a/sftp-client.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-8.7p1/sftp-client.h	2022-02-07 12:31:07.410740433 +0100
++++ b/sftp-client.h	(date 1703111691284)
-@@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons
+@@ -111,7 +111,7 @@
- int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
+ int sftp_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
- 
+
  /* Canonicalise 'path' - caller must free result */
--char *do_realpath(struct sftp_conn *, const char *);
+-char *sftp_realpath(struct sftp_conn *, const char *);
-+char *do_realpath(struct sftp_conn *, const char *, int);
++char *sftp_realpath(struct sftp_conn *, const char *, int);
- 
+
  /* Canonicalisation with tilde expansion (requires server extension) */
- char *do_expand_path(struct sftp_conn *, const char *);
+ char *sftp_expand_path(struct sftp_conn *, const char *);
-@@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const
+@@ -163,7 +163,7 @@
   * times if 'pflag' is set
   */
- int upload_dir(struct sftp_conn *, const char *, const char *,
+ int sftp_upload_dir(struct sftp_conn *, const char *, const char *,
 -    int, int, int, int, int, int);
 +    int, int, int, int, int, int, int);
- 
+
  /*
   * Download a 'from_path' from the 'from' connection and upload it to
-diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c
+
---- openssh-8.7p1/sftp.c.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
+diff --git a/sftp.c b/sftp.c
-+++ openssh-8.7p1/sftp.c	2022-02-07 12:31:07.411740442 +0100
+--- a/sftp.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-@@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons
++++ b/sftp.c	(date 1703168795365)
- 		if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
+@@ -807,7 +807,7 @@
- 			if (upload_dir(conn, g.gl_pathv[i], abs_dst,
+ 		    (rflag || global_rflag)) {
+ 			if (sftp_upload_dir(conn, g.gl_pathv[i], abs_dst,
  			    pflag || global_pflag, 1, resume,
 -			    fflag || global_fflag, 0, 0) == -1)
 +			    fflag || global_fflag, 0, 0, 0) == -1)
  				err = -1;
  		} else {
- 			if (do_upload(conn, g.gl_pathv[i], abs_dst,
+ 			if (sftp_upload(conn, g.gl_pathv[i], abs_dst,
-@@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn
+@@ -1642,7 +1642,7 @@
  		if (path1 == NULL || *path1 == '\0')
  			path1 = xstrdup(startdir);
- 		path1 = make_absolute(path1, *pwd);
+ 		path1 = sftp_make_absolute(path1, *pwd);
--		if ((tmp = do_realpath(conn, path1)) == NULL) {
+-		if ((tmp = sftp_realpath(conn, path1)) == NULL) {
-+		if ((tmp = do_realpath(conn, path1, 0)) == NULL) {
++		if ((tmp = sftp_realpath(conn, path1, 0)) == NULL) {
  			err = 1;
  			break;
  		}
-@@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,
+@@ -2247,7 +2247,7 @@
  	}
  #endif /* USE_LIBEDIT */
- 
+
--	remote_path = do_realpath(conn, ".");
+-	if ((remote_path = sftp_realpath(conn, ".")) == NULL)
-+	remote_path = do_realpath(conn, ".", 0);
++	if ((remote_path = sftp_realpath(conn, ".", 0)) == NULL)
- 	if (remote_path == NULL)
  		fatal("Need cwd");
  	startdir = xstrdup(remote_path);
+

openssh/openssh-9.3p1-merged-openssl-evp.patch

@@ -659,15 +659,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
  # ifdef OPENSSL_HAS_ECC
  #  include <openssl/ec.h>
  #  include <openssl/ecdsa.h>
-@@ -268,6 +271,10 @@
+@@ -266,6 +266,10 @@
  const char	*sshkey_ssh_name_plain(const struct sshkey *);
- int		 sshkey_names_valid2(const char *, int);
+ int		 sshkey_names_valid2(const char *, int, int);
  char		*sshkey_alg_list(int, int, int, char);
 +int		 sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
 +    int *, const u_char *, size_t);
 +int		 sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
 +    size_t, u_char *, int);
- 
+
  int	 sshkey_from_blob(const u_char *, size_t, struct sshkey **);
  int	 sshkey_fromb(struct sshbuf *, struct sshkey **);
 @@ -324,6 +331,13 @@
@@ -695,11 +695,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
  #if !defined(WITH_OPENSSL)
  # undef RSA
  # undef DSA
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
---- openssh-9.3p1/ssh-pkcs11.c	2023-06-06 15:53:36.592443989 +0200
+--- a/ssh-pkcs11.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-9.3p1-patched/ssh-pkcs11.c	2023-06-06 15:52:25.626551768 +0200
++++ b/ssh-pkcs11.c	(date 1703110934679)
-@@ -777,8 +777,24 @@
+@@ -620,8 +620,24 @@
- 
+
  	return (0);
  }
 +
@@ -711,7 +711,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
 +	return 0;
 +}
  #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
- 
+
 +int
 +is_rsa_pkcs11(RSA *rsa)
 +{
@@ -722,14 +722,14 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
 +
  /* remove trailing spaces. Note, that this does NOT guarantee the buffer
   * will be null terminated if there are no trailing spaces! */
- static void
+ static char *
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
---- openssh-9.3p1/ssh-pkcs11-client.c	2023-06-06 15:53:36.591443976 +0200
+--- a/ssh-pkcs11-client.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-9.3p1-patched/ssh-pkcs11-client.c	2023-06-06 15:52:25.626551768 +0200
++++ b/ssh-pkcs11-client.c	(date 1703110830967)
-@@ -225,8 +225,36 @@
+@@ -402,8 +402,36 @@
- static RSA_METHOD	*helper_rsa;
+ 	if (helper->nrsa == 0 && helper->nec == 0)
- #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ 		helper_terminate(helper);
- static EC_KEY_METHOD	*helper_ecdsa;
+ }
 +
 +int
 +is_ecdsa_pkcs11(EC_KEY *ecdsa)
@@ -744,8 +744,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
 +		return 1;
 +	return 0;
 +}
- #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ #endif /* defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) */
- 
+
 +int
 +is_rsa_pkcs11(RSA *rsa)
 +{
@@ -762,14 +762,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
 +
  /* redirect private key crypto operations to the ssh-pkcs11-helper */
  static void
- wrap_key(struct sshkey *k)
+ wrap_key(struct helper *helper, struct sshkey *k)
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h
+diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
---- openssh-9.3p1/ssh-pkcs11.h	2023-06-06 15:53:36.592443989 +0200
+--- a/ssh-pkcs11.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
-+++ openssh-9.3p1-patched/ssh-pkcs11.h	2023-06-06 15:52:25.626551768 +0200
++++ b/ssh-pkcs11.h	(date 1703111023334)
-@@ -39,6 +39,11 @@
+@@ -38,6 +38,12 @@
- 	    u_int32_t *);
+ /* Only available in ssh-pkcs11-client.c so far */
- #endif
+ int pkcs11_make_cert(const struct sshkey *,
- 
+     const struct sshkey *, struct sshkey **);
++
 +#ifdef HAVE_EC_KEY_METHOD_NEW
 +int is_ecdsa_pkcs11(EC_KEY *ecdsa);
 +#endif

openssh/openssh-9.3p1-openssl-compat.patch

@@ -1,40 +0,0 @@
---- openssh-9.3p1/openbsd-compat/openssl-compat.c	2023-03-15 22:28:19.000000000 +0100
-+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c	2023-05-25 14:19:42.870841944 +0200
-@@ -33,10 +33,10 @@
- 
- /*
-  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-- * We match major, minor, fix and status (not patch) for <1.0.0.
-- * After that, we acceptable compatible fix versions (so we
-- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
-- * within a patch series.
-+ * Versions >=3 require only major versions to match.
-+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
-+ * to work with 1.0.0). Going backwards is only allowed within a patch series.
-+ * See https://www.openssl.org/policies/releasestrat.html
-  */
- 
- int
-@@ -48,15 +48,17 @@
- 	if (headerver == libver)
- 		return 1;
- 
--	/* for versions < 1.0.0, major,minor,fix,status must match */
--	if (headerver < 0x1000000f) {
--		mask = 0xfffff00fL; /* major,minor,fix,status */
-+	/*
-+	 * For versions >= 3.0, only the major and status must match.
-+	 */
-+	if (headerver >= 0x3000000f) {
-+		mask = 0xf000000fL; /* major,status */
- 		return (headerver & mask) == (libver & mask);
- 	}
- 
- 	/*
--	 * For versions >= 1.0.0, major,minor,status must match and library
--	 * fix version must be equal to or newer than the header.
-+	 * For versions >= 1.0.0, but <3, major,minor,status must match and
-+	 * library fix version must be equal to or newer than the header.
- 	 */
- 	mask = 0xfff0000fL; /* major,minor,status */
- 	hfix = (headerver & 0x000ff000) >> 12;

openssh/openssh-9.6p1-gssapi-keyex.patch

@@ -144,8 +144,8 @@ index 9351e042..d6446c0c 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
- 
+
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 + * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -1268,7 +1268,7 @@ index ce85f043..574c7609 100644
 +#endif
 +
  /* prototype */
- static int kex_choose_conf(struct ssh *);
+ static int kex_choose_conf(struct ssh *, uint32_t seq);
  static int kex_input_newkeys(int, u_int32_t, struct ssh *);
 @@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@@ -1488,7 +1488,7 @@ new file mode 100644
 index 00000000..f6e1405e
 --- /dev/null
 +++ b/kexgssc.c
-@@ -0,0 +1,600 @@
+@@ -0,0 +1,612 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1589,8 +1589,10 @@ index 00000000..f6e1405e
 +	default:
 +		fatal_f("Unexpected KEX type %d", kex->kex_type);
 +	}
-+	if (r != 0)
++	if (r != 0) {
++		ssh_gssapi_delete_ctx(&ctxt);
 +		return r;
++	}
 +
 +	token_ptr = GSS_C_NO_BUFFER;
 +
@@ -1653,11 +1655,16 @@ index 00000000..f6e1405e
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
++					u_char *tmp = NULL;
++					size_t tmp_len = 0;
++
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
++					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("Failed to read server host key: %s", ssh_err(r));
++					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
++						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@@ -1944,11 +1951,16 @@ index 00000000..f6e1405e
 +			do {
 +				type = ssh_packet_read(ssh);
 +				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
++					u_char *tmp = NULL;
++					size_t tmp_len = 0;
++
 +					debug("Received KEXGSS_HOSTKEY");
 +					if (server_host_key_blob)
 +						fatal("Server host key received more than once");
-+					if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
++					if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
 +						fatal("sshpkt failed: %s", ssh_err(r));
++					if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
++						fatal("sshbuf_from failed");
 +				}
 +			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
 +
@@ -2094,7 +2106,7 @@ new file mode 100644
 index 00000000..60bc02de
 --- /dev/null
 +++ b/kexgsss.c
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -2161,7 +2173,7 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
++	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@@ -2201,7 +2213,7 @@ index 00000000..60bc02de
 +		type = ssh_packet_read(ssh);
 +		switch(type) {
 +		case SSH2_MSG_KEXGSS_INIT:
-+			if (client_pubkey != NULL)
++			if (gssbuf.value != NULL)
 +				fatal("Received KEXGSS_INIT after initialising");
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
 +			        &recv_tok)) != 0 ||
@@ -2232,6 +2244,31 @@ index 00000000..60bc02de
 +				goto out;
 +
 +			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
++
++			/* Calculate the hash early so we can free the
++			* client_pubkey, which has reference to the parent
++			* buffer state->incoming_packet
++			*/
++			hashlen = sizeof(hash);
++			if ((r = kex_gen_hash(
++			    kex->hash_alg,
++			    kex->client_version,
++			    kex->server_version,
++			    kex->peer,
++			    kex->my,
++			    empty,
++			    client_pubkey,
++			    server_pubkey,
++			    shared_secret,
++			    hash, &hashlen)) != 0)
++				goto out;
++
++			gssbuf.value = hash;
++			gssbuf.length = hashlen;
++
++			sshbuf_free(client_pubkey);
++			client_pubkey = NULL;
++
 +			break;
 +		case SSH2_MSG_KEXGSS_CONTINUE:
 +			if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
@@ -2253,7 +2290,7 @@ index 00000000..60bc02de
 +		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
 +			fatal("Zero length token output when incomplete");
 +
-+		if (client_pubkey == NULL)
++		if (gssbuf.value == NULL)
 +			fatal("No client public key");
 +
 +		if (maj_status & GSS_S_CONTINUE_NEEDED) {
@@ -2282,23 +2319,6 @@ index 00000000..60bc02de
 +	if (!(ret_flags & GSS_C_INTEG_FLAG))
 +		fatal("Integrity flag wasn't set");
 +
-+	hashlen = sizeof(hash);
-+	if ((r = kex_gen_hash(
-+	    kex->hash_alg,
-+	    kex->client_version,
-+	    kex->server_version,
-+	    kex->peer,
-+	    kex->my,
-+	    empty,
-+	    client_pubkey,
-+	    server_pubkey,
-+	    shared_secret,
-+	    hash, &hashlen)) != 0)
-+		goto out;
-+
-+	gssbuf.value = hash;
-+	gssbuf.length = hashlen;
-+
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
 +		fatal("Couldn't get MIC");
 +
@@ -3380,7 +3400,7 @@ index 60de6087..db5c65bc 100644
  .It HashKnownHosts
  .It Host
  .It HostbasedAcceptedAlgorithms
-@@ -579,6 +585,8 @@ flag),
+@@ -624,6 +624,8 @@
  (supported message integrity codes),
  .Ar kex
  (key exchange algorithms),
@@ -3388,7 +3408,7 @@ index 60de6087..db5c65bc 100644
 +(GSSAPI key exchange algorithms),
  .Ar key
  (key types),
- .Ar key-cert
+ .Ar key-ca-sign
 diff --git a/ssh.c b/ssh.c
 index 15aee569..110cf9c1 100644
 --- a/ssh.c
@@ -3424,7 +3444,7 @@ index 5e8ef548..1ff999b6 100644
 +#   GSSAPIKeyExchange no
 +#   GSSAPITrustDNS no
  #   BatchMode no
- #   CheckHostIP yes
+ #   CheckHostIP no
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
 index 06a32d31..3f490697 100644
@@ -3903,11 +3923,69 @@ diff --git a/sshkey.c b/sshkey.c
 index 57995ee6..fd5b7724 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -127,6 +127,17 @@
+@@ -127,6 +127,75 @@ static const struct keytype keytypes[] = {
  extern const struct sshkey_impl sshkey_xmss_impl;
  extern const struct sshkey_impl sshkey_xmss_cert_impl;
  #endif
-+const struct sshkey_impl sshkey_null_impl = {
++
++static int ssh_gss_equal(const struct sshkey *, const struct sshkey *)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_serialize_public(const struct sshkey *, struct sshbuf *,
++	enum sshkey_serialize_rep)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_deserialize_public(const char *, struct sshbuf *,
++	     struct sshkey *)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_serialize_private(const struct sshkey *, struct sshbuf *,
++	     enum sshkey_serialize_rep)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_deserialize_private(const char *, struct sshbuf *,
++	     struct sshkey *)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_copy_public(const struct sshkey *, struct sshkey *)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static int ssh_gss_verify(const struct sshkey *, const u_char *, size_t,
++	    const u_char *, size_t, const char *, u_int,
++	    struct sshkey_sig_details **)
++{
++	return SSH_ERR_FEATURE_UNSUPPORTED;
++}
++
++static const struct sshkey_impl_funcs sshkey_gss_funcs = {
++	/* .size = */		NULL,
++	/* .alloc = */		NULL,
++	/* .cleanup = */	NULL,
++	/* .equal = */		ssh_gss_equal,
++	/* .ssh_serialize_public = */ ssh_gss_serialize_public,
++	/* .ssh_deserialize_public = */ ssh_gss_deserialize_public,
++	/* .ssh_serialize_private = */ ssh_gss_serialize_private,
++	/* .ssh_deserialize_private = */ ssh_gss_deserialize_private,
++	/* .generate = */	NULL,
++	/* .copy_public = */	ssh_gss_copy_public,
++	/* .sign = */		NULL,
++	/* .verify = */		ssh_gss_verify,
++};
++
++/* The struct is intentionally dummy and has no gss calls */
++static const struct sshkey_impl sshkey_gss_kex_impl = {
 +	/* .name = */		"null",
 +	/* .shortname = */	"null",
 +	/* .sigalg = */		NULL,
@@ -3915,21 +3993,21 @@ index 57995ee6..fd5b7724 100644
 +	/* .nid = */		0,
 +	/* .cert = */		0,
 +	/* .sigonly = */	0,
-+	/* .keybits = */	0,
++	/* .keybits = */	0, /* FIXME */
-+	/* .funcs = */		NULL,
++	/* .funcs = */		&sshkey_gss_funcs,
 +};
  
  const struct sshkey_impl * const keyimpls[] = {
  	&sshkey_ed25519_impl,
-@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
+@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
  	&sshkey_xmss_impl,
  	&sshkey_xmss_cert_impl,
  #endif
-+        &sshkey_null_impl,
++	&sshkey_gss_kex_impl,
  	NULL
  };
  
-@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
+@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
  
  	for (i = 0; keyimpls[i] != NULL; i++) {
  		impl = keyimpls[i];
@@ -3950,3 +4028,47 @@ index 71a3fddc..37a43a67 100644
  	KEY_UNSPEC
  };
  
+diff --git a/packet.h b/packet.h
+--- a/packet.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
++++ b/packet.h	(date 1703172586447)
+@@ -124,6 +124,7 @@
+ int	 ssh_packet_send2(struct ssh *);
+
+ int      ssh_packet_read(struct ssh *);
++int	 ssh_packet_read_expect(struct ssh *, u_int type);
+ int      ssh_packet_read_poll(struct ssh *);
+ int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
+ int	 ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
+diff --git a/packet.c b/packet.c
+--- a/packet.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
++++ b/packet.c	(date 1703172586447)
+@@ -1425,6 +1416,29 @@
+ 	return type;
+ }
+
++/*
++ * Waits until a packet has been received, verifies that its type matches
++ * that given, and gives a fatal error and exits if there is a mismatch.
++ */
++
++int
++ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
++{
++	int r;
++	u_char type;
++
++	if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
++		return r;
++	if (type != expected_type) {
++		if ((r = sshpkt_disconnect(ssh,
++		    "Protocol error: expected packet type %d, got %d",
++		    expected_type, type)) != 0)
++			return r;
++		return SSH_ERR_PROTOCOL_ERROR;
++	}
++	return 0;
++}
++
+ static int
+ ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ {

openssh/openssh.spec

@@ -56,10 +56,10 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 9.3p2
+%global openssh_ver 9.6p1
-%global openssh_rel 2
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 11
+%global pam_ssh_agent_rel 12
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -164,7 +164,7 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
 # Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
 # upstream MR:
 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
-Patch800: openssh-9.3p1-gssapi-keyex.patch
+Patch800: openssh-9.6p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.6p1-force_krb.patch
 # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
@@ -204,7 +204,7 @@ Patch950: openssh-7.5p1-sandbox.patch
 # PKCS#11 URIs (upstream #2817, 2nd iteration)
 # https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
 # git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
-Patch951: openssh-9.3p2-pkcs11-uri.patch
+Patch951: openssh-9.6p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # Mention crypto-policies in manual pages (#1668325)
@@ -252,9 +252,6 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-8.7p1-nohostsha1proof.patch
 
-# upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237 
-Patch1016: openssh-9.3p1-openssl-compat.patch
-
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
 
@@ -279,12 +276,12 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: perl
 %endif
-%if 0%{?fedora} || 0%{?rhel} >= 7
+%if 0%{?fedora} || 0%{?rhel} != 7
 BuildRequires: gcc
 %else
 BuildRequires: devtoolset-8-gcc devtoolset-8-build
 %if 0%{?rhel} < 7
-BuildRequires: autoconf2.69 automake1.16 m4_next
+BuildRequires: autoconf2.69 automake1.16 m4
 %endif
 %endif
 BuildRequires: make
@@ -430,12 +427,12 @@ popd
 %patch703 -p1 -b .grab-info
 %patch707 -p1 -b .redhat
 %patch711 -p1 -b .log-usepam-no
-# 
+#
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
 %patch804 -p1 -b .ccache_name
 %patch805 -p1 -b .k5login
-# 
+#
 %patch901 -p1 -b .kuserok
 %patch906 -p1 -b .fromto-remote
 %patch916 -p1 -b .contexts
@@ -479,16 +476,10 @@ popd
 %patch1012 -p1 -b .evp-fips-dh
 %patch1013 -p1 -b .evp-fips-ecdh
 %patch1014 -p1 -b .nosha1hostproof
-%patch1016 -p1 -b .ossl-version
+
 
 %patch100 -p1 -b .coverity
 
-%if 0%{?rhel} < 7
-. /etc/profile.d/modules.sh
-module load autoconf
-module load automake
-module load m4
-%endif
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -496,18 +487,14 @@ autoreconf
 popd
 
 %build
-%if 0%{?rhel} < 8
+%if 0%{?rhel} == 7
 %enable_devtoolset8
 %endif
-%if 0%{?rhel} < 7
+
-. /etc/profile.d/modules.sh
-module load autoconf
-module load automake
-module load m4
-%endif
 %set_build_flags
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
 # it is needed for lib(open)ssh build too since it is linked to the pam module too
+
 CFLAGS="$CFLAGS -I%{_includedir}/openssl3 -fvisibility=hidden"; export CFLAGS
 %if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
@@ -869,6 +856,9 @@ fi
 %endif
 
 %changelog
+* Wed Feb 28 2024 Raven <raven@sysadmins.ws> - 9.6p2-1
+- New upstream release
+
 * Fri Oct 20 2023 Raven <raven@sysadmins.ws> - 9.3p2-1
 - add pam config ported from proper rhel versions