openssh: upgrade to 9.7p1

2024-03-22 09:12:50 +06:00 · 2024-03-22 09:12:50 +06:00 · e6f77535ec
commit e6f77535ec
parent 206625f14e
5 changed files with 4373 additions and 779 deletions
--- a/openssh/openssh-9.7p1-gssapi-keyex.patch
+++ b/openssh/openssh-9.7p1-gssapi-keyex.patch
--- a/openssh/openssh-9.7p1-negotiate-supported-algs.patch
+++ b/openssh/openssh-9.7p1-negotiate-supported-algs.patch
@ -0,0 +1,118 @@
+diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
+--- openssh-9.3p1/regress/hostkey-agent.sh.xxx	2023-05-29 18:15:56.311236887 +0200
+++ openssh-9.3p1/regress/hostkey-agent.sh	2023-05-29 18:16:07.598503551 +0200
+@@ -17,8 +17,21 @@ trace "make CA key"
+ 
+ ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
+ 
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
+    grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
+r=$?
+if [ $r == 0 ]; then
+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
+r=$?
+if [ $r -ne 0 ]; then
+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
+fi
+fi
+
+ trace "load hostkeys"
+-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
+ 	${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
+ 		-I localhost-with-alias $OBJ/agent-key.$k.pub || \
+@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
+ 
+ unset SSH_AUTH_SOCK
+ 
+-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	verbose "key type $k"
+	hka=$k
+	if [ $k = "ssh-rsa" ]; then
+	   hka="rsa-sha2-512"
+	fi
+ 	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+-	echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
+	echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
+ 	echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
+-	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
+	opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
+ 	( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
+ 	  cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
+ 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
+@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
+ done
+ 
+ SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
+ 
+ # Prepare sshd_proxy for certificates.
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+ HOSTKEYALGS=""
+-for k in $SSH_CERTTYPES ; do
+for k in $SSH_ACCEPTED_CERTTYPES ; do
+ 	test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
+ 	HOSTKEYALGS="${HOSTKEYALGS}${k}"
+ done
+-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
+ 	echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
+ 	test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
+@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
+ ( printf '@cert-authority localhost-with-alias ' ;
+   cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
+ 
+-for k in $SSH_CERTTYPES ; do
+for k in $SSH_ACCEPTED_CERTTYPES ; do
+ 	verbose "cert type $k"
+ 	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
+ 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
+diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
+--- openssh-9.3p1/sshconnect2.c.xxx	2023-04-26 17:37:35.100827792 +0200
+++ openssh-9.3p1/sshconnect2.c	2023-04-26 17:50:31.860748877 +0200
+@@ -221,7 +221,7 @@
+     const struct ssh_conn_info *cinfo)
+ {
+ 	char *myproposal[PROPOSAL_MAX];
+-	char *all_key, *hkalgs = NULL;
+	char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL;
+ 	int r, use_known_hosts_order = 0;
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+@@ -257,10 +257,22 @@
+ 	if (use_known_hosts_order)
+ 		hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
+ 
+	filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
+		               : match_filter_allowlist(options.hostkeyalgorithms,
+				 options.pubkey_accepted_algos);
+	if (filtered_algs == NULL) {
+		if (hkalgs)
+			fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
+			       hkalgs, host, options.pubkey_accepted_algos);
+		else
+			fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
+			        options.hostkeyalgorithms, options.pubkey_accepted_algos);
+	}
+
+ 	kex_proposal_populate_entries(ssh, myproposal,
+ 	    options.kex_algorithms, options.ciphers, options.macs,
+ 	    compression_alg_list(options.compression),
+-	    hkalgs ? hkalgs : options.hostkeyalgorithms);
+	    filtered_algs);
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+ 	if (options.gss_keyex) {
+@@ -304,6 +316,7 @@
+ #endif
+ 
+ 	free(hkalgs);
+	free(filtered_algs);
+ 
+ 	/* start key exchange */
+ 	if ((r = kex_setup(ssh, myproposal)) != 0)
--- a/openssh/openssh-9.7p1-nohostsha1proof.patch
+++ b/openssh/openssh-9.7p1-nohostsha1proof.patch
@ -0,0 +1,405 @@
+diff -up openssh-9.7p1/compat.c.sshrsacheck openssh-9.7p1/compat.c
+--- openssh-9.7p1/compat.c.sshrsacheck	2023-01-12 13:29:06.338710923 +0100
+++ openssh-9.7p1/compat.c	2023-01-12 13:29:06.357711165 +0100
+@@ -43,6 +43,7 @@ void
+ compat_banner(struct ssh *ssh, const char *version)
+ {
+ 	int i;
+	int forbid_ssh_rsa = 0;
+ 	static struct {
+ 		char	*pat;
+ 		int	bugs;
+@@ -145,16 +146,21 @@ compat_banner(struct ssh *ssh, const cha
+ 	};
+ 
+ 	/* process table, return first match */
+	forbid_ssh_rsa = (ssh->compat & SSH_RH_RSASIGSHA);
+ 	ssh->compat = 0;
+ 	for (i = 0; check[i].pat; i++) {
+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ 			debug_f("match: %s pat %s compat 0x%08x",
+ 			    version, check[i].pat, check[i].bugs);
+ 			ssh->compat = check[i].bugs;
+	if (forbid_ssh_rsa)
+		ssh->compat |= SSH_RH_RSASIGSHA;
+ 			return;
+ 		}
+ 	}
+ 	debug_f("no match: %s", version);
+	if (forbid_ssh_rsa)
+		ssh->compat |= SSH_RH_RSASIGSHA;
+ }
+ 
+ /* Always returns pointer to allocated memory, caller must free. */
+diff -up openssh-9.7p1/compat.h.sshrsacheck openssh-9.7p1/compat.h
+--- openssh-9.7p1/compat.h.sshrsacheck	2021-08-20 06:03:49.000000000 +0200
+++ openssh-9.7p1/compat.h	2023-01-12 13:29:06.358711178 +0100
+@@ -30,7 +30,7 @@
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+ #define SSH_BUG_SIGTYPE74	0x00000004
+-/* #define unused		0x00000008 */
+#define SSH_RH_RSASIGSHA	0x00000008
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+ #define SSH_BUG_DEBUG		0x00000040
+diff -up openssh-9.7p1/monitor.c.sshrsacheck openssh-9.7p1/monitor.c
+--- openssh-9.7p1/monitor.c.sshrsacheck	2023-01-20 13:07:54.279676981 +0100
+++ openssh-9.7p1/monitor.c	2023-01-20 15:01:07.007821379 +0100
+@@ -660,11 +660,12 @@ mm_answer_sign(struct ssh *ssh, int sock
+ 	struct sshkey *key;
+ 	struct sshbuf *sigbuf = NULL;
+ 	u_char *p = NULL, *signature = NULL;
+-	char *alg = NULL;
+	char *alg = NULL, *effective_alg;
+ 	size_t datlen, siglen, alglen;
+ 	int r, is_proof = 0;
+ 	u_int keyid, compat;
+ 	const char proof_req[] = "hostkeys-prove-00@openssh.com";
+	const char safe_rsa[]  = "rsa-sha2-256";
+ 
+ 	debug3_f("entering");
+ 
+@@ -719,18 +720,30 @@ mm_answer_sign(struct ssh *ssh, int sock
+ 	}
+ 
+ 	if ((key = get_hostkey_by_index(keyid)) != NULL) {
+-		if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
+		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
+				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
+			effective_alg = safe_rsa;
+		} else {
+			effective_alg = alg;
+		}
+		if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, effective_alg,
+ 		    options.sk_provider, NULL, compat)) != 0)
+ 			fatal_fr(r, "sign");
+ 	} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
+ 	    auth_sock > 0) {
+		if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
+				&& (sshkey_type_plain(key->type) == KEY_RSA)) {
+			effective_alg = safe_rsa;
+		} else {
+			effective_alg = alg;
+		}
+ 		if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen,
+-		    p, datlen, alg, compat)) != 0)
+		    p, datlen, effective_alg, compat)) != 0)
+ 			fatal_fr(r, "agent sign");
+ 	} else
+ 		fatal_f("no hostkey from index %d", keyid);
+ 
+-	debug3_f("%s %s signature len=%zu", alg,
+	debug3_f("%s (effective: %s) %s signature len=%zu", alg, effective_alg,
+ 	    is_proof ? "hostkey proof" : "KEX", siglen);
+ 
+ 	sshbuf_reset(m);
+diff -up openssh-9.7p1/regress/cert-userkey.sh.sshrsacheck openssh-9.7p1/regress/cert-userkey.sh
+--- openssh-9.7p1/regress/cert-userkey.sh.sshrsacheck	2023-01-25 14:26:52.885963113 +0100
+++ openssh-9.7p1/regress/cert-userkey.sh	2023-01-25 14:27:25.757219800 +0100
+@@ -7,7 +7,8 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
+ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+ 
+-PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+#ssh-dss keys are incompatible with DEFAULT crypto policy
+PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss' | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+ EXTRA_TYPES=""
+ rsa=""
+ 
+diff -up openssh-9.7p1/regress/Makefile.sshrsacheck openssh-9.7p1/regress/Makefile
+--- openssh-9.7p1/regress/Makefile.sshrsacheck	2023-01-20 13:07:54.169676051 +0100
+++ openssh-9.7p1/regress/Makefile	2023-01-20 13:07:54.290677074 +0100
+@@ -2,7 +2,8 @@
+ 
+ tests:		prep file-tests t-exec unit
+ 
+-REGRESS_TARGETS=	t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12
+#ssh-dss tests will not pass on DEFAULT crypto-policy because of SHA1, skipping
+REGRESS_TARGETS=	t1 t2 t3 t4 t5 t7 t8 t9 t10 t11 t12
+ 
+ # File based tests
+ file-tests: $(REGRESS_TARGETS)
+diff -up openssh-9.7p1/regress/test-exec.sh.sshrsacheck openssh-9.7p1/regress/test-exec.sh
+--- openssh-9.7p1/regress/test-exec.sh.sshrsacheck	2023-01-25 14:24:54.778040819 +0100
+++ openssh-9.7p1/regress/test-exec.sh	2023-01-25 14:26:39.500858590 +0100
+@@ -581,8 +581,9 @@ maybe_filter_sk() {
+ 	fi
+ }
+ 
+-SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
+-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
+#ssh-dss keys are incompatible with DEFAULT crypto policy
+SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'`
+ 
+ for t in ${SSH_KEYTYPES}; do
+ 	# generate user key
+diff -up openssh-9.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-9.7p1/regress/unittests/kex/test_kex.c
+--- openssh-9.7p1/regress/unittests/kex/test_kex.c.nosha1hostproof	2024-03-11 11:20:49.000000000 +0600
+++ openssh-9.7p1/regress/unittests/kex/test_kex.c	2024-03-21 21:26:44.502547206 +0600
+@@ -96,7 +96,8 @@
+ 	memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
+ 	if (kex != NULL)
+ 		kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
+-	keyname = strdup(sshkey_ssh_name(private));
+	keyname = (strcmp(sshkey_ssh_name(private), "ssh-rsa")) ?
+		strdup(sshkey_ssh_name(private)) : strdup("rsa-sha2-256");
+ 	ASSERT_PTR_NE(keyname, NULL);
+ 	kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
+ 	ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
+@@ -180,7 +181,7 @@
+ #ifdef WITH_OPENSSL
+ 	do_kex_with_key(kex, KEY_RSA, 2048);
+ #ifdef WITH_DSA
+-	do_kex_with_key(kex, KEY_DSA, 1024);
+	/* do_kex_with_key(kex, KEY_DSA, 1024); */
+ #endif
+ #ifdef OPENSSL_HAS_ECC
+ 	do_kex_with_key(kex, KEY_ECDSA, 256);
+
+diff -up openssh-9.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_file.c
+--- openssh-9.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck	2023-01-26 12:04:55.946343408 +0100
+++ openssh-9.7p1/regress/unittests/sshkey/test_file.c	2023-01-26 12:06:35.235164432 +0100
+@@ -110,6 +110,7 @@ sshkey_file_tests(void)
+ 	sshkey_free(k2);
+ 	TEST_DONE();
+ 
+	/* Skip this test, SHA1 signatures are not supported
+ 	TEST_START("load RSA cert with SHA1 signature");
+ 	ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha1"), &k2), 0);
+ 	ASSERT_PTR_NE(k2, NULL);
+@@ -117,7 +118,7 @@ sshkey_file_tests(void)
+ 	ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
+ 	ASSERT_STRING_EQ(k2->cert->signature_type, "ssh-rsa");
+ 	sshkey_free(k2);
+-	TEST_DONE();
+	TEST_DONE(); */
+ 
+ 	TEST_START("load RSA cert with SHA512 signature");
+ 	ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha512"), &k2), 0);
+diff -up openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c
+--- openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c.nosha1hostproof	2024-03-11 11:20:49.000000000 +0600
+++ openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c	2024-03-21 21:28:07.606026626 +0600
+@@ -338,13 +338,14 @@
+ 	TEST_DONE();
+ 
+ #ifdef WITH_OPENSSL
+	/* Skip this test, SHA1 signatures are not supported
+ 	TEST_START("fuzz RSA sig");
+ 	buf = load_file("rsa_1");
+ 	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
+ 	sshbuf_free(buf);
+ 	sig_fuzz(k1, "ssh-rsa");
+ 	sshkey_free(k1);
+-	TEST_DONE();
+	TEST_DONE();*/
+ 
+ 	TEST_START("fuzz RSA SHA256 sig");
+ 	buf = load_file("rsa_1");
+@@ -362,6 +363,7 @@
+ 	sshkey_free(k1);
+ 	TEST_DONE();
+ 
+/* Skip this test, SHA1 signatures are not supported
+ #ifdef WITH_DSA
+ 	TEST_START("fuzz DSA sig");
+ 	buf = load_file("dsa_1");
+@@ -371,6 +373,7 @@
+ 	sshkey_free(k1);
+ 	TEST_DONE();
+ #endif
+*/
+ 
+ #ifdef OPENSSL_HAS_ECC
+ 	TEST_START("fuzz ECDSA sig");
+diff -up openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c
+--- openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck	2023-01-26 11:02:52.339413463 +0100
+++ openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c	2023-01-26 11:58:42.324253896 +0100
+@@ -60,6 +60,9 @@ build_cert(struct sshbuf *b, struct sshk
+ 	u_char *sigblob;
+ 	size_t siglen;
+ 
+	/* ssh-rsa implies SHA1, forbidden in DEFAULT cp */
+	int expected = (sig_alg == NULL || strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0;
+
+ 	ca_buf = sshbuf_new();
+ 	ASSERT_PTR_NE(ca_buf, NULL);
+ 	ASSERT_INT_EQ(sshkey_putb(ca_key, ca_buf), 0);
+@@ -101,8 +104,9 @@ build_cert(struct sshbuf *b, struct sshk
+ 	ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
+ 	ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
+ 	ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
+-	    sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), 0);
+-	ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
+	    sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), expected);
+	if (expected == 0)
+		ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
+ 
+ 	free(sigblob);
+ 	sshbuf_free(ca_buf);
+@@ -119,16 +123,22 @@ signature_test(struct sshkey *k, struct
+ {
+ 	size_t len;
+ 	u_char *sig;
+	/* ssh-rsa implies SHA1, forbidden in DEFAULT cp */
+	int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0;
+	if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT))
+		expected = SSH_ERR_LIBCRYPTO_ERROR;
+ 
+ 	ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg,
+-	    NULL, NULL, 0), 0);
+-	ASSERT_SIZE_T_GT(len, 8);
+-	ASSERT_PTR_NE(sig, NULL);
+-	ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
+-	ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0);
+-	/* Fuzz test is more comprehensive, this is just a smoke test */
+-	sig[len - 5] ^= 0x10;
+-	ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
+	    NULL, NULL, 0), expected);
+	if (expected == 0) {
+		ASSERT_SIZE_T_GT(len, 8);
+		ASSERT_PTR_NE(sig, NULL);
+		ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
+		ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0);
+		/* Fuzz test is more comprehensive, this is just a smoke test */
+		sig[len - 5] ^= 0x10;
+		ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
+	}
+ 	free(sig);
+ }
+ 
+@@ -514,7 +524,7 @@ sshkey_tests(void)
+ 	ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
+ 	    NULL), 0);
+ 	k3 = get_private("rsa_1");
+-	build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL);
+	build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, "rsa-sha2-256");
+ 	ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
+ 	    SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
+ 	ASSERT_PTR_EQ(k4, NULL);
+diff -up openssh-9.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-9.7p1/regress/unittests/sshsig/tests.c
+--- openssh-9.7p1/regress/unittests/sshsig/tests.c.nosha1hostproof	2024-03-11 11:20:49.000000000 +0600
+++ openssh-9.7p1/regress/unittests/sshsig/tests.c	2024-03-21 21:29:14.951604758 +0600
+@@ -103,11 +103,13 @@
+ 	check_sig("rsa.pub", "rsa.sig", msg, namespace);
+ 	TEST_DONE();
+ 
+/* Skip this test, SHA1 signatures are not supported
+ #ifdef WITH_DSA
+ 	TEST_START("check DSA signature");
+ 	check_sig("dsa.pub", "dsa.sig", msg, namespace);
+ 	TEST_DONE();
+ #endif
+*/
+ 
+ #ifdef OPENSSL_HAS_ECC
+ 	TEST_START("check ECDSA signature");
+diff -up openssh-9.7p1/serverloop.c.sshrsacheck openssh-9.7p1/serverloop.c
+--- openssh-9.7p1/serverloop.c.sshrsacheck	2023-01-12 14:57:08.118400073 +0100
+++ openssh-9.7p1/serverloop.c	2023-01-12 14:59:17.330470518 +0100
+@@ -80,6 +80,7 @@
+ #include "auth-options.h"
+ #include "serverloop.h"
+ #include "ssherr.h"
+#include "compat.h"
+ 
+ extern ServerOptions options;
+ 
+@@ -737,6 +737,10 @@ server_input_hostkeys_prove(struct ssh *
+ 			else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
+ 				sigalg = "rsa-sha2-256";
+ 		}
+		if (ssh->compat & SSH_RH_RSASIGSHA && sigalg == NULL) {
+			sigalg = "rsa-sha2-512";
+			debug3_f("SHA1 signature is not supported, falling back to %s", sigalg);
+		}
+ 		debug3_f("sign %s key (index %d) using sigalg %s",
+ 		    sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
+ 		if ((r = sshbuf_put_cstring(sigbuf,
+diff -up openssh-9.7p1/sshconnect2.c.sshrsacheck openssh-9.7p1/sshconnect2.c
+--- openssh-9.7p1/sshconnect2.c.sshrsacheck	2023-01-25 15:33:29.140353651 +0100
+++ openssh-9.7p1/sshconnect2.c	2023-01-25 15:59:34.225364883 +0100
+@@ -1461,6 +1464,14 @@ identity_sign(struct identity *id, u_cha
+ 			retried = 1;
+ 			goto retry_pin;
+ 		}
+		if ((r == SSH_ERR_LIBCRYPTO_ERROR) && strcmp("ssh-rsa", alg)) {
+			char rsa_safe_alg[] = "rsa-sha2-512";
+			debug3_f("trying to fallback to algorithm %s", rsa_safe_alg);
+
+			if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
+			rsa_safe_alg, options.sk_provider, pin, compat)) != 0)
+				debug_fr(r, "sshkey_sign - RSA fallback");
+		}
+ 		goto out;
+ 	}
+ 
+diff -up openssh-9.7p1/sshd.c.sshrsacheck openssh-9.7p1/sshd.c
+--- openssh-9.7p1/sshd.c.sshrsacheck	2023-01-12 13:29:06.355711140 +0100
+++ openssh-9.7p1/sshd.c	2023-01-12 13:29:06.358711178 +0100
+@@ -1640,6 +1651,7 @@ main(int ac, char **av)
+ 	Authctxt *authctxt;
+ 	struct connection_info *connection_info = NULL;
+ 	sigset_t sigmask;
+	int forbid_ssh_rsa = 0;
+ 
+ #ifdef HAVE_SECUREWARE
+ 	(void)set_auth_parameters(ac, av);
+@@ -1938,6 +1950,33 @@ main(int ac, char **av)
+ 		    key = NULL;
+ 		    continue;
+ 		}
+		if (key && (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT)) {
+		    size_t sign_size = 0;
+		    u_char *tmp = NULL;
+		    u_char data[] = "Test SHA1 vector";
+		    int res;
+
+		    res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
+		    free(tmp);
+		    if (res == SSH_ERR_LIBCRYPTO_ERROR) {
+			verbose_f("sshd: SHA1 in signatures is disabled for RSA keys");
+		    	forbid_ssh_rsa = 1;
+		    }
+		}
+		if (key && (sshkey_type_plain(key->type) == KEY_DSA || sshkey_type_plain(key->type) == KEY_DSA_CERT)) {
+		    size_t sign_size = 0;
+		    u_char *tmp = NULL;
+		    u_char data[] = "Test SHA1 vector";
+		    int res;
+
+		    res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
+		    free(tmp);
+		    if (res == SSH_ERR_LIBCRYPTO_ERROR) {
+			logit_f("sshd: ssh-dss is disabled, skipping key file %s", options.host_key_files[i]);
+			key = NULL;
+			continue;
+		    }
+		}
+ 		if (sshkey_is_sk(key) &&
+ 		    key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
+ 			debug("host key %s requires user presence, ignoring",
+@@ -2275,6 +2306,9 @@ main(int ac, char **av)
+ 
+ 	check_ip_options(ssh);
+ 
+	if (forbid_ssh_rsa)
+		ssh->compat |= SSH_RH_RSASIGSHA;
+
+ 	/* Prepare the channels layer */
+ 	channel_init_channels(ssh);
+ 	channel_set_af(ssh, options.address_family);
+diff -up openssh-9.7p1/ssh-rsa.c.sshrsacheck openssh-9.7p1/ssh-rsa.c
+--- openssh-9.7p1/ssh-rsa.c.sshrsacheck	2023-01-20 13:07:54.180676144 +0100
+++ openssh-9.7p1/ssh-rsa.c	2023-01-20 13:07:54.290677074 +0100
+@@ -254,7 +254,8 @@ ssh_rsa_verify(const struct sshkey *key,
+ 			ret = SSH_ERR_INVALID_ARGUMENT;
+ 			goto out;
+ 		}
+-		if (hash_alg != want_alg) {
+		if (hash_alg != want_alg && want_alg != SSH_DIGEST_SHA1) {
+			debug_f("Unexpected digest algorithm: got %d, wanted %d", hash_alg, want_alg);
+ 			ret = SSH_ERR_SIGNATURE_INVALID;
+ 			goto out;
+ 		}
--- a/openssh/openssh-9.7p1-pkcs11-uri.patch
+++ b/openssh/openssh-9.7p1-pkcs11-uri.patch
--- a/openssh/openssh.spec
+++ b/openssh/openssh.spec
@ -56,10 +56,10 @@
 %{?static_openssl:%global static_libcrypto 1}

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 9.6p1
+%global openssh_ver 9.7p1
 %global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 12
+%global pam_ssh_agent_rel 13

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@ -164,7 +164,7 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
 # Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
 # upstream MR:
 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
-Patch800: openssh-9.6p1-gssapi-keyex.patch
+Patch800: openssh-9.7p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.6p1-force_krb.patch
 # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
@ -204,7 +204,7 @@ Patch950: openssh-7.5p1-sandbox.patch
 # PKCS#11 URIs (upstream #2817, 2nd iteration)
 # https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
 # git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
-Patch951: openssh-9.6p1-pkcs11-uri.patch
+Patch951: openssh-9.7p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # Mention crypto-policies in manual pages (#1668325)
@ -246,11 +246,11 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
 # Don't propose disallowed algorithms during hostkey negotiation
 # upstream MR:
 # https://github.com/openssh/openssh-portable/pull/323
-Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
+Patch1006: openssh-9.7p1-negotiate-supported-algs.patch

 Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
-Patch1014: openssh-8.7p1-nohostsha1proof.patch
+Patch1014: openssh-9.7p1-nohostsha1proof.patch

 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin