initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/openssh-7.7p1-fips.patch

@@ -81,7 +81,7 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
  #include <openssl/crypto.h>
 +#include <openssl/fips.h>
  #include <openssl/dh.h>
- # ifdef HAVE_EVP_KDF_CTX_NEW_ID
+ # ifdef HAVE_EVP_KDF_CTX_NEW
  # include <openssl/kdf.h>
 @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';

SOURCES/openssh-8.0p1-openssl-kdf.patch

@@ -12,7 +12,7 @@ index 2a455e4e..e01c3d43 100644
  		HMAC_CTX_init \
  		RSA_generate_key_ex \
  		RSA_get_default_method \
-+		EVP_KDF_CTX_new_id \
++		EVP_KDF_CTX_new \
  	])
  
  	# OpenSSL_add_all_algorithms may be a macro.
@@ -20,33 +20,35 @@ diff --git a/kex.c b/kex.c
 index b6f041f4..1fbce2bb 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -38,6 +38,9 @@
+@@ -38,6 +38,11 @@
  #ifdef WITH_OPENSSL
  #include <openssl/crypto.h>
  #include <openssl/dh.h>
-+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
++# ifdef HAVE_EVP_KDF_CTX_NEW
 +# include <openssl/kdf.h>
++# include <openssl/param_build.h>
++# include <openssl/core_names.h>
 +# endif
  #endif
  
  #include "ssh.h"
-@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
+@@ -942,6 +945,112 @@ kex_choose_conf(struct ssh *ssh)
  	return r;
  }
  
-+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
-+static const EVP_MD *
++#ifdef HAVE_EVP_KDF_CTX_NEW
++static const char *
 +digest_to_md(int digest_type)
 +{
 +	switch (digest_type) {
 +	case SSH_DIGEST_SHA1:
-+		return EVP_sha1();
++		return SN_sha1;
 +	case SSH_DIGEST_SHA256:
-+		return EVP_sha256();
++		return SN_sha256;
 +	case SSH_DIGEST_SHA384:
-+		return EVP_sha384();
++		return SN_sha384;
 +	case SSH_DIGEST_SHA512:
-+		return EVP_sha512();
++		return SN_sha512;
 +	}
 +	return NULL;
 +}
@@ -56,52 +58,67 @@ index b6f041f4..1fbce2bb 100644
 +    const struct sshbuf *shared_secret, u_char **keyp)
 +{
 +	struct kex *kex = ssh->kex;
-+	EVP_KDF_CTX *ctx = NULL;
 +	u_char *key = NULL;
 +	int r, key_len;
 +
-+	if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
-+		return SSH_ERR_INVALID_ARGUMENT;
++	EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
++	EVP_KDF_CTX *ctx = NULL;
++	OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
++	OSSL_PARAM *params = NULL;
++       const char *md = digest_to_md(kex->hash_alg);
++       char keytype = (char)id;
++
++	if (!kdf) {
++		r = SSH_ERR_LIBCRYPTO_ERROR;
++		goto out;
++	}
++	ctx = EVP_KDF_CTX_new(kdf);
++	EVP_KDF_free(kdf);
++	if (!ctx) {
++		r = SSH_ERR_LIBCRYPTO_ERROR;
++		goto out;
++	}
++	if (md == NULL) {
++		r = SSH_ERR_INVALID_ARGUMENT;
++		goto out;
++	}
++
++	if (param_bld == NULL) {
++		EVP_KDF_CTX_free(ctx);
++		return -1;
++	}
++	if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) {
++		r = SSH_ERR_INVALID_ARGUMENT;
++		goto out;
++	}
++
 +	key_len = ROUNDUP(need, key_len);
 +	if ((key = calloc(1, key_len)) == NULL) {
 +		r = SSH_ERR_ALLOC_FAIL;
 +		goto out;
 +	}
 +
-+	ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
-+	if (!ctx) {
++	r =     OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++		                md, strlen(md)) && /* SN */
++		OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++				sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) &&
++		OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_XCGHASH,
++				hash, hashlen) &&
++		OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
++				sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) &&
++		OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++				&keytype, 1);
++	if (r != 1) {
 +		r = SSH_ERR_LIBCRYPTO_ERROR;
 +		goto out;
 +	}
 +
-+	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
-+	if (r != 1) {
++	params = OSSL_PARAM_BLD_to_param(param_bld);
++	if (params == NULL) {
 +		r = SSH_ERR_LIBCRYPTO_ERROR;
 +		goto out;
 +	}
-+	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
-+	    sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
-+	if (r != 1) {
-+		r = SSH_ERR_LIBCRYPTO_ERROR;
-+		goto out;
-+	}
-+	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
-+	if (r != 1) {
-+		r = SSH_ERR_LIBCRYPTO_ERROR;
-+		goto out;
-+	}
-+	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
-+	if (r != 1) {
-+		r = SSH_ERR_LIBCRYPTO_ERROR;
-+		goto out;
-+	}
-+	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
-+	    sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
-+	if (r != 1) {
-+		r = SSH_ERR_LIBCRYPTO_ERROR;
-+		goto out;
-+	}
-+	r = EVP_KDF_derive(ctx, key, key_len);
++	r = EVP_KDF_derive(ctx, key, key_len, params);
 +	if (r != 1) {
 +		r = SSH_ERR_LIBCRYPTO_ERROR;
 +		goto out;
@@ -115,6 +132,8 @@ index b6f041f4..1fbce2bb 100644
 +	r = 0;
 +
 +out:
++	OSSL_PARAM_BLD_free(param_bld);
++	OSSL_PARAM_free(params);
 +	free (key);
 +	EVP_KDF_CTX_free(ctx);
 +	if (r < 0) {
@@ -130,7 +149,7 @@ index b6f041f4..1fbce2bb 100644
  	ssh_digest_free(hashctx);
  	return r;
  }
-+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
++#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW */
  
  #define NKEYS	6
  int

SOURCES/openssh-8.7p1-allow-duplicate-subsystem.patch

@@ -0,0 +1,32 @@
+diff --git a/servconf.c b/servconf.c
+index e16f9e90fc71..a3779a9d86ee 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1942,13 +1942,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ 			fatal("%s line %d: %s missing argument.",
+ 			    filename, linenum, keyword);
+ 		if (!*activep) {
+-			arg = argv_next(&ac, &av);
++			argv_consume(&ac);
++			break;
++		}
++		found = 0;
++		for (i = 0; i < options->num_subsystems; i++) {
++			if (strcmp(arg, options->subsystem_name[i]) == 0) {
++				found = 1;
++				break;
++			}
++		}
++		if (found) {
++			debug("%s line %d: Subsystem '%s' already defined.",
++			    filename, linenum, arg);
++			argv_consume(&ac);
+ 			break;
+ 		}
+-		for (i = 0; i < options->num_subsystems; i++)
+-			if (strcmp(arg, options->subsystem_name[i]) == 0)
+-				fatal("%s line %d: Subsystem '%s' "
+-				    "already defined.", filename, linenum, arg);
+ 		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
+ 		arg = argv_next(&ac, &av);
+ 		if (!arg || *arg == '\0')

SOURCES/openssh-8.7p1-audit-hostname.patch

@@ -0,0 +1,106 @@
+diff --color -ruNp a/audit-linux.c b/audit-linux.c
+--- a/audit-linux.c	2024-05-09 12:38:08.843017319 +0200
++++ b/audit-linux.c	2024-05-09 12:47:05.162267634 +0200
+@@ -52,7 +52,7 @@ extern u_int utmp_len;
+ const char *audit_username(void);
+ 
+ static void
+-linux_audit_user_logxxx(int uid, const char *username,
++linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
+     const char *ip, const char *ttyn, int success, int event)
+ {
+ 	int audit_fd, rc, saved_errno;
+@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
+ 	}
+ 	rc = audit_log_acct_message(audit_fd, event,
+ 	    NULL, "login", username ? username : "(unknown)",
+-	    username == NULL ? uid : -1, NULL, ip, ttyn, success);
++	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ 	saved_errno = errno;
+ 	close(audit_fd);
+ 
+@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
+ {
+ 	if (!user_login_count++)
+ 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    options.use_dns ? remote_hostname(ssh) : NULL,
+ 		    ssh_remote_ipaddr(ssh),
+ 		    "ssh", 1, AUDIT_USER_LOGIN);
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    options.use_dns ? remote_hostname(ssh) : NULL,
+ 	    ssh_remote_ipaddr(ssh),
+ 	    "ssh", 1, AUDIT_USER_START);
+ 	return 0;
+@@ -193,10 +195,12 @@ void
+ audit_end_command(struct ssh *ssh, int handle, const char *command)
+ {
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    options.use_dns ? remote_hostname(ssh) : NULL,
+ 	    ssh_remote_ipaddr(ssh),
+ 	    "ssh", 1, AUDIT_USER_END);
+ 	if (user_login_count && !--user_login_count)
+ 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    options.use_dns ? remote_hostname(ssh) : NULL,
+ 		    ssh_remote_ipaddr(ssh),
+ 		    "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+@@ -211,19 +215,27 @@ void
+ audit_session_open(struct logininfo *li)
+ {
+ 	if (!user_login_count++)
+-		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++		linux_audit_user_logxxx(li->uid, NULL,
++		    options.use_dns ? li->hostname : NULL,
++		    options.use_dns ? NULL : li->hostname,
+ 		    li->line, 1, AUDIT_USER_LOGIN);
+-	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++	linux_audit_user_logxxx(li->uid, NULL,
++	    options.use_dns ? li->hostname : NULL,
++	    options.use_dns ? NULL : li->hostname,
+ 	    li->line, 1, AUDIT_USER_START);
+ }
+ 
+ void
+ audit_session_close(struct logininfo *li)
+ {
+-	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++	linux_audit_user_logxxx(li->uid, NULL,
++	    options.use_dns ? li->hostname : NULL,
++	    options.use_dns ? NULL : li->hostname,
+ 	    li->line, 1, AUDIT_USER_END);
+ 	if (user_login_count && !--user_login_count)
+-		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++		linux_audit_user_logxxx(li->uid, NULL,
++		    options.use_dns ? li->hostname : NULL,
++		    options.use_dns ? NULL : li->hostname,
+ 		    li->line, 1, AUDIT_USER_LOGOUT);
+ }
+ 
+@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 		linux_audit_user_auth(-1, audit_username(),
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ 		linux_audit_user_logxxx(-1, audit_username(),
++			options.use_dns ? remote_hostname(ssh) : NULL,
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ 		break;
+ 	case SSH_AUTH_FAIL_PASSWD:
+@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 		if (user_login_count) {
+ 			while (user_login_count--)
+ 				linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++				    options.use_dns ? remote_hostname(ssh) : NULL,
+ 				    ssh_remote_ipaddr(ssh),
+ 				    "ssh", 1, AUDIT_USER_END);
+ 			linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++			    options.use_dns ? remote_hostname(ssh) : NULL,
+ 			    ssh_remote_ipaddr(ssh),
+ 			    "ssh", 1, AUDIT_USER_LOGOUT);
+ 		}
+@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 	case SSH_CONNECTION_ABANDON:
+ 	case SSH_INVALID_USER:
+ 		linux_audit_user_logxxx(-1, audit_username(),
++			options.use_dns ? remote_hostname(ssh) : NULL,
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ 		break;
+ 	default:

SOURCES/openssh-8.7p1-openssl-log.patch

@@ -0,0 +1,65 @@
+diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
+--- openssh-8.7p1/log.c.xxx	2024-10-18 13:00:56.419560563 +0200
++++ openssh-8.7p1/log.c	2024-10-18 13:22:35.954819016 +0200
+@@ -438,6 +438,26 @@ sshlog(const char *file, const char *fun
+ 	va_end(args);
+ }
+ 
++#ifdef WITH_OPENSSL
++static int
++openssl_error_print_cb(const char *str, size_t len, void *u)
++{
++	sshlogdirect(SYSLOG_LEVEL_DEBUG1, 0, "openssl error %s", str);
++	return 0;
++}
++#endif
++
++void
++sshlog_openssl(int r)
++{
++#ifdef WITH_OPENSSL
++	if (r != SSH_ERR_LIBCRYPTO_ERROR) return;
++
++	ERR_print_errors_cb(openssl_error_print_cb, NULL);
++#endif
++	return;
++}
++
+ void
+ sshlogdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+diff -up openssh-8.7p1/log.h.xxx openssh-8.7p1/log.h
+--- openssh-8.7p1/log.h.xxx	2024-10-18 12:56:18.944971946 +0200
++++ openssh-8.7p1/log.h	2024-10-18 13:03:38.324351416 +0200
+@@ -71,6 +71,7 @@ void	 cleanup_exit(int) __attribute__((n
+ void	 sshlog(const char *, const char *, int, int,
+     LogLevel, const char *, const char *, ...)
+     __attribute__((format(printf, 7, 8)));
++void	 sshlog_openssl(int);
+ void	 sshlogv(const char *, const char *, int, int,
+     LogLevel, const char *, const char *, va_list);
+ void	 sshsigdie(const char *, const char *, int, int,
+diff -up openssh-8.7p1/auth2-pubkey.c.yyy openssh-8.7p1/auth2-pubkey.c
+--- openssh-8.7p1/auth2-pubkey.c.yyy	2024-10-18 13:27:00.709055845 +0200
++++ openssh-8.7p1/auth2-pubkey.c	2024-10-18 13:27:31.638784460 +0200
+@@ -131,6 +131,7 @@ userauth_pubkey(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
++		sshlog_openssl(r);
+ 		error_fr(r, "parse key");
+ 		goto done;
+ 	}
+diff -up openssh-8.7p1/dispatch.c.yyy openssh-8.7p1/dispatch.c
+--- openssh-8.7p1/dispatch.c.yyy	2024-10-18 13:27:56.349366570 +0200
++++ openssh-8.7p1/dispatch.c	2024-10-18 13:28:17.921874757 +0200
+@@ -130,6 +130,8 @@ ssh_dispatch_run_fatal(struct ssh *ssh,
+ {
+ 	int r;
+ 
+-	if ((r = ssh_dispatch_run(ssh, mode, done)) != 0)
++	if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) {
++		sshlog_openssl(r);
+ 		sshpkt_fatal(ssh, r, "%s", __func__);
++	}
+ }

SOURCES/openssh-8.7p1-redhat-help.patch

@@ -0,0 +1,40 @@
+diff -up openssh-8.7p1/ssh.c.xxx openssh-8.7p1/ssh.c
+--- openssh-8.7p1/ssh.c.xxx	2024-09-11 14:24:06.711088878 +0200
++++ openssh-8.7p1/ssh.c	2024-09-11 14:35:12.883765718 +0200
+@@ -175,6 +175,16 @@ extern int muxserver_sock;
+ extern u_int muxclient_command;
+ 
+ /* Prints a help message to the user.  This function never returns. */
++static void
++redhat_usage(void)
++{
++    if(isatty(fileno(stderr))) {
++	fprintf(stderr,
++"\nYou can find some explanations for typical errors at this link:\n"
++"	    https://red.ht/support_rhel_ssh\n"
++	);
++    }
++}
+ 
+ static void
+ usage(void)
+@@ -188,6 +196,7 @@ usage(void)
+ "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
+ "           [-w local_tun[:remote_tun]] destination [command]\n"
+ 	);
++	redhat_usage();
+ 	exit(255);
+ }
+ 
+@@ -1609,8 +1618,10 @@ main(int ac, char **av)
+ 	/* Open a connection to the remote host. */
+ 	if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port,
+ 	    options.connection_attempts,
+-	    &timeout_ms, options.tcp_keep_alive) != 0)
++	    &timeout_ms, options.tcp_keep_alive) != 0) {
++		redhat_usage();
+ 		exit(255);
++	}
+ 
+ 	if (addrs != NULL)
+ 		freeaddrinfo(addrs);

SOURCES/openssh-8.7p1-sigpipe.patch

@@ -0,0 +1,21 @@
+diff --git a/ssh.c b/ssh.c
+index 89ca1940..559bf2af 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1124,6 +1124,8 @@ main(int ac, char **av)
+ 		}
+ 	}
+ 
++	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
++
+ 	/*
+ 	 * Initialize "log" output.  Since we are the client all output
+ 	 * goes to stderr unless otherwise specified by -y or -E.
+@@ -1652,7 +1654,6 @@ main(int ac, char **av)
+ 	    options.num_system_hostfiles);
+ 	tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
+ 
+-	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+ 	ssh_signal(SIGCHLD, main_sigchld_handler);
+ 
+ 	/* Log into the remote system.  Never returns if the login fails. */

SOURCES/openssh-9.8p1-upstream-cve-2024-6387.patch

@@ -0,0 +1,30 @@
+diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
+--- openssh-8.7p1/log.c.xxx	2024-06-28 11:02:43.949912398 +0200
++++ openssh-8.7p1/log.c	2024-06-28 11:02:58.652297885 +0200
+@@ -455,12 +455,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
+diff -up openssh-8.7p1/sshd.c.xxx openssh-8.7p1/sshd.c
+--- openssh-8.7p1/sshd.c.xxx	2024-07-01 10:33:04.332907749 +0200
++++ openssh-8.7p1/sshd.c	2024-07-01 10:33:47.843998038 +0200
+@@ -384,7 +384,7 @@ grace_alarm_handler(int sig)
+ 
+ 	/* Log error and exit. */
+ 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
+-		cleanup_exit(255); /* don't log in privsep child */
++		_exit(255); /* don't log in privsep child */
+ 	else {
+ 		sigdie("Timeout before authentication for %s port %d",
+ 		    ssh_remote_ipaddr(the_active_state),

SOURCES/openssh-9.9p2-error_processing.patch

@@ -0,0 +1,69 @@
+diff --git a/krl.c b/krl.c
+index e2efdf06..0d0f6953 100644
+--- a/krl.c
++++ b/krl.c
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
+ 		goto out;
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+diff --git a/sshconnect2.c b/sshconnect2.c
+index a69c4da1..1ee6000a 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -99,7 +99,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
++	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -699,6 +699,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -709,6 +710,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -728,6 +730,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index 6e03c0b0..3da005d6 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -879,6 +879,7 @@ cert_filter_principals(const char *path, u_long linenum,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
++		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */

SOURCES/sshd-keygen

@@ -9,8 +9,14 @@ case $KEYTYPE in
 		if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
 			exit 0
 		fi ;;
-	"rsa") ;; # always ok
-	"ecdsa") ;;
+	"rsa")
+		if [[ ! -z $SSH_RSA_BITS  ]]; then
+			SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
+		fi ;; # always ok
+	"ecdsa") 
+		if [[ ! -z $SSH_ECDSA_BITS  ]]; then
+			SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
+		fi ;;
 	*) # wrong argument
 		exit 12 ;;
 esac
@@ -25,7 +31,7 @@ fi
 rm -f $KEY{,.pub}
 
 # create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
 	exit 1
 fi
 

SOURCES/sshd.sysconfig

@@ -5,3 +5,6 @@
 # example using  systemctl enable sshd-keygen@dsa.service  to allow creation
 # of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
 # creation.
+
+#SSH_RSA_BITS=3072
+#SSH_ECDSA_BITS=256

SPECS/openssh.spec

@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 38
+%global openssh_rel 45
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -57,8 +57,8 @@ Version: %{openssh_ver}
 Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
-Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
+Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
 Source3: gpgkey-736060BA.gpg
 Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
@@ -84,6 +84,8 @@ Patch100: openssh-6.7p1-coverity.patch
 Patch200: openssh-7.6p1-audit.patch
 # Audit race condition in forked child (#1310684)
 Patch201: openssh-7.1p2-audit-race-condition.patch
+# Correctly audit hostname and IP address
+Patch202: openssh-8.7p1-audit-hostname.patch
 
 # --- pam_ssh-agent ---
 # make it build reusing the openssh sources
@@ -288,6 +290,16 @@ Patch1017: openssh-9.4p2-limit-delay.patch
 Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 #upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
+Patch1020: openssh-8.7p1-sigpipe.patch
+Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch
+Patch1022: openssh-8.7p1-redhat-help.patch
+Patch1023: openssh-8.7p1-openssl-log.patch
+#upstream commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b
+Patch1024: openssh-8.7p1-allow-duplicate-subsystem.patch
+# upstream 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
+# upstream 0832aac79517611dd4de93ad0a83577994d9c907
+Patch1025: openssh-9.9p2-error_processing.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -484,6 +496,7 @@ popd
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
+%patch202 -p1 -b .audit-hostname
 %patch700 -p1 -b .fips
 
 %patch1000 -p1 -b .minimize-sha1-use
@@ -511,6 +524,12 @@ popd
 %patch1017 -p1 -b .limitdelay
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
+%patch1020 -p1 -b .earlypipe
+%patch1021 -p1 -b .cve-2024-6387
+%patch1022 -p1 -b .redhat-help
+%patch1023 -p1 -b .openssl-log
+%patch1024 -p1 -b .allow-dup-subsystem
+%patch1025 -p1 -b .errcode_set
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -798,6 +817,42 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Feb 18 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-45
+- Fix missing error codes set and invalid error code checks in OpenSSH. It
+  prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS
+  is on (CVE-2025-26465).
+  Resolves: RHEL-78700
+
+* Mon Oct 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-44
+- Add extra help information on ssh early failure
+  Resolves: RHEL-33809
+- Provide details on crypto error instead of "error in libcrypto"
+  Resolves: RHEL-52293
+- Allow duplicate Subsystem directive
+  Resolves: RHEL-47112
+
+* Tue Jul 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-43
+- Possible remote code execution due to a race condition (CVE-2024-6409)
+  Resolves: RHEL-45741
+
+* Thu Jul 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-42
+- Possible remote code execution due to a race condition (CVE-2024-6387)
+  Resolves: RHEL-45348
+
+* Mon Jun 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-41
+- Fix ssh multiplexing connect timeout processing
+  Resolves: RHEL-37748
+
+* Thu May 02 2024 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-40
+- Correctly audit hostname and IP address
+  Resolves: RHEL-22316
+- Make default key sizes configurable in sshd-keygen
+  Resolves: RHEL-26454
+
+* Wed Apr 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-39
+- Use FIPS-compatible API for key derivation
+  Resolves: RHEL-32809
+
 * Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38
 - Fix Terrapin attack
   Resolves: CVE-2023-48795