1 files changed, 0 insertions, 117 deletions
diff --git a/openssh-8.7p1-negotiate-supported-algs.patch b/openssh-8.7p1-negotiate-supported-algs.patch
deleted file mode 100644
index ee3637f..0000000
--- a/openssh-8.7p1-negotiate-supported-algs.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
---- openssh-9.3p1/regress/hostkey-agent.sh.xxx	2023-05-29 18:15:56.311236887 +0200
-+++ openssh-9.3p1/regress/hostkey-agent.sh	2023-05-29 18:16:07.598503551 +0200
-@@ -17,8 +17,21 @@ trace "make CA key"
- 
- ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
- 
-+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
-+    grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
-+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
-+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
-+r=$?
-+if [ $r == 0 ]; then
-+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
-+r=$?
-+if [ $r -ne 0 ]; then
-+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
-+fi
-+fi
-+
- trace "load hostkeys"
--for k in $SSH_KEYTYPES ; do
-+for k in $SSH_ACCEPTED_KEYTYPES ; do
- 	${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
- 	${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
- 		-I localhost-with-alias $OBJ/agent-key.$k.pub || \
-@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
- 
- unset SSH_AUTH_SOCK
- 
--for k in $SSH_KEYTYPES ; do
-+for k in $SSH_ACCEPTED_KEYTYPES ; do
- 	verbose "key type $k"
-+	hka=$k
-+	if [ $k = "ssh-rsa" ]; then
-+	   hka="rsa-sha2-512"
-+	fi
- 	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
--	echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
-+	echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
- 	echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
--	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
-+	opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
- 	( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
- 	  cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
- 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
-@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
- done
- 
- SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
-+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
- 
- # Prepare sshd_proxy for certificates.
- cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
- HOSTKEYALGS=""
--for k in $SSH_CERTTYPES ; do
-+for k in $SSH_ACCEPTED_CERTTYPES ; do
- 	test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
- 	HOSTKEYALGS="${HOSTKEYALGS}${k}"
- done
--for k in $SSH_KEYTYPES ; do
-+for k in $SSH_ACCEPTED_KEYTYPES ; do
- 	echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
- 	echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
- 	test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
-@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
- ( printf '@cert-authority localhost-with-alias ' ;
-   cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
- 
--for k in $SSH_CERTTYPES ; do
-+for k in $SSH_ACCEPTED_CERTTYPES ; do
- 	verbose "cert type $k"
- 	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
- 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
-diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
---- openssh-9.3p1/sshconnect2.c.xxx	2023-04-26 17:37:35.100827792 +0200
-+++ openssh-9.3p1/sshconnect2.c	2023-04-26 17:50:31.860748877 +0200
-@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
-     const struct ssh_conn_info *cinfo)
- {
- 	char *myproposal[PROPOSAL_MAX];
--	char *s, *all_key, *hkalgs = NULL;
-+	char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL;
- 	int r, use_known_hosts_order = 0;
- 
- #if defined(GSSAPI) && defined(WITH_OPENSSL)
-@@ -260,9 +260,21 @@ ssh_kex2(struct ssh *ssh, char *host, st
- 	if (use_known_hosts_order)
- 		hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
- 
-+	filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
-+		               : match_filter_allowlist(options.hostkeyalgorithms,
-+				 options.pubkey_accepted_algos);
-+	if (filtered_algs == NULL) {
-+		if (hkalgs)
-+			fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
-+			       hkalgs, host, options.pubkey_accepted_algos);
-+		else
-+			fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
-+			        options.hostkeyalgorithms, options.pubkey_accepted_algos);
-+	}
-+
- 	kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers,
- 	    options.macs, compression_alg_list(options.compression),
--	    hkalgs ? hkalgs : options.hostkeyalgorithms);
-+	    filtered_algs);
- 
- #if defined(GSSAPI) && defined(WITH_OPENSSL)
- 	if (options.gss_keyex) {
-@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
- #endif
- 
- 	free(hkalgs);
-+	free(filtered_algs);
- 
- 	/* start key exchange */
- 	if ((r = kex_setup(ssh, myproposal)) != 0)