1 files changed, 117 insertions, 0 deletions

diff --git a/openssh-8.7p1-negotiate-supported-algs.patch b/openssh-8.7p1-negotiate-supported-algs.patch
new file mode 100644
index 0000000..ee3637f
--- /dev/null
+++ b/openssh-8.7p1-negotiate-supported-algs.patch
@@ -0,0 +1,117 @@
+diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
+--- openssh-9.3p1/regress/hostkey-agent.sh.xxx	2023-05-29 18:15:56.311236887 +0200
++++ openssh-9.3p1/regress/hostkey-agent.sh	2023-05-29 18:16:07.598503551 +0200
+@@ -17,8 +17,21 @@ trace "make CA key"
+ 
+ ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
+ 
++PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
++    grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
++SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
++echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
++r=$?
++if [ $r == 0 ]; then
++echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
++r=$?
++if [ $r -ne 0 ]; then
++SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
++fi
++fi
++
+ trace "load hostkeys"
+-for k in $SSH_KEYTYPES ; do
++for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
+ 	${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
+ 		-I localhost-with-alias $OBJ/agent-key.$k.pub || \
+@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
+ 
+ unset SSH_AUTH_SOCK
+ 
+-for k in $SSH_KEYTYPES ; do
++for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	verbose "key type $k"
++	hka=$k
++	if [ $k = "ssh-rsa" ]; then
++	   hka="rsa-sha2-512"
++	fi
+ 	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+-	echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
++	echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
+ 	echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
+-	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
++	opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
+ 	( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
+ 	  cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
+ 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
+@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
+ done
+ 
+ SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
++SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
+ 
+ # Prepare sshd_proxy for certificates.
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+ HOSTKEYALGS=""
+-for k in $SSH_CERTTYPES ; do
++for k in $SSH_ACCEPTED_CERTTYPES ; do
+ 	test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
+ 	HOSTKEYALGS="${HOSTKEYALGS}${k}"
+ done
+-for k in $SSH_KEYTYPES ; do
++for k in $SSH_ACCEPTED_KEYTYPES ; do
+ 	echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
+ 	echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
+ 	test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
+@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
+ ( printf '@cert-authority localhost-with-alias ' ;
+   cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
+ 
+-for k in $SSH_CERTTYPES ; do
++for k in $SSH_ACCEPTED_CERTTYPES ; do
+ 	verbose "cert type $k"
+ 	opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
+ 	SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
+diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
+--- openssh-9.3p1/sshconnect2.c.xxx	2023-04-26 17:37:35.100827792 +0200
++++ openssh-9.3p1/sshconnect2.c	2023-04-26 17:50:31.860748877 +0200
+@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
+     const struct ssh_conn_info *cinfo)
+ {
+ 	char *myproposal[PROPOSAL_MAX];
+-	char *s, *all_key, *hkalgs = NULL;
++	char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL;
+ 	int r, use_known_hosts_order = 0;
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+@@ -260,9 +260,21 @@ ssh_kex2(struct ssh *ssh, char *host, st
+ 	if (use_known_hosts_order)
+ 		hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
+ 
++	filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
++		               : match_filter_allowlist(options.hostkeyalgorithms,
++				 options.pubkey_accepted_algos);
++	if (filtered_algs == NULL) {
++		if (hkalgs)
++			fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
++			       hkalgs, host, options.pubkey_accepted_algos);
++		else
++			fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
++			        options.hostkeyalgorithms, options.pubkey_accepted_algos);
++	}
++
+ 	kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers,
+ 	    options.macs, compression_alg_list(options.compression),
+-	    hkalgs ? hkalgs : options.hostkeyalgorithms);
++	    filtered_algs);
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+ 	if (options.gss_keyex) {
+@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
+ #endif
+ 
+ 	free(hkalgs);
++	free(filtered_algs);
+ 
+ 	/* start key exchange */
+ 	if ((r = kex_setup(ssh, myproposal)) != 0)