update to 9.1p1

This commit is contained in:
renmingshuai 2023-02-02 16:09:45 +08:00 committed by chengyechun
parent 3c60a33f0d
commit fd7afa4f0a
35 changed files with 3708 additions and 3706 deletions


@ -1,130 +0,0 @@
From 6c31ba10e97b6953c4f325f526f3e846dfea647a Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 1 Jul 2022 03:39:44 +0000
Subject: upstream: Don't leak the strings allocated by order_hostkeyalgs()
and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
github PR#324 from ZoltanFridrich, ok djm@
This is a roll-forward of the previous rollback now that the required
changes in compat.c have been done.
OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=6c31ba10e97b6953c4f325f526f3e846dfea647a
---
sshconnect2.c | 16 ++++++++++------
sshd.c | 17 +++++++++++------
2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 150d419..eb0df92 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
{
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key;
+ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
int r, use_known_hosts_order = 0;
#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(ssh, options.ciphers);
- myproposal[PROPOSAL_ENC_ALGS_STOC] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
compat_cipher_proposal(ssh, options.ciphers);
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] =
@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (use_known_hosts_order) {
/* Query known_hosts and prefer algorithms that appear there */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
compat_pkalg_proposal(ssh,
order_hostkeyalgs(host, hostaddr, port, cinfo));
} else {
/* Use specified HostkeyAlgorithms exactly */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
}
@@ -380,6 +380,10 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send packet");
#endif
+ /* Free only parts of proposal that were dynamically allocated here. */
+ free(prop_kex);
+ free(prop_enc);
+ free(prop_hostkey);
}
/*
diff --git a/sshd.c b/sshd.c
index 98a9754..6c77f07 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.578 2021/07/19 02:21:50 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2522,12 +2522,14 @@ do_ssh2_kex(struct ssh *ssh)
{
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
+ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
int r;
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
options.kex_algorithms);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
- options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
+ compat_cipher_proposal(ssh, options.ciphers);
myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
options.ciphers);
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -2542,8 +2544,8 @@ do_ssh2_kex(struct ssh *ssh)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
/* coverity[leaked_storage : FALSE]*/
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
- ssh, list_hostkey_types());
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+ compat_pkalg_proposal(ssh, list_hostkey_types());
#if defined(GSSAPI) && defined(WITH_OPENSSL)
{
@@ -2639,6 +2641,9 @@ do_ssh2_kex(struct ssh *ssh)
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send test");
#endif
+ free(prop_kex);
+ free(prop_enc);
+ free(prop_hostkey);
debug("KEX done");
}
--
2.33.0


@ -1,43 +0,0 @@
From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 14 Jul 2022 11:22:08 +1000
Subject: Return ERANGE from getcwd() if buffer size is 1.
If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
could result in a nul byte being written out of array bounds. POSIX says
it should return ERANGE if the path will not fit in the available buffer
(with terminating nul). 1 byte cannot fit any possible path with its nul,
so immediately return ERANGE in that case.
OpenSSH never uses getcwd() with this buffer size, and all current
(and even quite old) platforms that we are currently known to work
on have a native getcwd() so this code is not used on those anyway.
Reported by Qualys, ok djm@
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519
Conflict:NA
---
openbsd-compat/getcwd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index e4f7f5a..a403a01 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size)
*/
if (pt) {
ptsize = 0;
- if (!size) {
+ if (size == 0) {
errno = EINVAL;
return (NULL);
+ } else if (size == 1) {
+ errno = ERANGE;
+ return (NULL);
}
ept = pt + size;
} else {
--
2.33.0


@ -1,34 +0,0 @@
From ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 23 Jul 2022 14:36:38 +1000
Subject: [PATCH] Skip scp3 test if there's no scp on remote path.
scp -3 ends up using the scp that's in the remote path and will fail if
one is not available. Based on a patch from rapier at psc.edu.
Reference:https://github.com/openssh/openssh-portable/commit/ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43
Conflict:NA
---
regress/scp3.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/regress/scp3.sh b/regress/scp3.sh
index f71b1567..47db47cd 100644
--- a/regress/scp3.sh
+++ b/regress/scp3.sh
@@ -9,6 +9,12 @@ COPY2=${OBJ}/copy2
DIR=${COPY}.dd
DIR2=${COPY}.dd2
+$SSH -F $OBJ/ssh_proxy somehost \
+ 'IFS=":"; for i in $PATH;do [ -x "$i/scp" ] && exit 0; done; exit 1'
+if [ $? -eq 1 ]; then
+ skip "No scp on remote path."
+fi
+
SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
--
2.23.0


@ -1,33 +0,0 @@
From 7d25b37fb2a5ff4dadabcbdac6087a97479434f5 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Fri, 24 Jun 2022 13:46:39 +1000
Subject: [PATCH] fix possible NULL deref when built without FIDO
Analysis/fix from kircher in bz3443; ok dtucker@
Reference:https://github.com/openssh/openssh-portable/commit/7d25b37fb2a5ff
Conflict:NA
---
ssh-sk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssh-sk.c b/ssh-sk.c
index a1ff5cc4..ba514607 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -127,10 +127,11 @@ sshsk_open(const char *path)
ret->sk_enroll = ssh_sk_enroll;
ret->sk_sign = ssh_sk_sign;
ret->sk_load_resident_keys = ssh_sk_load_resident_keys;
+ return ret;
#else
error("internal security key support not enabled");
+ goto fail;
#endif
- return ret;
}
if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
error("Provider \"%s\" dlopen failed: %s", path, dlerror());
--
2.23.0


@ -1,88 +0,0 @@
From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 1 Jul 2022 03:35:45 +0000
Subject: upstream: Always return allocated strings from the kex filtering so
that we can free them later. Fix one leak in compat_kex_proposal. Based on
github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946
---
compat.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/compat.c b/compat.c
index 9120bd2..1d50349 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version)
debug_f("no match: %s", version);
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
{
if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
- return cipher_prop;
+ return xstrdup(cipher_prop);
debug2_f("original cipher proposal: %s", cipher_prop);
if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
fatal("match_filter_denylist failed");
@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
return cipher_prop;
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
{
if (!(ssh->compat & SSH_BUG_RSASIGMD5))
- return pkalg_prop;
+ return xstrdup(pkalg_prop);
debug2_f("original public key proposal: %s", pkalg_prop);
if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
fatal("match_filter_denylist failed");
@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
return pkalg_prop;
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_kex_proposal(struct ssh *ssh, char *p)
{
+ char *cp = NULL;
+
+
if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
- return p;
+ return xstrdup(p);
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
/* coverity[overwrite_var : FALSE] */
@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p)
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ cp = p;
/* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
fatal("match_filter_denylist failed");
+ free(cp);
}
debug2_f("compat KEX proposal: %s", p);
if (*p == '\0')
--
2.33.0


@ -1,37 +0,0 @@
From f29d6cf98c25bf044079032d22c1a57c63ab9d8e Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 18 Jun 2022 02:17:16 +0000
Subject: upstream: Don't attempt to fprintf a null identity comment. From
Martin Vahlensieck via tech@.
OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=f29d6cf98c25bf044079032d22c1a57c63ab9d8e
---
ssh-add.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh-add.c b/ssh-add.c
index 29c0b17..d60bafc 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.160 2021/04/03 06:18:41 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,7 +125,7 @@ delete_one(int agent_fd, const struct sshkey *key, const char *comment,
}
if (!qflag) {
fprintf(stderr, "Identity removed: %s %s (%s)\n", path,
- sshkey_type(key), comment);
+ sshkey_type(key), comment ? comment : "no comment");
}
return 0;
}
--
2.33.0


@ -1,63 +0,0 @@
From 17904f05802988d0bb9ed3c8d1d37411e8f459c3 Mon Sep 17 00:00:00 2001
From: "tobhe@openbsd.org" <tobhe@openbsd.org>
Date: Tue, 21 Jun 2022 14:52:13 +0000
Subject: upstream: Make sure not to fclose() the same fd twice in case of an
error.
ok dtucker@
OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=17904f05802988d0bb9ed3c8d1d37411e8f459c3
---
authfile.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/authfile.c b/authfile.c
index 8990137..dce1e84 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@@ -515,20 +515,25 @@ sshkey_save_public(const struct sshkey *key, const char *path,
return SSH_ERR_SYSTEM_ERROR;
if ((f = fdopen(fd, "w")) == NULL) {
r = SSH_ERR_SYSTEM_ERROR;
+ close(fd);
goto fail;
}
if ((r = sshkey_write(key, f)) != 0)
goto fail;
fprintf(f, " %s\n", comment);
- if (ferror(f) || fclose(f) != 0) {
+ if (ferror(f)) {
r = SSH_ERR_SYSTEM_ERROR;
+ goto fail;
+ }
+ if (fclose(f) != 0) {
+ r = SSH_ERR_SYSTEM_ERROR;
+ f = NULL;
fail:
- oerrno = errno;
- if (f != NULL)
+ if (f != NULL) {
+ oerrno = errno;
fclose(f);
- else
- close(fd);
- errno = oerrno;
+ errno = oerrno;
+ }
return r;
}
return 0;
--
2.33.0


@ -1,34 +0,0 @@
From 940dc10729cb5a95b7ee82c10184e2b9621c8a1d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 14 Sep 2022 00:13:13 +0000
Subject: [PATCH] upstream: a little extra debugging
OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a
Reference:https://github.com/openssh/openssh-portable/commit/940dc10729cb5a95b7ee82c10184e2b9621c8a1d
Conflict:NA
---
ssh-agent.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index ddda4d77..0aef07eb 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.278 2021/04/03 06:18:41 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.291 2022/09/14 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -845,6 +845,7 @@ process_sign_request2(SocketEntry *e)
/* Success */
ok = 0;
send:
+ debug_f("good signature");
notify_complete(notifier, "User presence confirmed");
if (ok == 0) {
--
2.23.0


@ -1,44 +0,0 @@
From 32ebaa0dbca5d0bb86e384e72bebc153f48413e4 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 23 Feb 2022 11:18:13 +0000
Subject: [PATCH] upstream: avoid integer overflow of auth attempts
(harmless,caught by monitor)
OpenBSD-Commit-ID: 488ad570b003b21e0cd9e7a00349cfc1003b4d86
Reference:https://github.com/openssh/openssh-portable/commit/32ebaa0dbca5d0
Conflict:NA
---
auth2.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c
index 7290d54..0de58e6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.164 2022/02/23 11:18:13 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -290,6 +290,8 @@ if (options.check_user_splash)
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ if (authctxt->attempt >= 1024)
+ auth_maxtries_exceeded(ssh);
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
@@ -298,6 +300,7 @@ if (options.check_user_splash)
authctxt->valid = 1;
debug2_f("setting up authctxt for %s", user);
} else {
+ authctxt->valid = 0;
/* Invalid user, fake password information */
authctxt->pw = fakepw();
}
--
2.23.0


@ -1,66 +0,0 @@
From 231a346c0c67cc7ca098360f9a554fa7d4f1eddb Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 19 Sep 2022 08:49:50 +0000
Subject: [PATCH] upstream: better debugging for connect_next()
OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640
Reference:https://github.com/openssh/openssh-portable/commit/231a346c0c67cc7ca098360f9a554fa7d4f1eddb
Conflict:NA
---
channels.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/channels.c b/channels.c
index 3ac51bac..6a78de9d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
+/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -4403,13 +4403,15 @@ connect_next(struct channel_connect *cctx)
if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
ntop, sizeof(ntop), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
- error("connect_next: getnameinfo failed");
+ error_f("getnameinfo failed");
continue;
}
break;
default:
continue;
}
+ debug_f("start for host %.100s ([%.100s]:%s)",
+ cctx->host, ntop, strport);
if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
cctx->ai->ai_protocol)) == -1) {
if (cctx->ai->ai_next == NULL)
@@ -4422,9 +4424,8 @@ connect_next(struct channel_connect *cctx)
fatal_f("set_nonblock(%d)", sock);
if (connect(sock, cctx->ai->ai_addr,
cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
- debug("connect_next: host %.100s ([%.100s]:%s): "
- "%.100s", cctx->host, ntop, strport,
- strerror(errno));
+ debug_f("host %.100s ([%.100s]:%s): %.100s",
+ cctx->host, ntop, strport, strerror(errno));
saved_errno = errno;
close(sock);
errno = saved_errno;
@@ -4432,8 +4433,8 @@ connect_next(struct channel_connect *cctx)
}
if (cctx->ai->ai_family != AF_UNIX)
set_nodelay(sock);
- debug("connect_next: host %.100s ([%.100s]:%s) "
- "in progress, fd=%d", cctx->host, ntop, strport, sock);
+ debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",
+ cctx->host, ntop, strport, sock);
cctx->ai = cctx->ai->ai_next;
return sock;
}
--
2.23.0


@ -1,56 +0,0 @@
From 5062ad48814b06162511c4f5924a33d97b6b2566 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 19 Aug 2022 03:06:30 +0000
Subject: upstream: double free() in error path; from Eusgor via GHPR333
OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=5062ad48814b06162511c4f5924a33d97b6b2566
---
sshsig.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sshsig.c b/sshsig.c
index 0e8abf1..58c7df4 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.30 2022/08/19 03:06:30 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
{
char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
ssize_t n, total = 0;
- struct ssh_digest_ctx *ctx;
+ struct ssh_digest_ctx *ctx = NULL;
int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
@@ -514,7 +514,6 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
continue;
oerrno = errno;
error_f("read: %s", strerror(errno));
- ssh_digest_free(ctx);
ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
@@ -550,9 +549,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
/* success */
r = 0;
out:
+ oerrno = errno;
sshbuf_free(b);
ssh_digest_free(ctx);
explicit_bzero(hash, sizeof(hash));
+ errno = oerrno;
return r;
}
--
2.33.0


@ -1,54 +0,0 @@
From 2c334fd36f80cb91cc42e4b978b10aa35e0df236 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 27 May 2022 04:29:40 +0000
Subject: upstream: f sshpkt functions fail, then password is not cleared
with freezero. Unconditionally call freezero to guarantee that password is
removed from RAM.
From tobias@ and c3h2_ctf via github PR#286, ok djm@
OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=2c334fd36f80cb91cc42e4b978b10aa35e0df236
---
auth2-passwd.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/auth2-passwd.c b/auth2-passwd.c
index be4b860..1d80481 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -51,16 +51,18 @@ extern ServerOptions options;
static int
userauth_passwd(struct ssh *ssh)
{
- char *password;
+ char *password = NULL;
int authenticated = 0, r;
u_char change;
- size_t len;
+ size_t len = 0;
if ((r = sshpkt_get_u8(ssh, &change)) != 0 ||
(r = sshpkt_get_cstring(ssh, &password, &len)) != 0 ||
(change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) ||
- (r = sshpkt_get_end(ssh)) != 0)
+ (r = sshpkt_get_end(ssh)) != 0) {
+ freezero(password, len);
fatal_fr(r, "parse packet");
+ }
if (change)
logit("password change not supported");
--
2.33.0


@ -1,46 +0,0 @@
From 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 Jul 2022 00:36:30 +0000
Subject: upstream: ignore SIGPIPE earlier in main(), specifically before
muxclient() which performs operations that could cause one; Reported by Noam
Lewis via bz3454, ok dtucker@
OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=96faa0de6c673a2ce84736eba37fc9fb723d9e5c
---
ssh.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index f55ff73..e987cd5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1135,6 +1135,8 @@ main(int ac, char **av)
}
}
+ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+
/*
* Initialize "log" output. Since we are the client all output
* goes to stderr unless otherwise specified by -y or -E.
@@ -1660,7 +1662,6 @@ main(int ac, char **av)
options.num_system_hostfiles);
tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
ssh_signal(SIGCHLD, main_sigchld_handler);
/* Log into the remote system. Never returns if the login fails. */
--
2.33.0


@ -1,41 +0,0 @@
From a0b5816f8f1f645acdf74f7bc11b34455ec30bac Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 18 Mar 2022 02:31:25 +0000
Subject: [PATCH] upstream: ssh-keygen -Y check-novalidate requires namespace
or SEGV
will ensue. Patch from Mateusz Adamowski via GHPR#307
OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
Reference:https://github.com/openssh/openssh-portable/commit/a0b5816f8f1f645acdf74f7bc11b34455ec30bac
Conflict:NA
---
ssh-keygen.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7fc616c..bd6ea16 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3489,6 +3489,12 @@ main(int argc, char **argv)
return sig_sign(identity_file, cert_principals,
argc, argv);
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
+ if (cert_principals == NULL ||
+ *cert_principals == '\0') {
+ error("Too few arguments for check-novalidate: "
+ "missing namespace");
+ exit(1);
+ }
if (ca_key_path == NULL) {
error("Too few arguments for check-novalidate: "
"missing signature file");
--
2.23.0


@ -6,7 +6,6 @@ Subject: [PATCH] openssh: add option check username splash
add a check to inhibit username contains splash add a check to inhibit username contains splash
add an option 'CheckUserSplash' so that user can turn off add an option 'CheckUserSplash' so that user can turn off
this check this check
--- ---
auth2.c | 4 +++- auth2.c | 4 +++-
servconf.c | 8 ++++++++ servconf.c | 8 ++++++++
@ -15,10 +14,10 @@ this check
4 files changed, 14 insertions(+), 1 deletion(-) 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c diff --git a/auth2.c b/auth2.c
index 4adc502..956b9cf 100644 index 203ba01..284ea19 100644
--- a/auth2.c --- a/auth2.c
+++ b/auth2.c +++ b/auth2.c
@@ -282,11 +282,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) @@ -281,11 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -34,10 +33,10 @@ index 4adc502..956b9cf 100644
*style++ = 0; *style++ = 0;
diff --git a/servconf.c b/servconf.c diff --git a/servconf.c b/servconf.c
index 7001d56..76147f9 100644 index d72fb62..6888971 100644
--- a/servconf.c --- a/servconf.c
+++ b/servconf.c +++ b/servconf.c
@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options) @@ -201,6 +201,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
@ -45,7 +44,7 @@ index 7001d56..76147f9 100644
options->fingerprint_hash = -1; options->fingerprint_hash = -1;
options->disable_forwarding = -1; options->disable_forwarding = -1;
options->expose_userauth_info = -1; options->expose_userauth_info = -1;
@@ -473,6 +474,8 @@ fill_default_server_options(ServerOptions *options) @@ -460,6 +461,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_DSCP_CS1; options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->version_addendum == NULL) if (options->version_addendum == NULL)
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
@ -54,15 +53,15 @@ index 7001d56..76147f9 100644
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177; options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1) if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -574,6 +577,7 @@ typedef enum { @@ -553,6 +556,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize,
+ sCheckUserSplash, + sCheckUserSplash,
sDeprecated, sIgnore, sUnsupported sDeprecated, sIgnore, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -740,6 +744,7 @@ static struct { @@ -726,6 +730,7 @@ static struct {
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
@ -70,7 +69,7 @@ index 7001d56..76147f9 100644
{ "rdomain", sRDomain, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
@@ -1360,6 +1365,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, @@ -1384,6 +1389,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM: case sUsePAM:
intptr = &options->use_pam; intptr = &options->use_pam;
goto parse_flag; goto parse_flag;
@ -81,30 +80,27 @@ index 7001d56..76147f9 100644
/* Standard Options */ /* Standard Options */
case sBadOption: case sBadOption:
diff --git a/servconf.h b/servconf.h diff --git a/servconf.h b/servconf.h
index a3827e5..2c16b5a 100644 index 77fd779..694addf 100644
--- a/servconf.h --- a/servconf.h
+++ b/servconf.h +++ b/servconf.h
@@ -226,6 +226,7 @@ typedef struct { @@ -237,6 +237,7 @@ typedef struct {
int fingerprint_hash; int fingerprint_hash;
int expose_userauth_info; int expose_userauth_info;
u_int64_t timing_secret; u_int64_t timing_secret;
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */ + int check_user_splash; /* check whether splash exists in username, if exist, disable login */
char *sk_provider; char *sk_provider;
int required_rsa_size; /* minimum size of RSA keys */
} ServerOptions; } ServerOptions;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index ebc28b3..b121450 100644 index 6d47368..973aecf 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server @@ -128,3 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
+#CheckUserSplash yes +#CheckUserSplash yes
+ +
-- --
2.23.0 2.27.0
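Review bot: The rebased servconf.h hunk keeps the field comment `/* check whether splash exists in username, if exist, disable login */`, which never says which character is rejected — "splash" is not a character name, and a maintainer reading `int check_user_splash;` next to `required_rsa_size` cannot tell what the option enforces. If the intent is a slash, the comment should name it, e.g. `/* CheckUserSplash: refuse logins whose user name contains '/' */`; the user-facing option name `CheckUserSplash` is better left unchanged for config compatibility and explained in sshd_config.5 instead. The sshd_config hunk now reads `@@ -128,3 +128,5 @@` and appends an empty `+` line after `#CheckUserSplash yes`, which adds a stray trailing blank line to the shipped config and can be dropped. The auth2.c hunk that applies the check and the servconf.c hunk that sets its default are only partly shown in this section, so whether the check defaults to on cannot be confirmed from here.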


@ -18,12 +18,12 @@ FingerprintHash sm3
digest.h | 3 +- digest.h | 3 +-
kex.c | 1 + kex.c | 1 +
kex.h | 3 + kex.h | 3 +
kexecdh.c | 22 ++- kexecdh.c | 23 +-
kexgen.c | 3 + kexgen.c | 3 +
kexsm2.c | 29 ++++ kexsm2.c | 406 ++++++++++++++++++++++++++
mac.c | 1 + mac.c | 1 +
pathnames.h | 1 + pathnames.h | 1 +
regress/agent.sh | 8 + regress/agent.sh | 9 +
regress/keytype.sh | 2 + regress/keytype.sh | 2 +
regress/knownhosts-command.sh | 1 + regress/knownhosts-command.sh | 1 +
regress/misc/fuzz-harness/sig_fuzz.cc | 4 + regress/misc/fuzz-harness/sig_fuzz.cc | 4 +
@ -31,18 +31,18 @@ FingerprintHash sm3
ssh-ecdsa.c | 6 +- ssh-ecdsa.c | 6 +-
ssh-keygen.c | 12 +- ssh-keygen.c | 12 +-
ssh-keyscan.c | 12 +- ssh-keyscan.c | 12 +-
ssh-sm2.c | 232 ++++++++++++++++++++++++++ ssh-sm2.c | 230 +++++++++++++++
ssh_api.c | 2 + ssh_api.c | 2 +
sshconnect2.c | 1 + sshconnect2.c | 1 +
sshd.c | 7 + sshd.c | 7 +
sshkey.c | 62 ++++++- sshkey.c | 62 +++-
sshkey.h | 9 + sshkey.h | 9 +
27 files changed, 417 insertions(+), 16 deletions(-) 27 files changed, 794 insertions(+), 16 deletions(-)
create mode 100644 kexsm2.c create mode 100644 kexsm2.c
create mode 100644 ssh-sm2.c create mode 100644 ssh-sm2.c
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 07bf440..fb8b006 100644 index 07bf440..1393190 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -100,14 +100,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -100,14 +100,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@ -50,7 +50,7 @@ index 07bf440..fb8b006 100644
readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \ readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \ atomicio.o dispatch.o mac.o misc.o utf8.o \
- monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
+ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o ssh-sm2.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-sm2.o ssh-ecdsa-sk.o \
ssh-ed25519-sk.o ssh-rsa.o dh.o \ ssh-ed25519-sk.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
@ -76,7 +76,7 @@ index 9f092f7..163b4b5 100644
case KEY_ECDSA_SK_CERT: case KEY_ECDSA_SK_CERT:
#endif #endif
diff --git a/authfile.c b/authfile.c diff --git a/authfile.c b/authfile.c
index d7827ed..8990137 100644 index 666730b..dce1e84 100644
--- a/authfile.c --- a/authfile.c
+++ b/authfile.c +++ b/authfile.c
@@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, @@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
@ -88,7 +88,7 @@ index d7827ed..8990137 100644
case KEY_ED25519: case KEY_ED25519:
case KEY_XMSS: case KEY_XMSS:
diff --git a/cipher.c b/cipher.c diff --git a/cipher.c b/cipher.c
index b54b994..16bfdcb 100644 index b54b994..039e414 100644
--- a/cipher.c --- a/cipher.c
+++ b/cipher.c +++ b/cipher.c
@@ -88,6 +88,7 @@ static const struct sshcipher ciphers[] = { @@ -88,6 +88,7 @@ static const struct sshcipher ciphers[] = {
@ -100,7 +100,7 @@ index b54b994..16bfdcb 100644
{ NULL, 0, 0, 0, 0, 0, NULL } { NULL, 0, 0, 0, 0, 0, NULL }
diff --git a/digest-openssl.c b/digest-openssl.c diff --git a/digest-openssl.c b/digest-openssl.c
index 94730e9..a93924b 100644 index 94730e9..fa92360 100644
--- a/digest-openssl.c --- a/digest-openssl.c
+++ b/digest-openssl.c +++ b/digest-openssl.c
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = { @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
@ -112,7 +112,7 @@ index 94730e9..a93924b 100644
}; };
diff --git a/digest.h b/digest.h diff --git a/digest.h b/digest.h
index c7ceeb3..e42affe 100644 index c7ceeb3..520722c 100644
--- a/digest.h --- a/digest.h
+++ b/digest.h +++ b/digest.h
@@ -27,7 +27,8 @@ @@ -27,7 +27,8 @@
@ -159,7 +159,7 @@ index d26ba26..8b95227 100644
void dump_digest(const char *, const u_char *, int); void dump_digest(const char *, const u_char *, int);
#endif #endif
diff --git a/kexecdh.c b/kexecdh.c diff --git a/kexecdh.c b/kexecdh.c
index efb2e55..a780517 100644 index efb2e55..69ec13b 100644
--- a/kexecdh.c --- a/kexecdh.c
+++ b/kexecdh.c +++ b/kexecdh.c
@@ -44,7 +44,7 @@ @@ -44,7 +44,7 @@
@ -176,7 +176,7 @@ index efb2e55..a780517 100644
goto out; goto out;
if ((r = kex_ecdh_dec_key_group(kex, client_blob, server_key, group, if ((r = kex_ecdh_dec_key_group(kex, client_blob, server_key, group,
- shared_secretp)) != 0) - shared_secretp)) != 0)
+ shared_secretp, 0)) != 0) + shared_secretp, 1)) != 0)
goto out; goto out;
*server_blobp = server_blob; *server_blobp = server_blob;
server_blob = NULL; server_blob = NULL;
@ -189,7 +189,7 @@ index efb2e55..a780517 100644
{ {
struct sshbuf *buf = NULL; struct sshbuf *buf = NULL;
BIGNUM *shared_secret = NULL; BIGNUM *shared_secret = NULL;
@@ -176,10 +176,18 @@ kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob, @@ -176,11 +176,20 @@ kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
r = SSH_ERR_ALLOC_FAIL; r = SSH_ERR_ALLOC_FAIL;
goto out; goto out;
} }
@ -209,14 +209,16 @@ index efb2e55..a780517 100644
+ goto out; + goto out;
+ } + }
} }
+
#ifdef DEBUG_KEXECDH #ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen); dump_digest("shared secret", kbuf, klen);
@@ -203,7 +211,7 @@ kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob, #endif
@@ -203,7 +212,7 @@ kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
int r; int r;
r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key, r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key,
- kex->ec_group, shared_secretp); - kex->ec_group, shared_secretp);
+ kex->ec_group, shared_secretp, 1); + kex->ec_group, shared_secretp, 0);
EC_KEY_free(kex->ec_client_key); EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL; kex->ec_client_key = NULL;
return r; return r;
@ -250,17 +252,394 @@ index 31f90f5..f3eff47 100644
break; break;
diff --git a/kexsm2.c b/kexsm2.c diff --git a/kexsm2.c b/kexsm2.c
new file mode 100644 new file mode 100644
index 0000000..f9b8bb9 index 0000000..f507557
--- /dev/null --- /dev/null
+++ b/kexsm2.c +++ b/kexsm2.c
@@ -0,0 +1,29 @@ @@ -0,0 +1,406 @@
+#include <openssl/err.h> +#include <openssl/err.h>
+#include <openssl/evp.h> +#include <openssl/evp.h>
+#include <openssl/bn.h> +#include <openssl/bn.h>
+#include <string.h>
+#include <openssl/ecdh.h> +#include <openssl/ecdh.h>
+#include <openssl/ec.h> +#include <openssl/ec.h>
+#include <openssl/sm2.h> +
+#include <string.h> +int sm2_compute_z_digest(uint8_t *out,
+ const EVP_MD *digest,
+ const uint8_t *id,
+ const size_t id_len,
+ const EC_KEY *key)
+{
+ int rc = 0;
+ const EC_GROUP *group = EC_KEY_get0_group(key);
+ BN_CTX *ctx = NULL;
+ EVP_MD_CTX *hash = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *a = NULL;
+ BIGNUM *b = NULL;
+ BIGNUM *xG = NULL;
+ BIGNUM *yG = NULL;
+ BIGNUM *xA = NULL;
+ BIGNUM *yA = NULL;
+ int p_bytes = 0;
+ uint8_t *buf = NULL;
+ uint16_t entl = 0;
+ uint8_t e_byte = 0;
+
+ hash = EVP_MD_CTX_new();
+ ctx = BN_CTX_new();
+ if (hash == NULL || ctx == NULL) {
+ goto done;
+ }
+
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ b = BN_CTX_get(ctx);
+ xG = BN_CTX_get(ctx);
+ yG = BN_CTX_get(ctx);
+ xA = BN_CTX_get(ctx);
+ yA = BN_CTX_get(ctx);
+
+ if (yA == NULL) {
+ goto done;
+ }
+
+ if (!EVP_DigestInit(hash, digest)) {
+ goto done;
+ }
+
+ /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
+
+ if (id_len >= (UINT16_MAX / 8)) {
+ /* too large */
+ goto done;
+ }
+
+ entl = (uint16_t)(8 * id_len);
+
+ e_byte = entl >> 8;
+ if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+ goto done;
+ }
+ e_byte = entl & 0xFF;
+ if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+ goto done;
+ }
+
+ if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
+ goto done;
+ }
+
+ if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
+ goto done;
+ }
+
+ p_bytes = BN_num_bytes(p);
+ buf = OPENSSL_zalloc(p_bytes);
+ if (buf == NULL) {
+ goto done;
+ }
+
+ if (BN_bn2binpad(a, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(b, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EC_POINT_get_affine_coordinates(group,
+ EC_GROUP_get0_generator(group),
+ xG, yG, ctx)
+ || BN_bn2binpad(xG, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(yG, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EC_POINT_get_affine_coordinates(group,
+ EC_KEY_get0_public_key(key),
+ xA, yA, ctx)
+ || BN_bn2binpad(xA, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(yA, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EVP_DigestFinal(hash, out, NULL)) {
+ goto done;
+ }
+
+ rc = 1;
+
+ done:
+ OPENSSL_free(buf);
+ BN_CTX_free(ctx);
+ EVP_MD_CTX_free(hash);
+ return rc;
+}
+
+
+/* GM/T003_2012 Defined Key Derive Function */
+int kdf_gmt003_2012(unsigned char *out, size_t outlen, const unsigned char *Z, size_t Zlen, const unsigned char *SharedInfo, size_t SharedInfolen, const EVP_MD *md)
+{
+ EVP_MD_CTX *mctx = NULL;
+ unsigned int counter;
+ unsigned char ctr[4];
+ size_t mdlen;
+ int retval = 0;
+ unsigned char dgst[EVP_MAX_MD_SIZE];
+
+ if (!out || !outlen) return retval;
+ if (md == NULL) {
+ md = EVP_sm3();
+ }
+ mdlen = EVP_MD_size(md);
+ mctx = EVP_MD_CTX_new();
+ if (mctx == NULL) {
+ goto err;
+ }
+
+ for (counter = 1;; counter++) {
+ if (!EVP_DigestInit(mctx, md)) {
+ goto err;
+ }
+ ctr[0] = (unsigned char)((counter >> 24) & 0xFF);
+ ctr[1] = (unsigned char)((counter >> 16) & 0xFF);
+ ctr[2] = (unsigned char)((counter >> 8) & 0xFF);
+ ctr[3] = (unsigned char)(counter & 0xFF);
+
+ if (!EVP_DigestUpdate(mctx, Z, Zlen)) {
+ goto err;
+ }
+ if (!EVP_DigestUpdate(mctx, ctr, sizeof(ctr))) {
+ goto err;
+ }
+ if (!EVP_DigestUpdate(mctx, SharedInfo, SharedInfolen)) {
+ goto err;
+ }
+ if (!EVP_DigestFinal(mctx, dgst, NULL)) {
+ goto err;
+ }
+
+ if (outlen > mdlen) {
+ memcpy(out, dgst, mdlen);
+ out += mdlen;
+ outlen -= mdlen;
+ } else {
+ memcpy(out, dgst, outlen);
+ memset(dgst, 0, mdlen);
+ break;
+ }
+ }
+
+ retval = 1;
+
+err:
+ EVP_MD_CTX_free(mctx);
+ return retval;
+}
+
+int sm2_kap_compute_key(void *out, size_t outlen, int server,\
+ const uint8_t *peer_uid, int peer_uid_len, const uint8_t *self_uid, int self_uid_len, \
+ const EC_KEY *peer_ecdhe_key, const EC_KEY *self_ecdhe_key, const EC_KEY *peer_pub_key, const EC_KEY *self_eckey, \
+ const EVP_MD *md)
+{
+ BN_CTX *ctx = NULL;
+ EC_POINT *UorV = NULL;
+ const EC_POINT *Rs, *Rp;
+ BIGNUM *Xs = NULL, *Xp = NULL, *h = NULL, *t = NULL, *two_power_w = NULL, *order = NULL;
+ const BIGNUM *priv_key, *r;
+ const EC_GROUP *group;
+ int w;
+ int ret = -1;
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+
+ if (outlen > INT_MAX) {
+ goto err;
+ }
+
+ if (!peer_pub_key || !self_eckey) {
+ goto err;
+ }
+
+ priv_key = EC_KEY_get0_private_key(self_eckey);
+ if (!priv_key) {
+ goto err;
+ }
+
+ if (!peer_ecdhe_key || !self_ecdhe_key) {
+ goto err;
+ }
+
+ Rs = EC_KEY_get0_public_key(self_ecdhe_key);
+ Rp = EC_KEY_get0_public_key(peer_ecdhe_key);
+ r = EC_KEY_get0_private_key(self_ecdhe_key);
+
+ if (!Rs || !Rp || !r) {
+ goto err;
+ }
+
+ ctx = BN_CTX_new();
+ Xs = BN_new();
+ Xp = BN_new();
+ h = BN_new();
+ t = BN_new();
+ two_power_w = BN_new();
+ order = BN_new();
+ if (!Xs || !Xp || !h || !t || !two_power_w || !order) {
+ goto err;
+ }
+
+ group = EC_KEY_get0_group(self_eckey);
+
+ /*Second: Caculate -- w*/
+ if (!EC_GROUP_get_order(group, order, ctx) || !EC_GROUP_get_cofactor(group, h, ctx)) {
+ goto err;
+ }
+
+ w = (BN_num_bits(order) + 1) / 2 - 1;
+ if (!BN_lshift(two_power_w, BN_value_one(), w)) {
+ goto err;
+ }
+
+ /*Third: Caculate -- X = 2 ^ w + (x & (2 ^ w - 1)) = 2 ^ w + (x mod 2 ^ w)*/
+ UorV = EC_POINT_new(group);
+
+ if (!UorV) {
+ goto err;
+ }
+
+ /*Test peer public key On curve*/
+ if (!EC_POINT_is_on_curve(group, Rp, ctx)) {
+ goto err;
+ }
+
+ /*Get x*/
+ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
+ if (!EC_POINT_get_affine_coordinates_GFp(group, Rs, Xs, NULL, ctx)) {
+ goto err;
+ }
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, Rp, Xp, NULL, ctx)) {
+ goto err;
+ }
+ }
+
+ /*x mod 2 ^ w*/
+ /*Caculate Self x*/
+ if (!BN_nnmod(Xs, Xs, two_power_w, ctx)) {
+ goto err;
+ }
+
+ if (!BN_add(Xs, Xs, two_power_w)) {
+ goto err;
+ }
+
+ /*Caculate Peer x*/
+ if (!BN_nnmod(Xp, Xp, two_power_w, ctx)) {
+ goto err;
+ }
+
+ if (!BN_add(Xp, Xp, two_power_w)) {
+ goto err;
+ }
+
+ /*Forth: Caculate t*/
+ if (!BN_mod_mul(t, Xs, r, order, ctx)) {
+ goto err;
+ }
+
+ if (!BN_mod_add(t, t, priv_key, order, ctx)) {
+ goto err;
+ }
+
+ /*Fifth: Caculate V or U*/
+ if (!BN_mul(t, t, h, ctx)) {
+ goto err;
+ }
+
+ /* [x]R */
+ if (!EC_POINT_mul(group, UorV, NULL, Rp, Xp, ctx)) {
+ goto err;
+ }
+
+ /* P + [x]R */
+ if (!EC_POINT_add(group, UorV, UorV, EC_KEY_get0_public_key(peer_pub_key), ctx)) {
+ goto err;
+ }
+
+ if (!EC_POINT_mul(group, UorV, NULL, UorV, t, ctx)) {
+ goto err;
+ }
+
+ /* Detect UorV is in */
+ if (EC_POINT_is_at_infinity(group, UorV)) {
+ goto err;
+ }
+
+ /*Sixth: Caculate Key -- Need Xuorv, Yuorv, Zc, Zs, klen*/
+ {
+ /*
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+ */
+ size_t elemet_len, idx;
+
+ elemet_len = (size_t)((EC_GROUP_get_degree(group) + 7) / 8);
+ buflen = elemet_len * 2 + 32 * 2 + 1; /*add 1 byte tag*/
+ buf = (unsigned char *)OPENSSL_malloc(buflen + 10);
+ if (!buf) {
+ goto err;
+ }
+ memset(buf, 0, buflen + 10);
+ /*1 : Get public key for UorV, Notice: the first byte is a tag, not a valid char*/
+ idx = EC_POINT_point2oct(group, UorV, 4, buf, buflen, ctx);
+ if (!idx) {
+ goto err;
+ }
+
+ if (!server) {
+ /*SIDE A*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+ }
+
+ /*Caculate Peer Z*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)peer_uid, peer_uid_len, peer_pub_key)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+
+ if (server) {
+ /*SIDE B*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+ }
+
+ len = outlen;
+ if (!kdf_gmt003_2012(out, len, (const unsigned char *)(buf + 1), idx - 1, NULL, 0, md)) {
+ goto err;
+ }
+ }
+
+ ret = outlen;
+
+err:
+ if (Xs) BN_free(Xs);
+ if (Xp) BN_free(Xp);
+ if (h) BN_free(h);
+ if (t) BN_free(t);
+ if (two_power_w) BN_free(two_power_w);
+ if (order) BN_free(order);
+ if (UorV) EC_POINT_free(UorV);
+ if (buf) OPENSSL_free(buf);
+ if (ctx) BN_CTX_free(ctx);
+
+ return ret;
+}
+ +
+int SM2KAP_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *eckey, int server) +int SM2KAP_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *eckey, int server)
+{ +{
@ -277,14 +656,14 @@ index 0000000..f9b8bb9
+ goto out; + goto out;
+ } + }
+ +
+ ret = SM2_compute_key(out, outlen, server, id, sizeof(id), id, sizeof(id), pubkey, eckey, pubkey, eckey, (EVP_MD*)EVP_sm3()); + ret = sm2_kap_compute_key(out, outlen, server, id, sizeof(id), id, sizeof(id), pubkey, eckey, pubkey, eckey, (EVP_MD*)EVP_sm3());
+ +
+out: +out:
+ EC_KEY_free(pubkey); + EC_KEY_free(pubkey);
+ return ret; + return ret;
+} +}
diff --git a/mac.c b/mac.c diff --git a/mac.c b/mac.c
index bf051ba..d643dc8 100644 index bf051ba..2de17a0 100644
--- a/mac.c --- a/mac.c
+++ b/mac.c +++ b/mac.c
@@ -65,6 +65,7 @@ static const struct macalg macs[] = { @@ -65,6 +65,7 @@ static const struct macalg macs[] = {
@ -296,7 +675,7 @@ index bf051ba..d643dc8 100644
/* Encrypt-then-MAC variants */ /* Encrypt-then-MAC variants */
{ "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 }, { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
diff --git a/pathnames.h b/pathnames.h diff --git a/pathnames.h b/pathnames.h
index a094888..0323fac 100644 index a094888..0a805ad 100644
--- a/pathnames.h --- a/pathnames.h
+++ b/pathnames.h +++ b/pathnames.h
@@ -80,6 +80,7 @@ @@ -80,6 +80,7 @@
@ -308,10 +687,10 @@ index a094888..0323fac 100644
/* /*
* Configuration file in user's home directory. This file need not be * Configuration file in user's home directory. This file need not be
diff --git a/regress/agent.sh b/regress/agent.sh diff --git a/regress/agent.sh b/regress/agent.sh
index f187b67..046c2a6 100644 index f187b67..42a5124 100644
--- a/regress/agent.sh --- a/regress/agent.sh
+++ b/regress/agent.sh +++ b/regress/agent.sh
@@ -87,9 +87,17 @@ fi @@ -87,9 +87,18 @@ fi
for t in ${SSH_KEYTYPES}; do for t in ${SSH_KEYTYPES}; do
trace "connect via agent using $t key" trace "connect via agent using $t key"
if [ "$t" = "ssh-dss" ]; then if [ "$t" = "ssh-dss" ]; then
@ -326,6 +705,7 @@ index f187b67..046c2a6 100644
+ echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/ssh_proxy + echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/ssh_proxy
+ echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/sshd_proxy + echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/sshd_proxy
+ fi + fi
+
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \ ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
somehost exit 52 somehost exit 52
r=$? r=$?
@ -384,17 +764,17 @@ index b32502b..f260692 100644
sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details); sshkey_sig_details_free(details);
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index 3bd71a9..9c537d1 100644 index 3bd71a9..312e8f2 100644
--- a/regress/unittests/kex/test_kex.c --- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c
@@ -153,6 +153,7 @@ do_kex_with_key(char *kex, int keytype, int bits) @@ -152,6 +152,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
+ server2->kex->kex[KEX_SM2_SM3] = kex_gen_server; + server2->kex->kex[KEX_SM2_SM3] = kex_gen_server;
server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
server2->kex->load_host_public_key = server->kex->load_host_public_key; server2->kex->load_host_public_key = server->kex->load_host_public_key;
server2->kex->load_host_private_key = server->kex->load_host_private_key; server2->kex->load_host_private_key = server->kex->load_host_private_key;
server2->kex->sign = server->kex->sign;
@@ -186,6 +187,7 @@ do_kex(char *kex) @@ -186,6 +187,7 @@ do_kex(char *kex)
#endif /* OPENSSL_HAS_ECC */ #endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
@ -412,7 +792,7 @@ index 3bd71a9..9c537d1 100644
do_kex("sntrup761x25519-sha512@openssh.com"); do_kex("sntrup761x25519-sha512@openssh.com");
# endif /* USE_SNTRUP761X25519 */ # endif /* USE_SNTRUP761X25519 */
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index b036796..7eed8ae 100644 index b036796..6697be6 100644
--- a/ssh-ecdsa.c --- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c +++ b/ssh-ecdsa.c
@@ -66,7 +66,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, @@ -66,7 +66,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
@ -436,7 +816,7 @@ index b036796..7eed8ae 100644
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
diff --git a/ssh-keygen.c b/ssh-keygen.c diff --git a/ssh-keygen.c b/ssh-keygen.c
index e04bade..7fc616c 100644 index b9c4dce..bd6ea16 100644
--- a/ssh-keygen.c --- a/ssh-keygen.c
+++ b/ssh-keygen.c +++ b/ssh-keygen.c
@@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) @@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
@ -494,7 +874,7 @@ index e04bade..7fc616c 100644
" ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n" " ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n"
" [-P old_passphrase] [-Z cipher]\n" " [-P old_passphrase] [-Z cipher]\n"
diff --git a/ssh-keyscan.c b/ssh-keyscan.c diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 9ec4d9a..94a734c 100644 index 9ec4d9a..be2af0a 100644
--- a/ssh-keyscan.c --- a/ssh-keyscan.c
+++ b/ssh-keyscan.c +++ b/ssh-keyscan.c
@@ -63,9 +63,10 @@ int ssh_port = SSH_DEFAULT_PORT; @@ -63,9 +63,10 @@ int ssh_port = SSH_DEFAULT_PORT;
@ -541,10 +921,10 @@ index 9ec4d9a..94a734c 100644
break; break;
diff --git a/ssh-sm2.c b/ssh-sm2.c diff --git a/ssh-sm2.c b/ssh-sm2.c
new file mode 100644 new file mode 100644
index 0000000..4d452e4 index 0000000..c242139
--- /dev/null --- /dev/null
+++ b/ssh-sm2.c +++ b/ssh-sm2.c
@@ -0,0 +1,232 @@ @@ -0,0 +1,220 @@
+#include "includes.h" +#include "includes.h"
+#include <sys/types.h> +#include <sys/types.h>
+#include <openssl/bn.h> +#include <openssl/bn.h>
@ -582,9 +962,8 @@ index 0000000..4d452e4
+ *sigp = NULL; + *sigp = NULL;
+ +
+ if (key == NULL || key->ecdsa == NULL || + if (key == NULL || key->ecdsa == NULL ||
+ sshkey_type_plain(key->type) != KEY_SM2) { + sshkey_type_plain(key->type) != KEY_SM2)
+ return SSH_ERR_INVALID_ARGUMENT; + return SSH_ERR_INVALID_ARGUMENT;
+ }
+ +
+ if ((key_sm2 = EVP_PKEY_new()) == NULL) { + if ((key_sm2 = EVP_PKEY_new()) == NULL) {
+ return SSH_ERR_ALLOC_FAIL; + return SSH_ERR_ALLOC_FAIL;
@ -602,11 +981,6 @@ index 0000000..4d452e4
+ +
+ slen = pkey_len; + slen = pkey_len;
+ +
+ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+ ret = SSH_ERR_INTERNAL_ERROR;
+ goto out;
+ }
+
+ if ((sig = OPENSSL_malloc(pkey_len)) == NULL) { + if ((sig = OPENSSL_malloc(pkey_len)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL; + ret = SSH_ERR_ALLOC_FAIL;
+ goto out; + goto out;
@ -652,7 +1026,6 @@ index 0000000..4d452e4
+ if ((r = sshbuf_put_cstring(b, "sm2")) != 0 || + if ((r = sshbuf_put_cstring(b, "sm2")) != 0 ||
+ (r = sshbuf_put_string(b, sig, slen)) != 0) + (r = sshbuf_put_string(b, sig, slen)) != 0)
+ goto out; + goto out;
+
+ len = sshbuf_len(b); + len = sshbuf_len(b);
+ if (sigp != NULL) { + if (sigp != NULL) {
+ if ((*sigp = malloc(len)) == NULL) { + if ((*sigp = malloc(len)) == NULL) {
@ -667,7 +1040,7 @@ index 0000000..4d452e4
+ +
+out: +out:
+ EVP_PKEY_free(key_sm2); + EVP_PKEY_free(key_sm2);
+ if (sig != NULL){ + if (sig != NULL) {
+ explicit_bzero(sig, slen); + explicit_bzero(sig, slen);
+ OPENSSL_free(sig); + OPENSSL_free(sig);
+ } + }
@ -731,11 +1104,6 @@ index 0000000..4d452e4
+ goto out; + goto out;
+ } + }
+ +
+ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+ ret = SSH_ERR_INTERNAL_ERROR;
+ goto out;
+ }
+
+ if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) { + if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL; + ret = SSH_ERR_ALLOC_FAIL;
+ goto out; + goto out;
@ -798,7 +1166,7 @@ index d3c6617..adc2598 100644
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
diff --git a/sshconnect2.c b/sshconnect2.c diff --git a/sshconnect2.c b/sshconnect2.c
index aa32ece..e90eb89 100644 index fafc0a2..9a01f1a 100644
--- a/sshconnect2.c --- a/sshconnect2.c
+++ b/sshconnect2.c +++ b/sshconnect2.c
@@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, @@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
@ -810,7 +1178,7 @@ index aa32ece..e90eb89 100644
# ifdef GSSAPI # ifdef GSSAPI
if (options.gss_keyex) { if (options.gss_keyex) {
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index b7b0c18..dd7cdee 100644 index 8424e33..57d70fe 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -706,6 +706,7 @@ list_hostkey_types(void) @@ -706,6 +706,7 @@ list_hostkey_types(void)
@ -856,7 +1224,7 @@ index b7b0c18..dd7cdee 100644
case KEY_ED25519: case KEY_ED25519:
case KEY_ECDSA_SK: case KEY_ECDSA_SK:
case KEY_ED25519_SK: case KEY_ED25519_SK:
@@ -2570,6 +2576,7 @@ do_ssh2_kex(struct ssh *ssh) @@ -2572,6 +2578,7 @@ do_ssh2_kex(struct ssh *ssh)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server; kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@ -865,7 +1233,7 @@ index b7b0c18..dd7cdee 100644
# ifdef GSSAPI # ifdef GSSAPI
if (options.gss_keyex) { if (options.gss_keyex) {
diff --git a/sshkey.c b/sshkey.c diff --git a/sshkey.c b/sshkey.c
index b0c2189..1b70488 100644 index b0c2189..51f8e51 100644
--- a/sshkey.c --- a/sshkey.c
+++ b/sshkey.c +++ b/sshkey.c
@@ -159,6 +159,8 @@ static const struct keytype keytypes[] = { @@ -159,6 +159,8 @@ static const struct keytype keytypes[] = {
@ -886,15 +1254,15 @@ index b0c2189..1b70488 100644
return 1; return 1;
} }
return 0; return 0;
@@ -340,6 +344,8 @@ sshkey_size(const struct sshkey *k) @@ -342,6 +346,8 @@ sshkey_size(const struct sshkey *k)
return BN_num_bits(dsa_p);
case KEY_ECDSA:
case KEY_ECDSA_CERT: case KEY_ECDSA_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
case KEY_ECDSA_SK: case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT: case KEY_ECDSA_SK_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
return sshkey_curve_nid_to_bits(k->ecdsa_nid); return sshkey_curve_nid_to_bits(k->ecdsa_nid);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
@@ -366,6 +372,8 @@ sshkey_type_is_valid_ca(int type) @@ -366,6 +372,8 @@ sshkey_type_is_valid_ca(int type)
case KEY_ED25519: case KEY_ED25519:
case KEY_ED25519_SK: case KEY_ED25519_SK:
@ -940,15 +1308,15 @@ index b0c2189..1b70488 100644
default: default:
return NULL; return NULL;
} }
@@ -693,6 +709,8 @@ sshkey_new(int type) @@ -695,6 +711,8 @@ sshkey_new(int type)
break;
case KEY_ECDSA:
case KEY_ECDSA_CERT: case KEY_ECDSA_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
case KEY_ECDSA_SK: case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT: case KEY_ECDSA_SK_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
/* Cannot do anything until we know the group */ /* Cannot do anything until we know the group */
break;
#endif /* WITH_OPENSSL */
@@ -749,6 +767,8 @@ sshkey_free(struct sshkey *k) @@ -749,6 +767,8 @@ sshkey_free(struct sshkey *k)
/* FALLTHROUGH */ /* FALLTHROUGH */
case KEY_ECDSA: case KEY_ECDSA:
@ -962,8 +1330,8 @@ index b0c2189..1b70488 100644
/* FALLTHROUGH */ /* FALLTHROUGH */
case KEY_ECDSA_CERT: case KEY_ECDSA_CERT:
case KEY_ECDSA: case KEY_ECDSA:
+ case KEY_SM2_CERT:
+ case KEY_SM2: + case KEY_SM2:
+ case KEY_SM2_CERT:
if (a->ecdsa == NULL || b->ecdsa == NULL || if (a->ecdsa == NULL || b->ecdsa == NULL ||
EC_KEY_get0_public_key(a->ecdsa) == NULL || EC_KEY_get0_public_key(a->ecdsa) == NULL ||
EC_KEY_get0_public_key(b->ecdsa) == NULL) EC_KEY_get0_public_key(b->ecdsa) == NULL)
@ -1049,14 +1417,14 @@ index b0c2189..1b70488 100644
case KEY_ECDSA_SK_CERT: case KEY_ECDSA_SK_CERT:
/* Skip nonce */ /* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
@@ -2556,6 +2593,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, @@ -2557,6 +2594,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
/* FALLTHROUGH */ /* FALLTHROUGH */
case KEY_ECDSA: case KEY_ECDSA:
+ case KEY_SM2:
case KEY_ECDSA_SK: case KEY_ECDSA_SK:
+ case KEY_SM2:
if ((key = sshkey_new(type)) == NULL) { if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL; ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -2865,6 +2903,10 @@ sshkey_sign(struct sshkey *key, @@ -2865,6 +2903,10 @@ sshkey_sign(struct sshkey *key,
case KEY_ECDSA: case KEY_ECDSA:
r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
@ -1189,5 +1557,5 @@ index 43eef5e..3b84096 100644
#if !defined(WITH_OPENSSL) #if !defined(WITH_OPENSSL)
-- --
2.33.0 2.23.0
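Review bot: In the new kexsm2.c hunk, the peer ephemeral point check in sm2_kap_compute_key, `if (!EC_POINT_is_on_curve(group, Rp, ctx))`, treats the function's -1 error return as "on curve"; it should read `if (EC_POINT_is_on_curve(group, Rp, ctx) != 1)`. The same function frees secret-derived material without cleansing: `t` (built from the static and ephemeral private keys) goes through `BN_free` and `buf` (the shared point and Z values fed to the KDF) through `OPENSSL_free`, so `BN_clear_free(t);` and `OPENSSL_clear_free(buf, buflen + 10);` (with `buflen` initialised to 0 at declaration) are the defender-side fix, and kdf_gmt003_2012 should `OPENSSL_cleanse(dgst, sizeof(dgst));` at its `err:` label because the plain `memset` only runs on the success path and may be elided. The three `len = buflen - idx;` stores before each sm2_compute_z_digest() call are dead, and the following `len = 32;` hard-codes the SM3 digest size where `EVP_MD_size(md)` would keep the advance consistent with the `md` actually passed. The non-static `sm2_compute_z_digest` also appears to share its name with an OpenSSL-internal symbol (hedged — depends on the OpenSSL build linked), so making it `static` would avoid a clash.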


@ -1,19 +1,20 @@
From 6d98c61e18fe65a52e21df9cece74675f9c18125 Mon Sep 17 00:00:00 2001 From 6d98c61e18fe65a52e21df9cece74675f9c18125 Mon Sep 17 00:00:00 2001
From: s00467541 <shenyining@huawei.com> From: shenyining <shenyining@huawei.com>
Date: Thu, 16 Apr 2020 17:13:24 +0800 Date: Thu, 16 Apr 2020 17:13:24 +0800
Subject: [PATCH] sync patch, add new judgement and Subject: [PATCH] sync patch, add new judgement and
delete default sftp-put-check.cfg delete default sftp-put-check.cfg
Signed-off-by: s00467541 <shenyining@huawei.com> Signed-off-by: shenyining <shenyining@huawei.com>
--- ---
sftp-server.c | 703 +++++++++++++++++++++++++++++++++++++++++++++++++- sftp-server.c | 702 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 691 insertions(+), 12 deletions(-) 1 file changed, 690 insertions(+), 12 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c diff --git a/sftp-server.c b/sftp-server.c
index 01d6f8f..682c19a 100644 index 5677aa3..4eb06d1 100644
--- a/sftp-server.c --- a/sftp-server.c
+++ b/sftp-server.c +++ b/sftp-server.c
@@ -29,6 +29,12 @@ @@ -30,6 +30,12 @@
#include <sys/statvfs.h> #include <sys/statvfs.h>
#endif #endif
@ -26,7 +27,7 @@ index 01d6f8f..682c19a 100644
#include <dirent.h> #include <dirent.h>
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
@@ -51,6 +57,17 @@ @@ -57,6 +63,17 @@
#include "sftp.h" #include "sftp.h"
#include "sftp-common.h" #include "sftp-common.h"
@ -44,7 +45,7 @@ index 01d6f8f..682c19a 100644
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
/* Maximum data read that we are willing to accept */ /* Maximum data read that we are willing to accept */
@@ -89,6 +106,452 @@ struct Stat { @@ -98,6 +115,452 @@ struct Stat {
Attrib attrib; Attrib attrib;
}; };
@ -497,7 +498,7 @@ index 01d6f8f..682c19a 100644
/* Packet handlers */ /* Packet handlers */
static void process_open(u_int32_t id); static void process_open(u_int32_t id);
static void process_close(u_int32_t id); static void process_close(u_int32_t id);
@@ -695,6 +1158,15 @@ process_open(u_int32_t id) @@ -755,6 +1218,15 @@ process_open(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -513,7 +514,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: open flags %d", id, pflags); debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags); flags = flags_from_portable(pflags);
@@ -728,6 +1200,8 @@ process_open(u_int32_t id) @@ -788,6 +1260,8 @@ process_open(u_int32_t id)
(void) umask(old_umask); /* restore umask to something sane */ (void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK) if (status != SSH2_FX_OK)
send_status(id, status); send_status(id, status);
@ -522,7 +523,7 @@ index 01d6f8f..682c19a 100644
free(name); free(name);
} }
@@ -759,6 +1233,17 @@ process_read(u_int32_t id) @@ -820,6 +1294,17 @@ process_read(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &len)) != 0) (r = sshbuf_get_u32(iqueue, &len)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -540,7 +541,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: read \"%s\" (handle %d) off %llu len %u", debug("request %u: read \"%s\" (handle %d) off %llu len %u",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
if ((fd = handle_to_fd(handle)) == -1) if ((fd = handle_to_fd(handle)) == -1)
@@ -800,6 +1285,18 @@ process_write(u_int32_t id) @@ -874,6 +1359,18 @@ process_write(u_int32_t id)
(r = sshbuf_get_string(iqueue, &data, &len)) != 0) (r = sshbuf_get_string(iqueue, &data, &len)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -559,7 +560,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: write \"%s\" (handle %d) off %llu len %zu", debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -813,17 +1310,30 @@ process_write(u_int32_t id) @@ -888,17 +1385,30 @@ process_write(u_int32_t id)
strerror(errno)); strerror(errno));
} else { } else {
/* XXX ATOMICIO ? */ /* XXX ATOMICIO ? */
@ -600,7 +601,7 @@ index 01d6f8f..682c19a 100644
} }
} }
} }
@@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat) @@ -917,6 +1427,16 @@ process_do_stat(u_int32_t id, int do_lstat)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -617,7 +618,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: %sstat", id, do_lstat ? "l" : ""); debug3("request %u: %sstat", id, do_lstat ? "l" : "");
verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name); verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name);
r = do_lstat ? lstat(name, &st) : stat(name, &st); r = do_lstat ? lstat(name, &st) : stat(name, &st);
@@ -877,6 +1398,16 @@ process_fstat(u_int32_t id) @@ -953,6 +1473,16 @@ process_fstat(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -634,7 +635,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: fstat \"%s\" (handle %u)", debug("request %u: fstat \"%s\" (handle %u)",
id, handle_to_name(handle), handle); id, handle_to_name(handle), handle);
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -929,6 +1460,14 @@ process_setstat(u_int32_t id) @@ -1005,6 +1535,14 @@ process_setstat(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -649,7 +650,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: setstat name \"%s\"", id, name); debug("request %u: setstat name \"%s\"", id, name);
if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", logit("set \"%s\" size %llu",
@@ -983,6 +1522,13 @@ process_fsetstat(u_int32_t id) @@ -1059,6 +1597,13 @@ process_fsetstat(u_int32_t id)
else { else {
char *name = handle_to_name(handle); char *name = handle_to_name(handle);
@ -663,7 +664,7 @@ index 01d6f8f..682c19a 100644
if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", logit("set \"%s\" size %llu",
name, (unsigned long long)a.size); name, (unsigned long long)a.size);
@@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id) @@ -1116,6 +1661,14 @@ process_opendir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -678,18 +679,17 @@ index 01d6f8f..682c19a 100644
debug3("request %u: opendir", id); debug3("request %u: opendir", id);
logit("opendir \"%s\"", path); logit("opendir \"%s\"", path);
dirp = opendir(path); dirp = opendir(path);
@@ -1094,6 +1648,10 @@ process_readdir(u_int32_t id) @@ -1170,6 +1723,9 @@ process_readdir(u_int32_t id)
strcmp(path, "/") ? "/" : "", dp->d_name); strcmp(path, "/") ? "/" : "", dp->d_name);
if (lstat(pathname, &st) == -1) if (lstat(pathname, &st) == -1)
continue; continue;
+ if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP)) {
+ {
+ continue; + continue;
+ } + }
stat_to_attrib(&st, &(stats[count].attrib)); stat_to_attrib(&st, &(stats[count].attrib));
stats[count].name = xstrdup(dp->d_name); stats[count].name = xstrdup(dp->d_name);
stats[count].long_name = ls_file(dp->d_name, &st, 0, 0); stats[count].long_name = ls_file(dp->d_name, &st,
@@ -1125,6 +1683,14 @@ process_remove(u_int32_t id) @@ -1202,6 +1758,14 @@ process_remove(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -704,7 +704,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: remove", id); debug3("request %u: remove", id);
logit("remove name \"%s\"", name); logit("remove name \"%s\"", name);
r = unlink(name); r = unlink(name);
@@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id) @@ -1221,6 +1785,14 @@ process_mkdir(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -719,7 +719,7 @@ index 01d6f8f..682c19a 100644
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777; a.perm & 07777 : 0777;
debug3("request %u: mkdir", id); debug3("request %u: mkdir", id);
@@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id) @@ -1240,6 +1812,14 @@ process_rmdir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -734,7 +734,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: rmdir", id); debug3("request %u: rmdir", id);
logit("rmdir name \"%s\"", name); logit("rmdir name \"%s\"", name);
r = rmdir(name); r = rmdir(name);
@@ -1187,8 +1769,12 @@ process_realpath(u_int32_t id) @@ -1264,8 +1844,12 @@ process_realpath(u_int32_t id)
} }
debug3("request %u: realpath", id); debug3("request %u: realpath", id);
verbose("realpath \"%s\"", path); verbose("realpath \"%s\"", path);
@ -749,7 +749,7 @@ index 01d6f8f..682c19a 100644
} else { } else {
Stat s; Stat s;
attrib_clear(&s.attrib); attrib_clear(&s.attrib);
@@ -1209,6 +1795,16 @@ process_rename(u_int32_t id) @@ -1286,6 +1870,16 @@ process_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -766,7 +766,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: rename", id); debug3("request %u: rename", id);
logit("rename old \"%s\" new \"%s\"", oldpath, newpath); logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
status = SSH2_FX_FAILURE; status = SSH2_FX_FAILURE;
@@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id) @@ -1345,6 +1939,14 @@ process_readlink(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -781,7 +781,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: readlink", id); debug3("request %u: readlink", id);
verbose("readlink \"%s\"", path); verbose("readlink \"%s\"", path);
if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1) if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
@@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id) @@ -1370,6 +1972,16 @@ process_symlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -798,7 +798,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: symlink", id); debug3("request %u: symlink", id);
logit("symlink old \"%s\" new \"%s\"", oldpath, newpath); logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
/* this will fail if 'newpath' exists */ /* this will fail if 'newpath' exists */
@@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id) @@ -1390,6 +2002,16 @@ process_extended_posix_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -815,7 +815,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: posix-rename", id); debug3("request %u: posix-rename", id);
logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath); logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
r = rename(oldpath, newpath); r = rename(oldpath, newpath);
@@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id) @@ -1408,6 +2030,15 @@ process_extended_statvfs(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -831,7 +831,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: statvfs", id); debug3("request %u: statvfs", id);
logit("statvfs \"%s\"", path); logit("statvfs \"%s\"", path);
@@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id) @@ -1426,6 +2057,17 @@ process_extended_fstatvfs(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -849,7 +849,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: fstatvfs \"%s\" (handle %u)", debug("request %u: fstatvfs \"%s\" (handle %u)",
id, handle_to_name(handle), handle); id, handle_to_name(handle), handle);
if ((fd = handle_to_fd(handle)) < 0) { if ((fd = handle_to_fd(handle)) < 0) {
@@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id) @@ -1448,6 +2090,15 @@ process_extended_hardlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -865,7 +865,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: hardlink", id); debug3("request %u: hardlink", id);
logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath); logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
r = link(oldpath, newpath); r = link(oldpath, newpath);
@@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id) @@ -1464,6 +2115,17 @@ process_extended_fsync(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse"); fatal_fr(r, "parse");
@ -883,7 +883,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: fsync (handle %u)", id, handle); debug3("request %u: fsync (handle %u)", id, handle);
verbose("fsync \"%s\"", handle_to_name(handle)); verbose("fsync \"%s\"", handle_to_name(handle));
if ((fd = handle_to_fd(handle)) < 0) if ((fd = handle_to_fd(handle)) < 0)
@@ -1672,6 +2336,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle @@ -2006,6 +2668,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle
log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
@ -907,5 +907,5 @@ index 01d6f8f..682c19a 100644
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
* available to the user so that sftp access doesn't automatically * available to the user so that sftp access doesn't automatically
-- --
2.23.0 2.27.0


@ -1,12 +1,15 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200 --- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200 +++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
@@ -715,6 +715,8 @@ main(int argc, char **argv) @@ -715,6 +715,9 @@ main(int argc, char **argv)
if (maxfd > fdlim_get(0))
fdlim_set(maxfd); fdlim_set(maxfd);
fdcon = xcalloc(maxfd, sizeof(con)); fdcon = xcalloc(maxfd, sizeof(con));
+
+ signal(SIGPIPE, SIG_IGN); + signal(SIGPIPE, SIG_IGN);
+ +
read_wait_nfdset = howmany(maxfd, NFDBITS); read_wait = xcalloc(maxfd, sizeof(struct pollfd));
read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); for (j = 0; j < maxfd; j++)
read_wait[j].fd = -1;
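Review bot: The rebased hunk still installs the SIGPIPE disposition with a bare `signal(SIGPIPE, SIG_IGN);`, whereas the 9.1p1 tree the patch now targets routes signal setup through its `ssh_signal()` wrapper in misc.c; for consistency with the surrounding code the added line would read `ssh_signal(SIGPIPE, SIG_IGN);`. For a SIG_IGN disposition the two should be behaviourally equivalent, so this is a point of style, not a defect. The placement itself looks right — after `fdcon` is allocated and before the pollfd table is initialised — and main() continues outside the hunk.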


@ -1,3 +1,4 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200 --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200 +++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@ -207,8 +208,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
-sftp_server_main(int argc, char **argv, struct passwd *user_pw) -sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler) +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{ {
fd_set *rset, *wset; int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen;
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;


@ -1,3 +1,4 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch
diff -up openssh/misc.c.keycat openssh/misc.c diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@ -61,13 +62,13 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
ssh-xmss.o \ ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) $(CHANNELLIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)


@ -1,41 +1,38 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL) ---
+ if (ai == NULL || ai->ai_addr == NULL) { auth-krb5.c | 2 ++
+ freeaddrinfo(ai); auth-options.c | 1 +
return -1; channels.c | 6 ++++--
+ } dns.c | 1 +
gss-genr.c | 3 ++-
kexgssc.c | 4 +++-
krl.c | 4 ++++
loginrec.c | 4 ++++
misc.c | 3 +++
moduli.c | 1 +
monitor.c | 4 ++--
monitor_wrap.c | 6 +++---
openbsd-compat/bindresvport.c | 2 +-
openbsd-compat/bsd-pselect.c | 8 ++++----
readconf.c | 1 +
scp.c | 4 ++--
servconf.c | 5 +++--
serverloop.c | 2 +-
session.c | 2 ++
sftp.c | 3 ++-
ssh-agent.c | 5 +++--
ssh-keygen.c | 7 +++++++
ssh.c | 1 +
sshd.c | 9 +++++++--
sshsig.c | 1 +
25 files changed, 65 insertions(+), 24 deletions(-)
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, diff --git a/auth-krb5.c b/auth-krb5.c
n) == -1) { index d80c3ab..71ea1e3 100644
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char * --- a/auth-krb5.c
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0) +++ b/auth-krb5.c
return -1; @@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask); umask(old_umask);
if (tmpfd == -1) { if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno)); logit("mkstemp(): %.100s", strerror(oerrno));
@ -43,7 +40,7 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
return oerrno; return oerrno;
} }
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, @@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
oerrno = errno; oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno)); logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd); close(tmpfd);
@ -51,10 +48,11 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
return oerrno; return oerrno;
} }
/* make sure the KRB5CCNAME is set for non-standard location */ /* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c diff --git a/auth-options.c b/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100 index 7cb2a64..a4b1db4 100644
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100 --- a/auth-options.c
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char * +++ b/auth-options.c
@@ -723,6 +723,7 @@ serialise_array(struct sshbuf *m, char **a, size_t n)
return r; return r;
} }
/* success */ /* success */
@ -62,19 +60,11 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
return 0; return 0;
} }
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c diff --git a/channels.c b/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 index 300c753..ea4d8da 100644
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 --- a/channels.c
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh, +++ b/channels.c
debug("channel %d: connection failed: %s", @@ -4081,7 +4081,7 @@ int
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{ {
int r, success = 0, idx = -1; int r, success = 0, idx = -1;
@ -83,7 +73,7 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
int port_to_connect, listen_port; int port_to_connect, listen_port;
/* Send the forward request to the remote side. */ /* Send the forward request to the remote side. */
@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct @@ -4109,7 +4109,6 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
success = 1; success = 1;
if (success) { if (success) {
/* Record that connection to this host/port is permitted. */ /* Record that connection to this host/port is permitted. */
@ -91,7 +81,7 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
port_to_connect = listen_port = 0; port_to_connect = listen_port = 0;
if (fwd->connect_path != NULL) { if (fwd->connect_path != NULL) {
host_to_connect = xstrdup(fwd->connect_path); host_to_connect = xstrdup(fwd->connect_path);
@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct @@ -4130,6 +4129,9 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
host_to_connect, port_to_connect, host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL); listen_host, listen_path, listen_port, NULL);
} }
@ -101,26 +91,11 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
return idx; return idx;
} }
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c diff --git a/dns.c b/dns.c
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100 index f2310be..15218f1 100644
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100 --- a/dns.c
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha +++ b/dns.c
return p; @@ -259,6 +259,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest, &hostkey_digest_len, hostkey)) { &hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint."); error("Error calculating key fingerprint.");
freerrset(fingerprints); freerrset(fingerprints);
@ -128,10 +103,11 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
return -1; return -1;
} }
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c diff --git a/gss-genr.c b/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100 index 9f9745b..810b382 100644
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100 --- a/gss-genr.c
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup +++ b/gss-genr.c
@@ -168,8 +168,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
enclen = __b64_ntop(digest, enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded, ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2); ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
@ -142,9 +118,10 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 && if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c diff --git a/kexgssc.c b/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100 index 1c62740..080cf04 100644
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100 --- a/kexgssc.c
+++ b/kexgssc.c
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh) @@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default: default:
fatal_f("Unexpected KEX type %d", kex->kex_type); fatal_f("Unexpected KEX type %d", kex->kex_type);
@ -157,10 +134,11 @@ diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
token_ptr = GSS_C_NO_BUFFER; token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c diff --git a/krl.c b/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100 index 473a9d7..ae19762 100644
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100 --- a/krl.c
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st +++ b/krl.c
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
sshkey_free(key); sshkey_free(key);
sshbuf_free(copy); sshbuf_free(copy);
sshbuf_free(sect); sshbuf_free(sect);
@ -168,7 +146,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
return r; return r;
} }
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons @@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r; return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob); free(rb.blob);
@ -176,7 +154,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) { if (erb != NULL) {
KRL_DBG(("revoked by key SHA1")); KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons @@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r; return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb); erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob); free(rb.blob);
@ -184,7 +162,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) { if (erb != NULL) {
KRL_DBG(("revoked by key SHA256")); KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons @@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r; return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob); free(rb.blob);
@ -192,10 +170,11 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) { if (erb != NULL) {
KRL_DBG(("revoked by explicit key")); KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c diff --git a/loginrec.c b/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100 index 4f21499..e0606be 100644
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100 --- a/loginrec.c
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li, +++ b/loginrec.c
@@ -691,9 +691,11 @@ construct_utmp(struct logininfo *li,
*/ */
/* Use strncpy because we don't necessarily want null termination */ /* Use strncpy because we don't necessarily want null termination */
@ -207,7 +186,7 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut->ut_host, li->hostname, strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname)); MIN_SIZEOF(ut->ut_host, li->hostname));
# endif # endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con @@ -1691,6 +1693,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
memset(&ut, 0, sizeof(ut)); memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */ /* strncpy because we don't necessarily want nul termination */
@ -215,7 +194,7 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut.ut_user, username, sizeof(ut.ut_user)); strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line)); strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con @@ -1700,6 +1703,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
ut.ut_pid = getpid(); ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */ /* strncpy because we don't necessarily want nul termination */
@ -223,10 +202,11 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host)); strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) && if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c diff --git a/misc.c b/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100 index e4d3120..5420e24 100644
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100 --- a/misc.c
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void) +++ b/misc.c
@@ -1492,6 +1492,8 @@ sanitise_stdfd(void)
} }
if (nullfd > STDERR_FILENO) if (nullfd > STDERR_FILENO)
close(nullfd); close(nullfd);
@ -235,7 +215,7 @@ diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
} }
char * char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou @@ -2625,6 +2627,7 @@ stdfd_devnull(int do_stdin, int do_stdout, int do_stderr)
} }
if (devnull > STDERR_FILENO) if (devnull > STDERR_FILENO)
close(devnull); close(devnull);
@ -243,10 +223,11 @@ diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
return ret; return ret;
} }
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c diff --git a/moduli.c b/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100 index 9f660ef..2669edd 100644
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100 --- a/moduli.c
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t +++ b/moduli.c
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t lineno)
else else
logit("failed to write to checkpoint file '%s': %s", cpfile, logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno)); strerror(errno));
@ -254,10 +235,11 @@ diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
} }
static unsigned long static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c diff --git a/monitor.c b/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100 index fc05db6..dca2fe7 100644
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100 --- a/monitor.c
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx +++ b/monitor.c
@@ -397,7 +397,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
mm_get_keystate(ssh, pmonitor); mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */ /* Drain any buffered messages from the child */
@ -266,7 +248,7 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
; ;
if (pmonitor->m_recvfd >= 0) if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock, @@ -1684,7 +1684,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
s->ptymaster = s->ptyfd; s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd); debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
@ -275,10 +257,11 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
return (0); return (0);
error: error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c diff --git a/monitor_wrap.c b/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 index e125eca..c394d68 100644
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 --- a/monitor_wrap.c
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, +++ b/monitor_wrap.c
@@ -612,10 +612,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty"); error_f("cannot allocate fds for pty");
@ -292,10 +275,11 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100 index 346c7fe..f42792f 100644
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100 --- a/openbsd-compat/bindresvport.c
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr +++ b/openbsd-compat/bindresvport.c
@@ -59,7 +59,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
u_int16_t port; u_int16_t port;
@ -304,9 +288,10 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c diff --git a/openbsd-compat/bsd-pselect.c b/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200 index b363208..cf7157c 100644
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200 --- a/openbsd-compat/bsd-pselect.c
+++ b/openbsd-compat/bsd-pselect.c
@@ -113,13 +113,13 @@ pselect_notify_setup(void) @@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void static void
pselect_notify_parent(void) pselect_notify_parent(void)
@ -334,10 +319,11 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb
debug2_f("reading"); debug2_f("reading");
FD_CLR(notify_pipe[0], readset); FD_CLR(notify_pipe[0], readset);
} }
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c diff --git a/readconf.c b/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 index 1e1b78d..b6c998e 100644
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 --- a/readconf.c
@@ -1847,6 +1847,7 @@ parse_pubkey_algos: +++ b/readconf.c
@@ -1933,6 +1933,7 @@ parse_pubkey_algos:
} else if (r != 0) { } else if (r != 0) {
error("%.200s line %d: glob failed for %s.", error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2); filename, linenum, arg2);
@ -345,10 +331,11 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
goto out; goto out;
} }
free(arg2); free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c diff --git a/scp.c b/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200 index 6146260..74f5b10 100644
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200 --- a/scp.c
@@ -186,11 +186,11 @@ killchild(int signo) +++ b/scp.c
@@ -187,11 +187,11 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM); kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -362,10 +349,11 @@ diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c diff --git a/servconf.c b/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 index 8b9540d..d72fb62 100644
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 --- a/servconf.c
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions +++ b/servconf.c
@@ -2081,8 +2081,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -377,10 +365,11 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
} }
break; break;
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c diff --git a/serverloop.c b/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200 index b4c0d82..62c7e90 100644
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200 --- a/serverloop.c
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh) +++ b/serverloop.c
@@ -546,7 +546,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun"); debug_f("invalid tun");
goto done; goto done;
} }
@ -389,10 +378,11 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
if (tun != SSH_TUNID_ANY && if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun) auth_opts->force_tun_device != (int)tun)
goto done; goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c diff --git a/session.c b/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100 index 58cf557..cdb301b 100644
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100 --- a/session.c
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s +++ b/session.c
@@ -1222,12 +1222,14 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Environment specified by admin */ /* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) { for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]); cp = xstrdup(options.setenv[i]);
@ -407,10 +397,11 @@ diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
} }
/* SSH_CLIENT deprecated */ /* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c diff --git a/sftp.c b/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 index c3c347e..c18a354 100644
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 --- a/sftp.c
@@ -224,7 +224,7 @@ killchild(int signo) +++ b/sftp.c
@@ -226,7 +226,7 @@ killchild(int signo)
pid = sshpid; pid = sshpid;
if (pid > 1) { if (pid > 1) {
kill(pid, SIGTERM); kill(pid, SIGTERM);
@ -419,16 +410,7 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
} }
_exit(1); _exit(1);
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons @@ -1029,6 +1029,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path,
fflag || global_fflag) == -1)
err = -1;
}
+ free(abs_dst);
+ abs_dst = NULL;
}
out:
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
if (lflag & LS_LONG_VIEW) { if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) { if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname); error("no stat information for %s", fname);
@ -436,21 +418,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
continue; continue;
} }
lname = ls_file(fname, g.gl_statv[i], 1, lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c diff --git a/ssh-agent.c b/ssh-agent.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 index 50d0638..a292a9e 100644
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 --- a/ssh-agent.c
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s +++ b/ssh-agent.c
freezero(rks[i], sizeof(*rks[i])); @@ -1391,6 +1391,7 @@ sanitize_pkcs11_provider(const char *provider)
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) { if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI"); error("Failed to parse PKCS#11 URI");
@ -458,7 +430,7 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
return NULL; return NULL;
} }
/* validate also provider from URI */ /* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av) @@ -2080,8 +2081,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
/* drop */ /* drop */
@ -469,10 +441,43 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c diff --git a/ssh-keygen.c b/ssh-keygen.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100 index 6ae72ab..076dd33 100644
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100 --- a/ssh-keygen.c
@@ -1746,6 +1746,7 @@ control_persist_detach(void) +++ b/ssh-keygen.c
@@ -2365,6 +2365,9 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -3023,6 +3026,7 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -3064,6 +3068,9 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
/* Read and confirm a passphrase */
diff --git a/ssh.c b/ssh.c
index a5155f4..68558d4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1755,6 +1755,7 @@ control_persist_detach(void)
close(muxserver_sock); close(muxserver_sock);
muxserver_sock = -1; muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO; options.control_master = SSHCTL_MASTER_NO;
@ -480,10 +485,11 @@ diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
muxclient(options.control_path); muxclient(options.control_path);
/* muxclient() doesn't return on success. */ /* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master"); fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c diff --git a/sshd.c b/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 index e05dd82..a4a1b79 100644
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 --- a/sshd.c
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt) +++ b/sshd.c
@@ -595,8 +595,10 @@ privsep_preauth(struct ssh *ssh)
privsep_preauth_child(ssh); privsep_preauth_child(ssh);
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
@ -495,26 +501,7 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
return 0; return 0;
} }
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so @@ -2560,8 +2562,11 @@ do_ssh2_kex(struct ssh *ssh)
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-
+ /* coverity[leaked_storage : FALSE]*/
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types());
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr) if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr; myproposal[PROPOSAL_KEX_ALGS] = newstr;
@ -527,45 +514,18 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
} }
#endif #endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c diff --git a/sshsig.c b/sshsig.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100 index eb2a931..3e91c14 100644
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100 --- a/sshsig.c
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw, +++ b/sshsig.c
r = ssh_krl_revoke_key_sha256(krl, blob, blen); @@ -551,6 +551,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
oerrno = errno; oerrno = errno;
error_f("read: %s", strerror(errno)); sshbuf_free(b);
ssh_digest_free(ctx); ssh_digest_free(ctx);
+ ctx = NULL; + ctx = NULL;
explicit_bzero(hash, sizeof(hash));
errno = oerrno; errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR; return r;
goto out; --
2.27.0


@ -1,7 +1,19 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100 ---
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0; channels.c | 23 ++++++++++++++---------
channels.h | 2 +-
servconf.c | 12 +++++++++++-
servconf.h | 2 ++
session.c | 5 +++--
sshd_config.5 | 7 +++++++
6 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/channels.c b/channels.c
index 7230540..040a4c6 100644
--- a/channels.c
+++ b/channels.c
@@ -101,8 +101,8 @@
#define FWD_PERMIT_ANY_HOST "*" #define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */ /* -- X11 forwarding */
@ -10,9 +22,9 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+/* Minimum port number for X11 forwarding */ +/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000 +#define X11_PORT_MIN 6000
/* Per-channel callback for pre/post select() actions */ /* Per-channel callback for pre/post IO actions */
typedef void chan_fn(struct ssh *, Channel *c, typedef void chan_fn(struct ssh *, Channel *c);
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void) @@ -4801,7 +4801,7 @@ rdynamic_connect_finish(struct ssh *ssh, Channel *c)
*/ */
int int
x11_create_display_inet(struct ssh *ssh, int x11_display_offset, x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
@ -21,7 +33,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
u_int *display_numberp, int **chanids) u_int *display_numberp, int **chanids)
{ {
Channel *nc = NULL; Channel *nc = NULL;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_ @@ -4814,10 +4814,15 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
if (chanids == NULL) if (chanids == NULL)
return -1; return -1;
@ -39,7 +51,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6; hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_ @@ -4870,7 +4875,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
if (num_socks > 0) if (num_socks > 0)
break; break;
} }
@ -48,7 +60,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
error("Failed to allocate internet-domain X11 display socket."); error("Failed to allocate internet-domain X11 display socket.");
return -1; return -1;
} }
@@ -4441,7 +4447,7 @@ x11_connect_display(void) @@ -5054,7 +5059,7 @@ x11_connect_display(struct ssh *ssh)
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6; hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
@ -57,7 +69,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf, error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr)); ssh_gai_strerror(gaierr));
@@ -4457,7 +4463,7 @@ x11_connect_display(void) @@ -5070,7 +5075,7 @@ x11_connect_display(struct ssh *ssh)
/* Connect it to the display. */ /* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) { if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("connect %.100s port %u: %.100s", buf, debug2("connect %.100s port %u: %.100s", buf,
@ -66,21 +78,20 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
close(sock); close(sock);
continue; continue;
} }
@@ -4466,8 +4472,8 @@ x11_connect_display(void) @@ -5080,7 +5085,7 @@ x11_connect_display(struct ssh *ssh)
}
freeaddrinfo(aitop); freeaddrinfo(aitop);
if (!ai) { if (!ai) {
- error("connect %.100s port %u: %.100s", buf, error("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno)); - 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno)); + X11_PORT_MIN + display_number, strerror(errno));
return -1; return -1;
} }
set_nodelay(sock); set_nodelay(sock);
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h diff --git a/channels.h b/channels.h
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100 index 828c1b6..7d8a83e 100644
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100 --- a/channels.h
@@ -293,7 +293,7 @@ int permitopen_port(const char *); +++ b/channels.h
@@ -361,7 +361,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(struct ssh *, u_int); void channel_set_x11_refuse_time(struct ssh *, u_int);
int x11_connect_display(struct ssh *); int x11_connect_display(struct ssh *);
@ -89,10 +100,11 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
void x11_request_forwarding_with_spoofing(struct ssh *, int, void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int); const char *, const char *, const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c diff --git a/servconf.c b/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100 index 13c4a08..fdba127 100644
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100 --- a/servconf.c
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions +++ b/servconf.c
@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions *options)
options->print_lastlog = -1; options->print_lastlog = -1;
options->x11_forwarding = -1; options->x11_forwarding = -1;
options->x11_display_offset = -1; options->x11_display_offset = -1;
@ -100,7 +112,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
options->x11_use_localhost = -1; options->x11_use_localhost = -1;
options->permit_tty = -1; options->permit_tty = -1;
options->permit_user_rc = -1; options->permit_user_rc = -1;
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption @@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
options->x11_forwarding = 0; options->x11_forwarding = 0;
if (options->x11_display_offset == -1) if (options->x11_display_offset == -1)
options->x11_display_offset = 10; options->x11_display_offset = 10;
@ -109,7 +121,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
if (options->x11_use_localhost == -1) if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1; options->x11_use_localhost = 1;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum { @@ -518,7 +521,7 @@ typedef enum {
sPasswordAuthentication, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@ -118,7 +130,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sAllowTcpForwarding, sCompression, sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -540,6 +543,7 @@ static struct { @@ -652,6 +655,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL }, { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
@ -126,7 +138,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions @@ -1680,6 +1684,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
*intptr = value; *intptr = value;
break; break;
@ -137,7 +149,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
case sX11UseLocalhost: case sX11UseLocalhost:
intptr = &options->x11_use_localhost; intptr = &options->x11_use_localhost;
goto parse_flag; goto parse_flag;
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d @@ -2678,6 +2686,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_forwarding);
@ -145,7 +157,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty); M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc); M_CP_INTOPT(permit_user_rc);
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o) @@ -2953,6 +2962,7 @@ dump_config(ServerOptions *o)
#endif #endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time); dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
@ -153,10 +165,11 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
dump_cfg_int(sMaxAuthTries, o->max_authtries); dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h diff --git a/servconf.h b/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100 index 37d3a6f..77fd779 100644
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100 --- a/servconf.h
@@ -55,6 +55,7 @@ +++ b/servconf.h
@@ -45,6 +45,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@ -164,7 +177,7 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
/* Magic name for internal sftp-server */ /* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp" #define INTERNAL_SFTP_NAME "internal-sftp"
@@ -85,6 +86,7 @@ typedef struct { @@ -105,6 +106,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start int x11_display_offset; /* What DISPLAY number to start
* searching at */ * searching at */
@ -172,10 +185,11 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
int x11_use_localhost; /* If true, use localhost for fake X11 server. */ int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */ char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */ int permit_tty; /* If false, deny pty allocation */
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c diff --git a/session.c b/session.c
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100 index 6040d51..dd7d148 100644
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100 --- a/session.c
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s) +++ b/session.c
@@ -2612,8 +2612,9 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
return 0; return 0;
} }
if (x11_create_display_inet(ssh, options.x11_display_offset, if (x11_create_display_inet(ssh, options.x11_display_offset,
@ -187,10 +201,11 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
debug("x11_create_display_inet failed."); debug("x11_create_display_inet failed.");
return 0; return 0;
} }
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100 index 4396b93..440fe92 100644
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100 --- a/sshd_config.5
@@ -1133,6 +1133,7 @@ Available keywords are +++ b/sshd_config.5
@@ -1280,6 +1280,7 @@ Available keywords are
.Cm StreamLocalBindUnlink , .Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys , .Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset , .Cm X11DisplayOffset ,
@ -198,7 +213,7 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
.Cm X11Forwarding .Cm X11Forwarding
and and
.Cm X11UseLocalhost . .Cm X11UseLocalhost .
@@ -1566,6 +1567,12 @@ Specifies the first display number avail @@ -1847,6 +1848,12 @@ Specifies the first display number available for
X11 forwarding. X11 forwarding.
This prevents sshd from interfering with real X11 servers. This prevents sshd from interfering with real X11 servers.
The default is 10. The default is 10.
@ -211,3 +226,6 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
.It Cm X11Forwarding .It Cm X11Forwarding
Specifies whether X11 forwarding is permitted. Specifies whether X11 forwarding is permitted.
The argument must be The argument must be
--
2.27.0
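Review bot: The new `Reference:` header at the top of this patch file points at the Fedora rawhide blob (`blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch`), which is a moving branch rather than a fixed revision, so the provenance of the rebased hunks cannot be reproduced once Fedora updates that file. Pinning the URL to a specific revision (`blob/<fedora-commit-id>/f/openssh-7.3p1-x11-max-displays.patch`, placeholder) or recording the Fedora package version the patch was taken from would make later audits of this backport verifiable. The same applies to the `Reference:` header of the systemd patch in the next file section. The hunk headers here now carry 9.1p1 line numbers while the referenced Fedora file name still says 7.3p1, which is a further reason to record the exact upstream revision.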


@ -1,16 +1,19 @@
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31 Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
systemd stuff ---
configure.ac | 24 ++++++++++++++++++++++++
contrib/sshd.service | 16 ++++++++++++++++
sshd.c | 9 +++++++++
3 files changed, 49 insertions(+)
create mode 100644 contrib/sshd.service
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644 index bbe133e..6f7dc48 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5], @@ -4822,6 +4822,29 @@ AC_SUBST([GSSLIBS])
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS]) AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support +# Check whether user wants systemd support
+SYSTEMD_MSG="no" +SYSTEMD_MSG="no"
@ -34,12 +37,11 @@ index 2ffc369..162ce92 100644
+ fi + fi
+ fi ] + fi ]
+) +)
+
+ +
# Looking for programs, paths and files # Looking for programs, paths and files
PRIVSEP_PATH=/var/empty PRIVSEP_PATH=/var/empty
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG" @@ -5621,6 +5644,7 @@ echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG" echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG" echo " Solaris privilege support: $SPP_MSG"
@ -70,10 +72,10 @@ index 0000000..e0d4923
+WantedBy=multi-user.target +WantedBy=multi-user.target
+ +
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644 index 0d4cfef..2a9b96d 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -85,6 +85,10 @@ @@ -88,6 +88,10 @@
#include <prot.h> #include <prot.h>
#endif #endif
@ -84,7 +86,7 @@ index 816611c..b8b9d13 100644
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
#include "ssh2.h" #include "ssh2.h"
@@ -1888,6 +1892,11 @@ main(int ac, char **av) @@ -2121,6 +2125,11 @@ main(int ac, char **av)
} }
} }
@ -96,3 +98,6 @@ index 816611c..b8b9d13 100644
/* Accept a connection and return in a forked child */ /* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out, server_accept_loop(&sock_in, &sock_out,
&newsock, config_s); &newsock, config_s);
--
2.27.0



@ -1,25 +1,21 @@
diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch
--- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200 --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200 +++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200
@@ -36,6 +36,7 @@
#include <openssl/bn.h>
#include <openssl/dh.h>
+#include <openssl/fips.h>
#include "dh.h"
#include "pathnames.h"
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum; int best, bestcount, which, linenum;
struct dhgroup dhg; struct dhgroup dhg;
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ logit("Using arbitrary primes is not allowed in FIPS mode." + verbose("Using arbitrary primes is not allowed in FIPS mode."
+ " Falling back to known groups."); + " Falling back to known groups.");
+ return (dh_new_group_fallback(max)); + return (dh_new_group_fallback(max));
+ } + }
@ -67,8 +63,8 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
+ +
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200 --- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200
+++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200 +++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int); @@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int); int dh_gen_key(DH *, int);
@ -78,8 +74,16 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *); void dh_set_moduli_file(const char *);
diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200 --- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200
+++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200 +++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200
@@ -39,6 +39,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include <openssl/dh.h>
# ifdef HAVE_EVP_KDF_CTX_NEW_ID
# include <openssl/kdf.h>
@@ -203,7 +203,10 @@ kex_names_valid(const char *names) @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
@ -94,12 +98,12 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
} }
diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200 --- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200 +++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
+#include <openssl/crypto.h> +#include <openssl/fips.h>
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@ -116,7 +120,7 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
/* generate and send 'e', client DH public key */ /* generate and send 'e', client DH public key */
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200 --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200 +++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200
@@ -57,6 +57,18 @@ @@ -57,6 +57,18 @@
"rsa-sha2-512," \ "rsa-sha2-512," \
"rsa-sha2-256" "rsa-sha2-256"
@ -131,7 +135,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
+ "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \ + "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \ + "rsa-sha2-512," \
+ "rsa-sha2-256," \ + "rsa-sha2-256"
+ +
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \ "chacha20-poly1305@openssh.com," \
@ -165,8 +169,16 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
"ssh-ed25519," \ "ssh-ed25519," \
diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200 --- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200
+++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200 +++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200
@@ -39,6 +39,7 @@
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
+#include <openssl/fips.h>
#ifdef USE_SYSTEM_GLOB
# include <glob.h>
#else
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options) @@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -190,8 +202,8 @@ diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200 --- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-05-06 12:08:36.463926606 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200 +++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-05-06 12:08:36.499926885 +0200
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_ @@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(__NR_open, EACCES), SC_DENY(__NR_open, EACCES),
@ -203,8 +215,16 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco
SC_DENY(__NR_openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200 --- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200
+++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200 +++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200
@@ -38,6 +38,7 @@
#include <limits.h>
#include <stdarg.h>
#include <errno.h>
+#include <openssl/fips.h>
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o) @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -228,13 +248,13 @@ diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
do { \ do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200 --- openssh-8.6p1/ssh.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200 +++ openssh-8.6p1/ssh.c 2021-05-06 12:08:36.500926893 +0200
@@ -77,6 +77,7 @@ @@ -77,6 +77,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
+#include <openssl/crypto.h> +#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@ -250,13 +270,13 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
if (options.sk_provider != NULL && *options.sk_provider == '$' && if (options.sk_provider != NULL && *options.sk_provider == '$' &&
strlen(options.sk_provider) > 1) { strlen(options.sk_provider) > 1) {
diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200 --- openssh-8.6p1/sshconnect2.c.fips 2021-05-06 12:08:36.485926777 +0200
+++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200 +++ openssh-8.6p1/sshconnect2.c 2021-05-06 12:08:36.501926900 +0200
@@ -45,6 +45,8 @@ @@ -45,6 +45,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
+#include <openssl/crypto.h> +#include <openssl/fips.h>
+ +
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@ -331,10 +351,10 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
} }
#endif #endif
diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200 --- openssh-8.6p1/sshd.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200 +++ openssh-8.6p1/sshd.c 2021-05-06 12:13:56.501492639 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #endif
#include <pwd.h> #include <pwd.h>
#include <signal.h> #include <signal.h>
+#include <syslog.h> +#include <syslog.h>
@ -345,7 +365,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rand.h> #include <openssl/rand.h>
+#include <openssl/crypto.h> +#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@ -357,6 +377,20 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1931,6 +1931,13 @@ main(int ac, char **av)
&key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
do_log2_r(r, ll, "Unable to load host key \"%s\"",
options.host_key_files[i]);
+ if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
+ || sshkey_type_plain(key->type) == KEY_ED25519)) {
+ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
+ sshkey_free(key);
+ key = NULL;
+ continue;
+ }
if (sshkey_is_sk(key) &&
key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
debug("host key %s requires user presence, ignoring",
@@ -2110,6 +2113,10 @@ main(int ac, char **av) @@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -388,13 +422,13 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200 +++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/pem.h> #include <openssl/pem.h>
+#include <openssl/crypto.h> +#include <openssl/fips.h>
#endif #endif
#include "crypto_api.h" #include "crypto_api.h"
@ -406,18 +440,80 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -285,6 +285,18 @@ sshkey_alg_list(int certs_only, int plai
} for (kt = keytypes; kt->type != -1; kt++) {
if (!BN_set_word(f4, RSA_F4) || if (kt->name == NULL || kt->type == KEY_NULL)
!RSA_generate_key_ex(private, bits, f4, NULL)) { continue;
+ if (FIPS_mode()) + if (FIPS_mode()) {
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); + switch (kt->type) {
ret = SSH_ERR_LIBCRYPTO_ERROR; + case KEY_ED25519:
goto out; + case KEY_ED25519_SK:
+ case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
+ continue;
+ break;
+ default:
+ break;
+ }
+ }
if (!include_sigonly && kt->sigonly)
continue;
if ((certs_only && !kt->cert) || (plain_only && kt->cert))
@@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
return SSH_ERR_EC_CURVE_MISMATCH;
} }
+ switch (type) {
+ case KEY_ED25519:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ sshkey_free(k);
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+ break;
+ default:
+ break;
+ }
/* Fill in ret from parsed key */
ret->type = type;
if (sshkey_is_cert(ret)) {
@@ -2916,6 +2916,11 @@ sshkey_sign(struct sshkey *key,
break;
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+ /* Fallthrough */
case KEY_ECDSA_SK_CERT:
case KEY_ECDSA_SK:
r = sshsk_sign(sk_provider, key, sigp, lenp, data,
@@ -2973,6 +2978,10 @@ sshkey_verify(const struct sshkey *key,
return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
compat, detailsp);
#ifdef WITH_XMSS
diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200 --- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200
@@ -20,6 +20,7 @@
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include <openssl/pem.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
@ -425,7 +521,7 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ if (type == KEY_DSA) + if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode"); + fatal("DSA keys are not allowed in FIPS mode");
+ if (type == KEY_ED25519) + if (type == KEY_ED25519 || type == KEY_ED25519_SK)
+ fatal("ED25519 keys are not allowed in FIPS mode"); + fatal("ED25519 keys are not allowed in FIPS mode");
+ } + }
switch (type) { switch (type) {
@ -450,3 +546,122 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));
diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
--- openssh-8.7p1/kexgen.c.fips3 2022-07-11 16:11:21.973519913 +0200
+++ openssh-8.7p1/kexgen.c 2022-07-11 16:25:31.172187365 +0200
@@ -31,6 +31,7 @@
#include <stdio.h>
#include <string.h>
#include <signal.h>
+#include <openssl/fips.h>
#include "sshkey.h"
#include "kex.h"
@@ -115,10 +116,20 @@ kex_gen_client(struct ssh *ssh)
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_keypair(kex);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_keypair(kex);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_keypair(kex);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_keypair(kex);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
@@ -186,11 +197,21 @@ input_kex_gen_reply(int type, u_int32_t
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_dec(kex, server_blob, &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_dec(kex, server_blob, &shared_secret);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_dec(kex, server_blob,
- &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_dec(kex, server_blob,
+ &shared_secret);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
@@ -285,12 +306,22 @@ input_kex_gen_init(int type, u_int32_t s
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
- &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
- &server_pubkey, &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
+ &server_pubkey, &shared_secret);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
--- openssh-8.7p1/ssh-ed25519.c.fips3 2022-07-11 16:53:41.428343304 +0200
+++ openssh-8.7p1/ssh-ed25519.c 2022-07-11 16:56:09.284663661 +0200
@@ -24,6 +24,7 @@
#include <string.h>
#include <stdarg.h>
+#include <openssl/fips.h>
#include "log.h"
#include "sshbuf.h"
@@ -52,6 +53,10 @@ ssh_ed25519_sign(const struct sshkey *ke
key->ed25519_sk == NULL ||
datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
smlen = slen = datalen + crypto_sign_ed25519_BYTES;
if ((sig = malloc(slen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@@ -108,6 +113,10 @@ ssh_ed25519_verify(const struct sshkey *
datalen >= INT_MAX - crypto_sign_ed25519_BYTES ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;

@ -1,13 +1,14 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200 --- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL); cfg, &includes, NULL, rexeced_flag);
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in openEuler */
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems.");
+ +
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
if (options.moduli_file != NULL) if (options.moduli_file != NULL)
@ -19,7 +20,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in openEuler and may cause several
+# problems. +# problems.
#UsePAM no #UsePAM no

@ -93,7 +93,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 || (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif +#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
@ -240,14 +240,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{
struct sshbuf *b; struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p; const u_char *p;
- char *userstyle, *cp; - char *userstyle, *cp;
+ char *userstyle, *s, *cp; + char *userstyle, *s, *cp;
size_t len; size_t len;
u_char type; u_char type;
int r, fail = 0; int hostbound = 0, r, fail = 0;
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)

@ -1,13 +1,14 @@
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200 diff --color -ru a/ssh_config.5 b/ssh_config.5
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200 --- a/ssh_config.5 2022-07-12 15:05:22.550013071 +0200
@@ -373,17 +373,13 @@ or +++ b/ssh_config.5 2022-07-12 15:17:20.016704545 +0200
@@ -373,17 +373,13 @@
causes no CNAMEs to be considered for canonicalization. causes no CNAMEs to be considered for canonicalization.
This is the default behaviour. This is the default behaviour.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies which algorithms are allowed for signing of certificates Specifies which algorithms are allowed for signing of certificates
@ -24,13 +25,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
character, then the specified algorithms will be appended to the default set character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@ If the option is set to @@ -445,20 +441,25 @@
(the default), (the default),
the check will not be executed. the check will not be executed.
.It Cm Ciphers .It Cm Ciphers
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the ciphers allowed and their order of preference. Specifies the ciphers allowed and their order of preference.
@ -54,7 +55,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Bd -literal -offset indent .Bd -literal -offset indent
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com @@ -474,13 +475,6 @@
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -68,19 +69,19 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClearAllForwardings .It Cm ClearAllForwardings
@@ -874,6 +868,11 @@ command line will be passed untouched to @@ -874,6 +868,11 @@
The default is The default is
.Dq no . .Dq no .
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
The list of key exchange algorithms that are offered for GSSAPI The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are key exchange. Possible values are
.Bd -literal -offset 3n .Bd -literal -offset 3n
@@ -886,10 +885,8 @@ gss-nistp256-sha256-, @@ -886,10 +885,8 @@
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -92,13 +93,58 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@@ -1219,29 +1216,25 @@ it may be zero or more of: @@ -913,36 +910,25 @@
but may be manually hashed using
.Xr ssh-keygen 1 .
.It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for hostbased
authentication as a comma-separated list of patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended
-to the default set instead of replacing them.
+to the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed
-at the head of the default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+at the head of the built-in openssh default set.
.Pp
The
.Fl Q
@@ -1219,30 +1216,25 @@
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
@ -107,7 +153,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
-instead of replacing them. -instead of replacing them.
+character, then the specified algorithms will be appended to the built-in +character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them. +openssh default set instead of replacing them.
If the specified list begins with a If the specified list begins with a
.Sq - .Sq -
@ -120,6 +166,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
-default set. -default set.
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
@ -131,13 +178,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1351,37 +1344,33 @@ function, and all code in the @@ -1351,37 +1344,33 @@
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the MAC (message authentication code) algorithms Specifies the MAC (message authentication code) algorithms
@ -178,13 +225,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost .It Cm NoHostAuthenticationForLocalhost
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas @@ -1553,36 +1542,25 @@
The default is The default is
.Cm no . .Cm no .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the signature algorithms that will be used for public key Specifies the signature algorithms that will be used for public key
@ -224,16 +271,27 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp .Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms . .Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5 @@ -2237,7 +2207,9 @@ for those users who do not have a config
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200 This file must be world-readable.
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200 .El
@@ -373,17 +373,13 @@ If the argument is .Sh SEE ALSO
-.Xr ssh 1
+.Xr ssh 1 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free
diff --color -ru a/sshd_config.5 b/sshd_config.5
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
@@ -373,17 +373,13 @@
then no banner is displayed. then no banner is displayed.
By default, no banner is displayed. By default, no banner is displayed.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies which algorithms are allowed for signing of certificates Specifies which algorithms are allowed for signing of certificates
@ -250,13 +308,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
character, then the specified algorithms will be appended to the default set character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@ The default is @@ -450,20 +446,25 @@
indicating not to indicating not to
.Xr chroot 2 . .Xr chroot 2 .
.It Cm Ciphers .It Cm Ciphers
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the ciphers allowed. Specifies the ciphers allowed.
@ -280,7 +338,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Pp .Pp
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com @@ -490,13 +491,6 @@
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -294,13 +352,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
@@ -685,21 +679,22 @@ For this to work @@ -685,53 +679,43 @@
.Cm GSSAPIKeyExchange .Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client. needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
The list of key exchange algorithms that are accepted by GSSAPI The list of key exchange algorithms that are accepted by GSSAPI
@ -326,18 +384,27 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI. This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms .It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the host key signature algorithms Specifies the signature algorithms that will be accepted for hostbased
that the server offers. authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended to
-the default set instead of replacing them.
+the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed at
-the head of the default set.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com,
@ -348,24 +415,54 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519, -ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com, -sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256
-.Ed
+the head of the built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostbasedAcceptedAlgorithms .
@@ -799,25 +794,14 @@
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers.
The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi @@ -965,20 +947,25 @@
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
@ -374,7 +471,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
-instead of replacing them. -instead of replacing them.
+character, then the specified algorithms will be appended to the built-in +character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them. +openssh default set instead of replacing them.
If the specified list begins with a If the specified list begins with a
.Sq - .Sq -
@ -389,12 +486,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent .Bl -item -compact -offset indent
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521 @@ -1010,16 +997,6 @@
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
@ -405,13 +503,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1104,21 +1082,26 @@ function, and all code in the @@ -1104,21 +1082,26 @@
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available MAC (message authentication code) algorithms. Specifies the available MAC (message authentication code) algorithms.
@ -436,7 +534,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Pp .Pp
The algorithms that contain The algorithms that contain
.Qq -etm .Qq -etm
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com @@ -1161,15 +1144,6 @@
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -452,13 +550,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm Match .It Cm Match
@@ -1548,37 +1522,25 @@ or equivalent.) @@ -1548,36 +1522,25 @@
The default is The default is
.Cm yes . .Cm yes .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the signature algorithms that will be accepted for public key Specifies the signature algorithms that will be accepted for public key
@ -488,14 +586,24 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519, -ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com, -sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
+built-in openssh default set. +built-in openssh default set.
.Pp .Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms . .Qq ssh -Q PubkeyAcceptedAlgorithms .
@@ -2011,7 +1968,9 @@ This file should be writable by root onl
.El
.Sh SEE ALSO
.Xr sftp-server 8 ,
-.Xr sshd 8
+.Xr sshd 8 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free





@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=EnoG
-----END PGP SIGNATURE-----

openssh-9.1p1.tar.gz Normal file


16
openssh-9.1p1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=xfW+
-----END PGP SIGNATURE-----


@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 17 %global openssh_release 1
Name: openssh Name: openssh
Version: 8.8p1 Version: 9.1p1
Release: %{openssh_release} Release: %{openssh_release}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
License: BSD License: BSD
@ -18,19 +18,19 @@ Summary: An open source implementation of SSH protocol version 2
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam Source2: sshd.pam
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz Source3: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
Source5: pam_ssh_agent-rmheaders Source4: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam Source5: ssh-keycat.pam
Source7: sshd.sysconfig Source6: sshd.sysconfig
Source9: sshd@.service Source7: sshd@.service
Source10: sshd.socket Source8: sshd.socket
Source11: sshd.service Source9: sshd.service
Source12: sshd-keygen@.service Source10: sshd-keygen@.service
Source13: sshd-keygen Source11: sshd-keygen
Source14: sshd.tmpfiles Source12: sshd.tmpfiles
Source15: sshd-keygen.target Source13: sshd-keygen.target
Source16: ssh-agent.service Source14: ssh-agent.service
Source17: ssh-keygen-bash-completion.sh Source15: ssh-keygen-bash-completion.sh
Patch0: openssh-6.7p1-coverity.patch Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch Patch2: openssh-7.1p2-audit-race-condition.patch
@ -48,12 +48,10 @@ Patch14: openssh-6.6p1-keyperm.patch
Patch15: openssh-5.9p1-ipv6man.patch Patch15: openssh-5.9p1-ipv6man.patch
Patch16: openssh-5.8p2-sigpipe.patch Patch16: openssh-5.8p2-sigpipe.patch
Patch17: openssh-7.2p2-x11.patch Patch17: openssh-7.2p2-x11.patch
Patch18: openssh-7.7p1-fips.patch
Patch19: openssh-5.1p1-askpass-progress.patch Patch19: openssh-5.1p1-askpass-progress.patch
Patch20: openssh-4.3p2-askpass-grab-info.patch Patch20: openssh-4.3p2-askpass-grab-info.patch
Patch21: openssh-7.7p1.patch Patch21: openssh-7.7p1.patch
Patch22: openssh-7.8p1-UsePAM-warning.patch Patch22: openssh-7.8p1-UsePAM-warning.patch
Patch23: openssh-6.3p1-ctr-evp-fast.patch
Patch26: openssh-8.0p1-gssapi-keyex.patch Patch26: openssh-8.0p1-gssapi-keyex.patch
Patch27: openssh-6.6p1-force_krb.patch Patch27: openssh-6.6p1-force_krb.patch
Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch
@ -82,31 +80,16 @@ Patch51: openssh-8.0p1-keygen-strip-doseol.patch
Patch52: openssh-8.0p1-preserve-pam-errors.patch Patch52: openssh-8.0p1-preserve-pam-errors.patch
Patch53: openssh-8.7p1-scp-kill-switch.patch Patch53: openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch56: bugfix-openssh-add-option-check-username-splash.patch Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch58: bugfix-openssh-fix-sftpserver.patch Patch58: bugfix-openssh-fix-sftpserver.patch
Patch59: set-sshd-config.patch Patch59: set-sshd-config.patch
Patch60: feature-add-SMx-support.patch Patch60: feature-add-SMx-support.patch
Patch61: backport-upstream-a-little-extra-debugging.patch
Patch62: backport-upstream-better-debugging-for-connect_next.patch
Patch63: add-loongarch.patch Patch63: add-loongarch.patch
Patch64: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
Patch65: openssh-Add-sw64-architecture.patch Patch65: openssh-Add-sw64-architecture.patch
Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch
Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch
Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Patch79: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -180,7 +163,7 @@ instance. The module is most useful for su and sudo service stacks.
%package_help %package_help
%prep %prep
%setup -q -a 4 %setup -q -a 3
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build %patch3 -p2 -b .psaa-build
@ -190,14 +173,13 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch6 -p2 -b .psaa-agent %patch6 -p2 -b .psaa-agent
%patch8 -p2 -b .psaa-deref %patch8 -p2 -b .psaa-deref
# Remove duplicate headers and library files # Remove duplicate headers and library files
rm -f $(cat %{SOURCE5}) rm -f $(cat %{SOURCE4})
popd popd
%patch9 -p1 -b .role-mls %patch9 -p1 -b .role-mls
%patch10 -p1 -b .privsep-selinux %patch10 -p1 -b .privsep-selinux
%patch12 -p1 -b .keycat %patch12 -p1 -b .keycat
%patch13 -p1 -b .ip-opts %patch13 -p1 -b .ip-opts
%patch14 -p1 -b .keyperm
%patch15 -p1 -b .ipv6man %patch15 -p1 -b .ipv6man
%patch16 -p1 -b .sigpipe %patch16 -p1 -b .sigpipe
%patch17 -p1 -b .x11 %patch17 -p1 -b .x11
@ -205,7 +187,6 @@ popd
%patch20 -p1 -b .grab-info %patch20 -p1 -b .grab-info
%patch21 -p1 %patch21 -p1
%patch22 -p1 -b .log-usepam-no %patch22 -p1 -b .log-usepam-no
%patch23 -p1 -b .evp-ctr
%patch26 -p1 -b .gsskex %patch26 -p1 -b .gsskex
%patch27 -p1 -b .force_krb %patch27 -p1 -b .force_krb
%patch29 -p1 -b .ccache_name %patch29 -p1 -b .ccache_name
@ -235,35 +216,18 @@ popd
%patch53 -p1 -b .kill-scp %patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit %patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race %patch2 -p1 -b .audit-race
%patch18 -p1 -b .fips
%patch0 -p1 -b .coverity %patch0 -p1 -b .coverity
%patch54 -p1 %patch54 -p1
%patch55 -p1
%patch56 -p1 %patch56 -p1
%patch57 -p1 %patch57 -p1
%patch58 -p1 %patch58 -p1
%patch59 -p1 %patch59 -p1
%patch60 -p1 %patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1 %patch63 -p1
%patch64 -p1
%patch65 -p1 %patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1 %patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1 %patch77 -p1
%patch78 -p1 %patch78 -p1
%patch79 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -350,23 +314,23 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/ install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service install -m644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m644 %{SOURCE13} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir} install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service install -m644 %{SOURCE14} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m744 %{SOURCE11} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
install -m644 %{SOURCE17} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh install -m644 %{SOURCE15} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -462,6 +426,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update to openssh-9.1p1
* Mon Jan 9 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-17 * Mon Jan 9 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-17
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA