From 4c983d0192cb62cc26aee37e820c1d6a4ac5183d Mon Sep 17 00:00:00 2001
From: Raymond Colebaugh <raymondcolebaugh@gmail.com>
Date: Aug 03 2023 23:35:15 +0000
Subject: Merge upstream changes for 8.7p1-29.6


---

diff --git a/fb87_slog.patch b/fb87_slog.patch
index e6e907b..ffeb03d 100644
--- a/fb87_slog.patch
+++ b/fb87_slog.patch
@@ -1,7 +1,7 @@
-Index: b/slog.c
+Index: openssh-8.7p1/slog.c
 ===================================================================
 --- /dev/null
-+++ b/slog.c
++++ openssh-8.7p1/slog.c
 @@ -0,0 +1,619 @@
 +/*
 + * Copyright 2004-present Facebook. All Rights Reserved.
@@ -622,51 +622,51 @@ Index: b/slog.c
 +			return "Unknown session state";  // Should never happen
 +	}
 +}
-Index: b/servconf.c
+Index: openssh-8.7p1/servconf.c
 ===================================================================
---- b.orig/servconf.c
-+++ b/servconf.c
-@@ -204,6 +204,9 @@ initialize_server_options(ServerOptions
+--- openssh-8.7p1.orig/servconf.c
++++ openssh-8.7p1/servconf.c
+@@ -205,6 +205,9 @@ initialize_server_options(ServerOptions
  	options->disable_forwarding = -1;
  	options->expose_userauth_info = -1;
- 	options->rsa_min_size = -1;
-+	options->log_format_prefix = NULL;
-+	options->num_log_format_keys = 0;
-+	options->log_format_json = -1;
+ 	options->required_rsa_size = -1;
++ 	options->log_format_prefix = NULL;
++ 	options->num_log_format_keys = 0;
++ 	options->log_format_json = -1;
  }
  
  /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -473,6 +476,8 @@ fill_default_server_options(ServerOption
+@@ -474,6 +477,8 @@ fill_default_server_options(ServerOption
  		options->sk_provider = xstrdup("internal");
- 	if (options->rsa_min_size == -1)
- 		options->rsa_min_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
-+	if (options->log_format_json == -1)
-+		options->log_format_json = 0;
+ 	if (options->required_rsa_size == -1)
+ 		options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
++ 	if (options->log_format_json == -1)
++ 		options->log_format_json = 0;
  
  	assemble_algorithms(options);
  
-@@ -553,6 +558,10 @@ typedef enum {
+@@ -554,6 +559,10 @@ typedef enum {
  	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
  	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
- 	sRSAMinSize,
-+	/* Structured Logging options.  Unless sLogFormatKeys is set,
-+	    structured logging is disabled */
-+	sLogFormatPrefix, sLogFormatKeys, sLogFormatJson,
+ 	sRequiredRSASize,
++ 	/* Structured Logging options.  Unless sLogFormatKeys is set,
++ 	    structured logging is disabled */
++ 	sLogFormatPrefix, sLogFormatKeys, sLogFormatJson,
 +
  	sDeprecated, sIgnore, sUnsupported
  } ServerOpCodes;
  
-@@ -730,6 +739,9 @@ static struct {
- 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+@@ -732,6 +741,9 @@ static struct {
  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
- 	{ "rsaminsize", sRSAMinSize, SSHCFG_ALL },
-+	{ "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL },
-+	{ "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL },
-+	{ "logformatjson", sLogFormatJson, SSHCFG_GLOBAL },
+ 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ 	{ "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
++ 	{ "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL },
++ 	{ "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL },
++ 	{ "logformatjson", sLogFormatJson, SSHCFG_GLOBAL },
  	{ NULL, sBadOption, 0 }
  };
  
-@@ -2367,6 +2379,30 @@ process_server_config_line_depth(ServerO
+@@ -2369,6 +2381,30 @@ process_server_config_line_depth(ServerO
  		}
  		break;
  
@@ -697,7 +697,7 @@ Index: b/servconf.c
  	case sIPQoS:
  		arg = argv_next(&ac, &av);
  		if (!arg || *arg == '\0')
-@@ -3024,6 +3060,7 @@ dump_config(ServerOptions *o)
+@@ -3026,6 +3062,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
  	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
  	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
@@ -705,7 +705,7 @@ Index: b/servconf.c
  
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
-@@ -3054,6 +3091,7 @@ dump_config(ServerOptions *o)
+@@ -3056,6 +3093,7 @@ dump_config(ServerOptions *o)
  #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
  	dump_cfg_string(sRDomain, o->routing_domain);
  #endif
@@ -713,7 +713,7 @@ Index: b/servconf.c
  
  	/* string arguments requiring a lookup */
  	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-@@ -3076,6 +3114,7 @@ dump_config(ServerOptions *o)
+@@ -3078,6 +3116,7 @@ dump_config(ServerOptions *o)
  	    o->num_auth_methods, o->auth_methods);
  	dump_cfg_strarray_oneline(sLogVerbose,
  	    o->num_log_verbose, o->log_verbose);
@@ -721,10 +721,10 @@ Index: b/servconf.c
  
  	/* other arguments */
  	for (i = 0; i < o->num_subsystems; i++)
-Index: b/auth2-pubkey.c
+Index: openssh-8.7p1/auth2-pubkey.c
 ===================================================================
---- b.orig/auth2-pubkey.c
-+++ b/auth2-pubkey.c
+--- openssh-8.7p1.orig/auth2-pubkey.c
++++ openssh-8.7p1/auth2-pubkey.c
 @@ -66,6 +66,7 @@
  #include "monitor_wrap.h"
  #include "authfile.h"
@@ -733,7 +733,7 @@ Index: b/auth2-pubkey.c
  #include "ssherr.h"
  #include "channels.h" /* XXX for session.h */
  #include "session.h" /* XXX for child_set_env(); refactor? */
-@@ -389,6 +390,7 @@ check_principals_line(struct ssh *ssh, c
+@@ -390,6 +391,7 @@ check_principals_line(struct ssh *ssh, c
  		debug3("%s: matched principal \"%.100s\"",
  		    loc, cert->principals[i]);
  		found = 1;
@@ -741,7 +741,7 @@ Index: b/auth2-pubkey.c
  	}
  	if (found && authoptsp != NULL) {
  		*authoptsp = opts;
-@@ -714,6 +716,7 @@ check_authkey_line(struct ssh *ssh, stru
+@@ -715,6 +717,7 @@ check_authkey_line(struct ssh *ssh, stru
  	    (unsigned long long)key->cert->serial,
  	    sshkey_type(found), fp, loc);
  
@@ -749,7 +749,7 @@ Index: b/auth2-pubkey.c
   success:
  	if (finalopts == NULL)
  		fatal_f("internal error: missing options");
-@@ -864,6 +867,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
+@@ -865,6 +868,7 @@ user_cert_trusted_ca(struct ssh *ssh, st
  		*authoptsp = final_opts;
  		final_opts = NULL;
  	}
@@ -757,10 +757,10 @@ Index: b/auth2-pubkey.c
  	ret = 1;
   out:
  	sshauthopt_free(principals_opts);
-Index: b/regress/test-exec.sh
+Index: openssh-8.7p1/regress/test-exec.sh
 ===================================================================
---- b.orig/regress/test-exec.sh
-+++ b/regress/test-exec.sh
+--- openssh-8.7p1.orig/regress/test-exec.sh
++++ openssh-8.7p1/regress/test-exec.sh
 @@ -689,7 +689,7 @@ start_sshd ()
  
  	trace "wait for sshd"
@@ -770,10 +770,10 @@ Index: b/regress/test-exec.sh
  		i=`expr $i + 1`
  		sleep $i
  	done
-Index: b/session.c
+Index: openssh-8.7p1/session.c
 ===================================================================
---- b.orig/session.c
-+++ b/session.c
+--- openssh-8.7p1.orig/session.c
++++ openssh-8.7p1/session.c
 @@ -96,6 +96,8 @@
  #include "monitor_wrap.h"
  #include "sftp.h"
@@ -813,10 +813,10 @@ Index: b/session.c
  	return remote;
  }
 -
-Index: b/log.h
+Index: openssh-8.7p1/log.h
 ===================================================================
---- b.orig/log.h
-+++ b/log.h
+--- openssh-8.7p1.orig/log.h
++++ openssh-8.7p1/log.h
 @@ -133,4 +133,6 @@ void	 sshlogdirect(LogLevel, int, const
  #define logdie_fr(r, ...)	sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
  #define sigdie_fr(r, ...)	sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
@@ -824,10 +824,10 @@ Index: b/log.h
 +void     do_log_slog_payload(const char *);
 +
  #endif
-Index: b/log.c
+Index: openssh-8.7p1/log.c
 ===================================================================
---- b.orig/log.c
-+++ b/log.c
+--- openssh-8.7p1.orig/log.c
++++ openssh-8.7p1/log.c
 @@ -529,3 +529,39 @@ sshlogdirect(LogLevel level, int forced,
  	do_log(level, forced, NULL, fmt, args);
  	va_end(args);
@@ -868,10 +868,10 @@ Index: b/log.c
 +	}
 +	errno = saved_errno;
 +}
-Index: b/slog.h
+Index: openssh-8.7p1/slog.h
 ===================================================================
 --- /dev/null
-+++ b/slog.h
++++ openssh-8.7p1/slog.h
 @@ -0,0 +1,41 @@
 +/*
 + * Copyright 2004-present Facebook. All Rights Reserved.
@@ -914,10 +914,10 @@ Index: b/slog.h
 +void	slog_log_session(void);
 +
 +#endif
-Index: b/sshd.c
+Index: openssh-8.7p1/sshd.c
 ===================================================================
---- b.orig/sshd.c
-+++ b/sshd.c
+--- openssh-8.7p1.orig/sshd.c
++++ openssh-8.7p1/sshd.c
 @@ -132,6 +132,8 @@
  #include "sk-api.h"
  #include "srclimit.h"
@@ -927,7 +927,7 @@ Index: b/sshd.c
  
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
-@@ -2149,6 +2151,7 @@ main(int ac, char **av)
+@@ -2163,6 +2165,7 @@ main(int ac, char **av)
  	}
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -935,7 +935,7 @@ Index: b/sshd.c
  
  	if (FIPS_mode()) {
  		debug("FIPS mode initialized");
-@@ -2315,8 +2318,15 @@ main(int ac, char **av)
+@@ -2332,8 +2335,15 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : " rdomain \"",
  	    rdomain == NULL ? "" : rdomain,
  	    rdomain == NULL ? "" : "\"");
@@ -952,7 +952,7 @@ Index: b/sshd.c
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2638,6 +2648,7 @@ cleanup_exit(int i)
+@@ -2655,6 +2665,7 @@ cleanup_exit(int i)
  	if (in_cleanup)
  		_exit(i);
  	in_cleanup = 1;
@@ -960,10 +960,10 @@ Index: b/sshd.c
  	if (the_active_state != NULL && the_authctxt != NULL) {
  		do_cleanup(the_active_state, the_authctxt);
  		if (use_privsep && privsep_is_preauth &&
-Index: b/sshd_config
+Index: openssh-8.7p1/sshd_config
 ===================================================================
---- b.orig/sshd_config
-+++ b/sshd_config
+--- openssh-8.7p1.orig/sshd_config
++++ openssh-8.7p1/sshd_config
 @@ -33,6 +33,15 @@ Include /etc/ssh/sshd_config.d/*.conf
  # Logging
  #SyslogFacility AUTH
@@ -980,10 +980,10 @@ Index: b/sshd_config
  
  # Authentication:
  
-Index: b/auth-pam.c
+Index: openssh-8.7p1/auth-pam.c
 ===================================================================
---- b.orig/auth-pam.c
-+++ b/auth-pam.c
+--- openssh-8.7p1.orig/auth-pam.c
++++ openssh-8.7p1/auth-pam.c
 @@ -94,6 +94,7 @@ extern char *__progname;
  #include "auth-pam.h"
  #include "canohost.h"
@@ -1006,10 +1006,10 @@ Index: b/auth-pam.c
  	else {
  		sshpam_session_open = 0;
  		auth_restrict_session(ssh);
-Index: b/servconf.h
+Index: openssh-8.7p1/servconf.h
 ===================================================================
---- b.orig/servconf.h
-+++ b/servconf.h
+--- openssh-8.7p1.orig/servconf.h
++++ openssh-8.7p1/servconf.h
 @@ -22,6 +22,8 @@
  
  #define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
@@ -1022,20 +1022,20 @@ Index: b/servconf.h
 @@ -239,6 +241,12 @@ typedef struct {
  	u_int64_t timing_secret;
  	char   *sk_provider;
- 	int	rsa_min_size;	/* minimum size of RSA keys */
+ 	int	required_rsa_size;	/* minimum size of RSA keys */
 +
-+	char   *log_format_prefix;
-+	u_int  num_log_format_keys;
-+	char   *log_format_keys[MAX_LOGFORMAT_KEYS];
-+	int log_format_json;	/* 1 to return "token": "token_val" in log format */
++ 	char   *log_format_prefix;
++ 	u_int  num_log_format_keys;
++ 	char   *log_format_keys[MAX_LOGFORMAT_KEYS];
++ 	int log_format_json;	/* 1 to return "token": "token_val" in log format */
 +
  }       ServerOptions;
  
  /* Information about the incoming connection as used by Match */
-Index: b/regress/slog.sh
+Index: openssh-8.7p1/regress/slog.sh
 ===================================================================
 --- /dev/null
-+++ b/regress/slog.sh
++++ openssh-8.7p1/regress/slog.sh
 @@ -0,0 +1,59 @@
 +tid='structured log'
 +
@@ -1096,10 +1096,10 @@ Index: b/regress/slog.sh
 +
 +test_log_counts
 +test_json_valid
-Index: b/Makefile.in
+Index: openssh-8.7p1/Makefile.in
 ===================================================================
---- b.orig/Makefile.in
-+++ b/Makefile.in
+--- openssh-8.7p1.orig/Makefile.in
++++ openssh-8.7p1/Makefile.in
 @@ -129,7 +129,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	monitor.o monitor_wrap.o auth-krb5.o \
  	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -1118,10 +1118,10 @@ Index: b/Makefile.in
  	rm -rf autom4te.cache
  	rm -f regress/check-perm
  	rm -f regress/mkdtemp
-Index: b/auth.c
+Index: openssh-8.7p1/auth.c
 ===================================================================
---- b.orig/auth.c
-+++ b/auth.c
+--- openssh-8.7p1.orig/auth.c
++++ openssh-8.7p1/auth.c
 @@ -76,6 +76,7 @@
  #include "ssherr.h"
  #include "compat.h"
diff --git a/openssh.spec b/openssh.spec
index bde5c0b..350d05e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -56,7 +56,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
 %global openssh_rel 29
-%global hyperscale_rel 5
+%global hyperscale_rel 6
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -827,6 +827,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Apr 24 2023 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-29.6 + 0.10.4-5.6
+- Merge new changes from upstream
+
 * Thu Apr 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-29
 - Resolve possible self-DoS with some clients
   Resolves: rhbz#2186473