From 8dd0608e77084764a405ecf080233bb023ace5c2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: May 06 2016 07:25:20 +0000
Subject: Regression in certificate-based authentication (#1333498)
---
diff --git a/openssh-7.2p2-certificats-regress.patch b/openssh-7.2p2-certificats-regress.patch
new file mode 100644
index 0000000..8b08319
--- /dev/null
+++ b/openssh-7.2p2-certificats-regress.patch
@@ -0,0 +1,38 @@
+commit c38905ba391434834da86abfc988a2b8b9b62477
+Author: djm@openbsd.org
+Date: Mon Mar 14 16:20:54 2016 +0000
+
+ upstream commit
+
+ unbreak authentication using lone certificate keys in
+ ssh-agent: when attempting pubkey auth with a certificate, if no separate
+ private key is found among the keys then try with the certificate key itself.
+
+ bz#2550 reported by Peter Moody
+
+ Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index f79c96b..1cf48a2 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -1112,12 +1112,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
+ "certificate", __func__, id->filename,
+ id->agent_fd != -1 ? " from agent" : "");
+ } else {
+- /* XXX maybe verbose/error? */
+- debug("%s: no private key for certificate "
++ debug("%s: no separate private key for certificate "
+ "\"%s\"", __func__, id->filename);
+- free(blob);
+- buffer_free(&b);
+- return 0;
+ }
+ }
+
diff --git a/openssh.spec b/openssh.spec
index 6025080..6e2606c 100644
--- a/openssh.spec
+++ b/openssh.spec
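Review bot: The backported hunk removes `free(blob); buffer_free(&b); return 0;` from the no-separate-private-key branch of sign_and_send_pubkey, so this path no longer releases `blob` and `b` itself and instead falls through to whatever follows the hunk (presumably the signing call with the certificate identity); the function's body continues outside the hunk, so confirm that the failure path after that call frees both, otherwise the formerly skipped case of a certificate with no loadable private half becomes a per-attempt leak. The block comment above this branch is also outside the hunk, and if it still describes the no-private-key case as returning failure and continuing with other identities it now misdocuments the control flow; I would replace that sentence with `/* If no separate private key exists, fall back to signing with the certificate key itself (e.g. an agent holding cert+key as one entry). */`. The patch header records the upstream commit and Upstream-ID, which is the right provenance for a backport, but the outer commit message could name the upstream bz#2550 so the regression is traceable from the dist-git log as well.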
@@ -231,6 +231,8 @@ Patch933: openssh-7.0p1-show-more-fingerprints.patch
 Patch936: openssh-7.1p1-iutf8.patch
 # CVE-2015-8325: ignore PAM environment vars when UseLogin=yes
 Patch937: openssh-7.2p2-CVE-2015-8325.patch
+# Regression in certificate based authentication (#1333498)
+Patch938: openssh-7.2p2-certificats-regress.patch
 License: BSD
@@ -466,6 +468,7 @@ popd
 %patch933 -p1 -b .fingerprint
 %patch936 -p1 -b .iutf8
 %patch937 -p1 -b .pam_uselogin_cve
+%patch938 -p1 -b .certificates
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
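Review bot: The `Patch938:` line registers the new file as `openssh-7.2p2-certificats-regress.patch`, and that misspelling (`certificats`) will be frozen into the package sources once merged; since the file is introduced by this same commit, renaming it to `openssh-7.2p2-certificates-regress.patch` on the `Patch938:` line, in the file name, and nowhere else costs nothing now. The `%patch938 -p1 -b .certificates` line already uses the correct spelling, so leaving the file name as-is makes the two disagree. The comment `# Regression in certificate based authentication (#1333498)` could also match the commit subject's `certificate-based`.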