Update to OpenSSH 9.9p1

Resolves: RHEL-60564
Dmitry Belyavskiy 2024-10-10 12:30:39 +02:00
parent d84f5f5164
commit 07172f36c4
15 changed files with 1515 additions and 4451 deletions

2
.gitignore vendored

@ -62,3 +62,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-9.6p1.tar.gz.asc /openssh-9.6p1.tar.gz.asc
/openssh-9.8p1.tar.gz /openssh-9.8p1.tar.gz
/openssh-9.8p1.tar.gz.asc /openssh-9.8p1.tar.gz.asc
/openssh-9.9p1.tar.gz
/openssh-9.9p1.tar.gz.asc


@ -38,5 +38,5 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
+ } + }
+ } while (i < option_size); + } while (i < option_size);
} }
return;
#endif /* IP_OPTIONS */ #endif /* IP_OPTIONS */
}


@ -73,22 +73,6 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut->ut_host, li->hostname, strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname)); MIN_SIZEOF(ut->ut_host, li->hostname));
# endif # endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100 --- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100 +++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100


@ -1086,7 +1086,7 @@ diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in
--- openssh-8.6p1/Makefile.in.audit 2021-04-19 16:47:35.731061937 +0200 --- openssh-8.6p1/Makefile.in.audit 2021-04-19 16:47:35.731061937 +0200
+++ openssh-8.6p1/Makefile.in 2021-04-19 16:47:35.756062129 +0200 +++ openssh-8.6p1/Makefile.in 2021-04-19 16:47:35.756062129 +0200
@@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexsntrup761x25519.o sntrup761.o kexgen.o \ kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
kexgssc.o \ kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- sshbuf-io.o - sshbuf-io.o
@ -2056,7 +2056,7 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "auth-options.h" #include "auth-options.h"
#include "version.h" #include "version.h"
@@ -260,8 +261,8 @@ struct sshbuf *loginmsg; @@ -260,8 +261,44 @@ struct sshbuf *loginmsg;
struct sshbuf *loginmsg; struct sshbuf *loginmsg;
/* Prototypes for various functions defined later in this file. */ /* Prototypes for various functions defined later in this file. */
@ -2064,6 +2064,42 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
-void demote_sensitive_data(void); -void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *); +void destroy_sensitive_data(struct ssh *);
+void demote_sensitive_data(struct ssh *); +void demote_sensitive_data(struct ssh *);
+
+static int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ const RSA *rsa = EVP_PKEY_get0_RSA(k->pkey);
+ RSA_get0_key(rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA: {
+ const EC_KEY * ecdsa = EVP_PKEY_get0_EC_KEY(k->pkey);
+ return EC_KEY_get0_private_key(ecdsa) != NULL;
+ }
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
static void do_ssh2_kex(struct ssh *); static void do_ssh2_kex(struct ssh *);
/* /*
@ -2222,7 +2258,7 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
if (the_active_state != NULL && the_authctxt != NULL) { if (the_active_state != NULL && the_authctxt != NULL) {
@@ -2525,7 +2593,9 @@ cleanup_exit(int i) @@ -2525,7 +2593,9 @@ cleanup_exit(int i)
_exit(EXIT_AUTH_ATTEMPTED); }
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */ /* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (the_active_state != NULL && mm_is_monitor()) - if (the_active_state != NULL && mm_is_monitor())
@ -2231,57 +2267,4 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
+ mm_is_monitor()) + mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON); audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); /* Override default fatal exit value when auth was attempted */
diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.audit 2021-04-19 16:47:35.741062014 +0200
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:47:35.759062152 +0200
@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
diff -up openssh-8.6p1/sshkey.h.audit openssh-8.6p1/sshkey.h
--- openssh-8.6p1/sshkey.h.audit 2021-04-19 16:47:35.741062014 +0200
+++ openssh-8.6p1/sshkey.h 2021-04-19 16:47:35.759062152 +0200
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *);
+int sshkey_is_private(const struct sshkey *);
int sshkey_is_cert(const struct sshkey *);
int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int);
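Review bot: In the static `sshkey_is_private()` now added to sshd-session.c, the Ed25519 branch returns `(k->ed25519_pk != NULL)`, which tests the public half, so a public-only Ed25519 key is reported as private; `return (k->ed25519_sk != NULL);` is what the function name promises. The line is carried over unchanged from the sshkey.c copy this commit drops, so the move is a natural place to correct it. The RSA and ECDSA branches also hand the result of `EVP_PKEY_get0_RSA(k->pkey)` and `EVP_PKEY_get0_EC_KEY(k->pkey)` straight to `RSA_get0_key()` / `EC_KEY_get0_private_key()` without a NULL check; whether a caller can reach this with an empty `pkey` is not visible in the hunk. The DSA branch still reads `k->dsa` under `WITH_OPENSSL` only, while the ssh-keygen.c context elsewhere on this page is guarded by `WITH_DSA`, so a build without DSA may need the same guard here.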


@ -427,9 +427,9 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200 +++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/core_names.h>
#include <openssl/param_build.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#endif #endif
@ -544,13 +544,13 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
- name = _PATH_SSH_CLIENT_ID_ED25519; - name = _PATH_SSH_CLIENT_ID_ED25519;
+ name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519; + name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
else { else {
switch (sshkey_type_from_name(key_type_name)) { switch (sshkey_type_from_shortname(key_type_name)) {
#ifdef WITH_DSA #ifdef WITH_DSA
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
} }
+ type = sshkey_type_from_name(key_types[i].key_type); + type = sshkey_type_from_shortname(key_types[i].key_type);
+ +
+ /* Skip the keys that are not supported in FIPS mode */ + /* Skip the keys that are not supported in FIPS mode */
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) { + if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
@ -561,7 +561,7 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
+ +
printf("%s ", key_types[i].key_type_display); printf("%s ", key_types[i].key_type_display);
fflush(stdout); fflush(stdout);
- type = sshkey_type_from_name(key_types[i].key_type); - type = sshkey_type_from_shortname(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));
@ -572,31 +572,31 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
- key_type_name = DEFAULT_KEY_TYPE_NAME; - key_type_name = DEFAULT_KEY_TYPE_NAME;
+ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME; + key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name); type = sshkey_type_from_shortname(key_type_name);
type_bits_valid(type, key_type_name, &bits); type_bits_valid(type, key_type_name, &bits);
diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
--- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200 --- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200
+++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200 +++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200
@@ -33,6 +33,7 @@ @@ -33,6 +33,7 @@
#include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/core_names.h>
#include <openssl/param_build.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#include <stdarg.h> #include <stdarg.h>
#include <string.h> #include <string.h>
@@ -1705,6 +1707,8 @@ ssh_rsa_generate(u_int bits, RSA @@ -1705,6 +1707,8 @@ ssh_rsa_generate(u_int bits, RSA
goto out; goto out;
}
if (EVP_PKEY_keygen(ctx, &res) <= 0) { if (EVP_PKEY_keygen(ctx, &res) <= 0 || res == NULL) {
+ if (FIPS_mode()) + if (FIPS_mode())
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); + logit_f("the key length might be unsupported by FIPS mode approved key generation method");
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c diff -up openssh-9.9p1/kexgen.c.xxx openssh-9.9p1/kexgen.c
--- openssh-8.7p1/kexgen.c.fips3 2022-07-11 16:11:21.973519913 +0200 --- openssh-9.9p1/kexgen.c.xxx 2024-10-09 10:35:56.285946080 +0200
+++ openssh-8.7p1/kexgen.c 2022-07-11 16:25:31.172187365 +0200 +++ openssh-9.9p1/kexgen.c 2024-10-09 10:41:52.792597194 +0200
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@ -605,7 +605,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
#include "sshkey.h" #include "sshkey.h"
#include "kex.h" #include "kex.h"
@@ -115,10 +116,20 @@ kex_gen_client(struct ssh *ssh) @@ -115,13 +116,28 @@ kex_gen_client(struct ssh *ssh)
break; break;
#endif #endif
case KEX_C25519_SHA256: case KEX_C25519_SHA256:
@ -624,11 +624,20 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
+ r = SSH_ERR_INVALID_ARGUMENT; + r = SSH_ERR_INVALID_ARGUMENT;
+ } else { + } else {
+ r = kex_kem_sntrup761x25519_keypair(kex); + r = kex_kem_sntrup761x25519_keypair(kex);
+ }
break;
case KEX_KEM_MLKEM768X25519_SHA256:
- r = kex_kem_mlkem768x25519_keypair(kex);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_mlkem768x25519_keypair(kex);
+ } + }
break; break;
default: default:
r = SSH_ERR_INVALID_ARGUMENT; r = SSH_ERR_INVALID_ARGUMENT;
@@ -186,11 +197,21 @@ input_kex_gen_reply(int type, u_int32_t @@ -189,15 +205,30 @@ input_kex_gen_reply(int type, u_int32_t
break; break;
#endif #endif
case KEX_C25519_SHA256: case KEX_C25519_SHA256:
@ -649,11 +658,22 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
+ } else { + } else {
+ r = kex_kem_sntrup761x25519_dec(kex, server_blob, + r = kex_kem_sntrup761x25519_dec(kex, server_blob,
+ &shared_secret); + &shared_secret);
+ }
break;
case KEX_KEM_MLKEM768X25519_SHA256:
- r = kex_kem_mlkem768x25519_dec(kex, server_blob,
- &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_mlkem768x25519_dec(kex, server_blob,
+ &shared_secret);
+ } + }
break; break;
default: default:
r = SSH_ERR_INVALID_ARGUMENT; r = SSH_ERR_INVALID_ARGUMENT;
@@ -285,12 +306,22 @@ input_kex_gen_init(int type, u_int32_t s @@ -312,16 +343,31 @@ input_kex_gen_init(int type, u_int32_t s
break; break;
#endif #endif
case KEX_C25519_SHA256: case KEX_C25519_SHA256:
@ -676,6 +696,17 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
+ } else { + } else {
+ r = kex_kem_sntrup761x25519_enc(kex, client_pubkey, + r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
+ &server_pubkey, &shared_secret); + &server_pubkey, &shared_secret);
+ }
break;
case KEX_KEM_MLKEM768X25519_SHA256:
- r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
- &server_pubkey, &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
+ &server_pubkey, &shared_secret);
+ } + }
break; break;
default: default:
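Review bot: The new `KEX_KEM_MLKEM768X25519_SHA256` FIPS gates in `kex_gen_client`, `input_kex_gen_reply` and `input_kex_gen_init` run only after the algorithm has already been negotiated, so in FIPS mode they turn a policy mismatch into a failed handshake rather than a fallback to an approved KEX. Nothing in the visible hunks shows mlkem768x25519-sha256 being removed from the FIPS-mode KEX proposal; if that filtering lives elsewhere, a comment on the first gate such as `/* backstop only: the FIPS proposal must already exclude this KEX */` would record the dependency. The same `if (FIPS_mode()) { logit_f(...); r = SSH_ERR_INVALID_ARGUMENT; }` block is now repeated for sntrup761 and mlkem768 in all three functions; a small static helper taking the algorithm name would keep the log text and return code consistent. All three functions continue outside the hunks shown.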


@ -166,8 +166,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+.Pp +.Pp
Specifies the permitted KEX (Key Exchange) algorithms that will be used and Specifies the permitted KEX (Key Exchange) algorithms that will be used and
their preference order. their preference order.
The selected algorithm will the the first algorithm in this list that The selected algorithm will be the first algorithm in this list that
@@ -1338,28 +1343,17 @@ Multiple algorithms must be comma-separa @@ -1338,29 +1343,17 @@ Multiple algorithms must be comma-separa
.Pp .Pp
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
@ -187,7 +187,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
-.Pp -.Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com, -sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
@ -517,13 +518,14 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
.Pp .Pp
The supported algorithms are: The supported algorithms are:
.Pp .Pp
@@ -1075,16 +1080,6 @@ ecdh-sha2-nistp521 @@ -1075,17 +1080,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com, -sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
-mlkem768x25519-sha256,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,


@ -1353,9 +1353,17 @@ diff -up openssh-9.6p1/ssh-pkcs11-client.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11-c
for (i = 0; i < nkeys; i++) { for (i = 0; i < nkeys; i++) {
/* XXX clean up properly instead of fatal() */ /* XXX clean up properly instead of fatal() */
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 || if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c diff -up openssh-9.9p1/ssh-pkcs11.c.xxx openssh-9.9p1/ssh-pkcs11.c
--- openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri 2023-12-18 15:59:50.000000000 +0100 --- openssh-9.9p1/ssh-pkcs11.c.xxx 2024-10-09 11:56:35.890126144 +0200
+++ openssh-9.6p1/ssh-pkcs11.c 2024-01-12 14:28:09.170975480 +0100 +++ openssh-9.9p1/ssh-pkcs11.c 2024-10-09 11:56:48.528459585 +0200
@@ -38,6 +38,7 @@
#include <openssl/ecdsa.h>
#include <openssl/x509.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#define CRYPTOKI_COMPAT
#include "pkcs11.h"
@@ -55,8 +55,8 @@ struct pkcs11_slotinfo { @@ -55,8 +55,8 @@ struct pkcs11_slotinfo {
int logged_in; int logged_in;
}; };
@ -1556,7 +1564,7 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
} }
static RSA_METHOD *rsa_method; static RSA_METHOD *rsa_method;
@@ -195,6 +286,56 @@ static EC_KEY_METHOD *ec_key_method; @@ -195,6 +286,60 @@ static EC_KEY_METHOD *ec_key_method;
static int ec_key_idx = 0; static int ec_key_idx = 0;
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
@ -1573,13 +1581,17 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
+ +
+ /* sanity - is it a RSA key with associated app_data? */ + /* sanity - is it a RSA key with associated app_data? */
+ switch (key->type) { + switch (key->type) {
+ case KEY_RSA: + case KEY_RSA: {
+ k11 = RSA_get_ex_data(key->rsa, rsa_idx); + const RSA *rsa = EVP_PKEY_get0_RSA(key->pkey);
+ k11 = RSA_get_ex_data(rsa, rsa_idx);
+ break; + break;
+ }
+#ifdef HAVE_EC_KEY_METHOD_NEW +#ifdef HAVE_EC_KEY_METHOD_NEW
+ case KEY_ECDSA: + case KEY_ECDSA: {
+ k11 = EC_KEY_get_ex_data(key->ecdsa, ec_key_idx); + const EC_KEY * ecdsa = EVP_PKEY_get0_EC_KEY(key->pkey);
+ k11 = EC_KEY_get_ex_data(ecdsa, ec_key_idx);
+ break; + break;
+ }
+#endif +#endif
+ default: + default:
+ error("Unknown key type %d", key->type); + error("Unknown key type %d", key->type);
@ -1733,9 +1745,9 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
+ k11->label[label_attrib->ulValueLen] = 0; + k11->label[label_attrib->ulValueLen] = 0;
+ } + }
+ +
RSA_set_method(rsa, rsa_method); if (RSA_set_method(rsa, rsa_method) != 1)
RSA_set_ex_data(rsa, rsa_idx, k11); fatal_f("RSA_set_method failed");
return (0); if (RSA_set_ex_data(rsa, rsa_idx, k11) != 1)
@@ -532,8 +683,8 @@ ecdsa_do_sign(const unsigned char *dgst, @@ -532,8 +683,8 @@ ecdsa_do_sign(const unsigned char *dgst,
return (NULL); return (NULL);
} }
@ -1766,9 +1778,9 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
+ k11->label[label_attrib->ulValueLen] = 0; + k11->label[label_attrib->ulValueLen] = 0;
+ } + }
+ +
EC_KEY_set_method(ec, ec_key_method); if (EC_KEY_set_method(ec, ec_key_method) != 1)
EC_KEY_set_ex_data(ec, ec_key_idx, k11); fatal_f("EC_KEY_set_method failed");
if (EC_KEY_set_ex_data(ec, ec_key_idx, k11) != 1)
@@ -622,7 +779,8 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider @@ -622,7 +779,8 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider
} }
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
@ -1895,7 +1907,7 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
key = sshkey_new(KEY_UNSPEC); key = sshkey_new(KEY_UNSPEC);
@@ -810,7 +970,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ @@ -810,7 +970,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_
ec = NULL; /* now owned by key */ key->flags |= SSHKEY_FLAG_EXT;
fail: fail:
- for (i = 0; i < 3; i++) - for (i = 0; i < 3; i++)
@ -1979,7 +1991,7 @@ diff -up openssh-9.6p1/ssh-pkcs11.c.pkcs11-uri openssh-9.6p1/ssh-pkcs11.c
key = sshkey_new(KEY_UNSPEC); key = sshkey_new(KEY_UNSPEC);
@@ -905,7 +1067,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr @@ -905,7 +1067,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr
rsa = NULL; /* now owned by key */ key->flags |= SSHKEY_FLAG_EXT;
fail: fail:
- for (i = 0; i < 3; i++) - for (i = 0; i < 3; i++)
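Review bot: In the switch under the `/* sanity - is it a RSA key with associated app_data? */` comment, the new `EVP_PKEY_get0_RSA(key->pkey)` and `EVP_PKEY_get0_EC_KEY(key->pkey)` results go to `RSA_get_ex_data()` and `EC_KEY_get_ex_data()` unchecked, although both getters return NULL when the EVP_PKEY is missing or holds a different key type. A one-line guard per case, e.g. `k11 = (rsa != NULL) ? RSA_get_ex_data(rsa, rsa_idx) : NULL;` and the matching form for `ecdsa`, avoids dereferencing a NULL key object. This relies on the code after the switch rejecting a NULL `k11`, which is outside the visible hunk and should be confirmed.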


@ -94,47 +94,6 @@ diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c
is_proof ? "hostkey proof" : "KEX", siglen); is_proof ? "hostkey proof" : "KEX", siglen);
sshbuf_reset(m); sshbuf_reset(m);
diff -up openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck openssh-8.7p1/regress/cert-userkey.sh
--- openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck 2023-01-25 14:26:52.885963113 +0100
+++ openssh-8.7p1/regress/cert-userkey.sh 2023-01-25 14:27:25.757219800 +0100
@@ -7,7 +7,8 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+#ssh-dss keys are incompatible with DEFAULT crypto policy
+PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss' | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
EXTRA_TYPES=""
rsa=""
diff -up openssh-8.7p1/regress/Makefile.sshrsacheck openssh-8.7p1/regress/Makefile
--- openssh-8.7p1/regress/Makefile.sshrsacheck 2023-01-20 13:07:54.169676051 +0100
+++ openssh-8.7p1/regress/Makefile 2023-01-20 13:07:54.290677074 +0100
@@ -2,7 +2,8 @@
tests: prep file-tests t-exec unit
-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12
+#ssh-dss tests will not pass on DEFAULT crypto-policy because of SHA1, skipping
+REGRESS_TARGETS= t1 t2 t3 t4 t5 t7 t8 t9 t10 t11 t12
# File based tests
file-tests: $(REGRESS_TARGETS)
diff -up openssh-8.7p1/regress/test-exec.sh.sshrsacheck openssh-8.7p1/regress/test-exec.sh
--- openssh-8.7p1/regress/test-exec.sh.sshrsacheck 2023-01-25 14:24:54.778040819 +0100
+++ openssh-8.7p1/regress/test-exec.sh 2023-01-25 14:26:39.500858590 +0100
@@ -581,8 +581,9 @@ maybe_filter_sk() {
fi
}
-SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
+#ssh-dss keys are incompatible with DEFAULT crypto policy
+SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'`
+SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'`
for t in ${SSH_KEYTYPES}; do
# generate user key
diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c
--- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100 --- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100
+++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100 +++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100


@ -1,207 +0,0 @@
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../openssh-8.7p1/kexecdh.c ./kexecdh.c
--- ../openssh-8.7p1/kexecdh.c 2021-08-20 06:03:49.000000000 +0200
+++ ./kexecdh.c 2023-04-13 14:30:14.882449593 +0200
@@ -35,17 +35,57 @@
#include <signal.h>
#include <openssl/ecdh.h>
+#include <openssl/evp.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#include <openssl/err.h>
#include "sshkey.h"
#include "kex.h"
#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"
+#include "log.h"
static int
kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key,
const EC_GROUP *, struct sshbuf **);
+static EC_KEY *
+generate_ec_keys(int ec_nid)
+{
+ EC_KEY *client_key = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+ OSSL_PARAM *params = NULL;
+ const char *group_name;
+
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ||
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL)
+ goto out;
+ if ((group_name = OSSL_EC_curve_nid2name(ec_nid)) == NULL ||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 ||
+ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
+ error_f("Could not create OSSL_PARAM");
+ goto out;
+ }
+ if (EVP_PKEY_keygen_init(ctx) != 1 ||
+ EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
+ EVP_PKEY_generate(ctx, &pkey) != 1 ||
+ (client_key = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
+ error_f("Could not generate ec keys");
+ goto out;
+ }
+out:
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_free(params);
+ return client_key;
+}
+
int
kex_ecdh_keypair(struct kex *kex)
{
@@ -55,11 +95,7 @@
struct sshbuf *buf = NULL;
int r;
- if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(client_key) != 1) {
+ if ((client_key = generate_ec_keys(kex->ec_nid)) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -101,11 +137,7 @@
*server_blobp = NULL;
*shared_secretp = NULL;
- if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(server_key) != 1) {
+ if ((server_key = generate_ec_keys(kex->ec_nid)) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -140,11 +172,21 @@
{
struct sshbuf *buf = NULL;
BIGNUM *shared_secret = NULL;
- EC_POINT *dh_pub = NULL;
- u_char *kbuf = NULL;
- size_t klen = 0;
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *pkey = NULL, *dh_pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+ OSSL_PARAM *params = NULL;
+ u_char *kbuf = NULL, *pub = NULL;
+ size_t klen = 0, publen;
+ const char *group_name;
int r;
+ /* import EC_KEY to EVP_PKEY */
+ if ((r = ssh_create_evp_ec(key, kex->ec_nid, &pkey)) != 0) {
+ error_f("Could not create EVP_PKEY");
+ goto out;
+ }
+
*shared_secretp = NULL;
if ((buf = sshbuf_new()) == NULL) {
@@ -153,45 +195,82 @@
}
if ((r = sshbuf_put_stringb(buf, ec_blob)) != 0)
goto out;
- if ((dh_pub = EC_POINT_new(group)) == NULL) {
+
+ /* the public key is in the buffer in octet string UNCOMPRESSED
+ * format. See sshbuf_put_ec */
+ if ((r = sshbuf_get_string(buf, &pub, &publen)) != 0)
+ goto out;
+ sshbuf_reset(buf);
+ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL ||
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) {
+ if ((group_name = OSSL_EC_curve_nid2name(kex->ec_nid)) == NULL) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if (OSSL_PARAM_BLD_push_octet_string(param_bld,
+ OSSL_PKEY_PARAM_PUB_KEY, pub, publen) != 1 ||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 ||
+ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
+ error_f("Failed to set params for dh_pkey");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if (EVP_PKEY_fromdata_init(ctx) != 1 ||
+ EVP_PKEY_fromdata(ctx, &dh_pkey,
+ EVP_PKEY_PUBLIC_KEY, params) != 1 ||
+ EVP_PKEY_public_check(ctx) != 1) {
+ error_f("Peer public key import failed");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- sshbuf_reset(buf);
#ifdef DEBUG_KEXECDH
fputs("public key:\n", stderr);
- sshkey_dump_ec_point(group, dh_pub);
+ EVP_PKEY_print_public_fp(stderr, dh_pkey, 0, NULL);
#endif
- if (sshkey_ec_validate_public(group, dh_pub) != 0) {
- r = SSH_ERR_MESSAGE_INCOMPLETE;
+ EVP_PKEY_CTX_free(ctx);
+ ctx = NULL;
+ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL ||
+ EVP_PKEY_derive_init(ctx) != 1 ||
+ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 ||
+ EVP_PKEY_derive(ctx, NULL, &klen) != 1) {
+ error_f("Failed to get derive information");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- klen = (EC_GROUP_get_degree(group) + 7) / 8;
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
+ if ((kbuf = malloc(klen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
- BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
+ if ((shared_secret = BN_new()) == NULL ||
+ (BN_bin2bn(kbuf, klen, shared_secret) == NULL)) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0)
goto out;
*shared_secretp = buf;
buf = NULL;
out:
- EC_POINT_clear_free(dh_pub);
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_free(dh_pkey);
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_free(params);
BN_clear_free(shared_secret);
freezero(kbuf, klen);
+ freezero(pub, publen);
sshbuf_free(buf);
return r;
}


@ -128,7 +128,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/kex.c openssh-9.0p1-patched/kex.c diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/kex.c openssh-9.0p1-patched/kex.c
--- openssh-9.0p1/kex.c 2023-05-25 09:24:28.731868327 +0200 --- openssh-9.0p1/kex.c 2023-05-25 09:24:28.731868327 +0200
+++ openssh-9.0p1-patched/kex.c 2023-05-25 09:23:44.841379532 +0200 +++ openssh-9.0p1-patched/kex.c 2023-05-25 09:23:44.841379532 +0200
@@ -1623,3 +1623,47 @@ @@ -1623,3 +1623,142 @@
return r; return r;
} }
@ -137,6 +137,101 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ * Creates an EVP_PKEY from the given parameters and keys. + * Creates an EVP_PKEY from the given parameters and keys.
+ * The private key can be omitted. + * The private key can be omitted.
+ */ + */
+EVP_PKEY *
+sshkey_create_evp(OSSL_PARAM_BLD *param_bld, EVP_PKEY_CTX *ctx)
+{
+ EVP_PKEY *ret = NULL;
+ OSSL_PARAM *params = NULL;
+ if (param_bld == NULL || ctx == NULL) {
+ debug2_f("param_bld or ctx is NULL");
+ return NULL;
+ }
+ if ((params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
+ debug2_f("Could not build param list");
+ return NULL;
+ }
+ if (EVP_PKEY_fromdata_init(ctx) != 1 ||
+ EVP_PKEY_fromdata(ctx, &ret, EVP_PKEY_KEYPAIR, params) != 1) {
+ debug2_f("EVP_PKEY_fromdata failed");
+ OSSL_PARAM_free(params);
+ return NULL;
+ }
+ return ret;
+}
+
+int
+kex_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey)
+{
+ OSSL_PARAM_BLD *param_bld = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ BN_CTX *bn_ctx = NULL;
+ uint8_t *pub_ser = NULL;
+ const char *group_name;
+ const EC_POINT *pub = NULL;
+ const BIGNUM *priv = NULL;
+ int ret = 0;
+
+ if (k == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ||
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL ||
+ (bn_ctx = BN_CTX_new()) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ if ((group_name = OSSL_EC_curve_nid2name(ecdsa_nid)) == NULL ||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ OSSL_PKEY_PARAM_GROUP_NAME,
+ group_name,
+ strlen(group_name)) != 1) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if ((pub = EC_KEY_get0_public_key(k)) != NULL) {
+ const EC_GROUP *group;
+ size_t len;
+
+ group = EC_KEY_get0_group(k);
+ len = EC_POINT_point2oct(group, pub,
+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
+ if ((pub_ser = malloc(len)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ EC_POINT_point2oct(group,
+ pub,
+ POINT_CONVERSION_UNCOMPRESSED,
+ pub_ser,
+ len,
+ bn_ctx);
+ if (OSSL_PARAM_BLD_push_octet_string(param_bld,
+ OSSL_PKEY_PARAM_PUB_KEY,
+ pub_ser,
+ len) != 1) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ }
+ if ((priv = EC_KEY_get0_private_key(k)) != NULL &&
+ OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+
+out:
+ OSSL_PARAM_BLD_free(param_bld);
+ EVP_PKEY_CTX_free(ctx);
+ BN_CTX_free(bn_ctx);
+ free(pub_ser);
+ return ret;
+}
+
+int +int
+kex_create_evp_dh(EVP_PKEY **pkey, const BIGNUM *p, const BIGNUM *q, +kex_create_evp_dh(EVP_PKEY **pkey, const BIGNUM *p, const BIGNUM *q,
+ const BIGNUM *g, const BIGNUM *pub, const BIGNUM *priv) + const BIGNUM *g, const BIGNUM *pub, const BIGNUM *priv)
@ -281,12 +376,220 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
# include <openssl/ec.h> # include <openssl/ec.h>
# else /* OPENSSL_HAS_ECC */ # else /* OPENSSL_HAS_ECC */
@@ -283,6 +286,8 @@ @@ -283,6 +286,9@@
const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int) const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
+int kex_create_evp_dh(EVP_PKEY **, const BIGNUM *, const BIGNUM *, +int kex_create_evp_dh(EVP_PKEY **, const BIGNUM *, const BIGNUM *,
+ const BIGNUM *, const BIGNUM *, const BIGNUM *); + const BIGNUM *, const BIGNUM *, const BIGNUM *);
+int kex_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey);
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
void dump_digest(const char *, const u_char *, int); void dump_digest(const char *, const u_char *, int);
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../openssh-8.7p1/kexecdh.c ./kexecdh.c
--- ../openssh-8.7p1/kexecdh.c 2021-08-20 06:03:49.000000000 +0200
+++ ./kexecdh.c 2023-04-13 14:30:14.882449593 +0200
@@ -35,17 +35,57 @@
#include <signal.h>
#include <openssl/ecdh.h>
+#include <openssl/evp.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#include <openssl/err.h>
#include "sshkey.h"
#include "kex.h"
#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"
+#include "log.h"
static int
kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key,
const EC_GROUP *, struct sshbuf **);
+static EC_KEY *
+generate_ec_keys(int ec_nid)
+{
+ EC_KEY *client_key = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+ OSSL_PARAM *params = NULL;
+ const char *group_name;
+
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ||
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL)
+ goto out;
+ if ((group_name = OSSL_EC_curve_nid2name(ec_nid)) == NULL ||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 ||
+ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
+ error_f("Could not create OSSL_PARAM");
+ goto out;
+ }
+ if (EVP_PKEY_keygen_init(ctx) != 1 ||
+ EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
+ EVP_PKEY_generate(ctx, &pkey) != 1 ||
+ (client_key = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
+ error_f("Could not generate ec keys");
+ goto out;
+ }
+out:
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_CTX_free(ctx);
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_free(params);
+ return client_key;
+}
+
int
kex_ecdh_keypair(struct kex *kex)
{
@@ -55,11 +95,7 @@
struct sshbuf *buf = NULL;
int r;
- if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(client_key) != 1) {
+ if ((client_key = generate_ec_keys(kex->ec_nid)) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -101,11 +137,7 @@
*server_blobp = NULL;
*shared_secretp = NULL;
- if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(server_key) != 1) {
+ if ((server_key = generate_ec_keys(kex->ec_nid)) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -140,11 +172,21 @@
{
struct sshbuf *buf = NULL;
BIGNUM *shared_secret = NULL;
- EC_POINT *dh_pub = NULL;
- u_char *kbuf = NULL;
- size_t klen = 0;
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *pkey = NULL, *dh_pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+ OSSL_PARAM *params = NULL;
+ u_char *kbuf = NULL, *pub = NULL;
+ size_t klen = 0, publen;
+ const char *group_name;
int r;
+ /* import EC_KEY to EVP_PKEY */
+ if ((r = kex_create_evp_ec(key, kex->ec_nid, &pkey)) != 0) {
+ error_f("Could not create EVP_PKEY");
+ goto out;
+ }
+
*shared_secretp = NULL;
if ((buf = sshbuf_new()) == NULL) {
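Review bot: The `goto out` taken when `kex_create_evp_ec()` fails runs before `*shared_secretp = NULL;` and while `publen` is still uninitialized, because the declaration is `size_t klen = 0, publen;` and the cleanup in the next hunk calls `freezero(pub, publen)`. On that path the caller's output pointer is left untouched and an indeterminate length is passed to `freezero`; `pub` is NULL there, so the call is probably harmless in practice, but it is still a read of an indeterminate value. Declaring `size_t klen = 0, publen = 0;` and moving the `kex_create_evp_ec()` call below `*shared_secretp = NULL;` would keep the output pointer cleared on every error path, as the pre-patch code did. The function's signature is outside this hunk.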
@@ -153,45 +195,82 @@
}
if ((r = sshbuf_put_stringb(buf, ec_blob)) != 0)
goto out;
- if ((dh_pub = EC_POINT_new(group)) == NULL) {
+
+ /* the public key is in the buffer in octet string UNCOMPRESSED
+ * format. See sshbuf_put_ec */
+ if ((r = sshbuf_get_string(buf, &pub, &publen)) != 0)
+ goto out;
+ sshbuf_reset(buf);
+ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL ||
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) {
+ if ((group_name = OSSL_EC_curve_nid2name(kex->ec_nid)) == NULL) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if (OSSL_PARAM_BLD_push_octet_string(param_bld,
+ OSSL_PKEY_PARAM_PUB_KEY, pub, publen) != 1 ||
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 ||
+ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
+ error_f("Failed to set params for dh_pkey");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if (EVP_PKEY_fromdata_init(ctx) != 1 ||
+ EVP_PKEY_fromdata(ctx, &dh_pkey,
+ EVP_PKEY_PUBLIC_KEY, params) != 1 ||
+ EVP_PKEY_public_check(ctx) != 1) {
+ error_f("Peer public key import failed");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- sshbuf_reset(buf);
#ifdef DEBUG_KEXECDH
fputs("public key:\n", stderr);
- sshkey_dump_ec_point(group, dh_pub);
+ EVP_PKEY_print_public_fp(stderr, dh_pkey, 0, NULL);
#endif
- if (sshkey_ec_validate_public(group, dh_pub) != 0) {
- r = SSH_ERR_MESSAGE_INCOMPLETE;
+ EVP_PKEY_CTX_free(ctx);
+ ctx = NULL;
+ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL ||
+ EVP_PKEY_derive_init(ctx) != 1 ||
+ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 ||
+ EVP_PKEY_derive(ctx, NULL, &klen) != 1) {
+ error_f("Failed to get derive information");
+ r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
- klen = (EC_GROUP_get_degree(group) + 7) / 8;
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
+ if ((kbuf = malloc(klen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
- BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
+ if ((shared_secret = BN_new()) == NULL ||
+ (BN_bin2bn(kbuf, klen, shared_secret) == NULL)) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0)
goto out;
*shared_secretp = buf;
buf = NULL;
out:
- EC_POINT_clear_free(dh_pub);
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ EVP_PKEY_free(dh_pkey);
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_free(params);
BN_clear_free(shared_secret);
freezero(kbuf, klen);
+ freezero(pub, publen);
sshbuf_free(buf);
return r;
}
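Review bot: `EVP_PKEY_public_check(ctx)` is called on the context created from `pkey`, the local key, so it does not appear to validate the imported peer key `dh_pkey`, even though it stands in for the removed `sshkey_ec_validate_public(group, dh_pub)` call. `EVP_PKEY_fromdata()` and `EVP_PKEY_derive_set_peer()` may perform their own point checks depending on the OpenSSL version and provider, but that should be confirmed rather than relied on implicitly. An explicit check would create a context with `EVP_PKEY_CTX_new_from_pkey(NULL, dh_pkey, NULL)` and call `EVP_PKEY_public_check()` on it before `EVP_PKEY_derive_init()`. The function begins before this hunk.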

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -38,8 +38,8 @@
# rpm -ba|--rebuild --define "static_openssl 1" # rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
%global openssh_ver 9.8p1 %global openssh_ver 9.9p1
%global openssh_rel 6 %global openssh_rel 1
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -113,7 +113,7 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures # Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
# upstream MR: # upstream MR:
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
Patch800: openssh-8.0p1-gssapi-keyex.patch Patch800: openssh-9.6p1-gssapi-keyex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.6p1-force_krb.patch Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843) # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
@ -124,8 +124,6 @@ Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch804: openssh-7.7p1-gssapi-new-unique.patch Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krk5.conf (#1328243) # Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch Patch805: openssh-7.2p2-k5login_directory.patch
# Rewriting OpenSSH GSS KEX to use new packet API
Patch806: openssh-9.6p1-gsskex-new-api.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.6p1-kuserok.patch Patch901: openssh-6.6p1-kuserok.patch
@ -158,9 +156,6 @@ Patch953: openssh-7.8p1-scp-ipv6.patch
# Mention crypto-policies in manual pages (#1668325) # Mention crypto-policies in manual pages (#1668325)
# clarify rhbz#2068423 on the man page of ssh_config # clarify rhbz#2068423 on the man page of ssh_config
Patch962: openssh-8.0p1-crypto-policies.patch Patch962: openssh-8.0p1-crypto-policies.patch
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
# TODO fix the comment above ^
Patch963: openssh-9.3p1-merged-openssl-evp.patch
# Use OpenSSL KDF (#1631761) # Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch Patch964: openssh-8.0p1-openssl-kdf.patch
# sk-dummy.so built with -fvisibility=hidden does not work # sk-dummy.so built with -fvisibility=hidden does not work
@ -196,8 +191,7 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
# https://github.com/openssh/openssh-portable/pull/323 # https://github.com/openssh/openssh-portable/pull/323
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
Patch1012: openssh-9.0p1-evp-fips-dh.patch Patch1012: openssh-9.0p1-evp-fips-kex.patch
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
Patch1014: openssh-8.7p1-nohostsha1proof.patch Patch1014: openssh-8.7p1-nohostsha1proof.patch
Patch1015: openssh-9.6p1-pam-rhost.patch Patch1015: openssh-9.6p1-pam-rhost.patch
@ -332,7 +326,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 801 -p1 -b .force_krb %patch -P 801 -p1 -b .force_krb
%patch -P 804 -p1 -b .ccache_name %patch -P 804 -p1 -b .ccache_name
%patch -P 805 -p1 -b .k5login %patch -P 805 -p1 -b .k5login
%patch -P 806 -p1 -b .gsskex-new-api
# #
%patch -P 901 -p1 -b .kuserok %patch -P 901 -p1 -b .kuserok
%patch -P 906 -p1 -b .fromto-remote %patch -P 906 -p1 -b .fromto-remote
@ -349,7 +342,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 951 -p1 -b .pkcs11-uri %patch -P 951 -p1 -b .pkcs11-uri
%patch -P 953 -p1 -b .scp-ipv6 %patch -P 953 -p1 -b .scp-ipv6
%patch -P 962 -p1 -b .crypto-policies %patch -P 962 -p1 -b .crypto-policies
%patch -P 963 -p1 -b .openssl-evp
%patch -P 964 -p1 -b .openssl-kdf %patch -P 964 -p1 -b .openssl-kdf
%patch -P 965 -p1 -b .visibility %patch -P 965 -p1 -b .visibility
%patch -P 966 -p1 -b .x11-ipv6 %patch -P 966 -p1 -b .x11-ipv6
@ -373,7 +365,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 1006 -p1 -b .negotiate-supported-algs %patch -P 1006 -p1 -b .negotiate-supported-algs
%patch -P 1012 -p1 -b .evp-fips-dh %patch -P 1012 -p1 -b .evp-fips-dh
%patch -P 1013 -p1 -b .evp-fips-ecdh
%patch -P 1014 -p1 -b .nosha1hostproof %patch -P 1014 -p1 -b .nosha1hostproof
%patch -P 1015 -p1 -b .pam-rhost %patch -P 1015 -p1 -b .pam-rhost
@ -474,7 +465,7 @@ popd
%endif %endif
%check %check
%{SOURCE22} %{SOURCE23} # ./parallel_tests.sh parallel_tests.Makefile OPENSSL_CONF=/dev/null %{SOURCE22} %{SOURCE23} # ./parallel_tests.sh parallel_tests.Makefile
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -653,6 +644,10 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog %changelog
* Thu Oct 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-1
- Update to OpenSSH 9.9p1
Resolves: RHEL-60564
* Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6 * Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6
- rebuilt - rebuilt
Related: RHEL-59024 Related: RHEL-59024
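Review bot: The `%check` line appears to gain `OPENSSL_CONF=/dev/null` on its new side, with no comment in the spec explaining why. With that setting the regression tests run without the system OpenSSL configuration, so they presumably no longer exercise the crypto-policy or provider settings the installed binaries will use. A one-line comment such as `# run the test suite with an empty OpenSSL config; system crypto-policies are not exercised here` would record the intent. Separately, `%patch -P 1012 -p1 -b .evp-fips-dh` keeps the old backup suffix although Patch1012 is now `openssh-9.0p1-evp-fips-kex.patch`; `-b .evp-fips-kex` would match.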


@ -1,3 +1,3 @@
SHA512 (openssh-9.8p1.tar.gz) = 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a SHA512 (openssh-9.9p1.tar.gz) = 3cc0ed97f3e29ecbd882eca79239f02eb5a1606fce4f3119ddc3c5e86128aa3ff12dc85000879fccc87b60e7d651cfe37376607ac66075fede2118deaa685d6d
SHA512 (openssh-9.8p1.tar.gz.asc) = 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7 SHA512 (openssh-9.9p1.tar.gz.asc) = 916e975c54eb68c0b2f0b0006522b241cbe54c4caa88d31537a6278490c93d9d732c2ab3a080ac084bf75cbdd5402901ec68583cbe7c7cde4a8e40e7a8b78c28
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21