import openssh-8.0p1-10.el8

SOURCES/openssh-6.7p1-coverity.patch

@@ -1,25 +1,29 @@
-diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
---- openssh-7.4p1/channels.c.coverity	2016-12-23 16:40:26.881788686 +0100
-+++ openssh-7.4p1/channels.c	2016-12-23 16:42:36.244818763 +0100
-@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
- 
- 	/* enable nonblocking mode */
- 	if (nonblock) {
--		if (rfd != -1)
-+		if (rfd >= 0)
+diff -up openssh-8.0p1/channels.c.coverity openssh-8.0p1/channels.c
+--- openssh-8.0p1/channels.c.coverity	2021-06-21 10:59:17.297473319 +0200
++++ openssh-8.0p1/channels.c	2021-06-21 11:11:32.467290400 +0200
+@@ -341,15 +341,15 @@ channel_register_fds(struct ssh *ssh, Ch
+ 		 * restore their blocking state on exit to avoid interfering
+ 		 * with other programs that follow.
+ 		 */
+-		if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
++		if (rfd >= 0 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
+ 			c->restore_block |= CHANNEL_RESTORE_RFD;
  			set_nonblock(rfd);
--		if (wfd != -1)
-+		if (wfd >= 0)
+ 		}
+-		if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
++		if (wfd >= 0 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
+ 			c->restore_block |= CHANNEL_RESTORE_WFD;
  			set_nonblock(wfd);
--		if (efd != -1)
-+		if (efd >= 0)
+ 		}
+-		if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
++		if (efd >= 0 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
+ 			c->restore_block |= CHANNEL_RESTORE_EFD;
  			set_nonblock(efd);
- 	}
- }
-diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
---- openssh-7.4p1/monitor.c.coverity	2016-12-23 16:40:26.888788688 +0100
-+++ openssh-7.4p1/monitor.c	2016-12-23 16:40:26.900788691 +0100
-@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
+ 		}
+diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
+--- openssh-8.0p1/monitor.c.coverity	2021-06-21 10:59:17.282473202 +0200
++++ openssh-8.0p1/monitor.c	2021-06-21 10:59:17.297473319 +0200
+@@ -401,7 +401,7 @@ monitor_child_preauth(struct ssh *ssh, s
  	mm_get_keystate(ssh, pmonitor);
  
  	/* Drain any buffered messages from the child */

SOURCES/openssh-7.7p1-fips.patch

@@ -296,17 +296,17 @@ diff -up openssh-7.9p1/sshconnect2.c.fips openssh-7.9p1/sshconnect2.c
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -117,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
- 	for (i = 0; i < options.num_system_hostfiles; i++)
- 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- 
+@@ -148,7 +150,8 @@ order_hostkeyalgs(char *host, struct soc
+ 	 * Otherwise, prefer the host key algorithms that match known keys
+ 	 * while keeping the ordering of HostkeyAlgorithms as much as possible.
+ 	 */
 -	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
 +	oavail = avail = xstrdup((FIPS_mode()
 +	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
  	maxlen = strlen(avail) + 1;
  	first = xmalloc(maxlen);
  	last = xmalloc(maxlen);
-@@ -185,14 +185,16 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -229,14 +232,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
  	if (options.hostkeyalgorithms != NULL) {
  		all_key = sshkey_alg_list(0, 0, 1, ',');
  		if (kex_assemble_names(&options.hostkeyalgorithms,

SOURCES/openssh-7.8p1-role-mls.patch

@@ -284,7 +284,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  		fail++;
  	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
  		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-+	if ((s = strchr(p, '/')) != NULL)
++	if ((s = strchr(cp, '/')) != NULL)
 +		*s = '\0';
  	xasprintf(&userstyle, "%s%s%s", authctxt->user,
  	    authctxt->style ? ":" : "",

SOURCES/openssh-7.9p1-ssh-copy-id.patch

@@ -11,6 +11,17 @@ diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh
    # implement something like getopt to avoid Solaris pain
    case "$1" in
      -i?*|-o?*|-p?*)
+@@ -185,8 +185,8 @@
+   usage
+ fi
+ 
+-# drop trailing colon
+-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
++# don't drop trailing colon because it can be a valid ipv6 address
++USER_HOST=$(printf "%s\n" "$1")
+ # tack the hostname onto SSH_OPTS
+ SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
+ # and populate "$@" for later use (only way to get proper quoting of options)
 @@ -261,7 +262,7 @@ populate_new_ids() {
    fi
    if [ -z "$NEW_IDS" ] ; then

SOURCES/openssh-8.0p1-cve-2020-14145.patch

@@ -0,0 +1,127 @@
+diff -up openssh-8.0p1/hostfile.c.cve-2020-14145 openssh-8.0p1/hostfile.c
+--- openssh-8.0p1/hostfile.c.cve-2020-14145	2019-04-18 00:52:57.000000000 +0200
++++ openssh-8.0p1/hostfile.c	2021-05-17 16:53:38.694577251 +0200
+@@ -409,6 +409,18 @@ lookup_key_in_hostkeys_by_type(struct ho
+ 	    found) == HOST_FOUND);
+ }
+ 
++int
++lookup_marker_in_hostkeys(struct hostkeys *hostkeys, int want_marker)
++{
++	u_int i;
++
++	for (i = 0; i < hostkeys->num_entries; i++) {
++		if (hostkeys->entries[i].marker == (HostkeyMarker)want_marker)
++			return 1;
++	}
++	return 0;
++}
++
+ static int
+ write_host_entry(FILE *f, const char *host, const char *ip,
+     const struct sshkey *key, int store_hash)
+diff -up openssh-8.0p1/hostfile.h.cve-2020-14145 openssh-8.0p1/hostfile.h
+--- openssh-8.0p1/hostfile.h.cve-2020-14145	2019-04-18 00:52:57.000000000 +0200
++++ openssh-8.0p1/hostfile.h	2021-05-17 16:53:38.694577251 +0200
+@@ -39,6 +39,7 @@ HostStatus check_key_in_hostkeys(struct
+     const struct hostkey_entry **);
+ int	 lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
+     const struct hostkey_entry **);
++int	 lookup_marker_in_hostkeys(struct hostkeys *, int);
+ 
+ int	 hostfile_read_key(char **, u_int *, struct sshkey *);
+ int	 add_host_to_hostfile(const char *, const char *,
+diff -up openssh-8.0p1/sshconnect2.c.cve-2020-14145 openssh-8.0p1/sshconnect2.c
+--- openssh-8.0p1/sshconnect2.c.cve-2020-14145	2021-05-17 16:53:38.610576561 +0200
++++ openssh-8.0p1/sshconnect2.c	2021-05-17 16:54:58.169230103 +0200
+@@ -98,12 +98,25 @@ verify_host_key_callback(struct sshkey *
+ 	return 0;
+ }
+ 
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++	char *ret, *cp;
++
++	ret = xstrdup(algs);
++	if ((cp = strchr(ret, ',')) != NULL)
++		*cp = '\0';
++	return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+-	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++	char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++	char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+ 	size_t maxlen;
+-	struct hostkeys *hostkeys;
++	struct hostkeys *hostkeys = NULL;
+ 	int ktype;
+ 	u_int i;
+ 
+@@ -115,6 +128,26 @@ order_hostkeyalgs(char *host, struct soc
+ 	for (i = 0; i < options.num_system_hostfiles; i++)
+ 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
++	/*
++	 * If a plain public key exists that matches the type of the best
++	 * preference HostkeyAlgorithms, then use the whole list as is.
++	 * Note that we ignore whether the best preference algorithm is a
++	 * certificate type, as sshconnect.c will downgrade certs to
++	 * plain keys if necessary.
++	 */
++	best = first_alg(options.hostkeyalgorithms);
++	if (lookup_key_in_hostkeys_by_type(hostkeys,
++	    sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++		debug3("%s: have matching best-preference key type %s, "
++		    "using HostkeyAlgorithms verbatim", __func__, best);
++		ret = xstrdup(options.hostkeyalgorithms);
++		goto out;
++	}
++
++	/*
++	 * Otherwise, prefer the host key algorithms that match known keys
++	 * while keeping the ordering of HostkeyAlgorithms as much as possible.
++	 */
+ 	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ 	maxlen = strlen(avail) + 1;
+ 	first = xmalloc(maxlen);
+@@ -131,11 +164,23 @@ order_hostkeyalgs(char *host, struct soc
+ 	while ((alg = strsep(&avail, ",")) && *alg != '\0') {
+ 		if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
+ 			fatal("%s: unknown alg %s", __func__, alg);
++		/*
++		 * If we have a @cert-authority marker in known_hosts then
++		 * prefer all certificate algorithms.
++		 */
++		if (sshkey_type_is_cert(ktype) &&
++		    lookup_marker_in_hostkeys(hostkeys, MRK_CA)) {
++			ALG_APPEND(first, alg);
++			continue;
++		}
++		/* If the key appears in known_hosts then prefer it */
+ 		if (lookup_key_in_hostkeys_by_type(hostkeys,
+-		    sshkey_type_plain(ktype), NULL))
++		    sshkey_type_plain(ktype), NULL)) {
+ 			ALG_APPEND(first, alg);
+-		else
+-			ALG_APPEND(last, alg);
++			continue;
++		}
++		/* Otherwise, put it last */
++		ALG_APPEND(last, alg);
+ 	}
+ #undef ALG_APPEND
+ 	xasprintf(&ret, "%s%s%s", first,
+@@ -143,6 +188,8 @@ order_hostkeyalgs(char *host, struct soc
+ 	if (*first != '\0')
+ 		debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ 
++ out:
++	free(best);
+ 	free(first);
+ 	free(last);
+ 	free(hostname);

SOURCES/openssh-8.0p1-keygen-strip-doseol.patch

@@ -0,0 +1,12 @@
+diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
+--- openssh-8.0p1/ssh-keygen.c.strip-doseol	2021-03-18 17:41:34.472404994 +0100
++++ openssh-8.0p1/ssh-keygen.c	2021-03-18 17:41:55.255538761 +0100
+@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
+ 	while (getline(&line, &linesize, f) != -1) {
+ 		lnum++;
+ 		cp = line;
+-		cp[strcspn(cp, "\n")] = '\0';
++		cp[strcspn(cp, "\r\n")] = '\0';
+ 		/* Trim leading space and comments */
+ 		cp = line + strspn(line, " \t");
+ 		if (*cp == '#' || *cp == '\0')

SOURCES/openssh-8.0p1-pkcs11-uri.patch

@@ -1167,7 +1167,7 @@ new file mode 100644
 index 00000000..e1a7b4e0
 --- /dev/null
 +++ b/ssh-pkcs11-uri.c
-@@ -0,0 +1,421 @@
+@@ -0,0 +1,425 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -1419,6 +1419,10 @@ index 00000000..e1a7b4e0
 +void
 +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
 +{
++	if (pkcs11 == NULL) {
++		return;
++	}
++
 +	free(pkcs11->id);
 +	free(pkcs11->module_path);
 +	free(pkcs11->token);
@@ -2677,6 +2681,9 @@ index 70f06bff..59332945 100644
 +	}
 +
 +	provider_uri = pkcs11_uri_get(uri);
++	if (pin == NULL && uri->pin != NULL) {
++		pin = uri->pin;
++	}
 +	nkeys = 0;
 +	for (i = 0; i < p->module->nslots; i++) {
 +		token = &p->module->slotinfo[i].token;
@@ -2712,9 +2719,6 @@ index 70f06bff..59332945 100644
 +		    provider_uri, (unsigned long)i,
  		    token->label, token->manufacturerID, token->model,
  		    token->serialNumber, token->flags);
-+		if (pin == NULL && uri->pin != NULL) {
-+			pin = uri->pin;
-+		}
  		/*
 -		 * open session, login with pin and retrieve public
 -		 * keys (if keyp is provided)
@@ -2741,8 +2745,8 @@ index 70f06bff..59332945 100644
 +				uri->object = label;
 +			}
  		}
-+		pin = NULL; /* Will be cleaned up with URI */
  	}
++	pin = NULL; /* Will be cleaned up with URI */
  
  	/* now owned by caller */
  	*providerp = p;

SOURCES/openssh-8.0p1-preserve-pam-errors.patch

@@ -0,0 +1,44 @@
+diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
+--- openssh-8.0p1/auth-pam.c.preserve-pam-errors	2021-03-31 17:03:15.618592347 +0200
++++ openssh-8.0p1/auth-pam.c	2021-03-31 17:06:58.115220014 +0200
+@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
+ 		goto auth_fail;
+ 
+ 	if (!do_pam_account()) {
+-		sshpam_err = PAM_ACCT_EXPIRED;
++		/* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
++		 * Backward compatibility for other errors. */
++		if (sshpam_err != PAM_PERM_DENIED
++			&& sshpam_err != PAM_USER_UNKNOWN)
++			sshpam_err = PAM_ACCT_EXPIRED;
+ 		goto auth_fail;
+ 	}
+ 	if (sshpam_authctxt->force_pwchange) {
+@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
+ 	    pam_strerror(sshpam_handle, sshpam_err))) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 	/* XXX - can't do much about an error here */
+-	if (sshpam_err == PAM_ACCT_EXPIRED)
+-		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
++	if (sshpam_err == PAM_PERM_DENIED
++		|| sshpam_err == PAM_USER_UNKNOWN
++		|| sshpam_err == PAM_ACCT_EXPIRED)
++		ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
+ 	else if (sshpam_maxtries_reached)
+ 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
+ 	else
+@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
+ 			plen++;
+ 			free(msg);
+ 			break;
++		case PAM_USER_UNKNOWN:
++		case PAM_PERM_DENIED:
+ 		case PAM_ACCT_EXPIRED:
++			sshpam_account_status = 0;
++			/* FALLTHROUGH */
+ 		case PAM_MAXTRIES:
+-			if (type == PAM_ACCT_EXPIRED)
+-				sshpam_account_status = 0;
+ 			if (type == PAM_MAXTRIES)
+ 				sshpam_set_maxtries_reached(1);
+ 			/* FALLTHROUGH */

SOURCES/openssh-8.0p1-restore-nonblock.patch

@@ -0,0 +1,311 @@
+diff -up openssh-8.0p1/channels.c.restore-nonblock openssh-8.0p1/channels.c
+--- openssh-8.0p1/channels.c.restore-nonblock	2021-06-21 10:44:26.380559612 +0200
++++ openssh-8.0p1/channels.c	2021-06-21 10:48:47.754579151 +0200
+@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Ch
+ #endif
+ 
+ 	/* enable nonblocking mode */
+-	if (nonblock) {
++	c->restore_block = 0;
++	if (nonblock == CHANNEL_NONBLOCK_STDIO) {
++		/*
++		 * Special handling for stdio file descriptors: do not set
++		 * non-blocking mode if they are TTYs. Otherwise prepare to
++		 * restore their blocking state on exit to avoid interfering
++		 * with other programs that follow.
++		 */
++		if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
++			c->restore_block |= CHANNEL_RESTORE_RFD;
++			set_nonblock(rfd);
++		}
++		if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
++			c->restore_block |= CHANNEL_RESTORE_WFD;
++			set_nonblock(wfd);
++		}
++		if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
++			c->restore_block |= CHANNEL_RESTORE_EFD;
++			set_nonblock(efd);
++		}
++	} else if (nonblock) {
+ 		if (rfd != -1)
+ 			set_nonblock(rfd);
+ 		if (wfd != -1)
+@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *
+ }
+ 
+ int
+-channel_close_fd(struct ssh *ssh, int *fdp)
++channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
+ {
+ 	struct ssh_channels *sc = ssh->chanctxt;
+-	int ret = 0, fd = *fdp;
++	int ret, fd = *fdp;
+ 
+-	if (fd != -1) {
+-		ret = close(fd);
+-		*fdp = -1;
+-		if (fd == sc->channel_max_fd)
+-			channel_find_maxfd(sc);
+-	}
++	if (fd == -1)
++		return 0;
++
++	if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
++	   (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
++	   (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
++		(void)fcntl(*fdp, F_SETFL, 0);	/* restore blocking */
++
++	ret = close(fd);
++	*fdp = -1;
++	if (fd == sc->channel_max_fd)
++		channel_find_maxfd(sc);
+ 	return ret;
+ }
+ 
+@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Chann
+ {
+ 	int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
+ 
+-	channel_close_fd(ssh, &c->sock);
++	channel_close_fd(ssh, c, &c->sock);
+ 	if (rfd != sock)
+-		channel_close_fd(ssh, &c->rfd);
++		channel_close_fd(ssh, c, &c->rfd);
+ 	if (wfd != sock && wfd != rfd)
+-		channel_close_fd(ssh, &c->wfd);
++		channel_close_fd(ssh, c, &c->wfd);
+ 	if (efd != sock && efd != rfd && efd != wfd)
+-		channel_close_fd(ssh, &c->efd);
++		channel_close_fd(ssh, c, &c->efd);
+ }
+ 
+ static void
+@@ -681,7 +707,7 @@ channel_stop_listening(struct ssh *ssh)
+ 			case SSH_CHANNEL_X11_LISTENER:
+ 			case SSH_CHANNEL_UNIX_LISTENER:
+ 			case SSH_CHANNEL_RUNIX_LISTENER:
+-				channel_close_fd(ssh, &c->sock);
++				channel_close_fd(ssh, c, &c->sock);
+ 				channel_free(ssh, c);
+ 				break;
+ 			}
+@@ -1487,7 +1513,8 @@ channel_decode_socks5(Channel *c, struct
+ 
+ Channel *
+ channel_connect_stdio_fwd(struct ssh *ssh,
+-    const char *host_to_connect, u_short port_to_connect, int in, int out)
++    const char *host_to_connect, u_short port_to_connect,
++    int in, int out, int nonblock)
+ {
+ 	Channel *c;
+ 
+@@ -1495,7 +1522,7 @@ channel_connect_stdio_fwd(struct ssh *ss
+ 
+ 	c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
+ 	    -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+-	    0, "stdio-forward", /*nonblock*/0);
++	    0, "stdio-forward", nonblock);
+ 
+ 	c->path = xstrdup(host_to_connect);
+ 	c->host_port = port_to_connect;
+@@ -1650,7 +1677,7 @@ channel_post_x11_listener(struct ssh *ss
+ 	if (c->single_connection) {
+ 		oerrno = errno;
+ 		debug2("single_connection: closing X11 listener.");
+-		channel_close_fd(ssh, &c->sock);
++		channel_close_fd(ssh, c, &c->sock);
+ 		chan_mark_dead(ssh, c);
+ 		errno = oerrno;
+ 	}
+@@ -2087,7 +2114,7 @@ channel_handle_efd_write(struct ssh *ssh
+ 		return 1;
+ 	if (len <= 0) {
+ 		debug2("channel %d: closing write-efd %d", c->self, c->efd);
+-		channel_close_fd(ssh, &c->efd);
++		channel_close_fd(ssh, c, &c->efd);
+ 	} else {
+ 		if ((r = sshbuf_consume(c->extended, len)) != 0) {
+ 			fatal("%s: channel %d: consume: %s",
+@@ -2119,7 +2146,7 @@ channel_handle_efd_read(struct ssh *ssh,
+ 	if (len <= 0) {
+ 		debug2("channel %d: closing read-efd %d",
+ 		    c->self, c->efd);
+-		channel_close_fd(ssh, &c->efd);
++		channel_close_fd(ssh, c, &c->efd);
+ 	} else {
+ 		if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
+ 			debug3("channel %d: discard efd",
+diff -up openssh-8.0p1/channels.h.restore-nonblock openssh-8.0p1/channels.h
+--- openssh-8.0p1/channels.h.restore-nonblock	2021-06-21 10:44:26.380559612 +0200
++++ openssh-8.0p1/channels.h	2021-06-21 10:44:26.387559665 +0200
+@@ -63,6 +63,16 @@
+ 
+ #define CHANNEL_CANCEL_PORT_STATIC	-1
+ 
++/* nonblocking flags for channel_new */
++#define CHANNEL_NONBLOCK_LEAVE	0 /* don't modify non-blocking state */
++#define CHANNEL_NONBLOCK_SET	1 /* set non-blocking state */
++#define CHANNEL_NONBLOCK_STDIO	2 /* set non-blocking and restore on close */
++
++/* c->restore_block mask flags */
++#define CHANNEL_RESTORE_RFD	0x01
++#define CHANNEL_RESTORE_WFD	0x02
++#define CHANNEL_RESTORE_EFD	0x04
++
+ /* TCP forwarding */
+ #define FORWARD_DENY		0
+ #define FORWARD_REMOTE		(1)
+@@ -131,6 +141,7 @@ struct Channel {
+ 				 * to a matching pre-select handler.
+ 				 * this way post-select handlers are not
+ 				 * accidentally called if a FD gets reused */
++	int	restore_block;	/* fd mask to restore blocking status */
+ 	struct sshbuf *input;	/* data read from socket, to be sent over
+ 				 * encrypted connection */
+ 	struct sshbuf *output;	/* data received over encrypted connection for
+@@ -258,7 +269,7 @@ void	 channel_register_filter(struct ssh
+ void	 channel_register_status_confirm(struct ssh *, int,
+ 	    channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
+ void	 channel_cancel_cleanup(struct ssh *, int);
+-int	 channel_close_fd(struct ssh *, int *);
++int	 channel_close_fd(struct ssh *, Channel *, int *);
+ void	 channel_send_window_changes(struct ssh *);
+ 
+ /* mux proxy support */
+@@ -305,7 +316,7 @@ Channel	*channel_connect_to_port(struct
+ 	    char *, char *, int *, const char **);
+ Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
+ Channel	*channel_connect_stdio_fwd(struct ssh *, const char*,
+-	    u_short, int, int);
++	    u_short, int, int, int);
+ Channel	*channel_connect_by_listen_address(struct ssh *, const char *,
+ 	    u_short, char *, char *);
+ Channel	*channel_connect_by_listen_path(struct ssh *, const char *,
+diff -up openssh-8.0p1/clientloop.c.restore-nonblock openssh-8.0p1/clientloop.c
+--- openssh-8.0p1/clientloop.c.restore-nonblock	2021-06-21 10:44:26.290558923 +0200
++++ openssh-8.0p1/clientloop.c	2021-06-21 10:44:26.387559665 +0200
+@@ -1436,14 +1436,6 @@ client_loop(struct ssh *ssh, int have_pt
+ 	if (have_pty)
+ 		leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
+ 
+-	/* restore blocking io */
+-	if (!isatty(fileno(stdin)))
+-		unset_nonblock(fileno(stdin));
+-	if (!isatty(fileno(stdout)))
+-		unset_nonblock(fileno(stdout));
+-	if (!isatty(fileno(stderr)))
+-		unset_nonblock(fileno(stderr));
+-
+ 	/*
+ 	 * If there was no shell or command requested, there will be no remote
+ 	 * exit status to be returned.  In that case, clear error code if the
+diff -up openssh-8.0p1/mux.c.restore-nonblock openssh-8.0p1/mux.c
+--- openssh-8.0p1/mux.c.restore-nonblock	2019-04-18 00:52:57.000000000 +0200
++++ openssh-8.0p1/mux.c	2021-06-21 10:50:51.007537336 +0200
+@@ -454,14 +454,6 @@ mux_master_process_new_session(struct ss
+ 	if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
+ 		error("%s: tcgetattr: %s", __func__, strerror(errno));
+ 
+-	/* enable nonblocking unless tty */
+-	if (!isatty(new_fd[0]))
+-		set_nonblock(new_fd[0]);
+-	if (!isatty(new_fd[1]))
+-		set_nonblock(new_fd[1]);
+-	if (!isatty(new_fd[2]))
+-		set_nonblock(new_fd[2]);
+-
+ 	window = CHAN_SES_WINDOW_DEFAULT;
+ 	packetmax = CHAN_SES_PACKET_DEFAULT;
+ 	if (cctx->want_tty) {
+@@ -471,7 +463,7 @@ mux_master_process_new_session(struct ss
+ 
+ 	nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
+ 	    new_fd[0], new_fd[1], new_fd[2], window, packetmax,
+-	    CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
++	    CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
+ 
+ 	nc->ctl_chan = c->self;		/* link session -> control channel */
+ 	c->remote_id = nc->self; 	/* link control -> session channel */
+@@ -1033,13 +1025,8 @@ mux_master_process_stdio_fwd(struct ssh
+ 		}
+ 	}
+ 
+-	/* enable nonblocking unless tty */
+-	if (!isatty(new_fd[0]))
+-		set_nonblock(new_fd[0]);
+-	if (!isatty(new_fd[1]))
+-		set_nonblock(new_fd[1]);
+-
+-	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
++	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
++	    CHANNEL_NONBLOCK_STDIO);
+ 	free(chost);
+ 
+ 	nc->ctl_chan = c->self;		/* link session -> control channel */
+diff -up openssh-8.0p1/nchan.c.restore-nonblock openssh-8.0p1/nchan.c
+--- openssh-8.0p1/nchan.c.restore-nonblock	2021-06-21 10:44:26.388559673 +0200
++++ openssh-8.0p1/nchan.c	2021-06-21 10:52:42.685405537 +0200
+@@ -387,7 +387,7 @@ chan_shutdown_write(struct ssh *ssh, Cha
+ 			    strerror(errno));
+ 		}
+ 	} else {
+-		if (channel_close_fd(ssh, &c->wfd) < 0) {
++		if (channel_close_fd(ssh, c, &c->wfd) < 0) {
+ 			logit("channel %d: %s: close() failed for "
+ 			    "fd %d [i%d o%d]: %.100s",
+ 			    c->self, __func__, c->wfd, c->istate, c->ostate,
+@@ -417,7 +417,7 @@ chan_shutdown_read(struct ssh *ssh, Chan
+  			    strerror(errno));
+ 		}
+ 	} else {
+-		if (channel_close_fd(ssh, &c->rfd) < 0) {
++		if (channel_close_fd(ssh, c, &c->rfd) < 0) {
+ 			logit("channel %d: %s: close() failed for "
+ 			    "fd %d [i%d o%d]: %.100s",
+ 			    c->self, __func__, c->rfd, c->istate, c->ostate,
+@@ -437,7 +437,7 @@ chan_shutdown_extended_read(struct ssh *
+ 	debug2("channel %d: %s (i%d o%d sock %d wfd %d efd %d [%s])",
+ 	    c->self, __func__, c->istate, c->ostate, c->sock, c->rfd, c->efd,
+ 	    channel_format_extended_usage(c));
+-	if (channel_close_fd(ssh, &c->efd) < 0) {
++	if (channel_close_fd(ssh, c, &c->efd) < 0) {
+ 		logit("channel %d: %s: close() failed for "
+ 		    "extended fd %d [i%d o%d]: %.100s",
+ 		    c->self, __func__, c->efd, c->istate, c->ostate,
+diff -up openssh-8.0p1/ssh.c.restore-nonblock openssh-8.0p1/ssh.c
+--- openssh-8.0p1/ssh.c.restore-nonblock	2021-06-21 10:44:26.389559681 +0200
++++ openssh-8.0p1/ssh.c	2021-06-21 10:54:47.651377045 +0200
+@@ -1709,7 +1709,8 @@ ssh_init_stdio_forwarding(struct ssh *ss
+ 	    (out = dup(STDOUT_FILENO)) < 0)
+ 		fatal("channel_connect_stdio_fwd: dup() in/out failed");
+ 	if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
+-	    options.stdio_forward_port, in, out)) == NULL)
++	    options.stdio_forward_port, in, out,
++	    CHANNEL_NONBLOCK_STDIO)) == NULL)
+ 		fatal("%s: channel_connect_stdio_fwd failed", __func__);
+ 	channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
+ 	channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
+@@ -1862,14 +1863,6 @@ ssh_session2_open(struct ssh *ssh)
+ 	if (in < 0 || out < 0 || err < 0)
+ 		fatal("dup() in/out/err failed");
+ 
+-	/* enable nonblocking unless tty */
+-	if (!isatty(in))
+-		set_nonblock(in);
+-	if (!isatty(out))
+-		set_nonblock(out);
+-	if (!isatty(err))
+-		set_nonblock(err);
+-
+ 	window = CHAN_SES_WINDOW_DEFAULT;
+ 	packetmax = CHAN_SES_PACKET_DEFAULT;
+ 	if (tty_flag) {
+@@ -1879,7 +1872,7 @@ ssh_session2_open(struct ssh *ssh)
+ 	c = channel_new(ssh,
+ 	    "session", SSH_CHANNEL_OPENING, in, out, err,
+ 	    window, packetmax, CHAN_EXTENDED_WRITE,
+-	    "client-session", /*nonblock*/0);
++	    "client-session", CHANNEL_NONBLOCK_STDIO);
+ 
+ 	debug3("%s: channel_new: %d", __func__, c->self);
+ 

SOURCES/openssh-8.0p1-sftp-timespeccmp.patch

@@ -0,0 +1,16 @@
+diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c
+--- openssh-8.0p1/sftp.c.original	2020-12-22 17:05:02.105698989 +0900
++++ openssh-8.0p1/sftp.c	2020-12-22 17:05:42.922035780 +0900
+@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b
+ 		return (rmul * strcmp(ap, bp));
+ 	else if (sort_flag & LS_TIME_SORT) {
+ #if defined(HAVE_STRUCT_STAT_ST_MTIM)
+-		return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <));
++		if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){
++			return rmul;
++		} else {
++			return -rmul;
++		}
+ #elif defined(HAVE_STRUCT_STAT_ST_MTIME)
+ 		return (rmul * NCMP(as->st_mtime, bs->st_mtime));
+ #else

SOURCES/openssh-8.0p1-sshd_config.patch

@@ -0,0 +1,97 @@
+diff --git a/servconf.c b/servconf.c
+index ffac5d2c..340045b2 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1042,7 +1042,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 			return -1;
+ 		}
+ 		if (strcasecmp(attrib, "user") == 0) {
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->user == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1054,7 +1054,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 				debug("user %.100s matched 'User %.100s' at "
+ 				    "line %d", ci->user, arg, line);
+ 		} else if (strcasecmp(attrib, "group") == 0) {
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->user == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 				result = 0;
+ 			}
+ 		} else if (strcasecmp(attrib, "host") == 0) {
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->host == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1079,7 +1079,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 				debug("connection from %.100s matched 'Host "
+ 				    "%.100s' at line %d", ci->host, arg, line);
+ 		} else if (strcasecmp(attrib, "address") == 0) {
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->address == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1098,7 +1098,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 				return -1;
+ 			}
+ 		} else if (strcasecmp(attrib, "localaddress") == 0){
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1124,7 +1124,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 				    arg);
+ 				return -1;
+ 			}
+-			if (ci == NULL) {
++			if (ci == NULL || (ci->test && ci->lport == -1)) {
+ 				result = 0;
+ 				continue;
+ 			}
+@@ -1138,10 +1138,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
+ 			else
+ 				result = 0;
+ 		} else if (strcasecmp(attrib, "rdomain") == 0) {
+-			if (ci == NULL || ci->rdomain == NULL) {
++			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
+ 				result = 0;
+ 				continue;
+ 			}
++			if (ci->rdomain == NULL)
++				match_test_missing_fatal("RDomain", "rdomain");
+ 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
+ 				result = 0;
+ 			else
+diff --git a/servconf.h b/servconf.h
+index 54e0a8d8..5483da05 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -221,6 +221,8 @@ struct connection_info {
+ 	const char *laddress;	/* local address */
+ 	int lport;		/* local port */
+ 	const char *rdomain;	/* routing domain if available */
++	int test;		/* test mode, allow some attributes to be
++				 * unspecified */
+ };
+ 
+ 
+diff --git a/sshd.c b/sshd.c
+index cbd3bce9..1fcde502 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1843,6 +1843,7 @@ main(int ac, char **av)
+ 		 */
+ 		if (connection_info == NULL)
+ 			connection_info = get_connection_info(ssh, 0, 0);
++		connection_info->test = 1;
+ 		parse_server_match_config(&options, connection_info);
+ 		dump_config(&options);
+ 	}

SPECS/openssh.spec

@@ -66,14 +66,14 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 6
+%global openssh_rel 10
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -232,6 +232,19 @@ Patch970: openssh-8.0p1-rdomain.patch
 Patch971: openssh-8.0p1-x11-without-ipv6.patch
 # Client window fix (#1913041)
 Patch972: openssh-8.0p1-channel-limits.patch
+# SFTP sort upon the modification time (#1909988)
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3248
+Patch973: openssh-8.0p1-sftp-timespeccmp.patch
+# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
+Patch974: openssh-8.0p1-keygen-strip-doseol.patch
+# sshd provides PAM an incorrect error code (#1879503)
+Patch975: openssh-8.0p1-preserve-pam-errors.patch
+# ssh incorrectly restores the blocking mode on standard output (#1942901)
+Patch976: openssh-8.0p1-restore-nonblock.patch
+# CVE 2020-14145
+Patch977: openssh-8.0p1-cve-2020-14145.patch
+# sshd -T requires -C when "Match" is used in sshd_config (#1836277)
+Patch978: openssh-8.0p1-sshd_config.patch
 
 License: BSD
 Group: Applications/Internet
@@ -324,7 +337,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.1
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -451,6 +464,12 @@ popd
 %patch970 -p1 -b .rdomain
 %patch971 -p1 -b .x11-ipv6
 %patch972 -p1 -b .channel-limits
+%patch973 -p1 -b .sftp-timespeccmp
+%patch974 -p1 -b .keygen-strip-doseol
+%patch975 -p1 -b .preserve-pam-errors
+%patch976 -p1 -b .restore-nonblock
+%patch977 -p1 -b .cve-2020-14145
+%patch978 -p1 -b .sshd_config
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -742,14 +761,27 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
-* Wed Apr 14 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6.2 + 0.10.3-7.1
-- rebuilt
+* Mon Jun 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-10
+- sshd -T requires -C when "Match" is used in sshd_config (#1836277)
 
-* Wed Apr 14 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6.1 + 0.10.3-7
-- rebuilt
+* Wed Jun 02 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-9
+- CVE-2020-14145 openssh: Observable Discrepancy leading to an information
+  leak in the algorithm negotiation (#1882252)
+- Hostbased ssh authentication fails if session ID contains a '/' (#1944125)
 
-* Tue Mar 16 2021 Dmitry Belyavskiy - 8.0p1-6 + 0.10.3-7
-- Openssh client window fix (#1942364)
+* Mon Apr 26 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-8
+- ssh doesn't restore the blocking mode on standard output (#1942901)
+
+* Fri Apr 09 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-7 + 0.10.3-7
+- SFTP sort upon the modification time (#1909988)
+- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
+- PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372)
+- ssh-agent segfaults during ssh-add -s pkcs11 (#1868996)
+- ssh-copy-id could not resolve ipv6 address ends with colon (#1933517)
+- sshd provides PAM an incorrect error code (#1879503)
+
+* Tue Mar 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6 + 0.10.3-7
+- Openssh client window fix (#1913041)
 
 * Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
 - Do not print "no slots" warning by default (#1744220)