From 303ff5b834e23e2da14f263602aef070299e9ceb Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 16 Aug 2024 13:23:18 +0200
Subject: [PATCH] Remove obsoleted patches

Related: RHEL-42635
---
openssh-9.3p1-openssl-compat.patch | 40 ------
openssh-9.3p1-upstream-cve-2023-38408.patch | 130 --------------------
openssh.spec | 2 +
3 files changed, 2 insertions(+), 170 deletions(-)
delete mode 100644 openssh-9.3p1-openssl-compat.patch
delete mode 100644 openssh-9.3p1-upstream-cve-2023-38408.patch

diff --git a/openssh-9.3p1-openssl-compat.patch b/openssh-9.3p1-openssl-compat.patch
deleted file mode 100644
index cf512ef..0000000
--- a/openssh-9.3p1-openssl-compat.patch
+++ /dev/null
@@ -1,40 +0,0 @@ ---- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100 -+++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200 -@@ -33,10 +33,10 @@ - - /* - * OpenSSL version numbers: MNNFFPPS: major minor fix patch status -- * We match major, minor, fix and status (not patch) for <1.0.0. -- * After that, we acceptable compatible fix versions (so we -- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed -- * within a patch series. -+ * Versions >=3 require only major versions to match. -+ * For versions <3, we accept compatible fix versions (so we allow 1.0.1 -+ * to work with 1.0.0). Going backwards is only allowed within a patch series. -+ * See https://www.openssl.org/policies/releasestrat.html - */ - - int -@@ -48,15 +48,17 @@ - if (headerver == libver) - return 1; - -- /* for versions < 1.0.0, major,minor,fix,status must match */ -- if (headerver < 0x1000000f) { -- mask = 0xfffff00fL; /* major,minor,fix,status */ -+ /* -+ * For versions >= 3.0, only the major and status must match. -+ */ -+ if (headerver >= 0x3000000f) { -+ mask = 0xf000000fL; /* major,status */ - return (headerver & mask) == (libver & mask); - } - - /* -- * For versions >= 1.0.0, major,minor,status must match and library -- * fix version must be equal to or newer than the header. -+ * For versions >= 1.0.0, but <3, major,minor,status must match and -+ * library fix version must be equal to or newer than the header. - */ - mask = 0xfff0000fL; /* major,minor,status */ - hfix = (headerver & 0x000ff000) >> 12; diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch deleted file mode 100644 index e9ac2ae..0000000 --- a/openssh-9.3p1-upstream-cve-2023-38408.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -diff --git a/ssh-agent.c b/ssh-agent.c -index 618bb198..8ea831f4 100644 -diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c ---- openssh-9.3p1/ssh-agent.c.cve 2023-07-21 15:38:13.237276580 +0200 -+++ openssh-9.3p1/ssh-agent.c 2023-07-21 15:41:30.269943569 +0200 -@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX]; - /* Pattern-list of allowed PKCS#11/Security key paths */ - static char *allowed_providers; - -+/* -+ * Allows PKCS11 providers or SK keys that use non-internal providers to -+ * be added over a remote connection (identified by session-bind@openssh.com). -+ */ -+static int remote_add_provider; -+ - /* locking */ - #define LOCK_SIZE 32 - #define LOCK_SALT_SIZE 16 -@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e) - if (strcasecmp(sk_provider, "internal") == 0) { - debug_f("internal provider"); - } else { -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed add of SK provider \"%.100s\": " -+ "remote addition of providers is disabled", -+ sk_provider); -+ goto out; -+ } - if (realpath(sk_provider, canonical_provider) == NULL) { - verbose("failed provider \"%.100s\": " - "realpath: %s", sk_provider, -@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e) - - #ifdef ENABLE_PKCS11 - static char * --sanitize_pkcs11_provider(const char *provider) -+sanitize_pkcs11_provider(SocketEntry *e, const char *provider) - { - struct pkcs11_uri *uri = NULL; - char *sane_uri, *module_path = NULL; /* default path */ -@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro - module_path = strdup(provider); /* simple path */ - - if (module_path != NULL) { /* do not validate default NULL path in URI */ -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " -+ "providers is disabled", provider); -+ return NULL; -+ } - if (realpath(module_path, canonical_provider) == NULL) { - verbose("failed PKCS#11 provider \"%.100s\": realpath: %s", - module_path, 
strerror(errno)); -@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e - goto send; - } - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry - } - free(pin); - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -2108,7 +2125,9 @@ main(int ac, char **av) - break; - case 'O': - if (strcmp(optarg, "no-restrict-websafe") == 0) -- restrict_websafe = 0; -+ restrict_websafe = 0; -+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) -+ remote_add_provider = 1; - else - fatal("Unknown -O option"); - break; -diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 6be647ec..ebddf6c3 100644 ---- a/ssh-pkcs11.c -+++ b/ssh-pkcs11.c -@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, - error("dlopen %s failed: %s", provider_module, dlerror()); - goto fail; - } -- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { -- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); -- goto fail; -- } -+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) -+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); - - p->module->handle = handle; - /* setup the pkcs11 callbacks */ ---- a/ssh-agent.1 2023-03-15 22:28:19.000000000 +0100 -+++ b/ssh-agent.1 2023-07-19 21:39:17.981406432 +0200 -@@ -107,9 +107,27 @@ - .It Fl O Ar option - Specify an option when starting - .Nm . --Currently only one option is supported: -+Currently two options are supported: -+.Cm allow-remote-pkcs11 -+and - .Cm no-restrict-websafe . --This instructs -+.Pp -+The -+.Cm allow-remote-pkcs11 -+option allows clients of a forwarded -+.Nm -+to load PKCS#11 or FIDO provider libraries. -+By default only local clients may perform this operation. 
-+Note that signalling that a -+.Nm -+client remote is performed by -+.Xr ssh 1 , -+and use of other tools to forward access to the agent socket may circumvent -+this restriction. -+.Pp -+The -+.Cm no-restrict-websafe , -+instructs - .Nm - to permit signatures using FIDO keys that might be web authentication - requests. diff --git a/openssh.spec b/openssh.spec index aa1e5e7..b9f35bf 100644 --- a/openssh.spec +++ b/openssh.spec @@ -656,6 +656,8 @@ test -f %{sysconfig_anaconda} && \ * Fri Aug 16 2024 Dmitry Belyavskiy - 9.8p1-4 - Address SAST scan issues Resolves: RHEL-36766 +- Remove obsoleted patches + Related: RHEL-42635 * Mon Aug 05 2024 Dmitry Belyavskiy - 9.8p1-3 - sshd doesn't propose to enter password again when a non-existing user is specified
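Review bot: Deleting openssh-9.3p1-upstream-cve-2023-38408.patch removes the only in-tree copy of the ssh-agent remote-provider restriction (the `e->nsession_ids != 0 && !remote_add_provider` checks in process_add_identity and sanitize_pkcs11_provider), so the commit should make explicit why the built package stays protected. The diffstat shows openssh.spec gaining 2 lines and losing none, so no `Patch:`/`%patch` reference to this file is being removed; that implies the file was already unapplied against the 9.8p1 base and the deletion is a no-op for the build, but the changelog entry does not say so. I would extend the spec changelog line to record the justification, e.g. `- Remove obsoleted patches (unreferenced by the spec; CVE-2023-38408 and openssl-compat fixes are presumably carried by the 9.8p1 base — verify ssh-agent still rejects remote PKCS#11/SK provider adds without -O allow-remote-pkcs11)`. The "presumably" is deliberate: nothing on this page shows the 9.8p1 sources, so a reviewer should confirm the restriction and the `-O allow-remote-pkcs11` option exist in the shipped ssh-agent before merging.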