From 57e280d1f4ccf6d5ecc0b427517a67124430ee19 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Nov 2018 09:54:54 +0100
Subject: [PATCH] Allow to disable RSA signatures with SHA-1

---
 openssh-7.9p1-disable-sha1.patch | 62 ++++++++++++++++++++++++++++++++
 openssh.spec                     |  4 +++
 2 files changed, 66 insertions(+)
 create mode 100644 openssh-7.9p1-disable-sha1.patch

diff --git a/openssh-7.9p1-disable-sha1.patch b/openssh-7.9p1-disable-sha1.patch
new file mode 100644
index 0000000..c157b3c
--- /dev/null
+++ b/openssh-7.9p1-disable-sha1.patch
@@ -0,0 +1,62 @@
+diff --git a/monitor.c b/monitor.c
+index 12b33e7..a1c3c97 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -875,6 +875,34 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
+ }
+ #endif
+ 
++/*
++ * Check that the key type appears in the supplied pattern list, ignoring
++ * mismastches in the signature algorithm. (Signature algorithm checks are
++ * performed in the unprivileged authentication code).
++ * Returns 1 on success, 0 otherwise.
++ */
++static int
++key_base_type_match(const struct sshkey *key, const char *list)
++{
++	char *s, *l, *ol = xstrdup(list);
++	int found = 0;
++
++	l = ol;
++	for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
++		if (sshkey_type_from_name(s) == key->type) {
++			found = 1;
++			break;
++		}
++	}
++	if (!found) {
++		debug("key type %s does not appear in list %s",
++		    sshkey_ssh_name(key), list);
++	}
++
++	free(ol);
++	return found;
++}
++
+ int
+ mm_answer_keyallowed(int sock, struct sshbuf *m)
+ {
+@@ -909,8 +937,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+ 				break;
+ 			if (auth2_key_already_used(authctxt, key))
+ 				break;
+-			if (match_pattern_list(sshkey_ssh_name(key),
+-			    options.pubkey_key_types, 0) != 1)
++			if (!key_base_type_match(key,
++			    options.pubkey_key_types))
+ 				break;
+ 			allowed = user_key_allowed(ssh, authctxt->pw, key,
+ 			    pubkey_auth_attempt, &opts);
+@@ -921,8 +949,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+ 				break;
+ 			if (auth2_key_already_used(authctxt, key))
+ 				break;
+-			if (match_pattern_list(sshkey_ssh_name(key),
+-			    options.hostbased_key_types, 0) != 1)
++			if (!key_base_type_match(key,
++			    options.hostbased_key_types))
+ 				break;
+ 			allowed = hostbased_key_allowed(authctxt->pw,
+ 			    cuser, chost, key);
+
diff --git a/openssh.spec b/openssh.spec
index 0b9d966..d0f517b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -223,6 +223,9 @@ Patch951: openssh-7.6p1-pkcs11-uri.patch
 Patch952: openssh-7.6p1-pkcs11-ecdsa.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
+# Allow to disable RSA signatures with SHA-1 in server
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2746
+Patch954: openssh-7.9p1-disable-sha1.patch
 
 License: BSD
 Group: Applications/Internet
@@ -446,6 +449,7 @@ popd
 %patch952 -p1 -b .pkcs11-ecdsa
 %patch953 -p1 -b .scp-ipv6
 %patch808 -p1 -b .gsskex-method
+%patch954 -p1 -b .disable-sha1
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race