From 6a0769945432900cc01b395e5ba52cba33a2edee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 19 Nov 2020 14:39:49 +0100
Subject: [PATCH] Compatibility with Debian's openssh-7.4p1 (#1881301)

This only version does incorrectly reports server_sig_algorithms
extension and in Fedora 33 with disabled SHA1, clients are unable
to connect to Debian servers
---
 openssh-8.4p1-debian-compat.patch | 57 +++++++++++++++++++++++++++++++
 openssh.spec                      |  3 ++
 2 files changed, 60 insertions(+)
 create mode 100644 openssh-8.4p1-debian-compat.patch

diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch
new file mode 100644
index 0000000..0af1d3d
--- /dev/null
+++ b/openssh-8.4p1-debian-compat.patch
@@ -0,0 +1,57 @@
+--- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
++++ compat.h	2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+-/* #define unused		0x00000004 */
++#define SSH_BUG_SIGTYPE74	0x00000004
+ /* #define unused		0x00000008 */
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+--- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
++++ compat.c	2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ 		{ "OpenSSH_6.5*,"
+ 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ 					SSH_BUG_SIGTYPE},
++		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++		  			SSH_BUG_SIGTYPE74},
+ 		{ "OpenSSH_7.0*,"
+ 		  "OpenSSH_7.1*,"
+ 		  "OpenSSH_7.2*,"
+ 		  "OpenSSH_7.3*,"
+-		  "OpenSSH_7.4*,"
+ 		  "OpenSSH_7.5*,"
+ 		  "OpenSSH_7.6*,"
+ 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ 			break;
+ 	}
+ 	free(oallowed);
++	/*
++	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++	 * support.  For that release, check the local policy against the
++	 * SHA2 signature types.
++	 */
++	if (alg == NULL &&
++	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++		oallowed = allowed = xstrdup(options.pubkey_key_types);
++		while ((cp = strsep(&allowed, ",")) != NULL) {
++			if (sshkey_type_from_name(cp) != key->type)
++				continue;
++			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++			if (tmp != NULL)
++				alg = xstrdup(cp);
++			free(tmp);
++			if (alg != NULL)
++				break;
++		}
++		free(oallowed);
++	}
+ 	return alg;
+ }
+ 
+
diff --git a/openssh.spec b/openssh.spec
index a712857..d88dd7b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -199,6 +199,8 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3232
 Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -384,6 +386,7 @@ popd
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
 %patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race