From a8bcabfed1b013cec7928cae00a71714c8073426 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date: Thu, 31 Oct 2024 21:46:27 +0300
Subject: [PATCH] import openssh-9.9p1-4.el10

---
 SOURCES/openssh-8.7p1-openssl-log.patch | 75 +++++++++++++++++++
 SOURCES/openssh-8.7p1-redhat-help.patch |  4 +-
 SOURCES/openssh-9.9p1-mlkembe.patch     | 98 +++++++++++++++++++++++++
 SPECS/openssh.spec                      | 20 ++++-
 4 files changed, 194 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/openssh-8.7p1-openssl-log.patch
 create mode 100644 SOURCES/openssh-9.9p1-mlkembe.patch

diff --git a/SOURCES/openssh-8.7p1-openssl-log.patch b/SOURCES/openssh-8.7p1-openssl-log.patch
new file mode 100644
index 0000000..67a56e3
--- /dev/null
+++ b/SOURCES/openssh-8.7p1-openssl-log.patch
@@ -0,0 +1,75 @@
+diff -up openssh-9.9p1/log.c.xxx openssh-9.9p1/log.c
+--- openssh-9.9p1/log.c.xxx	2024-10-22 11:55:44.281939275 +0200
++++ openssh-9.9p1/log.c	2024-10-22 11:56:16.709676267 +0200
+@@ -52,6 +52,9 @@
+ 
+ #include "log.h"
+ #include "match.h"
++#ifdef WITH_OPENSSL
++#include <openssl/err.h>
++#endif
+ 
+ static LogLevel log_level = SYSLOG_LEVEL_INFO;
+ static int log_on_stderr = 1;
+@@ -438,6 +438,26 @@ sshlog(const char *file, const char *fun
+ 	va_end(args);
+ }
+ 
++#ifdef WITH_OPENSSL
++static int
++openssl_error_print_cb(const char *str, size_t len, void *u)
++{
++	sshlogdirect(SYSLOG_LEVEL_DEBUG1, 0, "openssl error %s", str);
++	return 0;
++}
++#endif
++
++void
++sshlog_openssl(int r)
++{
++#ifdef WITH_OPENSSL
++	if (r != SSH_ERR_LIBCRYPTO_ERROR) return;
++
++	ERR_print_errors_cb(openssl_error_print_cb, NULL);
++#endif
++	return;
++}
++
+ void
+ sshlogdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+diff -up openssh-8.7p1/log.h.xxx openssh-8.7p1/log.h
+--- openssh-8.7p1/log.h.xxx	2024-10-18 12:56:18.944971946 +0200
++++ openssh-8.7p1/log.h	2024-10-18 13:03:38.324351416 +0200
+@@ -71,6 +71,7 @@ void	 cleanup_exit(int) __attribute__((n
+ void	 sshlog(const char *, const char *, int, int,
+     LogLevel, const char *, const char *, ...)
+     __attribute__((format(printf, 7, 8)));
++void	 sshlog_openssl(int);
+ void	 sshlogv(const char *, const char *, int, int,
+     LogLevel, const char *, const char *, va_list);
+ void	 sshlogdie(const char *, const char *, int, int,
+diff -up openssh-8.7p1/auth2-pubkey.c.yyy openssh-8.7p1/auth2-pubkey.c
+--- openssh-8.7p1/auth2-pubkey.c.yyy	2024-10-18 13:27:00.709055845 +0200
++++ openssh-8.7p1/auth2-pubkey.c	2024-10-18 13:27:31.638784460 +0200
+@@ -131,6 +131,7 @@ userauth_pubkey(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
++		sshlog_openssl(r);
+ 		error_fr(r, "parse key");
+ 		goto done;
+ 	}
+diff -up openssh-8.7p1/dispatch.c.yyy openssh-8.7p1/dispatch.c
+--- openssh-8.7p1/dispatch.c.yyy	2024-10-18 13:27:56.349366570 +0200
++++ openssh-8.7p1/dispatch.c	2024-10-18 13:28:17.921874757 +0200
+@@ -130,6 +130,8 @@ ssh_dispatch_run_fatal(struct ssh *ssh,
+ {
+ 	int r;
+ 
+-	if ((r = ssh_dispatch_run(ssh, mode, done)) != 0)
++	if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) {
++		sshlog_openssl(r);
+ 		sshpkt_fatal(ssh, r, "%s", __func__);
++	}
+ }
diff --git a/SOURCES/openssh-8.7p1-redhat-help.patch b/SOURCES/openssh-8.7p1-redhat-help.patch
index 95d669c..3ffb657 100644
--- a/SOURCES/openssh-8.7p1-redhat-help.patch
+++ b/SOURCES/openssh-8.7p1-redhat-help.patch
@@ -1,17 +1,19 @@
 diff -up openssh-8.7p1/ssh.c.xxx openssh-8.7p1/ssh.c
 --- openssh-8.7p1/ssh.c.xxx	2024-09-11 14:24:06.711088878 +0200
 +++ openssh-8.7p1/ssh.c	2024-09-11 14:35:12.883765718 +0200
-@@ -175,6 +175,14 @@ extern int muxserver_sock;
+@@ -175,6 +175,16 @@ extern int muxserver_sock;
  extern u_int muxclient_command;
  
  /* Prints a help message to the user.  This function never returns. */
 +static void
 +redhat_usage(void)
 +{
++    if(isatty(fileno(stderr))) {
 +	fprintf(stderr,
 +"\nYou can find some explanations for typical errors at this link:\n"
 +"	    https://red.ht/support_rhel_ssh\n"
 +	);
++    }
 +}
  
  static void
diff --git a/SOURCES/openssh-9.9p1-mlkembe.patch b/SOURCES/openssh-9.9p1-mlkembe.patch
new file mode 100644
index 0000000..aa0c26c
--- /dev/null
+++ b/SOURCES/openssh-9.9p1-mlkembe.patch
@@ -0,0 +1,98 @@
+diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c
+index 679446e9..2b5d3960 100644
+--- a/kexmlkem768x25519.c
++++ b/kexmlkem768x25519.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
++/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
+ /*
+  * Copyright (c) 2023 Markus Friedl.  All rights reserved.
+  *
+@@ -34,6 +34,9 @@
+ #include <stdbool.h>
+ #include <string.h>
+ #include <signal.h>
++#ifdef HAVE_ENDIAN_H
++# include <endian.h>
++#endif
+ 
+ #include "sshkey.h"
+ #include "kex.h"
+diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
+index a82d60e8..b8ac1436 100644
+--- a/libcrux_mlkem768_sha3.h
++++ b/libcrux_mlkem768_sha3.h
+@@ -1,4 +1,5 @@
+-/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
++/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
++
+ /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
+ 
+ /*
+@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
+ // CORE STUFF (conversions, endianness, ...)
+ 
+ static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
++  v = htole64(v);
+   memcpy(buf, &v, sizeof(v));
+ }
+ static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
+   uint64_t v;
+   memcpy(&v, buf, sizeof(v));
+-  return v;
++  return le64toh(v);
+ }
+ 
+ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
+   uint32_t v;
+   memcpy(&v, buf, sizeof(v));
+-  return v;
++  return le32toh(v);
+ }
+ 
+ static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
+diff --git a/mlkem768.sh b/mlkem768.sh
+index 2fdc2831..3d12b2ed 100644
+--- a/mlkem768.sh
++++ b/mlkem768.sh
+@@ -1,9 +1,10 @@
+ #!/bin/sh
+-#       $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
++#       $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
+ #       Placed in the Public Domain.
+ #
+ 
+-WANT_LIBCRUX_REVISION="origin/main"
++#WANT_LIBCRUX_REVISION="origin/main"
++WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
+ 
+ FILES="
+ 	libcrux/libcrux-ml-kem/cg/eurydice_glue.h
+@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
+ echo '#define KRML_HOST_EPRINTF(...)'
+ echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
+ echo
++
+ for i in $FILES; do
+ 	echo "/* from $i */"
+ 	# Changes to all files:
+@@ -56,11 +58,16 @@ for i in $FILES; do
+ 	    -e 's/[	 ]*$//' \
+ 	    $i | \
+ 	case "$i" in
+-	# XXX per-file handling goes here.
++	*/libcrux-ml-kem/cg/eurydice_glue.h)
++		# Replace endian functions with versions that work.
++		perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1  v = htole64(v);\n\2/' |
++		perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
++		perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
++		;;
+ 	# Default: pass through.
+ 	*)
+-	    cat
+-	    ;;
++		cat
++		;;
+ 	esac
+ 	echo
+ done
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 4f29b28..4f2963b 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -39,7 +39,7 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 %global openssh_ver 9.9p1
-%global openssh_rel 2
+%global openssh_rel 4
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -195,6 +195,10 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch
 Patch1015: openssh-9.6p1-pam-rhost.patch
 Patch1016: openssh-9.9p1-separate-keysign.patch
 Patch1017: openssh-8.7p1-redhat-help.patch
+Patch1018: openssh-8.7p1-openssl-log.patch
+# upstream cf3e48ee8ba1beeccddd2f203b558fa102be67a2
+# upstream 0c3927c45f8a57b511c874c4d51a8c89414f74ef
+Patch1019: openssh-9.9p1-mlkembe.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -377,6 +381,8 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1015 -p1 -b .pam-rhost
 %patch -P 1016 -p1 -b .sep-keysign
 %patch -P 1017 -p1 -b .help
+%patch -P 1018 -p1 -b .openssl-log
+%patch -P 1019 -p1 -b .mlkembe
 
 %patch -P 100 -p1 -b .coverity
 
@@ -656,9 +662,19 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
-* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 9.9p1-2
+* Mon Oct 28 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-4
+- Fix MLKEM for BE platforms
+  Related: RHEL-60564
+
+* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 9.9p1-3
 - Rebuilt for MSVSphere 10
 
+* Fri Oct 18 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-3
+- Extra help information should not be printed if stderr is not a TTY
+  Resolves: RHEL-63061
+- Provide details on crypto error instead of "error in libcrypto"
+  Resolves: RHEL-63190
+
 * Tue Oct 15 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-2
 - Resolve memory management issues after rebase
   Related: RHEL-60564