From f3c95f4ec62cc3ccd098cf81bb0ecb2e0e95a83a Mon Sep 17 00:00:00 2001
From: "Shencb@123" <1944340417@qq.com>
Date: Fri, 6 Sep 2024 22:07:48 +0800
Subject: [PATCH] support clang
---
 0001-add-a-header-file.patch | 39 ++++++++
 openssh.spec | 176 +++++++++++++++++++----------------
 2 files changed, 137 insertions(+), 78 deletions(-)
 create mode 100644 0001-add-a-header-file.patch
diff --git a/0001-add-a-header-file.patch b/0001-add-a-header-file.patch
new file mode 100644
index 0000000..c31b92f
--- /dev/null
+++ b/0001-add-a-header-file.patch
@@ -0,0 +1,39 @@
+From f3c2dc7ca2f9887e6a50369dde5e85ccbd0594d9 Mon Sep 17 00:00:00 2001
+From: "Shencb@123" <1944340417@qq.com>
+Date: Fri, 6 Sep 2024 21:56:04 +0800
+Subject: [PATCH] add a header file
+
+---
+ ssh-ecdsa.c | 2 +-
+ ssh-rsa.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 341c324..6fe5e42 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -42,7 +42,7 @@
+ #include "digest.h"
+ #define SSHKEY_INTERNAL
+ #include "sshkey.h"
+-
+#include "ssh-pkcs11.h"
+ #include "openbsd-compat/openssl-compat.h"
+
+ static u_int
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index be8f51e..2c8b044 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -26,7 +26,7 @@
+
+ #include
+ #include
+-
+#include "ssh-pkcs11.h"
+ #include "sshbuf.h"
+ #include "ssherr.h"
+ #define SSHKEY_INTERNAL
+--
+2.45.2.windows.1
+
diff --git a/openssh.spec b/openssh.spec
index 50b2c37..2f0bf06 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
-%global openssh_release 5
+%global openssh_release 6
 Name: openssh
 Version: 9.3p2
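Review bot: In the ssh-rsa.c hunk of 0001-add-a-header-file.patch the new `#include "ssh-pkcs11.h"` sits ahead of `sshbuf.h` and `sshkey.h`, whereas the ssh-ecdsa.c hunk places it after `#include "sshkey.h"`. If ssh-pkcs11.h names `struct sshkey` in its prototypes (the header is not visible here), the ssh-rsa.c order introduces that type inside a parameter list first, which compilers warn about; moving the line below `#include "sshkey.h"` would match ssh-ecdsa.c. The patch description says only "add a header file"; one sentence naming the call whose declaration was missing under clang would let the next rebase decide whether the patch is still needed. Both files continue outside the hunks shown.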
@@ -101,6 +101,7 @@ Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-i
 Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
 Patch80: backport-fix-CVE-2024-6387.patch
 Patch81: backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
+Patch82:0001-add-a-header-file.patch
 Requires: /sbin/nologin
 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
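Review bot: `Patch82:0001-add-a-header-file.patch` is the only entry here without a space after the tag, and its name says nothing about origin or purpose next to the `backport-…` entries above it. Suggest `Patch82: 0001-add-a-header-file.patch` preceded by a comment such as `# downstream build fix: include ssh-pkcs11.h in ssh-rsa.c/ssh-ecdsa.c for clang`. That keeps a local build fix distinguishable from the upstream security backports when the patch list is audited.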
@@ -177,80 +178,81 @@ instance. The module is most useful for su and sudo service stacks.
 %setup -q -a 3
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
-%patch3 -p2 -b .psaa-build
-%patch4 -p2 -b .psaa-seteuid
-%patch5 -p2 -b .psaa-visibility
-%patch7 -p2 -b .psaa-compat
-%patch6 -p2 -b .psaa-agent
-%patch8 -p2 -b .psaa-deref
-%patch9 -p2 -b .rsasha2
-%patch10 -p1 -b .psaa-configure-c99
+%patch 3 -p2 -b .psaa-build
+%patch 4 -p2 -b .psaa-seteuid
+%patch 5 -p2 -b .psaa-visibility
+%patch 7 -p2 -b .psaa-compat
+%patch 6 -p2 -b .psaa-agent
+%patch 8 -p2 -b .psaa-deref
+%patch 9 -p2 -b .rsasha2
+%patch 10 -p1 -b .psaa-configure-c99
 # Remove duplicate headers and library files
 rm -f $(cat %{SOURCE4})
 popd
-%patch11 -p1 -b .role-mls
-%patch12 -p1 -b .privsep-selinux
-%patch14 -p1 -b .keycat
-%patch15 -p1 -b .ip-opts
-%patch17 -p1 -b .ipv6man
-%patch18 -p1 -b .sigpipe
-%patch19 -p1 -b .x11
-%patch21 -p1 -b .progress
-%patch22 -p1 -b .grab-info
-%patch23 -p1
-%patch24 -p1 -b .log-usepam-no
-%patch28 -p1 -b .gsskex
-%patch29 -p1 -b .force_krb
-%patch31 -p1 -b .ccache_name
-%patch32 -p1 -b .k5login
-%patch33 -p1 -b .kuserok
-%patch34 -p1 -b .fromto-remote
-%patch35 -p1 -b .contexts
-%patch36 -p1 -b .log-in-chroot
-%patch37 -p1 -b .scp
-%patch30 -p1 -b .GSSAPIEnablek5users
-%patch38 -p1 -b .sshdt
-%patch39 -p1 -b .sftp-force-mode
-%patch40 -p1 -b .s390-dev
-%patch41 -p1 -b .x11max
-%patch42 -p1 -b .systemd
-%patch43 -p1 -b .refactor
-%patch44 -p1 -b .sandbox
-%patch45 -p1 -b .pkcs11-uri
-%patch46 -p1 -b .scp-ipv6
-%patch48 -p1 -b .crypto-policies
-%patch49 -p1 -b .openssl-evp
-%patch50 -p1 -b .openssl-kdf
-%patch51 -p1 -b .visibility
-%patch52 -p1 -b .x11-ipv6
-%patch53 -p1 -b .keygen-strip-doseol
-%patch54 -p1 -b .preserve-pam-errors
-%patch55 -p1 -b .kill-scp
-%patch56 -p1 -b .scp-sftpdirs
-%patch57 -p1 -b .minrsabits
-%patch58 -p1 -b .ibmca
-%patch60 -p1 -b .ssh-manpage
-%patch61 -p1 -b .negotiate-supported-algs
-%patch1 -p1 -b .audit
-%patch2 -p1 -b .audit-race
-%patch0 -p1 -b .coverity
-
-%patch66 -p1
-%patch67 -p1
-%patch68 -p1
-%patch69 -p1
-%patch70 -p1
-%patch71 -p1
-%patch72 -p1
-%patch73 -p1
-%patch74 -p1
-%patch75 -p1
-%patch77 -p1
-%patch78 -p1
-%patch79 -p1
-%patch80 -p1
-%patch81 -p1
+%patch 11 -p1 -b .role-mls
+%patch 12 -p1 -b .privsep-selinux
+%patch 14 -p1 -b .keycat
+%patch 15 -p1 -b .ip-opts
+%patch 17 -p1 -b .ipv6man
+%patch 18 -p1 -b .sigpipe
+%patch 19 -p1 -b .x11
+%patch 21 -p1 -b .progress
+%patch 22 -p1 -b .grab-info
+%patch 23 -p1
+%patch 24 -p1 -b .log-usepam-no
+%patch 28 -p1 -b .gsskex
+%patch 29 -p1 -b .force_krb
+%patch 31 -p1 -b .ccache_name
+%patch 32 -p1 -b .k5login
+%patch 33 -p1 -b .kuserok
+%patch 34 -p1 -b .fromto-remote
+%patch 35 -p1 -b .contexts
+%patch 36 -p1 -b .log-in-chroot
+%patch 37 -p1 -b .scp
+%patch 30 -p1 -b .GSSAPIEnablek5users
+%patch 38 -p1 -b .sshdt
+%patch 39 -p1 -b .sftp-force-mode
+%patch 40 -p1 -b .s390-dev
+%patch 41 -p1 -b .x11max
+%patch 42 -p1 -b .systemd
+%patch 43 -p1 -b .refactor
+%patch 44 -p1 -b .sandbox
+%patch 45 -p1 -b .pkcs11-uri
+%patch 46 -p1 -b .scp-ipv6
+%patch 48 -p1 -b .crypto-policies
+%patch 49 -p1 -b .openssl-evp
+%patch 50 -p1 -b .openssl-kdf
+%patch 51 -p1 -b .visibility
+%patch 52 -p1 -b .x11-ipv6
+%patch 53 -p1 -b .keygen-strip-doseol
+%patch 54 -p1 -b .preserve-pam-errors
+%patch 55 -p1 -b .kill-scp
+%patch 56 -p1 -b .scp-sftpdirs
+%patch 57 -p1 -b .minrsabits
+%patch 58 -p1 -b .ibmca
+%patch 60 -p1 -b .ssh-manpage
+%patch 61 -p1 -b .negotiate-supported-algs
+%patch 1 -p1 -b .audit
+%patch 2 -p1 -b .audit-race
+%patch 0 -p1 -b .coverity
+
+%patch 66 -p1
+%patch 67 -p1
+%patch 68 -p1
+%patch 69 -p1
+%patch 70 -p1
+%patch 71 -p1
+%patch 72 -p1
+%patch 73 -p1
+%patch 74 -p1
+%patch 75 -p1
+%patch 77 -p1
+%patch 78 -p1
+%patch 79 -p1
+%patch 80 -p1
+%patch 81 -p1
+%patch 82 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
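Review bot: The positional form `%patch 3 -p2 …` used throughout this hunk is, to my knowledge, only treated as "apply exactly this patch" by rpm 4.18 and later, while `%patch -P 3 -p2 -b .psaa-build` is understood by older and newer rpm alike. If any supported build host carries an older rpm, the `-P` spelling is the safer rewrite, since a misapplied or skipped entry here would silently change which CVE backports end up in the binary. The mechanical rewrite also buries the one functional addition, `%patch 82 -p1`; a separate commit would make it easier to verify that nothing else in the application order changed.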
@@ -322,16 +324,28 @@ make
 popd
 %check
-if [ -e /sys/fs/selinux/enforce ]; then
- # Store the SElinux state
- cat /sys/fs/selinux/enforce > selinux.tmp
- setenforce 0
+if [ -e /sys/fs/selinux/enforce ]; then
+ # Store the SElinux state only if the file exists
+ if [ -w /sys/fs/selinux/enforce ] && [ -w. ]; then
+ cat /sys/fs/selinux/enforce > selinux.tmp
+ setenforce 0
+ else
+ echo "Insufficient permissions to handle SELinux state. Skipping modification."
+ fi
+else
+ echo "SELinux is not enabled or enforce file not found. Skipping modification."
 fi
+
 make tests
+
 if [ -e /sys/fs/selinux/enforce ]; then
- # Restore the SElinux state
- cat selinux.tmp > /sys/fs/selinux/enforce
- rm -rf selinux.tmp
+ # Restore the SElinux state only if the file exists
+ if [ -w /sys/fs/selinux/enforce ] && [ -f selinux.tmp ]; then
+ cat selinux.tmp > /sys/fs/selinux/enforce
+ rm -rf selinux.tmp
+ else
+ echo "Insufficient permissions or temp file not found. Skipping restoration of SELinux state."
+ fi
 fi
 %install
@@ -467,6 +481,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
+* Tue Aug 27 2024 shenchenbang <1944340417@qq.com> - 9.3p2-6
+- Type:CVE
+- CVE:CVE-2023-51384
+- SUG:NA
+- DESC:Fix add include pkcs11
+
 * Fri Jul 12 2024 renmingshuai - 9.3p2-5
 - Type:CVE
 - CVE:CVE-2023-51384
-- Gitee
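Review bot: Once `setenforce 0` has run in the rewritten %check, nothing guarantees the restore: rpmbuild normally runs scriptlets under `sh -e`, so a failing `make tests` aborts before the second block and the build host stays permissive. Registering the restore right after the save, e.g. `trap 'cat selinux.tmp > /sys/fs/selinux/enforce; rm -f selinux.tmp' EXIT`, covers that path and makes the second block unnecessary. The second operand of the new guard reads `[ -w. ]` on this page; if that is literal rather than an extraction artefact, it tests a non-empty string and is always true, and `[ -w . ]` is presumably what was meant. The new comments say "only if the file exists" although the lines they sit on test writability, so `# only when the enforce node and build dir are writable` would describe them better.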