[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/

["Patrick McLean" <chutzpah@gentoo.org>]

commit:     771040f0b9111b4125ec068b6fd1fe7d70fb319e
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Fri Sep  2 20:49:43 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Sep  2 20:49:58 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=771040f0

net-misc/openssh: Revision bump, re-enable the hpn USE flag

This is hard masked for now for further testing, see bug #577768, All
the tests pass on all of my machines with USE="hpn" and USE="hpn X509".

Since there does not appear to be a tarball for the upstream hpn for
openssh-7.2+, this ebuild downloads the kitchensink diff, then patches
it to apply against openssh-7.3p1 and remove the server logging stuff
that get dropped from other hpn patchsets.

We can unmask this once more people test it and sign off that is looks good.

Package-Manager: portage-2.3.0

 net-misc/openssh/Manifest                          |   1 +
 .../openssh/files/openssh-7.3_p1-hpn-update.patch  | 277 +++++++++++++++++
 .../files/openssh-7.3_p1-hpn-x509-glue.patch       |  33 ++
 net-misc/openssh/openssh-7.3_p1-r3.ebuild          | 343 +++++++++++++++++++++
 4 files changed, 654 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7e2535f..c6667a5 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -9,6 +9,7 @@ DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee
 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-7_2_P2-hpn-14.10.diff 78587 SHA256 f083d4c4a2054808386e974accda385542ce150f0c0f079ec1a0d4fa78888b17 SHA512 49d772c6a071fe1883d5d2844aba1d327c40938af368ba349b44c643e10f4e2d02e5c889810f8914c61324fbf90e53547aa346fdbd47b22b2f8da6afc174692c WHIRLPOOL 516621cdbccae3ecc900fde1b1edd2bac807b628d631289e3002747901d7663f5a2545f6b0396415a850f9695dd57e2ab5dbc548584f2c973726b38ca4d57bac
 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
 DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
new file mode 100644
index 00000000..2c4cc50
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
@@ -0,0 +1,277 @@
+--- openssh-7_2_P2-hpn-14.10.diff.orig	2016-09-01 10:34:05.905112131 -0700
++++ openssh-7_2_P2-hpn-14.10.diff	2016-09-01 11:33:19.106664802 -0700
+@@ -156,145 +156,6 @@
+  	compat.o crc32.o deattack.o fatal.o hostfile.o \
+  	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
+  	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+-diff --git a/auth2.c b/auth2.c
+-index 7177962..4af53f0 100644
+---- a/auth2.c
+-+++ b/auth2.c
+-@@ -50,6 +50,7 @@
+- #include "dispatch.h"
+- #include "pathnames.h"
+- #include "buffer.h"
+-+#include "canohost.h"
+- 
+- #ifdef GSSAPI
+- #include "ssh-gss.h"
+-@@ -73,6 +74,8 @@ extern Authmethod method_hostbased;
+- extern Authmethod method_gssapi;
+- #endif
+- 
+-+static int log_flag = 0;
+-+
+- Authmethod *authmethods[] = {
+- 	&method_none,
+- 	&method_pubkey,
+-@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+- 	service = packet_get_cstring(NULL);
+- 	method = packet_get_cstring(NULL);
+- 	debug("userauth-request for user %s service %s method %s", user, service, method);
+-+	if (!log_flag) {
+-+		logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
+-+		      get_remote_ipaddr(), get_remote_port(), user);
+-+		log_flag = 1;
+-+	}
+- 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+- 
+- 	if ((style = strchr(user, ':')) != NULL)
+-diff --git a/canohost.c b/canohost.c
+-index 223964e..db35f73 100644
+---- a/canohost.c
+-+++ b/canohost.c
+-@@ -338,13 +338,13 @@ clear_cached_addr(void)
+-  */
+- 
+- const char *
+--get_remote_ipaddr(void)
+-+ssh_get_remote_ipaddr(struct ssh *ssh)
+- {
+- 	/* Check whether we have cached the ipaddr. */
+- 	if (canonical_host_ip == NULL) {
+--		if (packet_connection_is_on_socket()) {
+-+		if (ssh_packet_connection_is_on_socket(ssh)) {
+- 			canonical_host_ip =
+--			    get_peer_ipaddr(packet_get_connection_in());
+-+			    get_peer_ipaddr(ssh_packet_get_connection_in(ssh));
+- 			if (canonical_host_ip == NULL)
+- 				cleanup_exit(255);
+- 		} else {
+-@@ -356,6 +356,12 @@ get_remote_ipaddr(void)
+- }
+- 
+- const char *
+-+get_remote_ipaddr(void)
+-+{
+-+  return ssh_get_remote_ipaddr(active_state);
+-+}
+-+
+-+const char *
+- get_remote_name_or_ip(u_int utmp_len, int use_dns)
+- {
+- 	static const char *remote = "";
+-@@ -410,17 +416,17 @@ get_sock_port(int sock, int local)
+- /* Returns remote/local port number for the current connection. */
+- 
+- static int
+--get_port(int local)
+-+get_port(struct ssh *ssh, int local)
+- {
+- 	/*
+- 	 * If the connection is not a socket, return 65535.  This is
+- 	 * intentionally chosen to be an unprivileged port number.
+- 	 */
+--	if (!packet_connection_is_on_socket())
+-+	if (!ssh_packet_connection_is_on_socket(ssh))
+- 		return 65535;
+- 
+- 	/* Get socket and return the port number. */
+--	return get_sock_port(packet_get_connection_in(), local);
+-+	return get_sock_port(ssh_packet_get_connection_in(ssh), local);
+- }
+- 
+- int
+-@@ -430,17 +436,23 @@ get_peer_port(int sock)
+- }
+- 
+- int
+--get_remote_port(void)
+-+ssh_get_remote_port(struct ssh *ssh)
+- {
+- 	/* Cache to avoid getpeername() on a dead connection */
+- 	if (cached_port == -1)
+--		cached_port = get_port(0);
+-+		cached_port = get_port(ssh, 0);
+- 
+- 	return cached_port;
+- }
+- 
+- int
+-+get_remote_port(void)
+-+{
+-+	return ssh_get_remote_port(active_state);
+-+}
+-+
+-+int
+- get_local_port(void)
+- {
+--	return get_port(1);
+-+	return get_port(active_state, 1);
+- }
+-diff --git a/canohost.h b/canohost.h
+-index 4c8636f..4d60b27 100644
+---- a/canohost.h
+-+++ b/canohost.h
+-@@ -12,8 +12,11 @@
+-  * called by a name other than "ssh" or "Secure Shell".
+-  */
+- 
+-+struct ssh;
+-+
+- const char	*get_canonical_hostname(int);
+- const char	*get_remote_ipaddr(void);
+-+const char	*ssh_get_remote_ipaddr(struct ssh *);
+- const char	*get_remote_name_or_ip(u_int, int);
+- 
+- char		*get_peer_ipaddr(int);
+-@@ -22,6 +25,7 @@ char		*get_local_ipaddr(int);
+- char		*get_local_name(int);
+- 
+- int		 get_remote_port(void);
+-+int		 ssh_get_remote_port(struct ssh *);
+- int		 get_local_port(void);
+- int		 get_sock_port(int, int);
+- void		 clear_cached_addr(void);
+ diff --git a/channels.c b/channels.c
+ index c9d2015..13b30a1 100644
+ --- a/channels.c
+@@ -1270,7 +1131,7 @@
+  
+  #include "ssherr.h"
+  #include "sshbuf.h"
+-+#include "canohost.h"
+++#include "packet.h"
+  #include "digest.h"
+  
+  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
+@@ -1312,8 +1173,8 @@
+ +		 */
+ +		if (ctos && !log_flag) {
+ +			logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
+-+			    ssh_get_remote_ipaddr(ssh),
+-+			    ssh_get_remote_port(ssh),
+++			    ssh_remote_ipaddr(ssh),
+++			    ssh_remote_port(ssh),
+ +			    newkeys->enc.name,
+ +			    authlen == 0 ? newkeys->mac.name : "<implicit>",
+ +			    newkeys->comp.name);
+@@ -1430,7 +1291,7 @@
+ +		rekey_requested = 0;
+ +		return 1;
+ +	}
+-+	
+++
+  	/* Time-based rekeying */
+  	if (state->rekey_interval != 0 &&
+  	    state->rekey_time + state->rekey_interval <= monotime())
+@@ -1490,7 +1351,7 @@
+  
+  	transferred = *counter - (cur_pos ? cur_pos : start_pos);
+  	cur_pos = *counter;
+- 	now = monotime();
++ 	now = monotime_double();
+  	bytes_left = end_pos - cur_pos;
+  
+ +	delta_pos = cur_pos - last_pos;
+@@ -1564,8 +1425,8 @@
+  	{ "canonicaldomains", oCanonicalDomains },
+  	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ @@ -282,6 +287,11 @@ static struct {
+- 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+  	{ "ignoreunknown", oIgnoreUnknown },
++ 	{ "proxyjump", oProxyJump },
+  
+ +	{ "tcprcvbufpoll", oTcpRcvBufPoll },
+ +	{ "tcprcvbuf", oTcpRcvBuf },
+@@ -1736,8 +1597,8 @@
+  	off_t size, statbytes;
+  	unsigned long long ull;
+  	int setimes, targisdir, wrerrno = 0;
+--	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
+-+	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
++-	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+++	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
+  	struct timeval tv[2];
+  
+  #define	atime	tv[0]
+@@ -1956,32 +1817,6 @@
+  }
+  
+  /*
+-@@ -820,11 +836,13 @@ void
+- server_loop2(Authctxt *authctxt)
+- {
+- 	fd_set *readset = NULL, *writeset = NULL;
+-+	double start_time, total_time;
+- 	int max_fd;
+- 	u_int nalloc = 0;
+- 	u_int64_t rekey_timeout_ms = 0;
+- 
+- 	debug("Entering interactive session for SSH2.");
+-+	start_time = get_current_time();
+- 
+- 	mysignal(SIGCHLD, sigchld_handler);
+- 	child_terminated = 0;
+-@@ -883,6 +901,11 @@ server_loop2(Authctxt *authctxt)
+- 
+- 	/* free remaining sessions, e.g. remove wtmp entries */
+- 	session_destroy_all(NULL);
+-+	total_time = get_current_time() - start_time;
+-+	logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
+-+	      get_remote_ipaddr(), get_remote_port(),
+-+	      stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
+-+	      fdout_bytes / total_time);
+- }
+- 
+- static int
+ @@ -1041,8 +1064,12 @@ server_request_tun(void)
+  	sock = tun_open(tun, mode);
+  	if (sock < 0)
+@@ -2372,10 +2207,10 @@
+  	debug("Client protocol version %d.%d; client software version %.100s",
+  	    remote_major, remote_minor, remote_version);
+ +	logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
+-+	      get_remote_ipaddr(), get_remote_port(),
+++	      ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ +	    remote_major, remote_minor, remote_version);
+  
+- 	active_state->compat = compat_datafellows(remote_version);
++ 	ssh->compat = compat_datafellows(remote_version);
+  
+ @@ -1160,6 +1163,8 @@ server_listen(void)
+  	int ret, listen_sock, on = 1;
+@@ -2413,7 +2248,7 @@
+  	if (options.challenge_response_authentication)
+  		options.kbd_interactive_authentication = 1;
+ @@ -2151,6 +2168,9 @@ main(int ac, char **av)
+- 	    remote_ip, remote_port, laddr,  get_local_port());
++ 	    remote_ip, remote_port, laddr,  ssh_local_port(ssh));
+  	free(laddr);
+  
+ +	/* set the HPN options for the child */
+@@ -2486,11 +2321,10 @@
+ index eb4e948..3692722 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION	"OpenSSH_7.2"
++@@ -3,4 +3,5 @@
++ #define SSH_VERSION	"OpenSSH_7.3"
+  
+- #define SSH_PORTABLE	"p2"
++ #define SSH_PORTABLE	"p1"
+ -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+ +#define SSH_HPN         "-hpn14v11"
+ +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
new file mode 100644
index 00000000..4433925
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
@@ -0,0 +1,33 @@
+--- openssh-7_2_P2-hpn-14.10.diff.clean	2016-09-01 12:11:41.120750207 -0700
++++ openssh-7_2_P2-hpn-14.10.diff	2016-09-01 14:00:44.311487904 -0700
+@@ -141,7 +141,7 @@
+ @@ -44,7 +44,7 @@ CC=@CC@
+  LD=@LD@
+  CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -2098,7 +2098,7 @@
+ @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
+  	/* Send our own protocol version identification. */
+  	if (compat20) {
+- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
++ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
+ -		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ +		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+  	} else {
+@@ -2196,9 +2196,9 @@
+ @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+  	}
+  
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+--	    major, minor, SSH_VERSION,
+-+	    major, minor, SSH_RELEASE,
++ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++-	    major, minor, SSH_VERSION, comment,
+++	    major, minor, SSH_RELEASE, comment,
+  	    *options.version_addendum == '\0' ? "" : " ",
+  	    options.version_addendum, newline);
+  

diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
new file mode 100644
index 00000000..ddaf458
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
@@ -0,0 +1,343 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="7.2_p2"
+HPN_VER="14.10"
+
+HPN_DIR_PV="${HPN_PV/_}"
+HPN_PV="${HPN_PV/./_}"
+
+HPN_PATCH="${PN}-${HPN_PV/p/P}-hpn-14.10.diff"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}
+		mirror://sourceforge/project/hpnssh/HPN-SSH%20${HPN_VER/./v}%20${HPN_DIR_PV}/${HPN_PATCH}
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	use hpn && cp -L "${DISTDIR}"/${HPN_PATCH} "${WORKDIR}"/${HPN_PATCH}
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+		#save_version X509
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	if use hpn ; then
+		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		pushd "${WORKDIR}" >/dev/null
+		epatch "${FILESDIR}"/${P}-hpn-update.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${HPN_PATCH}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}