* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/, net-misc/openssh/files/
@ 2015-09-03 21:54 Anthony G. Basile
From: Anthony G. Basile @ 2015-09-03 21:54 UTC
To: gentoo-commits
commit: e9d6a1e0b883f7766516f48c1c097393ce8230ad
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 3 21:58:22 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Sep 3 21:58:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=e9d6a1e0
net-misc/openssh: 6.9 fails on ppc because of __stack_chk_fail_local.
Package-Manager: portage-2.2.20.1
RepoMan-Options: --force
Manifest-Sign-Key: 0x9384FA6EF52D4BBA
net-misc/openssh/Manifest | 20 +-
.../openssh/files/openssh-6.4_p1-x509-glue.patch | 30 --
.../openssh-6.4p1-fix-typo-construct_utmpx.patch | 21 -
.../files/openssh-6.4p1-missing-sys_param_h.patch | 67 ----
.../files/openssh-6.7_p1-sctp-x509-glue.patch | 42 --
.../openssh-6.7_p1-sshd-gssapi-multihomed.patch | 162 --------
.../openssh/files/openssh-6.7_p1-x509-glue.patch | 46 ---
.../openssh/files/openssh-6.7p1-avoid-exit.patch | 441 ---------------------
.../openssh-6.8_p1-ssl-engine-configure.patch | 33 ++
...6.7_p1-r99.ebuild => openssh-6.9_p1-r99.ebuild} | 198 +++++----
10 files changed, 131 insertions(+), 929 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7ec1e09..93e1dc2 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,23 +1,17 @@
AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11 WHIRLPOOL 2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
AUX openssh-6.3_p1-x509-hpn14v2-glue.patch 1451 SHA256 d7179b3c16edd065977aaf56a410e2b9b237206fb619474f312972b430b73c8d SHA512 02577e3f718ff994bb4e962189f17048b4c03104d0a1981683f3c6a1d6d30701db368e132102c8396da2c0f5eb2f6602b26f32f74d19382af34bd9a93fc508f3 WHIRLPOOL b7d224d71634f380bd31b3a1dd3e588a29582255f717a6a308738ad58b485b693d827a53704479995ec2ebca53c9dc9b2113d8de52a1336b67ce83943f946b77
-AUX openssh-6.4_p1-x509-glue.patch 1445 SHA256 cf18f17b12514692a4e33d5fb995f5ba1bc1ea258c80babb38516d8def7d0bc3 SHA512 e5c51fd639e95ca9c7820974684117861cc58cf5172c7c44deaaca106c1e91a931421720cb210652aef30ffa41bc96efe04dbedf996120b40143080fc6b2b47d WHIRLPOOL 7c7065a22cc6237a927e6d6c0f7b4bfa7b57e32ffd8b3d70ed9e70b9a882a95ce40478873374460a6173cc5a33c22ddfbbded783568049f1b4fccb5f5253d4bf
-AUX openssh-6.4p1-fix-typo-construct_utmpx.patch 796 SHA256 844bfa729eb63cd4c05c1dc518d34263f4da4e0f1510c39b27b8c15c0a23459c SHA512 d7d5dcee89b1b427098bcd8ff44d99aebb4ab077af450b89aa432796a4398e1516fe4a75fdb2ae6ef71b702ad1af5766af040316e37d3f71bce65de5be59830e WHIRLPOOL c01570bdcde7ca2c03df0db62c1c59486cf94380e6ce27104a897407d90c862e6f88ef3584f28c3c59a3744c64ad9405c6daf1053d241354bdc064d77520b03e
-AUX openssh-6.4p1-missing-sys_param_h.patch 2139 SHA256 0be81f4fbcabb1e8a5459f4b41f179498cef5e3411435c16fc9b36e3f619d79e SHA512 c7f997a5351d464b9d86f1b5ae221a9788a0c77ccaf7a4d2a4e266033fc58d0dede9c7fca8cfee36cfad328513d9ba6bb735be0e778a8ce489ad98d81110f579 WHIRLPOOL 1355becb4460a4749145fcc786fd45c260d779176761ae37e27de81072f8c84fdd16f2f1c6ea0d7576ba09e048d8be85a0449987ef2097ed5c5defca8ebb5b26
AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
-AUX openssh-6.7_p1-sctp-x509-glue.patch 1326 SHA256 42eb87eda1685e19add23c1304f17dabd99a1a38a57bfe2bfbb70ab85f6d385e SHA512 7f014e2b1893a5240680e2e14475d61b9b6047d1be3fe404d5971a899c122cc624546e9e5b31bfee5905cf7b4605a0871c3b00ed5c2bd28d84755a49392e1a69 WHIRLPOOL 8d6888163068dbc486bc4eff0dd7d4053f68b9848347eb520dd7d382b0b8c74e3016f7f3ed401c2c2dfd48e73a9077fb9777d39c0f236cc500c53393be426b42
-AUX openssh-6.7_p1-sshd-gssapi-multihomed.patch 5489 SHA256 d2a1735b523709a4b4ceaa57862ecb21a95656678bacc5b7da59dc46187ad997 SHA512 a8b8d2c2ab4520c8c7315f6130ee44fec48935a129ce7c7e51a068a4de2c7528980437246b61e4abc4cff614466f8054c554cdbaad4eb0d1f4afcfb434c30bbc WHIRLPOOL e4b97398c324360576a04792357f66be3ed9f17e4113f75275f8422ee0b7ecf28073c7cde01a63e24fa0901b14db822d22d7d2c5936bbee3bd5874a867066967
-AUX openssh-6.7_p1-x509-glue.patch 1633 SHA256 58031e90e0bf220028934ab590af6ccfc45722629b2416df13d84f10c9b94478 SHA512 364ca0280be5cc83d1dedf7727323fd5fc0093c6dbcf9cc8ccaa30ee754b866584be28da1166953f03faf8745d6364e33fad7daad9be9a29681a8674eb9d292b WHIRLPOOL b79a6cff897be78793bbf2ca03154103aa1380647b8c53e104155fd68122568a8e7dea23996213b192e4269f980b1035d3ca395dbd2c318fd81a45f44d110c31
-AUX openssh-6.7p1-avoid-exit.patch 9766 SHA256 a2ccd76c5ce0f5761c1cea49a7055c171c2be1cfe6bf20ae60ba6cbfe7c7d1f4 SHA512 524630996012c0cbbcc835519760808a52b68d9180b8d82bd3f596bbd3661bceec9e6163876a2bedf7b7ce0d869800801134f1f465c3e2a932f0d300a23ad172 WHIRLPOOL 0254a83459a480370e89556417e077d9f206bf3b34a1630019db619647c055d1c4e4d8570ba154666bf60b8dea60c3ed97a7ba9b7b81e9680f4a62a1a2d3198a
+AUX openssh-6.8_p1-ssl-engine-configure.patch 936 SHA256 cb3f34ef031aa5360b082468b4afb8b7fd2c778c990c2f20fda250167725ff88 SHA512 4b7840f719ad58c1f196327a52534f0a21264ce47e8df4a335e9f58d9d5eae33dbb9a75a2a714c3bdae6bee04728e66020ed57eb521fc1164521c4c5aa4a9a93 WHIRLPOOL 662d6eedb091021d5da4cdbd6d623e3678e54fb75cb52d8afdc4ef9c31f98d95f8445c2fde834d622b0aabf8b9593244847da574201ed176c350747526a28fe5
AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
AUX sshd.rc6.4 2313 SHA256 97221a017d8ee9de996277c5a794d973a0b5e8180c29c97b3652bd1984a7b5d0 SHA512 88826bc9923299ac4c1502e7076483d6c197fd5a0e693bc2e1690f82bcd7d1bbd144aae2ffd92acb28d6fe912233aa93346e00c72917de65c22811ce9cd5bff7 WHIRLPOOL a77bad5891eb74770ae12e79131a99e5645a83841d14f1d60e39581a23b9d86e66b2e5fb7d0c989afac410eb5c6a627b83389d54085d1b78c89fc07852f8eb66
AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
-DIST openssh-6.7_p1-sctp.patch.xz 7408 SHA256 b33e82309195f2a3f21a9fb14e6da2080b096dcf0d6f1c36c93cdeac683fdd59 SHA512 35da5e58f857e8b24e63b4058e946b71fdf0fecc637cb7af0ba8913869e5aadf8317805838936c84dc24421f03c5c91e1670761bed152fdf325c5a509f1b5d04 WHIRLPOOL cc7bace4aa60d720914e3a6a4ff650b7543d9e4963deab12c19cb5d798547b4fe547690946ff8955e121339e9a3d0ebe06f3ff758cca4bb81a09ac43fc877f58
-DIST openssh-6.7p1+x509-8.2.diff.gz 241798 SHA256 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f SHA512 d33ece7ddf382235b032875cf961845b308dc5e4cd1888cb68fee11c95066bb90938f9043cb9410f372efb578b61dfd5d50341da95a92fab5a4c209ac54e1f5e WHIRLPOOL b1fe2b88f0e77312099171f5c83dc670abc4c40d215fdff1e43161e44f806de9e0537cfa3a0001e1c7bbc0d0aed555079455f88b8ff313b00d8e9a19dabcb7d8
-DIST openssh-6.7p1-hpnssh14v5.tar.xz 25652 SHA256 7284db65548b6b04142930da86972f96b1f5aa8ad3fc125134412f904f369d7e SHA512 21929805f40c79684ee3ecdb2b495d3204dca90b932aa633c4e0f6a093a417259cdeee10b3e49f3dff426febc6792f45ee23cc0688f05bf047630f3016e0926a WHIRLPOOL 5515cd4c745b061a3e92ac03e8121fb3ffc4b2ff116140625ca7ab2c0211c673b6345e5b08134df8b1743e03f9964017e789e1f0b9da99a0fd5970e14665e681
-DIST openssh-6.7p1.tar.gz 1351367 SHA256 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 SHA512 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d WHIRLPOOL ac8ce86d0f6c78c4cb3624b480f189f951d508db38b22d7a5550b7302d5277c1c7d18eaa713d52139abc0f77edacfdb03ced2603125e3ddf9bc09c69e6b70518
-DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
-EBUILD openssh-6.7_p1-r99.ebuild 10109 SHA256 3f94d0374656b23805d4d211bc6bf882814082a2d71a7f505e043550dedf029e SHA512 e311b8c49059904226b78bc4184e9e85c9c3e331f50937e20a8db8e337baa9ac8e6d12ab63642aa4247913ff5402fc532fa70192fdaef3072f790db2609a9297 WHIRLPOOL 6fb85a46881a1e226ac8a50fc8bd848d67f21689ff117f457882ae72faff424266816cbd078fea89464a55d3b33cf46bb49f8eaa80f252713d6b8b0ba06da246
+DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
+DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
+DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
+DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
+DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
+EBUILD openssh-6.9_p1-r99.ebuild 9784 SHA256 41579ef5715c5a7a6b96b290830cf52189d26ddd73c932763e5078a9b27286e1 SHA512 3c6885e8f6ff5b43dfcf99c8dfc303fb01c31d383c51439a9bfd731a7111d4c79393f1df8567c028e6bd553958d381d6d0d2585b3f88273083e20a3e05fc941a WHIRLPOOL b669a92baf88cc26c024db804240a7f5bca2feef1bb634674837d6c83d78436e01008072e6d18682e2526e4b1427a753e46821495b768df2c49adef28addfd28
MISC metadata.xml 1912 SHA256 7b838285f09ad395f237a0d0b9963eee86d0e85b58e6e5b4d5edb093fa888a0a SHA512 e55c10ffd12488720c3da19e55942cfedec63fe767fc1608439b5a3932eeb5488086ad7ef4e1f858c89381e737426f035845ea5e8bede4ed8a0ccabdc656d9b5 WHIRLPOOL 5c07b3dd4a4002cff5df62133ecf570bf79f58e9477d0ad25d60f185ee029183d11118147e3adfec373542659d921e99e787054cfe9284031c974d694de6e9ed
diff --git a/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch
deleted file mode 100644
index 6aed19b..0000000
--- a/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch and remove
-redundant README.x509v3 directory.
-
---- openssh-6.4p1+x509-7.7.diff.orig 2013-11-09 14:51:13.400696545 -0800
-+++ openssh-6.4p1+x509-7.7.diff 2013-11-09 14:51:05.798786189 -0800
-@@ -6809,9 +6809,9 @@
-
- -$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
- +$OpenBSD$
--diff -ruN openssh-6.4p1/README.x509v3/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3
----- openssh-6.4p1/README.x509v3/README.x509v3 1970-01-01 02:00:00.000000000 +0200
--+++ openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3 2013-05-17 18:50:02.156263192 +0300
-+diff -ruN openssh-6.4p1/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3
-+--- openssh-6.4p1/README.x509v3 1970-01-01 02:00:00.000000000 +0200
-++++ openssh-6.4p1+x509-7.7/README.x509v3 2013-05-17 18:50:02.156263192 +0300
- @@ -0,0 +1,615 @@
- + Roumen Petrov
- + Sofia, Bulgaria
-@@ -14793,10 +14793,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -490,6 +567,16 @@
-+@@ -490,5 +567,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased
diff --git a/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch b/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch
deleted file mode 100644
index a3361ca..0000000
--- a/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c
---- openssh-6.4p1.orig/loginrec.c 2014-01-22 17:33:12.380676129 +0000
-+++ openssh-6.4p1/loginrec.c 2014-01-22 17:55:40.957751536 +0000
-@@ -785,12 +785,12 @@
- /* this is just a 128-bit IPv6 address */
- if (li->hostaddr.sa.sa_family == AF_INET6) {
- sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
-- memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
-+ memcpy(utx->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
- if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
-- ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
-- ut->ut_addr_v6[1] = 0;
-- ut->ut_addr_v6[2] = 0;
-- ut->ut_addr_v6[3] = 0;
-+ utx->ut_addr_v6[0] = utx->ut_addr_v6[3];
-+ utx->ut_addr_v6[1] = 0;
-+ utx->ut_addr_v6[2] = 0;
-+ utx->ut_addr_v6[3] = 0;
- }
- }
- # endif
diff --git a/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch b/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch
deleted file mode 100644
index 22b6ffa..0000000
--- a/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff -Naur openssh-6.4p1.orig/channels.c openssh-6.4p1/channels.c
---- openssh-6.4p1.orig/channels.c 2014-01-22 17:14:19.508612783 +0000
-+++ openssh-6.4p1/channels.c 2014-01-22 17:18:18.176626129 +0000
-@@ -61,6 +61,7 @@
- #include <termios.h>
- #include <unistd.h>
- #include <stdarg.h>
-+#include <sys/param.h>
-
- #include "openbsd-compat/sys-queue.h"
- #include "xmalloc.h"
-diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c
---- openssh-6.4p1.orig/loginrec.c 2013-06-01 22:07:32.000000000 +0000
-+++ openssh-6.4p1/loginrec.c 2014-01-22 17:30:57.322668577 +0000
-@@ -162,6 +162,7 @@
- #include <stdarg.h>
- #include <string.h>
- #include <time.h>
-+#include <sys/time.h>
- #include <unistd.h>
-
- #include "xmalloc.h"
-diff -Naur openssh-6.4p1.orig/sshconnect.c openssh-6.4p1/sshconnect.c
---- openssh-6.4p1.orig/sshconnect.c 2014-01-22 17:16:53.809621411 +0000
-+++ openssh-6.4p1/sshconnect.c 2014-01-22 17:17:19.535622850 +0000
-@@ -40,6 +40,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#include <sys/param.h>
-
- #include "xmalloc.h"
- #include "key.h"
-diff -Naur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
---- openssh-6.4p1.orig/sshd.c 2014-01-22 17:14:19.517612784 +0000
-+++ openssh-6.4p1/sshd.c 2014-01-22 17:18:54.560628163 +0000
-@@ -83,6 +83,8 @@
- #include <prot.h>
- #endif
-
-+#include <sys/param.h>
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh1.h"
-diff -Naur openssh-6.4p1.orig/ssh-keyscan.c openssh-6.4p1/ssh-keyscan.c
---- openssh-6.4p1.orig/ssh-keyscan.c 2013-06-01 21:31:19.000000000 +0000
-+++ openssh-6.4p1/ssh-keyscan.c 2014-01-22 17:59:37.756764777 +0000
-@@ -29,6 +29,7 @@
- #include <signal.h>
- #include <string.h>
- #include <unistd.h>
-+#include <sys/param.h>
-
- #include "xmalloc.h"
- #include "ssh.h"
-diff -Naur openssh-6.4p1.orig/ssh-pkcs11-helper.c openssh-6.4p1/ssh-pkcs11-helper.c
---- openssh-6.4p1.orig/ssh-pkcs11-helper.c 2013-06-01 21:31:19.000000000 +0000
-+++ openssh-6.4p1/ssh-pkcs11-helper.c 2014-01-22 18:00:04.653766281 +0000
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <unistd.h>
- #include <errno.h>
-+#include <sys/param.h>
-
- #include "xmalloc.h"
- #include "buffer.h"
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
deleted file mode 100644
index bd0b7ce..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800
-+++ openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800
-@@ -195,14 +195,6 @@
- .Op Fl c Ar cipher
- .Op Fl F Ar ssh_config
- .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UsePrivilegedPort
-- .It User
-- .It UserKnownHostsFile
- @@ -218,6 +219,8 @@ and
- to print debugging messages about their progress.
- This is helpful in
-@@ -482,14 +474,6 @@
- .Op Fl b Ar bind_address
- .Op Fl c Ar cipher_spec
- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
- @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
- controls.
- .It Fl y
-@@ -527,7 +511,7 @@
-- again:
-+
- - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
- + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
- switch (opt) {
- case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 96818e4..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[NI_MAXHOST];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, sizeof(lname))) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
deleted file mode 100644
index 71b9c51..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- openssh-6.7p1.orig/sshd_config.5 2014-11-24 10:24:29.356244415 -0800
-+++ openssh-6.7p1/sshd_config.5 2014-11-24 10:23:49.415029039 -0800
-@@ -610,21 +610,6 @@
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
--.It Cm GSSAPIStrictAcceptorCheck
--Determines whether to be strict about the identity of the GSSAPI acceptor
--a client authenticates against.
--If set to
--.Dq yes
--then the client must authenticate against the
--.Pa host
--service on the current hostname.
--If set to
--.Dq no
--then the client may authenticate against any service key stored in the
--machine's default store.
--This facility is provided to assist with operation on multi homed machines.
--The default is
--.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
-@@ -651,6 +636,21 @@
- attempting to resolve the name from the TCP connection itself.
- The default is
- .Dq no .
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostCertificate
- Specifies a file containing a public host certificate.
- The certificate's public key must match a private host key already specified
diff --git a/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch b/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch
deleted file mode 100644
index 4998a94..0000000
--- a/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch
+++ /dev/null
@@ -1,441 +0,0 @@
-diff -ur a/openssh-6.7p1/configure.ac b/openssh-6.7p1/configure.ac
---- a/openssh-6.7p1/configure.ac 2014-08-26 21:32:01.000000000 -0100
-+++ b/openssh-6.7p1/configure.ac 2014-12-08 20:55:47.281836604 -0100
-@@ -252,7 +252,7 @@
- [AC_LANG_PROGRAM([[
- #include <stdlib.h>
- __attribute__((__unused__)) static void foo(void){return;}]],
-- [[ exit(0); ]])],
-+ [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
- AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
-@@ -442,7 +442,7 @@
- [AC_LANG_PROGRAM([[
- #define testmacro foo
- #define testmacro bar]],
-- [[ exit(0); ]])],
-+ [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
- CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
-@@ -562,9 +562,9 @@
- AC_MSG_CHECKING([if we have working getaddrinfo])
- AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
- main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-- exit(0);
-+ return 0;
- else
-- exit(1);
-+ return 1;
- }
- ]])],
- [AC_MSG_RESULT([working])],
-@@ -1067,7 +1067,7 @@
- esac
-
- AC_MSG_CHECKING([compiler and flags for sanity])
--AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
-+AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [
- AC_MSG_RESULT([no])
-@@ -1099,9 +1099,9 @@
- strncpy(buf,"/etc", 32);
- s = dirname(buf);
- if (!s || strncmp(s, "/", 32) != 0) {
-- exit(1);
-+ return 1;
- } else {
-- exit(0);
-+ return 0;
- }
- }
- ]])],
-@@ -1191,19 +1191,19 @@
- int a=0, b=0, c=0, d=0, n, v;
- n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (n != 3 && n != 4)
-- exit(1);
-+ return 1;
- v = a*1000000 + b*10000 + c*100 + d;
- fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
-
- /* 1.1.4 is OK */
- if (a == 1 && b == 1 && c >= 4)
-- exit(0);
-+ return 0;
-
- /* 1.2.3 and up are OK */
- if (v >= 1020300)
-- exit(0);
-+ return 0;
-
-- exit(2);
-+ return 2;
- ]])],
- AC_MSG_RESULT([no]),
- [ AC_MSG_RESULT([yes])
-@@ -1308,7 +1308,7 @@
- #include <dirent.h>]],
- [[
- struct dirent d;
-- exit(sizeof(d.d_name)<=sizeof(char));
-+ return sizeof(d.d_name)<=sizeof(char);
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1354,7 +1354,7 @@
- #include <skey.h>
- ]], [[
- char *ff = skey_keyinfo(""); ff="";
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1403,7 +1403,7 @@
- #include <stdlib.h>
- #include <stdint.h>
- #include <ldns/ldns.h>
--int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
-+int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; return 0; }
- ]])
- ],
- [AC_MSG_RESULT(yes)],
-@@ -1460,7 +1460,7 @@
- [[
- int i = H_SETSIZE;
- el_init("", NULL, NULL, NULL);
-- exit(0);
-+ return 0;
- ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
-@@ -1808,9 +1808,9 @@
- errno=0;
- setresuid(0,0,0);
- if (errno==ENOSYS)
-- exit(1);
-+ return 1;
- else
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_DEFINE([BROKEN_SETRESUID], [1],
-@@ -1831,9 +1831,9 @@
- errno=0;
- setresgid(0,0,0);
- if (errno==ENOSYS)
-- exit(1);
-+ return 1;
- else
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_DEFINE([BROKEN_SETRESGID], [1],
-@@ -1875,7 +1875,7 @@
- [[
- char b[5];
- snprintf(b,5,"123456789");
-- exit(b[4]!='\0');
-+ return b[4]!='\0';
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1966,9 +1966,9 @@
- ]], [[
- char template[]="conftest.mkstemp-test";
- if (mkstemp(template) == -1)
-- exit(1);
-+ return 1;
- unlink(template);
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([no])
-@@ -1999,22 +1999,22 @@
-
- pid = fork();
- if (pid < 0) { /* failed */
-- exit(1);
-+ return 1;
- } else if (pid > 0) { /* parent */
- waitpid(pid, &status, 0);
- if (WIFEXITED(status))
-- exit(WEXITSTATUS(status));
-+ return WEXITSTATUS(status);
- else
-- exit(2);
-+ return 2;
- } else { /* child */
- close(0); close(1); close(2);
- setsid();
- openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
- fd = open("/dev/tty", O_RDWR | O_NOCTTY);
- if (fd >= 0)
-- exit(3); /* Acquired ctty: broken */
-+ return 3; /* Acquired ctty: broken */
- else
-- exit(0); /* Did not acquire ctty: OK */
-+ return 0; /* Did not acquire ctty: OK */
- }
- ]])],
- [
-@@ -2055,7 +2055,7 @@
- err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
- if (err != 0) {
- fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-- exit(1);
-+ return 1;
- }
-
- for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-@@ -2072,7 +2072,7 @@
- else
- fprintf(stderr, "getnameinfo failed: %s\n",
- gai_strerror(err));
-- exit(2);
-+ return 2;
- }
-
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-@@ -2080,10 +2080,10 @@
- perror("socket");
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- if (errno == EBADF)
-- exit(3);
-+ return 3;
- }
- }
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2123,7 +2123,7 @@
- err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
- if (err != 0) {
- fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-- exit(1);
-+ return 1;
- }
-
- for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-@@ -2136,10 +2136,10 @@
-
- if (ai->ai_family == AF_INET && err != 0) {
- perror("getnameinfo");
-- exit(2);
-+ return 2;
- }
- }
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2248,12 +2248,12 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [
- ssl_header_ver=`cat conftest.sslincver`
-@@ -2283,13 +2283,13 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
- SSLeay_version(SSLEAY_VERSION))) <0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [
- ssl_library_ver=`cat conftest.ssllibver`
-@@ -2330,7 +2330,7 @@
- #include <string.h>
- #include <openssl/opensslv.h>
- ]], [[
-- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
-+ return SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2419,7 +2419,7 @@
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
-- exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
-+ return EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL;
- ]])],
- [
- AC_MSG_RESULT([no])
-@@ -2490,7 +2490,7 @@
- #include <openssl/evp.h>
- ]], [[
- if(EVP_DigestUpdate(NULL, NULL,0))
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2604,7 +2604,7 @@
- ]],[[
- EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
- const EVP_MD *m = EVP_sha512(); /* We need this too */
-- exit(e == NULL || m == NULL);
-+ return e == NULL || m == NULL;
- ]])],
- [ AC_MSG_RESULT([yes])
- enable_nistp521=1 ],
-@@ -2677,7 +2677,7 @@
- #include <string.h>
- #include <openssl/rand.h>
- ]], [[
-- exit(RAND_status() == 1 ? 0 : 1);
-+ return RAND_status() == 1 ? 0 : 1;
- ]])],
- [
- OPENSSL_SEEDS_ITSELF=yes
-@@ -2985,7 +2985,7 @@
- struct rlimit rl_zero;
-
- rl_zero.rlim_cur = rl_zero.rlim_max = 0;
-- exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
-+ return setrlimit(RLIMIT_FSIZE, &rl_zero) != 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_MSG_RESULT([no])
-@@ -3119,7 +3119,7 @@
- long long i, llmin, llmax = 0;
-
- if((f = fopen(DATA,"w")) == NULL)
-- exit(1);
-+ return 1;
-
- #if defined(LLONG_MIN) && defined(LLONG_MAX)
- fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
-@@ -3138,16 +3138,16 @@
- || llmax - 1 > llmax || llmin == llmax || llmin == 0
- || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
- fprintf(f, "unknown unknown\n");
-- exit(2);
-+ return 2;
- }
-
- if (fprint_ll(f, llmin) < 0)
-- exit(3);
-+ return 3;
- if (fprint_ll(f, llmax) < 0)
-- exit(4);
-+ return 4;
- if (fclose(f) < 0)
-- exit(5);
-- exit(0);
-+ return 5;
-+ return 0;
- ]])],
- [
- llong_min=`$AWK '{print $1}' conftest.llminmax`
-@@ -3553,8 +3553,8 @@
- strcpy(expected_out, "9223372036854775807");
- snprintf(buf, mazsize, "%lld", num);
- if(strcmp(buf, expected_out) != 0)
-- exit(1);
-- exit(0);
-+ return 1;
-+ return 0;
- }
- #else
- main() { exit(0); }
-@@ -3641,11 +3641,11 @@
- ]], [[
- #ifdef msg_accrights
- #error "msg_accrights is a macro"
--exit(1);
-+return 1;
- #endif
- struct msghdr m;
- m.msg_accrights = 0;
--exit(0);
-+return 0;
- ]])],
- [ ac_cv_have_accrights_in_msghdr="yes" ],
- [ ac_cv_have_accrights_in_msghdr="no" ]
-@@ -3702,11 +3702,11 @@
- ]], [[
- #ifdef msg_control
- #error "msg_control is a macro"
--exit(1);
-+return 1;
- #endif
- struct msghdr m;
- m.msg_control = 0;
--exit(0);
-+return 0;
- ]])],
- [ ac_cv_have_control_in_msghdr="yes" ],
- [ ac_cv_have_control_in_msghdr="no" ]
-@@ -4128,22 +4128,22 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- #if defined (_PATH_MAILDIR)
- if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
-- exit(1);
-+ return 1;
- #elif defined (MAILDIR)
- if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
-- exit(1);
-+ return 1;
- #elif defined (_PATH_MAIL)
- if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
-- exit(1);
-+ return 1;
- #else
- exit (2);
- #endif
-
-- exit(0);
-+ return 0;
- ]])],
- [
- maildir_what=`awk -F: '{print $1}' conftest.maildir`
-@@ -4378,12 +4378,12 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [ user_path=`cat conftest.stdpath` ],
- [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
new file mode 100644
index 0000000..a355e2c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
@@ -0,0 +1,33 @@
+https://github.com/openssh/openssh-portable/pull/29
+
+From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 18 Mar 2015 12:37:24 -0400
+Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
+ set
+
+---
+ configure.ac | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b4d6598..7806d20 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2276,10 +2276,10 @@ openssl_engine=no
+ AC_ARG_WITH([ssl-engine],
+ [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
+ [
+- if test "x$openssl" = "xno" ; then
+- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
+- fi
+ if test "x$withval" != "xno" ; then
++ if test "x$openssl" = "xno" ; then
++ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
++ fi
+ openssl_engine=yes
+ fi
+ ]
+--
+2.3.2
+
diff --git a/net-misc/openssh/openssh-6.7_p1-r99.ebuild b/net-misc/openssh/openssh-6.9_p1-r99.ebuild
similarity index 63%
rename from net-misc/openssh/openssh-6.7_p1-r99.ebuild
rename to net-misc/openssh/openssh-6.9_p1-r99.ebuild
index f6ad39c..d763f9b 100644
--- a/net-misc/openssh/openssh-6.7_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.9_p1-r99.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.7_p1-r3.ebuild,v 1.1 2014/11/25 22:35:45 chutzpah Exp $
+# $Id$
EAPI="4"
inherit eutils user flag-o-matic multilib autotools pam systemd versionator
@@ -9,17 +9,17 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator
# and _p? releases.
PARCH=${P/_}
-HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz"
-X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz"
+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
+X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${P}-sctp.patch.xz
+ mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
${HPN_PATCH:+hpn? (
mirror://gentoo/${HPN_PATCH}
- http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
+ https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
mirror://sourceforge/hpnssh/${HPN_PATCH}
)}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
@@ -28,36 +28,37 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509"
-REQUIRED_USE="pie? ( !static )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+KEYWORDS="ppc"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
+ ssl? (
+ >=dev-libs/openssl-0.9.6d:0[bindist=]
+ dev-libs/openssl[static-libs(+)]
+ )
>=sys-libs/zlib-1.2.3[static-libs(+)]"
RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
kerberos? ( virtual/krb5 )
ldap? ( net-nds/openldap )"
DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
+ static? ( ${LIB_DEPEND} )
virtual/pkgconfig
virtual/os-headers
sys-devel/autoconf"
@@ -85,6 +86,12 @@ pkg_setup() {
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
}
save_version() {
@@ -104,29 +111,29 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
- epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361
if use X509 ; then
pushd .. >/dev/null
- epatch "${FILESDIR}"/${P}-x509-glue.patch
- epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
+ #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
+ epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
popd >/dev/null
epatch "${WORKDIR}"/${X509_PATCH%.*}
epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
+ epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
save_version X509
fi
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- else
- use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
fi
epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch
- if [[ -n ${HPN_PATCH} ]] && use hpn; then
- epatch "${WORKDIR}"/${HPN_PATCH%.*}/*
+ # The X509 patchset fixes this independently.
+ use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
+ epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
+ if use hpn ; then
+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
save_version HPN
fi
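Review bot: The X509 branch now applies `"${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch` and `"${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch`, but neither file is in this commit's file list while the 6.7_p1 glue patches it replaces are deleted; unless both are already present in files/, `epatch` dies for USE=X509 on the first build. The commented-out `#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch` line should either be dropped or carry a one-line reason, since a disabled patch with no explanation reads as an oversight to the next maintainer. src_prepare starts before this hunk.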
@@ -145,10 +152,6 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{.ac,} || die
- epatch "${FILESDIR}"/${PN}-6.7p1-avoid-exit.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
-
epatch_user #473004
# Now we can build a sane merged version.h
@@ -162,58 +165,53 @@ src_prepare() {
eautoreconf
}
-static_use_with() {
- local flag=$1
- if use static && use ${flag} ; then
- ewarn "Disabling '${flag}' support because of USE='static'"
- # rebuild args so that we invert the first one (USE flag)
- # but otherwise leave everything else working so we can
- # just leverage use_with
- shift
- [[ -z $1 ]] && flag="${flag} ${flag}"
- set -- !${flag} "$@"
- fi
- use_with "$@"
-}
-
src_configure() {
- local myconf=()
addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys #skey configure code triggers this
+ addpredict /etc/skey/skeykeys # skey configure code triggers this
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
+ local myconf=(
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ # The X509 patch deletes this option entirely.
+ $(use X509 || use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ # ppc musl lacks __stack_chk_fail_local()
+ myconf+=( --without-hardening )
+
# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
append-ldflags -lutil
fi
- # __stack_chk_fail_local
- use x86 && myconf+=( --without-stackprotect)
- use ppc && myconf+=( --without-stackprotect)
-
- econf \
- --with-ldflags="${LDFLAGS}" \
- --disable-strip \
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run \
- --sysconfdir="${EPREFIX}"/etc/ssh \
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
- --datadir="${EPREFIX}"/usr/share/openssh \
- --with-privsep-path="${EPREFIX}"/var/empty \
- --with-privsep-user=sshd \
- --with-md5-passwords \
- --with-ssl-engine \
- $(static_use_with pam) \
- $(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \
- ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
- $(use_with ldns) \
- $(use_with libedit) \
- $(use_with pie) \
- $(use_with sctp) \
- $(use_with selinux) \
- $(use_with skey) \
- "${myconf[@]}"
+ econf "${myconf[@]}"
}
src_install() {
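Review bot: `myconf+=( --without-hardening )` is added unconditionally, and it is broader than the `use ppc && myconf+=( --without-stackprotect)` it replaces: as far as I recall, openssh's `--with-hardening` switch also governs the `_FORTIFY_SOURCE` and relro/now/noexecstack toolchain checks, so this disables more than the stack protector that the `__stack_chk_fail_local` failure is about. With KEYWORDS="ppc" the practical effect is the same today, but dropping the arch guard means any keyword added later silently inherits the downgrade. Keep the guard and record why the narrower switch was not used: `# ppc musl lacks __stack_chk_fail_local(); note why --without-stackprotect is not enough here` / `use ppc && myconf+=( --without-hardening )`.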
@@ -224,12 +222,6 @@ src_install() {
newconfd "${FILESDIR}"/sshd.confd sshd
keepdir /var/empty
- # not all openssl installs support ecc, or are functional #352645
- if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
- elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
- sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
- fi
-
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then
sed -i \
@@ -237,7 +229,7 @@ src_install() {
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+ "${ED}"/etc/ssh/sshd_config || die
fi
# Gentoo tweaks to default config files
@@ -252,12 +244,6 @@ src_install() {
SendEnv LANG LC_*
EOF
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
insinto /etc/openldap/schema/
newins openssh-lpk_openldap.schema openssh-lpk.schema
@@ -318,13 +304,11 @@ pkg_postinst() {
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
ewarn "Remember to merge your config files in /etc/ssh/ and then"
ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- echo
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
+ elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
+ elog " dropped it. Make sure to update any configs that you might have."
}
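Review bot: `has_version "<${CATEGORY}/${PN}-6.9_p1"` in pkg_postinst relies on the old instance still being in the vdb when postinst runs; with EAPI="4" the package manager already provides the versions being replaced in `REPLACING_VERSIONS`, which is the intended way to detect an upgrade. The ebuild inherits versionator, so `local v; for v in ${REPLACING_VERSIONS} ; do` / `version_is_at_least 6.9_p1 "${v}" || { elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." ; break ; }` / `done` gives the same message without the vdb dependency. pkg_postinst starts before this hunk.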
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/, net-misc/openssh/files/
@ 2017-04-23 0:18 Anthony G. Basile
From: Anthony G. Basile @ 2017-04-23 0:18 UTC (permalink / raw
To: gentoo-commits
commit: 4be0e5dea987af9ee4f74de79fa48ae39b208774
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Apr 23 00:18:00 2017 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Apr 23 00:18:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=4be0e5de
net-misc/openssh: needs --without-stackprotect on i686 with gcc-5
net-misc/openssh/Manifest | 24 ++
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 +
.../files/openssh-7.3-mips-seccomp-n32.patch | 21 ++
.../openssh/files/openssh-7.3_p1-GSSAPI-dns.patch | 351 ++++++++++++++++++++
.../files/openssh-7.3_p1-NEWKEYS_null_deref.patch | 29 ++
...egister-the-KEXINIT-handler-after-receive.patch | 32 ++
...ssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch | 34 ++
.../openssh-7.3_p1-hpn-12-x509-9.2-glue.patch | 39 +++
...ssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch | 245 ++++++++++++++
.../files/openssh-7.3_p1-hpn-x509-9.2-glue.patch | 41 +++
.../files/openssh-7.3_p1-sctp-x509-glue.patch | 67 ++++
.../files/openssh-7.3_p1-x509-9.2-warnings.patch | 109 +++++++
net-misc/openssh/files/sshd.confd | 21 ++
net-misc/openssh/files/sshd.pam_include.2 | 4 +
net-misc/openssh/files/sshd.rc6.4 | 84 +++++
net-misc/openssh/files/sshd.service | 11 +
net-misc/openssh/files/sshd.socket | 10 +
net-misc/openssh/files/sshd_at.service | 8 +
net-misc/openssh/metadata.xml | 40 +++
net-misc/openssh/openssh-7.3_p1-r7.ebuild | 352 +++++++++++++++++++++
20 files changed, 1539 insertions(+)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
new file mode 100644
index 0000000..0d77c6c
--- /dev/null
+++ b/net-misc/openssh/Manifest
@@ -0,0 +1,24 @@
+AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
+AUX openssh-7.3-mips-seccomp-n32.patch 634 SHA256 a3d63f394e9ea692a5a515983f1ce85d2ba79ea6e6b0fd5659e05a18b753316a SHA512 eba3e843d3714501a1df3161d02134c54c8ce584db3af698b87d303fc17c16635bd06db4d7c2d9bb47f461c3b211d870b480fd927f4563207e11c9ed2c446770 WHIRLPOOL d1f87fbfd24694617ef1a03a55ba8f32ac6ac8c62541208f754df41bb30065a9f1bba640a645d9ef184aae2f7b35759b84d2564f38f9ab130cc2d282be203f75
+AUX openssh-7.3_p1-GSSAPI-dns.patch 11137 SHA256 081c1cee62b43aae1d84ee67e3b510f0775081c9901c971a6f60a35bb92046f1 SHA512 70db76a409d5a11513f57c67671131b95c83164af2ecafa423986def42a1a2a31c4653d06f510b8c440a974e03f0acad8cbe20d5a17cfb2ed4598a9b8ae60b91 WHIRLPOOL bd3f32d7b795d9d5948d1a2d38a3e9fc6380369378988da095e096a54bf8c41209bfa7955c04b68b3966a30ca10fd522778d76a0621d0858639f3e09f075b708
+AUX openssh-7.3_p1-NEWKEYS_null_deref.patch 857 SHA256 0d612c16c7b1b3b45fbe1c1507c4e80cfe001ab4fd7fbcfc80fb9cecc893d94a SHA512 2230ddd7473feaa22544eae5c1074981e5ade322a22016f245ec3a6b3bf260104909021497a728fbfaf5dbd6e81269b9b815a3a3de2bf8104f7b3d1bdacbcc06 WHIRLPOOL b927971ec7c07a8d350690280d9766f71ebeb03fc6ffefa2457801abf160ee331ec3bafca02acc3697899d9e2a56ce7b01e68b745cb6f5b491d8b30aea0b9366
+AUX openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch 953 SHA256 76059e75ba5f5d00c6ac74aa12017e98d1b401efb9f1c6073fa8013e5fc4204a SHA512 c705b08fa269d21da261cc9fce2ebcc409e252064d789b63ba14685495e46cb472a81fa563a74c80e4bf76e4982fba98ff5329a037f1fa4f28c75b4db18e7691 WHIRLPOOL 826f2e520742f65e0e7a2f183917483f4dd96c2fc52360d3307c41cc307eddb434e8205c7665a65eadde2e20a7a4b71020d2925ea59518234da2cbda6afb2b3b
+AUX openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch 1088 SHA256 5841cc4a42238202d6fa3ee5fbccacbfad7156eb9d9b361d251f693443a0b672 SHA512 967da12f9d15e8347d9832a7fc90e378e42a49c6fb63c8ff3a28e66601c9dab64d5d43c8da34aa3fb08466088eb725abebb4efcef95b1aa0ada86cab27584106 WHIRLPOOL 50bb4bd2ff23d9aff94fa12755aebd91d0088691fb9899169e3018d91679f014f012d3b2d9c5b87a8c3edcaa2b8a19f9ec49c6803d95731f8020442840d26bbf
+AUX openssh-7.3_p1-hpn-12-x509-9.2-glue.patch 1608 SHA256 9a85d7cd56be8276e6407fe70ea22554323143d57209e0881f6ec0cc16705765 SHA512 bbbeca5d683427347e9db8cdaa5c96bfdbae901245e508dec8927110e199798127b7c4df8ef2455c1fec53263d600c7957d5b55e1b78263776a45808b4c0b86a WHIRLPOOL 928a2603737c36a23d76145b0e11108645d13263ad955ad30de5a8ee7a008774cdb63ad144d141f7ed6f16f885ee427a7827ba7397a1cec465db3a32fd0ac215
+AUX openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 7005 SHA256 44ae73966a98e0d7cf36f35b64472b62128040c86720a915b6e72ca269b72f13 SHA512 35cb90a5ebf85b31db902155a8d48a65d2734943cf46e2ac1fcbcb8a19e31d9bf6057ec3c0001a4cb14eac572e5d400087c3218c81df40146731472e406499d8 WHIRLPOOL ba47e8f157ecf448becef9f1c9dfb5bea9f6bd39b461c13cb265a7dc9fde31634a583db3849429ed27129e8c5e797eebe7141c310674126a9a0e2f232c92d8e1
+AUX openssh-7.3_p1-hpn-x509-9.2-glue.patch 1611 SHA256 7d04d19e62e688c9c12c25fd479933dd2c707f838ac810263dd1dc79a5ff55f1 SHA512 3604f0f1ea6c74b8418ac158df47910dfb2d54c7ce77f78f1a6c072acd20dc5751e24156acd9dda02aecaac250f43c8d968382f2f4b15b4706e4c4bde8ebde9a WHIRLPOOL b327a94c5b37da296caaa925bf13adf81ab3a53dffe691b33010b89b07366445613e553b4f486bacab658e2dcec143971001b4158f493e9b7e5bd427f0e072fb
+AUX openssh-7.3_p1-sctp-x509-glue.patch 2447 SHA256 a6758b9bff99022b1aa1bc729fcdcc8e4e91d0a617c903d72964cc1fca1ea061 SHA512 f48c2bba7707542741e52f5d794aaafe4468d088e28bc02878c0eb9aa76d31b57dca69b85705f7a9a2d745272df3fdc39a1d13ba337cab34dd0e9d545cee7d41 WHIRLPOOL 77e2574065a78a0f7014213f5e5d64651d41f24c7652542589f1106a6a114cf27d9922ef2cddee9e62c0f0f118691d91ebe9dc4a0ae04654843f18bdd20e2cef
+AUX openssh-7.3_p1-x509-9.2-warnings.patch 3060 SHA256 e7963f4946db01390831ee07a49c3a2291518b06144e95cfc47326c7209fa2e3 SHA512 f029d6f922e1632b32ac6e7b627378854f78c9d9b828dde37273b1b1a09167273fc6934bcb0653209b9e5ffd06c95d564d1bf5f1ea745993e19b062a4532f1c0 WHIRLPOOL cd4eb68bf861a50e9452c453c903946b8d067fd00171d39c6bad797d20c07631cda2379d9e41246bc93b22252a8d1bd55186e13ba492c7b8cf94048910f3a8a9
+AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
+AUX sshd.rc6.4 2108 SHA256 43a483014bf177f9238e54a7b8210d5a76830beb67c18999409e543fd744c9e4 SHA512 fe58e950514743a72467233ff2f2a63112c50e5db843d61e141a5ca3dd8ef8f42a616cd9de7748ae582054c47c2cc38ce48b638e2d88be39c1387f77e79c83e1 WHIRLPOOL ef30b1e3a118b40617e3c1de6b4ebb360f466e90e18157a08d0ed50a4acb488eb7f6159120525e2b7e85393cd19b062c97188460ea51959467eb6ab52632d064
+AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
+AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
+AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
+DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
+DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
+DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
+DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+EBUILD openssh-7.3_p1-r7.ebuild 11539 SHA256 63fcb03fbc89af04ad3e72490cfd9ceb931699e3337b9e40aee15089bd769b36 SHA512 50b36971c70d87893374f9cd4176ddd13518d4c1a04e2682a1a7134d1d42f0fd18a69821b4d88010ef93f5432b646367c979ac02aeff66223546c41b18063a84 WHIRLPOOL 27c01ef1b50c7efeb452228c14e4b762c3c435dbfb9435bbb0f3b48cb3ea63e1592b5aabcecddb50cfd21b341a776e2df55933254ed27bd0194dfa2945dd604c
+MISC metadata.xml 2212 SHA256 50f6e3651c8aeb86cfe90d92cef6a2b55640c400584f5fdbb6418cef7ac16f25 SHA512 958845fbdfb4f1d267fdbc3a005c6338da54c6a0715180a1982416a841ab4865c536de5f10bb8493d07830e182786d0c3f2ac710c9168434b3d077a59ed2ddd5 WHIRLPOOL 6d1080bc5c3b10a63836b5286d0d66b925a9d27d35e9855c9f966445458c1d6a752854d019c1740420ea78aef6f60105bef4c771fe61a95aae898034cf100705
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ * For versions >= 1.0.0, major,minor,status must match and library
+ * fix version must be equal to or newer than the header.
+ */
+- mask = 0xfff0000fL; /* major,minor,status */
++ mask = 0xfff00000L; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
+ lfix = (libver & 0x000ff000) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
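Review bot: The replacement line keeps the old trailing comment, `mask = 0xfff00000L; /* major,minor,status */`, but the whole point of the patch is that the status nibble is no longer part of the mask, so the comment now contradicts both the code and the header text two lines above. Change it to `mask = 0xfff00000L; /* major,minor (status nibble deliberately ignored) */` so the next reader of openssl-compat.c does not "fix" it back. The enclosing ssh_compatible_openssl() begins and ends outside the hunk.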
diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
new file mode 100644
index 0000000..7eaadaf
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/591392
+https://bugzilla.mindrot.org/show_bug.cgi?id=2590
+
+7.3 added seccomp support to MIPS, but failed to handled the N32
+case. This patch is temporary until upstream fixes.
+
+--- openssh-7.3p1/configure.ac
++++ openssh-7.3p1/configure.ac
+@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
+ ;;
+ mips64-*)
+- seccomp_audit_arch=AUDIT_ARCH_MIPS64
++ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+ ;;
+ mips64el-*)
+- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
++ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+ ;;
+ esac
+ if test "x$seccomp_audit_arch" != "x" ; then
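Review bot: Both `mips64-*` and `mips64el-*` arms now unconditionally select the N32 audit arch, so a mips64 build with an n64 userland gets a seccomp filter whose architecture check does not match the running process; as I recall the filter's arch-mismatch path is SECCOMP_RET_KILL, so such users would lose the privsep child at login rather than merely the sandbox. Since the header already calls this a temporary workaround, either make the substitution conditional on the target ABI (the ebuild's `${ABI}`, or a `_MIPS_SIM == _ABIN32` check on the C side) or state in the header that the patch is only correct for n32 userlands and must not be applied for n64.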
diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..806b36d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(active_state, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -668,7 +674,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server. auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+
+ return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection. The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+- static char *dnsname;
+-
+- if (!use_dns)
+- return ssh_remote_ipaddr(ssh);
+- else if (dnsname != NULL)
+- return dnsname;
+- else {
+- dnsname = remote_hostname(ssh);
+- return dnsname;
+- }
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection. The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++ static char *dnsname;
++
++ if (!use_dns)
++ return ssh_remote_ipaddr(ssh);
++ else if (dnsname != NULL)
++ return dnsname;
++ else {
++ dnsname = remote_hostname(ssh);
++ return dnsname;
++ }
++}
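Review bot: The prototype `extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);` is declared inside the function body in the sshconnect2.c hunk of this file instead of in canohost.h next to the function's new home, so the declaration and the definition can silently drift apart; move it to canohost.h and include that header. The comment `/* Get IP address of client. */` in remote_hostname was written for the server and now reads wrongly when the client calls it to resolve the server's address; `/* Get IP address of the peer. */` fits both callers. The static `dnsname` cache is also keyed to nothing, so the first result is returned for any later `ssh` argument; that is fine for a single-connection client but deserves a one-line comment at the declaration.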
diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
new file mode 100644
index 0000000..784cd2a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
@@ -0,0 +1,29 @@
+https://bugs.gentoo.org/595342
+
+Backport of
+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
+
+--- openssh-7.3p1/kex.c
++++ openssh-7.3p1/kex.c
+@@ -419,6 +419,8 @@
+ ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ return r;
++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++ return r;
+ kex->done = 1;
+ sshbuf_reset(kex->peer);
+ /* sshbuf_reset(kex->my); */
+--- openssh-7.3p1/packet.c
++++ openssh-7.3p1/packet.c
+@@ -1919,9 +1919,7 @@
+ return r;
+ return SSH_ERR_PROTOCOL_ERROR;
+ }
+- if (*typep == SSH2_MSG_NEWKEYS)
+- r = ssh_set_newkeys(ssh, MODE_IN);
+- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ r = ssh_packet_enable_delayed_compress(ssh);
+ else
+ r = 0;
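Review bot: The patch header carries only the bug URL and the upstream commit it backports, unlike the other upstream backports in this commit, which reproduce the upstream commit message, so a reader cannot tell from the file what the two hunks fix. Suggest adding a sentence such as `Install the inbound NEWKEYS keys from kex_input_newkeys instead of the packet reader, so a NEWKEYS received outside a key exchange no longer reaches ssh_set_newkeys.` with the wording confirmed against the referenced upstream commit. The enclosing functions in kex.c and packet.c both start and end outside their hunks.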
diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
new file mode 100644
index 0000000..8603601
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
@@ -0,0 +1,32 @@
+https://bugs.gentoo.org/597360
+
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kex.c b/kex.c
+index 3f97f8c00919..6a94bc535bd7 100644
+--- a/kex.c
++++ b/kex.c
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+--
+2.11.0.rc2
+
diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
new file mode 100644
index 0000000..7fb0d80
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/592122
+
+From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 3 Aug 2016 04:23:55 +0000
+Subject: [PATCH] upstream commit
+
+Fix bug introduced in rev 1.467 which causes
+"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
+and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
+2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
+ok deraadt@
+
+Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
+---
+ sshd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index 799c7711f49c..9fc829a91bc8 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ } else
+ #endif
+- if ((r = sshbuf_put_u32(m, 1)) != 0)
++ if ((r = sshbuf_put_u32(m, 0)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
+--
+2.11.0.rc2
+
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
new file mode 100644
index 0000000..0602307
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
@@ -0,0 +1,39 @@
+--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+@@ -1155,7 +1155,7 @@
+ @@ -44,7 +44,7 @@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+--- a/0004-support-dynamically-sized-receive-buffers.patch
++++ b/0004-support-dynamically-sized-receive-buffers.patch
+@@ -2144,9 +2144,9 @@
+ @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -2163,9 +2163,9 @@
+ @@ -432,7 +432,7 @@
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-- major, minor, SSH_VERSION,
+-+ major, minor, SSH_RELEASE,
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++- major, minor, SSH_VERSION, comment,
+++ major, minor, SSH_RELEASE, comment,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
new file mode 100644
index 0000000..9cc7b61
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
@@ -0,0 +1,245 @@
+diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
+index fdc9b2f..300cd90 100644
+--- a/cipher-ctr-mt.c
++++ b/cipher-ctr-mt.c
+@@ -127,7 +127,7 @@ struct kq {
+ u_char keys[KQLEN][AES_BLOCK_SIZE];
+ u_char ctr[AES_BLOCK_SIZE];
+ u_char pad0[CACHELINE_LEN];
+- volatile int qstate;
++ int qstate;
+ pthread_mutex_t lock;
+ pthread_cond_t cond;
+ u_char pad1[CACHELINE_LEN];
+@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
+ STATS_STRUCT(stats);
+ u_char aes_counter[AES_BLOCK_SIZE];
+ pthread_t tid[CIPHER_THREADS];
++ pthread_rwlock_t tid_lock;
++#ifdef __APPLE__
++ pthread_rwlock_t stop_lock;
++ int exit_flag;
++#endif /* __APPLE__ */
+ int state;
+ int qidx;
+ int ridx;
+@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
+ pthread_mutex_unlock((pthread_mutex_t *)x);
+ }
+
++#ifdef __APPLE__
++/* Check if we should exit, we are doing both cancel and exit condition
++ * since on OSX threads seem to occasionally fail to notice when they have
++ * been cancelled. We want to have a backup to make sure that we won't hang
++ * when the main process join()-s the cancelled thread.
++ */
++static void
++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
++{
++ int exit_flag;
++
++ pthread_rwlock_rdlock(&c->stop_lock);
++ exit_flag = c->exit_flag;
++ pthread_rwlock_unlock(&c->stop_lock);
++
++ if (exit_flag)
++ pthread_exit(NULL);
++}
++#else
++# define thread_loop_check_exit(s)
++#endif /* __APPLE__ */
++
++/*
++ * Helper function to terminate the helper threads
++ */
++static void
++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
++{
++ int i;
++
++#ifdef __APPLE__
++ /* notify threads that they should exit */
++ pthread_rwlock_wrlock(&c->stop_lock);
++ c->exit_flag = TRUE;
++ pthread_rwlock_unlock(&c->stop_lock);
++#endif /* __APPLE__ */
++
++ /* Cancel pregen threads */
++ for (i = 0; i < CIPHER_THREADS; i++) {
++ pthread_cancel(c->tid[i]);
++ }
++ for (i = 0; i < NUMKQ; i++) {
++ pthread_mutex_lock(&c->q[i].lock);
++ pthread_cond_broadcast(&c->q[i].cond);
++ pthread_mutex_unlock(&c->q[i].lock);
++ }
++ for (i = 0; i < CIPHER_THREADS; i++) {
++ pthread_join(c->tid[i], NULL);
++ }
++}
++
+ /*
+ * The life of a pregen thread:
+ * Find empty keystream queues and fill them using their counter.
+@@ -201,6 +257,7 @@ thread_loop(void *x)
+ struct kq *q;
+ int i;
+ int qidx;
++ pthread_t first_tid;
+
+ /* Threads stats on cancellation */
+ STATS_INIT(stats);
+@@ -211,11 +268,15 @@ thread_loop(void *x)
+ /* Thread local copy of AES key */
+ memcpy(&key, &c->aes_ctx, sizeof(key));
+
++ pthread_rwlock_rdlock(&c->tid_lock);
++ first_tid = c->tid[0];
++ pthread_rwlock_unlock(&c->tid_lock);
++
+ /*
+ * Handle the special case of startup, one thread must fill
+ * the first KQ then mark it as draining. Lock held throughout.
+ */
+- if (pthread_equal(pthread_self(), c->tid[0])) {
++ if (pthread_equal(pthread_self(), first_tid)) {
+ q = &c->q[0];
+ pthread_mutex_lock(&q->lock);
+ if (q->qstate == KQINIT) {
+@@ -245,12 +306,16 @@ thread_loop(void *x)
+ /* Check if I was cancelled, also checked in cond_wait */
+ pthread_testcancel();
+
++ /* Check if we should exit as well */
++ thread_loop_check_exit(c);
++
+ /* Lock queue and block if its draining */
+ q = &c->q[qidx];
+ pthread_mutex_lock(&q->lock);
+ pthread_cleanup_push(thread_loop_cleanup, &q->lock);
+ while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
+ STATS_WAIT(stats);
++ thread_loop_check_exit(c);
+ pthread_cond_wait(&q->cond, &q->lock);
+ }
+ pthread_cleanup_pop(0);
+@@ -268,6 +333,7 @@ thread_loop(void *x)
+ * can see that it's being filled.
+ */
+ q->qstate = KQFILLING;
++ pthread_cond_broadcast(&q->cond);
+ pthread_mutex_unlock(&q->lock);
+ for (i = 0; i < KQLEN; i++) {
+ AES_encrypt(q->ctr, q->keys[i], &key);
+@@ -279,7 +345,7 @@ thread_loop(void *x)
+ ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
+ q->qstate = KQFULL;
+ STATS_FILL(stats);
+- pthread_cond_signal(&q->cond);
++ pthread_cond_broadcast(&q->cond);
+ pthread_mutex_unlock(&q->lock);
+ }
+
+@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+ pthread_cond_wait(&q->cond, &q->lock);
+ }
+ q->qstate = KQDRAINING;
++ pthread_cond_broadcast(&q->cond);
+ pthread_mutex_unlock(&q->lock);
+
+ /* Mark consumed queue empty and signal producers */
+@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+ c = xmalloc(sizeof(*c));
++ pthread_rwlock_init(&c->tid_lock, NULL);
++#ifdef __APPLE__
++ pthread_rwlock_init(&c->stop_lock, NULL);
++ c->exit_flag = FALSE;
++#endif /* __APPLE__ */
+
+ c->state = HAVE_NONE;
+ for (i = 0; i < NUMKQ; i++) {
+@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+ }
+
+ if (c->state == (HAVE_KEY | HAVE_IV)) {
+- /* Cancel pregen threads */
+- for (i = 0; i < CIPHER_THREADS; i++)
+- pthread_cancel(c->tid[i]);
+- for (i = 0; i < CIPHER_THREADS; i++)
+- pthread_join(c->tid[i], NULL);
++ /* tell the pregen threads to exit */
++ stop_and_join_pregen_threads(c);
++
++#ifdef __APPLE__
++ /* reset the exit flag */
++ c->exit_flag = FALSE;
++#endif /* __APPLE__ */
++
+ /* Start over getting key & iv */
+ c->state = HAVE_NONE;
+ }
+@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+ /* Start threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ debug("spawned a thread");
++ pthread_rwlock_wrlock(&c->tid_lock);
+ pthread_create(&c->tid[i], NULL, thread_loop, c);
++ pthread_rwlock_unlock(&c->tid_lock);
+ }
+ pthread_mutex_lock(&c->q[0].lock);
+- while (c->q[0].qstate != KQDRAINING)
++ while (c->q[0].qstate == KQINIT)
+ pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
+ pthread_mutex_unlock(&c->q[0].lock);
+ }
+@@ -461,15 +538,10 @@ void
+ ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
+ {
+ struct ssh_aes_ctr_ctx *c;
+- int i;
++
+ c = EVP_CIPHER_CTX_get_app_data(ctx);
+- /* destroy threads */
+- for (i = 0; i < CIPHER_THREADS; i++) {
+- pthread_cancel(c->tid[i]);
+- }
+- for (i = 0; i < CIPHER_THREADS; i++) {
+- pthread_join(c->tid[i], NULL);
+- }
++
++ stop_and_join_pregen_threads(c);
+ }
+
+ void
+@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
+ /* reconstruct threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ debug("spawned a thread");
++ pthread_rwlock_wrlock(&c->tid_lock);
+ pthread_create(&c->tid[i], NULL, thread_loop, c);
++ pthread_rwlock_unlock(&c->tid_lock);
+ }
+ }
+
+@@ -489,18 +563,13 @@ static int
+ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+ struct ssh_aes_ctr_ctx *c;
+- int i;
+
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+ #ifdef CIPHER_THREAD_STATS
+ debug("main thread: %u drains, %u waits", c->stats.drains,
+ c->stats.waits);
+ #endif
+- /* Cancel pregen threads */
+- for (i = 0; i < CIPHER_THREADS; i++)
+- pthread_cancel(c->tid[i]);
+- for (i = 0; i < CIPHER_THREADS; i++)
+- pthread_join(c->tid[i], NULL);
++ stop_and_join_pregen_threads(c);
+
+ memset(c, 0, sizeof(*c));
+ free(c);
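Review bot: `tid_lock` (and `stop_lock` under `__APPLE__`) is initialised with pthread_rwlock_init in ssh_aes_ctr_init but never destroyed: ssh_aes_ctr_cleanup goes straight from `stop_and_join_pregen_threads(c);` to `memset(c, 0, sizeof(*c));` and `free(c);`, which leaks whatever the rwlock implementation allocated. Add `pthread_rwlock_destroy(&c->tid_lock);` after the join, with a matching `pthread_rwlock_destroy(&c->stop_lock);` inside the Apple block. The rekey path in ssh_aes_ctr_init, which joins and then respawns threads, can keep the locks as they are. ssh_aes_ctr_cleanup's body continues outside the hunk.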
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
new file mode 100644
index 0000000..f077c05
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
@@ -0,0 +1,41 @@
+--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700
++++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700
+@@ -1155,7 +1155,7 @@
+ @@ -44,7 +44,7 @@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -2144,12 +2144,12 @@
+ /* Bind the socket to an alternative local IP address */
+ if (options.bind_address == NULL && !privileged)
+ return sock;
+-@@ -527,10 +555,10 @@
++@@ -555,10 +583,10 @@
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -2163,9 +2163,9 @@
+ @@ -432,7 +432,7 @@
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-- major, minor, SSH_VERSION,
+-+ major, minor, SSH_RELEASE,
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++- major, minor, SSH_VERSION, comment,
+++ major, minor, SSH_RELEASE, comment,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..2def699
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
@@ -0,0 +1,67 @@
+--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
++++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
+@@ -226,14 +226,6 @@
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -224,6 +225,8 @@ and
+ to print debugging messages about their progress.
+ This is helpful in
+@@ -493,19 +485,11 @@
+ .Sh SYNOPSIS
+ .Nm ssh
+ .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+ .Op Fl b Ar bind_address
+ .Op Fl c Ar cipher_spec
+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UpdateHostKeys
+ @@ -795,6 +796,8 @@ controls.
+ .Pp
+ .It Fl y
+@@ -533,18 +517,18 @@
+ usage(void)
+ {
+ fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+ " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
+- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
++ " [-F configfile]\n"
++ #ifdef USE_OPENSSL_ENGINE
+ @@ -608,7 +613,7 @@ main(int ac, char **av)
+- argv0 = av[0];
++ # define ENGCONFIG ""
++ #endif
+
+- again:
+-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+ @@ -857,6 +862,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
new file mode 100644
index 0000000..528dc6f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
@@ -0,0 +1,109 @@
+diff --git a/kex.c b/kex.c
+index 143227a..c9b84c2 100644
+--- a/kex.c
++++ b/kex.c
+@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
+ static int
+ kex_send_ext_info(struct ssh *ssh)
+ {
++#ifdef EXPERIMENTAL_RSA_SHA2_256
+ int r;
+
+-#ifdef EXPERIMENTAL_RSA_SHA2_256
+ /* IMPORTANT NOTE:
+ * Do not offer rsa-sha2-* until is resolved misconfiguration issue
+ * with allowed public key algorithms!
+diff --git a/key-eng.c b/key-eng.c
+index 9bc50fd..bc0d03d 100644
+--- a/key-eng.c
++++ b/key-eng.c
+@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
+ while (buffer_len(&eng_list) > 0) {
+ u_int k = 0;
+ char *s;
+- ENGINE *e;
+
+ s = buffer_get_cstring_ret(&eng_list, &k);
+ ssh_engine_reset(s);
+diff --git a/monitor.c b/monitor.c
+index 345d3df..0de30ad 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
+ (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
+ (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (keyid > INT_MAX)
++ if (keyid32 > INT_MAX)
+ fatal("%s: invalid key ID", __func__);
+
+ keyid = keyid32; /*save cast*/
+diff --git a/readconf.c b/readconf.c
+index beb38a0..1cbda7e 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1459,7 +1459,9 @@ parse_int:
+
+ case oHostKeyAlgorithms:
+ charptr = &options->hostkeyalgorithms;
++# if 0
+ parse_keytypes:
++# endif
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+diff --git a/servconf.c b/servconf.c
+index a540138..e77a344 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1574,7 +1573,9 @@ parse_string:
+
+ case sHostKeyAlgorithms:
+ charptr = &options->hostkeyalgorithms;
++# if 0
+ parse_keytypes:
++#endif
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.",
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 50f04b7..3f9a7bf 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
+ }
+
+ #ifdef OPENSSL_HAS_ECC
++#ifdef HAVE_EC_KEY_METHOD_NEW
+ /* openssl callback for freeing an EC key */
+ static void
+ pkcs11_ec_finish(EC_KEY *ec)
+ {
+ struct pkcs11_key *k11;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+ k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+ EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#else
+- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#endif
+ pkcs11_key_free(k11);
+ }
++#endif /*def HAVE_EC_KEY_METHOD_NEW*/
+ #endif /*def OPENSSL_HAS_ECC*/
+
+
+diff --git a/sshconnect.c b/sshconnect.c
+index fd2a70e..0960be1 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
+ {
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
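Review bot: Wrapping the `parse_keytypes:` labels in `# if 0` / `# endif` in the readconf.c and servconf.c hunks silences the unused-label warning by hiding a goto target; if any `goto parse_keytypes` remains elsewhere in those files, or comes back with the next X.509 patch refresh, the build fails with an undefined label rather than a warning. If the label is genuinely unreferenced, delete it outright; if it is referenced, keep it and address the warning some other way. The two hunks also spell the guard differently (`# endif` versus `#endif`). Both enclosing case bodies continue outside their hunks.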
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000..28952b4
--- /dev/null
+++ b/net-misc/openssh/files/sshd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-misc/openssh/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
new file mode 100644
index 0000000..5e30142
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -0,0 +1,84 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=/usr/sbin/sshd}
+
+depend() {
+ use logger dns
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ if [ ! -d /var/empty ] ; then
+ mkdir -p /var/empty || return 1
+ fi
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ssh-keygen -A || return 1
+
+ [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+ [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
+
+ "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" \
+ -- ${SSHD_OPTS}
+ eend $?
+}
+
+stop() {
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return 1
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" --quiet
+ eend $?
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+ eend $?
+}
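Review bot: `mkdir -p /var/empty` in checkconfig() creates the privilege-separation directory with whatever mode the current umask yields, and sshd refuses to start when that directory is not root-owned or is group/world-writable, so a permissive umask at boot produces a directory the daemon then rejects; `mkdir -p -m 0755 /var/empty || return 1` pins the mode. The unquoted `${SSHD_OPTS}` in the `-t` check and again in start() is deliberate word-splitting, but it means an option value containing spaces cannot be passed through /etc/conf.d/sshd; a one-line comment such as `# SSHD_OPTS is intentionally word-split into separate arguments` would make that contract explicit for the next reader.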
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
new file mode 100644
index 0000000..b5e96b3
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
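Review bot: The unit sets no `KillMode=`, so with the default control-group kill a `systemctl restart sshd` or `stop` terminates every forked per-session sshd together with the listener, dropping all active logins including the one issuing the command; `KillMode=process` limits the stop to the listening daemon, and `Restart=on-failure` would bring the listener back after a crash, which matters for a service that is often the only remote path onto the host. `After=syslog.target` is, I believe, an obsolete target name in current systemd and can be dropped, leaving `After=network.target auditd.service`.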
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
new file mode 100644
index 0000000..94b9533
--- /dev/null
+++ b/net-misc/openssh/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
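Review bot: `ListenStream=22` with `Accept=yes` hands each accepted connection to `sshd -i` (see sshd_at.service below), so the `Port` and `ListenAddress` directives in sshd_config are not consulted in this mode; a comment in the unit, `# Port/ListenAddress in sshd_config do not apply here: the socket is bound by systemd`, would stop an operator from moving the port in sshd_config and wondering why 22 is still open. Because every connection spawns a new service instance, a per-source limit such as `MaxConnectionsPerSource=` (where the installed systemd supports it) or a lower `MaxConnections=` is worth considering for an exposed host.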
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
new file mode 100644
index 0000000..2645ad0
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
new file mode 100644
index 0000000..29134fc
--- /dev/null
+++ b/net-misc/openssh/metadata.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="project">
+ <email>base-system@gentoo.org</email>
+ <name>Gentoo Base System</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>robbat2@gentoo.org</email>
+ <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
+ </maintainer>
+ <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+rlogin, ftp, and other such programs might not realize that their password is transmitted
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+</longdescription>
+ <use>
+ <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
+ <flag name="hpn">Enable high performance ssh</flag>
+ <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+ <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+ <flag name="livecd">Enable root password logins for live-cd environment.</flag>
+ <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
+ <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+ <flag name="X509">Adds support for X.509 certificate authentication</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+ <remote-id type="sourceforge">hpnssh</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
new file mode 100644
index 0000000..6f494dc
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
@@ -0,0 +1,352 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="${PV}"
+HPN_VER="14.10"
+
+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+ ${HPN_PATCH:+hpn? (
+ mirror://gentoo/${HPN_PATCH}.xz
+ http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
+ )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap ssl )
+ test? ( ssl )"
+
+LIB_DEPEND="
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ >=dev-libs/openssl-0.9.8f:0[bindist=]
+ dev-libs/openssl:0[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl[static-libs(+)] )
+ )
+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_pretend() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ if use X509 ; then
+ pushd .. >/dev/null
+ if use hpn ; then
+ pushd "${WORKDIR}" >/dev/null
+ epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
+ popd >/dev/null
+ fi
+ epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+ sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+ save_version X509
+ else
+ # bug #592122, fixed by X509 patch
+ epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+ fi
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+
+ epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+
+ if use hpn ; then
+ #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ # epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+ epatch "${WORKDIR}"/${HPN_PATCH}
+ epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ # 7.3 added seccomp support to MIPS, but failed to handled the N32
+ # case. This patch is temporary until upstream fixes. See
+ # Gentoo bug #591392 or upstream #2590.
+ [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
+ && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+ epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
+ epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+
+ local myconf=(
+ --without-stackprotect
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ $(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ if use livecd ; then
+ sed -i \
+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc CREDITS OVERVIEW README* TODO sshd_config
+ use X509 || dodoc ChangeLog
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}
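Review bot: `--without-stackprotect` is passed unconditionally at the head of `myconf` in src_configure(), which stops configure from adding `-fstack-protector` on every architecture, while the later revision of this same file (deleted further down) restricts it to `[[ $(tc-arch) == x86 ]]`; this version should either gate it the same way or carry a comment naming the link failure it works around, since it silently removes a hardening flag on targets that do not need the workaround. Separately, `printf '#define SSH_RELEASE ...' "${macros}"` in the version.h merge expands only the first array element, so with two feature patches applied (for example hpn plus X509) only one `SSH_*` macro reaches SSH_RELEASE; `"${macros[*]}"` gives the intended space-separated list. Finally, `tc-export PKG_CONFIG` comes from toolchain-funcs, which the `inherit` line omits (it appears to work only through flag-o-matic's transitive inherit); the deleted revision lists `toolchain-funcs` explicitly and this one should too.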
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/, net-misc/openssh/files/
@ 2017-11-21 9:48 Anthony G. Basile
From: Anthony G. Basile @ 2017-11-21 9:48 UTC (permalink / raw
To: gentoo-commits
commit: 6b0dea5feb4e927a973caa037ebee05e46e081e1
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 21 09:47:33 2017 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Nov 21 09:47:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=6b0dea5f
net-misc/openssh: sync with tree version
Package-Manager: Portage-2.3.13, Repoman-2.3.3
RepoMan-Options: --force
net-misc/openssh/Manifest | 7 +-
.../files/openssh-7.5_p1-CVE-2017-15906.patch | 31 ++
net-misc/openssh/openssh-7.3_p1-r7.ebuild | 355 ---------------------
...h-7.5_p1-r1.ebuild => openssh-7.5_p1-r3.ebuild} | 8 +-
4 files changed, 36 insertions(+), 365 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 4a1820a..bda2277 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,10 +1,5 @@
-DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
-DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
-DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
-DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
-DIST openssh-7.5p1+x509-10.1.diff.gz 460721 SHA256 e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 SHA512 d3b5a8f5e3a88eda7989b002236811867b7e2c39bf7cd29a6dbbce277fca3fbedbfdbeaf1fba7d8c19f3dea32a17790e90604765f18576bcc5627a9c1d39109c WHIRLPOOL 2d4f96b47bcde9eabd19cad2fdc4da01a3d207f6ad5f4f1ea5a7dbd708d61783ae6a53e4cb622feed838106f57dbe6a7ecd1b41426325870378caf44803ff9ef
+DIST openssh-7.5p1+x509-10.2.diff.gz 467040 SHA256 24d5c1949d245b432abf2db6c28554a09bcffdcb4f4247826c0a33bdbee8b92c SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a WHIRLPOOL 3291a3e39b1a47efe149cdf805de11217fd55c4260477f2a6c6cc0bfa376b98a5dc7f56a49ae184fb57bae6226c73d1794db7b2285e3ea26a8fea4bc9304655b
DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627a8dd51595fd3ee9f95dc70e6b50fe779ce2 SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 WHIRLPOOL 6089ad8ae16c112a6f15d168c092e7f057b9e6d815724346b5a6a1cd0de932f779d5f410d48c904d935fcb3bad3f597fa4de075ab1f49cadc9842ce7bd8fdf42
DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 WHIRLPOOL 1a42c68d8e350bc4790dd4c1a98dd6571bfa353ad6871b1462c53b6412f752719daabd1a13bb4434d294de966a00428ac66334bab45f371420029b5e34a6914c
-DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93
diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
new file mode 100644
index 0000000..b97ceb4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
@@ -0,0 +1,31 @@
+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
+ reported by Michal Zalewski, feedback & ok deraadt@
+
+---
+ usr.bin/ssh/sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
+index 2510d234a3a..42249ebd60d 100644
+--- a/usr.bin/ssh/sftp-server.c
++++ b/usr.bin/ssh/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {
diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
deleted file mode 100644
index 681a5ee..0000000
--- a/net-misc/openssh/openssh-7.3_p1-r7.ebuild
+++ /dev/null
@@ -1,355 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
-
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}.xz
- http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )
- test? ( ssl )"
-
-LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
- dev-libs/openssl:0[static-libs(+)]
- )
- libressl? ( dev-libs/libressl[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- if use hpn ; then
- pushd "${WORKDIR}" >/dev/null
- epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
- popd >/dev/null
- fi
- epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
- sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
- save_version X509
- else
- # bug #592122, fixed by X509 patch
- epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
-
- epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-
- if use hpn ; then
- #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- # epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- epatch "${WORKDIR}"/${HPN_PATCH}
- epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- # 7.3 added seccomp support to MIPS, but failed to handled the N32
- # case. This patch is temporary until upstream fixes. See
- # Gentoo bug #591392 or upstream #2590.
- [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
- && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
- epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
- epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- if [[ $(tc-arch) == x86 ]]; then
- myconf+=( --without-stackprotect)
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-}
diff --git a/net-misc/openssh/openssh-7.5_p1-r1.ebuild b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
similarity index 97%
rename from net-misc/openssh/openssh-7.5_p1-r1.ebuild
rename to net-misc/openssh/openssh-7.5_p1-r3.ebuild
index b35db78..e3d5da9 100644
--- a/net-misc/openssh/openssh-7.5_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
@@ -12,7 +12,7 @@ PARCH=${P/_}
HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
-X509_VER="10.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
@@ -121,7 +121,6 @@ src_prepare() {
fi
save_version X509
epatch "${WORKDIR}"/${X509_PATCH%.*}
- use libressl && epatch "${FILESDIR}"/${PN}-7.5p1-x509-libressl.patch
fi
if use ldap ; then
@@ -132,6 +131,7 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
+ epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
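Review bot: The new epatch line for the CVE-2017-15906 patch carries no explanation, while the neighbouring epatch lines in the same run document their reason (`#165444 integrated into gsskex`); a trailing comment such as `# sftp-server read-only mode bypass, CVE-2017-15906, fixed upstream in 7.6` would tell the next bumper why the patch exists and when it can be dropped. The patch is applied unconditionally after the X509 block earlier in src_prepare; if the x509-10.2 diff also touches sftp-server.c, the ordering should be checked against a USE=X509 build, since epatch would then fail or apply with fuzz. The patch file itself is not in this view, and src_prepare starts before and continues after this hunk.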
@@ -168,8 +168,8 @@ src_prepare() {
(
sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
macros=()
- for p in HPN LPK X509 ; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
) > version.h
eautoreconf
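Review bot: The rewritten printf now emits every collected macro, but the `( … ) > version.h` group it sits in still has no error check: the subshell's exit status is that of the final printf, so a failing `sed` on the first line (for instance when nothing matches the `version.h.*` glob and sed is handed the literal name) would leave version.h holding only the SSH_RELEASE line and the build would carry on. Writing the sed line as `sed '/^#define SSH_RELEASE/d' version.h.* | sort -u || exit 1` and closing the group with `) > version.h || die` would surface that. Whether a `version.h.*` file always exists depends on save_version, which is outside the hunk; src_prepare itself starts before this hunk.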