public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2015-08-12  8:09 Mike Frysinger
  0 siblings, 0 replies; 57+ messages in thread
From: Mike Frysinger @ 2015-08-12  8:09 UTC (permalink / raw
  To: gentoo-commits

commit:     b94b01110ca2fb427c039751c0b43cdc8dfd7bb6
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 12 08:08:14 2015 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Aug 12 08:09:03 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b94b0111

net-misc/openssh: version bump to 7.0_p1 #557340

 net-misc/openssh/Manifest                          |   2 +
 .../openssh-6.8_p1-ssl-engine-configure.patch      |   2 +
 net-misc/openssh/openssh-7.0_p1.ebuild             | 312 +++++++++++++++++++++
 3 files changed, 316 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7daff62..d767086 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -11,5 +11,7 @@ DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3
 DIST openssh-6.9p1-hpnssh14v5.tar.xz 25164 SHA256 67c0b043525c838522d17ba8ed3ffa81aa212ae0f43c3d989a3e649fd0a2ca48 SHA512 bef32f6dd97e949e0973d30248401b86233ca66ace750c5050158a748fe279db46c8ee59b6f3de2193f52bab3a1c19372296b86136d7d65a312769008d0acf3a WHIRLPOOL 65241de2409bfe452b0bcf6282f0571a2bbf6d02d4d5cb97db78bd42e8be439c47da8a54d33272a85d50d648e2e4af56b574bc8add56c65e2ff9ccd59b90f65c
 DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
 DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
+DIST openssh-7.0p1-hpnssh14v5.tar.xz 21428 SHA256 6032c4547c9f83a6f648ac7c39cdad2bd6fd725e5f3ab2411c5b30298aae1451 SHA512 d4cf4a628c11515bfe8c3a91b4b7039fca28c2f89ad1dde062c4cb433b984b10dec2d37b1f338f18aa7813e60d8608b65ca95b930edc33086710b82780875942 WHIRLPOOL 7b686f243c98017453b3da3e98b7524650b4a0a75fda6add80c7c233d468194d1d1333ffa4445c20856d807548aaa356c87a03ca87d8995a4b7ba350c7714d1e
+DIST openssh-7.0p1.tar.gz 1493376 SHA256 fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 SHA512 d82aa8e85630c3e2102e69da477185e0d30d84211d7d4ee0a1d9822bd234d649fe369bf91ce3d2b5ef0caee687d383cb761b682d3bf24bccbd2ce9a1fe9d9f50 WHIRLPOOL bb8007450ffee580df5a73e3d6ab9b54b7151c46c3b996516e5cb776034be21cbef1281a520279655137e218a757d8092cba3f66e216c6b4c6828876540cb5df
 DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
 DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b

diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
index 9fad386..a355e2c 100644
--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
@@ -1,3 +1,5 @@
+https://github.com/openssh/openssh-portable/pull/29
+
 From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Wed, 18 Mar 2015 12:37:24 -0400

diff --git a/net-misc/openssh/openssh-7.0_p1.ebuild b/net-misc/openssh/openssh-7.0_p1.ebuild
new file mode 100644
index 0000000..5d57f3b
--- /dev/null
+++ b/net-misc/openssh/openssh-7.0_p1.ebuild
@@ -0,0 +1,312 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
+#X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}
+		http://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
+		mirror://sourceforge/hpnssh/${HPN_PATCH}
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		>=dev-libs/openssl-0.9.6d:0[bindist=]
+		dev-libs/openssl[static-libs(+)]
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
+		epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
+		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
+		save_version X509
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	# The X509 patchset fixes this independently.
+	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
+	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
+	if use hpn ; then
+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys # skey configure code triggers this
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		# The X509 patch deletes this option entirely.
+		$(use X509 || use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
+	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
+		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
+		append-ldflags -lutil
+	fi
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2015-08-24 21:26 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2015-08-24 21:26 UTC (permalink / raw
  To: gentoo-commits

commit:     86968deefadc66ea0572e6c0e346384f4e1e639e
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 24 21:26:32 2015 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Aug 24 21:26:32 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86968dee

net-misc/openssh: Re-enable the X509 USE flag for version 7.1p1

Package-Manager: portage-2.2.20.1

 net-misc/openssh/Manifest                                 |  1 +
 net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch | 11 +++++++++++
 net-misc/openssh/openssh-7.1_p1.ebuild                    |  4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 09457f6..461d5c1 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -14,6 +14,7 @@ DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39
 DIST openssh-7.0p1+x509-8.5.diff.gz 411960 SHA256 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e SHA512 1241419ea32a21b0ef15fb3845344c9b1126ecee94265b074e60af794eacdb39a98983040a61b9f169e0a6d5a0a248e1bbf9d9b3e56df50cb382441a26dddafd WHIRLPOOL 117e8c9bb05ded7fdf261e9aca709540e0a3817bc5b3e70472e8c802063e37ee24feae4c1b3a909177ab163e53c2d614b4f0fc75aad1ca44c0e0584eeff55a81
 DIST openssh-7.0p1-hpnssh14v5.tar.xz 21428 SHA256 6032c4547c9f83a6f648ac7c39cdad2bd6fd725e5f3ab2411c5b30298aae1451 SHA512 d4cf4a628c11515bfe8c3a91b4b7039fca28c2f89ad1dde062c4cb433b984b10dec2d37b1f338f18aa7813e60d8608b65ca95b930edc33086710b82780875942 WHIRLPOOL 7b686f243c98017453b3da3e98b7524650b4a0a75fda6add80c7c233d468194d1d1333ffa4445c20856d807548aaa356c87a03ca87d8995a4b7ba350c7714d1e
 DIST openssh-7.0p1.tar.gz 1493376 SHA256 fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 SHA512 d82aa8e85630c3e2102e69da477185e0d30d84211d7d4ee0a1d9822bd234d649fe369bf91ce3d2b5ef0caee687d383cb761b682d3bf24bccbd2ce9a1fe9d9f50 WHIRLPOOL bb8007450ffee580df5a73e3d6ab9b54b7151c46c3b996516e5cb776034be21cbef1281a520279655137e218a757d8092cba3f66e216c6b4c6828876540cb5df
+DIST openssh-7.1p1+x509-8.6.diff.gz 413931 SHA256 cbf661a1fec080dc9ed335a290414154326c2a13f124985db050b86a91073d52 SHA512 c91d0f1b69b6d34984e94b391ad022271e73d0634cef2df355ba555366bc38d30649b478f245b6c51ce79d71adf1b693bc97826e6c6013a78e7ccfb7023b4bcc WHIRLPOOL 4ed4427e80026996c43a188d7d45f2c53fa6a7fd842a248b1225b27f3e9037e761f0ed172d79b53ada81c24d958a2193e94d918f6ca1320e45d5e68379845981
 DIST openssh-7.1p1.tar.gz 1493170 SHA256 fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428 SHA512 f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7 WHIRLPOOL a650a93657f930d20dc3fa24ab720857f63f7cd0a82d1906cf1e58145e866129207851d5e587d678655e5731fa73221ab9b6ea0754533100c25fe2acaa442e05
 DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
 DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b

diff --git a/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
new file mode 100644
index 0000000..393ea99
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
@@ -0,0 +1,11 @@
+--- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig	2015-08-24 11:17:05.379280954 -0700
++++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch	2015-08-24 11:19:30.788424050 -0700
+@@ -80,7 +80,7 @@
+ +			else
+ +				fatal("Pre-authentication none cipher requests are not allowed.");
+ +		}
+- 		debug("kex: %s %s %s %s",
++ 		debug("kex: %s cipher: %s MAC: %s compression: %s",
+  		    ctos ? "client->server" : "server->client",
+  		    newkeys->enc.name,
+ diff --git a/myproposal.h b/myproposal.h

diff --git a/net-misc/openssh/openssh-7.1_p1.ebuild b/net-misc/openssh/openssh-7.1_p1.ebuild
index 820541a..709e6f9 100644
--- a/net-misc/openssh/openssh-7.1_p1.ebuild
+++ b/net-misc/openssh/openssh-7.1_p1.ebuild
@@ -11,7 +11,7 @@ PARCH=${P/_}
 
 HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
 LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-#X509_VER="8.5" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
+X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="http://www.openssh.org/"
@@ -113,7 +113,7 @@ src_prepare() {
 
 	if use X509 ; then
 		pushd .. >/dev/null
-		#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
+		epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
 		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
 		popd >/dev/null
 		epatch "${WORKDIR}"/${X509_PATCH%.*}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-01-14 15:49 Lars Wendler
  0 siblings, 0 replies; 57+ messages in thread
From: Lars Wendler @ 2016-01-14 15:49 UTC (permalink / raw
  To: gentoo-commits

commit:     15b76ad7d7924c0d21c1aa002ed8a89138732d4f
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 14 15:46:22 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Jan 14 15:49:05 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15b76ad7

net-misc/openssh: Removed old.

Package-Manager: portage-2.2.26
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  16 -
 .../openssh/files/openssh-6.6.1_p1-x509-glue.patch |  17 --
 .../files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch |  26 --
 .../files/openssh-6.7_p1-sctp-x509-glue.patch      |  42 ---
 .../openssh-6.7_p1-sshd-gssapi-multihomed.patch    | 162 ----------
 .../openssh/files/openssh-6.7_p1-x509-glue.patch   |  46 ---
 .../files/openssh-6.7_p1-xmalloc-include.patch     |  11 -
 .../files/openssh-6.8_p1-sctp-x509-glue.patch      |  90 ------
 .../files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch  |  40 ---
 .../openssh-6.8_p1-sshd-gssapi-multihomed.patch    | 162 ----------
 .../files/openssh-6.8_p1-teraterm-hpn-glue.patch   |  15 -
 .../openssh/files/openssh-6.8_p1-teraterm.patch    |  69 -----
 net-misc/openssh/openssh-6.7_p1-r4.ebuild          | 323 --------------------
 net-misc/openssh/openssh-6.7_p1.ebuild             | 322 --------------------
 net-misc/openssh/openssh-6.8_p1-r5.ebuild          | 331 ---------------------
 net-misc/openssh/openssh-6.9_p1-r1.ebuild          | 322 --------------------
 net-misc/openssh/openssh-6.9_p1-r2.ebuild          | 310 -------------------
 net-misc/openssh/openssh-7.0_p1.ebuild             | 323 --------------------
 net-misc/openssh/openssh-7.1_p1-r1.ebuild          | 328 --------------------
 net-misc/openssh/openssh-7.1_p1.ebuild             | 325 --------------------
 20 files changed, 3280 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index cf1e7a0..c7e4e9d 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,21 +1,5 @@
-DIST openssh-6.7_p1-sctp.patch.xz 7408 SHA256 b33e82309195f2a3f21a9fb14e6da2080b096dcf0d6f1c36c93cdeac683fdd59 SHA512 35da5e58f857e8b24e63b4058e946b71fdf0fecc637cb7af0ba8913869e5aadf8317805838936c84dc24421f03c5c91e1670761bed152fdf325c5a509f1b5d04 WHIRLPOOL cc7bace4aa60d720914e3a6a4ff650b7543d9e4963deab12c19cb5d798547b4fe547690946ff8955e121339e9a3d0ebe06f3ff758cca4bb81a09ac43fc877f58
-DIST openssh-6.7p1+x509-8.2.diff.gz 241798 SHA256 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f SHA512 d33ece7ddf382235b032875cf961845b308dc5e4cd1888cb68fee11c95066bb90938f9043cb9410f372efb578b61dfd5d50341da95a92fab5a4c209ac54e1f5e WHIRLPOOL b1fe2b88f0e77312099171f5c83dc670abc4c40d215fdff1e43161e44f806de9e0537cfa3a0001e1c7bbc0d0aed555079455f88b8ff313b00d8e9a19dabcb7d8
-DIST openssh-6.7p1-hpnssh14v5.tar.xz 25652 SHA256 7284db65548b6b04142930da86972f96b1f5aa8ad3fc125134412f904f369d7e SHA512 21929805f40c79684ee3ecdb2b495d3204dca90b932aa633c4e0f6a093a417259cdeee10b3e49f3dff426febc6792f45ee23cc0688f05bf047630f3016e0926a WHIRLPOOL 5515cd4c745b061a3e92ac03e8121fb3ffc4b2ff116140625ca7ab2c0211c673b6345e5b08134df8b1743e03f9964017e789e1f0b9da99a0fd5970e14665e681
-DIST openssh-6.7p1.tar.gz 1351367 SHA256 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 SHA512 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d WHIRLPOOL ac8ce86d0f6c78c4cb3624b480f189f951d508db38b22d7a5550b7302d5277c1c7d18eaa713d52139abc0f77edacfdb03ced2603125e3ddf9bc09c69e6b70518
 DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73
-DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b
-DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3
-DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a
-DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
-DIST openssh-6.9p1-hpnssh14v5.tar.xz 25164 SHA256 67c0b043525c838522d17ba8ed3ffa81aa212ae0f43c3d989a3e649fd0a2ca48 SHA512 bef32f6dd97e949e0973d30248401b86233ca66ace750c5050158a748fe279db46c8ee59b6f3de2193f52bab3a1c19372296b86136d7d65a312769008d0acf3a WHIRLPOOL 65241de2409bfe452b0bcf6282f0571a2bbf6d02d4d5cb97db78bd42e8be439c47da8a54d33272a85d50d648e2e4af56b574bc8add56c65e2ff9ccd59b90f65c
-DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
-DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
-DIST openssh-7.0p1+x509-8.5.diff.gz 411960 SHA256 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e SHA512 1241419ea32a21b0ef15fb3845344c9b1126ecee94265b074e60af794eacdb39a98983040a61b9f169e0a6d5a0a248e1bbf9d9b3e56df50cb382441a26dddafd WHIRLPOOL 117e8c9bb05ded7fdf261e9aca709540e0a3817bc5b3e70472e8c802063e37ee24feae4c1b3a909177ab163e53c2d614b4f0fc75aad1ca44c0e0584eeff55a81
-DIST openssh-7.0p1-hpnssh14v5.tar.xz 21428 SHA256 6032c4547c9f83a6f648ac7c39cdad2bd6fd725e5f3ab2411c5b30298aae1451 SHA512 d4cf4a628c11515bfe8c3a91b4b7039fca28c2f89ad1dde062c4cb433b984b10dec2d37b1f338f18aa7813e60d8608b65ca95b930edc33086710b82780875942 WHIRLPOOL 7b686f243c98017453b3da3e98b7524650b4a0a75fda6add80c7c233d468194d1d1333ffa4445c20856d807548aaa356c87a03ca87d8995a4b7ba350c7714d1e
-DIST openssh-7.0p1.tar.gz 1493376 SHA256 fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 SHA512 d82aa8e85630c3e2102e69da477185e0d30d84211d7d4ee0a1d9822bd234d649fe369bf91ce3d2b5ef0caee687d383cb761b682d3bf24bccbd2ce9a1fe9d9f50 WHIRLPOOL bb8007450ffee580df5a73e3d6ab9b54b7151c46c3b996516e5cb776034be21cbef1281a520279655137e218a757d8092cba3f66e216c6b4c6828876540cb5df
 DIST openssh-7.1p1+x509-8.6.diff.gz 413931 SHA256 cbf661a1fec080dc9ed335a290414154326c2a13f124985db050b86a91073d52 SHA512 c91d0f1b69b6d34984e94b391ad022271e73d0634cef2df355ba555366bc38d30649b478f245b6c51ce79d71adf1b693bc97826e6c6013a78e7ccfb7023b4bcc WHIRLPOOL 4ed4427e80026996c43a188d7d45f2c53fa6a7fd842a248b1225b27f3e9037e761f0ed172d79b53ada81c24d958a2193e94d918f6ca1320e45d5e68379845981
 DIST openssh-7.1p1-hpnssh14v9.tar.xz 21580 SHA256 a795c2f2621f537b3fd98172cbd1f7c71869e4da78cd280d123fa19ae4262b97 SHA512 6ce151949bf81b5518b95092a2f18d2f24581954e2c629deaf3c1d10136f32f830567aafb9b4045547e95e3ab63cf750e240eac40e2b9caa6d71cb2b132821ec WHIRLPOOL 8e3c9a1d79112092a6cb42c6766ccdf61e5d8fcd366ea5c7d3bab94cf309bcc12f3761476a288158638a340023aa24519d888caac19fb0ef25fa56bdab06412c
 DIST openssh-7.1p1.tar.gz 1493170 SHA256 fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428 SHA512 f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7 WHIRLPOOL a650a93657f930d20dc3fa24ab720857f63f7cd0a82d1906cf1e58145e866129207851d5e587d678655e5731fa73221ab9b6ea0754533100c25fe2acaa442e05
-DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
 DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b

diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
deleted file mode 100644
index 2a34ee9..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-8.0.diff
-+++ openssh-6.6p1+x509-8.0.diff
-@@ -16337,10 +16337,10 @@
-  .It Cm ChallengeResponseAuthentication
-  Specifies whether challenge-response authentication is allowed (e.g. via
-  PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -514,6 +591,16 @@
-+ This facility is provided to assist with operation on multi homed machines.
-  The default is
-  .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased

diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
deleted file mode 100644
index beb2292..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v5.diff
-+++ openssh-6.6.1p1-hpnssh14v5.diff
-@@ -1742,18 +1742,14 @@
-  	if (options->ip_qos_interactive == -1)
-  		options->ip_qos_interactive = IPTOS_LOWDELAY;
-  	if (options->ip_qos_bulk == -1)
--@@ -345,9 +392,10 @@
-+@@ -345,6 +392,7 @@
-  	sUsePrivilegeSeparation, sAllowAgentForwarding,
-  	sHostCertificate,
-  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
-  	sKexAlgorithms, sIPQoS, sVersionAddendum,
-  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
---	sAuthenticationMethods, sHostKeyAgent,
--+	sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- 	sDeprecated, sUnsupported
-- } ServerOpCodes;
-- 
-+ 	sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +516,10 @@
-  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
-  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },

diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
deleted file mode 100644
index bd0b7ce..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- openssh-6.7_p1-sctp.patch.orig	2014-11-24 10:34:31.817538707 -0800
-+++ openssh-6.7_p1-sctp.patch	2014-11-24 10:38:52.744990154 -0800
-@@ -195,14 +195,6 @@
-  .Op Fl c Ar cipher
-  .Op Fl F Ar ssh_config
-  .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UsePrivilegedPort
-- .It User
-- .It UserKnownHostsFile
- @@ -218,6 +219,8 @@ and
-  to print debugging messages about their progress.
-  This is helpful in
-@@ -482,14 +474,6 @@
-  .Op Fl b Ar bind_address
-  .Op Fl c Ar cipher_spec
-  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
- @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
-  controls.
-  .It Fl y
-@@ -527,7 +511,7 @@
--  again:
-+
- -	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
- +	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- 	    "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+ 	    "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-  		switch (opt) {
-  		case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 96818e4..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
- 
- #include "ssh-gss.h"
- 
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
-     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-     GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- 	char lname[NI_MAXHOST];
- 	gss_OID_set oidset;
- 
--	gss_create_empty_oid_set(&status, &oidset);
--	gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
--	if (gethostname(lname, sizeof(lname))) {
--		gss_release_oid_set(&status, &oidset);
--		return (-1);
--	}
-+	if (options.gss_strict_acceptor) {
-+		gss_create_empty_oid_set(&status, &oidset);
-+		gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+			gss_release_oid_set(&status, &oidset);
-+			return (-1);
-+		}
-+
-+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+			gss_release_oid_set(&status, &oidset);
-+			return (ctx->major);
-+		}
-+
-+		if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+		    NULL, NULL)))
-+			ssh_gssapi_error(ctx);
- 
--	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- 		gss_release_oid_set(&status, &oidset);
- 		return (ctx->major);
-+	} else {
-+		ctx->name = GSS_C_NO_NAME;
-+		ctx->creds = GSS_C_NO_CREDENTIAL;
- 	}
--
--	if ((ctx->major = gss_acquire_cred(&ctx->minor,
--	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
--		ssh_gssapi_error(ctx);
--
--	gss_release_oid_set(&status, &oidset);
--	return (ctx->major);
-+	return GSS_S_COMPLETE;
- }
- 
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions 
- 	options->kerberos_get_afs_token = -1;
- 	options->gss_authentication=-1;
- 	options->gss_cleanup_creds = -1;
-+	options->gss_strict_acceptor = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- 		options->gss_authentication = 0;
- 	if (options->gss_cleanup_creds == -1)
- 		options->gss_cleanup_creds = 1;
-+	if (options->gss_strict_acceptor == -1)
-+		options->gss_strict_acceptor = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- 	sBanner, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
--	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+	sAcceptEnv, sPermitTunnel,
- 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- 	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
- 
- 	case sGssCleanupCreds:
- 		intptr = &options->gss_cleanup_creds;
-+		goto parse_flag;
-+
-+	case sGssStrictAcceptor:
-+		intptr = &options->gss_strict_acceptor;
- 		goto parse_flag;
- 
- 	case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- 						 * authenticated with Kerberos. */
- 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
- 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
-+	int 	gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
- 	int     password_authentication;	/* If true, permit password
- 						 * authentication. */
- 	int     kbd_interactive_authentication;	/* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
- 
- # Set this to 'yes' to enable PAM authentication, account processing, 
- # and session processing. If this is enabled, PAM authentication will 
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed

diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
deleted file mode 100644
index 71b9c51..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- openssh-6.7p1.orig/sshd_config.5	2014-11-24 10:24:29.356244415 -0800
-+++ openssh-6.7p1/sshd_config.5	2014-11-24 10:23:49.415029039 -0800
-@@ -610,21 +610,6 @@
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
--.It Cm GSSAPIStrictAcceptorCheck
--Determines whether to be strict about the identity of the GSSAPI acceptor
--a client authenticates against.
--If set to
--.Dq yes
--then the client must authenticate against the
--.Pa host
--service on the current hostname.
--If set to
--.Dq no
--then the client may authenticate against any service key stored in the
--machine's default store.
--This facility is provided to assist with operation on multi homed machines.
--The default is
--.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
-@@ -651,6 +636,21 @@
- attempting to resolve the name from the TCP connection itself.
- The default is
- .Dq no .
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostCertificate
- Specifies a file containing a public host certificate.
- The certificate's public key must match a private host key already specified

diff --git a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
deleted file mode 100644
index 170031d..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c
---- openssh-6.7p1.orig/ssh-rsa.c	2015-02-24 14:52:54.512197868 -0800
-+++ openssh-6.7p1/ssh-rsa.c	2015-02-27 11:48:54.173951646 -0800
-@@ -34,6 +34,7 @@
- #include "sshkey.h"
- #include "digest.h"
- #include "evp-compat.h"
-+#include "xmalloc.h"
- 
- /*NOTE: Do not define USE_LEGACY_RSA_... if build
-   is with FIPS capable OpenSSL */

diff --git a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch
deleted file mode 100644
index 7b12e9a..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,90 +0,0 @@
---- openssh-6.8_p1-sctp.patch.orig	2015-03-18 17:52:40.563506822 -0700
-+++ openssh-6.8_p1-sctp.patch	2015-03-18 18:14:30.919753194 -0700
-@@ -184,34 +184,6 @@
-  	int     port;		/* Port to connect. */
-  	int     address_family;
-  	int     connection_attempts;	/* Max attempts (seconds) before
----- a/scp.1
--+++ b/scp.1
--@@ -19,7 +19,7 @@
-- .Sh SYNOPSIS
-- .Nm scp
-- .Bk -words
---.Op Fl 12346BCpqrv
--+.Op Fl 12346BCpqrvz
-- .Op Fl c Ar cipher
-- .Op Fl F Ar ssh_config
-- .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
--@@ -218,6 +219,8 @@ and
-- to print debugging messages about their progress.
-- This is helpful in
-- debugging connection, authentication, and configuration problems.
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .El
-- .Sh EXIT STATUS
-- .Ex -std scp
- --- a/scp.c
- +++ b/scp.c
- @@ -395,7 +395,11 @@ main(int argc, char **argv)
-@@ -471,34 +443,6 @@
-  	int	protocol;	/* Supported protocol versions. */
-  	struct ForwardOptions fwd_opts;	/* forwarding options */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
----- a/ssh.1
--+++ b/ssh.1
--@@ -43,7 +43,7 @@
-- .Sh SYNOPSIS
-- .Nm ssh
-- .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-- .Op Fl b Ar bind_address
-- .Op Fl c Ar cipher_spec
-- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
--@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
-- controls.
-- .It Fl y
-- Send log information using the
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .Xr syslog 3
-- system module.
-- By default this information is sent to stderr.
- --- a/ssh.c
- +++ b/ssh.c
- @@ -194,12 +194,17 @@ extern int muxserver_sock;
-@@ -520,13 +464,11 @@
-  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-  "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
-  "           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
--@@ -506,7 +512,7 @@ main(int ac, char **av)
-- 	argv0 = av[0];
-+@@ -506,4 +512,4 @@ main(int ac, char **av)
-  
--  again:
---	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ 	    "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-  		switch (opt) {
-  		case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
deleted file mode 100644
index e14a728..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://bugs.gentoo.org/544078
-https://bugzilla.mindrot.org/show_bug.cgi?id=2369
-
-From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 23 Mar 2015 06:06:38 +0000
-Subject: [PATCH] upstream commit
-
-for ssh-keygen -A, don't try (and fail) to generate ssh
- v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
- without OpenSSL based on patch by Mike Frysinger; bz#2369
----
- ssh-keygen.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a3c2362..96dd8b4 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw)
- 		char *key_type_display;
- 		char *path;
- 	} key_types[] = {
-+#ifdef WITH_OPENSSL
-+#ifdef WITH_SSH1
- 		{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
-+#endif /* WITH_SSH1 */
- 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
- #ifdef OPENSSL_HAS_ECC
- 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
--#endif
-+#endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
- 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
- 		{ NULL, NULL, NULL }
- 	};
--- 
-2.3.3
-

diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 48fce1e..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
- 
- #include "ssh-gss.h"
- 
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
-     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-     GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- 	char lname[NI_MAXHOST];
- 	gss_OID_set oidset;
- 
--	gss_create_empty_oid_set(&status, &oidset);
--	gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
--	if (gethostname(lname, sizeof(lname))) {
--		gss_release_oid_set(&status, &oidset);
--		return (-1);
--	}
-+	if (options.gss_strict_acceptor) {
-+		gss_create_empty_oid_set(&status, &oidset);
-+		gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+			gss_release_oid_set(&status, &oidset);
-+			return (-1);
-+		}
-+
-+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+			gss_release_oid_set(&status, &oidset);
-+			return (ctx->major);
-+		}
-+
-+		if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+		    NULL, NULL)))
-+			ssh_gssapi_error(ctx);
- 
--	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- 		gss_release_oid_set(&status, &oidset);
- 		return (ctx->major);
-+	} else {
-+		ctx->name = GSS_C_NO_NAME;
-+		ctx->creds = GSS_C_NO_CREDENTIAL;
- 	}
--
--	if ((ctx->major = gss_acquire_cred(&ctx->minor,
--	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
--		ssh_gssapi_error(ctx);
--
--	gss_release_oid_set(&status, &oidset);
--	return (ctx->major);
-+	return GSS_S_COMPLETE;
- }
- 
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions 
- 	options->kerberos_get_afs_token = -1;
- 	options->gss_authentication=-1;
- 	options->gss_cleanup_creds = -1;
-+	options->gss_strict_acceptor = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- 		options->gss_authentication = 0;
- 	if (options->gss_cleanup_creds == -1)
- 		options->gss_cleanup_creds = 1;
-+	if (options->gss_strict_acceptor == -1)
-+		options->gss_strict_acceptor = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- 	sBanner, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
--	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+	sAcceptEnv, sPermitTunnel,
- 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- 	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
- 
- 	case sGssCleanupCreds:
- 		intptr = &options->gss_cleanup_creds;
-+		goto parse_flag;
-+
-+	case sGssStrictAcceptor:
-+		intptr = &options->gss_strict_acceptor;
- 		goto parse_flag;
- 
- 	case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- 						 * authenticated with Kerberos. */
- 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
- 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
-+	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
- 	int     password_authentication;	/* If true, permit password
- 						 * authentication. */
- 	int     kbd_interactive_authentication;	/* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
- 
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAcceptedKeyTypes
- Specifies the key types that will be accepted for hostbased authentication
- as a comma-separated pattern list.

diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
deleted file mode 100644
index e72b1e6..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/0005-support-dynamically-sized-receive-buffers.patch
-+++ b/0005-support-dynamically-sized-receive-buffers.patch
-@@ -411,10 +411,10 @@ index af2f007..41b782b 100644
- --- a/compat.h
- +++ b/compat.h
- @@ -60,6 +60,7 @@
-- #define SSH_NEW_OPENSSH		0x04000000
-  #define SSH_BUG_DYNAMIC_RPORT	0x08000000
-  #define SSH_BUG_CURVE25519PAD	0x10000000
--+#define SSH_BUG_LARGEWINDOW	0x20000000
-+ #define SSH_BUG_HOSTKEYS	0x20000000
-++#define SSH_BUG_LARGEWINDOW	0x40000000
-  
-  void     enable_compat13(void);
-  void     enable_compat20(void);

diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
deleted file mode 100644
index f99e92f..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-https://bugs.gentoo.org/547944
-
-From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Fri, 10 Apr 2015 05:16:50 +0000
-Subject: [PATCH] upstream commit
-
-Don't send hostkey advertisments
- (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
- handle them.  Newer versions should be OK.  Patch from Bryan Drewery and
- IWAMOTO Kouichi, ok djm@
----
- compat.c | 13 ++++++++++++-
- compat.h |  3 ++-
- sshd.c   |  6 +++++-
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/compat.c b/compat.c
-index 2498168..0934de9 100644
---- a/compat.c
-+++ b/compat.c
-@@ -167,6 +167,17 @@ compat_datafellows(const char *version)
- 					SSH_BUG_SCANNER },
- 		{ "Probe-*",
- 					SSH_BUG_PROBE },
-+		{ "TeraTerm SSH*,"
-+		  "TTSSH/1.5.*,"
-+		  "TTSSH/2.1*,"
-+		  "TTSSH/2.2*,"
-+		  "TTSSH/2.3*,"
-+		  "TTSSH/2.4*,"
-+		  "TTSSH/2.5*,"
-+		  "TTSSH/2.6*,"
-+		  "TTSSH/2.70*,"
-+		  "TTSSH/2.71*,"
-+		  "TTSSH/2.72*",	SSH_BUG_HOSTKEYS },
- 		{ NULL,			0 }
- 	};
- 
-diff --git a/compat.h b/compat.h
-index af2f007..83507f0 100644
---- a/compat.h
-+++ b/compat.h
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH		0x04000000
- #define SSH_BUG_DYNAMIC_RPORT	0x08000000
- #define SSH_BUG_CURVE25519PAD	0x10000000
-+#define SSH_BUG_HOSTKEYS	0x20000000
- 
- void     enable_compat13(void);
- void     enable_compat20(void);
-diff --git a/sshd.c b/sshd.c
-index 6aa17fa..60b0cd4 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh)
- 	int i, nkeys, r;
- 	char *fp;
- 
-+	/* Some clients cannot cope with the hostkeys message, skip those. */
-+	if (datafellows & SSH_BUG_HOSTKEYS)
-+		return;
-+
- 	if ((buf = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new", __func__);
- 	for (i = nkeys = 0; i < options.num_host_key_files; i++) {
--- 
-2.3.6
-

diff --git a/net-misc/openssh/openssh-6.7_p1-r4.ebuild b/net-misc/openssh/openssh-6.7_p1-r4.ebuild
deleted file mode 100644
index 3398875..0000000
--- a/net-misc/openssh/openssh-6.7_p1-r4.ebuild
+++ /dev/null
@@ -1,323 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz"
-X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${P}-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509"
-REQUIRED_USE="pie? ( !static )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	>=dev-libs/openssl-0.9.6d:0[bindist=]
-	dev-libs/openssl[static-libs(+)]
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? (
-		${LIB_DEPEND//\[static-libs(+)]}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl] )
-		)
-	)
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? (
-		${LIB_DEPEND}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
-		)
-	)
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361
-	if use X509 ; then
-		pushd .. >/dev/null
-		epatch "${FILESDIR}"/${P}-x509-glue.patch
-		epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.7_p1-xmalloc-include.patch
-		save_version X509
-	fi
-	if ! use X509 ; then
-		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-			save_version LPK
-		fi
-	else
-		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch
-	if [[ -n ${HPN_PATCH} ]] && use hpn; then
-		epatch "${WORKDIR}"/${HPN_PATCH%.*}/*
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-static_use_with() {
-	local flag=$1
-	if use static && use ${flag} ; then
-		ewarn "Disabling '${flag}' support because of USE='static'"
-		# rebuild args so that we invert the first one (USE flag)
-		# but otherwise leave everything else working so we can
-		# just leverage use_with
-		shift
-		[[ -z $1 ]] && flag="${flag} ${flag}"
-		set -- !${flag} "$@"
-	fi
-	use_with "$@"
-}
-
-src_configure() {
-	local myconf=()
-	addwrite /dev/ptmx
-
-	use static && append-ldflags -static
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf \
-		--with-ldflags="${LDFLAGS}" \
-		--disable-strip \
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run \
-		--sysconfdir="${EPREFIX}"/etc/ssh \
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
-		--datadir="${EPREFIX}"/usr/share/openssh \
-		--with-privsep-path="${EPREFIX}"/var/empty \
-		--with-privsep-user=sshd \
-		--with-md5-passwords \
-		--with-ssl-engine \
-		$(static_use_with pam) \
-		$(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \
-		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
-		$(use_with ldns) \
-		$(use_with libedit) \
-		$(use_with pie) \
-		$(use_with sctp) \
-		$(use_with selinux) \
-		$(use_with skey) \
-		"${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	# not all openssl installs support ecc, or are functional #352645
-	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
-		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
-		sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
-	fi
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		keepdir /var/empty/dev
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	ewarn "Remember to merge your config files in /etc/ssh/ and then"
-	ewarn "reload sshd: '/etc/init.d/sshd reload'."
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		einfo "For the HPN server logging patch, you must ensure that"
-		einfo "your syslog application also listens at /var/empty/dev/log."
-	fi
-	elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
-	elog "      dropped it.  Make sure to update any configs that you might have."
-}

diff --git a/net-misc/openssh/openssh-6.7_p1.ebuild b/net-misc/openssh/openssh-6.7_p1.ebuild
deleted file mode 100644
index cb06aa7..0000000
--- a/net-misc/openssh/openssh-6.7_p1.ebuild
+++ /dev/null
@@ -1,322 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz"
-#X509_VER="8.1" X509_PATCH="${PARCH/6.7/6.6}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${P}-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam +pie sctp selinux skey static X X509"
-REQUIRED_USE="pie? ( !static )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	>=dev-libs/openssl-0.9.6d:0[bindist=]
-	dev-libs/openssl[static-libs(+)]
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? (
-		${LIB_DEPEND//\[static-libs(+)]}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl] )
-		)
-	)
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? (
-		${LIB_DEPEND}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
-		)
-	)
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361
-	if use X509 ; then
-		pushd .. >/dev/null
-		epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-glue.patch
-		use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v5-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		save_version X509
-	fi
-	if ! use X509 ; then
-		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-			save_version LPK
-		fi
-	else
-		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch
-	if [[ -n ${HPN_PATCH} ]] && use hpn; then
-		epatch "${WORKDIR}"/${HPN_PATCH%.*}/*
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-static_use_with() {
-	local flag=$1
-	if use static && use ${flag} ; then
-		ewarn "Disabling '${flag}' support because of USE='static'"
-		# rebuild args so that we invert the first one (USE flag)
-		# but otherwise leave everything else working so we can
-		# just leverage use_with
-		shift
-		[[ -z $1 ]] && flag="${flag} ${flag}"
-		set -- !${flag} "$@"
-	fi
-	use_with "$@"
-}
-
-src_configure() {
-	local myconf=()
-	addwrite /dev/ptmx
-
-	use static && append-ldflags -static
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf \
-		--with-ldflags="${LDFLAGS}" \
-		--disable-strip \
-		--with-pid-dir="${EPREFIX}"/var/run \
-		--sysconfdir="${EPREFIX}"/etc/ssh \
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
-		--datadir="${EPREFIX}"/usr/share/openssh \
-		--with-privsep-path="${EPREFIX}"/var/empty \
-		--with-privsep-user=sshd \
-		--with-md5-passwords \
-		--with-ssl-engine \
-		$(static_use_with pam) \
-		$(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \
-		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
-		$(use_with ldns) \
-		$(use_with libedit) \
-		$(use_with pie) \
-		$(use_with sctp) \
-		$(use_with selinux) \
-		$(use_with skey) \
-		"${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	# not all openssl installs support ecc, or are functional #352645
-	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
-		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
-		sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
-	fi
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		keepdir /var/empty/dev
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	ewarn "Remember to merge your config files in /etc/ssh/ and then"
-	ewarn "reload sshd: '/etc/init.d/sshd reload'."
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		einfo "For the HPN server logging patch, you must ensure that"
-		einfo "your syslog application also listens at /var/empty/dev/log."
-	fi
-	elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
-	elog "      dropped it.  Make sure to update any configs that you might have."
-}

diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild
deleted file mode 100644
index ed55efd..0000000
--- a/net-misc/openssh/openssh-6.8_p1-r5.ebuild
+++ /dev/null
@@ -1,331 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${P}-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? (
-		http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
-		mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz
-	)}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssh1/ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509"
-REQUIRED_USE="pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	ssl? (
-		>=dev-libs/openssl-0.9.6d:0[bindist=]
-		dev-libs/openssl[static-libs(+)]
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? (
-		${LIB_DEPEND//\[static-libs(+)]}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl] )
-		)
-	)
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? (
-		${LIB_DEPEND}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
-		)
-	)
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-		die "USE=tcpd no longer works"
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361
-	if use X509 ; then
-		pushd .. >/dev/null
-		epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch
-		epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078
-	epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${P}-sctp.patch
-	if use hpn ; then
-		# The teraterm patch pulled in an upstream update.
-		pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
-		epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch
-		popd >/dev/null
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		keepdir /var/empty/dev
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	ewarn "Remember to merge your config files in /etc/ssh/ and then"
-	ewarn "reload sshd: '/etc/init.d/sshd reload'."
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		einfo "For the HPN server logging patch, you must ensure that"
-		einfo "your syslog application also listens at /var/empty/dev/log."
-	fi
-	elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
-	elog "      dropped it.  Make sure to update any configs that you might have."
-}

diff --git a/net-misc/openssh/openssh-6.9_p1-r1.ebuild b/net-misc/openssh/openssh-6.9_p1-r1.ebuild
deleted file mode 100644
index a7dc45a..0000000
--- a/net-misc/openssh/openssh-6.9_p1-r1.ebuild
+++ /dev/null
@@ -1,322 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.9p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	ssl? (
-		>=dev-libs/openssl-0.9.6d:0[bindist=]
-		dev-libs/openssl[static-libs(+)]
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? (
-		${LIB_DEPEND//\[static-libs(+)]}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl] )
-		)
-	)
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? (
-		${LIB_DEPEND}
-		ldns? (
-			!bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
-			bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
-		)
-	)
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		eerror "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-		die "USE=tcpd no longer works"
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		keepdir /var/empty/dev
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	ewarn "Remember to merge your config files in /etc/ssh/ and then"
-	ewarn "reload sshd: '/etc/init.d/sshd reload'."
-	# This instruction is from the HPN webpage,
-	# Used for the server logging functionality
-	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
-		einfo "For the HPN server logging patch, you must ensure that"
-		einfo "your syslog application also listens at /var/empty/dev/log."
-	fi
-	elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
-	elog "      dropped it.  Make sure to update any configs that you might have."
-}

diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild
deleted file mode 100644
index 40ad0d2..0000000
--- a/net-misc/openssh/openssh-6.9_p1-r2.ebuild
+++ /dev/null
@@ -1,310 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		>=dev-libs/openssl-0.9.8f:0[bindist=]
-		dev-libs/openssl:0[static-libs(+)]
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	ewarn "Remember to merge your config files in /etc/ssh/ and then"
-	ewarn "reload sshd: '/etc/init.d/sshd reload'."
-	elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
-	elog "      dropped it.  Make sure to update any configs that you might have."
-}

diff --git a/net-misc/openssh/openssh-7.0_p1.ebuild b/net-misc/openssh/openssh-7.0_p1.ebuild
deleted file mode 100644
index 9f3ff39..0000000
--- a/net-misc/openssh/openssh-7.0_p1.ebuild
+++ /dev/null
@@ -1,323 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.5" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		>=dev-libs/openssl-0.9.8f:0[bindist=]
-		dev-libs/openssl:0[static-libs(+)]
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
-		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.1_p1-r1.ebuild b/net-misc/openssh/openssh-7.1_p1-r1.ebuild
deleted file mode 100644
index 2571fd0..0000000
--- a/net-misc/openssh/openssh-7.1_p1-r1.ebuild
+++ /dev/null
@@ -1,328 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		pushd ${HPN_PATCH%.*.*} >/dev/null
-		epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-		popd >/dev/null
-		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.1_p1.ebuild b/net-misc/openssh/openssh-7.1_p1.ebuild
deleted file mode 100644
index 895dc7f..0000000
--- a/net-misc/openssh/openssh-7.1_p1.ebuild
+++ /dev/null
@@ -1,325 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		>=dev-libs/openssl-0.9.8f:0[bindist=]
-		dev-libs/openssl:0[static-libs(+)]
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		pushd ${HPN_PATCH%.*.*} >/dev/null
-		epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-		popd >/dev/null
-		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
-		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		# The X509 patch deletes this option entirely.
-		$(use X509 || use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
-	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
-		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
-		append-ldflags -lutil
-	fi
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-08-03 21:06 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2016-08-03 21:06 UTC (permalink / raw
  To: gentoo-commits

commit:     0b7038ba6edab3a037851c87160c2338314358ca
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Aug  3 21:03:18 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Aug  3 21:06:09 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b7038ba

net-misc/openssh: Revision bump, enable the X509 patch

Package-Manager: portage-2.3.0

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-7.3_p1-sctp-x509-glue.patch      |  67 +++++
 net-misc/openssh/openssh-7.3_p1-r1.ebuild          | 332 +++++++++++++++++++++
 3 files changed, 400 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index f3b4f04..958961b 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,6 +6,7 @@ DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac8
 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
+DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d

diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..2def699
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
@@ -0,0 +1,67 @@
+--- a/openssh-7.3_p1-sctp.patch	2016-08-03 13:10:15.733228732 -0700
++++ b/openssh-7.3_p1-sctp.patch	2016-08-03 13:25:53.274630002 -0700
+@@ -226,14 +226,6 @@
+  .Op Fl c Ar cipher
+  .Op Fl F Ar ssh_config
+  .Op Fl i Ar identity_file
+-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -224,6 +225,8 @@ and
+  to print debugging messages about their progress.
+  This is helpful in
+@@ -493,19 +485,11 @@
+  .Sh SYNOPSIS
+  .Nm ssh
+  .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+  .Op Fl b Ar bind_address
+  .Op Fl c Ar cipher_spec
+  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UpdateHostKeys
+ @@ -795,6 +796,8 @@ controls.
+  .Pp
+  .It Fl y
+@@ -533,18 +517,18 @@
+  usage(void)
+  {
+  	fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+- "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
+- "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
++ "           [-F configfile]\n"
++ #ifdef USE_OPENSSL_ENGINE
+ @@ -608,7 +613,7 @@ main(int ac, char **av)
+- 	argv0 = av[0];
++ #  define ENGCONFIG ""
++ #endif
+  
+-  again:
+--	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+- 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++ 	    "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+  		switch (opt) {
+  		case '1':
+ @@ -857,6 +862,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/openssh-7.3_p1-r1.ebuild b/net-misc/openssh/openssh-7.3_p1-r1.ebuild
new file mode 100644
index 0000000..4a4a2e0
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r1.ebuild
@@ -0,0 +1,332 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}
+		mirror://sourceforge/hpnssh/${HPN_PATCH}
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd ${HPN_PATCH%.*.*} >/dev/null
+			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+		#save_version X509
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+	epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	if use hpn ; then
+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-09-07 22:24 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2016-09-07 22:24 UTC (permalink / raw
  To: gentoo-commits

commit:     81329c816ddebc778e8c943ba6e4c5be0f09ad80
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Sep  7 22:23:49 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Sep  7 22:24:07 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81329c81

net-misc/openssh: Update hpn patch to remove another theoretic race

Package-Manager: portage-2.3.0

 net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch | 10 +++++++---
 net-misc/openssh/openssh-7.3_p1-r3.ebuild              |  5 +++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
index 34acd5d..e8d462c 100644
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
@@ -1,5 +1,5 @@
 --- openssh-7_2_P2-hpn-14.10.diff.orig	2016-09-01 10:34:05.905112131 -0700
-+++ openssh-7_2_P2-hpn-14.10.diff	2016-09-07 11:37:21.455870893 -0700
++++ openssh-7_2_P2-hpn-14.10.diff	2016-09-07 15:13:59.267910872 -0700
 @@ -156,145 +156,6 @@
   	compat.o crc32.o deattack.o fatal.o hostfile.o \
   	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
@@ -221,7 +221,7 @@
  +
  +		c->state = HAVE_NONE;
  +		for (i = 0; i < NUMKQ; i++) {
-@@ -966,7 +836,9 @@
+@@ -966,10 +836,12 @@
  +		/* Start threads */
  +		for (i = 0; i < CIPHER_THREADS; i++) {
  +			debug("spawned a thread");
@@ -230,7 +230,11 @@
 ++			pthread_rwlock_unlock(&c->thread_lock);
  +		}
  +		pthread_mutex_lock(&c->q[0].lock);
- +		while (c->q[0].qstate != KQDRAINING)
+-+		while (c->q[0].qstate != KQDRAINING)
+++		while (c->q[0].qstate == KQINIT)
+ +			pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
+ +		pthread_mutex_unlock(&c->q[0].lock);
+ +	}
 @@ -1003,7 +875,9 @@
  +	/* reconstruct threads */
  +	for (i = 0; i < CIPHER_THREADS; i++) {

diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
index ddaf458..be91ad4 100644
--- a/net-misc/openssh/openssh-7.3_p1-r3.ebuild
+++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
@@ -36,12 +36,13 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
 REQUIRED_USE="ldns? ( ssl )
 	pie? ( !static )
 	ssh1? ( ssl )
 	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
+	X509? ( !ldap ssl )
+	test? ( ssl )"
 
 LIB_DEPEND="
 	ldns? (


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-09-20  1:42 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2016-09-20  1:42 UTC (permalink / raw
  To: gentoo-commits

commit:     82d72deec8357ab399ef96e4d4eda1b64bc37f6f
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 20 01:40:48 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Sep 20 01:40:48 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d72dee

net-misc/openssh: Revision bump, update to version 9.2 of the X509 patch

- Clean up some warnings introduced by the X509 patch
- Add patch to fix compilation on MIPS64/N32 (bug #591392)
- Pull in patch from upstream cvs to fix ssh1 support (bug #592122)

Also bump the HPN patch to remove an unused function

Package-Manager: portage-2.3.1

 net-misc/openssh/Manifest                          |   2 +
 .../files/openssh-7.3-mips-seccomp-n32.patch       |  16 +
 ...ssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch |  13 +
 .../files/openssh-7.3_p1-hpn-x509-9.2-glue.patch   |  41 +++
 .../files/openssh-7.3_p1-x509-9.2-warnings.patch   | 109 +++++++
 net-misc/openssh/openssh-7.3_p1-r5.ebuild          | 349 +++++++++++++++++++++
 6 files changed, 530 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 81eba75..1d56f56 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -5,10 +5,12 @@ DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6
 DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306
 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
+DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
 DIST openssh-7.3_p1-hpn-14.10.patch.xz 20764 SHA256 1c3799d83b52fc5d9370a0d7ccc11f45db0cf089ece7b7b2f5f24943df16f918 SHA512 95e7dfbd3246678f997cb7818add9910136004b9e2e575122981f50b4eadd2517eb38a8de16bfe3a387e6cc65dbd15dae116649d55768767fc13f796a6d15a09 WHIRLPOOL 4167970087e17c8d9c2184109e85226f9a77d040868bd8b9ccab6ebc3d94f81b0d93489c3ad15b028e3fa842786cd2898dce54822b2e870470113634884285b4
 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
+DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d

diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
new file mode 100644
index 00000000..0a4c0e7
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
@@ -0,0 +1,16 @@
+diff -Naurp openssh-7.3p1.orig/configure.ac openssh-7.3p1/configure.ac
+--- openssh-7.3p1.orig/configure.ac	2016-07-27 22:54:27.000000000 +0000
++++ openssh-7.3p1/configure.ac	2016-08-17 15:58:11.531465000 +0000
+@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
+ 		;;
+ 	mips64-*)
+-		seccomp_audit_arch=AUDIT_ARCH_MIPS64
++		seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+ 		;;
+ 	mips64el-*)
+-		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
++		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+ 		;;
+ 	esac
+ 	if test "x$seccomp_audit_arch" != "x" ; then

diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
new file mode 100644
index 00000000..b0d8238
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
@@ -0,0 +1,13 @@
+diff --git a/sshd.c b/sshd.c
+index 799c771..9fc829a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
+ 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 	} else
+ #endif
+-		if ((r = sshbuf_put_u32(m, 1)) != 0)
++		if ((r = sshbuf_put_u32(m, 0)) != 0)
+ 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+ #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
new file mode 100644
index 00000000..f077c05
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
@@ -0,0 +1,41 @@
+--- a/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:00:21.561121417 -0700
++++ b/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:22:51.337118439 -0700
+@@ -1155,7 +1155,7 @@
+ @@ -44,7 +44,7 @@
+  LD=@LD@
+  CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -2144,12 +2144,12 @@
+  	/* Bind the socket to an alternative local IP address */
+  	if (options.bind_address == NULL && !privileged)
+  		return sock;
+-@@ -527,10 +555,10 @@
++@@ -555,10 +583,10 @@
+  	/* Send our own protocol version identification. */
+  	if (compat20) {
+- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
+  	} else {
+  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -2163,9 +2163,9 @@
+ @@ -432,7 +432,7 @@
+  	}
+  
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+--	    major, minor, SSH_VERSION,
+-+	    major, minor, SSH_RELEASE,
++ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++-	    major, minor, SSH_VERSION, comment,
+++	    major, minor, SSH_RELEASE, comment,
+  	    *options.version_addendum == '\0' ? "" : " ",
+  	    options.version_addendum, newline);
+  

diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
new file mode 100644
index 00000000..528dc6f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
@@ -0,0 +1,109 @@
+diff --git a/kex.c b/kex.c
+index 143227a..c9b84c2 100644
+--- a/kex.c
++++ b/kex.c
+@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
+ static int
+ kex_send_ext_info(struct ssh *ssh)
+ {
++#ifdef EXPERIMENTAL_RSA_SHA2_256
+ 	int r;
+ 
+-#ifdef EXPERIMENTAL_RSA_SHA2_256
+ /* IMPORTANT NOTE:
+  * Do not offer rsa-sha2-* until is resolved misconfiguration issue
+  * with allowed public key algorithms!
+diff --git a/key-eng.c b/key-eng.c
+index 9bc50fd..bc0d03d 100644
+--- a/key-eng.c
++++ b/key-eng.c
+@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
+ 	while (buffer_len(&eng_list) > 0) {
+ 		u_int   k = 0;
+ 		char    *s;
+-		ENGINE  *e;
+ 
+ 		s = buffer_get_cstring_ret(&eng_list, &k);
+ 		ssh_engine_reset(s);
+diff --git a/monitor.c b/monitor.c
+index 345d3df..0de30ad 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
+ 	    (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
+ 	    (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	if (keyid > INT_MAX)
++	if (keyid32 > INT_MAX)
+ 		fatal("%s: invalid key ID", __func__);
+ 
+ 	keyid = keyid32; /*save cast*/
+diff --git a/readconf.c b/readconf.c
+index beb38a0..1cbda7e 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1459,7 +1459,9 @@ parse_int:
+ 
+ 	case oHostKeyAlgorithms:
+ 		charptr = &options->hostkeyalgorithms;
++# if 0
+ parse_keytypes:
++# endif
+ 		arg = strdelim(&s);
+ 		if (!arg || *arg == '\0')
+ 			fatal("%.200s line %d: Missing argument.",
+diff --git a/servconf.c b/servconf.c
+index a540138..e77a344 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1574,7 +1573,9 @@ parse_string:
+ 
+ 	case sHostKeyAlgorithms:
+ 		charptr = &options->hostkeyalgorithms;
++# if 0
+  parse_keytypes:
++#endif
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+ 			fatal("%s line %d: Missing argument.",
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 50f04b7..3f9a7bf 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
+ }
+ 
+ #ifdef OPENSSL_HAS_ECC
++#ifdef HAVE_EC_KEY_METHOD_NEW
+ /* openssl callback for freeing an EC key */
+ static void
+ pkcs11_ec_finish(EC_KEY *ec)
+ {
+ 	struct pkcs11_key	*k11;
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+ 	k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+ 	EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#else
+-	k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+-	ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#endif
+ 	pkcs11_key_free(k11);
+ }
++#endif /*def HAVE_EC_KEY_METHOD_NEW*/
+ #endif /*def OPENSSL_HAS_ECC*/
+ 
+ 
+diff --git a/sshconnect.c b/sshconnect.c
+index fd2a70e..0960be1 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
+ {
+ 	/* Send our own protocol version identification. */
+ 	if (compat20) {
+-		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
++		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+ 		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+ 	} else {
+ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",

diff --git a/net-misc/openssh/openssh-7.3_p1-r5.ebuild b/net-misc/openssh/openssh-7.3_p1-r5.ebuild
new file mode 100644
index 00000000..7e320b5
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r5.ebuild
@@ -0,0 +1,349 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="${PV}"
+HPN_VER="14.10"
+
+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}.xz
+		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+		save_version X509
+	else
+		# bug #592122, fixed by X509 patch
+		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+
+	if use hpn ; then
+		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		epatch "${WORKDIR}"/${HPN_PATCH}
+		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	# 7.3 added seccomp support to MIPS, but failed to handled the N32
+	# case.  This patch is temporary until upstream fixes.  See
+	# Gentoo bug #591392 or upstream #2590.
+	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
+		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-09-28  8:40 Lars Wendler
  0 siblings, 0 replies; 57+ messages in thread
From: Lars Wendler @ 2016-09-28  8:40 UTC (permalink / raw
  To: gentoo-commits

commit:     4af98ae59360be2700bff0db38445628705223ce
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 28 08:39:32 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Sep 28 08:40:13 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4af98ae5

net-misc/openssh: Removed old.

Package-Manager: portage-2.3.1
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   8 -
 .../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch  | 127 --------
 .../openssh-6.8_p1-ssl-engine-configure.patch      |  33 --
 .../files/openssh-7.0_p1-sctp-x509-glue.patch      |  74 -----
 .../files/openssh-7.1_p2-x509-hpn14v10-glue.patch  |  51 ----
 .../openssh-7.3_p1-fix-segfault-with-x509.patch    |  12 -
 net-misc/openssh/openssh-7.1_p2-r1.ebuild          | 326 --------------------
 net-misc/openssh/openssh-7.3_p1-r1.ebuild          | 332 --------------------
 net-misc/openssh/openssh-7.3_p1-r2.ebuild          | 332 --------------------
 net-misc/openssh/openssh-7.3_p1-r3.ebuild          | 338 --------------------
 net-misc/openssh/openssh-7.3_p1-r4.ebuild          | 339 ---------------------
 net-misc/openssh/openssh-7.3_p1.ebuild             | 331 --------------------
 12 files changed, 2303 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 1d56f56..753ea13 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,17 +1,9 @@
-DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
-DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
-DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
 DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306
 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
 DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
-DIST openssh-7.3_p1-hpn-14.10.patch.xz 20764 SHA256 1c3799d83b52fc5d9370a0d7ccc11f45db0cf089ece7b7b2f5f24943df16f918 SHA512 95e7dfbd3246678f997cb7818add9910136004b9e2e575122981f50b4eadd2517eb38a8de16bfe3a387e6cc65dbd15dae116649d55768767fc13f796a6d15a09 WHIRLPOOL 4167970087e17c8d9c2184109e85226f9a77d040868bd8b9ccab6ebc3d94f81b0d93489c3ad15b028e3fa842786cd2898dce54822b2e870470113634884285b4
 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
-DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
-DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
 DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
-DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
 DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c

diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5c..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c	5 Aug 2006 02:39:40 -0000	1.135
-+++ readconf.c	19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns, 
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- #else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- 	{ "fallbacktorsh", oDeprecated },
- 	{ "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1010,6 +1017,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h	5 Aug 2006 02:39:40 -0000	1.63
-+++ readconf.h	19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5	5 Aug 2006 01:34:51 -0000	1.97
-+++ ssh_config.5	19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to 
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If 
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c	18 Aug 2006 14:33:34 -0000	1.151
-+++ sshconnect2.c	19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns)
-+		gss_host = get_canonical_hostname(1);
-+	else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -511,7 +517,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;

diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
deleted file mode 100644
index a355e2c..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://github.com/openssh/openssh-portable/pull/29
-
-From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Wed, 18 Mar 2015 12:37:24 -0400
-Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
- set
-
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b4d6598..7806d20 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2276,10 +2276,10 @@ openssl_engine=no
- AC_ARG_WITH([ssl-engine],
- 	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
- 	[
--		if test "x$openssl" = "xno" ; then
--			AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
--		fi
- 		if test "x$withval" != "xno" ; then
-+			if test "x$openssl" = "xno" ; then
-+				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-+			fi
- 			openssl_engine=yes
- 		fi
- 	]
--- 
-2.3.2
-

diff --git a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
deleted file mode 100644
index d793f90..00000000
--- a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,74 +0,0 @@
---- openssh-6.8_p1-sctp.patch.1	2015-08-12 16:01:13.854769013 -0700
-+++ openssh-6.8_p1-sctp.patch	2015-08-12 16:00:38.208488789 -0700
-@@ -195,14 +195,6 @@
-  .Op Fl c Ar cipher
-  .Op Fl F Ar ssh_config
-  .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
- @@ -218,6 +219,8 @@ and
-  to print debugging messages about their progress.
-  This is helpful in
-@@ -477,19 +469,11 @@
-  .Sh SYNOPSIS
-  .Nm ssh
-  .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
-++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
-  .Op Fl b Ar bind_address
-  .Op Fl c Ar cipher_spec
-  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
- @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
-  controls.
-  .It Fl y
-@@ -501,7 +485,7 @@
-  By default this information is sent to stderr.
- --- a/ssh.c
- +++ b/ssh.c
--@@ -194,12 +194,17 @@ extern int muxserver_sock;
-+@@ -194,11 +194,16 @@ extern int muxserver_sock;
-  extern u_int muxclient_command;
-  
-  /* Prints a help message to the user.  This function never returns. */
-@@ -515,18 +499,17 @@
-  usage(void)
-  {
-  	fprintf(stderr,
---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
--+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-  "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
-- "           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
- @@ -506,7 +512,7 @@ main(int ac, char **av)
-- 	argv0 = av[0];
-+ #  define ENGCONFIG ""
-+ #endif
-  
--  again:
---	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ 	    "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-  		switch (opt) {
-  		case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
deleted file mode 100644
index 5124569..00000000
--- a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
+++ /dev/null
@@ -1,51 +0,0 @@
---- openssh-7.1p2/Makefile.in
-+++ openssh-7.1p2/Makefile.in
-@@ -45,7 +45,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
-@@ -53,6 +53,7 @@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
-+CPPFLAGS+=@LDAP_CPPFLAGS@
- AR=@AR@
- AWK=@AWK@
- RANLIB=@RANLIB@
---- openssh-7.1p2/sshconnect.c
-+++ openssh-7.1p2/sshconnect.c
-@@ -465,7 +465,7 @@
- {
- 	/* Send our own protocol version identification. */
- 	if (compat20) {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- 		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- 	} else {
- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
---- openssh-7.1p2/sshd.c
-+++ openssh-7.1p2/sshd.c
-@@ -472,8 +472,8 @@
- 		comment = "";
- 	}
- 
--	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
--	    major, minor, SSH_VERSION, comment,
-+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+	    major, minor, SSH_VERSION,
- 	    *options.version_addendum == '\0' ? "" : " ",
- 	    options.version_addendum, newline);
- 
---- openssh-7.1p2/version.h
-+++ openssh-7.1p2/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION	"OpenSSH_7.1"
- 
- #define SSH_PORTABLE	"p2"
-+#define SSH_X509	" PKIX"
- #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-segfault-with-x509.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-segfault-with-x509.patch
deleted file mode 100644
index dca4457..00000000
--- a/net-misc/openssh/files/openssh-7.3_p1-fix-segfault-with-x509.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/sshkey.c b/sshkey.c
-index c9f04cd..4f00e9a 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -1237,6 +1237,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
- #endif /* WITH_SSH1 */
- 
- 	cp = *cpp;
-+	ep = cp;
- 
- 	switch (ret->type) {
- 	case KEY_RSA1:

diff --git a/net-misc/openssh/openssh-7.1_p2-r1.ebuild b/net-misc/openssh/openssh-7.1_p2-r1.ebuild
deleted file mode 100644
index 5c418d4..00000000
--- a/net-misc/openssh/openssh-7.1_p2-r1.ebuild
+++ /dev/null
@@ -1,326 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz"
-X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd ${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	# The X509 patchset fixes this independently.
-	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
-	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1-r1.ebuild b/net-misc/openssh/openssh-7.3_p1-r1.ebuild
deleted file mode 100644
index a915481..00000000
--- a/net-misc/openssh/openssh-7.3_p1-r1.ebuild
+++ /dev/null
@@ -1,332 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd ${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
-		#save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1-r2.ebuild b/net-misc/openssh/openssh-7.3_p1-r2.ebuild
deleted file mode 100644
index 753d73e..00000000
--- a/net-misc/openssh/openssh-7.3_p1-r2.ebuild
+++ /dev/null
@@ -1,332 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd ${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
-		#save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
deleted file mode 100644
index 0e26a92..00000000
--- a/net-misc/openssh/openssh-7.3_p1-r3.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
-
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}.xz
-		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd "${WORKDIR}" >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-
-	if use hpn ; then
-		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		epatch "${WORKDIR}"/${HPN_PATCH}
-		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1-r4.ebuild b/net-misc/openssh/openssh-7.3_p1-r4.ebuild
deleted file mode 100644
index 27291c9..00000000
--- a/net-misc/openssh/openssh-7.3_p1-r4.ebuild
+++ /dev/null
@@ -1,339 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
-
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}.xz
-		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd "${WORKDIR}" >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${P}-fix-segfault-with-x509.patch
-		#save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-
-	if use hpn ; then
-		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		epatch "${WORKDIR}"/${HPN_PATCH}
-		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1.ebuild b/net-misc/openssh/openssh-7.3_p1.ebuild
deleted file mode 100644
index 871c3c4..00000000
--- a/net-misc/openssh/openssh-7.3_p1.ebuild
+++ /dev/null
@@ -1,331 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-#X509_VER="8.9" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}
-		mirror://sourceforge/hpnssh/${HPN_PATCH}
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd ${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
-		#save_version X509
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-	epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-10-17 17:51 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2016-10-17 17:51 UTC (permalink / raw
  To: gentoo-commits

commit:     4a9ab68a607415d932b524eab2f523d1e9ce77e1
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 17 17:48:45 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Oct 17 17:48:45 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a9ab68a

net-misc/openssh: Revision bump, add patch to fix a preauth memory consumption issue

Gentoo-Bug: 597360

Package-Manager: portage-2.3.2

 ...egister-the-KEXINIT-handler-after-receive.patch |  18 ++
 net-misc/openssh/openssh-7.3_p1-r7.ebuild          | 352 +++++++++++++++++++++
 2 files changed, 370 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
new file mode 100644
index 00000000..f7b41dc
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
@@ -0,0 +1,18 @@
+diff --git a/kex.c b/kex.c
+index 50c7a0f..d09c27b 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+  *
+@@ -472,6 +472,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;

diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
new file mode 100644
index 00000000..ad0950f
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
@@ -0,0 +1,352 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="${PV}"
+HPN_VER="14.10"
+
+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}.xz
+		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+		save_version X509
+	else
+		# bug #592122, fixed by X509 patch
+		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+
+	if use hpn ; then
+		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		epatch "${WORKDIR}"/${HPN_PATCH}
+		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	# 7.3 added seccomp support to MIPS, but failed to handled the N32
+	# case.  This patch is temporary until upstream fixes.  See
+	# Gentoo bug #591392 or upstream #2590.
+	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
+		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
+	epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-12-22  7:39 Mike Frysinger
  0 siblings, 0 replies; 57+ messages in thread
From: Mike Frysinger @ 2016-12-22  7:39 UTC (permalink / raw
  To: gentoo-commits

commit:     ac8659d690d2c30d982fcf63eb4a162f9379acd5
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 22 07:39:39 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Dec 22 07:39:39 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac8659d6

net-misc/openssh: version bump to 7.4_p1 #603100

 net-misc/openssh/Manifest                          |   4 +
 .../openssh/files/openssh-7.4_p1-GSSAPI-dns.patch  | 351 +++++++++++++++++++++
 .../files/openssh-7.4_p1-test-bashism.patch        |  29 ++
 net-misc/openssh/openssh-7.4_p1.ebuild             | 334 ++++++++++++++++++++
 4 files changed, 718 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7dd1430..bf4a52a 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,5 +6,9 @@ DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee
 DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
 DIST openssh-7.3p1-hpnssh14v12.tar.xz 23448 SHA256 45b8e10f731f160ea44126bf64314d850048d98059dc22f89b3f14f46f0dcc67 SHA512 f1ee37dfd1b717963ae519b725d481de2486c9c94fd80ccd12da2ac00d13be7b6e0284a1e9239a4704014810c086eaaa81cd02344372c65d0122a3eb1c2be83c WHIRLPOOL 1fdb4e99f9d6450af73a1202c2f80d4be454fbeab723a1cf833a37fc040dc8ede592129d4e4087cf247095dbf5fa782286ab0338fe8a55675efb4ea9bfaf651c
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
+DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1
+DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
 DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc

diff --git a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000..ec2a6d8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int ok = 0;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(active_state, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -668,7 +674,7 @@
+ 		/* My DER encoding requires length<128 */
+ 		if (gss_supported->elements[mech].length < 128 &&
+ 		    ssh_gssapi_check_mechanism(&gssctxt, 
+-		    &gss_supported->elements[mech], authctxt->host)) {
++		    &gss_supported->elements[mech], gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server.  auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+ 
+ 	return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) < 0) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return strdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return strdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return strdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return strdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return strdup(ntop);
+-	}
+-	return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) < 0) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return strdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return strdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return strdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return strdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return strdup(ntop);
++	}
++	return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}

diff --git a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
new file mode 100644
index 00000000..3e02b6f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
@@ -0,0 +1,29 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
+
+From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 19 Dec 2016 15:59:00 -0500
+Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
+
+The test command uses = for string compares, not ==.  Using some POSIX
+shells will reject this statement with an error about an unknown operator.
+---
+ regress/allow-deny-users.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
+index 32a269afa97c..86805e19322b 100644
+--- a/regress/allow-deny-users.sh
++++ b/regress/allow-deny-users.sh
+@@ -4,7 +4,7 @@
+ tid="AllowUsers/DenyUsers"
+ 
+ me="$LOGNAME"
+-if [ "x$me" == "x" ]; then
++if [ "x$me" = "x" ]; then
+ 	me=`whoami`
+ fi
+ other="nobody"
+-- 
+2.11.0.rc2
+

diff --git a/net-misc/openssh/openssh-7.4_p1.ebuild b/net-misc/openssh/openssh-7.4_p1.ebuild
new file mode 100644
index 00000000..db314b2
--- /dev/null
+++ b/net-misc/openssh/openssh-7.4_p1.ebuild
@@ -0,0 +1,334 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz"
+X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd ${HPN_PATCH%.*.*} >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-12-x509-9.2-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+		save_version X509
+	fi
+
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	epatch "${FILESDIR}"/${P}-test-bashism.patch
+	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	if use hpn ; then
+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-03-30 18:30 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2017-03-30 18:30 UTC (permalink / raw
  To: gentoo-commits

commit:     baf822f58e1e881b5f3dbf553ed550d93329fffa
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 30 18:30:18 2017 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 18:30:45 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=baf822f5

net-misc/openssh: Add patch to allow 7.4_p1 to build with X509+libressl

Package-Manager: Portage-2.3.5, Repoman-2.3.2

 .../files/openssh-7.5p1-x509-libressl.patch        | 202 +++++++++++++++++++++
 net-misc/openssh/openssh-7.5_p1-r1.ebuild          |   1 +
 2 files changed, 203 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch
new file mode 100644
index 00000000000..b4f36a51318
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch
@@ -0,0 +1,202 @@
+diff -urN openssh-7.5p1.orig/a_utf8.c openssh-7.5p1/a_utf8.c
+--- openssh-7.5p1.orig/a_utf8.c	1970-01-01 00:00:00.000000000 +0000
++++ openssh-7.5p1/a_utf8.c	2017-03-30 17:38:25.179532110 +0000
+@@ -0,0 +1,186 @@
++/*
++ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdio.h>
++
++/* UTF8 utilities */
++
++/*-
++ * This parses a UTF8 string one character at a time. It is passed a pointer
++ * to the string and the length of the string. It sets 'value' to the value of
++ * the current character. It returns the number of characters read or a
++ * negative error code:
++ * -1 = string too short
++ * -2 = illegal character
++ * -3 = subsequent characters not of the form 10xxxxxx
++ * -4 = character encoded incorrectly (not minimal length).
++ */
++
++int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
++{
++    const unsigned char *p;
++    unsigned long value;
++    int ret;
++    if (len <= 0)
++        return 0;
++    p = str;
++
++    /* Check syntax and work out the encoded value (if correct) */
++    if ((*p & 0x80) == 0) {
++        value = *p++ & 0x7f;
++        ret = 1;
++    } else if ((*p & 0xe0) == 0xc0) {
++        if (len < 2)
++            return -1;
++        if ((p[1] & 0xc0) != 0x80)
++            return -3;
++        value = (*p++ & 0x1f) << 6;
++        value |= *p++ & 0x3f;
++        if (value < 0x80)
++            return -4;
++        ret = 2;
++    } else if ((*p & 0xf0) == 0xe0) {
++        if (len < 3)
++            return -1;
++        if (((p[1] & 0xc0) != 0x80)
++            || ((p[2] & 0xc0) != 0x80))
++            return -3;
++        value = (*p++ & 0xf) << 12;
++        value |= (*p++ & 0x3f) << 6;
++        value |= *p++ & 0x3f;
++        if (value < 0x800)
++            return -4;
++        ret = 3;
++    } else if ((*p & 0xf8) == 0xf0) {
++        if (len < 4)
++            return -1;
++        if (((p[1] & 0xc0) != 0x80)
++            || ((p[2] & 0xc0) != 0x80)
++            || ((p[3] & 0xc0) != 0x80))
++            return -3;
++        value = ((unsigned long)(*p++ & 0x7)) << 18;
++        value |= (*p++ & 0x3f) << 12;
++        value |= (*p++ & 0x3f) << 6;
++        value |= *p++ & 0x3f;
++        if (value < 0x10000)
++            return -4;
++        ret = 4;
++    } else if ((*p & 0xfc) == 0xf8) {
++        if (len < 5)
++            return -1;
++        if (((p[1] & 0xc0) != 0x80)
++            || ((p[2] & 0xc0) != 0x80)
++            || ((p[3] & 0xc0) != 0x80)
++            || ((p[4] & 0xc0) != 0x80))
++            return -3;
++        value = ((unsigned long)(*p++ & 0x3)) << 24;
++        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
++        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
++        value |= (*p++ & 0x3f) << 6;
++        value |= *p++ & 0x3f;
++        if (value < 0x200000)
++            return -4;
++        ret = 5;
++    } else if ((*p & 0xfe) == 0xfc) {
++        if (len < 6)
++            return -1;
++        if (((p[1] & 0xc0) != 0x80)
++            || ((p[2] & 0xc0) != 0x80)
++            || ((p[3] & 0xc0) != 0x80)
++            || ((p[4] & 0xc0) != 0x80)
++            || ((p[5] & 0xc0) != 0x80))
++            return -3;
++        value = ((unsigned long)(*p++ & 0x1)) << 30;
++        value |= ((unsigned long)(*p++ & 0x3f)) << 24;
++        value |= ((unsigned long)(*p++ & 0x3f)) << 18;
++        value |= ((unsigned long)(*p++ & 0x3f)) << 12;
++        value |= (*p++ & 0x3f) << 6;
++        value |= *p++ & 0x3f;
++        if (value < 0x4000000)
++            return -4;
++        ret = 6;
++    } else
++        return -2;
++    *val = value;
++    return ret;
++}
++
++/*
++ * This takes a character 'value' and writes the UTF8 encoded value in 'str'
++ * where 'str' is a buffer containing 'len' characters. Returns the number of
++ * characters written or -1 if 'len' is too small. 'str' can be set to NULL
++ * in which case it just returns the number of characters. It will need at
++ * most 6 characters.
++ */
++
++int UTF8_putc(unsigned char *str, int len, unsigned long value)
++{
++    if (!str)
++        len = 6;                /* Maximum we will need */
++    else if (len <= 0)
++        return -1;
++    if (value < 0x80) {
++        if (str)
++            *str = (unsigned char)value;
++        return 1;
++    }
++    if (value < 0x800) {
++        if (len < 2)
++            return -1;
++        if (str) {
++            *str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0);
++            *str = (unsigned char)((value & 0x3f) | 0x80);
++        }
++        return 2;
++    }
++    if (value < 0x10000) {
++        if (len < 3)
++            return -1;
++        if (str) {
++            *str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0);
++            *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
++            *str = (unsigned char)((value & 0x3f) | 0x80);
++        }
++        return 3;
++    }
++    if (value < 0x200000) {
++        if (len < 4)
++            return -1;
++        if (str) {
++            *str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0);
++            *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
++            *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
++            *str = (unsigned char)((value & 0x3f) | 0x80);
++        }
++        return 4;
++    }
++    if (value < 0x4000000) {
++        if (len < 5)
++            return -1;
++        if (str) {
++            *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
++            *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
++            *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
++            *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
++            *str = (unsigned char)((value & 0x3f) | 0x80);
++        }
++        return 5;
++    }
++    if (len < 6)
++        return -1;
++    if (str) {
++        *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
++        *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
++        *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
++        *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
++        *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
++        *str = (unsigned char)((value & 0x3f) | 0x80);
++    }
++    return 6;
++}
+diff -urN openssh-7.5p1.orig/Makefile.in openssh-7.5p1/Makefile.in
+--- openssh-7.5p1.orig/Makefile.in	2017-03-30 17:33:30.983830629 +0000
++++ openssh-7.5p1/Makefile.in	2017-03-30 17:39:28.392905858 +0000
+@@ -74,7 +74,7 @@
+ @OCSP_ON@OCSP_OBJS=ssh-ocsp.o
+ @OCSP_OFF@OCSP_OBJS=
+ 
+-SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o
++SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o a_utf8.o
+ X509STORE_OBJS=x509store.o $(LDAP_OBJS)
+ 
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)

diff --git a/net-misc/openssh/openssh-7.5_p1-r1.ebuild b/net-misc/openssh/openssh-7.5_p1-r1.ebuild
index 4ce0ad47678..9652d9263d6 100644
--- a/net-misc/openssh/openssh-7.5_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-7.5_p1-r1.ebuild
@@ -121,6 +121,7 @@ src_prepare() {
 		fi
 		save_version X509
 		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		use libressl && epatch "${FILESDIR}"/${PN}-7.5p1-x509-libressl.patch
 	fi
 
 	if use ldap ; then


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-10-10 13:26 Lars Wendler
  0 siblings, 0 replies; 57+ messages in thread
From: Lars Wendler @ 2017-10-10 13:26 UTC (permalink / raw
  To: gentoo-commits

commit:     8ead69692d0faa44e06a4d5c4164ac5f71c20c1a
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 10 13:25:35 2017 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Oct 10 13:25:46 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ead6969

net-misc/openssh: Removed old.

Package-Manager: Portage-2.3.11, Repoman-2.3.3

 net-misc/openssh/Manifest                          |   9 -
 .../openssh/files/openssh-7.3_p1-GSSAPI-dns.patch  | 351 ---------------------
 .../files/openssh-7.3_p1-NEWKEYS_null_deref.patch  |  29 --
 ...egister-the-KEXINIT-handler-after-receive.patch |  32 --
 ...ssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch |  34 --
 .../openssh-7.3_p1-hpn-12-x509-9.2-glue.patch      |  39 ---
 ...ssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch | 245 --------------
 .../files/openssh-7.3_p1-hpn-x509-9.2-glue.patch   |  41 ---
 .../files/openssh-7.3_p1-sctp-x509-glue.patch      |  67 ----
 .../files/openssh-7.3_p1-x509-9.2-warnings.patch   | 109 -------
 .../openssh/files/openssh-7.4_p1-GSSAPI-dns.patch  | 351 ---------------------
 .../files/openssh-7.4_p1-test-bashism.patch        |  29 --
 net-misc/openssh/openssh-7.3_p1-r7.ebuild          | 351 ---------------------
 net-misc/openssh/openssh-7.3_p1-r8.ebuild          | 337 --------------------
 net-misc/openssh/openssh-7.4_p1.ebuild             | 327 -------------------
 net-misc/openssh/openssh-7.5_p1.ebuild             | 326 -------------------
 16 files changed, 2677 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 981be351b29..7f5afd1e1c2 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,11 +1,4 @@
-DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
-DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
-DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
-DIST openssh-7.3p1-hpnssh14v12.tar.xz 23448 SHA256 45b8e10f731f160ea44126bf64314d850048d98059dc22f89b3f14f46f0dcc67 SHA512 f1ee37dfd1b717963ae519b725d481de2486c9c94fd80ccd12da2ac00d13be7b6e0284a1e9239a4704014810c086eaaa81cd02344372c65d0122a3eb1c2be83c WHIRLPOOL 1fdb4e99f9d6450af73a1202c2f80d4be454fbeab723a1cf833a37fc040dc8ede592129d4e4087cf247095dbf5fa782286ab0338fe8a55675efb4ea9bfaf651c
-DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
 DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
-DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1
-DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029
 DIST openssh-7.5p1+x509-10.1.diff.gz 460721 SHA256 e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 SHA512 d3b5a8f5e3a88eda7989b002236811867b7e2c39bf7cd29a6dbbce277fca3fbedbfdbeaf1fba7d8c19f3dea32a17790e90604765f18576bcc5627a9c1d39109c WHIRLPOOL 2d4f96b47bcde9eabd19cad2fdc4da01a3d207f6ad5f4f1ea5a7dbd708d61783ae6a53e4cb622feed838106f57dbe6a7ecd1b41426325870378caf44803ff9ef
 DIST openssh-7.5p1+x509-10.2.diff.gz 467040 SHA256 24d5c1949d245b432abf2db6c28554a09bcffdcb4f4247826c0a33bdbee8b92c SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a WHIRLPOOL 3291a3e39b1a47efe149cdf805de11217fd55c4260477f2a6c6cc0bfa376b98a5dc7f56a49ae184fb57bae6226c73d1794db7b2285e3ea26a8fea4bc9304655b
 DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627a8dd51595fd3ee9f95dc70e6b50fe779ce2 SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 WHIRLPOOL 6089ad8ae16c112a6f15d168c092e7f057b9e6d815724346b5a6a1cd0de932f779d5f410d48c904d935fcb3bad3f597fa4de075ab1f49cadc9842ce7bd8fdf42
@@ -13,6 +6,4 @@ DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b
 DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626
 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29
 DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751
-DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
-DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93

diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
deleted file mode 100644
index 806b36d0ca9..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- #else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- 	{ "fallbacktorsh", oDeprecated },
- 	{ "usersh", oDeprecated },
-@@ -930,6 +933,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1649,6 +1656,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -668,7 +674,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server.  auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
- 
- 	return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}

diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
deleted file mode 100644
index 784cd2aa7ef..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://bugs.gentoo.org/595342
-
-Backport of
-https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
-
---- openssh-7.3p1/kex.c
-+++ openssh-7.3p1/kex.c
-@@ -419,6 +419,8 @@
- 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
- 	if ((r = sshpkt_get_end(ssh)) != 0)
- 		return r;
-+	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
-+		return r;
- 	kex->done = 1;
- 	sshbuf_reset(kex->peer);
- 	/* sshbuf_reset(kex->my); */
---- openssh-7.3p1/packet.c
-+++ openssh-7.3p1/packet.c
-@@ -1919,9 +1919,7 @@
- 			return r;
- 		return SSH_ERR_PROTOCOL_ERROR;
- 	}
--	if (*typep == SSH2_MSG_NEWKEYS)
--		r = ssh_set_newkeys(ssh, MODE_IN);
--	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
-+	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
- 		r = ssh_packet_enable_delayed_compress(ssh);
- 	else
- 		r = 0;

diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
deleted file mode 100644
index 8603601ca7b..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-https://bugs.gentoo.org/597360
-
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c00919..6a94bc535bd7 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- 	if (kex == NULL)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
-+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- 	ptr = sshpkt_ptr(ssh, &dlen);
- 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- 		return r;
--- 
-2.11.0.rc2
-

diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
deleted file mode 100644
index 7fb0d8069b9..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://bugs.gentoo.org/592122
-
-From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Wed, 3 Aug 2016 04:23:55 +0000
-Subject: [PATCH] upstream commit
-
-Fix bug introduced in rev 1.467 which causes
-"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
-and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
-2", no SSH1 host key supplied).  Reported by rainer.laatsch at t-online.de,
-ok deraadt@
-
-Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
----
- sshd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sshd.c b/sshd.c
-index 799c7711f49c..9fc829a91bc8 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
- 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
- 	} else
- #endif
--		if ((r = sshbuf_put_u32(m, 1)) != 0)
-+		if ((r = sshbuf_put_u32(m, 0)) != 0)
- 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
- 
- #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
--- 
-2.11.0.rc2
-

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
deleted file mode 100644
index 0602307128f..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
-  LD=@LD@
-  CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
---- a/0004-support-dynamically-sized-receive-buffers.patch
-+++ b/0004-support-dynamically-sized-receive-buffers.patch
-@@ -2144,9 +2144,9 @@
- @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
-  	/* Send our own protocol version identification. */
-  	if (compat20) {
-- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
---		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
-  	} else {
-  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
-  	}
-  
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
---	    major, minor, SSH_VERSION,
--+	    major, minor, SSH_RELEASE,
-+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+-	    major, minor, SSH_VERSION, comment,
-++	    major, minor, SSH_RELEASE, comment,
-  	    *options.version_addendum == '\0' ? "" : " ",
-  	    options.version_addendum, newline);
-  

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
deleted file mode 100644
index 9cc7b61a6ab..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
-index fdc9b2f..300cd90 100644
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -127,7 +127,7 @@ struct kq {
- 	u_char		keys[KQLEN][AES_BLOCK_SIZE];
- 	u_char		ctr[AES_BLOCK_SIZE];
- 	u_char		pad0[CACHELINE_LEN];
--	volatile int	qstate;
-+	int		qstate;
- 	pthread_mutex_t	lock;
- 	pthread_cond_t	cond;
- 	u_char		pad1[CACHELINE_LEN];
-@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
- 	STATS_STRUCT(stats);
- 	u_char		aes_counter[AES_BLOCK_SIZE];
- 	pthread_t	tid[CIPHER_THREADS];
-+	pthread_rwlock_t tid_lock;
-+#ifdef __APPLE__
-+	pthread_rwlock_t stop_lock;
-+	int		exit_flag;
-+#endif /* __APPLE__ */
- 	int		state;
- 	int		qidx;
- 	int		ridx;
-@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
- 	pthread_mutex_unlock((pthread_mutex_t *)x);
- }
- 
-+#ifdef __APPLE__
-+/* Check if we should exit, we are doing both cancel and exit condition
-+ * since on OSX threads seem to occasionally fail to notice when they have
-+ * been cancelled. We want to have a backup to make sure that we won't hang
-+ * when the main process join()-s the cancelled thread.
-+ */
-+static void
-+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
-+{
-+	int exit_flag;
-+
-+	pthread_rwlock_rdlock(&c->stop_lock);
-+	exit_flag = c->exit_flag;
-+	pthread_rwlock_unlock(&c->stop_lock);
-+
-+	if (exit_flag)
-+		pthread_exit(NULL);
-+}
-+#else
-+# define thread_loop_check_exit(s)
-+#endif /* __APPLE__ */
-+
-+/*
-+ * Helper function to terminate the helper threads
-+ */
-+static void
-+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
-+{
-+	int i;
-+
-+#ifdef __APPLE__
-+	/* notify threads that they should exit */
-+	pthread_rwlock_wrlock(&c->stop_lock);
-+	c->exit_flag = TRUE;
-+	pthread_rwlock_unlock(&c->stop_lock);
-+#endif /* __APPLE__ */
-+
-+	/* Cancel pregen threads */
-+	for (i = 0; i < CIPHER_THREADS; i++) {
-+		pthread_cancel(c->tid[i]);
-+	}
-+	for (i = 0; i < NUMKQ; i++) {
-+		pthread_mutex_lock(&c->q[i].lock);
-+		pthread_cond_broadcast(&c->q[i].cond);
-+		pthread_mutex_unlock(&c->q[i].lock);
-+	}
-+	for (i = 0; i < CIPHER_THREADS; i++) {
-+		pthread_join(c->tid[i], NULL);
-+	}
-+}
-+
- /*
-  * The life of a pregen thread:
-  *    Find empty keystream queues and fill them using their counter.
-@@ -201,6 +257,7 @@ thread_loop(void *x)
- 	struct kq *q;
- 	int i;
- 	int qidx;
-+	pthread_t first_tid;
- 
- 	/* Threads stats on cancellation */
- 	STATS_INIT(stats);
-@@ -211,11 +268,15 @@ thread_loop(void *x)
- 	/* Thread local copy of AES key */
- 	memcpy(&key, &c->aes_ctx, sizeof(key));
- 
-+	pthread_rwlock_rdlock(&c->tid_lock);
-+	first_tid = c->tid[0];
-+	pthread_rwlock_unlock(&c->tid_lock);
-+
- 	/*
- 	 * Handle the special case of startup, one thread must fill
- 	 * the first KQ then mark it as draining. Lock held throughout.
- 	 */
--	if (pthread_equal(pthread_self(), c->tid[0])) {
-+	if (pthread_equal(pthread_self(), first_tid)) {
- 		q = &c->q[0];
- 		pthread_mutex_lock(&q->lock);
- 		if (q->qstate == KQINIT) {
-@@ -245,12 +306,16 @@ thread_loop(void *x)
- 		/* Check if I was cancelled, also checked in cond_wait */
- 		pthread_testcancel();
- 
-+		/* Check if we should exit as well */
-+		thread_loop_check_exit(c);
-+
- 		/* Lock queue and block if its draining */
- 		q = &c->q[qidx];
- 		pthread_mutex_lock(&q->lock);
- 		pthread_cleanup_push(thread_loop_cleanup, &q->lock);
- 		while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
- 			STATS_WAIT(stats);
-+			thread_loop_check_exit(c);
- 			pthread_cond_wait(&q->cond, &q->lock);
- 		}
- 		pthread_cleanup_pop(0);
-@@ -268,6 +333,7 @@ thread_loop(void *x)
- 		 * can see that it's being filled.
- 		 */
- 		q->qstate = KQFILLING;
-+		pthread_cond_broadcast(&q->cond);
- 		pthread_mutex_unlock(&q->lock);
- 		for (i = 0; i < KQLEN; i++) {
- 			AES_encrypt(q->ctr, q->keys[i], &key);
-@@ -279,7 +345,7 @@ thread_loop(void *x)
- 		ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
- 		q->qstate = KQFULL;
- 		STATS_FILL(stats);
--		pthread_cond_signal(&q->cond);
-+		pthread_cond_broadcast(&q->cond);
- 		pthread_mutex_unlock(&q->lock);
- 	}
- 
-@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- 				pthread_cond_wait(&q->cond, &q->lock);
- 			}
- 			q->qstate = KQDRAINING;
-+			pthread_cond_broadcast(&q->cond);
- 			pthread_mutex_unlock(&q->lock);
- 
- 			/* Mark consumed queue empty and signal producers */
-@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 
- 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
- 		c = xmalloc(sizeof(*c));
-+		pthread_rwlock_init(&c->tid_lock, NULL);
-+#ifdef __APPLE__
-+		pthread_rwlock_init(&c->stop_lock, NULL);
-+		c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
- 
- 		c->state = HAVE_NONE;
- 		for (i = 0; i < NUMKQ; i++) {
-@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 	}
- 
- 	if (c->state == (HAVE_KEY | HAVE_IV)) {
--		/* Cancel pregen threads */
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_cancel(c->tid[i]);
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_join(c->tid[i], NULL);
-+		/* tell the pregen threads to exit */
-+		stop_and_join_pregen_threads(c);
-+
-+#ifdef __APPLE__
-+		/* reset the exit flag */
-+		c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
-+
- 		/* Start over getting key & iv */
- 		c->state = HAVE_NONE;
- 	}
-@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 		/* Start threads */
- 		for (i = 0; i < CIPHER_THREADS; i++) {
- 			debug("spawned a thread");
-+			pthread_rwlock_wrlock(&c->tid_lock);
- 			pthread_create(&c->tid[i], NULL, thread_loop, c);
-+			pthread_rwlock_unlock(&c->tid_lock);
- 		}
- 		pthread_mutex_lock(&c->q[0].lock);
--		while (c->q[0].qstate != KQDRAINING)
-+		while (c->q[0].qstate == KQINIT)
- 			pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
- 		pthread_mutex_unlock(&c->q[0].lock);
- 	}
-@@ -461,15 +538,10 @@ void
- ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
- {
- 	struct ssh_aes_ctr_ctx *c;
--	int i;
-+
- 	c = EVP_CIPHER_CTX_get_app_data(ctx);
--	/* destroy threads */
--	for (i = 0; i < CIPHER_THREADS; i++) {
--		pthread_cancel(c->tid[i]);
--	}
--	for (i = 0; i < CIPHER_THREADS; i++) {
--		pthread_join(c->tid[i], NULL);
--	}
-+
-+	stop_and_join_pregen_threads(c);
- }
- 
- void
-@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
- 	/* reconstruct threads */
- 	for (i = 0; i < CIPHER_THREADS; i++) {
- 		debug("spawned a thread");
-+		pthread_rwlock_wrlock(&c->tid_lock);
- 		pthread_create(&c->tid[i], NULL, thread_loop, c);
-+		pthread_rwlock_unlock(&c->tid_lock);
- 	}
- }
- 
-@@ -489,18 +563,13 @@ static int
- ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
- {
- 	struct ssh_aes_ctr_ctx *c;
--	int i;
- 
- 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
- #ifdef CIPHER_THREAD_STATS
- 		debug("main thread: %u drains, %u waits", c->stats.drains,
- 				c->stats.waits);
- #endif
--		/* Cancel pregen threads */
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_cancel(c->tid[i]);
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_join(c->tid[i], NULL);
-+		stop_and_join_pregen_threads(c);
- 
- 		memset(c, 0, sizeof(*c));
- 		free(c);

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
deleted file mode 100644
index f077c0517fa..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
+++ /dev/null
@@ -1,41 +0,0 @@
---- a/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:00:21.561121417 -0700
-+++ b/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:22:51.337118439 -0700
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
-  LD=@LD@
-  CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -2144,12 +2144,12 @@
-  	/* Bind the socket to an alternative local IP address */
-  	if (options.bind_address == NULL && !privileged)
-  		return sock;
--@@ -527,10 +555,10 @@
-+@@ -555,10 +583,10 @@
-  	/* Send our own protocol version identification. */
-  	if (compat20) {
-- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
---		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
-  	} else {
-  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
-  	}
-  
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
---	    major, minor, SSH_VERSION,
--+	    major, minor, SSH_RELEASE,
-+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+-	    major, minor, SSH_VERSION, comment,
-++	    major, minor, SSH_RELEASE, comment,
-  	    *options.version_addendum == '\0' ? "" : " ",
-  	    options.version_addendum, newline);
-  

diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
deleted file mode 100644
index 2def6993e6c..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
---- a/openssh-7.3_p1-sctp.patch	2016-08-03 13:10:15.733228732 -0700
-+++ b/openssh-7.3_p1-sctp.patch	2016-08-03 13:25:53.274630002 -0700
-@@ -226,14 +226,6 @@
-  .Op Fl c Ar cipher
-  .Op Fl F Ar ssh_config
-  .Op Fl i Ar identity_file
--@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
- @@ -224,6 +225,8 @@ and
-  to print debugging messages about their progress.
-  This is helpful in
-@@ -493,19 +485,11 @@
-  .Sh SYNOPSIS
-  .Nm ssh
-  .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
-++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
-  .Op Fl b Ar bind_address
-  .Op Fl c Ar cipher_spec
-  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UpdateHostKeys
- @@ -795,6 +796,8 @@ controls.
-  .Pp
-  .It Fl y
-@@ -533,18 +517,18 @@
-  usage(void)
-  {
-  	fprintf(stderr,
---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
--+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-- "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
-- "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
-+ "           [-F configfile]\n"
-+ #ifdef USE_OPENSSL_ENGINE
- @@ -608,7 +613,7 @@ main(int ac, char **av)
-- 	argv0 = av[0];
-+ #  define ENGCONFIG ""
-+ #endif
-  
--  again:
---	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ 	    "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-  		switch (opt) {
-  		case '1':
- @@ -857,6 +862,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
deleted file mode 100644
index 528dc6f22a9..00000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 143227a..c9b84c2 100644
---- a/kex.c
-+++ b/kex.c
-@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
- static int
- kex_send_ext_info(struct ssh *ssh)
- {
-+#ifdef EXPERIMENTAL_RSA_SHA2_256
- 	int r;
- 
--#ifdef EXPERIMENTAL_RSA_SHA2_256
- /* IMPORTANT NOTE:
-  * Do not offer rsa-sha2-* until is resolved misconfiguration issue
-  * with allowed public key algorithms!
-diff --git a/key-eng.c b/key-eng.c
-index 9bc50fd..bc0d03d 100644
---- a/key-eng.c
-+++ b/key-eng.c
-@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
- 	while (buffer_len(&eng_list) > 0) {
- 		u_int   k = 0;
- 		char    *s;
--		ENGINE  *e;
- 
- 		s = buffer_get_cstring_ret(&eng_list, &k);
- 		ssh_engine_reset(s);
-diff --git a/monitor.c b/monitor.c
-index 345d3df..0de30ad 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
- 	    (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
- 	    (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
--	if (keyid > INT_MAX)
-+	if (keyid32 > INT_MAX)
- 		fatal("%s: invalid key ID", __func__);
- 
- 	keyid = keyid32; /*save cast*/
-diff --git a/readconf.c b/readconf.c
-index beb38a0..1cbda7e 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -1459,7 +1459,9 @@ parse_int:
- 
- 	case oHostKeyAlgorithms:
- 		charptr = &options->hostkeyalgorithms;
-+# if 0
- parse_keytypes:
-+# endif
- 		arg = strdelim(&s);
- 		if (!arg || *arg == '\0')
- 			fatal("%.200s line %d: Missing argument.",
-diff --git a/servconf.c b/servconf.c
-index a540138..e77a344 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1574,7 +1573,9 @@ parse_string:
- 
- 	case sHostKeyAlgorithms:
- 		charptr = &options->hostkeyalgorithms;
-+# if 0
-  parse_keytypes:
-+#endif
- 		arg = strdelim(&cp);
- 		if (!arg || *arg == '\0')
- 			fatal("%s line %d: Missing argument.",
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index 50f04b7..3f9a7bf 100644
---- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
- }
- 
- #ifdef OPENSSL_HAS_ECC
-+#ifdef HAVE_EC_KEY_METHOD_NEW
- /* openssl callback for freeing an EC key */
- static void
- pkcs11_ec_finish(EC_KEY *ec)
- {
- 	struct pkcs11_key	*k11;
- 
--#ifdef HAVE_EC_KEY_METHOD_NEW
- 	k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- 	EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#else
--	k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
--	ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#endif
- 	pkcs11_key_free(k11);
- }
-+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
- #endif /*def OPENSSL_HAS_ECC*/
- 
- 
-diff --git a/sshconnect.c b/sshconnect.c
-index fd2a70e..0960be1 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
- {
- 	/* Send our own protocol version identification. */
- 	if (compat20) {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
- 		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
- 	} else {
- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",

diff --git a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
deleted file mode 100644
index ec2a6d89493..00000000000
--- a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- #else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- 	{ "fallbacktorsh", oDeprecated },
- 	{ "usersh", oDeprecated },
-@@ -930,6 +933,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1649,6 +1656,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -668,7 +674,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server.  auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
- 
- 	return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}

diff --git a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
deleted file mode 100644
index 3e02b6f8ccc..00000000000
--- a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
-
-From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 19 Dec 2016 15:59:00 -0500
-Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
-
-The test command uses = for string compares, not ==.  Using some POSIX
-shells will reject this statement with an error about an unknown operator.
----
- regress/allow-deny-users.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
-index 32a269afa97c..86805e19322b 100644
---- a/regress/allow-deny-users.sh
-+++ b/regress/allow-deny-users.sh
-@@ -4,7 +4,7 @@
- tid="AllowUsers/DenyUsers"
- 
- me="$LOGNAME"
--if [ "x$me" == "x" ]; then
-+if [ "x$me" = "x" ]; then
- 	me=`whoami`
- fi
- other="nobody"
--- 
-2.11.0.rc2
-

diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
deleted file mode 100644
index 419efd3205b..00000000000
--- a/net-misc/openssh/openssh-7.3_p1-r7.ebuild
+++ /dev/null
@@ -1,351 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
-
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}.xz
-		https://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
-	)}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd "${WORKDIR}" >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
-		save_version X509
-	else
-		# bug #592122, fixed by X509 patch
-		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
-	fi
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-
-	if use hpn ; then
-		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		epatch "${WORKDIR}"/${HPN_PATCH}
-		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	# 7.3 added seccomp support to MIPS, but failed to handled the N32
-	# case.  This patch is temporary until upstream fixes.  See
-	# Gentoo bug #591392 or upstream #2590.
-	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
-		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
-	epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
-	else
-		tests="${tests} tests"
-	fi
-	# It will also attempt to write to the homedir .ssh
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
-	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.3_p1-r8.ebuild b/net-misc/openssh/openssh-7.3_p1-r8.ebuild
deleted file mode 100644
index 4f9371ee6a8..00000000000
--- a/net-misc/openssh/openssh-7.3_p1-r8.ebuild
+++ /dev/null
@@ -1,337 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd ${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-12-x509-9.2-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
-		popd >/dev/null
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
-		save_version X509
-	else
-		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch #592122 inc in X509 patch
-	fi
-
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch #595342
-	epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch #597360
-	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.4_p1.ebuild b/net-misc/openssh/openssh-7.4_p1.ebuild
deleted file mode 100644
index 41790fb15b3..00000000000
--- a/net-misc/openssh/openssh-7.4_p1.ebuild
+++ /dev/null
@@ -1,327 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz"
-X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !hpn !ldap !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-0.9.8f:0[bindist=]
-			dev-libs/openssl:0[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		# We no longer allow X509 to be used with anything else.
-		#save_version X509
-	fi
-
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	epatch "${FILESDIR}"/${P}-test-bashism.patch
-	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use X509 || use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-	keepdir /var/empty
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.5_p1.ebuild b/net-misc/openssh/openssh-7.5_p1.ebuild
deleted file mode 100644
index 220b1ad2898..00000000000
--- a/net-misc/openssh/openssh-7.5_p1.ebuild
+++ /dev/null
@@ -1,326 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
-#X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !hpn !ldap !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-1.0.1:0=[bindist=]
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		# We no longer allow X509 to be used with anything else.
-		#save_version X509
-	fi
-
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
-	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use X509 || use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-10-12  0:42 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2017-10-12  0:42 UTC (permalink / raw
  To: gentoo-commits

commit:     457856fd81528d41551c5fed457e1bd627498093
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 11 22:51:05 2017 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Oct 12 00:41:40 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=457856fd

net-misc/openssh: Add updated X509 patchset to 7.6_p1

Had to drop the multithreaded aes-ctr cipher as it seems to cause
test failures with OpenSSH 7.6p1. We can re-add in the future if
a fix is found.

Package-Manager: Portage-2.3.11, Repoman-2.3.3

 net-misc/openssh/Manifest                          |  1 +
 .../files/openssh-7.6_p1-hpn-x509-11.0-glue.patch  | 50 ++++++++++++++++++++++
 .../openssh/files/openssh-7.6_p1-warnings.patch    | 12 ++++++
 net-misc/openssh/openssh-7.6_p1.ebuild             | 12 +++++-
 4 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index df01594ce28..c9efd08b421 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -5,6 +5,7 @@ DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627
 DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 WHIRLPOOL 1a42c68d8e350bc4790dd4c1a98dd6571bfa353ad6871b1462c53b6412f752719daabd1a13bb4434d294de966a00428ac66334bab45f371420029b5e34a6914c
 DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626
 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29
+DIST openssh-7.6p1-hpnssh14v12.tar.xz 15392 SHA256 4ccb05096556233d81b68b330463ef2bd84384734ff3a8693ad28ac2d4681227 SHA512 0e2c62cdec360090b359edfd5bbe894fb25d22e387677e8a5d6cf6a0807b0572fda30b90c30390d5b68e359e9958cb1c65abae4afd9af5892c3f64f6f8001956 WHIRLPOOL c7bdc79d849bacaf1a6fb262a11b3b6cf905e95c11e9818c4434559fcea3bc5273496bb8d29e3a5edb116420b4dabc3ef17789e66864c488006c660331c18bc4
 DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93
 DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c

diff --git a/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch
new file mode 100644
index 00000000000..d55656aae97
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch
@@ -0,0 +1,50 @@
+--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:02:11.850912525 -0700
++++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:35:06.223424844 -0700
+@@ -907,9 +907,9 @@
+ @@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
+  {
+  	/* Send our own protocol version identification. */
+- 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
+  	if (atomicio(vwrite, connection_out, client_version_string,
+  	    strlen(client_version_string)) != strlen(client_version_string))
+  		fatal("write: %.100s", strerror(errno));
+@@ -918,11 +918,11 @@
+ --- a/sshd.c
+ +++ b/sshd.c
+ @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+- 	char remote_version[256];	/* Must be at least as big as buf. */
++ 	}
+  
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
++	xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
+  	    *options.version_addendum == '\0' ? "" : " ",
+  	    options.version_addendum);
+  
+@@ -982,13 +982,14 @@
+ index e093f623..83f0932d 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,5 @@
++@@ -3,3 +3,6 @@
+  #define SSH_VERSION	"OpenSSH_7.6"
+  
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
++-#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+++#define SSH_PORTABLE	"p1"
+ +#define SSH_HPN		"-hpn14v12"
+++#define SSH_X509		"-PKIXSSH-11.0"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+++#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
+ -- 
+ 2.14.2
+ 

diff --git a/net-misc/openssh/files/openssh-7.6_p1-warnings.patch b/net-misc/openssh/files/openssh-7.6_p1-warnings.patch
new file mode 100644
index 00000000000..5843dd162cd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-warnings.patch
@@ -0,0 +1,12 @@
+diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c
+index 3af8f4a7..7f6bc7fa 100644
+--- a/openbsd-compat/freezero.c
++++ b/openbsd-compat/freezero.c
+@@ -14,6 +14,7 @@
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
++#include <string.h>
+ #include "includes.h"
+ 
+ #ifndef HAVE_FREEZERO

diff --git a/net-misc/openssh/openssh-7.6_p1.ebuild b/net-misc/openssh/openssh-7.6_p1.ebuild
index 1c315b793a6..a15c07cdc85 100644
--- a/net-misc/openssh/openssh-7.6_p1.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1.ebuild
@@ -9,7 +9,7 @@ inherit user flag-o-matic multilib autotools pam systemd versionator
 # and _p? releases.
 PARCH=${P/_}
 
-#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
 SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
 LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
 X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
@@ -109,12 +109,14 @@ src_prepare() {
 	# this file.
 	cp version.h version.h.pristine
 
+	eapply "${FILESDIR}/${P}-warnings.patch"
+
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
 
 	if use X509 ; then
 		if use hpn ; then
-			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
+			pushd "${WORKDIR}" >/dev/null
 			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
 			popd >/dev/null
 		fi
@@ -324,4 +326,10 @@ pkg_postinst() {
 		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
 		elog "and update all clients/servers that utilize them."
 	fi
+
+	# remove this if aes-ctr-mt gets fixed
+	if use hpn; then
+		elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
+		elog "set since it does not (yet) work with >=openssh-7.6p1."
+	fi
 }


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-11-07  1:29 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2017-11-07  1:29 UTC (permalink / raw
  To: gentoo-commits

commit:     d657309748c91e5d9da246b434ed51916448b38a
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Nov  7 01:29:03 2017 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Nov  7 01:29:03 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6573097

net-misc/openssh: Make the 7.6p1 X509 patchset play nice with libressl

Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch     | 11 +++++++++++
 net-misc/openssh/openssh-7.6_p1.ebuild                        |  1 +
 2 files changed, 12 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch b/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch
new file mode 100644
index 00000000000..b84ee64e4f7
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch
@@ -0,0 +1,11 @@
+--- a/openssh-7.6p1+x509-11.0.diff	2017-11-06 17:16:28.334140140 -0800
++++ b/openssh-7.6p1+x509-11.0.diff	2017-11-06 17:16:55.338223563 -0800
+@@ -54732,7 +54732,7 @@
+ +int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+ +
+ +typedef char SSHXSTOREPATH;
+-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ +DECLARE_STACK_OF(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_new_null()	SKM_sk_new_null(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_num(st)	SKM_sk_num(SSHXSTOREPATH, (st))

diff --git a/net-misc/openssh/openssh-7.6_p1.ebuild b/net-misc/openssh/openssh-7.6_p1.ebuild
index a15c07cdc85..a932f59b746 100644
--- a/net-misc/openssh/openssh-7.6_p1.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1.ebuild
@@ -118,6 +118,7 @@ src_prepare() {
 		if use hpn ; then
 			pushd "${WORKDIR}" >/dev/null
 			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
 			popd >/dev/null
 		fi
 		save_version X509


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-11-14 22:15 Thomas Deutschmann
  0 siblings, 0 replies; 57+ messages in thread
From: Thomas Deutschmann @ 2017-11-14 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     713e5d3b63b36aa4cc6e47fb47214142dbc8d23c
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 14 22:14:56 2017 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Nov 14 22:15:11 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713e5d3b

net-misc/openssh: Rev bump to fix CVE-2017-15906

Bug: https://bugs.gentoo.org/633428
Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../files/openssh-7.5_p1-CVE-2017-15906.patch      |  31 ++
 net-misc/openssh/openssh-7.5_p1-r3.ebuild          | 332 +++++++++++++++++++++
 2 files changed, 363 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
new file mode 100644
index 00000000000..b97ceb4b278
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
@@ -0,0 +1,31 @@
+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
+ reported by Michal Zalewski, feedback & ok deraadt@
+
+---
+ usr.bin/ssh/sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
+index 2510d234a3a..42249ebd60d 100644
+--- a/usr.bin/ssh/sftp-server.c
++++ b/usr.bin/ssh/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
+  *
+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+-	    ((flags & O_ACCMODE) == O_WRONLY ||
+-	    (flags & O_ACCMODE) == O_RDWR)) {
++	    ((flags & O_ACCMODE) != O_RDONLY ||
++	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ 		verbose("Refusing open request in read-only mode");
+ 		status = SSH2_FX_PERMISSION_DENIED;
+ 	} else {

diff --git a/net-misc/openssh/openssh-7.5_p1-r3.ebuild b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
new file mode 100644
index 00000000000..d9cb2ffe89b
--- /dev/null
+++ b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
@@ -0,0 +1,332 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
+X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		if use hpn ; then
+			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			popd >/dev/null
+		fi
+		save_version X509
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+	fi
+
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
+	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
+	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
+	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	if use hpn ; then
+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use X509 || use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-01-23  1:42 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-01-23  1:42 UTC (permalink / raw
  To: gentoo-commits

commit:     4c8c40a4f54c9ec9632cf4ce424c629482541ee5
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 23 00:19:05 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Jan 23 01:42:39 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c8c40a4

net-misc/openssh: Revision bump, bump X509 patch to 11.1

Also re-enable hpn USE flag (disabled by default) since it has now
been package.use.mask-ed in the base profile.

Bug: https://bugs.gentoo.org/634594
Package-Manager: Portage-2.3.20, Repoman-2.3.6

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-7.6_p1-hpn-x509-11.1-glue.patch  |  50 +++
 net-misc/openssh/openssh-7.6_p1-r3.ebuild          | 335 +++++++++++++++++++++
 3 files changed, 386 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index c8d339eba7b..c23db685249 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -4,6 +4,7 @@ DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc
 DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
 DIST openssh-7.6_p1-sctp.patch.xz 6996 BLAKE2B 4a857afdc8fa5cb2bfb9dd1805ac6343e774ac7423e2f4439f2adf585aae18fcf55d63f7f5421e716d76e2dd0205b186b6fea1f53132453ea82f0821cea3124c SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151
 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 BLAKE2B 9329a7cf8575c21c31ec73f8ca1084708de34a5b530699d8be2a2a75e1ce0d37210a897c894ab75ee8e2ad0f0802d483d041b1bf3cf3ea46a4a423f1350f42d2 SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a
+DIST openssh-7.6p1+x509-11.1.diff.gz 451725 BLAKE2B 1397c05539ce7532f5e6bf33fc16d5661c32365e127ab1134c0a12c70f0645b05eb05d3ebd9bf64ed59cb94a63cbe8466ac87c9831605230d1ccd578a736904b SHA512 8d445911d8b28fb922a2a0ddb4b7783f81bc258af708148541d30cb79012789cc319bc2031b4584c4c5504480b70077e675be01070fd3065dc4f5ddee89ad8f1
 DIST openssh-7.6p1-hpnssh14v12.tar.xz 15392 BLAKE2B 6888ea4054a470116b2ab3d115f54e3ee54e0d05a24d3331613c241e684a43354b6100ee2be76e5b2dcc8f0444fbae5d146830d634e53a85124d5e553759a552 SHA512 0e2c62cdec360090b359edfd5bbe894fb25d22e387677e8a5d6cf6a0807b0572fda30b90c30390d5b68e359e9958cb1c65abae4afd9af5892c3f64f6f8001956
 DIST openssh-7.6p1.tar.gz 1489788 BLAKE2B 938bfeeff0a0aaa2fc7e4c345f04561c6c071c526e354a7d344a08742cb70ab1f4a41d325b31720f2fba5c4afa4db11f3fc87055c8c9c8bea37b29cc11dc8f39 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch
new file mode 100644
index 00000000000..d55656aae97
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch
@@ -0,0 +1,50 @@
+--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:02:11.850912525 -0700
++++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:35:06.223424844 -0700
+@@ -907,9 +907,9 @@
+ @@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
+  {
+  	/* Send our own protocol version identification. */
+- 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
+  	if (atomicio(vwrite, connection_out, client_version_string,
+  	    strlen(client_version_string)) != strlen(client_version_string))
+  		fatal("write: %.100s", strerror(errno));
+@@ -918,11 +918,11 @@
+ --- a/sshd.c
+ +++ b/sshd.c
+ @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+- 	char remote_version[256];	/* Must be at least as big as buf. */
++ 	}
+  
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
++	xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
+  	    *options.version_addendum == '\0' ? "" : " ",
+  	    options.version_addendum);
+  
+@@ -982,13 +982,14 @@
+ index e093f623..83f0932d 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,5 @@
++@@ -3,3 +3,6 @@
+  #define SSH_VERSION	"OpenSSH_7.6"
+  
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
++-#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+++#define SSH_PORTABLE	"p1"
+ +#define SSH_HPN		"-hpn14v12"
+++#define SSH_X509		"-PKIXSSH-11.0"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+++#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
+ -- 
+ 2.14.2
+ 

diff --git a/net-misc/openssh/openssh-7.6_p1-r3.ebuild b/net-misc/openssh/openssh-7.6_p1-r3.ebuild
new file mode 100644
index 00000000000..e2e8bbe7114
--- /dev/null
+++ b/net-misc/openssh/openssh-7.6_p1-r3.ebuild
@@ -0,0 +1,335 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
+X509_VER="11.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( https://dev.gentoo.org/~chutzpah/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !ldap !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	eapply "${FILESDIR}/${P}-warnings.patch"
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			popd >/dev/null
+		fi
+		save_version X509
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+	fi
+
+	if use ldap ; then
+		eapply "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+	use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	if use hpn ; then
+		elog "Applying HPN patchset ..."
+		eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eapply_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use X509 || use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	# remove this if aes-ctr-mt gets fixed
+	if use hpn; then
+		elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
+		elog "set since it does not (yet) work with >=openssh-7.6p1."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-01-23 23:54 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-01-23 23:54 UTC (permalink / raw
  To: gentoo-commits

commit:     2803a8b211944e2f4f29c8ae92ba8eee86ba9d56
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 23 23:52:20 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Jan 23 23:52:20 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2803a8b2

net-misc/openssh: Add fix for bug 634594 from zmedico

Not revbumping since hpn has been package.use.mask-ed.

Closes: https://bugs.gentoo.org/634594
Package-Manager: Portage-2.3.20, Repoman-2.3.6

 net-misc/openssh/Manifest                                      | 1 +
 net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch | 4 ++--
 net-misc/openssh/openssh-7.6_p1-r3.ebuild                      | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index c23db685249..bcaa83f5329 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -5,6 +5,7 @@ DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551
 DIST openssh-7.6_p1-sctp.patch.xz 6996 BLAKE2B 4a857afdc8fa5cb2bfb9dd1805ac6343e774ac7423e2f4439f2adf585aae18fcf55d63f7f5421e716d76e2dd0205b186b6fea1f53132453ea82f0821cea3124c SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151
 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 BLAKE2B 9329a7cf8575c21c31ec73f8ca1084708de34a5b530699d8be2a2a75e1ce0d37210a897c894ab75ee8e2ad0f0802d483d041b1bf3cf3ea46a4a423f1350f42d2 SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a
 DIST openssh-7.6p1+x509-11.1.diff.gz 451725 BLAKE2B 1397c05539ce7532f5e6bf33fc16d5661c32365e127ab1134c0a12c70f0645b05eb05d3ebd9bf64ed59cb94a63cbe8466ac87c9831605230d1ccd578a736904b SHA512 8d445911d8b28fb922a2a0ddb4b7783f81bc258af708148541d30cb79012789cc319bc2031b4584c4c5504480b70077e675be01070fd3065dc4f5ddee89ad8f1
+DIST openssh-7.6p1-hpnssh14v12-r1.tar.xz 15440 BLAKE2B e140852a3ce63e4f744ed4b18b474cf88d09ca55509e5a16d26eef5cf8574466b472073eef56e19467932959d9ba7e941ab561d9ea0704dfee3fd08a6ba7ba8c SHA512 9d0450ec99fe550d790e471cb7815d0863788cf9c41dfef653d102f02be3d38a09e5103e537658279216a5815c1a075ded9f011e05ce216beee2c7daeea8c75a
 DIST openssh-7.6p1-hpnssh14v12.tar.xz 15392 BLAKE2B 6888ea4054a470116b2ab3d115f54e3ee54e0d05a24d3331613c241e684a43354b6100ee2be76e5b2dcc8f0444fbae5d146830d634e53a85124d5e553759a552 SHA512 0e2c62cdec360090b359edfd5bbe894fb25d22e387677e8a5d6cf6a0807b0572fda30b90c30390d5b68e359e9958cb1c65abae4afd9af5892c3f64f6f8001956
 DIST openssh-7.6p1.tar.gz 1489788 BLAKE2B 938bfeeff0a0aaa2fc7e4c345f04561c6c071c526e354a7d344a08742cb70ab1f4a41d325b31720f2fba5c4afa4db11f3fc87055c8c9c8bea37b29cc11dc8f39 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch
index d55656aae97..2ed6a7b54a6 100644
--- a/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch
+++ b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.1-glue.patch
@@ -1,5 +1,5 @@
---- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:02:11.850912525 -0700
-+++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:35:06.223424844 -0700
+--- a/openssh-7.6p1-hpnssh14v12-r1/0003-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:02:11.850912525 -0700
++++ b/openssh-7.6p1-hpnssh14v12-r1/0003-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:35:06.223424844 -0700
 @@ -907,9 +907,9 @@
  @@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
   {

diff --git a/net-misc/openssh/openssh-7.6_p1-r3.ebuild b/net-misc/openssh/openssh-7.6_p1-r3.ebuild
index 635abd42b3d..d68f65f1d37 100644
--- a/net-misc/openssh/openssh-7.6_p1-r3.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1-r3.ebuild
@@ -9,7 +9,7 @@ inherit user flag-o-matic multilib autotools pam systemd versionator
 # and _p? releases.
 PARCH=${P/_}
 
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+HPN_PATCH="${PARCH}-hpnssh14v12-r1.tar.xz"
 SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
 LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
 X509_VER="11.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
@@ -119,8 +119,8 @@ src_prepare() {
 			pushd "${WORKDIR}" >/dev/null
 			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
 			popd >/dev/null
+			save_version X509
 		fi
-		save_version X509
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
 	fi
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-02-12 19:25 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-02-12 19:25 UTC (permalink / raw
  To: gentoo-commits

commit:     fadaefcc70b0cf898dbdd403cee4211269605130
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Mon Feb 12 19:24:14 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Feb 12 19:24:38 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fadaefcc

net-misc/openssh: Revision bump, update X509 patch to 11.2

Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-7.6_p1-hpn-x509-11.2-glue.patch  |  50 +++
 .../files/openssh-7.6_p1-x509-11.2-libressl.patch  |  11 +
 net-misc/openssh/openssh-7.6_p1-r4.ebuild          | 336 +++++++++++++++++++++
 4 files changed, 398 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index bcaa83f5329..46bd6e354ab 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -5,6 +5,7 @@ DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551
 DIST openssh-7.6_p1-sctp.patch.xz 6996 BLAKE2B 4a857afdc8fa5cb2bfb9dd1805ac6343e774ac7423e2f4439f2adf585aae18fcf55d63f7f5421e716d76e2dd0205b186b6fea1f53132453ea82f0821cea3124c SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151
 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 BLAKE2B 9329a7cf8575c21c31ec73f8ca1084708de34a5b530699d8be2a2a75e1ce0d37210a897c894ab75ee8e2ad0f0802d483d041b1bf3cf3ea46a4a423f1350f42d2 SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a
 DIST openssh-7.6p1+x509-11.1.diff.gz 451725 BLAKE2B 1397c05539ce7532f5e6bf33fc16d5661c32365e127ab1134c0a12c70f0645b05eb05d3ebd9bf64ed59cb94a63cbe8466ac87c9831605230d1ccd578a736904b SHA512 8d445911d8b28fb922a2a0ddb4b7783f81bc258af708148541d30cb79012789cc319bc2031b4584c4c5504480b70077e675be01070fd3065dc4f5ddee89ad8f1
+DIST openssh-7.6p1+x509-11.2.diff.gz 451725 BLAKE2B 1397c05539ce7532f5e6bf33fc16d5661c32365e127ab1134c0a12c70f0645b05eb05d3ebd9bf64ed59cb94a63cbe8466ac87c9831605230d1ccd578a736904b SHA512 8d445911d8b28fb922a2a0ddb4b7783f81bc258af708148541d30cb79012789cc319bc2031b4584c4c5504480b70077e675be01070fd3065dc4f5ddee89ad8f1
 DIST openssh-7.6p1-hpnssh14v12-r1.tar.xz 15440 BLAKE2B e140852a3ce63e4f744ed4b18b474cf88d09ca55509e5a16d26eef5cf8574466b472073eef56e19467932959d9ba7e941ab561d9ea0704dfee3fd08a6ba7ba8c SHA512 9d0450ec99fe550d790e471cb7815d0863788cf9c41dfef653d102f02be3d38a09e5103e537658279216a5815c1a075ded9f011e05ce216beee2c7daeea8c75a
 DIST openssh-7.6p1-hpnssh14v12.tar.xz 15392 BLAKE2B 6888ea4054a470116b2ab3d115f54e3ee54e0d05a24d3331613c241e684a43354b6100ee2be76e5b2dcc8f0444fbae5d146830d634e53a85124d5e553759a552 SHA512 0e2c62cdec360090b359edfd5bbe894fb25d22e387677e8a5d6cf6a0807b0572fda30b90c30390d5b68e359e9958cb1c65abae4afd9af5892c3f64f6f8001956
 DIST openssh-7.6p1.tar.gz 1489788 BLAKE2B 938bfeeff0a0aaa2fc7e4c345f04561c6c071c526e354a7d344a08742cb70ab1f4a41d325b31720f2fba5c4afa4db11f3fc87055c8c9c8bea37b29cc11dc8f39 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72

diff --git a/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.2-glue.patch b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.2-glue.patch
new file mode 100644
index 00000000000..2ed6a7b54a6
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.2-glue.patch
@@ -0,0 +1,50 @@
+--- a/openssh-7.6p1-hpnssh14v12-r1/0003-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:02:11.850912525 -0700
++++ b/openssh-7.6p1-hpnssh14v12-r1/0003-support-dynamically-sized-receive-buffers.patch	2017-10-11 15:35:06.223424844 -0700
+@@ -907,9 +907,9 @@
+ @@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
+  {
+  	/* Send our own protocol version identification. */
+- 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ 	xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
+  	if (atomicio(vwrite, connection_out, client_version_string,
+  	    strlen(client_version_string)) != strlen(client_version_string))
+  		fatal("write: %.100s", strerror(errno));
+@@ -918,11 +918,11 @@
+ --- a/sshd.c
+ +++ b/sshd.c
+ @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+- 	char remote_version[256];	/* Must be at least as big as buf. */
++ 	}
+  
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
++	xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
++-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
+++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
+  	    *options.version_addendum == '\0' ? "" : " ",
+  	    options.version_addendum);
+  
+@@ -982,13 +982,14 @@
+ index e093f623..83f0932d 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,5 @@
++@@ -3,3 +3,6 @@
+  #define SSH_VERSION	"OpenSSH_7.6"
+  
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
++-#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+++#define SSH_PORTABLE	"p1"
+ +#define SSH_HPN		"-hpn14v12"
+++#define SSH_X509		"-PKIXSSH-11.0"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+++#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
+ -- 
+ 2.14.2
+ 

diff --git a/net-misc/openssh/files/openssh-7.6_p1-x509-11.2-libressl.patch b/net-misc/openssh/files/openssh-7.6_p1-x509-11.2-libressl.patch
new file mode 100644
index 00000000000..17bc41e5a76
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-x509-11.2-libressl.patch
@@ -0,0 +1,11 @@
+--- a/openssh-7.6p1+x509-11.2.diff	2017-11-06 17:16:28.334140140 -0800
++++ b/openssh-7.6p1+x509-11.2.diff	2017-11-06 17:16:55.338223563 -0800
+@@ -54732,7 +54732,7 @@
+ +int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+ +
+ +typedef char SSHXSTOREPATH;
+-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ +DECLARE_STACK_OF(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_new_null()	SKM_sk_new_null(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_num(st)	SKM_sk_num(SSHXSTOREPATH, (st))

diff --git a/net-misc/openssh/openssh-7.6_p1-r4.ebuild b/net-misc/openssh/openssh-7.6_p1-r4.ebuild
new file mode 100644
index 00000000000..ae151823f60
--- /dev/null
+++ b/net-misc/openssh/openssh-7.6_p1-r4.ebuild
@@ -0,0 +1,336 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v12-r1.tar.xz"
+SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
+X509_VER="11.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~chutzpah/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( https://dev.gentoo.org/~chutzpah/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !ldap !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	eapply "${FILESDIR}/${P}-warnings.patch"
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
+			popd >/dev/null
+			save_version X509
+		fi
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+	fi
+
+	if use ldap ; then
+		eapply "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+	use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	if use hpn ; then
+		elog "Applying HPN patchset ..."
+		eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eapply_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use X509 || use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	# remove this if aes-ctr-mt gets fixed
+	if use hpn; then
+		elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
+		elog "set since it does not (yet) work with >=openssh-7.6p1."
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-03-13 18:50 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-03-13 18:50 UTC (permalink / raw
  To: gentoo-commits

commit:     4de76a2e5a9e0687802b69749c195c7ecd463dd2
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 13 18:50:34 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Tue Mar 13 18:50:34 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4de76a2e

net-misc/openssh: Add glue patch for X509 + permitopen in 7.6_p1-r5

Package-Manager: Portage-2.3.24, Repoman-2.3.6

 .../openssh-7.6_p1-permitopen-x509-glue.patch      | 44 ++++++++++++++++++++++
 net-misc/openssh/openssh-7.6_p1-r5.ebuild          |  5 +++
 2 files changed, 49 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.6_p1-permitopen-x509-glue.patch b/net-misc/openssh/files/openssh-7.6_p1-permitopen-x509-glue.patch
new file mode 100644
index 00000000000..9d8f9a6cdef
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-permitopen-x509-glue.patch
@@ -0,0 +1,44 @@
+--- a/openssh-7.6p1+x509-11.2.diff	2018-03-13 10:48:08.755434051 -0700
++++ b/openssh-7.6p1+x509-11.2.diff	2018-03-13 10:51:27.217980071 -0700
+@@ -29025,13 +29025,6 @@
+ diff -ruN openssh-7.6p1/servconf.c openssh-7.6p1+x509-11.2/servconf.c
+ --- openssh-7.6p1/servconf.c	2017-10-02 22:34:26.000000000 +0300
+ +++ openssh-7.6p1+x509-11.2/servconf.c	2018-02-11 12:07:01.000000000 +0200
+-@@ -1,5 +1,5 @@
+- 
+--/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
+-+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
+- /*
+-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+-  *                    All rights reserved
+ @@ -9,6 +9,29 @@
+   * software must be clearly marked as such, and if the derived work is
+   * incompatible with the protocol description in the RFC file, it must be
+@@ -29467,27 +29460,6 @@
+  	case sAllowUsers:
+  		while ((arg = strdelim(&cp)) && *arg != '\0') {
+  			if (options->num_allow_users >= MAX_ALLOW_USERS)
+-@@ -1663,9 +1931,9 @@
+- 		if (!arg || *arg == '\0')
+- 			fatal("%s line %d: missing PermitOpen specification",
+- 			    filename, linenum);
+--		i = options->num_permitted_opens;	/* modified later */
+-+		value = options->num_permitted_opens;	/* modified later */
+- 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
+--			if (*activep && i == 0) {
+-+			if (*activep && value == 0) {
+- 				options->num_permitted_opens = 1;
+- 				options->permitted_opens = xcalloc(1,
+- 				    sizeof(*options->permitted_opens));
+-@@ -1683,7 +1951,7 @@
+- 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
+- 				fatal("%s line %d: bad port number in "
+- 				    "PermitOpen", filename, linenum);
+--			if (*activep && i == 0) {
+-+			if (*activep && value == 0) {
+- 				options->permitted_opens = xrecallocarray(
+- 				    options->permitted_opens,
+- 				    options->num_permitted_opens,
+ @@ -1885,11 +2153,20 @@
+  
+  	case sDeprecated:

diff --git a/net-misc/openssh/openssh-7.6_p1-r5.ebuild b/net-misc/openssh/openssh-7.6_p1-r5.ebuild
index e19d5f0f30b..46f1d676f5f 100644
--- a/net-misc/openssh/openssh-7.6_p1-r5.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1-r5.ebuild
@@ -122,6 +122,11 @@ src_prepare() {
 			popd >/dev/null
 			save_version X509
 		fi
+		# remove this with the next version bump
+		pushd "${WORKDIR}" >/dev/null
+		eapply "${FILESDIR}/${P}-permitopen-x509-glue.patch"
+		popd >/dev/null
+
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
 	fi
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-04-11  2:44 Thomas Deutschmann
  0 siblings, 0 replies; 57+ messages in thread
From: Thomas Deutschmann @ 2018-04-11  2:44 UTC (permalink / raw
  To: gentoo-commits

commit:     9b74fc16d7b050757989bd8ebba1366e3b8eeda1
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Wed Apr 11 02:16:28 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Wed Apr 11 02:43:57 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b74fc16

net-misc/openssh: Bump to v7.7_p1

Ebuild changes:
===============
- HPN patch set updated to v14.14. MT AES CTR cipher are still not
  working at the moment but we are working on this.

- SCTP patch updated for openssh-7.7_p1.

- LDAP patch is currently not available because patch isn't compatble
  with openssh-7.7_p1 and needs a major rewrite because upstream removed
  auth_parse_options() via commit 7c8568576071.

- X.509 patch updated to v11.3.1.

- Previously, SCTP patch sometimes got applied even when "sctp" USE flag
  wasn't set, this is now fixed.

- We now always expose applied patches in version string (previously
  this was only the case for some patches and was also depending on
  whether the "hpn" USE flag was enabled or not).

- Make sure "/var/empty" gets preserved by package manager. [Bug 647034]

- Runscript: "use" entropy. [Bug 470020]

- Runscript: Use "/run" instead of "/var/run". [Bug 555734]

- Runscript: Verify daemon is really up and running. [Bug 617596]

- Runscript: Simplified (thanks to Michael Orlitzky)

- Runscript: Add prefix support. [Bug 640666]

- Runscript: It is now possible to pass any by start-stop-daemon supported
             arguments (like "--ionice" or "--nicelevel" for example) to
             start-stop-daemon. [Bug 636764]

Closes: https://bugs.gentoo.org/470020
Closes: https://bugs.gentoo.org/555734
Closes: https://bugs.gentoo.org/617596
Closes: https://bugs.gentoo.org/636764
Closes: https://bugs.gentoo.org/640666
Closes: https://bugs.gentoo.org/647034
Closes: https://bugs.gentoo.org/652438
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 net-misc/openssh/Manifest                          |   4 +
 .../openssh/files/openssh-7.7_p1-GSSAPI-dns.patch  | 351 ++++++++++++++++++
 net-misc/openssh/files/sshd-r1.confd               |  33 ++
 net-misc/openssh/files/sshd.rc6.5                  |  89 +++++
 net-misc/openssh/openssh-7.7_p1.ebuild             | 406 +++++++++++++++++++++
 5 files changed, 883 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 299ae83a14c..7817efe9f09 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,5 +6,9 @@ DIST openssh-7.6_p1-sctp.patch.xz 6996 BLAKE2B 4a857afdc8fa5cb2bfb9dd1805ac6343e
 DIST openssh-7.6p1+x509-11.2.diff.gz 466657 BLAKE2B 3f4f108e2d97eb292c215bc3a6e2c64ae6b9e49704f46f46a21496a71d5ebd051ab648446bf71ef141e2114f4a03363d8cd043f5813f957c2c5f2e2eb193931d SHA512 1c0fea91037bfcaed7aa3f0cb01d262410a99d3e1b98a25a012db5d683f3275ab52f78f1e446bd7e543c78f9d406b1dce2bb3997214534ae94e11c254658080f
 DIST openssh-7.6p1-hpnssh14v12-r1.tar.xz 15440 BLAKE2B e140852a3ce63e4f744ed4b18b474cf88d09ca55509e5a16d26eef5cf8574466b472073eef56e19467932959d9ba7e941ab561d9ea0704dfee3fd08a6ba7ba8c SHA512 9d0450ec99fe550d790e471cb7815d0863788cf9c41dfef653d102f02be3d38a09e5103e537658279216a5815c1a075ded9f011e05ce216beee2c7daeea8c75a
 DIST openssh-7.6p1.tar.gz 1489788 BLAKE2B 938bfeeff0a0aaa2fc7e4c345f04561c6c071c526e354a7d344a08742cb70ab1f4a41d325b31720f2fba5c4afa4db11f3fc87055c8c9c8bea37b29cc11dc8f39 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
+DIST openssh-7.7p1-hpnssh14v14-gentoo1.patch.xz 21448 BLAKE2B 51d9324990d8098707359f355b9212679db38569e566f47659ffdae8046bdbb4e6873bd67ecb7da0b5706c5243f44f82089f08ecbc59c7e39062fceb4be78316 SHA512 63d2ffbcfe121ddedaa07955b1025d2c6e196ea694464610437368835cf46dd507d4d17361548cae93db53a1e3d93d9c409910620bbd0cd619d82b6215c833b5
+DIST openssh-7.7p1-sctp-1.0.patch.xz 7380 BLAKE2B 6ad40972ece131ff148ede6ba94d63bffc606e0bcabb959d4c9056196cb6f4fddc285f97d7b49b73fde7ee84e3c981c07bddb058ad88eb7c7c2fe716e657c630 SHA512 bc5f50805ba25415f93f61b6654e5bcbaef673b0af48d339116ca9c94b6152afae294c5a9144adeb40190da97c2fc73b43e3ac7ac34feb4a647628327a7cac0a
+DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
+DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b
 DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 BLAKE2B a31dcb15848d3a22306108a4e181b1d52b195e6adcd2a78d5c7bf57f33c8ed62c3affa434c8d31c07eae84b59f1a3968a3f2a92e702f9225b121127616cb9d61 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974

diff --git a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000000..2840652a9b4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+https://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/auth.c
++++ b/auth.c
+@@ -728,120 +728,6 @@ fakepw(void)
+ 	return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) < 0) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return strdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return strdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return strdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return strdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return strdup(ntop);
+-	}
+-	return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+-
+ /*
+  * Runs command in a subprocess wuth a minimal environment.
+  * Returns pid on success, 0 on failure.
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) < 0) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return strdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return strdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return strdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return strdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return strdup(ntop);
++	}
++	return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}
+--- a/readconf.c
++++ b/readconf.c
+@@ -160,6 +160,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -200,9 +201,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "smartcarddevice", oPKCS11Provider },
+@@ -954,6 +957,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -43,6 +43,7 @@ typedef struct {
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -731,6 +731,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int ok = 0;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(active_state, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
+ 		/* My DER encoding requires length<128 */
+ 		if (gss_supported->elements[mech].length < 128 &&
+ 		    ssh_gssapi_check_mechanism(&gssctxt, 
+-		    &gss_supported->elements[mech], authctxt->host)) {
++		    &gss_supported->elements[mech], gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			mech++;
+-- 

diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd
new file mode 100644
index 00000000000..cf430371bf0
--- /dev/null
+++ b/net-misc/openssh/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"

diff --git a/net-misc/openssh/files/sshd.rc6.5 b/net-misc/openssh/files/sshd.rc6.5
new file mode 100644
index 00000000000..044cbe7268f
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.5
@@ -0,0 +1,89 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# If this isn't a restart, make sure that the user's config isn't
+	# busted before we try to start the daemon (this will produce
+	# better error messages than if we just try to start it blindly).
+	#
+	# If, on the other hand, this *is* a restart, then the stop_pre
+	# action will have ensured that the config is usable and we don't
+	# need to do that again.
+	if [ "${RC_CMD}" != "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}

diff --git a/net-misc/openssh/openssh-7.7_p1.ebuild b/net-misc/openssh/openssh-7.7_p1.ebuild
new file mode 100644
index 00000000000..ba76b889200
--- /dev/null
+++ b/net-misc/openssh/openssh-7.7_p1.ebuild
@@ -0,0 +1,406 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_VER="14v14-gentoo1" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz" HPN_DISABLE_MTAES=1
+SCTP_VER="1.0" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
+
+# Disable LDAP support until someone will rewrite the patch,
+# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
+#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !ldap !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+
+		einfo "Disabling broken X.509 agent test ..."
+		sed -i \
+			-e "/^ agent$/d" \
+			"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
+	fi
+
+	if use ldap ; then
+		eapply "${WORKDIR}"/${LDAP_PATCH%.*}
+
+		einfo "Patching version.h to expose LDAP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP               \"-ldap-${LDAP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in LDAP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		eapply "${WORKDIR}"/${HPN_PATCH%.*}
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+			
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use hpn ; then
+		einfo "Patching packet.c for X509 and/or HPN patch set ..."
+		sed -i \
+			-e "s/const struct sshcipher/struct sshcipher/" \
+			"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
+	fi
+
+	if use X509 || use sctp || use ldap || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eapply_user #473004
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.5 sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-06-11 22:47 Thomas Deutschmann
  0 siblings, 0 replies; 57+ messages in thread
From: Thomas Deutschmann @ 2018-06-11 22:47 UTC (permalink / raw
  To: gentoo-commits

commit:     987bc3f518ed55f6e888a0c6c40182b956e9935c
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 11 22:44:35 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Jun 11 22:46:57 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=987bc3f5

net-misc/openssh: disable conch interopt tests

Bug: https://bugs.gentoo.org/605446
Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../openssh-7.5_p1-disable-conch-interop-tests.patch | 20 ++++++++++++++++++++
 net-misc/openssh/openssh-7.5_p1-r4.ebuild            |  1 +
 net-misc/openssh/openssh-7.6_p1-r4.ebuild            |  1 +
 net-misc/openssh/openssh-7.6_p1-r5.ebuild            |  1 +
 net-misc/openssh/openssh-7.7_p1-r4.ebuild            |  1 +
 5 files changed, 24 insertions(+)

diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 00000000000..a5647ce9d8d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+ 
+ tid="conch ciphers"
+ 
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ 	echo "conch interop tests not enabled"
+ 	exit 0

diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
index 5574b9b318c..3deb8a130f7 100644
--- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
@@ -130,6 +130,7 @@ src_prepare() {
 
 	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
 	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252

diff --git a/net-misc/openssh/openssh-7.6_p1-r4.ebuild b/net-misc/openssh/openssh-7.6_p1-r4.ebuild
index 01600c378d2..68ad3c2a252 100644
--- a/net-misc/openssh/openssh-7.6_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1-r4.ebuild
@@ -110,6 +110,7 @@ src_prepare() {
 	cp version.h version.h.pristine
 
 	eapply "${FILESDIR}/${P}-warnings.patch"
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

diff --git a/net-misc/openssh/openssh-7.6_p1-r5.ebuild b/net-misc/openssh/openssh-7.6_p1-r5.ebuild
index 46f1d676f5f..4c84767d116 100644
--- a/net-misc/openssh/openssh-7.6_p1-r5.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1-r5.ebuild
@@ -111,6 +111,7 @@ src_prepare() {
 
 	eapply "${FILESDIR}/${P}-warnings.patch"
 	eapply "${FILESDIR}/${P}-permitopen.patch"
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

diff --git a/net-misc/openssh/openssh-7.7_p1-r4.ebuild b/net-misc/openssh/openssh-7.7_p1-r4.ebuild
index e884e0b9d3e..8c98892dfd2 100644
--- a/net-misc/openssh/openssh-7.7_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.7_p1-r4.ebuild
@@ -112,6 +112,7 @@ src_prepare() {
 
 	eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 
 	local PATCHSET_VERSION_MACROS=()
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-09-13  2:10 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-09-13  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     3604116e32e4a4d97b40c886b9cd4e797a1d9e13
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 13 01:54:00 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Sep 13 02:09:52 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3604116e

net-misc/openssh: Version bump to 7.8_p1

Package-Manager: Portage-2.3.49, Repoman-2.3.10

 net-misc/openssh/Manifest                          |   5 +
 .../openssh/files/openssh-7.8_p1-GSSAPI-dns.patch  | 359 +++++++++++++++++
 .../files/openssh-7.8_p1-X509-no-version.patch     |  19 +
 .../files/openssh-7.8_p1-hpn-X509-glue.patch       |  79 ++++
 .../openssh/files/openssh-7.8_p1-hpn-glue.patch    | 112 ++++++
 .../files/openssh-7.8_p1-hpn-sctp-glue.patch       |  17 +
 net-misc/openssh/openssh-7.8_p1.ebuild             | 438 +++++++++++++++++++++
 7 files changed, 1029 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index fe07f89b363..73d61beed4a 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -7,4 +7,9 @@ DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf
 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
 DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
 DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
+DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a2e9fb4ca98d00b4940be5cb547fcb647adc9663245274d4e792bcc7c2ec49accaceb7c3c489707bbb7aaeed260dd2e0eb1c3 SHA512 b95d46201626797f197c5aa8488b0543d2c7c5719b99fadd94ef2c888a96c6a7b649527b78b6d6014d953ae57e05ecf116192cf498687db8cb7669c3998deecc
+DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
+DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
+DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
+DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000000..989dc6cee68
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch
@@ -0,0 +1,359 @@
+diff --git a/auth.c b/auth.c
+index 9a3bc96f..fc2c3620 100644
+--- a/auth.c
++++ b/auth.c
+@@ -733,120 +733,6 @@ fakepw(void)
+ 	return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) < 0) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return strdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return strdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return strdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return strdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return strdup(ntop);
+-	}
+-	return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+-
+ /*
+  * Runs command in a subprocess with a minimal environment.
+  * Returns pid on success, 0 on failure.
+diff --git a/canohost.c b/canohost.c
+index f71a0856..3e162d8c 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) < 0) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return strdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return strdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return strdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return strdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return strdup(ntop);
++	}
++	return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}
+diff --git a/readconf.c b/readconf.c
+index db5f2d54..67feffa5 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -202,9 +203,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "smartcarddevice", oPKCS11Provider },
+@@ -977,6 +980,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1818,6 +1825,7 @@ initialize_options(Options * options)
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1964,6 +1972,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index c5688781..af809cc8 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -41,6 +41,7 @@ typedef struct {
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index f499396a..be758544 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -722,6 +722,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 10e4f0a0..4f7d49e3 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt)
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int r, ok = 0;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(active_state, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt)
+ 		/* My DER encoding requires length<128 */
+ 		if (gss_supported->elements[mech].length < 128 &&
+ 		    ssh_gssapi_check_mechanism(&gssctxt,
+-		    &gss_supported->elements[mech], authctxt->host)) {
++		    &gss_supported->elements[mech], gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			mech++;

diff --git a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
new file mode 100644
index 00000000000..66641c27473
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
@@ -0,0 +1,19 @@
+--- a/openssh-7.8p1+x509-11.4.diff	2018-08-24 14:55:19.153936872 -0700
++++ b/openssh-7.8p1+x509-11.4.diff	2018-08-24 14:55:58.116677254 -0700
+@@ -63643,16 +63643,6 @@
+  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
+  			return;
+  		setlocale(LC_CTYPE, "C");
+-diff -ruN openssh-7.8p1/version.h openssh-7.8p1+x509-11.4/version.h
+---- openssh-7.8p1/version.h	2018-08-23 08:41:42.000000000 +0300
+-+++ openssh-7.8p1+x509-11.4/version.h	2018-08-24 20:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-7.8p1/version.m4 openssh-7.8p1+x509-11.4/version.m4
+ --- openssh-7.8p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-7.8p1+x509-11.4/version.m4	2018-08-24 20:00:00.000000000 +0300

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
new file mode 100644
index 00000000000..c76d454c92f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
@@ -0,0 +1,79 @@
+--- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig	2018-09-12 15:58:57.377986085 -0700
++++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2018-09-12 16:07:15.376711327 -0700
+@@ -4,8 +4,8 @@
+ +++ b/Makefile.in
+ @@ -42,7 +42,7 @@ CC=@CC@
+  LD=@LD@
+- CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -788,8 +788,8 @@
+  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+  {
+  	struct session_state *state;
+--	const struct sshcipher *none = cipher_by_name("none");
+-+	struct sshcipher *none = cipher_by_name("none");
++-	const struct sshcipher *none = cipher_none();
+++	struct sshcipher *none = cipher_none();
+  	int r;
+
+  	if (none == NULL) {
+@@ -933,9 +933,9 @@
+  	/* Portable-specific options */
+  	sUsePAM,
+ +	sDisableMTAES,
+- 	/* Standard Options */
+- 	sPort, sHostKeyFile, sLoginGraceTime,
+- 	sPermitRootLogin, sLogFacility, sLogLevel,
++ 	/* X.509 Standard Options */
++ 	sHostbasedAlgorithms,
++ 	sPubkeyAlgorithms,
+ @@ -626,6 +630,7 @@ static struct {
+  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 16:38:16.947447218 -0700
++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 16:32:35.479700864 -0700
+@@ -382,7 +382,7 @@
+ @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
+  	int nenc, nmac, ncomp;
+  	u_int mode, ctos, need, dh_need, authlen;
+- 	int r, first_kex_follows;
++ 	int r, first_kex_follows = 0;
+ +	int auth_flag;
+ +
+ +	auth_flag = packet_authentication_state(ssh);
+@@ -1125,15 +1125,6 @@
+ index a738c3a..b32dbe0 100644
+ --- a/sshd.c
+ +++ b/sshd.c
+-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+- 	char remote_version[256];	/* Must be at least as big as buf. */
+- 
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+- 	    *options.version_addendum == '\0' ? "" : " ",
+- 	    options.version_addendum);
+- 
+ @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
+  	int ret, listen_sock;
+  	struct addrinfo *ai;
+@@ -1213,14 +1204,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
new file mode 100644
index 00000000000..0561e381406
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
@@ -0,0 +1,112 @@
+--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-11 17:19:19.968420409 -0700
++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-11 17:39:19.977535398 -0700
+@@ -409,18 +409,10 @@
+ index dcf35e6..da4ced0 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+  	return 0;
+  }
+  
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+	rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- 		return 0;
+- 
+-+	/* used to force rekeying when called for by the none
+-+         * cipher switch methods -cjr */
+-+        if (rekey_requested == 1) {
+-+                rekey_requested = 0;
+-+                return 1;
+-+        }
+-+
+- 	/* Time-based rekeying */
+- 	if (state->rekey_interval != 0 &&
+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index 170203c..f4d9df2 100644
+ --- a/packet.h
+@@ -476,9 +454,9 @@
+  /* Format of the configuration file:
+  
+ @@ -166,6 +167,8 @@ typedef enum {
+- 	oHashKnownHosts,
+  	oTunnel, oTunnelDevice,
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ 	oDisableMTAES,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneSwitch,
+  	oVisualHostKey,
+@@ -615,9 +593,9 @@
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+ @@ -111,7 +115,10 @@ typedef struct {
+- 
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none to be used */
+  	int	rekey_interval;
+@@ -673,9 +651,9 @@
+  	/* Portable-specific options */
+  	if (options->use_pam == -1)
+ @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
+- 	}
+- 	if (options->permit_tun == -1)
+  		options->permit_tun = SSH_TUNMODE_NO;
++ 	if (options->disable_multithreaded == -1)
++ 		options->disable_multithreaded = 0;
+ +	if (options->none_enabled == -1)
+ +		options->none_enabled = 0;
+ +	if (options->hpn_disabled == -1)
+@@ -1092,7 +1070,7 @@
+  	xxx_host = host;
+  	xxx_hostaddr = hostaddr;
+  
+-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
++@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
+  
+  	if (!authctxt.success)
+  		fatal("Authentication failed.");
+@@ -1117,10 +1095,9 @@
+ +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ +		}
+ +	}
+-+
+- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+  
++ #ifdef WITH_OPENSSL
++ 	if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index a738c3a..b32dbe0 100644
+ --- a/sshd.c
+@@ -1217,11 +1194,10 @@
+ index f1bbf00..21a70c2 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,6 @@
++@@ -3,4 +3,5 @@
+  #define SSH_VERSION	"OpenSSH_7.8"
+  
+  #define SSH_PORTABLE	"p1"
+ -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn14v16"
+ +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+ + 

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
new file mode 100644
index 00000000000..a7d51ad9483
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
@@ -0,0 +1,17 @@
+--- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 18:18:51.851536374 -0700
++++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 18:19:01.116475099 -0700
+@@ -1190,14 +1190,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

diff --git a/net-misc/openssh/openssh-7.8_p1.ebuild b/net-misc/openssh/openssh-7.8_p1.ebuild
new file mode 100644
index 00000000000..be98cf40b88
--- /dev/null
+++ b/net-misc/openssh/openssh-7.8_p1.ebuild
@@ -0,0 +1,438 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+CAP_PV="${PV^^}"
+
+HPN_VER="14.16"
+HPN_PATCHES=(
+	${PN}-${CAP_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${CAP_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+)
+HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
+SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="11.4" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_ver}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" || die
+		eapply "${FILESDIR}/${P}-X509-no-version.patch"
+		popd || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		pushd "${hpn_patchdir}"
+		eapply "${FILESDIR}"/${P}-hpn-glue.patch
+		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
+		popd
+
+		eapply "${hpn_patchdir}"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86
+	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-10-19 23:59 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-10-19 23:59 UTC (permalink / raw
  To: gentoo-commits

commit:     1e31c03626df1f0848684e56fb84f0697d038085
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Fri Oct 19 23:58:42 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Oct 19 23:59:17 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e31c036

net-misc/openssh: Version bump to 7.9_p1

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-misc/openssh/Manifest                          |   3 +
 .../openssh/files/openssh-7.9_p1-X509-glue.patch   |  28 ++
 .../files/openssh-7.9_p1-hpn-X509-glue.patch       |  79 ++++
 .../openssh/files/openssh-7.9_p1-hpn-glue.patch    | 112 ++++++
 .../files/openssh-7.9_p1-hpn-sctp-glue.patch       |  17 +
 .../openssh-7.9_p1-openssl-1.0.2-compat.patch      |  13 +
 net-misc/openssh/openssh-7.9_p1.ebuild             | 446 +++++++++++++++++++++
 7 files changed, 698 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 73d61beed4a..8a6aff714aa 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -10,6 +10,9 @@ DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05
 DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a2e9fb4ca98d00b4940be5cb547fcb647adc9663245274d4e792bcc7c2ec49accaceb7c3c489707bbb7aaeed260dd2e0eb1c3 SHA512 b95d46201626797f197c5aa8488b0543d2c7c5719b99fadd94ef2c888a96c6a7b649527b78b6d6014d953ae57e05ecf116192cf498687db8cb7669c3998deecc
 DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
 DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
+DIST openssh-7.9p1+x509-11.5.diff.gz 594995 BLAKE2B 2c44df224e4114da0473cbbdfdcc4bd84b0b0235f80b43517d70fe1071f219d2631f784015ab1470eebcf8f3b6b5f8744862acebb22f217c6e76f79e6a49c099 SHA512 4d2fd950dee9721add822fdb54ff8c20fd18da85081ce8a2bd2a1050d3ff7900a7213782c479691de9dcfe4e2f91061e124d34b365edb3831e8bfe4aef3744f9
+DIST openssh-7.9p1-sctp-1.1.patch.xz 7552 BLAKE2B 0eeda7c8a50c0c98433b5ee0734b9f79043067be376a9ca724d574d4a595c3f7aed0626342300467b73ad9003392e22fda8abe778158ba5be5a50a57eeef79f8 SHA512 6cad32c40dd3901c4eadb0c463a35ec2d901e61220c333d3df7759f672259f66fc83e2b1ace8b0ef84cbc1a65397f00f9c670ffa23726d8309fa5060512d2c21
+DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-glue.patch
new file mode 100644
index 00000000000..e1d63ecc8ae
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-X509-glue.patch
@@ -0,0 +1,28 @@
+--- a/openssh-7.9p1+x509-11.5.diff	2018-10-19 11:41:13.791285390 -0700
++++ b/openssh-7.9p1+x509-11.5.diff	2018-10-19 11:45:42.584694215 -0700
+@@ -44045,7 +44045,7 @@
+  	ENGINE_register_all_complete();
+ +#endif
+  
+--#if OPENSSL_VERSION_NUMBER < 0x10001000L
++-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ +	/* OPENSSL_config will load buildin engines and engines
+ +	 * specified in configuration file, i.e. method call
+ +	 * ENGINE_load_builtin_engines. Latter is only for
+@@ -77691,16 +77691,6 @@
+  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
+  			return;
+  		setlocale(LC_CTYPE, "C");
+-diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.5/version.h
+---- openssh-7.9p1/version.h	2018-10-17 03:01:20.000000000 +0300
+-+++ openssh-7.9p1+x509-11.5/version.h	2018-10-19 19:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_7.9"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.5/version.m4
+ --- openssh-7.9p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-7.9p1+x509-11.5/version.m4	2018-10-19 18:13:58.000000000 +0300

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch
new file mode 100644
index 00000000000..c76d454c92f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch
@@ -0,0 +1,79 @@
+--- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig	2018-09-12 15:58:57.377986085 -0700
++++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2018-09-12 16:07:15.376711327 -0700
+@@ -4,8 +4,8 @@
+ +++ b/Makefile.in
+ @@ -42,7 +42,7 @@ CC=@CC@
+  LD=@LD@
+- CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -788,8 +788,8 @@
+  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+  {
+  	struct session_state *state;
+--	const struct sshcipher *none = cipher_by_name("none");
+-+	struct sshcipher *none = cipher_by_name("none");
++-	const struct sshcipher *none = cipher_none();
+++	struct sshcipher *none = cipher_none();
+  	int r;
+
+  	if (none == NULL) {
+@@ -933,9 +933,9 @@
+  	/* Portable-specific options */
+  	sUsePAM,
+ +	sDisableMTAES,
+- 	/* Standard Options */
+- 	sPort, sHostKeyFile, sLoginGraceTime,
+- 	sPermitRootLogin, sLogFacility, sLogLevel,
++ 	/* X.509 Standard Options */
++ 	sHostbasedAlgorithms,
++ 	sPubkeyAlgorithms,
+ @@ -626,6 +630,7 @@ static struct {
+  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 16:38:16.947447218 -0700
++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 16:32:35.479700864 -0700
+@@ -382,7 +382,7 @@
+ @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
+  	int nenc, nmac, ncomp;
+  	u_int mode, ctos, need, dh_need, authlen;
+- 	int r, first_kex_follows;
++ 	int r, first_kex_follows = 0;
+ +	int auth_flag;
+ +
+ +	auth_flag = packet_authentication_state(ssh);
+@@ -1125,15 +1125,6 @@
+ index a738c3a..b32dbe0 100644
+ --- a/sshd.c
+ +++ b/sshd.c
+-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+- 	char remote_version[256];	/* Must be at least as big as buf. */
+- 
+- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+- 	    *options.version_addendum == '\0' ? "" : " ",
+- 	    options.version_addendum);
+- 
+ @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
+  	int ret, listen_sock;
+  	struct addrinfo *ai;
+@@ -1213,14 +1204,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch
new file mode 100644
index 00000000000..0561e381406
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch
@@ -0,0 +1,112 @@
+--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-11 17:19:19.968420409 -0700
++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-11 17:39:19.977535398 -0700
+@@ -409,18 +409,10 @@
+ index dcf35e6..da4ced0 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+  	return 0;
+  }
+  
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+	rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- 		return 0;
+- 
+-+	/* used to force rekeying when called for by the none
+-+         * cipher switch methods -cjr */
+-+        if (rekey_requested == 1) {
+-+                rekey_requested = 0;
+-+                return 1;
+-+        }
+-+
+- 	/* Time-based rekeying */
+- 	if (state->rekey_interval != 0 &&
+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index 170203c..f4d9df2 100644
+ --- a/packet.h
+@@ -476,9 +454,9 @@
+  /* Format of the configuration file:
+  
+ @@ -166,6 +167,8 @@ typedef enum {
+- 	oHashKnownHosts,
+  	oTunnel, oTunnelDevice,
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ 	oDisableMTAES,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneSwitch,
+  	oVisualHostKey,
+@@ -615,9 +593,9 @@
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+ @@ -111,7 +115,10 @@ typedef struct {
+- 
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none to be used */
+  	int	rekey_interval;
+@@ -673,9 +651,9 @@
+  	/* Portable-specific options */
+  	if (options->use_pam == -1)
+ @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
+- 	}
+- 	if (options->permit_tun == -1)
+  		options->permit_tun = SSH_TUNMODE_NO;
++ 	if (options->disable_multithreaded == -1)
++ 		options->disable_multithreaded = 0;
+ +	if (options->none_enabled == -1)
+ +		options->none_enabled = 0;
+ +	if (options->hpn_disabled == -1)
+@@ -1092,7 +1070,7 @@
+  	xxx_host = host;
+  	xxx_hostaddr = hostaddr;
+  
+-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
++@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
+  
+  	if (!authctxt.success)
+  		fatal("Authentication failed.");
+@@ -1117,10 +1095,9 @@
+ +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ +		}
+ +	}
+-+
+- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+  
++ #ifdef WITH_OPENSSL
++ 	if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index a738c3a..b32dbe0 100644
+ --- a/sshd.c
+@@ -1217,11 +1194,10 @@
+ index f1bbf00..21a70c2 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,6 @@
++@@ -3,4 +3,5 @@
+  #define SSH_VERSION	"OpenSSH_7.8"
+  
+  #define SSH_PORTABLE	"p1"
+ -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn14v16"
+ +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+ + 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch
new file mode 100644
index 00000000000..a7d51ad9483
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch
@@ -0,0 +1,17 @@
+--- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 18:18:51.851536374 -0700
++++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 18:19:01.116475099 -0700
+@@ -1190,14 +1190,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
new file mode 100644
index 00000000000..9fc6d0a9dce
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
@@ -0,0 +1,13 @@
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index 8b4a3627..590b66d1 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
+ 	ENGINE_load_builtin_engines();
+ 	ENGINE_register_all_complete();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	OPENSSL_config(NULL);
+ #else
+ 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

diff --git a/net-misc/openssh/openssh-7.9_p1.ebuild b/net-misc/openssh/openssh-7.9_p1.ebuild
new file mode 100644
index 00000000000..e92fbbc06ee
--- /dev/null
+++ b/net-misc/openssh/openssh-7.9_p1.ebuild
@@ -0,0 +1,446 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+#HPN_PV="${PV^^}"
+HPN_PV="7.8_P1"
+
+HPN_VER="14.16"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+)
+HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
+SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="11.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
+	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" || die
+		eapply "${FILESDIR}/${P}-X509-glue.patch"
+		popd || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		pushd "${hpn_patchdir}"
+		eapply "${FILESDIR}"/${P}-hpn-glue.patch
+		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
+		popd
+
+		eapply "${hpn_patchdir}"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86
+	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-10-22 17:32 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-10-22 17:32 UTC (permalink / raw
  To: gentoo-commits

commit:     7e539010154b1efd978198ddd8902cfc0a5be957
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Mon Oct 22 17:31:15 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Oct 22 17:31:30 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e539010

net-misc/openssh: Fix openssl-1.0.2 patch to fix libressl as well

This also adds a patch to fix a bunch of QA warnings with USE=-ssl

Closes: https://bugs.gentoo.org/669052
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 .../files/openssh-7.9_p1-include-stdlib.patch      | 48 ++++++++++++++++++++++
 .../openssh-7.9_p1-openssl-1.0.2-compat.patch      |  4 +-
 net-misc/openssh/openssh-7.9_p1.ebuild             |  1 +
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
new file mode 100644
index 00000000000..c5697c2b8bd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
@@ -0,0 +1,48 @@
+diff --git a/auth-options.c b/auth-options.c
+index b05d6d6f..d1f42f04 100644
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -26,6 +26,7 @@
+ #include <stdarg.h>
+ #include <ctype.h>
+ #include <limits.h>
++#include <stdlib.h>
+ 
+ #include "openbsd-compat/sys-queue.h"
+ 
+diff --git a/hmac.c b/hmac.c
+index 1c879640..a29f32c5 100644
+--- a/hmac.c
++++ b/hmac.c
+@@ -19,6 +19,7 @@
+ 
+ #include <sys/types.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "digest.h"
+diff --git a/krl.c b/krl.c
+index 8e2d5d5d..c32e147a 100644
+--- a/krl.c
++++ b/krl.c
+@@ -28,6 +28,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "ssherr.h"
+diff --git a/mac.c b/mac.c
+index 51dc11d7..3d11eba6 100644
+--- a/mac.c
++++ b/mac.c
+@@ -29,6 +29,7 @@
+ 
+ #include <string.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ 
+ #include "digest.h"
+ #include "hmac.h"

diff --git a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
index 9fc6d0a9dce..c1c310e8f14 100644
--- a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
+++ b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
@@ -5,9 +5,9 @@ index 8b4a3627..590b66d1 100644
 @@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
  	ENGINE_load_builtin_engines();
  	ENGINE_register_all_complete();
- 
+
 -#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
  	OPENSSL_config(NULL);
  #else
  	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

diff --git a/net-misc/openssh/openssh-7.9_p1.ebuild b/net-misc/openssh/openssh-7.9_p1.ebuild
index e92fbbc06ee..c38afd6020c 100644
--- a/net-misc/openssh/openssh-7.9_p1.ebuild
+++ b/net-misc/openssh/openssh-7.9_p1.ebuild
@@ -114,6 +114,7 @@ src_prepare() {
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
 
 	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
 	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
 	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-12-20  0:51 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2018-12-20  0:51 UTC (permalink / raw
  To: gentoo-commits

commit:     9a5c54094bd4d908968c284152346ff9bdcd0f16
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Thu Dec 20 00:50:43 2018 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Dec 20 00:50:43 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a5c5409

net-misc/openssh: Revbump to 7.9_p1-r1, update X509 patch to 11.6

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-7.9_p1-X509-11.6-tests.patch     |  12 +
 ...openssh-7.9_p1-X509-dont-make-piddir-11.6.patch |  16 +
 .../files/openssh-7.9_p1-X509-glue-11.6.patch      |  28 ++
 net-misc/openssh/openssh-7.9_p1-r1.ebuild          | 450 +++++++++++++++++++++
 5 files changed, 507 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 8a6aff714aa..e0c1d3402c2 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -11,6 +11,7 @@ DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a
 DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
 DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
 DIST openssh-7.9p1+x509-11.5.diff.gz 594995 BLAKE2B 2c44df224e4114da0473cbbdfdcc4bd84b0b0235f80b43517d70fe1071f219d2631f784015ab1470eebcf8f3b6b5f8744862acebb22f217c6e76f79e6a49c099 SHA512 4d2fd950dee9721add822fdb54ff8c20fd18da85081ce8a2bd2a1050d3ff7900a7213782c479691de9dcfe4e2f91061e124d34b365edb3831e8bfe4aef3744f9
+DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
 DIST openssh-7.9p1-sctp-1.1.patch.xz 7552 BLAKE2B 0eeda7c8a50c0c98433b5ee0734b9f79043067be376a9ca724d574d4a595c3f7aed0626342300467b73ad9003392e22fda8abe778158ba5be5a50a57eeef79f8 SHA512 6cad32c40dd3901c4eadb0c463a35ec2d901e61220c333d3df7759f672259f66fc83e2b1ace8b0ef84cbc1a65397f00f9c670ffa23726d8309fa5060512d2c21
 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch
new file mode 100644
index 00000000000..9766b1594ea
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch
@@ -0,0 +1,12 @@
+diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in
+--- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in	2018-10-16 17:01:20.000000000 -0700
++++ openssh-7.9p1/openbsd-compat/regress/Makefile.in	2018-12-19 11:03:14.421028691 -0800
+@@ -7,7 +7,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
++CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@
+ EXEEXT=@EXEEXT@
+ LIBCOMPAT=../libopenbsd-compat.a
+ LIBS=@LIBS@

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch
new file mode 100644
index 00000000000..487b239639a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch
@@ -0,0 +1,16 @@
+--- a/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:03.211328918 -0800
++++ b/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:13.399262277 -0800
+@@ -40681,12 +40681,11 @@
+
+  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -333,6 +351,8 @@
++@@ -333,6 +351,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch
new file mode 100644
index 00000000000..b807ac45f79
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch
@@ -0,0 +1,28 @@
+--- a/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:42:01.241775036 -0800
++++ b/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:43:33.383140818 -0800
+@@ -45862,7 +45862,7 @@
+  	ENGINE_register_all_complete();
+ +#endif
+  
+--#if OPENSSL_VERSION_NUMBER < 0x10001000L
++-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ +	/* OPENSSL_config will load buildin engines and engines
+ +	 * specified in configuration file, i.e. method call
+ +	 * ENGINE_load_builtin_engines. Latter is only for
+@@ -81123,16 +81123,6 @@
+  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
+  			return;
+  		setlocale(LC_CTYPE, "C");
+-diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h
+---- openssh-7.9p1/version.h	2018-10-17 03:01:20.000000000 +0300
+-+++ openssh-7.9p1+x509-11.6/version.h	2018-12-18 20:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_7.9"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4
+ --- openssh-7.9p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-7.9p1+x509-11.6/version.m4	2018-12-18 20:07:00.000000000 +0200

diff --git a/net-misc/openssh/openssh-7.9_p1-r1.ebuild b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
new file mode 100644
index 00000000000..af3fd632c5f
--- /dev/null
+++ b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
@@ -0,0 +1,450 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+#HPN_PV="${PV^^}"
+HPN_PV="7.8_P1"
+
+HPN_VER="14.16"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+)
+HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
+SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" || die
+		eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
+		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
+		popd || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		pushd "${hpn_patchdir}"
+		eapply "${FILESDIR}"/${P}-hpn-glue.patch
+		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
+		popd
+
+		eapply "${hpn_patchdir}"
+		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86
+	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2019-03-03 14:32 Lars Wendler
  0 siblings, 0 replies; 57+ messages in thread
From: Lars Wendler @ 2019-03-03 14:32 UTC (permalink / raw
  To: gentoo-commits

commit:     9d94101585a6991d03d1ef98226d315406d8bf06
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sun Mar  3 14:32:25 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Mar  3 14:32:25 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d941015

net-misc/openssh: Removed old.

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   4 -
 .../files/openssh-7.8_p1-X509-no-version.patch     |  19 -
 .../files/openssh-7.8_p1-hpn-X509-glue.patch       |  79 ----
 .../openssh/files/openssh-7.8_p1-hpn-glue.patch    | 112 -----
 .../files/openssh-7.8_p1-hpn-sctp-glue.patch       |  17 -
 net-misc/openssh/openssh-7.8_p1.ebuild             | 438 --------------------
 net-misc/openssh/openssh-7.9_p1-r1.ebuild          | 450 ---------------------
 net-misc/openssh/openssh-7.9_p1.ebuild             | 450 ---------------------
 8 files changed, 1569 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 42d69025fbd..11a121a2939 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -7,10 +7,6 @@ DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf
 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
 DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
 DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
-DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a2e9fb4ca98d00b4940be5cb547fcb647adc9663245274d4e792bcc7c2ec49accaceb7c3c489707bbb7aaeed260dd2e0eb1c3 SHA512 b95d46201626797f197c5aa8488b0543d2c7c5719b99fadd94ef2c888a96c6a7b649527b78b6d6014d953ae57e05ecf116192cf498687db8cb7669c3998deecc
-DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
-DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
-DIST openssh-7.9p1+x509-11.5.diff.gz 594995 BLAKE2B 2c44df224e4114da0473cbbdfdcc4bd84b0b0235f80b43517d70fe1071f219d2631f784015ab1470eebcf8f3b6b5f8744862acebb22f217c6e76f79e6a49c099 SHA512 4d2fd950dee9721add822fdb54ff8c20fd18da85081ce8a2bd2a1050d3ff7900a7213782c479691de9dcfe4e2f91061e124d34b365edb3831e8bfe4aef3744f9
 DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
 DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103
 DIST openssh-7.9p1-sctp-1.1.patch.xz 7552 BLAKE2B 0eeda7c8a50c0c98433b5ee0734b9f79043067be376a9ca724d574d4a595c3f7aed0626342300467b73ad9003392e22fda8abe778158ba5be5a50a57eeef79f8 SHA512 6cad32c40dd3901c4eadb0c463a35ec2d901e61220c333d3df7759f672259f66fc83e2b1ace8b0ef84cbc1a65397f00f9c670ffa23726d8309fa5060512d2c21

diff --git a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
deleted file mode 100644
index 66641c27473..00000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/openssh-7.8p1+x509-11.4.diff	2018-08-24 14:55:19.153936872 -0700
-+++ b/openssh-7.8p1+x509-11.4.diff	2018-08-24 14:55:58.116677254 -0700
-@@ -63643,16 +63643,6 @@
-  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
-  			return;
-  		setlocale(LC_CTYPE, "C");
--diff -ruN openssh-7.8p1/version.h openssh-7.8p1+x509-11.4/version.h
----- openssh-7.8p1/version.h	2018-08-23 08:41:42.000000000 +0300
--+++ openssh-7.8p1+x509-11.4/version.h	2018-08-24 20:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-7.8p1/version.m4 openssh-7.8p1+x509-11.4/version.m4
- --- openssh-7.8p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-7.8p1+x509-11.4/version.m4	2018-08-24 20:00:00.000000000 +0300

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
deleted file mode 100644
index c76d454c92f..00000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
+++ /dev/null
@@ -1,79 +0,0 @@
---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig	2018-09-12 15:58:57.377986085 -0700
-+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2018-09-12 16:07:15.376711327 -0700
-@@ -4,8 +4,8 @@
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-  LD=@LD@
-- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -788,8 +788,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-
-  	if (none == NULL) {
-@@ -933,9 +933,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -626,6 +630,7 @@ static struct {
-  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 16:38:16.947447218 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 16:32:35.479700864 -0700
-@@ -382,7 +382,7 @@
- @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -1125,15 +1125,6 @@
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
- +++ b/sshd.c
--@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-- 	char remote_version[256];	/* Must be at least as big as buf. */
-- 
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
---	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-- 	    *options.version_addendum == '\0' ? "" : " ",
-- 	    options.version_addendum);
-- 
- @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
-  	int ret, listen_sock;
-  	struct addrinfo *ai;
-@@ -1213,14 +1204,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
deleted file mode 100644
index 0561e381406..00000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
+++ /dev/null
@@ -1,112 +0,0 @@
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-11 17:19:19.968420409 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-11 17:39:19.977535398 -0700
-@@ -409,18 +409,10 @@
- index dcf35e6..da4ced0 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 170203c..f4d9df2 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
-  /* Format of the configuration file:
-  
- @@ -166,6 +167,8 @@ typedef enum {
-- 	oHashKnownHosts,
-  	oTunnel, oTunnelDevice,
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ 	oDisableMTAES,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneSwitch,
-  	oVisualHostKey,
-@@ -615,9 +593,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -111,7 +115,10 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none to be used */
-  	int	rekey_interval;
-@@ -673,9 +651,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->hpn_disabled == -1)
-@@ -1092,7 +1070,7 @@
-  	xxx_host = host;
-  	xxx_hostaddr = hostaddr;
-  
--@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-  
-  	if (!authctxt.success)
-  		fatal("Authentication failed.");
-@@ -1117,10 +1095,9 @@
- +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- +		}
- +	}
--+
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
-@@ -1217,11 +1194,10 @@
- index f1bbf00..21a70c2 100644
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,6 @@
-+@@ -3,4 +3,5 @@
-  #define SSH_VERSION	"OpenSSH_7.8"
-  
-  #define SSH_PORTABLE	"p1"
- -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn14v16"
- +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
- + 

diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
deleted file mode 100644
index a7d51ad9483..00000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 18:18:51.851536374 -0700
-+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 18:19:01.116475099 -0700
-@@ -1190,14 +1190,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

diff --git a/net-misc/openssh/openssh-7.8_p1.ebuild b/net-misc/openssh/openssh-7.8_p1.ebuild
deleted file mode 100644
index 3ce6916d6e9..00000000000
--- a/net-misc/openssh/openssh-7.8_p1.ebuild
+++ /dev/null
@@ -1,438 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-CAP_PV="${PV^^}"
-
-HPN_VER="14.16"
-HPN_PATCHES=(
-	${PN}-${CAP_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${CAP_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-)
-HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.4" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-1.0.1:0=[bindist=]
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" || die
-		eapply "${FILESDIR}/${P}-X509-no-version.patch"
-		popd || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
-		pushd "${hpn_patchdir}"
-		eapply "${FILESDIR}"/${P}-hpn-glue.patch
-		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
-		popd
-
-		eapply "${hpn_patchdir}"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX%/}"/etc/ssh
-		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX%/}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX%/}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86
-	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.9_p1-r1.ebuild b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
deleted file mode 100644
index af3fd632c5f..00000000000
--- a/net-misc/openssh/openssh-7.9_p1-r1.ebuild
+++ /dev/null
@@ -1,450 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-#HPN_PV="${PV^^}"
-HPN_PV="7.8_P1"
-
-HPN_VER="14.16"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-)
-HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist=]
-					<dev-libs/openssl-1.1.0:0[bindist=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" || die
-		eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
-		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
-		popd || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
-		pushd "${hpn_patchdir}"
-		eapply "${FILESDIR}"/${P}-hpn-glue.patch
-		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
-		popd
-
-		eapply "${hpn_patchdir}"
-		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX%/}"/etc/ssh
-		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX%/}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX%/}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86
-	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.9_p1.ebuild b/net-misc/openssh/openssh-7.9_p1.ebuild
deleted file mode 100644
index f39686f32b0..00000000000
--- a/net-misc/openssh/openssh-7.9_p1.ebuild
+++ /dev/null
@@ -1,450 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-#HPN_PV="${PV^^}"
-HPN_PV="7.8_P1"
-
-HPN_VER="14.16"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-)
-HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist=]
-					<dev-libs/openssl-1.1.0:0[bindist=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" || die
-		eapply "${FILESDIR}/${P}-X509-glue.patch"
-		eapply "${FILESDIR}/${P}-X509-dont-make-piddir.patch"
-		popd || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${PN}-7.9_p1-libressl-2.8.patch
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
-		pushd "${hpn_patchdir}"
-		eapply "${FILESDIR}"/${P}-hpn-glue.patch
-		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
-		popd
-
-		eapply "${hpn_patchdir}"
-		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	[[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX%/}"/etc/ssh
-		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX%/}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX%/}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86
-	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2019-04-29 23:35 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2019-04-29 23:35 UTC (permalink / raw
  To: gentoo-commits

commit:     7351114de5d681350557fe029ce34159749d75a0
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Mon Apr 29 23:29:30 2019 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Apr 29 23:35:26 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7351114d

net-misc/openssh: Revbump to 8.0_p1-r1, pick up 12.0.1 X509 bugfix

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.65, Repoman-2.3.12
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 ...enssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch |  16 +
 .../files/openssh-8.0_p1-X509-glue-12.0.1.patch    |  19 +
 net-misc/openssh/openssh-8.0_p1-r1.ebuild          | 461 +++++++++++++++++++++
 4 files changed, 497 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index c37252ba192..8e4d889a09e 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -13,6 +13,7 @@ DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4
 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
+DIST openssh-8.0p1+x509-12.0.1.diff.gz 629849 BLAKE2B 9366244434c525ddf8f19a476b8b49d13f8c54374986bda8585db1288e7b61c60e26e2a315bec71b52f5e0f5bf4131f0f325039909b91874baab401272418fab SHA512 c6ea243f49674bba64ee372e0532eb9fe6f109d0d5e70f10995d97b5ad5e340275b1b84c3c3bfc7eda1865619dea1370e06e34bbcc3d76af6aa7a00feccaea06
 DIST openssh-8.0p1+x509-12.0.diff.gz 623765 BLAKE2B b1c0d533a58c55b0f8451ce5aa8ee9b462afdc1eee44018f30962d3427c73b12a57c2c88bc8656c09c2b39a2ac72755539eeb29e7060ced5d3e8470647f88c0a SHA512 5f678fd303e39df7a2fb23af682c5a02b33f7fdcafe6171b9db2067098a2048677c415c3bee75225eb9fbaf308cfac7f37b0865951cdb6dda0577908499a8295
 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f
 DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch
new file mode 100644
index 00000000000..e4aca305e00
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch
@@ -0,0 +1,16 @@
+--- a/openssh-8.0p1+x509-12.0.1.diff	2019-04-29 14:11:55.210175168 -0700
++++ b/openssh-8.0p1+x509-12.0.1.diff	2019-04-29 14:12:55.603761971 -0700
+@@ -34176,12 +34176,11 @@
+  
+  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -334,6 +352,8 @@
++@@ -334,6 +352,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch
new file mode 100644
index 00000000000..244aef4c399
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch
@@ -0,0 +1,19 @@
+--- a/openssh-8.0p1+x509-12.0.1.diff	2019-04-29 14:07:39.687923384 -0700
++++ b/openssh-8.0p1+x509-12.0.1.diff	2019-04-29 14:08:11.330706892 -0700
+@@ -76610,16 +76610,6 @@
+ +	return mbtowc(NULL, s, n);
+ +}
+ +#endif
+-diff -ruN openssh-8.0p1/version.h openssh-8.0p1+x509-12.0.1/version.h
+---- openssh-8.0p1/version.h	2019-04-18 01:52:57.000000000 +0300
+-+++ openssh-8.0p1+x509-12.0.1/version.h	2019-04-29 19:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.0"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.0p1/version.m4 openssh-8.0p1+x509-12.0.1/version.m4
+ --- openssh-8.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.0p1+x509-12.0.1/version.m4	2019-04-29 19:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.0_p1-r1.ebuild b/net-misc/openssh/openssh-8.0_p1-r1.ebuild
new file mode 100644
index 00000000000..333774349e2
--- /dev/null
+++ b/net-misc/openssh/openssh-8.0_p1-r1.ebuild
@@ -0,0 +1,461 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user eapi7-ver flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+#HPN_PV="${PV^^}"
+HPN_PV="7.8_P1"
+
+HPN_VER="14.16"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="12.0.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+PATCH_SET="openssh-7.9p1-patches-1.0"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch"
+		popd || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		pushd "${hpn_patchdir}"
+		eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch
+		if use X509; then
+			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
+			# X509 and AES-CTR-MT don't get along, let's just drop it
+			rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
+			eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch
+		fi
+		use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch
+		popd
+
+		eapply "${hpn_patchdir}"
+
+		if ! use X509; then
+			eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
+			eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+		fi
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX%/}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86
+	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2019-06-17 20:14 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2019-06-17 20:14 UTC (permalink / raw
  To: gentoo-commits

commit:     b2572e672b543f24f706a4604a5115e6311d3f85
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Mon Jun 17 20:12:43 2019 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Jun 17 20:12:43 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2572e67

net-misc/openssh: Version bump to 8.0_p1-r2 for 12.1 X509 patch

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.67, Repoman-2.3.14
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-8.0_p1-X509-12.1-tests.patch     |  11 +
 ...openssh-8.0_p1-X509-dont-make-piddir-12.1.patch |  16 +
 .../files/openssh-8.0_p1-X509-glue-12.1.patch      |  19 +
 net-misc/openssh/openssh-8.0_p1-r2.ebuild          | 461 +++++++++++++++++++++
 5 files changed, 508 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 8e4d889a09e..07293b9d455 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -15,6 +15,7 @@ DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0b
 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
 DIST openssh-8.0p1+x509-12.0.1.diff.gz 629849 BLAKE2B 9366244434c525ddf8f19a476b8b49d13f8c54374986bda8585db1288e7b61c60e26e2a315bec71b52f5e0f5bf4131f0f325039909b91874baab401272418fab SHA512 c6ea243f49674bba64ee372e0532eb9fe6f109d0d5e70f10995d97b5ad5e340275b1b84c3c3bfc7eda1865619dea1370e06e34bbcc3d76af6aa7a00feccaea06
 DIST openssh-8.0p1+x509-12.0.diff.gz 623765 BLAKE2B b1c0d533a58c55b0f8451ce5aa8ee9b462afdc1eee44018f30962d3427c73b12a57c2c88bc8656c09c2b39a2ac72755539eeb29e7060ced5d3e8470647f88c0a SHA512 5f678fd303e39df7a2fb23af682c5a02b33f7fdcafe6171b9db2067098a2048677c415c3bee75225eb9fbaf308cfac7f37b0865951cdb6dda0577908499a8295
+DIST openssh-8.0p1+x509-12.1.diff.gz 680389 BLAKE2B b1e353c496dd6dbd104c32bc5e9a3f055673a7876944d39c80f185cdb589d09b8d509754f04f2e051ceef2b39a3d810ba00b8894a4b67c7a6a0170a4ed0518a5 SHA512 831988d636a19e89a881616e07e38bc6ca44e90443b2bbf290fab3f120877e2eef60f21ad6e0c64098d07e09379f9f73f0ce2e5df975aa1bd43944582f8b8b3e
 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f
 DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch
new file mode 100644
index 00000000000..67a93fe2a0b
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch
@@ -0,0 +1,11 @@
+--- a/openbsd-compat/regress/Makefile.in	2019-06-17 10:59:01.210601434 -0700
++++ b/openbsd-compat/regress/Makefile.in	2019-06-17 10:59:18.753485852 -0700
+@@ -7,7 +7,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
++CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+ EXEEXT=@EXEEXT@
+ LIBCOMPAT=../libopenbsd-compat.a
+ LIBS=@LIBS@

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.1.patch
new file mode 100644
index 00000000000..9bb081a5091
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.1.patch
@@ -0,0 +1,16 @@
+--- a/openssh-8.0p1+x509-12.1.diff	2019-04-29 14:11:55.210175168 -0700
++++ b/openssh-8.0p1+x509-12.1.diff	2019-04-29 14:12:55.603761971 -0700
+@@ -34176,12 +34176,11 @@
+
+  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -334,6 +352,8 @@
++@@ -334,6 +352,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.1.patch
new file mode 100644
index 00000000000..d6b6c5ac2f7
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.1.patch
@@ -0,0 +1,19 @@
+--- a/openssh-8.0p1+x509-12.1.diff	2019-06-17 10:42:03.233392491 -0700
++++ b/openssh-8.0p1+x509-12.1.diff	2019-06-17 10:42:24.696248976 -0700
+@@ -78536,16 +78536,6 @@
+ +	return mbtowc(NULL, s, n);
+ +}
+ +#endif
+-diff -ruN openssh-8.0p1/version.h openssh-8.0p1+x509-12.1/version.h
+---- openssh-8.0p1/version.h	2019-04-18 01:52:57.000000000 +0300
+-+++ openssh-8.0p1+x509-12.1/version.h	2019-06-16 15:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.0"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.0p1/version.m4 openssh-8.0p1+x509-12.1/version.m4
+ --- openssh-8.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.0p1+x509-12.1/version.m4	2019-06-16 15:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.0_p1-r2.ebuild b/net-misc/openssh/openssh-8.0_p1-r2.ebuild
new file mode 100644
index 00000000000..ef7bd3481fd
--- /dev/null
+++ b/net-misc/openssh/openssh-8.0_p1-r2.ebuild
@@ -0,0 +1,461 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user eapi7-ver flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+#HPN_PV="${PV^^}"
+HPN_PV="7.8_P1"
+
+HPN_VER="14.16"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="12.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+PATCH_SET="openssh-7.9p1-patches-1.0"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch"
+		popd || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		pushd "${hpn_patchdir}"
+		eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch
+		if use X509; then
+			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
+			# X509 and AES-CTR-MT don't get along, let's just drop it
+			rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
+			eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch
+		fi
+		use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch
+		popd
+
+		eapply "${hpn_patchdir}"
+
+		if ! use X509; then
+			eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
+			eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+		fi
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX%/}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86 and ppc
+	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED%/}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-04-17 17:48 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-04-17 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     9dfa3ed00da28b34e98bf2d65cd25bcf55ac4d4b
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Fri Apr 17 17:47:55 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Apr 17 17:48:28 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dfa3ed0

net-misc/openssh-8.2_p1-r6: Add patch to fix build with USE=hpn and libressl

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.2_p1-hpn-14.20-libressl.patch    | 20 ++++++++++++++++++++
 net-misc/openssh/openssh-8.2_p1-r6.ebuild            |  1 +
 2 files changed, 21 insertions(+)

diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
new file mode 100644
index 00000000000..31796e754a1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
@@ -0,0 +1,20 @@
+--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff	2020-04-17 10:31:37.392120799 -0700
++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff	2020-04-17 10:32:46.143684424 -0700
+@@ -672,7 +672,7 @@
+ +const EVP_CIPHER *
+ +evp_aes_ctr_mt(void)
+ +{
+-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
+++# ifdef HAVE_OPAQUE_STRUCTS
+ +	static EVP_CIPHER *aes_ctr;
+ +	aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ +	EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
+@@ -701,7 +701,7 @@
+ +		EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ +#  endif /*SSH_OLD_EVP*/
+ +        return &aes_ctr;
+-+# endif /*OPENSSH_VERSION_NUMBER*/
+++# endif /*HAVE_OPAQUE_STRUCTS*/
+ +}
+ +
+ +#endif /* defined(WITH_OPENSSL) */

diff --git a/net-misc/openssh/openssh-8.2_p1-r6.ebuild b/net-misc/openssh/openssh-8.2_p1-r6.ebuild
index 55d2852ebb9..c0ed8f5dec4 100644
--- a/net-misc/openssh/openssh-8.2_p1-r6.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r6.ebuild
@@ -182,6 +182,7 @@ src_prepare() {
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
 		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch
 		if use X509; then
 		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
 		#	# X509 and AES-CTR-MT don't get along, let's just drop it


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-04-21 11:30 Thomas Deutschmann
  0 siblings, 0 replies; 57+ messages in thread
From: Thomas Deutschmann @ 2020-04-21 11:30 UTC (permalink / raw
  To: gentoo-commits

commit:     564f650e05897641af79a977599733c16dab7883
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 21 11:29:28 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Apr 21 11:29:49 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=564f650e

net-misc/openssh: security cleanup

Bug: https://bugs.gentoo.org/675522
Bug: https://bugs.gentoo.org/697046
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  19 -
 .../files/openssh-7.3-mips-seccomp-n32.patch       |  21 -
 .../files/openssh-7.5_p1-CVE-2017-15906.patch      |  31 --
 .../openssh/files/openssh-7.5_p1-GSSAPI-dns.patch  | 351 ----------------
 .../openssh/files/openssh-7.5_p1-cross-cache.patch |  39 --
 .../files/openssh-7.5_p1-hpn-x509-10.2-glue.patch  |  67 ---
 .../files/openssh-7.5_p1-s390-seccomp.patch        |  27 --
 .../openssh/files/openssh-7.5_p1-x32-typo.patch    |  25 --
 .../openssh/files/openssh-7.7_p1-GSSAPI-dns.patch  | 351 ----------------
 .../openssh/files/openssh-7.8_p1-GSSAPI-dns.patch  | 359 ----------------
 .../files/openssh-7.9_p1-CVE-2018-20685.patch      |  16 -
 .../files/openssh-7.9_p1-X509-11.6-tests.patch     |  12 -
 ...openssh-7.9_p1-X509-dont-make-piddir-11.6.patch |  16 -
 .../files/openssh-7.9_p1-X509-glue-11.6.patch      |  28 --
 .../files/openssh-7.9_p1-hpn-X509-glue.patch       |  79 ----
 .../openssh/files/openssh-7.9_p1-hpn-glue.patch    | 112 -----
 .../files/openssh-7.9_p1-hpn-openssl-1.1.patch     |  91 ----
 .../files/openssh-7.9_p1-hpn-sctp-glue.patch       |  17 -
 .../openssh-7.9_p1-openssl-1.0.2-compat.patch      |  13 -
 .../openssh/files/openssh-8.0_p1-GSSAPI-dns.patch  | 359 ----------------
 .../files/openssh-8.0_p1-X509-12.1-tests.patch     |  11 -
 ...integer-overflow-similar-to-the-XMSS-case.patch |  76 ----
 ...eger-overflow-in-XMSS-private-key-parsing.patch |  14 -
 .../files/openssh-8.0_p1-hpn-X509-glue.patch       | 114 -----
 .../openssh/files/openssh-8.0_p1-hpn-glue.patch    | 194 ---------
 net-misc/openssh/files/openssh-8.0_p1-tests.patch  |  43 --
 net-misc/openssh/metadata.xml                      |   2 -
 net-misc/openssh/openssh-7.5_p1-r5.ebuild          | 335 ---------------
 net-misc/openssh/openssh-7.7_p1-r10.ebuild         | 445 --------------------
 net-misc/openssh/openssh-7.9_p1-r5.ebuild          | 468 ---------------------
 net-misc/openssh/openssh-8.0_p1-r5.ebuild          | 465 --------------------
 31 files changed, 4200 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 2dca6d75493..9ab471f4d0d 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,21 +1,3 @@
-DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4
-DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a
-DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9
-DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
-DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
-DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
-DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
-DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
-DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
-DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
-DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103
-DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4044c0f364a2eea748cc4edd1501faec69a3c5b9e0b7db336968399ec684b6c8aceeac9196ba1ecf563ae3d660682cbc9a0 SHA512 d4d37a49cd43a3b9b7b173b0935267b84133b9b0954b7f71714ba781a6129c6d424f8b7a528dd7d4f287784c5517d57b1d6d7c6df8b5d738e34eb6dc7eae7191
-DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
-DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
-DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
-DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482
-DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f
-DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
 DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14
 DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192
 DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566
@@ -27,4 +9,3 @@ DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf4
 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
 DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
 DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
-DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b

diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
deleted file mode 100644
index 7eaadaf11cd..00000000000
--- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/591392
-https://bugzilla.mindrot.org/show_bug.cgi?id=2590
-
-7.3 added seccomp support to MIPS, but failed to handled the N32
-case.  This patch is temporary until upstream fixes.
-
---- openssh-7.3p1/configure.ac
-+++ openssh-7.3p1/configure.ac
-@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
- 		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
- 		;;
- 	mips64-*)
--		seccomp_audit_arch=AUDIT_ARCH_MIPS64
-+		seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
- 		;;
- 	mips64el-*)
--		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
-+		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
- 		;;
- 	esac
- 	if test "x$seccomp_audit_arch" != "x" ; then

diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
deleted file mode 100644
index b97ceb4b278..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
-From: djm <djm@openbsd.org>
-Date: Tue, 4 Apr 2017 00:24:56 +0000
-Subject: [PATCH] disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt@
-
----
- usr.bin/ssh/sftp-server.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
-index 2510d234a3a..42249ebd60d 100644
---- a/usr.bin/ssh/sftp-server.c
-+++ b/usr.bin/ssh/sftp-server.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
-+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
- /*
-  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
-  *
-@@ -683,8 +683,8 @@ process_open(u_int32_t id)
- 	logit("open \"%s\" flags %s mode 0%o",
- 	    name, string_from_portable(pflags), mode);
- 	if (readonly &&
--	    ((flags & O_ACCMODE) == O_WRONLY ||
--	    (flags & O_ACCMODE) == O_RDWR)) {
-+	    ((flags & O_ACCMODE) != O_RDONLY ||
-+	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
- 		verbose("Refusing open request in read-only mode");
- 		status = SSH2_FX_PERMISSION_DENIED;
- 	} else {

diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
deleted file mode 100644
index 6b1e6dd35a4..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "smartcarddevice", oPKCS11Provider },
-@@ -930,6 +933,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1649,6 +1656,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -668,7 +674,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server.  auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
- 
- 	return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}

diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
deleted file mode 100644
index 1c2b7b8a091..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@chromium.org>
-Date: Wed, 24 May 2017 23:18:41 -0400
-Subject: [PATCH] configure: actually set cache vars when cross-compiling
-
-The cross-compiling fallback message says it's assuming the test
-passed, but it didn't actually set the cache var which causes
-later tests to fail.
----
- configure.ac | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5cfea38c0a6c..895c5211ea93 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
- 	 select_works_with_rlimit=yes],
- 	[AC_MSG_RESULT([no])
- 	 select_works_with_rlimit=no],
--	[AC_MSG_WARN([cross compiling: assuming yes])]
-+	[AC_MSG_WARN([cross compiling: assuming yes])
-+	 select_works_with_rlimit=yes]
- )
- 
- AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
-@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
- 	 rlimit_nofile_zero_works=yes],
- 	[AC_MSG_RESULT([no])
- 	 rlimit_nofile_zero_works=no],
--	[AC_MSG_WARN([cross compiling: assuming yes])]
-+	[AC_MSG_WARN([cross compiling: assuming yes])
-+	 rlimit_nofile_zero_works=yes]
- )
- 
- AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
--- 
-2.12.0
-

diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
deleted file mode 100644
index 11a5b364be4..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch	2017-03-27 13:31:01.816551100 -0700
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch	2017-03-27 13:51:03.894805846 -0700
-@@ -40,7 +40,7 @@
- @@ -44,7 +44,7 @@ CC=@CC@
-  LD=@LD@
-  CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -1023,6 +1023,3 @@
-  	do_authenticated(authctxt);
-  
-  	/* The connection has been terminated. */
---- 
--2.12.0
--
-diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
---- a/0004-support-dynamically-sized-receive-buffers.patch	2017-03-27 13:31:01.816551100 -0700
-+++ b/0004-support-dynamically-sized-receive-buffers.patch	2017-03-27 13:49:44.513498976 -0700
-@@ -926,9 +926,9 @@
- @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
-  	/* Send our own protocol version identification. */
-  	if (compat20) {
-- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
---		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
-++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
-  	} else {
-  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -943,11 +943,11 @@
- @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-  	char remote_version[256];	/* Must be at least as big as buf. */
-  
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
---	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-+	xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
-+-	    major, minor, SSH_VERSION, pkix_comment,
-++	    major, minor, SSH_RELEASE, pkix_comment,
-  	    *options.version_addendum == '\0' ? "" : " ",
-- 	    options.version_addendum);
-+ 	    options.version_addendum, newline);
-  
- @@ -1020,6 +1020,8 @@ server_listen(void)
-  	int ret, listen_sock, on = 1;
-@@ -1006,12 +1008,9 @@
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,5 @@
-+@@ -3,4 +3,6 @@
-  #define SSH_VERSION	"OpenSSH_7.5"
-  
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+-#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
-++#define SSH_X509	", PKIX-SSH " PACKAGE_VERSION
- +#define SSH_HPN		"-hpn14v12"
- +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
---- 
--2.12.0
--

diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
deleted file mode 100644
index d7932003f8f..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 22 Mar 2017 12:43:02 +1100
-Subject: [PATCH] Missing header on Linux/s390
-
-Patch from Jakub Jelen
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index a8d472a63ccb..2831e9d1083c 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -50,6 +50,9 @@
- #include <elf.h>
- 
- #include <asm/unistd.h>
-+#ifdef __s390__
-+#include <asm/zcrypt.h>
-+#endif
- 
- #include <errno.h>
- #include <signal.h>
--- 
-2.15.1
-

diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
deleted file mode 100644
index 5dca1b0e4e1..00000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 20 Mar 2017 14:57:40 -0400
-Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
-
----
- sandbox-seccomp-filter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3a1aedce72c2..a8d472a63ccb 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
- 	 * x86-64 syscall under some circumstances, e.g.
- 	 * https://bugs.debian.org/849923
- 	 */
--	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
-+	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
- #endif
- 
- 	/* Default deny */
--- 
-2.12.0
-

diff --git a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index 2840652a9b4..00000000000
--- a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-https://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/auth.c
-+++ b/auth.c
-@@ -728,120 +728,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
--
- /*
-  * Runs command in a subprocess wuth a minimal environment.
-  * Returns pid on success, 0 on failure.
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
---- a/readconf.c
-+++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -200,9 +201,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "smartcarddevice", oPKCS11Provider },
-@@ -954,6 +957,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -43,6 +43,7 @@ typedef struct {
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -731,6 +731,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
--- 

diff --git a/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch
deleted file mode 100644
index 989dc6cee68..00000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 9a3bc96f..fc2c3620 100644
---- a/auth.c
-+++ b/auth.c
-@@ -733,120 +733,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
--
- /*
-  * Runs command in a subprocess with a minimal environment.
-  * Returns pid on success, 0 on failure.
-diff --git a/canohost.c b/canohost.c
-index f71a0856..3e162d8c 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index db5f2d54..67feffa5 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -202,9 +203,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "smartcarddevice", oPKCS11Provider },
-@@ -977,6 +980,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1818,6 +1825,7 @@ initialize_options(Options * options)
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1964,6 +1972,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index c5688781..af809cc8 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -41,6 +41,7 @@ typedef struct {
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index f499396a..be758544 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -722,6 +722,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 10e4f0a0..4f7d49e3 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt)
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int r, ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt)
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt,
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;

diff --git a/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch b/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch
deleted file mode 100644
index 3fa3e318af5..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-CVE-2018-20685
-
-https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
-
---- a/scp.c
-+++ b/scp.c
-@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
- 			SCREWUP("size out of range");
- 		size = (off_t)ull;
- 
--		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-+		if (*cp == '\0' || strchr(cp, '/') != NULL ||
-+		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
- 			run_err("error: unexpected filename: %s", cp);
- 			exit(1);
- 		}

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch
deleted file mode 100644
index 9766b1594ea..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in
---- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in	2018-10-16 17:01:20.000000000 -0700
-+++ openssh-7.9p1/openbsd-compat/regress/Makefile.in	2018-12-19 11:03:14.421028691 -0800
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch
deleted file mode 100644
index 487b239639a..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:03.211328918 -0800
-+++ b/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:13.399262277 -0800
-@@ -40681,12 +40681,11 @@
-
-  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -333,6 +351,8 @@
-+@@ -333,6 +351,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch
deleted file mode 100644
index b807ac45f79..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:42:01.241775036 -0800
-+++ b/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:43:33.383140818 -0800
-@@ -45862,7 +45862,7 @@
-  	ENGINE_register_all_complete();
- +#endif
-  
---#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- +	/* OPENSSL_config will load buildin engines and engines
- +	 * specified in configuration file, i.e. method call
- +	 * ENGINE_load_builtin_engines. Latter is only for
-@@ -81123,16 +81123,6 @@
-  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
-  			return;
-  		setlocale(LC_CTYPE, "C");
--diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h
----- openssh-7.9p1/version.h	2018-10-17 03:01:20.000000000 +0300
--+++ openssh-7.9p1+x509-11.6/version.h	2018-12-18 20:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_7.9"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4
- --- openssh-7.9p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-7.9p1+x509-11.6/version.m4	2018-12-18 20:07:00.000000000 +0200

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch
deleted file mode 100644
index c76d454c92f..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch
+++ /dev/null
@@ -1,79 +0,0 @@
---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig	2018-09-12 15:58:57.377986085 -0700
-+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2018-09-12 16:07:15.376711327 -0700
-@@ -4,8 +4,8 @@
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-  LD=@LD@
-- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -788,8 +788,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-
-  	if (none == NULL) {
-@@ -933,9 +933,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -626,6 +630,7 @@ static struct {
-  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 16:38:16.947447218 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 16:32:35.479700864 -0700
-@@ -382,7 +382,7 @@
- @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -1125,15 +1125,6 @@
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
- +++ b/sshd.c
--@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-- 	char remote_version[256];	/* Must be at least as big as buf. */
-- 
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
---	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-- 	    *options.version_addendum == '\0' ? "" : " ",
-- 	    options.version_addendum);
-- 
- @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
-  	int ret, listen_sock;
-  	struct addrinfo *ai;
-@@ -1213,14 +1204,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch
deleted file mode 100644
index 0561e381406..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch
+++ /dev/null
@@ -1,112 +0,0 @@
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-11 17:19:19.968420409 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-11 17:39:19.977535398 -0700
-@@ -409,18 +409,10 @@
- index dcf35e6..da4ced0 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 170203c..f4d9df2 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
-  /* Format of the configuration file:
-  
- @@ -166,6 +167,8 @@ typedef enum {
-- 	oHashKnownHosts,
-  	oTunnel, oTunnelDevice,
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ 	oDisableMTAES,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneSwitch,
-  	oVisualHostKey,
-@@ -615,9 +593,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -111,7 +115,10 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none to be used */
-  	int	rekey_interval;
-@@ -673,9 +651,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->hpn_disabled == -1)
-@@ -1092,7 +1070,7 @@
-  	xxx_host = host;
-  	xxx_hostaddr = hostaddr;
-  
--@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-  
-  	if (!authctxt.success)
-  		fatal("Authentication failed.");
-@@ -1117,10 +1095,9 @@
- +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- +		}
- +	}
--+
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
-@@ -1217,11 +1194,10 @@
- index f1bbf00..21a70c2 100644
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,6 @@
-+@@ -3,4 +3,5 @@
-  #define SSH_VERSION	"OpenSSH_7.8"
-  
-  #define SSH_PORTABLE	"p1"
- -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn14v16"
- +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
- + 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch
deleted file mode 100644
index 78b75453274..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch
+++ /dev/null
@@ -1,91 +0,0 @@
---- openssh-7.9p1.orig/cipher-ctr-mt.c	2018-10-24 20:48:00.909255466 -0000
-+++ openssh-7.9p1/cipher-ctr-mt.c	2018-10-24 20:48:17.378155144 -0000
-@@ -46,7 +46,7 @@
-
- /*-------------------- TUNABLES --------------------*/
- /* maximum number of threads and queues */
--#define MAX_THREADS      32
-+#define MAX_THREADS      32
- #define MAX_NUMKQ        (MAX_THREADS * 2)
-
- /* Number of pregen threads to use */
-@@ -435,7 +435,7 @@
- 		destp.u += AES_BLOCK_SIZE;
- 		srcp.u += AES_BLOCK_SIZE;
- 		len -= AES_BLOCK_SIZE;
--		ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-+		ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
-
- 		/* Increment read index, switch queues on rollover */
- 		if ((ridx = (ridx + 1) % KQLEN) == 0) {
-@@ -481,8 +481,6 @@
- 	/* get the number of cores in the system */
- 	/* if it's not linux it currently defaults to 2 */
- 	/* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */
--	/* NB: assigning a float to an int discards the remainder which is */
--	/* acceptable (and wanted) in this case */
- #ifdef __linux__
- 	cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2;
- #endif /*__linux__*/
-@@ -551,16 +550,16 @@
- 	}
-
- 	if (iv != NULL) {
--		memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-+		memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
- 		c->state |= HAVE_IV;
- 	}
-
- 	if (c->state == (HAVE_KEY | HAVE_IV)) {
- 		/* Clear queues */
--		memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
-+		memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE);
- 		c->q[0].qstate = KQINIT;
- 		for (i = 1; i < numkq; i++) {
--			memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
-+			memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE);
- 			ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
- 			c->q[i].qstate = KQEMPTY;
- 		}
-@@ -644,8 +643,22 @@
- const EVP_CIPHER *
- evp_aes_ctr_mt(void)
- {
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL && !defined(LIBRESSL_VERSION_NUMBER)
-+	static EVP_CIPHER *aes_ctr;
-+	aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
-+	EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
-+	EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init);
-+	EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup);
-+	EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr);
-+#  ifndef SSH_OLD_EVP
-+	EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE
-+				      | EVP_CIPH_VARIABLE_LENGTH
-+				      | EVP_CIPH_ALWAYS_CALL_INIT
-+				      | EVP_CIPH_CUSTOM_IV);
-+#  endif /*SSH_OLD_EVP*/
-+	return (aes_ctr);
-+# else /*earlier version of openssl*/
- 	static EVP_CIPHER aes_ctr;
--
- 	memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
- 	aes_ctr.nid = NID_undef;
- 	aes_ctr.block_size = AES_BLOCK_SIZE;
-@@ -654,11 +667,12 @@
- 	aes_ctr.init = ssh_aes_ctr_init;
- 	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
- 	aes_ctr.do_cipher = ssh_aes_ctr;
--#ifndef SSH_OLD_EVP
--	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
--	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
--#endif
--	return &aes_ctr;
-+#  ifndef SSH_OLD_EVP
-+        aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-+		EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+#  endif /*SSH_OLD_EVP*/
-+        return &aes_ctr;
-+# endif /*OPENSSH_VERSION_NUMBER*/
- }
-
- #endif /* defined(WITH_OPENSSL) */

diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch
deleted file mode 100644
index a7d51ad9483..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 18:18:51.851536374 -0700
-+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 18:19:01.116475099 -0700
-@@ -1190,14 +1190,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

diff --git a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
deleted file mode 100644
index c1c310e8f14..00000000000
--- a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 8b4a3627..590b66d1 100644
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
- 	ENGINE_load_builtin_engines();
- 	ENGINE_register_all_complete();
-
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	OPENSSL_config(NULL);
- #else
- 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

diff --git a/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch
deleted file mode 100644
index 04d622191fa..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 8696f258..f4cd70a3 100644
---- a/auth.c
-+++ b/auth.c
-@@ -723,120 +723,6 @@ fakepw(void)
- 	return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
--
- /*
-  * Runs command in a subprocess with a minimal environment.
-  * Returns pid on success, 0 on failure.
-diff --git a/canohost.c b/canohost.c
-index f71a0856..3e162d8c 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index 71a5c795..2a8c6990 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -163,6 +163,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -204,9 +205,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "pkcs11provider", oPKCS11Provider },
-@@ -993,6 +996,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
-
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1875,6 +1882,7 @@ initialize_options(Options * options)
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -2023,6 +2031,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index 69c24700..2758b633 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -45,6 +45,7 @@ typedef struct {
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index b7566782..64897e4e 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -758,6 +758,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90b..a25a32b9 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -698,6 +698,13 @@ userauth_gssapi(struct ssh *ssh)
- 	OM_uint32 min;
- 	int r, ok = 0;
- 	gss_OID mech = NULL;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(ssh, 1);
-+	} else
-+		gss_host = authctxt->host;
-
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -712,7 +719,7 @@ userauth_gssapi(struct ssh *ssh)
- 		    elements[authctxt->mech_tried];
- 		/* My DER encoding requires length<128 */
- 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
--		    mech, authctxt->host)) {
-+		    mech, gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			authctxt->mech_tried++;

diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch
deleted file mode 100644
index 67a93fe2a0b..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/openbsd-compat/regress/Makefile.in	2019-06-17 10:59:01.210601434 -0700
-+++ b/openbsd-compat/regress/Makefile.in	2019-06-17 10:59:18.753485852 -0700
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@

diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
deleted file mode 100644
index bffc591ef66..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81
-
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
- 		if ((r = sshkey_froms(buf, &k)) != 0 ||
- 		    (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
- 			goto out;
-+		if (k->type != type) {
-+			r = SSH_ERR_INVALID_FORMAT;
-+			goto out;
-+		}
- 		if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
- 			r = SSH_ERR_LIBCRYPTO_ERROR;
- 			goto out;
-@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
- 		if ((r = sshkey_froms(buf, &k)) != 0 ||
- 		    (r = sshbuf_get_bignum2(buf, &exponent)) != 0)
- 			goto out;
-+		if (k->type != type ||
-+		    k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
-+			r = SSH_ERR_INVALID_FORMAT;
-+			goto out;
-+		}
- 		if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
- 			r = SSH_ERR_LIBCRYPTO_ERROR;
- 			goto out;
-@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
- 		    (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
- 		    (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
- 			goto out;
-+		if (k->type != type) {
-+			r = SSH_ERR_INVALID_FORMAT;
-+			goto out;
-+		}
- 		if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
- 			r = SSH_ERR_LIBCRYPTO_ERROR;
- 			goto out;
-@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
- 		    (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
- 		    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
- 			goto out;
-+		if (k->type != type) {
-+			r = SSH_ERR_INVALID_FORMAT;
-+			goto out;
-+		}
- 		if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
- 			r = SSH_ERR_INVALID_FORMAT;
- 			goto out;
- 		}
- 		k->ed25519_pk = ed25519_pk;
- 		k->ed25519_sk = ed25519_sk;
--		ed25519_pk = ed25519_sk = NULL;
-+		ed25519_pk = ed25519_sk = NULL; /* transferred */
- 		break;
- #ifdef WITH_XMSS
- 	case KEY_XMSS:
-@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
- 		    (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
- 		    (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
- 			goto out;
--		if (strcmp(xmss_name, k->xmss_name)) {
-+		if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
- 			r = SSH_ERR_INVALID_FORMAT;
- 			goto out;
- 		}
-@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
- 	}
- 
- 	/* check that an appropriate amount of auth data is present */
--	if (sshbuf_len(decoded) < encrypted_len + authlen) {
-+	if (sshbuf_len(decoded) < authlen ||
-+	    sshbuf_len(decoded) - authlen < encrypted_len) {
- 		r = SSH_ERR_INVALID_FORMAT;
- 		goto out;
- 	}

diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
deleted file mode 100644
index ba0bd02371d..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
-
---- a/sshkey-xmss.c
-+++ b/sshkey-xmss.c
-@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
- 		goto out;
- 	}
- 	/* check that an appropriate amount of auth data is present */
--	if (sshbuf_len(encoded) < encrypted_len + authlen) {
-+	if (sshbuf_len(encoded) < authlen ||
-+	    sshbuf_len(encoded) - authlen < encrypted_len) {
- 		r = SSH_ERR_INVALID_FORMAT;
- 		goto out;
- 	}

diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch
deleted file mode 100644
index 2a9d3bd2f33..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch
+++ /dev/null
@@ -1,114 +0,0 @@
---- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 17:07:59.413376785 -0700
-+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 20:05:12.622588051 -0700
-@@ -382,7 +382,7 @@
- @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -441,6 +441,39 @@
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-  int	 ssh_packet_set_state(struct ssh *, struct sshbuf *);
-  
-+diff --git a/packet.c b/packet.c
-+index dcf35e6..9433f08 100644
-+--- a/packet.c
-++++ b/packet.c
-+@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+ 	return 0;
-+ }
-+ 
-++/* this supports the forced rekeying required for the NONE cipher */
-++int rekey_requested = 0;
-++void
-++packet_request_rekeying(void)
-++{
-++        rekey_requested = 1;
-++}
-++
-+ #define MAX_PACKETS	(1U<<31)
-+ static int
-+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-+@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-+ 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-+ 		return 0;
-+ 
-++        /* used to force rekeying when called for by the none
-++         * cipher switch and aes-mt-ctr methods -cjr */
-++        if (rekey_requested == 1) {
-++                rekey_requested = 0;
-++                return 1;
-++        }
-++	
-+ 	/* Time-based rekeying */
-+ 	if (state->rekey_interval != 0 &&
-+ 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/readconf.c b/readconf.c
- index db5f2d5..33f18c9 100644
- --- a/readconf.c
-@@ -453,10 +486,9 @@
-  
-  /* Format of the configuration file:
-  
--@@ -166,6 +167,8 @@ typedef enum {
-+@@ -166,5 +167,7 @@ typedef enum {
-  	oTunnel, oTunnelDevice,
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-- 	oDisableMTAES,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneSwitch,
-  	oVisualHostKey,
-@@ -592,10 +624,9 @@
-  	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
--@@ -111,7 +115,10 @@ typedef struct {
-+@@ -111,6 +115,9 @@ typedef struct {
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-- 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none to be used */
-  	int	rekey_interval;
-@@ -650,10 +681,8 @@
-  
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
--@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
-+@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options)
-  		options->permit_tun = SSH_TUNMODE_NO;
-- 	if (options->disable_multithreaded == -1)
-- 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->hpn_disabled == -1)
-@@ -1095,9 +1124,9 @@
- +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- +		}
- +	}
-+ 	debug("Authentication succeeded (%s).", authctxt.method->name);
-+ }
-  
-- #ifdef WITH_OPENSSL
-- 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
-@@ -1181,14 +1210,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch
deleted file mode 100644
index adbfa87af68..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff
---- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2019-04-18 15:07:06.748067368 -0700
-+++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2019-04-18 19:42:26.689298696 -0700
-@@ -998,7 +998,7 @@
- +		 * so we repoint the define to the multithreaded evp. To start the threads we
- +		 * then force a rekey
- +		 */
--+		const void *cc = ssh_packet_get_send_context(active_state);
-++		const void *cc = ssh_packet_get_send_context(ssh);
- +		
- +		/* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
- +		if (strstr(cipher_ctx_name(cc), "ctr")) {
-@@ -1028,7 +1028,7 @@
- +		 * so we repoint the define to the multithreaded evp. To start the threads we
- +		 * then force a rekey
- +		 */
--+		const void *cc = ssh_packet_get_send_context(active_state);
-++		const void *cc = ssh_packet_get_send_context(ssh);
- +		
- +		/* only rekey if necessary. If we don't do this gcm mode cipher breaks */
- +		if (strstr(cipher_ctx_name(cc), "ctr")) {
-diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff
---- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 15:07:11.289035776 -0700
-+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 17:07:59.413376785 -0700
-@@ -162,24 +162,24 @@
-  }
-  
- +static int
--+channel_tcpwinsz(void)
-++channel_tcpwinsz(struct ssh *ssh)
- +{
- +	u_int32_t tcpwinsz = 0;
- +	socklen_t optsz = sizeof(tcpwinsz);
- +	int ret = -1;
- +
- +	/* if we aren't on a socket return 128KB */
--+	if (!packet_connection_is_on_socket())
-++	if (!ssh_packet_connection_is_on_socket(ssh))
- +		return 128 * 1024;
- +
--+	ret = getsockopt(packet_get_connection_in(),
-++	ret = getsockopt(ssh_packet_get_connection_in(ssh),
- +			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
- +	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
- +	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
- +		tcpwinsz = SSHBUF_SIZE_MAX;
- +
- +	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
--+	       packet_get_connection_in(), tcpwinsz);
-++	       ssh_packet_get_connection_in(ssh), tcpwinsz);
- +	return tcpwinsz;
- +}
- +
-@@ -191,7 +191,7 @@
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
--+		u_int32_t tcpwinsz = channel_tcpwinsz();
-++		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
- +		/* adjust max window size if we are in a dynamic environment */
- +		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
- +			/* grow the window somewhat aggressively to maintain pressure */
-@@ -409,18 +409,10 @@
- index dcf35e6..da4ced0 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 170203c..f4d9df2 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
-  /* Format of the configuration file:
-  
- @@ -166,6 +167,8 @@ typedef enum {
-- 	oHashKnownHosts,
-  	oTunnel, oTunnelDevice,
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ 	oDisableMTAES,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneSwitch,
-  	oVisualHostKey,
-@@ -615,9 +593,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -111,7 +115,10 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none to be used */
-  	int	rekey_interval;
-@@ -673,9 +651,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->hpn_disabled == -1)
-@@ -1092,7 +1070,7 @@
-  	xxx_host = host;
-  	xxx_hostaddr = hostaddr;
-  
--@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-  
-  	if (!authctxt.success)
-  		fatal("Authentication failed.");
-@@ -1108,7 +1086,7 @@
- +			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
- +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
- +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
--+			kex_prop2buf(active_state->kex->my, myproposal);
-++			kex_prop2buf(ssh->kex->my, myproposal);
- +			packet_request_rekeying();
- +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
- +		} else {
-@@ -1117,23 +1095,13 @@
- +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- +		}
- +	}
--+
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
- +++ b/sshd.c
--@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-- 	char remote_version[256];	/* Must be at least as big as buf. */
-- 
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
---	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-- 	    *options.version_addendum == '\0' ? "" : " ",
-- 	    options.version_addendum);
-- 
- @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
-  	int ret, listen_sock;
-  	struct addrinfo *ai;
-@@ -1217,11 +1185,10 @@
- index f1bbf00..21a70c2 100644
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,6 @@
-+@@ -3,4 +3,5 @@
-  #define SSH_VERSION	"OpenSSH_7.8"
-  
-  #define SSH_PORTABLE	"p1"
- -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn14v16"
- +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
- + 

diff --git a/net-misc/openssh/files/openssh-8.0_p1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-tests.patch
deleted file mode 100644
index 6b2ae489d0e..00000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-tests.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
-index a7bc7634..46f79db2 100644
---- a/openbsd-compat/regress/utimensattest.c
-+++ b/openbsd-compat/regress/utimensattest.c
-@@ -23,6 +23,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#include <time.h>
- 
- #define TMPFILE "utimensat.tmp"
- #define TMPFILE2 "utimensat.tmp2"
-@@ -88,8 +89,30 @@ main(void)
- 	if (symlink(TMPFILE2, TMPFILE) == -1)
- 		fail("symlink", 0, 0);
- 
-+#ifdef __linux__
-+	/*
-+	 * The semantics of the original test are wrong on Linux
-+	 * From the man page for utimensat():
-+	 *   AT_SYMLINK_NOFOLLOW
-+	 *        If pathname specifies a symbolic link, then update the
-+	 *        timestamps of the link, rather than the file to which it refers.
-+	 *
-+	 *  So the call will succeed, and update the times on the symlink.
-+	 */
-+	if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1) {
-+		if (fstatat(AT_FDCWD, TMPFILE, &sb, 0) == -1)
-+			fail("could not follow and stat symlink", 0, 0);
-+
-+		if (sb.st_atim.tv_sec == ts[0].tv_sec
-+				&& sb.st_atim.tv_nsec == ts[0].tv_nsec
-+				&& sb.st_mtim.tv_nsec == ts[1].tv_sec
-+				&& sb.st_mtim.tv_nsec == ts[1].tv_nsec)
-+		fail("utimensat followed symlink", 0, 0);
-+	}
-+#else /* __linux__ */
- 	if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
- 		fail("utimensat followed symlink", 0, 0);
-+#endif /* __linux__ */
- 
- 	if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
- 		fail("unlink", 0, 0);

diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 22ea5e88361..bc9c3e6e16d 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -26,11 +26,9 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
   <use>
     <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
     <flag name="hpn">Enable high performance ssh</flag>
-    <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
     <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
     <flag name="livecd">Enable root password logins for live-cd environment.</flag>
     <flag name="security-key">Include builtin U2F/FIDO support</flag>
-    <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
     <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
     <flag name="X509">Adds support for X.509 certificate authentication</flag>
     <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>

diff --git a/net-misc/openssh/openssh-7.5_p1-r5.ebuild b/net-misc/openssh/openssh-7.5_p1-r5.ebuild
deleted file mode 100644
index aaa412fbd59..00000000000
--- a/net-misc/openssh/openssh-7.5_p1-r5.ebuild
+++ /dev/null
@@ -1,335 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
-X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
-	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
-	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	ssh1? ( ssl )
-	static? ( !kerberos !pam )
-	X509? ( !ldap !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-1.0.1:0=[bindist=]
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use X509 && maybe_fail X509 X509_PATCH)
-		$(use ldap && maybe_fail ldap LDAP_PATCH)
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-save_version() {
-	# version.h patch conflict avoidence
-	mv version.h version.h.$1
-	cp -f version.h.pristine version.h
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-	# keep this as we need it to avoid the conflict between LPK and HPN changing
-	# this file.
-	cp version.h version.h.pristine
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	if use X509 ; then
-		if use hpn ; then
-			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
-			popd >/dev/null
-		fi
-		save_version X509
-		epatch "${WORKDIR}"/${X509_PATCH%.*}
-	fi
-
-	if use ldap ; then
-		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
-		save_version LPK
-	fi
-
-	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
-	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
-	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
-	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
-	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
-	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	if use hpn ; then
-		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		save_version HPN
-	fi
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	epatch_user #473004
-
-	# Now we can build a sane merged version.h
-	(
-		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
-		macros=()
-		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
-		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
-	) > version.h
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the ldap patch conditionally, so can't pass --without-ldap
-		# unconditionally else we get unknown flag warnings.
-		$(use ldap && use_with ldap)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use X509 || use_with sctp)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssh1)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-	)
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
-	newconfd "${FILESDIR}"/sshd.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	# Gentoo tweaks to default config files
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables #367017
-	AcceptEnv LANG LC_*
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables #367017
-	SendEnv LANG LC_*
-	EOF
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
-		insinto /etc/openldap/schema/
-		newins openssh-lpk_openldap.schema openssh-lpk.schema
-	fi
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
-		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.7_p1-r10.ebuild b/net-misc/openssh/openssh-7.7_p1-r10.ebuild
deleted file mode 100644
index b3e1efb3ae4..00000000000
--- a/net-misc/openssh/openssh-7.7_p1-r10.ebuild
+++ /dev/null
@@ -1,445 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
-
-PATCH_SET="openssh-7.7p1-patches-1.2"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
-	${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
-	${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			>=dev-libs/openssl-1.0.1:0=[bindist=]
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_PATCH)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-
-		einfo "Disabling broken X.509 agent test ..."
-		sed -i \
-			-e "/^ agent$/d" \
-			"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
-
-		# The following patches don't apply on top of X509 patch
-		rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
-		rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
-		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
-		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
-	else
-		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
-		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		eapply "${WORKDIR}"/${HPN_PATCH%.*}
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use hpn ; then
-		einfo "Patching packet.c for X509 and/or HPN patch set ..."
-		sed -i \
-			-e "s/const struct sshcipher/struct sshcipher/" \
-			"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply "${WORKDIR}"/patch/*.patch
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with skey)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86
-	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-7.9_p1-r5.ebuild b/net-misc/openssh/openssh-7.9_p1-r5.ebuild
deleted file mode 100644
index 5f510d127de..00000000000
--- a/net-misc/openssh/openssh-7.9_p1-r5.ebuild
+++ /dev/null
@@ -1,468 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-#HPN_PV="${PV^^}"
-HPN_PV="7.8_P1"
-
-HPN_VER="14.16"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-PATCH_SET="openssh-7.9p1-patches-1.0"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist=]
-					<dev-libs/openssl-1.1.0:0[bindist=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
-	if use X509 ; then
-		# patch doesn't apply due to X509 modifications
-		rm \
-			"${WORKDIR}"/patches/0001-fix-key-type-check.patch \
-			"${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \
-			|| die
-	else
-		eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch
-	fi
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" || die
-		eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
-		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
-		popd || die
-
-		if use hpn ; then
-			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
-			HPN_DISABLE_MTAES=1
-		fi
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
-		pushd "${hpn_patchdir}"
-		eapply "${FILESDIR}"/${P}-hpn-glue.patch
-		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
-		popd
-
-		eapply "${hpn_patchdir}"
-		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86 and ppc
-	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-8.0_p1-r5.ebuild b/net-misc/openssh/openssh-8.0_p1-r5.ebuild
deleted file mode 100644
index 613742ec49a..00000000000
--- a/net-misc/openssh/openssh-8.0_p1-r5.ebuild
+++ /dev/null
@@ -1,465 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user-info eapi7-ver flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-#HPN_PV="${PV^^}"
-HPN_PV="7.8_P1"
-
-HPN_VER="14.16"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="12.1-gentoo" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-PATCH_SET="openssh-7.9p1-patches-1.0"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
-	"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl )
-	test? ( ssl )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist=]
-					<dev-libs/openssl-1.1.0:0[bindist=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
-	virtual/os-headers
-	sys-devel/autoconf"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
-	eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch
-	use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		# X509 12.1-gentoo patch contains the changes from below
-		#pushd "${WORKDIR}" &>/dev/null || die
-		#eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		#eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch"
-		#popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch
-		if use X509; then
-			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
-			# X509 and AES-CTR-MT don't get along, let's just drop it
-			rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
-			eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch
-		fi
-		use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		if ! use X509; then
-			eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
-			eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
-		fi
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86 and ppc
-	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
-		emake -k -j1 ${t} </dev/null \
-			&& passed+=( "${t}" ) \
-			|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_postinst() {
-	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
-		elog "Starting with openssh-5.8p1, the server will default to a newer key"
-		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
-		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-		elog "Make sure to update any configs that you might have.  Note that xinetd might"
-		elog "be an alternative for you as it supports USE=tcpd."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
-		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-		elog "adding to your sshd_config or ~/.ssh/config files:"
-		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-		elog "You should however generate new keys using rsa or ed25519."
-
-		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-		elog "out of the box.  If you need this, please update your sshd_config explicitly."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
-		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-	fi
-	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
-		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-		elog "if you need to authenticate against LDAP."
-		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-	fi
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-05-31 21:14 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-05-31 21:14 UTC (permalink / raw
  To: gentoo-commits

commit:     16a0beb18b671c74fca99dfb678c21d15adcb34b
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Sun May 31 21:14:20 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sun May 31 21:14:44 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16a0beb1

net-misc/openssh-8.3_p1-r1: Revbump, reenable X509 USE flag

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  1 +
 .../files/openssh-8.3_p1-X509-glue-12.5.patch      | 33 ++++++++++++++++++++++
 ...nssh-8.3_p1.ebuild => openssh-8.3_p1-r1.ebuild} |  8 +++---
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index cdd391e5ba2..a30874e42c1 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,6 +6,7 @@ DIST openssh-8.2p1+x509-12.4.2.diff.gz 805574 BLAKE2B 4df31b634308ce074d820df249
 DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
 DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
 DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
+DIST openssh-8.3p1+x509-12.5.diff.gz 798126 BLAKE2B 4258a7590d0ee185c46e449b20c2a9cc5cfc86bf53e1debd85649ecfad8da41801d74001a234412facb17b2fd3c0efeebdac243ba4ba3ed93c4e0e3174f33cd9 SHA512 741dd7a31c38b1d5c7e3897cff75f47be9fc08f84fce26bb0e62df26a06b5e552af76b00e54db98295d10877344f0541acafc66f24be559de8d503eff7dfa822
 DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
 DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221

diff --git a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch
new file mode 100644
index 00000000000..d0de761fb80
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch
@@ -0,0 +1,33 @@
+--- a/openssh-8.3p1+x509-12.5.diff	2020-05-31 11:50:58.817094112 -0700
++++ b/openssh-8.3p1+x509-12.5.diff	2020-05-31 12:29:49.165030176 -0700
+@@ -35457,12 +35457,11 @@
+  
+  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -382,6 +361,8 @@
++@@ -382,6 +361,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -96530,16 +96529,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	     __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5/version.h
+---- openssh-8.3p1/version.h	2020-05-27 03:38:00.000000000 +0300
+-+++ openssh-8.3p1+x509-12.5/version.h	2020-05-31 18:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.3"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5/version.m4
+ --- openssh-8.3p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.3p1+x509-12.5/version.m4	2020-05-31 18:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.3_p1.ebuild b/net-misc/openssh/openssh-8.3_p1-r1.ebuild
similarity index 98%
rename from net-misc/openssh/openssh-8.3_p1.ebuild
rename to net-misc/openssh/openssh-8.3_p1-r1.ebuild
index 8238b501a1a..b164a15e79d 100644
--- a/net-misc/openssh/openssh-8.3_p1.ebuild
+++ b/net-misc/openssh/openssh-8.3_p1-r1.ebuild
@@ -21,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-#X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="12.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
@@ -147,7 +147,6 @@ src_prepare() {
 		popd &>/dev/null || die
 
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
 
 		# We need to patch package version or any X.509 sshd will reject our ssh client
 		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@@ -190,7 +189,8 @@ src_prepare() {
 		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
 		#	# X509 and AES-CTR-MT don't get along, let's just drop it
 		#	rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
-			eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
+
+			eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
 		fi
 		use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch
 		popd &>/dev/null || die
@@ -305,7 +305,7 @@ src_configure() {
 		$(use_with pam)
 		$(use_with pie)
 		$(use_with selinux)
-		$(use_with security-key security-key-builtin)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
 		$(use_with ssl openssl)
 		$(use_with ssl md5-passwords)
 		$(use_with ssl ssl-engine)


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-06-08 17:49 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-06-08 17:49 UTC (permalink / raw
  To: gentoo-commits

commit:     66c2c7c046adce70edfde5dc7c9d8256b4dd8ccb
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Mon Jun  8 17:48:47 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Jun  8 17:49:12 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66c2c7c0

net-misc/openssh-8.3_p1-r2: revbump, bump X509 patch to 12.5.1

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  2 +-
 ...patch => openssh-8.3_p1-X509-glue-12.5.1.patch} | 22 ++++++++++++----------
 ...h-8.3_p1-r1.ebuild => openssh-8.3_p1-r2.ebuild} |  2 +-
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index a30874e42c1..c423297d475 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,7 +6,7 @@ DIST openssh-8.2p1+x509-12.4.2.diff.gz 805574 BLAKE2B 4df31b634308ce074d820df249
 DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
 DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
 DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
-DIST openssh-8.3p1+x509-12.5.diff.gz 798126 BLAKE2B 4258a7590d0ee185c46e449b20c2a9cc5cfc86bf53e1debd85649ecfad8da41801d74001a234412facb17b2fd3c0efeebdac243ba4ba3ed93c4e0e3174f33cd9 SHA512 741dd7a31c38b1d5c7e3897cff75f47be9fc08f84fce26bb0e62df26a06b5e552af76b00e54db98295d10877344f0541acafc66f24be559de8d503eff7dfa822
+DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
 DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
 DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221

diff --git a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
similarity index 61%
rename from net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch
rename to net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
index d0de761fb80..d1651bc187f 100644
--- a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.patch
+++ b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
@@ -1,11 +1,13 @@
---- a/openssh-8.3p1+x509-12.5.diff	2020-05-31 11:50:58.817094112 -0700
-+++ b/openssh-8.3p1+x509-12.5.diff	2020-05-31 12:29:49.165030176 -0700
-@@ -35457,12 +35457,11 @@
+Only in b: .openssh-8.3p1+x509-12.5.1.diff.un~
+diff -u a/openssh-8.3p1+x509-12.5.1.diff b/openssh-8.3p1+x509-12.5.1.diff
+--- a/openssh-8.3p1+x509-12.5.1.diff	2020-06-08 10:13:08.937543708 -0700
++++ b/openssh-8.3p1+x509-12.5.1.diff	2020-06-08 10:16:33.417271984 -0700
+@@ -35541,12 +35541,11 @@
   
   install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
   install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -382,6 +361,8 @@
-+@@ -382,6 +361,7 @@
+-@@ -382,6 +363,8 @@
++@@ -382,6 +363,7 @@
   	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
   	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
   	$(MKDIR_P) $(DESTDIR)$(libexecdir)
@@ -14,13 +16,13 @@
   	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
   	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
   	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -96530,16 +96529,6 @@
+@@ -97028,16 +97027,6 @@
  +int	 asnmprintf(char **, size_t, int *, const char *, ...)
   	     __attribute__((format(printf, 4, 5)));
   void	 msetlocale(void);
--diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5/version.h
+-diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5.1/version.h
 ---- openssh-8.3p1/version.h	2020-05-27 03:38:00.000000000 +0300
--+++ openssh-8.3p1+x509-12.5/version.h	2020-05-31 18:07:00.000000000 +0300
+-+++ openssh-8.3p1+x509-12.5.1/version.h	2020-06-07 11:07:00.000000000 +0300
 -@@ -2,5 +2,4 @@
 - 
 - #define SSH_VERSION	"OpenSSH_8.3"
@@ -28,6 +30,6 @@
 --#define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5/version.m4
+ diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5.1/version.m4
  --- openssh-8.3p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.3p1+x509-12.5/version.m4	2020-05-31 18:07:00.000000000 +0300
+ +++ openssh-8.3p1+x509-12.5.1/version.m4	2020-06-07 11:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.3_p1-r1.ebuild b/net-misc/openssh/openssh-8.3_p1-r2.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-8.3_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.3_p1-r2.ebuild
index b164a15e79d..80dc7c3cd59 100644
--- a/net-misc/openssh/openssh-8.3_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.3_p1-r2.ebuild
@@ -21,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="12.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-07-24 21:12 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-07-24 21:12 UTC (permalink / raw
  To: gentoo-commits

commit:     84307da6e74a53fbe45d0bad395f4984729298a4
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 24 21:12:19 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Jul 24 21:12:19 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84307da6

net-misc/openssh: remove unused patches and old version

Package-Manager: Portage-3.0.0, Repoman-2.3.23
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.2_p1-X509-12.4.2-tests.patch   |  11 -
 .../files/openssh-8.2_p1-X509-glue-12.4.2.patch    | 129 ------
 net-misc/openssh/openssh-8.3_p1-r2.ebuild          | 492 ---------------------
 3 files changed, 632 deletions(-)

diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.2-tests.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.2-tests.patch
deleted file mode 100644
index 1c58d0d5d82..00000000000
--- a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.2-tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/openbsd-compat/regress/Makefile.in	2020-02-15 10:59:01.210601434 -0700
-+++ b/openbsd-compat/regress/Makefile.in	2020-02-15 10:59:18.753485852 -0700
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@

diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.2.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.2.patch
deleted file mode 100644
index 90a5d5a660f..00000000000
--- a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.2.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-diff --exclude '*.un~' -ubr a/openssh-8.2p1+x509-12.4.2.diff b/openssh-8.2p1+x509-12.4.2.diff
---- a/openssh-8.2p1+x509-12.4.2.diff	2020-02-23 12:25:17.296737805 -0800
-+++ b/openssh-8.2p1+x509-12.4.2.diff	2020-02-23 12:26:25.347779673 -0800
-@@ -39236,16 +39236,15 @@
-  
-  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -378,6 +379,8 @@
-+@@ -378,6 +379,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
--@@ -386,11 +389,14 @@
-+@@ -386,11 +388,14 @@
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-@@ -39264,7 +39263,7 @@
-  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-  	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-  	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
--@@ -400,12 +406,12 @@
-+@@ -400,12 +405,12 @@
-  	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
-  	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
-  	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
-@@ -39278,7 +39277,7 @@
-  
-  install-sysconf:
-  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
--@@ -463,10 +469,9 @@
-+@@ -463,10 +468,9 @@
-  	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-  	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-  	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-@@ -39292,7 +39291,7 @@
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
--@@ -478,7 +483,6 @@
-+@@ -478,7 +482,6 @@
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-@@ -39300,7 +39299,7 @@
-  
-  regress-prep:
-  	$(MKDIR_P) `pwd`/regress/unittests/test_helper
--@@ -491,11 +495,11 @@
-+@@ -491,11 +494,11 @@
-  	$(MKDIR_P) `pwd`/regress/unittests/match
-  	$(MKDIR_P) `pwd`/regress/unittests/utf8
-  	$(MKDIR_P) `pwd`/regress/misc/kexfuzz
-@@ -39314,7 +39313,7 @@
-  
-  regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
-  	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
--@@ -546,8 +550,7 @@
-+@@ -546,8 +549,7 @@
-  	regress/unittests/sshkey/tests.o \
-  	regress/unittests/sshkey/common.o \
-  	regress/unittests/sshkey/test_file.o \
-@@ -39344,7 +39343,7 @@
-  
-  regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
-      ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
--@@ -618,35 +619,18 @@
-+@@ -618,35 +618,18 @@
-  	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-  
-  MISC_KEX_FUZZ_OBJS=\
-@@ -39382,7 +39381,7 @@
-  	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-  	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
-  	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
--@@ -657,36 +641,29 @@
-+@@ -657,36 +640,29 @@
-  	regress/unittests/utf8/test_utf8$(EXEEXT) \
-  	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
-  
-@@ -39439,7 +39438,7 @@
-  	TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
-  	TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
-  	TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
--@@ -708,8 +685,6 @@
-+@@ -708,8 +684,6 @@
-  		TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
-  		TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
-  		TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
-@@ -39448,7 +39447,7 @@
-  		TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
-  		TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
-  		TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
--@@ -717,17 +692,35 @@
-+@@ -717,17 +691,35 @@
-  		TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
-  		TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
-  		TEST_SSH_ECC="$${TEST_SSH_ECC}" \
-@@ -39487,7 +39486,7 @@
-  
-  survey: survey.sh ssh
-  	@$(SHELL) ./survey.sh > survey
--@@ -743,4 +736,8 @@
-+@@ -743,4 +735,8 @@
-  		sh buildpkg.sh; \
-  	fi
-  
-@@ -98042,16 +98041,6 @@
- +	return mbtowc(NULL, s, n);
- +}
- +#endif
--diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.2/version.h
----- openssh-8.2p1/version.h	2020-02-14 02:40:54.000000000 +0200
--+++ openssh-8.2p1+x509-12.4.2/version.h	2020-02-23 11:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.2"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.2/version.m4
- --- openssh-8.2p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.2p1+x509-12.4.2/version.m4	2020-02-23 11:07:00.000000000 +0200

diff --git a/net-misc/openssh/openssh-8.3_p1-r2.ebuild b/net-misc/openssh/openssh-8.3_p1-r2.ebuild
deleted file mode 100644
index 80dc7c3cd59..00000000000
--- a/net-misc/openssh/openssh-8.3_p1-r2.ebuild
+++ /dev/null
@@ -1,492 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.1_P1"
-
-HPN_VER="14.20"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp !security-key ssl !xmss )
-	xmss? ( || ( ssl libressl ) )
-	test? ( ssl )
-"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.4.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-		!libressl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist=]
-					<dev-libs/openssl-1.1.0:0[bindist=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-		)
-		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
-	)
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	static? ( ${LIB_DEPEND} )
-	virtual/os-headers
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "booooo"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
-		eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-libressl.patch
-		if use X509; then
-		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
-		#	# X509 and AES-CTR-MT don't get along, let's just drop it
-		#	rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
-
-			eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
-		fi
-		use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	# stackprotect is broken on musl x86 and ppc
-	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
-			SUDO="" SSH_SK_PROVIDER="" \
-			TEST_SSH_UNSAFE_PERMISSIONS=1 \
-			emake -k -j1 ${t} </dev/null \
-				&& passed+=( "${t}" ) \
-				|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	keepdir /var/empty
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-09-30 20:57 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-09-30 20:57 UTC (permalink / raw
  To: gentoo-commits

commit:     9b824f616093a8dc1a79eafba1e4c50d62c0ee1d
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Wed Sep 30 20:56:10 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Sep 30 20:56:10 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b824f61

net-misc/openssh-8.4_p1: Version bump (no X509 support yet)

Will revbump once the X509 patch gets updated.

Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   5 +
 .../files/openssh-8.4_p1-hpn-14.22-glue.patch      |  94 ++++
 .../files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch |  18 +
 net-misc/openssh/openssh-8.4_p1.ebuild             | 508 +++++++++++++++++++++
 4 files changed, 625 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 6bc6b039349..8683815ce7d 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -8,6 +8,11 @@ DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf4
 DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
 DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
 DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
+DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
+DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
 DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
 DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
+DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
+DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
+DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb

diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
new file mode 100644
index 00000000000..884063c60f1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
@@ -0,0 +1,94 @@
+diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
+--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff	2020-09-28 13:15:17.780747192 -0700
++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff	2020-09-28 13:34:03.576552219 -0700
+@@ -409,18 +409,10 @@
+ index e7abb341..c23276d4 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+  	return 0;
+  }
+  
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+	rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- 		return 0;
+- 
+-+	/* used to force rekeying when called for by the none
+-+         * cipher switch methods -cjr */
+-+        if (rekey_requested == 1) {
+-+                rekey_requested = 0;
+-+                return 1;
+-+        }
+-+
+- 	/* Time-based rekeying */
+- 	if (state->rekey_interval != 0 &&
+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index c2544bd9..ebd85c88 100644
+ --- a/packet.h
+@@ -481,9 +459,9 @@
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneSwitch,
++ 	oDisableMTAES,
+  	oVisualHostKey,
+  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -294,6 +297,8 @@ static struct {
+  	{ "kexalgorithms", oKexAlgorithms },
+  	{ "ipqos", oIPQoS },
+@@ -615,9 +593,9 @@
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+ @@ -114,7 +118,10 @@ typedef struct {
+- 
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none to be used */
+  	int	rekey_interval;
+@@ -700,9 +678,9 @@
+ +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ +	}
+ +
++ 	if (options->disable_multithreaded == -1)
++ 		options->disable_multithreaded = 0;
+  	if (options->ip_qos_interactive == -1)
+- 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- 	if (options->ip_qos_bulk == -1)
+ @@ -519,6 +565,8 @@ typedef enum {
+  	sPasswordAuthentication, sKbdInteractiveAuthentication,
+  	sListenAddress, sAddressFamily,
+@@ -1081,11 +1059,11 @@
+  	xxx_host = host;
+  	xxx_hostaddr = hostaddr;
+  
+-@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++ 		}
++ 	}
++ #endif
+  
+- 	if (!authctxt.success)
+- 		fatal("Authentication failed.");
+-+
+ +	/*
+ +	 * If the user wants to use the none cipher, do it post authentication
+ +	 * and only if the right conditions are met -- both of the NONE commands

diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
new file mode 100644
index 00000000000..52ec42e37fd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
+--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff	2020-09-28 16:42:34.168386903 -0700
++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff	2020-09-28 16:42:43.806325434 -0700
+@@ -1171,14 +1171,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index a2eca3ec..ff654fc3 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.3"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn14v22"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

diff --git a/net-misc/openssh/openssh-8.4_p1.ebuild b/net-misc/openssh/openssh-8.4_p1.ebuild
new file mode 100644
index 00000000000..04544b8f1fd
--- /dev/null
+++ b/net-misc/openssh/openssh-8.4_p1.ebuild
@@ -0,0 +1,508 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.3_P1"
+
+HPN_VER="14.22"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+#X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+"
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp !security-key ssl !xmss )
+	xmss? ( || ( ssl libressl ) )
+	test? ( ssl )
+"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( >=sys-kernel/linux-headers-5.1 )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+
+	# workaround for https://bugs.gentoo.org/734984
+	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		if use X509; then
+		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
+		#	# X509 and AES-CTR-MT don't get along, let's just drop it
+		#	rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
+
+			eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
+		fi
+		use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86 and ppc
+	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
+			SUDO="" SSH_SK_PROVIDER="" \
+			TEST_SSH_UNSAFE_PERMISSIONS=1 \
+			emake -k -j1 ${t} </dev/null \
+				&& passed+=( "${t}" ) \
+				|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	# https://bugs.gentoo.org/733802
+	if ! use scp; then
+		rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
+			|| die "failed to remove scp"
+	fi
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-10-01 17:46 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-10-01 17:46 UTC (permalink / raw
  To: gentoo-commits

commit:     f2e06ef88010e65b016a47d9086e12a206114c2f
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Thu Oct  1 17:46:05 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Oct  1 17:46:24 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2e06ef8

net-misc/openssh-8.4_p1: port libressl patch for hpn (bug #745912)

Closes: https://bugs.gentoo.org/745912
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.4_p1-hpn-14.22-libressl.patch    | 20 ++++++++++++++++++++
 net-misc/openssh/openssh-8.4_p1.ebuild               |  1 +
 2 files changed, 21 insertions(+)

diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
new file mode 100644
index 00000000000..79cc3e5c2d8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
@@ -0,0 +1,20 @@
+--- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff	2020-04-17 10:31:37.392120799 -0700
++++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff	2020-04-17 10:32:46.143684424 -0700
+@@ -672,7 +672,7 @@
+ +const EVP_CIPHER *
+ +evp_aes_ctr_mt(void)
+ +{
+-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
+++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
+ +	static EVP_CIPHER *aes_ctr;
+ +	aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ +	EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
+@@ -701,7 +701,7 @@
+ +		EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ +#  endif /*SSH_OLD_EVP*/
+ +        return &aes_ctr;
+-+# endif /*OPENSSH_VERSION_NUMBER*/
+++# endif /*OPENSSL_VERSION_NUMBER*/
+ +}
+ +
+ +#endif /* defined(WITH_OPENSSL) */

diff --git a/net-misc/openssh/openssh-8.4_p1.ebuild b/net-misc/openssh/openssh-8.4_p1.ebuild
index 04544b8f1fd..6248805da22 100644
--- a/net-misc/openssh/openssh-8.4_p1.ebuild
+++ b/net-misc/openssh/openssh-8.4_p1.ebuild
@@ -188,6 +188,7 @@ src_prepare() {
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
 		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-libressl.patch
 		if use X509; then
 		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
 		#	# X509 and AES-CTR-MT don't get along, let's just drop it


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2020-10-14 21:14 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2020-10-14 21:14 UTC (permalink / raw
  To: gentoo-commits

commit:     5483ca01f8bbc1d6ad960d1ef7846a10ab5044d9
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Wed Oct 14 21:14:24 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Wed Oct 14 21:14:32 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5483ca01

net-misc/openssh-8.4_p1-r2: Pull in fix for ssh-copy-id (bug #749026)

Closes: https://bugs.gentoo.org/749026
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.4_p1-fix-ssh-copy-id.patch     | 30 ++++++++++++++++++++++
 ...h-8.4_p1-r1.ebuild => openssh-8.4_p1-r2.ebuild} |  3 +++
 2 files changed, 33 insertions(+)

diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
new file mode 100644
index 00000000000..32713d43ff3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
@@ -0,0 +1,30 @@
+From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+   #    the cat adds the keys we're getting via STDIN
+   #    and if available restorecon is used to restore the SELinux context
+-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
++  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ 	  restorecon -F .ssh ${AUTH_KEY_FILE};
+ 	fi
+ EOF
++  )
+ 
+   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"

diff --git a/net-misc/openssh/openssh-8.4_p1-r1.ebuild b/net-misc/openssh/openssh-8.4_p1-r2.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-8.4_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.4_p1-r2.ebuild
index 6c183e64862..09691782910 100644
--- a/net-misc/openssh/openssh-8.4_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.4_p1-r2.ebuild
@@ -138,6 +138,9 @@ src_prepare() {
 	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
 
+	# https://bugs.gentoo.org/749026
+	use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch
+
 	# workaround for https://bugs.gentoo.org/734984
 	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-03-04  7:04 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2021-03-04  7:04 UTC (permalink / raw
  To: gentoo-commits

commit:     77e3bbd9528150668daa02b6afffe1183a482782
Author:     Patrick McLean <patrick.mclean <AT> sony <DOT> com>
AuthorDate: Thu Mar  4 07:03:14 2021 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Mar  4 07:03:14 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e3bbd9

net-misc/openssh-8.5_p1: Version bump

Bug: https://bugs.gentoo.org/774090
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-3.0.16, Repoman-3.0.2
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   6 +
 .../openssh/files/openssh-8.5_p1-GSSAPI-dns.patch  | 112 +++++
 .../files/openssh-8.5_p1-X509-glue-13.0.patch      |  73 +++
 .../files/openssh-8.5_p1-hpn-15.1-X509-glue.patch  | 325 +++++++++++++
 .../files/openssh-8.5_p1-hpn-15.1-glue.patch       | 242 ++++++++++
 .../files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch  |  18 +
 net-misc/openssh/openssh-8.5_p1.ebuild             | 515 +++++++++++++++++++++
 7 files changed, 1291 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 5b21cbdc99a..4c9fa8922fa 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,12 @@
 DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3
 DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
 DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
+DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
+DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
+DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
 DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
 DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
 DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb
+DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
+DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
+DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63

diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000000..718eacb8a7e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
@@ -0,0 +1,112 @@
+diff --git a/readconf.c b/readconf.c
+index 724974b7..97a1ffd8 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -206,9 +207,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "pkcs11provider", oPKCS11Provider },
+@@ -1083,6 +1086,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index 2fba866e..da3ce87a 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -42,6 +42,7 @@ typedef struct {
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index f8119189..e0fd0d76 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -783,6 +783,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 059c9480..ab6f6832 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
+ 	OM_uint32 min;
+ 	int r, ok = 0;
+ 	gss_OID mech = NULL;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(ssh, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		    elements[authctxt->mech_tried];
+ 		/* My DER encoding requires length<128 */
+ 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+-		    mech, authctxt->host)) {
++		    mech, gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			authctxt->mech_tried++;

diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
new file mode 100644
index 00000000000..71b27f284af
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
@@ -0,0 +1,73 @@
+diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
+--- a/openssh-8.5p1+x509-13.0.diff	2021-03-03 12:26:21.021212996 -0800
++++ b/openssh-8.5p1+x509-13.0.diff	2021-03-03 18:20:06.476490271 -0800
+@@ -46675,12 +46675,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -380,6 +364,8 @@
++@@ -380,6 +364,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -63967,7 +63966,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
+  	verbose "$tid: cipher $c"
+@@ -63982,7 +63981,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+  	verbose "$tid: kex $k"
+@@ -63997,7 +63996,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  if [ "`${SSH} -Q compression`" = "none" ]; then
+  	comp="0"
+@@ -64129,9 +64128,9 @@
+  
+ +# cross-project configuration
+ +if test "$sshd_type" = "pkix" ; then
+-+  unset_arg=''
+++  unset_arg=
+ +else
+-+  unset_arg=none
+++  unset_arg=
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -122238,16 +122237,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	     __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
+---- openssh-8.5p1/version.h	2021-03-02 12:31:47.000000000 +0200
+-+++ openssh-8.5p1+x509-13.0/version.h	2021-03-03 19:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.5"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
+ --- openssh-8.5p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.5p1+x509-13.0/version.m4	2021-03-03 19:07:00.000000000 +0200

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
new file mode 100644
index 00000000000..e2d4ce826ea
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
@@ -0,0 +1,325 @@
+diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
+--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 12:57:01.975827879 -0800
++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 18:25:21.929305944 -0800
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+  {
+  	struct session_state *state;
+--	const struct sshcipher *none = cipher_by_name("none");
+-+	struct sshcipher *none = cipher_by_name("none");
++-	const struct sshcipher *none = cipher_none();
+++	struct sshcipher *none = cipher_none();
+  	int r;
+  
+  	if (none == NULL) {
+@@ -894,24 +894,24 @@
+  		intptr = &options->compression;
+  		multistate_ptr = multistate_compression;
+ @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+- 	options->hostbased_accepted_algos = NULL;
+- 	options->pubkey_accepted_algos = NULL;
+- 	options->known_hosts_command = NULL;
++ 	options->revoked_host_keys = NULL;
++ 	options->fingerprint_hash = -1;
++ 	options->update_hostkeys = -1;
+ +	options->disable_multithreaded = -1;
+  }
+  
+  /*
+ @@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
++ 		options->update_hostkeys = 0;
+  	if (options->sk_provider == NULL)
+  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ +	if (options->update_hostkeys == -1)
+ +		options->update_hostkeys = 0;
+ +	if (options->disable_multithreaded == -1)
+ +		options->disable_multithreaded = 0;
+  
+- 	/* Expand KEX name lists */
+- 	all_cipher = cipher_alg_list(',', 0);
++ 	/* expand KEX and etc. name lists */
++ {	char *all;
+ diff --git a/readconf.h b/readconf.h
+ index d6a15550..d2d20548 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+  	/* Portable-specific options */
+  	sUsePAM,
+ +	sDisableMTAES,
+- 	/* Standard Options */
+- 	sPort, sHostKeyFile, sLoginGraceTime,
+- 	sPermitRootLogin, sLogFacility, sLogLevel,
++ 	/* X.509 Standard Options */
++ 	sHostbasedAlgorithms,
++ 	sPubkeyAlgorithms,
+ @@ -672,6 +676,7 @@ static struct {
+  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 19:05:28.942903961 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 20:36:34.702362020 -0800
+@@ -157,6 +157,36 @@
+ +	 Allan Jude provided the code for the NoneMac and buffer normalization.
+ +         This work was financed, in part, by Cisco System, Inc., the National
+ +         Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c	2021-03-03 20:34:51.312051369 -0800
+++++ b/auth2.c	2021-03-03 20:35:15.797888115 -0800
++@@ -229,16 +229,17 @@
++ 	double delay;
++ 
++ 	digest_alg = ssh_digest_maxbytes();
++-	len = ssh_digest_bytes(digest_alg);
++-	hash = xmalloc(len);
+++	if (len = ssh_digest_bytes(digest_alg) > 0) {
+++		hash = xmalloc(len);
++ 
++-	(void)snprintf(b, sizeof b, "%llu%s",
++-	     (unsigned long long)options.timing_secret, user);
++-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++-		fatal_f("ssh_digest_memory");
++-	/* 0-4.2 ms of delay */
++-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++-	freezero(hash, len);
+++		(void)snprintf(b, sizeof b, "%llu%s",
+++			(unsigned long long)options.timing_secret, user);
+++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++			fatal_f("ssh_digest_memory");
+++		/* 0-4.2 ms of delay */
+++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++		freezero(hash, len);
+++	}
++ 	debug3_f("user specific delay %0.3lfms", delay/1000);
++ 	return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index e4917f3c..e0db582e 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+  static void
+  channel_pre_open(struct ssh *ssh, Channel *c,
+      fd_set *readset, fd_set *writeset)
+-@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+  
+  	if (c->type == SSH_CHANNEL_OPEN &&
+  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ -	    ((c->local_window_max - c->local_window >
+ -	    c->local_maxpacket*3) ||
+-+            ((ssh_packet_is_interactive(ssh) &&
+-+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++	    ((ssh_packet_is_interactive(ssh) &&
+++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+  	    c->local_window < c->local_window_max/2) &&
+  	    c->local_consumed > 0) {
+ +		u_int addition = 0;
+@@ -234,10 +264,12 @@
+  		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
++-		    (r = sshpkt_send(ssh)) != 0)
++-			fatal_fr(r, "channel %d", c->self);
+ +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- 		    (r = sshpkt_send(ssh)) != 0) {
+- 			fatal_fr(r, "channel %i", c->self);
+- 		}
+++		    (r = sshpkt_send(ssh)) != 0) {
+++			fatal_fr(r, "channel %i", c->self);
+++		}
+  		debug2("channel %d: window %d sent adjust %d", c->self,
+ -		    c->local_window, c->local_consumed);
+ -		c->local_window += c->local_consumed;
+@@ -384,20 +416,38 @@
+ index dec8e7e9..3c11558e 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+- 			debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@
++ static u_int
++ compat_datafellows(const char *version)
++ {
++-	int i;
+++	int i, bugs = 0;
++ 	static struct {
++ 		char	*pat;
++ 		int	bugs;
++@@ -147,11 +147,19 @@
++ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ 			debug("match: %s pat %s compat 0x%08x",
+  			    version, check[i].pat, check[i].bugs);
+- 			ssh->compat = check[i].bugs;
+-+			/* Check to see if the remote side is OpenSSH and not HPN */
+-+			if (strstr(version, "OpenSSH") != NULL) {
+-+				if (strstr(version, "hpn") == NULL) {
+-+					ssh->compat |= SSH_BUG_LARGEWINDOW;
+-+					debug("Remote is NON-HPN aware");
+-+				}
+-+			}
+- 			return;
++-			return check[i].bugs;
+++			bugs |= check[i].bugs;
+  		}
+  	}
++-	debug("no match: %s", version);
++-	return 0;
+++	/* Check to see if the remote side is OpenSSH and not HPN */
+++	if (strstr(version, "OpenSSH") != NULL) {
+++		if (strstr(version, "hpn") == NULL) {
+++			bugs |= SSH_BUG_LARGEWINDOW;
+++			debug("Remote is NON-HPN aware");
+++		}
+++	}
+++	if (bugs == 0)
+++		debug("no match: %s", version);
+++	return bugs;
++ }
++ 
++ char *
+ diff --git a/compat.h b/compat.h
+ index 66db42cc..d4e811e4 100644
+ --- a/compat.h
+@@ -456,7 +506,7 @@
+ @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
+  	int nenc, nmac, ncomp;
+  	u_int mode, ctos, need, dh_need, authlen;
+- 	int r, first_kex_follows;
++ 	int r, first_kex_follows = 0;
+ +	int auth_flag = 0;
+ +
+ +	auth_flag = packet_authentication_state(ssh);
+@@ -1033,19 +1083,6 @@
+  
+  /* File to read commands from */
+  FILE* infile;
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index a12b79a5..8b839219 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
+- 			freezero(pin, strlen(pin));
+- 		error("Unable to load resident keys: %s", ssh_err(r));
+- 		return -1;
+--	}
+-+ 	}
+- 	if (nkeys == 0)
+- 		logit("No keys to download");
+- 	if (pin != NULL)
+ diff --git a/ssh.c b/ssh.c
+ index f34ca0d7..d7d134f7 100644
+ --- a/ssh.c
+@@ -1091,7 +1128,7 @@
+ +	else
+ +		options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ +		debug("HPN to Non-HPN Connection");
+ +	} else {
+ +		int sock, socksize;
+@@ -1331,6 +1368,26 @@
+  		/* Bind the socket to the desired port. */
+  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+  			error("Bind to port %s on %s failed: %.200s.",
++@@ -1625,12 +1625,13 @@
++ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ 		    sshbuf_len(server_cfg)) != 0)
++ 			fatal_f("ssh_digest_update");
++-		len = ssh_digest_bytes(digest_alg);
++-		hash = xmalloc(len);
++-		if (ssh_digest_final(ctx, hash, len) != 0)
++-			fatal_f("ssh_digest_final");
++-		options.timing_secret = PEEK_U64(hash);
++-		freezero(hash, len);
+++		if (len = ssh_digest_bytes(digest_alg) > 0) {
+++			hash = xmalloc(len);
+++			if (ssh_digest_final(ctx, hash, len) != 0)
+++				fatal_f("ssh_digest_final");
+++			options.timing_secret = PEEK_U64(hash);
+++			freezero(hash, len);
+++		}
++ 		ssh_digest_free(ctx);
++ 		ctx = NULL;
++ 		return;
+ @@ -1746,6 +1753,19 @@ main(int ac, char **av)
+  	/* Fill in default values for those options not explicitly set. */
+  	fill_default_server_options(&options);
+@@ -1401,14 +1458,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index c2f9c55b..f2e7fa80 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.4"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn15v1"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
+--- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff	2021-03-03 12:57:01.975827879 -0800
++++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff	2021-03-03 18:25:21.930305937 -0800
+@@ -12,9 +12,9 @@
+  static long stalled;		/* how long we have been stalled */
+  static int bytes_per_second;	/* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ 	off_t bytes_left;
+  	int cur_speed;
+- 	int hours, minutes, seconds;
+- 	int file_len;
++ 	int len;
+ +	off_t delta_pos;
+  
+  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -33,12 +33,12 @@
+ @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+  
+  	/* filename */
+- 	buf[0] = '\0';
+--	file_len = win_size - 36;
+-+	file_len = win_size - 45;
+- 	if (file_len > 0) {
+- 		buf[0] = '\r';
+- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++ 	if (win_size > 36) {
++-		int file_len = win_size - 36;
+++		int file_len = win_size - 45;
++ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ 		    file_len, file);
++ 	}
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+  	    (off_t)bytes_per_second);
+  	strlcat(buf, "/s ", win_size);
+@@ -63,15 +63,3 @@
+  }
+  
+  /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index a12b79a5..76b22338 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
+- 
+- 	if (skprovider == NULL)
+- 		fatal("Cannot download keys without provider");
+--
+- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- 	if (!quiet) {
+- 		printf("You may need to touch your authenticator "

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
new file mode 100644
index 00000000000..ec6e687271c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
@@ -0,0 +1,242 @@
+diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
+--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff	2021-03-03 11:18:42.408298903 -0800
+@@ -894,9 +894,9 @@
+  		intptr = &options->compression;
+  		multistate_ptr = multistate_compression;
+ @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+- 	options->update_hostkeys = -1;
+- 	options->hostbased_key_types = NULL;
+- 	options->pubkey_key_types = NULL;
++ 	options->hostbased_accepted_algos = NULL;
++ 	options->pubkey_accepted_algos = NULL;
++ 	options->known_hosts_command = NULL;
+ +	options->disable_multithreaded = -1;
+  }
+  
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 12:53:24.117319233 -0800
+@@ -209,7 +209,7 @@
+  static void
+  channel_pre_open(struct ssh *ssh, Channel *c,
+      fd_set *readset, fd_set *writeset)
+-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+  
+  	if (c->type == SSH_CHANNEL_OPEN &&
+  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+@@ -229,22 +229,19 @@
+ +			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ +		}
+  		if (!c->have_remote_id)
+- 			fatal(":%s: channel %d: no remote id",
+- 			    __func__, c->self);
++ 			fatal_f("channel %d: no remote id", c->self);
+  		if ((r = sshpkt_start(ssh,
+  		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+  		    (r = sshpkt_send(ssh)) != 0) {
+- 			fatal("%s: channel %i: %s", __func__,
+- 			    c->self, ssh_err(r));
++ 			fatal_fr(r, "channel %i", c->self);
+  		}
+- 		debug2("channel %d: window %d sent adjust %d",
+- 		    c->self, c->local_window,
+--		    c->local_consumed);
++ 		debug2("channel %d: window %d sent adjust %d", c->self,
++-		    c->local_window, c->local_consumed);
+ -		c->local_window += c->local_consumed;
+-+		    c->local_consumed + addition);
+++		    c->local_window, c->local_consumed + addition);
+ +		c->local_window += c->local_consumed + addition;
+  		c->local_consumed = 0;
+  	}
+@@ -387,18 +384,18 @@
+ index dec8e7e9..3c11558e 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
+- 			debug("match: %s pat %s compat 0x%08x",
++@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
++ 			debug_f("match: %s pat %s compat 0x%08x",
+  			    version, check[i].pat, check[i].bugs);
+- 			datafellows = check[i].bugs;	/* XXX for now */
++ 			ssh->compat = check[i].bugs;
+ +			/* Check to see if the remote side is OpenSSH and not HPN */
+ +			if (strstr(version, "OpenSSH") != NULL) {
+ +				if (strstr(version, "hpn") == NULL) {
+-+					datafellows |= SSH_BUG_LARGEWINDOW;
+++					ssh->compat |= SSH_BUG_LARGEWINDOW;
+ +					debug("Remote is NON-HPN aware");
+ +				}
+ +			}
+- 			return check[i].bugs;
++ 			return;
+  		}
+  	}
+ diff --git a/compat.h b/compat.h
+@@ -431,9 +428,9 @@
+ --- a/digest-openssl.c
+ +++ b/digest-openssl.c
+ @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
+- 	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
++ 	{ SSH_DIGEST_SHA256,	"SHA256",	32,	EVP_sha256 },
+  	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
+- 	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },
++ 	{ SSH_DIGEST_SHA512,	"SHA512",	64,	EVP_sha512 },
+ +	{ SSH_DIGEST_NULL,      "NONEMAC",       0,     EVP_md_null},
+  	{ -1,			NULL,		0,	NULL },
+  };
+@@ -536,18 +533,10 @@
+  	if (state->rekey_limit)
+  		*max_blocks = MINIMUM(*max_blocks,
+  		    state->rekey_limit / enc->block_size);
+-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+  	return 0;
+  }
+  
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+	rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +550,6 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- 		return 0;
+- 
+-+	/* used to force rekeying when called for by the none
+-+         * cipher switch methods -cjr */
+-+        if (rekey_requested == 1) {
+-+                rekey_requested = 0;
+-+                return 1;
+-+        }
+-+
+- 	/* Time-based rekeying */
+- 	if (state->rekey_interval != 0 &&
+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+  	struct session_state *state = ssh->state;
+  	int len, r, ms_remain;
+@@ -622,9 +597,9 @@
+  /* Format of the configuration file:
+  
+ @@ -165,6 +166,8 @@ typedef enum {
+- 	oHashKnownHosts,
+  	oTunnel, oTunnelDevice,
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ 	oDisableMTAES,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+  	oVisualHostKey,
+@@ -778,9 +753,9 @@
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+ @@ -115,7 +119,11 @@ typedef struct {
+- 
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none cipher to be used */
+ +  	int     nonemac_enabled;   /* Allow none MAC to be used */
+@@ -888,9 +863,9 @@
+ +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ +	}
+ +
++ 	if (options->disable_multithreaded == -1)
++ 		options->disable_multithreaded = 0;
+  	if (options->ip_qos_interactive == -1)
+- 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- 	if (options->ip_qos_bulk == -1)
+ @@ -511,6 +564,8 @@ typedef enum {
+  	sPasswordAuthentication, sKbdInteractiveAuthentication,
+  	sListenAddress, sAddressFamily,
+@@ -1091,7 +1066,7 @@
+  }
+  
+ +static void
+-+hpn_options_init(void)
+++hpn_options_init(struct ssh *ssh)
+ +{
+ +	/*
+ +	 * We need to check to see if what they want to do about buffer
+@@ -1116,7 +1091,7 @@
+ +	else
+ +		options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+	if (datafellows & SSH_BUG_LARGEWINDOW) {
+++	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+ +		debug("HPN to Non-HPN Connection");
+ +	} else {
+ +		int sock, socksize;
+@@ -1186,7 +1161,7 @@
+ +		c->dynamic_window = 1;
+ +		debug("Enabled Dynamic Window Scaling");
+ +	}
+- 	debug3("%s: channel_new: %d", __func__, c->self);
++ 	debug3_f("channel_new: %d", c->self);
+  
+  	channel_send_open(ssh, c->self);
+ @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -1198,7 +1173,7 @@
+ +	 * might open channels that use the hpn buffer sizes.  We can't send a
+ +	 * window of -1 (the default) to the server as it breaks things.
+ +	 */
+-+	hpn_options_init();
+++	hpn_options_init(ssh);
+ +
+  	/* XXX should be pre-session */
+  	if (!options.control_persist)
+@@ -1297,11 +1272,10 @@
+  	xxx_host = host;
+  	xxx_hostaddr = hostaddr;
+  
+-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+- 
++@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+  	if (!authctxt.success)
+  		fatal("Authentication failed.");
+-+
++ 
+ +	/*
+ +	 * If the user wants to use the none cipher, do it post authentication
+ +	 * and only if the right conditions are met -- both of the NONE commands
+@@ -1329,9 +1303,9 @@
+ +		}
+ +	}
+ +
+- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+- 
++ #ifdef WITH_OPENSSL
++ 	if (options.disable_multithreaded == 0) {
++ 		/* if we are using aes-ctr there can be issues in either a fork or sandbox
+ diff --git a/sshd.c b/sshd.c
+ index 8aa7f3df..d0e3f1b0 100644
+ --- a/sshd.c
+@@ -1397,9 +1371,9 @@
+ +	if (options.nonemac_enabled == 1)
+ +		debug("WARNING: None MAC enabled");
+ +	
+- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
+  	    options.kex_algorithms);
+- 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
++ 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
+ diff --git a/sshd_config b/sshd_config
+ index 19b7c91a..cdd889b2 100644
+ --- a/sshd_config

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
new file mode 100644
index 00000000000..d4835d1209b
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 15:36:29.211246123 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff	2021-03-03 15:36:53.607089097 -0800
+@@ -1401,14 +1401,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index c2f9c55b..f2e7fa80 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.4"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn15v1"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

diff --git a/net-misc/openssh/openssh-8.5_p1.ebuild b/net-misc/openssh/openssh-8.5_p1.ebuild
new file mode 100644
index 00000000000..a5b7915c25d
--- /dev/null
+++ b/net-misc/openssh/openssh-8.5_p1.ebuild
@@ -0,0 +1,515 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.4_P1"
+
+HPN_VER="15.1"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+"
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp !security-key ssl !xmss )
+	xmss? ( || ( ssl libressl ) )
+	test? ( ssl )
+"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+
+	# workaround for https://bugs.gentoo.org/734984
+	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# stackprotect is broken on musl x86 and ppc
+		if use x86 || use ppc; then
+			myconf+=( --without-stackprotect )
+		fi
+
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
+			SUDO="" SSH_SK_PROVIDER="" \
+			TEST_SSH_UNSAFE_PERMISSIONS=1 \
+			emake -k -j1 ${t} </dev/null \
+				&& passed+=( "${t}" ) \
+				|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	# https://bugs.gentoo.org/733802
+	if ! use scp; then
+		rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
+			|| die "failed to remove scp"
+	fi
+
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-08-27  0:13 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2021-08-27  0:13 UTC (permalink / raw
  To: gentoo-commits

commit:     4df896235ee386a1c1830b94bc86cb7a790c0fd7
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 26 21:28:53 2021 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Aug 27 00:13:02 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4df89623

net-misc/openssh-8.7_p1: Version bump, no X509 yet

Package-Manager: Portage-3.0.22, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   2 +
 .../openssh/files/openssh-8.7_p1-GSSAPI-dns.patch  | 357 ++++++++++++++
 .../files/openssh-8.7_p1-hpn-15.2-glue.patch       | 198 ++++++++
 net-misc/openssh/openssh-8.7_p1.ebuild             | 513 +++++++++++++++++++++
 4 files changed, 1070 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7e7889daada..b6ea0efce2b 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -4,6 +4,8 @@ DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c
 DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
 DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
 DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
+DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
+DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914

diff --git a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000000..ffc40b70ae3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,357 @@
+diff --git a/auth.c b/auth.c
+index 00b168b4..8ee93581 100644
+--- a/auth.c
++++ b/auth.c
+@@ -729,118 +729,6 @@ fakepw(void)
+ 	return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on based on conflation of hostnames and IP addresses.
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) == -1) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return xstrdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return xstrdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return xstrdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return xstrdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return xstrdup(ntop);
+-	}
+-	return xstrdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+-
+ /* These functions link key/cert options to the auth framework */
+ 
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
+diff --git a/canohost.c b/canohost.c
+index a810da0e..18e9d8d4 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) == -1) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return xstrdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return xstrdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return xstrdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return xstrdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return xstrdup(ntop);
++	}
++	return xstrdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}
+diff --git a/readconf.c b/readconf.c
+index 03369a08..b45898ce 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -207,9 +208,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "pkcs11provider", oPKCS11Provider },
+@@ -1117,6 +1120,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ 	options->pubkey_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index f7d53b06..c3a91898 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -40,6 +40,7 @@ typedef struct {
+ 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index cd0eea86..27101943 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -832,6 +832,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fea50fab..aeff639b 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+ 	OM_uint32 min;
+ 	int r, ok = 0;
+ 	gss_OID mech = NULL;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(ssh, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		    elements[authctxt->mech_tried];
+ 		/* My DER encoding requires length<128 */
+ 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+-		    mech, authctxt->host)) {
++		    mech, gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			authctxt->mech_tried++;

diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
new file mode 100644
index 00000000000..309e57e8864
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
@@ -0,0 +1,198 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:58:08.746214945 -0700
+@@ -1026,9 +1026,9 @@
+ +	}
+ +#endif
+ +
+- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+- 
++ 	if (ssh_packet_connection_is_on_socket(ssh)) {
++ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 12:04:45.008038085 -0700
+@@ -536,18 +536,10 @@
+  	if (state->rekey_limit)
+  		*max_blocks = MINIMUM(*max_blocks,
+  		    state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+  	return 0;
+  }
+  
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+	rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +553,6 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- 		return 0;
+- 
+-+	/* used to force rekeying when called for by the none
+-+         * cipher switch methods -cjr */
+-+        if (rekey_requested == 1) {
+-+                rekey_requested = 0;
+-+                return 1;
+-+        }
+-+
+- 	/* Time-based rekeying */
+- 	if (state->rekey_interval != 0 &&
+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+  	struct session_state *state = ssh->state;
+  	int len, r, ms_remain;
+@@ -598,12 +576,11 @@
+  };
+  
+  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
+  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
+  u_int	 ssh_packet_get_maxsize(struct ssh *);
+  
+ +/* for forced packet rekeying post auth */
+-+void	 packet_request_rekeying(void);
+ +int	 packet_authentication_state(const struct ssh *);
+ +
+  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +604,9 @@
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ 	oDisableMTAES,
+  	oVisualHostKey,
+  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+  	{ "kexalgorithms", oKexAlgorithms },
+  	{ "ipqos", oIPQoS },
+@@ -637,9 +614,9 @@
+ +	{ "noneenabled", oNoneEnabled },
+ +	{ "nonemacenabled", oNoneMacEnabled },
+ +	{ "noneswitch", oNoneSwitch },
+- 	{ "proxyusefdpass", oProxyUseFdpass },
+- 	{ "canonicaldomains", oCanonicalDomains },
+- 	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ 	{ "sessiontype", oSessionType },
++ 	{ "stdinnull", oStdinNull },
++ 	{ "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+  	{ "securitykeyprovider", oSecurityKeyProvider },
+  	{ "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +694,9 @@
+ +	options->hpn_buffer_size = -1;
+ +	options->tcp_rcv_buf_poll = -1;
+ +	options->tcp_rcv_buf = -1;
+- 	options->proxy_use_fdpass = -1;
+- 	options->ignored_unknown = NULL;
+- 	options->num_canonical_domains = 0;
++ 	options->session_type = -1;
++ 	options->stdin_null = -1;
++ 	options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+  		options->server_alive_interval = 0;
+  	if (options->server_alive_count_max == -1)
+@@ -778,9 +755,9 @@
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+- 
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none cipher to be used */
+ +  	int     nonemac_enabled;   /* Allow none MAC to be used */
+@@ -842,9 +819,9 @@
+  	/* Portable-specific options */
+  	if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- 	}
+- 	if (options->permit_tun == -1)
+  		options->permit_tun = SSH_TUNMODE_NO;
++ 	if (options->disable_multithreaded == -1)
++ 		options->disable_multithreaded = 0;
+ +	if (options->none_enabled == -1)
+ +		options->none_enabled = 0;
+ +	if (options->nonemac_enabled == -1)
+@@ -1047,17 +1024,17 @@
+  Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+- 
+- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN	32768
++ 
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS	64
+++#define DEFAULT_NUM_REQUESTS	256
+  
+- /* File to read commands from */
+- FILE* infile;
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE	512
+ diff --git a/ssh-keygen.c b/ssh-keygen.c
+ index cfb5f115..36a6e519 100644
+ --- a/ssh-keygen.c
+@@ -1330,9 +1307,9 @@
+ +		}
+ +	}
+ +
+- 	debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+  
++ #ifdef WITH_OPENSSL
++ 	if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1336,8 @@
+  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+  			error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- 	/* Fill in default values for those options not explicitly set. */
+- 	fill_default_server_options(&options);
++ 		fatal("AuthorizedPrincipalsCommand set without "
++ 		    "AuthorizedPrincipalsCommandUser");
+  
+ +	if (options.none_enabled == 1) {
+ +		char *old_ciphers = options.ciphers;
+@@ -1375,9 +1352,9 @@
+ +		}
+ +	}
+ +
+- 	/* challenge-response is implemented via keyboard interactive */
+- 	if (options.challenge_response_authentication)
+- 		options.kbd_interactive_authentication = 1;
++ 	/*
++ 	 * Check whether there is any path through configured auth methods.
++ 	 * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+  	    rdomain == NULL ? "" : "\"");
+  	free(laddr);

diff --git a/net-misc/openssh/openssh-8.7_p1.ebuild b/net-misc/openssh/openssh-8.7_p1.ebuild
new file mode 100644
index 00000000000..2b26a0f2548
--- /dev/null
+++ b/net-misc/openssh/openssh-8.7_p1.ebuild
@@ -0,0 +1,513 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+#X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+"
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp !security-key ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
+					<dev-libs/openssl-1.1.0:0[bindist(-)=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+	)
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# stackprotect is broken on musl x86 and ppc
+		if use x86 || use ppc; then
+			myconf+=( --without-stackprotect )
+		fi
+
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
+			SUDO="" SSH_SK_PROVIDER="" \
+			TEST_SSH_UNSAFE_PERMISSIONS=1 \
+			emake -k -j1 ${t} </dev/null \
+				&& passed+=( "${t}" ) \
+				|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	# https://bugs.gentoo.org/733802
+	if ! use scp; then
+		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
+			|| die "failed to remove scp"
+	fi
+
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-09-09  0:02 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2021-09-09  0:02 UTC (permalink / raw
  To: gentoo-commits

commit:     d5e9f384abfbd15bc04b80033274cecc9eb0b7f4
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Sep  9 00:02:10 2021 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Sep  9 00:02:13 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5e9f384

net-misc/openssh-8.7_p1-r2: Revbump, bump the X509 patch

Package-Manager: Portage-3.0.22, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  2 +-
 .../files/openssh-8.7_p1-X509-glue-13.2.1.patch    | 45 +++++++++++++
 .../files/openssh-8.7_p1-X509-glue-13.2.patch      | 73 ----------------------
 ...h-8.7_p1-r1.ebuild => openssh-8.7_p1-r2.ebuild} |  2 +-
 4 files changed, 47 insertions(+), 75 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index ba9efbc35e8..48110ee70d6 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -4,7 +4,7 @@ DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c
 DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
 DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
 DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
-DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540
+DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
 DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f

diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
new file mode 100644
index 00000000000..be88d11ba80
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
@@ -0,0 +1,45 @@
+--- a/openssh-8.7p1+x509-13.2.1.diff	2021-09-08 14:20:40.750542472 -0700
++++ b/openssh-8.7p1+x509-13.2.1.diff	2021-09-08 14:21:23.354736098 -0700
+@@ -51194,12 +51194,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +368,8 @@
++@@ -391,6 +368,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -70464,9 +70463,9 @@
+  
+ +# cross-project configuration
+ +if test "$sshd_type" = "pkix" ; then
+-+  unset_arg=''
+++  unset_arg=
+ +else
+-+  unset_arg=none
+++  unset_arg=
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -132131,16 +132130,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	    __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2.1/version.h
+---- openssh-8.7p1/version.h	2021-08-20 07:03:49.000000000 +0300
+-+++ openssh-8.7p1+x509-13.2.1/version.h	2021-09-08 21:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.7"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2.1/version.m4
+ --- openssh-8.7p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.7p1+x509-13.2.1/version.m4	2021-09-08 21:07:00.000000000 +0300

diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
deleted file mode 100644
index d6f5e42027d..00000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff
---- a/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:47:40.415668320 -0700
-+++ b/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:49:14.916114987 -0700
-@@ -51082,12 +51082,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +368,8 @@
-+@@ -391,6 +368,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -69793,7 +69792,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -69808,7 +69807,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -69823,7 +69822,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -70130,9 +70129,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -131673,16 +131672,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h
----- openssh-8.7p1/version.h	2021-08-20 07:03:49.000000000 +0300
--+++ openssh-8.7p1+x509-13.2/version.h	2021-08-30 20:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.7"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4
- --- openssh-8.7p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.7p1+x509-13.2/version.m4	2021-08-30 20:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.7_p1-r1.ebuild b/net-misc/openssh/openssh-8.7_p1-r2.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-8.7_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.7_p1-r2.ebuild
index f5ffce0f449..d2f32ef627b 100644
--- a/net-misc/openssh/openssh-8.7_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.7_p1-r2.ebuild
@@ -21,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-10-01  1:08 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2021-10-01  1:08 UTC (permalink / raw
  To: gentoo-commits

commit:     9431f858b4b325c47d87a82490ad35a978cfc8fb
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Fri Oct  1 01:06:30 2021 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Oct  1 01:08:08 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9431f858

net-misc/openssh-8.8_p1: Version bump, no X509

Bug: https://bugs.gentoo.org/815010
Package-Manager: Portage-3.0.26, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   2 +
 .../files/openssh-8.8_p1-hpn-15.2-glue.patch       |   1 +
 net-misc/openssh/openssh-8.8_p1.ebuild             | 513 +++++++++++++++++++++
 3 files changed, 516 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 48110ee70d6..1378008f277 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -7,6 +7,8 @@ DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c8683
 DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
 DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
+DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914

diff --git a/net-misc/openssh/files/openssh-8.8_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.8_p1-hpn-15.2-glue.patch
new file mode 120000
index 00000000000..7037b34b4e5
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.8_p1-hpn-15.2-glue.patch
@@ -0,0 +1 @@
+openssh-8.7_p1-hpn-15.2-glue.patch
\ No newline at end of file

diff --git a/net-misc/openssh/openssh-8.8_p1.ebuild b/net-misc/openssh/openssh-8.8_p1.ebuild
new file mode 100644
index 00000000000..a0557e249c1
--- /dev/null
+++ b/net-misc/openssh/openssh-8.8_p1.ebuild
@@ -0,0 +1,513 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+#X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+"
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
+					<dev-libs/openssl-1.1.0:0[bindist(-)=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+	)
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# stackprotect is broken on musl x86 and ppc
+		if use x86 || use ppc; then
+			myconf+=( --without-stackprotect )
+		fi
+
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
+			SUDO="" SSH_SK_PROVIDER="" \
+			TEST_SSH_UNSAFE_PERMISSIONS=1 \
+			emake -k -j1 ${t} </dev/null \
+				&& passed+=( "${t}" ) \
+				|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	# https://bugs.gentoo.org/733802
+	if ! use scp; then
+		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
+			|| die "failed to remove scp"
+	fi
+
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-10-29 22:06 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2021-10-29 22:06 UTC (permalink / raw
  To: gentoo-commits

commit:     a224ec97fc8b9df416904257927185c3402dcad6
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 29 22:04:46 2021 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Oct 29 22:05:00 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a224ec97

net-misc/openssh: Revbump, fix bug in X509 patchset

In user_specific_delay, the X509 patch adds a conditional that makes it the
delay could be uninitialized in some cases. This results in random hangs
when attempting to log in to the server. Fix this by initializing to 0.

Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.8_p1-X509-glue-13.2.3.patch    | 30 ++++++++++++++++++----
 ...h-8.8_p1-r1.ebuild => openssh-8.8_p1-r2.ebuild} |  0
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
index 74f8a842e6b..b6827623cd6 100644
--- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
+++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@@ -1,7 +1,27 @@
 diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
---- a/openssh-8.8p1+x509-13.2.3.diff	2021-10-25 10:23:20.264186260 -0700
-+++ b/openssh-8.8p1+x509-13.2.3.diff	2021-10-25 10:24:35.924443287 -0700
-@@ -51859,12 +51859,11 @@
+--- a/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:17.070546984 -0700
++++ b/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:55.086664489 -0700
+@@ -954,15 +954,16 @@
+  	char b[512];
+ -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ -	u_char *hash = xmalloc(len);
++-	double delay;
+ +	int digest_alg;
+ +	size_t len;
+ +	u_char *hash;
+- 	double delay;
+- 
+++	double delay = 0;
+++
+ +	digest_alg = ssh_digest_maxbytes();
+ +	len = ssh_digest_bytes(digest_alg);
+ +	hash = xmalloc(len);
+-+
++
+  	(void)snprintf(b, sizeof b, "%llu%s",
+  	    (unsigned long long)options.timing_secret, user);
+ -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -51859,12 +51860,11 @@
   
   install-files:
   	$(MKDIR_P) $(DESTDIR)$(bindir)
@@ -15,7 +35,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x50
   	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
   	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
   	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -71985,7 +71984,7 @@
+@@ -71985,7 +71985,7 @@
  +if test "$sshd_type" = "pkix" ; then
  +  unset_arg=''
  +else
@@ -24,7 +44,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x50
  +fi
  +
   cat > $OBJ/sshd_config.i << _EOF
-@@ -132360,16 +132359,6 @@
+@@ -132360,16 +132360,6 @@
  +int	 asnmprintf(char **, size_t, int *, const char *, ...)
   	    __attribute__((format(printf, 4, 5)));
   void	 msetlocale(void);

diff --git a/net-misc/openssh/openssh-8.8_p1-r1.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
similarity index 100%
rename from net-misc/openssh/openssh-8.8_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.8_p1-r2.ebuild


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2021-12-24 10:57 Marc Schiffbauer
  0 siblings, 0 replies; 57+ messages in thread
From: Marc Schiffbauer @ 2021-12-24 10:57 UTC (permalink / raw
  To: gentoo-commits

commit:     cb24554516cbb10be9b7c75328b46a620b83be75
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 22 22:15:48 2021 +0000
Commit:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
CommitDate: Fri Dec 24 10:39:01 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb245545

net-misc/openssh: drop 8.6_p1-r2, 8.7_p1-r2, 8.8_p1-r2

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   3 -
 .../openssh/files/openssh-8.0_p1-hpn-version.patch |  13 -
 .../openssh/files/openssh-8.5_p1-GSSAPI-dns.patch  | 354 --------------
 .../files/openssh-8.5_p1-X509-glue-13.0.1.patch    |  72 ---
 .../openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch | 328 -------------
 .../files/openssh-8.5_p1-hpn-15.2-glue.patch       | 104 -----
 .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch  |  18 -
 .../files/openssh-8.6_p1-X509-glue-13.1.patch      |  72 ---
 .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch  | 357 --------------
 .../files/openssh-8.6_p1-hpn-15.2-glue.patch       | 132 ------
 net-misc/openssh/metadata.xml                      |   1 -
 net-misc/openssh/openssh-8.6_p1-r2.ebuild          | 515 ---------------------
 net-misc/openssh/openssh-8.7_p1-r2.ebuild          | 513 --------------------
 net-misc/openssh/openssh-8.8_p1-r2.ebuild          | 508 --------------------
 14 files changed, 2990 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 91d4f77fa8f4..5e5c15efb159 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,3 @@
-DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
-DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
-DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
 DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
 DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2

diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
deleted file mode 100644
index 37905ce6afca..000000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- 	if (version_addendum != NULL && *version_addendum == '\0')
- 		version_addendum = NULL;
- 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
--	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- 	    version_addendum == NULL ? "" : " ",
- 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));

diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
deleted file mode 100644
index eec66ade4b4e..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,354 +0,0 @@
---- a/auth.c	2021-03-02 04:31:47.000000000 -0600
-+++ b/auth.c	2021-03-04 11:22:44.590041696 -0600
-@@ -727,119 +727,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) == -1) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return xstrdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return xstrdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return xstrdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return xstrdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return xstrdup(ntop);
--	}
--	return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
- 
- /* These functions link key/cert options to the auth framework */
- 
---- a/canohost.c	2021-03-02 04:31:47.000000000 -0600
-+++ b/canohost.c	2021-03-04 11:22:54.854211183 -0600
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) == -1) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return xstrdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return xstrdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return xstrdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return xstrdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return xstrdup(ntop);
-+	}
-+	return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index 724974b7..97a1ffd8 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -206,9 +207,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "pkcs11provider", oPKCS11Provider },
-@@ -1083,6 +1086,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index 2fba866e..da3ce87a 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index f8119189..e0fd0d76 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -783,6 +783,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 059c9480..ab6f6832 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
- 	OM_uint32 min;
- 	int r, ok = 0;
- 	gss_OID mech = NULL;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(ssh, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
- 		    elements[authctxt->mech_tried];
- 		/* My DER encoding requires length<128 */
- 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
--		    mech, authctxt->host)) {
-+		    mech, gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			authctxt->mech_tried++;

diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
deleted file mode 100644
index c7812c622c26..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.5p1+x509-13.0.1.diff	2021-03-15 14:05:14.876485231 -0700
-+++ b/openssh-8.5p1+x509-13.0.1.diff	2021-03-15 14:06:05.389154451 -0700
-@@ -46675,12 +46675,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -380,6 +364,8 @@
-+@@ -380,6 +364,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -63967,7 +63966,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -63982,7 +63981,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -63997,7 +63996,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -64129,9 +64128,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -122247,16 +122246,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	     __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
----- openssh-8.5p1/version.h	2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0.1/version.h	2021-03-15 20:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
- --- openssh-8.5p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0.1/version.m4	2021-03-15 20:07:00.000000000 +0200

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
deleted file mode 100644
index 413cc8b9c3dc..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-03-15 17:56:36.240309581 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-  
-  	if (none == NULL) {
-@@ -898,20 +898,20 @@
-  	options->fingerprint_hash = -1;
-  	options->update_hostkeys = -1;
- +	options->disable_multithreaded = -1;
-- 	options->hostbased_accepted_algos = NULL;
-- 	options->pubkey_accepted_algos = NULL;
-- 	options->known_hosts_command = NULL;
-+ }
-+ 
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ 		options->update_hostkeys = 0;
-  	if (options->sk_provider == NULL)
-  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- +	if (options->update_hostkeys == -1)
- +		options->update_hostkeys = 0;
- +	if (options->disable_multithreaded == -1)
- +		options->disable_multithreaded = 0;
-  
-- 	/* Expand KEX name lists */
-- 	all_cipher = cipher_alg_list(',', 0);
-+ 	/* expand KEX and etc. name lists */
-+ {	char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:29:42.953733894 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:47:54.198893025 -0700
-@@ -157,6 +157,36 @@
- +	 Allan Jude provided the code for the NoneMac and buffer normalization.
- +         This work was financed, in part, by Cisco System, Inc., the National
- +         Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ 	double delay;
-+ 
-+ 	digest_alg = ssh_digest_maxbytes();
-+-	len = ssh_digest_bytes(digest_alg);
-+-	hash = xmalloc(len);
-++	if (len = ssh_digest_bytes(digest_alg) > 0) {
-++		hash = xmalloc(len);
-+ 
-+-	(void)snprintf(b, sizeof b, "%llu%s",
-+-	     (unsigned long long)options.timing_secret, user);
-+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+-		fatal_f("ssh_digest_memory");
-+-	/* 0-4.2 ms of delay */
-+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+-	freezero(hash, len);
-++		(void)snprintf(b, sizeof b, "%llu%s",
-++			 (unsigned long long)options.timing_secret, user);
-++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++			fatal_f("ssh_digest_memory");
-++		/* 0-4.2 ms of delay */
-++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++		freezero(hash, len);
-++	}
-+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
-+ 	return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
-  static void
-  channel_pre_open(struct ssh *ssh, Channel *c,
-      fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-  
-  	if (c->type == SSH_CHANNEL_OPEN &&
-  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- -	    ((c->local_window_max - c->local_window >
- -	    c->local_maxpacket*3) ||
--+            ((ssh_packet_is_interactive(ssh) &&
--+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++	    ((ssh_packet_is_interactive(ssh) &&
-++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
-@@ -235,9 +265,8 @@
-  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- 		    (r = sshpkt_send(ssh)) != 0) {
-- 			fatal_fr(r, "channel %i", c->self);
-- 		}
-+ 		    (r = sshpkt_send(ssh)) != 0)
-+ 			fatal_fr(r, "channel %d", c->self);
- -		debug2("channel %d: window %d sent adjust %d", c->self,
- -		    c->local_window, c->local_consumed);
- -		c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- 			debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+-	int i;
-++	int i, bugs = 0;
-+ 	static struct {
-+ 		char	*pat;
-+ 		int	bugs;
-+@@ -147,11 +147,26 @@
-+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ 			debug("match: %s pat %s compat 0x%08x",
-  			    version, check[i].pat, check[i].bugs);
-- 			ssh->compat = check[i].bugs;
- +			/* Check to see if the remote side is OpenSSH and not HPN */
--+			/* TODO: need to use new method to test for this */
- +			if (strstr(version, "OpenSSH") != NULL) {
- +				if (strstr(version, "hpn") == NULL) {
--+					ssh->compat |= SSH_BUG_LARGEWINDOW;
-++					bugs |= SSH_BUG_LARGEWINDOW;
- +					debug("Remote is NON-HPN aware");
- +				}
- +			}
-- 			return;
-+-			return check[i].bugs;
-++			bugs |= check[i].bugs;
-  		}
-  	}
-+-	debug("no match: %s", version);
-+-	return 0;
-++	/* Check to see if the remote side is OpenSSH and not HPN */
-++	if (strstr(version, "OpenSSH") != NULL) {
-++		if (strstr(version, "hpn") == NULL) {
-++			bugs |= SSH_BUG_LARGEWINDOW;
-++			debug("Remote is NON-HPN aware");
-++		}
-++	}
-++	if (bugs == 0)
-++		debug("no match: %s", version);
-++	return bugs;
-+ }
-+ 
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag = 0;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -1035,19 +1088,6 @@
-  
-  /* File to read commands from */
-  FILE* infile;
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- 			freezero(pin, strlen(pin));
-- 		error_r(r, "Unable to load resident keys");
-- 		return -1;
---	}
--+ 	}
-- 	if (nkeys == 0)
-- 		logit("No keys to download");
-- 	if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- +	else
- +		options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- +		debug("HPN to Non-HPN Connection");
- +	} else {
- +		int sock, socksize;
-@@ -1335,6 +1375,28 @@
-  		/* Bind the socket to the desired port. */
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,13 +1625,14 @@
-+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ 		    sshbuf_len(server_cfg)) != 0)
-+ 			fatal_f("ssh_digest_update");
-+-		len = ssh_digest_bytes(digest_alg);
-+-		hash = xmalloc(len);
-+-		if (ssh_digest_final(ctx, hash, len) != 0)
-+-			fatal_f("ssh_digest_final");
-+-		options.timing_secret = PEEK_U64(hash);
-+-		freezero(hash, len);
-+-		ssh_digest_free(ctx);
-++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++			hash = xmalloc(len);
-++			if (ssh_digest_final(ctx, hash, len) != 0)
-++				fatal_f("ssh_digest_final");
-++			options.timing_secret = PEEK_U64(hash);
-++			freezero(hash, len);
-++			ssh_digest_free(ctx);
-++		}
-+ 		ctx = NULL;
-+ 		return;
-+ 	}
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-  	/* Fill in default values for those options not explicitly set. */
-  	fill_default_server_options(&options);
-@@ -1405,14 +1467,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-03-15 18:39:10.262087944 -0700
-@@ -12,9 +12,9 @@
-  static long stalled;		/* how long we have been stalled */
-  static int bytes_per_second;	/* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ 	off_t bytes_left;
-  	int cur_speed;
-- 	int hours, minutes, seconds;
-- 	int file_len;
-+ 	int len;
- +	off_t delta_pos;
-  
-  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
-  	if (bytes_left > 0)
-  		elapsed = now - last_update;
-  	else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-- 
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ 	buf[1] = '\0';
-+
-  	/* filename */
-- 	buf[0] = '\0';
---	file_len = win_size - 36;
--+	file_len = win_size - 45;
-- 	if (file_len > 0) {
-- 		buf[0] = '\r';
-- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+-	if (win_size > 36) {
-++	if (win_size > 45) {
-+-		int file_len = win_size - 36;
-++		int file_len = win_size - 45;
-+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ 		    file_len, file);
-+ 	}
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
-  	    (off_t)bytes_per_second);
-  	strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
-  }
-  
-  /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-- 
-- 	if (skprovider == NULL)
-- 		fatal("Cannot download keys without provider");
---
-- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- 	if (!quiet) {
-- 		printf("You may need to touch your authenticator "

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 8827fe88d7aa..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-15 15:10:45.680967455 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:25:14.710431930 -0700
-@@ -536,18 +536,10 @@
-  	if (state->rekey_limit)
-  		*max_blocks = MINIMUM(*max_blocks,
-  		    state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-@@ -598,12 +576,11 @@
-  };
-  
-  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
-  u_int	 ssh_packet_get_maxsize(struct ssh *);
-  
- +/* for forced packet rekeying post auth */
--+void	 packet_request_rekeying(void);
- +int	 packet_authentication_state(const struct ssh *);
- +
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ 	oDisableMTAES,
-  	oVisualHostKey,
-  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
-  	{ "kexalgorithms", oKexAlgorithms },
-  	{ "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none cipher to be used */
- +  	int     nonemac_enabled;   /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->nonemac_enabled == -1)
-@@ -1330,9 +1307,9 @@
- +		}
- +	}
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c

diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
deleted file mode 100644
index 7199227589c6..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
-@@ -1414,14 +1414,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
deleted file mode 100644
index e23063b5db2e..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.6p1+x509-13.1.diff	2021-04-23 14:46:58.184683047 -0700
-+++ b/openssh-8.6p1+x509-13.1.diff	2021-04-23 15:00:08.455087549 -0700
-@@ -47728,12 +47728,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -389,6 +366,8 @@
-+@@ -389,6 +366,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -65001,7 +65000,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -65016,7 +65015,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -65031,7 +65030,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -65163,9 +65162,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -124084,16 +124083,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
----- openssh-8.6p1/version.h	2021-04-16 06:55:25.000000000 +0300
--+++ openssh-8.6p1+x509-13.1/version.h	2021-04-21 21:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.6"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
- --- openssh-8.6p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.6p1+x509-13.1/version.m4	2021-04-21 21:07:00.000000000 +0300

diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 714dffc41712..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-04-23 15:32:29.807508606 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-  
-  	if (none == NULL) {
-@@ -898,20 +898,20 @@
-  	options->fingerprint_hash = -1;
-  	options->update_hostkeys = -1;
- +	options->disable_multithreaded = -1;
-- 	options->hostbased_accepted_algos = NULL;
-- 	options->pubkey_accepted_algos = NULL;
-- 	options->known_hosts_command = NULL;
-+ }
-+ 
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ 		options->update_hostkeys = 0;
-  	if (options->sk_provider == NULL)
-  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- +	if (options->update_hostkeys == -1)
- +		options->update_hostkeys = 0;
- +	if (options->disable_multithreaded == -1)
- +		options->disable_multithreaded = 0;
-  
-- 	/* Expand KEX name lists */
-- 	all_cipher = cipher_alg_list(',', 0);
-+ 	/* expand KEX and etc. name lists */
-+ {	char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-23 15:46:32.296026606 -0700
-@@ -157,6 +157,36 @@
- +	 Allan Jude provided the code for the NoneMac and buffer normalization.
- +         This work was financed, in part, by Cisco System, Inc., the National
- +         Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ 	double delay;
-+ 
-+ 	digest_alg = ssh_digest_maxbytes();
-+-	len = ssh_digest_bytes(digest_alg);
-+-	hash = xmalloc(len);
-++	if (len = ssh_digest_bytes(digest_alg) > 0) {
-++		hash = xmalloc(len);
-+ 
-+-	(void)snprintf(b, sizeof b, "%llu%s",
-+-	    (unsigned long long)options.timing_secret, user);
-+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+-		fatal_f("ssh_digest_memory");
-+-	/* 0-4.2 ms of delay */
-+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+-	freezero(hash, len);
-++		(void)snprintf(b, sizeof b, "%llu%s",
-++		    (unsigned long long)options.timing_secret, user);
-++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++			fatal_f("ssh_digest_memory");
-++		/* 0-4.2 ms of delay */
-++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++		freezero(hash, len);
-++	}
-+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
-+ 	return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
-  static void
-  channel_pre_open(struct ssh *ssh, Channel *c,
-      fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-  
-  	if (c->type == SSH_CHANNEL_OPEN &&
-  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- -	    ((c->local_window_max - c->local_window >
- -	    c->local_maxpacket*3) ||
--+            ((ssh_packet_is_interactive(ssh) &&
--+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++	    ((ssh_packet_is_interactive(ssh) &&
-++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
-@@ -235,9 +265,8 @@
-  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- 		    (r = sshpkt_send(ssh)) != 0) {
-- 			fatal_fr(r, "channel %i", c->self);
-- 		}
-+ 		    (r = sshpkt_send(ssh)) != 0)
-+ 			fatal_fr(r, "channel %d", c->self);
- -		debug2("channel %d: window %d sent adjust %d", c->self,
- -		    c->local_window, c->local_consumed);
- -		c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- 			debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+-	int i;
-++	int i, bugs = 0;
-+ 	static struct {
-+ 		char	*pat;
-+ 		int	bugs;
-+@@ -147,11 +147,26 @@
-+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ 			debug("match: %s pat %s compat 0x%08x",
-  			    version, check[i].pat, check[i].bugs);
-- 			ssh->compat = check[i].bugs;
- +			/* Check to see if the remote side is OpenSSH and not HPN */
--+			/* TODO: need to use new method to test for this */
- +			if (strstr(version, "OpenSSH") != NULL) {
- +				if (strstr(version, "hpn") == NULL) {
--+					ssh->compat |= SSH_BUG_LARGEWINDOW;
-++					bugs |= SSH_BUG_LARGEWINDOW;
- +					debug("Remote is NON-HPN aware");
- +				}
- +			}
-- 			return;
-+-			return check[i].bugs;
-++			bugs |= check[i].bugs;
-  		}
-  	}
-+-	debug("no match: %s", version);
-+-	return 0;
-++	/* Check to see if the remote side is OpenSSH and not HPN */
-++	if (strstr(version, "OpenSSH") != NULL) {
-++		if (strstr(version, "hpn") == NULL) {
-++			bugs |= SSH_BUG_LARGEWINDOW;
-++			debug("Remote is NON-HPN aware");
-++		}
-++	}
-++	if (bugs == 0)
-++		debug("no match: %s", version);
-++	return bugs;
-+ }
-+ 
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag = 0;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +606,7 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-  	fd_set *setp;
-@@ -1035,19 +1088,6 @@
-  
-  /* Minimum amount of data to read at a time */
-  #define MIN_READ_SIZE	512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- 			freezero(pin, strlen(pin));
-- 		error_r(r, "Unable to load resident keys");
-- 		return -1;
---	}
--+ 	}
-- 	if (nkeys == 0)
-- 		logit("No keys to download");
-- 	if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- +	else
- +		options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- +		debug("HPN to Non-HPN Connection");
- +	} else {
- +		int sock, socksize;
-@@ -1335,7 +1375,29 @@
-  		/* Bind the socket to the desired port. */
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ 		    sshbuf_len(server_cfg)) != 0)
-+ 			fatal_f("ssh_digest_update");
-+-		len = ssh_digest_bytes(digest_alg);
-+-		hash = xmalloc(len);
-+-		if (ssh_digest_final(ctx, hash, len) != 0)
-+-			fatal_f("ssh_digest_final");
-+-		options.timing_secret = PEEK_U64(hash);
-+-		freezero(hash, len);
-+-		ssh_digest_free(ctx);
-++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++			hash = xmalloc(len);
-++			if (ssh_digest_final(ctx, hash, len) != 0)
-++				fatal_f("ssh_digest_final");
-++			options.timing_secret = PEEK_U64(hash);
-++			freezero(hash, len);
-++			ssh_digest_free(ctx);
-++		}
-+ 		ctx = NULL;
-+ 		return;
-+ 	}
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
-  	/* Fill in default values for those options not explicitly set. */
-  	fill_default_server_options(&options);
-  
-@@ -1355,7 +1417,7 @@
-  	/* challenge-response is implemented via keyboard interactive */
-  	if (options.challenge_response_authentication)
-  		options.kbd_interactive_authentication = 1;
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
-  	    rdomain == NULL ? "" : "\"");
-  	free(laddr);
-  
-@@ -1365,7 +1427,7 @@
-  	/*
-  	 * We don't want to listen forever unless the other side
-  	 * successfully authenticates itself.  So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
-  	struct kex *kex;
-  	int r;
-  
-@@ -1405,14 +1467,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-04-23 15:32:29.808508608 -0700
-@@ -12,9 +12,9 @@
-  static long stalled;		/* how long we have been stalled */
-  static int bytes_per_second;	/* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ 	off_t bytes_left;
-  	int cur_speed;
-- 	int hours, minutes, seconds;
-- 	int file_len;
-+ 	int len;
- +	off_t delta_pos;
-  
-  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
-  	if (bytes_left > 0)
-  		elapsed = now - last_update;
-  	else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-- 
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ 	buf[1] = '\0';
-+
-  	/* filename */
-- 	buf[0] = '\0';
---	file_len = win_size - 36;
--+	file_len = win_size - 45;
-- 	if (file_len > 0) {
-- 		buf[0] = '\r';
-- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+-	if (win_size > 36) {
-++	if (win_size > 45) {
-+-		int file_len = win_size - 36;
-++		int file_len = win_size - 45;
-+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ 		    file_len, file);
-+ 	}
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
-  	    (off_t)bytes_per_second);
-  	strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
-  }
-  
-  /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-- 
-- 	if (skprovider == NULL)
-- 		fatal("Cannot download keys without provider");
---
-- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- 	if (!quiet) {
-- 		printf("You may need to touch your authenticator "

diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 30c0252ccb55..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:36:51.659996653 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:42:23.302377465 -0700
-@@ -536,18 +536,10 @@
-  	if (state->rekey_limit)
-  		*max_blocks = MINIMUM(*max_blocks,
-  		    state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-@@ -598,12 +576,11 @@
-  };
-  
-  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
-  u_int	 ssh_packet_get_maxsize(struct ssh *);
-  
- +/* for forced packet rekeying post auth */
--+void	 packet_request_rekeying(void);
- +int	 packet_authentication_state(const struct ssh *);
- +
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ 	oDisableMTAES,
-  	oVisualHostKey,
-  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
-  	{ "kexalgorithms", oKexAlgorithms },
-  	{ "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none cipher to be used */
- +  	int     nonemac_enabled;   /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
-  Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
-- 
-- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN	32768
-+ 
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS	64
-++#define DEFAULT_NUM_REQUESTS	256
-  
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE	512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- +		}
- +	}
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c

diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 58ff739e1d4c..f23eae1e1222 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
 ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 </longdescription>
   <use>
-    <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
     <flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
     <flag name="hpn">Enable high performance ssh</flag>
     <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>

diff --git a/net-misc/openssh/openssh-8.6_p1-r2.ebuild b/net-misc/openssh/openssh-8.6_p1-r2.ebuild
deleted file mode 100644
index f896a51951ac..000000000000
--- a/net-misc/openssh/openssh-8.6_p1-r2.ebuild
+++ /dev/null
@@ -1,515 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp !security-key ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
-					<dev-libs/openssl-1.1.0:0[bindist(-)=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-	)
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	# workaround for https://bugs.gentoo.org/734984
-	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# stackprotect is broken on musl x86 and ppc
-		if use x86 || use ppc; then
-			myconf+=( --without-stackprotect )
-		fi
-
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
-			SUDO="" SSH_SK_PROVIDER="" \
-			TEST_SSH_UNSAFE_PERMISSIONS=1 \
-			emake -k -j1 ${t} </dev/null \
-				&& passed+=( "${t}" ) \
-				|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	# https://bugs.gentoo.org/733802
-	if ! use scp; then
-		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
-			|| die "failed to remove scp"
-	fi
-
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-8.7_p1-r2.ebuild b/net-misc/openssh/openssh-8.7_p1-r2.ebuild
deleted file mode 100644
index c44fb1a6f829..000000000000
--- a/net-misc/openssh/openssh-8.7_p1-r2.ebuild
+++ /dev/null
@@ -1,513 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	hpn? ( ssl )
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
-					<dev-libs/openssl-1.1.0:0[bindist(-)=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-	)
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# stackprotect is broken on musl x86 and ppc
-		if use x86 || use ppc; then
-			myconf+=( --without-stackprotect )
-		fi
-
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
-			SUDO="" SSH_SK_PROVIDER="" \
-			TEST_SSH_UNSAFE_PERMISSIONS=1 \
-			emake -k -j1 ${t} </dev/null \
-				&& passed+=( "${t}" ) \
-				|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	# https://bugs.gentoo.org/733802
-	if ! use scp; then
-		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
-			|| die "failed to remove scp"
-	fi
-
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}

diff --git a/net-misc/openssh/openssh-8.8_p1-r2.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
deleted file mode 100644
index a8039cdc405f..000000000000
--- a/net-misc/openssh/openssh-8.8_p1-r2.ebuild
+++ /dev/null
@@ -1,508 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	hpn? ( ssl )
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
-					<dev-libs/openssl-1.1.0:0[bindist(-)=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-	)
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
-			SUDO="" SSH_SK_PROVIDER="" \
-			TEST_SSH_UNSAFE_PERMISSIONS=1 \
-			emake -k -j1 ${t} </dev/null \
-				&& passed+=( "${t}" ) \
-				|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	# https://bugs.gentoo.org/733802
-	if ! use scp; then
-		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
-			|| die "failed to remove scp"
-	fi
-
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-01-17  0:37 Mike Gilbert
  0 siblings, 0 replies; 57+ messages in thread
From: Mike Gilbert @ 2022-01-17  0:37 UTC (permalink / raw
  To: gentoo-commits

commit:     bb4654720b3405481804db01513b88f3e0d5c93b
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 17 00:34:36 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Jan 17 00:37:31 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb465472

net-misc/openssh: drop 8.7_p1-r4

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   3 -
 .../files/openssh-8.3_p1-sha2-include.patch        |  13 -
 .../files/openssh-8.7_p1-X509-glue-13.2.1.patch    |  45 --
 net-misc/openssh/openssh-8.7_p1-r4.ebuild          | 498 ---------------------
 4 files changed, 559 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 5e5c15efb159..883f7ee765bf 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,3 @@
-DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
-DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
-DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
 DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
 DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
 DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df

diff --git a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
deleted file mode 100644
index 6bd716619701..000000000000
--- a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile.in b/Makefile.in
-index c9e4294d..2dbfac24 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@

diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
deleted file mode 100644
index be88d11ba803..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
+++ /dev/null
@@ -1,45 +0,0 @@
---- a/openssh-8.7p1+x509-13.2.1.diff	2021-09-08 14:20:40.750542472 -0700
-+++ b/openssh-8.7p1+x509-13.2.1.diff	2021-09-08 14:21:23.354736098 -0700
-@@ -51194,12 +51194,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +368,8 @@
-+@@ -391,6 +368,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -70464,9 +70463,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -132131,16 +132130,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2.1/version.h
----- openssh-8.7p1/version.h	2021-08-20 07:03:49.000000000 +0300
--+++ openssh-8.7p1+x509-13.2.1/version.h	2021-09-08 21:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.7"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2.1/version.m4
- --- openssh-8.7p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.7p1+x509-13.2.1/version.m4	2021-09-08 21:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.7_p1-r4.ebuild b/net-misc/openssh/openssh-8.7_p1-r4.ebuild
deleted file mode 100644
index d38be351907d..000000000000
--- a/net-misc/openssh/openssh-8.7_p1-r4.ebuild
+++ /dev/null
@@ -1,498 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	hpn? ( ssl )
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa(+),ssl(+)]
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	!prefix? ( sys-apps/shadow )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
-	local fail="
-		$(use hpn && maybe_fail hpn HPN_VER)
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
-		$(use X509 && maybe_fail X509 X509_PATCH)
-	"
-	fail=$(echo ${fail})
-	if [[ -n ${fail} ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local t skipped=() failed=() passed=()
-	local tests=( interop-tests compat-tests )
-
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
-		skipped+=( tests )
-	else
-		tests+=( tests )
-	fi
-
-	# It will also attempt to write to the homedir .ssh.
-	local sshhome=${T}/homedir
-	mkdir -p "${sshhome}"/.ssh
-	for t in "${tests[@]}" ; do
-		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
-			SUDO="" SSH_SK_PROVIDER="" \
-			TEST_SSH_UNSAFE_PERMISSIONS=1 \
-			emake -k -j1 ${t} </dev/null \
-				&& passed+=( "${t}" ) \
-				|| failed+=( "${t}" )
-	done
-
-	einfo "Passed tests: ${passed[*]}"
-	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
-	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	# https://bugs.gentoo.org/733802
-	if ! use scp; then
-		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
-			|| die "failed to remove scp"
-	fi
-
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-02-26  1:07 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-02-26  1:07 UTC (permalink / raw
  To: gentoo-commits

commit:     9cbbc55aee6b2534bbc8d8fe12128c1083ee6850
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 26 01:06:59 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sat Feb 26 01:06:59 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cbbc55a

net-misc/openssh: Add patches for bugs #834019 and #834037

Bug: https://bugs.gentoo.org/834019
Bug: https://bugs.gentoo.org/834037
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.9_p1-X509-glue-13.3.patch      | 34 +++++++++++++++++++---
 .../files/openssh-8.9_p1-allow-ppoll_time64.patch  | 14 +++++++++
 .../openssh-8.9_p1-fzero-call-used-regs.patch      | 32 ++++++++++++++++++++
 net-misc/openssh/openssh-8.9_p1.ebuild             |  2 ++
 4 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
index 91da09971acc..66617a17af2a 100644
--- a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
+++ b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
@@ -1,6 +1,6 @@
 diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-13.3.diff
 --- a/openssh-8.9p1+x509-13.3.diff	2022-02-24 17:19:30.830285922 -0800
-+++ b/openssh-8.9p1+x509-13.3.diff	2022-02-24 17:22:12.374625809 -0800
++++ b/openssh-8.9p1+x509-13.3.diff	2022-02-25 16:56:00.750829460 -0800
 @@ -993,15 +993,16 @@
   	char b[512];
  -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
@@ -21,7 +21,33 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   	(void)snprintf(b, sizeof b, "%llu%s",
   	    (unsigned long long)options.timing_secret, user);
  -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -52711,12 +52712,11 @@
+@@ -51970,7 +51971,7 @@
+ diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3/m4/openssh.m4
+ --- openssh-8.9p1/m4/openssh.m4	2022-02-23 13:31:11.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3/m4/openssh.m4	1970-01-01 02:00:00.000000000 +0200
+-@@ -1,200 +0,0 @@
++@@ -1,203 +0,0 @@
+ -dnl OpenSSH-specific autoconf macros
+ -dnl
+ -
+@@ -51987,6 +51988,8 @@
+ -	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ -#include <stdlib.h>
+ -#include <stdio.h>
++-/* Trivial function to help test for -fzero-call-used-regs */
++-void f(int n) {}
+ -int main(int argc, char **argv) {
+ -	(void)argv;
+ -	/* Some math to catch -ftrapv problems in the toolchain */
+@@ -51994,6 +51997,7 @@
+ -	float l = i * 2.1;
+ -	double m = l / 0.5;
+ -	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++-	f(0);
+ -	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ -	/*
+ -	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
+@@ -52711,12 +52715,11 @@
   
   install-files:
   	$(MKDIR_P) $(DESTDIR)$(bindir)
@@ -35,7 +61,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
   	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
   	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -73508,7 +73508,7 @@
+@@ -73508,7 +73511,7 @@
  +if test "$sshd_type" = "pkix" ; then
  +  unset_arg=''
  +else
@@ -44,7 +70,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
  +fi
  +
   cat > $OBJ/sshd_config.i << _EOF
-@@ -137555,16 +137555,6 @@
+@@ -137555,16 +137558,6 @@
  +int	 asnmprintf(char **, size_t, int *, const char *, ...)
   	    __attribute__((format(printf, 4, 5)));
   void	 msetlocale(void);

diff --git a/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 000000000000..8c46625aa29c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ 	SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++	SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ 	SC_ALLOW(__NR_poll),
+ #endif

diff --git a/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
new file mode 100644
index 000000000000..0231ce46d7b1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
@@ -0,0 +1,32 @@
+From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 24 Feb 2022 16:04:18 +0000
+Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
+
+GCC doesn't tell us whether this option is supported unless it runs into
+the situation where it would need to emit corresponding code.
+---
+ m4/openssh.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 4f9c3792dc1..8c33c701b8b 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ #include <stdlib.h>
+ #include <stdio.h>
++/* Trivial function to help test for -fzero-call-used-regs */
++void f(int n) {}
+ int main(int argc, char **argv) {
+ 	(void)argv;
+ 	/* Some math to catch -ftrapv problems in the toolchain */
+@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
+ 	float l = i * 2.1;
+ 	double m = l / 0.5;
+ 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++	f(0);
+ 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ 	/*
+ 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does

diff --git a/net-misc/openssh/openssh-8.9_p1.ebuild b/net-misc/openssh/openssh-8.9_p1.ebuild
index 5b7b5d1c44db..bb334274000e 100644
--- a/net-misc/openssh/openssh-8.9_p1.ebuild
+++ b/net-misc/openssh/openssh-8.9_p1.ebuild
@@ -126,6 +126,8 @@ src_prepare() {
 	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+	eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
+	eapply "${FILESDIR}"/${PN}-8.9_p1-fzero-call-used-regs.patch #834037
 
 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-02-26  1:38 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-02-26  1:38 UTC (permalink / raw
  To: gentoo-commits

commit:     126e92820579e58d391f55fdfefe425a685fc217
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 26 01:37:51 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sat Feb 26 01:37:51 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=126e9282

net-misc/openssh: Add patch to fix #834044

I can't reproduce this locally, however this should be a fairly simple
fix.
Closes: https://bugs.gentoo.org/834044
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-8.9_p1-X509-glue-13.3.patch      | 13 ++++++++++-
 .../openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch     | 27 ++++++++++++++++++++++
 net-misc/openssh/openssh-8.9_p1.ebuild             |  1 +
 3 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
index 66617a17af2a..7c7767109dd5 100644
--- a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
+++ b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
@@ -1,6 +1,6 @@
 diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-13.3.diff
 --- a/openssh-8.9p1+x509-13.3.diff	2022-02-24 17:19:30.830285922 -0800
-+++ b/openssh-8.9p1+x509-13.3.diff	2022-02-25 16:56:00.750829460 -0800
++++ b/openssh-8.9p1+x509-13.3.diff	2022-02-25 17:35:40.885492007 -0800
 @@ -993,15 +993,16 @@
   	char b[512];
  -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
@@ -21,6 +21,17 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   	(void)snprintf(b, sizeof b, "%llu%s",
   	    (unsigned long long)options.timing_secret, user);
  -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -44573,8 +44574,8 @@
+  		gss_create_empty_oid_set(&status, &oidset);
+  		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+  
+--		if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+		if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++-		if (gethostname(lname, HOST_NAME_MAX)) {
+++		if (gethostname(lname, HOST_NAME_MAX) == -1) {
+  			gss_release_oid_set(&status, &oidset);
+  			return (-1);
+  		}
 @@ -51970,7 +51971,7 @@
  diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3/m4/openssh.m4
  --- openssh-8.9p1/m4/openssh.m4	2022-02-23 13:31:11.000000000 +0200

diff --git a/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 000000000000..98c87ecf5f47
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,27 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ 		gss_create_empty_oid_set(&status, &oidset);
+ 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ 
+-		if (gethostname(lname, MAXHOSTNAMELEN)) {
++		if (gethostname(lname, HOST_NAME_MAX)) {
+ 			gss_release_oid_set(&status, &oidset);
+ 			return (-1);
+ 		}
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ 	SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++	SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ 	SC_ALLOW(__NR_poll),
+ #endif

diff --git a/net-misc/openssh/openssh-8.9_p1.ebuild b/net-misc/openssh/openssh-8.9_p1.ebuild
index bb334274000e..562d5b5a4914 100644
--- a/net-misc/openssh/openssh-8.9_p1.ebuild
+++ b/net-misc/openssh/openssh-8.9_p1.ebuild
@@ -128,6 +128,7 @@ src_prepare() {
 	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
 	eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
 	eapply "${FILESDIR}"/${PN}-8.9_p1-fzero-call-used-regs.patch #834037
+	eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
 
 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
 


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-03-06  7:22 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-03-06  7:22 UTC (permalink / raw
  To: gentoo-commits

commit:     5ec2abcc9cbcc9a06475968044b841c129f1ee88
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sun Mar  6 07:22:27 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sun Mar  6 07:22:27 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ec2abcc

net-misc/openssh: Revbump, update X509 patch

Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |  2 +-
 ...patch => openssh-8.9_p1-X509-glue-13.3.1.patch} | 60 ++++++++++++++++------
 ...h-8.9_p1-r1.ebuild => openssh-8.9_p1-r2.ebuild} |  2 +-
 3 files changed, 45 insertions(+), 19 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 799f15e8b2a8..90b2cf0c98f7 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,7 +1,7 @@
 DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
 DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
 DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-DIST openssh-8.9p1+x509-13.3.diff.gz 1109839 BLAKE2B 64bbb5afcffe11ae31fa9cb21a8668e50a08012079108cbb7444412eb05a0fbfd10fce82b347bfd9a68b765fffaa09eb30dd7d70801f723d79f45a3b5858fef9 SHA512 fb54ed71eb0c37236ea3fe6e5be77aba56d511d6d087e374059ddc21f42aa9b75d832b8a927d082b71ac41de8bc9760f3e6f6335a88af023d5618c74872f9611
+DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
 DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
 DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f

diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
similarity index 64%
rename from net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
rename to net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
index 7c7767109dd5..eab5b5344d6a 100644
--- a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.patch
+++ b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
@@ -1,7 +1,7 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-13.3.diff
---- a/openssh-8.9p1+x509-13.3.diff	2022-02-24 17:19:30.830285922 -0800
-+++ b/openssh-8.9p1+x509-13.3.diff	2022-02-25 17:35:40.885492007 -0800
-@@ -993,15 +993,16 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
+--- a/openssh-8.9p1+x509-13.3.1.diff	2022-03-05 21:49:32.673126122 -0800
++++ b/openssh-8.9p1+x509-13.3.1.diff	2022-03-05 21:52:52.581776560 -0800
+@@ -1002,15 +1002,16 @@
   	char b[512];
  -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
  -	u_char *hash = xmalloc(len);
@@ -21,7 +21,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   	(void)snprintf(b, sizeof b, "%llu%s",
   	    (unsigned long long)options.timing_secret, user);
  -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -44573,8 +44574,8 @@
+@@ -44746,8 +44747,8 @@
   		gss_create_empty_oid_set(&status, &oidset);
   		gss_add_oid_set_member(&status, ctx->oid, &oidset);
   
@@ -32,16 +32,16 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   			gss_release_oid_set(&status, &oidset);
   			return (-1);
   		}
-@@ -51970,7 +51971,7 @@
- diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3/m4/openssh.m4
+@@ -52143,7 +52144,7 @@
+ diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
  --- openssh-8.9p1/m4/openssh.m4	2022-02-23 13:31:11.000000000 +0200
- +++ openssh-8.9p1+x509-13.3/m4/openssh.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4	1970-01-01 02:00:00.000000000 +0200
 -@@ -1,200 +0,0 @@
 +@@ -1,203 +0,0 @@
  -dnl OpenSSH-specific autoconf macros
  -dnl
  -
-@@ -51987,6 +51988,8 @@
+@@ -52160,6 +52161,8 @@
  -	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
  -#include <stdlib.h>
  -#include <stdio.h>
@@ -50,7 +50,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
  -int main(int argc, char **argv) {
  -	(void)argv;
  -	/* Some math to catch -ftrapv problems in the toolchain */
-@@ -51994,6 +51997,7 @@
+@@ -52167,6 +52170,7 @@
  -	float l = i * 2.1;
  -	double m = l / 0.5;
  -	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
@@ -58,7 +58,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
  -	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
  -	/*
  -	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
-@@ -52711,12 +52715,11 @@
+@@ -52884,12 +52888,11 @@
   
   install-files:
   	$(MKDIR_P) $(DESTDIR)$(bindir)
@@ -72,7 +72,7 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
   	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
   	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
   	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -73508,7 +73511,7 @@
+@@ -73836,7 +73839,7 @@
  +if test "$sshd_type" = "pkix" ; then
  +  unset_arg=''
  +else
@@ -81,13 +81,39 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
  +fi
  +
   cat > $OBJ/sshd_config.i << _EOF
-@@ -137555,16 +137558,6 @@
+@@ -79691,25 +79694,6 @@
+  #ifdef __NR_getrandom
+  	SC_ALLOW(__NR_getrandom),
+  #endif
+-@@ -267,15 +273,15 @@
+- #ifdef __NR_clock_nanosleep_time64
+- 	SC_ALLOW(__NR_clock_nanosleep_time64),
+- #endif
+--#ifdef __NR_clock_gettime64
+--	SC_ALLOW(__NR_clock_gettime64),
+--#endif
+- #ifdef __NR__newselect
+- 	SC_ALLOW(__NR__newselect),
+- #endif
+- #ifdef __NR_ppoll
+- 	SC_ALLOW(__NR_ppoll),
+- #endif
+-+#ifdef __NR_ppoll_time64
+-+	SC_ALLOW(__NR_ppoll_time64),
+-+#endif
+- #ifdef __NR_poll
+- 	SC_ALLOW(__NR_poll),
+- #endif
+ @@ -288,6 +294,9 @@
+  #ifdef __NR_read
+  	SC_ALLOW(__NR_read),
+@@ -137848,16 +137832,6 @@
  +int	 asnmprintf(char **, size_t, int *, const char *, ...)
   	    __attribute__((format(printf, 4, 5)));
   void	 msetlocale(void);
--diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3/version.h
+-diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
 ---- openssh-8.9p1/version.h	2022-02-23 13:31:11.000000000 +0200
--+++ openssh-8.9p1+x509-13.3/version.h	2022-02-24 20:07:00.000000000 +0200
+-+++ openssh-8.9p1+x509-13.3.1/version.h	2022-03-05 10:07:00.000000000 +0200
 -@@ -2,5 +2,4 @@
 - 
 - #define SSH_VERSION	"OpenSSH_8.9"
@@ -95,6 +121,6 @@ diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.diff b/openssh-8.9p1+x509-
 --#define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3/version.m4
+ diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
  --- openssh-8.9p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.9p1+x509-13.3/version.m4	2022-02-24 20:07:00.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/version.m4	2022-03-05 10:07:00.000000000 +0200

diff --git a/net-misc/openssh/openssh-8.9_p1-r1.ebuild b/net-misc/openssh/openssh-8.9_p1-r2.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-8.9_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.9_p1-r2.ebuild
index 562d5b5a4914..a6888564f58a 100644
--- a/net-misc/openssh/openssh-8.9_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.9_p1-r2.ebuild
@@ -21,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-04-11 20:57 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-04-11 20:57 UTC (permalink / raw
  To: gentoo-commits

commit:     65eb435aaada201aa4447f13911db365513c9bdd
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 11 20:56:56 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Mon Apr 11 20:57:13 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65eb435a

net-misc/openssh: add 9.0_p1

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   4 +
 .../files/openssh-9.0_p1-X509-glue-13.3.2.patch    |  54 +++
 net-misc/openssh/openssh-9.0_p1.ebuild             | 485 +++++++++++++++++++++
 3 files changed, 543 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index dc2617579f57..3142cc61e56b 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -9,3 +9,7 @@ DIST openssh-8.9p1.tar.gz.asc 833 BLAKE2B fd44a5545bd0795ee335e480011dbe3c12011d
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.0p1+x509-13.3.2.diff.gz 1128591 BLAKE2B fb560e2f1803ceb946a1ba8bd53a1f9fd262896b820c23d4b0015218433d2200f1fd9df5b1889a670261f13936d8153da1ab4beb2a5d52ede78168189c522bf3 SHA512 e643168d7098c44f85a9bac9894a936a3480ec843162197ce56e016dd4f634ef182dcfae1f7e18408f6a18832e0a95d2d249a23fdbc3dc46df76989ca0a0c7fc
+DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
+DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
+DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f

diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
new file mode 100644
index 000000000000..3d702eb35be8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
@@ -0,0 +1,54 @@
+diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.3.2.diff b/openssh-9.0p1+x509-13.3.2.diff
+--- a/openssh-9.0p1+x509-13.3.2.diff	2022-04-11 10:32:02.364576985 -0700
++++ b/openssh-9.0p1+x509-13.3.2.diff	2022-04-11 10:38:29.267348410 -0700
+@@ -47526,8 +47526,8 @@
+  		gss_create_empty_oid_set(&status, &oidset);
+  		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+  
+--		if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+		if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++-		if (gethostname(lname, HOST_NAME_MAX)) {
+++		if (gethostname(lname, HOST_NAME_MAX) == -1) {
+  			gss_release_oid_set(&status, &oidset);
+  			return (-1);
+  		}
+@@ -55662,12 +55662,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -395,6 +372,8 @@
++@@ -395,6 +372,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -76764,7 +76763,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ +  unset_arg=''
+ +else
+-+  unset_arg=none
+++  unset_arg=''
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -141144,16 +141143,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	    __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.3.2/version.h
+---- openssh-9.0p1/version.h	2022-04-06 03:47:48.000000000 +0300
+-+++ openssh-9.0p1+x509-13.3.2/version.h	2022-04-11 09:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_9.0"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.3.2/version.m4
+ --- openssh-9.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-9.0p1+x509-13.3.2/version.m4	2022-04-11 09:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-9.0_p1.ebuild b/net-misc/openssh/openssh-9.0_p1.ebuild
new file mode 100644
index 000000000000..6e16f5eb038c
--- /dev/null
+++ b/net-misc/openssh/openssh-9.0_p1.ebuild
@@ -0,0 +1,485 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="13.3.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+	eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
+	eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-05-10 17:32 Mike Gilbert
  0 siblings, 0 replies; 57+ messages in thread
From: Mike Gilbert @ 2022-05-10 17:32 UTC (permalink / raw
  To: gentoo-commits

commit:     05be256e7a3d80ab9855a183cdcb3fb260ecd6be
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue May 10 17:31:44 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue May 10 17:31:44 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05be256e

net-misc/openssh: drop 8.8_p1-r4

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   4 -
 .../files/openssh-8.7_p1-hpn-15.2-X509-glue.patch  | 447 -------------------
 .../files/openssh-8.7_p1-hpn-15.2-glue.patch       | 198 ---------
 .../files/openssh-8.8_p1-X509-glue-13.2.3.patch    |  63 ---
 net-misc/openssh/openssh-8.8_p1-r4.ebuild          | 491 ---------------------
 5 files changed, 1203 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 3142cc61e56b..029c76bb16d1 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,7 +1,3 @@
-DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
-DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
-DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-DIST openssh-8.8p1.tar.gz.asc 833 BLAKE2B ffe78af226b9c8395e60ca54bcb626cc933ee069f9f0f17f408ca1493cb346aa3fb878efeaccc646f8fa7bf1c40d6d61a81e37342ccf56ae601403bf9d59f4d6 SHA512 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
 DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
 DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
 DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b

diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 49c05917779a..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:26:11.116026151 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-  
-  	if (none == NULL) {
-@@ -894,24 +894,24 @@
-  		intptr = &options->compression;
-  		multistate_ptr = multistate_compression;
- @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
-- 	options->revoked_host_keys = NULL;
-  	options->fingerprint_hash = -1;
-  	options->update_hostkeys = -1;
-+	options->known_hosts_command = NULL;
- +	options->disable_multithreaded = -1;
-- 	options->hostbased_accepted_algos = NULL;
-- 	options->pubkey_accepted_algos = NULL;
-- 	options->known_hosts_command = NULL;
-+ }
-+ 
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ 		options->update_hostkeys = 0;
-  	if (options->sk_provider == NULL)
-  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- +	if (options->update_hostkeys == -1)
- +		options->update_hostkeys = 0;
- +	if (options->disable_multithreaded == -1)
- +		options->disable_multithreaded = 0;
-  
-- 	/* Expand KEX name lists */
-- 	all_cipher = cipher_alg_list(',', 0);
-+ 	/* expand KEX and etc. name lists */
-+ {	char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 14:17:59.366248683 -0700
-@@ -157,6 +157,36 @@
- +	 Allan Jude provided the code for the NoneMac and buffer normalization.
- +         This work was financed, in part, by Cisco System, Inc., the National
- +         Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ 	double delay;
-+ 
-+ 	digest_alg = ssh_digest_maxbytes();
-+-	len = ssh_digest_bytes(digest_alg);
-+-	hash = xmalloc(len);
-++	if (len = ssh_digest_bytes(digest_alg) > 0) {
-++		hash = xmalloc(len);
-+ 
-+-	(void)snprintf(b, sizeof b, "%llu%s",
-+-	    (unsigned long long)options.timing_secret, user);
-+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+-		fatal_f("ssh_digest_memory");
-+-	/* 0-4.2 ms of delay */
-+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+-	freezero(hash, len);
-++		(void)snprintf(b, sizeof b, "%llu%s",
-++		    (unsigned long long)options.timing_secret, user);
-++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++			fatal_f("ssh_digest_memory");
-++		/* 0-4.2 ms of delay */
-++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++		freezero(hash, len);
-++	}
-+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
-+ 	return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
-  static void
-  channel_pre_open(struct ssh *ssh, Channel *c,
-      fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-  
-  	if (c->type == SSH_CHANNEL_OPEN &&
-  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- -	    ((c->local_window_max - c->local_window >
- -	    c->local_maxpacket*3) ||
--+            ((ssh_packet_is_interactive(ssh) &&
--+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++	    ((ssh_packet_is_interactive(ssh) &&
-++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
-@@ -235,9 +265,8 @@
-  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- 		    (r = sshpkt_send(ssh)) != 0) {
-- 			fatal_fr(r, "channel %i", c->self);
-- 		}
-+ 		    (r = sshpkt_send(ssh)) != 0)
-+ 			fatal_fr(r, "channel %d", c->self);
- -		debug2("channel %d: window %d sent adjust %d", c->self,
- -		    c->local_window, c->local_consumed);
- -		c->local_window += c->local_consumed;
-@@ -337,70 +366,92 @@
- index 70f492f8..5503af1d 100644
- --- a/clientloop.c
- +++ b/clientloop.c
--@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
-  	sock = x11_connect_display(ssh);
-  	if (sock < 0)
-  		return NULL;
- -	c = channel_new(ssh, "x11",
- -	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
---	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
--+        c = channel_new(ssh, "x11",
--+			SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--+			/* again is this really necessary for X11? */
--+			options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+			CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
-+-	    CHANNEL_NONBLOCK_SET);
-++	c = channel_new(ssh, "x11",
-++	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-++	    /* again is this really necessary for X11? */
-++	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-++	    CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
-  	c->force_drain = 1;
-  	return c;
-  }
--@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
-  		return NULL;
-  	}
-  	c = channel_new(ssh, "authentication agent connection",
- -	    SSH_CHANNEL_OPEN, sock, sock, -1,
- -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
---	    "authentication agent connection", 1);
--+			SSH_CHANNEL_OPEN, sock, sock, -1,
--+			options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
--+			CHAN_TCP_PACKET_DEFAULT, 0,
--+			"authentication agent connection", 1);
-+-	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
-++	    SSH_CHANNEL_OPEN, sock, sock, -1,
-++	    options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-++	    CHAN_TCP_PACKET_DEFAULT, 0,
-++	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
-  	c->force_drain = 1;
-  	return c;
-  }
--@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
-+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
-  	}
-  	debug("Tunnel forwarding using interface %s", ifname);
-  
- -	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
---	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
--+        c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
-+-	    CHANNEL_NONBLOCK_SET);
-++	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- +	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-++	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
-  	c->datagram = 1;
-  
--+
--+
-  #if defined(SSH_TUN_FILTER)
-- 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-- 		channel_register_filter(ssh, c->self, sys_tun_infilter,
- diff --git a/compat.c b/compat.c
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- 			debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+-	int i;
-++	int i, bugs = 0;
-+ 	static struct {
-+ 		char	*pat;
-+ 		int	bugs;
-+@@ -147,11 +147,26 @@
-+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ 			debug("match: %s pat %s compat 0x%08x",
-  			    version, check[i].pat, check[i].bugs);
-- 			ssh->compat = check[i].bugs;
- +			/* Check to see if the remote side is OpenSSH and not HPN */
--+			/* TODO: need to use new method to test for this */
- +			if (strstr(version, "OpenSSH") != NULL) {
- +				if (strstr(version, "hpn") == NULL) {
--+					ssh->compat |= SSH_BUG_LARGEWINDOW;
-++					bugs |= SSH_BUG_LARGEWINDOW;
- +					debug("Remote is NON-HPN aware");
- +				}
- +			}
-- 			return;
-+-			return check[i].bugs;
-++			bugs |= check[i].bugs;
-  		}
-  	}
-+-	debug("no match: %s", version);
-+-	return 0;
-++	/* Check to see if the remote side is OpenSSH and not HPN */
-++	if (strstr(version, "OpenSSH") != NULL) {
-++		if (strstr(version, "hpn") == NULL) {
-++			bugs |= SSH_BUG_LARGEWINDOW;
-++			debug("Remote is NON-HPN aware");
-++		}
-++	}
-++	if (bugs == 0)
-++		debug("no match: %s", version);
-++	return bugs;
-+ }
-+ 
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +510,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag = 0;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +604,7 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-  	fd_set *setp;
-@@ -1035,19 +1086,6 @@
-  
-  /* Minimum amount of data to read at a time */
-  #define MIN_READ_SIZE	512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- 			freezero(pin, strlen(pin));
-- 		error_r(r, "Unable to load resident keys");
-- 		return -1;
---	}
--+ 	}
-- 	if (nkeys == 0)
-- 		logit("No keys to download");
-- 	if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1131,7 @@
- +	else
- +		options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- +		debug("HPN to Non-HPN Connection");
- +	} else {
- +		int sock, socksize;
-@@ -1157,14 +1195,14 @@
-  	}
- @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
-  	    window, packetmax, CHAN_EXTENDED_WRITE,
-- 	    "client-session", /*nonblock*/0);
-+ 	    "client-session", CHANNEL_NONBLOCK_STDIO);
-  
- +	if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
- +		c->dynamic_window = 1;
- +		debug("Enabled Dynamic Window Scaling");
- +	}
- +
-- 	debug3_f("channel_new: %d", c->self);
-+ 	debug2_f("channel %d", c->self);
-  
-  	channel_send_open(ssh, c->self);
- @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
-@@ -1335,7 +1373,29 @@
-  		/* Bind the socket to the desired port. */
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ 		    sshbuf_len(server_cfg)) != 0)
-+ 			fatal_f("ssh_digest_update");
-+-		len = ssh_digest_bytes(digest_alg);
-+-		hash = xmalloc(len);
-+-		if (ssh_digest_final(ctx, hash, len) != 0)
-+-			fatal_f("ssh_digest_final");
-+-		options.timing_secret = PEEK_U64(hash);
-+-		freezero(hash, len);
-+-		ssh_digest_free(ctx);
-++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++			hash = xmalloc(len);
-++			if (ssh_digest_final(ctx, hash, len) != 0)
-++				fatal_f("ssh_digest_final");
-++			options.timing_secret = PEEK_U64(hash);
-++			freezero(hash, len);
-++			ssh_digest_free(ctx);
-++		}
-+ 		ctx = NULL;
-+ 		return;
-+ 	}
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
-  		fatal("AuthorizedPrincipalsCommand set without "
-  		    "AuthorizedPrincipalsCommandUser");
-  
-@@ -1355,7 +1415,7 @@
-  	/*
-  	 * Check whether there is any path through configured auth methods.
-  	 * Unfortunately it is not possible to verify this generally before
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
-  	    rdomain == NULL ? "" : "\"");
-  	free(laddr);
-  
-@@ -1365,7 +1425,7 @@
-  	/*
-  	 * We don't want to listen forever unless the other side
-  	 * successfully authenticates itself.  So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
-  	struct kex *kex;
-  	int r;
-  
-@@ -1405,14 +1465,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:12:16.778011216 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:13:11.573211934 -0700
-@@ -12,9 +12,9 @@
-  static long stalled;		/* how long we have been stalled */
-  static int bytes_per_second;	/* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ 	off_t bytes_left;
-  	int cur_speed;
-- 	int hours, minutes, seconds;
-- 	int file_len;
-+ 	int len;
- +	off_t delta_pos;
-  
-  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
-  	if (bytes_left > 0)
-  		elapsed = now - last_update;
-  	else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-- 
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ 	buf[1] = '\0';
-+
-  	/* filename */
-- 	buf[0] = '\0';
---	file_len = win_size - 36;
--+	file_len = win_size - 45;
-- 	if (file_len > 0) {
-- 		buf[0] = '\r';
-- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+-	if (win_size > 36) {
-++	if (win_size > 45) {
-+-		int file_len = win_size - 36;
-++		int file_len = win_size - 45;
-+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ 		    file_len, file);
-+ 	}
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
-  	    (off_t)bytes_per_second);
-  	strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
-  }
-  
-  /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-- 
-- 	if (skprovider == NULL)
-- 		fatal("Cannot download keys without provider");
---
-- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- 	if (!quiet) {
-- 		printf("You may need to touch your authenticator "

diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 309e57e88643..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:58:08.746214945 -0700
-@@ -1026,9 +1026,9 @@
- +	}
- +#endif
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-- 
-+ 	if (ssh_packet_connection_is_on_socket(ssh)) {
-+ 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
-+ 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..bf3d6e4a 100644
- --- a/sshd.c
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 12:04:45.008038085 -0700
-@@ -536,18 +536,10 @@
-  	if (state->rekey_limit)
-  		*max_blocks = MINIMUM(*max_blocks,
-  		    state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-@@ -598,12 +576,11 @@
-  };
-  
-  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
-  u_int	 ssh_packet_get_maxsize(struct ssh *);
-  
- +/* for forced packet rekeying post auth */
--+void	 packet_request_rekeying(void);
- +int	 packet_authentication_state(const struct ssh *);
- +
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ 	oDisableMTAES,
-  	oVisualHostKey,
-  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
-  	{ "kexalgorithms", oKexAlgorithms },
-  	{ "ipqos", oIPQoS },
-@@ -637,9 +614,9 @@
- +	{ "noneenabled", oNoneEnabled },
- +	{ "nonemacenabled", oNoneMacEnabled },
- +	{ "noneswitch", oNoneSwitch },
-- 	{ "proxyusefdpass", oProxyUseFdpass },
-- 	{ "canonicaldomains", oCanonicalDomains },
-- 	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
-+ 	{ "sessiontype", oSessionType },
-+ 	{ "stdinnull", oStdinNull },
-+ 	{ "forkafterauthentication", oForkAfterAuthentication },
- @@ -317,6 +323,11 @@ static struct {
-  	{ "securitykeyprovider", oSecurityKeyProvider },
-  	{ "knownhostscommand", oKnownHostsCommand },
-@@ -717,9 +694,9 @@
- +	options->hpn_buffer_size = -1;
- +	options->tcp_rcv_buf_poll = -1;
- +	options->tcp_rcv_buf = -1;
-- 	options->proxy_use_fdpass = -1;
-- 	options->ignored_unknown = NULL;
-- 	options->num_canonical_domains = 0;
-+ 	options->session_type = -1;
-+ 	options->stdin_null = -1;
-+ 	options->fork_after_authentication = -1;
- @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
-  		options->server_alive_interval = 0;
-  	if (options->server_alive_count_max == -1)
-@@ -778,9 +755,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none cipher to be used */
- +  	int     nonemac_enabled;   /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
-  Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
-- 
-- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN	32768
-+ 
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS	64
-++#define DEFAULT_NUM_REQUESTS	256
-  
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE	512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- +		}
- +	}
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
-@@ -1359,8 +1336,8 @@
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-- 	/* Fill in default values for those options not explicitly set. */
-- 	fill_default_server_options(&options);
-+ 		fatal("AuthorizedPrincipalsCommand set without "
-+ 		    "AuthorizedPrincipalsCommandUser");
-  
- +	if (options.none_enabled == 1) {
- +		char *old_ciphers = options.ciphers;
-@@ -1375,9 +1352,9 @@
- +		}
- +	}
- +
-- 	/* challenge-response is implemented via keyboard interactive */
-- 	if (options.challenge_response_authentication)
-- 		options.kbd_interactive_authentication = 1;
-+ 	/*
-+ 	 * Check whether there is any path through configured auth methods.
-+ 	 * Unfortunately it is not possible to verify this generally before
- @@ -2166,6 +2186,9 @@ main(int ac, char **av)
-  	    rdomain == NULL ? "" : "\"");
-  	free(laddr);

diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
deleted file mode 100644
index b6827623cd66..000000000000
--- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
---- a/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:17.070546984 -0700
-+++ b/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:55.086664489 -0700
-@@ -954,15 +954,16 @@
-  	char b[512];
- -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
- -	u_char *hash = xmalloc(len);
-+-	double delay;
- +	int digest_alg;
- +	size_t len;
- +	u_char *hash;
-- 	double delay;
-- 
-++	double delay = 0;
-++
- +	digest_alg = ssh_digest_maxbytes();
- +	len = ssh_digest_bytes(digest_alg);
- +	hash = xmalloc(len);
--+
-+
-  	(void)snprintf(b, sizeof b, "%llu%s",
-  	    (unsigned long long)options.timing_secret, user);
- -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -51859,12 +51860,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +372,8 @@
-+@@ -391,6 +372,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -71985,7 +71985,7 @@
- +if test "$sshd_type" = "pkix" ; then
- +  unset_arg=''
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -132360,16 +132360,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
----- openssh-8.8p1/version.h	2021-09-26 17:03:19.000000000 +0300
--+++ openssh-8.8p1+x509-13.2.3/version.h	2021-10-23 16:27:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.8"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
- --- openssh-8.8p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.8p1+x509-13.2.3/version.m4	2021-10-23 16:27:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-8.8_p1-r4.ebuild b/net-misc/openssh/openssh-8.8_p1-r4.ebuild
deleted file mode 100644
index 561dc2dd6076..000000000000
--- a/net-misc/openssh/openssh-8.8_p1-r4.ebuild
+++ /dev/null
@@ -1,491 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	hpn? ( ssl )
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa(+),ssl(+)]
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	!prefix? ( sys-apps/shadow )
-	X? ( x11-apps/xauth )
-"
-BDEPEND="
-	virtual/pkgconfig
-	sys-devel/autoconf
-	verify-sig? ( sec-keys/openpgp-keys-openssh )
-"
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	local missing=()
-	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
-	check_feature hpn HPN_VER
-	check_feature sctp SCTP_PATCH
-	check_feature X509 X509_PATCH
-	if [[ ${#missing[@]} -ne 0 ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested: ${missing[*]}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_unpack() {
-	default
-
-	# We don't have signatures for HPN, X509, so we have to write this ourselves
-	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
-	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	sed -i \
-		-e "/#UseLogin no/d" \
-		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable PATH reset, trust what portage gives us #254615
-		-e 's:^PATH=/:#PATH=/:'
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl md5-passwords)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local tests=( compat-tests )
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		ewarn "user, so we will run a subset only."
-		tests+=( interop-tests )
-	else
-		tests+=( tests )
-	fi
-
-	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
-	mkdir -p "${HOME}"/.ssh || die
-	emake -j1 "${tests[@]}" </dev/null
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-
-	# https://bugs.gentoo.org/733802
-	if ! use scp; then
-		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
-			|| die "failed to remove scp"
-	fi
-
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
-	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-05-19 23:08 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-05-19 23:08 UTC (permalink / raw
  To: gentoo-commits

commit:     f7dcc5db3065338bf5b1951ca897cb0042de2c8f
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu May 19 23:08:05 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu May 19 23:08:33 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7dcc5db

net-misc/openssh: Bump 9.0_p1 to fix random hangs with X509

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 .../files/openssh-9.0_p1-X509-uninitialized-delay.patch      | 12 ++++++++++++
 .../{openssh-9.0_p1.ebuild => openssh-9.0_p1-r1.ebuild}      |  1 +
 2 files changed, 13 insertions(+)

diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
new file mode 100644
index 000000000000..2a83ed37d138
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
@@ -0,0 +1,12 @@
+diff -ur a/auth2.c b/auth2.c
+--- a/auth2.c	2022-05-19 15:59:32.875160028 -0700
++++ b/auth2.c	2022-05-19 16:03:44.291594908 -0700
+@@ -226,7 +226,7 @@
+ 	int digest_alg;
+ 	size_t len;
+ 	u_char *hash;
+-	double delay;
++	double delay = 0;
+ 
+ 	digest_alg = ssh_digest_maxbytes();
+ 	if (len = ssh_digest_bytes(digest_alg) > 0) {

diff --git a/net-misc/openssh/openssh-9.0_p1.ebuild b/net-misc/openssh/openssh-9.0_p1-r1.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-9.0_p1.ebuild
rename to net-misc/openssh/openssh-9.0_p1-r1.ebuild
index 13c0bb4fa5c5..9fc26e8968bf 100644
--- a/net-misc/openssh/openssh-9.0_p1.ebuild
+++ b/net-misc/openssh/openssh-9.0_p1-r1.ebuild
@@ -149,6 +149,7 @@ src_prepare() {
 		popd &>/dev/null || die
 
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
 
 		# We need to patch package version or any X.509 sshd will reject our ssh client
 		# with "userauth_pubkey: could not parse key: string is too large [preauth]"


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-06-23 22:35 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-06-23 22:35 UTC (permalink / raw
  To: gentoo-commits

commit:     c0bab04c8f67b3fcd16ef21a3aa009c265e6e7b0
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 23 22:35:07 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Jun 23 22:35:42 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0bab04c

net-misc/openssh: Revbump, bump X509 patch to 13.4.1

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 .../files/openssh-9.0_p1-X509-glue-13.4.1.patch    |  54 +++
 net-misc/openssh/openssh-9.0_p1-r2.ebuild          | 485 +++++++++++++++++++++
 3 files changed, 540 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 029c76bb16d1..2992675630dd 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,6 +6,7 @@ DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
 DIST openssh-9.0p1+x509-13.3.2.diff.gz 1128591 BLAKE2B fb560e2f1803ceb946a1ba8bd53a1f9fd262896b820c23d4b0015218433d2200f1fd9df5b1889a670261f13936d8153da1ab4beb2a5d52ede78168189c522bf3 SHA512 e643168d7098c44f85a9bac9894a936a3480ec843162197ce56e016dd4f634ef182dcfae1f7e18408f6a18832e0a95d2d249a23fdbc3dc46df76989ca0a0c7fc
+DIST openssh-9.0p1+x509-13.4.1.diff.gz 1146757 BLAKE2B 070d6bc23179a581e4fe79412274f11399009ba69ad643cc354ec9cd6392ffb0a651fd2d7f310c52c60a9c626140b9c823e2f19c600f15ac9cdf992707274bcb SHA512 4aaa86c1a785741b28c5e2738cf6de6fa7965ac8692165a8b18fe7677aeb0996979f23b45306781e6be75d34fb39294659be5ae016ab4a82ef2a73bedcc6e8e7
 DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
 DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
 DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f

diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
new file mode 100644
index 000000000000..dc93182e1d4c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
@@ -0,0 +1,54 @@
+diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
+--- a/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:43:33.957093896 -0700
++++ b/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:44:17.232396805 -0700
+@@ -48941,8 +48941,8 @@
+  		gss_create_empty_oid_set(&status, &oidset);
+  		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+  
+--		if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+		if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++-		if (gethostname(lname, HOST_NAME_MAX)) {
+++		if (gethostname(lname, HOST_NAME_MAX) == -1) {
+  			gss_release_oid_set(&status, &oidset);
+  			return (-1);
+  		}
+@@ -57102,12 +57102,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -395,6 +372,8 @@
++@@ -395,6 +372,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -78638,7 +78637,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ +  unset_arg=''
+ +else
+-+  unset_arg=none
+++  unset_arg=''
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -143777,16 +143776,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	    __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
+---- openssh-9.0p1/version.h	2022-04-06 03:47:48.000000000 +0300
+-+++ openssh-9.0p1+x509-13.4.1/version.h	2022-06-23 09:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_9.0"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
+ --- openssh-9.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-9.0p1+x509-13.4.1/version.m4	2022-06-23 09:07:00.000000000 +0300

diff --git a/net-misc/openssh/openssh-9.0_p1-r2.ebuild b/net-misc/openssh/openssh-9.0_p1-r2.ebuild
new file mode 100644
index 000000000000..9402ad203dc3
--- /dev/null
+++ b/net-misc/openssh/openssh-9.0_p1-r2.ebuild
@@ -0,0 +1,485 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="13.4.1"
+X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+	eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
+	eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2022-10-06 23:12 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2022-10-06 23:12 UTC (permalink / raw
  To: gentoo-commits

commit:     567b2821e0cfeeecb5205e6d8320c90bf5038547
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Oct  6 23:12:05 2022 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Oct  6 23:12:22 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=567b2821

net-misc/openssh: add 9.1_p1

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   7 +
 .../openssh/files/openssh-9.1_p1-build-tests.patch |  13 +
 net-misc/openssh/openssh-9.1_p1.ebuild             | 514 +++++++++++++++++++++
 3 files changed, 534 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 2992675630dd..bf68be53332e 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -10,3 +10,10 @@ DIST openssh-9.0p1+x509-13.4.1.diff.gz 1146757 BLAKE2B 070d6bc23179a581e4fe79412
 DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
 DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
 DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
+DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
+DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
+DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
+DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
+DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
+DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
+DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd

diff --git a/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch b/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
new file mode 100644
index 000000000000..62f51a87823d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
@@ -0,0 +1,13 @@
+diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
+index dd8cdc4b7..c446f0aa2 100644
+--- a/openbsd-compat/regress/Makefile.in
++++ b/openbsd-compat/regress/Makefile.in
+@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
+ CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
+ EXEEXT=@EXEEXT@
+ LIBCOMPAT=../libopenbsd-compat.a
+-LIBS=@LIBS@
++LIBS=@LIBS@ -lssl -lcrypto
+ LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
+ 
+ TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \

diff --git a/net-misc/openssh/openssh-9.1_p1.ebuild b/net-misc/openssh/openssh-9.1_p1.ebuild
new file mode 100644
index 000000000000..823f2305834f
--- /dev/null
+++ b/net-misc/openssh/openssh-9.1_p1.ebuild
@@ -0,0 +1,514 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
+
+SCTP_VER="1.2"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+
+X509_VER="13.5"
+X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
+X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? (
+		$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
+	)}
+	${X509_PATCH:+X509? (
+		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
+		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
+	)}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+# Blocker on older gcc-config for bug #872416
+LIB_DEPEND="
+	!<sys-devel/gcc-config-2.6
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+# Weird dep construct for newer gcc-config for bug #872416
+BDEPEND="
+	sys-devel/autoconf
+	virtual/pkgconfig
+	|| (
+		>=sys-devel/gcc-config-2.6
+		>=sys-devel/clang-toolchain-symlinks-14-r1:14
+		>=sys-devel/clang-toolchain-symlinks-15-r1:15
+		>=sys-devel/clang-toolchain-symlinks-16-r1:*
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
+	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
+	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
+)
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${PATCHES[@]}"
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
+		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
+	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
+	tc-is-clang && myconf+=( --without-hardening )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2023-03-15  3:14 Sam James
  0 siblings, 0 replies; 57+ messages in thread
From: Sam James @ 2023-03-15  3:14 UTC (permalink / raw
  To: gentoo-commits

commit:     268d1040b0682edf6f042269a33a32315590547b
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 15 03:10:39 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Mar 15 03:10:39 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=268d1040

net-misc/openssh: add OpenSSL version compatibility fix

Without this, openssh wrongly thinks a rebuild is needed between openssl 3.0.x
and 3.1.x.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3548
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...enssh-9.1_p2-openssl-version-compat-check.patch |  42 ++
 net-misc/openssh/openssh-9.2_p1-r3.ebuild          | 518 +++++++++++++++++++++
 2 files changed, 560 insertions(+)

diff --git a/net-misc/openssh/files/openssh-9.1_p2-openssl-version-compat-check.patch b/net-misc/openssh/files/openssh-9.1_p2-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..530d96e11ce2
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.1_p2-openssl-version-compat-check.patch
@@ -0,0 +1,42 @@
+https://bugzilla.mindrot.org/show_bug.cgi?id=3548
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -33,10 +33,10 @@
+ 
+ /*
+  * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+- * We match major, minor, fix and status (not patch) for <1.0.0.
+- * After that, we acceptable compatible fix versions (so we
+- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+- * within a patch series.
++ * Versions >=3 require only major versions to match.
++ * For versions <3, we accept compatible fix versions (so we allow 1.0.1
++ * to work with 1.0.0). Going backwards is only allowed within a patch series.
++ * See https://www.openssl.org/policies/releasestrat.html
+  */
+ 
+ int
+@@ -48,15 +48,17 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
++	/*
++	 * For versions >= 3.0, only the major and status must match.
++	 */
++	if (headerver >= 0x3000000f) {
++		mask = 0xf000000fL; /* major,status */
+ 		return (headerver & mask) == (libver & mask);
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
++	 * For versions >= 1.0.0, but <3, major,minor,status must match and
++	 * library fix version must be equal to or newer than the header.
+ 	 */
+ 	mask = 0xfff0000fL; /* major,minor,status */
+ 	hfix = (headerver & 0x000ff000) >> 12;
+

diff --git a/net-misc/openssh/openssh-9.2_p1-r3.ebuild b/net-misc/openssh/openssh-9.2_p1-r3.ebuild
new file mode 100644
index 000000000000..0c12a424605e
--- /dev/null
+++ b/net-misc/openssh/openssh-9.2_p1-r3.ebuild
@@ -0,0 +1,518 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-glue.patch"
+HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
+
+SCTP_VER="1.2"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+
+X509_VER="14.1"
+X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
+X509_HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? (
+		$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
+	)}
+	${X509_PATCH:+X509? (
+		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
+		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
+	)}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+# Blocker on older gcc-config for bug #872416
+LIB_DEPEND="
+	!<sys-devel/gcc-config-2.6
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+# Weird dep construct for newer gcc-config for bug #872416
+BDEPEND="
+	sys-devel/autoconf
+	virtual/pkgconfig
+	|| (
+		>=sys-devel/gcc-config-2.6
+		>=sys-devel/clang-toolchain-symlinks-14-r1:14
+		>=sys-devel/clang-toolchain-symlinks-15-r1:15
+		>=sys-devel/clang-toolchain-symlinks-16-r1:*
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
+	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
+	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/${PN}-9.1_p2-openssl-version-compat-check.patch"
+)
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply -- "${PATCHES[@]}"
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
+		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
+	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
+	tc-is-clang && myconf+=( --without-hardening )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.socket
+	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+			ewarn "set 'Restart=no' in your sshd unit file."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2023-03-17  3:58 Patrick McLean
  0 siblings, 0 replies; 57+ messages in thread
From: Patrick McLean @ 2023-03-17  3:58 UTC (permalink / raw
  To: gentoo-commits

commit:     2c9ebdc2c763bd969cab9d503f00665076dab871
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 17 03:58:02 2023 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Fri Mar 17 03:58:09 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c9ebdc2

net-misc/openssh: add 9.3_p1

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   7 +
 ...mget-shmat-shmdt-in-preauth-privsep-child.patch |  20 +
 ...enssh-9.3_p1-openssl-version-compat-check.patch |  61 +++
 net-misc/openssh/openssh-9.3_p1.ebuild             | 518 +++++++++++++++++++++
 4 files changed, 606 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index d16682cf7844..1feba2f14167 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -17,3 +17,10 @@ DIST openssh-9.2p1+x509-14.1.diff.gz 1210737 BLAKE2B 6b1cb2392c3fdbc7627b44a055d
 DIST openssh-9.2p1-sctp-1.2.patch.xz 6828 BLAKE2B 8a57b85ce5d18dca34ef71b486f2f24bbc82f6bf263a4f162a1222d96ef2adc469cce62f368c9192512efaa8e1e2496a7bd8f79a11698bf0118eee07a703e6ef SHA512 3713847ef7b280f8b74a1b493644152c948ce74e06c1d0bff52996647963ca156cbc845b4459bcdbd4745eb440e409af07af2f0b696c65950a8a6d7ddb46f6c8
 DIST openssh-9.2p1.tar.gz 1852380 BLAKE2B 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 SHA512 c4b79ef3a05b96bfc477ffb31f734635bffd5be213ab58e043111c3232dbe999ff24665fa1069518237cffa5126ded0dda8984e1b8f098f4f09b8c1dae20e604
 DIST openssh-9.2p1.tar.gz.asc 833 BLAKE2B 36210757aaa4ee8e6bdf4cfbb5590e6c54a617817d1657ebb446e54530d01a9e9f5559408b3d424d5efdb4ba06f0c02755637f5480dc81f9b4e32963de91087a SHA512 2a56f8946ed00fcd5a92935e090523d40b5c3747e25661d575b799b1825bf5e47a95eed5e7ed968fe042349c2c7d94d6b0e6bf2d9145b5c6ff5df2ca538d56e5
+DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
+DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
+DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
+DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
+DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
+DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
+DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4

diff --git a/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
new file mode 100644
index 000000000000..4d098b2231c7
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,20 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..d93a357c6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_statx
+ 	SC_DENY(__NR_statx, EACCES),
+ #endif
++#ifdef __NR_shmget
++	SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++	SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++	SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk

diff --git a/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..caccfd17c11d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
@@ -0,0 +1,61 @@
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index 033f35763..efc387fa7 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
+-		return (headerver & mask) == (libver & mask);
++	/*
++	 * For versions < 3.0.0, major,minor,status must match and library
++	 * fix version must be equal to or newer than the header.
++	 */
++	if (headerver < 0x3000000f) {
++		mask = 0xfff0000fL; /* major,minor,status */
++		hfix = (headerver & 0x000ff000) >> 12;
++		lfix = (libver & 0x000ff000) >> 12;
++		if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
++			return 1;
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
++	 * For versions >= 3.0.0, major must match and minor,status must be
++	 * equal to or greater than the header.
+ 	 */
+-	mask = 0xfff00000L; /* major,minor,status */
+-	hfix = (headerver & 0x000ff000) >> 12;
+-	lfix = (libver & 0x000ff000) >> 12;
++	mask = 0xf000000fL; /* major, status */
++	hfix = (headerver & 0x0ffffff0L) >> 12;
++	lfix = (libver & 0x0ffffff0L) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+ 		return 1;
+ 	return 0;
+diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
+index d50066609..60a8a4e6c 100644
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -31,7 +31,7 @@ struct version_test {
+ 	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
+ 	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
+ 	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
+-	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
++	{ 0x0090802fL, 0x0090902fL, 1},	/* newer library minor version: ok */
+ 	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
+ 	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
+ 
+@@ -41,7 +41,7 @@ struct version_test {
+ 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
+ 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
+ 	{ 0x1000101fL, 0x1000001fL, 0},	/* older library fix version: NO */
+-	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
++	{ 0x1000101fL, 0x1010101fL, 1},	/* newer library minor version: ok */
+ 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
+ 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
+ };

diff --git a/net-misc/openssh/openssh-9.3_p1.ebuild b/net-misc/openssh/openssh-9.3_p1.ebuild
new file mode 100644
index 000000000000..3173cbc8d705
--- /dev/null
+++ b/net-misc/openssh/openssh-9.3_p1.ebuild
@@ -0,0 +1,518 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+# PV to USE for HPN patches
+#HPN_PV="${PV^^}"
+HPN_PV="8.5_P1"
+
+HPN_VER="15.2"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch"
+HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
+
+SCTP_VER="1.2"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+
+X509_VER="14.1.1"
+X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
+X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? (
+		$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
+	)}
+	${X509_VER:+X509? (
+		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
+		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
+		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
+	)}
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	hpn? ( ssl )
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp ssl !xmss )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+# Blocker on older gcc-config for bug #872416
+LIB_DEPEND="
+	!<sys-devel/gcc-config-2.6
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+# Weird dep construct for newer gcc-config for bug #872416
+BDEPEND="
+	sys-devel/autoconf
+	virtual/pkgconfig
+	|| (
+		>=sys-devel/gcc-config-2.6
+		>=sys-devel/clang-toolchain-symlinks-14-r1:14
+		>=sys-devel/clang-toolchain-symlinks-15-r1:15
+		>=sys-devel/clang-toolchain-symlinks-16-r1:*
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
+	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
+	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+)
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	local missing=()
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+	check_feature hpn HPN_VER
+	check_feature sctp SCTP_PATCH
+	check_feature X509 X509_PATCH
+	if [[ ${#missing[@]} -ne 0 ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested: ${missing[*]}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "Missing requested third party patch."
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_unpack() {
+	default
+
+	# We don't have signatures for HPN, X509, so we have to write this ourselves
+	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply -- "${PATCHES[@]}"
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
+		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(usex X509 '' "$(use_with security-key security-key-builtin)")
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
+	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
+	tc-is-clang && myconf+=( --without-hardening )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.socket
+	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+			ewarn "set 'Restart=no' in your sshd unit file."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2023-05-06 15:08 David Seifert
  0 siblings, 0 replies; 57+ messages in thread
From: David Seifert @ 2023-05-06 15:08 UTC (permalink / raw
  To: gentoo-commits

commit:     781d6a979c5c181587b6289ef56c2eec627e43bf
Author:     David Seifert <soap <AT> gentoo <DOT> org>
AuthorDate: Sat May  6 15:08:02 2023 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat May  6 15:08:02 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=781d6a97

net-misc/openssh: drop 9.2_p1-r2

Signed-off-by: David Seifert <soap <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   7 -
 ...mget-shmat-shmdt-in-preauth-privsep-child.patch |  31 --
 net-misc/openssh/openssh-9.2_p1-r2.ebuild          | 517 ---------------------
 3 files changed, 555 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 5bde55aac9be..680eb4cd062e 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,13 +1,6 @@
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.2_p1-X509-glue-14.1.patch.xz 900 BLAKE2B 1cfde24cdd636390bcd9b546da182b0848d637c366ff387f045e8d9158e94ff9577c0dff9d87a552208a56aac4ae8319bb17fd772719a7aa2cbc8baf2bfe59fc SHA512 b3f87fb0c339ffe627b347b4cc56fc6a056e5e9a4f23481bb18fc55262e1de3f0394d2f7a85c4fa120f74616a5872cf6628118bcda6973dfa9baec8d7e0e65b1
-DIST openssh-9.2_p1-hpn-15.2-X509-14.1-glue.patch.xz 6040 BLAKE2B d032d1f03ab1bd310af055a452375e6b85ebe40f3d09effdfb07085981155b751c6fdc74a9ee10afe807c2cd10be3444baf712eb0b211bdaff4dc43dc4f65938 SHA512 696f5ee26eeef7a1d56c212eb8bf7c7a568ded2a576eddae92b98b9b3b6bd5bd66e0944b9328e93ec4d55d16f72215a13c25d27de81f75aaae8fdbe68e3df51e
-DIST openssh-9.2_p1-hpn-15.2-glue.patch.xz 4172 BLAKE2B 7bec61008f02c07bf24112995066bcd434820354155eb022ffa550baa8f7be896d915423698427ec921473190eb8e83739d2ceff04f79967759fc82b74435dac SHA512 c669a70611479f4ee0f3ba8417afc052f0212cb2d338c524fb3bf6c52a1bf3ca78fe78ab04118de5aa472a10d30b95f084c3ed00a542a8b3d0f541f8ea3f26af
-DIST openssh-9.2p1+x509-14.1.diff.gz 1210737 BLAKE2B 6b1cb2392c3fdbc7627b44a055da7662c686786cddaefcdf63f33fa92c1d97a5fb9ff54d03b7aef700715baa44f4485ad2dd73f59aac5b19617597832e135773 SHA512 88ba0dfd6e7eddf06e47d27299ee900dd1a9dc24df706bde51231b290f666848935204281577a9e47267939e7ee852f7232caaccdae6ac3eb503e53c075e630d
-DIST openssh-9.2p1-sctp-1.2.patch.xz 6828 BLAKE2B 8a57b85ce5d18dca34ef71b486f2f24bbc82f6bf263a4f162a1222d96ef2adc469cce62f368c9192512efaa8e1e2496a7bd8f79a11698bf0118eee07a703e6ef SHA512 3713847ef7b280f8b74a1b493644152c948ce74e06c1d0bff52996647963ca156cbc845b4459bcdbd4745eb440e409af07af2f0b696c65950a8a6d7ddb46f6c8
-DIST openssh-9.2p1.tar.gz 1852380 BLAKE2B 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 SHA512 c4b79ef3a05b96bfc477ffb31f734635bffd5be213ab58e043111c3232dbe999ff24665fa1069518237cffa5126ded0dda8984e1b8f098f4f09b8c1dae20e604
-DIST openssh-9.2p1.tar.gz.asc 833 BLAKE2B 36210757aaa4ee8e6bdf4cfbb5590e6c54a617817d1657ebb446e54530d01a9e9f5559408b3d424d5efdb4ba06f0c02755637f5480dc81f9b4e32963de91087a SHA512 2a56f8946ed00fcd5a92935e090523d40b5c3747e25661d575b799b1825bf5e47a95eed5e7ed968fe042349c2c7d94d6b0e6bf2d9145b5c6ff5df2ca538d56e5
 DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
 DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
 DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909

diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
deleted file mode 100644
index fe3be2409e2a..000000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
-From: Lonnie Abelbeck <lonnie@abelbeck.com>
-Date: Tue, 1 Oct 2019 09:05:09 -0500
-Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
-
-New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
-in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
----
- sandbox-seccomp-filter.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 840c5232b..39dc289e3 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_stat64
- 	SC_DENY(__NR_stat64, EACCES),
- #endif
-+#ifdef __NR_shmget
-+	SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+	SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+	SC_DENY(__NR_shmdt, EACCES),
-+#endif
- 
- 	/* Syscalls to permit */
- #ifdef __NR_brk

diff --git a/net-misc/openssh/openssh-9.2_p1-r2.ebuild b/net-misc/openssh/openssh-9.2_p1-r2.ebuild
deleted file mode 100644
index 0a724fc1e142..000000000000
--- a/net-misc/openssh/openssh-9.2_p1-r2.ebuild
+++ /dev/null
@@ -1,517 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-glue.patch"
-HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
-
-SCTP_VER="1.2"
-SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-
-X509_VER="14.1"
-X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
-X509_HPN_GLUE_PATCH="${PN}-9.2_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? (
-		$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
-		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
-	)}
-	${X509_PATCH:+X509? (
-		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
-		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
-		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
-	)}
-	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	hpn? ( ssl )
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	X509? ( !sctp ssl !xmss )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-# Blocker on older gcc-config for bug #872416
-LIB_DEPEND="
-	!<sys-devel/gcc-config-2.6
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa(+),ssl(+)]
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20081028 )
-	!prefix? ( sys-apps/shadow )
-	X? ( x11-apps/xauth )
-"
-# Weird dep construct for newer gcc-config for bug #872416
-BDEPEND="
-	sys-devel/autoconf
-	virtual/pkgconfig
-	|| (
-		>=sys-devel/gcc-config-2.6
-		>=sys-devel/clang-toolchain-symlinks-14-r1:14
-		>=sys-devel/clang-toolchain-symlinks-15-r1:15
-		>=sys-devel/clang-toolchain-symlinks-16-r1:*
-	)
-	verify-sig? ( sec-keys/openpgp-keys-openssh )
-"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
-	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
-	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
-	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
-	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
-	"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
-	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
-	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
-)
-
-pkg_pretend() {
-	# this sucks, but i'd rather have people unable to `emerge -u openssh`
-	# than not be able to log in to their server any more
-	local missing=()
-	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
-	check_feature hpn HPN_VER
-	check_feature sctp SCTP_PATCH
-	check_feature X509 X509_PATCH
-	if [[ ${#missing[@]} -ne 0 ]] ; then
-		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested: ${missing[*]}"
-		eerror "Please mask ${PF} for now and check back later:"
-		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
-		die "Missing requested third party patch."
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_unpack() {
-	default
-
-	# We don't have signatures for HPN, X509, so we have to write this ourselves
-	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
-}
-
-src_prepare() {
-	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
-		pathnames.h || die
-
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	eapply -- "${PATCHES[@]}"
-
-	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
-	local PATCHSET_VERSION_MACROS=()
-
-	if use X509 ; then
-		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
-		popd &>/dev/null || die
-
-		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
-
-		# We need to patch package version or any X.509 sshd will reject our ssh client
-		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
-		# error
-		einfo "Patching package version for X.509 patch set ..."
-		sed -i \
-			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
-			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
-		einfo "Patching version.h to expose X.509 patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-	fi
-
-	if use sctp ; then
-		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
-		einfo "Patching version.h to expose SCTP patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
-			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
-		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
-		sed -i \
-			-e "/\t\tcfgparse \\\/d" \
-			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
-	fi
-
-	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
-		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
-		popd &>/dev/null || die
-
-		eapply "${hpn_patchdir}"
-
-		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
-		einfo "Patching Makefile.in for HPN patch set ..."
-		sed -i \
-			-e "/^LIBS=/ s/\$/ -lpthread/" \
-			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
-		einfo "Patching version.h to expose HPN patch set ..."
-		sed -i \
-			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
-			"${S}"/version.h || die "Failed to sed-in HPN patch version"
-		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
-		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-			einfo "Disabling known non-working MT AES cipher per default ..."
-
-			cat > "${T}"/disable_mtaes.conf <<- EOF
-
-			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
-			# and therefore disabled per default.
-			DisableMTAES yes
-			EOF
-			sed -i \
-				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
-				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
-			sed -i \
-				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
-				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
-		fi
-	fi
-
-	if use X509 || use sctp || use hpn ; then
-		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
-		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
-		sed -i \
-			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
-			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
-		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
-		sed -i \
-			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
-			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
-	fi
-
-	eapply_user #473004
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		# We apply the sctp patch conditionally, so can't pass --without-sctp
-		# unconditionally else we get unknown flag warnings.
-		$(use sctp && use_with sctp)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(usex X509 '' "$(use_with security-key security-key-builtin)")
-		$(use_with ssl openssl)
-		$(use_with ssl ssl-engine)
-		$(use_with !elibc_Cygwin hardening) #659210
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE
-		# https://bugs.gentoo.org/753230
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
-	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
-	tc-is-clang && myconf+=( --without-hardening )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local tests=( compat-tests )
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		ewarn "user, so we will run a subset only."
-		tests+=( interop-tests )
-	else
-		tests+=( tests )
-	fi
-
-	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
-	mkdir -p "${HOME}"/.ssh || die
-	emake -j1 "${tests[@]}" </dev/null
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
-	EOF
-
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-
-	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc CREDITS OVERVIEW README* TODO sshd_config
-	use hpn && dodoc HPN-README
-	use X509 || dodoc ChangeLog
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.socket
-	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
-	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
-			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
-			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
-			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
-			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
-			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
-			ewarn "set 'Restart=no' in your sshd unit file."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-
-	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
-		elog ""
-		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
-		elog "and therefore disabled at runtime per default."
-		elog "Make sure your sshd_config is up to date and contains"
-		elog ""
-		elog "  DisableMTAES yes"
-		elog ""
-		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
-		elog ""
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2023-08-21 17:49 Sam James
  0 siblings, 0 replies; 57+ messages in thread
From: Sam James @ 2023-08-21 17:49 UTC (permalink / raw
  To: gentoo-commits

commit:     5b974a3c903327b37f46a0212bf397ef634a67fd
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 21 17:48:31 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Aug 21 17:48:31 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b974a3c

net-misc/openssh: fix configure check for zlib-1.3

Closes: https://bugs.gentoo.org/912766
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../openssh/files/openssh-9.3_p2-zlib-1.3.patch     | 21 +++++++++++++++++++++
 net-misc/openssh/openssh-9.3_p1-r1.ebuild           |  1 +
 net-misc/openssh/openssh-9.3_p2.ebuild              |  1 +
 net-misc/openssh/openssh-9.4_p1.ebuild              |  1 +
 4 files changed, 24 insertions(+)

diff --git a/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch b/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
new file mode 100644
index 000000000000..f1336bbe0380
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/912766
+https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
+
+From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sat, 19 Aug 2023 07:39:08 +1000
+Subject: [PATCH] Fix zlib version check for 1.3 and future version.
+
+bz#3604.
+--- a/configure.ac
++++ b/configure.ac
+@@ -1464,7 +1464,7 @@ else
+ 	[[
+ 	int a=0, b=0, c=0, d=0, n, v;
+ 	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+-	if (n != 3 && n != 4)
++	if (n < 1)
+ 		exit(1);
+ 	v = a*1000000 + b*10000 + c*100 + d;
+ 	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+

diff --git a/net-misc/openssh/openssh-9.3_p1-r1.ebuild b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
index e3184f35c252..2624fa94f0ee 100644
--- a/net-misc/openssh/openssh-9.3_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
@@ -88,6 +88,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
 	"${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044
 	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+	"${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766
 )
 
 pkg_pretend() {

diff --git a/net-misc/openssh/openssh-9.3_p2.ebuild b/net-misc/openssh/openssh-9.3_p2.ebuild
index 8e57bfe2061c..3013b70ed4bc 100644
--- a/net-misc/openssh/openssh-9.3_p2.ebuild
+++ b/net-misc/openssh/openssh-9.3_p2.ebuild
@@ -88,6 +88,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
 	"${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044
 	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+	"${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766
 )
 
 pkg_pretend() {

diff --git a/net-misc/openssh/openssh-9.4_p1.ebuild b/net-misc/openssh/openssh-9.4_p1.ebuild
index ec36f3445783..5d1ffb94eba4 100644
--- a/net-misc/openssh/openssh-9.4_p1.ebuild
+++ b/net-misc/openssh/openssh-9.4_p1.ebuild
@@ -86,6 +86,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
 	"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
 	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766
 )
 
 pkg_pretend() {


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2024-07-06 23:44 Mike Gilbert
  0 siblings, 0 replies; 57+ messages in thread
From: Mike Gilbert @ 2024-07-06 23:44 UTC (permalink / raw
  To: gentoo-commits

commit:     3438f3cce5a672670679a6d091b547cd78d01054
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sat Jul  6 23:42:50 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Jul  6 23:43:17 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3438f3cc

net-misc/openssh: sshd.service: set Type=notify-reload

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 net-misc/openssh/files/sshd.service.2                     | 15 +++++++++++++++
 ...{openssh-9.8_p1-r1.ebuild => openssh-9.8_p1-r2.ebuild} |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/net-misc/openssh/files/sshd.service.2 b/net-misc/openssh/files/sshd.service.2
new file mode 100644
index 000000000000..d935ea763f0d
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service.2
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+Type=notify-reload
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target

diff --git a/net-misc/openssh/openssh-9.8_p1-r1.ebuild b/net-misc/openssh/openssh-9.8_p1-r2.ebuild
similarity index 99%
rename from net-misc/openssh/openssh-9.8_p1-r1.ebuild
rename to net-misc/openssh/openssh-9.8_p1-r2.ebuild
index 6633e212c19c..b1c11e3796c9 100644
--- a/net-misc/openssh/openssh-9.8_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-9.8_p1-r2.ebuild
@@ -318,7 +318,7 @@ src_install() {
 	rmdir "${ED}"/var/empty || die
 
 	systemd_dounit "${FILESDIR}"/sshd.socket
-	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+	systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
 	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
 
 	# Install dropins with explicit mode, bug 906638, 915840


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2024-07-07  8:44 Sam James
  0 siblings, 0 replies; 57+ messages in thread
From: Sam James @ 2024-07-07  8:44 UTC (permalink / raw
  To: gentoo-commits

commit:     452e53a96051ccb5000b6d1b923bc5f25aade72d
Author:     Quincy Fleming <quincyf467 <AT> protonmail <DOT> com>
AuthorDate: Thu Jul  4 22:00:27 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jul  7 08:43:56 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=452e53a9

net-misc/openssh: Fix compile error on musl

Closes: https://github.com/gentoo/gentoo/pull/37440
Closes: https://bugs.gentoo.org/935353
Signed-off-by: Quincy Fleming <quincyf467 <AT> protonmail.com>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch | 13 +++++++++++++
 net-misc/openssh/openssh-9.8_p1-r2.ebuild                |  1 +
 2 files changed, 14 insertions(+)

diff --git a/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch b/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch
new file mode 100644
index 000000000000..98c480445f53
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch
@@ -0,0 +1,13 @@
+# Pulled patch from Voidlinux
+# Bug: https://bugs.gentoo.org/935353
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@
+ 		error_f("socket \"%s\": %s", path, strerror(errno));
+ 		goto out;
+ 	}
+-	if (connect(fd, &addr, sizeof(addr)) != 0) {
++	if (connect(fd, (const struct sockaddr *)&addr, sizeof(addr)) != 0) {
+ 		error_f("socket \"%s\" connect: %s", path, strerror(errno));
+ 		goto out;
+ 	}

diff --git a/net-misc/openssh/openssh-9.8_p1-r2.ebuild b/net-misc/openssh/openssh-9.8_p1-r2.ebuild
index b1c11e3796c9..8c6f3c5cb671 100644
--- a/net-misc/openssh/openssh-9.8_p1-r2.ebuild
+++ b/net-misc/openssh/openssh-9.8_p1-r2.ebuild
@@ -79,6 +79,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
 	"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
 	"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
+	"${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"
 )
 
 pkg_pretend() {


^ permalink raw reply related	[flat|nested] 57+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2024-10-29  1:13 Sam James
  0 siblings, 0 replies; 57+ messages in thread
From: Sam James @ 2024-10-29  1:13 UTC (permalink / raw
  To: gentoo-commits

commit:     e864506f68f2bf004b84d5f52a7a81dd128d336b
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 01:12:43 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 01:12:43 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e864506f

net-misc/openssh: drop 9.6_p1-r3, 9.6_p1-r5

Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-misc/openssh/Manifest                          |   2 -
 ...penssh-9.3_p1-disable-conch-interop-tests.patch |  20 --
 .../files/openssh-9.3_p1-fix-putty-tests.patch     |  57 ---
 net-misc/openssh/openssh-9.6_p1-r3.ebuild          | 389 --------------------
 net-misc/openssh/openssh-9.6_p1-r5.ebuild          | 392 ---------------------
 5 files changed, 860 deletions(-)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index bcd96bf1865a..6417c6188e01 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,5 +1,3 @@
-DIST openssh-9.6p1.tar.gz 1857862 BLAKE2B dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd SHA512 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509
-DIST openssh-9.6p1.tar.gz.asc 833 BLAKE2B 9363d02f85457aa90069020827306a2f49d8406e32f5ee1d231844648dd2ffa02fa9b7325b8677a11e46a0ba0d9ffc86d9c989435d691a02f5354a956c49f9f9 SHA512 aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d
 DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
 DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf
 DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a

diff --git a/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch
deleted file mode 100644
index a5647ce9d8d3..000000000000
--- a/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
- 
- tid="conch ciphers"
- 
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- 	echo "conch interop tests not enabled"
- 	exit 0

diff --git a/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch
deleted file mode 100644
index 9ac02c188000..000000000000
--- a/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Make sure that host keys are already accepted before
-running tests.
-
-https://bugs.gentoo.org/493866
-
---- a/regress/putty-ciphers.sh
-+++ b/regress/putty-ciphers.sh
-@@ -16,11 +16,17 @@
- 
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- 	verbose "$tid: cipher $c"
-+	rm -f ${COPY}
- 	cp ${OBJ}/.putty/sessions/localhost_proxy \
- 	    ${OBJ}/.putty/sessions/cipher_$c
- 	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
- 
--	rm -f ${COPY}
-+	env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
- 	    cat ${DATA} > ${COPY}
- 	if [ $? -ne 0 ]; then
---- a/regress/putty-kex.sh
-+++ b/regress/putty-kex.sh
-@@ -20,6 +20,12 @@
- 	    ${OBJ}/.putty/sessions/kex_$k
- 	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
- 
-+	env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
- 	if [ $? -ne 0 ]; then
- 		fail "KEX $k failed"
---- a/regress/putty-transfer.sh
-+++ b/regress/putty-transfer.sh
-@@ -26,6 +26,13 @@
- 	cp ${OBJ}/.putty/sessions/localhost_proxy \
- 	    ${OBJ}/.putty/sessions/compression_$c
- 	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-+
-+	env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load compression_$c -batch \
- 	    -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
- 	if [ $? -ne 0 ]; then

diff --git a/net-misc/openssh/openssh-9.6_p1-r3.ebuild b/net-misc/openssh/openssh-9.6_p1-r3.ebuild
deleted file mode 100644
index c0ac935c3c80..000000000000
--- a/net-misc/openssh/openssh-9.6_p1-r3.ebuild
+++ /dev/null
@@ -1,389 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
-inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="
-	mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa(+),ssl(+)]
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="
-	${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="
-	${RDEPEND}
-	!net-misc/openssh-contrib
-	pam? ( >=sys-auth/pambase-20081028 )
-	!prefix? ( sys-apps/shadow )
-"
-BDEPEND="
-	dev-build/autoconf
-	virtual/pkgconfig
-	verify-sig? ( sec-keys/openpgp-keys-openssh )
-"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
-	"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
-	"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
-)
-
-pkg_pretend() {
-	local i enabled_eol_flags disabled_eol_flags
-	for i in hpn sctp X509; do
-		if has_version "net-misc/openssh[${i}]"; then
-			enabled_eol_flags+="${i},"
-			disabled_eol_flags+="-${i},"
-		fi
-	done
-
-	if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
-		# Skip for binary packages entirely because of environment saving, bug #907892
-		[[ ${MERGE_TYPE} == binary ]] && return
-
-		ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
-		ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
-		ewarn "since these USE flags required third-party patches that often trigger bugs"
-		ewarn "and are of questionable provenance."
-		ewarn
-		ewarn "If you must continue relying on this functionality, switch to"
-		ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
-		ewarn "world file first: 'emerge --deselect net-misc/openssh'"
-		ewarn
-		ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
-		ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
-		ewarn "variant, when re-emerging you will have to set"
-		ewarn
-		ewarn "  OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
-
-		die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
-
-	default
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		# optional at runtime; guarantee a known path
-		--with-xauth="${EPREFIX}"/usr/bin/xauth
-
-		# --with-hardening adds the following in addition to flags we
-		# already set in our toolchain:
-		# * -ftrapv (which is broken with GCC anyway),
-		# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
-		#    the world to not have)
-		# * -fzero-call-used-regs=used (history of miscompilations with
-		#    Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
-		#    gcc PR104820, gcc PR104817, gcc PR110934)).
-		#
-		# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
-		# so we cannot just disable -fzero-call-used-regs=used.
-		#
-		# Therefore, just pass --without-hardening, given it doesn't negate
-		# our already hardened toolchain defaults, and avoids adding flags
-		# which are known-broken in both Clang and GCC and haven't been
-		# proven reliable.
-		--without-hardening
-
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with security-key security-key-builtin)
-		$(use_with ssl openssl)
-		$(use_with ssl ssl-engine)
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
-	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
-	tc-is-clang && myconf+=( --without-hardening )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local tests=( compat-tests )
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		ewarn "user, so we will run a subset only."
-		tests+=( interop-tests )
-	else
-		tests+=( tests )
-	fi
-
-	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
-	mkdir -p "${HOME}"/.ssh || die
-	emake -j1 "${tests[@]}" </dev/null
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
-	Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
-	Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
-	# Send locale environment variables (bug #367017)
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM (bug #658540)
-	SendEnv COLORTERM
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
-	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
-	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
-	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
-	# Allow client to pass locale environment variables (bug #367017)
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM (bug #658540)
-	AcceptEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
-		UsePAM yes
-		# This interferes with PAM.
-		PasswordAuthentication no
-		# PAM can do its own handling of MOTD.
-		PrintMotd no
-		PrintLastLog no
-		EOF
-	fi
-
-	if use livecd ; then
-		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
-		# Allow root login with password on livecds.
-		PermitRootLogin Yes
-		EOF
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.socket
-	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
-	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	# bug #139235
-	optfeature "x11 forwarding" x11-apps/xauth
-
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
-			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
-			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
-			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
-			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
-			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
-			ewarn "set 'Restart=no' in your sshd unit file."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}

diff --git a/net-misc/openssh/openssh-9.6_p1-r5.ebuild b/net-misc/openssh/openssh-9.6_p1-r5.ebuild
deleted file mode 100644
index bfdeed1812a1..000000000000
--- a/net-misc/openssh/openssh-9.6_p1-r5.ebuild
+++ /dev/null
@@ -1,392 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
-inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="
-	mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
-	ldns? ( ssl )
-	pie? ( !static )
-	static? ( !kerberos !pam )
-	xmss? ( ssl  )
-	test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
-	audit? ( sys-process/audit[static-libs(+)] )
-	ldns? (
-		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa(+),ssl(+)]
-	)
-	libedit? ( dev-libs/libedit:=[static-libs(+)] )
-	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
-	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
-	virtual/libcrypt:=[static-libs(+)]
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
-	acct-group/sshd
-	acct-user/sshd
-	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )
-"
-DEPEND="
-	${RDEPEND}
-	virtual/os-headers
-	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
-	static? ( ${LIB_DEPEND} )
-"
-RDEPEND="
-	${RDEPEND}
-	!net-misc/openssh-contrib
-	pam? ( >=sys-auth/pambase-20081028 )
-	!prefix? ( sys-apps/shadow )
-"
-BDEPEND="
-	dev-build/autoconf
-	virtual/pkgconfig
-	verify-sig? ( sec-keys/openpgp-keys-openssh )
-"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
-	"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
-	"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
-	"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
-	"${FILESDIR}/${PN}-9.6_p1-CVE-2024-6387.patch"
-	"${FILESDIR}/${PN}-9.6_p1-chaff-logic.patch"
-)
-
-pkg_pretend() {
-	local i enabled_eol_flags disabled_eol_flags
-	for i in hpn sctp X509; do
-		if has_version "net-misc/openssh[${i}]"; then
-			enabled_eol_flags+="${i},"
-			disabled_eol_flags+="-${i},"
-		fi
-	done
-
-	if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
-		# Skip for binary packages entirely because of environment saving, bug #907892
-		[[ ${MERGE_TYPE} == binary ]] && return
-
-		ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
-		ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
-		ewarn "since these USE flags required third-party patches that often trigger bugs"
-		ewarn "and are of questionable provenance."
-		ewarn
-		ewarn "If you must continue relying on this functionality, switch to"
-		ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
-		ewarn "world file first: 'emerge --deselect net-misc/openssh'"
-		ewarn
-		ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
-		ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
-		ewarn "variant, when re-emerging you will have to set"
-		ewarn
-		ewarn "  OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
-
-		die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
-	fi
-
-	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
-		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
-	fi
-}
-
-src_prepare() {
-	# don't break .ssh/authorized_keys2 for fun
-	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
-	[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
-
-	default
-
-	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
-	sed -e '/\t\tpercent \\/ d' \
-		-i regress/Makefile || die
-
-	tc-export PKG_CONFIG
-	local sed_args=(
-		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
-		# Disable fortify flags ... our gcc does this for us
-		-e 's:-D_FORTIFY_SOURCE=2::'
-	)
-
-	# _XOPEN_SOURCE causes header conflicts on Solaris
-	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-		-e 's/-D_XOPEN_SOURCE//'
-	)
-	sed -i "${sed_args[@]}" configure{.ac,} || die
-
-	eautoreconf
-}
-
-src_configure() {
-	addwrite /dev/ptmx
-
-	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
-	use static && append-ldflags -static
-	use xmss && append-cflags -DWITH_XMSS
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
-		# doesn't check for this, so force the replacement to be put in
-		# place
-		append-cppflags -DBROKEN_GLOB
-	fi
-
-	# use replacement, RPF_ECHO_ON doesn't exist here
-	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
-	local myconf=(
-		--with-ldflags="${LDFLAGS}"
-		--disable-strip
-		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX}"/var/empty
-		--with-privsep-user=sshd
-		# optional at runtime; guarantee a known path
-		--with-xauth="${EPREFIX}"/usr/bin/xauth
-
-		# --with-hardening adds the following in addition to flags we
-		# already set in our toolchain:
-		# * -ftrapv (which is broken with GCC anyway),
-		# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
-		#    the world to not have)
-		# * -fzero-call-used-regs=used (history of miscompilations with
-		#    Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
-		#    gcc PR104820, gcc PR104817, gcc PR110934)).
-		#
-		# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
-		# so we cannot just disable -fzero-call-used-regs=used.
-		#
-		# Therefore, just pass --without-hardening, given it doesn't negate
-		# our already hardened toolchain defaults, and avoids adding flags
-		# which are known-broken in both Clang and GCC and haven't been
-		# proven reliable.
-		--without-hardening
-
-		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
-		$(use_with ldns)
-		$(use_with libedit)
-		$(use_with pam)
-		$(use_with pie)
-		$(use_with selinux)
-		$(use_with security-key security-key-builtin)
-		$(use_with ssl openssl)
-		$(use_with ssl ssl-engine)
-	)
-
-	if use elibc_musl; then
-		# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
-		myconf+=( --disable-utmp --disable-wtmp )
-	fi
-
-	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
-	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
-	tc-is-clang && myconf+=( --without-hardening )
-
-	econf "${myconf[@]}"
-}
-
-src_test() {
-	local tests=( compat-tests )
-	local shell=$(egetshell "${UID}")
-	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		ewarn "user, so we will run a subset only."
-		tests+=( interop-tests )
-	else
-		tests+=( tests )
-	fi
-
-	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
-	mkdir -p "${HOME}"/.ssh || die
-	emake -j1 "${tests[@]}" </dev/null
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
-	local locale_vars=(
-		# These are language variables that POSIX defines.
-		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
-		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
-		# These are the GNU extensions.
-		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
-		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-	)
-
-	dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
-	Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
-	EOF
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
-	Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
-	# Send locale environment variables (bug #367017)
-	SendEnv ${locale_vars[*]}
-
-	# Send COLORTERM to match TERM (bug #658540)
-	SendEnv COLORTERM
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
-	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
-	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
-	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-	EOF
-
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
-	# Allow client to pass locale environment variables (bug #367017)
-	AcceptEnv ${locale_vars[*]}
-
-	# Allow client to pass COLORTERM to match TERM (bug #658540)
-	AcceptEnv COLORTERM
-	EOF
-
-	if use pam ; then
-		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
-		UsePAM yes
-		# This interferes with PAM.
-		PasswordAuthentication no
-		# PAM can do its own handling of MOTD.
-		PrintMotd no
-		PrintLastLog no
-		EOF
-	fi
-
-	if use livecd ; then
-		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
-		# Allow root login with password on livecds.
-		PermitRootLogin Yes
-		EOF
-	fi
-}
-
-src_install() {
-	emake install-nokeys DESTDIR="${D}"
-	fperms 600 /etc/ssh/sshd_config
-	dobin contrib/ssh-copy-id
-	newinitd "${FILESDIR}"/sshd-r1.initd sshd
-	newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
-	if use pam; then
-		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-	fi
-
-	tweak_ssh_configs
-
-	doman contrib/ssh-copy-id.1
-	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
-	diropts -m 0700
-	dodir /etc/skel/.ssh
-	rmdir "${ED}"/var/empty || die
-
-	systemd_dounit "${FILESDIR}"/sshd.socket
-	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
-	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
-}
-
-pkg_preinst() {
-	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
-		show_ssl_warning=1
-	fi
-}
-
-pkg_postinst() {
-	# bug #139235
-	optfeature "x11 forwarding" x11-apps/xauth
-
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
-			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
-			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
-			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
-			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
-			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
-			ewarn "set 'Restart=no' in your sshd unit file."
-		fi
-	done
-
-	if [[ -n ${show_ssl_warning} ]]; then
-		elog "Be aware that by disabling openssl support in openssh, the server and clients"
-		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
-		elog "and update all clients/servers that utilize them."
-	fi
-}


^ permalink raw reply related	[flat|nested] 57+ messages in thread

end of thread, other threads:[~2024-10-29  1:13 UTC | newest]

Thread overview: 57+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-14 21:14 [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/ Patrick McLean
  -- strict thread matches above, loose matches on Subject: below --
2024-10-29  1:13 Sam James
2024-07-07  8:44 Sam James
2024-07-06 23:44 Mike Gilbert
2023-08-21 17:49 Sam James
2023-05-06 15:08 David Seifert
2023-03-17  3:58 Patrick McLean
2023-03-15  3:14 Sam James
2022-10-06 23:12 Patrick McLean
2022-06-23 22:35 Patrick McLean
2022-05-19 23:08 Patrick McLean
2022-05-10 17:32 Mike Gilbert
2022-04-11 20:57 Patrick McLean
2022-03-06  7:22 Patrick McLean
2022-02-26  1:38 Patrick McLean
2022-02-26  1:07 Patrick McLean
2022-01-17  0:37 Mike Gilbert
2021-12-24 10:57 Marc Schiffbauer
2021-10-29 22:06 Patrick McLean
2021-10-01  1:08 Patrick McLean
2021-09-09  0:02 Patrick McLean
2021-08-27  0:13 Patrick McLean
2021-03-04  7:04 Patrick McLean
2020-10-01 17:46 Patrick McLean
2020-09-30 20:57 Patrick McLean
2020-07-24 21:12 Patrick McLean
2020-06-08 17:49 Patrick McLean
2020-05-31 21:14 Patrick McLean
2020-04-21 11:30 Thomas Deutschmann
2020-04-17 17:48 Patrick McLean
2019-06-17 20:14 Patrick McLean
2019-04-29 23:35 Patrick McLean
2019-03-03 14:32 Lars Wendler
2018-12-20  0:51 Patrick McLean
2018-10-22 17:32 Patrick McLean
2018-10-19 23:59 Patrick McLean
2018-09-13  2:10 Patrick McLean
2018-06-11 22:47 Thomas Deutschmann
2018-04-11  2:44 Thomas Deutschmann
2018-03-13 18:50 Patrick McLean
2018-02-12 19:25 Patrick McLean
2018-01-23 23:54 Patrick McLean
2018-01-23  1:42 Patrick McLean
2017-11-14 22:15 Thomas Deutschmann
2017-11-07  1:29 Patrick McLean
2017-10-12  0:42 Patrick McLean
2017-10-10 13:26 Lars Wendler
2017-03-30 18:30 Patrick McLean
2016-12-22  7:39 Mike Frysinger
2016-10-17 17:51 Patrick McLean
2016-09-28  8:40 Lars Wendler
2016-09-20  1:42 Patrick McLean
2016-09-07 22:24 Patrick McLean
2016-08-03 21:06 Patrick McLean
2016-01-14 15:49 Lars Wendler
2015-08-24 21:26 Patrick McLean
2015-08-12  8:09 Mike Frysinger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox