Revert "openssh: Upgraded the package to upstream."
This reverts commit 427a90a8788020a7141386d6f5d2298f3ba559ea.
Reason for revert: k8s_e2e tests are failing.
Change-Id: I6cc66dbc6fb6a434dc86d0877b6fa748dfe0f6f8
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/33660
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Dexter Rivera <riverade@google.com>
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 3142cc6..adff194 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,15 +1,6 @@
-DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
-DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
-DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-DIST openssh-8.8p1.tar.gz.asc 833 BLAKE2B ffe78af226b9c8395e60ca54bcb626cc933ee069f9f0f17f408ca1493cb346aa3fb878efeaccc646f8fa7bf1c40d6d61a81e37342ccf56ae601403bf9d59f4d6 SHA512 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
-DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
-DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
-DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
-DIST openssh-8.9p1.tar.gz.asc 833 BLAKE2B fd44a5545bd0795ee335e480011dbe3c12011dc05b8722fb257bf4c7e8067ab4b515293cf73d23d57b6cf6980eb4e49251b026af9498a237365c5b0440226898 SHA512 fd0bbd285ff2f8791f5a512f087f32bce026b716d5ac213cd4ef28f08722601fb943514bee71b2ac4b9f9363e2f120ce6c60fed952d1d8e53dbcf2a6fe2e706b
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.0p1+x509-13.3.2.diff.gz 1128591 BLAKE2B fb560e2f1803ceb946a1ba8bd53a1f9fd262896b820c23d4b0015218433d2200f1fd9df5b1889a670261f13936d8153da1ab4beb2a5d52ede78168189c522bf3 SHA512 e643168d7098c44f85a9bac9894a936a3480ec843162197ce56e016dd4f634ef182dcfae1f7e18408f6a18832e0a95d2d249a23fdbc3dc46df76989ca0a0c7fc
-DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
-DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
-DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
+DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
+DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
+DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
+DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
+DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
+DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
similarity index 61%
rename from net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
rename to net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
index 6dc290d..37905ce 100644
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
+++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
@@ -2,12 +2,12 @@
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
-@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
- oerrno = errno;
+ error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
new file mode 100644
index 0000000..90fa248
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
@@ -0,0 +1,105 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
+@@ -409,18 +409,10 @@
+ index 817da43b..b2bcf78f 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index 8ccfd2e0..1ad9bc06 100644
+ --- a/packet.h
+@@ -476,9 +454,9 @@
+ /* Format of the configuration file:
+
+ @@ -167,6 +168,8 @@ typedef enum {
+- oHashKnownHosts,
+ oTunnel, oTunnelDevice,
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ oDisableMTAES,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneSwitch,
+ oVisualHostKey,
+@@ -615,9 +593,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -112,7 +116,10 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none to be used */
+ int rekey_interval;
+@@ -700,9 +678,9 @@
+ + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ + }
+ +
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- if (options->ip_qos_bulk == -1)
+ @@ -486,6 +532,8 @@ typedef enum {
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
+@@ -1079,11 +1057,11 @@
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+-+
++
+ + /*
+ + * If the user wants to use the none cipher, do it post authentication
+ + * and only if the right conditions are met -- both of the NONE commands
+@@ -1105,9 +1083,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ diff --git a/sshd.c b/sshd.c
+ index 11571c01..23a06022 100644
+ --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
new file mode 100644
index 0000000..3f5c7a4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
@@ -0,0 +1,19 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
+@@ -1191,15 +1191,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b3fadf8..ec1d2e27 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION "OpenSSH_8.1"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn14v20"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+-+
diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
new file mode 100644
index 0000000..505e34d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
@@ -0,0 +1,26 @@
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 86ea6250..844adabc 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -252,7 +252,7 @@ test_one() {
+ test_one "user-certificate" failure "-n $HOSTS"
+ test_one "empty principals" success "-h"
+ test_one "wrong principals" failure "-h -n foo"
+-test_one "cert not yet valid" failure "-h -V20200101:20300101"
++test_one "cert not yet valid" failure "-h -V20300101:20320101"
+ test_one "cert expired" failure "-h -V19800101:19900101"
+ test_one "cert valid interval" success "-h -V-1w:+2w"
+ test_one "cert has constraints" failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 38c14a69..5cd02fc3 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -338,7 +338,7 @@ test_one() {
+ test_one "correct principal" success "-n ${USER}"
+ test_one "host-certificate" failure "-n ${USER} -h"
+ test_one "wrong principals" failure "-n foo"
+-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff --git a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
similarity index 89%
copy from net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
copy to net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
index ffc40b7..d4db77b 100644
--- a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
@@ -1,8 +1,8 @@
diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
+index 086b8ebb..a267353c 100644
--- a/auth.c
+++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
+@@ -724,120 +724,6 @@ fakepw(void)
return (&fake);
}
@@ -11,7 +11,9 @@
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
@@ -118,11 +120,11 @@
- }
-}
-
- /* These functions link key/cert options to the auth framework */
-
- /* Log sshauthopt options locally and (optionally) for remote transmission */
+ /*
+ * Runs command in a subprocess with a minimal environment.
+ * Returns pid on success, 0 on failure.
diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
+index abea9c6e..4f4524d2 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@@ -153,9 +155,9 @@
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) == -1) {
++ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
-+ return xstrdup(ntop);
++ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
@@ -167,7 +169,7 @@
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
-+ return xstrdup(ntop);
++ return strdup(ntop);
+ }
+
+ /*
@@ -182,7 +184,7 @@
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
-+ return xstrdup(ntop);
++ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
@@ -203,7 +205,7 @@
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
-+ return xstrdup(ntop);
++ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
@@ -218,9 +220,9 @@
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
-+ return xstrdup(ntop);
++ return strdup(ntop);
+ }
-+ return xstrdup(name);
++ return strdup(name);
+}
+
+/*
@@ -244,10 +246,10 @@
+ }
+}
diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
+index f3cac6b3..adfd7a4e 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
+@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -255,7 +257,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
+@@ -205,9 +206,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -267,7 +269,7 @@
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
+@@ -1033,6 +1036,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@@ -278,15 +280,15 @@
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
- options->pubkey_authentication = -1;
+@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
+ options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@@ -296,11 +298,11 @@
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
+index feedb3d2..c7139c1b 100644
--- a/readconf.h
+++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
- int hostbased_authentication; /* ssh2's rhosts_rsa */
+@@ -42,6 +42,7 @@ typedef struct {
+ /* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
@@ -308,10 +310,10 @@
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
+index 06a32d31..6871ff36 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
+@@ -770,6 +770,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@@ -329,10 +331,10 @@
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
+index af00fb30..652463c5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -346,7 +348,7 @@
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
diff --git a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
new file mode 100644
index 0000000..6bd7166
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile.in b/Makefile.in
+index c9e4294d..2dbfac24 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -44,7 +44,7 @@ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
+ LIBS=@LIBS@
+ K5LIBS=@K5LIBS@
diff --git a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
new file mode 100644
index 0000000..f12a309
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
@@ -0,0 +1,34 @@
+diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
+--- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
++++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
+@@ -39348,12 +39348,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -384,6 +365,8 @@
++@@ -384,6 +365,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -103950,16 +103949,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
+---- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
+-+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.4"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
+ --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
new file mode 100644
index 0000000..32713d4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
@@ -0,0 +1,30 @@
+From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+ # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+ # the cat adds the keys we're getting via STDIN
+ # and if available restorecon is used to restore the SELinux context
+- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
++ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ cd;
+ umask 077;
+ mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ restorecon -F .ssh ${AUTH_KEY_FILE};
+ fi
+ EOF
++ )
+
+ # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+ printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
new file mode 100644
index 0000000..9bd600b
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
@@ -0,0 +1,129 @@
+diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
+--- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
++++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,7 +803,7 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+ + struct sshcipher *none = cipher_by_name("none");
+ int r;
+
+@@ -901,17 +901,18 @@
+ }
+
+ /*
+-@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
++@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
++
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+-
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
+++
++ /* expand KEX and etc. name lists */
++ { char *all;
++ #define ASSEMBLE(what, defaults, all) \
+ diff --git a/readconf.h b/readconf.h
+ index e143a108..1383a3cd 100644
+ --- a/readconf.h
+@@ -950,9 +951,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -679,6 +683,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
+--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
+@@ -382,7 +382,7 @@
+ @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -1193,14 +1193,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index a2eca3ec..ff654fc3 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.3"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn14v22"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
+--- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
++++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
+
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++- if (win_size > 36) {
++- int file_len = win_size - 36;
+++ if (win_size > 45) {
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
new file mode 100644
index 0000000..884063c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
@@ -0,0 +1,94 @@
+diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
+--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
+@@ -409,18 +409,10 @@
+ index e7abb341..c23276d4 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index c2544bd9..ebd85c88 100644
+ --- a/packet.h
+@@ -481,9 +459,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -294,6 +297,8 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -615,9 +593,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -114,7 +118,10 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none to be used */
+ int rekey_interval;
+@@ -700,9 +678,9 @@
+ + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ + }
+ +
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- if (options->ip_qos_bulk == -1)
+ @@ -519,6 +565,8 @@ typedef enum {
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
+@@ -1081,11 +1059,11 @@
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+-@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++ }
++ }
++ #endif
+
+- if (!authctxt.success)
+- fatal("Authentication failed.");
+-+
+ + /*
+ + * If the user wants to use the none cipher, do it post authentication
+ + * and only if the right conditions are met -- both of the NONE commands
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
new file mode 100644
index 0000000..79cc3e5
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
@@ -0,0 +1,20 @@
+--- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:31:37.392120799 -0700
++++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:32:46.143684424 -0700
+@@ -672,7 +672,7 @@
+ +const EVP_CIPHER *
+ +evp_aes_ctr_mt(void)
+ +{
+-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
+++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
+ + static EVP_CIPHER *aes_ctr;
+ + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
+@@ -701,7 +701,7 @@
+ + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ +# endif /*SSH_OLD_EVP*/
+ + return &aes_ctr;
+-+# endif /*OPENSSH_VERSION_NUMBER*/
+++# endif /*OPENSSL_VERSION_NUMBER*/
+ +}
+ +
+ +#endif /* defined(WITH_OPENSSL) */
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
new file mode 100644
index 0000000..52ec42e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
+--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
+@@ -1171,14 +1171,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index a2eca3ec..ff654fc3 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.3"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn14v22"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
similarity index 91%
rename from net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
rename to net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
index ffc40b7..eec66ad 100644
--- a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
@@ -1,8 +1,6 @@
-diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
---- a/auth.c
-+++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
+--- a/auth.c 2021-03-02 04:31:47.000000000 -0600
++++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
+@@ -727,119 +727,6 @@ fakepw(void)
return (&fake);
}
@@ -11,7 +9,9 @@
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
@@ -117,14 +117,11 @@
- return dnsname;
- }
-}
--
+
/* These functions link key/cert options to the auth framework */
- /* Log sshauthopt options locally and (optionally) for remote transmission */
-diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
---- a/canohost.c
-+++ b/canohost.c
+--- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
++++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
@@ -244,7 +241,7 @@
+ }
+}
diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
+index 724974b7..97a1ffd8 100644
--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,7 @@ typedef enum {
@@ -255,7 +252,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
+@@ -206,9 +207,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -267,7 +264,7 @@
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
+@@ -1083,6 +1086,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@@ -278,15 +275,15 @@
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
- options->pubkey_authentication = -1;
+@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
+ options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@@ -296,11 +293,11 @@
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
+index 2fba866e..da3ce87a 100644
--- a/readconf.h
+++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
- int hostbased_authentication; /* ssh2's rhosts_rsa */
+@@ -42,6 +42,7 @@ typedef struct {
+ /* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
@@ -308,10 +305,10 @@
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
+index f8119189..e0fd0d76 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
+@@ -783,6 +783,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@@ -329,10 +326,10 @@
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
+index 059c9480..ab6f6832 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -346,7 +343,7 @@
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
new file mode 100644
index 0000000..71b27f2
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
@@ -0,0 +1,73 @@
+diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
+--- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
++++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
+@@ -46675,12 +46675,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -380,6 +364,8 @@
++@@ -380,6 +364,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -63967,7 +63966,7 @@
+ - echo "putty interop tests not enabled"
+ - exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
+
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
+ verbose "$tid: cipher $c"
+@@ -63982,7 +63981,7 @@
+ - echo "putty interop tests not enabled"
+ - exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
+
+ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+ verbose "$tid: kex $k"
+@@ -63997,7 +63996,7 @@
+ - echo "putty interop tests not enabled"
+ - exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
+
+ if [ "`${SSH} -Q compression`" = "none" ]; then
+ comp="0"
+@@ -64129,9 +64128,9 @@
+
+ +# cross-project configuration
+ +if test "$sshd_type" = "pkix" ; then
+-+ unset_arg=''
+++ unset_arg=
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -122238,16 +122237,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
+---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
+-+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
+ --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
new file mode 100644
index 0000000..e2d4ce8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
@@ -0,0 +1,325 @@
+diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
+--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
+-+ struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+++ struct sshcipher *none = cipher_none();
+ int r;
+
+ if (none == NULL) {
+@@ -894,24 +894,24 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+- options->hostbased_accepted_algos = NULL;
+- options->pubkey_accepted_algos = NULL;
+- options->known_hosts_command = NULL;
++ options->revoked_host_keys = NULL;
++ options->fingerprint_hash = -1;
++ options->update_hostkeys = -1;
+ + options->disable_multithreaded = -1;
+ }
+
+ /*
+ @@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
++ options->update_hostkeys = 0;
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
++ /* expand KEX and etc. name lists */
++ { char *all;
+ diff --git a/readconf.h b/readconf.h
+ index d6a15550..d2d20548 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -672,6 +676,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
+@@ -157,6 +157,36 @@
+ + Allan Jude provided the code for the NoneMac and buffer normalization.
+ + This work was financed, in part, by Cisco System, Inc., the National
+ + Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
+++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
++@@ -229,16 +229,17 @@
++ double delay;
++
++ digest_alg = ssh_digest_maxbytes();
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
++
++- (void)snprintf(b, sizeof b, "%llu%s",
++- (unsigned long long)options.timing_secret, user);
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++- fatal_f("ssh_digest_memory");
++- /* 0-4.2 ms of delay */
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++- freezero(hash, len);
+++ (void)snprintf(b, sizeof b, "%llu%s",
+++ (unsigned long long)options.timing_secret, user);
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++ fatal_f("ssh_digest_memory");
+++ /* 0-4.2 ms of delay */
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++ freezero(hash, len);
+++ }
++ debug3_f("user specific delay %0.3lfms", delay/1000);
++ return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index e4917f3c..e0db582e 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ - ((c->local_window_max - c->local_window >
+ - c->local_maxpacket*3) ||
+-+ ((ssh_packet_is_interactive(ssh) &&
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++ ((ssh_packet_is_interactive(ssh) &&
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
+ + u_int addition = 0;
+@@ -234,10 +264,12 @@
+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
++- (r = sshpkt_send(ssh)) != 0)
++- fatal_fr(r, "channel %d", c->self);
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0) {
+- fatal_fr(r, "channel %i", c->self);
+- }
+++ (r = sshpkt_send(ssh)) != 0) {
+++ fatal_fr(r, "channel %i", c->self);
+++ }
+ debug2("channel %d: window %d sent adjust %d", c->self,
+ - c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+@@ -384,20 +416,38 @@
+ index dec8e7e9..3c11558e 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+- debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@
++ static u_int
++ compat_datafellows(const char *version)
++ {
++- int i;
+++ int i, bugs = 0;
++ static struct {
++ char *pat;
++ int bugs;
++@@ -147,11 +147,19 @@
++ if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- ssh->compat = check[i].bugs;
+-+ /* Check to see if the remote side is OpenSSH and not HPN */
+-+ if (strstr(version, "OpenSSH") != NULL) {
+-+ if (strstr(version, "hpn") == NULL) {
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
+-+ debug("Remote is NON-HPN aware");
+-+ }
+-+ }
+- return;
++- return check[i].bugs;
+++ bugs |= check[i].bugs;
+ }
+ }
++- debug("no match: %s", version);
++- return 0;
+++ /* Check to see if the remote side is OpenSSH and not HPN */
+++ if (strstr(version, "OpenSSH") != NULL) {
+++ if (strstr(version, "hpn") == NULL) {
+++ bugs |= SSH_BUG_LARGEWINDOW;
+++ debug("Remote is NON-HPN aware");
+++ }
+++ }
+++ if (bugs == 0)
+++ debug("no match: %s", version);
+++ return bugs;
++ }
++
++ char *
+ diff --git a/compat.h b/compat.h
+ index 66db42cc..d4e811e4 100644
+ --- a/compat.h
+@@ -456,7 +506,7 @@
+ @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag = 0;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -1033,19 +1083,6 @@
+
+ /* File to read commands from */
+ FILE* infile;
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index a12b79a5..8b839219 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error("Unable to load resident keys: %s", ssh_err(r));
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
+ diff --git a/ssh.c b/ssh.c
+ index f34ca0d7..d7d134f7 100644
+ --- a/ssh.c
+@@ -1091,7 +1128,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1331,6 +1368,26 @@
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
++@@ -1625,12 +1625,13 @@
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ sshbuf_len(server_cfg)) != 0)
++ fatal_f("ssh_digest_update");
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
++- if (ssh_digest_final(ctx, hash, len) != 0)
++- fatal_f("ssh_digest_final");
++- options.timing_secret = PEEK_U64(hash);
++- freezero(hash, len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
+++ if (ssh_digest_final(ctx, hash, len) != 0)
+++ fatal_f("ssh_digest_final");
+++ options.timing_secret = PEEK_U64(hash);
+++ freezero(hash, len);
+++ }
++ ssh_digest_free(ctx);
++ ctx = NULL;
++ return;
+ @@ -1746,6 +1753,19 @@ main(int ac, char **av)
+ /* Fill in default values for those options not explicitly set. */
+ fill_default_server_options(&options);
+@@ -1401,14 +1458,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index c2f9c55b..f2e7fa80 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.4"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v1"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
+--- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
++++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -33,12 +33,12 @@
+ @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++ if (win_size > 36) {
++- int file_len = win_size - 36;
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
+@@ -63,15 +63,3 @@
+ }
+
+ /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index a12b79a5..76b22338 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
+-
+- if (skprovider == NULL)
+- fatal("Cannot download keys without provider");
+--
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- if (!quiet) {
+- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
new file mode 100644
index 0000000..ec6e687
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
@@ -0,0 +1,242 @@
+diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
+--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
+@@ -894,9 +894,9 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+- options->update_hostkeys = -1;
+- options->hostbased_key_types = NULL;
+- options->pubkey_key_types = NULL;
++ options->hostbased_accepted_algos = NULL;
++ options->pubkey_accepted_algos = NULL;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+ }
+
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
+@@ -209,7 +209,7 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+@@ -229,22 +229,19 @@
+ + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ + }
+ if (!c->have_remote_id)
+- fatal(":%s: channel %d: no remote id",
+- __func__, c->self);
++ fatal_f("channel %d: no remote id", c->self);
+ if ((r = sshpkt_start(ssh,
+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0) {
+- fatal("%s: channel %i: %s", __func__,
+- c->self, ssh_err(r));
++ fatal_fr(r, "channel %i", c->self);
+ }
+- debug2("channel %d: window %d sent adjust %d",
+- c->self, c->local_window,
+-- c->local_consumed);
++ debug2("channel %d: window %d sent adjust %d", c->self,
++- c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+-+ c->local_consumed + addition);
+++ c->local_window, c->local_consumed + addition);
+ + c->local_window += c->local_consumed + addition;
+ c->local_consumed = 0;
+ }
+@@ -387,18 +384,18 @@
+ index dec8e7e9..3c11558e 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
+- debug("match: %s pat %s compat 0x%08x",
++@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
++ debug_f("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- datafellows = check[i].bugs; /* XXX for now */
++ ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ datafellows |= SSH_BUG_LARGEWINDOW;
+++ ssh->compat |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return check[i].bugs;
++ return;
+ }
+ }
+ diff --git a/compat.h b/compat.h
+@@ -431,9 +428,9 @@
+ --- a/digest-openssl.c
+ +++ b/digest-openssl.c
+ @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
+- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
++ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
+ { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
+- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
++ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
+ { -1, NULL, 0, NULL },
+ };
+@@ -536,18 +533,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +550,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -622,9 +597,9 @@
+ /* Format of the configuration file:
+
+ @@ -165,6 +166,8 @@ typedef enum {
+- oHashKnownHosts,
+ oTunnel, oTunnelDevice,
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ oDisableMTAES,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oVisualHostKey,
+@@ -778,9 +753,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -115,7 +119,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -888,9 +863,9 @@
+ + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ + }
+ +
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- if (options->ip_qos_bulk == -1)
+ @@ -511,6 +564,8 @@ typedef enum {
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
+@@ -1091,7 +1066,7 @@
+ }
+
+ +static void
+-+hpn_options_init(void)
+++hpn_options_init(struct ssh *ssh)
+ +{
+ + /*
+ + * We need to check to see if what they want to do about buffer
+@@ -1116,7 +1091,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
+++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1186,7 +1161,7 @@
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+- debug3("%s: channel_new: %d", __func__, c->self);
++ debug3_f("channel_new: %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+@@ -1198,7 +1173,7 @@
+ + * might open channels that use the hpn buffer sizes. We can't send a
+ + * window of -1 (the default) to the server as it breaks things.
+ + */
+-+ hpn_options_init();
+++ hpn_options_init(ssh);
+ +
+ /* XXX should be pre-session */
+ if (!options.control_persist)
+@@ -1297,11 +1272,10 @@
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+-
++@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+-+
++
+ + /*
+ + * If the user wants to use the none cipher, do it post authentication
+ + * and only if the right conditions are met -- both of the NONE commands
+@@ -1329,9 +1303,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ diff --git a/sshd.c b/sshd.c
+ index 8aa7f3df..d0e3f1b0 100644
+ --- a/sshd.c
+@@ -1397,9 +1371,9 @@
+ + if (options.nonemac_enabled == 1)
+ + debug("WARNING: None MAC enabled");
+ +
+- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
+ options.kex_algorithms);
+- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
+ diff --git a/sshd_config b/sshd_config
+ index 19b7c91a..cdd889b2 100644
+ --- a/sshd_config
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
new file mode 100644
index 0000000..d4835d1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
+--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800
++++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800
+@@ -1401,14 +1401,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index c2f9c55b..f2e7fa80 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.4"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v1"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
deleted file mode 100644
index 7199227..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
-@@ -1414,14 +1414,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch b/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
new file mode 100644
index 0000000..8b7a5ba
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
@@ -0,0 +1,26 @@
+diff --git a/misc.c b/misc.c
+index d988ce3b..33eca1c1 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
++
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ strerror(errno));
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 49c0591..0000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
-- options->revoked_host_keys = NULL;
- options->fingerprint_hash = -1;
- options->update_hostkeys = -1;
-+ options->known_hosts_command = NULL;
- + options->disable_multithreaded = -1;
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ }
-+
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -235,9 +265,8 @@
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-+ (r = sshpkt_send(ssh)) != 0)
-+ fatal_fr(r, "channel %d", c->self);
- - debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -337,70 +366,92 @@
- index 70f492f8..5503af1d 100644
- --- a/clientloop.c
- +++ b/clientloop.c
--@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
- sock = x11_connect_display(ssh);
- if (sock < 0)
- return NULL;
- - c = channel_new(ssh, "x11",
- - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
--+ c = channel_new(ssh, "x11",
--+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--+ /* again is this really necessary for X11? */
--+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "x11",
-++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-++ /* again is this really necessary for X11? */
-++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
- return NULL;
- }
- c = channel_new(ssh, "authentication agent connection",
- - SSH_CHANNEL_OPEN, sock, sock, -1,
- - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
--- "authentication agent connection", 1);
--+ SSH_CHANNEL_OPEN, sock, sock, -1,
--+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0,
--+ "authentication agent connection", 1);
-+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
-++ SSH_CHANNEL_OPEN, sock, sock, -1,
-++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_TCP_PACKET_DEFAULT, 0,
-++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
-+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
- }
- debug("Tunnel forwarding using interface %s", ifname);
-
- - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
--+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
- c->datagram = 1;
-
--+
--+
- #if defined(SSH_TUN_FILTER)
-- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-- channel_register_filter(ssh, c->self, sys_tun_infilter,
- diff --git a/compat.c b/compat.c
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,26 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
--+ /* TODO: need to use new method to test for this */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-++ bugs |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +510,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +604,7 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
- fd_set *setp;
-@@ -1035,19 +1086,6 @@
-
- /* Minimum amount of data to read at a time */
- #define MIN_READ_SIZE 512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error_r(r, "Unable to load resident keys");
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1131,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1157,14 +1195,14 @@
- }
- @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
- window, packetmax, CHAN_EXTENDED_WRITE,
-- "client-session", /*nonblock*/0);
-+ "client-session", CHANNEL_NONBLOCK_STDIO);
-
- + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
- + c->dynamic_window = 1;
- + debug("Enabled Dynamic Window Scaling");
- + }
- +
-- debug3_f("channel_new: %d", c->self);
-+ debug2_f("channel %d", c->self);
-
- channel_send_open(ssh, c->self);
- @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
-@@ -1335,7 +1373,29 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-+- ssh_digest_free(ctx);
-++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ ssh_digest_free(ctx);
-++ }
-+ ctx = NULL;
-+ return;
-+ }
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
- fatal("AuthorizedPrincipalsCommand set without "
- "AuthorizedPrincipalsCommandUser");
-
-@@ -1355,7 +1415,7 @@
- /*
- * Check whether there is any path through configured auth methods.
- * Unfortunately it is not possible to verify this generally before
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
-
-@@ -1365,7 +1425,7 @@
- /*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
- struct kex *kex;
- int r;
-
-@@ -1405,14 +1465,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
--
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-+
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-++ if (win_size > 45) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 309e57e..0000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
-@@ -1026,9 +1026,9 @@
- + }
- +#endif
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ if (ssh_packet_connection_is_on_socket(ssh)) {
-+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
-+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..bf3d6e4a 100644
- --- a/sshd.c
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
-@@ -536,18 +536,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -598,12 +576,11 @@
- };
-
- typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
- int ssh_packet_set_maxsize(struct ssh *, u_int);
- u_int ssh_packet_get_maxsize(struct ssh *);
-
- +/* for forced packet rekeying post auth */
--+void packet_request_rekeying(void);
- +int packet_authentication_state(const struct ssh *);
- +
- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -637,9 +614,9 @@
- + { "noneenabled", oNoneEnabled },
- + { "nonemacenabled", oNoneMacEnabled },
- + { "noneswitch", oNoneSwitch },
-- { "proxyusefdpass", oProxyUseFdpass },
-- { "canonicaldomains", oCanonicalDomains },
-- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
-+ { "sessiontype", oSessionType },
-+ { "stdinnull", oStdinNull },
-+ { "forkafterauthentication", oForkAfterAuthentication },
- @@ -317,6 +323,11 @@ static struct {
- { "securitykeyprovider", oSecurityKeyProvider },
- { "knownhostscommand", oKnownHostsCommand },
-@@ -717,9 +694,9 @@
- + options->hpn_buffer_size = -1;
- + options->tcp_rcv_buf_poll = -1;
- + options->tcp_rcv_buf = -1;
-- options->proxy_use_fdpass = -1;
-- options->ignored_unknown = NULL;
-- options->num_canonical_domains = 0;
-+ options->session_type = -1;
-+ options->stdin_null = -1;
-+ options->fork_after_authentication = -1;
- @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
-@@ -778,9 +755,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
- Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
--
-- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN 32768
-+
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS 64
-++#define DEFAULT_NUM_REQUESTS 256
-
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE 512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
-@@ -1359,8 +1336,8 @@
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-- /* Fill in default values for those options not explicitly set. */
-- fill_default_server_options(&options);
-+ fatal("AuthorizedPrincipalsCommand set without "
-+ "AuthorizedPrincipalsCommandUser");
-
- + if (options.none_enabled == 1) {
- + char *old_ciphers = options.ciphers;
-@@ -1375,9 +1352,9 @@
- + }
- + }
- +
-- /* challenge-response is implemented via keyboard interactive */
-- if (options.challenge_response_authentication)
-- options.kbd_interactive_authentication = 1;
-+ /*
-+ * Check whether there is any path through configured auth methods.
-+ * Unfortunately it is not possible to verify this generally before
- @@ -2166,6 +2186,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
deleted file mode 100644
index b682762..0000000
--- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
---- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
-+++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
-@@ -954,15 +954,16 @@
- char b[512];
- - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
- - u_char *hash = xmalloc(len);
-+- double delay;
- + int digest_alg;
- + size_t len;
- + u_char *hash;
-- double delay;
--
-++ double delay = 0;
-++
- + digest_alg = ssh_digest_maxbytes();
- + len = ssh_digest_bytes(digest_alg);
- + hash = xmalloc(len);
--+
-+
- (void)snprintf(b, sizeof b, "%llu%s",
- (unsigned long long)options.timing_secret, user);
- - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -51859,12 +51860,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +372,8 @@
-+@@ -391,6 +372,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -71985,7 +71985,7 @@
- +if test "$sshd_type" = "pkix" ; then
- + unset_arg=''
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -132360,16 +132360,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
----- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
--+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.8"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
- --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
deleted file mode 100644
index eab5b53..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
---- a/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:49:32.673126122 -0800
-+++ b/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:52:52.581776560 -0800
-@@ -1002,15 +1002,16 @@
- char b[512];
- - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
- - u_char *hash = xmalloc(len);
-+- double delay;
- + int digest_alg;
- + size_t len;
- + u_char *hash;
-- double delay;
--
-++ double delay = 0;
-++
- + digest_alg = ssh_digest_maxbytes();
- + len = ssh_digest_bytes(digest_alg);
- + hash = xmalloc(len);
--+
-+
- (void)snprintf(b, sizeof b, "%llu%s",
- (unsigned long long)options.timing_secret, user);
- - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -44746,8 +44747,8 @@
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
--- if (gethostname(lname, MAXHOSTNAMELEN)) {
--+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
-+- if (gethostname(lname, HOST_NAME_MAX)) {
-++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
-@@ -52143,7 +52144,7 @@
- diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
- --- openssh-8.9p1/m4/openssh.m4 2022-02-23 13:31:11.000000000 +0200
- +++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4 1970-01-01 02:00:00.000000000 +0200
--@@ -1,200 +0,0 @@
-+@@ -1,203 +0,0 @@
- -dnl OpenSSH-specific autoconf macros
- -dnl
- -
-@@ -52160,6 +52161,8 @@
- - AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
- -#include <stdlib.h>
- -#include <stdio.h>
-+-/* Trivial function to help test for -fzero-call-used-regs */
-+-void f(int n) {}
- -int main(int argc, char **argv) {
- - (void)argv;
- - /* Some math to catch -ftrapv problems in the toolchain */
-@@ -52167,6 +52170,7 @@
- - float l = i * 2.1;
- - double m = l / 0.5;
- - long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
-+- f(0);
- - printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
- - /*
- - * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
-@@ -52884,12 +52888,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -396,6 +372,8 @@
-+@@ -396,6 +372,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -73836,7 +73839,7 @@
- +if test "$sshd_type" = "pkix" ; then
- + unset_arg=''
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -79691,25 +79694,6 @@
- #ifdef __NR_getrandom
- SC_ALLOW(__NR_getrandom),
- #endif
--@@ -267,15 +273,15 @@
-- #ifdef __NR_clock_nanosleep_time64
-- SC_ALLOW(__NR_clock_nanosleep_time64),
-- #endif
---#ifdef __NR_clock_gettime64
--- SC_ALLOW(__NR_clock_gettime64),
---#endif
-- #ifdef __NR__newselect
-- SC_ALLOW(__NR__newselect),
-- #endif
-- #ifdef __NR_ppoll
-- SC_ALLOW(__NR_ppoll),
-- #endif
--+#ifdef __NR_ppoll_time64
--+ SC_ALLOW(__NR_ppoll_time64),
--+#endif
-- #ifdef __NR_poll
-- SC_ALLOW(__NR_poll),
-- #endif
- @@ -288,6 +294,9 @@
- #ifdef __NR_read
- SC_ALLOW(__NR_read),
-@@ -137848,16 +137832,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
----- openssh-8.9p1/version.h 2022-02-23 13:31:11.000000000 +0200
--+++ openssh-8.9p1+x509-13.3.1/version.h 2022-03-05 10:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.9"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
- --- openssh-8.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.9p1+x509-13.3.1/version.m4 2022-03-05 10:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
deleted file mode 100644
index 8c46625..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 2e065ba3..4ce80cb2 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_ppoll
- SC_ALLOW(__NR_ppoll),
- #endif
-+#ifdef __NR_ppoll_time64
-+ SC_ALLOW(__NR_ppoll_time64),
-+#endif
- #ifdef __NR_poll
- SC_ALLOW(__NR_poll),
- #endif
diff --git a/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
deleted file mode 100644
index 0231ce4..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Thu, 24 Feb 2022 16:04:18 +0000
-Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
-
-GCC doesn't tell us whether this option is supported unless it runs into
-the situation where it would need to emit corresponding code.
----
- m4/openssh.m4 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/m4/openssh.m4 b/m4/openssh.m4
-index 4f9c3792dc1..8c33c701b8b 100644
---- a/m4/openssh.m4
-+++ b/m4/openssh.m4
-@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
- AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
- #include <stdlib.h>
- #include <stdio.h>
-+/* Trivial function to help test for -fzero-call-used-regs */
-+void f(int n) {}
- int main(int argc, char **argv) {
- (void)argv;
- /* Some math to catch -ftrapv problems in the toolchain */
-@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
- float l = i * 2.1;
- double m = l / 0.5;
- long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
-+ f(0);
- printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
- /*
- * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
diff --git a/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
deleted file mode 100644
index 9e08b2a..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/gss-serv.c b/gss-serv.c
-index b5d4bb2d..00e3d118 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, HOST_NAME_MAX)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index a98e1ad..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,431 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:48:19.078457000 -0800
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:49:22.195632128 -0800
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
-- options->revoked_host_keys = NULL;
- options->fingerprint_hash = -1;
- options->update_hostkeys = -1;
-+ options->known_hosts_command = NULL;
- + options->disable_multithreaded = -1;
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ }
-+
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:48:19.078457000 -0800
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:54:51.800546480 -0800
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -235,9 +265,8 @@
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-+ (r = sshpkt_send(ssh)) != 0)
-+ fatal_fr(r, "channel %d", c->self);
- - debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -337,70 +366,92 @@
- index 70f492f8..5503af1d 100644
- --- a/clientloop.c
- +++ b/clientloop.c
--@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
- sock = x11_connect_display(ssh);
- if (sock < 0)
- return NULL;
- - c = channel_new(ssh, "x11",
- - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
--+ c = channel_new(ssh, "x11",
--+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--+ /* again is this really necessary for X11? */
--+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "x11",
-++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-++ /* again is this really necessary for X11? */
-++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
- return NULL;
- }
- c = channel_new(ssh, "authentication agent connection",
- - SSH_CHANNEL_OPEN, sock, sock, -1,
- - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
--- "authentication agent connection", 1);
--+ SSH_CHANNEL_OPEN, sock, sock, -1,
--+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0,
--+ "authentication agent connection", 1);
-+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
-++ SSH_CHANNEL_OPEN, sock, sock, -1,
-++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_TCP_PACKET_DEFAULT, 0,
-++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
-+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
- }
- debug("Tunnel forwarding using interface %s", ifname);
-
- - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
--+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
- c->datagram = 1;
-
--+
--+
- #if defined(SSH_TUN_FILTER)
-- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-- channel_register_filter(ssh, c->self, sys_tun_infilter,
- diff --git a/compat.c b/compat.c
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,26 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
--+ /* TODO: need to use new method to test for this */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-++ bugs |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +510,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -553,10 +604,10 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+ {
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-- struct pollfd pfd;
- - char buf[8192];
- + char buf[SSH_IOBUFSZ];
- struct timeval start;
-@@ -1072,7 +1123,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1136,14 +1187,14 @@
- }
- @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
- window, packetmax, CHAN_EXTENDED_WRITE,
-- "client-session", /*nonblock*/0);
-+ "client-session", CHANNEL_NONBLOCK_STDIO);
-
- + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
- + c->dynamic_window = 1;
- + debug("Enabled Dynamic Window Scaling");
- + }
- +
-- debug3_f("channel_new: %d", c->self);
-+ debug2_f("channel %d", c->self);
-
- channel_send_open(ssh, c->self);
- @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
-@@ -1314,7 +1365,29 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-+- ssh_digest_free(ctx);
-++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ ssh_digest_free(ctx);
-++ }
-+ ctx = NULL;
-+ return;
-+ }
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
- fatal("AuthorizedPrincipalsCommand set without "
- "AuthorizedPrincipalsCommandUser");
-
-@@ -1334,7 +1407,7 @@
- /*
- * Check whether there is any path through configured auth methods.
- * Unfortunately it is not possible to verify this generally before
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
-
-@@ -1344,7 +1417,7 @@
- /*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
- struct kex *kex;
- int r;
-
-@@ -1384,14 +1457,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:48:19.078457000 -0800
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:49:22.196632131 -0800
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
--
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-+
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-++ if (win_size > 45) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 272270b..0000000
--- a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,238 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
-@@ -1026,9 +1026,9 @@
- + }
- +#endif
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ if (ssh_packet_connection_is_on_socket(ssh)) {
-+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
-+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..bf3d6e4a 100644
- --- a/sshd.c
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
-@@ -536,18 +536,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,27 +553,14 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-- fd_set *setp;
-+ struct pollfd pfd;
- - char buf[8192];
- + char buf[SSH_IOBUFSZ];
-- struct timeval timeout, start, *timeoutp = NULL;
-+ struct timeval start;
-+ struct timespec timespec, *timespecp = NULL;
-
- DBG(debug("packet_read()"));
- diff --git a/packet.h b/packet.h
-@@ -598,12 +577,11 @@
- };
-
- typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
- int ssh_packet_set_maxsize(struct ssh *, u_int);
- u_int ssh_packet_get_maxsize(struct ssh *);
-
- +/* for forced packet rekeying post auth */
--+void packet_request_rekeying(void);
- +int packet_authentication_state(const struct ssh *);
- +
- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +605,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -637,9 +615,9 @@
- + { "noneenabled", oNoneEnabled },
- + { "nonemacenabled", oNoneMacEnabled },
- + { "noneswitch", oNoneSwitch },
-- { "proxyusefdpass", oProxyUseFdpass },
-- { "canonicaldomains", oCanonicalDomains },
-- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
-+ { "sessiontype", oSessionType },
-+ { "stdinnull", oStdinNull },
-+ { "forkafterauthentication", oForkAfterAuthentication },
- @@ -317,6 +323,11 @@ static struct {
- { "securitykeyprovider", oSecurityKeyProvider },
- { "knownhostscommand", oKnownHostsCommand },
-@@ -717,9 +695,9 @@
- + options->hpn_buffer_size = -1;
- + options->tcp_rcv_buf_poll = -1;
- + options->tcp_rcv_buf = -1;
-- options->proxy_use_fdpass = -1;
-- options->ignored_unknown = NULL;
-- options->num_canonical_domains = 0;
-+ options->session_type = -1;
-+ options->stdin_null = -1;
-+ options->fork_after_authentication = -1;
- @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
-@@ -778,9 +756,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -842,9 +820,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->nonemac_enabled == -1)
-@@ -975,15 +953,6 @@
- index 306658cb..d4309903 100644
- --- a/serverloop.c
- +++ b/serverloop.c
--@@ -322,7 +322,7 @@ static int
-- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
-- {
-- int r, len;
--- char buf[16384];
--+ char buf[SSH_IOBUFSZ];
--
-- /* Read and buffer any input data from the client. */
-- if (FD_ISSET(connection_in, readset)) {
- @@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
- debug("Tunnel forwarding using interface %s", ifname);
-
-@@ -1047,30 +1016,17 @@
- Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
--
-- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
--
-- /* File to read commands from */
-- FILE* infile;
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error_r(r, "Unable to load resident keys");
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN 32768
-+
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS 64
-++#define DEFAULT_NUM_REQUESTS 256
-+
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE 512
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1330,9 +1286,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
-@@ -1359,8 +1315,8 @@
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-- /* Fill in default values for those options not explicitly set. */
-- fill_default_server_options(&options);
-+ fatal("AuthorizedPrincipalsCommand set without "
-+ "AuthorizedPrincipalsCommandUser");
-
- + if (options.none_enabled == 1) {
- + char *old_ciphers = options.ciphers;
-@@ -1375,9 +1331,9 @@
- + }
- + }
- +
-- /* challenge-response is implemented via keyboard interactive */
-- if (options.challenge_response_authentication)
-- options.kbd_interactive_authentication = 1;
-+ /*
-+ * Check whether there is any path through configured auth methods.
-+ * Unfortunately it is not possible to verify this generally before
- @@ -2166,6 +2186,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
deleted file mode 100644
index 3d702eb..0000000
--- a/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.3.2.diff b/openssh-9.0p1+x509-13.3.2.diff
---- a/openssh-9.0p1+x509-13.3.2.diff 2022-04-11 10:32:02.364576985 -0700
-+++ b/openssh-9.0p1+x509-13.3.2.diff 2022-04-11 10:38:29.267348410 -0700
-@@ -47526,8 +47526,8 @@
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
--- if (gethostname(lname, MAXHOSTNAMELEN)) {
--+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
-+- if (gethostname(lname, HOST_NAME_MAX)) {
-++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
-@@ -55662,12 +55662,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -395,6 +372,8 @@
-+@@ -395,6 +372,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -76764,7 +76763,7 @@
- +if test "$sshd_type" = "pkix" ; then
- + unset_arg=''
- +else
--+ unset_arg=none
-++ unset_arg=''
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -141144,16 +141143,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.3.2/version.h
----- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300
--+++ openssh-9.0p1+x509-13.3.2/version.h 2022-04-11 09:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_9.0"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.3.2/version.m4
- --- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-9.0p1+x509-13.3.2/version.m4 2022-04-11 09:07:00.000000000 +0300
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index f23eae1..9ce34e6 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
@@ -20,6 +20,7 @@
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
+ <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
diff --git a/net-misc/openssh/openssh-8.5_p1-r3.ebuild b/net-misc/openssh/openssh-8.5_p1-r3.ebuild
new file mode 120000
index 0000000..3804654
--- /dev/null
+++ b/net-misc/openssh/openssh-8.5_p1-r3.ebuild
@@ -0,0 +1 @@
+openssh-8.5_p1.ebuild
\ No newline at end of file
diff --git a/net-misc/openssh/openssh-9.0_p1.ebuild b/net-misc/openssh/openssh-8.5_p1.ebuild
similarity index 83%
rename from net-misc/openssh/openssh-9.0_p1.ebuild
rename to net-misc/openssh/openssh-8.5_p1.ebuild
index f24641a..c89ac3d 100644
--- a/net-misc/openssh/openssh-9.0_p1.ebuild
+++ b/net-misc/openssh/openssh-8.5_p1.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
@@ -11,9 +11,9 @@
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
+HPN_PV="8.4_P1"
-HPN_VER="15.2"
+HPN_VER="15.1"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@@ -21,7 +21,7 @@
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.3.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
@@ -29,43 +29,50 @@
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="*"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
- hpn? ( ssl )
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
- X509? ( !sctp ssl !xmss )
- xmss? ( ssl )
+ X509? ( !sctp !security-key ssl !xmss )
+ xmss? ( || ( ssl libressl ) )
test? ( ssl )
"
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
- net-libs/ldns[ecdsa(+),ssl(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ || (
+ (
+ >=dev-libs/openssl-1.0.1:0[bindist=]
+ <dev-libs/openssl-1.1.0:0[bindist=]
+ )
+ >=dev-libs/openssl-1.1.0g:0[bindist=]
+ )
+ dev-libs/openssl:0=[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+ )
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
@@ -83,29 +90,30 @@
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
- !prefix? ( sys-apps/shadow )
+ userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
- verify-sig? ( sec-keys/openpgp-keys-openssh )
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
- local missing=()
- check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
- check_feature hpn HPN_VER
- check_feature sctp SCTP_PATCH
- check_feature X509 X509_PATCH
- if [[ ${#missing[@]} -ne 0 ]] ; then
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use hpn && maybe_fail hpn HPN_VER)
+ $(use sctp && maybe_fail sctp SCTP_PATCH)
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${missing[*]}"
+ eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "Missing requested third party patch."
+ die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@@ -115,13 +123,6 @@
fi
}
-src_unpack() {
- default
-
- # We don't have signatures for HPN, X509, so we have to write this ourselves
- use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
-}
-
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@@ -131,13 +132,15 @@
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
- eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
- eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
+ eapply "${FILESDIR}"/${PN}-8.5_p1-upstream-cve-2021-41617.patch
+
+ # workaround for https://bugs.gentoo.org/734984
+ use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
@@ -174,7 +177,7 @@
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
- einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
+ einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
@@ -185,14 +188,14 @@
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
+ eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+ use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
- use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
+ use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
@@ -305,18 +308,24 @@
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
- $(use_with ldns)
+ $(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
+ # stackprotect is broken on musl x86 and ppc
+ if use x86 || use ppc; then
+ myconf+=( --without-stackprotect )
+ fi
+
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
@@ -329,19 +338,34 @@
}
src_test() {
- local tests=( compat-tests )
+ local t skipped=() failed=() passed=()
+ local tests=( interop-tests compat-tests )
+
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- ewarn "user, so we will run a subset only."
- tests+=( interop-tests )
+ elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped+=( tests )
else
tests+=( tests )
fi
- local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
- mkdir -p "${HOME}"/.ssh || die
- emake -j1 "${tests[@]}" </dev/null
+ # It will also attempt to write to the homedir .ssh.
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in "${tests[@]}" ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
+ SUDO="" SSH_SK_PROVIDER="" \
+ TEST_SSH_UNSAFE_PERMISSIONS=1 \
+ emake -k -j1 ${t} </dev/null \
+ && passed+=( "${t}" ) \
+ || failed+=( "${t}" )
+ done
+
+ einfo "Passed tests: ${passed[*]}"
+ [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+ [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
@@ -412,10 +436,14 @@
diropts -m 0700
dodir /etc/skel/.ssh
- if [[ -d "${ED}"/var/empty ]]; then
- rmdir "${ED}"/var/empty || die
+
+ # https://bugs.gentoo.org/733802
+ if ! use scp; then
+ rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
+ || die "failed to remove scp"
fi
+
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}