openssh: Upgraded the package to upstream.
Upgraded net-misc/openssh package to version 9.0 on amd64, arm64.
Removed linux-headers version restriction and added condition
on removing dir var/empty to make it work in COS.
BUG=None
TEST=presubmit, validation
RELEASE_NOTE=Upgraded openssh package to v9.0_p1.
Change-Id: I1e2c36c1742613d6095cb89d11dc075f824ee80c
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/31902
Reviewed-by: He Gao <hegao@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index adff194..3142cc6 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,15 @@
-DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
-DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
-DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
-DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
-DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
-DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63
+DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
+DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
+DIST openssh-8.8p1.tar.gz.asc 833 BLAKE2B ffe78af226b9c8395e60ca54bcb626cc933ee069f9f0f17f408ca1493cb346aa3fb878efeaccc646f8fa7bf1c40d6d61a81e37342ccf56ae601403bf9d59f4d6 SHA512 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
+DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
+DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
+DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
+DIST openssh-8.9p1.tar.gz.asc 833 BLAKE2B fd44a5545bd0795ee335e480011dbe3c12011dc05b8722fb257bf4c7e8067ab4b515293cf73d23d57b6cf6980eb4e49251b026af9498a237365c5b0440226898 SHA512 fd0bbd285ff2f8791f5a512f087f32bce026b716d5ac213cd4ef28f08722601fb943514bee71b2ac4b9f9363e2f120ce6c60fed952d1d8e53dbcf2a6fe2e706b
+DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.0p1+x509-13.3.2.diff.gz 1128591 BLAKE2B fb560e2f1803ceb946a1ba8bd53a1f9fd262896b820c23d4b0015218433d2200f1fd9df5b1889a670261f13936d8153da1ab4beb2a5d52ede78168189c522bf3 SHA512 e643168d7098c44f85a9bac9894a936a3480ec843162197ce56e016dd4f634ef182dcfae1f7e18408f6a18832e0a95d2d249a23fdbc3dc46df76989ca0a0c7fc
+DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
+DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
+DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
deleted file mode 100644
index 90fa248..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
-@@ -409,18 +409,10 @@
- index 817da43b..b2bcf78f 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 8ccfd2e0..1ad9bc06 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -167,6 +168,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -112,7 +116,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -486,6 +532,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1079,11 +1057,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1105,9 +1083,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 11571c01..23a06022 100644
- --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
deleted file mode 100644
index 3f5c7a4..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
-@@ -1191,15 +1191,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+
diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
deleted file mode 100644
index 505e34d..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 86ea6250..844adabc 100644
---- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -252,7 +252,7 @@ test_one() {
- test_one "user-certificate" failure "-n $HOSTS"
- test_one "empty principals" success "-h"
- test_one "wrong principals" failure "-h -n foo"
--test_one "cert not yet valid" failure "-h -V20200101:20300101"
-+test_one "cert not yet valid" failure "-h -V20300101:20320101"
- test_one "cert expired" failure "-h -V19800101:19900101"
- test_one "cert valid interval" success "-h -V-1w:+2w"
- test_one "cert has constraints" failure "-h -Oforce-command=false"
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index 38c14a69..5cd02fc3 100644
---- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
-@@ -338,7 +338,7 @@ test_one() {
- test_one "correct principal" success "-n ${USER}"
- test_one "host-certificate" failure "-n ${USER} -h"
- test_one "wrong principals" failure "-n foo"
--test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
-+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
- test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
- test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
- test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff --git a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
deleted file mode 100644
index d4db77b..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 086b8ebb..a267353c 100644
---- a/auth.c
-+++ b/auth.c
-@@ -724,120 +724,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) == -1) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return xstrdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return xstrdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return xstrdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return xstrdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return xstrdup(ntop);
-- }
-- return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
--
- /*
- * Runs command in a subprocess with a minimal environment.
- * Returns pid on success, 0 on failure.
-diff --git a/canohost.c b/canohost.c
-index abea9c6e..4f4524d2 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
-diff --git a/readconf.c b/readconf.c
-index f3cac6b3..adfd7a4e 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -205,9 +206,11 @@ static struct {
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "pkcs11provider", oPKCS11Provider },
-@@ -1033,6 +1036,10 @@ parse_time:
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index feedb3d2..c7139c1b 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index 06a32d31..6871ff36 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -770,6 +770,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index af00fb30..652463c5 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
- OM_uint32 min;
- int r, ok = 0;
- gss_OID mech = NULL;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(ssh, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
- elements[authctxt->mech_tried];
- /* My DER encoding requires length<128 */
- if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
-- mech, authctxt->host)) {
-+ mech, gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- authctxt->mech_tried++;
diff --git a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
deleted file mode 100644
index 6bd7166..0000000
--- a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile.in b/Makefile.in
-index c9e4294d..2dbfac24 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
diff --git a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
deleted file mode 100644
index f12a309..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
---- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
-+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
-@@ -39348,12 +39348,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -384,6 +365,8 @@
-+@@ -384,6 +365,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -103950,16 +103949,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
----- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
--+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.4"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
- --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
deleted file mode 100644
index 32713d4..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
-From: Oleg <Fallmay@users.noreply.github.com>
-Date: Thu, 1 Oct 2020 12:09:08 +0300
-Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
-
----
- contrib/ssh-copy-id | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-index 392f64f94..a76907717 100644
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -247,7 +247,7 @@ installkeys_sh() {
- # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
- # the cat adds the keys we're getting via STDIN
- # and if available restorecon is used to restore the SELinux context
-- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
-+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
- cd;
- umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-@@ -258,6 +258,7 @@ installkeys_sh() {
- restorecon -F .ssh ${AUTH_KEY_FILE};
- fi
- EOF
-+ )
-
- # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
- printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
deleted file mode 100644
index 9bd600b..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,7 +803,7 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
- + struct sshcipher *none = cipher_by_name("none");
- int r;
-
-@@ -901,17 +901,18 @@
- }
-
- /*
--@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
-+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
-+
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
--
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-++
-+ /* expand KEX and etc. name lists */
-+ { char *all;
-+ #define ASSEMBLE(what, defaults, all) \
- diff --git a/readconf.h b/readconf.h
- index e143a108..1383a3cd 100644
- --- a/readconf.h
-@@ -950,9 +951,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -679,6 +683,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
-@@ -382,7 +382,7 @@
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -1193,14 +1193,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index a2eca3ec..ff654fc3 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.3"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v22"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
---- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
-+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-+- int file_len = win_size - 36;
-++ if (win_size > 45) {
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
deleted file mode 100644
index 884063c..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
-@@ -409,18 +409,10 @@
- index e7abb341..c23276d4 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index c2544bd9..ebd85c88 100644
- --- a/packet.h
-@@ -481,9 +459,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -294,6 +297,8 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -114,7 +118,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -519,6 +565,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1081,11 +1059,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+ }
-+ }
-+ #endif
-
-- if (!authctxt.success)
-- fatal("Authentication failed.");
--+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
deleted file mode 100644
index 79cc3e5..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:31:37.392120799 -0700
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:32:46.143684424 -0700
-@@ -672,7 +672,7 @@
- +const EVP_CIPHER *
- +evp_aes_ctr_mt(void)
- +{
--+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
-++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
- + static EVP_CIPHER *aes_ctr;
- + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
- + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
-@@ -701,7 +701,7 @@
- + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
- +# endif /*SSH_OLD_EVP*/
- + return &aes_ctr;
--+# endif /*OPENSSH_VERSION_NUMBER*/
-++# endif /*OPENSSL_VERSION_NUMBER*/
- +}
- +
- +#endif /* defined(WITH_OPENSSL) */
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
deleted file mode 100644
index 52ec42e..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
-@@ -1171,14 +1171,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index a2eca3ec..ff654fc3 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.3"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v22"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
deleted file mode 100644
index 71b27f2..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
---- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
-+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
-@@ -46675,12 +46675,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -380,6 +364,8 @@
-+@@ -380,6 +364,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -63967,7 +63966,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
-@@ -63982,7 +63981,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
- verbose "$tid: kex $k"
-@@ -63997,7 +63996,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- if [ "`${SSH} -Q compression`" = "none" ]; then
- comp="0"
-@@ -64129,9 +64128,9 @@
-
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+ unset_arg=''
-++ unset_arg=
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -122238,16 +122237,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.5"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
- --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
deleted file mode 100644
index e2d4ce8..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
+++ /dev/null
@@ -1,325 +0,0 @@
-diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ options->revoked_host_keys = NULL;
-+ options->fingerprint_hash = -1;
-+ options->update_hostkeys = -1;
- + options->disable_multithreaded = -1;
- }
-
- /*
- @@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index d6a15550..d2d20548 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -672,6 +676,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
-++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index e4917f3c..e0db582e 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -234,10 +264,12 @@
- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
-+- (r = sshpkt_send(ssh)) != 0)
-+- fatal_fr(r, "channel %d", c->self);
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-++ (r = sshpkt_send(ssh)) != 0) {
-++ fatal_fr(r, "channel %i", c->self);
-++ }
- debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -384,20 +416,38 @@
- index dec8e7e9..3c11558e 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,19 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
--+ /* Check to see if the remote side is OpenSSH and not HPN */
--+ if (strstr(version, "OpenSSH") != NULL) {
--+ if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
--+ debug("Remote is NON-HPN aware");
--+ }
--+ }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index 66db42cc..d4e811e4 100644
- --- a/compat.h
-@@ -456,7 +506,7 @@
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -1033,19 +1083,6 @@
-
- /* File to read commands from */
- FILE* infile;
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..8b839219 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error("Unable to load resident keys: %s", ssh_err(r));
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index f34ca0d7..d7d134f7 100644
- --- a/ssh.c
-@@ -1091,7 +1128,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1331,6 +1368,26 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,12 +1625,13 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ }
-+ ssh_digest_free(ctx);
-+ ctx = NULL;
-+ return;
- @@ -1746,6 +1753,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
-@@ -1401,14 +1458,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index c2f9c55b..f2e7fa80 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.4"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v1"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
---- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -33,12 +33,12 @@
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+ if (win_size > 36) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +63,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..76b22338 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
deleted file mode 100644
index ec6e687..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
-+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
-@@ -894,9 +894,9 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
-- options->update_hostkeys = -1;
-- options->hostbased_key_types = NULL;
-- options->pubkey_key_types = NULL;
-+ options->hostbased_accepted_algos = NULL;
-+ options->pubkey_accepted_algos = NULL;
-+ options->known_hosts_command = NULL;
- + options->disable_multithreaded = -1;
- }
-
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
-@@ -209,7 +209,7 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
-@@ -229,22 +229,19 @@
- + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
- + }
- if (!c->have_remote_id)
-- fatal(":%s: channel %d: no remote id",
-- __func__, c->self);
-+ fatal_f("channel %d: no remote id", c->self);
- if ((r = sshpkt_start(ssh,
- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
-- fatal("%s: channel %i: %s", __func__,
-- c->self, ssh_err(r));
-+ fatal_fr(r, "channel %i", c->self);
- }
-- debug2("channel %d: window %d sent adjust %d",
-- c->self, c->local_window,
--- c->local_consumed);
-+ debug2("channel %d: window %d sent adjust %d", c->self,
-+- c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
--+ c->local_consumed + addition);
-++ c->local_window, c->local_consumed + addition);
- + c->local_window += c->local_consumed + addition;
- c->local_consumed = 0;
- }
-@@ -387,18 +384,18 @@
- index dec8e7e9..3c11558e 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
-- debug("match: %s pat %s compat 0x%08x",
-+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
-+ debug_f("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- datafellows = check[i].bugs; /* XXX for now */
-+ ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ datafellows |= SSH_BUG_LARGEWINDOW;
-++ ssh->compat |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return check[i].bugs;
-+ return;
- }
- }
- diff --git a/compat.h b/compat.h
-@@ -431,9 +428,9 @@
- --- a/digest-openssl.c
- +++ b/digest-openssl.c
- @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
-- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
-+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
- { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
-- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
-+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
- + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
- { -1, NULL, 0, NULL },
- };
-@@ -536,18 +533,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +550,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -622,9 +597,9 @@
- /* Format of the configuration file:
-
- @@ -165,6 +166,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -778,9 +753,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -115,7 +119,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -888,9 +863,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -511,6 +564,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1091,7 +1066,7 @@
- }
-
- +static void
--+hpn_options_init(void)
-++hpn_options_init(struct ssh *ssh)
- +{
- + /*
- + * We need to check to see if what they want to do about buffer
-@@ -1116,7 +1091,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (datafellows & SSH_BUG_LARGEWINDOW) {
-++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1186,7 +1161,7 @@
- + c->dynamic_window = 1;
- + debug("Enabled Dynamic Window Scaling");
- + }
-- debug3("%s: channel_new: %d", __func__, c->self);
-+ debug3_f("channel_new: %d", c->self);
-
- channel_send_open(ssh, c->self);
- @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
-@@ -1198,7 +1173,7 @@
- + * might open channels that use the hpn buffer sizes. We can't send a
- + * window of -1 (the default) to the server as it breaks things.
- + */
--+ hpn_options_init();
-++ hpn_options_init(ssh);
- +
- /* XXX should be pre-session */
- if (!options.control_persist)
-@@ -1297,11 +1272,10 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
--
-+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1329,9 +1303,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 8aa7f3df..d0e3f1b0 100644
- --- a/sshd.c
-@@ -1397,9 +1371,9 @@
- + if (options.nonemac_enabled == 1)
- + debug("WARNING: None MAC enabled");
- +
-- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
- options.kex_algorithms);
-- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
- diff --git a/sshd_config b/sshd_config
- index 19b7c91a..cdd889b2 100644
- --- a/sshd_config
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
deleted file mode 100644
index d4835d1..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800
-@@ -1401,14 +1401,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index c2f9c55b..f2e7fa80 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.4"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v1"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
new file mode 100644
index 0000000..7199227
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
+@@ -1414,14 +1414,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch b/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
deleted file mode 100644
index 8b7a5ba..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/misc.c b/misc.c
-index d988ce3b..33eca1c1 100644
---- a/misc.c
-+++ b/misc.c
-@@ -56,6 +56,7 @@
- #ifdef HAVE_PATHS_H
- # include <paths.h>
- #include <pwd.h>
-+#include <grp.h>
- #endif
- #ifdef SSH_TUN_OPENBSD
- #include <net/if.h>
-@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
- }
- closefrom(STDERR_FILENO + 1);
-
-+ if (geteuid() == 0 &&
-+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
-+ error("%s: initgroups(%s, %u): %s", tag,
-+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
-+ _exit(1);
-+ }
-+
- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
- error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
- strerror(errno));
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
similarity index 61%
rename from net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
rename to net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
index 37905ce..6dc290d 100644
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
@@ -2,12 +2,12 @@
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
- error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+ oerrno = errno;
diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
similarity index 91%
rename from net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
rename to net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
index eec66ad..ffc40b7 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -1,6 +1,8 @@
---- a/auth.c 2021-03-02 04:31:47.000000000 -0600
-+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
-@@ -727,119 +727,6 @@ fakepw(void)
+diff --git a/auth.c b/auth.c
+index 00b168b4..8ee93581 100644
+--- a/auth.c
++++ b/auth.c
+@@ -729,118 +729,6 @@ fakepw(void)
return (&fake);
}
@@ -9,9 +11,7 @@
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
@@ -117,11 +117,14 @@
- return dnsname;
- }
-}
-
+-
/* These functions link key/cert options to the auth framework */
---- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
-+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
+diff --git a/canohost.c b/canohost.c
+index a810da0e..18e9d8d4 100644
+--- a/canohost.c
++++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
@@ -241,7 +244,7 @@
+ }
+}
diff --git a/readconf.c b/readconf.c
-index 724974b7..97a1ffd8 100644
+index 03369a08..b45898ce 100644
--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,7 @@ typedef enum {
@@ -252,7 +255,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -206,9 +207,11 @@ static struct {
+@@ -207,9 +208,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -264,7 +267,7 @@
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1083,6 +1086,10 @@ parse_time:
+@@ -1117,6 +1120,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@@ -275,15 +278,15 @@
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ options->pubkey_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@@ -293,11 +296,11 @@
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
-index 2fba866e..da3ce87a 100644
+index f7d53b06..c3a91898 100644
--- a/readconf.h
+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
+@@ -40,6 +40,7 @@ typedef struct {
+ int hostbased_authentication; /* ssh2's rhosts_rsa */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
@@ -305,10 +308,10 @@
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
-index f8119189..e0fd0d76 100644
+index cd0eea86..27101943 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -783,6 +783,16 @@ The default is
+@@ -832,6 +832,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@@ -326,10 +329,10 @@
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index 059c9480..ab6f6832 100644
+index fea50fab..aeff639b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -343,7 +346,7 @@
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
-@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
new file mode 100644
index 0000000..49c0591
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
@@ -0,0 +1,447 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
+-+ struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+++ struct sshcipher *none = cipher_none();
+ int r;
+
+ if (none == NULL) {
+@@ -894,24 +894,24 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
+- options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+- options->hostbased_accepted_algos = NULL;
+- options->pubkey_accepted_algos = NULL;
+- options->known_hosts_command = NULL;
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
++ options->update_hostkeys = 0;
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
++ /* expand KEX and etc. name lists */
++ { char *all;
+ diff --git a/readconf.h b/readconf.h
+ index 2fba866e..7f8f0227 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -662,6 +666,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
+@@ -157,6 +157,36 @@
+ + Allan Jude provided the code for the NoneMac and buffer normalization.
+ + This work was financed, in part, by Cisco System, Inc., the National
+ + Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
++@@ -229,16 +229,17 @@
++ double delay;
++
++ digest_alg = ssh_digest_maxbytes();
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
++
++- (void)snprintf(b, sizeof b, "%llu%s",
++- (unsigned long long)options.timing_secret, user);
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++- fatal_f("ssh_digest_memory");
++- /* 0-4.2 ms of delay */
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++- freezero(hash, len);
+++ (void)snprintf(b, sizeof b, "%llu%s",
+++ (unsigned long long)options.timing_secret, user);
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++ fatal_f("ssh_digest_memory");
+++ /* 0-4.2 ms of delay */
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++ freezero(hash, len);
+++ }
++ debug3_f("user specific delay %0.3lfms", delay/1000);
++ return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index b60d56c4..0e363c15 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ - ((c->local_window_max - c->local_window >
+ - c->local_maxpacket*3) ||
+-+ ((ssh_packet_is_interactive(ssh) &&
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++ ((ssh_packet_is_interactive(ssh) &&
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
+ + u_int addition = 0;
+@@ -235,9 +265,8 @@
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0) {
+- fatal_fr(r, "channel %i", c->self);
+- }
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
+ - c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+@@ -337,70 +366,92 @@
+ index 70f492f8..5503af1d 100644
+ --- a/clientloop.c
+ +++ b/clientloop.c
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+ sock = x11_connect_display(ssh);
+ if (sock < 0)
+ return NULL;
+ - c = channel_new(ssh, "x11",
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-+ c = channel_new(ssh, "x11",
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-+ /* again is this really necessary for X11? */
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "x11",
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+++ /* again is this really necessary for X11? */
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+ return NULL;
+ }
+ c = channel_new(ssh, "authentication agent connection",
+ - SSH_CHANNEL_OPEN, sock, sock, -1,
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+-- "authentication agent connection", 1);
+-+ SSH_CHANNEL_OPEN, sock, sock, -1,
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0,
+-+ "authentication agent connection", 1);
++- "authentication agent connection", CHANNEL_NONBLOCK_SET);
+++ SSH_CHANNEL_OPEN, sock, sock, -1,
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_TCP_PACKET_DEFAULT, 0,
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+ }
+ debug("Tunnel forwarding using interface %s", ifname);
+
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
+ c->datagram = 1;
+
+-+
+-+
+ #if defined(SSH_TUN_FILTER)
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+- channel_register_filter(ssh, c->self, sys_tun_infilter,
+ diff --git a/compat.c b/compat.c
+ index 69befa96..90b5f338 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+- debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
++ static u_int
++ compat_datafellows(const char *version)
++ {
++- int i;
+++ int i, bugs = 0;
++ static struct {
++ char *pat;
++ int bugs;
++@@ -147,11 +147,26 @@
++ if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return;
++- return check[i].bugs;
+++ bugs |= check[i].bugs;
+ }
+ }
++- debug("no match: %s", version);
++- return 0;
+++ /* Check to see if the remote side is OpenSSH and not HPN */
+++ if (strstr(version, "OpenSSH") != NULL) {
+++ if (strstr(version, "hpn") == NULL) {
+++ bugs |= SSH_BUG_LARGEWINDOW;
+++ debug("Remote is NON-HPN aware");
+++ }
+++ }
+++ if (bugs == 0)
+++ debug("no match: %s", version);
+++ return bugs;
++ }
++
++ char *
+ diff --git a/compat.h b/compat.h
+ index c197fafc..ea2e17a7 100644
+ --- a/compat.h
+@@ -459,7 +510,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag = 0;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -553,7 +604,7 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+ fd_set *setp;
+@@ -1035,19 +1086,6 @@
+
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error_r(r, "Unable to load resident keys");
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1093,7 +1131,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1157,14 +1195,14 @@
+ }
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
+ window, packetmax, CHAN_EXTENDED_WRITE,
+- "client-session", /*nonblock*/0);
++ "client-session", CHANNEL_NONBLOCK_STDIO);
+
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+ +
+- debug3_f("channel_new: %d", c->self);
++ debug2_f("channel %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
+@@ -1335,7 +1373,29 @@
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ sshbuf_len(server_cfg)) != 0)
++ fatal_f("ssh_digest_update");
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
++- if (ssh_digest_final(ctx, hash, len) != 0)
++- fatal_f("ssh_digest_final");
++- options.timing_secret = PEEK_U64(hash);
++- freezero(hash, len);
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
+++ hash = xmalloc(len);
+++ if (ssh_digest_final(ctx, hash, len) != 0)
+++ fatal_f("ssh_digest_final");
+++ options.timing_secret = PEEK_U64(hash);
+++ freezero(hash, len);
+++ ssh_digest_free(ctx);
+++ }
++ ctx = NULL;
++ return;
++ }
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+
+@@ -1355,7 +1415,7 @@
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
+
+@@ -1365,7 +1425,7 @@
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+ struct kex *kex;
+ int r;
+
+@@ -1405,14 +1465,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++- if (win_size > 36) {
+++ if (win_size > 45) {
++- int file_len = win_size - 36;
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
+@@ -63,15 +65,3 @@
+ }
+
+ /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..986ff59b 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
+-
+- if (skprovider == NULL)
+- fatal("Cannot download keys without provider");
+--
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- if (!quiet) {
+- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
new file mode 100644
index 0000000..309e57e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
@@ -0,0 +1,198 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
+@@ -1026,9 +1026,9 @@
+ + }
+ +#endif
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +553,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -598,12 +576,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +604,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -637,9 +614,9 @@
+ + { "noneenabled", oNoneEnabled },
+ + { "nonemacenabled", oNoneMacEnabled },
+ + { "noneswitch", oNoneSwitch },
+- { "proxyusefdpass", oProxyUseFdpass },
+- { "canonicaldomains", oCanonicalDomains },
+- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ { "sessiontype", oSessionType },
++ { "stdinnull", oStdinNull },
++ { "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+ { "securitykeyprovider", oSecurityKeyProvider },
+ { "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +694,9 @@
+ + options->hpn_buffer_size = -1;
+ + options->tcp_rcv_buf_poll = -1;
+ + options->tcp_rcv_buf = -1;
+- options->proxy_use_fdpass = -1;
+- options->ignored_unknown = NULL;
+- options->num_canonical_domains = 0;
++ options->session_type = -1;
++ options->stdin_null = -1;
++ options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+@@ -778,9 +755,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +819,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -1047,17 +1024,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
+
+- /* File to read commands from */
+- FILE* infile;
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh-keygen.c b/ssh-keygen.c
+ index cfb5f115..36a6e519 100644
+ --- a/ssh-keygen.c
+@@ -1330,9 +1307,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1336,8 @@
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- /* Fill in default values for those options not explicitly set. */
+- fill_default_server_options(&options);
++ fatal("AuthorizedPrincipalsCommand set without "
++ "AuthorizedPrincipalsCommandUser");
+
+ + if (options.none_enabled == 1) {
+ + char *old_ciphers = options.ciphers;
+@@ -1375,9 +1352,9 @@
+ + }
+ + }
+ +
+- /* challenge-response is implemented via keyboard interactive */
+- if (options.challenge_response_authentication)
+- options.kbd_interactive_authentication = 1;
++ /*
++ * Check whether there is any path through configured auth methods.
++ * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
new file mode 100644
index 0000000..b682762
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@@ -0,0 +1,63 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
+--- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
++++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
+@@ -954,15 +954,16 @@
+ char b[512];
+ - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ - u_char *hash = xmalloc(len);
++- double delay;
+ + int digest_alg;
+ + size_t len;
+ + u_char *hash;
+- double delay;
+-
+++ double delay = 0;
+++
+ + digest_alg = ssh_digest_maxbytes();
+ + len = ssh_digest_bytes(digest_alg);
+ + hash = xmalloc(len);
+-+
++
+ (void)snprintf(b, sizeof b, "%llu%s",
+ (unsigned long long)options.timing_secret, user);
+ - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -51859,12 +51860,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +372,8 @@
++@@ -391,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -71985,7 +71985,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -132360,16 +132360,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
+---- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
+-+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.8"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
+ --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
new file mode 100644
index 0000000..eab5b53
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
@@ -0,0 +1,126 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
+--- a/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:49:32.673126122 -0800
++++ b/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:52:52.581776560 -0800
+@@ -1002,15 +1002,16 @@
+ char b[512];
+ - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ - u_char *hash = xmalloc(len);
++- double delay;
+ + int digest_alg;
+ + size_t len;
+ + u_char *hash;
+- double delay;
+-
+++ double delay = 0;
+++
+ + digest_alg = ssh_digest_maxbytes();
+ + len = ssh_digest_bytes(digest_alg);
+ + hash = xmalloc(len);
+-+
++
+ (void)snprintf(b, sizeof b, "%llu%s",
+ (unsigned long long)options.timing_secret, user);
+ - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -44746,8 +44747,8 @@
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+-- if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++- if (gethostname(lname, HOST_NAME_MAX)) {
+++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+@@ -52143,7 +52144,7 @@
+ diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
+ --- openssh-8.9p1/m4/openssh.m4 2022-02-23 13:31:11.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4 1970-01-01 02:00:00.000000000 +0200
+-@@ -1,200 +0,0 @@
++@@ -1,203 +0,0 @@
+ -dnl OpenSSH-specific autoconf macros
+ -dnl
+ -
+@@ -52160,6 +52161,8 @@
+ - AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ -#include <stdlib.h>
+ -#include <stdio.h>
++-/* Trivial function to help test for -fzero-call-used-regs */
++-void f(int n) {}
+ -int main(int argc, char **argv) {
+ - (void)argv;
+ - /* Some math to catch -ftrapv problems in the toolchain */
+@@ -52167,6 +52170,7 @@
+ - float l = i * 2.1;
+ - double m = l / 0.5;
+ - long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++- f(0);
+ - printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ - /*
+ - * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
+@@ -52884,12 +52888,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -396,6 +372,8 @@
++@@ -396,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -73836,7 +73839,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -79691,25 +79694,6 @@
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+ #endif
+-@@ -267,15 +273,15 @@
+- #ifdef __NR_clock_nanosleep_time64
+- SC_ALLOW(__NR_clock_nanosleep_time64),
+- #endif
+--#ifdef __NR_clock_gettime64
+-- SC_ALLOW(__NR_clock_gettime64),
+--#endif
+- #ifdef __NR__newselect
+- SC_ALLOW(__NR__newselect),
+- #endif
+- #ifdef __NR_ppoll
+- SC_ALLOW(__NR_ppoll),
+- #endif
+-+#ifdef __NR_ppoll_time64
+-+ SC_ALLOW(__NR_ppoll_time64),
+-+#endif
+- #ifdef __NR_poll
+- SC_ALLOW(__NR_poll),
+- #endif
+ @@ -288,6 +294,9 @@
+ #ifdef __NR_read
+ SC_ALLOW(__NR_read),
+@@ -137848,16 +137832,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
+---- openssh-8.9p1/version.h 2022-02-23 13:31:11.000000000 +0200
+-+++ openssh-8.9p1+x509-13.3.1/version.h 2022-03-05 10:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.9"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
+ --- openssh-8.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/version.m4 2022-03-05 10:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 0000000..8c46625
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++ SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ SC_ALLOW(__NR_poll),
+ #endif
diff --git a/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
new file mode 100644
index 0000000..0231ce4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
@@ -0,0 +1,32 @@
+From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 24 Feb 2022 16:04:18 +0000
+Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
+
+GCC doesn't tell us whether this option is supported unless it runs into
+the situation where it would need to emit corresponding code.
+---
+ m4/openssh.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 4f9c3792dc1..8c33c701b8b 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ #include <stdlib.h>
+ #include <stdio.h>
++/* Trivial function to help test for -fzero-call-used-regs */
++void f(int n) {}
+ int main(int argc, char **argv) {
+ (void)argv;
+ /* Some math to catch -ftrapv problems in the toolchain */
+@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++ f(0);
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ /*
+ * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
diff --git a/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 0000000..9e08b2a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,13 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+- if (gethostname(lname, MAXHOSTNAMELEN)) {
++ if (gethostname(lname, HOST_NAME_MAX)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
new file mode 100644
index 0000000..a98e1ad
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
@@ -0,0 +1,431 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:49:22.195632128 -0800
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
+-+ struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+++ struct sshcipher *none = cipher_none();
+ int r;
+
+ if (none == NULL) {
+@@ -894,24 +894,24 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
+- options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+- options->hostbased_accepted_algos = NULL;
+- options->pubkey_accepted_algos = NULL;
+- options->known_hosts_command = NULL;
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
++ options->update_hostkeys = 0;
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
++ /* expand KEX and etc. name lists */
++ { char *all;
+ diff --git a/readconf.h b/readconf.h
+ index 2fba866e..7f8f0227 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -662,6 +666,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:54:51.800546480 -0800
+@@ -157,6 +157,36 @@
+ + Allan Jude provided the code for the NoneMac and buffer normalization.
+ + This work was financed, in part, by Cisco System, Inc., the National
+ + Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
++@@ -229,16 +229,17 @@
++ double delay;
++
++ digest_alg = ssh_digest_maxbytes();
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
++
++- (void)snprintf(b, sizeof b, "%llu%s",
++- (unsigned long long)options.timing_secret, user);
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++- fatal_f("ssh_digest_memory");
++- /* 0-4.2 ms of delay */
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++- freezero(hash, len);
+++ (void)snprintf(b, sizeof b, "%llu%s",
+++ (unsigned long long)options.timing_secret, user);
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++ fatal_f("ssh_digest_memory");
+++ /* 0-4.2 ms of delay */
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++ freezero(hash, len);
+++ }
++ debug3_f("user specific delay %0.3lfms", delay/1000);
++ return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index b60d56c4..0e363c15 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ - ((c->local_window_max - c->local_window >
+ - c->local_maxpacket*3) ||
+-+ ((ssh_packet_is_interactive(ssh) &&
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++ ((ssh_packet_is_interactive(ssh) &&
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
+ + u_int addition = 0;
+@@ -235,9 +265,8 @@
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0) {
+- fatal_fr(r, "channel %i", c->self);
+- }
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
+ - c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+@@ -337,70 +366,92 @@
+ index 70f492f8..5503af1d 100644
+ --- a/clientloop.c
+ +++ b/clientloop.c
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+ sock = x11_connect_display(ssh);
+ if (sock < 0)
+ return NULL;
+ - c = channel_new(ssh, "x11",
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-+ c = channel_new(ssh, "x11",
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-+ /* again is this really necessary for X11? */
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "x11",
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+++ /* again is this really necessary for X11? */
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+ return NULL;
+ }
+ c = channel_new(ssh, "authentication agent connection",
+ - SSH_CHANNEL_OPEN, sock, sock, -1,
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+-- "authentication agent connection", 1);
+-+ SSH_CHANNEL_OPEN, sock, sock, -1,
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0,
+-+ "authentication agent connection", 1);
++- "authentication agent connection", CHANNEL_NONBLOCK_SET);
+++ SSH_CHANNEL_OPEN, sock, sock, -1,
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_TCP_PACKET_DEFAULT, 0,
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+ }
+ debug("Tunnel forwarding using interface %s", ifname);
+
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
+ c->datagram = 1;
+
+-+
+-+
+ #if defined(SSH_TUN_FILTER)
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+- channel_register_filter(ssh, c->self, sys_tun_infilter,
+ diff --git a/compat.c b/compat.c
+ index 69befa96..90b5f338 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+- debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
++ static u_int
++ compat_datafellows(const char *version)
++ {
++- int i;
+++ int i, bugs = 0;
++ static struct {
++ char *pat;
++ int bugs;
++@@ -147,11 +147,26 @@
++ if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return;
++- return check[i].bugs;
+++ bugs |= check[i].bugs;
+ }
+ }
++- debug("no match: %s", version);
++- return 0;
+++ /* Check to see if the remote side is OpenSSH and not HPN */
+++ if (strstr(version, "OpenSSH") != NULL) {
+++ if (strstr(version, "hpn") == NULL) {
+++ bugs |= SSH_BUG_LARGEWINDOW;
+++ debug("Remote is NON-HPN aware");
+++ }
+++ }
+++ if (bugs == 0)
+++ debug("no match: %s", version);
+++ return bugs;
++ }
++
++ char *
+ diff --git a/compat.h b/compat.h
+ index c197fafc..ea2e17a7 100644
+ --- a/compat.h
+@@ -459,7 +510,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag = 0;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -553,10 +604,10 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++ {
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+- struct pollfd pfd;
+ - char buf[8192];
+ + char buf[SSH_IOBUFSZ];
+ struct timeval start;
+@@ -1072,7 +1123,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1136,14 +1187,14 @@
+ }
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
+ window, packetmax, CHAN_EXTENDED_WRITE,
+- "client-session", /*nonblock*/0);
++ "client-session", CHANNEL_NONBLOCK_STDIO);
+
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+ +
+- debug3_f("channel_new: %d", c->self);
++ debug2_f("channel %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
+@@ -1314,7 +1365,29 @@
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ sshbuf_len(server_cfg)) != 0)
++ fatal_f("ssh_digest_update");
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
++- if (ssh_digest_final(ctx, hash, len) != 0)
++- fatal_f("ssh_digest_final");
++- options.timing_secret = PEEK_U64(hash);
++- freezero(hash, len);
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
+++ hash = xmalloc(len);
+++ if (ssh_digest_final(ctx, hash, len) != 0)
+++ fatal_f("ssh_digest_final");
+++ options.timing_secret = PEEK_U64(hash);
+++ freezero(hash, len);
+++ ssh_digest_free(ctx);
+++ }
++ ctx = NULL;
++ return;
++ }
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+
+@@ -1334,7 +1407,7 @@
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
+
+@@ -1344,7 +1417,7 @@
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+ struct kex *kex;
+ int r;
+
+@@ -1384,14 +1457,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:49:22.196632131 -0800
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++- if (win_size > 36) {
+++ if (win_size > 45) {
++- int file_len = win_size - 36;
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
+@@ -63,15 +65,3 @@
+ }
+
+ /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..986ff59b 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
+-
+- if (skprovider == NULL)
+- fatal("Cannot download keys without provider");
+--
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- if (!quiet) {
+- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
new file mode 100644
index 0000000..272270b
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
@@ -0,0 +1,238 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
+@@ -1026,9 +1026,9 @@
+ + }
+ +#endif
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,27 +553,14 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+- fd_set *setp;
++ struct pollfd pfd;
+ - char buf[8192];
+ + char buf[SSH_IOBUFSZ];
+- struct timeval timeout, start, *timeoutp = NULL;
++ struct timeval start;
++ struct timespec timespec, *timespecp = NULL;
+
+ DBG(debug("packet_read()"));
+ diff --git a/packet.h b/packet.h
+@@ -598,12 +577,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +605,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -637,9 +615,9 @@
+ + { "noneenabled", oNoneEnabled },
+ + { "nonemacenabled", oNoneMacEnabled },
+ + { "noneswitch", oNoneSwitch },
+- { "proxyusefdpass", oProxyUseFdpass },
+- { "canonicaldomains", oCanonicalDomains },
+- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ { "sessiontype", oSessionType },
++ { "stdinnull", oStdinNull },
++ { "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+ { "securitykeyprovider", oSecurityKeyProvider },
+ { "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +695,9 @@
+ + options->hpn_buffer_size = -1;
+ + options->tcp_rcv_buf_poll = -1;
+ + options->tcp_rcv_buf = -1;
+- options->proxy_use_fdpass = -1;
+- options->ignored_unknown = NULL;
+- options->num_canonical_domains = 0;
++ options->session_type = -1;
++ options->stdin_null = -1;
++ options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+@@ -778,9 +756,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +820,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -975,15 +953,6 @@
+ index 306658cb..d4309903 100644
+ --- a/serverloop.c
+ +++ b/serverloop.c
+-@@ -322,7 +322,7 @@ static int
+- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
+- {
+- int r, len;
+-- char buf[16384];
+-+ char buf[SSH_IOBUFSZ];
+-
+- /* Read and buffer any input data from the client. */
+- if (FD_ISSET(connection_in, readset)) {
+ @@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
+ debug("Tunnel forwarding using interface %s", ifname);
+
+@@ -1047,30 +1016,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+-
+- /* File to read commands from */
+- FILE* infile;
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error_r(r, "Unable to load resident keys");
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
++
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1330,9 +1286,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1315,8 @@
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- /* Fill in default values for those options not explicitly set. */
+- fill_default_server_options(&options);
++ fatal("AuthorizedPrincipalsCommand set without "
++ "AuthorizedPrincipalsCommandUser");
+
+ + if (options.none_enabled == 1) {
+ + char *old_ciphers = options.ciphers;
+@@ -1375,9 +1331,9 @@
+ + }
+ + }
+ +
+- /* challenge-response is implemented via keyboard interactive */
+- if (options.challenge_response_authentication)
+- options.kbd_interactive_authentication = 1;
++ /*
++ * Check whether there is any path through configured auth methods.
++ * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
new file mode 100644
index 0000000..3d702eb
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.3.2.patch
@@ -0,0 +1,54 @@
+diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.3.2.diff b/openssh-9.0p1+x509-13.3.2.diff
+--- a/openssh-9.0p1+x509-13.3.2.diff 2022-04-11 10:32:02.364576985 -0700
++++ b/openssh-9.0p1+x509-13.3.2.diff 2022-04-11 10:38:29.267348410 -0700
+@@ -47526,8 +47526,8 @@
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+-- if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++- if (gethostname(lname, HOST_NAME_MAX)) {
+++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+@@ -55662,12 +55662,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -395,6 +372,8 @@
++@@ -395,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -76764,7 +76763,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=''
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -141144,16 +141143,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.3.2/version.h
+---- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300
+-+++ openssh-9.0p1+x509-13.3.2/version.h 2022-04-11 09:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_9.0"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.3.2/version.m4
+ --- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-9.0p1+x509-13.3.2/version.m4 2022-04-11 09:07:00.000000000 +0300
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 9ce34e6..f23eae1 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
@@ -20,7 +20,6 @@
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
diff --git a/net-misc/openssh/openssh-8.5_p1-r3.ebuild b/net-misc/openssh/openssh-8.5_p1-r3.ebuild
deleted file mode 120000
index 3804654..0000000
--- a/net-misc/openssh/openssh-8.5_p1-r3.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-openssh-8.5_p1.ebuild
\ No newline at end of file
diff --git a/net-misc/openssh/openssh-8.5_p1.ebuild b/net-misc/openssh/openssh-9.0_p1.ebuild
similarity index 83%
rename from net-misc/openssh/openssh-8.5_p1.ebuild
rename to net-misc/openssh/openssh-9.0_p1.ebuild
index c89ac3d..f24641a 100644
--- a/net-misc/openssh/openssh-8.5_p1.ebuild
+++ b/net-misc/openssh/openssh-9.0_p1.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
# Make it more portable between straight releases
# and _p? releases.
@@ -11,9 +11,9 @@
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
-HPN_PV="8.4_P1"
+HPN_PV="8.5_P1"
-HPN_VER="15.1"
+HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@@ -21,7 +21,7 @@
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.3.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
@@ -29,50 +29,43 @@
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="*"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
+ hpn? ( ssl )
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
- X509? ( !sctp !security-key ssl !xmss )
- xmss? ( || ( ssl libressl ) )
+ X509? ( !sctp ssl !xmss )
+ xmss? ( ssl )
test? ( ssl )
"
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+ net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- !libressl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist=]
- <dev-libs/openssl-1.1.0:0[bindist=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- libressl? ( dev-libs/libressl:0=[static-libs(+)] )
- )
+ ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
@@ -90,30 +83,29 @@
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+ !prefix? ( sys-apps/shadow )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
+ verify-sig? ( sec-keys/openpgp-keys-openssh )
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
+ local missing=()
+ check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+ check_feature hpn HPN_VER
+ check_feature sctp SCTP_PATCH
+ check_feature X509 X509_PATCH
+ if [[ ${#missing[@]} -ne 0 ]] ; then
eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
+ eerror "that you requested: ${missing[*]}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
+ die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@@ -123,6 +115,13 @@
fi
}
+src_unpack() {
+ default
+
+ # We don't have signatures for HPN, X509, so we have to write this ourselves
+ use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
+}
+
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@@ -132,15 +131,13 @@
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
- eapply "${FILESDIR}"/${PN}-8.5_p1-upstream-cve-2021-41617.patch
-
- # workaround for https://bugs.gentoo.org/734984
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
+ eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
+ eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
@@ -177,7 +174,7 @@
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+ einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
@@ -188,14 +185,14 @@
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
+ eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
+ use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+ use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
@@ -308,24 +305,18 @@
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
+ $(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
- $(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
- # stackprotect is broken on musl x86 and ppc
- if use x86 || use ppc; then
- myconf+=( --without-stackprotect )
- fi
-
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
@@ -338,34 +329,19 @@
}
src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
+ local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
+ ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ ewarn "user, so we will run a subset only."
+ tests+=( interop-tests )
else
tests+=( tests )
fi
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+ local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+ mkdir -p "${HOME}"/.ssh || die
+ emake -j1 "${tests[@]}" </dev/null
}
# Gentoo tweaks to default config files.
@@ -436,14 +412,10 @@
diropts -m 0700
dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
+ if [[ -d "${ED}"/var/empty ]]; then
+ rmdir "${ED}"/var/empty || die
fi
-
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}