openssh: upgraded package to upstream
Upgraded net-misc/openssh to version 8.8_p1-r2 on amd64, arm64
Removed linux-headers version restriction and added condition
on removing dir var/empty to make it work in COS.
diff --git a/net-misc/openssh/openssh-8.8_p1-r2.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
index 275cee9a5..88d4712cb 100644
--- a/net-misc/openssh/openssh-8.8_p1-r2.ebuild
+++ b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
@@ -86,7 +86,7 @@ RDEPEND="
"
DEPEND="${RDEPEND}
virtual/os-headers
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+ kernel_linux? ( !prefix-guest? ( sys-kernel/linux-headers ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
@@ -440,7 +440,9 @@ src_install() {
|| die "failed to remove scp"
fi
- rmdir "${ED}"/var/empty || die
+ if [[ -d "${ED}"/var/empty ]]; then
+ rmdir "${ED}"/var/empty || die
+ fi
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
BUG=b/205336232,b/205267203
TEST=presubmit
RELEASE_NOTE=Upgraded net-misc/openssh to v8.8_p1-r2. This resolved
CVE-2016-20012 and CVE-2021-41617.
Change-Id: I4e7e7799470a7c4cbd9a1ea115bfefc225281d1f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/24984
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
diff --git a/metadata/md5-cache/net-misc/openssh-8.5_p1 b/metadata/md5-cache/net-misc/openssh-8.5_p1
deleted file mode 100644
index 746bcf3..0000000
--- a/metadata/md5-cache/net-misc/openssh-8.5_p1
+++ /dev/null
@@ -1,16 +0,0 @@
-BDEPEND=virtual/pkgconfig sys-devel/autoconf >=app-portage/elt-patches-20170815 virtual/pkgconfig
-DEFINED_PHASES=configure install postinst preinst prepare pretend test
-DEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( sys-kernel/linux-headers ) ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0=[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
-DESCRIPTION=Port of OpenBSD's free SSH release
-EAPI=7
-HOMEPAGE=https://www.openssh.com/
-IUSE=abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss
-KEYWORDS=*
-LICENSE=BSD GPL-2
-RDEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( !prefix? ( sys-apps/shadow ) ) X? ( x11-apps/xauth )
-REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp !security-key ssl !xmss ) xmss? ( || ( ssl libressl ) ) test? ( ssl )
-RESTRICT=!test? ( test )
-SLOT=0
-SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-8.5p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-8.5p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v1%208.4p1/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v1%208.4p1/openssh-8_4_P1-hpn-AES-CTR-15.1.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v1%208.4p1/openssh-8_4_P1-hpn-PeakTput-15.1.diff ) X509? ( https://roumenpetrov.info/openssh/x509-13.0/openssh-8.5p1+x509-13.0.diff.gz )
-_eclasses_=autotools d0e5375d47f4c809f406eb892e531513 eutils fcb2aa98e1948b835b5ae66ca52868c5 flag-o-matic 5d5921a298e95441da2f85be419894c0 libtool f143db5a74ccd9ca28c1234deffede96 multilib 2477ebe553d3e4d2c606191fe6c33602 pam 3f746974e1cc47cabe3bd488c08cdc8e systemd 71fd8d2065d102753fb9e4d20eaf3e9f toolchain-funcs 605c126bed8d87e4378d5ff1645330cb user-info a2abd4e2f4c3b9b06d64bf1329359a02
-_md5_=34b27dc88eea576b07b11113b4ab15ad
diff --git a/metadata/md5-cache/net-misc/openssh-8.8_p1-r2 b/metadata/md5-cache/net-misc/openssh-8.8_p1-r2
new file mode 100644
index 0000000..ee40af0
--- /dev/null
+++ b/metadata/md5-cache/net-misc/openssh-8.8_p1-r2
@@ -0,0 +1,16 @@
+BDEPEND=virtual/pkgconfig sys-devel/autoconf >=app-portage/elt-patches-20170815 virtual/pkgconfig
+DEFINED_PHASES=configure install postinst preinst prepare pretend test
+DEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist(-)=] <dev-libs/openssl-1.1.0:0[bindist(-)=] ) >=dev-libs/openssl-1.1.0g:0[bindist(-)=] ) dev-libs/openssl:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist(-)=] <dev-libs/openssl-1.1.0:0[bindist(-)=] ) >=dev-libs/openssl-1.1.0g:0[bindist(-)=] ) dev-libs/openssl:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
+DESCRIPTION=Port of OpenBSD's free SSH release
+EAPI=7
+HOMEPAGE=https://www.openssh.com/
+IUSE=abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss
+KEYWORDS=*
+LICENSE=BSD GPL-2
+RDEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist(-)=] <dev-libs/openssl-1.1.0:0[bindist(-)=] ) >=dev-libs/openssl-1.1.0g:0[bindist(-)=] ) dev-libs/openssl:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( !prefix? ( sys-apps/shadow ) ) X? ( x11-apps/xauth )
+REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
+RESTRICT=!test? ( test )
+SLOT=0
+SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-8.8p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-8.8p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff ) X509? ( https://roumenpetrov.info/openssh/x509-13.2.3/openssh-8.8p1+x509-13.2.3.diff.gz )
+_eclasses_=autotools d0e5375d47f4c809f406eb892e531513 eutils fcb2aa98e1948b835b5ae66ca52868c5 flag-o-matic 5d5921a298e95441da2f85be419894c0 libtool f143db5a74ccd9ca28c1234deffede96 multilib 2477ebe553d3e4d2c606191fe6c33602 pam 3f746974e1cc47cabe3bd488c08cdc8e systemd 71fd8d2065d102753fb9e4d20eaf3e9f toolchain-funcs f783d68a26b62d6b19e070e6bcada5e6 user-info a2abd4e2f4c3b9b06d64bf1329359a02
+_md5_=9eb152578f528eb321da3dfcabf9b26c
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index adff194..e3a9ef1 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,15 @@
-DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
+DIST openssh-8.5p1+x509-13.0.1.diff.gz 997005 BLAKE2B b6cdc9ba12dc642c7073463fb8b153a32019e8bc4c1778c2371d89cdc8d9b43e86523d0c03ebeeafa7004a16ad46dfbc18b338bf95f46101d8865709d45aa6b0 SHA512 b0247885d3a0718eb4df123c552f9e95ad9ffd55f96189aca35006c23d76ec76b28420cac4d7b2167c07f2e0a0652edfa20c2ce60aea3f7607a1e747f836ff91
DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
-DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
-DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
-DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63
+DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
+DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
+DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
+DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
+DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
+DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
+DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
+DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
+DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
deleted file mode 100644
index 90fa248..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
-@@ -409,18 +409,10 @@
- index 817da43b..b2bcf78f 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 8ccfd2e0..1ad9bc06 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -167,6 +168,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -112,7 +116,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -486,6 +532,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1079,11 +1057,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1105,9 +1083,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 11571c01..23a06022 100644
- --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
deleted file mode 100644
index 3f5c7a4..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
-@@ -1191,15 +1191,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+
diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
deleted file mode 100644
index 505e34d..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 86ea6250..844adabc 100644
---- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -252,7 +252,7 @@ test_one() {
- test_one "user-certificate" failure "-n $HOSTS"
- test_one "empty principals" success "-h"
- test_one "wrong principals" failure "-h -n foo"
--test_one "cert not yet valid" failure "-h -V20200101:20300101"
-+test_one "cert not yet valid" failure "-h -V20300101:20320101"
- test_one "cert expired" failure "-h -V19800101:19900101"
- test_one "cert valid interval" success "-h -V-1w:+2w"
- test_one "cert has constraints" failure "-h -Oforce-command=false"
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index 38c14a69..5cd02fc3 100644
---- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
-@@ -338,7 +338,7 @@ test_one() {
- test_one "correct principal" success "-n ${USER}"
- test_one "host-certificate" failure "-n ${USER} -h"
- test_one "wrong principals" failure "-n foo"
--test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
-+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
- test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
- test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
- test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff --git a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
deleted file mode 100644
index f12a309..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
---- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
-+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
-@@ -39348,12 +39348,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -384,6 +365,8 @@
-+@@ -384,6 +365,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -103950,16 +103949,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
----- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
--+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.4"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
- --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
deleted file mode 100644
index 32713d4..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
-From: Oleg <Fallmay@users.noreply.github.com>
-Date: Thu, 1 Oct 2020 12:09:08 +0300
-Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
-
----
- contrib/ssh-copy-id | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-index 392f64f94..a76907717 100644
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -247,7 +247,7 @@ installkeys_sh() {
- # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
- # the cat adds the keys we're getting via STDIN
- # and if available restorecon is used to restore the SELinux context
-- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
-+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
- cd;
- umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-@@ -258,6 +258,7 @@ installkeys_sh() {
- restorecon -F .ssh ${AUTH_KEY_FILE};
- fi
- EOF
-+ )
-
- # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
- printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
deleted file mode 100644
index 9bd600b..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,7 +803,7 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
- + struct sshcipher *none = cipher_by_name("none");
- int r;
-
-@@ -901,17 +901,18 @@
- }
-
- /*
--@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
-+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
-+
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
--
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-++
-+ /* expand KEX and etc. name lists */
-+ { char *all;
-+ #define ASSEMBLE(what, defaults, all) \
- diff --git a/readconf.h b/readconf.h
- index e143a108..1383a3cd 100644
- --- a/readconf.h
-@@ -950,9 +951,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -679,6 +683,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
-@@ -382,7 +382,7 @@
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -1193,14 +1193,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index a2eca3ec..ff654fc3 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.3"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v22"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
---- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
-+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-+- int file_len = win_size - 36;
-++ if (win_size > 45) {
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
deleted file mode 100644
index 884063c..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
-@@ -409,18 +409,10 @@
- index e7abb341..c23276d4 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index c2544bd9..ebd85c88 100644
- --- a/packet.h
-@@ -481,9 +459,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -294,6 +297,8 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -114,7 +118,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -519,6 +565,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1081,11 +1059,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+ }
-+ }
-+ #endif
-
-- if (!authctxt.success)
-- fatal("Authentication failed.");
--+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
deleted file mode 100644
index 79cc3e5..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:31:37.392120799 -0700
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:32:46.143684424 -0700
-@@ -672,7 +672,7 @@
- +const EVP_CIPHER *
- +evp_aes_ctr_mt(void)
- +{
--+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
-++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
- + static EVP_CIPHER *aes_ctr;
- + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
- + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
-@@ -701,7 +701,7 @@
- + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
- +# endif /*SSH_OLD_EVP*/
- + return &aes_ctr;
--+# endif /*OPENSSH_VERSION_NUMBER*/
-++# endif /*OPENSSL_VERSION_NUMBER*/
- +}
- +
- +#endif /* defined(WITH_OPENSSL) */
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
deleted file mode 100644
index 52ec42e..0000000
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
-@@ -1171,14 +1171,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index a2eca3ec..ff654fc3 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.3"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v22"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
similarity index 80%
rename from net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
rename to net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
index 71b27f2..c7812c6 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
+++ b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
@@ -1,6 +1,5 @@
-diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
---- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
-+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
+--- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700
++++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700
@@ -46675,12 +46675,11 @@
install-files:
@@ -54,13 +53,13 @@
+fi
+
cat > $OBJ/sshd_config.i << _EOF
-@@ -122238,16 +122237,6 @@
+@@ -122247,16 +122246,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
+-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
+-+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.5"
@@ -68,6 +67,6 @@
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
+ diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
--- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200
+ +++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
deleted file mode 100644
index ec6e687..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
-+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
-@@ -894,9 +894,9 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
-- options->update_hostkeys = -1;
-- options->hostbased_key_types = NULL;
-- options->pubkey_key_types = NULL;
-+ options->hostbased_accepted_algos = NULL;
-+ options->pubkey_accepted_algos = NULL;
-+ options->known_hosts_command = NULL;
- + options->disable_multithreaded = -1;
- }
-
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
-@@ -209,7 +209,7 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
-@@ -229,22 +229,19 @@
- + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
- + }
- if (!c->have_remote_id)
-- fatal(":%s: channel %d: no remote id",
-- __func__, c->self);
-+ fatal_f("channel %d: no remote id", c->self);
- if ((r = sshpkt_start(ssh,
- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
-- fatal("%s: channel %i: %s", __func__,
-- c->self, ssh_err(r));
-+ fatal_fr(r, "channel %i", c->self);
- }
-- debug2("channel %d: window %d sent adjust %d",
-- c->self, c->local_window,
--- c->local_consumed);
-+ debug2("channel %d: window %d sent adjust %d", c->self,
-+- c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
--+ c->local_consumed + addition);
-++ c->local_window, c->local_consumed + addition);
- + c->local_window += c->local_consumed + addition;
- c->local_consumed = 0;
- }
-@@ -387,18 +384,18 @@
- index dec8e7e9..3c11558e 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
-- debug("match: %s pat %s compat 0x%08x",
-+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
-+ debug_f("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- datafellows = check[i].bugs; /* XXX for now */
-+ ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ datafellows |= SSH_BUG_LARGEWINDOW;
-++ ssh->compat |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return check[i].bugs;
-+ return;
- }
- }
- diff --git a/compat.h b/compat.h
-@@ -431,9 +428,9 @@
- --- a/digest-openssl.c
- +++ b/digest-openssl.c
- @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
-- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
-+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
- { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
-- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
-+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
- + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
- { -1, NULL, 0, NULL },
- };
-@@ -536,18 +533,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +550,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -622,9 +597,9 @@
- /* Format of the configuration file:
-
- @@ -165,6 +166,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -778,9 +753,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -115,7 +119,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -888,9 +863,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -511,6 +564,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1091,7 +1066,7 @@
- }
-
- +static void
--+hpn_options_init(void)
-++hpn_options_init(struct ssh *ssh)
- +{
- + /*
- + * We need to check to see if what they want to do about buffer
-@@ -1116,7 +1091,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (datafellows & SSH_BUG_LARGEWINDOW) {
-++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1186,7 +1161,7 @@
- + c->dynamic_window = 1;
- + debug("Enabled Dynamic Window Scaling");
- + }
-- debug3("%s: channel_new: %d", __func__, c->self);
-+ debug3_f("channel_new: %d", c->self);
-
- channel_send_open(ssh, c->self);
- @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
-@@ -1198,7 +1173,7 @@
- + * might open channels that use the hpn buffer sizes. We can't send a
- + * window of -1 (the default) to the server as it breaks things.
- + */
--+ hpn_options_init();
-++ hpn_options_init(ssh);
- +
- /* XXX should be pre-session */
- if (!options.control_persist)
-@@ -1297,11 +1272,10 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
--
-+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1329,9 +1303,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 8aa7f3df..d0e3f1b0 100644
- --- a/sshd.c
-@@ -1397,9 +1371,9 @@
- + if (options.nonemac_enabled == 1)
- + debug("WARNING: None MAC enabled");
- +
-- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
- options.kex_algorithms);
-- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
- diff --git a/sshd_config b/sshd_config
- index 19b7c91a..cdd889b2 100644
- --- a/sshd_config
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
deleted file mode 100644
index d4835d1..0000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800
-@@ -1401,14 +1401,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index c2f9c55b..f2e7fa80 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.4"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v1"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
similarity index 72%
rename from net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
rename to net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
index e2d4ce8..413cc8b 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
@@ -1,6 +1,6 @@
-diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
+diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,21 +25,17 @@
int r;
if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+@@ -898,20 +898,20 @@
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
+ + options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
-+ options->revoked_host_keys = NULL;
-+ options->fingerprint_hash = -1;
-+ options->update_hostkeys = -1;
- + options->disable_multithreaded = -1;
- }
-
- /*
- @@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
@@ -54,7 +50,7 @@
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
- index d6a15550..d2d20548 100644
+ index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
@@ -62,23 +58,23 @@
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
- @@ -672,6 +676,7 @@ static struct {
+ @@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
-++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
@@ -96,7 +92,7 @@
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
+++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
@@ -107,14 +103,14 @@
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
- index e4917f3c..e0db582e 100644
+ index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
--@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
@@ -127,29 +123,25 @@
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
-@@ -234,10 +264,12 @@
- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
-+- (r = sshpkt_send(ssh)) != 0)
-+- fatal_fr(r, "channel %d", c->self);
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
-++ (r = sshpkt_send(ssh)) != 0) {
-++ fatal_fr(r, "channel %i", c->self);
-++ }
- debug2("channel %d: window %d sent adjust %d", c->self,
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
-@@ -384,20 +416,38 @@
- index dec8e7e9..3c11558e 100644
+@@ -386,21 +415,45 @@
+ index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
--@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
@@ -158,18 +150,20 @@
+ static struct {
+ char *pat;
+ int bugs;
-+@@ -147,11 +147,19 @@
++@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
--+ /* Check to see if the remote side is OpenSSH and not HPN */
--+ if (strstr(version, "OpenSSH") != NULL) {
--+ if (strstr(version, "hpn") == NULL) {
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
--+ debug("Remote is NON-HPN aware");
--+ }
--+ }
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
@@ -191,10 +185,10 @@
+
+ char *
diff --git a/compat.h b/compat.h
- index 66db42cc..d4e811e4 100644
+ index c197fafc..ea2e17a7 100644
--- a/compat.h
-@@ -456,7 +506,7 @@
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
+@@ -459,7 +512,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
@@ -202,17 +196,17 @@
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
-@@ -1033,19 +1083,6 @@
+@@ -1035,19 +1088,6 @@
/* File to read commands from */
FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..8b839219 100644
+-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
--@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
-- error("Unable to load resident keys: %s", ssh_err(r));
+- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
@@ -220,9 +214,9 @@
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
- index f34ca0d7..d7d134f7 100644
+ index 53330da5..27b9770e 100644
--- a/ssh.c
-@@ -1091,7 +1128,7 @@
+@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
@@ -231,11 +225,11 @@
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
-@@ -1331,6 +1368,26 @@
+@@ -1335,6 +1375,28 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,12 +1625,13 @@
++@@ -1625,13 +1625,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
@@ -245,37 +239,39 @@
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
+++ ssh_digest_free(ctx);
++ }
-+ ssh_digest_free(ctx);
+ ctx = NULL;
+ return;
- @@ -1746,6 +1753,19 @@ main(int ac, char **av)
++ }
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
-@@ -1401,14 +1458,3 @@
+@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
--index c2f9c55b..f2e7fa80 100644
+-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.4"
+- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v1"
+-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
---- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
+diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -288,9 +284,15 @@
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -33,12 +33,12 @@
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
@@ -298,7 +300,8 @@
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+ if (win_size > 36) {
++- if (win_size > 36) {
+++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
@@ -307,15 +310,15 @@
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
-@@ -63,15 +63,3 @@
+@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..76b22338 100644
+-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
--@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
new file mode 100644
index 0000000..8827fe8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
@@ -0,0 +1,104 @@
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +553,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -598,12 +576,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +604,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -778,9 +755,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +819,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -1330,9 +1307,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
new file mode 100644
index 0000000..7199227
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
+@@ -1414,14 +1414,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
similarity index 67%
copy from net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
copy to net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
index 71b27f2..e23063b 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch
+++ b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
@@ -1,12 +1,11 @@
-diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
---- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
-+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
-@@ -46675,12 +46675,11 @@
+--- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700
++++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700
+@@ -47728,12 +47728,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -380,6 +364,8 @@
-+@@ -380,6 +364,7 @@
+-@@ -389,6 +366,8 @@
++@@ -389,6 +366,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
@@ -15,7 +14,7 @@
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -63967,7 +63966,7 @@
+@@ -65001,7 +65000,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@@ -24,7 +23,7 @@
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
-@@ -63982,7 +63981,7 @@
+@@ -65016,7 +65015,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@@ -33,7 +32,7 @@
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
-@@ -63997,7 +63996,7 @@
+@@ -65031,7 +65030,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@@ -42,7 +41,7 @@
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
-@@ -64129,9 +64128,9 @@
+@@ -65163,9 +65162,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
@@ -54,20 +53,20 @@
+fi
+
cat > $OBJ/sshd_config.i << _EOF
-@@ -122238,16 +122237,6 @@
+@@ -124084,16 +124083,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
+ __attribute__((format(printf, 4, 5)));
void msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
+-diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
+---- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300
+-+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
-- #define SSH_VERSION "OpenSSH_8.5"
+- #define SSH_VERSION "OpenSSH_8.6"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
- --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200
+ diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
+ --- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
similarity index 64%
copy from net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
copy to net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
index e2d4ce8..714dffc 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch
+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
@@ -1,6 +1,6 @@
-diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
+diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,21 +25,17 @@
int r;
if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2062,6 +2068,7 @@ initialize_options(Options * options)
+@@ -898,20 +898,20 @@
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
+ + options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
-+ options->revoked_host_keys = NULL;
-+ options->fingerprint_hash = -1;
-+ options->update_hostkeys = -1;
- + options->disable_multithreaded = -1;
- }
-
- /*
- @@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
@@ -54,7 +50,7 @@
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
- index d6a15550..d2d20548 100644
+ index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
@@ -62,23 +58,23 @@
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
- @@ -672,6 +676,7 @@ static struct {
+ @@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
-+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
+diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
-++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
@@ -89,14 +85,14 @@
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
++- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
+++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
@@ -107,14 +103,14 @@
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
- index e4917f3c..e0db582e 100644
+ index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
--@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
@@ -127,29 +123,25 @@
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
-@@ -234,10 +264,12 @@
- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
-+- (r = sshpkt_send(ssh)) != 0)
-+- fatal_fr(r, "channel %d", c->self);
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
-++ (r = sshpkt_send(ssh)) != 0) {
-++ fatal_fr(r, "channel %i", c->self);
-++ }
- debug2("channel %d: window %d sent adjust %d", c->self,
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
-@@ -384,20 +416,38 @@
- index dec8e7e9..3c11558e 100644
+@@ -386,21 +415,45 @@
+ index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
--@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
@@ -158,18 +150,20 @@
+ static struct {
+ char *pat;
+ int bugs;
-+@@ -147,11 +147,19 @@
++@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
--+ /* Check to see if the remote side is OpenSSH and not HPN */
--+ if (strstr(version, "OpenSSH") != NULL) {
--+ if (strstr(version, "hpn") == NULL) {
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
--+ debug("Remote is NON-HPN aware");
--+ }
--+ }
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
@@ -191,10 +185,10 @@
+
+ char *
diff --git a/compat.h b/compat.h
- index 66db42cc..d4e811e4 100644
+ index c197fafc..ea2e17a7 100644
--- a/compat.h
-@@ -456,7 +506,7 @@
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
+@@ -459,7 +512,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
@@ -202,17 +196,26 @@
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
-@@ -1033,19 +1083,6 @@
+@@ -553,7 +606,7 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+ fd_set *setp;
+@@ -1035,19 +1088,6 @@
- /* File to read commands from */
- FILE* infile;
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
-diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..8b839219 100644
+-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
--@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
-- error("Unable to load resident keys: %s", ssh_err(r));
+- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
@@ -220,9 +223,9 @@
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
- index f34ca0d7..d7d134f7 100644
+ index 53330da5..27b9770e 100644
--- a/ssh.c
-@@ -1091,7 +1128,7 @@
+@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
@@ -231,11 +234,12 @@
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
-@@ -1331,6 +1368,26 @@
+@@ -1335,7 +1375,29 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,12 +1625,13 @@
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
@@ -245,37 +249,58 @@
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
+++ ssh_digest_free(ctx);
++ }
-+ ssh_digest_free(ctx);
+ ctx = NULL;
+ return;
- @@ -1746,6 +1753,19 @@ main(int ac, char **av)
++ }
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
-@@ -1401,14 +1458,3 @@
+
+@@ -1355,7 +1417,7 @@
+ /* challenge-response is implemented via keyboard interactive */
+ if (options.challenge_response_authentication)
+ options.kbd_interactive_authentication = 1;
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
+
+@@ -1365,7 +1427,7 @@
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+ struct kex *kex;
+ int r;
+
+@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
--index c2f9c55b..f2e7fa80 100644
+-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.4"
+- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v1"
+-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
---- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
-+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
+diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -288,9 +313,15 @@
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -33,12 +33,12 @@
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
@@ -298,7 +329,8 @@
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+ if (win_size > 36) {
++- if (win_size > 36) {
+++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
@@ -307,15 +339,15 @@
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
-@@ -63,15 +63,3 @@
+@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
--index a12b79a5..76b22338 100644
+-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
--@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
new file mode 100644
index 0000000..30c0252
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
@@ -0,0 +1,132 @@
+diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +553,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -598,12 +576,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +604,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -778,9 +755,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +819,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -1047,17 +1024,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
+
+- /* File to read commands from */
+- FILE* infile;
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh-keygen.c b/ssh-keygen.c
+ index cfb5f115..36a6e519 100644
+ --- a/ssh-keygen.c
+@@ -1330,9 +1307,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
new file mode 100644
index 0000000..6dc290d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
@@ -0,0 +1,13 @@
+diff --git a/kex.c b/kex.c
+index 34808b5c..88d7ccac 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ if (version_addendum != NULL && *version_addendum == '\0')
+ version_addendum = NULL;
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ version_addendum == NULL ? "" : " ",
+ version_addendum == NULL ? "" : version_addendum)) != 0) {
+ oerrno = errno;
diff --git a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
similarity index 89%
rename from net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
rename to net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
index d4db77b..ffc40b7 100644
--- a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -1,8 +1,8 @@
diff --git a/auth.c b/auth.c
-index 086b8ebb..a267353c 100644
+index 00b168b4..8ee93581 100644
--- a/auth.c
+++ b/auth.c
-@@ -724,120 +724,6 @@ fakepw(void)
+@@ -729,118 +729,6 @@ fakepw(void)
return (&fake);
}
@@ -11,9 +11,7 @@
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
@@ -120,11 +118,11 @@
- }
-}
-
- /*
- * Runs command in a subprocess with a minimal environment.
- * Returns pid on success, 0 on failure.
+ /* These functions link key/cert options to the auth framework */
+
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
diff --git a/canohost.c b/canohost.c
-index abea9c6e..4f4524d2 100644
+index a810da0e..18e9d8d4 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@@ -155,9 +153,9 @@
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
++ (struct sockaddr *)&from, &fromlen) == -1) {
+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
++ return xstrdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
@@ -169,7 +167,7 @@
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
++ return xstrdup(ntop);
+ }
+
+ /*
@@ -184,7 +182,7 @@
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
-+ return strdup(ntop);
++ return xstrdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
@@ -205,7 +203,7 @@
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
++ return xstrdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
@@ -220,9 +218,9 @@
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
++ return xstrdup(ntop);
+ }
-+ return strdup(name);
++ return xstrdup(name);
+}
+
+/*
@@ -246,10 +244,10 @@
+ }
+}
diff --git a/readconf.c b/readconf.c
-index f3cac6b3..adfd7a4e 100644
+index 03369a08..b45898ce 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
+@@ -161,6 +161,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -257,7 +255,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -205,9 +206,11 @@ static struct {
+@@ -207,9 +208,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -269,7 +267,7 @@
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1033,6 +1036,10 @@ parse_time:
+@@ -1117,6 +1120,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@@ -280,15 +278,15 @@
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ options->pubkey_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@@ -298,11 +296,11 @@
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
-index feedb3d2..c7139c1b 100644
+index f7d53b06..c3a91898 100644
--- a/readconf.h
+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
+@@ -40,6 +40,7 @@ typedef struct {
+ int hostbased_authentication; /* ssh2's rhosts_rsa */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
@@ -310,10 +308,10 @@
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
-index 06a32d31..6871ff36 100644
+index cd0eea86..27101943 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -770,6 +770,16 @@ The default is
+@@ -832,6 +832,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@@ -331,10 +329,10 @@
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index af00fb30..652463c5 100644
+index fea50fab..aeff639b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -348,7 +346,7 @@
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
-@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
new file mode 100644
index 0000000..be88d11
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.1.patch
@@ -0,0 +1,45 @@
+--- a/openssh-8.7p1+x509-13.2.1.diff 2021-09-08 14:20:40.750542472 -0700
++++ b/openssh-8.7p1+x509-13.2.1.diff 2021-09-08 14:21:23.354736098 -0700
+@@ -51194,12 +51194,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +368,8 @@
++@@ -391,6 +368,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -70464,9 +70463,9 @@
+
+ +# cross-project configuration
+ +if test "$sshd_type" = "pkix" ; then
+-+ unset_arg=''
+++ unset_arg=
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -132131,16 +132130,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2.1/version.h
+---- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300
+-+++ openssh-8.7p1+x509-13.2.1/version.h 2021-09-08 21:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.7"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2.1/version.m4
+ --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.7p1+x509-13.2.1/version.m4 2021-09-08 21:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
new file mode 100644
index 0000000..49c0591
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
@@ -0,0 +1,447 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
+-+ struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+++ struct sshcipher *none = cipher_none();
+ int r;
+
+ if (none == NULL) {
+@@ -894,24 +894,24 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
+- options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+- options->hostbased_accepted_algos = NULL;
+- options->pubkey_accepted_algos = NULL;
+- options->known_hosts_command = NULL;
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
++ options->update_hostkeys = 0;
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
++ /* expand KEX and etc. name lists */
++ { char *all;
+ diff --git a/readconf.h b/readconf.h
+ index 2fba866e..7f8f0227 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -662,6 +666,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
+@@ -157,6 +157,36 @@
+ + Allan Jude provided the code for the NoneMac and buffer normalization.
+ + This work was financed, in part, by Cisco System, Inc., the National
+ + Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
++@@ -229,16 +229,17 @@
++ double delay;
++
++ digest_alg = ssh_digest_maxbytes();
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
++
++- (void)snprintf(b, sizeof b, "%llu%s",
++- (unsigned long long)options.timing_secret, user);
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++- fatal_f("ssh_digest_memory");
++- /* 0-4.2 ms of delay */
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++- freezero(hash, len);
+++ (void)snprintf(b, sizeof b, "%llu%s",
+++ (unsigned long long)options.timing_secret, user);
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++ fatal_f("ssh_digest_memory");
+++ /* 0-4.2 ms of delay */
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++ freezero(hash, len);
+++ }
++ debug3_f("user specific delay %0.3lfms", delay/1000);
++ return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index b60d56c4..0e363c15 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ - ((c->local_window_max - c->local_window >
+ - c->local_maxpacket*3) ||
+-+ ((ssh_packet_is_interactive(ssh) &&
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++ ((ssh_packet_is_interactive(ssh) &&
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
+ + u_int addition = 0;
+@@ -235,9 +265,8 @@
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0) {
+- fatal_fr(r, "channel %i", c->self);
+- }
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
+ - c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+@@ -337,70 +366,92 @@
+ index 70f492f8..5503af1d 100644
+ --- a/clientloop.c
+ +++ b/clientloop.c
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+ sock = x11_connect_display(ssh);
+ if (sock < 0)
+ return NULL;
+ - c = channel_new(ssh, "x11",
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-+ c = channel_new(ssh, "x11",
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-+ /* again is this really necessary for X11? */
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "x11",
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+++ /* again is this really necessary for X11? */
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+ return NULL;
+ }
+ c = channel_new(ssh, "authentication agent connection",
+ - SSH_CHANNEL_OPEN, sock, sock, -1,
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+-- "authentication agent connection", 1);
+-+ SSH_CHANNEL_OPEN, sock, sock, -1,
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0,
+-+ "authentication agent connection", 1);
++- "authentication agent connection", CHANNEL_NONBLOCK_SET);
+++ SSH_CHANNEL_OPEN, sock, sock, -1,
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_TCP_PACKET_DEFAULT, 0,
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+ }
+ debug("Tunnel forwarding using interface %s", ifname);
+
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
+ c->datagram = 1;
+
+-+
+-+
+ #if defined(SSH_TUN_FILTER)
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+- channel_register_filter(ssh, c->self, sys_tun_infilter,
+ diff --git a/compat.c b/compat.c
+ index 69befa96..90b5f338 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+- debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
++ static u_int
++ compat_datafellows(const char *version)
++ {
++- int i;
+++ int i, bugs = 0;
++ static struct {
++ char *pat;
++ int bugs;
++@@ -147,11 +147,26 @@
++ if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return;
++- return check[i].bugs;
+++ bugs |= check[i].bugs;
+ }
+ }
++- debug("no match: %s", version);
++- return 0;
+++ /* Check to see if the remote side is OpenSSH and not HPN */
+++ if (strstr(version, "OpenSSH") != NULL) {
+++ if (strstr(version, "hpn") == NULL) {
+++ bugs |= SSH_BUG_LARGEWINDOW;
+++ debug("Remote is NON-HPN aware");
+++ }
+++ }
+++ if (bugs == 0)
+++ debug("no match: %s", version);
+++ return bugs;
++ }
++
++ char *
+ diff --git a/compat.h b/compat.h
+ index c197fafc..ea2e17a7 100644
+ --- a/compat.h
+@@ -459,7 +510,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag = 0;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -553,7 +604,7 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+ fd_set *setp;
+@@ -1035,19 +1086,6 @@
+
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error_r(r, "Unable to load resident keys");
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1093,7 +1131,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1157,14 +1195,14 @@
+ }
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
+ window, packetmax, CHAN_EXTENDED_WRITE,
+- "client-session", /*nonblock*/0);
++ "client-session", CHANNEL_NONBLOCK_STDIO);
+
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+ +
+- debug3_f("channel_new: %d", c->self);
++ debug2_f("channel %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
+@@ -1335,7 +1373,29 @@
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ sshbuf_len(server_cfg)) != 0)
++ fatal_f("ssh_digest_update");
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
++- if (ssh_digest_final(ctx, hash, len) != 0)
++- fatal_f("ssh_digest_final");
++- options.timing_secret = PEEK_U64(hash);
++- freezero(hash, len);
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
+++ hash = xmalloc(len);
+++ if (ssh_digest_final(ctx, hash, len) != 0)
+++ fatal_f("ssh_digest_final");
+++ options.timing_secret = PEEK_U64(hash);
+++ freezero(hash, len);
+++ ssh_digest_free(ctx);
+++ }
++ ctx = NULL;
++ return;
++ }
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+
+@@ -1355,7 +1415,7 @@
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
+
+@@ -1365,7 +1425,7 @@
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+ struct kex *kex;
+ int r;
+
+@@ -1405,14 +1465,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++- if (win_size > 36) {
+++ if (win_size > 45) {
++- int file_len = win_size - 36;
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
+@@ -63,15 +65,3 @@
+ }
+
+ /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..986ff59b 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
+-
+- if (skprovider == NULL)
+- fatal("Cannot download keys without provider");
+--
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- if (!quiet) {
+- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
new file mode 100644
index 0000000..309e57e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
@@ -0,0 +1,198 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
+@@ -1026,9 +1026,9 @@
+ + }
+ +#endif
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,20 +553,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+@@ -598,12 +576,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +604,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -637,9 +614,9 @@
+ + { "noneenabled", oNoneEnabled },
+ + { "nonemacenabled", oNoneMacEnabled },
+ + { "noneswitch", oNoneSwitch },
+- { "proxyusefdpass", oProxyUseFdpass },
+- { "canonicaldomains", oCanonicalDomains },
+- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ { "sessiontype", oSessionType },
++ { "stdinnull", oStdinNull },
++ { "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+ { "securitykeyprovider", oSecurityKeyProvider },
+ { "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +694,9 @@
+ + options->hpn_buffer_size = -1;
+ + options->tcp_rcv_buf_poll = -1;
+ + options->tcp_rcv_buf = -1;
+- options->proxy_use_fdpass = -1;
+- options->ignored_unknown = NULL;
+- options->num_canonical_domains = 0;
++ options->session_type = -1;
++ options->stdin_null = -1;
++ options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+@@ -778,9 +755,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +819,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -1047,17 +1024,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
+
+- /* File to read commands from */
+- FILE* infile;
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh-keygen.c b/ssh-keygen.c
+ index cfb5f115..36a6e519 100644
+ --- a/ssh-keygen.c
+@@ -1330,9 +1307,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1336,8 @@
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- /* Fill in default values for those options not explicitly set. */
+- fill_default_server_options(&options);
++ fatal("AuthorizedPrincipalsCommand set without "
++ "AuthorizedPrincipalsCommandUser");
+
+ + if (options.none_enabled == 1) {
+ + char *old_ciphers = options.ciphers;
+@@ -1375,9 +1352,9 @@
+ + }
+ + }
+ +
+- /* challenge-response is implemented via keyboard interactive */
+- if (options.challenge_response_authentication)
+- options.kbd_interactive_authentication = 1;
++ /*
++ * Check whether there is any path through configured auth methods.
++ * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
new file mode 100644
index 0000000..b682762
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@@ -0,0 +1,63 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
+--- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
++++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
+@@ -954,15 +954,16 @@
+ char b[512];
+ - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ - u_char *hash = xmalloc(len);
++- double delay;
+ + int digest_alg;
+ + size_t len;
+ + u_char *hash;
+- double delay;
+-
+++ double delay = 0;
+++
+ + digest_alg = ssh_digest_maxbytes();
+ + len = ssh_digest_bytes(digest_alg);
+ + hash = xmalloc(len);
+-+
++
+ (void)snprintf(b, sizeof b, "%llu%s",
+ (unsigned long long)options.timing_secret, user);
+ - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -51859,12 +51860,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +372,8 @@
++@@ -391,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -71985,7 +71985,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -132360,16 +132360,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
+---- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
+-+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.8"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
+ --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/files/sshd-r2.initd b/net-misc/openssh/files/sshd-r2.initd
new file mode 100644
index 0000000..3381fb9
--- /dev/null
+++ b/net-misc/openssh/files/sshd-r2.initd
@@ -0,0 +1,100 @@
+#!/sbin/openrc-run
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+ # Entropy can be used by ssh-keygen, among other things, but
+ # is not strictly required (bug 470020).
+ use logger dns entropy
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ${SSHD_KEYGEN_BINARY} -A || return 2
+
+ "${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+ # Make sure that the user's config isn't busted before we try
+ # to start the daemon (this will produce better error messages
+ # than if we just try to start it blindly).
+ #
+ # We always need to call checkconfig because this function will
+ # also generate any missing host key and you can start a
+ # non-running service with "restart" argument.
+ checkconfig || return $?
+}
+
+stop_pre() {
+ if [ "${RC_CMD}" = "restart" ] ; then
+ # If this is a restart, check to make sure the user's config
+ # isn't busted before we stop the running daemon.
+ checkconfig || return $?
+ elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then
+ # Disconnect any clients before killing the master process
+ local pid=$(cat "${pidfile}" 2>/dev/null)
+ if [ -n "${pid}" ] ; then
+ local ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
+
+ IFS="${IFS}@"
+ local daemon pid pty user
+ pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do
+ ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..."
+ kill "${pid}" || true
+ done
+ fi
+ fi
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 9ce34e6..58ff739 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
diff --git a/net-misc/openssh/openssh-8.5_p1.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
similarity index 94%
rename from net-misc/openssh/openssh-8.5_p1.ebuild
rename to net-misc/openssh/openssh-8.8_p1-r2.ebuild
index 4450212..88d4712 100644
--- a/net-misc/openssh/openssh-8.5_p1.ebuild
+++ b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
@@ -3,7 +3,7 @@
EAPI=7
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
@@ -11,9 +11,9 @@
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
-HPN_PV="8.4_P1"
+HPN_PV="8.5_P1"
-HPN_VER="15.1"
+HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@@ -21,7 +21,7 @@
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
@@ -36,19 +36,23 @@
SLOT="0"
KEYWORDS="*"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
+ hpn? ( ssl )
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
- X509? ( !sctp !security-key ssl !xmss )
- xmss? ( || ( ssl libressl ) )
+ X509? ( !sctp ssl !xmss )
+ xmss? ( ssl )
test? ( ssl )
"
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
@@ -61,17 +65,14 @@
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
- !libressl? (
|| (
(
- >=dev-libs/openssl-1.0.1:0[bindist=]
- <dev-libs/openssl-1.1.0:0[bindist=]
+ >=dev-libs/openssl-1.0.1:0[bindist(-)=]
+ <dev-libs/openssl-1.1.0:0[bindist(-)=]
)
- >=dev-libs/openssl-1.1.0g:0[bindist=]
+ >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
)
dev-libs/openssl:0=[static-libs(+)]
- )
- libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
@@ -113,7 +114,7 @@
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
+ die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@@ -132,15 +133,12 @@
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
- # workaround for https://bugs.gentoo.org/734984
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
-
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
@@ -176,7 +174,7 @@
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+ einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
@@ -187,14 +185,14 @@
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
+ eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
+ use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+ use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
@@ -442,6 +440,9 @@
|| die "failed to remove scp"
fi
+ if [[ -d "${ED}"/var/empty ]]; then
+ rmdir "${ED}"/var/empty || die
+ fi
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'