
From: Quentin Retornaz <gentoo@××××××××.com>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/proj/libressl:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Sun, 03 Jul 2022 17:47:41
Message-Id: 1656870420.ed7be3a97e16371d731c736d36ba24a23e00bb33.quentin@gentoo
1 commit: ed7be3a97e16371d731c736d36ba24a23e00bb33
2 Author: orbea <orbea <AT> riseup <DOT> net>
3 AuthorDate: Sun Jul 3 02:50:51 2022 +0000
4 Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
5 CommitDate: Sun Jul 3 17:47:00 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=ed7be3a9
8 net-misc/openssh: Remove package
10 Works with libressl-3.5.x and openssh-8.9_p1-r2::gentoo.
12 Signed-off-by: orbea <orbea <AT> riseup.net>
13 Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
15 net-misc/openssh/Manifest | 15 -
16 .../openssh-6.7_p1-openssl-ignore-status.patch | 17 -
17 ...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 -
18 .../files/openssh-7.9_p1-include-stdlib.patch | 48 --
19 ...mget-shmat-shmdt-in-preauth-privsep-child.patch | 31 --
20 .../files/openssh-8.0_p1-fix-putty-tests.patch | 57 ---
21 .../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 -----
22 .../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 -
23 .../openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 ---------------
24 .../files/openssh-8.1_p1-X509-12.3-tests.patch | 11 -
25 .../files/openssh-8.1_p1-X509-glue-12.3.patch | 35 --
26 .../files/openssh-8.1_p1-hpn-14.20-glue.patch | 105 -----
27 .../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch | 19 -
28 .../openssh/files/openssh-8.1_p1-tests-2020.patch | 26 --
29 .../openssh/files/openssh-8.2_p1-GSSAPI-dns.patch | 359 ---------------
30 .../files/openssh-8.2_p1-X509-12.4.3-tests.patch | 11 -
31 .../files/openssh-8.2_p1-X509-glue-12.4.3.patch | 128 ------
32 .../files/openssh-8.2_p1-hpn-14.20-X509-glue.patch | 133 ------
33 .../files/openssh-8.2_p1-hpn-14.20-glue.patch | 151 ------
34 .../files/openssh-8.2_p1-hpn-14.20-libressl.patch | 20 -
35 .../files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch | 19 -
36 .../files/openssh-8.3_p1-X509-glue-12.5.1.patch | 35 --
37 .../files/openssh-8.3_p1-hpn-14.20-glue.patch | 177 -------
38 .../files/openssh-8.3_p1-sha2-include.patch | 13 -
39 .../files/openssh-8.4_p1-X509-glue-12.6.patch | 34 --
40 .../files/openssh-8.4_p1-fix-ssh-copy-id.patch | 30 --
41 .../files/openssh-8.4_p1-hpn-14.22-X509-glue.patch | 129 ------
42 .../files/openssh-8.4_p1-hpn-14.22-glue.patch | 94 ----
43 .../files/openssh-8.4_p1-hpn-14.22-libressl.patch | 20 -
44 .../files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch | 18 -
45 net-misc/openssh/files/sshd-r1.confd | 33 --
46 net-misc/openssh/files/sshd-r1.initd | 87 ----
47 net-misc/openssh/files/sshd.pam_include.2 | 4 -
48 net-misc/openssh/files/sshd.service | 11 -
49 net-misc/openssh/files/sshd.socket | 10 -
50 net-misc/openssh/files/sshd_at.service | 8 -
51 net-misc/openssh/metadata.xml | 37 --
52 net-misc/openssh/openssh-8.2_p1-r7.ebuild | 481 -------------------
53 net-misc/openssh/openssh-8.3_p1-r5.ebuild | 506 --------------------
54 net-misc/openssh/openssh-8.4_p1-r2.ebuild | 511 ---------------------
55 40 files changed, 3926 deletions(-)
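--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,15 +0,0 @@
-DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
-DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
-DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
-DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
-DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
-DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
-DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3
-DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
-DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
-DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
-DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
-DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
-DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
-DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
-DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb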
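--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)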
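--- a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
-
- tid="conch ciphers"
-
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- echo "conch interop tests not enabled"
- exit 0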
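--- a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/auth-options.c b/auth-options.c
-index b05d6d6f..d1f42f04 100644
---- a/auth-options.c
-+++ b/auth-options.c
-@@ -26,6 +26,7 @@
- #include <stdarg.h>
- #include <ctype.h>
- #include <limits.h>
-+#include <stdlib.h>
-
- #include "openbsd-compat/sys-queue.h"
-
-diff --git a/hmac.c b/hmac.c
-index 1c879640..a29f32c5 100644
---- a/hmac.c
-+++ b/hmac.c
-@@ -19,6 +19,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdlib.h>
-
- #include "sshbuf.h"
- #include "digest.h"
-diff --git a/krl.c b/krl.c
-index 8e2d5d5d..c32e147a 100644
---- a/krl.c
-+++ b/krl.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <time.h>
- #include <unistd.h>
-+#include <stdlib.h>
-
- #include "sshbuf.h"
- #include "ssherr.h"
-diff --git a/mac.c b/mac.c
-index 51dc11d7..3d11eba6 100644
---- a/mac.c
-+++ b/mac.c
-@@ -29,6 +29,7 @@
-
- #include <string.h>
- #include <stdio.h>
-+#include <stdlib.h>
-
- #include "digest.h"
- #include "hmac.h"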
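--- a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
-From: Lonnie Abelbeck <lonnie@××××××××.com>
-Date: Tue, 1 Oct 2019 09:05:09 -0500
-Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
-
-New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
-in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
----
- sandbox-seccomp-filter.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 840c5232b..39dc289e3 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_stat64
- SC_DENY(__NR_stat64, EACCES),
- #endif
-+#ifdef __NR_shmget
-+ SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+ SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+ SC_DENY(__NR_shmdt, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk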
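--- a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Make sure that host keys are already accepted before
-running tests.
-
-https://bugs.gentoo.org/493866
-
---- a/regress/putty-ciphers.sh
-+++ b/regress/putty-ciphers.sh
-@@ -10,11 +10,17 @@ fi
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
- verbose "$tid: cipher $c"
-+ rm -f ${COPY}
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/cipher_$c
- echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
-
-- rm -f ${COPY}
-+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
- cat ${DATA} > ${COPY}
- if [ $? -ne 0 ]; then
---- a/regress/putty-kex.sh
-+++ b/regress/putty-kex.sh
-@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
- ${OBJ}/.putty/sessions/kex_$k
- echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
-
-+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
- if [ $? -ne 0 ]; then
- fail "KEX $k failed"
---- a/regress/putty-transfer.sh
-+++ b/regress/putty-transfer.sh
-@@ -14,6 +14,13 @@ for c in 0 1 ; do
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/compression_$c
- echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-+
-+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load compression_$c -batch \
- -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
- if [ $? -ne 0 ]; then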
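--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800
-@@ -4,8 +4,8 @@
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
-- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -948,9 +948,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800
-@@ -382,7 +382,7 @@
- @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -391,8 +391,8 @@
- debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
- @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
-- peer[ncomp] = NULL;
-- goto out;
-+ else
-+ fatal("Pre-authentication none cipher requests are not allowed.");
- }
- + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
- + if (strcmp(newkeys->enc.name, "none") == 0) {
-@@ -1169,15 +1169,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+
-diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
---- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800
-+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -33,12 +33,12 @@
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+ if (win_size > 36) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);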
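--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- if (version_addendum != NULL && *version_addendum == '\0')
- version_addendum = NULL;
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- version_addendum == NULL ? "" : " ",
- version_addendum == NULL ? "" : version_addendum)) != 0) {
- error("%s: sshbuf_putf: %s", __func__, ssh_err(r));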
425 diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
426 deleted file mode 100644
427 index 6aba6f2..0000000
428 --- a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
429 +++ /dev/null
430 @@ -1,359 +0,0 @@
431 -diff --git a/auth.c b/auth.c
432 -index ca450f4e..2994a4e4 100644
433 ---- a/auth.c
434 -+++ b/auth.c
435 -@@ -723,120 +723,6 @@ fakepw(void)
436 - return (&fake);
437 - }
438 -
439 --/*
440 -- * Returns the remote DNS hostname as a string. The returned string must not
441 -- * be freed. NB. this will usually trigger a DNS query the first time it is
442 -- * called.
443 -- * This function does additional checks on the hostname to mitigate some
444 -- * attacks on legacy rhosts-style authentication.
445 -- * XXX is RhostsRSAAuthentication vulnerable to these?
446 -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
447 -- */
448 --
449 --static char *
450 --remote_hostname(struct ssh *ssh)
451 --{
452 -- struct sockaddr_storage from;
453 -- socklen_t fromlen;
454 -- struct addrinfo hints, *ai, *aitop;
455 -- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
456 -- const char *ntop = ssh_remote_ipaddr(ssh);
457 --
458 -- /* Get IP address of client. */
459 -- fromlen = sizeof(from);
460 -- memset(&from, 0, sizeof(from));
461 -- if (getpeername(ssh_packet_get_connection_in(ssh),
462 -- (struct sockaddr *)&from, &fromlen) == -1) {
463 -- debug("getpeername failed: %.100s", strerror(errno));
464 -- return strdup(ntop);
465 -- }
466 --
467 -- ipv64_normalise_mapped(&from, &fromlen);
468 -- if (from.ss_family == AF_INET6)
469 -- fromlen = sizeof(struct sockaddr_in6);
470 --
471 -- debug3("Trying to reverse map address %.100s.", ntop);
472 -- /* Map the IP address to a host name. */
473 -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
474 -- NULL, 0, NI_NAMEREQD) != 0) {
475 -- /* Host name not found. Use ip address. */
476 -- return strdup(ntop);
477 -- }
478 --
479 -- /*
480 -- * if reverse lookup result looks like a numeric hostname,
481 -- * someone is trying to trick us by PTR record like following:
482 -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
483 -- */
484 -- memset(&hints, 0, sizeof(hints));
485 -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
486 -- hints.ai_flags = AI_NUMERICHOST;
487 -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
488 -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
489 -- name, ntop);
490 -- freeaddrinfo(ai);
491 -- return strdup(ntop);
492 -- }
493 --
494 -- /* Names are stored in lowercase. */
495 -- lowercase(name);
496 --
497 -- /*
498 -- * Map it back to an IP address and check that the given
499 -- * address actually is an address of this host. This is
500 -- * necessary because anyone with access to a name server can
501 -- * define arbitrary names for an IP address. Mapping from
502 -- * name to IP address can be trusted better (but can still be
503 -- * fooled if the intruder has access to the name server of
504 -- * the domain).
505 -- */
506 -- memset(&hints, 0, sizeof(hints));
507 -- hints.ai_family = from.ss_family;
508 -- hints.ai_socktype = SOCK_STREAM;
509 -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
510 -- logit("reverse mapping checking getaddrinfo for %.700s "
511 -- "[%s] failed.", name, ntop);
512 -- return strdup(ntop);
513 -- }
514 -- /* Look for the address from the list of addresses. */
515 -- for (ai = aitop; ai; ai = ai->ai_next) {
516 -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
517 -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
518 -- (strcmp(ntop, ntop2) == 0))
519 -- break;
520 -- }
521 -- freeaddrinfo(aitop);
522 -- /* If we reached the end of the list, the address was not there. */
523 -- if (ai == NULL) {
524 -- /* Address not found for the host name. */
525 -- logit("Address %.100s maps to %.600s, but this does not "
526 -- "map back to the address.", ntop, name);
527 -- return strdup(ntop);
528 -- }
529 -- return strdup(name);
530 --}
531 --
532 --/*
533 -- * Return the canonical name of the host in the other side of the current
534 -- * connection. The host name is cached, so it is efficient to call this
535 -- * several times.
536 -- */
537 --
538 --const char *
539 --auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
540 --{
541 -- static char *dnsname;
542 --
543 -- if (!use_dns)
544 -- return ssh_remote_ipaddr(ssh);
545 -- else if (dnsname != NULL)
546 -- return dnsname;
547 -- else {
548 -- dnsname = remote_hostname(ssh);
549 -- return dnsname;
550 -- }
551 --}
552 --
553 - /*
554 - * Runs command in a subprocess with a minimal environment.
555 - * Returns pid on success, 0 on failure.
556 -diff --git a/canohost.c b/canohost.c
557 -index abea9c6e..4f4524d2 100644
558 ---- a/canohost.c
559 -+++ b/canohost.c
560 -@@ -202,3 +202,117 @@ get_local_port(int sock)
561 - {
562 - return get_sock_port(sock, 1);
563 - }
564 -+
565 -+/*
566 -+ * Returns the remote DNS hostname as a string. The returned string must not
567 -+ * be freed. NB. this will usually trigger a DNS query the first time it is
568 -+ * called.
569 -+ * This function does additional checks on the hostname to mitigate some
570 -+ * attacks on legacy rhosts-style authentication.
571 -+ * XXX is RhostsRSAAuthentication vulnerable to these?
572 -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
573 -+ */
574 -+
575 -+static char *
576 -+remote_hostname(struct ssh *ssh)
577 -+{
578 -+ struct sockaddr_storage from;
579 -+ socklen_t fromlen;
580 -+ struct addrinfo hints, *ai, *aitop;
581 -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
582 -+ const char *ntop = ssh_remote_ipaddr(ssh);
583 -+
584 -+ /* Get IP address of client. */
585 -+ fromlen = sizeof(from);
586 -+ memset(&from, 0, sizeof(from));
587 -+ if (getpeername(ssh_packet_get_connection_in(ssh),
588 -+ (struct sockaddr *)&from, &fromlen) < 0) {
589 -+ debug("getpeername failed: %.100s", strerror(errno));
590 -+ return strdup(ntop);
591 -+ }
592 -+
593 -+ ipv64_normalise_mapped(&from, &fromlen);
594 -+ if (from.ss_family == AF_INET6)
595 -+ fromlen = sizeof(struct sockaddr_in6);
596 -+
597 -+ debug3("Trying to reverse map address %.100s.", ntop);
598 -+ /* Map the IP address to a host name. */
599 -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
600 -+ NULL, 0, NI_NAMEREQD) != 0) {
601 -+ /* Host name not found. Use ip address. */
602 -+ return strdup(ntop);
603 -+ }
604 -+
605 -+ /*
606 -+ * if reverse lookup result looks like a numeric hostname,
607 -+ * someone is trying to trick us by PTR record like following:
608 -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
609 -+ */
610 -+ memset(&hints, 0, sizeof(hints));
611 -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
612 -+ hints.ai_flags = AI_NUMERICHOST;
613 -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
614 -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
615 -+ name, ntop);
616 -+ freeaddrinfo(ai);
617 -+ return strdup(ntop);
618 -+ }
619 -+
620 -+ /* Names are stored in lowercase. */
621 -+ lowercase(name);
622 -+
623 -+ /*
624 -+ * Map it back to an IP address and check that the given
625 -+ * address actually is an address of this host. This is
626 -+ * necessary because anyone with access to a name server can
627 -+ * define arbitrary names for an IP address. Mapping from
628 -+ * name to IP address can be trusted better (but can still be
629 -+ * fooled if the intruder has access to the name server of
630 -+ * the domain).
631 -+ */
632 -+ memset(&hints, 0, sizeof(hints));
633 -+ hints.ai_family = from.ss_family;
634 -+ hints.ai_socktype = SOCK_STREAM;
635 -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
636 -+ logit("reverse mapping checking getaddrinfo for %.700s "
637 -+ "[%s] failed.", name, ntop);
638 -+ return strdup(ntop);
639 -+ }
640 -+ /* Look for the address from the list of addresses. */
641 -+ for (ai = aitop; ai; ai = ai->ai_next) {
642 -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
643 -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
644 -+ (strcmp(ntop, ntop2) == 0))
645 -+ break;
646 -+ }
647 -+ freeaddrinfo(aitop);
648 -+ /* If we reached the end of the list, the address was not there. */
649 -+ if (ai == NULL) {
650 -+ /* Address not found for the host name. */
651 -+ logit("Address %.100s maps to %.600s, but this does not "
652 -+ "map back to the address.", ntop, name);
653 -+ return strdup(ntop);
654 -+ }
655 -+ return strdup(name);
656 -+}
657 -+
658 -+/*
659 -+ * Return the canonical name of the host in the other side of the current
660 -+ * connection. The host name is cached, so it is efficient to call this
661 -+ * several times.
662 -+ */
663 -+
664 -+const char *
665 -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
666 -+{
667 -+ static char *dnsname;
668 -+
669 -+ if (!use_dns)
670 -+ return ssh_remote_ipaddr(ssh);
671 -+ else if (dnsname != NULL)
672 -+ return dnsname;
673 -+ else {
674 -+ dnsname = remote_hostname(ssh);
675 -+ return dnsname;
676 -+ }
677 -+}
678 -diff --git a/readconf.c b/readconf.c
679 -index f78b4d6f..747287f7 100644
680 ---- a/readconf.c
681 -+++ b/readconf.c
682 -@@ -162,6 +162,7 @@ typedef enum {
683 - oClearAllForwardings, oNoHostAuthenticationForLocalhost,
684 - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
685 - oAddressFamily, oGssAuthentication, oGssDelegateCreds,
686 -+ oGssTrustDns,
687 - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
688 - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
689 - oHashKnownHosts,
690 -@@ -203,9 +204,11 @@ static struct {
691 - #if defined(GSSAPI)
692 - { "gssapiauthentication", oGssAuthentication },
693 - { "gssapidelegatecredentials", oGssDelegateCreds },
694 -+ { "gssapitrustdns", oGssTrustDns },
695 - # else
696 - { "gssapiauthentication", oUnsupported },
697 - { "gssapidelegatecredentials", oUnsupported },
698 -+ { "gssapitrustdns", oUnsupported },
699 - #endif
700 - #ifdef ENABLE_PKCS11
701 - { "pkcs11provider", oPKCS11Provider },
702 -@@ -992,6 +995,10 @@ parse_time:
703 - intptr = &options->gss_deleg_creds;
704 - goto parse_flag;
705 -
706 -+ case oGssTrustDns:
707 -+ intptr = &options->gss_trust_dns;
708 -+ goto parse_flag;
709 -+
710 - case oBatchMode:
711 - intptr = &options->batch_mode;
712 - goto parse_flag;
713 -@@ -1864,6 +1871,7 @@ initialize_options(Options * options)
714 - options->challenge_response_authentication = -1;
715 - options->gss_authentication = -1;
716 - options->gss_deleg_creds = -1;
717 -+ options->gss_trust_dns = -1;
718 - options->password_authentication = -1;
719 - options->kbd_interactive_authentication = -1;
720 - options->kbd_interactive_devices = NULL;
721 -@@ -2011,6 +2019,8 @@ fill_default_options(Options * options)
722 - options->gss_authentication = 0;
723 - if (options->gss_deleg_creds == -1)
724 - options->gss_deleg_creds = 0;
725 -+ if (options->gss_trust_dns == -1)
726 -+ options->gss_trust_dns = 0;
727 - if (options->password_authentication == -1)
728 - options->password_authentication = 1;
729 - if (options->kbd_interactive_authentication == -1)
730 -diff --git a/readconf.h b/readconf.h
731 -index 8e36bf32..c9e4718d 100644
732 ---- a/readconf.h
733 -+++ b/readconf.h
734 -@@ -41,6 +41,7 @@ typedef struct {
735 - /* Try S/Key or TIS, authentication. */
736 - int gss_authentication; /* Try GSS authentication */
737 - int gss_deleg_creds; /* Delegate GSS credentials */
738 -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
739 - int password_authentication; /* Try password
740 - * authentication. */
741 - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
742 -diff --git a/ssh_config.5 b/ssh_config.5
743 -index 02a87892..95de538b 100644
744 ---- a/ssh_config.5
745 -+++ b/ssh_config.5
746 -@@ -762,6 +762,16 @@ The default is
747 - Forward (delegate) credentials to the server.
748 - The default is
749 - .Cm no .
750 -+Note that this option applies to protocol version 2 connections using GSSAPI.
751 -+.It Cm GSSAPITrustDns
752 -+Set to
753 -+.Dq yes to indicate that the DNS is trusted to securely canonicalize
754 -+the name of the host being connected to. If
755 -+.Dq no, the hostname entered on the
756 -+command line will be passed untouched to the GSSAPI library.
757 -+The default is
758 -+.Dq no .
759 -+This option only applies to protocol version 2 connections using GSSAPI.
760 - .It Cm HashKnownHosts
761 - Indicates that
762 - .Xr ssh 1
763 -diff --git a/sshconnect2.c b/sshconnect2.c
764 -index 87fa70a4..a6ffdc96 100644
765 ---- a/sshconnect2.c
766 -+++ b/sshconnect2.c
767 -@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh)
768 - OM_uint32 min;
769 - int r, ok = 0;
770 - gss_OID mech = NULL;
771 -+ const char *gss_host;
772 -+
773 -+ if (options.gss_trust_dns) {
774 -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
775 -+ gss_host = auth_get_canonical_hostname(ssh, 1);
776 -+ } else
777 -+ gss_host = authctxt->host;
778 -
779 - /* Try one GSSAPI method at a time, rather than sending them all at
780 - * once. */
781 -@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh)
782 - elements[authctxt->mech_tried];
783 - /* My DER encoding requires length<128 */
784 - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
785 -- mech, authctxt->host)) {
786 -+ mech, gss_host)) {
787 - ok = 1; /* Mechanism works */
788 - } else {
789 - authctxt->mech_tried++;
790
791 diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
792 deleted file mode 100644
793 index 67a93fe..0000000
794 --- a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
795 +++ /dev/null
796 @@ -1,11 +0,0 @@
797 ---- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700
798 -+++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700
799 -@@ -7,7 +7,7 @@
800 - CC=@CC@
801 - LD=@LD@
802 - CFLAGS=@CFLAGS@
803 --CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
804 -+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
805 - EXEEXT=@EXEEXT@
806 - LIBCOMPAT=../libopenbsd-compat.a
807 - LIBS=@LIBS@
808
809 diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
810 deleted file mode 100644
811 index 48cce79..0000000
812 --- a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
813 +++ /dev/null
814 @@ -1,35 +0,0 @@
815 -Only in b: .openssh-8.1p1+x509-12.3.diff.un~
816 -diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
817 ---- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
818 -+++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
819 -@@ -35343,12 +35343,11 @@
820 -
821 - install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
822 - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
823 --@@ -339,6 +360,8 @@
824 -+@@ -339,6 +360,7 @@
825 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
826 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
827 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
828 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
829 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
830 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
831 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
832 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
833 -@@ -83536,16 +83535,6 @@
834 - + return mbtowc(NULL, s, n);
835 - +}
836 - +#endif
837 --diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
838 ----- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
839 --+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
840 --@@ -2,5 +2,4 @@
841 --
842 -- #define SSH_VERSION "OpenSSH_8.1"
843 --
844 ---#define SSH_PORTABLE "p1"
845 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
846 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
847 - diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
848 - --- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
849 - +++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300
850
851 diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
852 deleted file mode 100644
853 index 90fa248..0000000
854 --- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
855 +++ /dev/null
856 @@ -1,105 +0,0 @@
857 -diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
858 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
859 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
860 -@@ -409,18 +409,10 @@
861 - index 817da43b..b2bcf78f 100644
862 - --- a/packet.c
863 - +++ b/packet.c
864 --@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
865 -+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
866 - return 0;
867 - }
868 -
869 --+/* this supports the forced rekeying required for the NONE cipher */
870 --+int rekey_requested = 0;
871 --+void
872 --+packet_request_rekeying(void)
873 --+{
874 --+ rekey_requested = 1;
875 --+}
876 --+
877 - +/* used to determine if pre or post auth when rekeying for aes-ctr
878 - + * and none cipher switch */
879 - +int
880 -@@ -434,20 +426,6 @@
881 - #define MAX_PACKETS (1U<<31)
882 - static int
883 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
884 --@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
885 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
886 -- return 0;
887 --
888 --+ /* used to force rekeying when called for by the none
889 --+ * cipher switch methods -cjr */
890 --+ if (rekey_requested == 1) {
891 --+ rekey_requested = 0;
892 --+ return 1;
893 --+ }
894 --+
895 -- /* Time-based rekeying */
896 -- if (state->rekey_interval != 0 &&
897 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
898 - diff --git a/packet.h b/packet.h
899 - index 8ccfd2e0..1ad9bc06 100644
900 - --- a/packet.h
901 -@@ -476,9 +454,9 @@
902 - /* Format of the configuration file:
903 -
904 - @@ -167,6 +168,8 @@ typedef enum {
905 -- oHashKnownHosts,
906 - oTunnel, oTunnelDevice,
907 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
908 -+ oDisableMTAES,
909 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
910 - + oNoneEnabled, oNoneSwitch,
911 - oVisualHostKey,
912 -@@ -615,9 +593,9 @@
913 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
914 - SyslogFacility log_facility; /* Facility for system logging. */
915 - @@ -112,7 +116,10 @@ typedef struct {
916 --
917 - int enable_ssh_keysign;
918 - int64_t rekey_limit;
919 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
920 - + int none_switch; /* Use none cipher */
921 - + int none_enabled; /* Allow none to be used */
922 - int rekey_interval;
923 -@@ -700,9 +678,9 @@
924 - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
925 - + }
926 - +
927 -+ if (options->disable_multithreaded == -1)
928 -+ options->disable_multithreaded = 0;
929 - if (options->ip_qos_interactive == -1)
930 -- options->ip_qos_interactive = IPTOS_DSCP_AF21;
931 -- if (options->ip_qos_bulk == -1)
932 - @@ -486,6 +532,8 @@ typedef enum {
933 - sPasswordAuthentication, sKbdInteractiveAuthentication,
934 - sListenAddress, sAddressFamily,
935 -@@ -1079,11 +1057,11 @@
936 - xxx_host = host;
937 - xxx_hostaddr = hostaddr;
938 -
939 --@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
940 -+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
941 -
942 - if (!authctxt.success)
943 - fatal("Authentication failed.");
944 --+
945 -+
946 - + /*
947 - + * If the user wants to use the none cipher, do it post authentication
948 - + * and only if the right conditions are met -- both of the NONE commands
949 -@@ -1105,9 +1083,9 @@
950 - + }
951 - + }
952 - +
953 -- debug("Authentication succeeded (%s).", authctxt.method->name);
954 -- }
955 --
956 -+ #ifdef WITH_OPENSSL
957 -+ if (options.disable_multithreaded == 0) {
958 -+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
959 - diff --git a/sshd.c b/sshd.c
960 - index 11571c01..23a06022 100644
961 - --- a/sshd.c
962
963 diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
964 deleted file mode 100644
965 index 3f5c7a4..0000000
966 --- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
967 +++ /dev/null
968 @@ -1,19 +0,0 @@
969 -diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
970 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
971 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
972 -@@ -1191,15 +1191,3 @@
973 - # Example of overriding settings on a per-user basis
974 - #Match User anoncvs
975 - # X11Forwarding no
976 --diff --git a/version.h b/version.h
977 --index 6b3fadf8..ec1d2e27 100644
978 ----- a/version.h
979 --+++ b/version.h
980 --@@ -3,4 +3,6 @@
981 -- #define SSH_VERSION "OpenSSH_8.1"
982 --
983 -- #define SSH_PORTABLE "p1"
984 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
985 --+#define SSH_HPN "-hpn14v20"
986 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
987 --+
988
989 diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
990 deleted file mode 100644
991 index 505e34d..0000000
992 --- a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
993 +++ /dev/null
994 @@ -1,26 +0,0 @@
995 -diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
996 -index 86ea6250..844adabc 100644
997 ---- a/regress/cert-hostkey.sh
998 -+++ b/regress/cert-hostkey.sh
999 -@@ -252,7 +252,7 @@ test_one() {
1000 - test_one "user-certificate" failure "-n $HOSTS"
1001 - test_one "empty principals" success "-h"
1002 - test_one "wrong principals" failure "-h -n foo"
1003 --test_one "cert not yet valid" failure "-h -V20200101:20300101"
1004 -+test_one "cert not yet valid" failure "-h -V20300101:20320101"
1005 - test_one "cert expired" failure "-h -V19800101:19900101"
1006 - test_one "cert valid interval" success "-h -V-1w:+2w"
1007 - test_one "cert has constraints" failure "-h -Oforce-command=false"
1008 -diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
1009 -index 38c14a69..5cd02fc3 100644
1010 ---- a/regress/cert-userkey.sh
1011 -+++ b/regress/cert-userkey.sh
1012 -@@ -338,7 +338,7 @@ test_one() {
1013 - test_one "correct principal" success "-n ${USER}"
1014 - test_one "host-certificate" failure "-n ${USER} -h"
1015 - test_one "wrong principals" failure "-n foo"
1016 --test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
1017 -+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
1018 - test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
1019 - test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
1020 - test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
1021
1022 diff --git a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
1023 deleted file mode 100644
1024 index d4db77b..0000000
1025 --- a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
1026 +++ /dev/null
1027 @@ -1,359 +0,0 @@
1028 -diff --git a/auth.c b/auth.c
1029 -index 086b8ebb..a267353c 100644
1030 ---- a/auth.c
1031 -+++ b/auth.c
1032 -@@ -724,120 +724,6 @@ fakepw(void)
1033 - return (&fake);
1034 - }
1035 -
1036 --/*
1037 -- * Returns the remote DNS hostname as a string. The returned string must not
1038 -- * be freed. NB. this will usually trigger a DNS query the first time it is
1039 -- * called.
1040 -- * This function does additional checks on the hostname to mitigate some
1041 -- * attacks on legacy rhosts-style authentication.
1042 -- * XXX is RhostsRSAAuthentication vulnerable to these?
1043 -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
1044 -- */
1045 --
1046 --static char *
1047 --remote_hostname(struct ssh *ssh)
1048 --{
1049 -- struct sockaddr_storage from;
1050 -- socklen_t fromlen;
1051 -- struct addrinfo hints, *ai, *aitop;
1052 -- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
1053 -- const char *ntop = ssh_remote_ipaddr(ssh);
1054 --
1055 -- /* Get IP address of client. */
1056 -- fromlen = sizeof(from);
1057 -- memset(&from, 0, sizeof(from));
1058 -- if (getpeername(ssh_packet_get_connection_in(ssh),
1059 -- (struct sockaddr *)&from, &fromlen) == -1) {
1060 -- debug("getpeername failed: %.100s", strerror(errno));
1061 -- return xstrdup(ntop);
1062 -- }
1063 --
1064 -- ipv64_normalise_mapped(&from, &fromlen);
1065 -- if (from.ss_family == AF_INET6)
1066 -- fromlen = sizeof(struct sockaddr_in6);
1067 --
1068 -- debug3("Trying to reverse map address %.100s.", ntop);
1069 -- /* Map the IP address to a host name. */
1070 -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
1071 -- NULL, 0, NI_NAMEREQD) != 0) {
1072 -- /* Host name not found. Use ip address. */
1073 -- return xstrdup(ntop);
1074 -- }
1075 --
1076 -- /*
1077 -- * if reverse lookup result looks like a numeric hostname,
1078 -- * someone is trying to trick us by PTR record like following:
1079 -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
1080 -- */
1081 -- memset(&hints, 0, sizeof(hints));
1082 -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1083 -- hints.ai_flags = AI_NUMERICHOST;
1084 -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
1085 -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
1086 -- name, ntop);
1087 -- freeaddrinfo(ai);
1088 -- return xstrdup(ntop);
1089 -- }
1090 --
1091 -- /* Names are stored in lowercase. */
1092 -- lowercase(name);
1093 --
1094 -- /*
1095 -- * Map it back to an IP address and check that the given
1096 -- * address actually is an address of this host. This is
1097 -- * necessary because anyone with access to a name server can
1098 -- * define arbitrary names for an IP address. Mapping from
1099 -- * name to IP address can be trusted better (but can still be
1100 -- * fooled if the intruder has access to the name server of
1101 -- * the domain).
1102 -- */
1103 -- memset(&hints, 0, sizeof(hints));
1104 -- hints.ai_family = from.ss_family;
1105 -- hints.ai_socktype = SOCK_STREAM;
1106 -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
1107 -- logit("reverse mapping checking getaddrinfo for %.700s "
1108 -- "[%s] failed.", name, ntop);
1109 -- return xstrdup(ntop);
1110 -- }
1111 -- /* Look for the address from the list of addresses. */
1112 -- for (ai = aitop; ai; ai = ai->ai_next) {
1113 -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
1114 -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
1115 -- (strcmp(ntop, ntop2) == 0))
1116 -- break;
1117 -- }
1118 -- freeaddrinfo(aitop);
1119 -- /* If we reached the end of the list, the address was not there. */
1120 -- if (ai == NULL) {
1121 -- /* Address not found for the host name. */
1122 -- logit("Address %.100s maps to %.600s, but this does not "
1123 -- "map back to the address.", ntop, name);
1124 -- return xstrdup(ntop);
1125 -- }
1126 -- return xstrdup(name);
1127 --}
1128 --
1129 --/*
1130 -- * Return the canonical name of the host in the other side of the current
1131 -- * connection. The host name is cached, so it is efficient to call this
1132 -- * several times.
1133 -- */
1134 --
1135 --const char *
1136 --auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
1137 --{
1138 -- static char *dnsname;
1139 --
1140 -- if (!use_dns)
1141 -- return ssh_remote_ipaddr(ssh);
1142 -- else if (dnsname != NULL)
1143 -- return dnsname;
1144 -- else {
1145 -- dnsname = remote_hostname(ssh);
1146 -- return dnsname;
1147 -- }
1148 --}
1149 --
1150 - /*
1151 - * Runs command in a subprocess with a minimal environment.
1152 - * Returns pid on success, 0 on failure.
1153 -diff --git a/canohost.c b/canohost.c
1154 -index abea9c6e..4f4524d2 100644
1155 ---- a/canohost.c
1156 -+++ b/canohost.c
1157 -@@ -202,3 +202,117 @@ get_local_port(int sock)
1158 - {
1159 - return get_sock_port(sock, 1);
1160 - }
1161 -+
1162 -+/*
1163 -+ * Returns the remote DNS hostname as a string. The returned string must not
1164 -+ * be freed. NB. this will usually trigger a DNS query the first time it is
1165 -+ * called.
1166 -+ * This function does additional checks on the hostname to mitigate some
1167 -+ * attacks on legacy rhosts-style authentication.
1168 -+ * XXX is RhostsRSAAuthentication vulnerable to these?
1169 -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
1170 -+ */
1171 -+
1172 -+static char *
1173 -+remote_hostname(struct ssh *ssh)
1174 -+{
1175 -+ struct sockaddr_storage from;
1176 -+ socklen_t fromlen;
1177 -+ struct addrinfo hints, *ai, *aitop;
1178 -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
1179 -+ const char *ntop = ssh_remote_ipaddr(ssh);
1180 -+
1181 -+ /* Get IP address of client. */
1182 -+ fromlen = sizeof(from);
1183 -+ memset(&from, 0, sizeof(from));
1184 -+ if (getpeername(ssh_packet_get_connection_in(ssh),
1185 -+ (struct sockaddr *)&from, &fromlen) < 0) {
1186 -+ debug("getpeername failed: %.100s", strerror(errno));
1187 -+ return strdup(ntop);
1188 -+ }
1189 -+
1190 -+ ipv64_normalise_mapped(&from, &fromlen);
1191 -+ if (from.ss_family == AF_INET6)
1192 -+ fromlen = sizeof(struct sockaddr_in6);
1193 -+
1194 -+ debug3("Trying to reverse map address %.100s.", ntop);
1195 -+ /* Map the IP address to a host name. */
1196 -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
1197 -+ NULL, 0, NI_NAMEREQD) != 0) {
1198 -+ /* Host name not found. Use ip address. */
1199 -+ return strdup(ntop);
1200 -+ }
1201 -+
1202 -+ /*
1203 -+ * if reverse lookup result looks like a numeric hostname,
1204 -+ * someone is trying to trick us by PTR record like following:
1205 -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
1206 -+ */
1207 -+ memset(&hints, 0, sizeof(hints));
1208 -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1209 -+ hints.ai_flags = AI_NUMERICHOST;
1210 -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
1211 -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
1212 -+ name, ntop);
1213 -+ freeaddrinfo(ai);
1214 -+ return strdup(ntop);
1215 -+ }
1216 -+
1217 -+ /* Names are stored in lowercase. */
1218 -+ lowercase(name);
1219 -+
1220 -+ /*
1221 -+ * Map it back to an IP address and check that the given
1222 -+ * address actually is an address of this host. This is
1223 -+ * necessary because anyone with access to a name server can
1224 -+ * define arbitrary names for an IP address. Mapping from
1225 -+ * name to IP address can be trusted better (but can still be
1226 -+ * fooled if the intruder has access to the name server of
1227 -+ * the domain).
1228 -+ */
1229 -+ memset(&hints, 0, sizeof(hints));
1230 -+ hints.ai_family = from.ss_family;
1231 -+ hints.ai_socktype = SOCK_STREAM;
1232 -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
1233 -+ logit("reverse mapping checking getaddrinfo for %.700s "
1234 -+ "[%s] failed.", name, ntop);
1235 -+ return strdup(ntop);
1236 -+ }
1237 -+ /* Look for the address from the list of addresses. */
1238 -+ for (ai = aitop; ai; ai = ai->ai_next) {
1239 -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
1240 -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
1241 -+ (strcmp(ntop, ntop2) == 0))
1242 -+ break;
1243 -+ }
1244 -+ freeaddrinfo(aitop);
1245 -+ /* If we reached the end of the list, the address was not there. */
1246 -+ if (ai == NULL) {
1247 -+ /* Address not found for the host name. */
1248 -+ logit("Address %.100s maps to %.600s, but this does not "
1249 -+ "map back to the address.", ntop, name);
1250 -+ return strdup(ntop);
1251 -+ }
1252 -+ return strdup(name);
1253 -+}
1254 -+
1255 -+/*
1256 -+ * Return the canonical name of the host in the other side of the current
1257 -+ * connection. The host name is cached, so it is efficient to call this
1258 -+ * several times.
1259 -+ */
1260 -+
1261 -+const char *
1262 -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
1263 -+{
1264 -+ static char *dnsname;
1265 -+
1266 -+ if (!use_dns)
1267 -+ return ssh_remote_ipaddr(ssh);
1268 -+ else if (dnsname != NULL)
1269 -+ return dnsname;
1270 -+ else {
1271 -+ dnsname = remote_hostname(ssh);
1272 -+ return dnsname;
1273 -+ }
1274 -+}
1275 -diff --git a/readconf.c b/readconf.c
1276 -index f3cac6b3..adfd7a4e 100644
1277 ---- a/readconf.c
1278 -+++ b/readconf.c
1279 -@@ -160,6 +160,7 @@ typedef enum {
1280 - oClearAllForwardings, oNoHostAuthenticationForLocalhost,
1281 - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
1282 - oAddressFamily, oGssAuthentication, oGssDelegateCreds,
1283 -+ oGssTrustDns,
1284 - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
1285 - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
1286 - oHashKnownHosts,
1287 -@@ -205,9 +206,11 @@ static struct {
1288 - #if defined(GSSAPI)
1289 - { "gssapiauthentication", oGssAuthentication },
1290 - { "gssapidelegatecredentials", oGssDelegateCreds },
1291 -+ { "gssapitrustdns", oGssTrustDns },
1292 - # else
1293 - { "gssapiauthentication", oUnsupported },
1294 - { "gssapidelegatecredentials", oUnsupported },
1295 -+ { "gssapitrustdns", oUnsupported },
1296 - #endif
1297 - #ifdef ENABLE_PKCS11
1298 - { "pkcs11provider", oPKCS11Provider },
1299 -@@ -1033,6 +1036,10 @@ parse_time:
1300 - intptr = &options->gss_deleg_creds;
1301 - goto parse_flag;
1302 -
1303 -+ case oGssTrustDns:
1304 -+ intptr = &options->gss_trust_dns;
1305 -+ goto parse_flag;
1306 -+
1307 - case oBatchMode:
1308 - intptr = &options->batch_mode;
1309 - goto parse_flag;
1310 -@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
1311 - options->challenge_response_authentication = -1;
1312 - options->gss_authentication = -1;
1313 - options->gss_deleg_creds = -1;
1314 -+ options->gss_trust_dns = -1;
1315 - options->password_authentication = -1;
1316 - options->kbd_interactive_authentication = -1;
1317 - options->kbd_interactive_devices = NULL;
1318 -@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
1319 - options->gss_authentication = 0;
1320 - if (options->gss_deleg_creds == -1)
1321 - options->gss_deleg_creds = 0;
1322 -+ if (options->gss_trust_dns == -1)
1323 -+ options->gss_trust_dns = 0;
1324 - if (options->password_authentication == -1)
1325 - options->password_authentication = 1;
1326 - if (options->kbd_interactive_authentication == -1)
1327 -diff --git a/readconf.h b/readconf.h
1328 -index feedb3d2..c7139c1b 100644
1329 ---- a/readconf.h
1330 -+++ b/readconf.h
1331 -@@ -42,6 +42,7 @@ typedef struct {
1332 - /* Try S/Key or TIS, authentication. */
1333 - int gss_authentication; /* Try GSS authentication */
1334 - int gss_deleg_creds; /* Delegate GSS credentials */
1335 -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
1336 - int password_authentication; /* Try password
1337 - * authentication. */
1338 - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
1339 -diff --git a/ssh_config.5 b/ssh_config.5
1340 -index 06a32d31..6871ff36 100644
1341 ---- a/ssh_config.5
1342 -+++ b/ssh_config.5
1343 -@@ -770,6 +770,16 @@ The default is
1344 - Forward (delegate) credentials to the server.
1345 - The default is
1346 - .Cm no .
1347 -+Note that this option applies to protocol version 2 connections using GSSAPI.
1348 -+.It Cm GSSAPITrustDns
1349 -+Set to
1350 -+.Dq yes to indicate that the DNS is trusted to securely canonicalize
1351 -+the name of the host being connected to. If
1352 -+.Dq no, the hostname entered on the
1353 -+command line will be passed untouched to the GSSAPI library.
1354 -+The default is
1355 -+.Dq no .
1356 -+This option only applies to protocol version 2 connections using GSSAPI.
1357 - .It Cm HashKnownHosts
1358 - Indicates that
1359 - .Xr ssh 1
1360 -diff --git a/sshconnect2.c b/sshconnect2.c
1361 -index af00fb30..652463c5 100644
1362 ---- a/sshconnect2.c
1363 -+++ b/sshconnect2.c
1364 -@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
1365 - OM_uint32 min;
1366 - int r, ok = 0;
1367 - gss_OID mech = NULL;
1368 -+ const char *gss_host;
1369 -+
1370 -+ if (options.gss_trust_dns) {
1371 -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
1372 -+ gss_host = auth_get_canonical_hostname(ssh, 1);
1373 -+ } else
1374 -+ gss_host = authctxt->host;
1375 -
1376 - /* Try one GSSAPI method at a time, rather than sending them all at
1377 - * once. */
1378 -@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
1379 - elements[authctxt->mech_tried];
1380 - /* My DER encoding requires length<128 */
1381 - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
1382 -- mech, authctxt->host)) {
1383 -+ mech, gss_host)) {
1384 - ok = 1; /* Mechanism works */
1385 - } else {
1386 - authctxt->mech_tried++;
1387
1388 diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
1389 deleted file mode 100644
1390 index 1c58d0d..0000000
1391 --- a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
1392 +++ /dev/null
1393 @@ -1,11 +0,0 @@
1394 ---- a/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:01.210601434 -0700
1395 -+++ b/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:18.753485852 -0700
1396 -@@ -7,7 +7,7 @@
1397 - CC=@CC@
1398 - LD=@LD@
1399 - CFLAGS=@CFLAGS@
1400 --CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
1401 -+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
1402 - EXEEXT=@EXEEXT@
1403 - LIBCOMPAT=../libopenbsd-compat.a
1404 - LIBS=@LIBS@
1405
1406 diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
1407 deleted file mode 100644
1408 index e73c499..0000000
1409 --- a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
1410 +++ /dev/null
1411 @@ -1,128 +0,0 @@
1412 ---- a/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:15:05.939809371 -0700
1413 -+++ b/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:23:15.424752355 -0700
1414 -@@ -39298,16 +39298,15 @@
1415 -
1416 - install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
1417 - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
1418 --@@ -378,6 +379,8 @@
1419 -+@@ -378,6 +379,7 @@
1420 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
1421 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
1422 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
1423 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
1424 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
1425 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
1426 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
1427 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
1428 --@@ -386,11 +389,14 @@
1429 -+@@ -386,11 +388,14 @@
1430 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
1431 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
1432 - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
1433 -@@ -39326,7 +39325,7 @@
1434 - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
1435 - $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
1436 - $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
1437 --@@ -400,12 +406,12 @@
1438 -+@@ -400,12 +405,12 @@
1439 - $(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
1440 - $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
1441 - $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
1442 -@@ -39340,7 +39339,7 @@
1443 -
1444 - install-sysconf:
1445 - $(MKDIR_P) $(DESTDIR)$(sysconfdir)
1446 --@@ -463,10 +469,9 @@
1447 -+@@ -463,10 +468,9 @@
1448 - -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
1449 - -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
1450 - -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
1451 -@@ -39354,7 +39353,7 @@
1452 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
1453 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
1454 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
1455 --@@ -478,7 +483,6 @@
1456 -+@@ -478,7 +482,6 @@
1457 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
1458 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
1459 - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
1460 -@@ -39362,7 +39361,7 @@
1461 -
1462 - regress-prep:
1463 - $(MKDIR_P) `pwd`/regress/unittests/test_helper
1464 --@@ -491,11 +495,11 @@
1465 -+@@ -491,11 +494,11 @@
1466 - $(MKDIR_P) `pwd`/regress/unittests/match
1467 - $(MKDIR_P) `pwd`/regress/unittests/utf8
1468 - $(MKDIR_P) `pwd`/regress/misc/kexfuzz
1469 -@@ -39376,7 +39375,7 @@
1470 -
1471 - regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
1472 - $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
1473 --@@ -546,8 +550,7 @@
1474 -+@@ -546,8 +549,7 @@
1475 - regress/unittests/sshkey/tests.o \
1476 - regress/unittests/sshkey/common.o \
1477 - regress/unittests/sshkey/test_file.o \
1478 -@@ -39406,7 +39405,7 @@
1479 -
1480 - regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
1481 - ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
1482 --@@ -618,35 +619,18 @@
1483 -+@@ -618,35 +618,18 @@
1484 - -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
1485 -
1486 - MISC_KEX_FUZZ_OBJS=\
1487 -@@ -39444,7 +39443,7 @@
1488 - regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
1489 - regress/unittests/sshkey/test_sshkey$(EXEEXT) \
1490 - regress/unittests/bitmap/test_bitmap$(EXEEXT) \
1491 --@@ -657,36 +641,29 @@
1492 -+@@ -657,36 +640,29 @@
1493 - regress/unittests/utf8/test_utf8$(EXEEXT) \
1494 - regress/misc/kexfuzz/kexfuzz$(EXEEXT)
1495 -
1496 -@@ -39501,7 +39500,7 @@
1497 - TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
1498 - TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
1499 - TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
1500 --@@ -708,8 +685,6 @@
1501 -+@@ -708,8 +684,6 @@
1502 - TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
1503 - TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
1504 - TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
1505 -@@ -39510,7 +39509,7 @@
1506 - TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
1507 - TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
1508 - TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
1509 --@@ -717,17 +692,35 @@
1510 -+@@ -717,17 +691,35 @@
1511 - TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
1512 - TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
1513 - TEST_SSH_ECC="$${TEST_SSH_ECC}" \
1514 -@@ -39549,7 +39548,7 @@
1515 -
1516 - survey: survey.sh ssh
1517 - @$(SHELL) ./survey.sh > survey
1518 --@@ -743,4 +736,8 @@
1519 -+@@ -743,4 +735,8 @@
1520 - sh buildpkg.sh; \
1521 - fi
1522 -
1523 -@@ -98215,16 +98214,6 @@
1524 - + return mbtowc(NULL, s, n);
1525 - +}
1526 - +#endif
1527 --diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.3/version.h
1528 ----- openssh-8.2p1/version.h 2020-02-14 02:40:54.000000000 +0200
1529 --+++ openssh-8.2p1+x509-12.4.3/version.h 2020-03-21 19:07:00.000000000 +0200
1530 --@@ -2,5 +2,4 @@
1531 --
1532 -- #define SSH_VERSION "OpenSSH_8.2"
1533 --
1534 ---#define SSH_PORTABLE "p1"
1535 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1536 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
1537 - diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.3/version.m4
1538 - --- openssh-8.2p1/version.m4 1970-01-01 02:00:00.000000000 +0200
1539 - +++ openssh-8.2p1+x509-12.4.3/version.m4 2020-03-21 19:07:00.000000000 +0200
1540
1541 diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch
1542 deleted file mode 100644
1543 index 5af4534..0000000
1544 --- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch
1545 +++ /dev/null
1546 @@ -1,133 +0,0 @@
1547 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
1548 ---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:41:56.143193830 -0800
1549 -+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:46:40.060133610 -0800
1550 -@@ -3,9 +3,9 @@
1551 - --- a/Makefile.in
1552 - +++ b/Makefile.in
1553 - @@ -42,7 +42,7 @@ CC=@CC@
1554 -- CFLAGS_NOPIE=@CFLAGS_NOPIE@
1555 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1556 -- PICFLAG=@PICFLAG@
1557 -+ LD=@LD@
1558 -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
1559 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
1560 - -LIBS=@LIBS@
1561 - +LIBS=@LIBS@ -lpthread
1562 - K5LIBS=@K5LIBS@
1563 -@@ -803,8 +803,8 @@
1564 - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
1565 - {
1566 - struct session_state *state;
1567 --- const struct sshcipher *none = cipher_by_name("none");
1568 --+ struct sshcipher *none = cipher_by_name("none");
1569 -+- const struct sshcipher *none = cipher_none();
1570 -++ struct sshcipher *none = cipher_none();
1571 - int r;
1572 -
1573 - if (none == NULL) {
1574 -@@ -902,14 +902,14 @@
1575 -
1576 - /*
1577 - @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
1578 -- options->canonicalize_hostname = SSH_CANONICALISE_NO;
1579 -- if (options->fingerprint_hash == -1)
1580 - options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1581 -+ if (options->update_hostkeys == -1)
1582 -+ options->update_hostkeys = 0;
1583 - + if (options->disable_multithreaded == -1)
1584 - + options->disable_multithreaded = 0;
1585 -- #ifdef ENABLE_SK_INTERNAL
1586 - if (options->sk_provider == NULL)
1587 -- options->sk_provider = xstrdup("internal");
1588 -+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
1589 -+
1590 - diff --git a/readconf.h b/readconf.h
1591 - index 8e36bf32..c803eca7 100644
1592 - --- a/readconf.h
1593 -@@ -948,9 +948,9 @@
1594 - /* Portable-specific options */
1595 - sUsePAM,
1596 - + sDisableMTAES,
1597 -- /* Standard Options */
1598 -- sPort, sHostKeyFile, sLoginGraceTime,
1599 -- sPermitRootLogin, sLogFacility, sLogLevel,
1600 -+ /* X.509 Standard Options */
1601 -+ sHostbasedAlgorithms,
1602 -+ sPubkeyAlgorithms,
1603 - @@ -643,6 +647,7 @@ static struct {
1604 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
1605 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
1606 -Only in b: openssh-8_1_P1-hpn-AES-CTR-14.20.diff.orig
1607 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
1608 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:41:56.144193830 -0800
1609 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:45:36.665147504 -0800
1610 -@@ -382,7 +382,7 @@
1611 - @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
1612 - int nenc, nmac, ncomp;
1613 - u_int mode, ctos, need, dh_need, authlen;
1614 -- int r, first_kex_follows;
1615 -+ int r, first_kex_follows = 0;
1616 - + int auth_flag;
1617 - +
1618 - + auth_flag = packet_authentication_state(ssh);
1619 -@@ -391,8 +391,8 @@
1620 - debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
1621 - if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
1622 - @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
1623 -- peer[ncomp] = NULL;
1624 -- goto out;
1625 -+ else
1626 -+ fatal("Pre-authentication none cipher requests are not allowed.");
1627 - }
1628 - + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
1629 - + if (strcmp(newkeys->enc.name, "none") == 0) {
1630 -@@ -1169,15 +1169,3 @@
1631 - # Example of overriding settings on a per-user basis
1632 - #Match User anoncvs
1633 - # X11Forwarding no
1634 --diff --git a/version.h b/version.h
1635 --index 6b3fadf8..ec1d2e27 100644
1636 ----- a/version.h
1637 --+++ b/version.h
1638 --@@ -3,4 +3,6 @@
1639 -- #define SSH_VERSION "OpenSSH_8.1"
1640 --
1641 -- #define SSH_PORTABLE "p1"
1642 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1643 --+#define SSH_HPN "-hpn14v20"
1644 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
1645 --+
1646 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
1647 ---- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:41:43.834196317 -0800
1648 -+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:45:36.665147504 -0800
1649 -@@ -12,9 +12,9 @@
1650 - static long stalled; /* how long we have been stalled */
1651 - static int bytes_per_second; /* current speed in bytes per second */
1652 - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
1653 -+ off_t bytes_left;
1654 - int cur_speed;
1655 -- int hours, minutes, seconds;
1656 -- int file_len;
1657 -+ int len;
1658 - + off_t delta_pos;
1659 -
1660 - if ((!force_update && !alarm_fired && !win_resized) || !can_output())
1661 -@@ -33,12 +33,12 @@
1662 - @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
1663 -
1664 - /* filename */
1665 -- buf[0] = '\0';
1666 --- file_len = win_size - 36;
1667 --+ file_len = win_size - 45;
1668 -- if (file_len > 0) {
1669 -- buf[0] = '\r';
1670 -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
1671 -+ if (win_size > 36) {
1672 -+- int file_len = win_size - 36;
1673 -++ int file_len = win_size - 45;
1674 -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
1675 -+ file_len, file);
1676 -+ }
1677 - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
1678 - (off_t)bytes_per_second);
1679 - strlcat(buf, "/s ", win_size);
1680
1681 diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch
1682 deleted file mode 100644
1683 index b2163fe..0000000
1684 --- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch
1685 +++ /dev/null
1686 @@ -1,151 +0,0 @@
1687 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
1688 ---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800
1689 -+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800
1690 -@@ -3,9 +3,9 @@
1691 - --- a/Makefile.in
1692 - +++ b/Makefile.in
1693 - @@ -42,7 +42,7 @@ CC=@CC@
1694 -- LD=@LD@
1695 -- CFLAGS=@CFLAGS@
1696 -+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
1697 - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1698 -+ PICFLAG=@PICFLAG@
1699 - -LIBS=@LIBS@
1700 - +LIBS=@LIBS@ -lpthread
1701 - K5LIBS=@K5LIBS@
1702 -@@ -902,14 +902,14 @@
1703 -
1704 - /*
1705 - @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
1706 -+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
1707 -+ if (options->fingerprint_hash == -1)
1708 - options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1709 -- if (options->update_hostkeys == -1)
1710 -- options->update_hostkeys = 0;
1711 - + if (options->disable_multithreaded == -1)
1712 - + options->disable_multithreaded = 0;
1713 --
1714 -- /* Expand KEX name lists */
1715 -- all_cipher = cipher_alg_list(',', 0);
1716 -+ #ifdef ENABLE_SK_INTERNAL
1717 -+ if (options->sk_provider == NULL)
1718 -+ options->sk_provider = xstrdup("internal");
1719 - diff --git a/readconf.h b/readconf.h
1720 - index 8e36bf32..c803eca7 100644
1721 - --- a/readconf.h
1722 -@@ -952,9 +952,9 @@
1723 - sPort, sHostKeyFile, sLoginGraceTime,
1724 - sPermitRootLogin, sLogFacility, sLogLevel,
1725 - @@ -643,6 +647,7 @@ static struct {
1726 -- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
1727 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
1728 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
1729 -+ { "include", sInclude, SSHCFG_ALL },
1730 - + { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
1731 - { "ipqos", sIPQoS, SSHCFG_ALL },
1732 - { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
1733 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
1734 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800
1735 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800
1736 -@@ -409,18 +409,10 @@
1737 - index 817da43b..b2bcf78f 100644
1738 - --- a/packet.c
1739 - +++ b/packet.c
1740 --@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1741 -+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1742 - return 0;
1743 - }
1744 -
1745 --+/* this supports the forced rekeying required for the NONE cipher */
1746 --+int rekey_requested = 0;
1747 --+void
1748 --+packet_request_rekeying(void)
1749 --+{
1750 --+ rekey_requested = 1;
1751 --+}
1752 --+
1753 - +/* used to determine if pre or post auth when rekeying for aes-ctr
1754 - + * and none cipher switch */
1755 - +int
1756 -@@ -434,20 +426,6 @@
1757 - #define MAX_PACKETS (1U<<31)
1758 - static int
1759 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1760 --@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1761 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
1762 -- return 0;
1763 --
1764 --+ /* used to force rekeying when called for by the none
1765 --+ * cipher switch methods -cjr */
1766 --+ if (rekey_requested == 1) {
1767 --+ rekey_requested = 0;
1768 --+ return 1;
1769 --+ }
1770 --+
1771 -- /* Time-based rekeying */
1772 -- if (state->rekey_interval != 0 &&
1773 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
1774 - diff --git a/packet.h b/packet.h
1775 - index 8ccfd2e0..1ad9bc06 100644
1776 - --- a/packet.h
1777 -@@ -476,9 +454,9 @@
1778 - /* Format of the configuration file:
1779 -
1780 - @@ -167,6 +168,8 @@ typedef enum {
1781 -- oHashKnownHosts,
1782 - oTunnel, oTunnelDevice,
1783 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
1784 -+ oDisableMTAES,
1785 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
1786 - + oNoneEnabled, oNoneSwitch,
1787 - oVisualHostKey,
1788 -@@ -615,9 +593,9 @@
1789 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
1790 - SyslogFacility log_facility; /* Facility for system logging. */
1791 - @@ -112,7 +116,10 @@ typedef struct {
1792 --
1793 - int enable_ssh_keysign;
1794 - int64_t rekey_limit;
1795 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
1796 - + int none_switch; /* Use none cipher */
1797 - + int none_enabled; /* Allow none to be used */
1798 - int rekey_interval;
1799 -@@ -700,9 +678,9 @@
1800 - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
1801 - + }
1802 - +
1803 -+ if (options->disable_multithreaded == -1)
1804 -+ options->disable_multithreaded = 0;
1805 - if (options->ip_qos_interactive == -1)
1806 -- options->ip_qos_interactive = IPTOS_DSCP_AF21;
1807 -- if (options->ip_qos_bulk == -1)
1808 - @@ -486,6 +532,8 @@ typedef enum {
1809 - sPasswordAuthentication, sKbdInteractiveAuthentication,
1810 - sListenAddress, sAddressFamily,
1811 -@@ -1079,11 +1057,11 @@
1812 - xxx_host = host;
1813 - xxx_hostaddr = hostaddr;
1814 -
1815 --@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
1816 -+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
1817 -
1818 - if (!authctxt.success)
1819 - fatal("Authentication failed.");
1820 --+
1821 -+
1822 - + /*
1823 - + * If the user wants to use the none cipher, do it post authentication
1824 - + * and only if the right conditions are met -- both of the NONE commands
1825 -@@ -1105,9 +1083,9 @@
1826 - + }
1827 - + }
1828 - +
1829 -- debug("Authentication succeeded (%s).", authctxt.method->name);
1830 -- }
1831 --
1832 -+ #ifdef WITH_OPENSSL
1833 -+ if (options.disable_multithreaded == 0) {
1834 -+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
1835 - diff --git a/sshd.c b/sshd.c
1836 - index 11571c01..23a06022 100644
1837 - --- a/sshd.c
1838
1839 diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
1840 deleted file mode 100644
1841 index 69dd22a..0000000
1842 --- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
1843 +++ /dev/null
1844 @@ -1,20 +0,0 @@
1845 ---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:31:37.392120799 -0700
1846 -+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:32:46.143684424 -0700
1847 -@@ -672,7 +672,7 @@
1848 - +const EVP_CIPHER *
1849 - +evp_aes_ctr_mt(void)
1850 - +{
1851 --+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
1852 -++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
1853 - + static EVP_CIPHER *aes_ctr;
1854 - + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
1855 - + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
1856 -@@ -701,7 +701,7 @@
1857 - + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
1858 - +# endif /*SSH_OLD_EVP*/
1859 - + return &aes_ctr;
1860 --+# endif /*OPENSSH_VERSION_NUMBER*/
1861 -++# endif /*OPENSSL_VERSION_NUMBER*/
1862 - +}
1863 - +
1864 - +#endif /* defined(WITH_OPENSSL) */
1865
1866 diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch
1867 deleted file mode 100644
1868 index 2397aad..0000000
1869 --- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch
1870 +++ /dev/null
1871 @@ -1,19 +0,0 @@
1872 -diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
1873 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:00.321998279 -0800
1874 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:21.759980508 -0800
1875 -@@ -1169,15 +1169,3 @@
1876 - # Example of overriding settings on a per-user basis
1877 - #Match User anoncvs
1878 - # X11Forwarding no
1879 --diff --git a/version.h b/version.h
1880 --index 6b3fadf8..ec1d2e27 100644
1881 ----- a/version.h
1882 --+++ b/version.h
1883 --@@ -3,4 +3,6 @@
1884 -- #define SSH_VERSION "OpenSSH_8.1"
1885 --
1886 -- #define SSH_PORTABLE "p1"
1887 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1888 --+#define SSH_HPN "-hpn14v20"
1889 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
1890 --+
1891
1892 diff --git a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
1893 deleted file mode 100644
1894 index d1651bc..0000000
1895 --- a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
1896 +++ /dev/null
1897 @@ -1,35 +0,0 @@
1898 -Only in b: .openssh-8.3p1+x509-12.5.1.diff.un~
1899 -diff -u a/openssh-8.3p1+x509-12.5.1.diff b/openssh-8.3p1+x509-12.5.1.diff
1900 ---- a/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:13:08.937543708 -0700
1901 -+++ b/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:16:33.417271984 -0700
1902 -@@ -35541,12 +35541,11 @@
1903 -
1904 - install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
1905 - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
1906 --@@ -382,6 +363,8 @@
1907 -+@@ -382,6 +363,7 @@
1908 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
1909 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
1910 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
1911 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
1912 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
1913 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
1914 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
1915 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
1916 -@@ -97028,16 +97027,6 @@
1917 - +int asnmprintf(char **, size_t, int *, const char *, ...)
1918 - __attribute__((format(printf, 4, 5)));
1919 - void msetlocale(void);
1920 --diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5.1/version.h
1921 ----- openssh-8.3p1/version.h 2020-05-27 03:38:00.000000000 +0300
1922 --+++ openssh-8.3p1+x509-12.5.1/version.h 2020-06-07 11:07:00.000000000 +0300
1923 --@@ -2,5 +2,4 @@
1924 --
1925 -- #define SSH_VERSION "OpenSSH_8.3"
1926 --
1927 ---#define SSH_PORTABLE "p1"
1928 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1929 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
1930 - diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5.1/version.m4
1931 - --- openssh-8.3p1/version.m4 1970-01-01 02:00:00.000000000 +0200
1932 - +++ openssh-8.3p1+x509-12.5.1/version.m4 2020-06-07 11:07:00.000000000 +0300
1933
1934 diff --git a/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch
1935 deleted file mode 100644
1936 index 4414f9b..0000000
1937 --- a/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch
1938 +++ /dev/null
1939 @@ -1,177 +0,0 @@
1940 -Only in b: .openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff.un~
1941 -diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
1942 ---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:27.704108928 -0700
1943 -+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:49.803967500 -0700
1944 -@@ -3,9 +3,9 @@
1945 - --- a/Makefile.in
1946 - +++ b/Makefile.in
1947 - @@ -42,7 +42,7 @@ CC=@CC@
1948 -- LD=@LD@
1949 -- CFLAGS=@CFLAGS@
1950 -+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
1951 - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1952 -+ PICFLAG=@PICFLAG@
1953 - -LIBS=@LIBS@
1954 - +LIBS=@LIBS@ -lpthread
1955 - K5LIBS=@K5LIBS@
1956 -@@ -902,14 +902,14 @@
1957 -
1958 - /*
1959 - @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
1960 -+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
1961 -+ if (options->fingerprint_hash == -1)
1962 - options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1963 -- if (options->update_hostkeys == -1)
1964 -- options->update_hostkeys = 0;
1965 - + if (options->disable_multithreaded == -1)
1966 - + options->disable_multithreaded = 0;
1967 --
1968 -- /* Expand KEX name lists */
1969 -- all_cipher = cipher_alg_list(',', 0);
1970 -+ #ifdef ENABLE_SK_INTERNAL
1971 -+ if (options->sk_provider == NULL)
1972 -+ options->sk_provider = xstrdup("internal");
1973 - diff --git a/readconf.h b/readconf.h
1974 - index 8e36bf32..c803eca7 100644
1975 - --- a/readconf.h
1976 -@@ -952,9 +952,9 @@
1977 - sPort, sHostKeyFile, sLoginGraceTime,
1978 - sPermitRootLogin, sLogFacility, sLogLevel,
1979 - @@ -643,6 +647,7 @@ static struct {
1980 -- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
1981 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
1982 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
1983 -+ { "include", sInclude, SSHCFG_ALL },
1984 - + { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
1985 - { "ipqos", sIPQoS, SSHCFG_ALL },
1986 - { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
1987 -diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
1988 ---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 13:52:27.705108921 -0700
1989 -+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 14:03:57.888683100 -0700
1990 -@@ -409,18 +409,10 @@
1991 - index 817da43b..b2bcf78f 100644
1992 - --- a/packet.c
1993 - +++ b/packet.c
1994 --@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1995 -+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1996 - return 0;
1997 - }
1998 -
1999 --+/* this supports the forced rekeying required for the NONE cipher */
2000 --+int rekey_requested = 0;
2001 --+void
2002 --+packet_request_rekeying(void)
2003 --+{
2004 --+ rekey_requested = 1;
2005 --+}
2006 --+
2007 - +/* used to determine if pre or post auth when rekeying for aes-ctr
2008 - + * and none cipher switch */
2009 - +int
2010 -@@ -434,20 +426,6 @@
2011 - #define MAX_PACKETS (1U<<31)
2012 - static int
2013 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
2014 --@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
2015 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
2016 -- return 0;
2017 --
2018 --+ /* used to force rekeying when called for by the none
2019 --+ * cipher switch methods -cjr */
2020 --+ if (rekey_requested == 1) {
2021 --+ rekey_requested = 0;
2022 --+ return 1;
2023 --+ }
2024 --+
2025 -- /* Time-based rekeying */
2026 -- if (state->rekey_interval != 0 &&
2027 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
2028 - diff --git a/packet.h b/packet.h
2029 - index 8ccfd2e0..1ad9bc06 100644
2030 - --- a/packet.h
2031 -@@ -476,9 +454,9 @@
2032 - /* Format of the configuration file:
2033 -
2034 - @@ -167,6 +168,8 @@ typedef enum {
2035 -- oHashKnownHosts,
2036 - oTunnel, oTunnelDevice,
2037 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
2038 -+ oDisableMTAES,
2039 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
2040 - + oNoneEnabled, oNoneSwitch,
2041 - oVisualHostKey,
2042 -@@ -615,9 +593,9 @@
2043 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
2044 - SyslogFacility log_facility; /* Facility for system logging. */
2045 - @@ -112,7 +116,10 @@ typedef struct {
2046 --
2047 - int enable_ssh_keysign;
2048 - int64_t rekey_limit;
2049 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
2050 - + int none_switch; /* Use none cipher */
2051 - + int none_enabled; /* Allow none to be used */
2052 - int rekey_interval;
2053 -@@ -700,9 +678,9 @@
2054 - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
2055 - + }
2056 - +
2057 -+ if (options->disable_multithreaded == -1)
2058 -+ options->disable_multithreaded = 0;
2059 - if (options->ip_qos_interactive == -1)
2060 -- options->ip_qos_interactive = IPTOS_DSCP_AF21;
2061 -- if (options->ip_qos_bulk == -1)
2062 - @@ -486,6 +532,8 @@ typedef enum {
2063 - sPasswordAuthentication, sKbdInteractiveAuthentication,
2064 - sListenAddress, sAddressFamily,
2065 -@@ -731,11 +709,10 @@
2066 - *flags = keywords[i].flags;
2067 - return keywords[i].opcode;
2068 - }
2069 --@@ -1424,10 +1477,27 @@ process_server_config_line(ServerOptions *options, char *line,
2070 -- multistate_ptr = multistate_flag;
2071 -+@@ -1424,12 +1477,28 @@ process_server_config_line(ServerOptions *options, char *line,
2072 -+ multistate_ptr = multistate_ignore_rhosts;
2073 - goto parse_multistate;
2074 -
2075 --+
2076 - + case sTcpRcvBufPoll:
2077 - + intptr = &options->tcp_rcv_buf_poll;
2078 - + goto parse_flag;
2079 -@@ -750,7 +727,9 @@
2080 - +
2081 - case sIgnoreUserKnownHosts:
2082 - intptr = &options->ignore_user_known_hosts;
2083 -- goto parse_flag;
2084 -+ parse_flag:
2085 -+ multistate_ptr = multistate_flag;
2086 -+ goto parse_multistate;
2087 -
2088 - + case sNoneEnabled:
2089 - + intptr = &options->none_enabled;
2090 -@@ -1079,11 +1058,11 @@
2091 - xxx_host = host;
2092 - xxx_hostaddr = hostaddr;
2093 -
2094 --@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
2095 -+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
2096 -
2097 - if (!authctxt.success)
2098 - fatal("Authentication failed.");
2099 --+
2100 -+
2101 - + /*
2102 - + * If the user wants to use the none cipher, do it post authentication
2103 - + * and only if the right conditions are met -- both of the NONE commands
2104 -@@ -1105,9 +1084,9 @@
2105 - + }
2106 - + }
2107 - +
2108 -- debug("Authentication succeeded (%s).", authctxt.method->name);
2109 -- }
2110 --
2111 -+ #ifdef WITH_OPENSSL
2112 -+ if (options.disable_multithreaded == 0) {
2113 -+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
2114 - diff --git a/sshd.c b/sshd.c
2115 - index 11571c01..23a06022 100644
2116 - --- a/sshd.c
2117
2118 diff --git a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
2119 deleted file mode 100644
2120 index 6bd7166..0000000
2121 --- a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
2122 +++ /dev/null
2123 @@ -1,13 +0,0 @@
2124 -diff --git a/Makefile.in b/Makefile.in
2125 -index c9e4294d..2dbfac24 100644
2126 ---- a/Makefile.in
2127 -+++ b/Makefile.in
2128 -@@ -44,7 +44,7 @@ CC=@CC@
2129 - LD=@LD@
2130 - CFLAGS=@CFLAGS@
2131 - CFLAGS_NOPIE=@CFLAGS_NOPIE@
2132 --CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
2133 -+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
2134 - PICFLAG=@PICFLAG@
2135 - LIBS=@LIBS@
2136 - K5LIBS=@K5LIBS@
2137
2138 diff --git a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
2139 deleted file mode 100644
2140 index f12a309..0000000
2141 --- a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch
2142 +++ /dev/null
2143 @@ -1,34 +0,0 @@
2144 -diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
2145 ---- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
2146 -+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
2147 -@@ -39348,12 +39348,11 @@
2148 -
2149 - install-files:
2150 - $(MKDIR_P) $(DESTDIR)$(bindir)
2151 --@@ -384,6 +365,8 @@
2152 -+@@ -384,6 +365,7 @@
2153 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
2154 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
2155 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
2156 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
2157 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
2158 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
2159 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
2160 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
2161 -@@ -103950,16 +103949,6 @@
2162 - +int asnmprintf(char **, size_t, int *, const char *, ...)
2163 - __attribute__((format(printf, 4, 5)));
2164 - void msetlocale(void);
2165 --diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
2166 ----- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
2167 --+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
2168 --@@ -2,5 +2,4 @@
2169 --
2170 -- #define SSH_VERSION "OpenSSH_8.4"
2171 --
2172 ---#define SSH_PORTABLE "p1"
2173 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
2174 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
2175 - diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
2176 - --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
2177 - +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300
2178
2179 diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
2180 deleted file mode 100644
2181 index 32713d4..0000000
2182 --- a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch
2183 +++ /dev/null
2184 @@ -1,30 +0,0 @@
2185 -From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
2186 -From: Oleg <Fallmay@××××××××××××××××××××.com>
2187 -Date: Thu, 1 Oct 2020 12:09:08 +0300
2188 -Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
2189 -
2190 ----
2191 - contrib/ssh-copy-id | 3 ++-
2192 - 1 file changed, 2 insertions(+), 1 deletion(-)
2193 -
2194 -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
2195 -index 392f64f94..a76907717 100644
2196 ---- a/contrib/ssh-copy-id
2197 -+++ b/contrib/ssh-copy-id
2198 -@@ -247,7 +247,7 @@ installkeys_sh() {
2199 - # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
2200 - # the cat adds the keys we're getting via STDIN
2201 - # and if available restorecon is used to restore the SELinux context
2202 -- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
2203 -+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
2204 - cd;
2205 - umask 077;
2206 - mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
2207 -@@ -258,6 +258,7 @@ installkeys_sh() {
2208 - restorecon -F .ssh ${AUTH_KEY_FILE};
2209 - fi
2210 - EOF
2211 -+ )
2212 -
2213 - # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
2214 - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
2215
2216 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
2217 deleted file mode 100644
2218 index 9bd600b..0000000
2219 --- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch
2220 +++ /dev/null
2221 @@ -1,129 +0,0 @@
2222 -diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
2223 ---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
2224 -+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
2225 -@@ -3,9 +3,9 @@
2226 - --- a/Makefile.in
2227 - +++ b/Makefile.in
2228 - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
2229 -- CFLAGS_NOPIE=@CFLAGS_NOPIE@
2230 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
2231 -- PICFLAG=@PICFLAG@
2232 -+ LD=@LD@
2233 -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
2234 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
2235 - -LIBS=@LIBS@
2236 - +LIBS=@LIBS@ -lpthread
2237 - K5LIBS=@K5LIBS@
2238 -@@ -803,7 +803,7 @@
2239 - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
2240 - {
2241 - struct session_state *state;
2242 --- const struct sshcipher *none = cipher_by_name("none");
2243 -+- const struct sshcipher *none = cipher_none();
2244 - + struct sshcipher *none = cipher_by_name("none");
2245 - int r;
2246 -
2247 -@@ -901,17 +901,18 @@
2248 - }
2249 -
2250 - /*
2251 --@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
2252 -+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
2253 - if (options->sk_provider == NULL)
2254 - options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
2255 -- #endif
2256 -+
2257 - + if (options->update_hostkeys == -1)
2258 - + options->update_hostkeys = 0;
2259 - + if (options->disable_multithreaded == -1)
2260 - + options->disable_multithreaded = 0;
2261 --
2262 -- /* Expand KEX name lists */
2263 -- all_cipher = cipher_alg_list(',', 0);
2264 -++
2265 -+ /* expand KEX and etc. name lists */
2266 -+ { char *all;
2267 -+ #define ASSEMBLE(what, defaults, all) \
2268 - diff --git a/readconf.h b/readconf.h
2269 - index e143a108..1383a3cd 100644
2270 - --- a/readconf.h
2271 -@@ -950,9 +951,9 @@
2272 - /* Portable-specific options */
2273 - sUsePAM,
2274 - + sDisableMTAES,
2275 -- /* Standard Options */
2276 -- sPort, sHostKeyFile, sLoginGraceTime,
2277 -- sPermitRootLogin, sLogFacility, sLogLevel,
2278 -+ /* X.509 Standard Options */
2279 -+ sHostbasedAlgorithms,
2280 -+ sPubkeyAlgorithms,
2281 - @@ -679,6 +683,7 @@ static struct {
2282 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
2283 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
2284 -diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
2285 ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
2286 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
2287 -@@ -382,7 +382,7 @@
2288 - @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
2289 - int nenc, nmac, ncomp;
2290 - u_int mode, ctos, need, dh_need, authlen;
2291 -- int r, first_kex_follows;
2292 -+ int r, first_kex_follows = 0;
2293 - + int auth_flag;
2294 - +
2295 - + auth_flag = packet_authentication_state(ssh);
2296 -@@ -1193,14 +1193,3 @@
2297 - # Example of overriding settings on a per-user basis
2298 - #Match User anoncvs
2299 - # X11Forwarding no
2300 --diff --git a/version.h b/version.h
2301 --index a2eca3ec..ff654fc3 100644
2302 ----- a/version.h
2303 --+++ b/version.h
2304 --@@ -3,4 +3,5 @@
2305 -- #define SSH_VERSION "OpenSSH_8.3"
2306 --
2307 -- #define SSH_PORTABLE "p1"
2308 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
2309 --+#define SSH_HPN "-hpn14v22"
2310 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
2311 -diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
2312 ---- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
2313 -+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
2314 -@@ -12,9 +12,9 @@
2315 - static long stalled; /* how long we have been stalled */
2316 - static int bytes_per_second; /* current speed in bytes per second */
2317 - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
2318 -+ off_t bytes_left;
2319 - int cur_speed;
2320 -- int hours, minutes, seconds;
2321 -- int file_len;
2322 -+ int len;
2323 - + off_t delta_pos;
2324 -
2325 - if ((!force_update && !alarm_fired && !win_resized) || !can_output())
2326 -@@ -30,15 +30,17 @@
2327 - if (bytes_left > 0)
2328 - elapsed = now - last_update;
2329 - else {
2330 --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
2331 -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
2332 -+ buf[1] = '\0';
2333 -
2334 - /* filename */
2335 -- buf[0] = '\0';
2336 --- file_len = win_size - 36;
2337 --+ file_len = win_size - 45;
2338 -- if (file_len > 0) {
2339 -- buf[0] = '\r';
2340 -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
2341 -+- if (win_size > 36) {
2342 -+- int file_len = win_size - 36;
2343 -++ if (win_size > 45) {
2344 -++ int file_len = win_size - 45;
2345 -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
2346 -+ file_len, file);
2347 -+ }
2348 - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
2349 - (off_t)bytes_per_second);
2350 - strlcat(buf, "/s ", win_size);
2351
2352 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
2353 deleted file mode 100644
2354 index 884063c..0000000
2355 --- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
2356 +++ /dev/null
2357 @@ -1,94 +0,0 @@
2358 -diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
2359 ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
2360 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
2361 -@@ -409,18 +409,10 @@
2362 - index e7abb341..c23276d4 100644
2363 - --- a/packet.c
2364 - +++ b/packet.c
2365 --@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
2366 -+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
2367 - return 0;
2368 - }
2369 -
2370 --+/* this supports the forced rekeying required for the NONE cipher */
2371 --+int rekey_requested = 0;
2372 --+void
2373 --+packet_request_rekeying(void)
2374 --+{
2375 --+ rekey_requested = 1;
2376 --+}
2377 --+
2378 - +/* used to determine if pre or post auth when rekeying for aes-ctr
2379 - + * and none cipher switch */
2380 - +int
2381 -@@ -434,20 +426,6 @@
2382 - #define MAX_PACKETS (1U<<31)
2383 - static int
2384 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
2385 --@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
2386 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
2387 -- return 0;
2388 --
2389 --+ /* used to force rekeying when called for by the none
2390 --+ * cipher switch methods -cjr */
2391 --+ if (rekey_requested == 1) {
2392 --+ rekey_requested = 0;
2393 --+ return 1;
2394 --+ }
2395 --+
2396 -- /* Time-based rekeying */
2397 -- if (state->rekey_interval != 0 &&
2398 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
2399 - diff --git a/packet.h b/packet.h
2400 - index c2544bd9..ebd85c88 100644
2401 - --- a/packet.h
2402 -@@ -481,9 +459,9 @@
2403 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
2404 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
2405 - + oNoneEnabled, oNoneSwitch,
2406 -+ oDisableMTAES,
2407 - oVisualHostKey,
2408 - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
2409 -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
2410 - @@ -294,6 +297,8 @@ static struct {
2411 - { "kexalgorithms", oKexAlgorithms },
2412 - { "ipqos", oIPQoS },
2413 -@@ -615,9 +593,9 @@
2414 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
2415 - SyslogFacility log_facility; /* Facility for system logging. */
2416 - @@ -114,7 +118,10 @@ typedef struct {
2417 --
2418 - int enable_ssh_keysign;
2419 - int64_t rekey_limit;
2420 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
2421 - + int none_switch; /* Use none cipher */
2422 - + int none_enabled; /* Allow none to be used */
2423 - int rekey_interval;
2424 -@@ -700,9 +678,9 @@
2425 - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
2426 - + }
2427 - +
2428 -+ if (options->disable_multithreaded == -1)
2429 -+ options->disable_multithreaded = 0;
2430 - if (options->ip_qos_interactive == -1)
2431 -- options->ip_qos_interactive = IPTOS_DSCP_AF21;
2432 -- if (options->ip_qos_bulk == -1)
2433 - @@ -519,6 +565,8 @@ typedef enum {
2434 - sPasswordAuthentication, sKbdInteractiveAuthentication,
2435 - sListenAddress, sAddressFamily,
2436 -@@ -1081,11 +1059,11 @@
2437 - xxx_host = host;
2438 - xxx_hostaddr = hostaddr;
2439 -
2440 --@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
2441 -+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
2442 -+ }
2443 -+ }
2444 -+ #endif
2445 -
2446 -- if (!authctxt.success)
2447 -- fatal("Authentication failed.");
2448 --+
2449 - + /*
2450 - + * If the user wants to use the none cipher, do it post authentication
2451 - + * and only if the right conditions are met -- both of the NONE commands
2452
2453 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
2454 deleted file mode 100644
2455 index 79cc3e5..0000000
2456 --- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch
2457 +++ /dev/null
2458 @@ -1,20 +0,0 @@
2459 ---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:31:37.392120799 -0700
2460 -+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:32:46.143684424 -0700
2461 -@@ -672,7 +672,7 @@
2462 - +const EVP_CIPHER *
2463 - +evp_aes_ctr_mt(void)
2464 - +{
2465 --+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
2466 -++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
2467 - + static EVP_CIPHER *aes_ctr;
2468 - + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
2469 - + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
2470 -@@ -701,7 +701,7 @@
2471 - + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
2472 - +# endif /*SSH_OLD_EVP*/
2473 - + return &aes_ctr;
2474 --+# endif /*OPENSSH_VERSION_NUMBER*/
2475 -++# endif /*OPENSSL_VERSION_NUMBER*/
2476 - +}
2477 - +
2478 - +#endif /* defined(WITH_OPENSSL) */
2479
2480 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
2481 deleted file mode 100644
2482 index 52ec42e..0000000
2483 --- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
2484 +++ /dev/null
2485 @@ -1,18 +0,0 @@
2486 -diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
2487 ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
2488 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
2489 -@@ -1171,14 +1171,3 @@
2490 - # Example of overriding settings on a per-user basis
2491 - #Match User anoncvs
2492 - # X11Forwarding no
2493 --diff --git a/version.h b/version.h
2494 --index a2eca3ec..ff654fc3 100644
2495 ----- a/version.h
2496 --+++ b/version.h
2497 --@@ -3,4 +3,5 @@
2498 -- #define SSH_VERSION "OpenSSH_8.3"
2499 --
2500 -- #define SSH_PORTABLE "p1"
2501 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
2502 --+#define SSH_HPN "-hpn14v22"
2503 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
2504
2505 diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd
2506 deleted file mode 100644
2507 index cf43037..0000000
2508 --- a/net-misc/openssh/files/sshd-r1.confd
2509 +++ /dev/null
2510 @@ -1,33 +0,0 @@
2511 -# /etc/conf.d/sshd: config file for /etc/init.d/sshd
2512 -
2513 -# Where is your sshd_config file stored?
2514 -
2515 -SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
2516 -
2517 -
2518 -# Any random options you want to pass to sshd.
2519 -# See the sshd(8) manpage for more info.
2520 -
2521 -SSHD_OPTS=""
2522 -
2523 -
2524 -# Wait one second (length chosen arbitrarily) to see if sshd actually
2525 -# creates a PID file, or if it crashes for some reason like not being
2526 -# able to bind to the address in ListenAddress.
2527 -
2528 -#SSHD_SSD_OPTS="--wait 1000"
2529 -
2530 -
2531 -# Pid file to use (needs to be absolute path).
2532 -
2533 -#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
2534 -
2535 -
2536 -# Path to the sshd binary (needs to be absolute path).
2537 -
2538 -#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
2539 -
2540 -
2541 -# Path to the ssh-keygen binary (needs to be absolute path).
2542 -
2543 -#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
2544
2545 diff --git a/net-misc/openssh/files/sshd-r1.initd b/net-misc/openssh/files/sshd-r1.initd
2546 deleted file mode 100644
2547 index f6cd2e2..0000000
2548 --- a/net-misc/openssh/files/sshd-r1.initd
2549 +++ /dev/null
2550 @@ -1,87 +0,0 @@
2551 -#!/sbin/openrc-run
2552 -# Copyright 1999-2021 Gentoo Authors
2553 -# Distributed under the terms of the GNU General Public License v2
2554 -
2555 -extra_commands="checkconfig"
2556 -extra_started_commands="reload"
2557 -
2558 -: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
2559 -: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
2560 -: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
2561 -: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
2562 -: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
2563 -
2564 -command="${SSHD_BINARY}"
2565 -pidfile="${SSHD_PIDFILE}"
2566 -command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
2567 -
2568 -# Wait one second (length chosen arbitrarily) to see if sshd actually
2569 -# creates a PID file, or if it crashes for some reason like not being
2570 -# able to bind to the address in ListenAddress (bug 617596).
2571 -: ${SSHD_SSD_OPTS:=--wait 1000}
2572 -start_stop_daemon_args="${SSHD_SSD_OPTS}"
2573 -
2574 -depend() {
2575 - # Entropy can be used by ssh-keygen, among other things, but
2576 - # is not strictly required (bug 470020).
2577 - use logger dns entropy
2578 - if [ "${rc_need+set}" = "set" ] ; then
2579 - : # Do nothing, the user has explicitly set rc_need
2580 - else
2581 - local x warn_addr
2582 - for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
2583 - case "${x}" in
2584 - 0.0.0.0|0.0.0.0:*) ;;
2585 - ::|\[::\]*) ;;
2586 - *) warn_addr="${warn_addr} ${x}" ;;
2587 - esac
2588 - done
2589 - if [ -n "${warn_addr}" ] ; then
2590 - need net
2591 - ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
2592 - ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
2593 - ewarn "where FOO is the interface(s) providing the following address(es):"
2594 - ewarn "${warn_addr}"
2595 - fi
2596 - fi
2597 -}
2598 -
2599 -checkconfig() {
2600 - checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
2601 -
2602 - if [ ! -e "${SSHD_CONFIG}" ] ; then
2603 - eerror "You need an ${SSHD_CONFIG} file to run sshd"
2604 - eerror "There is a sample file in /usr/share/doc/openssh"
2605 - return 1
2606 - fi
2607 -
2608 - ${SSHD_KEYGEN_BINARY} -A || return 2
2609 -
2610 - "${command}" -t ${command_args} || return 3
2611 -}
2612 -
2613 -start_pre() {
2614 - # Make sure that the user's config isn't busted before we try
2615 - # to start the daemon (this will produce better error messages
2616 - # than if we just try to start it blindly).
2617 - #
2618 - # We always need to call checkconfig because this function will
2619 - # also generate any missing host key and you can start a
2620 - # non-running service with "restart" argument.
2621 - checkconfig || return $?
2622 -}
2623 -
2624 -stop_pre() {
2625 - # If this is a restart, check to make sure the user's config
2626 - # isn't busted before we stop the running daemon.
2627 - if [ "${RC_CMD}" = "restart" ] ; then
2628 - checkconfig || return $?
2629 - fi
2630 -}
2631 -
2632 -reload() {
2633 - checkconfig || return $?
2634 - ebegin "Reloading ${SVCNAME}"
2635 - start-stop-daemon --signal HUP --pidfile "${pidfile}"
2636 - eend $?
2637 -}
2638
2639 diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
2640 deleted file mode 100644
2641 index b801aaa..0000000
2642 --- a/net-misc/openssh/files/sshd.pam_include.2
2643 +++ /dev/null
2644 @@ -1,4 +0,0 @@
2645 -auth include system-remote-login
2646 -account include system-remote-login
2647 -password include system-remote-login
2648 -session include system-remote-login
2649
2650 diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
2651 deleted file mode 100644
2652 index b5e96b3..0000000
2653 --- a/net-misc/openssh/files/sshd.service
2654 +++ /dev/null
2655 @@ -1,11 +0,0 @@
2656 -[Unit]
2657 -Description=OpenSSH server daemon
2658 -After=syslog.target network.target auditd.service
2659 -
2660 -[Service]
2661 -ExecStartPre=/usr/bin/ssh-keygen -A
2662 -ExecStart=/usr/sbin/sshd -D -e
2663 -ExecReload=/bin/kill -HUP $MAINPID
2664 -
2665 -[Install]
2666 -WantedBy=multi-user.target
2667
2668 diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
2669 deleted file mode 100644
2670 index 94b9533..0000000
2671 --- a/net-misc/openssh/files/sshd.socket
2672 +++ /dev/null
2673 @@ -1,10 +0,0 @@
2674 -[Unit]
2675 -Description=OpenSSH Server Socket
2676 -Conflicts=sshd.service
2677 -
2678 -[Socket]
2679 -ListenStream=22
2680 -Accept=yes
2681 -
2682 -[Install]
2683 -WantedBy=sockets.target
2684
2685 diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
2686 deleted file mode 100644
2687 index ec2907b..0000000
2688 --- a/net-misc/openssh/files/sshd_at.service
2689 +++ /dev/null
2690 @@ -1,8 +0,0 @@
2691 -[Unit]
2692 -Description=OpenSSH per-connection server daemon
2693 -After=syslog.target auditd.service
2694 -
2695 -[Service]
2696 -ExecStart=-/usr/sbin/sshd -i -e
2697 -StandardInput=socket
2698 -StandardError=journal
2699
2700 diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
2701 deleted file mode 100644
2702 index 9ce34e6..0000000
2703 --- a/net-misc/openssh/metadata.xml
2704 +++ /dev/null
2705 @@ -1,37 +0,0 @@
2706 -<?xml version="1.0" encoding="UTF-8"?>
2707 -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
2708 -<pkgmetadata>
2709 - <maintainer type="project">
2710 - <email>base-system@g.o</email>
2711 - <name>Gentoo Base System</name>
2712 - </maintainer>
2713 - <longdescription>
2714 -OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
2715 -increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
2716 -rlogin, ftp, and other such programs might not realize that their password is transmitted
2717 -across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
2718 -to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
2719 -Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
2720 -of authentication methods.
2721 -
2722 -The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
2723 -replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
2724 -the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
2725 -ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
2726 -</longdescription>
2727 - <use>
2728 - <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
2729 - <flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
2730 - <flag name="hpn">Enable high performance ssh</flag>
2731 - <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
2732 - <flag name="livecd">Enable root password logins for live-cd environment.</flag>
2733 - <flag name="security-key">Include builtin U2F/FIDO support</flag>
2734 - <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
2735 - <flag name="X509">Adds support for X.509 certificate authentication</flag>
2736 - <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
2737 - </use>
2738 - <upstream>
2739 - <remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
2740 - <remote-id type="sourceforge">hpnssh</remote-id>
2741 - </upstream>
2742 -</pkgmetadata>
2743
2744 diff --git a/net-misc/openssh/openssh-8.2_p1-r7.ebuild b/net-misc/openssh/openssh-8.2_p1-r7.ebuild
2745 deleted file mode 100644
2746 index 8895334..0000000
2747 --- a/net-misc/openssh/openssh-8.2_p1-r7.ebuild
2748 +++ /dev/null
2749 @@ -1,481 +0,0 @@
2750 -# Copyright 1999-2021 Gentoo Authors
2751 -# Distributed under the terms of the GNU General Public License v2
2752 -
2753 -EAPI=7
2754 -
2755 -inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
2756 -
2757 -# Make it more portable between straight releases
2758 -# and _p? releases.
2759 -PARCH=${P/_}
2760 -HPN_PV="8.1_P1"
2761 -
2762 -HPN_VER="14.20"
2763 -HPN_PATCHES=(
2764 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
2765 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
2766 - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
2767 -)
2768 -
2769 -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2770 -X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
2771 -
2772 -DESCRIPTION="Port of OpenBSD's free SSH release"
2773 -HOMEPAGE="https://www.openssh.com/"
2774 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2775 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
2776 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
2777 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2778 -"
2779 -S="${WORKDIR}/${PARCH}"
2780 -
2781 -LICENSE="BSD GPL-2"
2782 -SLOT="0"
2783 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2784 -# Probably want to drop ssl defaulting to on in a future version.
2785 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
2786 -
2787 -RESTRICT="!test? ( test )"
2788 -
2789 -REQUIRED_USE="
2790 - ldns? ( ssl )
2791 - pie? ( !static )
2792 - static? ( !kerberos !pam )
2793 - X509? ( !sctp !security-key ssl !xmss )
2794 - xmss? ( ssl )
2795 - test? ( ssl )
2796 -"
2797 -
2798 -LIB_DEPEND="
2799 - audit? ( sys-process/audit[static-libs(+)] )
2800 - ldns? (
2801 - net-libs/ldns[static-libs(+)]
2802 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2803 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2804 - )
2805 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2806 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2807 - security-key? ( dev-libs/libfido2:=[static-libs(+)] )
2808 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2809 - ssl? (
2810 - || (
2811 - (
2812 - >=dev-libs/openssl-1.0.1:0[bindist=]
2813 - <dev-libs/openssl-1.1.0:0[bindist=]
2814 - )
2815 - >=dev-libs/openssl-1.1.0g:0[bindist=]
2816 - )
2817 - dev-libs/openssl:0=[static-libs(+)]
2818 - )
2819 - virtual/libcrypt:=[static-libs(+)]
2820 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]
2821 -"
2822 -RDEPEND="
2823 - acct-group/sshd
2824 - acct-user/sshd
2825 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2826 - pam? ( sys-libs/pam )
2827 - kerberos? ( virtual/krb5 )
2828 -"
2829 -DEPEND="${RDEPEND}
2830 - virtual/os-headers
2831 - kernel_linux? ( >=sys-kernel/linux-headers-5.1 )
2832 - static? ( ${LIB_DEPEND} )
2833 -"
2834 -RDEPEND="${RDEPEND}
2835 - pam? ( >=sys-auth/pambase-20081028 )
2836 - userland_GNU? ( !prefix? ( sys-apps/shadow ) )
2837 - X? ( x11-apps/xauth )
2838 -"
2839 -BDEPEND="
2840 - virtual/pkgconfig
2841 - sys-devel/autoconf
2842 -"
2843 -
2844 -pkg_pretend() {
2845 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2846 - # than not be able to log in to their server any more
2847 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2848 - local fail="
2849 - $(use hpn && maybe_fail hpn HPN_VER)
2850 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2851 - $(use X509 && maybe_fail X509 X509_PATCH)
2852 - "
2853 - fail=$(echo ${fail})
2854 - if [[ -n ${fail} ]] ; then
2855 - eerror "Sorry, but this version does not yet support features"
2856 - eerror "that you requested: ${fail}"
2857 - eerror "Please mask ${PF} for now and check back later:"
2858 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2859 - die "booooo"
2860 - fi
2861 -
2862 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2863 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
2864 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2865 - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
2866 - fi
2867 -}
2868 -
2869 -src_prepare() {
2870 - sed -i \
2871 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
2872 - pathnames.h || die
2873 -
2874 - # don't break .ssh/authorized_keys2 for fun
2875 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2876 -
2877 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
2878 - eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2879 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2880 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2881 - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
2882 - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
2883 -
2884 - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
2885 -
2886 - local PATCHSET_VERSION_MACROS=()
2887 -
2888 - if use X509 ; then
2889 - pushd "${WORKDIR}" &>/dev/null || die
2890 - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
2891 - popd &>/dev/null || die
2892 -
2893 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2894 - eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
2895 -
2896 - # We need to patch package version or any X.509 sshd will reject our ssh client
2897 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2898 - # error
2899 - einfo "Patching package version for X.509 patch set ..."
2900 - sed -i \
2901 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2902 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2903 -
2904 - einfo "Patching version.h to expose X.509 patch set ..."
2905 - sed -i \
2906 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2907 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2908 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2909 - fi
2910 -
2911 - if use sctp ; then
2912 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2913 -
2914 - einfo "Patching version.h to expose SCTP patch set ..."
2915 - sed -i \
2916 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2917 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2918 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2919 -
2920 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2921 - sed -i \
2922 - -e "/\t\tcfgparse \\\/d" \
2923 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2924 - fi
2925 -
2926 - if use hpn ; then
2927 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
2928 - mkdir "${hpn_patchdir}" || die
2929 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
2930 - pushd "${hpn_patchdir}" &>/dev/null || die
2931 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
2932 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch
2933 - if use X509; then
2934 - # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
2935 - # # X509 and AES-CTR-MT don't get along, let's just drop it
2936 - # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
2937 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
2938 - fi
2939 - use sctp && eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-sctp-glue.patch
2940 - popd &>/dev/null || die
2941 -
2942 - eapply "${hpn_patchdir}"
2943 -
2944 - use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
2945 -
2946 - einfo "Patching Makefile.in for HPN patch set ..."
2947 - sed -i \
2948 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2949 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2950 -
2951 - einfo "Patching version.h to expose HPN patch set ..."
2952 - sed -i \
2953 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
2954 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2955 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2956 -
2957 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2958 - einfo "Disabling known non-working MT AES cipher per default ..."
2959 -
2960 - cat > "${T}"/disable_mtaes.conf <<- EOF
2961 -
2962 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2963 - # and therefore disabled per default.
2964 - DisableMTAES yes
2965 - EOF
2966 - sed -i \
2967 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2968 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2969 -
2970 - sed -i \
2971 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2972 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2973 - fi
2974 - fi
2975 -
2976 - if use X509 || use sctp || use hpn ; then
2977 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2978 - sed -i \
2979 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2980 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2981 -
2982 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2983 - sed -i \
2984 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2985 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2986 -
2987 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2988 - sed -i \
2989 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2990 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2991 - fi
2992 -
2993 - sed -i \
2994 - -e "/#UseLogin no/d" \
2995 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2996 -
2997 - eapply_user #473004
2998 -
2999 - tc-export PKG_CONFIG
3000 - local sed_args=(
3001 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
3002 - # Disable PATH reset, trust what portage gives us #254615
3003 - -e 's:^PATH=/:#PATH=/:'
3004 - # Disable fortify flags ... our gcc does this for us
3005 - -e 's:-D_FORTIFY_SOURCE=2::'
3006 - )
3007 -
3008 - # The -ftrapv flag ICEs on hppa #505182
3009 - use hppa && sed_args+=(
3010 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
3011 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
3012 - )
3013 - # _XOPEN_SOURCE causes header conflicts on Solaris
3014 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
3015 - -e 's/-D_XOPEN_SOURCE//'
3016 - )
3017 - sed -i "${sed_args[@]}" configure{.ac,} || die
3018 -
3019 - eautoreconf
3020 -}
3021 -
3022 -src_configure() {
3023 - addwrite /dev/ptmx
3024 -
3025 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
3026 - use static && append-ldflags -static
3027 - use xmss && append-cflags -DWITH_XMSS
3028 -
3029 - local myconf=(
3030 - --with-ldflags="${LDFLAGS}"
3031 - --disable-strip
3032 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
3033 - --sysconfdir="${EPREFIX}"/etc/ssh
3034 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
3035 - --datadir="${EPREFIX}"/usr/share/openssh
3036 - --with-privsep-path="${EPREFIX}"/var/empty
3037 - --with-privsep-user=sshd
3038 - $(use_with audit audit linux)
3039 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
3040 - # We apply the sctp patch conditionally, so can't pass --without-sctp
3041 - # unconditionally else we get unknown flag warnings.
3042 - $(use sctp && use_with sctp)
3043 - $(use_with ldns ldns "${EPREFIX}"/usr)
3044 - $(use_with libedit)
3045 - $(use_with pam)
3046 - $(use_with pie)
3047 - $(use_with selinux)
3048 - $(use_with security-key security-key-builtin)
3049 - $(use_with ssl openssl)
3050 - $(use_with ssl md5-passwords)
3051 - $(use_with ssl ssl-engine)
3052 - $(use_with !elibc_Cygwin hardening) #659210
3053 - )
3054 -
3055 - # stackprotect is broken on musl x86 and ppc
3056 - use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
3057 -
3058 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
3059 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
3060 -
3061 - econf "${myconf[@]}"
3062 -}
3063 -
3064 -src_test() {
3065 - local t skipped=() failed=() passed=()
3066 - local tests=( interop-tests compat-tests )
3067 -
3068 - local shell=$(egetshell "${UID}")
3069 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
3070 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
3071 - elog "user, so we will run a subset only."
3072 - skipped+=( tests )
3073 - else
3074 - tests+=( tests )
3075 - fi
3076 -
3077 - # It will also attempt to write to the homedir .ssh.
3078 - local sshhome=${T}/homedir
3079 - mkdir -p "${sshhome}"/.ssh
3080 - for t in "${tests[@]}" ; do
3081 - # Some tests read from stdin ...
3082 - HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
3083 - emake -k -j1 ${t} </dev/null \
3084 - && passed+=( "${t}" ) \
3085 - || failed+=( "${t}" )
3086 - done
3087 -
3088 - einfo "Passed tests: ${passed[*]}"
3089 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
3090 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
3091 -}
3092 -
3093 -# Gentoo tweaks to default config files.
3094 -tweak_ssh_configs() {
3095 - local locale_vars=(
3096 - # These are language variables that POSIX defines.
3097 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
3098 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
3099 -
3100 - # These are the GNU extensions.
3101 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
3102 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
3103 - )
3104 -
3105 - # First the server config.
3106 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
3107 -
3108 - # Allow client to pass locale environment variables. #367017
3109 - AcceptEnv ${locale_vars[*]}
3110 -
3111 - # Allow client to pass COLORTERM to match TERM. #658540
3112 - AcceptEnv COLORTERM
3113 - EOF
3114 -
3115 - # Then the client config.
3116 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
3117 -
3118 - # Send locale environment variables. #367017
3119 - SendEnv ${locale_vars[*]}
3120 -
3121 - # Send COLORTERM to match TERM. #658540
3122 - SendEnv COLORTERM
3123 - EOF
3124 -
3125 - if use pam ; then
3126 - sed -i \
3127 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
3128 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
3129 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
3130 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
3131 - "${ED}"/etc/ssh/sshd_config || die
3132 - fi
3133 -
3134 - if use livecd ; then
3135 - sed -i \
3136 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
3137 - "${ED}"/etc/ssh/sshd_config || die
3138 - fi
3139 -}
3140 -
3141 -src_install() {
3142 - emake install-nokeys DESTDIR="${D}"
3143 - fperms 600 /etc/ssh/sshd_config
3144 - dobin contrib/ssh-copy-id
3145 - newinitd "${FILESDIR}"/sshd-r1.initd sshd
3146 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
3147 -
3148 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
3149 -
3150 - tweak_ssh_configs
3151 -
3152 - doman contrib/ssh-copy-id.1
3153 - dodoc CREDITS OVERVIEW README* TODO sshd_config
3154 - use hpn && dodoc HPN-README
3155 - use X509 || dodoc ChangeLog
3156 -
3157 - diropts -m 0700
3158 - dodir /etc/skel/.ssh
3159 -
3160 - keepdir /var/empty
3161 -
3162 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
3163 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
3164 -}
3165 -
3166 -pkg_preinst() {
3167 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
3168 - show_ssl_warning=1
3169 - fi
3170 -}
3171 -
3172 -pkg_postinst() {
3173 - local old_ver
3174 - for old_ver in ${REPLACING_VERSIONS}; do
3175 - if ver_test "${old_ver}" -lt "5.8_p1"; then
3176 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
3177 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
3178 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
3179 - fi
3180 - if ver_test "${old_ver}" -lt "7.0_p1"; then
3181 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
3182 - elog "Make sure to update any configs that you might have. Note that xinetd might"
3183 - elog "be an alternative for you as it supports USE=tcpd."
3184 - fi
3185 - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
3186 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
3187 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
3188 - elog "adding to your sshd_config or ~/.ssh/config files:"
3189 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
3190 - elog "You should however generate new keys using rsa or ed25519."
3191 -
3192 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
3193 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
3194 - elog "out of the box. If you need this, please update your sshd_config explicitly."
3195 - fi
3196 - if ver_test "${old_ver}" -lt "7.6_p1"; then
3197 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
3198 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
3199 - fi
3200 - if ver_test "${old_ver}" -lt "7.7_p1"; then
3201 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
3202 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
3203 - elog "if you need to authenticate against LDAP."
3204 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
3205 - fi
3206 - if ver_test "${old_ver}" -lt "8.2_p1"; then
3207 - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
3208 - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
3209 - ewarn "connection is generally safe."
3210 - fi
3211 - done
3212 -
3213 - if [[ -n ${show_ssl_warning} ]]; then
3214 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
3215 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
3216 - elog "and update all clients/servers that utilize them."
3217 - fi
3218 -
3219 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
3220 - elog ""
3221 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
3222 - elog "and therefore disabled at runtime per default."
3223 - elog "Make sure your sshd_config is up to date and contains"
3224 - elog ""
3225 - elog " DisableMTAES yes"
3226 - elog ""
3227 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
3228 - elog ""
3229 - fi
3230 -}
3231
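--- a/net-misc/openssh/openssh-8.3_p1-r5.ebuild
+++ /dev/null
@@ -1,506 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.1_P1"
-
-HPN_VER="14.20"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp !security-key ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( >=dev-libs/libfido2-1.4.0:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist=]
- <dev-libs/openssl-1.1.0:0[bindist=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( >=sys-kernel/linux-headers-5.1 )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- # workaround for https://bugs.gentoo.org/734984
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-libressl.patch
- if use X509; then
- # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
- # # X509 and AES-CTR-MT don't get along, let's just drop it
- # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
-
- eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
- fi
- use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
- sed -e '/\t\tpercent \\/ d' \
- -i regress/Makefile || die
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
- # doesn't check for this, so force the replacement to be put in
- # place
- append-cppflags -DBROKEN_GLOB
- fi
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(usex X509 '' "$(use_with security-key security-key-builtin)")
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- # stackprotect is broken on musl x86 and ppc
- use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
- fi
-
- keepdir /var/empty
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}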
3744
3745 diff --git a/net-misc/openssh/openssh-8.4_p1-r2.ebuild b/net-misc/openssh/openssh-8.4_p1-r2.ebuild
3746 deleted file mode 100644
3747 index 67e9aad..0000000
3748 --- a/net-misc/openssh/openssh-8.4_p1-r2.ebuild
3749 +++ /dev/null
3750 @@ -1,511 +0,0 @@
3751 -# Copyright 1999-2021 Gentoo Authors
3752 -# Distributed under the terms of the GNU General Public License v2
3753 -
3754 -EAPI=7
3755 -
3756 -inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
3757 -
3758 -# Make it more portable between straight releases
3759 -# and _p? releases.
3760 -PARCH=${P/_}
3761 -
3762 -# PV to USE for HPN patches
3763 -#HPN_PV="${PV^^}"
3764 -HPN_PV="8.3_P1"
3765 -
3766 -HPN_VER="14.22"
3767 -HPN_PATCHES=(
3768 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
3769 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
3770 - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
3771 -)
3772 -
3773 -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
3774 -X509_VER="12.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
3775 -
3776 -DESCRIPTION="Port of OpenBSD's free SSH release"
3777 -HOMEPAGE="https://www.openssh.com/"
3778 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
3779 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
3780 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
3781 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
3782 -"
3783 -S="${WORKDIR}/${PARCH}"
3784 -
3785 -LICENSE="BSD GPL-2"
3786 -SLOT="0"
3787 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
3788 -# Probably want to drop ssl defaulting to on in a future version.
3789 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
3790 -
3791 -RESTRICT="!test? ( test )"
3792 -
3793 -REQUIRED_USE="
3794 - ldns? ( ssl )
3795 - pie? ( !static )
3796 - static? ( !kerberos !pam )
3797 - X509? ( !sctp !security-key ssl !xmss )
3798 - xmss? ( ssl )
3799 - test? ( ssl )
3800 -"
3801 -
3802 -LIB_DEPEND="
3803 - audit? ( sys-process/audit[static-libs(+)] )
3804 - ldns? (
3805 - net-libs/ldns[static-libs(+)]
3806 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
3807 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
3808 - )
3809 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
3810 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
3811 - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
3812 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
3813 - ssl? (
3814 - || (
3815 - (
3816 - >=dev-libs/openssl-1.0.1:0[bindist=]
3817 - <dev-libs/openssl-1.1.0:0[bindist=]
3818 - )
3819 - >=dev-libs/openssl-1.1.0g:0[bindist=]
3820 - )
3821 - dev-libs/openssl:0=[static-libs(+)]
3822 - )
3823 - virtual/libcrypt:=[static-libs(+)]
3824 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]
3825 -"
3826 -RDEPEND="
3827 - acct-group/sshd
3828 - acct-user/sshd
3829 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
3830 - pam? ( sys-libs/pam )
3831 - kerberos? ( virtual/krb5 )
3832 -"
3833 -DEPEND="${RDEPEND}
3834 - virtual/os-headers
3835 - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
3836 - static? ( ${LIB_DEPEND} )
3837 -"
3838 -RDEPEND="${RDEPEND}
3839 - pam? ( >=sys-auth/pambase-20081028 )
3840 - userland_GNU? ( !prefix? ( sys-apps/shadow ) )
3841 - X? ( x11-apps/xauth )
3842 -"
3843 -BDEPEND="
3844 - virtual/pkgconfig
3845 - sys-devel/autoconf
3846 -"
3847 -
3848 -pkg_pretend() {
3849 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
3850 - # than not be able to log in to their server any more
3851 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
3852 - local fail="
3853 - $(use hpn && maybe_fail hpn HPN_VER)
3854 - $(use sctp && maybe_fail sctp SCTP_PATCH)
3855 - $(use X509 && maybe_fail X509 X509_PATCH)
3856 - "
3857 - fail=$(echo ${fail})
3858 - if [[ -n ${fail} ]] ; then
3859 - eerror "Sorry, but this version does not yet support features"
3860 - eerror "that you requested: ${fail}"
3861 - eerror "Please mask ${PF} for now and check back later:"
3862 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
3863 - die "booooo"
3864 - fi
3865 -
3866 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
3867 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
3868 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
3869 - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
3870 - fi
3871 -}
3872 -
3873 -src_prepare() {
3874 - sed -i \
3875 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
3876 - pathnames.h || die
3877 -
3878 - # don't break .ssh/authorized_keys2 for fun
3879 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
3880 -
3881 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
3882 - eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
3883 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
3884 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
3885 - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
3886 - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
3887 -
3888 - # https://bugs.gentoo.org/749026
3889 - use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch
3890 -
3891 - # workaround for https://bugs.gentoo.org/734984
3892 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
3893 -
3894 - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
3895 -
3896 - local PATCHSET_VERSION_MACROS=()
3897 -
3898 - if use X509 ; then
3899 - pushd "${WORKDIR}" &>/dev/null || die
3900 - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
3901 - popd &>/dev/null || die
3902 -
3903 - eapply "${WORKDIR}"/${X509_PATCH%.*}
3904 -
3905 - # We need to patch package version or any X.509 sshd will reject our ssh client
3906 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
3907 - # error
3908 - einfo "Patching package version for X.509 patch set ..."
3909 - sed -i \
3910 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
3911 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
3912 -
3913 - einfo "Patching version.h to expose X.509 patch set ..."
3914 - sed -i \
3915 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
3916 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
3917 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
3918 - fi
3919 -
3920 - if use sctp ; then
3921 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
3922 -
3923 - einfo "Patching version.h to expose SCTP patch set ..."
3924 - sed -i \
3925 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
3926 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
3927 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
3928 -
3929 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
3930 - sed -i \
3931 - -e "/\t\tcfgparse \\\/d" \
3932 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
3933 - fi
3934 -
3935 - if use hpn ; then
3936 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
3937 - mkdir "${hpn_patchdir}" || die
3938 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
3939 - pushd "${hpn_patchdir}" &>/dev/null || die
3940 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
3941 - eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-libressl.patch
3942 - use X509 && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-X509-glue.patch
3943 - use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch
3944 - popd &>/dev/null || die
3945 -
3946 - eapply "${hpn_patchdir}"
3947 -
3948 - use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
3949 -
3950 - einfo "Patching Makefile.in for HPN patch set ..."
3951 - sed -i \
3952 - -e "/^LIBS=/ s/\$/ -lpthread/" \
3953 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
3954 -
3955 - einfo "Patching version.h to expose HPN patch set ..."
3956 - sed -i \
3957 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
3958 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
3959 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
3960 -
3961 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
3962 - einfo "Disabling known non-working MT AES cipher per default ..."
3963 -
3964 - cat > "${T}"/disable_mtaes.conf <<- EOF
3965 -
3966 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
3967 - # and therefore disabled per default.
3968 - DisableMTAES yes
3969 - EOF
3970 - sed -i \
3971 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
3972 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
3973 -
3974 - sed -i \
3975 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
3976 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
3977 - fi
3978 - fi
3979 -
3980 - if use X509 || use sctp || use hpn ; then
3981 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
3982 - sed -i \
3983 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
3984 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
3985 -
3986 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
3987 - sed -i \
3988 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
3989 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
3990 -
3991 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
3992 - sed -i \
3993 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
3994 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
3995 - fi
3996 -
3997 - sed -i \
3998 - -e "/#UseLogin no/d" \
3999 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
4000 -
4001 - eapply_user #473004
4002 -
4003 - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
4004 - sed -e '/\t\tpercent \\/ d' \
4005 - -i regress/Makefile || die
4006 -
4007 - tc-export PKG_CONFIG
4008 - local sed_args=(
4009 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
4010 - # Disable PATH reset, trust what portage gives us #254615
4011 - -e 's:^PATH=/:#PATH=/:'
4012 - # Disable fortify flags ... our gcc does this for us
4013 - -e 's:-D_FORTIFY_SOURCE=2::'
4014 - )
4015 -
4016 - # The -ftrapv flag ICEs on hppa #505182
4017 - use hppa && sed_args+=(
4018 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
4019 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
4020 - )
4021 - # _XOPEN_SOURCE causes header conflicts on Solaris
4022 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
4023 - -e 's/-D_XOPEN_SOURCE//'
4024 - )
4025 - sed -i "${sed_args[@]}" configure{.ac,} || die
4026 -
4027 - eautoreconf
4028 -}
4029 -
4030 -src_configure() {
4031 - addwrite /dev/ptmx
4032 -
4033 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
4034 - use static && append-ldflags -static
4035 - use xmss && append-cflags -DWITH_XMSS
4036 -
4037 - if [[ ${CHOST} == *-solaris* ]] ; then
4038 - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
4039 - # doesn't check for this, so force the replacement to be put in
4040 - # place
4041 - append-cppflags -DBROKEN_GLOB
4042 - fi
4043 -
4044 - local myconf=(
4045 - --with-ldflags="${LDFLAGS}"
4046 - --disable-strip
4047 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
4048 - --sysconfdir="${EPREFIX}"/etc/ssh
4049 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
4050 - --datadir="${EPREFIX}"/usr/share/openssh
4051 - --with-privsep-path="${EPREFIX}"/var/empty
4052 - --with-privsep-user=sshd
4053 - $(use_with audit audit linux)
4054 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
4055 - # We apply the sctp patch conditionally, so can't pass --without-sctp
4056 - # unconditionally else we get unknown flag warnings.
4057 - $(use sctp && use_with sctp)
4058 - $(use_with ldns ldns "${EPREFIX}"/usr)
4059 - $(use_with libedit)
4060 - $(use_with pam)
4061 - $(use_with pie)
4062 - $(use_with selinux)
4063 - $(usex X509 '' "$(use_with security-key security-key-builtin)")
4064 - $(use_with ssl openssl)
4065 - $(use_with ssl md5-passwords)
4066 - $(use_with ssl ssl-engine)
4067 - $(use_with !elibc_Cygwin hardening) #659210
4068 - )
4069 -
4070 - if use elibc_musl; then
4071 - # stackprotect is broken on musl x86 and ppc
4072 - if use x86 || use ppc; then
4073 - myconf+=( --without-stackprotect )
4074 - fi
4075 -
4076 - # musl defines bogus values for UTMP_FILE and WTMP_FILE
4077 - # https://bugs.gentoo.org/753230
4078 - myconf+=( --disable-utmp --disable-wtmp )
4079 - fi
4080 -
4081 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
4082 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
4083 -
4084 - econf "${myconf[@]}"
4085 -}
4086 -
4087 -src_test() {
4088 - local t skipped=() failed=() passed=()
4089 - local tests=( interop-tests compat-tests )
4090 -
4091 - local shell=$(egetshell "${UID}")
4092 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
4093 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
4094 - elog "user, so we will run a subset only."
4095 - skipped+=( tests )
4096 - else
4097 - tests+=( tests )
4098 - fi
4099 -
4100 - # It will also attempt to write to the homedir .ssh.
4101 - local sshhome=${T}/homedir
4102 - mkdir -p "${sshhome}"/.ssh
4103 - for t in "${tests[@]}" ; do
4104 - # Some tests read from stdin ...
4105 - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
4106 - SUDO="" SSH_SK_PROVIDER="" \
4107 - TEST_SSH_UNSAFE_PERMISSIONS=1 \
4108 - emake -k -j1 ${t} </dev/null \
4109 - && passed+=( "${t}" ) \
4110 - || failed+=( "${t}" )
4111 - done
4112 -
4113 - einfo "Passed tests: ${passed[*]}"
4114 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
4115 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
4116 -}
4117 -
4118 -# Gentoo tweaks to default config files.
4119 -tweak_ssh_configs() {
4120 - local locale_vars=(
4121 - # These are language variables that POSIX defines.
4122 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
4123 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
4124 -
4125 - # These are the GNU extensions.
4126 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
4127 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
4128 - )
4129 -
4130 - # First the server config.
4131 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
4132 -
4133 - # Allow client to pass locale environment variables. #367017
4134 - AcceptEnv ${locale_vars[*]}
4135 -
4136 - # Allow client to pass COLORTERM to match TERM. #658540
4137 - AcceptEnv COLORTERM
4138 - EOF
4139 -
4140 - # Then the client config.
4141 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
4142 -
4143 - # Send locale environment variables. #367017
4144 - SendEnv ${locale_vars[*]}
4145 -
4146 - # Send COLORTERM to match TERM. #658540
4147 - SendEnv COLORTERM
4148 - EOF
4149 -
4150 - if use pam ; then
4151 - sed -i \
4152 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
4153 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
4154 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
4155 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
4156 - "${ED}"/etc/ssh/sshd_config || die
4157 - fi
4158 -
4159 - if use livecd ; then
4160 - sed -i \
4161 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
4162 - "${ED}"/etc/ssh/sshd_config || die
4163 - fi
4164 -}
4165 -
4166 -src_install() {
4167 - emake install-nokeys DESTDIR="${D}"
4168 - fperms 600 /etc/ssh/sshd_config
4169 - dobin contrib/ssh-copy-id
4170 - newinitd "${FILESDIR}"/sshd-r1.initd sshd
4171 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
4172 -
4173 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
4174 -
4175 - tweak_ssh_configs
4176 -
4177 - doman contrib/ssh-copy-id.1
4178 - dodoc CREDITS OVERVIEW README* TODO sshd_config
4179 - use hpn && dodoc HPN-README
4180 - use X509 || dodoc ChangeLog
4181 -
4182 - diropts -m 0700
4183 - dodir /etc/skel/.ssh
4184 -
4185 - # https://bugs.gentoo.org/733802
4186 - if ! use scp; then
4187 - rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
4188 - || die "failed to remove scp"
4189 - fi
4190 -
4191 - rmdir "${ED}"/var/empty || die
4192 -
4193 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
4194 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
4195 -}
4196 -
4197 -pkg_preinst() {
4198 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
4199 - show_ssl_warning=1
4200 - fi
4201 -}
4202 -
4203 -pkg_postinst() {
4204 - local old_ver
4205 - for old_ver in ${REPLACING_VERSIONS}; do
4206 - if ver_test "${old_ver}" -lt "5.8_p1"; then
4207 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
4208 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
4209 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
4210 - fi
4211 - if ver_test "${old_ver}" -lt "7.0_p1"; then
4212 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
4213 - elog "Make sure to update any configs that you might have. Note that xinetd might"
4214 - elog "be an alternative for you as it supports USE=tcpd."
4215 - fi
4216 - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
4217 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
4218 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
4219 - elog "adding to your sshd_config or ~/.ssh/config files:"
4220 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
4221 - elog "You should however generate new keys using rsa or ed25519."
4222 -
4223 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
4224 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
4225 - elog "out of the box. If you need this, please update your sshd_config explicitly."
4226 - fi
4227 - if ver_test "${old_ver}" -lt "7.6_p1"; then
4228 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
4229 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
4230 - fi
4231 - if ver_test "${old_ver}" -lt "7.7_p1"; then
4232 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
4233 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
4234 - elog "if you need to authenticate against LDAP."
4235 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
4236 - fi
4237 - if ver_test "${old_ver}" -lt "8.2_p1"; then
4238 - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
4239 - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
4240 - ewarn "connection is generally safe."
4241 - fi
4242 - done
4243 -
4244 - if [[ -n ${show_ssl_warning} ]]; then
4245 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
4246 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
4247 - elog "and update all clients/servers that utilize them."
4248 - fi
4249 -
4250 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
4251 - elog ""
4252 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
4253 - elog "and therefore disabled at runtime per default."
4254 - elog "Make sure your sshd_config is up to date and contains"
4255 - elog ""
4256 - elog " DisableMTAES yes"
4257 - elog ""
4258 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
4259 - elog ""
4260 - fi
4261 -}