
From: Marc Schiffbauer <mschiff@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date: Fri, 24 Dec 2021 10:57:46
Message-Id: 1640342341.cb24554516cbb10be9b7c75328b46a620b83be75.mschiff@gentoo
1 commit: cb24554516cbb10be9b7c75328b46a620b83be75
2 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3 AuthorDate: Wed Dec 22 22:15:48 2021 +0000
4 Commit: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
5 CommitDate: Fri Dec 24 10:39:01 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb245545
7
8 net-misc/openssh: drop 8.6_p1-r2, 8.7_p1-r2, 8.8_p1-r2
9
10 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
11 Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
12
13 net-misc/openssh/Manifest | 3 -
14 .../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 -
15 .../openssh/files/openssh-8.5_p1-GSSAPI-dns.patch | 354 --------------
16 .../files/openssh-8.5_p1-X509-glue-13.0.1.patch | 72 ---
17 .../openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch | 328 -------------
18 .../files/openssh-8.5_p1-hpn-15.2-glue.patch | 104 -----
19 .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 -
20 .../files/openssh-8.6_p1-X509-glue-13.1.patch | 72 ---
21 .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch | 357 --------------
22 .../files/openssh-8.6_p1-hpn-15.2-glue.patch | 132 ------
23 net-misc/openssh/metadata.xml | 1 -
24 net-misc/openssh/openssh-8.6_p1-r2.ebuild | 515 ---------------------
25 net-misc/openssh/openssh-8.7_p1-r2.ebuild | 513 --------------------
26 net-misc/openssh/openssh-8.8_p1-r2.ebuild | 508 --------------------
27 14 files changed, 2990 deletions(-)
28
29 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
30 index 91d4f77fa8f4..5e5c15efb159 100644
31 --- a/net-misc/openssh/Manifest
32 +++ b/net-misc/openssh/Manifest
33 @@ -1,6 +1,3 @@
34 -DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
35 -DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
36 -DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
37 DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
38 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
39 DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
40
41 diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
42 deleted file mode 100644
43 index 37905ce6afca..000000000000
44 --- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
45 +++ /dev/null
46 @@ -1,13 +0,0 @@
47 -diff --git a/kex.c b/kex.c
48 -index 34808b5c..88d7ccac 100644
49 ---- a/kex.c
50 -+++ b/kex.c
51 -@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
52 - if (version_addendum != NULL && *version_addendum == '\0')
53 - version_addendum = NULL;
54 - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
55 -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
56 -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
57 - version_addendum == NULL ? "" : " ",
58 - version_addendum == NULL ? "" : version_addendum)) != 0) {
59 - error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
60
61 diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
62 deleted file mode 100644
63 index eec66ade4b4e..000000000000
64 --- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
65 +++ /dev/null
66 @@ -1,354 +0,0 @@
67 ---- a/auth.c 2021-03-02 04:31:47.000000000 -0600
68 -+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
69 -@@ -727,119 +727,6 @@ fakepw(void)
70 - return (&fake);
71 - }
72 -
73 --/*
74 -- * Returns the remote DNS hostname as a string. The returned string must not
75 -- * be freed. NB. this will usually trigger a DNS query the first time it is
76 -- * called.
77 -- * This function does additional checks on the hostname to mitigate some
78 -- * attacks on legacy rhosts-style authentication.
79 -- * XXX is RhostsRSAAuthentication vulnerable to these?
80 -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
81 -- */
82 --
83 --static char *
84 --remote_hostname(struct ssh *ssh)
85 --{
86 -- struct sockaddr_storage from;
87 -- socklen_t fromlen;
88 -- struct addrinfo hints, *ai, *aitop;
89 -- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
90 -- const char *ntop = ssh_remote_ipaddr(ssh);
91 --
92 -- /* Get IP address of client. */
93 -- fromlen = sizeof(from);
94 -- memset(&from, 0, sizeof(from));
95 -- if (getpeername(ssh_packet_get_connection_in(ssh),
96 -- (struct sockaddr *)&from, &fromlen) == -1) {
97 -- debug("getpeername failed: %.100s", strerror(errno));
98 -- return xstrdup(ntop);
99 -- }
100 --
101 -- ipv64_normalise_mapped(&from, &fromlen);
102 -- if (from.ss_family == AF_INET6)
103 -- fromlen = sizeof(struct sockaddr_in6);
104 --
105 -- debug3("Trying to reverse map address %.100s.", ntop);
106 -- /* Map the IP address to a host name. */
107 -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
108 -- NULL, 0, NI_NAMEREQD) != 0) {
109 -- /* Host name not found. Use ip address. */
110 -- return xstrdup(ntop);
111 -- }
112 --
113 -- /*
114 -- * if reverse lookup result looks like a numeric hostname,
115 -- * someone is trying to trick us by PTR record like following:
116 -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
117 -- */
118 -- memset(&hints, 0, sizeof(hints));
119 -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
120 -- hints.ai_flags = AI_NUMERICHOST;
121 -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
122 -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
123 -- name, ntop);
124 -- freeaddrinfo(ai);
125 -- return xstrdup(ntop);
126 -- }
127 --
128 -- /* Names are stored in lowercase. */
129 -- lowercase(name);
130 --
131 -- /*
132 -- * Map it back to an IP address and check that the given
133 -- * address actually is an address of this host. This is
134 -- * necessary because anyone with access to a name server can
135 -- * define arbitrary names for an IP address. Mapping from
136 -- * name to IP address can be trusted better (but can still be
137 -- * fooled if the intruder has access to the name server of
138 -- * the domain).
139 -- */
140 -- memset(&hints, 0, sizeof(hints));
141 -- hints.ai_family = from.ss_family;
142 -- hints.ai_socktype = SOCK_STREAM;
143 -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
144 -- logit("reverse mapping checking getaddrinfo for %.700s "
145 -- "[%s] failed.", name, ntop);
146 -- return xstrdup(ntop);
147 -- }
148 -- /* Look for the address from the list of addresses. */
149 -- for (ai = aitop; ai; ai = ai->ai_next) {
150 -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
151 -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
152 -- (strcmp(ntop, ntop2) == 0))
153 -- break;
154 -- }
155 -- freeaddrinfo(aitop);
156 -- /* If we reached the end of the list, the address was not there. */
157 -- if (ai == NULL) {
158 -- /* Address not found for the host name. */
159 -- logit("Address %.100s maps to %.600s, but this does not "
160 -- "map back to the address.", ntop, name);
161 -- return xstrdup(ntop);
162 -- }
163 -- return xstrdup(name);
164 --}
165 --
166 --/*
167 -- * Return the canonical name of the host in the other side of the current
168 -- * connection. The host name is cached, so it is efficient to call this
169 -- * several times.
170 -- */
171 --
172 --const char *
173 --auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
174 --{
175 -- static char *dnsname;
176 --
177 -- if (!use_dns)
178 -- return ssh_remote_ipaddr(ssh);
179 -- else if (dnsname != NULL)
180 -- return dnsname;
181 -- else {
182 -- dnsname = remote_hostname(ssh);
183 -- return dnsname;
184 -- }
185 --}
186 -
187 - /* These functions link key/cert options to the auth framework */
188 -
189 ---- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
190 -+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
191 -@@ -202,3 +202,117 @@ get_local_port(int sock)
192 - {
193 - return get_sock_port(sock, 1);
194 - }
195 -+
196 -+/*
197 -+ * Returns the remote DNS hostname as a string. The returned string must not
198 -+ * be freed. NB. this will usually trigger a DNS query the first time it is
199 -+ * called.
200 -+ * This function does additional checks on the hostname to mitigate some
201 -+ * attacks on legacy rhosts-style authentication.
202 -+ * XXX is RhostsRSAAuthentication vulnerable to these?
203 -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
204 -+ */
205 -+
206 -+static char *
207 -+remote_hostname(struct ssh *ssh)
208 -+{
209 -+ struct sockaddr_storage from;
210 -+ socklen_t fromlen;
211 -+ struct addrinfo hints, *ai, *aitop;
212 -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
213 -+ const char *ntop = ssh_remote_ipaddr(ssh);
214 -+
215 -+ /* Get IP address of client. */
216 -+ fromlen = sizeof(from);
217 -+ memset(&from, 0, sizeof(from));
218 -+ if (getpeername(ssh_packet_get_connection_in(ssh),
219 -+ (struct sockaddr *)&from, &fromlen) == -1) {
220 -+ debug("getpeername failed: %.100s", strerror(errno));
221 -+ return xstrdup(ntop);
222 -+ }
223 -+
224 -+ ipv64_normalise_mapped(&from, &fromlen);
225 -+ if (from.ss_family == AF_INET6)
226 -+ fromlen = sizeof(struct sockaddr_in6);
227 -+
228 -+ debug3("Trying to reverse map address %.100s.", ntop);
229 -+ /* Map the IP address to a host name. */
230 -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
231 -+ NULL, 0, NI_NAMEREQD) != 0) {
232 -+ /* Host name not found. Use ip address. */
233 -+ return xstrdup(ntop);
234 -+ }
235 -+
236 -+ /*
237 -+ * if reverse lookup result looks like a numeric hostname,
238 -+ * someone is trying to trick us by PTR record like following:
239 -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
240 -+ */
241 -+ memset(&hints, 0, sizeof(hints));
242 -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
243 -+ hints.ai_flags = AI_NUMERICHOST;
244 -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
245 -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
246 -+ name, ntop);
247 -+ freeaddrinfo(ai);
248 -+ return xstrdup(ntop);
249 -+ }
250 -+
251 -+ /* Names are stored in lowercase. */
252 -+ lowercase(name);
253 -+
254 -+ /*
255 -+ * Map it back to an IP address and check that the given
256 -+ * address actually is an address of this host. This is
257 -+ * necessary because anyone with access to a name server can
258 -+ * define arbitrary names for an IP address. Mapping from
259 -+ * name to IP address can be trusted better (but can still be
260 -+ * fooled if the intruder has access to the name server of
261 -+ * the domain).
262 -+ */
263 -+ memset(&hints, 0, sizeof(hints));
264 -+ hints.ai_family = from.ss_family;
265 -+ hints.ai_socktype = SOCK_STREAM;
266 -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
267 -+ logit("reverse mapping checking getaddrinfo for %.700s "
268 -+ "[%s] failed.", name, ntop);
269 -+ return xstrdup(ntop);
270 -+ }
271 -+ /* Look for the address from the list of addresses. */
272 -+ for (ai = aitop; ai; ai = ai->ai_next) {
273 -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
274 -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
275 -+ (strcmp(ntop, ntop2) == 0))
276 -+ break;
277 -+ }
278 -+ freeaddrinfo(aitop);
279 -+ /* If we reached the end of the list, the address was not there. */
280 -+ if (ai == NULL) {
281 -+ /* Address not found for the host name. */
282 -+ logit("Address %.100s maps to %.600s, but this does not "
283 -+ "map back to the address.", ntop, name);
284 -+ return xstrdup(ntop);
285 -+ }
286 -+ return xstrdup(name);
287 -+}
288 -+
289 -+/*
290 -+ * Return the canonical name of the host in the other side of the current
291 -+ * connection. The host name is cached, so it is efficient to call this
292 -+ * several times.
293 -+ */
294 -+
295 -+const char *
296 -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
297 -+{
298 -+ static char *dnsname;
299 -+
300 -+ if (!use_dns)
301 -+ return ssh_remote_ipaddr(ssh);
302 -+ else if (dnsname != NULL)
303 -+ return dnsname;
304 -+ else {
305 -+ dnsname = remote_hostname(ssh);
306 -+ return dnsname;
307 -+ }
308 -+}
309 -diff --git a/readconf.c b/readconf.c
310 -index 724974b7..97a1ffd8 100644
311 ---- a/readconf.c
312 -+++ b/readconf.c
313 -@@ -161,6 +161,7 @@ typedef enum {
314 - oClearAllForwardings, oNoHostAuthenticationForLocalhost,
315 - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
316 - oAddressFamily, oGssAuthentication, oGssDelegateCreds,
317 -+ oGssTrustDns,
318 - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
319 - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
320 - oHashKnownHosts,
321 -@@ -206,9 +207,11 @@ static struct {
322 - #if defined(GSSAPI)
323 - { "gssapiauthentication", oGssAuthentication },
324 - { "gssapidelegatecredentials", oGssDelegateCreds },
325 -+ { "gssapitrustdns", oGssTrustDns },
326 - # else
327 - { "gssapiauthentication", oUnsupported },
328 - { "gssapidelegatecredentials", oUnsupported },
329 -+ { "gssapitrustdns", oUnsupported },
330 - #endif
331 - #ifdef ENABLE_PKCS11
332 - { "pkcs11provider", oPKCS11Provider },
333 -@@ -1083,6 +1086,10 @@ parse_time:
334 - intptr = &options->gss_deleg_creds;
335 - goto parse_flag;
336 -
337 -+ case oGssTrustDns:
338 -+ intptr = &options->gss_trust_dns;
339 -+ goto parse_flag;
340 -+
341 - case oBatchMode:
342 - intptr = &options->batch_mode;
343 - goto parse_flag;
344 -@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
345 - options->challenge_response_authentication = -1;
346 - options->gss_authentication = -1;
347 - options->gss_deleg_creds = -1;
348 -+ options->gss_trust_dns = -1;
349 - options->password_authentication = -1;
350 - options->kbd_interactive_authentication = -1;
351 - options->kbd_interactive_devices = NULL;
352 -@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
353 - options->gss_authentication = 0;
354 - if (options->gss_deleg_creds == -1)
355 - options->gss_deleg_creds = 0;
356 -+ if (options->gss_trust_dns == -1)
357 -+ options->gss_trust_dns = 0;
358 - if (options->password_authentication == -1)
359 - options->password_authentication = 1;
360 - if (options->kbd_interactive_authentication == -1)
361 -diff --git a/readconf.h b/readconf.h
362 -index 2fba866e..da3ce87a 100644
363 ---- a/readconf.h
364 -+++ b/readconf.h
365 -@@ -42,6 +42,7 @@ typedef struct {
366 - /* Try S/Key or TIS, authentication. */
367 - int gss_authentication; /* Try GSS authentication */
368 - int gss_deleg_creds; /* Delegate GSS credentials */
369 -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
370 - int password_authentication; /* Try password
371 - * authentication. */
372 - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
373 -diff --git a/ssh_config.5 b/ssh_config.5
374 -index f8119189..e0fd0d76 100644
375 ---- a/ssh_config.5
376 -+++ b/ssh_config.5
377 -@@ -783,6 +783,16 @@ The default is
378 - Forward (delegate) credentials to the server.
379 - The default is
380 - .Cm no .
381 -+Note that this option applies to protocol version 2 connections using GSSAPI.
382 -+.It Cm GSSAPITrustDns
383 -+Set to
384 -+.Dq yes to indicate that the DNS is trusted to securely canonicalize
385 -+the name of the host being connected to. If
386 -+.Dq no, the hostname entered on the
387 -+command line will be passed untouched to the GSSAPI library.
388 -+The default is
389 -+.Dq no .
390 -+This option only applies to protocol version 2 connections using GSSAPI.
391 - .It Cm HashKnownHosts
392 - Indicates that
393 - .Xr ssh 1
394 -diff --git a/sshconnect2.c b/sshconnect2.c
395 -index 059c9480..ab6f6832 100644
396 ---- a/sshconnect2.c
397 -+++ b/sshconnect2.c
398 -@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
399 - OM_uint32 min;
400 - int r, ok = 0;
401 - gss_OID mech = NULL;
402 -+ const char *gss_host;
403 -+
404 -+ if (options.gss_trust_dns) {
405 -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
406 -+ gss_host = auth_get_canonical_hostname(ssh, 1);
407 -+ } else
408 -+ gss_host = authctxt->host;
409 -
410 - /* Try one GSSAPI method at a time, rather than sending them all at
411 - * once. */
412 -@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
413 - elements[authctxt->mech_tried];
414 - /* My DER encoding requires length<128 */
415 - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
416 -- mech, authctxt->host)) {
417 -+ mech, gss_host)) {
418 - ok = 1; /* Mechanism works */
419 - } else {
420 - authctxt->mech_tried++;
421
422 diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
423 deleted file mode 100644
424 index c7812c622c26..000000000000
425 --- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
426 +++ /dev/null
427 @@ -1,72 +0,0 @@
428 ---- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700
429 -+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700
430 -@@ -46675,12 +46675,11 @@
431 -
432 - install-files:
433 - $(MKDIR_P) $(DESTDIR)$(bindir)
434 --@@ -380,6 +364,8 @@
435 -+@@ -380,6 +364,7 @@
436 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
437 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
438 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
439 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
440 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
441 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
442 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
443 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
444 -@@ -63967,7 +63966,7 @@
445 - - echo "putty interop tests not enabled"
446 - - exit 0
447 - -fi
448 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
449 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
450 -
451 - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
452 - verbose "$tid: cipher $c"
453 -@@ -63982,7 +63981,7 @@
454 - - echo "putty interop tests not enabled"
455 - - exit 0
456 - -fi
457 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
458 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
459 -
460 - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
461 - verbose "$tid: kex $k"
462 -@@ -63997,7 +63996,7 @@
463 - - echo "putty interop tests not enabled"
464 - - exit 0
465 - -fi
466 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
467 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
468 -
469 - if [ "`${SSH} -Q compression`" = "none" ]; then
470 - comp="0"
471 -@@ -64129,9 +64128,9 @@
472 -
473 - +# cross-project configuration
474 - +if test "$sshd_type" = "pkix" ; then
475 --+ unset_arg=''
476 -++ unset_arg=
477 - +else
478 --+ unset_arg=none
479 -++ unset_arg=
480 - +fi
481 - +
482 - cat > $OBJ/sshd_config.i << _EOF
483 -@@ -122247,16 +122246,6 @@
484 - +int asnmprintf(char **, size_t, int *, const char *, ...)
485 - __attribute__((format(printf, 4, 5)));
486 - void msetlocale(void);
487 --diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
488 ----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
489 --+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200
490 --@@ -2,5 +2,4 @@
491 --
492 -- #define SSH_VERSION "OpenSSH_8.5"
493 --
494 ---#define SSH_PORTABLE "p1"
495 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
496 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
497 - diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
498 - --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
499 - +++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200
500
501 diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
502 deleted file mode 100644
503 index 413cc8b9c3dc..000000000000
504 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
505 +++ /dev/null
506 @@ -1,328 +0,0 @@
507 -diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
508 ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
509 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
510 -@@ -3,9 +3,9 @@
511 - --- a/Makefile.in
512 - +++ b/Makefile.in
513 - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
514 -- CFLAGS_NOPIE=@CFLAGS_NOPIE@
515 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
516 -- PICFLAG=@PICFLAG@
517 -+ LD=@LD@
518 -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
519 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
520 - -LIBS=@LIBS@
521 - +LIBS=@LIBS@ -lpthread
522 - K5LIBS=@K5LIBS@
523 -@@ -803,8 +803,8 @@
524 - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
525 - {
526 - struct session_state *state;
527 --- const struct sshcipher *none = cipher_by_name("none");
528 --+ struct sshcipher *none = cipher_by_name("none");
529 -+- const struct sshcipher *none = cipher_none();
530 -++ struct sshcipher *none = cipher_none();
531 - int r;
532 -
533 - if (none == NULL) {
534 -@@ -898,20 +898,20 @@
535 - options->fingerprint_hash = -1;
536 - options->update_hostkeys = -1;
537 - + options->disable_multithreaded = -1;
538 -- options->hostbased_accepted_algos = NULL;
539 -- options->pubkey_accepted_algos = NULL;
540 -- options->known_hosts_command = NULL;
541 -+ }
542 -+
543 -+ /*
544 - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
545 -+ options->update_hostkeys = 0;
546 - if (options->sk_provider == NULL)
547 - options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
548 -- #endif
549 - + if (options->update_hostkeys == -1)
550 - + options->update_hostkeys = 0;
551 - + if (options->disable_multithreaded == -1)
552 - + options->disable_multithreaded = 0;
553 -
554 -- /* Expand KEX name lists */
555 -- all_cipher = cipher_alg_list(',', 0);
556 -+ /* expand KEX and etc. name lists */
557 -+ { char *all;
558 - diff --git a/readconf.h b/readconf.h
559 - index 2fba866e..7f8f0227 100644
560 - --- a/readconf.h
561 -@@ -950,9 +950,9 @@
562 - /* Portable-specific options */
563 - sUsePAM,
564 - + sDisableMTAES,
565 -- /* Standard Options */
566 -- sPort, sHostKeyFile, sLoginGraceTime,
567 -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
568 -+ /* X.509 Standard Options */
569 -+ sHostbasedAlgorithms,
570 -+ sPubkeyAlgorithms,
571 - @@ -662,6 +666,7 @@ static struct {
572 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
573 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
574 -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
575 ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
576 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
577 -@@ -157,6 +157,36 @@
578 - + Allan Jude provided the code for the NoneMac and buffer normalization.
579 - + This work was financed, in part, by Cisco System, Inc., the National
580 - + Library of Medicine, and the National Science Foundation.
581 -+diff --git a/auth2.c b/auth2.c
582 -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
583 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
584 -+@@ -229,16 +229,17 @@
585 -+ double delay;
586 -+
587 -+ digest_alg = ssh_digest_maxbytes();
588 -+- len = ssh_digest_bytes(digest_alg);
589 -+- hash = xmalloc(len);
590 -++ if (len = ssh_digest_bytes(digest_alg) > 0) {
591 -++ hash = xmalloc(len);
592 -+
593 -+- (void)snprintf(b, sizeof b, "%llu%s",
594 -+- (unsigned long long)options.timing_secret, user);
595 -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
596 -+- fatal_f("ssh_digest_memory");
597 -+- /* 0-4.2 ms of delay */
598 -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
599 -+- freezero(hash, len);
600 -++ (void)snprintf(b, sizeof b, "%llu%s",
601 -++ (unsigned long long)options.timing_secret, user);
602 -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
603 -++ fatal_f("ssh_digest_memory");
604 -++ /* 0-4.2 ms of delay */
605 -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
606 -++ freezero(hash, len);
607 -++ }
608 -+ debug3_f("user specific delay %0.3lfms", delay/1000);
609 -+ return MIN_FAIL_DELAY_SECONDS + delay;
610 -+ }
611 - diff --git a/channels.c b/channels.c
612 - index b60d56c4..0e363c15 100644
613 - --- a/channels.c
614 -@@ -209,14 +239,14 @@
615 - static void
616 - channel_pre_open(struct ssh *ssh, Channel *c,
617 - fd_set *readset, fd_set *writeset)
618 --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
619 -+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
620 -
621 - if (c->type == SSH_CHANNEL_OPEN &&
622 - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
623 - - ((c->local_window_max - c->local_window >
624 - - c->local_maxpacket*3) ||
625 --+ ((ssh_packet_is_interactive(ssh) &&
626 --+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
627 -++ ((ssh_packet_is_interactive(ssh) &&
628 -++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
629 - c->local_window < c->local_window_max/2) &&
630 - c->local_consumed > 0) {
631 - + u_int addition = 0;
632 -@@ -235,9 +265,8 @@
633 - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
634 - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
635 - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
636 -- (r = sshpkt_send(ssh)) != 0) {
637 -- fatal_fr(r, "channel %i", c->self);
638 -- }
639 -+ (r = sshpkt_send(ssh)) != 0)
640 -+ fatal_fr(r, "channel %d", c->self);
641 - - debug2("channel %d: window %d sent adjust %d", c->self,
642 - - c->local_window, c->local_consumed);
643 - - c->local_window += c->local_consumed;
644 -@@ -386,21 +415,45 @@
645 - index 69befa96..90b5f338 100644
646 - --- a/compat.c
647 - +++ b/compat.c
648 --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
649 -- debug_f("match: %s pat %s compat 0x%08x",
650 -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
651 -+ static u_int
652 -+ compat_datafellows(const char *version)
653 -+ {
654 -+- int i;
655 -++ int i, bugs = 0;
656 -+ static struct {
657 -+ char *pat;
658 -+ int bugs;
659 -+@@ -147,11 +147,26 @@
660 -+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
661 -+ debug("match: %s pat %s compat 0x%08x",
662 - version, check[i].pat, check[i].bugs);
663 -- ssh->compat = check[i].bugs;
664 - + /* Check to see if the remote side is OpenSSH and not HPN */
665 --+ /* TODO: need to use new method to test for this */
666 - + if (strstr(version, "OpenSSH") != NULL) {
667 - + if (strstr(version, "hpn") == NULL) {
668 --+ ssh->compat |= SSH_BUG_LARGEWINDOW;
669 -++ bugs |= SSH_BUG_LARGEWINDOW;
670 - + debug("Remote is NON-HPN aware");
671 - + }
672 - + }
673 -- return;
674 -+- return check[i].bugs;
675 -++ bugs |= check[i].bugs;
676 - }
677 - }
678 -+- debug("no match: %s", version);
679 -+- return 0;
680 -++ /* Check to see if the remote side is OpenSSH and not HPN */
681 -++ if (strstr(version, "OpenSSH") != NULL) {
682 -++ if (strstr(version, "hpn") == NULL) {
683 -++ bugs |= SSH_BUG_LARGEWINDOW;
684 -++ debug("Remote is NON-HPN aware");
685 -++ }
686 -++ }
687 -++ if (bugs == 0)
688 -++ debug("no match: %s", version);
689 -++ return bugs;
690 -+ }
691 -+
692 -+ char *
693 - diff --git a/compat.h b/compat.h
694 - index c197fafc..ea2e17a7 100644
695 - --- a/compat.h
696 -@@ -459,7 +512,7 @@
697 - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
698 - int nenc, nmac, ncomp;
699 - u_int mode, ctos, need, dh_need, authlen;
700 -- int r, first_kex_follows;
701 -+ int r, first_kex_follows = 0;
702 - + int auth_flag = 0;
703 - +
704 - + auth_flag = packet_authentication_state(ssh);
705 -@@ -1035,19 +1088,6 @@
706 -
707 - /* File to read commands from */
708 - FILE* infile;
709 --diff --git a/ssh-keygen.c b/ssh-keygen.c
710 --index cfb5f115..36a6e519 100644
711 ----- a/ssh-keygen.c
712 --+++ b/ssh-keygen.c
713 --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
714 -- freezero(pin, strlen(pin));
715 -- error_r(r, "Unable to load resident keys");
716 -- return -1;
717 --- }
718 --+ }
719 -- if (nkeys == 0)
720 -- logit("No keys to download");
721 -- if (pin != NULL)
722 - diff --git a/ssh.c b/ssh.c
723 - index 53330da5..27b9770e 100644
724 - --- a/ssh.c
725 -@@ -1093,7 +1133,7 @@
726 - + else
727 - + options.hpn_buffer_size = 2 * 1024 * 1024;
728 - +
729 --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
730 -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
731 - + debug("HPN to Non-HPN Connection");
732 - + } else {
733 - + int sock, socksize;
734 -@@ -1335,6 +1375,28 @@
735 - /* Bind the socket to the desired port. */
736 - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
737 - error("Bind to port %s on %s failed: %.200s.",
738 -+@@ -1625,13 +1625,14 @@
739 -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
740 -+ sshbuf_len(server_cfg)) != 0)
741 -+ fatal_f("ssh_digest_update");
742 -+- len = ssh_digest_bytes(digest_alg);
743 -+- hash = xmalloc(len);
744 -+- if (ssh_digest_final(ctx, hash, len) != 0)
745 -+- fatal_f("ssh_digest_final");
746 -+- options.timing_secret = PEEK_U64(hash);
747 -+- freezero(hash, len);
748 -+- ssh_digest_free(ctx);
749 -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
750 -++ hash = xmalloc(len);
751 -++ if (ssh_digest_final(ctx, hash, len) != 0)
752 -++ fatal_f("ssh_digest_final");
753 -++ options.timing_secret = PEEK_U64(hash);
754 -++ freezero(hash, len);
755 -++ ssh_digest_free(ctx);
756 -++ }
757 -+ ctx = NULL;
758 -+ return;
759 -+ }
760 - @@ -1727,6 +1734,19 @@ main(int ac, char **av)
761 - /* Fill in default values for those options not explicitly set. */
762 - fill_default_server_options(&options);
763 -@@ -1405,14 +1467,3 @@
764 - # Example of overriding settings on a per-user basis
765 - #Match User anoncvs
766 - # X11Forwarding no
767 --diff --git a/version.h b/version.h
768 --index 6b4fa372..332fb486 100644
769 ----- a/version.h
770 --+++ b/version.h
771 --@@ -3,4 +3,5 @@
772 -- #define SSH_VERSION "OpenSSH_8.5"
773 --
774 -- #define SSH_PORTABLE "p1"
775 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
776 --+#define SSH_HPN "-hpn15v2"
777 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
778 -diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
779 ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
780 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
781 -@@ -12,9 +12,9 @@
782 - static long stalled; /* how long we have been stalled */
783 - static int bytes_per_second; /* current speed in bytes per second */
784 - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
785 -+ off_t bytes_left;
786 - int cur_speed;
787 -- int hours, minutes, seconds;
788 -- int file_len;
789 -+ int len;
790 - + off_t delta_pos;
791 -
792 - if ((!force_update && !alarm_fired && !win_resized) || !can_output())
793 -@@ -30,15 +30,17 @@
794 - if (bytes_left > 0)
795 - elapsed = now - last_update;
796 - else {
797 --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
798 --
799 -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
800 -+ buf[1] = '\0';
801 -+
802 - /* filename */
803 -- buf[0] = '\0';
804 --- file_len = win_size - 36;
805 --+ file_len = win_size - 45;
806 -- if (file_len > 0) {
807 -- buf[0] = '\r';
808 -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
809 -+- if (win_size > 36) {
810 -++ if (win_size > 45) {
811 -+- int file_len = win_size - 36;
812 -++ int file_len = win_size - 45;
813 -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
814 -+ file_len, file);
815 -+ }
816 - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
817 - (off_t)bytes_per_second);
818 - strlcat(buf, "/s ", win_size);
819 -@@ -63,15 +65,3 @@
820 - }
821 -
822 - /*ARGSUSED*/
823 --diff --git a/ssh-keygen.c b/ssh-keygen.c
824 --index cfb5f115..986ff59b 100644
825 ----- a/ssh-keygen.c
826 --+++ b/ssh-keygen.c
827 --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
828 --
829 -- if (skprovider == NULL)
830 -- fatal("Cannot download keys without provider");
831 ---
832 -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
833 -- if (!quiet) {
834 -- printf("You may need to touch your authenticator "
835
836 diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
837 deleted file mode 100644
838 index 8827fe88d7aa..000000000000
839 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
840 +++ /dev/null
841 @@ -1,104 +0,0 @@
842 -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
843 ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700
844 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700
845 -@@ -536,18 +536,10 @@
846 - if (state->rekey_limit)
847 - *max_blocks = MINIMUM(*max_blocks,
848 - state->rekey_limit / enc->block_size);
849 --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
850 -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
851 - return 0;
852 - }
853 -
854 --+/* this supports the forced rekeying required for the NONE cipher */
855 --+int rekey_requested = 0;
856 --+void
857 --+packet_request_rekeying(void)
858 --+{
859 --+ rekey_requested = 1;
860 --+}
861 --+
862 - +/* used to determine if pre or post auth when rekeying for aes-ctr
863 - + * and none cipher switch */
864 - +int
865 -@@ -561,20 +553,6 @@
866 - #define MAX_PACKETS (1U<<31)
867 - static int
868 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
869 --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
870 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
871 -- return 0;
872 --
873 --+ /* used to force rekeying when called for by the none
874 --+ * cipher switch methods -cjr */
875 --+ if (rekey_requested == 1) {
876 --+ rekey_requested = 0;
877 --+ return 1;
878 --+ }
879 --+
880 -- /* Time-based rekeying */
881 -- if (state->rekey_interval != 0 &&
882 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
883 - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
884 - struct session_state *state = ssh->state;
885 - int len, r, ms_remain;
886 -@@ -598,12 +576,11 @@
887 - };
888 -
889 - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
890 --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
891 -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
892 - int ssh_packet_set_maxsize(struct ssh *, u_int);
893 - u_int ssh_packet_get_maxsize(struct ssh *);
894 -
895 - +/* for forced packet rekeying post auth */
896 --+void packet_request_rekeying(void);
897 - +int packet_authentication_state(const struct ssh *);
898 - +
899 - int ssh_packet_get_state(struct ssh *, struct sshbuf *);
900 -@@ -627,9 +604,9 @@
901 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
902 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
903 - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
904 -+ oDisableMTAES,
905 - oVisualHostKey,
906 - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
907 -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
908 - @@ -297,6 +300,9 @@ static struct {
909 - { "kexalgorithms", oKexAlgorithms },
910 - { "ipqos", oIPQoS },
911 -@@ -778,9 +755,9 @@
912 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
913 - SyslogFacility log_facility; /* Facility for system logging. */
914 - @@ -120,7 +124,11 @@ typedef struct {
915 --
916 - int enable_ssh_keysign;
917 - int64_t rekey_limit;
918 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
919 - + int none_switch; /* Use none cipher */
920 - + int none_enabled; /* Allow none cipher to be used */
921 - + int nonemac_enabled; /* Allow none MAC to be used */
922 -@@ -842,9 +819,9 @@
923 - /* Portable-specific options */
924 - if (options->use_pam == -1)
925 - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
926 -- }
927 -- if (options->permit_tun == -1)
928 - options->permit_tun = SSH_TUNMODE_NO;
929 -+ if (options->disable_multithreaded == -1)
930 -+ options->disable_multithreaded = 0;
931 - + if (options->none_enabled == -1)
932 - + options->none_enabled = 0;
933 - + if (options->nonemac_enabled == -1)
934 -@@ -1330,9 +1307,9 @@
935 - + }
936 - + }
937 - +
938 -- debug("Authentication succeeded (%s).", authctxt.method->name);
939 -- }
940 -
941 -+ #ifdef WITH_OPENSSL
942 -+ if (options.disable_multithreaded == 0) {
943 - diff --git a/sshd.c b/sshd.c
944 - index 6277e6d6..d66fa41a 100644
945 - --- a/sshd.c
946
947 diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
948 deleted file mode 100644
949 index 7199227589c6..000000000000
950 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
951 +++ /dev/null
952 @@ -1,18 +0,0 @@
953 -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
954 ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
955 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
956 -@@ -1414,14 +1414,3 @@
957 - # Example of overriding settings on a per-user basis
958 - #Match User anoncvs
959 - # X11Forwarding no
960 --diff --git a/version.h b/version.h
961 --index 6b4fa372..332fb486 100644
962 ----- a/version.h
963 --+++ b/version.h
964 --@@ -3,4 +3,5 @@
965 -- #define SSH_VERSION "OpenSSH_8.5"
966 --
967 -- #define SSH_PORTABLE "p1"
968 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
969 --+#define SSH_HPN "-hpn15v2"
970 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
971
972 diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
973 deleted file mode 100644
974 index e23063b5db2e..000000000000
975 --- a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
976 +++ /dev/null
977 @@ -1,72 +0,0 @@
978 ---- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700
979 -+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700
980 -@@ -47728,12 +47728,11 @@
981 -
982 - install-files:
983 - $(MKDIR_P) $(DESTDIR)$(bindir)
984 --@@ -389,6 +366,8 @@
985 -+@@ -389,6 +366,7 @@
986 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
987 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
988 - $(MKDIR_P) $(DESTDIR)$(libexecdir)
989 - + $(MKDIR_P) $(DESTDIR)$(sshcadir)
990 --+ $(MKDIR_P) $(DESTDIR)$(piddir)
991 - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
992 - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
993 - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
994 -@@ -65001,7 +65000,7 @@
995 - - echo "putty interop tests not enabled"
996 - - exit 0
997 - -fi
998 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
999 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
1000 -
1001 - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
1002 - verbose "$tid: cipher $c"
1003 -@@ -65016,7 +65015,7 @@
1004 - - echo "putty interop tests not enabled"
1005 - - exit 0
1006 - -fi
1007 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
1008 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
1009 -
1010 - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
1011 - verbose "$tid: kex $k"
1012 -@@ -65031,7 +65030,7 @@
1013 - - echo "putty interop tests not enabled"
1014 - - exit 0
1015 - -fi
1016 --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
1017 -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
1018 -
1019 - if [ "`${SSH} -Q compression`" = "none" ]; then
1020 - comp="0"
1021 -@@ -65163,9 +65162,9 @@
1022 -
1023 - +# cross-project configuration
1024 - +if test "$sshd_type" = "pkix" ; then
1025 --+ unset_arg=''
1026 -++ unset_arg=
1027 - +else
1028 --+ unset_arg=none
1029 -++ unset_arg=
1030 - +fi
1031 - +
1032 - cat > $OBJ/sshd_config.i << _EOF
1033 -@@ -124084,16 +124083,6 @@
1034 - +int asnmprintf(char **, size_t, int *, const char *, ...)
1035 - __attribute__((format(printf, 4, 5)));
1036 - void msetlocale(void);
1037 --diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
1038 ----- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300
1039 --+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300
1040 --@@ -2,5 +2,4 @@
1041 --
1042 -- #define SSH_VERSION "OpenSSH_8.6"
1043 --
1044 ---#define SSH_PORTABLE "p1"
1045 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1046 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
1047 - diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
1048 - --- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200
1049 - +++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300
1050
1051 diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
1052 deleted file mode 100644
1053 index 714dffc41712..000000000000
1054 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
1055 +++ /dev/null
1056 @@ -1,357 +0,0 @@
1057 -diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
1058 ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
1059 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
1060 -@@ -3,9 +3,9 @@
1061 - --- a/Makefile.in
1062 - +++ b/Makefile.in
1063 - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
1064 -- CFLAGS_NOPIE=@CFLAGS_NOPIE@
1065 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
1066 -- PICFLAG=@PICFLAG@
1067 -+ LD=@LD@
1068 -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
1069 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
1070 - -LIBS=@LIBS@
1071 - +LIBS=@LIBS@ -lpthread
1072 - K5LIBS=@K5LIBS@
1073 -@@ -803,8 +803,8 @@
1074 - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
1075 - {
1076 - struct session_state *state;
1077 --- const struct sshcipher *none = cipher_by_name("none");
1078 --+ struct sshcipher *none = cipher_by_name("none");
1079 -+- const struct sshcipher *none = cipher_none();
1080 -++ struct sshcipher *none = cipher_none();
1081 - int r;
1082 -
1083 - if (none == NULL) {
1084 -@@ -898,20 +898,20 @@
1085 - options->fingerprint_hash = -1;
1086 - options->update_hostkeys = -1;
1087 - + options->disable_multithreaded = -1;
1088 -- options->hostbased_accepted_algos = NULL;
1089 -- options->pubkey_accepted_algos = NULL;
1090 -- options->known_hosts_command = NULL;
1091 -+ }
1092 -+
1093 -+ /*
1094 - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
1095 -+ options->update_hostkeys = 0;
1096 - if (options->sk_provider == NULL)
1097 - options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
1098 -- #endif
1099 - + if (options->update_hostkeys == -1)
1100 - + options->update_hostkeys = 0;
1101 - + if (options->disable_multithreaded == -1)
1102 - + options->disable_multithreaded = 0;
1103 -
1104 -- /* Expand KEX name lists */
1105 -- all_cipher = cipher_alg_list(',', 0);
1106 -+ /* expand KEX and etc. name lists */
1107 -+ { char *all;
1108 - diff --git a/readconf.h b/readconf.h
1109 - index 2fba866e..7f8f0227 100644
1110 - --- a/readconf.h
1111 -@@ -950,9 +950,9 @@
1112 - /* Portable-specific options */
1113 - sUsePAM,
1114 - + sDisableMTAES,
1115 -- /* Standard Options */
1116 -- sPort, sHostKeyFile, sLoginGraceTime,
1117 -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
1118 -+ /* X.509 Standard Options */
1119 -+ sHostbasedAlgorithms,
1120 -+ sPubkeyAlgorithms,
1121 - @@ -662,6 +666,7 @@ static struct {
1122 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
1123 - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
1124 -diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
1125 ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
1126 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
1127 -@@ -157,6 +157,36 @@
1128 - + Allan Jude provided the code for the NoneMac and buffer normalization.
1129 - + This work was financed, in part, by Cisco System, Inc., the National
1130 - + Library of Medicine, and the National Science Foundation.
1131 -+diff --git a/auth2.c b/auth2.c
1132 -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
1133 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
1134 -+@@ -229,16 +229,17 @@
1135 -+ double delay;
1136 -+
1137 -+ digest_alg = ssh_digest_maxbytes();
1138 -+- len = ssh_digest_bytes(digest_alg);
1139 -+- hash = xmalloc(len);
1140 -++ if (len = ssh_digest_bytes(digest_alg) > 0) {
1141 -++ hash = xmalloc(len);
1142 -+
1143 -+- (void)snprintf(b, sizeof b, "%llu%s",
1144 -+- (unsigned long long)options.timing_secret, user);
1145 -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
1146 -+- fatal_f("ssh_digest_memory");
1147 -+- /* 0-4.2 ms of delay */
1148 -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
1149 -+- freezero(hash, len);
1150 -++ (void)snprintf(b, sizeof b, "%llu%s",
1151 -++ (unsigned long long)options.timing_secret, user);
1152 -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
1153 -++ fatal_f("ssh_digest_memory");
1154 -++ /* 0-4.2 ms of delay */
1155 -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
1156 -++ freezero(hash, len);
1157 -++ }
1158 -+ debug3_f("user specific delay %0.3lfms", delay/1000);
1159 -+ return MIN_FAIL_DELAY_SECONDS + delay;
1160 -+ }
1161 - diff --git a/channels.c b/channels.c
1162 - index b60d56c4..0e363c15 100644
1163 - --- a/channels.c
1164 -@@ -209,14 +239,14 @@
1165 - static void
1166 - channel_pre_open(struct ssh *ssh, Channel *c,
1167 - fd_set *readset, fd_set *writeset)
1168 --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
1169 -+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
1170 -
1171 - if (c->type == SSH_CHANNEL_OPEN &&
1172 - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1173 - - ((c->local_window_max - c->local_window >
1174 - - c->local_maxpacket*3) ||
1175 --+ ((ssh_packet_is_interactive(ssh) &&
1176 --+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
1177 -++ ((ssh_packet_is_interactive(ssh) &&
1178 -++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
1179 - c->local_window < c->local_window_max/2) &&
1180 - c->local_consumed > 0) {
1181 - + u_int addition = 0;
1182 -@@ -235,9 +265,8 @@
1183 - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1184 - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
1185 - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
1186 -- (r = sshpkt_send(ssh)) != 0) {
1187 -- fatal_fr(r, "channel %i", c->self);
1188 -- }
1189 -+ (r = sshpkt_send(ssh)) != 0)
1190 -+ fatal_fr(r, "channel %d", c->self);
1191 - - debug2("channel %d: window %d sent adjust %d", c->self,
1192 - - c->local_window, c->local_consumed);
1193 - - c->local_window += c->local_consumed;
1194 -@@ -386,21 +415,45 @@
1195 - index 69befa96..90b5f338 100644
1196 - --- a/compat.c
1197 - +++ b/compat.c
1198 --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
1199 -- debug_f("match: %s pat %s compat 0x%08x",
1200 -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
1201 -+ static u_int
1202 -+ compat_datafellows(const char *version)
1203 -+ {
1204 -+- int i;
1205 -++ int i, bugs = 0;
1206 -+ static struct {
1207 -+ char *pat;
1208 -+ int bugs;
1209 -+@@ -147,11 +147,26 @@
1210 -+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
1211 -+ debug("match: %s pat %s compat 0x%08x",
1212 - version, check[i].pat, check[i].bugs);
1213 -- ssh->compat = check[i].bugs;
1214 - + /* Check to see if the remote side is OpenSSH and not HPN */
1215 --+ /* TODO: need to use new method to test for this */
1216 - + if (strstr(version, "OpenSSH") != NULL) {
1217 - + if (strstr(version, "hpn") == NULL) {
1218 --+ ssh->compat |= SSH_BUG_LARGEWINDOW;
1219 -++ bugs |= SSH_BUG_LARGEWINDOW;
1220 - + debug("Remote is NON-HPN aware");
1221 - + }
1222 - + }
1223 -- return;
1224 -+- return check[i].bugs;
1225 -++ bugs |= check[i].bugs;
1226 - }
1227 - }
1228 -+- debug("no match: %s", version);
1229 -+- return 0;
1230 -++ /* Check to see if the remote side is OpenSSH and not HPN */
1231 -++ if (strstr(version, "OpenSSH") != NULL) {
1232 -++ if (strstr(version, "hpn") == NULL) {
1233 -++ bugs |= SSH_BUG_LARGEWINDOW;
1234 -++ debug("Remote is NON-HPN aware");
1235 -++ }
1236 -++ }
1237 -++ if (bugs == 0)
1238 -++ debug("no match: %s", version);
1239 -++ return bugs;
1240 -+ }
1241 -+
1242 -+ char *
1243 - diff --git a/compat.h b/compat.h
1244 - index c197fafc..ea2e17a7 100644
1245 - --- a/compat.h
1246 -@@ -459,7 +512,7 @@
1247 - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
1248 - int nenc, nmac, ncomp;
1249 - u_int mode, ctos, need, dh_need, authlen;
1250 -- int r, first_kex_follows;
1251 -+ int r, first_kex_follows = 0;
1252 - + int auth_flag = 0;
1253 - +
1254 - + auth_flag = packet_authentication_state(ssh);
1255 -@@ -553,7 +606,7 @@
1256 - #define MAX_PACKETS (1U<<31)
1257 - static int
1258 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1259 --@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1260 -+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1261 - struct session_state *state = ssh->state;
1262 - int len, r, ms_remain;
1263 - fd_set *setp;
1264 -@@ -1035,19 +1088,6 @@
1265 -
1266 - /* Minimum amount of data to read at a time */
1267 - #define MIN_READ_SIZE 512
1268 --diff --git a/ssh-keygen.c b/ssh-keygen.c
1269 --index cfb5f115..36a6e519 100644
1270 ----- a/ssh-keygen.c
1271 --+++ b/ssh-keygen.c
1272 --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
1273 -- freezero(pin, strlen(pin));
1274 -- error_r(r, "Unable to load resident keys");
1275 -- return -1;
1276 --- }
1277 --+ }
1278 -- if (nkeys == 0)
1279 -- logit("No keys to download");
1280 -- if (pin != NULL)
1281 - diff --git a/ssh.c b/ssh.c
1282 - index 53330da5..27b9770e 100644
1283 - --- a/ssh.c
1284 -@@ -1093,7 +1133,7 @@
1285 - + else
1286 - + options.hpn_buffer_size = 2 * 1024 * 1024;
1287 - +
1288 --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
1289 -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
1290 - + debug("HPN to Non-HPN Connection");
1291 - + } else {
1292 - + int sock, socksize;
1293 -@@ -1335,7 +1375,29 @@
1294 - /* Bind the socket to the desired port. */
1295 - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1296 - error("Bind to port %s on %s failed: %.200s.",
1297 --@@ -1727,6 +1734,19 @@ main(int ac, char **av)
1298 -+@@ -1625,13 +1632,14 @@
1299 -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
1300 -+ sshbuf_len(server_cfg)) != 0)
1301 -+ fatal_f("ssh_digest_update");
1302 -+- len = ssh_digest_bytes(digest_alg);
1303 -+- hash = xmalloc(len);
1304 -+- if (ssh_digest_final(ctx, hash, len) != 0)
1305 -+- fatal_f("ssh_digest_final");
1306 -+- options.timing_secret = PEEK_U64(hash);
1307 -+- freezero(hash, len);
1308 -+- ssh_digest_free(ctx);
1309 -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
1310 -++ hash = xmalloc(len);
1311 -++ if (ssh_digest_final(ctx, hash, len) != 0)
1312 -++ fatal_f("ssh_digest_final");
1313 -++ options.timing_secret = PEEK_U64(hash);
1314 -++ freezero(hash, len);
1315 -++ ssh_digest_free(ctx);
1316 -++ }
1317 -+ ctx = NULL;
1318 -+ return;
1319 -+ }
1320 -+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
1321 - /* Fill in default values for those options not explicitly set. */
1322 - fill_default_server_options(&options);
1323 -
1324 -@@ -1355,7 +1417,7 @@
1325 - /* challenge-response is implemented via keyboard interactive */
1326 - if (options.challenge_response_authentication)
1327 - options.kbd_interactive_authentication = 1;
1328 --@@ -2166,6 +2186,9 @@ main(int ac, char **av)
1329 -+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
1330 - rdomain == NULL ? "" : "\"");
1331 - free(laddr);
1332 -
1333 -@@ -1365,7 +1427,7 @@
1334 - /*
1335 - * We don't want to listen forever unless the other side
1336 - * successfully authenticates itself. So we set up an alarm which is
1337 --@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
1338 -+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
1339 - struct kex *kex;
1340 - int r;
1341 -
1342 -@@ -1405,14 +1467,3 @@
1343 - # Example of overriding settings on a per-user basis
1344 - #Match User anoncvs
1345 - # X11Forwarding no
1346 --diff --git a/version.h b/version.h
1347 --index 6b4fa372..332fb486 100644
1348 ----- a/version.h
1349 --+++ b/version.h
1350 --@@ -3,4 +3,5 @@
1351 -- #define SSH_VERSION "OpenSSH_8.5"
1352 --
1353 -- #define SSH_PORTABLE "p1"
1354 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
1355 --+#define SSH_HPN "-hpn15v2"
1356 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
1357 -diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
1358 ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
1359 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
1360 -@@ -12,9 +12,9 @@
1361 - static long stalled; /* how long we have been stalled */
1362 - static int bytes_per_second; /* current speed in bytes per second */
1363 - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
1364 -+ off_t bytes_left;
1365 - int cur_speed;
1366 -- int hours, minutes, seconds;
1367 -- int file_len;
1368 -+ int len;
1369 - + off_t delta_pos;
1370 -
1371 - if ((!force_update && !alarm_fired && !win_resized) || !can_output())
1372 -@@ -30,15 +30,17 @@
1373 - if (bytes_left > 0)
1374 - elapsed = now - last_update;
1375 - else {
1376 --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
1377 --
1378 -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
1379 -+ buf[1] = '\0';
1380 -+
1381 - /* filename */
1382 -- buf[0] = '\0';
1383 --- file_len = win_size - 36;
1384 --+ file_len = win_size - 45;
1385 -- if (file_len > 0) {
1386 -- buf[0] = '\r';
1387 -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
1388 -+- if (win_size > 36) {
1389 -++ if (win_size > 45) {
1390 -+- int file_len = win_size - 36;
1391 -++ int file_len = win_size - 45;
1392 -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
1393 -+ file_len, file);
1394 -+ }
1395 - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
1396 - (off_t)bytes_per_second);
1397 - strlcat(buf, "/s ", win_size);
1398 -@@ -63,15 +65,3 @@
1399 - }
1400 -
1401 - /*ARGSUSED*/
1402 --diff --git a/ssh-keygen.c b/ssh-keygen.c
1403 --index cfb5f115..986ff59b 100644
1404 ----- a/ssh-keygen.c
1405 --+++ b/ssh-keygen.c
1406 --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
1407 --
1408 -- if (skprovider == NULL)
1409 -- fatal("Cannot download keys without provider");
1410 ---
1411 -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
1412 -- if (!quiet) {
1413 -- printf("You may need to touch your authenticator "
1414
1415 diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
1416 deleted file mode 100644
1417 index 30c0252ccb55..000000000000
1418 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
1419 +++ /dev/null
1420 @@ -1,132 +0,0 @@
1421 -diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
1422 ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700
1423 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700
1424 -@@ -536,18 +536,10 @@
1425 - if (state->rekey_limit)
1426 - *max_blocks = MINIMUM(*max_blocks,
1427 - state->rekey_limit / enc->block_size);
1428 --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1429 -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
1430 - return 0;
1431 - }
1432 -
1433 --+/* this supports the forced rekeying required for the NONE cipher */
1434 --+int rekey_requested = 0;
1435 --+void
1436 --+packet_request_rekeying(void)
1437 --+{
1438 --+ rekey_requested = 1;
1439 --+}
1440 --+
1441 - +/* used to determine if pre or post auth when rekeying for aes-ctr
1442 - + * and none cipher switch */
1443 - +int
1444 -@@ -561,20 +553,6 @@
1445 - #define MAX_PACKETS (1U<<31)
1446 - static int
1447 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1448 --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
1449 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
1450 -- return 0;
1451 --
1452 --+ /* used to force rekeying when called for by the none
1453 --+ * cipher switch methods -cjr */
1454 --+ if (rekey_requested == 1) {
1455 --+ rekey_requested = 0;
1456 --+ return 1;
1457 --+ }
1458 --+
1459 -- /* Time-based rekeying */
1460 -- if (state->rekey_interval != 0 &&
1461 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
1462 - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1463 - struct session_state *state = ssh->state;
1464 - int len, r, ms_remain;
1465 -@@ -598,12 +576,11 @@
1466 - };
1467 -
1468 - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
1469 --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
1470 -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
1471 - int ssh_packet_set_maxsize(struct ssh *, u_int);
1472 - u_int ssh_packet_get_maxsize(struct ssh *);
1473 -
1474 - +/* for forced packet rekeying post auth */
1475 --+void packet_request_rekeying(void);
1476 - +int packet_authentication_state(const struct ssh *);
1477 - +
1478 - int ssh_packet_get_state(struct ssh *, struct sshbuf *);
1479 -@@ -627,9 +604,9 @@
1480 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
1481 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
1482 - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
1483 -+ oDisableMTAES,
1484 - oVisualHostKey,
1485 - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
1486 -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
1487 - @@ -297,6 +300,9 @@ static struct {
1488 - { "kexalgorithms", oKexAlgorithms },
1489 - { "ipqos", oIPQoS },
1490 -@@ -778,9 +755,9 @@
1491 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
1492 - SyslogFacility log_facility; /* Facility for system logging. */
1493 - @@ -120,7 +124,11 @@ typedef struct {
1494 --
1495 - int enable_ssh_keysign;
1496 - int64_t rekey_limit;
1497 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
1498 - + int none_switch; /* Use none cipher */
1499 - + int none_enabled; /* Allow none cipher to be used */
1500 - + int nonemac_enabled; /* Allow none MAC to be used */
1501 -@@ -842,9 +819,9 @@
1502 - /* Portable-specific options */
1503 - if (options->use_pam == -1)
1504 - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
1505 -- }
1506 -- if (options->permit_tun == -1)
1507 - options->permit_tun = SSH_TUNMODE_NO;
1508 -+ if (options->disable_multithreaded == -1)
1509 -+ options->disable_multithreaded = 0;
1510 - + if (options->none_enabled == -1)
1511 - + options->none_enabled = 0;
1512 - + if (options->nonemac_enabled == -1)
1513 -@@ -1047,17 +1024,17 @@
1514 - Note that
1515 - diff --git a/sftp.c b/sftp.c
1516 - index fb3c08d1..89bebbb2 100644
1517 ----- a/sftp.c
1518 --+++ b/sftp.c
1519 --@@ -71,7 +71,7 @@ typedef void EditLine;
1520 -- #include "sftp-client.h"
1521 --
1522 -- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
1523 ---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
1524 --+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
1525 -+--- a/sftp-client.c
1526 -++++ b/sftp-client.c
1527 -+@@ -65,7 +65,7 @@ typedef void EditLine;
1528 -+ #define DEFAULT_COPY_BUFLEN 32768
1529 -+
1530 -+ /* Default number of concurrent outstanding requests */
1531 -+-#define DEFAULT_NUM_REQUESTS 64
1532 -++#define DEFAULT_NUM_REQUESTS 256
1533 -
1534 -- /* File to read commands from */
1535 -- FILE* infile;
1536 -+ /* Minimum amount of data to read at a time */
1537 -+ #define MIN_READ_SIZE 512
1538 - diff --git a/ssh-keygen.c b/ssh-keygen.c
1539 - index cfb5f115..36a6e519 100644
1540 - --- a/ssh-keygen.c
1541 -@@ -1330,9 +1307,9 @@
1542 - + }
1543 - + }
1544 - +
1545 -- debug("Authentication succeeded (%s).", authctxt.method->name);
1546 -- }
1547 -
1548 -+ #ifdef WITH_OPENSSL
1549 -+ if (options.disable_multithreaded == 0) {
1550 - diff --git a/sshd.c b/sshd.c
1551 - index 6277e6d6..d66fa41a 100644
1552 - --- a/sshd.c
1553
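diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 58ff739e1d4c..f23eae1e1222 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
 ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 </longdescription>
 <use>
-<flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
 <flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
 <flag name="hpn">Enable high performance ssh</flag>
 <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>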
1566
1567 diff --git a/net-misc/openssh/openssh-8.6_p1-r2.ebuild b/net-misc/openssh/openssh-8.6_p1-r2.ebuild
1568 deleted file mode 100644
1569 index f896a51951ac..000000000000
1570 --- a/net-misc/openssh/openssh-8.6_p1-r2.ebuild
1571 +++ /dev/null
1572 @@ -1,515 +0,0 @@
1573 -# Copyright 1999-2021 Gentoo Authors
1574 -# Distributed under the terms of the GNU General Public License v2
1575 -
1576 -EAPI=7
1577 -
1578 -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
1579 -
1580 -# Make it more portable between straight releases
1581 -# and _p? releases.
1582 -PARCH=${P/_}
1583 -
1584 -# PV to USE for HPN patches
1585 -#HPN_PV="${PV^^}"
1586 -HPN_PV="8.5_P1"
1587 -
1588 -HPN_VER="15.2"
1589 -HPN_PATCHES=(
1590 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
1591 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
1592 - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
1593 -)
1594 -
1595 -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
1596 -X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1597 -
1598 -DESCRIPTION="Port of OpenBSD's free SSH release"
1599 -HOMEPAGE="https://www.openssh.com/"
1600 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1601 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
1602 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
1603 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
1604 -"
1605 -S="${WORKDIR}/${PARCH}"
1606 -
1607 -LICENSE="BSD GPL-2"
1608 -SLOT="0"
1609 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1610 -# Probably want to drop ssl defaulting to on in a future version.
1611 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
1612 -
1613 -RESTRICT="!test? ( test )"
1614 -
1615 -REQUIRED_USE="
1616 - ldns? ( ssl )
1617 - pie? ( !static )
1618 - static? ( !kerberos !pam )
1619 - X509? ( !sctp !security-key ssl !xmss )
1620 - xmss? ( ssl )
1621 - test? ( ssl )
1622 -"
1623 -
1624 -# tests currently fail with XMSS
1625 -REQUIRED_USE+="test? ( !xmss )"
1626 -
1627 -LIB_DEPEND="
1628 - audit? ( sys-process/audit[static-libs(+)] )
1629 - ldns? (
1630 - net-libs/ldns[static-libs(+)]
1631 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
1632 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
1633 - )
1634 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
1635 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1636 - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
1637 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1638 - ssl? (
1639 - || (
1640 - (
1641 - >=dev-libs/openssl-1.0.1:0[bindist(-)=]
1642 - <dev-libs/openssl-1.1.0:0[bindist(-)=]
1643 - )
1644 - >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
1645 - )
1646 - dev-libs/openssl:0=[static-libs(+)]
1647 - )
1648 - virtual/libcrypt:=[static-libs(+)]
1649 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]
1650 -"
1651 -RDEPEND="
1652 - acct-group/sshd
1653 - acct-user/sshd
1654 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1655 - pam? ( sys-libs/pam )
1656 - kerberos? ( virtual/krb5 )
1657 -"
1658 -DEPEND="${RDEPEND}
1659 - virtual/os-headers
1660 - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
1661 - static? ( ${LIB_DEPEND} )
1662 -"
1663 -RDEPEND="${RDEPEND}
1664 - pam? ( >=sys-auth/pambase-20081028 )
1665 - userland_GNU? ( !prefix? ( sys-apps/shadow ) )
1666 - X? ( x11-apps/xauth )
1667 -"
1668 -BDEPEND="
1669 - virtual/pkgconfig
1670 - sys-devel/autoconf
1671 -"
1672 -
1673 -pkg_pretend() {
1674 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
1675 - # than not be able to log in to their server any more
1676 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1677 - local fail="
1678 - $(use hpn && maybe_fail hpn HPN_VER)
1679 - $(use sctp && maybe_fail sctp SCTP_PATCH)
1680 - $(use X509 && maybe_fail X509 X509_PATCH)
1681 - "
1682 - fail=$(echo ${fail})
1683 - if [[ -n ${fail} ]] ; then
1684 - eerror "Sorry, but this version does not yet support features"
1685 - eerror "that you requested: ${fail}"
1686 - eerror "Please mask ${PF} for now and check back later:"
1687 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1688 - die "Missing requested third party patch."
1689 - fi
1690 -
1691 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
1692 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
1693 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1694 - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
1695 - fi
1696 -}
1697 -
1698 -src_prepare() {
1699 - sed -i \
1700 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
1701 - pathnames.h || die
1702 -
1703 - # don't break .ssh/authorized_keys2 for fun
1704 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1705 -
1706 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
1707 - eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1708 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1709 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1710 - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
1711 - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
1712 -
1713 - # workaround for https://bugs.gentoo.org/734984
1714 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
1715 -
1716 - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
1717 -
1718 - local PATCHSET_VERSION_MACROS=()
1719 -
1720 - if use X509 ; then
1721 - pushd "${WORKDIR}" &>/dev/null || die
1722 - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
1723 - popd &>/dev/null || die
1724 -
1725 - eapply "${WORKDIR}"/${X509_PATCH%.*}
1726 -
1727 - # We need to patch package version or any X.509 sshd will reject our ssh client
1728 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
1729 - # error
1730 - einfo "Patching package version for X.509 patch set ..."
1731 - sed -i \
1732 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
1733 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
1734 -
1735 - einfo "Patching version.h to expose X.509 patch set ..."
1736 - sed -i \
1737 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
1738 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
1739 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
1740 - fi
1741 -
1742 - if use sctp ; then
1743 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
1744 -
1745 - einfo "Patching version.h to expose SCTP patch set ..."
1746 - sed -i \
1747 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
1748 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
1749 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
1750 -
1751 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
1752 - sed -i \
1753 - -e "/\t\tcfgparse \\\/d" \
1754 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
1755 - fi
1756 -
1757 - if use hpn ; then
1758 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
1759 - mkdir "${hpn_patchdir}" || die
1760 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
1761 - pushd "${hpn_patchdir}" &>/dev/null || die
1762 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
1763 - use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
1764 - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
1765 - popd &>/dev/null || die
1766 -
1767 - eapply "${hpn_patchdir}"
1768 -
1769 - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
1770 -
1771 - einfo "Patching Makefile.in for HPN patch set ..."
1772 - sed -i \
1773 - -e "/^LIBS=/ s/\$/ -lpthread/" \
1774 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
1775 -
1776 - einfo "Patching version.h to expose HPN patch set ..."
1777 - sed -i \
1778 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
1779 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
1780 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
1781 -
1782 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1783 - einfo "Disabling known non-working MT AES cipher per default ..."
1784 -
1785 - cat > "${T}"/disable_mtaes.conf <<- EOF
1786 -
1787 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
1788 - # and therefore disabled per default.
1789 - DisableMTAES yes
1790 - EOF
1791 - sed -i \
1792 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
1793 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
1794 -
1795 - sed -i \
1796 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
1797 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
1798 - fi
1799 - fi
1800 -
1801 - if use X509 || use sctp || use hpn ; then
1802 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
1803 - sed -i \
1804 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1805 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
1806 -
1807 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
1808 - sed -i \
1809 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1810 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
1811 -
1812 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
1813 - sed -i \
1814 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
1815 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
1816 - fi
1817 -
1818 - sed -i \
1819 - -e "/#UseLogin no/d" \
1820 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
1821 -
1822 - eapply_user #473004
1823 -
1824 - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
1825 - sed -e '/\t\tpercent \\/ d' \
1826 - -i regress/Makefile || die
1827 -
1828 - tc-export PKG_CONFIG
1829 - local sed_args=(
1830 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1831 - # Disable PATH reset, trust what portage gives us #254615
1832 - -e 's:^PATH=/:#PATH=/:'
1833 - # Disable fortify flags ... our gcc does this for us
1834 - -e 's:-D_FORTIFY_SOURCE=2::'
1835 - )
1836 -
1837 - # The -ftrapv flag ICEs on hppa #505182
1838 - use hppa && sed_args+=(
1839 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1840 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1841 - )
1842 - # _XOPEN_SOURCE causes header conflicts on Solaris
1843 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1844 - -e 's/-D_XOPEN_SOURCE//'
1845 - )
1846 - sed -i "${sed_args[@]}" configure{.ac,} || die
1847 -
1848 - eautoreconf
1849 -}
1850 -
1851 -src_configure() {
1852 - addwrite /dev/ptmx
1853 -
1854 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1855 - use static && append-ldflags -static
1856 - use xmss && append-cflags -DWITH_XMSS
1857 -
1858 - if [[ ${CHOST} == *-solaris* ]] ; then
1859 - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
1860 - # doesn't check for this, so force the replacement to be put in
1861 - # place
1862 - append-cppflags -DBROKEN_GLOB
1863 - fi
1864 -
1865 - # use replacement, RPF_ECHO_ON doesn't exist here
1866 - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
1867 -
1868 - local myconf=(
1869 - --with-ldflags="${LDFLAGS}"
1870 - --disable-strip
1871 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1872 - --sysconfdir="${EPREFIX}"/etc/ssh
1873 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
1874 - --datadir="${EPREFIX}"/usr/share/openssh
1875 - --with-privsep-path="${EPREFIX}"/var/empty
1876 - --with-privsep-user=sshd
1877 - $(use_with audit audit linux)
1878 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
1879 - # We apply the sctp patch conditionally, so can't pass --without-sctp
1880 - # unconditionally else we get unknown flag warnings.
1881 - $(use sctp && use_with sctp)
1882 - $(use_with ldns ldns "${EPREFIX}"/usr)
1883 - $(use_with libedit)
1884 - $(use_with pam)
1885 - $(use_with pie)
1886 - $(use_with selinux)
1887 - $(usex X509 '' "$(use_with security-key security-key-builtin)")
1888 - $(use_with ssl openssl)
1889 - $(use_with ssl md5-passwords)
1890 - $(use_with ssl ssl-engine)
1891 - $(use_with !elibc_Cygwin hardening) #659210
1892 - )
1893 -
1894 - if use elibc_musl; then
1895 - # stackprotect is broken on musl x86 and ppc
1896 - if use x86 || use ppc; then
1897 - myconf+=( --without-stackprotect )
1898 - fi
1899 -
1900 - # musl defines bogus values for UTMP_FILE and WTMP_FILE
1901 - # https://bugs.gentoo.org/753230
1902 - myconf+=( --disable-utmp --disable-wtmp )
1903 - fi
1904 -
1905 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
1906 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
1907 -
1908 - econf "${myconf[@]}"
1909 -}
1910 -
1911 -src_test() {
1912 - local t skipped=() failed=() passed=()
1913 - local tests=( interop-tests compat-tests )
1914 -
1915 - local shell=$(egetshell "${UID}")
1916 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1917 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
1918 - elog "user, so we will run a subset only."
1919 - skipped+=( tests )
1920 - else
1921 - tests+=( tests )
1922 - fi
1923 -
1924 - # It will also attempt to write to the homedir .ssh.
1925 - local sshhome=${T}/homedir
1926 - mkdir -p "${sshhome}"/.ssh
1927 - for t in "${tests[@]}" ; do
1928 - # Some tests read from stdin ...
1929 - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
1930 - SUDO="" SSH_SK_PROVIDER="" \
1931 - TEST_SSH_UNSAFE_PERMISSIONS=1 \
1932 - emake -k -j1 ${t} </dev/null \
1933 - && passed+=( "${t}" ) \
1934 - || failed+=( "${t}" )
1935 - done
1936 -
1937 - einfo "Passed tests: ${passed[*]}"
1938 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
1939 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
1940 -}
1941 -
1942 -# Gentoo tweaks to default config files.
1943 -tweak_ssh_configs() {
1944 - local locale_vars=(
1945 - # These are language variables that POSIX defines.
1946 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
1947 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
1948 -
1949 - # These are the GNU extensions.
1950 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
1951 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
1952 - )
1953 -
1954 - # First the server config.
1955 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
1956 -
1957 - # Allow client to pass locale environment variables. #367017
1958 - AcceptEnv ${locale_vars[*]}
1959 -
1960 - # Allow client to pass COLORTERM to match TERM. #658540
1961 - AcceptEnv COLORTERM
1962 - EOF
1963 -
1964 - # Then the client config.
1965 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
1966 -
1967 - # Send locale environment variables. #367017
1968 - SendEnv ${locale_vars[*]}
1969 -
1970 - # Send COLORTERM to match TERM. #658540
1971 - SendEnv COLORTERM
1972 - EOF
1973 -
1974 - if use pam ; then
1975 - sed -i \
1976 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
1977 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1978 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1979 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1980 - "${ED}"/etc/ssh/sshd_config || die
1981 - fi
1982 -
1983 - if use livecd ; then
1984 - sed -i \
1985 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
1986 - "${ED}"/etc/ssh/sshd_config || die
1987 - fi
1988 -}
1989 -
1990 -src_install() {
1991 - emake install-nokeys DESTDIR="${D}"
1992 - fperms 600 /etc/ssh/sshd_config
1993 - dobin contrib/ssh-copy-id
1994 - newinitd "${FILESDIR}"/sshd-r1.initd sshd
1995 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
1996 -
1997 - if use pam; then
1998 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1999 - fi
2000 -
2001 - tweak_ssh_configs
2002 -
2003 - doman contrib/ssh-copy-id.1
2004 - dodoc CREDITS OVERVIEW README* TODO sshd_config
2005 - use hpn && dodoc HPN-README
2006 - use X509 || dodoc ChangeLog
2007 -
2008 - diropts -m 0700
2009 - dodir /etc/skel/.ssh
2010 -
2011 - # https://bugs.gentoo.org/733802
2012 - if ! use scp; then
2013 - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
2014 - || die "failed to remove scp"
2015 - fi
2016 -
2017 - rmdir "${ED}"/var/empty || die
2018 -
2019 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2020 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2021 -}
2022 -
2023 -pkg_preinst() {
2024 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
2025 - show_ssl_warning=1
2026 - fi
2027 -}
2028 -
2029 -pkg_postinst() {
2030 - local old_ver
2031 - for old_ver in ${REPLACING_VERSIONS}; do
2032 - if ver_test "${old_ver}" -lt "5.8_p1"; then
2033 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2034 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2035 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2036 - fi
2037 - if ver_test "${old_ver}" -lt "7.0_p1"; then
2038 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2039 - elog "Make sure to update any configs that you might have. Note that xinetd might"
2040 - elog "be an alternative for you as it supports USE=tcpd."
2041 - fi
2042 - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
2043 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2044 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2045 - elog "adding to your sshd_config or ~/.ssh/config files:"
2046 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2047 - elog "You should however generate new keys using rsa or ed25519."
2048 -
2049 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2050 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
2051 - elog "out of the box. If you need this, please update your sshd_config explicitly."
2052 - fi
2053 - if ver_test "${old_ver}" -lt "7.6_p1"; then
2054 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2055 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2056 - fi
2057 - if ver_test "${old_ver}" -lt "7.7_p1"; then
2058 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
2059 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
2060 - elog "if you need to authenticate against LDAP."
2061 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
2062 - fi
2063 - if ver_test "${old_ver}" -lt "8.2_p1"; then
2064 - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
2065 - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
2066 - ewarn "connection is generally safe."
2067 - fi
2068 - done
2069 -
2070 - if [[ -n ${show_ssl_warning} ]]; then
2071 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
2072 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2073 - elog "and update all clients/servers that utilize them."
2074 - fi
2075 -
2076 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2077 - elog ""
2078 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
2079 - elog "and therefore disabled at runtime per default."
2080 - elog "Make sure your sshd_config is up to date and contains"
2081 - elog ""
2082 - elog " DisableMTAES yes"
2083 - elog ""
2084 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
2085 - elog ""
2086 - fi
2087 -}
2088
2089 diff --git a/net-misc/openssh/openssh-8.7_p1-r2.ebuild b/net-misc/openssh/openssh-8.7_p1-r2.ebuild
2090 deleted file mode 100644
2091 index c44fb1a6f829..000000000000
2092 --- a/net-misc/openssh/openssh-8.7_p1-r2.ebuild
2093 +++ /dev/null
2094 @@ -1,513 +0,0 @@
2095 -# Copyright 1999-2021 Gentoo Authors
2096 -# Distributed under the terms of the GNU General Public License v2
2097 -
2098 -EAPI=7
2099 -
2100 -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
2101 -
2102 -# Make it more portable between straight releases
2103 -# and _p? releases.
2104 -PARCH=${P/_}
2105 -
2106 -# PV to USE for HPN patches
2107 -#HPN_PV="${PV^^}"
2108 -HPN_PV="8.5_P1"
2109 -
2110 -HPN_VER="15.2"
2111 -HPN_PATCHES=(
2112 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
2113 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
2114 - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
2115 -)
2116 -
2117 -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2118 -X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
2119 -
2120 -DESCRIPTION="Port of OpenBSD's free SSH release"
2121 -HOMEPAGE="https://www.openssh.com/"
2122 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2123 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
2124 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
2125 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2126 -"
2127 -S="${WORKDIR}/${PARCH}"
2128 -
2129 -LICENSE="BSD GPL-2"
2130 -SLOT="0"
2131 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2132 -# Probably want to drop ssl defaulting to on in a future version.
2133 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
2134 -
2135 -RESTRICT="!test? ( test )"
2136 -
2137 -REQUIRED_USE="
2138 - hpn? ( ssl )
2139 - ldns? ( ssl )
2140 - pie? ( !static )
2141 - static? ( !kerberos !pam )
2142 - X509? ( !sctp ssl !xmss )
2143 - xmss? ( ssl )
2144 - test? ( ssl )
2145 -"
2146 -
2147 -# tests currently fail with XMSS
2148 -REQUIRED_USE+="test? ( !xmss )"
2149 -
2150 -LIB_DEPEND="
2151 - audit? ( sys-process/audit[static-libs(+)] )
2152 - ldns? (
2153 - net-libs/ldns[static-libs(+)]
2154 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2155 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2156 - )
2157 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2158 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2159 - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
2160 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2161 - ssl? (
2162 - || (
2163 - (
2164 - >=dev-libs/openssl-1.0.1:0[bindist(-)=]
2165 - <dev-libs/openssl-1.1.0:0[bindist(-)=]
2166 - )
2167 - >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
2168 - )
2169 - dev-libs/openssl:0=[static-libs(+)]
2170 - )
2171 - virtual/libcrypt:=[static-libs(+)]
2172 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]
2173 -"
2174 -RDEPEND="
2175 - acct-group/sshd
2176 - acct-user/sshd
2177 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2178 - pam? ( sys-libs/pam )
2179 - kerberos? ( virtual/krb5 )
2180 -"
2181 -DEPEND="${RDEPEND}
2182 - virtual/os-headers
2183 - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
2184 - static? ( ${LIB_DEPEND} )
2185 -"
2186 -RDEPEND="${RDEPEND}
2187 - pam? ( >=sys-auth/pambase-20081028 )
2188 - userland_GNU? ( !prefix? ( sys-apps/shadow ) )
2189 - X? ( x11-apps/xauth )
2190 -"
2191 -BDEPEND="
2192 - virtual/pkgconfig
2193 - sys-devel/autoconf
2194 -"
2195 -
2196 -pkg_pretend() {
2197 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2198 - # than not be able to log in to their server any more
2199 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2200 - local fail="
2201 - $(use hpn && maybe_fail hpn HPN_VER)
2202 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2203 - $(use X509 && maybe_fail X509 X509_PATCH)
2204 - "
2205 - fail=$(echo ${fail})
2206 - if [[ -n ${fail} ]] ; then
2207 - eerror "Sorry, but this version does not yet support features"
2208 - eerror "that you requested: ${fail}"
2209 - eerror "Please mask ${PF} for now and check back later:"
2210 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2211 - die "Missing requested third party patch."
2212 - fi
2213 -
2214 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2215 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
2216 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2217 - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
2218 - fi
2219 -}
2220 -
2221 -src_prepare() {
2222 - sed -i \
2223 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
2224 - pathnames.h || die
2225 -
2226 - # don't break .ssh/authorized_keys2 for fun
2227 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2228 -
2229 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
2230 - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2231 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2232 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2233 - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
2234 - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
2235 -
2236 - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
2237 -
2238 - local PATCHSET_VERSION_MACROS=()
2239 -
2240 - if use X509 ; then
2241 - pushd "${WORKDIR}" &>/dev/null || die
2242 - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
2243 - popd &>/dev/null || die
2244 -
2245 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2246 -
2247 - # We need to patch package version or any X.509 sshd will reject our ssh client
2248 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2249 - # error
2250 - einfo "Patching package version for X.509 patch set ..."
2251 - sed -i \
2252 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2253 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2254 -
2255 - einfo "Patching version.h to expose X.509 patch set ..."
2256 - sed -i \
2257 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2258 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2259 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2260 - fi
2261 -
2262 - if use sctp ; then
2263 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2264 -
2265 - einfo "Patching version.h to expose SCTP patch set ..."
2266 - sed -i \
2267 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2268 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2269 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2270 -
2271 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2272 - sed -i \
2273 - -e "/\t\tcfgparse \\\/d" \
2274 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2275 - fi
2276 -
2277 - if use hpn ; then
2278 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
2279 - mkdir "${hpn_patchdir}" || die
2280 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
2281 - pushd "${hpn_patchdir}" &>/dev/null || die
2282 - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
2283 - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
2284 - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
2285 - popd &>/dev/null || die
2286 -
2287 - eapply "${hpn_patchdir}"
2288 -
2289 - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
2290 -
2291 - einfo "Patching Makefile.in for HPN patch set ..."
2292 - sed -i \
2293 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2294 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2295 -
2296 - einfo "Patching version.h to expose HPN patch set ..."
2297 - sed -i \
2298 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
2299 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2300 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2301 -
2302 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2303 - einfo "Disabling known non-working MT AES cipher per default ..."
2304 -
2305 - cat > "${T}"/disable_mtaes.conf <<- EOF
2306 -
2307 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2308 - # and therefore disabled per default.
2309 - DisableMTAES yes
2310 - EOF
2311 - sed -i \
2312 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2313 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2314 -
2315 - sed -i \
2316 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2317 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2318 - fi
2319 - fi
2320 -
2321 - if use X509 || use sctp || use hpn ; then
2322 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2323 - sed -i \
2324 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2325 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2326 -
2327 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2328 - sed -i \
2329 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2330 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2331 -
2332 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2333 - sed -i \
2334 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2335 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2336 - fi
2337 -
2338 - sed -i \
2339 - -e "/#UseLogin no/d" \
2340 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2341 -
2342 - eapply_user #473004
2343 -
2344 - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
2345 - sed -e '/\t\tpercent \\/ d' \
2346 - -i regress/Makefile || die
2347 -
2348 - tc-export PKG_CONFIG
2349 - local sed_args=(
2350 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2351 - # Disable PATH reset, trust what portage gives us #254615
2352 - -e 's:^PATH=/:#PATH=/:'
2353 - # Disable fortify flags ... our gcc does this for us
2354 - -e 's:-D_FORTIFY_SOURCE=2::'
2355 - )
2356 -
2357 - # The -ftrapv flag ICEs on hppa #505182
2358 - use hppa && sed_args+=(
2359 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2360 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2361 - )
2362 - # _XOPEN_SOURCE causes header conflicts on Solaris
2363 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2364 - -e 's/-D_XOPEN_SOURCE//'
2365 - )
2366 - sed -i "${sed_args[@]}" configure{.ac,} || die
2367 -
2368 - eautoreconf
2369 -}
2370 -
2371 -src_configure() {
2372 - addwrite /dev/ptmx
2373 -
2374 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2375 - use static && append-ldflags -static
2376 - use xmss && append-cflags -DWITH_XMSS
2377 -
2378 - if [[ ${CHOST} == *-solaris* ]] ; then
2379 - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
2380 - # doesn't check for this, so force the replacement to be put in
2381 - # place
2382 - append-cppflags -DBROKEN_GLOB
2383 - fi
2384 -
2385 - # use replacement, RPF_ECHO_ON doesn't exist here
2386 - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
2387 -
2388 - local myconf=(
2389 - --with-ldflags="${LDFLAGS}"
2390 - --disable-strip
2391 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2392 - --sysconfdir="${EPREFIX}"/etc/ssh
2393 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
2394 - --datadir="${EPREFIX}"/usr/share/openssh
2395 - --with-privsep-path="${EPREFIX}"/var/empty
2396 - --with-privsep-user=sshd
2397 - $(use_with audit audit linux)
2398 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
2399 - # We apply the sctp patch conditionally, so can't pass --without-sctp
2400 - # unconditionally else we get unknown flag warnings.
2401 - $(use sctp && use_with sctp)
2402 - $(use_with ldns ldns "${EPREFIX}"/usr)
2403 - $(use_with libedit)
2404 - $(use_with pam)
2405 - $(use_with pie)
2406 - $(use_with selinux)
2407 - $(usex X509 '' "$(use_with security-key security-key-builtin)")
2408 - $(use_with ssl openssl)
2409 - $(use_with ssl md5-passwords)
2410 - $(use_with ssl ssl-engine)
2411 - $(use_with !elibc_Cygwin hardening) #659210
2412 - )
2413 -
2414 - if use elibc_musl; then
2415 - # stackprotect is broken on musl x86 and ppc
2416 - if use x86 || use ppc; then
2417 - myconf+=( --without-stackprotect )
2418 - fi
2419 -
2420 - # musl defines bogus values for UTMP_FILE and WTMP_FILE
2421 - # https://bugs.gentoo.org/753230
2422 - myconf+=( --disable-utmp --disable-wtmp )
2423 - fi
2424 -
2425 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2426 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2427 -
2428 - econf "${myconf[@]}"
2429 -}
2430 -
2431 -src_test() {
2432 - local t skipped=() failed=() passed=()
2433 - local tests=( interop-tests compat-tests )
2434 -
2435 - local shell=$(egetshell "${UID}")
2436 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2437 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2438 - elog "user, so we will run a subset only."
2439 - skipped+=( tests )
2440 - else
2441 - tests+=( tests )
2442 - fi
2443 -
2444 - # It will also attempt to write to the homedir .ssh.
2445 - local sshhome=${T}/homedir
2446 - mkdir -p "${sshhome}"/.ssh
2447 - for t in "${tests[@]}" ; do
2448 - # Some tests read from stdin ...
2449 - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
2450 - SUDO="" SSH_SK_PROVIDER="" \
2451 - TEST_SSH_UNSAFE_PERMISSIONS=1 \
2452 - emake -k -j1 ${t} </dev/null \
2453 - && passed+=( "${t}" ) \
2454 - || failed+=( "${t}" )
2455 - done
2456 -
2457 - einfo "Passed tests: ${passed[*]}"
2458 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2459 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2460 -}
2461 -
2462 -# Gentoo tweaks to default config files.
2463 -tweak_ssh_configs() {
2464 - local locale_vars=(
2465 - # These are language variables that POSIX defines.
2466 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
2467 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
2468 -
2469 - # These are the GNU extensions.
2470 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
2471 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
2472 - )
2473 -
2474 - # First the server config.
2475 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
2476 -
2477 - # Allow client to pass locale environment variables. #367017
2478 - AcceptEnv ${locale_vars[*]}
2479 -
2480 - # Allow client to pass COLORTERM to match TERM. #658540
2481 - AcceptEnv COLORTERM
2482 - EOF
2483 -
2484 - # Then the client config.
2485 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
2486 -
2487 - # Send locale environment variables. #367017
2488 - SendEnv ${locale_vars[*]}
2489 -
2490 - # Send COLORTERM to match TERM. #658540
2491 - SendEnv COLORTERM
2492 - EOF
2493 -
2494 - if use pam ; then
2495 - sed -i \
2496 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
2497 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2498 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2499 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2500 - "${ED}"/etc/ssh/sshd_config || die
2501 - fi
2502 -
2503 - if use livecd ; then
2504 - sed -i \
2505 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
2506 - "${ED}"/etc/ssh/sshd_config || die
2507 - fi
2508 -}
2509 -
2510 -src_install() {
2511 - emake install-nokeys DESTDIR="${D}"
2512 - fperms 600 /etc/ssh/sshd_config
2513 - dobin contrib/ssh-copy-id
2514 - newinitd "${FILESDIR}"/sshd-r1.initd sshd
2515 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
2516 -
2517 - if use pam; then
2518 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2519 - fi
2520 -
2521 - tweak_ssh_configs
2522 -
2523 - doman contrib/ssh-copy-id.1
2524 - dodoc CREDITS OVERVIEW README* TODO sshd_config
2525 - use hpn && dodoc HPN-README
2526 - use X509 || dodoc ChangeLog
2527 -
2528 - diropts -m 0700
2529 - dodir /etc/skel/.ssh
2530 -
2531 - # https://bugs.gentoo.org/733802
2532 - if ! use scp; then
2533 - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
2534 - || die "failed to remove scp"
2535 - fi
2536 -
2537 - rmdir "${ED}"/var/empty || die
2538 -
2539 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2540 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2541 -}
2542 -
2543 -pkg_preinst() {
2544 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
2545 - show_ssl_warning=1
2546 - fi
2547 -}
2548 -
2549 -pkg_postinst() {
2550 - local old_ver
2551 - for old_ver in ${REPLACING_VERSIONS}; do
2552 - if ver_test "${old_ver}" -lt "5.8_p1"; then
2553 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2554 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2555 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2556 - fi
2557 - if ver_test "${old_ver}" -lt "7.0_p1"; then
2558 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2559 - elog "Make sure to update any configs that you might have. Note that xinetd might"
2560 - elog "be an alternative for you as it supports USE=tcpd."
2561 - fi
2562 - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
2563 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2564 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2565 - elog "adding to your sshd_config or ~/.ssh/config files:"
2566 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2567 - elog "You should however generate new keys using rsa or ed25519."
2568 -
2569 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2570 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
2571 - elog "out of the box. If you need this, please update your sshd_config explicitly."
2572 - fi
2573 - if ver_test "${old_ver}" -lt "7.6_p1"; then
2574 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2575 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2576 - fi
2577 - if ver_test "${old_ver}" -lt "7.7_p1"; then
2578 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
2579 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
2580 - elog "if you need to authenticate against LDAP."
2581 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
2582 - fi
2583 - if ver_test "${old_ver}" -lt "8.2_p1"; then
2584 - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
2585 - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
2586 - ewarn "connection is generally safe."
2587 - fi
2588 - done
2589 -
2590 - if [[ -n ${show_ssl_warning} ]]; then
2591 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
2592 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2593 - elog "and update all clients/servers that utilize them."
2594 - fi
2595 -
2596 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2597 - elog ""
2598 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
2599 - elog "and therefore disabled at runtime per default."
2600 - elog "Make sure your sshd_config is up to date and contains"
2601 - elog ""
2602 - elog " DisableMTAES yes"
2603 - elog ""
2604 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
2605 - elog ""
2606 - fi
2607 -}
2608
2609 diff --git a/net-misc/openssh/openssh-8.8_p1-r2.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
2610 deleted file mode 100644
2611 index a8039cdc405f..000000000000
2612 --- a/net-misc/openssh/openssh-8.8_p1-r2.ebuild
2613 +++ /dev/null
2614 @@ -1,508 +0,0 @@
2615 -# Copyright 1999-2021 Gentoo Authors
2616 -# Distributed under the terms of the GNU General Public License v2
2617 -
2618 -EAPI=7
2619 -
2620 -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
2621 -
2622 -# Make it more portable between straight releases
2623 -# and _p? releases.
2624 -PARCH=${P/_}
2625 -
2626 -# PV to USE for HPN patches
2627 -#HPN_PV="${PV^^}"
2628 -HPN_PV="8.5_P1"
2629 -
2630 -HPN_VER="15.2"
2631 -HPN_PATCHES=(
2632 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
2633 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
2634 - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
2635 -)
2636 -
2637 -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2638 -X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
2639 -
2640 -DESCRIPTION="Port of OpenBSD's free SSH release"
2641 -HOMEPAGE="https://www.openssh.com/"
2642 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2643 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
2644 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
2645 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2646 -"
2647 -S="${WORKDIR}/${PARCH}"
2648 -
2649 -LICENSE="BSD GPL-2"
2650 -SLOT="0"
2651 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2652 -# Probably want to drop ssl defaulting to on in a future version.
2653 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
2654 -
2655 -RESTRICT="!test? ( test )"
2656 -
2657 -REQUIRED_USE="
2658 - hpn? ( ssl )
2659 - ldns? ( ssl )
2660 - pie? ( !static )
2661 - static? ( !kerberos !pam )
2662 - X509? ( !sctp ssl !xmss )
2663 - xmss? ( ssl )
2664 - test? ( ssl )
2665 -"
2666 -
2667 -# tests currently fail with XMSS
2668 -REQUIRED_USE+="test? ( !xmss )"
2669 -
2670 -LIB_DEPEND="
2671 - audit? ( sys-process/audit[static-libs(+)] )
2672 - ldns? (
2673 - net-libs/ldns[static-libs(+)]
2674 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2675 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2676 - )
2677 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2678 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2679 - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
2680 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2681 - ssl? (
2682 - || (
2683 - (
2684 - >=dev-libs/openssl-1.0.1:0[bindist(-)=]
2685 - <dev-libs/openssl-1.1.0:0[bindist(-)=]
2686 - )
2687 - >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
2688 - )
2689 - dev-libs/openssl:0=[static-libs(+)]
2690 - )
2691 - virtual/libcrypt:=[static-libs(+)]
2692 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]
2693 -"
2694 -RDEPEND="
2695 - acct-group/sshd
2696 - acct-user/sshd
2697 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2698 - pam? ( sys-libs/pam )
2699 - kerberos? ( virtual/krb5 )
2700 -"
2701 -DEPEND="${RDEPEND}
2702 - virtual/os-headers
2703 - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
2704 - static? ( ${LIB_DEPEND} )
2705 -"
2706 -RDEPEND="${RDEPEND}
2707 - pam? ( >=sys-auth/pambase-20081028 )
2708 - userland_GNU? ( !prefix? ( sys-apps/shadow ) )
2709 - X? ( x11-apps/xauth )
2710 -"
2711 -BDEPEND="
2712 - virtual/pkgconfig
2713 - sys-devel/autoconf
2714 -"
2715 -
2716 -pkg_pretend() {
2717 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2718 - # than not be able to log in to their server any more
2719 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2720 - local fail="
2721 - $(use hpn && maybe_fail hpn HPN_VER)
2722 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2723 - $(use X509 && maybe_fail X509 X509_PATCH)
2724 - "
2725 - fail=$(echo ${fail})
2726 - if [[ -n ${fail} ]] ; then
2727 - eerror "Sorry, but this version does not yet support features"
2728 - eerror "that you requested: ${fail}"
2729 - eerror "Please mask ${PF} for now and check back later:"
2730 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2731 - die "Missing requested third party patch."
2732 - fi
2733 -
2734 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2735 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
2736 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2737 - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
2738 - fi
2739 -}
2740 -
2741 -src_prepare() {
2742 - sed -i \
2743 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
2744 - pathnames.h || die
2745 -
2746 - # don't break .ssh/authorized_keys2 for fun
2747 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2748 -
2749 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
2750 - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2751 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2752 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2753 - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
2754 - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
2755 -
2756 - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
2757 -
2758 - local PATCHSET_VERSION_MACROS=()
2759 -
2760 - if use X509 ; then
2761 - pushd "${WORKDIR}" &>/dev/null || die
2762 - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
2763 - popd &>/dev/null || die
2764 -
2765 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2766 -
2767 - # We need to patch package version or any X.509 sshd will reject our ssh client
2768 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2769 - # error
2770 - einfo "Patching package version for X.509 patch set ..."
2771 - sed -i \
2772 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2773 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2774 -
2775 - einfo "Patching version.h to expose X.509 patch set ..."
2776 - sed -i \
2777 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2778 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2779 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2780 - fi
2781 -
2782 - if use sctp ; then
2783 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2784 -
2785 - einfo "Patching version.h to expose SCTP patch set ..."
2786 - sed -i \
2787 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2788 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2789 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2790 -
2791 - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
2792 - sed -i \
2793 - -e "/\t\tcfgparse \\\/d" \
2794 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2795 - fi
2796 -
2797 - if use hpn ; then
2798 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
2799 - mkdir "${hpn_patchdir}" || die
2800 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
2801 - pushd "${hpn_patchdir}" &>/dev/null || die
2802 - eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
2803 - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
2804 - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
2805 - popd &>/dev/null || die
2806 -
2807 - eapply "${hpn_patchdir}"
2808 -
2809 - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
2810 -
2811 - einfo "Patching Makefile.in for HPN patch set ..."
2812 - sed -i \
2813 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2814 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2815 -
2816 - einfo "Patching version.h to expose HPN patch set ..."
2817 - sed -i \
2818 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
2819 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2820 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2821 -
2822 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2823 - einfo "Disabling known non-working MT AES cipher per default ..."
2824 -
2825 - cat > "${T}"/disable_mtaes.conf <<- EOF
2826 -
2827 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2828 - # and therefore disabled per default.
2829 - DisableMTAES yes
2830 - EOF
2831 - sed -i \
2832 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2833 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2834 -
2835 - sed -i \
2836 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2837 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2838 - fi
2839 - fi
2840 -
2841 - if use X509 || use sctp || use hpn ; then
2842 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2843 - sed -i \
2844 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2845 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2846 -
2847 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2848 - sed -i \
2849 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2850 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2851 -
2852 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2853 - sed -i \
2854 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2855 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2856 - fi
2857 -
2858 - sed -i \
2859 - -e "/#UseLogin no/d" \
2860 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2861 -
2862 - eapply_user #473004
2863 -
2864 - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
2865 - sed -e '/\t\tpercent \\/ d' \
2866 - -i regress/Makefile || die
2867 -
2868 - tc-export PKG_CONFIG
2869 - local sed_args=(
2870 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2871 - # Disable PATH reset, trust what portage gives us #254615
2872 - -e 's:^PATH=/:#PATH=/:'
2873 - # Disable fortify flags ... our gcc does this for us
2874 - -e 's:-D_FORTIFY_SOURCE=2::'
2875 - )
2876 -
2877 - # The -ftrapv flag ICEs on hppa #505182
2878 - use hppa && sed_args+=(
2879 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2880 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2881 - )
2882 - # _XOPEN_SOURCE causes header conflicts on Solaris
2883 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2884 - -e 's/-D_XOPEN_SOURCE//'
2885 - )
2886 - sed -i "${sed_args[@]}" configure{.ac,} || die
2887 -
2888 - eautoreconf
2889 -}
2890 -
2891 -src_configure() {
2892 - addwrite /dev/ptmx
2893 -
2894 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2895 - use static && append-ldflags -static
2896 - use xmss && append-cflags -DWITH_XMSS
2897 -
2898 - if [[ ${CHOST} == *-solaris* ]] ; then
2899 - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
2900 - # doesn't check for this, so force the replacement to be put in
2901 - # place
2902 - append-cppflags -DBROKEN_GLOB
2903 - fi
2904 -
2905 - # use replacement, RPF_ECHO_ON doesn't exist here
2906 - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
2907 -
2908 - local myconf=(
2909 - --with-ldflags="${LDFLAGS}"
2910 - --disable-strip
2911 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2912 - --sysconfdir="${EPREFIX}"/etc/ssh
2913 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
2914 - --datadir="${EPREFIX}"/usr/share/openssh
2915 - --with-privsep-path="${EPREFIX}"/var/empty
2916 - --with-privsep-user=sshd
2917 - $(use_with audit audit linux)
2918 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
2919 - # We apply the sctp patch conditionally, so can't pass --without-sctp
2920 - # unconditionally else we get unknown flag warnings.
2921 - $(use sctp && use_with sctp)
2922 - $(use_with ldns ldns "${EPREFIX}"/usr)
2923 - $(use_with libedit)
2924 - $(use_with pam)
2925 - $(use_with pie)
2926 - $(use_with selinux)
2927 - $(usex X509 '' "$(use_with security-key security-key-builtin)")
2928 - $(use_with ssl openssl)
2929 - $(use_with ssl md5-passwords)
2930 - $(use_with ssl ssl-engine)
2931 - $(use_with !elibc_Cygwin hardening) #659210
2932 - )
2933 -
2934 - if use elibc_musl; then
2935 - # musl defines bogus values for UTMP_FILE and WTMP_FILE
2936 - # https://bugs.gentoo.org/753230
2937 - myconf+=( --disable-utmp --disable-wtmp )
2938 - fi
2939 -
2940 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2941 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2942 -
2943 - econf "${myconf[@]}"
2944 -}
2945 -
2946 -src_test() {
2947 - local t skipped=() failed=() passed=()
2948 - local tests=( interop-tests compat-tests )
2949 -
2950 - local shell=$(egetshell "${UID}")
2951 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2952 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2953 - elog "user, so we will run a subset only."
2954 - skipped+=( tests )
2955 - else
2956 - tests+=( tests )
2957 - fi
2958 -
2959 - # It will also attempt to write to the homedir .ssh.
2960 - local sshhome=${T}/homedir
2961 - mkdir -p "${sshhome}"/.ssh
2962 - for t in "${tests[@]}" ; do
2963 - # Some tests read from stdin ...
2964 - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
2965 - SUDO="" SSH_SK_PROVIDER="" \
2966 - TEST_SSH_UNSAFE_PERMISSIONS=1 \
2967 - emake -k -j1 ${t} </dev/null \
2968 - && passed+=( "${t}" ) \
2969 - || failed+=( "${t}" )
2970 - done
2971 -
2972 - einfo "Passed tests: ${passed[*]}"
2973 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2974 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2975 -}
2976 -
2977 -# Gentoo tweaks to default config files.
2978 -tweak_ssh_configs() {
2979 - local locale_vars=(
2980 - # These are language variables that POSIX defines.
2981 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
2982 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
2983 -
2984 - # These are the GNU extensions.
2985 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
2986 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
2987 - )
2988 -
2989 - # First the server config.
2990 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
2991 -
2992 - # Allow client to pass locale environment variables. #367017
2993 - AcceptEnv ${locale_vars[*]}
2994 -
2995 - # Allow client to pass COLORTERM to match TERM. #658540
2996 - AcceptEnv COLORTERM
2997 - EOF
2998 -
2999 - # Then the client config.
3000 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
3001 -
3002 - # Send locale environment variables. #367017
3003 - SendEnv ${locale_vars[*]}
3004 -
3005 - # Send COLORTERM to match TERM. #658540
3006 - SendEnv COLORTERM
3007 - EOF
3008 -
3009 - if use pam ; then
3010 - sed -i \
3011 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
3012 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
3013 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
3014 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
3015 - "${ED}"/etc/ssh/sshd_config || die
3016 - fi
3017 -
3018 - if use livecd ; then
3019 - sed -i \
3020 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
3021 - "${ED}"/etc/ssh/sshd_config || die
3022 - fi
3023 -}
3024 -
3025 -src_install() {
3026 - emake install-nokeys DESTDIR="${D}"
3027 - fperms 600 /etc/ssh/sshd_config
3028 - dobin contrib/ssh-copy-id
3029 - newinitd "${FILESDIR}"/sshd-r1.initd sshd
3030 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
3031 -
3032 - if use pam; then
3033 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
3034 - fi
3035 -
3036 - tweak_ssh_configs
3037 -
3038 - doman contrib/ssh-copy-id.1
3039 - dodoc CREDITS OVERVIEW README* TODO sshd_config
3040 - use hpn && dodoc HPN-README
3041 - use X509 || dodoc ChangeLog
3042 -
3043 - diropts -m 0700
3044 - dodir /etc/skel/.ssh
3045 -
3046 - # https://bugs.gentoo.org/733802
3047 - if ! use scp; then
3048 - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
3049 - || die "failed to remove scp"
3050 - fi
3051 -
3052 - rmdir "${ED}"/var/empty || die
3053 -
3054 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
3055 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
3056 -}
3057 -
3058 -pkg_preinst() {
3059 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
3060 - show_ssl_warning=1
3061 - fi
3062 -}
3063 -
3064 -pkg_postinst() {
3065 - local old_ver
3066 - for old_ver in ${REPLACING_VERSIONS}; do
3067 - if ver_test "${old_ver}" -lt "5.8_p1"; then
3068 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
3069 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
3070 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
3071 - fi
3072 - if ver_test "${old_ver}" -lt "7.0_p1"; then
3073 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
3074 - elog "Make sure to update any configs that you might have. Note that xinetd might"
3075 - elog "be an alternative for you as it supports USE=tcpd."
3076 - fi
3077 - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
3078 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
3079 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
3080 - elog "adding to your sshd_config or ~/.ssh/config files:"
3081 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
3082 - elog "You should however generate new keys using rsa or ed25519."
3083 -
3084 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
3085 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
3086 - elog "out of the box. If you need this, please update your sshd_config explicitly."
3087 - fi
3088 - if ver_test "${old_ver}" -lt "7.6_p1"; then
3089 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
3090 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
3091 - fi
3092 - if ver_test "${old_ver}" -lt "7.7_p1"; then
3093 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
3094 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
3095 - elog "if you need to authenticate against LDAP."
3096 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
3097 - fi
3098 - if ver_test "${old_ver}" -lt "8.2_p1"; then
3099 - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
3100 - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
3101 - ewarn "connection is generally safe."
3102 - fi
3103 - done
3104 -
3105 - if [[ -n ${show_ssl_warning} ]]; then
3106 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
3107 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
3108 - elog "and update all clients/servers that utilize them."
3109 - fi
3110 -
3111 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
3112 - elog ""
3113 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
3114 - elog "and therefore disabled at runtime per default."
3115 - elog "Make sure your sshd_config is up to date and contains"
3116 - elog ""
3117 - elog " DisableMTAES yes"
3118 - elog ""
3119 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
3120 - elog ""
3121 - fi
3122 -}