summaryrefslogtreecommitdiff
path: root/net-misc/openssh
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2021-12-25 20:34:27 +0000
committerV3n3RiX <venerix@koprulu.sector>2021-12-25 20:34:27 +0000
commit0f15659d48c193027158492acb726297501202c5 (patch)
tree5502ba879a78b759da28441d418dbbfe08bd8f03 /net-misc/openssh
parent93a93e9a3b53c1a73142a305ea1f8136846942ee (diff)
gentoo xmass resync : 25.12.2021
Diffstat (limited to 'net-misc/openssh')
-rw-r--r--net-misc/openssh/Manifest20
-rw-r--r--net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch13
-rw-r--r--net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch354
-rw-r--r--net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch72
-rw-r--r--net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch328
-rw-r--r--net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch104
-rw-r--r--net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch72
-rw-r--r--net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch357
-rw-r--r--net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch132
-rw-r--r--net-misc/openssh/metadata.xml1
-rw-r--r--net-misc/openssh/openssh-8.6_p1-r2.ebuild515
-rw-r--r--net-misc/openssh/openssh-8.7_p1-r2.ebuild513
-rw-r--r--net-misc/openssh/openssh-8.7_p1-r4.ebuild (renamed from net-misc/openssh/openssh-8.7_p1-r3.ebuild)2
-rw-r--r--net-misc/openssh/openssh-8.8_p1-r2.ebuild508
-rw-r--r--net-misc/openssh/openssh-8.8_p1-r4.ebuild (renamed from net-misc/openssh/openssh-8.8_p1-r3.ebuild)49
15 files changed, 20 insertions, 3020 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index e64565fab4f3..5348d4d51e55 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -3,16 +3,8 @@ AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1
AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70
AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BLAKE2B b2e28683176c4678f51a9a0be3e29496620ac795c7de4649fb3cc0bd076682e42bc1c606b17a76e140f51319e4c4a1cc890c3a37c4bc3cf9222a88e31b8a773f SHA512 8c2567ae16dccc73e302ba90c1bb03e19d4afc3892dd8e1636d7c8853932662eccbda3957e4db55a21bd37d2e65abe74b0b2c1efb74e31751335eb523759d945
AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310
-AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed
AUX openssh-8.3_p1-sha2-include.patch 370 BLAKE2B 3d9ee891d9d647f4ff3b42d47cae4c7a32533bce917b35101fd3c5549717a6b285423894b3372ecb6983d4425c712f4b0590fc95799fd521523d9d74860863c6 SHA512 a1edda5dc43af79e9e4e7d3bcd78cc1c2dbf40e94f22189022dcaf1107c8f2cb2a37c949af5955144f6ada210417a695fe0c4d05d52ba2dbafb1dddf6a1bac3f
-AUX openssh-8.5_p1-GSSAPI-dns.patch 11631 BLAKE2B 9ed39b04f320612f166b091979a21e7765d19afc3947a95dd3019da25eefcad32fcf2a3f17813441fce87cc03a28e0a52ac1aad3ac4b5b7ecdf3f4f8c391ba4a SHA512 d28f7df54af4cc998e1978a6c0fcb28f88affaad4a347084e429549bc0f74347dd8ad79c0ced0ca5a739e2c3cc19f6516aeb678f3a9709c40f1d0fa16d93b9e4
-AUX openssh-8.5_p1-X509-glue-13.0.1.patch 2714 BLAKE2B 03a00a1b9c62d75688706e3f4950510bafea6ae524a3bdbd08a7f059663eae3ff386ffa1ea1edfbf3349231a53b314625778043f39bb52395ffe9ef2a45a8400 SHA512 1ddf7c62ff3e73278a88f9afe5085c4101ef2cae4383cfa7bddc90403db5ea2c9c0fc630d31dc72072c4c008034f02b30cfea149aeb95e70c74292f3b978471b
-AUX openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch 11238 BLAKE2B 3d16907f7330b3e30705610c10f5b5037837442df6840231073ae8d0202543b006bf9b9597df50a3173bbb823050e9c2cb5a391ed5f96c4ac2194fb1e97316a9 SHA512 d1fea164d8431282c150a513886c428f7225eb11980bd7c9cae88754d1165ec799e1ef30b17ffa38990b6c58d9626a412abd550909e34f623f311444e097baaa
-AUX openssh-8.5_p1-hpn-15.2-glue.patch 3856 BLAKE2B 1661bb20e523141aae3f988f5dac664ec6f3d6517512596183c9c26d051a75b8d013e0d6e7c21aabb597b5c1a7e768c429bdef70bbfe59071f6e4cbb0956960d SHA512 0439ad0f0ab6dc21dd4279c6d252884e3c2ddaba76a207b3b26c88d8a6b8d873cc08345a1a90b8046ec79d33f47395d87e52d5b44b155a186a8aa16d316b82a9
AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd
-AUX openssh-8.6_p1-X509-glue-13.1.patch 2701 BLAKE2B bb1ec4018e23213117bae52c83100e47818898e06890448a82371cbd2f3f96832350c2d4fb5a7455d8d97f3ddef61cfdb106b14ed9985d741f417741dffdf328 SHA512 922d7be6671cfaeac47b28dd73e57f3f20ba10c308aa5812dec965cb0a348724a7936bbbc79a2d2987762e4fa4989f9c85963f4eddab9ca103971a61925f7c47
-AUX openssh-8.6_p1-hpn-15.2-X509-glue.patch 12374 BLAKE2B adb5327ca665f2dc89517882a78299b27dcbcffd07d304be9967900a4955464cc8fb8c5fb30124a562bc3ab98922b7ef72e7119f226e42987c0ea59ca9251b5c SHA512 b68334674c7cdb78a78af1711a822913be37a8ebaf34822d16db05e884a0b3cf576647955776df018c1e61ab9ba50ddb25f9888e0d50a9042c7942b609b34274
-AUX openssh-8.6_p1-hpn-15.2-glue.patch 4773 BLAKE2B c0db810f7c6e73b307cd9f89b9c4e8a858fde9e5fcc2f39ce02dde213d632b04edf246ec84ff69511b6e74cf4ca67395763b501cb2ddb738c20f9fa48cd4a79b SHA512 8774305853029eee9b024bc1da68134e061aa7ac1087a950e23e39160e11435b0ea9787d3490cc7f1854a9608f11abda9d271fcdce28aceb7089cfa03304e585
AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02
AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd
AUX openssh-8.7_p1-X509-glue-13.2.1.patch 1679 BLAKE2B 2f79c3bc5b3fd93cce0aea23cd16b98fd8031b2ebed21a5360ec84e43ec02565e464fa47db99421f8b94994073823e4dfe590bd5374bf803c8065f1a8c065d6b SHA512 05796a8c6e01456d4e6ad0cc66490b7a9479f8f36854532b392b49c20d3a62e77e13f067b77460b2b3098a6ada3944f821220aa663d6a766cb9d9e1f9bcc6b9d
@@ -26,9 +18,6 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a
AUX sshd.service 259 BLAKE2B e65ea7227658295584c3fdee3bf46f098c1c5a53a0b433e88ae8d43f0823fade25846a5f3abbacf939a13af8195a888d0ffb937e8da943478e76eea7c0e13c82 SHA512 9656ae4c045ba47ad28f983e50d1119d51c1d0a7471fe8e792d6f734a71c8d4d900431b591f2f40bb8af3a382e6215933ae32eff56de6da0f2f166d6fb855987
AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42
AUX sshd_at.service 177 BLAKE2B 0e78184f58cb4c68fb834953fac3ce01f9e39e9eb1a84c03f720205f5b611365c9a48fba445962c06c7e18bdb310cdb9ffe4fc49e95f69608922d224b00c890b SHA512 423120ea2e1ac0b92575ce4eb05347483f902238dc104848e74088f49483c37d30c27364e7fe8599b3e85562159c69284ecf25a4c5394b4cfa18c5c77c6beacd
-DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
-DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
-DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5
DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
@@ -38,9 +27,6 @@ DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-EBUILD openssh-8.6_p1-r2.ebuild 17655 BLAKE2B 51c2e441eebfab62ebb34eb83ab11ca024ff50a8a3444db82014e554c7d89de10757a45b0f81f4d704977cc7c75a55bae46dbd32bb88132950b72c8cb583073e SHA512 5014bbcde62554e03814906c13521a2db2dcb8df1107d1b2825a9296c85fa76a68c70f07317e57145b46f28b0d5a772aaa03b9e3f6b42db2b3fc0f3be416e527
-EBUILD openssh-8.7_p1-r2.ebuild 17549 BLAKE2B 00b3970d5724d32f81935906c8d63be1bae00a2dc5e753c039cba60ed0f1fba13c6de4a34202c34581ddb4ffe04e9a63f1268880ba2528b8f184db50276a3dd8 SHA512 ef26ff570235d2f0557ac98471f8d9eb9645d925e45d426f89981d8ace599257e5e479d920280a7bdb35ef74918fb629f6a3e5bbb6a26a265cbc667687875bdb
-EBUILD openssh-8.7_p1-r3.ebuild 17203 BLAKE2B fb53113ee453fd7a6373761fe0f8f5981fd97acd0f9388710a891f481d681cd3ad491071153e80cb3e7988e189b3f5f6b81de777094e4bd7e6da1a4009179206 SHA512 8cfe82b6d523bd5584eadc5b2469cf3f509051068596160b7a39ee3d887aa5ecc6b7c805e321aa29fe84340872572fb46771ab1bf6c917c69d56518286b6cce7
-EBUILD openssh-8.8_p1-r2.ebuild 17437 BLAKE2B 774044490edbe4b1c7b3b187fbad7f94a347ad28d750153b4a7b73a5b6897ffc8f95dfd01603351b99cbfab9a432224adc53ef5e65b5ba3610de30c88976c215 SHA512 bb7d9707cde3070ed5826a473909022eaaebca2a0d8f2b4b18aafc325a0b22ce0e38fc5f387260e243506413a177ab78dd31288c354c5606a4076d385e03f481
-EBUILD openssh-8.8_p1-r3.ebuild 17220 BLAKE2B 3451f58d25412f8ed8e7d8211196beee2c8904eb00c74cc1a99df03cc285ef4dcb2bc73a0afe9c729cde8e446a5f6096bdeb7f2864bb8dc271507fdbc5b5faa5 SHA512 7865293de246ca81061a73899f0d2ee8d4348928febb6850da36d270c6d4336b98c290c75a4eca69cc30d0cc4f2b5e4679d7f50aeee347a680e0a7f35e7fea90
-MISC metadata.xml 2102 BLAKE2B 4b1464bbe657cd70e0787f1030354bf5cd87d43f4e19fbaf3686ffdf4c001449511d93d2549a29b4f11faa7901476d85ea7e2555b31f94a97bf73b7912230439 SHA512 ee3fd9db64eced5ef136dec87e5fe965381d2b83247af6e65c9f205adc8758b7bf90a3e45c0fe15dfe82e9aa0f6f25411b58183b8a56ef0ad51026cacbcd89a1
+EBUILD openssh-8.7_p1-r4.ebuild 17206 BLAKE2B b730e377c8b6f9f5c20c37cb902e17415cc70d3a64f5043ba8e9195ed8912942686febd1e411d45155fc6abe9f81f6118fd83a2a66f25fcf0aebc371494c28a2 SHA512 741b4e2b9c0adf1b9c5042f338ddc42728a60aef904d3b04b9a06893e1d1562b6ec6c7decab4694381346cebc0dbcf29e908fa8028617ebe72a70ed1c0351109
+EBUILD openssh-8.8_p1-r4.ebuild 16716 BLAKE2B 922069eff2e0eaa56e07bbb70c0390ea98b769eb88184b5d224c1c6c1b385a0820168c5da2c9dd51e61fb8d4f342eba69d1468e8fbc13f287095c1df89b25857 SHA512 a884880cbe92972f47d7ef8785f0a0945c3d2176d75d608b96042cb7c6d0157c8e06a6addb92962a58e4ec700df2ce8f920d53a5b22f1a56336b3b4cae635379
+MISC metadata.xml 2013 BLAKE2B 5d452c9b16516ff3a7e01ae7a6f95102bec19b3f0df1aa4607558b012718e14e72e24fa09c1bd3ea6bc48506a7fc55180a9e4735809381bf4535569de59b1409 SHA512 5b56870f1e203f339b57792fca7ddcdf488be2f010c0a23e0b811825e0d8f2f5823c2f4ae8a2ec05b27ffd663fac4f8029a3b2bede9fa1beac067f5b5a57d6bd
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
deleted file mode 100644
index 37905ce6afca..000000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- if (version_addendum != NULL && *version_addendum == '\0')
- version_addendum = NULL;
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- version_addendum == NULL ? "" : " ",
- version_addendum == NULL ? "" : version_addendum)) != 0) {
- error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
deleted file mode 100644
index eec66ade4b4e..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,354 +0,0 @@
---- a/auth.c 2021-03-02 04:31:47.000000000 -0600
-+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
-@@ -727,119 +727,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) == -1) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return xstrdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return xstrdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return xstrdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return xstrdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return xstrdup(ntop);
-- }
-- return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
-
- /* These functions link key/cert options to the auth framework */
-
---- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
-+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) == -1) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return xstrdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return xstrdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return xstrdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return xstrdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return xstrdup(ntop);
-+ }
-+ return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
-diff --git a/readconf.c b/readconf.c
-index 724974b7..97a1ffd8 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -206,9 +207,11 @@ static struct {
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "pkcs11provider", oPKCS11Provider },
-@@ -1083,6 +1086,10 @@ parse_time:
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index 2fba866e..da3ce87a 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index f8119189..e0fd0d76 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -783,6 +783,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 059c9480..ab6f6832 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
- OM_uint32 min;
- int r, ok = 0;
- gss_OID mech = NULL;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(ssh, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
- elements[authctxt->mech_tried];
- /* My DER encoding requires length<128 */
- if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
-- mech, authctxt->host)) {
-+ mech, gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- authctxt->mech_tried++;
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
deleted file mode 100644
index c7812c622c26..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700
-+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700
-@@ -46675,12 +46675,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -380,6 +364,8 @@
-+@@ -380,6 +364,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -63967,7 +63966,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
-@@ -63982,7 +63981,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
- verbose "$tid: kex $k"
-@@ -63997,7 +63996,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- if [ "`${SSH} -Q compression`" = "none" ]; then
- comp="0"
-@@ -64129,9 +64128,9 @@
-
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+ unset_arg=''
-++ unset_arg=
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -122247,16 +122246,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.5"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
- --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
deleted file mode 100644
index 413cc8b9c3dc..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -898,20 +898,20 @@
- options->fingerprint_hash = -1;
- options->update_hostkeys = -1;
- + options->disable_multithreaded = -1;
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ }
-+
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -235,9 +265,8 @@
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-+ (r = sshpkt_send(ssh)) != 0)
-+ fatal_fr(r, "channel %d", c->self);
- - debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,26 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
--+ /* TODO: need to use new method to test for this */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-++ bugs |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -1035,19 +1088,6 @@
-
- /* File to read commands from */
- FILE* infile;
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error_r(r, "Unable to load resident keys");
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1335,6 +1375,28 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,13 +1625,14 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-+- ssh_digest_free(ctx);
-++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ ssh_digest_free(ctx);
-++ }
-+ ctx = NULL;
-+ return;
-+ }
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
-@@ -1405,14 +1467,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
--
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-+
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-++ if (win_size > 45) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 8827fe88d7aa..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700
-@@ -536,18 +536,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -598,12 +576,11 @@
- };
-
- typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
- int ssh_packet_set_maxsize(struct ssh *, u_int);
- u_int ssh_packet_get_maxsize(struct ssh *);
-
- +/* for forced packet rekeying post auth */
--+void packet_request_rekeying(void);
- +int packet_authentication_state(const struct ssh *);
- +
- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->nonemac_enabled == -1)
-@@ -1330,9 +1307,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
deleted file mode 100644
index e23063b5db2e..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700
-+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700
-@@ -47728,12 +47728,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -389,6 +366,8 @@
-+@@ -389,6 +366,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -65001,7 +65000,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
-@@ -65016,7 +65015,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
- verbose "$tid: kex $k"
-@@ -65031,7 +65030,7 @@
- - echo "putty interop tests not enabled"
- - exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
-
- if [ "`${SSH} -Q compression`" = "none" ]; then
- comp="0"
-@@ -65163,9 +65162,9 @@
-
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+ unset_arg=''
-++ unset_arg=
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -124084,16 +124083,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
----- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300
--+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.6"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
- --- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 714dffc41712..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -898,20 +898,20 @@
- options->fingerprint_hash = -1;
- options->update_hostkeys = -1;
- + options->disable_multithreaded = -1;
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ }
-+
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -235,9 +265,8 @@
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-+ (r = sshpkt_send(ssh)) != 0)
-+ fatal_fr(r, "channel %d", c->self);
- - debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,26 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
--+ /* TODO: need to use new method to test for this */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-++ bugs |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +606,7 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
- fd_set *setp;
-@@ -1035,19 +1088,6 @@
-
- /* Minimum amount of data to read at a time */
- #define MIN_READ_SIZE 512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error_r(r, "Unable to load resident keys");
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1335,7 +1375,29 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-+- ssh_digest_free(ctx);
-++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ ssh_digest_free(ctx);
-++ }
-+ ctx = NULL;
-+ return;
-+ }
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
-
-@@ -1355,7 +1417,7 @@
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
-
-@@ -1365,7 +1427,7 @@
- /*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
- struct kex *kex;
- int r;
-
-@@ -1405,14 +1467,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
--
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-+
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-++ if (win_size > 45) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 30c0252ccb55..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700
-@@ -536,18 +536,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -598,12 +576,11 @@
- };
-
- typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
- int ssh_packet_set_maxsize(struct ssh *, u_int);
- u_int ssh_packet_get_maxsize(struct ssh *);
-
- +/* for forced packet rekeying post auth */
--+void packet_request_rekeying(void);
- +int packet_authentication_state(const struct ssh *);
- +
- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
- Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
--
-- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN 32768
-+
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS 64
-++#define DEFAULT_NUM_REQUESTS 256
-
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE 512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 58ff739e1d4c..f23eae1e1222 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
diff --git a/net-misc/openssh/openssh-8.6_p1-r2.ebuild b/net-misc/openssh/openssh-8.6_p1-r2.ebuild
deleted file mode 100644
index f896a51951ac..000000000000
--- a/net-misc/openssh/openssh-8.6_p1-r2.ebuild
+++ /dev/null
@@ -1,515 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp !security-key ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist(-)=]
- <dev-libs/openssl-1.1.0:0[bindist(-)=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "Missing requested third party patch."
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- # workaround for https://bugs.gentoo.org/734984
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
- use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
- sed -e '/\t\tpercent \\/ d' \
- -i regress/Makefile || die
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
- # doesn't check for this, so force the replacement to be put in
- # place
- append-cppflags -DBROKEN_GLOB
- fi
-
- # use replacement, RPF_ECHO_ON doesn't exist here
- [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(usex X509 '' "$(use_with security-key security-key-builtin)")
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- if use elibc_musl; then
- # stackprotect is broken on musl x86 and ppc
- if use x86 || use ppc; then
- myconf+=( --without-stackprotect )
- fi
-
- # musl defines bogus values for UTMP_FILE and WTMP_FILE
- # https://bugs.gentoo.org/753230
- myconf+=( --disable-utmp --disable-wtmp )
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- if use pam; then
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- fi
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
- fi
-
- rmdir "${ED}"/var/empty || die
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}
diff --git a/net-misc/openssh/openssh-8.7_p1-r2.ebuild b/net-misc/openssh/openssh-8.7_p1-r2.ebuild
deleted file mode 100644
index c44fb1a6f829..000000000000
--- a/net-misc/openssh/openssh-8.7_p1-r2.ebuild
+++ /dev/null
@@ -1,513 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- hpn? ( ssl )
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist(-)=]
- <dev-libs/openssl-1.1.0:0[bindist(-)=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "Missing requested third party patch."
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
- use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
- sed -e '/\t\tpercent \\/ d' \
- -i regress/Makefile || die
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
- # doesn't check for this, so force the replacement to be put in
- # place
- append-cppflags -DBROKEN_GLOB
- fi
-
- # use replacement, RPF_ECHO_ON doesn't exist here
- [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(usex X509 '' "$(use_with security-key security-key-builtin)")
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- if use elibc_musl; then
- # stackprotect is broken on musl x86 and ppc
- if use x86 || use ppc; then
- myconf+=( --without-stackprotect )
- fi
-
- # musl defines bogus values for UTMP_FILE and WTMP_FILE
- # https://bugs.gentoo.org/753230
- myconf+=( --disable-utmp --disable-wtmp )
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- if use pam; then
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- fi
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
- fi
-
- rmdir "${ED}"/var/empty || die
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}
diff --git a/net-misc/openssh/openssh-8.7_p1-r3.ebuild b/net-misc/openssh/openssh-8.7_p1-r4.ebuild
index 488f832c164c..0d7b0c47c069 100644
--- a/net-misc/openssh/openssh-8.7_p1-r3.ebuild
+++ b/net-misc/openssh/openssh-8.7_p1-r4.ebuild
@@ -57,7 +57,7 @@ LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
- net-libs/ldns[ecdsa,ssl(+)]
+ net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
diff --git a/net-misc/openssh/openssh-8.8_p1-r2.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild
deleted file mode 100644
index a8039cdc405f..000000000000
--- a/net-misc/openssh/openssh-8.8_p1-r2.ebuild
+++ /dev/null
@@ -1,508 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- hpn? ( ssl )
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist(-)=]
- <dev-libs/openssl-1.1.0:0[bindist(-)=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist(-)=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "Missing requested third party patch."
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
- use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
- sed -e '/\t\tpercent \\/ d' \
- -i regress/Makefile || die
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
- # doesn't check for this, so force the replacement to be put in
- # place
- append-cppflags -DBROKEN_GLOB
- fi
-
- # use replacement, RPF_ECHO_ON doesn't exist here
- [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(usex X509 '' "$(use_with security-key security-key-builtin)")
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- if use elibc_musl; then
- # musl defines bogus values for UTMP_FILE and WTMP_FILE
- # https://bugs.gentoo.org/753230
- myconf+=( --disable-utmp --disable-wtmp )
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- if use pam; then
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- fi
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
- fi
-
- rmdir "${ED}"/var/empty || die
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}
diff --git a/net-misc/openssh/openssh-8.8_p1-r3.ebuild b/net-misc/openssh/openssh-8.8_p1-r4.ebuild
index 1c1068878712..cc2c72f2fd25 100644
--- a/net-misc/openssh/openssh-8.8_p1-r3.ebuild
+++ b/net-misc/openssh/openssh-8.8_p1-r4.ebuild
@@ -34,7 +34,7 @@ S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
@@ -57,7 +57,7 @@ LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
- net-libs/ldns[ecdsa,ssl(+)]
+ net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
@@ -92,16 +92,14 @@ BDEPEND="
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
+ local missing=()
+ check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
+ check_feature hpn HPN_VER
+ check_feature sctp SCTP_PATCH
+ check_feature X509 X509_PATCH
+ if [[ ${#missing[@]} -ne 0 ]] ; then
eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
+ eerror "that you requested: ${missing[*]}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
@@ -320,34 +318,19 @@ src_configure() {
}
src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
+ local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
+ ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ ewarn "user, so we will run a subset only."
+ tests+=( interop-tests )
else
tests+=( tests )
fi
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
- SUDO="" SSH_SK_PROVIDER="" \
- TEST_SSH_UNSAFE_PERMISSIONS=1 \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+ local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+ mkdir -p "${HOME}"/.ssh || die
+ emake -j1 "${tests[@]}" </dev/null
}
# Gentoo tweaks to default config files.