gentoo auto-resync : 11:05:2023 - 23:47:37

18 files changed, 804 insertions, 0 deletions

diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 000000000000..fa33af39b6f8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status.  that is,
+whether it is a beta or release.  when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	 * For versions >= 1.0.0, major,minor,status must match and library
+ 	 * fix version must be equal to or newer than the header.
+ 	 */
+-	mask = 0xfff0000fL; /* major,minor,status */
++	mask = 0xfff00000L; /* major,minor,status */
+ 	hfix = (headerver & 0x000ff000) >> 12;
+ 	lfix = (libver & 0x000ff000) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 000000000000..a5647ce9d8d3
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+ 
+ tid="conch ciphers"
+ 
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ 	echo "conch interop tests not enabled"
+ 	exit 0
diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
new file mode 100644
index 000000000000..c5697c2b8bd1
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
@@ -0,0 +1,48 @@
+diff --git a/auth-options.c b/auth-options.c
+index b05d6d6f..d1f42f04 100644
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -26,6 +26,7 @@
+ #include <stdarg.h>
+ #include <ctype.h>
+ #include <limits.h>
++#include <stdlib.h>
+ 
+ #include "openbsd-compat/sys-queue.h"
+ 
+diff --git a/hmac.c b/hmac.c
+index 1c879640..a29f32c5 100644
+--- a/hmac.c
++++ b/hmac.c
+@@ -19,6 +19,7 @@
+ 
+ #include <sys/types.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "digest.h"
+diff --git a/krl.c b/krl.c
+index 8e2d5d5d..c32e147a 100644
+--- a/krl.c
++++ b/krl.c
+@@ -28,6 +28,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "ssherr.h"
+diff --git a/mac.c b/mac.c
+index 51dc11d7..3d11eba6 100644
+--- a/mac.c
++++ b/mac.c
+@@ -29,6 +29,7 @@
+ 
+ #include <string.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ 
+ #include "digest.h"
+ #include "hmac.h"
diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
new file mode 100644
index 000000000000..4310aa123fc8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+ 
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ 	verbose "$tid: cipher $c"
++	rm -f ${COPY}
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/cipher_$c
+ 	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ 
+-	rm -f ${COPY}
++	env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ 	    cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ 	    ${OBJ}/.putty/sessions/kex_$k
+ 	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ 
++	env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ 	if [ $? -ne 0 ]; then
+ 		fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/compression_$c
+ 	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++	env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ 	    -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then
diff --git a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
new file mode 100644
index 000000000000..7199227589c6
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
@@ -0,0 +1,18 @@
+diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
+@@ -1414,14 +1414,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.5"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn15v2"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
new file mode 100644
index 000000000000..6dc290d6737b
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
@@ -0,0 +1,13 @@
+diff --git a/kex.c b/kex.c
+index 34808b5c..88d7ccac 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ 	if (version_addendum != NULL && *version_addendum == '\0')
+ 		version_addendum = NULL;
+ 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ 	    version_addendum == NULL ? "" : " ",
+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
+ 		oerrno = errno;
diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
new file mode 100644
index 000000000000..ffc40b70ae3d
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,357 @@
+diff --git a/auth.c b/auth.c
+index 00b168b4..8ee93581 100644
+--- a/auth.c
++++ b/auth.c
+@@ -729,118 +729,6 @@ fakepw(void)
+ 	return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on based on conflation of hostnames and IP addresses.
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) == -1) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return xstrdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return xstrdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return xstrdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return xstrdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return xstrdup(ntop);
+-	}
+-	return xstrdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+-
+ /* These functions link key/cert options to the auth framework */
+ 
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
+diff --git a/canohost.c b/canohost.c
+index a810da0e..18e9d8d4 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) == -1) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return xstrdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return xstrdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return xstrdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return xstrdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return xstrdup(ntop);
++	}
++	return xstrdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}
+diff --git a/readconf.c b/readconf.c
+index 03369a08..b45898ce 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -207,9 +208,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "pkcs11provider", oPKCS11Provider },
+@@ -1117,6 +1120,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ 	options->pubkey_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index f7d53b06..c3a91898 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -40,6 +40,7 @@ typedef struct {
+ 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index cd0eea86..27101943 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -832,6 +832,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fea50fab..aeff639b 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+ 	OM_uint32 min;
+ 	int r, ok = 0;
+ 	gss_OID mech = NULL;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(ssh, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		    elements[authctxt->mech_tried];
+ 		/* My DER encoding requires length<128 */
+ 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+-		    mech, authctxt->host)) {
++		    mech, gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			authctxt->mech_tried++;
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 000000000000..8c46625aa29c
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ 	SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++	SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ 	SC_ALLOW(__NR_poll),
+ #endif
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 000000000000..9e08b2a553c2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,13 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ 		gss_create_empty_oid_set(&status, &oidset);
+ 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ 
+-		if (gethostname(lname, MAXHOSTNAMELEN)) {
++		if (gethostname(lname, HOST_NAME_MAX)) {
+ 			gss_release_oid_set(&status, &oidset);
+ 			return (-1);
+ 		}
diff --git a/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
new file mode 100644
index 000000000000..2a83ed37d138
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
@@ -0,0 +1,12 @@
+diff -ur a/auth2.c b/auth2.c
+--- a/auth2.c	2022-05-19 15:59:32.875160028 -0700
++++ b/auth2.c	2022-05-19 16:03:44.291594908 -0700
+@@ -226,7 +226,7 @@
+ 	int digest_alg;
+ 	size_t len;
+ 	u_char *hash;
+-	double delay;
++	double delay = 0;
+ 
+ 	digest_alg = ssh_digest_maxbytes();
+ 	if (len = ssh_digest_bytes(digest_alg) > 0) {
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
new file mode 100644
index 000000000000..4d098b2231c7
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,20 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..d93a357c6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_statx
+ 	SC_DENY(__NR_statx, EACCES),
+ #endif
++#ifdef __NR_shmget
++	SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++	SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++	SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..b571ae253fff
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
@@ -0,0 +1,58 @@
+https://bugzilla.mindrot.org/show_bug.cgi?id=3548
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
+-		return (headerver & mask) == (libver & mask);
++	/*
++	 * For versions < 3.0.0, major,minor,status must match and library
++	 * fix version must be equal to or newer than the header.
++	 */
++	if (headerver < 0x3000000f) {
++		mask = 0xfff0000fL; /* major,minor,status */
++		hfix = (headerver & 0x000ff000) >> 12;
++		lfix = (libver & 0x000ff000) >> 12;
++		if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
++			return 1;
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
++	 * For versions >= 3.0.0, major must match and minor,status must be
++	 * equal to or greater than the header.
+ 	 */
+-	mask = 0xfff00000L; /* major,minor,status */
+-	hfix = (headerver & 0x000ff000) >> 12;
+-	lfix = (libver & 0x000ff000) >> 12;
++	mask = 0xf000000fL; /* major, status */
++	hfix = (headerver & 0x0ffffff0L) >> 12;
++	lfix = (libver & 0x0ffffff0L) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+ 		return 1;
+ 	return 0;
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -31,7 +31,7 @@ struct version_test {
+ 	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
+ 	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
+ 	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
+-	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
++	{ 0x0090802fL, 0x0090902fL, 1},	/* newer library minor version: ok */
+ 	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
+ 	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
+ 
+@@ -41,7 +41,7 @@ struct version_test {
+ 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
+ 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
+ 	{ 0x1000101fL, 0x1000001fL, 0},	/* older library fix version: NO */
+-	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
++	{ 0x1000101fL, 0x1010101fL, 1},	/* newer library minor version: ok */
+ 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
+ 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
+ };
diff --git a/net-misc/openssh-contrib/files/sshd-r1.confd b/net-misc/openssh-contrib/files/sshd-r1.confd
new file mode 100644
index 000000000000..cf430371bf0f
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/net-misc/openssh-contrib/files/sshd-r1.initd b/net-misc/openssh-contrib/files/sshd-r1.initd
new file mode 100644
index 000000000000..e91cd0116cd4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.initd
@@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# Make sure that the user's config isn't busted before we try
+	# to start the daemon (this will produce better error messages
+	# than if we just try to start it blindly).
+	#
+	# We always need to call checkconfig because this function will
+	# also generate any missing host key and you can start a
+	# non-running service with "restart" argument.
+	checkconfig || return $?
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}
diff --git a/net-misc/openssh-contrib/files/sshd.pam_include.2 b/net-misc/openssh-contrib/files/sshd.pam_include.2
new file mode 100644
index 000000000000..b801aaafa0f9
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth       include	system-remote-login
+account    include	system-remote-login
+password   include	system-remote-login
+session	   include	system-remote-login
diff --git a/net-misc/openssh-contrib/files/sshd.service.1 b/net-misc/openssh-contrib/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openssh-contrib/files/sshd.socket b/net-misc/openssh-contrib/files/sshd.socket
new file mode 100644
index 000000000000..94b9533180da
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/net-misc/openssh-contrib/files/sshd_at.service.1 b/net-misc/openssh-contrib/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal