gentoo xmass resync : 25.12.2021

8 files changed, 0 insertions, 1432 deletions

diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
deleted file mode 100644
index 37905ce6afca..000000000000
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- 	if (version_addendum != NULL && *version_addendum == '\0')
- 		version_addendum = NULL;
- 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
--	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- 	    version_addendum == NULL ? "" : " ",
- 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
deleted file mode 100644
index eec66ade4b4e..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,354 +0,0 @@
---- a/auth.c	2021-03-02 04:31:47.000000000 -0600
-+++ b/auth.c	2021-03-04 11:22:44.590041696 -0600
-@@ -727,119 +727,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) == -1) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return xstrdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return xstrdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return xstrdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return xstrdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return xstrdup(ntop);
--	}
--	return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
- 
- /* These functions link key/cert options to the auth framework */
- 
---- a/canohost.c	2021-03-02 04:31:47.000000000 -0600
-+++ b/canohost.c	2021-03-04 11:22:54.854211183 -0600
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) == -1) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return xstrdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return xstrdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return xstrdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return xstrdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return xstrdup(ntop);
-+	}
-+	return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index 724974b7..97a1ffd8 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -206,9 +207,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "pkcs11provider", oPKCS11Provider },
-@@ -1083,6 +1086,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index 2fba866e..da3ce87a 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index f8119189..e0fd0d76 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -783,6 +783,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 059c9480..ab6f6832 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
- 	OM_uint32 min;
- 	int r, ok = 0;
- 	gss_OID mech = NULL;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(ssh, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
- 		    elements[authctxt->mech_tried];
- 		/* My DER encoding requires length<128 */
- 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
--		    mech, authctxt->host)) {
-+		    mech, gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			authctxt->mech_tried++;
diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
deleted file mode 100644
index c7812c622c26..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.5p1+x509-13.0.1.diff	2021-03-15 14:05:14.876485231 -0700
-+++ b/openssh-8.5p1+x509-13.0.1.diff	2021-03-15 14:06:05.389154451 -0700
-@@ -46675,12 +46675,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -380,6 +364,8 @@
-+@@ -380,6 +364,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -63967,7 +63966,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -63982,7 +63981,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -63997,7 +63996,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -64129,9 +64128,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -122247,16 +122246,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	     __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
----- openssh-8.5p1/version.h	2021-03-02 12:31:47.000000000 +0200
--+++ openssh-8.5p1+x509-13.0.1/version.h	2021-03-15 20:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
- --- openssh-8.5p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.5p1+x509-13.0.1/version.m4	2021-03-15 20:07:00.000000000 +0200
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
deleted file mode 100644
index 413cc8b9c3dc..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-03-15 17:56:36.240309581 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-  
-  	if (none == NULL) {
-@@ -898,20 +898,20 @@
-  	options->fingerprint_hash = -1;
-  	options->update_hostkeys = -1;
- +	options->disable_multithreaded = -1;
-- 	options->hostbased_accepted_algos = NULL;
-- 	options->pubkey_accepted_algos = NULL;
-- 	options->known_hosts_command = NULL;
-+ }
-+ 
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ 		options->update_hostkeys = 0;
-  	if (options->sk_provider == NULL)
-  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- +	if (options->update_hostkeys == -1)
- +		options->update_hostkeys = 0;
- +	if (options->disable_multithreaded == -1)
- +		options->disable_multithreaded = 0;
-  
-- 	/* Expand KEX name lists */
-- 	all_cipher = cipher_alg_list(',', 0);
-+ 	/* expand KEX and etc. name lists */
-+ {	char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:29:42.953733894 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:47:54.198893025 -0700
-@@ -157,6 +157,36 @@
- +	 Allan Jude provided the code for the NoneMac and buffer normalization.
- +         This work was financed, in part, by Cisco System, Inc., the National
- +         Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ 	double delay;
-+ 
-+ 	digest_alg = ssh_digest_maxbytes();
-+-	len = ssh_digest_bytes(digest_alg);
-+-	hash = xmalloc(len);
-++	if (len = ssh_digest_bytes(digest_alg) > 0) {
-++		hash = xmalloc(len);
-+ 
-+-	(void)snprintf(b, sizeof b, "%llu%s",
-+-	     (unsigned long long)options.timing_secret, user);
-+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+-		fatal_f("ssh_digest_memory");
-+-	/* 0-4.2 ms of delay */
-+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+-	freezero(hash, len);
-++		(void)snprintf(b, sizeof b, "%llu%s",
-++			 (unsigned long long)options.timing_secret, user);
-++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++			fatal_f("ssh_digest_memory");
-++		/* 0-4.2 ms of delay */
-++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++		freezero(hash, len);
-++	}
-+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
-+ 	return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
-  static void
-  channel_pre_open(struct ssh *ssh, Channel *c,
-      fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-  
-  	if (c->type == SSH_CHANNEL_OPEN &&
-  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- -	    ((c->local_window_max - c->local_window >
- -	    c->local_maxpacket*3) ||
--+            ((ssh_packet_is_interactive(ssh) &&
--+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++	    ((ssh_packet_is_interactive(ssh) &&
-++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
-@@ -235,9 +265,8 @@
-  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- 		    (r = sshpkt_send(ssh)) != 0) {
-- 			fatal_fr(r, "channel %i", c->self);
-- 		}
-+ 		    (r = sshpkt_send(ssh)) != 0)
-+ 			fatal_fr(r, "channel %d", c->self);
- -		debug2("channel %d: window %d sent adjust %d", c->self,
- -		    c->local_window, c->local_consumed);
- -		c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- 			debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+-	int i;
-++	int i, bugs = 0;
-+ 	static struct {
-+ 		char	*pat;
-+ 		int	bugs;
-+@@ -147,11 +147,26 @@
-+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ 			debug("match: %s pat %s compat 0x%08x",
-  			    version, check[i].pat, check[i].bugs);
-- 			ssh->compat = check[i].bugs;
- +			/* Check to see if the remote side is OpenSSH and not HPN */
--+			/* TODO: need to use new method to test for this */
- +			if (strstr(version, "OpenSSH") != NULL) {
- +				if (strstr(version, "hpn") == NULL) {
--+					ssh->compat |= SSH_BUG_LARGEWINDOW;
-++					bugs |= SSH_BUG_LARGEWINDOW;
- +					debug("Remote is NON-HPN aware");
- +				}
- +			}
-- 			return;
-+-			return check[i].bugs;
-++			bugs |= check[i].bugs;
-  		}
-  	}
-+-	debug("no match: %s", version);
-+-	return 0;
-++	/* Check to see if the remote side is OpenSSH and not HPN */
-++	if (strstr(version, "OpenSSH") != NULL) {
-++		if (strstr(version, "hpn") == NULL) {
-++			bugs |= SSH_BUG_LARGEWINDOW;
-++			debug("Remote is NON-HPN aware");
-++		}
-++	}
-++	if (bugs == 0)
-++		debug("no match: %s", version);
-++	return bugs;
-+ }
-+ 
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag = 0;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -1035,19 +1088,6 @@
-  
-  /* File to read commands from */
-  FILE* infile;
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- 			freezero(pin, strlen(pin));
-- 		error_r(r, "Unable to load resident keys");
-- 		return -1;
---	}
--+ 	}
-- 	if (nkeys == 0)
-- 		logit("No keys to download");
-- 	if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- +	else
- +		options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- +		debug("HPN to Non-HPN Connection");
- +	} else {
- +		int sock, socksize;
-@@ -1335,6 +1375,28 @@
-  		/* Bind the socket to the desired port. */
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
-+@@ -1625,13 +1625,14 @@
-+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ 		    sshbuf_len(server_cfg)) != 0)
-+ 			fatal_f("ssh_digest_update");
-+-		len = ssh_digest_bytes(digest_alg);
-+-		hash = xmalloc(len);
-+-		if (ssh_digest_final(ctx, hash, len) != 0)
-+-			fatal_f("ssh_digest_final");
-+-		options.timing_secret = PEEK_U64(hash);
-+-		freezero(hash, len);
-+-		ssh_digest_free(ctx);
-++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++			hash = xmalloc(len);
-++			if (ssh_digest_final(ctx, hash, len) != 0)
-++				fatal_f("ssh_digest_final");
-++			options.timing_secret = PEEK_U64(hash);
-++			freezero(hash, len);
-++			ssh_digest_free(ctx);
-++		}
-+ 		ctx = NULL;
-+ 		return;
-+ 	}
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-  	/* Fill in default values for those options not explicitly set. */
-  	fill_default_server_options(&options);
-@@ -1405,14 +1467,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-03-15 17:45:28.550606801 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-03-15 18:39:10.262087944 -0700
-@@ -12,9 +12,9 @@
-  static long stalled;		/* how long we have been stalled */
-  static int bytes_per_second;	/* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ 	off_t bytes_left;
-  	int cur_speed;
-- 	int hours, minutes, seconds;
-- 	int file_len;
-+ 	int len;
- +	off_t delta_pos;
-  
-  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
-  	if (bytes_left > 0)
-  		elapsed = now - last_update;
-  	else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-- 
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ 	buf[1] = '\0';
-+
-  	/* filename */
-- 	buf[0] = '\0';
---	file_len = win_size - 36;
--+	file_len = win_size - 45;
-- 	if (file_len > 0) {
-- 		buf[0] = '\r';
-- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+-	if (win_size > 36) {
-++	if (win_size > 45) {
-+-		int file_len = win_size - 36;
-++		int file_len = win_size - 45;
-+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ 		    file_len, file);
-+ 	}
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
-  	    (off_t)bytes_per_second);
-  	strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
-  }
-  
-  /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-- 
-- 	if (skprovider == NULL)
-- 		fatal("Cannot download keys without provider");
---
-- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- 	if (!quiet) {
-- 		printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 8827fe88d7aa..000000000000
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-15 15:10:45.680967455 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:25:14.710431930 -0700
-@@ -536,18 +536,10 @@
-  	if (state->rekey_limit)
-  		*max_blocks = MINIMUM(*max_blocks,
-  		    state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-@@ -598,12 +576,11 @@
-  };
-  
-  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
-  u_int	 ssh_packet_get_maxsize(struct ssh *);
-  
- +/* for forced packet rekeying post auth */
--+void	 packet_request_rekeying(void);
- +int	 packet_authentication_state(const struct ssh *);
- +
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ 	oDisableMTAES,
-  	oVisualHostKey,
-  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
-  	{ "kexalgorithms", oKexAlgorithms },
-  	{ "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none cipher to be used */
- +  	int     nonemac_enabled;   /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->nonemac_enabled == -1)
-@@ -1330,9 +1307,9 @@
- +		}
- +	}
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
deleted file mode 100644
index e23063b5db2e..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- a/openssh-8.6p1+x509-13.1.diff	2021-04-23 14:46:58.184683047 -0700
-+++ b/openssh-8.6p1+x509-13.1.diff	2021-04-23 15:00:08.455087549 -0700
-@@ -47728,12 +47728,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -389,6 +366,8 @@
-+@@ -389,6 +366,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -65001,7 +65000,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -65016,7 +65015,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -65031,7 +65030,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -65163,9 +65162,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -124084,16 +124083,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
----- openssh-8.6p1/version.h	2021-04-16 06:55:25.000000000 +0300
--+++ openssh-8.6p1+x509-13.1/version.h	2021-04-21 21:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.6"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
- --- openssh-8.6p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.6p1+x509-13.1/version.m4	2021-04-21 21:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 714dffc41712..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-04-23 15:32:29.807508606 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-  
-  	if (none == NULL) {
-@@ -898,20 +898,20 @@
-  	options->fingerprint_hash = -1;
-  	options->update_hostkeys = -1;
- +	options->disable_multithreaded = -1;
-- 	options->hostbased_accepted_algos = NULL;
-- 	options->pubkey_accepted_algos = NULL;
-- 	options->known_hosts_command = NULL;
-+ }
-+ 
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ 		options->update_hostkeys = 0;
-  	if (options->sk_provider == NULL)
-  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- +	if (options->update_hostkeys == -1)
- +		options->update_hostkeys = 0;
- +	if (options->disable_multithreaded == -1)
- +		options->disable_multithreaded = 0;
-  
-- 	/* Expand KEX name lists */
-- 	all_cipher = cipher_alg_list(',', 0);
-+ 	/* expand KEX and etc. name lists */
-+ {	char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-23 15:46:32.296026606 -0700
-@@ -157,6 +157,36 @@
- +	 Allan Jude provided the code for the NoneMac and buffer normalization.
- +         This work was financed, in part, by Cisco System, Inc., the National
- +         Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ 	double delay;
-+ 
-+ 	digest_alg = ssh_digest_maxbytes();
-+-	len = ssh_digest_bytes(digest_alg);
-+-	hash = xmalloc(len);
-++	if (len = ssh_digest_bytes(digest_alg) > 0) {
-++		hash = xmalloc(len);
-+ 
-+-	(void)snprintf(b, sizeof b, "%llu%s",
-+-	    (unsigned long long)options.timing_secret, user);
-+-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+-		fatal_f("ssh_digest_memory");
-+-	/* 0-4.2 ms of delay */
-+-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+-	freezero(hash, len);
-++		(void)snprintf(b, sizeof b, "%llu%s",
-++		    (unsigned long long)options.timing_secret, user);
-++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++			fatal_f("ssh_digest_memory");
-++		/* 0-4.2 ms of delay */
-++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++		freezero(hash, len);
-++	}
-+ 	debug3_f("user specific delay %0.3lfms", delay/1000);
-+ 	return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
-  static void
-  channel_pre_open(struct ssh *ssh, Channel *c,
-      fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-  
-  	if (c->type == SSH_CHANNEL_OPEN &&
-  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- -	    ((c->local_window_max - c->local_window >
- -	    c->local_maxpacket*3) ||
--+            ((ssh_packet_is_interactive(ssh) &&
--+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++	    ((ssh_packet_is_interactive(ssh) &&
-++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-  	    c->local_window < c->local_window_max/2) &&
-  	    c->local_consumed > 0) {
- +		u_int addition = 0;
-@@ -235,9 +265,8 @@
-  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- 		    (r = sshpkt_send(ssh)) != 0) {
-- 			fatal_fr(r, "channel %i", c->self);
-- 		}
-+ 		    (r = sshpkt_send(ssh)) != 0)
-+ 			fatal_fr(r, "channel %d", c->self);
- -		debug2("channel %d: window %d sent adjust %d", c->self,
- -		    c->local_window, c->local_consumed);
- -		c->local_window += c->local_consumed;
-@@ -386,21 +415,45 @@
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- 			debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+-	int i;
-++	int i, bugs = 0;
-+ 	static struct {
-+ 		char	*pat;
-+ 		int	bugs;
-+@@ -147,11 +147,26 @@
-+ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ 			debug("match: %s pat %s compat 0x%08x",
-  			    version, check[i].pat, check[i].bugs);
-- 			ssh->compat = check[i].bugs;
- +			/* Check to see if the remote side is OpenSSH and not HPN */
--+			/* TODO: need to use new method to test for this */
- +			if (strstr(version, "OpenSSH") != NULL) {
- +				if (strstr(version, "hpn") == NULL) {
--+					ssh->compat |= SSH_BUG_LARGEWINDOW;
-++					bugs |= SSH_BUG_LARGEWINDOW;
- +					debug("Remote is NON-HPN aware");
- +				}
- +			}
-- 			return;
-+-			return check[i].bugs;
-++			bugs |= check[i].bugs;
-  		}
-  	}
-+-	debug("no match: %s", version);
-+-	return 0;
-++	/* Check to see if the remote side is OpenSSH and not HPN */
-++	if (strstr(version, "OpenSSH") != NULL) {
-++		if (strstr(version, "hpn") == NULL) {
-++			bugs |= SSH_BUG_LARGEWINDOW;
-++			debug("Remote is NON-HPN aware");
-++		}
-++	}
-++	if (bugs == 0)
-++		debug("no match: %s", version);
-++	return bugs;
-+ }
-+ 
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +512,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag = 0;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +606,7 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-  	fd_set *setp;
-@@ -1035,19 +1088,6 @@
-  
-  /* Minimum amount of data to read at a time */
-  #define MIN_READ_SIZE	512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- 			freezero(pin, strlen(pin));
-- 		error_r(r, "Unable to load resident keys");
-- 		return -1;
---	}
--+ 	}
-- 	if (nkeys == 0)
-- 		logit("No keys to download");
-- 	if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1133,7 @@
- +	else
- +		options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- +		debug("HPN to Non-HPN Connection");
- +	} else {
- +		int sock, socksize;
-@@ -1335,7 +1375,29 @@
-  		/* Bind the socket to the desired port. */
-  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-  			error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ 		    sshbuf_len(server_cfg)) != 0)
-+ 			fatal_f("ssh_digest_update");
-+-		len = ssh_digest_bytes(digest_alg);
-+-		hash = xmalloc(len);
-+-		if (ssh_digest_final(ctx, hash, len) != 0)
-+-			fatal_f("ssh_digest_final");
-+-		options.timing_secret = PEEK_U64(hash);
-+-		freezero(hash, len);
-+-		ssh_digest_free(ctx);
-++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++			hash = xmalloc(len);
-++			if (ssh_digest_final(ctx, hash, len) != 0)
-++				fatal_f("ssh_digest_final");
-++			options.timing_secret = PEEK_U64(hash);
-++			freezero(hash, len);
-++			ssh_digest_free(ctx);
-++		}
-+ 		ctx = NULL;
-+ 		return;
-+ 	}
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
-  	/* Fill in default values for those options not explicitly set. */
-  	fill_default_server_options(&options);
-  
-@@ -1355,7 +1417,7 @@
-  	/* challenge-response is implemented via keyboard interactive */
-  	if (options.challenge_response_authentication)
-  		options.kbd_interactive_authentication = 1;
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
-  	    rdomain == NULL ? "" : "\"");
-  	free(laddr);
-  
-@@ -1365,7 +1427,7 @@
-  	/*
-  	 * We don't want to listen forever unless the other side
-  	 * successfully authenticates itself.  So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
-  	struct kex *kex;
-  	int r;
-  
-@@ -1405,14 +1467,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-04-23 15:31:47.247434467 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-04-23 15:32:29.808508608 -0700
-@@ -12,9 +12,9 @@
-  static long stalled;		/* how long we have been stalled */
-  static int bytes_per_second;	/* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ 	off_t bytes_left;
-  	int cur_speed;
-- 	int hours, minutes, seconds;
-- 	int file_len;
-+ 	int len;
- +	off_t delta_pos;
-  
-  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
-  	if (bytes_left > 0)
-  		elapsed = now - last_update;
-  	else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-- 
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ 	buf[1] = '\0';
-+
-  	/* filename */
-- 	buf[0] = '\0';
---	file_len = win_size - 36;
--+	file_len = win_size - 45;
-- 	if (file_len > 0) {
-- 		buf[0] = '\r';
-- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+-	if (win_size > 36) {
-++	if (win_size > 45) {
-+-		int file_len = win_size - 36;
-++		int file_len = win_size - 45;
-+ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ 		    file_len, file);
-+ 	}
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
-  	    (off_t)bytes_per_second);
-  	strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
-  }
-  
-  /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-- 
-- 	if (skprovider == NULL)
-- 		fatal("Cannot download keys without provider");
---
-- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- 	if (!quiet) {
-- 		printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 30c0252ccb55..000000000000
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:36:51.659996653 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:42:23.302377465 -0700
-@@ -536,18 +536,10 @@
-  	if (state->rekey_limit)
-  		*max_blocks = MINIMUM(*max_blocks,
-  		    state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-  	return 0;
-  }
-  
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+	rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
-  #define MAX_PACKETS	(1U<<31)
-  static int
-  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- 		return 0;
-- 
--+	/* used to force rekeying when called for by the none
--+         * cipher switch methods -cjr */
--+        if (rekey_requested == 1) {
--+                rekey_requested = 0;
--+                return 1;
--+        }
--+
-- 	/* Time-based rekeying */
-- 	if (state->rekey_interval != 0 &&
-- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-  	struct session_state *state = ssh->state;
-  	int len, r, ms_remain;
-@@ -598,12 +576,11 @@
-  };
-  
-  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
-  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
-  u_int	 ssh_packet_get_maxsize(struct ssh *);
-  
- +/* for forced packet rekeying post auth */
--+void	 packet_request_rekeying(void);
- +int	 packet_authentication_state(const struct ssh *);
- +
-  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
-  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ 	oDisableMTAES,
-  	oVisualHostKey,
-  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
-  	{ "kexalgorithms", oKexAlgorithms },
-  	{ "ipqos", oIPQoS },
-@@ -778,9 +755,9 @@
-  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
-  	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
-- 
-  	int	enable_ssh_keysign;
-  	int64_t rekey_limit;
-+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
- +	int     none_switch;    /* Use none cipher */
- +	int     none_enabled;   /* Allow none cipher to be used */
- +  	int     nonemac_enabled;   /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
-  	/* Portable-specific options */
-  	if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
-+ 	if (options->disable_multithreaded == -1)
-+ 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
- +		options->none_enabled = 0;
- +	if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
-  Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
-- 
-- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN	32768
-+ 
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS	64
-++#define DEFAULT_NUM_REQUESTS	256
-  
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE	512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- +		}
- +	}
- +
-- 	debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-  
-+ #ifdef WITH_OPENSSL
-+ 	if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c