authorV3n3RiX <venerix@koprulu.sector>2022-03-20 00:40:44 +0000
committerV3n3RiX <venerix@koprulu.sector>2022-03-20 00:40:44 +0000
commit4cbcc855382a06088e2f016f62cafdbcb7e40665 (patch)
tree356496503d52354aa6d9f2d36126302fed5f3a73 /net-misc/openssh/files
parentfcc5224904648a8e6eb528d7603154160a20022f (diff)
gentoo resync : 20.03.2022
Diffstat (limited to 'net-misc/openssh/files')
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch126
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch14
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch32
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch13
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch431
-rw-r--r--net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch238
-rw-r--r--net-misc/openssh/files/sshd-r2.initd100
7 files changed, 854 insertions, 100 deletions
diff --git a/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
new file mode 100644
index 000000000000..eab5b5344d6a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
@@ -0,0 +1,126 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
+--- a/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:49:32.673126122 -0800
++++ b/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:52:52.581776560 -0800
+@@ -1002,15 +1002,16 @@
+ char b[512];
+ - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ - u_char *hash = xmalloc(len);
++- double delay;
+ + int digest_alg;
+ + size_t len;
+ + u_char *hash;
+- double delay;
+-
+++ double delay = 0;
+++
+ + digest_alg = ssh_digest_maxbytes();
+ + len = ssh_digest_bytes(digest_alg);
+ + hash = xmalloc(len);
+-+
++
+ (void)snprintf(b, sizeof b, "%llu%s",
+ (unsigned long long)options.timing_secret, user);
+ - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -44746,8 +44747,8 @@
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+-- if (gethostname(lname, MAXHOSTNAMELEN)) {
+-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
++- if (gethostname(lname, HOST_NAME_MAX)) {
+++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
+@@ -52143,7 +52144,7 @@
+ diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
+ --- openssh-8.9p1/m4/openssh.m4 2022-02-23 13:31:11.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4 1970-01-01 02:00:00.000000000 +0200
+-@@ -1,200 +0,0 @@
++@@ -1,203 +0,0 @@
+ -dnl OpenSSH-specific autoconf macros
+ -dnl
+ -
+@@ -52160,6 +52161,8 @@
+ - AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ -#include <stdlib.h>
+ -#include <stdio.h>
++-/* Trivial function to help test for -fzero-call-used-regs */
++-void f(int n) {}
+ -int main(int argc, char **argv) {
+ - (void)argv;
+ - /* Some math to catch -ftrapv problems in the toolchain */
+@@ -52167,6 +52170,7 @@
+ - float l = i * 2.1;
+ - double m = l / 0.5;
+ - long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++- f(0);
+ - printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ - /*
+ - * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
+@@ -52884,12 +52888,11 @@
+
+ install-files:
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -396,6 +372,8 @@
++@@ -396,6 +372,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -73836,7 +73839,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ + unset_arg=''
+ +else
+-+ unset_arg=none
+++ unset_arg=
+ +fi
+ +
+ cat > $OBJ/sshd_config.i << _EOF
+@@ -79691,25 +79694,6 @@
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+ #endif
+-@@ -267,15 +273,15 @@
+- #ifdef __NR_clock_nanosleep_time64
+- SC_ALLOW(__NR_clock_nanosleep_time64),
+- #endif
+--#ifdef __NR_clock_gettime64
+-- SC_ALLOW(__NR_clock_gettime64),
+--#endif
+- #ifdef __NR__newselect
+- SC_ALLOW(__NR__newselect),
+- #endif
+- #ifdef __NR_ppoll
+- SC_ALLOW(__NR_ppoll),
+- #endif
+-+#ifdef __NR_ppoll_time64
+-+ SC_ALLOW(__NR_ppoll_time64),
+-+#endif
+- #ifdef __NR_poll
+- SC_ALLOW(__NR_poll),
+- #endif
+ @@ -288,6 +294,9 @@
+ #ifdef __NR_read
+ SC_ALLOW(__NR_read),
+@@ -137848,16 +137832,6 @@
+ +int asnmprintf(char **, size_t, int *, const char *, ...)
+ __attribute__((format(printf, 4, 5)));
+ void msetlocale(void);
+-diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
+---- openssh-8.9p1/version.h 2022-02-23 13:31:11.000000000 +0200
+-+++ openssh-8.9p1+x509-13.3.1/version.h 2022-03-05 10:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_8.9"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
+ --- openssh-8.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.9p1+x509-13.3.1/version.m4 2022-03-05 10:07:00.000000000 +0200
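Review bot: No header comment explains the edits in this glue patch, and one of them is security-relevant: the block that deletes the `@@ -267,15 +273,15 @@` sandbox hunk from the X.509 diff also deletes that diff's `SC_ALLOW(__NR_ppoll_time64)` addition. The allowance then appears to depend on openssh-8.9_p1-allow-ppoll_time64.patch being applied as well, which nothing in this file records. I would add a leading comment such as `# Drop the X.509 seccomp hunk; ppoll_time64 is allowed by openssh-8.9_p1-allow-ppoll_time64.patch, which must also be applied`, plus a line each on why `unset_arg` and the `$(piddir)` mkdir change. The same missing description and upstream reference applies to the allow-ppoll_time64 and gss-use-HOST_NAME_MAX patch files added in this commit.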
diff --git a/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 000000000000..8c46625aa29c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++ SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ SC_ALLOW(__NR_poll),
+ #endif
diff --git a/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
new file mode 100644
index 000000000000..0231ce46d7b1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-fzero-call-used-regs.patch
@@ -0,0 +1,32 @@
+From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 24 Feb 2022 16:04:18 +0000
+Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
+
+GCC doesn't tell us whether this option is supported unless it runs into
+the situation where it would need to emit corresponding code.
+---
+ m4/openssh.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 4f9c3792dc1..8c33c701b8b 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ #include <stdlib.h>
+ #include <stdio.h>
++/* Trivial function to help test for -fzero-call-used-regs */
++void f(int n) {}
+ int main(int argc, char **argv) {
+ (void)argv;
+ /* Some math to catch -ftrapv problems in the toolchain */
+@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++ f(0);
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ /*
+ * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
diff --git a/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 000000000000..9e08b2a553c2
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,13 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+- if (gethostname(lname, MAXHOSTNAMELEN)) {
++ if (gethostname(lname, HOST_NAME_MAX)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
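Review bot: The length passed to `gethostname()` is still a constant rather than the size of `lname`, so the bound is not tied to the buffer; `lname` is declared outside this hunk, so its size cannot be checked here. POSIX allows a host name of HOST_NAME_MAX bytes excluding the terminator and leaves termination unspecified on truncation, so a buffer of exactly that size can come back without a NUL. If `lname` is an array, `if (gethostname(lname, sizeof(lname)) == -1) {` followed after the block by `lname[sizeof(lname) - 1] = '\0';` keeps the call and the buffer in step. The body of ssh_gssapi_acquire_cred continues outside the hunk.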
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
new file mode 100644
index 000000000000..a98e1adcb54c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
@@ -0,0 +1,431 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:49:22.195632128 -0800
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+ {
+ struct session_state *state;
+-- const struct sshcipher *none = cipher_by_name("none");
+-+ struct sshcipher *none = cipher_by_name("none");
++- const struct sshcipher *none = cipher_none();
+++ struct sshcipher *none = cipher_none();
+ int r;
+
+ if (none == NULL) {
+@@ -894,24 +894,24 @@
+ intptr = &options->compression;
+ multistate_ptr = multistate_compression;
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
+- options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
++ options->known_hosts_command = NULL;
+ + options->disable_multithreaded = -1;
+- options->hostbased_accepted_algos = NULL;
+- options->pubkey_accepted_algos = NULL;
+- options->known_hosts_command = NULL;
++ }
++
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
++ options->update_hostkeys = 0;
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ + if (options->update_hostkeys == -1)
+ + options->update_hostkeys = 0;
+ + if (options->disable_multithreaded == -1)
+ + options->disable_multithreaded = 0;
+
+- /* Expand KEX name lists */
+- all_cipher = cipher_alg_list(',', 0);
++ /* expand KEX and etc. name lists */
++ { char *all;
+ diff --git a/readconf.h b/readconf.h
+ index 2fba866e..7f8f0227 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+ /* Portable-specific options */
+ sUsePAM,
+ + sDisableMTAES,
+- /* Standard Options */
+- sPort, sHostKeyFile, sLoginGraceTime,
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
++ /* X.509 Standard Options */
++ sHostbasedAlgorithms,
++ sPubkeyAlgorithms,
+ @@ -662,6 +666,7 @@ static struct {
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:54:51.800546480 -0800
+@@ -157,6 +157,36 @@
+ + Allan Jude provided the code for the NoneMac and buffer normalization.
+ + This work was financed, in part, by Cisco System, Inc., the National
+ + Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
++@@ -229,16 +229,17 @@
++ double delay;
++
++ digest_alg = ssh_digest_maxbytes();
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
+++ if (len = ssh_digest_bytes(digest_alg) > 0) {
+++ hash = xmalloc(len);
++
++- (void)snprintf(b, sizeof b, "%llu%s",
++- (unsigned long long)options.timing_secret, user);
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++- fatal_f("ssh_digest_memory");
++- /* 0-4.2 ms of delay */
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++- freezero(hash, len);
+++ (void)snprintf(b, sizeof b, "%llu%s",
+++ (unsigned long long)options.timing_secret, user);
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++ fatal_f("ssh_digest_memory");
+++ /* 0-4.2 ms of delay */
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++ freezero(hash, len);
+++ }
++ debug3_f("user specific delay %0.3lfms", delay/1000);
++ return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index b60d56c4..0e363c15 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+ static void
+ channel_pre_open(struct ssh *ssh, Channel *c,
+ fd_set *readset, fd_set *writeset)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+
+ if (c->type == SSH_CHANNEL_OPEN &&
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ - ((c->local_window_max - c->local_window >
+ - c->local_maxpacket*3) ||
+-+ ((ssh_packet_is_interactive(ssh) &&
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++ ((ssh_packet_is_interactive(ssh) &&
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+ c->local_window < c->local_window_max/2) &&
+ c->local_consumed > 0) {
+ + u_int addition = 0;
+@@ -235,9 +265,8 @@
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0) {
+- fatal_fr(r, "channel %i", c->self);
+- }
++ (r = sshpkt_send(ssh)) != 0)
++ fatal_fr(r, "channel %d", c->self);
+ - debug2("channel %d: window %d sent adjust %d", c->self,
+ - c->local_window, c->local_consumed);
+ - c->local_window += c->local_consumed;
+@@ -337,70 +366,92 @@
+ index 70f492f8..5503af1d 100644
+ --- a/clientloop.c
+ +++ b/clientloop.c
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+ sock = x11_connect_display(ssh);
+ if (sock < 0)
+ return NULL;
+ - c = channel_new(ssh, "x11",
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-+ c = channel_new(ssh, "x11",
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-+ /* again is this really necessary for X11? */
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "x11",
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+++ /* again is this really necessary for X11? */
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+ return NULL;
+ }
+ c = channel_new(ssh, "authentication agent connection",
+ - SSH_CHANNEL_OPEN, sock, sock, -1,
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+-- "authentication agent connection", 1);
+-+ SSH_CHANNEL_OPEN, sock, sock, -1,
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0,
+-+ "authentication agent connection", 1);
++- "authentication agent connection", CHANNEL_NONBLOCK_SET);
+++ SSH_CHANNEL_OPEN, sock, sock, -1,
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+++ CHAN_TCP_PACKET_DEFAULT, 0,
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
+ c->force_drain = 1;
+ return c;
+ }
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+ }
+ debug("Tunnel forwarding using interface %s", ifname);
+
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
++- CHANNEL_NONBLOCK_SET);
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
+ c->datagram = 1;
+
+-+
+-+
+ #if defined(SSH_TUN_FILTER)
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+- channel_register_filter(ssh, c->self, sys_tun_infilter,
+ diff --git a/compat.c b/compat.c
+ index 69befa96..90b5f338 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+- debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
++ static u_int
++ compat_datafellows(const char *version)
++ {
++- int i;
+++ int i, bugs = 0;
++ static struct {
++ char *pat;
++ int bugs;
++@@ -147,11 +147,26 @@
++ if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, check[i].bugs);
+- ssh->compat = check[i].bugs;
+ + /* Check to see if the remote side is OpenSSH and not HPN */
+-+ /* TODO: need to use new method to test for this */
+ + if (strstr(version, "OpenSSH") != NULL) {
+ + if (strstr(version, "hpn") == NULL) {
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
+++ bugs |= SSH_BUG_LARGEWINDOW;
+ + debug("Remote is NON-HPN aware");
+ + }
+ + }
+- return;
++- return check[i].bugs;
+++ bugs |= check[i].bugs;
+ }
+ }
++- debug("no match: %s", version);
++- return 0;
+++ /* Check to see if the remote side is OpenSSH and not HPN */
+++ if (strstr(version, "OpenSSH") != NULL) {
+++ if (strstr(version, "hpn") == NULL) {
+++ bugs |= SSH_BUG_LARGEWINDOW;
+++ debug("Remote is NON-HPN aware");
+++ }
+++ }
+++ if (bugs == 0)
+++ debug("no match: %s", version);
+++ return bugs;
++ }
++
++ char *
+ diff --git a/compat.h b/compat.h
+ index c197fafc..ea2e17a7 100644
+ --- a/compat.h
+@@ -459,7 +510,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
+ int nenc, nmac, ncomp;
+ u_int mode, ctos, need, dh_need, authlen;
+- int r, first_kex_follows;
++ int r, first_kex_follows = 0;
+ + int auth_flag = 0;
+ +
+ + auth_flag = packet_authentication_state(ssh);
+@@ -553,10 +604,10 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++ {
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+- struct pollfd pfd;
+ - char buf[8192];
+ + char buf[SSH_IOBUFSZ];
+ struct timeval start;
+@@ -1072,7 +1123,7 @@
+ + else
+ + options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ + debug("HPN to Non-HPN Connection");
+ + } else {
+ + int sock, socksize;
+@@ -1136,14 +1187,14 @@
+ }
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
+ window, packetmax, CHAN_EXTENDED_WRITE,
+- "client-session", /*nonblock*/0);
++ "client-session", CHANNEL_NONBLOCK_STDIO);
+
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ + c->dynamic_window = 1;
+ + debug("Enabled Dynamic Window Scaling");
+ + }
+ +
+- debug3_f("channel_new: %d", c->self);
++ debug2_f("channel %d", c->self);
+
+ channel_send_open(ssh, c->self);
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
+@@ -1314,7 +1365,29 @@
+ /* Bind the socket to the desired port. */
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ sshbuf_len(server_cfg)) != 0)
++ fatal_f("ssh_digest_update");
++- len = ssh_digest_bytes(digest_alg);
++- hash = xmalloc(len);
++- if (ssh_digest_final(ctx, hash, len) != 0)
++- fatal_f("ssh_digest_final");
++- options.timing_secret = PEEK_U64(hash);
++- freezero(hash, len);
++- ssh_digest_free(ctx);
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
+++ hash = xmalloc(len);
+++ if (ssh_digest_final(ctx, hash, len) != 0)
+++ fatal_f("ssh_digest_final");
+++ options.timing_secret = PEEK_U64(hash);
+++ freezero(hash, len);
+++ ssh_digest_free(ctx);
+++ }
++ ctx = NULL;
++ return;
++ }
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+
+@@ -1334,7 +1407,7 @@
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
+
+@@ -1344,7 +1417,7 @@
+ /*
+ * We don't want to listen forever unless the other side
+ * successfully authenticates itself. So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+ struct kex *kex;
+ int r;
+
+@@ -1384,14 +1457,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_8.5"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn15v2"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:48:19.078457000 -0800
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:49:22.196632131 -0800
+@@ -12,9 +12,9 @@
+ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ off_t bytes_left;
+ int cur_speed;
+- int hours, minutes, seconds;
+- int file_len;
++ int len;
+ + off_t delta_pos;
+
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+ if (bytes_left > 0)
+ elapsed = now - last_update;
+ else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+-
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ buf[1] = '\0';
++
+ /* filename */
+- buf[0] = '\0';
+-- file_len = win_size - 36;
+-+ file_len = win_size - 45;
+- if (file_len > 0) {
+- buf[0] = '\r';
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++- if (win_size > 36) {
+++ if (win_size > 45) {
++- int file_len = win_size - 36;
+++ int file_len = win_size - 45;
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ file_len, file);
++ }
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+ (off_t)bytes_per_second);
+ strlcat(buf, "/s ", win_size);
+@@ -63,15 +65,3 @@
+ }
+
+ /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..986ff59b 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
+-
+- if (skprovider == NULL)
+- fatal("Cannot download keys without provider");
+--
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- if (!quiet) {
+- printf("You may need to touch your authenticator "
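Review bot: In the auth2.c section this patch adds to the DynWinNoneSwitch diff, `if (len = ssh_digest_bytes(digest_alg) > 0) {` is missing a pair of parentheses: `>` binds tighter than `=`, so `len` becomes 0 or 1 instead of the digest length. `xmalloc(len)` and `ssh_digest_memory(..., hash, len)` then work with a one-byte buffer while `PEEK_U32(hash)` reads four bytes, so depending on how the digest call treats a short buffer the function either hits `fatal_f` or derives the per-user failure delay from a read past the allocation. It should read `if ((len = ssh_digest_bytes(digest_alg)) > 0) {`, as the sshd.c section further down in this same patch already does. In that sshd.c section `ssh_digest_free(ctx);` has moved inside the guard, so from the visible lines the context is not freed before `ctx = NULL` when the length is 0; the call belongs after the closing brace.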
diff --git a/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
new file mode 100644
index 000000000000..272270b7e985
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
@@ -0,0 +1,238 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
+@@ -1026,9 +1026,9 @@
+ + }
+ +#endif
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+-
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..bf3d6e4a 100644
+ --- a/sshd.c
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
+@@ -536,18 +536,10 @@
+ if (state->rekey_limit)
+ *max_blocks = MINIMUM(*max_blocks,
+ state->rekey_limit / enc->block_size);
+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -561,27 +553,14 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+-
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ struct session_state *state = ssh->state;
+ int len, r, ms_remain;
+- fd_set *setp;
++ struct pollfd pfd;
+ - char buf[8192];
+ + char buf[SSH_IOBUFSZ];
+- struct timeval timeout, start, *timeoutp = NULL;
++ struct timeval start;
++ struct timespec timespec, *timespecp = NULL;
+
+ DBG(debug("packet_read()"));
+ diff --git a/packet.h b/packet.h
+@@ -598,12 +577,11 @@
+ };
+
+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
+-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
++@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+ int ssh_packet_set_maxsize(struct ssh *, u_int);
+ u_int ssh_packet_get_maxsize(struct ssh *);
+
+ +/* for forced packet rekeying post auth */
+-+void packet_request_rekeying(void);
+ +int packet_authentication_state(const struct ssh *);
+ +
+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
+@@ -627,9 +605,9 @@
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
++ oDisableMTAES,
+ oVisualHostKey,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ @@ -297,6 +300,9 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+@@ -637,9 +615,9 @@
+ + { "noneenabled", oNoneEnabled },
+ + { "nonemacenabled", oNoneMacEnabled },
+ + { "noneswitch", oNoneSwitch },
+- { "proxyusefdpass", oProxyUseFdpass },
+- { "canonicaldomains", oCanonicalDomains },
+- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
++ { "sessiontype", oSessionType },
++ { "stdinnull", oStdinNull },
++ { "forkafterauthentication", oForkAfterAuthentication },
+ @@ -317,6 +323,11 @@ static struct {
+ { "securitykeyprovider", oSecurityKeyProvider },
+ { "knownhostscommand", oKnownHostsCommand },
+@@ -717,9 +695,9 @@
+ + options->hpn_buffer_size = -1;
+ + options->tcp_rcv_buf_poll = -1;
+ + options->tcp_rcv_buf = -1;
+- options->proxy_use_fdpass = -1;
+- options->ignored_unknown = NULL;
+- options->num_canonical_domains = 0;
++ options->session_type = -1;
++ options->stdin_null = -1;
++ options->fork_after_authentication = -1;
+ @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+@@ -778,9 +756,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -120,7 +124,11 @@ typedef struct {
+-
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none cipher to be used */
+ + int nonemac_enabled; /* Allow none MAC to be used */
+@@ -842,9 +820,9 @@
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
+- }
+- if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ + if (options->none_enabled == -1)
+ + options->none_enabled = 0;
+ + if (options->nonemac_enabled == -1)
+@@ -975,15 +953,6 @@
+ index 306658cb..d4309903 100644
+ --- a/serverloop.c
+ +++ b/serverloop.c
+-@@ -322,7 +322,7 @@ static int
+- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
+- {
+- int r, len;
+-- char buf[16384];
+-+ char buf[SSH_IOBUFSZ];
+-
+- /* Read and buffer any input data from the client. */
+- if (FD_ISSET(connection_in, readset)) {
+ @@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
+ debug("Tunnel forwarding using interface %s", ifname);
+
+@@ -1047,30 +1016,17 @@
+ Note that
+ diff --git a/sftp.c b/sftp.c
+ index fb3c08d1..89bebbb2 100644
+---- a/sftp.c
+-+++ b/sftp.c
+-@@ -71,7 +71,7 @@ typedef void EditLine;
+- #include "sftp-client.h"
+-
+- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+-
+- /* File to read commands from */
+- FILE* infile;
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- freezero(pin, strlen(pin));
+- error_r(r, "Unable to load resident keys");
+- return -1;
+-- }
+-+ }
+- if (nkeys == 0)
+- logit("No keys to download");
+- if (pin != NULL)
++--- a/sftp-client.c
+++++ b/sftp-client.c
++@@ -65,7 +65,7 @@ typedef void EditLine;
++ #define DEFAULT_COPY_BUFLEN 32768
++
++ /* Default number of concurrent outstanding requests */
++-#define DEFAULT_NUM_REQUESTS 64
+++#define DEFAULT_NUM_REQUESTS 256
++
++ /* Minimum amount of data to read at a time */
++ #define MIN_READ_SIZE 512
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1330,9 +1286,9 @@
+ + }
+ + }
+ +
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index 6277e6d6..d66fa41a 100644
+ --- a/sshd.c
+@@ -1359,8 +1315,8 @@
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+ error("Bind to port %s on %s failed: %.200s.",
+ @@ -1727,6 +1734,19 @@ main(int ac, char **av)
+- /* Fill in default values for those options not explicitly set. */
+- fill_default_server_options(&options);
++ fatal("AuthorizedPrincipalsCommand set without "
++ "AuthorizedPrincipalsCommandUser");
+
+ + if (options.none_enabled == 1) {
+ + char *old_ciphers = options.ciphers;
+@@ -1375,9 +1331,9 @@
+ + }
+ + }
+ +
+- /* challenge-response is implemented via keyboard interactive */
+- if (options.challenge_response_authentication)
+- options.kbd_interactive_authentication = 1;
++ /*
++ * Check whether there is any path through configured auth methods.
++ * Unfortunately it is not possible to verify this generally before
+ @@ -2166,6 +2186,9 @@ main(int ac, char **av)
+ rdomain == NULL ? "" : "\"");
+ free(laddr);
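Review bot: Nothing in this glue patch says what replaces the forced rekey it removes: the edits delete `packet_request_rekeying()`, the `rekey_requested` flag and the matching check in `ssh_packet_need_rekeying()` from the DynWinNoneSwitch diff, and the removed comments describe them as required for the NONE cipher switch. Whether the remaining HPN code still calls `packet_request_rekeying()` or rekeys some other way is not visible here. A header comment stating why the hook is dropped and how the cipher switch now takes effect would let the next reviewer confirm that the switch path still rekeys.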
diff --git a/net-misc/openssh/files/sshd-r2.initd b/net-misc/openssh/files/sshd-r2.initd
deleted file mode 100644
index 3381fb965dd8..000000000000
--- a/net-misc/openssh/files/sshd-r2.initd
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
-: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
-: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
-: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
-
-command="${SSHD_BINARY}"
-pidfile="${SSHD_PIDFILE}"
-command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
-
-# Wait one second (length chosen arbitrarily) to see if sshd actually
-# creates a PID file, or if it crashes for some reason like not being
-# able to bind to the address in ListenAddress (bug 617596).
-: ${SSHD_SSD_OPTS:=--wait 1000}
-start_stop_daemon_args="${SSHD_SSD_OPTS}"
-
-depend() {
- # Entropy can be used by ssh-keygen, among other things, but
- # is not strictly required (bug 470020).
- use logger dns entropy
- if [ "${rc_need+set}" = "set" ] ; then
- : # Do nothing, the user has explicitly set rc_need
- else
- local x warn_addr
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "${x}" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} ${x}" ;;
- esac
- done
- if [ -n "${warn_addr}" ] ; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- fi
-}
-
-checkconfig() {
- checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
-
- if [ ! -e "${SSHD_CONFIG}" ] ; then
- eerror "You need an ${SSHD_CONFIG} file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ${SSHD_KEYGEN_BINARY} -A || return 2
-
- "${command}" -t ${command_args} || return 3
-}
-
-start_pre() {
- # Make sure that the user's config isn't busted before we try
- # to start the daemon (this will produce better error messages
- # than if we just try to start it blindly).
- #
- # We always need to call checkconfig because this function will
- # also generate any missing host key and you can start a
- # non-running service with "restart" argument.
- checkconfig || return $?
-}
-
-stop_pre() {
- if [ "${RC_CMD}" = "restart" ] ; then
- # If this is a restart, check to make sure the user's config
- # isn't busted before we stop the running daemon.
- checkconfig || return $?
- elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then
- # Disconnect any clients before killing the master process
- local pid=$(cat "${pidfile}" 2>/dev/null)
- if [ -n "${pid}" ] ; then
- local ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
-
- IFS="${IFS}@"
- local daemon pid pty user
- pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do
- ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..."
- kill "${pid}" || true
- done
- fi
- fi
-}
-
-reload() {
- checkconfig || return $?
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP --pidfile "${pidfile}"
- eend $?
-}