gentoo Easter resync : 12.04.2020

author: V3n3RiX <venerix@redcorelinux.org> 2020-04-12 03:41:30 +0100
committer: V3n3RiX <venerix@redcorelinux.org> 2020-04-12 03:41:30 +0100
commit: 623ee73d661e5ed8475cb264511f683407d87365 (patch)
tree: 993eb27c93ec7a2d2d19550300d888fc1fed9e69 /net-misc/openssh
parent: ceeeb463cc1eef97fd62eaee8bf2196ba04bc384 (diff)
11 files changed, 645 insertions, 20 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index f3816a61d6ba..77a187243ea2 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -39,7 +39,9 @@ AUX openssh-8.1_p1-hpn-glue.patch 7830 BLAKE2B 81c239f57d252b3a9bb1c7aed56ac6719
 AUX openssh-8.1_p1-tests-2020.patch 1332 BLAKE2B a400f6859a5d096729c9cb6047dce8612da7fe5f8d06cc891cfb6a4c88b568be3dfc7872d5be78ef349798f501828e1505bbd5ebd49d548dbbdc6bbf987dc843 SHA512 8f4c535d3ab15e4c761f6f5d4efe762ec2bc9b5de49ee369ce9186fe40095d2065418249c89161a8ef53e893079264fd9c95b73cd74937b08fa9f563a4f00290
 AUX openssh-8.2_p1-GSSAPI-dns.patch 11647 BLAKE2B b904922f809a6616f488509a962c778837bc6003138efe79fb1ce9edf9611f14c209c11559a922497c50c3dff450286e40dfcb929414cb7f705357d2c4e3603d SHA512 f9256a80c75ae0db11df0e562ace026614f2f6d0f6c91eaed7786b2a3c37608e18ca45242385813fa34487e50f21e5d3a13bfb66adc854b7c34d278a164c3dc4
 AUX openssh-8.2_p1-X509-12.4.2-tests.patch 405 BLAKE2B cfdd9b557d69b9230dd24fce00504f96ec3349712b1ca8667bb60fc9619d7fbfe44d2de847fc8b06c31de434fcab6e53ec4cd373a20a701372fdb0516ca14839 SHA512 788f6e1a522773bb322d70be6edd32734034c35073eea417d3895ecd176b3cc3ebd228285441ec12e75c991121e40eaa6b75b8be76a05167a0419773ae13018a
+AUX openssh-8.2_p1-X509-12.4.3-tests.patch 405 BLAKE2B cfdd9b557d69b9230dd24fce00504f96ec3349712b1ca8667bb60fc9619d7fbfe44d2de847fc8b06c31de434fcab6e53ec4cd373a20a701372fdb0516ca14839 SHA512 788f6e1a522773bb322d70be6edd32734034c35073eea417d3895ecd176b3cc3ebd228285441ec12e75c991121e40eaa6b75b8be76a05167a0419773ae13018a
 AUX openssh-8.2_p1-X509-glue-12.4.2.patch 5118 BLAKE2B 6adb167f27a926ac591c023e0bec87d3d5df9fd331338eea16240133bb1f637c5b2b8c44358ace9d390c2e8ed5f627360b8928ab47415fc89dcc44c1c8f1de5a SHA512 e4121c9b454445613a38d68a6dcb7be27ede1878fba811678d8a8b4cd185db609b4ffe7efb6cab0121e00af84aa86c798ebcedfe43a1b1ba4c200fe8600ba7b5
+AUX openssh-8.2_p1-X509-glue-12.4.3.patch 5024 BLAKE2B 96568de2316e50d8390654aecbec7751eb9eb333b30fb30700161c626f93e97c5fb244d96baf32fa12d31760efdb10c80012f872412e90837f8b294082d7b087 SHA512 85c635ed067ec3c829fe4caee6bfe84e0f986f0513d744476e637c1af16af910604b879e6894300be1ce8a6a6e397149329e8fe09246e3654dcdef1ff44da4ed
 AUX openssh-8.2_p1-hpn-14.20-X509-glue.patch 4881 BLAKE2B 899065ef3b781e7e67ea630ff26ac8c3975073e9ef5b0cc345c6cee9fb2e45d2ff549b716a76211c88efb1e540ed7d79c4467e0342cfbea64fef8e6cafddac85 SHA512 d37d4fd8614bed8b1592697b911a04e2ca7d14d24e9c315a6695b4c88cdb5b4ae980e8cb68040fe54b4587675ebb3ac5694ea0d09093f8451aa65e427b6a5d95
 AUX openssh-8.2_p1-hpn-14.20-glue.patch 5294 BLAKE2B 6a778eab95e05d371fd92a02f96b926cec5c6ff90dea36065b4857ddf243b5f95bb25aa339fddb1c662b628f26d0c11858d1ca0badece0a7268d6a51e99a09be SHA512 50289c60df01a59f134a0b283ec21d6a06beccdb68de67a46b4e0e9a9bc47855b0e4dbed47300c2f042f2eb9f63e4d6d0683f3092ee358a82e9d6337a3b173fe
 AUX openssh-8.2_p1-hpn-14.20-sctp-glue.patch 755 BLAKE2B 091a7cf60907c142d28b7f20a9fe4e1db8f2ce7f268ea4e0f206de89ea4ce560e82c2e91a9281a664868628426ad8c262667b7e6ad4e35247422937b98034855 SHA512 cff282e6a35a109794fca25b724b8e5024e7ded07b5dd3646489f384bdd5a42726d7cf9f814b8ebc20caed02a1a70d80e0396626bdfc13302096e15c11433dde
@@ -75,16 +77,18 @@ DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab4
 DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566
 DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
 DIST openssh-8.2p1+x509-12.4.2.diff.gz 805574 BLAKE2B 4df31b634308ce074d820df24984d44fdde48e115f8c2ac62afb09f28602acf9e4b080a13e5ba2e6033fe92bc4289ef00ed7adbb4af334462fbc9c82c4e7b64f SHA512 770b269929df0b7c9709fa2d07693a3ae9ebaca12fe463f7eabdaab66ee115fc02afa46dc847493d5050bff105740f2c1453fc456271d723c6e5b98d5bf7fd43
+DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
 DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
 DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
 DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
 DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b
-EBUILD openssh-7.5_p1-r4.ebuild 11181 BLAKE2B 05ab7ab14082824bc936d189cd72087e795d02b98ab73a1161ebd5ead95c9f466763f7a13aeb151edf99fc18d89d2fe4cd04ed1d514c97bf0139376e3eaad53b SHA512 7f94963a12667c41ce2a73d17ce8528fefe60a04b7c3a33daf76fb8066a1d9fcc3632925cdf338846e35234e6412dfb3d64485d810e18575ca3db1303de79d91
-EBUILD openssh-7.7_p1-r9.ebuild 15924 BLAKE2B b4c978f231feeadbd3ed5bde9424bc4ad0533ca6ac0cafe1a33417dbd1d04182e92444f4553c1762a0aa97c45cc20dc2f869638a788b1a2df9e89cfdfeba9f8d SHA512 6104ca756ad931f08b27e9f3b3ed6519ee5f89e30ece3607a4cee81081c9d15d7c39776dd3629671cc44074d79a96e923f5d08c8dc5920f77be03c174567d6c6
-EBUILD openssh-7.9_p1-r4.ebuild 16296 BLAKE2B 836063b7f82a97e473f042ef2f2fe87521f4c72f9a4d4289205f5530bce5cb7e14ac5fac889634f82cc01a6e5bf5b9907aad57ff5040a2b5587682f44580d092 SHA512 41c100d9918aac6fae825aee354329dc8eaf63361c3125636369441eed98e1e96831f5e7dc623958d56d62ec09e5f2f74c9f93da6af9e00f220c36b7cd3f2e49
-EBUILD openssh-8.0_p1-r4.ebuild 16679 BLAKE2B cc2c63682376443a11036e10182b7bef0c61bbb0a33fb3bf8e806a79d13f1bf9208f7c47519ddc35a95b3025b91026144e60480c92954eefff62791281d6c006 SHA512 674208389a7b7b28495a5145a948f1083a25b7697b6620677b3035111e8b73d9fcfeb091b516026c0edcd6dd4c37b939a1dc21738b372029acb68e0bbcdfaa5a
-EBUILD openssh-8.1_p1-r2.ebuild 16426 BLAKE2B 42562396d6bc711b5489375dc76ecc4b3307a366e9a8500f483973a7b401f1e2b4e5dd1aba79cd4d307fee80429efa3d1d90c2acc76bd71a8f7687e3a5fddc9e SHA512 73d077862441a26a20c41acbc59bd047854bfaa77fe3ad64125ec7011bb6941147bff005310deacd0550c2156e6632732543835bb128856b83a55a553987f5da
-EBUILD openssh-8.2_p1-r3.ebuild 16788 BLAKE2B f5b7d8c76dd487da270c3f4370fb69389855a2b816ecff6bda726cf6b58676f187766f521ded13c0fda33dab89acdd45d2d05a5595b0bec437e079a741a7250e SHA512 5d8bdc782ae8bc26cf534d6871dda1aef53d9bb2bde4b3ecf8999407c5b2b33c193b9be10b9076dad99bef00c5cadfb3d56d9101b03c1b49af4dd5c9735c3390
-MISC metadata.xml 2361 BLAKE2B 695d283e9b32826edf5d86ed1a26f3182d09ddf5ec40a35ac8273cf99ba042f4b6aeec563946e8c2b2ab5de798258c95810c8b23b9b725d1633b8ea7b0a105e7 SHA512 a532edee5daadb1390a02c124cf4dd0c80b956676bfe833bb5ffccc1cdc0d2aa9c5f9d10f61cb24af74aa7b731c2cc2f4b4418d94a2a75cc8f0c57ea98d57707
+EBUILD openssh-7.5_p1-r5.ebuild 11193 BLAKE2B 62b884f5ec9924d199c7c14a91aeed198013cba04716a0010c8254382dd55e95783fbc8641005cf1929900ed04804573ed39a407349ec1a450f6582bca6ba9aa SHA512 82b9eca54d021b995832b28f97dfae75e38dcdf426581dfe75704280b0a2818cafbc09f82ff7a43bbc7fd68e49a441844d1163411723d474bccd8905b82359b2
+EBUILD openssh-7.7_p1-r10.ebuild 15936 BLAKE2B 54042c1bf3f7d19e58c9d6e1970f3a3194e73d716652a669a1ea04c066112dae6dcd7e09fe2ae20e4a21a8dc18d513231bcf26b1917ab877b93c0e2fb18e3de3 SHA512 33896ad4ba6ee7b7238d8b1cc3ed04993e8e07e2456cd70295656b1522ad9eb2caeecdb897568ca13cb6f4f9e70fff7b238b634a8102ef5bff87f9654d11ddfc
+EBUILD openssh-7.9_p1-r5.ebuild 16308 BLAKE2B ad98ce6cfd5be009c649c698993be93bdadcc959fc9bc4d43a4bbc45865c8bc802f6a4e179ed7d24af0181f3f454cb4c62992e1f66d86b475a48ccf995ce0ced SHA512 c5783252f16e4010c1466033c49e5a261206dd00203e9e01b55f09d9ad414def0532fc9067e1bf3cfb1e37b19db1bec2cd4c54dc89056c00f4d7c1f30d38a0fc
+EBUILD openssh-8.0_p1-r5.ebuild 16691 BLAKE2B 901cd0ea83d38a5f611690ec603965923e0bae4ada7553ec7d8ed8aeac05588e81d21425f9808d245427af73f3be7023b759f69da4db84b7c6b70ee362ee0a65 SHA512 b4ffe6b7b488b27f38cf7948b81924aea39062443653f499682b3e45905598b1c882a0413dd042d9ff234af555bd21db574f732f9551f86c8d2e815ed49d5125
+EBUILD openssh-8.1_p1-r3.ebuild 16430 BLAKE2B 5f87ff43f472c467a8e4dc359556b970a2d9889d45d5eb09c5eac5c0d245027764ec4d6b99853baaf7324883e5be426e20515b53f48fcc7a445a05e84fb0edde SHA512 e07cf259d7a6476c5efa4db22710bd533f86188bd1f5139e2c306858dd67e3b2a83cf5c9236c9441171e25af20a14e9f1d04aa058020ac9a20e0b0d6e7d8d89d
+EBUILD openssh-8.2_p1-r5.ebuild 16798 BLAKE2B 03dd8a663c89cb2185188a0fa9f72af49def3f44a9eaaa989c95f8b2812aab7a335547ff9d22edf64522576a04705e1f957d0edfe2ecf397df760f077eb846c5 SHA512 2a1714d7c8fa18a7b3bf5333625773e2125ca21dd3096766aad341663510503276db61fa42b9cc99d0531b4fcc55ae81e31c47de7502f7c2d83bdb49b91f1448
+EBUILD openssh-8.2_p1-r6.ebuild 16798 BLAKE2B 873c0b86b6c7613d7259e83f9b0377cdc9cc0b3a8dfb8db2821812a33f90f834714995c1c3d045f15691fd25412730165cc6b2fcbcc75d4f2ebfdff7824c1ccb SHA512 fa4007ec3b566c448d7fa5e257dc09aff7ab64491a7c54a19234bfd71fb165f5e46941e91c7d44f98c6819ae54b41c596869afe3e2da6a663dfab9e5db0e1c45
+MISC metadata.xml 2361 BLAKE2B c6fa43fd5cf20d97fa4d135bdef21d81b5b2ead3bcacbb9b9d7ceba7a699c9cbe7895a68a3d79e3d6afb145c8c35ed6a9a35ef7858a9474b26ee00137ea3f0f2 SHA512 7a2dacdc2a7ea1c1181b59152faeaa56c3ec563db2adb2e3b125a3819e32826edf6e8945d1a7c0328fa56f15c3d86d4dbe6afdad717cdcb0c1e92a08991d8f3e
diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
new file mode 100644
index 000000000000..1c58d0d5d823
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
@@ -0,0 +1,11 @@
+--- a/openbsd-compat/regress/Makefile.in	2020-02-15 10:59:01.210601434 -0700
++++ b/openbsd-compat/regress/Makefile.in	2020-02-15 10:59:18.753485852 -0700
+@@ -7,7 +7,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
++CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+ EXEEXT=@EXEEXT@
+ LIBCOMPAT=../libopenbsd-compat.a
+ LIBS=@LIBS@
diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
new file mode 100644
index 000000000000..e73c499d5c4e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
@@ -0,0 +1,128 @@
+--- a/openssh-8.2p1+x509-12.4.3.diff	2020-03-21 11:15:05.939809371 -0700
++++ b/openssh-8.2p1+x509-12.4.3.diff	2020-03-21 11:23:15.424752355 -0700
+@@ -39298,16 +39298,15 @@
+  
+  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -378,6 +379,8 @@
++@@ -378,6 +379,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+-@@ -386,11 +389,14 @@
++@@ -386,11 +388,14 @@
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -39326,7 +39325,7 @@
+  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+  	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+  	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+-@@ -400,12 +406,12 @@
++@@ -400,12 +405,12 @@
+  	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
+  	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
+  	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
+@@ -39340,7 +39339,7 @@
+  
+  install-sysconf:
+  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
+-@@ -463,10 +469,9 @@
++@@ -463,10 +468,9 @@
+  	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+  	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+  	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -39354,7 +39353,7 @@
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+-@@ -478,7 +483,6 @@
++@@ -478,7 +482,6 @@
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+@@ -39362,7 +39361,7 @@
+  
+  regress-prep:
+  	$(MKDIR_P) `pwd`/regress/unittests/test_helper
+-@@ -491,11 +495,11 @@
++@@ -491,11 +494,11 @@
+  	$(MKDIR_P) `pwd`/regress/unittests/match
+  	$(MKDIR_P) `pwd`/regress/unittests/utf8
+  	$(MKDIR_P) `pwd`/regress/misc/kexfuzz
+@@ -39376,7 +39375,7 @@
+  
+  regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
+  	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
+-@@ -546,8 +550,7 @@
++@@ -546,8 +549,7 @@
+  	regress/unittests/sshkey/tests.o \
+  	regress/unittests/sshkey/common.o \
+  	regress/unittests/sshkey/test_file.o \
+@@ -39406,7 +39405,7 @@
+  
+  regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
+      ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
+-@@ -618,35 +619,18 @@
++@@ -618,35 +618,18 @@
+  	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+  
+  MISC_KEX_FUZZ_OBJS=\
+@@ -39444,7 +39443,7 @@
+  	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
+  	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
+  	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
+-@@ -657,36 +641,29 @@
++@@ -657,36 +640,29 @@
+  	regress/unittests/utf8/test_utf8$(EXEEXT) \
+  	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
+  
+@@ -39501,7 +39500,7 @@
+  	TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
+  	TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
+  	TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
+-@@ -708,8 +685,6 @@
++@@ -708,8 +684,6 @@
+  		TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
+  		TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
+  		TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
+@@ -39510,7 +39509,7 @@
+  		TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
+  		TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
+  		TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
+-@@ -717,17 +692,35 @@
++@@ -717,17 +691,35 @@
+  		TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
+  		TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
+  		TEST_SSH_ECC="$${TEST_SSH_ECC}" \
+@@ -39549,7 +39548,7 @@
+  
+  survey: survey.sh ssh
+  	@$(SHELL) ./survey.sh > survey
+-@@ -743,4 +736,8 @@
++@@ -743,4 +735,8 @@
+  		sh buildpkg.sh; \
+  	fi
+  
+@@ -98215,16 +98214,6 @@
+ +	return mbtowc(NULL, s, n);
+ +}
+ +#endif
+-diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.3/version.h
+---- openssh-8.2p1/version.h	2020-02-14 02:40:54.000000000 +0200
+-+++ openssh-8.2p1+x509-12.4.3/version.h	2020-03-21 19:07:00.000000000 +0200
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.2"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.3/version.m4
+ --- openssh-8.2p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.2p1+x509-12.4.3/version.m4	2020-03-21 19:07:00.000000000 +0200
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 6cc1ea784228..22ea5e88361e 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -36,7 +36,7 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
     <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
   </use>
   <upstream>
-    <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+    <remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
     <remote-id type="sourceforge">hpnssh</remote-id>
   </upstream>
 </pkgmetadata>
diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r5.ebuild
index 1614b7a9c148..ed2f28ee78ec 100644
--- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.5_p1-r5.ebuild
@@ -25,7 +25,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
 RESTRICT="!test? ( test )"
@@ -67,7 +67,7 @@ DEPEND="${RDEPEND}
 	sys-devel/autoconf"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )"
 
 S=${WORKDIR}/${PARCH}
diff --git a/net-misc/openssh/openssh-7.7_p1-r9.ebuild b/net-misc/openssh/openssh-7.7_p1-r10.ebuild
index 675ab6bdd43e..9a0e976efb97 100644
--- a/net-misc/openssh/openssh-7.7_p1-r9.ebuild
+++ b/net-misc/openssh/openssh-7.7_p1-r10.ebuild
@@ -26,7 +26,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
 RESTRICT="!test? ( test )"
@@ -66,7 +66,7 @@ DEPEND="${RDEPEND}
 	sys-devel/autoconf"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )"
 
 S="${WORKDIR}/${PARCH}"
diff --git a/net-misc/openssh/openssh-7.9_p1-r4.ebuild b/net-misc/openssh/openssh-7.9_p1-r5.ebuild
index 0a3da9ab28e2..0eedfd4b682e 100644
--- a/net-misc/openssh/openssh-7.9_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.9_p1-r5.ebuild
@@ -33,7 +33,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
 RESTRICT="!test? ( test )"
@@ -78,7 +78,7 @@ DEPEND="${RDEPEND}
 	sys-devel/autoconf"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )"
 
 S="${WORKDIR}/${PARCH}"
diff --git a/net-misc/openssh/openssh-8.0_p1-r4.ebuild b/net-misc/openssh/openssh-8.0_p1-r5.ebuild
index 5153ebc19847..f292c8e6b003 100644
--- a/net-misc/openssh/openssh-8.0_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-8.0_p1-r5.ebuild
@@ -32,7 +32,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
 RESTRICT="!test? ( test )"
@@ -79,7 +79,7 @@ DEPEND="${RDEPEND}
 	sys-devel/autoconf"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )"
 
 S="${WORKDIR}/${PARCH}"
diff --git a/net-misc/openssh/openssh-8.1_p1-r2.ebuild b/net-misc/openssh/openssh-8.1_p1-r3.ebuild
index 5921f6945b0c..75b805da4ddb 100644
--- a/net-misc/openssh/openssh-8.1_p1-r2.ebuild
+++ b/net-misc/openssh/openssh-8.1_p1-r3.ebuild
@@ -34,7 +34,7 @@ S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
 
@@ -87,7 +87,7 @@ DEPEND="${RDEPEND}
 "
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )
 "
 BDEPEND="
diff --git a/net-misc/openssh/openssh-8.2_p1-r3.ebuild b/net-misc/openssh/openssh-8.2_p1-r5.ebuild
index 0579a0af345e..83bb3bd37ed4 100644
--- a/net-misc/openssh/openssh-8.2_p1-r3.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r5.ebuild
@@ -31,7 +31,7 @@ S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
 
@@ -86,7 +86,7 @@ DEPEND="${RDEPEND}
 "
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
 	X? ( x11-apps/xauth )
 "
 BDEPEND="
diff --git a/net-misc/openssh/openssh-8.2_p1-r6.ebuild b/net-misc/openssh/openssh-8.2_p1-r6.ebuild
new file mode 100644
index 000000000000..55d2852ebb93
--- /dev/null
+++ b/net-misc/openssh/openssh-8.2_p1-r6.ebuild
@@ -0,0 +1,482 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="8.1_P1"
+
+HPN_VER="14.20"
+HPN_PATCHES=(
+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+)
+
+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+"
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !sctp !security-key ssl !xmss )
+	xmss? ( || ( ssl libressl ) )
+	test? ( ssl )
+"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	security-key? ( dev-libs/libfido2:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			|| (
+				(
+					>=dev-libs/openssl-1.0.1:0[bindist=]
+					<dev-libs/openssl-1.1.0:0[bindist=]
+				)
+				>=dev-libs/openssl-1.1.0g:0[bindist=]
+			)
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/os-headers
+"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	X? ( x11-apps/xauth )
+"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use hpn && maybe_fail hpn HPN_VER)
+		$(use sctp && maybe_fail sctp SCTP_PATCH)
+		$(use X509 && maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	local PATCHSET_VERSION_MACROS=()
+
+	if use X509 ; then
+		pushd "${WORKDIR}" &>/dev/null || die
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		popd &>/dev/null || die
+
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
+
+		# We need to patch package version or any X.509 sshd will reject our ssh client
+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
+		# error
+		einfo "Patching package version for X.509 patch set ..."
+		sed -i \
+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+		einfo "Patching version.h to expose X.509 patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+	fi
+
+	if use sctp ; then
+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+		einfo "Patching version.h to expose SCTP patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		sed -i \
+			-e "/\t\tcfgparse \\\/d" \
+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+	fi
+
+	if use hpn ; then
+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		mkdir "${hpn_patchdir}" || die
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
+		pushd "${hpn_patchdir}" &>/dev/null || die
+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		if use X509; then
+		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
+		#	# X509 and AES-CTR-MT don't get along, let's just drop it
+		#	rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
+			eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
+		fi
+		use sctp && eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
+
+		eapply "${hpn_patchdir}"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
+
+		einfo "Patching Makefile.in for HPN patch set ..."
+		sed -i \
+			-e "/^LIBS=/ s/\$/ -lpthread/" \
+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+		einfo "Patching version.h to expose HPN patch set ..."
+		sed -i \
+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
+			"${S}"/version.h || die "Failed to sed-in HPN patch version"
+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			einfo "Disabling known non-working MT AES cipher per default ..."
+
+			cat > "${T}"/disable_mtaes.conf <<- EOF
+
+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+			# and therefore disabled per default.
+			DisableMTAES yes
+			EOF
+			sed -i \
+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+			sed -i \
+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+		fi
+	fi
+
+	if use X509 || use sctp || use hpn ; then
+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+		sed -i \
+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+		sed -i \
+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
+	fi
+
+	sed -i \
+		-e "/#UseLogin no/d" \
+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+	eapply_user #473004
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the sctp patch conditionally, so can't pass --without-sctp
+		# unconditionally else we get unknown flag warnings.
+		$(use sctp && use_with sctp)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with security-key security-key-builtin)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	# stackprotect is broken on musl x86 and ppc
+	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	# First the server config.
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables. #367017
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM. #658540
+	AcceptEnv COLORTERM
+	EOF
+
+	# Then the client config.
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables. #367017
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM. #658540
+	SendEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use hpn && dodoc HPN-README
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	keepdir /var/empty
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+		elog ""
+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+		elog "and therefore disabled at runtime per default."
+		elog "Make sure your sshd_config is up to date and contains"
+		elog ""
+		elog "  DisableMTAES yes"
+		elog ""
+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+		elog ""
+	fi
+}
author	V3n3RiX <venerix@redcorelinux.org>	2020-04-12 03:41:30 +0100
committer	V3n3RiX <venerix@redcorelinux.org>	2020-04-12 03:41:30 +0100
commit	623ee73d661e5ed8475cb264511f683407d87365 (patch)
tree	993eb27c93ec7a2d2d19550300d888fc1fed9e69 /net-misc/openssh
parent	ceeeb463cc1eef97fd62eaee8bf2196ba04bc384 (diff)