gentoo resync : 10.11.2017

4 files changed, 351 insertions, 1 deletions

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index d999d7a1dd21..75ba7332c235 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -8,6 +8,7 @@ AUX openssh-7.5_p1-x32-typo.patch 772 SHA256 17f2baad36e5b6d270d7377db4ebdf157f2
 AUX openssh-7.5p1-x509-libressl.patch 7027 SHA256 8e9a7f0c891ae2324d756dc4fb93943eb39f3799d2dedccdcfdff0ad1c0067d6 SHA512 0b5fcb58ee55de7ce61bf2bcad23e4a5cdc941d81121bbf8f0dadf5e1e158c055f45a2ef1aebe8fcb1856a33e079282f4c9f21d9da6892808d7e3c172dca3365 WHIRLPOOL f5d43a4de22c70f75607f2d22251072f88d4715d207e74052f2009e6073706da2978ecb183e6c4c10cebd328ac924f33cc8cd149c7072cda3c2f084ec8ef9948
 AUX openssh-7.6_p1-hpn-x509-11.0-glue.patch 2182 SHA256 9cd4ddb9ddd2256df9b3527fde949d4aead350987580abb87547cf3ca49bbe70 SHA512 387222fe9b46f0f2df3cb9f6125995c46f7428955784175c718e902a36e90994f5bcecfbbe160d28fc810e4e43e6f070937c39546f0df36ebb9b47bda3c3e032 WHIRLPOOL 2aa9fe17a8cc95d60488cd427ef04d29785f4f60025f053f45604ceead4570cc71ddcaebb1312915c20156b37ebf889aad865b6bb19fe3203ae57133d0776521
 AUX openssh-7.6_p1-warnings.patch 324 SHA256 761b92cda371cd06dc904027f6bc0d51656b0e3420ab4ca6609cbbb17874c12d SHA512 08a9caf1cbb4dbde2828f14075b41762dad24a8a88882cc61cb133783caa1200f63f052824409b0334c832365c0d934f44b2eeac947228ff52be24a09548cd22 WHIRLPOOL 0b05331c1b7f67931a09e29d43a45f8c96f35575af87bdb5b6f1e983297e8c43597e2124646fd79e723fe8014d6563a6e65aef1fc6ac7ce1f95c11079bc5ff9f
+AUX openssh-7.6_p1-x509-11.0-libressl.patch 570 SHA256 7a65b32ea6c2074b84de979f6b9ceb8ed64c83733c676399a50a436f4d466eed SHA512 795d3e99d81cbd76533196b6a73a9c9a6db800f9de1f6c7860b56058d0a319c6633ab09b8a149ed6d840b3c9a43162ce299e2a16e334a66802260fbdc35b2b17 WHIRLPOOL 817f61ae591b2b225a37753771f2d214cf411c2d8932a083de5c87d744f79e9068f272e627175130d5315ddc12cfbfbaeb47997b4045f0d352c3094efb521242
 AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
 AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
 AUX sshd.rc6.4 2108 SHA256 43a483014bf177f9238e54a7b8210d5a76830beb67c18999409e543fd744c9e4 SHA512 fe58e950514743a72467233ff2f2a63112c50e5db843d61e141a5ca3dd8ef8f42a616cd9de7748ae582054c47c2cc38ce48b638e2d88be39c1387f77e79c83e1 WHIRLPOOL ef30b1e3a118b40617e3c1de6b4ebb360f466e90e18157a08d0ed50a4acb488eb7f6159120525e2b7e85393cd19b062c97188460ea51959467eb6ab52632d064
@@ -27,7 +28,8 @@ DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a
 DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c
 EBUILD openssh-7.5_p1-r1.ebuild 11026 SHA256 4454081691292f2bc218292e09724693fb1b9fc54e65d31042a93bf329728a96 SHA512 2441bff83bba61ead49ce69f7682d6ff9e6629eebc7dd9208da86043c07519a4ee1b9639b5ab22b04298b214ef8ccf94149269d3980d5d48ed01bfde409e015d WHIRLPOOL a0e20cbbe1899a18697e64f33c2bf8d4f9ae51c777032d2f994eda31dc70ac6c0a66c65a9fc46783419656554ac6098b32bb27132becb284c8ccfbdc36e44aff
 EBUILD openssh-7.5_p1-r2.ebuild 10966 SHA256 9aa4c233f5832ae36ea3c793828d240577f37ae96b28d3cf60c62df51623e15d SHA512 a461598a75ecb04c04c1c7e7bac216bb8a0e47ea493e8ce95d1545e96f9d0109cfd63b8be3845f31ba53b6d54e2ca99a9416c94ac9428c51666475a0ae65d3ef WHIRLPOOL a97c29508e3359d1d26d7c6f470fd96194e55fa4564e6692153385d839c5f64d37788026ba6123d8350615a515246404ef691ab6bcf079fe1e3ac8d6b05bfde3
-EBUILD openssh-7.6_p1.ebuild 11116 SHA256 8c05ff1848e984b61d79b660d49724e9ebfa5072938bb2ef713720c392401f61 SHA512 ac09c8dd15d6f5eb04d6f60fc560205160d167855f436dde6fc66dc7fb4b59162eecc64724a1a004022f9d1ee80c748667526f089b9631f184990281f919f18d WHIRLPOOL 9205a2c6767bdaa1997716c116e13636cdd241a8f332c48b45ec7b858f5e10554b7d97f1574f92aeef05abe7a161f052decbf3f81eb096a03085ead8bcb2d28b
+EBUILD openssh-7.6_p1-r1.ebuild 11178 SHA256 1ad539dbf506ce51952326cd2856475caf99ff3fdfca391925f260a8f637d3f8 SHA512 104338ec2dc27e632a47117684805abc0a65c549bed4d7cc45e33a3f3875b7650b241b8c92956498e4d2e2ec170f96e731c392bcf4c67a35810daa691b00f70f WHIRLPOOL 77c184f0803ba6b5b44f8b9b28573b1374fdeddc0a02e46b6ef612529d3fad1e8e205b33f45788820bf8cb03e5558da432c657b001d945d30ddac00da63d1f90
+EBUILD openssh-7.6_p1.ebuild 11177 SHA256 3df0b2d33d7d4b672edf0e2d681b7796709b2731ba6d7b757e34d725ca9b20b7 SHA512 1c8703088b8c16db32f46f6794d182cb37e7da86fa4baa5a2f74cf4ed8240fbac8710be08086f8ada096d4cfa831910205b64c5dd502b7a3edd98784f6fe1aad WHIRLPOOL b04012a4430e2ab1a58947edf2ad23cfbf91fcbea0233d8a501d0286b65aa53b58586487747b859ec37b6c993539e416ffb8bbe5ea73e6f5e78a932b7ca8c5ad
 MISC ChangeLog 25370 SHA256 ad091426a190d89906e9f866e3f9545599b156b39e4b0feeb4f862997faab147 SHA512 cff2020279e7738e82fd0202b0e6de74c837d64a95f931c5ba159a8cc557f596d4b750c1527b96b9a74a8ec16bdaf0ed51457d074046f8049fdf262599394644 WHIRLPOOL ddb4f6ea4aa8051dac3da94bd4ffd94168d4e2cf2030de7841f10384c17f2e803847ccb6777c92ea5e48ce9b65d0bb5d9c77d04aa8e34fcc8fd5cfce04d8e304
 MISC ChangeLog-2015 95783 SHA256 53b51ee42a1faf42d80733382986e4fd606366b7bb6350c76f44df851e071890 SHA512 95a4f4243cb8cd8901208adc3632e191ab27a5ea2ce947e832264833262d8bd1e74a7e4f3545d6f2da8d2b473a59cfc7014aa88d5b0ea30e348c4f5d9323c8e5 WHIRLPOOL 5b56a38ddcf0308b681fc1c1fe8107c37ea1385e30ebc435d22f73c38947f9afdbb37ffb1c22bc48c83117cb91b946831cd83bab2807c248292fd2822002f828
 MISC metadata.xml 2212 SHA256 50f6e3651c8aeb86cfe90d92cef6a2b55640c400584f5fdbb6418cef7ac16f25 SHA512 958845fbdfb4f1d267fdbc3a005c6338da54c6a0715180a1982416a841ab4865c536de5f10bb8493d07830e182786d0c3f2ac710c9168434b3d077a59ed2ddd5 WHIRLPOOL 6d1080bc5c3b10a63836b5286d0d66b925a9d27d35e9855c9f966445458c1d6a752854d019c1740420ea78aef6f60105bef4c771fe61a95aae898034cf100705
diff --git a/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch b/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch
new file mode 100644
index 000000000000..b84ee64e4f7c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch
@@ -0,0 +1,11 @@
+--- a/openssh-7.6p1+x509-11.0.diff	2017-11-06 17:16:28.334140140 -0800
++++ b/openssh-7.6p1+x509-11.0.diff	2017-11-06 17:16:55.338223563 -0800
+@@ -54732,7 +54732,7 @@
+ +int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+ +
+ +typedef char SSHXSTOREPATH;
+-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ +DECLARE_STACK_OF(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_new_null()	SKM_sk_new_null(SSHXSTOREPATH)
+ +# define sk_SSHXSTOREPATH_num(st)	SKM_sk_num(SSHXSTOREPATH, (st))
diff --git a/net-misc/openssh/openssh-7.6_p1-r1.ebuild b/net-misc/openssh/openssh-7.6_p1-r1.ebuild
new file mode 100644
index 000000000000..8bf58476566a
--- /dev/null
+++ b/net-misc/openssh/openssh-7.6_p1-r1.ebuild
@@ -0,0 +1,336 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
+X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	X509? ( !ldap !sctp ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-1.0.1:0=[bindist=]
+			dev-libs/openssl:0=[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S="${WORKDIR}/${PARCH}"
+
+pkg_pretend() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	eapply "${FILESDIR}/${P}-warnings.patch"
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
+			popd >/dev/null
+		fi
+		save_version X509
+		eapply "${WORKDIR}"/${X509_PATCH%.*}
+	fi
+
+	if use ldap ; then
+		eapply "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+	use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	if use hpn ; then
+		elog "Applying HPN patchset ..."
+		eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eapply_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use X509 || use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped+=( tests )
+	else
+		tests+=( tests )
+	fi
+
+	# It will also attempt to write to the homedir .ssh.
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in "${tests[@]}" ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
+	done
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+
+	# remove this if aes-ctr-mt gets fixed
+	if use hpn; then
+		elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
+		elog "set since it does not (yet) work with >=openssh-7.6p1."
+	fi
+}
diff --git a/net-misc/openssh/openssh-7.6_p1.ebuild b/net-misc/openssh/openssh-7.6_p1.ebuild
index a15c07cdc85d..a932f59b746c 100644
--- a/net-misc/openssh/openssh-7.6_p1.ebuild
+++ b/net-misc/openssh/openssh-7.6_p1.ebuild
@@ -118,6 +118,7 @@ src_prepare() {
 		if use hpn ; then
 			pushd "${WORKDIR}" >/dev/null
 			eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+			eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
 			popd >/dev/null
 		fi
 		save_version X509