Added openssh-7.5_p1 SSHv1-client only package.

2019-12-10 05:03:25 +01:00 · 2019-12-10 05:03:25 +01:00 · 2a11982e38
parent e0f4c6072f
commit 2a11982e38
12 changed files with 1013 additions and 0 deletions
--- a/net-misc/openssh1/Manifest
+++ b/net-misc/openssh1/Manifest
@ -0,0 +1,16 @@
 AUX openssh1-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb8f1fddac34048b94592e54f8e31dc11717fe872f3d66a7e6877d2449102fbe18a0ee2a35732991abe946b1fe10abfa48bbec6871b26 SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7
 AUX openssh1-7.3-mips-seccomp-n32.patch 634 BLAKE2B 12e931e6c2364d4cdd3f0d9ef8cf72665b65fedc7e8211a75250abe1bf359460afdf9707fdd7f9be8b8f8fd8fe40fdaddcd842da741c4b63fef94c364738cd26 SHA512 eba3e843d3714501a1df3161d02134c54c8ce584db3af698b87d303fc17c16635bd06db4d7c2d9bb47f461c3b211d870b480fd927f4563207e11c9ed2c446770
 AUX openssh1-7.5_p1-CVE-2017-15906.patch 1180 BLAKE2B 37fca347fc1fa969f410d514a76b3d7133914aa14c7ef577e6eb0b2f96b936313b20635c6cc23b5e91e3643e26c899e992b82769a5df6568d058eb4f7a43fab8 SHA512 dfba25e9962e4398688d5e6f9311de44931ea5292d7d50c69d8056838ceb41ce099c44f849c204f7b421515c3aa40bde6e9b98b80b9e99aa113c222841daecd4
 AUX openssh1-7.5_p1-GSSAPI-dns.patch 11137 BLAKE2B a54ed4d6f81632ae03523b7b61f750402d178d3213ec310bc0e57c0705ed67607a89a786d429599395722eaf40b2fb591c5b8de87ffc4f1dd7f6713b543c31c2 SHA512 f84e1d3fdda7a534d9351884caaefc136be7599e735200f0393db0acad03a57abe6585f9402018b50e3454e6842c3281d630120d479ff819f591c4693252dd0e
 AUX openssh1-7.5_p1-cross-cache.patch 1220 BLAKE2B 7176b86024b072ff601421143f8567e4e47de3d89b1d865bc92405da75bf7c64fa50b9f746d9c494dbf64bc09e04afc1960f673e68ea1d072a5381027afea63d SHA512 03cf3b5556fcf43c7053d1550c8aa35189759a0a2274a67427b28176ba7938b8d0019992de25fb614dc556c5f45a67649bb5d2d82889ac2c37edd986fc632550
 AUX openssh1-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f
 AUX openssh1-7.5_p1-hpn-x509-10.2-glue.patch 2847 BLAKE2B 8a6151ab121871e4f2d93ace0e07dce1106c6841031cacfb197e00cc76fc1d0cf153aae52757dcf98a5fb89971125493d0572bd4964d0e59cb3f391fd1256aef SHA512 bc23fdf5995ae38ff166f12f64082f79a2135ca28f2240e89bee42b1e3ba39ce94467ece9ddea99173f1829b09b069dbf56a0bce7dfd1ae5f63c12f73b5ffba7
 AUX openssh1-7.5_p1-s390-seccomp.patch 624 BLAKE2B 0bf595d72cd65993dde4e5aae0a3e091bb48021ef8affa84c988d55d9fe6a823b0329b6d9707c88e1556d45c304b6630ade7008f63fd649975594a75f570bb33 SHA512 058dc269eb032151e88e0ac79a0b0fd6fcd56d489e90e299ee431b1475a8f8080e8f4649244864af33e743820b081c9f90b32a1a93b8b60feeb491c0201a4d61
 AUX openssh1-7.5_p1-ssh1.patch 5863 BLAKE2B 5c8ba0d856174f6f8a9a3be10a9f5ca5682dc4771c6660faed32d4c53cc4db4b5b0242513012d38ced7a6d666c20d8a5a0638f831e12ab4fe5a873243a4c1432 SHA512 75763f9c03cc5bfd86bfeb9f78df93a908fff5ff2fad4458aa2a1bd7eecd0fc25702d032b36b8bf5572e69e88ea60918ddf99c7b7a0ee5f7fb66e29cf87ad657
 AUX openssh1-7.5_p1-x32-typo.patch 772 BLAKE2B 3f27d669ee76e191f2f6f7c7d86b1d9cb7297cecf17b2d88d86ef498c9ca35231adb0edc9fb811698ec86fd65527cc3fe9f2ce514836aebe5dc27bca2a3a55dc SHA512 20d19301873d4b8e908527f462f40c2f4a513d0bb89d4c7b885f9fc7eb5d483eea544eb108d87ff6aaa3d988d360c2029910c18f7125c96e8367485553f59a5e
 DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4
 DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a
 DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9
 DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b
 EBUILD openssh1-7.5_p1-r4.ebuild 9661 BLAKE2B 2010f80bed82b0040072b1c794754113a35bd8881593c41290946a054182c25fd6bf0d6a1793545cdea4eee507a1323bbaeae162b026d9d205a39189ed536c93 SHA512 32f11830bef448380d516718998b04c47482cb523010645d7d09b978e2dbebc71aeb2e441a8b41300482260c49a8824b9444fb374e675253359d98701d24ad9e
--- a/net-misc/openssh1/files/openssh1-6.7_p1-openssl-ignore-status.patch
+++ b/net-misc/openssh1/files/openssh1-6.7_p1-openssl-ignore-status.patch
@ -0,0 +1,17 @@
 the last nibble of the openssl version represents the status.  that is,
 whether it is a beta or release.  when it comes to version checks in
 openssh, this component does not matter, so ignore it.
 https://bugzilla.mindrot.org/show_bug.cgi?id=2212
 --- a/openbsd-compat/openssl-compat.c
 +++ b/openbsd-compat/openssl-compat.c
@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
 	 * For versions >= 1.0.0, major,minor,status must match and library
 	 * fix version must be equal to or newer than the header.
 	 */
 -	mask = 0xfff0000fL; /* major,minor,status */
 +	mask = 0xfff00000L; /* major,minor,status */
 	hfix = (headerver & 0x000ff000) >> 12;
 	lfix = (libver & 0x000ff000) >> 12;
 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
--- a/net-misc/openssh1/files/openssh1-7.3-mips-seccomp-n32.patch
+++ b/net-misc/openssh1/files/openssh1-7.3-mips-seccomp-n32.patch
@ -0,0 +1,21 @@
 https://bugs.gentoo.org/591392
 https://bugzilla.mindrot.org/show_bug.cgi?id=2590
 7.3 added seccomp support to MIPS, but failed to handled the N32
 case.  This patch is temporary until upstream fixes.
 --- openssh-7.3p1/configure.ac
 +++ openssh-7.3p1/configure.ac
@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
 		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
 		;;
 	mips64-*)
 -		seccomp_audit_arch=AUDIT_ARCH_MIPS64
 +		seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
 		;;
 	mips64el-*)
 -		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
 +		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
 		;;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
--- a/net-misc/openssh1/files/openssh1-7.5_p1-CVE-2017-15906.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-CVE-2017-15906.patch
@ -0,0 +1,31 @@
 From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
 From: djm <djm@openbsd.org>
 Date: Tue, 4 Apr 2017 00:24:56 +0000
 Subject: [PATCH] disallow creation (of empty files) in read-only mode;
 reported by Michal Zalewski, feedback & ok deraadt@
 ---
 usr.bin/ssh/sftp-server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
 index 2510d234a3a..42249ebd60d 100644
 --- a/usr.bin/ssh/sftp-server.c
 +++ b/usr.bin/ssh/sftp-server.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
 +/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -683,8 +683,8 @@ process_open(u_int32_t id)
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
 -	    ((flags & O_ACCMODE) == O_WRONLY ||
 -	    (flags & O_ACCMODE) == O_RDWR)) {
 +	    ((flags & O_ACCMODE) != O_RDONLY ||
 +	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
 		verbose("Refusing open request in read-only mode");
 		status = SSH2_FX_PERMISSION_DENIED;
 	} else {
--- a/net-misc/openssh1/files/openssh1-7.5_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-GSSAPI-dns.patch
@ -0,0 +1,351 @@
 http://bugs.gentoo.org/165444
 https://bugzilla.mindrot.org/show_bug.cgi?id=1008
 --- a/readconf.c
 +++ b/readconf.c
@@ -148,6 +148,7 @@
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +	oGssTrustDns,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -194,9 +195,11 @@
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
 +	{ "gssapitrustdns", oGssTrustDns },
 # else
 	{ "gssapiauthentication", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
 +	{ "gssapitrustdns", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 	{ "smartcarddevice", oPKCS11Provider },
@@ -930,6 +933,10 @@
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 +	case oGssTrustDns:
 +		intptr = &options->gss_trust_dns;
 +		goto parse_flag;
 +
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1649,6 +1656,7 @@
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
 +	options->gss_trust_dns = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
 +	if (options->gss_trust_dns == -1)
 +		options->gss_trust_dns = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
 --- a/readconf.h
 +++ b/readconf.h
@@ -46,6 +46,7 @@
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
 +	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 --- a/ssh_config.5
 +++ b/ssh_config.5
@@ -830,6 +830,16 @@
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
 +Note that this option applies to protocol version 2 connections using GSSAPI.
 +.It Cm GSSAPITrustDns
 +Set to
 +.Dq yes to indicate that the DNS is trusted to securely canonicalize
 +the name of the host being connected to. If
 +.Dq no, the hostname entered on the
 +command line will be passed untouched to the GSSAPI library.
 +The default is
 +.Dq no .
 +This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
@@ -656,6 +656,13 @@
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
 +	const char *gss_host;
 +
 +	if (options.gss_trust_dns) {
 +		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
 +		gss_host = auth_get_canonical_hostname(active_state, 1);
 +	} else
 +		gss_host = authctxt->host;
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -668,7 +674,7 @@
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
 		    ssh_gssapi_check_mechanism(&gssctxt, 
 -		    &gss_supported->elements[mech], authctxt->host)) {
 +		    &gss_supported->elements[mech], gss_host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
 need to move these two funcs back to canohost so they're available to clients
 and the server.  auth.c is only used in the server.
 --- a/auth.c
 +++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void)
 	return (&fake);
 }
 -
 -/*
 - * Returns the remote DNS hostname as a string. The returned string must not
 - * be freed. NB. this will usually trigger a DNS query the first time it is
 - * called.
 - * This function does additional checks on the hostname to mitigate some
 - * attacks on legacy rhosts-style authentication.
 - * XXX is RhostsRSAAuthentication vulnerable to these?
 - * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 - */
 -
 -static char *
 -remote_hostname(struct ssh *ssh)
 -{
 -	struct sockaddr_storage from;
 -	socklen_t fromlen;
 -	struct addrinfo hints, *ai, *aitop;
 -	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
 -	const char *ntop = ssh_remote_ipaddr(ssh);
 -
 -	/* Get IP address of client. */
 -	fromlen = sizeof(from);
 -	memset(&from, 0, sizeof(from));
 -	if (getpeername(ssh_packet_get_connection_in(ssh),
 -	    (struct sockaddr *)&from, &fromlen) < 0) {
 -		debug("getpeername failed: %.100s", strerror(errno));
 -		return strdup(ntop);
 -	}
 -
 -	ipv64_normalise_mapped(&from, &fromlen);
 -	if (from.ss_family == AF_INET6)
 -		fromlen = sizeof(struct sockaddr_in6);
 -
 -	debug3("Trying to reverse map address %.100s.", ntop);
 -	/* Map the IP address to a host name. */
 -	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 -	    NULL, 0, NI_NAMEREQD) != 0) {
 -		/* Host name not found.  Use ip address. */
 -		return strdup(ntop);
 -	}
 -
 -	/*
 -	 * if reverse lookup result looks like a numeric hostname,
 -	 * someone is trying to trick us by PTR record like following:
 -	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
 -	 */
 -	memset(&hints, 0, sizeof(hints));
 -	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 -	hints.ai_flags = AI_NUMERICHOST;
 -	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
 -		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
 -		    name, ntop);
 -		freeaddrinfo(ai);
 -		return strdup(ntop);
 -	}
 -
 -	/* Names are stored in lowercase. */
 -	lowercase(name);
 -
 -	/*
 -	 * Map it back to an IP address and check that the given
 -	 * address actually is an address of this host.  This is
 -	 * necessary because anyone with access to a name server can
 -	 * define arbitrary names for an IP address. Mapping from
 -	 * name to IP address can be trusted better (but can still be
 -	 * fooled if the intruder has access to the name server of
 -	 * the domain).
 -	 */
 -	memset(&hints, 0, sizeof(hints));
 -	hints.ai_family = from.ss_family;
 -	hints.ai_socktype = SOCK_STREAM;
 -	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
 -		logit("reverse mapping checking getaddrinfo for %.700s "
 -		    "[%s] failed.", name, ntop);
 -		return strdup(ntop);
 -	}
 -	/* Look for the address from the list of addresses. */
 -	for (ai = aitop; ai; ai = ai->ai_next) {
 -		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
 -		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
 -		    (strcmp(ntop, ntop2) == 0))
 -				break;
 -	}
 -	freeaddrinfo(aitop);
 -	/* If we reached the end of the list, the address was not there. */
 -	if (ai == NULL) {
 -		/* Address not found for the host name. */
 -		logit("Address %.100s maps to %.600s, but this does not "
 -		    "map back to the address.", ntop, name);
 -		return strdup(ntop);
 -	}
 -	return strdup(name);
 -}
 -
 -/*
 - * Return the canonical name of the host in the other side of the current
 - * connection.  The host name is cached, so it is efficient to call this
 - * several times.
 - */
 -
 -const char *
 -auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
 -{
 -	static char *dnsname;
 -
 -	if (!use_dns)
 -		return ssh_remote_ipaddr(ssh);
 -	else if (dnsname != NULL)
 -		return dnsname;
 -	else {
 -		dnsname = remote_hostname(ssh);
 -		return dnsname;
 -	}
 -}
 --- a/canohost.c
 +++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
 {
 	return get_sock_port(sock, 1);
 }
 +
 +/*
 + * Returns the remote DNS hostname as a string. The returned string must not
 + * be freed. NB. this will usually trigger a DNS query the first time it is
 + * called.
 + * This function does additional checks on the hostname to mitigate some
 + * attacks on legacy rhosts-style authentication.
 + * XXX is RhostsRSAAuthentication vulnerable to these?
 + * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 + */
 +
 +static char *
 +remote_hostname(struct ssh *ssh)
 +{
 +	struct sockaddr_storage from;
 +	socklen_t fromlen;
 +	struct addrinfo hints, *ai, *aitop;
 +	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
 +	const char *ntop = ssh_remote_ipaddr(ssh);
 +
 +	/* Get IP address of client. */
 +	fromlen = sizeof(from);
 +	memset(&from, 0, sizeof(from));
 +	if (getpeername(ssh_packet_get_connection_in(ssh),
 +	    (struct sockaddr *)&from, &fromlen) < 0) {
 +		debug("getpeername failed: %.100s", strerror(errno));
 +		return strdup(ntop);
 +	}
 +
 +	ipv64_normalise_mapped(&from, &fromlen);
 +	if (from.ss_family == AF_INET6)
 +		fromlen = sizeof(struct sockaddr_in6);
 +
 +	debug3("Trying to reverse map address %.100s.", ntop);
 +	/* Map the IP address to a host name. */
 +	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 +	    NULL, 0, NI_NAMEREQD) != 0) {
 +		/* Host name not found.  Use ip address. */
 +		return strdup(ntop);
 +	}
 +
 +	/*
 +	 * if reverse lookup result looks like a numeric hostname,
 +	 * someone is trying to trick us by PTR record like following:
 +	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
 +	 */
 +	memset(&hints, 0, sizeof(hints));
 +	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 +	hints.ai_flags = AI_NUMERICHOST;
 +	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
 +		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
 +		    name, ntop);
 +		freeaddrinfo(ai);
 +		return strdup(ntop);
 +	}
 +
 +	/* Names are stored in lowercase. */
 +	lowercase(name);
 +
 +	/*
 +	 * Map it back to an IP address and check that the given
 +	 * address actually is an address of this host.  This is
 +	 * necessary because anyone with access to a name server can
 +	 * define arbitrary names for an IP address. Mapping from
 +	 * name to IP address can be trusted better (but can still be
 +	 * fooled if the intruder has access to the name server of
 +	 * the domain).
 +	 */
 +	memset(&hints, 0, sizeof(hints));
 +	hints.ai_family = from.ss_family;
 +	hints.ai_socktype = SOCK_STREAM;
 +	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
 +		logit("reverse mapping checking getaddrinfo for %.700s "
 +		    "[%s] failed.", name, ntop);
 +		return strdup(ntop);
 +	}
 +	/* Look for the address from the list of addresses. */
 +	for (ai = aitop; ai; ai = ai->ai_next) {
 +		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
 +		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
 +		    (strcmp(ntop, ntop2) == 0))
 +				break;
 +	}
 +	freeaddrinfo(aitop);
 +	/* If we reached the end of the list, the address was not there. */
 +	if (ai == NULL) {
 +		/* Address not found for the host name. */
 +		logit("Address %.100s maps to %.600s, but this does not "
 +		    "map back to the address.", ntop, name);
 +		return strdup(ntop);
 +	}
 +	return strdup(name);
 +}
 +
 +/*
 + * Return the canonical name of the host in the other side of the current
 + * connection.  The host name is cached, so it is efficient to call this
 + * several times.
 + */
 +
 +const char *
 +auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
 +{
 +	static char *dnsname;
 +
 +	if (!use_dns)
 +		return ssh_remote_ipaddr(ssh);
 +	else if (dnsname != NULL)
 +		return dnsname;
 +	else {
 +		dnsname = remote_hostname(ssh);
 +		return dnsname;
 +	}
 +}
--- a/net-misc/openssh1/files/openssh1-7.5_p1-cross-cache.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-cross-cache.patch
@ -0,0 +1,39 @@
 From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@chromium.org>
 Date: Wed, 24 May 2017 23:18:41 -0400
 Subject: [PATCH] configure: actually set cache vars when cross-compiling
 The cross-compiling fallback message says it's assuming the test
 passed, but it didn't actually set the cache var which causes
 later tests to fail.
 ---
 configure.ac | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 5cfea38c0a6c..895c5211ea93 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
 	 select_works_with_rlimit=yes],
 	[AC_MSG_RESULT([no])
 	 select_works_with_rlimit=no],
 -	[AC_MSG_WARN([cross compiling: assuming yes])]
 +	[AC_MSG_WARN([cross compiling: assuming yes])
 +	 select_works_with_rlimit=yes]
 )
 AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
 	 rlimit_nofile_zero_works=yes],
 	[AC_MSG_RESULT([no])
 	 rlimit_nofile_zero_works=no],
 -	[AC_MSG_WARN([cross compiling: assuming yes])]
 +	[AC_MSG_WARN([cross compiling: assuming yes])
 +	 rlimit_nofile_zero_works=yes]
 )
 AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
 -- 
 2.12.0
--- a/net-misc/openssh1/files/openssh1-7.5_p1-disable-conch-interop-tests.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-disable-conch-interop-tests.patch
@ -0,0 +1,20 @@
 Disable conch interop tests which are failing when called
 via portage for yet unknown reason and because using conch
 seems to be flaky (test is failing when using Python2 but
 passing when using Python3).
 Bug: https://bugs.gentoo.org/605446
 --- a/regress/conch-ciphers.sh
 +++ b/regress/conch-ciphers.sh
@@ -3,6 +3,10 @@
 tid="conch ciphers"
 +# https://bugs.gentoo.org/605446
 +echo "conch interop tests skipped due to Gentoo bug #605446"
 +exit 0
 +
 if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
 	echo "conch interop tests not enabled"
 	exit 0
--- a/net-misc/openssh1/files/openssh1-7.5_p1-hpn-x509-10.2-glue.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-hpn-x509-10.2-glue.patch
@ -0,0 +1,67 @@
 diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
 --- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch	2017-03-27 13:31:01.816551100 -0700
 +++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch	2017-03-27 13:51:03.894805846 -0700
@@ -40,7 +40,7 @@
 @@ -44,7 +44,7 @@ CC=@CC@
  LD=@LD@
  CFLAGS=@CFLAGS@
 - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
 -LIBS=@LIBS@
 +LIBS=@LIBS@ -lpthread
  K5LIBS=@K5LIBS@
@@ -1023,6 +1023,3 @@
  	do_authenticated(authctxt);
  	/* The connection has been terminated. */
 --- 
 -2.12.0
 -
 diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
 --- a/0004-support-dynamically-sized-receive-buffers.patch	2017-03-27 13:31:01.816551100 -0700
 +++ b/0004-support-dynamically-sized-receive-buffers.patch	2017-03-27 13:49:44.513498976 -0700
@@ -926,9 +926,9 @@
 @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
  	/* Send our own protocol version identification. */
  	if (compat20) {
 - 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
 --		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
 -+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
 +		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
 +-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
 ++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
  	} else {
  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
 -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -943,11 +943,11 @@
 @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
  	char remote_version[256];	/* Must be at least as big as buf. */
 - 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
 --	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 -+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
 +	xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
 +-	    major, minor, SSH_VERSION, pkix_comment,
 ++	    major, minor, SSH_RELEASE, pkix_comment,
  	    *options.version_addendum == '\0' ? "" : " ",
 - 	    options.version_addendum);
 + 	    options.version_addendum, newline);
 @@ -1020,6 +1020,8 @@ server_listen(void)
  	int ret, listen_sock, on = 1;
@@ -1006,12 +1008,9 @@
 --- a/version.h
 +++ b/version.h
 -@@ -3,4 +3,5 @@
 +@@ -3,4 +3,6 @@
  #define SSH_VERSION	"OpenSSH_7.5"
 - #define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 +-#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
 ++#define SSH_X509	", PKIX-SSH " PACKAGE_VERSION
 +#define SSH_HPN		"-hpn14v12"
 +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
 --- 
 -2.12.0
 -
--- a/net-misc/openssh1/files/openssh1-7.5_p1-s390-seccomp.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-s390-seccomp.patch
@ -0,0 +1,27 @@
 From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Wed, 22 Mar 2017 12:43:02 +1100
 Subject: [PATCH] Missing header on Linux/s390
 Patch from Jakub Jelen
 ---
 sandbox-seccomp-filter.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index a8d472a63ccb..2831e9d1083c 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
 #include <elf.h>
 #include <asm/unistd.h>
 +#ifdef __s390__
 +#include <asm/zcrypt.h>
 +#endif
 #include <errno.h>
 #include <signal.h>
 -- 
 2.15.1
--- a/net-misc/openssh1/files/openssh1-7.5_p1-ssh1.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-ssh1.patch
@ -0,0 +1,105 @@
 --- openssh-7.5p1/Makefile.in	2017-03-20 03:39:27.000000000 +0100
 +++ openssh-7.5p1/Makefile.in	2019-12-10 04:41:20.845611305 +0100
@@ -62,7 +62,7 @@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 +TARGETS=ssh$(EXEEXT) ssh-keygen$(EXEEXT) scp$(EXEEXT)
 LIBOPENSSH_OBJS=\
 	ssh_api.o \
@@ -112,12 +112,12 @@
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o
 -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 +MANPAGES	= scp.1.out ssh-keygen.1.out ssh.1.out ssh_config.5.out
 +MANPAGES_IN	= scp.1 ssh-keygen.1 ssh.1 ssh_config.5
 MANTYPE		= @MANTYPE@
 -CONFIGFILES=sshd_config.out ssh_config.out moduli.out
 -CONFIGFILES_IN=sshd_config ssh_config moduli
 +CONFIGFILES=ssh_config.out
 +CONFIGFILES_IN=ssh_config
 PATHSUBS	= \
 	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
@@ -301,47 +301,22 @@
 	$(AUTORECONF)
 	-rm -rf autom4te.cache
 -install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
 +install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key
 install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
 install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
 -check-config:
 -	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
 -
 install-files:
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
 -	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
 -	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
 -	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
 -	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 -	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 -	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 -	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 -	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 -	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
 -	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
 -	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 -	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 -	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
 -	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh1$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp1$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen1$(EXEEXT)
 +	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh1.1
 +	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp1.1
 +	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen1.1
 	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
 -	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
 -	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 -	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 -	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 -	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 install-sysconf:
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -352,21 +327,6 @@
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
 	fi
 -	@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
 -		$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
 -	else \
 -		echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
 -	fi
 -	@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
 -		if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
 -			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
 -			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
 -		else \
 -			$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
 -		fi ; \
 -	else \
 -		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 -	fi
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
--- a/net-misc/openssh1/files/openssh1-7.5_p1-x32-typo.patch
+++ b/net-misc/openssh1/files/openssh1-7.5_p1-x32-typo.patch
@ -0,0 +1,25 @@
 From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Mon, 20 Mar 2017 14:57:40 -0400
 Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
 ---
 sandbox-seccomp-filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index 3a1aedce72c2..a8d472a63ccb 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
 	 * x86-64 syscall under some circumstances, e.g.
 	 * https://bugs.debian.org/849923
 	 */
 -	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
 +	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
 #endif
 	/* Default deny */
 -- 
 2.12.0
--- a/net-misc/openssh1/openssh1-7.5_p1-r4.ebuild
+++ b/net-misc/openssh1/openssh1-7.5_p1-r4.ebuild
@ -0,0 +1,294 @@
 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="5"
 inherit eutils user flag-o-matic multilib autotools pam systemd
 # Make it more portable between straight releases
 # and _p? releases.
 PARCH=openssh-7.5p1
 HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
 SCTP_PATCH="openssh-7.4_p1-sctp.patch.xz"
 LDAP_PATCH="openssh-lpk-7.5p1-0.3.14.patch.xz"
 X509_VER="10.2" X509_PATCH="openssh-${PV/_}+x509-${X509_VER}.diff.gz"
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="http://www.openssh.org/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
 	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
 	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
 	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
 	"
 LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssh1 +ssl static test X X509"
 REQUIRED_USE="ldns? ( ssl )
 	pie? ( !static )
 	ssh1? ( ssl )
 	static? ( !kerberos !pam )
 	X509? ( !ldap !sctp ssl )
 	test? ( ssl )"
 LIB_DEPEND="
 	audit? ( sys-process/audit[static-libs(+)] )
 	ldns? (
 		net-libs/ldns[static-libs(+)]
 		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
 		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
 	)
 	libedit? ( dev-libs/libedit:=[static-libs(+)] )
 	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
 	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
 	ssl? (
 		!libressl? (
 			>=dev-libs/openssl-1.0.1:0=[bindist=]
 			dev-libs/openssl:0=[static-libs(+)]
 		)
 		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
 	)
 	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
 RDEPEND="
 	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
 	pam? ( sys-libs/pam )
 	kerberos? ( virtual/krb5 )
 	ldap? ( net-nds/openldap )"
 DEPEND="${RDEPEND}
 	static? ( ${LIB_DEPEND} )
 	virtual/pkgconfig
 	virtual/os-headers
 	sys-devel/autoconf"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
 	userland_GNU? ( virtual/shadow )
 	X? ( x11-apps/xauth )"
 S=${WORKDIR}/${PARCH}
 pkg_pretend() {
 	# this sucks, but i'd rather have people unable to `emerge -u openssh`
 	# than not be able to log in to their server any more
 	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
 	local fail="
 		$(use X509 && maybe_fail X509 X509_PATCH)
 		$(use ldap && maybe_fail ldap LDAP_PATCH)
 		$(use hpn && maybe_fail hpn HPN_PATCH)
 	"
 	fail=$(echo ${fail})
 	if [[ -n ${fail} ]] ; then
 		eerror "Sorry, but this version does not yet support features"
 		eerror "that you requested:	 ${fail}"
 		eerror "Please mask ${PF} for now and check back later:"
 		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
 		die "booooo"
 	fi
 }
 save_version() {
 	# version.h patch conflict avoidence
 	mv version.h version.h.$1
 	cp -f version.h.pristine version.h
 }
 src_prepare() {
 	sed -i \
 		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
 		pathnames.h || die
 	# keep this as we need it to avoid the conflict between LPK and HPN changing
 	# this file.
 	cp version.h version.h.pristine
 	if use X509 ; then
 		if use hpn ; then
 			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
 			epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
 			popd >/dev/null
 		fi
 		save_version X509
 		epatch "${WORKDIR}"/${X509_PATCH%.*}
 	fi
 	if use ldap ; then
 		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
 		save_version LPK
 	fi
 	epatch "${FILESDIR}"/${PN}-7.5_p1-ssh1.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
 	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
 	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
 	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
 	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
 	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
 	if use hpn ; then
 		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
 			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
 			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
 		save_version HPN
 	fi
 	tc-export PKG_CONFIG
 	local sed_args=(
 		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
 		# Disable PATH reset, trust what portage gives us #254615
 		-e 's:^PATH=/:#PATH=/:'
 		# Disable fortify flags ... our gcc does this for us
 		-e 's:-D_FORTIFY_SOURCE=2::'
 	)
 	# The -ftrapv flag ICEs on hppa #505182
 	use hppa && sed_args+=(
 		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
 		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
 	)
 	# _XOPEN_SOURCE causes header conflicts on Solaris
 	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
 		-e 's/-D_XOPEN_SOURCE//'
 	)
 	sed -i "${sed_args[@]}" configure{.ac,} || die
 	epatch_user #473004
 	# Now we can build a sane merged version.h
 	(
 		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
 		macros=()
 		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
 		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
 	) > version.h
 	eautoreconf
 }
 src_configure() {
 	addwrite /dev/ptmx
 	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
 	use static && append-ldflags -static
 	local myconf=(
 		--with-ldflags="${LDFLAGS}"
 		--disable-strip
 		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
 		--sysconfdir="${EPREFIX}"/etc/ssh
 		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
 		--datadir="${EPREFIX}"/usr/share/openssh
 		--with-sandbox==no
 		$(use_with audit audit linux)
 		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
 		# We apply the ldap patch conditionally, so can't pass --without-ldap
 		# unconditionally else we get unknown flag warnings.
 		$(use ldap && use_with ldap)
 		$(use_with ldns)
 		$(use_with libedit)
 		$(use_with pam)
 		$(use_with pie)
 		$(use X509 || use_with sctp)
 		$(use_with selinux)
 		$(use_with skey)
 		$(use_with ssh1)
 		$(use_with ssl openssl)
 		$(use_with ssl md5-passwords)
 		$(use_with ssl ssl-engine)
 	)
 	econf "${myconf[@]}"
 }
 src_compile() {
 	emake ssh scp ssh-keygen
 }
 src_install() {
 	emake install-nokeys DESTDIR="${D}"
 	# Allow client to pass locale environment variables #367017
 	AcceptEnv LANG LC_*
 	EOF
 	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
 	# Send locale environment variables #367017
 	SendEnv LANG LC_*
 	EOF
 	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
 		insinto /etc/openldap/schema/
 		newins openssh-lpk_openldap.schema openssh-lpk.schema
 	fi
 	dodoc CREDITS OVERVIEW README* TODO
 	use X509 || dodoc ChangeLog
 	diropts -m 0700
 	dodir /etc/skel/.ssh
 }
 src_test() {
 	local t skipped=() failed=() passed=()
 	local tests=( interop-tests compat-tests )
 	local shell=$(egetshell "${UID}")
 	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
 		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
 		elog "user, so we will run a subset only."
 		skipped+=( tests )
 	else
 		tests+=( tests )
 	fi
 	# It will also attempt to write to the homedir .ssh.
 	local sshhome=${T}/homedir
 	mkdir -p "${sshhome}"/.ssh
 	for t in "${tests[@]}" ; do
 		# Some tests read from stdin ...
 		HOMEDIR="${sshhome}" HOME="${sshhome}" \
 		emake -k -j1 ${t} </dev/null \
 			&& passed+=( "${t}" ) \
 			|| failed+=( "${t}" )
 	done
 	einfo "Passed tests: ${passed[*]}"
 	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
 	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
 }
 pkg_postinst() {
 	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
 		elog "Starting with openssh-5.8p1, the server will default to a newer key"
 		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
 		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
 	fi
 	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
 		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
 	fi
 	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
 		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
 		elog "Make sure to update any configs that you might have.  Note that xinetd might"
 		elog "be an alternative for you as it supports USE=tcpd."
 	fi
 	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
 		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
 		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
 		elog "adding to your sshd_config or ~/.ssh/config files:"
 		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
 		elog "You should however generate new keys using rsa or ed25519."
 		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
 		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
 		elog "out of the box.  If you need this, please update your sshd_config explicitly."
 	fi
 	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
 		elog "Be aware that by disabling openssl support in openssh, the server and clients"
 		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
 		elog "and update all clients/servers that utilize them."
 	fi
 }