net-misc/openssh-8.7_p1-r1: Revbump, add X509 patch

Package-Manager: Portage-3.0.22, Repoman-3.0.3
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

4 files changed, 523 insertions, 2 deletions

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index b6ea0efce2b3..ba9efbc35e80 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -4,6 +4,7 @@ DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c
 DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
 DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
 DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
+DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540
 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
 DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
new file mode 100644
index 000000000000..d6f5e42027d1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
@@ -0,0 +1,73 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff
+--- a/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:47:40.415668320 -0700
++++ b/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:49:14.916114987 -0700
+@@ -51082,12 +51082,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +368,8 @@
++@@ -391,6 +368,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -69793,7 +69792,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
+  	verbose "$tid: cipher $c"
+@@ -69808,7 +69807,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+  	verbose "$tid: kex $k"
+@@ -69823,7 +69822,7 @@
+ -	echo "putty interop tests not enabled"
+ -	exit 0
+ -fi
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
+  
+  if [ "`${SSH} -Q compression`" = "none" ]; then
+  	comp="0"
+@@ -70130,9 +70129,9 @@
+  
+ +# cross-project configuration
+ +if test "$sshd_type" = "pkix" ; then
+-+  unset_arg=''
+++  unset_arg=
+ +else
+-+  unset_arg=none
+++  unset_arg=
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -131673,16 +131672,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	    __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h
+---- openssh-8.7p1/version.h	2021-08-20 07:03:49.000000000 +0300
+-+++ openssh-8.7p1+x509-13.2/version.h	2021-08-30 20:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.7"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4
+ --- openssh-8.7p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.7p1+x509-13.2/version.m4	2021-08-30 20:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
new file mode 100644
index 000000000000..49c05917779a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
@@ -0,0 +1,447 @@
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:26:11.116026151 -0700
+@@ -3,9 +3,9 @@
+ --- a/Makefile.in
+ +++ b/Makefile.in
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+- PICFLAG=@PICFLAG@
++ LD=@LD@
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -803,8 +803,8 @@
+  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
+  {
+  	struct session_state *state;
+--	const struct sshcipher *none = cipher_by_name("none");
+-+	struct sshcipher *none = cipher_by_name("none");
++-	const struct sshcipher *none = cipher_none();
+++	struct sshcipher *none = cipher_none();
+  	int r;
+  
+  	if (none == NULL) {
+@@ -894,24 +894,24 @@
+  		intptr = &options->compression;
+  		multistate_ptr = multistate_compression;
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
+- 	options->revoked_host_keys = NULL;
+  	options->fingerprint_hash = -1;
+  	options->update_hostkeys = -1;
++	options->known_hosts_command = NULL;
+ +	options->disable_multithreaded = -1;
+- 	options->hostbased_accepted_algos = NULL;
+- 	options->pubkey_accepted_algos = NULL;
+- 	options->known_hosts_command = NULL;
++ }
++ 
++ /*
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
++ 		options->update_hostkeys = 0;
+  	if (options->sk_provider == NULL)
+  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+- #endif
+ +	if (options->update_hostkeys == -1)
+ +		options->update_hostkeys = 0;
+ +	if (options->disable_multithreaded == -1)
+ +		options->disable_multithreaded = 0;
+  
+- 	/* Expand KEX name lists */
+- 	all_cipher = cipher_alg_list(',', 0);
++ 	/* expand KEX and etc. name lists */
++ {	char *all;
+ diff --git a/readconf.h b/readconf.h
+ index 2fba866e..7f8f0227 100644
+ --- a/readconf.h
+@@ -950,9 +950,9 @@
+  	/* Portable-specific options */
+  	sUsePAM,
+ +	sDisableMTAES,
+- 	/* Standard Options */
+- 	sPort, sHostKeyFile, sLoginGraceTime,
+- 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
++ 	/* X.509 Standard Options */
++ 	sHostbasedAlgorithms,
++ 	sPubkeyAlgorithms,
+ @@ -662,6 +666,7 @@ static struct {
+  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 11:12:46.412119817 -0700
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 14:17:59.366248683 -0700
+@@ -157,6 +157,36 @@
+ +	 Allan Jude provided the code for the NoneMac and buffer normalization.
+ +         This work was financed, in part, by Cisco System, Inc., the National
+ +         Library of Medicine, and the National Science Foundation.
++diff --git a/auth2.c b/auth2.c
++--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
+++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
++@@ -229,16 +229,17 @@
++ 	double delay;
++ 
++ 	digest_alg = ssh_digest_maxbytes();
++-	len = ssh_digest_bytes(digest_alg);
++-	hash = xmalloc(len);
+++	if (len = ssh_digest_bytes(digest_alg) > 0) {
+++		hash = xmalloc(len);
++ 
++-	(void)snprintf(b, sizeof b, "%llu%s",
++-	    (unsigned long long)options.timing_secret, user);
++-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++-		fatal_f("ssh_digest_memory");
++-	/* 0-4.2 ms of delay */
++-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++-	freezero(hash, len);
+++		(void)snprintf(b, sizeof b, "%llu%s",
+++		    (unsigned long long)options.timing_secret, user);
+++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+++			fatal_f("ssh_digest_memory");
+++		/* 0-4.2 ms of delay */
+++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+++		freezero(hash, len);
+++	}
++ 	debug3_f("user specific delay %0.3lfms", delay/1000);
++ 	return MIN_FAIL_DELAY_SECONDS + delay;
++ }
+ diff --git a/channels.c b/channels.c
+ index b60d56c4..0e363c15 100644
+ --- a/channels.c
+@@ -209,14 +239,14 @@
+  static void
+  channel_pre_open(struct ssh *ssh, Channel *c,
+      fd_set *readset, fd_set *writeset)
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+  
+  	if (c->type == SSH_CHANNEL_OPEN &&
+  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+ -	    ((c->local_window_max - c->local_window >
+ -	    c->local_maxpacket*3) ||
+-+            ((ssh_packet_is_interactive(ssh) &&
+-+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+++	    ((ssh_packet_is_interactive(ssh) &&
+++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
+  	    c->local_window < c->local_window_max/2) &&
+  	    c->local_consumed > 0) {
+ +		u_int addition = 0;
+@@ -235,9 +265,8 @@
+  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+- 		    (r = sshpkt_send(ssh)) != 0) {
+- 			fatal_fr(r, "channel %i", c->self);
+- 		}
++ 		    (r = sshpkt_send(ssh)) != 0)
++ 			fatal_fr(r, "channel %d", c->self);
+ -		debug2("channel %d: window %d sent adjust %d", c->self,
+ -		    c->local_window, c->local_consumed);
+ -		c->local_window += c->local_consumed;
+@@ -337,70 +366,92 @@
+ index 70f492f8..5503af1d 100644
+ --- a/clientloop.c
+ +++ b/clientloop.c
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+  	sock = x11_connect_display(ssh);
+  	if (sock < 0)
+  		return NULL;
+ -	c = channel_new(ssh, "x11",
+ -	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+-+        c = channel_new(ssh, "x11",
+-+			SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+-+			/* again is this really necessary for X11? */
+-+			options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+			CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
++-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
++-	    CHANNEL_NONBLOCK_SET);
+++	c = channel_new(ssh, "x11",
+++	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+++	    /* again is this really necessary for X11? */
+++	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+++	    CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
+  	c->force_drain = 1;
+  	return c;
+  }
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+  		return NULL;
+  	}
+  	c = channel_new(ssh, "authentication agent connection",
+ -	    SSH_CHANNEL_OPEN, sock, sock, -1,
+ -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+--	    "authentication agent connection", 1);
+-+			SSH_CHANNEL_OPEN, sock, sock, -1,
+-+			options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+			CHAN_TCP_PACKET_DEFAULT, 0,
+-+			"authentication agent connection", 1);
++-	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
+++	    SSH_CHANNEL_OPEN, sock, sock, -1,
+++	    options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
+++	    CHAN_TCP_PACKET_DEFAULT, 0,
+++	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
+  	c->force_drain = 1;
+  	return c;
+  }
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+  	}
+  	debug("Tunnel forwarding using interface %s", ifname);
+  
+ -	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+-+        c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
++-	    CHANNEL_NONBLOCK_SET);
+++	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ +	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
+-+	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+++	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
+  	c->datagram = 1;
+  
+-+
+-+
+  #if defined(SSH_TUN_FILTER)
+- 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+- 		channel_register_filter(ssh, c->self, sys_tun_infilter,
+ diff --git a/compat.c b/compat.c
+ index 69befa96..90b5f338 100644
+ --- a/compat.c
+ +++ b/compat.c
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
+- 			debug_f("match: %s pat %s compat 0x%08x",
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
++ static u_int
++ compat_datafellows(const char *version)
++ {
++-	int i;
+++	int i, bugs = 0;
++ 	static struct {
++ 		char	*pat;
++ 		int	bugs;
++@@ -147,11 +147,26 @@
++ 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
++ 			debug("match: %s pat %s compat 0x%08x",
+  			    version, check[i].pat, check[i].bugs);
+- 			ssh->compat = check[i].bugs;
+ +			/* Check to see if the remote side is OpenSSH and not HPN */
+-+			/* TODO: need to use new method to test for this */
+ +			if (strstr(version, "OpenSSH") != NULL) {
+ +				if (strstr(version, "hpn") == NULL) {
+-+					ssh->compat |= SSH_BUG_LARGEWINDOW;
+++					bugs |= SSH_BUG_LARGEWINDOW;
+ +					debug("Remote is NON-HPN aware");
+ +				}
+ +			}
+- 			return;
++-			return check[i].bugs;
+++			bugs |= check[i].bugs;
+  		}
+  	}
++-	debug("no match: %s", version);
++-	return 0;
+++	/* Check to see if the remote side is OpenSSH and not HPN */
+++	if (strstr(version, "OpenSSH") != NULL) {
+++		if (strstr(version, "hpn") == NULL) {
+++			bugs |= SSH_BUG_LARGEWINDOW;
+++			debug("Remote is NON-HPN aware");
+++		}
+++	}
+++	if (bugs == 0)
+++		debug("no match: %s", version);
+++	return bugs;
++ }
++ 
++ char *
+ diff --git a/compat.h b/compat.h
+ index c197fafc..ea2e17a7 100644
+ --- a/compat.h
+@@ -459,7 +510,7 @@
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
+  	int nenc, nmac, ncomp;
+  	u_int mode, ctos, need, dh_need, authlen;
+- 	int r, first_kex_follows;
++ 	int r, first_kex_follows = 0;
+ +	int auth_flag = 0;
+ +
+ +	auth_flag = packet_authentication_state(ssh);
+@@ -553,7 +604,7 @@
+  #define MAX_PACKETS	(1U<<31)
+  static int
+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+  	struct session_state *state = ssh->state;
+  	int len, r, ms_remain;
+  	fd_set *setp;
+@@ -1035,19 +1086,6 @@
+  
+  /* Minimum amount of data to read at a time */
+  #define MIN_READ_SIZE	512
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..36a6e519 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
+- 			freezero(pin, strlen(pin));
+- 		error_r(r, "Unable to load resident keys");
+- 		return -1;
+--	}
+-+ 	}
+- 	if (nkeys == 0)
+- 		logit("No keys to download");
+- 	if (pin != NULL)
+ diff --git a/ssh.c b/ssh.c
+ index 53330da5..27b9770e 100644
+ --- a/ssh.c
+@@ -1093,7 +1131,7 @@
+ +	else
+ +		options.hpn_buffer_size = 2 * 1024 * 1024;
+ +
+-+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ +		debug("HPN to Non-HPN Connection");
+ +	} else {
+ +		int sock, socksize;
+@@ -1157,14 +1195,14 @@
+  	}
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
+  	    window, packetmax, CHAN_EXTENDED_WRITE,
+- 	    "client-session", /*nonblock*/0);
++ 	    "client-session", CHANNEL_NONBLOCK_STDIO);
+  
+ +	if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ +		c->dynamic_window = 1;
+ +		debug("Enabled Dynamic Window Scaling");
+ +	}
+ +
+- 	debug3_f("channel_new: %d", c->self);
++ 	debug2_f("channel %d", c->self);
+  
+  	channel_send_open(ssh, c->self);
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
+@@ -1335,7 +1373,29 @@
+  		/* Bind the socket to the desired port. */
+  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+  			error("Bind to port %s on %s failed: %.200s.",
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
++@@ -1625,13 +1632,14 @@
++ 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
++ 		    sshbuf_len(server_cfg)) != 0)
++ 			fatal_f("ssh_digest_update");
++-		len = ssh_digest_bytes(digest_alg);
++-		hash = xmalloc(len);
++-		if (ssh_digest_final(ctx, hash, len) != 0)
++-			fatal_f("ssh_digest_final");
++-		options.timing_secret = PEEK_U64(hash);
++-		freezero(hash, len);
++-		ssh_digest_free(ctx);
+++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
+++			hash = xmalloc(len);
+++			if (ssh_digest_final(ctx, hash, len) != 0)
+++				fatal_f("ssh_digest_final");
+++			options.timing_secret = PEEK_U64(hash);
+++			freezero(hash, len);
+++			ssh_digest_free(ctx);
+++		}
++ 		ctx = NULL;
++ 		return;
++ 	}
++@@ -1727,6 +1735,19 @@ main(int ac, char **av)
+  		fatal("AuthorizedPrincipalsCommand set without "
+  		    "AuthorizedPrincipalsCommandUser");
+  
+@@ -1355,7 +1415,7 @@
+  	/*
+  	 * Check whether there is any path through configured auth methods.
+  	 * Unfortunately it is not possible to verify this generally before
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
++@@ -2166,6 +2187,9 @@ main(int ac, char **av)
+  	    rdomain == NULL ? "" : "\"");
+  	free(laddr);
+  
+@@ -1365,7 +1425,7 @@
+  	/*
+  	 * We don't want to listen forever unless the other side
+  	 * successfully authenticates itself.  So we set up an alarm which is
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
+  	struct kex *kex;
+  	int r;
+  
+@@ -1405,14 +1465,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b4fa372..332fb486 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_8.5"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn15v2"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:12:16.778011216 -0700
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:13:11.573211934 -0700
+@@ -12,9 +12,9 @@
+  static long stalled;		/* how long we have been stalled */
+  static int bytes_per_second;	/* current speed in bytes per second */
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
++ 	off_t bytes_left;
+  	int cur_speed;
+- 	int hours, minutes, seconds;
+- 	int file_len;
++ 	int len;
+ +	off_t delta_pos;
+  
+  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+@@ -30,15 +30,17 @@
+  	if (bytes_left > 0)
+  		elapsed = now - last_update;
+  	else {
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+- 
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
++ 	buf[1] = '\0';
++
+  	/* filename */
+- 	buf[0] = '\0';
+--	file_len = win_size - 36;
+-+	file_len = win_size - 45;
+- 	if (file_len > 0) {
+- 		buf[0] = '\r';
+- 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
++-	if (win_size > 36) {
+++	if (win_size > 45) {
++-		int file_len = win_size - 36;
+++		int file_len = win_size - 45;
++ 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
++ 		    file_len, file);
++ 	}
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
+  	    (off_t)bytes_per_second);
+  	strlcat(buf, "/s ", win_size);
+@@ -63,15 +65,3 @@
+  }
+  
+  /*ARGSUSED*/
+-diff --git a/ssh-keygen.c b/ssh-keygen.c
+-index cfb5f115..986ff59b 100644
+---- a/ssh-keygen.c
+-+++ b/ssh-keygen.c
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
+- 
+- 	if (skprovider == NULL)
+- 		fatal("Cannot download keys without provider");
+--
+- 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+- 	if (!quiet) {
+- 		printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/openssh-8.7_p1.ebuild b/net-misc/openssh/openssh-8.7_p1-r1.ebuild
index 2b26a0f2548b..f5ffce0f4495 100644
--- a/net-misc/openssh/openssh-8.7_p1.ebuild
+++ b/net-misc/openssh/openssh-8.7_p1-r1.ebuild
@@ -21,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-#X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
@@ -186,7 +186,7 @@ src_prepare() {
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
 		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
+		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
 		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
 		popd &>/dev/null || die