authorLars Wendler <polynomial-c@gentoo.org>2019-01-31 23:54:56 +0100
committerLars Wendler <polynomial-c@gentoo.org>2019-01-31 23:55:10 +0100
commit500a23230ac217b5dbca87f3cc22deaf1356ec2b (patch)
treebc3b83d3e0e80ff02e0dc1c5843614caf6a6c5d9 /net-misc/openssh/files
parentdev-java/icedtea: drop vulnerable (diff)
net-misc/openssh: Removed old.
Package-Manager: Portage-2.3.59, Repoman-2.3.12 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'net-misc/openssh/files')
-rw-r--r--net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch21
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch31
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch351
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch39
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch67
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch27
-rw-r--r--net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch25
-rw-r--r--net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch19
-rw-r--r--net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch79
-rw-r--r--net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch112
-rw-r--r--net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch17
11 files changed, 0 insertions, 788 deletions
diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
deleted file mode 100644
index 7eaadaf11cda..000000000000
--- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/591392
-https://bugzilla.mindrot.org/show_bug.cgi?id=2590
-
-7.3 added seccomp support to MIPS, but failed to handled the N32
-case. This patch is temporary until upstream fixes.
-
---- openssh-7.3p1/configure.ac
-+++ openssh-7.3p1/configure.ac
-@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL
- ;;
- mips64-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPS64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
- ;;
- mips64el-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
- ;;
- esac
- if test "x$seccomp_audit_arch" != "x" ; then
diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
deleted file mode 100644
index b97ceb4b2789..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
-From: djm <djm@openbsd.org>
-Date: Tue, 4 Apr 2017 00:24:56 +0000
-Subject: [PATCH] disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt@
-
----
- usr.bin/ssh/sftp-server.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
-index 2510d234a3a..42249ebd60d 100644
---- a/usr.bin/ssh/sftp-server.c
-+++ b/usr.bin/ssh/sftp-server.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
-+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
- /*
- * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
- *
-@@ -683,8 +683,8 @@ process_open(u_int32_t id)
- logit("open \"%s\" flags %s mode 0%o",
- name, string_from_portable(pflags), mode);
- if (readonly &&
-- ((flags & O_ACCMODE) == O_WRONLY ||
-- (flags & O_ACCMODE) == O_RDWR)) {
-+ ((flags & O_ACCMODE) != O_RDONLY ||
-+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
- verbose("Refusing open request in read-only mode");
- status = SSH2_FX_PERMISSION_DENIED;
- } else {
diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
deleted file mode 100644
index 6b1e6dd35a41..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "smartcarddevice", oPKCS11Provider },
-@@ -930,6 +933,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1649,6 +1656,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(active_state, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -668,7 +674,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server. auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
-
- return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) < 0) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return strdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return strdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return strdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return strdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return strdup(ntop);
-- }
-- return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
deleted file mode 100644
index 1c2b7b8a091a..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@chromium.org>
-Date: Wed, 24 May 2017 23:18:41 -0400
-Subject: [PATCH] configure: actually set cache vars when cross-compiling
-
-The cross-compiling fallback message says it's assuming the test
-passed, but it didn't actually set the cache var which causes
-later tests to fail.
----
- configure.ac | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5cfea38c0a6c..895c5211ea93 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
- select_works_with_rlimit=yes],
- [AC_MSG_RESULT([no])
- select_works_with_rlimit=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ select_works_with_rlimit=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
-@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
- rlimit_nofile_zero_works=yes],
- [AC_MSG_RESULT([no])
- rlimit_nofile_zero_works=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ rlimit_nofile_zero_works=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
---
-2.12.0
-
diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
deleted file mode 100644
index 11a5b364be4d..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700
-@@ -40,7 +40,7 @@
- @@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -1023,6 +1023,3 @@
- do_authenticated(authctxt);
-
- /* The connection has been terminated. */
----
--2.12.0
--
-diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
---- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700
-@@ -926,9 +926,9 @@
- @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
-++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -943,11 +943,11 @@
- @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
-+- major, minor, SSH_VERSION, pkix_comment,
-++ major, minor, SSH_RELEASE, pkix_comment,
- *options.version_addendum == '\0' ? "" : " ",
-- options.version_addendum);
-+ options.version_addendum, newline);
-
- @@ -1020,6 +1020,8 @@ server_listen(void)
- int ret, listen_sock, on = 1;
-@@ -1006,12 +1008,9 @@
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,5 @@
-+@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_7.5"
-
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
-++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION
- +#define SSH_HPN "-hpn14v12"
- +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
----
--2.12.0
--
diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
deleted file mode 100644
index d7932003f8f8..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 22 Mar 2017 12:43:02 +1100
-Subject: [PATCH] Missing header on Linux/s390
-
-Patch from Jakub Jelen
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index a8d472a63ccb..2831e9d1083c 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -50,6 +50,9 @@
- #include <elf.h>
-
- #include <asm/unistd.h>
-+#ifdef __s390__
-+#include <asm/zcrypt.h>
-+#endif
-
- #include <errno.h>
- #include <signal.h>
---
-2.15.1
-
diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
deleted file mode 100644
index 5dca1b0e4e16..000000000000
--- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 20 Mar 2017 14:57:40 -0400
-Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
-
----
- sandbox-seccomp-filter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3a1aedce72c2..a8d472a63ccb 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
- * x86-64 syscall under some circumstances, e.g.
- * https://bugs.debian.org/849923
- */
-- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
-+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
- #endif
-
- /* Default deny */
---
-2.12.0
-
diff --git a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
deleted file mode 100644
index 66641c27473e..000000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:19.153936872 -0700
-+++ b/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:58.116677254 -0700
-@@ -63643,16 +63643,6 @@
- setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
- return;
- setlocale(LC_CTYPE, "C");
--diff -ruN openssh-7.8p1/version.h openssh-7.8p1+x509-11.4/version.h
----- openssh-7.8p1/version.h 2018-08-23 08:41:42.000000000 +0300
--+++ openssh-7.8p1+x509-11.4/version.h 2018-08-24 20:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_7.8"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-7.8p1/version.m4 openssh-7.8p1+x509-11.4/version.m4
- --- openssh-7.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-7.8p1+x509-11.4/version.m4 2018-08-24 20:00:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
deleted file mode 100644
index c76d454c92f8..000000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
+++ /dev/null
@@ -1,79 +0,0 @@
---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700
-+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700
-@@ -4,8 +4,8 @@
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
-- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -788,8 +788,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -933,9 +933,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -626,6 +630,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700
-@@ -382,7 +382,7 @@
- @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -1125,15 +1125,6 @@
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
- +++ b/sshd.c
--@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-- char remote_version[256]; /* Must be at least as big as buf. */
--
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-- *options.version_addendum == '\0' ? "" : " ",
-- options.version_addendum);
--
- @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
- int ret, listen_sock;
- struct addrinfo *ai;
-@@ -1213,14 +1204,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_7.8"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+
diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
deleted file mode 100644
index 0561e3814067..000000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
+++ /dev/null
@@ -1,112 +0,0 @@
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700
-@@ -409,18 +409,10 @@
- index dcf35e6..da4ced0 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 170203c..f4d9df2 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -166,6 +167,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -111,7 +115,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -673,9 +651,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->hpn_disabled == -1)
-@@ -1092,7 +1070,7 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
-@@ -1117,10 +1095,9 @@
- + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
- + }
- + }
--+
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
-@@ -1217,11 +1194,10 @@
- index f1bbf00..21a70c2 100644
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,6 @@
-+@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.8"
-
- #define SSH_PORTABLE "p1"
- -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v16"
- +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
- +
diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
deleted file mode 100644
index a7d51ad94839..000000000000
--- a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700
-+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700
-@@ -1190,14 +1190,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_7.8"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+