net-misc/openssh: Removed old.

Package-Manager: Portage-2.3.11, Repoman-2.3.3

11 files changed, 0 insertions, 1327 deletions

diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
deleted file mode 100644
index 806b36d0ca94..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- #else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- 	{ "fallbacktorsh", oDeprecated },
- 	{ "usersh", oDeprecated },
-@@ -930,6 +933,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1649,6 +1656,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -668,7 +674,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server.  auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
- 
- 	return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
deleted file mode 100644
index 784cd2aa7efb..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://bugs.gentoo.org/595342
-
-Backport of
-https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
-
---- openssh-7.3p1/kex.c
-+++ openssh-7.3p1/kex.c
-@@ -419,6 +419,8 @@
- 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
- 	if ((r = sshpkt_get_end(ssh)) != 0)
- 		return r;
-+	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
-+		return r;
- 	kex->done = 1;
- 	sshbuf_reset(kex->peer);
- 	/* sshbuf_reset(kex->my); */
---- openssh-7.3p1/packet.c
-+++ openssh-7.3p1/packet.c
-@@ -1919,9 +1919,7 @@
- 			return r;
- 		return SSH_ERR_PROTOCOL_ERROR;
- 	}
--	if (*typep == SSH2_MSG_NEWKEYS)
--		r = ssh_set_newkeys(ssh, MODE_IN);
--	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
-+	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
- 		r = ssh_packet_enable_delayed_compress(ssh);
- 	else
- 		r = 0;
diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
deleted file mode 100644
index 8603601ca7b6..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-https://bugs.gentoo.org/597360
-
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c00919..6a94bc535bd7 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- 	if (kex == NULL)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
-+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- 	ptr = sshpkt_ptr(ssh, &dlen);
- 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- 		return r;
--- 
-2.11.0.rc2
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
deleted file mode 100644
index 7fb0d8069b94..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://bugs.gentoo.org/592122
-
-From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Wed, 3 Aug 2016 04:23:55 +0000
-Subject: [PATCH] upstream commit
-
-Fix bug introduced in rev 1.467 which causes
-"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
-and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
-2", no SSH1 host key supplied).  Reported by rainer.laatsch at t-online.de,
-ok deraadt@
-
-Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
----
- sshd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sshd.c b/sshd.c
-index 799c7711f49c..9fc829a91bc8 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
- 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
- 	} else
- #endif
--		if ((r = sshbuf_put_u32(m, 1)) != 0)
-+		if ((r = sshbuf_put_u32(m, 0)) != 0)
- 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
- 
- #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
--- 
-2.11.0.rc2
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
deleted file mode 100644
index 0602307128f0..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
-  LD=@LD@
-  CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
---- a/0004-support-dynamically-sized-receive-buffers.patch
-+++ b/0004-support-dynamically-sized-receive-buffers.patch
-@@ -2144,9 +2144,9 @@
- @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
-  	/* Send our own protocol version identification. */
-  	if (compat20) {
-- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
---		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
-  	} else {
-  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
-  	}
-  
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
---	    major, minor, SSH_VERSION,
--+	    major, minor, SSH_RELEASE,
-+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+-	    major, minor, SSH_VERSION, comment,
-++	    major, minor, SSH_RELEASE, comment,
-  	    *options.version_addendum == '\0' ? "" : " ",
-  	    options.version_addendum, newline);
-  
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
deleted file mode 100644
index 9cc7b61a6ab5..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
-index fdc9b2f..300cd90 100644
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -127,7 +127,7 @@ struct kq {
- 	u_char		keys[KQLEN][AES_BLOCK_SIZE];
- 	u_char		ctr[AES_BLOCK_SIZE];
- 	u_char		pad0[CACHELINE_LEN];
--	volatile int	qstate;
-+	int		qstate;
- 	pthread_mutex_t	lock;
- 	pthread_cond_t	cond;
- 	u_char		pad1[CACHELINE_LEN];
-@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
- 	STATS_STRUCT(stats);
- 	u_char		aes_counter[AES_BLOCK_SIZE];
- 	pthread_t	tid[CIPHER_THREADS];
-+	pthread_rwlock_t tid_lock;
-+#ifdef __APPLE__
-+	pthread_rwlock_t stop_lock;
-+	int		exit_flag;
-+#endif /* __APPLE__ */
- 	int		state;
- 	int		qidx;
- 	int		ridx;
-@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
- 	pthread_mutex_unlock((pthread_mutex_t *)x);
- }
- 
-+#ifdef __APPLE__
-+/* Check if we should exit, we are doing both cancel and exit condition
-+ * since on OSX threads seem to occasionally fail to notice when they have
-+ * been cancelled. We want to have a backup to make sure that we won't hang
-+ * when the main process join()-s the cancelled thread.
-+ */
-+static void
-+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
-+{
-+	int exit_flag;
-+
-+	pthread_rwlock_rdlock(&c->stop_lock);
-+	exit_flag = c->exit_flag;
-+	pthread_rwlock_unlock(&c->stop_lock);
-+
-+	if (exit_flag)
-+		pthread_exit(NULL);
-+}
-+#else
-+# define thread_loop_check_exit(s)
-+#endif /* __APPLE__ */
-+
-+/*
-+ * Helper function to terminate the helper threads
-+ */
-+static void
-+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
-+{
-+	int i;
-+
-+#ifdef __APPLE__
-+	/* notify threads that they should exit */
-+	pthread_rwlock_wrlock(&c->stop_lock);
-+	c->exit_flag = TRUE;
-+	pthread_rwlock_unlock(&c->stop_lock);
-+#endif /* __APPLE__ */
-+
-+	/* Cancel pregen threads */
-+	for (i = 0; i < CIPHER_THREADS; i++) {
-+		pthread_cancel(c->tid[i]);
-+	}
-+	for (i = 0; i < NUMKQ; i++) {
-+		pthread_mutex_lock(&c->q[i].lock);
-+		pthread_cond_broadcast(&c->q[i].cond);
-+		pthread_mutex_unlock(&c->q[i].lock);
-+	}
-+	for (i = 0; i < CIPHER_THREADS; i++) {
-+		pthread_join(c->tid[i], NULL);
-+	}
-+}
-+
- /*
-  * The life of a pregen thread:
-  *    Find empty keystream queues and fill them using their counter.
-@@ -201,6 +257,7 @@ thread_loop(void *x)
- 	struct kq *q;
- 	int i;
- 	int qidx;
-+	pthread_t first_tid;
- 
- 	/* Threads stats on cancellation */
- 	STATS_INIT(stats);
-@@ -211,11 +268,15 @@ thread_loop(void *x)
- 	/* Thread local copy of AES key */
- 	memcpy(&key, &c->aes_ctx, sizeof(key));
- 
-+	pthread_rwlock_rdlock(&c->tid_lock);
-+	first_tid = c->tid[0];
-+	pthread_rwlock_unlock(&c->tid_lock);
-+
- 	/*
- 	 * Handle the special case of startup, one thread must fill
- 	 * the first KQ then mark it as draining. Lock held throughout.
- 	 */
--	if (pthread_equal(pthread_self(), c->tid[0])) {
-+	if (pthread_equal(pthread_self(), first_tid)) {
- 		q = &c->q[0];
- 		pthread_mutex_lock(&q->lock);
- 		if (q->qstate == KQINIT) {
-@@ -245,12 +306,16 @@ thread_loop(void *x)
- 		/* Check if I was cancelled, also checked in cond_wait */
- 		pthread_testcancel();
- 
-+		/* Check if we should exit as well */
-+		thread_loop_check_exit(c);
-+
- 		/* Lock queue and block if its draining */
- 		q = &c->q[qidx];
- 		pthread_mutex_lock(&q->lock);
- 		pthread_cleanup_push(thread_loop_cleanup, &q->lock);
- 		while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
- 			STATS_WAIT(stats);
-+			thread_loop_check_exit(c);
- 			pthread_cond_wait(&q->cond, &q->lock);
- 		}
- 		pthread_cleanup_pop(0);
-@@ -268,6 +333,7 @@ thread_loop(void *x)
- 		 * can see that it's being filled.
- 		 */
- 		q->qstate = KQFILLING;
-+		pthread_cond_broadcast(&q->cond);
- 		pthread_mutex_unlock(&q->lock);
- 		for (i = 0; i < KQLEN; i++) {
- 			AES_encrypt(q->ctr, q->keys[i], &key);
-@@ -279,7 +345,7 @@ thread_loop(void *x)
- 		ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
- 		q->qstate = KQFULL;
- 		STATS_FILL(stats);
--		pthread_cond_signal(&q->cond);
-+		pthread_cond_broadcast(&q->cond);
- 		pthread_mutex_unlock(&q->lock);
- 	}
- 
-@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- 				pthread_cond_wait(&q->cond, &q->lock);
- 			}
- 			q->qstate = KQDRAINING;
-+			pthread_cond_broadcast(&q->cond);
- 			pthread_mutex_unlock(&q->lock);
- 
- 			/* Mark consumed queue empty and signal producers */
-@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 
- 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
- 		c = xmalloc(sizeof(*c));
-+		pthread_rwlock_init(&c->tid_lock, NULL);
-+#ifdef __APPLE__
-+		pthread_rwlock_init(&c->stop_lock, NULL);
-+		c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
- 
- 		c->state = HAVE_NONE;
- 		for (i = 0; i < NUMKQ; i++) {
-@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 	}
- 
- 	if (c->state == (HAVE_KEY | HAVE_IV)) {
--		/* Cancel pregen threads */
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_cancel(c->tid[i]);
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_join(c->tid[i], NULL);
-+		/* tell the pregen threads to exit */
-+		stop_and_join_pregen_threads(c);
-+
-+#ifdef __APPLE__
-+		/* reset the exit flag */
-+		c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
-+
- 		/* Start over getting key & iv */
- 		c->state = HAVE_NONE;
- 	}
-@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- 		/* Start threads */
- 		for (i = 0; i < CIPHER_THREADS; i++) {
- 			debug("spawned a thread");
-+			pthread_rwlock_wrlock(&c->tid_lock);
- 			pthread_create(&c->tid[i], NULL, thread_loop, c);
-+			pthread_rwlock_unlock(&c->tid_lock);
- 		}
- 		pthread_mutex_lock(&c->q[0].lock);
--		while (c->q[0].qstate != KQDRAINING)
-+		while (c->q[0].qstate == KQINIT)
- 			pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
- 		pthread_mutex_unlock(&c->q[0].lock);
- 	}
-@@ -461,15 +538,10 @@ void
- ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
- {
- 	struct ssh_aes_ctr_ctx *c;
--	int i;
-+
- 	c = EVP_CIPHER_CTX_get_app_data(ctx);
--	/* destroy threads */
--	for (i = 0; i < CIPHER_THREADS; i++) {
--		pthread_cancel(c->tid[i]);
--	}
--	for (i = 0; i < CIPHER_THREADS; i++) {
--		pthread_join(c->tid[i], NULL);
--	}
-+
-+	stop_and_join_pregen_threads(c);
- }
- 
- void
-@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
- 	/* reconstruct threads */
- 	for (i = 0; i < CIPHER_THREADS; i++) {
- 		debug("spawned a thread");
-+		pthread_rwlock_wrlock(&c->tid_lock);
- 		pthread_create(&c->tid[i], NULL, thread_loop, c);
-+		pthread_rwlock_unlock(&c->tid_lock);
- 	}
- }
- 
-@@ -489,18 +563,13 @@ static int
- ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
- {
- 	struct ssh_aes_ctr_ctx *c;
--	int i;
- 
- 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
- #ifdef CIPHER_THREAD_STATS
- 		debug("main thread: %u drains, %u waits", c->stats.drains,
- 				c->stats.waits);
- #endif
--		/* Cancel pregen threads */
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_cancel(c->tid[i]);
--		for (i = 0; i < CIPHER_THREADS; i++)
--			pthread_join(c->tid[i], NULL);
-+		stop_and_join_pregen_threads(c);
- 
- 		memset(c, 0, sizeof(*c));
- 		free(c);
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
deleted file mode 100644
index f077c0517fa2..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
+++ /dev/null
@@ -1,41 +0,0 @@
---- a/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:00:21.561121417 -0700
-+++ b/openssh-7.3_p1-hpn-14.10-r1.patch	2016-09-19 15:22:51.337118439 -0700
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
-  LD=@LD@
-  CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -2144,12 +2144,12 @@
-  	/* Bind the socket to an alternative local IP address */
-  	if (options.bind_address == NULL && !privileged)
-  		return sock;
--@@ -527,10 +555,10 @@
-+@@ -555,10 +583,10 @@
-  	/* Send our own protocol version identification. */
-  	if (compat20) {
-- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
---		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
-  	} else {
-  		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- -		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
-  	}
-  
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
---	    major, minor, SSH_VERSION,
--+	    major, minor, SSH_RELEASE,
-+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+-	    major, minor, SSH_VERSION, comment,
-++	    major, minor, SSH_RELEASE, comment,
-  	    *options.version_addendum == '\0' ? "" : " ",
-  	    options.version_addendum, newline);
-  
diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
deleted file mode 100644
index 2def6993e6c3..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
---- a/openssh-7.3_p1-sctp.patch	2016-08-03 13:10:15.733228732 -0700
-+++ b/openssh-7.3_p1-sctp.patch	2016-08-03 13:25:53.274630002 -0700
-@@ -226,14 +226,6 @@
-  .Op Fl c Ar cipher
-  .Op Fl F Ar ssh_config
-  .Op Fl i Ar identity_file
--@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
- @@ -224,6 +225,8 @@ and
-  to print debugging messages about their progress.
-  This is helpful in
-@@ -493,19 +485,11 @@
-  .Sh SYNOPSIS
-  .Nm ssh
-  .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
-++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
-  .Op Fl b Ar bind_address
-  .Op Fl c Ar cipher_spec
-  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UpdateHostKeys
- @@ -795,6 +796,8 @@ controls.
-  .Pp
-  .It Fl y
-@@ -533,18 +517,18 @@
-  usage(void)
-  {
-  	fprintf(stderr,
---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
--+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-- "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
-- "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
-+ "           [-F configfile]\n"
-+ #ifdef USE_OPENSSL_ENGINE
- @@ -608,7 +613,7 @@ main(int ac, char **av)
-- 	argv0 = av[0];
-+ #  define ENGCONFIG ""
-+ #endif
-  
--  again:
---	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ 	    "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-  		switch (opt) {
-  		case '1':
- @@ -857,6 +862,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
deleted file mode 100644
index 528dc6f22a94..000000000000
--- a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 143227a..c9b84c2 100644
---- a/kex.c
-+++ b/kex.c
-@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
- static int
- kex_send_ext_info(struct ssh *ssh)
- {
-+#ifdef EXPERIMENTAL_RSA_SHA2_256
- 	int r;
- 
--#ifdef EXPERIMENTAL_RSA_SHA2_256
- /* IMPORTANT NOTE:
-  * Do not offer rsa-sha2-* until is resolved misconfiguration issue
-  * with allowed public key algorithms!
-diff --git a/key-eng.c b/key-eng.c
-index 9bc50fd..bc0d03d 100644
---- a/key-eng.c
-+++ b/key-eng.c
-@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
- 	while (buffer_len(&eng_list) > 0) {
- 		u_int   k = 0;
- 		char    *s;
--		ENGINE  *e;
- 
- 		s = buffer_get_cstring_ret(&eng_list, &k);
- 		ssh_engine_reset(s);
-diff --git a/monitor.c b/monitor.c
-index 345d3df..0de30ad 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
- 	    (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
- 	    (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
--	if (keyid > INT_MAX)
-+	if (keyid32 > INT_MAX)
- 		fatal("%s: invalid key ID", __func__);
- 
- 	keyid = keyid32; /*save cast*/
-diff --git a/readconf.c b/readconf.c
-index beb38a0..1cbda7e 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -1459,7 +1459,9 @@ parse_int:
- 
- 	case oHostKeyAlgorithms:
- 		charptr = &options->hostkeyalgorithms;
-+# if 0
- parse_keytypes:
-+# endif
- 		arg = strdelim(&s);
- 		if (!arg || *arg == '\0')
- 			fatal("%.200s line %d: Missing argument.",
-diff --git a/servconf.c b/servconf.c
-index a540138..e77a344 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1574,7 +1573,9 @@ parse_string:
- 
- 	case sHostKeyAlgorithms:
- 		charptr = &options->hostkeyalgorithms;
-+# if 0
-  parse_keytypes:
-+#endif
- 		arg = strdelim(&cp);
- 		if (!arg || *arg == '\0')
- 			fatal("%s line %d: Missing argument.",
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index 50f04b7..3f9a7bf 100644
---- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
- }
- 
- #ifdef OPENSSL_HAS_ECC
-+#ifdef HAVE_EC_KEY_METHOD_NEW
- /* openssl callback for freeing an EC key */
- static void
- pkcs11_ec_finish(EC_KEY *ec)
- {
- 	struct pkcs11_key	*k11;
- 
--#ifdef HAVE_EC_KEY_METHOD_NEW
- 	k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- 	EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#else
--	k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
--	ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#endif
- 	pkcs11_key_free(k11);
- }
-+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
- #endif /*def OPENSSL_HAS_ECC*/
- 
- 
-diff --git a/sshconnect.c b/sshconnect.c
-index fd2a70e..0960be1 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
- {
- 	/* Send our own protocol version identification. */
- 	if (compat20) {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
- 		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
- 	} else {
- 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
diff --git a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
deleted file mode 100644
index ec2a6d894938..000000000000
--- a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- #else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- 	{ "fallbacktorsh", oDeprecated },
- 	{ "usersh", oDeprecated },
-@@ -930,6 +933,10 @@
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -1649,6 +1656,7 @@
- 	options->challenge_response_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- 					/* Try S/Key or TIS, authentication. */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- 	static u_int mech = 0;
- 	OM_uint32 min;
- 	int ok = 0;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -668,7 +674,7 @@
- 		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
- 		    ssh_gssapi_check_mechanism(&gssctxt, 
--		    &gss_supported->elements[mech], authctxt->host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server.  auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
- 
- 	return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return strdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return strdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return strdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return strdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return strdup(ntop);
--	}
--	return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) < 0) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return strdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return strdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return strdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return strdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return strdup(ntop);
-+	}
-+	return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
diff --git a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
deleted file mode 100644
index 3e02b6f8ccc0..000000000000
--- a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
-
-From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 19 Dec 2016 15:59:00 -0500
-Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
-
-The test command uses = for string compares, not ==.  Using some POSIX
-shells will reject this statement with an error about an unknown operator.
----
- regress/allow-deny-users.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
-index 32a269afa97c..86805e19322b 100644
---- a/regress/allow-deny-users.sh
-+++ b/regress/allow-deny-users.sh
-@@ -4,7 +4,7 @@
- tid="AllowUsers/DenyUsers"
- 
- me="$LOGNAME"
--if [ "x$me" == "x" ]; then
-+if [ "x$me" = "x" ]; then
- 	me=`whoami`
- fi
- other="nobody"
--- 
-2.11.0.rc2
-