Merge pull request #2404 from dm0-/bugs-1773

Upgrade to OpenSSH 7.4_p1

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest

@@ -1,4 +1,4 @@
-DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
-DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
-DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
-DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
+DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1
+DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029
+DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch

@@ -1,25 +0,0 @@
-From 56d0bb7810042e3967a377cda4e321685e173969 Mon Sep 17 00:00:00 2001
-From: David Michael <david.michael@coreos.com>
-Date: Tue, 6 Dec 2016 17:52:31 -0800
-Subject: [PATCH] Find a host-prefixed krb5-config when cross-compiling
-
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 88c4633..4d9382c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4151,7 +4151,7 @@ AC_ARG_WITH([kerberos5],
- 		AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
- 		KRB5_MSG="yes"
- 
--		AC_PATH_PROG([KRB5CONF], [krb5-config],
-+		AC_PATH_TOOL([KRB5CONF], [krb5-config],
- 			     [$KRB5ROOT/bin/krb5-config],
- 			     [$KRB5ROOT/bin:$PATH])
- 		if test -x $KRB5CONF ; then
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch

@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int ok = 0;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(active_state, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -668,7 +674,7 @@
+ 		/* My DER encoding requires length<128 */
+ 		if (gss_supported->elements[mech].length < 128 &&
+ 		    ssh_gssapi_check_mechanism(&gssctxt, 
+-		    &gss_supported->elements[mech], authctxt->host)) {
++		    &gss_supported->elements[mech], gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server.  auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+ 
+ 	return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) < 0) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return strdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return strdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return strdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return strdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return strdup(ntop);
+-	}
+-	return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) < 0) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return strdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return strdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return strdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return strdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return strdup(ntop);
++	}
++	return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch

@@ -0,0 +1,29 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
+
+From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 19 Dec 2016 15:59:00 -0500
+Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
+
+The test command uses = for string compares, not ==.  Using some POSIX
+shells will reject this statement with an error about an unknown operator.
+---
+ regress/allow-deny-users.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
+index 32a269afa97c..86805e19322b 100644
+--- a/regress/allow-deny-users.sh
++++ b/regress/allow-deny-users.sh
+@@ -4,7 +4,7 @@
+ tid="AllowUsers/DenyUsers"
+ 
+ me="$LOGNAME"
+-if [ "x$me" == "x" ]; then
++if [ "x$me" = "x" ]; then
+ 	me=`whoami`
+ fi
+ other="nobody"
+-- 
+2.11.0.rc2
+

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild

@@ -1,6 +1,5 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
 
 EAPI="5"
 
@@ -9,36 +8,31 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator
 # Make it more portable between straight releases
 # and _p? releases.
 PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
 
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz"
+X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="http://www.openssh.org/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
-	${HPN_PATCH:+hpn? (
-		mirror://gentoo/${HPN_PATCH}.xz
-		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
-	)}
+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
 	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
 	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
 	"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="abi_mips_n32 debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
 REQUIRED_USE="ldns? ( ssl )
 	pie? ( !static )
 	ssh1? ( ssl )
 	static? ( !kerberos !pam )
-	X509? ( !ldap ssl )
+	X509? ( !hpn !ldap !sctp ssl )
 	test? ( ssl )"
 
 LIB_DEPEND="
@@ -74,7 +68,7 @@ RDEPEND="${RDEPEND}
 
 S=${WORKDIR}/${PARCH}
 
-pkg_setup() {
+pkg_pretend() {
 	# this sucks, but i'd rather have people unable to `emerge -u openssh`
 	# than not be able to log in to their server any more
 	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
@@ -117,37 +111,26 @@ src_prepare() {
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
 
 	if use X509 ; then
-		pushd .. >/dev/null
-		if use hpn ; then
-			pushd "${WORKDIR}" >/dev/null
-			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
-			popd >/dev/null
-		fi
-		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
-		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
-		popd >/dev/null
 		epatch "${WORKDIR}"/${X509_PATCH%.*}
-		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
-		save_version X509
-	else
-		# bug #592122, fixed by X509 patch
-		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+		# We no longer allow X509 to be used with anything else.
+		#save_version X509
 	fi
+
 	if use ldap ; then
 		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
 		save_version LPK
 	fi
 
-	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
-	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+	epatch "${FILESDIR}"/${P}-test-bashism.patch
+	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
 
 	if use hpn ; then
-		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
-		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
-		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
-		epatch "${WORKDIR}"/${HPN_PATCH}
-		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
 		save_version HPN
 	fi
 
@@ -164,19 +147,12 @@ src_prepare() {
 		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
 		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
 	)
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
 	sed -i "${sed_args[@]}" configure{.ac,} || die
 
-	# 7.3 added seccomp support to MIPS, but failed to handled the N32
-	# case.  This patch is temporary until upstream fixes.  See
-	# Gentoo bug #591392 or upstream #2590.
-	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
-		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
-	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
-	epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
-
-	epatch "${FILESDIR}"/${PN}-7.3_p1-fix-krb5-config.patch
-
 	epatch_user #473004
 
 	# Now we can build a sane merged version.h
@@ -213,7 +189,7 @@ src_configure() {
 		$(use_with libedit)
 		$(use_with pam)
 		$(use_with pie)
-		$(use_with sctp)
+		$(use X509 || use_with sctp)
 		$(use_with selinux)
 		$(use_with skey)
 		$(use_with ssh1)
@@ -279,37 +255,32 @@ src_install() {
 }
 
 src_test() {
-	local t tests skipped failed passed shell
-	tests="interop-tests compat-tests"
-	skipped=""
-	shell=$(egetshell ${UID})
+	local t skipped=() failed=() passed=()
+	local tests=( interop-tests compat-tests )
+
+	local shell=$(egetshell "${UID}")
 	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite"
-		elog "requires a usable shell for the 'portage'"
+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
 		elog "user, so we will run a subset only."
-		skipped="${skipped} tests"
+		skipped+=( tests )
 	else
-		tests="${tests} tests"
+		tests+=( tests )
 	fi
-	# It will also attempt to write to the homedir .ssh
+
+	# It will also attempt to write to the homedir .ssh.
 	local sshhome=${T}/homedir
 	mkdir -p "${sshhome}"/.ssh
-	for t in ${tests} ; do
+	for t in "${tests[@]}" ; do
 		# Some tests read from stdin ...
 		HOMEDIR="${sshhome}" HOME="${sshhome}" \
 		emake -k -j1 ${t} </dev/null \
-			&& passed="${passed}${t} " \
-			|| failed="${failed}${t} "
+			&& passed+=( "${t}" ) \
+			|| failed+=( "${t}" )
 	done
-	einfo "Passed tests: ${passed}"
-	ewarn "Skipped tests: ${skipped}"
-	if [[ -n ${failed} ]] ; then
-		ewarn "Failed tests: ${failed}"
-		die "Some tests failed: ${failed}"
-	else
-		einfo "Failed tests: ${failed}"
-		return 0
-	fi
+
+	einfo "Passed tests: ${passed[*]}"
+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
 }
 
 pkg_preinst() {