[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/

[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/

[David Seifert]

commit:     0104890e0756d76bcc03443bc0f35b9833c735bd
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sat Feb 17 14:35:25 2024 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat Feb 17 14:35:25 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0104890e

net-misc/openssh-contrib: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: David Seifert <soap <AT> gentoo.org>

 .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch  | 18 -------
 .../openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch     | 13 -----
 ...enssh-9.3_p1-openssl-version-compat-check.patch | 58 ----------------------
 .../files/openssh-9.3_p2-zlib-1.3.patch            | 21 --------
 4 files changed, 110 deletions(-)

diff --git a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
deleted file mode 100644
index 7199227589c6..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
-@@ -1414,14 +1414,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_8.5"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn15v2"
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
deleted file mode 100644
index 9e08b2a553c2..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/gss-serv.c b/gss-serv.c
-index b5d4bb2d..00e3d118 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- 		gss_create_empty_oid_set(&status, &oidset);
- 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
--		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+		if (gethostname(lname, HOST_NAME_MAX)) {
- 			gss_release_oid_set(&status, &oidset);
- 			return (-1);
- 		}

diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
deleted file mode 100644
index b571ae253fff..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=3548
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
- 	if (headerver == libver)
- 		return 1;
- 
--	/* for versions < 1.0.0, major,minor,fix,status must match */
--	if (headerver < 0x1000000f) {
--		mask = 0xfffff00fL; /* major,minor,fix,status */
--		return (headerver & mask) == (libver & mask);
-+	/*
-+	 * For versions < 3.0.0, major,minor,status must match and library
-+	 * fix version must be equal to or newer than the header.
-+	 */
-+	if (headerver < 0x3000000f) {
-+		mask = 0xfff0000fL; /* major,minor,status */
-+		hfix = (headerver & 0x000ff000) >> 12;
-+		lfix = (libver & 0x000ff000) >> 12;
-+		if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
-+			return 1;
- 	}
- 
- 	/*
--	 * For versions >= 1.0.0, major,minor,status must match and library
--	 * fix version must be equal to or newer than the header.
-+	 * For versions >= 3.0.0, major must match and minor,status must be
-+	 * equal to or greater than the header.
- 	 */
--	mask = 0xfff00000L; /* major,minor,status */
--	hfix = (headerver & 0x000ff000) >> 12;
--	lfix = (libver & 0x000ff000) >> 12;
-+	mask = 0xf000000fL; /* major, status */
-+	hfix = (headerver & 0x0ffffff0L) >> 12;
-+	lfix = (libver & 0x0ffffff0L) >> 12;
- 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
- 		return 1;
- 	return 0;
---- a/openbsd-compat/regress/opensslvertest.c
-+++ b/openbsd-compat/regress/opensslvertest.c
-@@ -31,7 +31,7 @@ struct version_test {
- 	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
- 	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
- 	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
--	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
-+	{ 0x0090802fL, 0x0090902fL, 1},	/* newer library minor version: ok */
- 	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
- 	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
- 
-@@ -41,7 +41,7 @@ struct version_test {
- 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
- 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
- 	{ 0x1000101fL, 0x1000001fL, 0},	/* older library fix version: NO */
--	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
-+	{ 0x1000101fL, 0x1010101fL, 1},	/* newer library minor version: ok */
- 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
- 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
- };

diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch b/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch
deleted file mode 100644
index f1336bbe0380..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/912766
-https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
-
-From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Sat, 19 Aug 2023 07:39:08 +1000
-Subject: [PATCH] Fix zlib version check for 1.3 and future version.
-
-bz#3604.
---- a/configure.ac
-+++ b/configure.ac
-@@ -1464,7 +1464,7 @@ else
- 	[[
- 	int a=0, b=0, c=0, d=0, n, v;
- 	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
--	if (n != 3 && n != 4)
-+	if (n < 1)
- 		exit(1);
- 	v = a*1000000 + b*10000 + c*100 + d;
- 	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
-

[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/

[Conrad Kostecki]

commit:     e72afe2da1a4936ca807afe37799f8442e569c7c
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Thu Apr 18 18:14:24 2024 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Thu Apr 18 19:31:48 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e72afe2d

net-misc/openssh-contrib: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../openssh-contrib/files/openssh-8.6_p1-hpn-version.patch  | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
deleted file mode 100644
index 6dc290d6737b..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- 	if (version_addendum != NULL && *version_addendum == '\0')
- 		version_addendum = NULL;
- 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- 	    version_addendum == NULL ? "" : " ",
- 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
- 		oerrno = errno;

[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/

[Conrad Kostecki]

commit:     1269a83244e2c7aa6e32f9a3bc8bdec8fa7f569f
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Thu Jul  4 06:59:58 2024 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Fri Jul  5 17:41:16 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1269a832

net-misc/openssh-contrib: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/37421
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../openssh-6.7_p1-openssl-ignore-status.patch     |  17 -
 ...penssh-7.5_p1-disable-conch-interop-tests.patch |  20 --
 .../files/openssh-7.9_p1-include-stdlib.patch      |  48 ---
 .../files/openssh-8.0_p1-fix-putty-tests.patch     |  57 ----
 .../files/openssh-8.7_p1-GSSAPI-dns.patch          | 357 ---------------------
 .../files/openssh-8.9_p1-allow-ppoll_time64.patch  |  14 -
 ...mget-shmat-shmdt-in-preauth-privsep-child.patch |  20 --
 7 files changed, 533 deletions(-)

diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
deleted file mode 100644
index fa33af39b6f8..000000000000
--- a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status.  that is,
-whether it is a beta or release.  when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- 	 * For versions >= 1.0.0, major,minor,status must match and library
- 	 * fix version must be equal to or newer than the header.
- 	 */
--	mask = 0xfff0000fL; /* major,minor,status */
-+	mask = 0xfff00000L; /* major,minor,status */
- 	hfix = (headerver & 0x000ff000) >> 12;
- 	lfix = (libver & 0x000ff000) >> 12;
- 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)

diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
deleted file mode 100644
index a5647ce9d8d3..000000000000
--- a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
- 
- tid="conch ciphers"
- 
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- 	echo "conch interop tests not enabled"
- 	exit 0

diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
deleted file mode 100644
index c5697c2b8bd1..000000000000
--- a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/auth-options.c b/auth-options.c
-index b05d6d6f..d1f42f04 100644
---- a/auth-options.c
-+++ b/auth-options.c
-@@ -26,6 +26,7 @@
- #include <stdarg.h>
- #include <ctype.h>
- #include <limits.h>
-+#include <stdlib.h>
- 
- #include "openbsd-compat/sys-queue.h"
- 
-diff --git a/hmac.c b/hmac.c
-index 1c879640..a29f32c5 100644
---- a/hmac.c
-+++ b/hmac.c
-@@ -19,6 +19,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdlib.h>
- 
- #include "sshbuf.h"
- #include "digest.h"
-diff --git a/krl.c b/krl.c
-index 8e2d5d5d..c32e147a 100644
---- a/krl.c
-+++ b/krl.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <time.h>
- #include <unistd.h>
-+#include <stdlib.h>
- 
- #include "sshbuf.h"
- #include "ssherr.h"
-diff --git a/mac.c b/mac.c
-index 51dc11d7..3d11eba6 100644
---- a/mac.c
-+++ b/mac.c
-@@ -29,6 +29,7 @@
- 
- #include <string.h>
- #include <stdio.h>
-+#include <stdlib.h>
- 
- #include "digest.h"
- #include "hmac.h"

diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
deleted file mode 100644
index 4310aa123fc8..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Make sure that host keys are already accepted before
-running tests.
-
-https://bugs.gentoo.org/493866
-
---- a/regress/putty-ciphers.sh
-+++ b/regress/putty-ciphers.sh
-@@ -10,11 +10,17 @@ fi
- 
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
- 	verbose "$tid: cipher $c"
-+	rm -f ${COPY}
- 	cp ${OBJ}/.putty/sessions/localhost_proxy \
- 	    ${OBJ}/.putty/sessions/cipher_$c
- 	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
- 
--	rm -f ${COPY}
-+	env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
- 	    cat ${DATA} > ${COPY}
- 	if [ $? -ne 0 ]; then
---- a/regress/putty-kex.sh
-+++ b/regress/putty-kex.sh
-@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
- 	    ${OBJ}/.putty/sessions/kex_$k
- 	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
- 
-+	env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
- 	if [ $? -ne 0 ]; then
- 		fail "KEX $k failed"
---- a/regress/putty-transfer.sh
-+++ b/regress/putty-transfer.sh
-@@ -14,6 +14,13 @@ for c in 0 1 ; do
- 	cp ${OBJ}/.putty/sessions/localhost_proxy \
- 	    ${OBJ}/.putty/sessions/compression_$c
- 	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-+
-+	env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
-+	    -i ${OBJ}/putty.rsa2 "exit"
-+	if [ $? -ne 0 ]; then
-+		fail "failed to pre-cache host key"
-+	fi
-+
- 	env HOME=$PWD ${PLINK} -load compression_$c -batch \
- 	    -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
- 	if [ $? -ne 0 ]; then

diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index ffc40b70ae3d..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
---- a/auth.c
-+++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) == -1) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return xstrdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return xstrdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return xstrdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return xstrdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return xstrdup(ntop);
--	}
--	return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
--
- /* These functions link key/cert options to the auth framework */
- 
- /* Log sshauthopt options locally and (optionally) for remote transmission */
-diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) == -1) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return xstrdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return xstrdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return xstrdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return xstrdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return xstrdup(ntop);
-+	}
-+	return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
- 	options->pubkey_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
- 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
- 	OM_uint32 min;
- 	int r, ok = 0;
- 	gss_OID mech = NULL;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(ssh, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
- 		    elements[authctxt->mech_tried];
- 		/* My DER encoding requires length<128 */
- 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
--		    mech, authctxt->host)) {
-+		    mech, gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			authctxt->mech_tried++;

diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
deleted file mode 100644
index 8c46625aa29c..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 2e065ba3..4ce80cb2 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_ppoll
- 	SC_ALLOW(__NR_ppoll),
- #endif
-+#ifdef __NR_ppoll_time64
-+	SC_ALLOW(__NR_ppoll_time64),
-+#endif
- #ifdef __NR_poll
- 	SC_ALLOW(__NR_poll),
- #endif

diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
deleted file mode 100644
index 4d098b2231c7..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 23b40b643..d93a357c6 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_statx
- 	SC_DENY(__NR_statx, EACCES),
- #endif
-+#ifdef __NR_shmget
-+	SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+	SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+	SC_DENY(__NR_shmdt, EACCES),
-+#endif
- 
- 	/* Syscalls to permit */
- #ifdef __NR_brk