From f4dbc372a77a705021ad9697ed10539653a9ca8f Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 6 Dec 2021 17:41:57 +0100 Subject: [PATCH 1/5] net-misc/openssh: Sync with Gentoo upstream; updates to 8.8_p1 gentoo ref: https://github.com/gentoo/gentoo/commit/91c1a70f4c8d56e56e2445bbd123ed286f8d1444 Signed-off-by: Sayan Chowdhury Signed-off-by: Dongsu Park --- net-misc/openssh/Manifest | 6 +- .../files/openssh-8.7_p1-X509-glue-13.2.patch | 73 ---------------- .../openssh-8.8_p1-X509-glue-13.2.3.patch | 63 ++++++++++++++ net-misc/openssh/files/sshd-r1.confd | 33 +++++++ net-misc/openssh/files/sshd-r1.initd | 87 +++++++++++++++++++ net-misc/openssh/files/sshd.socket | 1 - net-misc/openssh/metadata.xml | 2 +- ..._p1-r1.ebuild => openssh-8.8_p1-r3.ebuild} | 34 ++------ 8 files changed, 196 insertions(+), 103 deletions(-) delete mode 100644 net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch create mode 100644 net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch create mode 100644 net-misc/openssh/files/sshd-r1.confd create mode 100644 net-misc/openssh/files/sshd-r1.initd rename net-misc/openssh/{openssh-8.7_p1-r1.ebuild => openssh-8.8_p1-r3.ebuild} (94%) diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index abbd256887f..883f7ee765b 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest 
@@ -1,6 +1,6 @@ -DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540 -DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c -DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2 +DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6 +DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0 +DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B 
f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch deleted file mode 100644 index d6f5e42027d..00000000000 --- a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff ---- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700 -+++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700 -@@ -51082,12 +51082,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -391,6 +368,8 @@ -+@@ -391,6 +368,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -69793,7 +69792,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do - verbose "$tid: cipher $c" -@@ -69808,7 +69807,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do - verbose "$tid: kex $k" -@@ -69823,7 +69822,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - if [ "`${SSH} -Q compression`" = "none" ]; then - comp="0" -@@ -70130,9 +70129,9 @@ - - +# cross-project configuration - +if test "$sshd_type" = "pkix" ; then --+ unset_arg='' -++ unset_arg= - +else --+ unset_arg=none -++ unset_arg= 
- +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -131673,16 +131672,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h ----- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300 --+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.7" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4 - --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300 diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch new file mode 100644 index 00000000000..b6827623cd6 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch 
@@ -0,0 +1,63 @@ +diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff +--- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700 ++++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700 +@@ -954,15 +954,16 @@ + char b[512]; + - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); + - u_char *hash = xmalloc(len); ++- double delay; + + int digest_alg; + + size_t len; + + u_char *hash; +- double delay; +- +++ double delay = 0; +++ + + digest_alg = ssh_digest_maxbytes(); + + len = ssh_digest_bytes(digest_alg); + + hash = xmalloc(len); +-+ ++ + (void)snprintf(b, sizeof b, "%llu%s", + (unsigned long long)options.timing_secret, user); + - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0) +@@ -51859,12 +51860,11 @@ + + install-files: + $(MKDIR_P) $(DESTDIR)$(bindir) +-@@ -391,6 +372,8 @@ ++@@ -391,6 +372,7 @@ + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 + $(MKDIR_P) $(DESTDIR)$(libexecdir) + + $(MKDIR_P) $(DESTDIR)$(sshcadir) +-+ $(MKDIR_P) $(DESTDIR)$(piddir) + $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) +@@ -71985,7 +71985,7 @@ + +if test "$sshd_type" = "pkix" ; then + + unset_arg='' + +else +-+ unset_arg=none +++ unset_arg= + +fi + + + cat > $OBJ/sshd_config.i << _EOF +@@ -132360,16 +132360,6 @@ + +int asnmprintf(char **, size_t, int *, const char *, ...) 
+ __attribute__((format(printf, 4, 5))); + void msetlocale(void); +-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h +---- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300 +-+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300 +-@@ -2,5 +2,4 @@ +- +- #define SSH_VERSION "OpenSSH_8.8" +- +--#define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" + diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4 + --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200 + +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300 diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd new file mode 100644 index 00000000000..cf430371bf0 --- /dev/null +++ b/net-misc/openssh/files/sshd-r1.confd @@ -0,0 +1,33 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress. + +#SSHD_SSD_OPTS="--wait 1000" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" + + +# Path to the ssh-keygen binary (needs to be absolute path). + +#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" diff --git a/net-misc/openssh/files/sshd-r1.initd b/net-misc/openssh/files/sshd-r1.initd new file mode 100644 index 00000000000..e91cd0116cd --- /dev/null +++ b/net-misc/openssh/files/sshd-r1.initd 
@@ -0,0 +1,87 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! 
-e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # Make sure that the user's config isn't busted before we try + # to start the daemon (this will produce better error messages + # than if we just try to start it blindly). + # + # We always need to call checkconfig because this function will + # also generate any missing host key and you can start a + # non-running service with "restart" argument. + checkconfig || return $? +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket index d19f34be865..94b9533180d 100644 --- a/net-misc/openssh/files/sshd.socket +++ b/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 9ce34e61070..58ff739e1d4 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -1,5 +1,5 @@ - + base-system@gentoo.org diff --git a/net-misc/openssh/openssh-8.7_p1-r1.ebuild b/net-misc/openssh/openssh-8.8_p1-r3.ebuild similarity index 94% rename from net-misc/openssh/openssh-8.7_p1-r1.ebuild rename to net-misc/openssh/openssh-8.8_p1-r3.ebuild index 6f85969abea..1c106887871 100644 --- a/net-misc/openssh/openssh-8.7_p1-r1.ebuild +++ b/net-misc/openssh/openssh-8.8_p1-r3.ebuild 
@@ -1,6 +1,3 @@ -# Difference to upstream from ./update_ebuilds: -# - Ported changes from 11d6f23704e7ab84191e28e034816bfdb151d406 -# # Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 @@ -24,7 +21,7 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" @@ -39,7 +36,7 @@ LICENSE="BSD GPL-2" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" +IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" RESTRICT="!test? ( test )" @@ -48,7 +45,7 @@ REQUIRED_USE=" ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) - X509? ( !sctp !security-key ssl !xmss ) + X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) " 
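Review bot: The REQUIRED_USE change drops `!security-key` from the `X509?` group, so `USE="X509 security-key"` becomes a buildable combination that the 8.7 ebuild forbade, while nothing else in the ebuild (X509 glue, configure flags) changes for it; this presumably relies on x509-13.2.3 building against libfido2, which I cannot confirm from the diff. Please confirm that combination was actually built and exercised (e.g. `ssh-keygen -t ecdsa-sk`) before lifting the restriction rather than inherited from the Gentoo sync. A comment above the line recording the reason, e.g. `# X509 13.2.3 builds with libfido2 (security-key); earlier X509 patch sets did not`, would spare the next bump from re-deriving it.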
@@ -60,23 +57,13 @@ LIB_DEPEND=" audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) + net-libs/ldns[ecdsa,ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist(-)=] - =dev-libs/openssl-1.1.0g:0[bindist(-)=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] " @@ -177,7 +164,7 @@ src_prepare() { "${S}"/version.h || die "Failed to sed-in SCTP patch version" PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." + einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." sed -i \ -e "/\t\tcfgparse \\\/d" \ "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" @@ -188,7 +175,7 @@ src_prepare() { mkdir "${hpn_patchdir}" || die cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch + eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch popd &>/dev/null || die @@ -321,11 +308,6 @@ src_configure() { ) if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - # musl defines bogus values for UTMP_FILE and WTMP_FILE # https://bugs.gentoo.org/753230 myconf+=( --disable-utmp --disable-wtmp ) 
@@ -420,6 +402,8 @@ src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd From 392c3af8f43615fd6b64554077e75fa85f9beef9 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Tue, 12 Oct 2021 11:50:27 +0530 Subject: [PATCH 2/5] profiles: accept ~arm64, ~amd64 for openssh 8.8_p1 Signed-off-by: Sayan Chowdhury --- profiles/coreos/base/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/coreos/base/package.accept_keywords b/profiles/coreos/base/package.accept_keywords index 620e3a28216..36e8c9307b3 100644 --- a/profiles/coreos/base/package.accept_keywords +++ b/profiles/coreos/base/package.accept_keywords @@ -31,7 +31,7 @@ dev-util/checkbashisms =net-libs/gnutls-3.7.1 ~amd64 ~arm64 -=net-misc/openssh-8.7_p1-r1 ~amd64 ~arm64 +=net-misc/openssh-8.8_p1-r3 ~amd64 ~arm64 =net-misc/rsync-3.2.3-r5 ~amd64 ~arm64 From 452af427dabae442b8606e6175ba98757ef1e071 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Tue, 12 Oct 2021 11:56:41 +0530 Subject: [PATCH 3/5] net-misc/openssh: Apply Flatcar patches - Drop the init.d files. - Remove the socket unit's rate limiting. Signed-off-by: Sayan Chowdhury Signed-off-by: Dongsu Park --- net-misc/openssh/files/sshd-r1.confd | 33 --------- net-misc/openssh/files/sshd-r1.initd | 87 ----------------------- net-misc/openssh/files/sshd.socket | 1 + net-misc/openssh/openssh-8.8_p1-r3.ebuild | 2 - 4 files changed, 1 insertion(+), 122 deletions(-) delete mode 100644 net-misc/openssh/files/sshd-r1.confd delete mode 100644 net-misc/openssh/files/sshd-r1.initd diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd deleted file mode 100644 index cf430371bf0..00000000000 --- a/net-misc/openssh/files/sshd-r1.confd +++ /dev/null 
@@ -1,33 +0,0 @@ -# /etc/conf.d/sshd: config file for /etc/init.d/sshd - -# Where is your sshd_config file stored? - -SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" - - -# Any random options you want to pass to sshd. -# See the sshd(8) manpage for more info. - -SSHD_OPTS="" - - -# Wait one second (length chosen arbitrarily) to see if sshd actually -# creates a PID file, or if it crashes for some reason like not being -# able to bind to the address in ListenAddress. - -#SSHD_SSD_OPTS="--wait 1000" - - -# Pid file to use (needs to be absolute path). - -#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" - - -# Path to the sshd binary (needs to be absolute path). - -#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" - - -# Path to the ssh-keygen binary (needs to be absolute path). - -#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" diff --git a/net-misc/openssh/files/sshd-r1.initd b/net-misc/openssh/files/sshd-r1.initd deleted file mode 100644 index e91cd0116cd..00000000000 --- a/net-misc/openssh/files/sshd-r1.initd +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/sbin/openrc-run -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -extra_commands="checkconfig" -extra_started_commands="reload" - -: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} -: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} -: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} -: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} -: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} - -command="${SSHD_BINARY}" -pidfile="${SSHD_PIDFILE}" -command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" - -# Wait one second (length chosen arbitrarily) to see if sshd actually -# creates a PID file, or if it crashes for some reason like not being -# able to bind to the address in ListenAddress (bug 617596). -: ${SSHD_SSD_OPTS:=--wait 1000} -start_stop_daemon_args="${SSHD_SSD_OPTS}" - -depend() { - # Entropy can be used by ssh-keygen, among other things, but - # is not strictly required (bug 470020). - use logger dns entropy - if [ "${rc_need+set}" = "set" ] ; then - : # Do nothing, the user has explicitly set rc_need - else - local x warn_addr - for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do - case "${x}" in - 0.0.0.0|0.0.0.0:*) ;; - ::|\[::\]*) ;; - *) warn_addr="${warn_addr} ${x}" ;; - esac - done - if [ -n "${warn_addr}" ] ; then - need net - ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" - ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" - ewarn "where FOO is the interface(s) providing the following address(es):" - ewarn "${warn_addr}" - fi - fi -} - -checkconfig() { - checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" - - if [ ! 
-e "${SSHD_CONFIG}" ] ; then - eerror "You need an ${SSHD_CONFIG} file to run sshd" - eerror "There is a sample file in /usr/share/doc/openssh" - return 1 - fi - - ${SSHD_KEYGEN_BINARY} -A || return 2 - - "${command}" -t ${command_args} || return 3 -} - -start_pre() { - # Make sure that the user's config isn't busted before we try - # to start the daemon (this will produce better error messages - # than if we just try to start it blindly). - # - # We always need to call checkconfig because this function will - # also generate any missing host key and you can start a - # non-running service with "restart" argument. - checkconfig || return $? -} - -stop_pre() { - # If this is a restart, check to make sure the user's config - # isn't busted before we stop the running daemon. - if [ "${RC_CMD}" = "restart" ] ; then - checkconfig || return $? - fi -} - -reload() { - checkconfig || return $? - ebegin "Reloading ${SVCNAME}" - start-stop-daemon --signal HUP --pidfile "${pidfile}" - eend $? -} diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket index 94b9533180d..d19f34be865 100644 --- a/net-misc/openssh/files/sshd.socket +++ b/net-misc/openssh/files/sshd.socket @@ -5,6 +5,7 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes +TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/net-misc/openssh/openssh-8.8_p1-r3.ebuild b/net-misc/openssh/openssh-8.8_p1-r3.ebuild index 1c106887871..49d9f7b6e12 100644 --- a/net-misc/openssh/openssh-8.8_p1-r3.ebuild +++ b/net-misc/openssh/openssh-8.8_p1-r3.ebuild @@ -402,8 +402,6 @@ src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd From 30941263b6eb2cec5841167aed4371440d6ddf8f Mon Sep 17 00:00:00 2001 
From: Dongsu Park Date: Wed, 8 Dec 2021 10:55:40 +0100 Subject: [PATCH 4/5] coreos-base/coreos-init: allow ssh-rsa in sshd_config Temporarily accept ssh-rsa algorithm in sshd_config for openssh >= 8.8, until most ssh clients could deprecate ssh-rsa. Pulls in https://github.com/flatcar-linux/init/pull/54 . --- ...eos-init-0.0.1-r171.ebuild => coreos-init-0.0.1-r172.ebuild} | 0 coreos-base/coreos-init/coreos-init-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename coreos-base/coreos-init/{coreos-init-0.0.1-r171.ebuild => coreos-init-0.0.1-r172.ebuild} (100%) diff --git a/coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild b/coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild similarity index 100% rename from coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild rename to coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild diff --git a/coreos-base/coreos-init/coreos-init-9999.ebuild b/coreos-base/coreos-init/coreos-init-9999.ebuild index e9419b49a53..de1299b28cf 100644 --- a/coreos-base/coreos-init/coreos-init-9999.ebuild +++ b/coreos-base/coreos-init/coreos-init-9999.ebuild @@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="58360ed0da957c2cd0ae9eeab645735d814f565c" # flatcar-master + CROS_WORKON_COMMIT="80b3b3cd021b4120cd9218b33b1f92936abe00bb" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi From a37258971cdbdac039c571a00d92c934e09f8737 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Thu, 9 Dec 2021 10:07:58 +0100 Subject: [PATCH 5/5] changelog: add changelog for openssh 8.8 --- changelog/security/2021-12-09-openssh-8.8.md | 1 + changelog/updates/2021-12-09-openssh-8.8.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/security/2021-12-09-openssh-8.8.md create mode 100644 changelog/updates/2021-12-09-openssh-8.8.md 
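Review bot: The new CROS_WORKON_COMMIT pulls in a sshd_config change that re-enables `ssh-rsa` (RSA signatures over SHA-1), which OpenSSH 8.8 disabled by default because SHA-1 is subject to chosen-prefix collisions; the change itself lives in flatcar-linux/init#54 and is not visible here, so what follows is a request rather than a finding. The re-enablement should be scoped to the narrowest knob the affected clients need — `PubkeyAcceptedAlgorithms +ssh-rsa` for user keys, not also `HostKeyAlgorithms` or `CASignatureAlgorithms` unless those are actually required — since the same RSA keys keep working with `rsa-sha2-256`/`rsa-sha2-512` and only clients unable to negotiate SHA-2 signatures benefit. "Temporarily" also needs an owner: a tracking issue or target release for removal in the commit message, and a line in the security changelog added in PATCH 5/5 so the downgrade is recorded next to the CVE-2021-41617 entry.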
diff --git a/changelog/security/2021-12-09-openssh-8.8.md b/changelog/security/2021-12-09-openssh-8.8.md
new file mode 100644
index 00000000000..4d2a415c61c
--- /dev/null
+++ b/changelog/security/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)
diff --git a/changelog/updates/2021-12-09-openssh-8.8.md b/changelog/updates/2021-12-09-openssh-8.8.md
new file mode 100644
index 00000000000..4ccf56de642
--- /dev/null
+++ b/changelog/updates/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- openssh ([8.8](http://www.openssh.com/txt/release-8.8))