From 9199729df44d01385159776fd9e315b3789524f0 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Thu, 22 Aug 2019 13:58:33 -0500
Subject: [PATCH 1/4] openssh: 7.9p1 -> 8.1p1
https://www.openwall.com/lists/oss-security/2019/04/18/1
---
 pkgs/tools/networking/openssh/default.nix | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index bb51e3153e13..e2fd4e3e1ff1 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -13,16 +13,16 @@ let
 gssapiPatch = fetchpatch {
 name = "openssh-gssapi.patch";
 url = "https://salsa.debian.org/ssh-team/openssh/raw/"
- + "d80ebbf028196b2478beebf5a290b97f35e1eed9"
+ + "e50a98bda787a3b9f53ed67bdccbbac0bde1f9ae"
 + "/debian/patches/gssapi.patch";
- sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
+ sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2hv";
 };
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
 pname = "openssh";
- version = if hpnSupport then "7.8p1" else "7.9p1";
+ version = if hpnSupport then "7.8p1" else "8.1p1";
 src = if hpnSupport then fetchurl {
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
 else fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz";
- sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
+ sha256 = "1zwk3g57gb13br206k6jdhgnp6y1nibwswzraqspbl1m73pxpx82";
 };
 patches =
@@ -42,6 +42,8 @@ stdenv.mkDerivation rec {
 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
 ./dont_create_privsep_path.patch
+ ./ssh-keysign.patch
+ ] ++ optional hpnSupport
 # CVE-2018-20685, can probably be dropped with next version bump
 # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
 # for details
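Review bot: The new gssapiPatch hash `14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2hv` differs from the old `…m2wv` only in its last two characters, which a real prefetch never yields: either the value was edited by hand to force a refetch and the reported hash was never copied back, or the patch at commit `e50a98bd…` is byte-identical to the old one and the old hash already matched. Either way the fixed-output fetch is not currently pinned to content anyone verified, so the hash should be regenerated the usual way (build with a known-wrong hash and take the actual hash Nix reports for this fetchpatch, which normalises the patch before hashing) before merging. As a smaller point on the `version` line, the announcement linked in the commit message is dated 2019/04/18, which as far as I can tell is the 8.0 release, whereas the bump goes to 8.1p1; linking the 8.1 announcement would better document the incompatibilities the release note warns about.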
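Review bot: In the `@@ -42,6 +42,8 @@` hunk the comment `# CVE-2018-20685, can probably be dropped with next version bump` now sits under the new `] ++ optional hpnSupport` line, where it no longer matches what the code does: the patch is applied only to the HPN build, whose source stays pinned at 7.8p1 (see the `version` line in the first hunk), while the 8.1p1 tarball used otherwise already carries the upstream fix (commit 6010c030 predates the 8.0 release, as far as I can tell). Suggest rewording to `# CVE-2018-20685: still needed for the HPN build, which is pinned to 7.8p1 and lacks the upstream fix` so the next non-HPN bump does not drop a patch that was never for it, and nobody assumes 8.1p1 needs it. Style-wise, the closing `]` and `++ optional hpnSupport` share a line here while `++ optional withGssapiPatches` in the following hunk sits on its own; one layout for both would read better. The patches list continues past the end of this hunk.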
@@ -50,9 +52,6 @@ stdenv.mkDerivation rec {
 url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
 sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
 })
-
- ./ssh-keysign.patch
- ]
 ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
 postPatch =
From 6db7c9cf1d6c1c1fdc365a1214e6bbbb36a2acb8 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Tue, 21 May 2019 03:24:47 -0500
Subject: [PATCH 2/4] nixos: add release note for openssh upgrade \o/
---
 nixos/doc/manual/release-notes/rl-2003.xml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index bdf56acd5451..f4962420fcb0 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -88,6 +88,14 @@
 SD images are now compressed by default using bzip2.
+
+
+ OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
+ but with potential incompatibilities. Consult the
+
+ release announcement for more information.
+
+
From e6d641d957c8bc63c470d08ca43f111377a8693e Mon Sep 17 00:00:00 2001
From: edef
Date: Wed, 4 Sep 2019 21:00:11 +0000
Subject: [PATCH 3/4] openssh: mark hpnSupport as broken
We're hoping to deprecate HPN support, given that as far as we can tell, nobody is using it, and the patches seem rather unmaintained.
---
 pkgs/tools/networking/openssh/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index e2fd4e3e1ff1..d592d6da8f2b 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -110,5 +110,6 @@ stdenv.mkDerivation rec {
 license = stdenv.lib.licenses.bsd2;
 platforms = platforms.unix ++ platforms.windows;
 maintainers = with maintainers; [ eelco aneeshusa ];
+ broken = hpnSupport;
 };
 }
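Review bot: `broken = hpnSupport;` records no reason in the file, so anyone who hits the resulting evaluation error has to search git history to learn that the HPN patches are considered unmaintained and keep the build on 7.8p1 with a backported CVE-2018-20685 fix instead of 8.1p1. Suggest a comment on the line, e.g. `# HPN patches are unmaintained and pin OpenSSH to 7.8p1; HPN support is slated for removal`, ideally with a link to the deprecation discussion. The `meta` attribute set this line belongs to starts above the hunk.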
From 9bfec806dfcc0f0ae43f17ab5a139c5a45aaf5e0 Mon Sep 17 00:00:00 2001
From: edef
Date: Thu, 20 Jun 2019 17:15:33 +0000
Subject: [PATCH 4/4] openssh: don't let configure override SSH_KEYSIGN
While 9fe10288f01984963faf47e21bf1bae4d7d37962 ensured that the ssh-keysign path is searched for in PATH if not absolute, it doesn't prevent the configure script from defaulting to an absolute path in $out/libexec, making the whole effort rather pointless.
---
 pkgs/tools/networking/openssh/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index d592d6da8f2b..2a1122029c12 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -88,6 +88,8 @@ stdenv.mkDerivation rec {
 ++ optional stdenv.isDarwin "--disable-libutil"
 ++ optional (!linkOpenssl) "--without-openssl";
+ buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
+
 enableParallelBuilding = true;
 hardeningEnable = [ "pie" ];
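Review bot: `buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];` gives no hint why a bare command name is passed, and the reasoning lives only in the commit message: the store copy under `$out/libexec` cannot carry the setuid bit, so ssh has to find a non-absolute `ssh-keysign` through PATH (which is what `./ssh-keysign.patch` enables) for host-based authentication to work. Suggest a comment above the line, e.g. `# Override configure's absolute $out/libexec default so ssh resolves ssh-keysign via PATH (see ./ssh-keysign.patch)`. It is also worth confirming in the build log that overriding the make variable is sufficient, i.e. that the configure-time path is not additionally baked into config.h where a make-level override would not reach it. The `configureFlags` expression this attribute follows begins above the hunk.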