openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985

1 files changed, 10 insertions, 9 deletions

diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index aa3dc27fb526..b97bd7f2693f 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -10,20 +10,21 @@ SRCS=	ssh_api.c ssherr.c sshbuf.c sshkey.c sshbuf-getput-basic.c \
 SRCS+=	authfd.c authfile.c \
 	canohost.c channels.c cipher.c cipher-aes.c cipher-aesctr.c \
 	cipher-ctr.c cleanup.c \
-	compat.c crc32.c fatal.c hostfile.c \
-	log.c match.c moduli.c nchan.c packet.c opacket.c \
-	readpass.c ttymodes.c xmalloc.c addrmatch.c \
-	atomicio.c dispatch.c mac.c uuencode.c misc.c utf8.c \
+	compat.c fatal.c hostfile.c \
+	log.c match.c moduli.c nchan.c packet.c \
+	readpass.c ttymodes.c xmalloc.c addr.c addrmatch.c \
+	atomicio.c dispatch.c mac.c misc.c utf8.c \
 	monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-rsa.c dh.c \
 	msg.c progressmeter.c dns.c entropy.c umac.c umac128.c \
 	ssh-pkcs11.c smult_curve25519_ref.c \
-	poly1305.c chacha.c cipher-chachapoly.c \
+	poly1305.c chacha.c cipher-chachapoly.c cipher-chachapoly-libcrypto.c \
 	ssh-ed25519.c digest-openssl.c digest-libc.c hmac.c \
 	sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c \
 	kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c \
-	kexdhc.c kexgexc.c kexecdhc.c kexc25519c.c \
-	kexdhs.c kexgexs.c kexecdhs.c kexc25519s.c \
-	platform-pledge.c platform-tracing.c platform-misc.c
+	kexgexc.c kexgexs.c \
+	kexsntrup761x25519.c sntrup761.c kexgen.c \
+	sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \
+	sshbuf-io.c
 PACKAGE=	ssh
 
 # gss-genr.c should be in $SRCS but causes linking problems, so it is
@@ -34,7 +35,7 @@ SRCS+=	bcrypt_pbkdf.c blowfish.c bsd-misc.c bsd-signal.c explicit_bzero.c \
 	fmt_scaled.c freezero.c glob.c \
 	libressl-api-compat.c \
 	openssl-compat.c port-net.c \
-	realpath.c recallocarray.c strtonum.c timingsafe_bcmp.c vis.c xcrypt.c
+	recallocarray.c strtonum.c timingsafe_bcmp.c vis.c xcrypt.c
 
 .if ${MK_LDNS} == "no"
 SRCS+=	getrrsetbyname.c