openssh_{hpn,gssapi}: add backported security fix patches

    extraPatches = let url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/b3f86656fc67aa397f60747c85f7f7b967c3279d/security/openssh-portable/files/extra-patch-hpn"; in

    [

      ./ssh-keysign-8.5.patch

      ./openssh-9.6_p1-CVE-2024-6387.patch

      ./openssh-9.6_p1-chaff-logic.patch

      # HPN Patch from FreeBSD ports

      (fetchpatch {

    extraPatches = [

      ./ssh-keysign-8.5.patch

      ./openssh-9.6_p1-CVE-2024-6387.patch

      ./openssh-9.6_p1-chaff-logic.patch

      (fetchpatch {

        name = "openssh-gssapi.patch";

https://bugs.gentoo.org/935271

Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2.

--- a/log.c

+++ b/log.c

@@ -451,12 +451,14 @@ void

 sshsigdie(const char *file, const char *func, int line, int showfunc,

     LogLevel level, const char *suffix, const char *fmt, ...)

 {

+#ifdef SYSLOG_R_SAFE_IN_SIGHAND

 	va_list args;

 	va_start(args, fmt);

 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,

 	    suffix, fmt, args);

 	va_end(args);

+#endif

 	_exit(1);

 }

"Minor logic error in ObscureKeystrokeTiming"

https://marc.info/?l=oss-security&m=171982317624594&w=2

--- a/clientloop.c

+++ b/clientloop.c

@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,

 		if (timespeccmp(&now, &chaff_until, >=)) {

 			/* Stop if there have been no keystrokes for a while */

 			stop_reason = "chaff time expired";

-		} else if (timespeccmp(&now, &next_interval, >=)) {

-			/* Otherwise if we were due to send, then send chaff */

+		} else if (timespeccmp(&now, &next_interval, >=) &&

+		    !ssh_packet_have_data_to_write(ssh)) {

+			/* If due to send but have no data, then send chaff */

 			if (send_chaff(ssh))

 				nchaff++;

 		}