aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEd Maste <emaste@FreeBSD.org>2020-02-14 19:47:15 +0000
committerEd Maste <emaste@FreeBSD.org>2020-02-14 19:47:15 +0000
commitf02e39982452024dafcf0ea6e536ebff586ffce4 (patch)
tree78cdaad953cc879dc7d97272436a4d84b228d94c
parentdc9e8d9c8401178683a1f53bc816389a1160dc41 (diff)
downloadsrc-f02e39982452024dafcf0ea6e536ebff586ffce4.tar.gz
src-f02e39982452024dafcf0ea6e536ebff586ffce4.zip
Vendor import of OpenSSH 8.0p1.vendor/openssh/8.0p1
Notes
Notes: svn path=/vendor-crypto/openssh/dist/; revision=357933 svn path=/vendor-crypto/openssh/8.0p1/; revision=357934; tag=vendor/openssh/8.0p1
Diffstat
-rw-r--r--.depend112
-rw-r--r--.gitignore1
-rw-r--r--.skipped-commit-ids1
-rw-r--r--ChangeLog4562
-rw-r--r--INSTALL10
-rw-r--r--Makefile.in10
-rw-r--r--OVERVIEW7
-rw-r--r--PROTOCOL.certkeys3
-rw-r--r--README2
-rw-r--r--README.md74
-rw-r--r--atomicio.c32
-rw-r--r--atomicio.h4
-rw-r--r--audit-bsm.c2
-rw-r--r--audit-linux.c4
-rw-r--r--audit.c2
-rw-r--r--audit.h4
-rw-r--r--auth-pam.c60
-rw-r--r--auth-pam.h2
-rw-r--r--auth.c56
-rw-r--r--auth.h24
-rw-r--r--auth2-hostbased.c10
-rw-r--r--auth2-pubkey.c18
-rw-r--r--auth2.c131
-rw-r--r--authfd.c12
-rw-r--r--channels.c79
-rw-r--r--clientloop.c353
-rw-r--r--config.h.in94
-rwxr-xr-xconfigure2408
-rw-r--r--configure.ac284
-rw-r--r--contrib/cygwin/ssh-host-config59
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--crypto_api.h18
-rw-r--r--dh.c6
-rw-r--r--dh.h4
-rw-r--r--dispatch.c6
-rw-r--r--dispatch.h9
-rw-r--r--entropy.c41
-rw-r--r--groupaccess.c5
-rw-r--r--kex.c350
-rw-r--r--kex.h81
-rw-r--r--kexc25519.c182
-rw-r--r--kexc25519c.c169
-rw-r--r--kexc25519s.c158
-rw-r--r--kexdh.c203
-rw-r--r--kexdhc.c224
-rw-r--r--kexdhs.c222
-rw-r--r--kexecdh.c211
-rw-r--r--kexecdhc.c222
-rw-r--r--kexecdhs.c203
-rw-r--r--kexgen.c339
-rw-r--r--kexgex.c30
-rw-r--r--kexgexc.c109
-rw-r--r--kexgexs.c114
-rw-r--r--kexsntrup4591761x25519.c219
-rw-r--r--loginrec.c8
-rw-r--r--loginrec.h5
-rw-r--r--match.c15
-rw-r--r--match.h3
-rw-r--r--misc.c93
-rw-r--r--misc.h11
-rw-r--r--moduli878
-rw-r--r--moduli.02
-rw-r--r--moduli.c21
-rw-r--r--monitor.c234
-rw-r--r--monitor.h13
-rw-r--r--monitor_wrap.c28
-rw-r--r--monitor_wrap.h20
-rw-r--r--mux.c16
-rw-r--r--myproposal.h15
-rw-r--r--opacket.c320
-rw-r--r--opacket.h154
-rw-r--r--openbsd-compat/bsd-cygwin_util.c149
-rw-r--r--openbsd-compat/bsd-cygwin_util.h1
-rw-r--r--openbsd-compat/bsd-misc.c101
-rw-r--r--openbsd-compat/bsd-misc.h20
-rw-r--r--openbsd-compat/libressl-api-compat.c4
-rw-r--r--openbsd-compat/openbsd-compat.h1
-rw-r--r--openbsd-compat/openssl-compat.c22
-rw-r--r--openbsd-compat/openssl-compat.h43
-rw-r--r--openbsd-compat/port-aix.c3
-rw-r--r--openbsd-compat/port-aix.h5
-rw-r--r--openbsd-compat/regress/Makefile.in2
-rw-r--r--openbsd-compat/regress/utimensattest.c97
-rw-r--r--openbsd-compat/sys-queue.h1
-rw-r--r--packet.c94
-rw-r--r--packet.h12
-rw-r--r--progressmeter.c60
-rw-r--r--progressmeter.h3
-rw-r--r--readconf.c55
-rw-r--r--readconf.h6
-rw-r--r--readpass.c15
-rw-r--r--regress/Makefile15
-rwxr-xr-xregress/agent-pkcs11.sh97
-rw-r--r--regress/agent-timeout.sh8
-rw-r--r--regress/agent.sh7
-rwxr-xr-xregress/cert-hostkey.sh6
-rwxr-xr-xregress/cert-userkey.sh4
-rwxr-xr-xregress/keys-command.sh7
-rw-r--r--regress/keyscan.sh14
-rw-r--r--regress/misc/kexfuzz/Makefile21
-rw-r--r--regress/misc/kexfuzz/kexfuzz.c18
-rw-r--r--regress/multiplex.sh8
-rwxr-xr-xregress/multipubkey.sh4
-rwxr-xr-xregress/principals-command.sh7
-rwxr-xr-xregress/sftp-chroot.sh7
-rw-r--r--regress/sftp-cmds.sh4
-rw-r--r--regress/test-exec.sh10
-rw-r--r--regress/unittests/Makefile.inc35
-rw-r--r--regress/unittests/kex/Makefile21
-rw-r--r--regress/unittests/kex/test_kex.c13
-rw-r--r--regress/unittests/sshbuf/Makefile5
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_fuzz.c9
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_getput_crypto.c157
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c23
-rw-r--r--regress/unittests/sshkey/Makefile4
-rw-r--r--regress/unittests/sshkey/test_fuzz.c57
-rw-r--r--regress/unittests/sshkey/tests.c5
-rw-r--r--regress/unittests/test_helper/test_helper.c33
-rw-r--r--regress/unittests/test_helper/test_helper.h4
-rw-r--r--scp.025
-rw-r--r--scp.118
-rw-r--r--scp.c12
-rw-r--r--servconf.c70
-rw-r--r--servconf.h7
-rw-r--r--serverloop.c383
-rw-r--r--session.c217
-rw-r--r--sftp-client.c58
-rw-r--r--sftp-client.h5
-rw-r--r--sftp-common.c1
-rw-r--r--sftp-server-main.c2
-rw-r--r--sftp-server.02
-rw-r--r--sftp-server.c79
-rw-r--r--sftp.051
-rw-r--r--sftp.154
-rw-r--r--sftp.c118
-rw-r--r--sntrup4591761.c1083
-rw-r--r--sntrup4591761.sh57
-rw-r--r--ssh-add.014
-rw-r--r--ssh-add.123
-rw-r--r--ssh-add.c66
-rw-r--r--ssh-agent.02
-rw-r--r--ssh-agent.c28
-rw-r--r--ssh-ecdsa.c14
-rw-r--r--ssh-keygen.076
-rw-r--r--ssh-keygen.154
-rw-r--r--ssh-keygen.c220
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keyscan.c25
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-keysign.c17
-rw-r--r--ssh-pkcs11-client.c167
-rw-r--r--ssh-pkcs11-helper.014
-rw-r--r--ssh-pkcs11-helper.827
-rw-r--r--ssh-pkcs11-helper.c106
-rw-r--r--ssh-pkcs11.c1619
-rw-r--r--ssh-pkcs11.h18
-rw-r--r--ssh.044
-rw-r--r--ssh.159
-rw-r--r--ssh.c107
-rw-r--r--ssh.h6
-rw-r--r--ssh_api.c174
-rw-r--r--ssh_config3
-rw-r--r--ssh_config.052
-rw-r--r--ssh_config.549
-rw-r--r--sshbuf-getput-crypto.c63
-rw-r--r--sshbuf.c17
-rw-r--r--sshbuf.h6
-rw-r--r--sshconnect.c278
-rw-r--r--sshconnect.h16
-rw-r--r--sshconnect2.c335
-rw-r--r--sshd.02
-rw-r--r--sshd.c441
-rw-r--r--sshd_config.010
-rw-r--r--sshd_config.58
-rw-r--r--sshkey.c96
-rw-r--r--sshkey.h3
-rw-r--r--version.h4
178 files changed, 11288 insertions, 9903 deletions
diff --git a/.depend b/.depend
index 2b29e3879da1..c6725ec77125 100644
--- a/.depend
+++ b/.depend
@@ -6,47 +6,47 @@ audit-bsm.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
audit-linux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth-bsdauth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h sshbuf.h sshkey.h misc.h servconf.h uidswap.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h sshkey.h misc.h servconf.h uidswap.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h sshbuf.h misc.h sshkey.h match.h ssh2.h auth-options.h
auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h
-auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h uidswap.h pathnames.h log.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h
+auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth-skey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h groupaccess.h log.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h
-auth.o: authfile.h monitor_wrap.h ssherr.h compat.h channels.h
-auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssherr.h log.h misc.h servconf.h
+auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h groupaccess.h log.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h openbsd-compat/sys-queue.h dispatch.h authfile.h
+auth.o: monitor_wrap.h ssherr.h compat.h channels.h
+auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h misc.h servconf.h
auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h monitor_wrap.h
-auth2-hostbased.o: pathnames.h ssherr.h match.h
-auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h misc.h servconf.h ssherr.h
-auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h compat.h ssh2.h ssherr.h monitor_wrap.h
-auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
-auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h uidswap.h
-auth2-pubkey.o: auth-options.h canohost.h monitor_wrap.h authfile.h match.h ssherr.h channels.h session.h
-auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h ssherr.h
-auth2.o: monitor_wrap.h digest.h
+auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h monitor_wrap.h pathnames.h
+auth2-hostbased.o: ssherr.h match.h
+auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h misc.h servconf.h ssherr.h
+auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h misc.h servconf.h compat.h ssh2.h ssherr.h monitor_wrap.h
+auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
+auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h uidswap.h auth-options.h
+auth2-pubkey.o: canohost.h monitor_wrap.h authfile.h match.h ssherr.h channels.h session.h
+auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h ssherr.h monitor_wrap.h
+auth2.o: digest.h
authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h compat.h log.h atomicio.h misc.h ssherr.h
authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h ssherr.h krl.h
bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h
-canohost.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h canohost.h misc.h
+canohost.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h canohost.h misc.h
chacha.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h chacha.h
-channels.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h ssherr.h sshbuf.h packet.h dispatch.h opacket.h log.h misc.h channels.h compat.h canohost.h sshkey.h authfd.h pathnames.h match.h
+channels.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h ssherr.h sshbuf.h packet.h dispatch.h log.h misc.h channels.h compat.h canohost.h sshkey.h authfd.h pathnames.h match.h
cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h
cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-aesctr.h rijndael.h
cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sshbuf.h ssherr.h cipher-chachapoly.h chacha.h poly1305.h
cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h
cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h
-clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h opacket.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h
+clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h
clientloop.o: myproposal.h log.h misc.h readconf.h clientloop.h sshconnect.h authfd.h atomicio.h sshpty.h match.h msg.h ssherr.h hostfile.h
-compat.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h compat.h log.h match.h kex.h mac.h
+compat.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h log.h match.h kex.h mac.h crypto_api.h
crc32.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crc32.h
dh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
digest-libc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h digest.h
digest-openssl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h log.h dispatch.h packet.h openbsd-compat/sys-queue.h opacket.h compat.h ssherr.h
+dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h log.h dispatch.h packet.h openbsd-compat/sys-queue.h compat.h ssherr.h
dns.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h ssherr.h dns.h log.h digest.h
ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ge25519.h fe25519.h sc25519.h
entropy.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
@@ -60,23 +60,19 @@ gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp
hash.o: crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest.h log.h ssherr.h
hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h
hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h ssherr.h digest.h hmac.h
-kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h log.h match.h misc.h monitor.h ssherr.h sshbuf.h
-kex.o: digest.h
-kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h log.h digest.h ssherr.h
-kexc25519c.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h log.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssh2.h sshbuf.h digest.h ssherr.h
-kexc25519s.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h kex.h mac.h log.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssh2.h sshbuf.h ssherr.h
+kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h match.h
+kex.o: misc.h monitor.h ssherr.h sshbuf.h digest.h
+kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h
kexdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-kexdhc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-kexdhs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
kexecdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-kexecdhc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-kexecdhs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
+kexgen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h log.h packet.h openbsd-compat/sys-queue.h dispatch.h ssh2.h sshbuf.h digest.h ssherr.h
kexgex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
kexgexc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
kexgexs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
+kexsntrup4591761x25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h
krl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h sshbuf.h ssherr.h sshkey.h authfile.h misc.h log.h digest.h bitmap.h krl.h
log.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h
-loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h canohost.h auth.h auth-pam.h audit.h sshbuf.h ssherr.h
+loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h ssherr.h
logintest.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h loginrec.h
mac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest.h hmac.h umac.h mac.h misc.h ssherr.h sshbuf.h openbsd-compat/openssl-compat.h
match.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h misc.h
@@ -84,24 +80,23 @@ md5crypt.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp
misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h log.h ssh.h sshbuf.h ssherr.h
moduli.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
monitor.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h openbsd-compat/openssl-compat.h atomicio.h xmalloc.h ssh.h sshkey.h sshbuf.h hostfile.h auth.h auth-pam.h audit.h loginrec.h cipher.h cipher-chachapoly.h
-monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h dh.h packet.h dispatch.h opacket.h auth-options.h sshpty.h channels.h session.h sshlogin.h canohost.h log.h misc.h servconf.h monitor.h monitor_wrap.h monitor_fdpass.h compat.h ssh2.h authfd.h match.h ssherr.h
+monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h dh.h packet.h dispatch.h auth-options.h sshpty.h channels.h session.h sshlogin.h canohost.h log.h misc.h servconf.h monitor.h monitor_wrap.h monitor_fdpass.h compat.h ssh2.h authfd.h match.h ssherr.h
monitor_fdpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h monitor_fdpass.h
-monitor_wrap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
-monitor_wrap.o: auth-options.h packet.h dispatch.h opacket.h log.h monitor.h monitor_wrap.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h ssherr.h
+monitor_wrap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+monitor_wrap.o: auth-options.h packet.h dispatch.h log.h monitor.h monitor_wrap.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h ssherr.h
msg.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h ssherr.h log.h atomicio.h msg.h misc.h
-mux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h log.h ssh.h ssh2.h pathnames.h misc.h match.h sshbuf.h channels.h msg.h packet.h dispatch.h opacket.h monitor_fdpass.h sshpty.h sshkey.h readconf.h clientloop.h ssherr.h
-nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h ssh2.h sshbuf.h ssherr.h packet.h dispatch.h opacket.h channels.h compat.h log.h
-opacket.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h
-packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h crc32.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h digest.h log.h canohost.h misc.h channels.h ssh.h
-packet.o: packet.h dispatch.h opacket.h ssherr.h sshbuf.h
+mux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h log.h ssh.h ssh2.h pathnames.h misc.h match.h sshbuf.h channels.h msg.h packet.h dispatch.h monitor_fdpass.h sshpty.h sshkey.h readconf.h clientloop.h ssherr.h
+nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h ssh2.h sshbuf.h ssherr.h packet.h dispatch.h channels.h compat.h log.h
+packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h crc32.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h digest.h log.h canohost.h misc.h channels.h
+packet.o: ssh.h packet.h dispatch.h ssherr.h sshbuf.h
platform-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
platform-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h
platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
poly1305.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h poly1305.h
-progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h progressmeter.h atomicio.h misc.h
-readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h uidswap.h
-readconf.o: myproposal.h digest.h
+progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h progressmeter.h atomicio.h misc.h utf8.h
+readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h crypto_api.h
+readconf.o: uidswap.h myproposal.h digest.h
readpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h pathnames.h log.h ssh.h uidswap.h
rijndael.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h rijndael.h
sandbox-capsicum.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
@@ -114,25 +109,26 @@ sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openb
sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sc25519.h crypto_api.h
scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h atomicio.h pathnames.h log.h misc.h progressmeter.h utf8.h
-servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h match.h channels.h
-servconf.o: groupaccess.h canohost.h packet.h dispatch.h opacket.h ssherr.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
-serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h opacket.h sshbuf.h log.h misc.h servconf.h canohost.h sshpty.h channels.h compat.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h
-serverloop.o: cipher-aesctr.h rijndael.h kex.h mac.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h ssherr.h
-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h opacket.h sshbuf.h ssherr.h match.h uidswap.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h
-session.o: cipher-aesctr.h rijndael.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h monitor_wrap.h sftp.h atomicio.h
+servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h
+servconf.o: match.h channels.h groupaccess.h canohost.h packet.h dispatch.h ssherr.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
+serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h sshbuf.h log.h misc.h servconf.h canohost.h sshpty.h channels.h compat.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h
+serverloop.o: rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h ssherr.h
+session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h sshbuf.h ssherr.h match.h uidswap.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h
+session.o: rijndael.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h crypto_api.h monitor_wrap.h sftp.h atomicio.h
sftp-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h sshbuf.h log.h atomicio.h progressmeter.h misc.h utf8.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssherr.h sshbuf.h log.h misc.h sftp.h sftp-common.h
sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sftp.h misc.h xmalloc.h
sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h
+sntrup4591761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h
ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h
ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h sshbuf.h sshkey.h ssherr.h ssh.h
ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h uuencode.h sshbuf.h pathnames.h log.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssherr.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h
-ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h compat.h myproposal.h packet.h dispatch.h opacket.h log.h
+ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h packet.h dispatch.h log.h
ssh-keyscan.o: atomicio.h misc.h hostfile.h ssherr.h ssh_api.h ssh2.h dns.h
ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssherr.h
ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
@@ -140,27 +136,27 @@ ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/ope
ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-rsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h packet.h dispatch.h opacket.h
-ssh.o: sshbuf.h channels.h sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h misc.h readconf.h sshconnect.h kex.h mac.h sshpty.h match.h msg.h version.h ssherr.h myproposal.h utf8.h
-ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h ssh.h ssh2.h packet.h dispatch.h opacket.h compat.h log.h authfile.h misc.h
-ssh_api.o: version.h myproposal.h ssherr.h sshbuf.h
+ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h packet.h dispatch.h sshbuf.h
+ssh.o: channels.h sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h misc.h readconf.h sshconnect.h kex.h mac.h crypto_api.h sshpty.h match.h msg.h version.h ssherr.h myproposal.h utf8.h
+ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h ssh.h ssh2.h packet.h dispatch.h compat.h log.h authfile.h misc.h
+ssh_api.o: version.h myproposal.h ssherr.h sshbuf.h openbsd-compat/openssl-compat.h
sshbuf-getput-basic.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
sshbuf-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h misc.h
-sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h compat.h sshkey.h sshconnect.h log.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h
-sshconnect.o: ssherr.h authfd.h
-sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h opacket.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h myproposal.h
+sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h sshkey.h sshconnect.h log.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h ssherr.h
+sshconnect.o: authfd.h kex.h mac.h crypto_api.h
+sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h myproposal.h
sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h ssherr.h utf8.h
-sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h opacket.h log.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h
-sshd.o: poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h myproposal.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h ssherr.h
+sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h
+sshd.o: cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h myproposal.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h ssherr.h
ssherr.o: ssherr.h
sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h sshkey-xmss.h match.h xmss_fast.h openbsd-compat/openssl-compat.h
sshlogin.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshlogin.h ssherr.h loginrec.h log.h sshbuf.h misc.h servconf.h
sshpty.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshpty.h log.h misc.h
sshtty.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshpty.h
-ttymodes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h compat.h sshbuf.h ssherr.h ttymodes.h
+ttymodes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h compat.h sshbuf.h ssherr.h ttymodes.h
uidswap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h uidswap.h xmalloc.h
umac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h
umac128.o: umac.c includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h
diff --git a/.gitignore b/.gitignore
index 650eb3c3c90c..e7e02ea720df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ ssh-keysign
ssh-pkcs11-helper
sshd
!regress/misc/fuzz-harness/Makefile
+tags
diff --git a/.skipped-commit-ids b/.skipped-commit-ids
index f1b3b7640a3f..01d447a49c43 100644
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@@ -5,6 +5,7 @@ fa728823ba21c4b45212750e1d3a4b2086fd1a62 more Makefile refactoring
1de0e85522051eb2ffa00437e1885e9d7b3e0c2e moduli update
814b2f670df75759e1581ecef530980b2b3d7e0f remove redundant make defs
04431e8e7872f49a2129bf080a6b73c19d576d40 moduli update
+c07772f58028fda683ee6abd41c73da3ff70d403 moduli update
Old upstream tree:
diff --git a/ChangeLog b/ChangeLog
index 0307f62e0557..fdc0a0619c63 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,2602 @@
+commit fd0fa130ecf06d7d092932adcd5d77f1549bfc8d
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Apr 18 08:52:57 2019 +1000
+
+ makedepend
+
+commit 5de397a876b587ba05a9169237deffdc71f273b0
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Apr 5 11:29:51 2019 -0700
+
+ second thoughts: leave README in place
+
+ A number of contrib/* files refer to the existing README so let's leave
+ it in place for release and add the new markdown version in parallel.
+
+ I'll get rid of README after release.
+
+commit 5d3127d9274519b25ed10e320f45045ba8d7f3be
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Apr 5 11:29:31 2019 -0700
+
+ Revert "rewrite README"
+
+ This reverts commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f.
+
+commit 9444d82678cb7781820da4d1c23b3c2b9fb1e12f
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Apr 5 11:21:48 2019 -0700
+
+ rewrite README
+
+ Include basic build instructions and comments on commonly-used build-
+ time flags, links to the manual pages and other resources.
+
+ Now in Markdown format for better viewing on github, etc.
+
+commit a924de0c4908902433813ba205bee1446bd1a157
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Apr 5 03:41:52 2019 +1100
+
+ update versions
+
+commit 312dcee739bca5d6878c536537b2a8a497314b75
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Apr 3 15:48:45 2019 +0000
+
+ upstream: openssh-8.0
+
+ OpenBSD-Commit-ID: 5aafdf218679dab982fea20771afd643be9a127b
+
+commit 885bc114692046d55e2a170b932bdc0092fa3456
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Apr 4 02:47:40 2019 +1100
+
+ session: Do not use removed API
+
+ from Jakub Jelen
+
+commit 9d7b2882b0c9a5e9bf8312ce4075bf178e2b98be
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 29 11:31:40 2019 +0000
+
+ upstream: when logging/fataling on error, include a bit more detail
+
+ than just the function name and the error message
+
+ OpenBSD-Commit-ID: dd72d7eba2215fcb89be516c378f633ea5bcca9f
+
+commit 79a87d32783d6c9db40af8f35e091d9d30365ae7
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Apr 3 06:27:45 2019 +1100
+
+ Remove "struct ssh" from sys_auth_record_login.
+
+ It's not needed, and is not available from the call site in loginrec.c
+ Should only affect AIX, spotted by Kevin Brott.
+
+commit 138c0d52cdc90f9895333b82fc57d81cce7a3d90
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Apr 2 18:21:35 2019 +1100
+
+ Adapt custom_failed_login to new prototype.
+
+ Spotted by Kevin Brott.
+
+commit a0ca4009ab2f0b1007ec8ab6864dbf9b760a8ed5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Apr 1 20:07:23 2019 +1100
+
+ Add includes.h for compat layer.
+
+ Should fix build on AIX 7.2.
+
+commit 00991151786ce9b1d577bdad1f83a81d19c8236d
+Author: Tim Rice <tim@multitalents.net>
+Date: Sun Mar 31 22:14:22 2019 -0700
+
+ Stop USL compilers for erroring with "integral constant expression expected"
+
+commit 43f47ebbdd4037b569c23b8f4f7981f53b567f1d
+Author: Tim Rice <tim@multitalents.net>
+Date: Sun Mar 31 19:22:19 2019 -0700
+
+ Only use O_NOFOLLOW in fchownat and fchmodat if defined
+
+commit 342d6e51589b184c337cccfc4c788b60ff8b3765
+Author: Jakub Jelen <jjelen@redhat.com>
+Date: Fri Mar 29 12:29:41 2019 +0100
+
+ Adjust softhsm2 path on Fedora Linux for regress
+
+ The SoftHSM lives in Fedora in /usr/lib64/pkcs11/libsofthsm2.so
+
+commit f5abb05f8c7358dacdcb866fe2813f6d8efd5830
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Mar 28 09:26:14 2019 +1100
+
+ Only use O_NOFOLLOW in utimensat if defined.
+
+ Fixes build on systems that don't have it (Solaris <=9) Found by
+ Tom G. Christensen.
+
+commit 786cd4c1837fdc3fe7b4befe54a3f37db7df8715
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Wed Mar 27 18:18:21 2019 +0100
+
+ drop old Cygwin considerations
+
+ - Cygwin supports non-DOS characters in filenames
+ - Cygwin does not support Windows XP anymore
+
+ Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+
+commit 21da87f439b48a85b951ef1518fe85ac0273e719
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Mar 27 09:29:14 2019 +0000
+
+ upstream: fix interaction between ClientAliveInterval and RekeyLimit
+
+ that could cause connection to close incorrectly; Report and patch from Jakub
+ Jelen in bz#2757; ok dtucker@ markus@
+
+ OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb
+
+commit 4f0019a9afdb4a94d83b75e82dbbbe0cbe826c56
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 25 22:34:52 2019 +0000
+
+ upstream: Fix authentication failures when "AuthenticationMethods
+
+ any" in a Match block overrides a more restrictive global default.
+
+ Spotted by jmc@, ok markus@
+
+ OpenBSD-Commit-ID: a90a4fe2ab81d0eeeb8fdfc21af81f7eabda6666
+
+commit d6e5def308610f194c0ec3ef97a34a3e9630e190
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 25 22:33:44 2019 +0000
+
+ upstream: whitespace
+
+ OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
+
+commit 26e0cef07b04479537c971dec898741df1290fe5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 16:19:44 2019 +0000
+
+ upstream: Expand comment to document rationale for default key
+
+ sizes. "seems worthwhile" deraadt.
+
+ OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456
+
+commit f47269ea67eb4ff87454bf0d2a03e55532786482
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Mar 25 15:49:00 2019 +0000
+
+ upstream: Increase the default RSA key size to 3072 bits. Based on
+
+ the estimates from NIST Special Publication 800-57, 3k bits provides security
+ equivalent to 128 bits which is the smallest symmetric cipher we enable by
+ default. ok markus@ deraadt@
+
+ OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b
+
+commit 62949c5b37af28d8490d94866e314a76be683a5e
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Mar 22 20:58:34 2019 +0000
+
+ upstream: full stop in the wrong place;
+
+ OpenBSD-Commit-ID: 478a0567c83553a2aebf95d0f1bd67ac1b1253e4
+
+commit 1b1332b5bb975d759a50b37f0e8bc8cfb07a0bb0
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sat Mar 16 19:14:21 2019 +0000
+
+ upstream: benno helped me clean up the tcp forwarding section;
+
+ OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
+
+commit 2aee9a49f668092ac5c9d34e904ef7a9722e541d
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Fri Mar 8 17:24:43 2019 +0000
+
+ upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL
+
+ OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
+
+commit 9edbd7821e6837e98e7e95546cede804dac96754
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Mar 14 10:17:28 2019 +1100
+
+ Fix build when configured --without-openssl.
+
+ ok djm@
+
+commit 825ab32f0d04a791e9d19d743c61ff8ed9b4d8e5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Mar 14 08:51:17 2019 +1100
+
+ On Cygwin run sshd as SYSTEM where possible.
+
+ Seteuid now creates user token using S4U. We don't create a token
+ from scratch anymore, so we don't need the "Create a process token"
+ privilege. The service can run under SYSTEM again...
+
+ ...unless Cygwin is running on Windows Vista or Windows 7 in the
+ WOW64 32 bit emulation layer. It turns out that WOW64 on these systems
+ didn't implement MsV1_0 S4U Logon so we still need the fallback
+ to NtCreateToken for these systems.
+
+ Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+
+commit a212107bfdf4d3e870ab7a443e4d906e5b9578c3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Mar 13 10:49:16 2019 +1100
+
+ Replace alloca with xcalloc.
+
+ The latter checks for memory exhaustion and integer overflow and may be
+ at a less predictable place. Sanity check by vinschen at redhat.com, ok
+ djm@
+
+commit daa7505aadca68ba1a2c70cbdfce423208eb91ee
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Mar 12 09:19:19 2019 +1100
+
+ Use Cygwin-specific matching only for users+groups.
+
+ Patch from vinschen at redhat.com, updated a little by me.
+
+commit fd10cf027b56f9aaa80c9e3844626a05066589a4
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Mar 6 22:14:23 2019 +0000
+
+ upstream: Move checks for lists of users or groups into their own
+
+ function. This is a no-op on OpenBSD but will make things easier in
+ -portable, eg on systems where these checks should be case-insensitive. ok
+ djm@
+
+ OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
+
+commit ab5fee8eb6a011002fd9e32b1597f02aa8804a25
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Mar 6 21:06:59 2019 +0000
+
+ upstream: Reset last-seen time when sending a keepalive. Prevents
+
+ sending two keepalives successively and prematurely terminating connection
+ when ClientAliveCount=1. While there, collapse two similar tests into one.
+ ok markus@
+
+ OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd
+
+commit c13b74530f9f1d9df7aeae012004b31b2de4438e
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Tue Mar 5 16:17:12 2019 +0000
+
+ upstream: PKCS#11 support is no longer limited to RSA; ok benno@
+
+ kn@
+
+ OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
+
+commit e9552d6043db7cd170ac6ba1b4d2c7a5eb2c3201
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 1 03:29:32 2019 +0000
+
+ upstream: in ssh_set_newkeys(), mention the direction that we're
+
+ keying in debug messages. Previously it would be difficult to tell which
+ direction it was talking about
+
+ OpenBSD-Commit-ID: c2b71bfcceb2a7389b9d0b497fb2122a406a522d
+
+commit 76a24b3fa193a9ca3e47a8779d497cb06500798b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 1 02:32:39 2019 +0000
+
+ upstream: Fix two race conditions in sshd relating to SIGHUP:
+
+ 1. Recently-forked child processes will briefly remain listening to
+ listen_socks. If the main server sshd process completes its restart
+ via execv() before these sockets are closed by the child processes
+ then it can fail to listen at the desired addresses/ports and/or
+ fail to restart.
+
+ 2. When a SIGHUP is received, there may be forked child processes that
+ are awaiting their reexecution state. If the main server sshd
+ process restarts before passing this state, these child processes
+ will yield errors and use a fallback path of reading the current
+ sshd_config from the filesystem rather than use the one that sshd
+ was started with.
+
+ To fix both of these cases, we reuse the startup_pipes that are shared
+ between the main server sshd and forked children. Previously this was
+ used solely to implement tracking of pre-auth child processes for
+ MaxStartups, but this extends the messaging over these pipes to include
+ a child->parent message that the parent process is safe to restart. This
+ message is sent from the child after it has completed its preliminaries:
+ closing listen_socks and receiving its reexec state.
+
+ bz#2953, reported by Michal Koutný; ok markus@ dtucker@
+
+ OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
+
+commit de817e9dfab99473017d28cdf69e60397d00ea21
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 1 02:16:47 2019 +0000
+
+ upstream: mention PKCS11Provide=none, reword a little and remove
+
+ mention of RSA keys only (since we support ECDSA now and might support others
+ in the future). Inspired by Jakub Jelen via bz#2974
+
+ OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5
+
+commit 95a8058c1a90a27acbb91392ba206854abc85226
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 1 02:08:50 2019 +0000
+
+ upstream: let PKCS11Provider=none do what users expect
+
+ print PKCS11Provider instead of obsolete SmartcardDevice in config dump.
+
+ bz#2974 ok dtucker@
+
+ OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846
+
+commit 8e7bac35aa576d2fd7560836da83733e864ce649
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Wed Feb 27 19:37:01 2019 +0000
+
+ upstream: dup stdout/in for proxycommand=-, otherwise stdout might
+
+ be redirected to /dev/null; ok djm@
+
+ OpenBSD-Commit-ID: 97dfce4c47ed4055042de8ebde85b7d88793e595
+
+commit 9b61130fbd95d196bce81ebeca94a4cb7c0d5ba0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 23 08:20:43 2019 +0000
+
+ upstream: openssh-7.9 accidentally reused the server's algorithm lists
+
+ in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
+ between the client and server, but the error accidentially disabled the
+ diffie-hellman-group-exchange-sha1 KEX method.
+
+ This fixes the client code to use the correct method list, but
+ because nobody complained, it also disables the
+ diffie-hellman-group-exchange-sha1 KEX method.
+
+ Reported by nuxi AT vault24.org via bz#2697; ok dtucker
+
+ OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
+
+commit 37638c752041d591371900df820f070037878a2d
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Wed Feb 20 13:41:25 2019 +0100
+
+ Cygwin: implement case-insensitive Unicode user and group name matching
+
+ The previous revert enabled case-insensitive user names again. This
+ patch implements the case-insensitive user and group name matching.
+ To allow Unicode chars, implement the matcher using wchar_t chars in
+ Cygwin-specific code. Keep the generic code changes as small as possible.
+ Cygwin: implement case-insensitive Unicode user and group name matching
+
+ Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+
+commit bed1d43698807a07bb4ddb93a46b0bd84b9970b3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 22 15:21:21 2019 +1100
+
+ Revert unintended parts of previous commit.
+
+commit f02afa350afac1b2f2d1413259a27a4ba1e2ca24
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Wed Feb 20 13:41:24 2019 +0100
+
+ Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
+
+ This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c.
+
+ Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+
+commit 4c55b674835478eb80a1a7aeae588aa654e2a433
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Sat Feb 16 14:13:43 2019 +0100
+
+ Add tags to .gitignore
+
+ Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+
+commit 625b62634c33eaef4b80d07529954fe5c6435fe5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 22 03:37:11 2019 +0000
+
+ upstream: perform removal of agent-forwarding directory in forward
+
+ setup error path with user's privileged. This is a no-op as this code always
+ runs with user privilege now that we no longer support running sshd with
+ privilege separation disabled, but as long as the privsep skeleton is there
+ we should follow the rules.
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+
+ bz#2969 with patch from Erik Sjölund
+
+ OpenBSD-Commit-ID: 2b708401a5a8d6133c865d7698d9852210dca846
+
+commit d9ecfaba0b2f1887d20e4368230632e709ca83be
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Mon Feb 18 07:02:34 2019 +0000
+
+ upstream: sync the description of ~/.ssh/config with djm's updated
+
+ description in ssh.1; issue pointed out by andreas kahari
+
+ ok dtucker djm
+
+ OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c
+
+commit 38e83e4f219c752ebb1560633b73f06f0392018b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 12 23:53:10 2019 +0000
+
+ upstream: fix regression in r1.302 reported by naddy@ - only the first
+
+ public key from the agent was being attempted for use.
+
+ OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d
+
+commit 5c68ea8da790d711e6dd5f4c30d089c54032c59a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 11 09:44:42 2019 +0000
+
+ upstream: cleanup GSSAPI authentication context after completion of the
+
+ authmethod. Move function-static GSSAPI state to the client Authctxt
+ structure. Make static a bunch of functions that aren't used outside this
+ file.
+
+ Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
+
+ OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5
+
+commit a8c807f1956f81a92a758d3d0237d0ff06d0be5d
+Author: benno@openbsd.org <benno@openbsd.org>
+Date: Sun Feb 10 16:35:41 2019 +0000
+
+ upstream: ssh-keygen -D pkcs11.so needs to initialize pkcs11
+
+ interactive, so it can ask for the smartcards PIN. ok markus@
+
+ OpenBSD-Commit-ID: 1be7ccf88f1876e0fc4d7c9b3f96019ac5655bab
+
+commit 3d896c157c722bc47adca51a58dca859225b5874
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Feb 10 11:15:52 2019 +0000
+
+ upstream: when checking that filenames sent by the server side
+
+ match what the client requested, be prepared to handle shell-style brace
+ alternations, e.g. "{foo,bar}".
+
+ "looks good to me" millert@ + in snaps for the last week courtesy
+ deraadt@
+
+ OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
+
+commit 318e4f8548a4f5c0c913f61e27d4fc21ffb1eaae
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Feb 10 11:10:57 2019 +0000
+
+ upstream: syslog when connection is dropped for attempting to run a
+
+ command when ForceCommand=internal-sftp is in effect; bz2960; ok dtucker@
+
+ OpenBSD-Commit-ID: 8c87fa66d7fc6c0fffa3a3c28e8ab5e8dde234b8
+
+commit 2ff2e19653b8c0798b8b8eff209651bdb1be2761
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Feb 8 14:53:35 2019 +1100
+
+ don't set $MAIL if UsePam=yes
+
+ PAM typically specifies the user environment if it's enabled, so don't
+ second guess. bz#2937; ok dtucker@
+
+commit 03e92dd27d491fe6d1a54e7b2f44ef1b0a916e52
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Feb 8 14:50:36 2019 +1100
+
+ use same close logic for stderr as stdout
+
+ Avoids sending SIGPIPE to child processes after their parent exits
+ if they attempt to write to stderr.
+
+ Analysis and patch from JD Paul; patch reworked by Jakub Jelen and
+ myself. bz#2071; ok dtucker@
+
+commit 8c53d409baeeaf652c0c125a9b164edc9dbeb6de
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Feb 5 11:35:56 2019 +0000
+
+ upstream: Adapt code in the non-USE_PIPES codepath to the new packet
+
+ API. This code is not normally reachable since USE_PIPES is always defined.
+ bz#2961, patch from adrian.fita at gmail com.
+
+ OpenBSD-Commit-ID: 8d8428d678d1d5eb4bb21921df34e8173e6d238a
+
+commit 7a7fdca78de4b4774950be056099e579ef595414
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 4 23:37:54 2019 +0000
+
+ upstream: fix NULL-deref crash in PKCS#11 code when attempting
+
+ login to a token requiring a PIN; reported by benno@ fix mostly by markus@
+
+ OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
+
+commit cac302a4b42a988e54d32eb254b29b79b648dbf5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 4 02:39:42 2019 +0000
+
+ upstream: Remove obsolete "Protocol" from commented out examples. Patch
+
+ from samy.mahmoudi at gmail com.
+
+ OpenBSD-Commit-ID: 16aede33dae299725a03abdac5dcb4d73f5d0cbf
+
+commit 483b3b638500fd498b4b529356e5a0e18cf76891
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 1 03:52:23 2019 +0000
+
+ upstream: Save connection timeout and restore for 2nd and
+
+ subsequent attempts, preventing them from having no timeout. bz#2918, ok
+ djm@
+
+ OpenBSD-Commit-ID: 4977f1d0521d9b6bba0c9a20d3d226cefac48292
+
+commit 5f004620fdc1b2108139300ee12f4014530fb559
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Wed Jan 30 19:51:15 2019 +0000
+
+ upstream: Add authors for public domain sntrup4591761 code;
+
+ confirmed by Daniel J. Bernstein
+
+ OpenBSD-Commit-ID: b4621f22b8b8ef13e063c852af5e54dbbfa413c1
+
+commit 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Sun Jan 27 07:14:11 2019 +0000
+
+ upstream: add -T to usage();
+
+ OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899
+
+commit 19a0f0529d3df04118da829528cac7ceff380b24
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Jan 28 03:50:39 2019 +0000
+
+ upstream: The test sshd_config in in $OBJ.
+
+ OpenBSD-Regress-ID: 1e5d908a286d8e7de3a15a0020c8857f3a7c9172
+
+commit 8fe25440206319d15b52d12b948a5dfdec14dca3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Jan 28 03:28:10 2019 +0000
+
+ upstream: Remove leftover debugging.
+
+ OpenBSD-Regress-ID: 3d86c3d4867e46b35af3fd2ac8c96df0ffdcfeb9
+
+commit e30d32364d12c351eec9e14be6c61116f9d6cc90
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Jan 28 00:12:36 2019 +0000
+
+ upstream: Enable ssh-dss for the agent test. Disable it for the
+
+ certificate test.
+
+ OpenBSD-Regress-ID: 388c1e03e1def539d350f139b37d69f12334668d
+
+commit ffdde469ed56249f5dc8af98da468dde35531398
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Jan 28 00:08:26 2019 +0000
+
+ upstream: Count the number of key types instead of assuming there
+
+ are only two.
+
+ OpenBSD-Regress-ID: 0998702c41235782cf0beee396ec49b5056eaed9
+
+commit 1d05b4adcba08ab068466e5c08dee2f5417ec53a
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Sat Jan 26 23:42:40 2019 +0100
+
+ Cygwin: only tweak sshd_config file if it's new, drop creating sshd user
+
+ The sshd_config tweaks were executed even if the old file was
+ still in place. Fix that. Also disable sshd user creation.
+ It's not used on Cygwin.
+
+commit 89843de0c4c733501f6b4f988098e6e06963df37
+Author: Corinna Vinschen <vinschen@redhat.com>
+Date: Sat Jan 26 23:03:12 2019 +0100
+
+ Cygwin: Change service name to cygsshd
+
+ Microsoft hijacked the sshd service name without asking.
+
+commit 2a9b3a2ce411d16cda9c79ab713c55f65b0ec257
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Jan 27 06:30:53 2019 +0000
+
+ upstream: Generate all key supported key types and enable for keyscan
+
+ test.
+
+ OpenBSD-Regress-ID: 72f72ff49946c61bc949e1692dd9e3d71370891b
+
+commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 26 22:41:28 2019 +0000
+
+ upstream: check in scp client that filenames sent during
+
+ remote->local directory copies satisfy the wildcard specified by the user.
+
+ This checking provides some protection against a malicious server
+ sending unexpected filenames, but it comes at a risk of rejecting wanted
+ files due to differences between client and server wildcard expansion rules.
+
+ For this reason, this also adds a new -T flag to disable the check.
+
+ reported by Harry Sintonen
+ fix approach suggested by markus@;
+ has been in snaps for ~1wk courtesy deraadt@
+
+ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+commit c2c18a39683db382a15b438632afab3f551d50ce
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 26 22:35:01 2019 +0000
+
+ upstream: make ssh-keyscan return a non-zero exit status if it
+
+ finds no keys. bz#2903
+
+ OpenBSD-Commit-ID: 89f1081fb81d950ebb48e6e73d21807b2723d488
+
+commit 05b9a466700b44d49492edc2aa415fc2e8913dfe
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jan 24 17:00:29 2019 +0000
+
+ upstream: Accept the host key fingerprint as a synonym for "yes"
+
+ when accepting an unknown host key. This allows you to paste a fingerprint
+ obtained out of band into the yes/no prompt and have the client do the
+ comparison for you. ok markus@ djm@
+
+ OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767
+
+commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jan 24 16:52:17 2019 +0000
+
+ upstream: Have progressmeter force an update at the beginning and
+
+ end of each transfer. Fixes the problem recently introduces where very quick
+ transfers do not display the progressmeter at all. Spotted by naddy@
+
+ OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
+
+commit 258e6ca003e47f944688ad8b8de087b58a7d966c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jan 24 02:42:23 2019 +0000
+
+ upstream: Check for both EAGAIN and EWOULDBLOCK. This is a no-op
+
+ in OpenBSD (they are the same value) but makes things easier in -portable
+ where they may be distinct values. "sigh ok" deraadt@
+
+ (ID sync only, portable already had this change).
+
+ OpenBSD-Commit-ID: 91f2bc7c0ecec905915ed59fa37feb9cc90e17d7
+
+commit 281ce042579b834cdc1e74314f1fb2eeb75d2612
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Jan 24 02:34:52 2019 +0000
+
+ upstream: Always initialize 2nd arg to hpdelim2. It populates that
+
+ *ONLY IF* there's a delimiter. If there's not (the common case) it checked
+ uninitialized memory, which usually passed, but if not would cause spurious
+ failures when the uninitialized memory happens to contain "/". ok deraadt.
+
+ OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
+
+commit d05ea255678d9402beda4416cd0360f3e5dfe938
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jan 23 21:50:56 2019 +0000
+
+ upstream: Remove support for obsolete host/port syntax.
+
+ host/port was added in 2001 as an alternative to host:port syntax for
+ the benefit of IPv6 users. These days there are establised standards
+ for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
+ notation, which OpenSSH now supports for some things. Remove the slash
+ notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
+ at redhat.com, ok markus@
+
+ OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
+
+commit 177d6c80c557a5e060cd343a0c116a2f1a7f43db
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jan 23 20:48:52 2019 +0000
+
+ upstream: Remove duplicate word. bz#2958, patch from jjelen at
+
+ redhat.com
+
+ OpenBSD-Commit-ID: cca3965a8333f2b6aae48b79ec1d72f7a830dd2c
+
+commit be3e6cba95dffe5fcf190c713525b48c837e7875
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jan 23 09:49:00 2019 +0000
+
+ upstream: Remove 3 as a guess for possible generator during moduli
+
+ generation. It's not mentioned in RFC4419 and it's not possible for
+ Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst ,
+ ok djm@ tb@
+
+ OpenBSD-Commit-ID: 1467652e6802ad3333b0959282d8d49dfe22c8cd
+
+commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Jan 23 08:01:46 2019 +0000
+
+ upstream: Sanitize scp filenames via snmprintf. To do this we move
+
+ the progressmeter formatting outside of signal handler context and have the
+ atomicio callback called for EINTR too. bz#2434 with contributions from djm
+ and jjelen at redhat.com, ok djm@
+
+ OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+
+commit 6249451f381755f792c6b9e2c2f80cdc699c14e2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Jan 24 10:00:20 2019 +1100
+
+ For broken read/readv comparisons, poll(RW).
+
+ In the cases where we can't compare to read or readv function pointers
+ for some reason we currently ifdef out the poll() used to block while
+ waiting for reads or writes, falling back to busy waiting. This restores
+ the poll() in this case, but has it always check for read or write,
+ removing an inline ifdef in the process.
+
+commit 5cb503dff4db251520e8bf7d23b9c97c06eee031
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Jan 24 09:55:16 2019 +1100
+
+ Include unistd.h for strmode().
+
+commit f236ca2741f29b5c443c0b2db3aa9afb9ad9befe
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Jan 24 09:50:58 2019 +1100
+
+ Also undef SIMPLEQ_FOREACH_SAFE.
+
+ Prevents macro redefinition warning on at least NetBSD 6.1.
+
+commit be063945e4e7d46b1734d973bf244c350fae172a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 23 04:51:02 2019 +0000
+
+ upstream: allow auto-incrementing certificate serial number for certs
+
+ signed in a single commandline.
+
+ OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
+
+commit 851f80328931975fe68f71af363c4537cb896da2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 23 04:16:22 2019 +0000
+
+ upstream: move a bunch of global flag variables to main(); make the
+
+ rest static
+
+ OpenBSD-Commit-ID: fa431d92584e81fe99f95882f4c56b43fe3242dc
+
+commit 2265402dc7d701a9aca9f8a7b7b0fd45b65c479f
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jan 23 13:03:16 2019 +1100
+
+ depend
+
+commit 2c223878e53cc46def760add459f5f7c4fb43e35
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 23 02:01:10 2019 +0000
+
+ upstream: switch mainloop from select(2) to poll(2); ok deraadt@
+
+ OpenBSD-Commit-ID: 37645419a330037d297f6f0adc3b3663e7ae7b2e
+
+commit bb956eaa94757ad058ff43631c3a7d6c94d38c2f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 23 00:30:41 2019 +0000
+
+ upstream: pass most arguments to the KEX hash functions as sshbuf
+
+ rather than pointer+length; ok markus@
+
+ OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
+
+commit d691588b8e29622c66abf8932362b522cf7f4051
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 22:58:50 2019 +0000
+
+ upstream: backoff reading messages from active connections when the
+
+ input buffer is too full to read one, or if the output buffer is too full to
+ enqueue a response; feedback & ok dtucker@
+
+ OpenBSD-Commit-ID: df3c5b6d57c968975875de40d8955cbfed05a6c8
+
+commit f99ef8de967949a1fc25a5c28263ea32736e5943
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 20:48:01 2019 +0000
+
+ upstream: add -m to usage(); reminded by jmc@
+
+ OpenBSD-Commit-ID: bca476a5236e8f94210290b3e6a507af0434613e
+
+commit 41923ce06ac149453debe472238e0cca7d5a2e5f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 12:03:58 2019 +0000
+
+ upstream: Correct some bugs in PKCS#11 token PIN handling at
+
+ initial login, the attempt at reading the PIN could be skipped in some cases
+ especially on devices with integrated PIN readers.
+
+ based on patch from Daniel Kucera in bz#2652; ok markus@
+
+ OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
+
+commit 2162171ad517501ba511fa9f8191945d01857bb4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 12:00:50 2019 +0000
+
+ upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
+
+ requring a fresh login after the C_SignInit operation.
+
+ based on patch from Jakub Jelen in bz#2638; ok markus
+
+ OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
+
+commit 7a2cb18a215b2cb335da3dc99489c52a91f4925b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 11:51:25 2019 +0000
+
+ upstream: Mention that configuration for the destination host is
+
+ not applied to any ProxyJump/-J hosts. This has confused a few people...
+
+ OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
+
+commit ecd2f33cb772db4fa76776543599f1c1ab6f9fa0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 11:40:42 2019 +0000
+
+ upstream: Include -m in the synopsis for a few more commands that
+
+ support it
+
+ Be more explicit in the description of -m about where it may be used
+
+ Prompted by Jakub Jelen in bz2904
+
+ OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
+
+commit ff5d2cf4ca373bb4002eef395ed2cbe2ff0826c1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 11:26:16 2019 +0000
+
+ upstream: print the full pubkey being attempted at loglevel >=
+
+ debug2; bz2939
+
+ OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290
+
+commit 180b520e2bab33b566b4b0cbac7d5f9940935011
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 11:19:42 2019 +0000
+
+ upstream: clarify: ssh-keygen -e only writes public keys, never
+
+ private
+
+ OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
+
+commit c45616a199c322ca674315de88e788f1d2596e26
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 22 11:00:15 2019 +0000
+
+ upstream: mention the new vs. old key formats in the introduction
+
+ and give some hints on how keys may be converted or written in the old
+ format.
+
+ OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
+
+commit fd8eb1383a34c986a00ef13d745ae9bd3ea21760
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Tue Jan 22 06:58:31 2019 +0000
+
+ upstream: tweak previous;
+
+ OpenBSD-Commit-ID: d2a80e389da8e7ed71978643d8cbaa8605b597a8
+
+commit 68e924d5473c00057f8532af57741d258c478223
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Mon Jan 21 23:55:12 2019 +0000
+
+ upstream: Forgot to add -J to the synopsis.
+
+ OpenBSD-Commit-ID: 26d95e409a0b72526526fc56ca1caca5cc3d3c5e
+
+commit 622dedf1a884f2927a9121e672bd9955e12ba108
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Mon Jan 21 22:50:42 2019 +0000
+
+ upstream: Add a -J option as a shortcut for -o Proxyjump= to scp(1)
+
+ and sftp(1) to match ssh(1)'s interface.
+
+ ok djm
+
+ OpenBSD-Commit-ID: a75bc2d5f329caa7229a7e9fe346c4f41c2663fc
+
+commit c882d74652800150d538e22c80dd2bd3cdd5fae2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Jan 22 20:38:40 2019 +1100
+
+ Allow building against OpenSSL dev (3.x) version.
+
+commit d5520393572eb24aa0e001a1c61f49b104396e45
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 22 10:50:40 2019 +1100
+
+ typo
+
+commit 2de9cec54230998ab10161576f77860a2559ccb7
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 22 10:49:52 2019 +1100
+
+ add missing header
+
+commit 533cfb01e49a2a30354e191669dc3159e03e99a7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 22:18:24 2019 +0000
+
+ upstream: switch sntrup implementation source from supercop to
+
+ libpqcrypto; the latter is almost identical but doesn't rely on signed
+ underflow to implement an optimised integer sort; from markus@
+
+ OpenBSD-Commit-ID: cd09bbf0e0fcef1bedca69fdf7990dc360567cf8
+
+commit d50ab3cd6fb859888a26b4d4e333239b4f6bf573
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 22 00:02:23 2019 +1100
+
+ new files need includes.h
+
+commit c7670b091a7174760d619ef6738b4f26b2093301
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 12:53:35 2019 +0000
+
+ upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up
+
+ debug verbosity.
+
+ Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run
+ in debug mode ("ssh-agent -d"), so we get to see errors from the
+ PKCS#11 code.
+
+ ok markus@
+
+ OpenBSD-Commit-ID: 0a798643c6a92a508df6bd121253ba1c8bee659d
+
+commit 49d8c8e214d39acf752903566b105d06c565442a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 12:50:12 2019 +0000
+
+ upstream: adapt to changes in KEX APIs and file removals
+
+ OpenBSD-Regress-ID: 54d6857e7c58999c7a6d40942ab0fed3529f43ca
+
+commit 35ecc53a83f8e8baab2e37549addfd05c73c30f1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 12:35:20 2019 +0000
+
+ upstream: adapt to changes in KEX API and file removals
+
+ OpenBSD-Regress-ID: 92cad022d3b0d11e08f3e0055d6a14b8f994c0d7
+
+commit 7d69aae64c35868cc4f644583ab973113a79480e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 12:29:35 2019 +0000
+
+ upstream: adapt to bignum1 API removal and bignum2 API change
+
+ OpenBSD-Regress-ID: cea6ff270f3d560de86b355a87a2c95b55a5ca63
+
+commit beab553f0a9578ef9bffe28b2c779725e77b39ec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 09:13:41 2019 +0000
+
+ upstream: remove hack to use non-system libcrypto
+
+ OpenBSD-Regress-ID: ce72487327eee4dfae1ab0212a1f33871fe0809f
+
+commit 4dc06bd57996f1a46b4c3bababe0d09bc89098f7
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 23:14:04 2019 +1100
+
+ depend
+
+commit 70edd73edc4df54e5eee50cd27c25427b34612f8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 12:08:13 2019 +0000
+
+ upstream: fix reversed arguments to kex_load_hostkey(); manifested as
+
+ errors in cert-hostkey.sh regress failures.
+
+ OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
+
+commit f1185abbf0c9108e639297addc77f8757ee00eb3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 11:22:00 2019 +0000
+
+ upstream: forgot to cvs add this file in previous series of commits;
+
+ grrr
+
+ OpenBSD-Commit-ID: bcff316c3e7da8fd15333e05d244442c3aaa66b0
+
+commit 7bef390b625bdc080f0fd4499ef03cef60fca4fa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:44:21 2019 +0000
+
+ upstream: nothing shall escape this purge
+
+ OpenBSD-Commit-ID: 4795b0ff142b45448f7e15f3c2f77a947191b217
+
+commit aaca72d6f1279b842066e07bff797019efeb2c23
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:40:11 2019 +0000
+
+ upstream: rename kex->kem_client_pub -> kex->client_pub now that
+
+ KEM has been renamed to kexgen
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
+
+commit 70867e1ca2eb08bbd494fe9c568df4fd3b35b867
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:38:54 2019 +0000
+
+ upstream: merge kexkem[cs] into kexgen
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 87d886b7f1812ff9355fda1435f6ea9b71a0ac89
+
+commit 71e67fff946396caa110a7964da23480757258ff
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:35:09 2019 +0000
+
+ upstream: pass values used in KEX hash computation as sshbuf
+
+ rather than pointer+len
+
+ suggested by me; implemented by markus@ ok me
+
+ OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
+
+commit 4b83e2a2cc0c12e671a77eaba1c1245894f4e884
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:33:49 2019 +0000
+
+ upstream: remove kex_derive_keys_bn wrapper; no unused since the
+
+ DH-like KEX methods have moved to KEM
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
+
+commit 92dda34e373832f34a1944e5d9ebbebb184dedc1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:29:56 2019 +0000
+
+ upstream: use KEM API for vanilla ECDH
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
+
+commit b72357217cbe510a3ae155307a7be6b9181f1d1b
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 23:11:21 2019 +1100
+
+ fixup missing ssherr.h
+
+commit 9c9c97e14fe190931f341876ad98213e1e1dc19f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:28:01 2019 +0000
+
+ upstream: use KEM API for vanilla DH KEX
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
+
+commit 2f6a9ddbbf6ca8623c53c323ff17fb6d68d66970
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:24:09 2019 +0000
+
+ upstream: use KEM API for vanilla c25519 KEX
+
+ OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
+
+commit dfd591618cdf2c96727ac0eb65f89cf54af0d97e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:20:12 2019 +0000
+
+ upstream: Add support for a PQC KEX/KEM:
+
+ sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
+ 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
+ enabled by default.
+
+ introduce KEM API; a simplified framework for DH-ish KEX methods.
+
+ from markus@ feedback & ok djm@
+
+ OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
+
+commit b1b2ff4ed559051d1035419f8f236275fa66d5d6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:07:22 2019 +0000
+
+ upstream: factor out kex_verify_hostkey() - again, duplicated
+
+ almost exactly across client and server for several KEX methods.
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
+
+commit bb39bafb6dc520cc097780f4611a52da7f19c3e2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:05:09 2019 +0000
+
+ upstream: factor out kex_load_hostkey() - this is duplicated in
+
+ both the client and server implementations for most KEX methods.
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
+
+commit dec5e9d33891e3bc3f1395d7db0e56fdc7f86dfc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:03:37 2019 +0000
+
+ upstream: factor out kex_dh_compute_key() - it's shared between
+
+ plain DH KEX and DH GEX in both the client and server implementations
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
+
+commit e93bd98eab79b9a78f64ee8dd4dffc4d3979c7ae
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 10:00:23 2019 +0000
+
+ upstream: factor out DH keygen; it's identical between the client
+
+ and the server
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
+
+commit 5ae3f6d314465026d028af82609c1d49ad197655
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 09:55:52 2019 +0000
+
+ upstream: save the derived session id in kex_derive_keys() rather
+
+ than making each kex method implementation do it.
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
+
+commit 7be8572b32a15d5c3dba897f252e2e04e991c307
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 09:54:11 2019 +0000
+
+ upstream: Make sshpkt_get_bignum2() allocate the bignum it is
+
+ parsing rather than make the caller do it. Saves a lot of boilerplate code.
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
+
+commit 803178bd5da7e72be94ba5b4c4c196d4b542da4d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 09:52:25 2019 +0000
+
+ upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
+
+ functions
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 0380b1b2d9de063de3c5a097481a622e6a04943e
+
+commit f3ebaffd8714be31d4345f90af64992de4b3bba2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 09:49:37 2019 +0000
+
+ upstream: fix all-zero check in kexc25519_shared_key
+
+ from markus@ ok djm@
+
+ OpenBSD-Commit-ID: 60b1d364e0d9d34d1d1ef1620cb92e36cf06712d
+
+commit 9d1a9771d0ad3a83af733bf3d2650b53f43c269f
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Mon Jan 21 07:09:10 2019 +0000
+
+ upstream: - -T was added to the first synopsis by mistake - since
+
+ "..." denotes optional, no need to surround it in []
+
+ ok djm
+
+ OpenBSD-Commit-ID: 918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25
+
+commit 2f0bad2bf85391dbb41315ab55032ec522660617
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Jan 21 21:28:27 2019 +1100
+
+ Make --with-rpath take a flag instead of yes/no.
+
+ Linkers need various flags for -rpath and similar, so make --with-rpath
+ take an optional flag argument which is passed to the linker. ok djm@
+
+commit 23490a6c970ea1d03581a3b4208f2eb7a675f453
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 15:05:43 2019 +1100
+
+ fix previous test
+
+commit b6dd3277f2c49f9584a2097bc792e8f480397e87
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Jan 21 13:50:17 2019 +1100
+
+ Wrap ECC static globals in EC_KEY_METHOD_NEW too.
+
+commit b2eb9db35b7191613f2f4b934d57b25938bb34b3
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 12:53:40 2019 +1100
+
+ pass TEST_SSH_SSHPKCS11HELPER to regress tests
+
+commit ba58a529f45b3dae2db68607d8c54ae96e90e705
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 12:31:29 2019 +1100
+
+ make agent-pkcs11 search harder for softhsm2.so
+
+commit 662be40c62339ab645113c930ce689466f028938
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 02:05:38 2019 +0000
+
+ upstream: always print the caller's error message in ossl_error(),
+
+ even when there are no libcrypto errors to report.
+
+ OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
+
+commit ce46c3a077dfb4c531ccffcfff03f37775725b75
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 02:01:03 2019 +0000
+
+ upstream: get the ex_data (pkcs11_key object) back from the keys at
+
+ the index at which it was inserted, rather than assuming index 0
+
+ OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
+
+commit 0a5f2ea35626022299ece3c8817a1abe8cf37b3e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 01:05:00 2019 +0000
+
+ upstream: GSSAPI code got missed when converting to new packet API
+
+ OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
+
+commit 2efcf812b4c1555ca3aff744820a3b3bccd68298
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 11:57:21 2019 +1100
+
+ Fix -Wunused when compiling PKCS#11 without ECDSA
+
+commit 3c0c657ed7cd335fc05c0852d88232ca7e92a5d9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:26:44 2019 +0000
+
+ upstream: allow override of ssh-pkcs11-helper binary via
+
+ $TEST_SSH_SSHPKCS11HELPER from markus@
+
+ OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469
+
+commit 760ae37b4505453c6fa4faf1aa39a8671ab053af
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:25:25 2019 +0000
+
+ upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
+
+ for ECDSA keys
+
+ work by markus@, ok djm@
+
+ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
+
+commit b2ce8b31a1f974a13e6d12e0a0c132b50bc45115
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:24:19 2019 +0000
+
+ upstream: add "extra:" target to run some extra tests that are not
+
+ enabled by default (currently includes agent-pkcs11.sh); from markus@
+
+ OpenBSD-Regress-ID: 9a969e1adcd117fea174d368dcb9c61eb50a2a3c
+
+commit 632976418d60b7193597bbc6ac7ca33981a41aab
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Jan 21 00:47:34 2019 +0000
+
+ upstream: use ECDSA_SIG_set0() instead of poking signature values into
+
+ structure directly; the latter works on LibreSSL but not on OpenSSL. From
+ portable.
+
+ OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
+
+commit 5de6ac2bad11175135d9b819b3546db0ca0b4878
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 11:44:19 2019 +1100
+
+ remove HAVE_DLOPEN that snuck in
+
+ portable doesn't use this
+
+commit e2cb445d786f7572da2af93e3433308eaed1093a
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Jan 21 11:32:28 2019 +1100
+
+ conditionalise ECDSA PKCS#11 support
+
+ Require EC_KEY_METHOD support in libcrypto, evidenced by presence
+ of EC_KEY_METHOD_new() function.
+
+commit fcb1b0937182d0137a3c357c89735d0dc5869d54
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:12:35 2019 +0000
+
+ upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
+
+ now, so there is no need to keep a copy of each in the pkcs11_key object.
+
+ work by markus@, ok djm@
+
+ OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
+
+commit 6529409e85890cd6df7e5e81d04e393b1d2e4b0b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:11:11 2019 +0000
+
+ upstream: KNF previous; from markus@
+
+ OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
+
+commit 58622a8c82f4e2aad630580543f51ba537c1f39e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:10:33 2019 +0000
+
+ upstream: use OpenSSL's RSA reference counting hooks to
+
+ implicitly clean up pkcs11_key objects when their owning RSA object's
+ reference count drops to zero. Simplifies the cleanup path and makes it more
+ like ECDSA's
+
+ work by markus@, ok djm@
+
+ OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
+
+commit f118542fc82a3b3ab0360955b33bc5a271ea709f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:08:24 2019 +0000
+
+ upstream: make the PKCS#11 RSA code more like the new PKCS#11
+
+ ECDSA code: use a single custom RSA_METHOD instead of a method per key
+
+ suggested by me, but markus@ did all the work.
+ ok djm@
+
+ OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
+
+commit 445cfce49dfc904c6b8ab25afa2f43130296c1a5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:05:52 2019 +0000
+
+ upstream: fix leak of ECDSA pkcs11_key objects
+
+ work by markus, ok djm@
+
+ OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
+
+commit 8a2467583f0b5760787273796ec929190c3f16ee
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:03:26 2019 +0000
+
+ upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
+
+ EC_KEY internals as that won't work on OpenSSL
+
+ work by markus@, feedback and ok djm@
+
+ OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
+
+commit 24757c1ae309324e98d50e5935478655be04e549
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:01:59 2019 +0000
+
+ upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
+
+ object should never have a DER header
+
+ work by markus; feedback and ok djm@
+
+ OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
+
+commit 749aef30321595435ddacef2f31d7a8f2b289309
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 23:00:12 2019 +0000
+
+ upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
+
+ work by markus@, feedback and ok djm@
+
+ OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
+
+commit 0c50992af49b562970dd0ba3f8f151f1119e260e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 22:57:45 2019 +0000
+
+ upstream: cleanup pkcs#11 client code: use sshkey_new in instead
+
+ of stack- allocating a sshkey
+
+ work by markus@, ok djm@
+
+ OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91
+
+commit 854bd8674ee5074a239f7cadf757d55454802e41
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 22:54:30 2019 +0000
+
+ upstream: allow override of the pkcs#11 helper binary via
+
+ $SSH_PKCS11_HELPER; needed for regress tests.
+
+ work by markus@, ok me
+
+ OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83
+
+commit 93f02107f44d63a016d8c23ebd2ca9205c495c48
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 22:51:37 2019 +0000
+
+ upstream: add support for ECDSA keys in PKCS#11 tokens
+
+ Work by markus@ and Pedro Martelletto, feedback and ok me@
+
+ OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
+
+commit aa22c20e0c36c2fc610cfcc793b0d14079c38814
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Jan 20 22:03:29 2019 +0000
+
+ upstream: add option to test whether keys in an agent are usable,
+
+ by performing a signature and a verification using each key "ssh-add -T
+ pubkey [...]"
+
+ work by markus@, ok djm@
+
+ OpenBSD-Commit-ID: 931b888a600b6a883f65375bd5f73a4776c6d19b
+
+commit a36b0b14a12971086034d53c0c3dfbad07665abe
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Sun Jan 20 02:01:59 2019 +0000
+
+ upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on
+
+ error.
+
+ Found thanks to BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
+ by David Benjamin.
+
+ ok djm, dtucker
+
+ OpenBSD-Commit-ID: 1ee832be3c44b1337f76b8562ec6d203f3b072f8
+
+commit ec4776bb01dd8d61fddc7d2a31ab10bf3d3d829a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Jan 20 01:12:40 2019 +0000
+
+ upstream: DH-GEX min value is now specified in RFC8270. ok djm@
+
+ OpenBSD-Commit-ID: 1229d0feb1d0ecefe05bf67a17578b263e991acc
+
+commit c90a7928c4191303e76a8c58b9008d464287ae1b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Jan 21 09:22:36 2019 +1100
+
+ Check for cc before gcc.
+
+ If cc is something other than gcc and is the system compiler prefer using
+ that, unless otherwise told via $CC. ok djm@
+
+commit 9b655dc9c9a353f0a527f0c6c43a5e35653c9503
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Jan 20 14:55:27 2019 +1100
+
+ last bits of old packet API / active_state global
+
+commit 3f0786bbe73609ac96e5a0d91425ee21129f8e04
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Jan 20 10:22:18 2019 +1100
+
+ remove PAM dependencies on old packet API
+
+ Requires some caching of values, because the PAM code isn't
+ always called with packet context.
+
+commit 08f66d9f17e12c1140d1f1cf5c4dce67e915d3cc
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Jan 20 09:58:45 2019 +1100
+
+ remove vestiges of old packet API from loginrec.c
+
+commit c327813ea1d740e3e367109c17873815aba1328e
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Jan 20 09:45:38 2019 +1100
+
+ depend
+
+commit 135e302cfdbe91817294317c337cc38c3ff01cba
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 22:30:52 2019 +0000
+
+ upstream: fix error in refactor: use ssh_packet_disconnect() instead of
+
+ sshpkt_error(). The first one logs the error and exits (what we want) instead
+ of just logging and blundering on.
+
+ OpenBSD-Commit-ID: 39f51b43641dce9ce0f408ea6c0e6e077e2e91ae
+
+commit 245c6a0b220b58686ee35bc5fc1c359e9be2faaa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:45:31 2019 +0000
+
+ upstream: remove last traces of old packet API!
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 9bd10437026423eb8245636ad34797a20fbafd7d
+
+commit 04c091fc199f17dacf8921df0a06634b454e2722
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:43:56 2019 +0000
+
+ upstream: remove last references to active_state
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
+
+commit ec00f918b8ad90295044266c433340a8adc93452
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:43:07 2019 +0000
+
+ upstream: convert monitor.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5
+
+commit 6350e0316981489d4205952d6904d6fedba5bfe0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:42:30 2019 +0000
+
+ upstream: convert sshd.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: ea569d3eaf9b5cf1bad52779fbfa5fa0b28af891
+
+commit a5e2ad88acff2b7d131ee6d5dc5d339b0f8c6a6d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:41:53 2019 +0000
+
+ upstream: convert session.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: fae817207e23099ddd248960c984f7b7f26ea68e
+
+commit 3a00a921590d4c4b7e96df11bb10e6f9253ad45e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:41:18 2019 +0000
+
+ upstream: convert auth.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
+
+commit 7ec5cb4d15ed2f2c5c9f5d00e6b361d136fc1e2d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:40:48 2019 +0000
+
+ upstream: convert serverloop.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: c92dd19b55457541478f95c0d6b318426d86d885
+
+commit 64c9598ac05332d1327cbf55334dee4172d216c4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:40:21 2019 +0000
+
+ upstream: convert the remainder of sshconnect2.c to new packet
+
+ API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 0986d324f2ceb5e8a12ac21c1bb10b3b4b1e0f71
+
+commit bc5e1169d101d16e3a5962a928db2bc49a8ef5a3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:39:12 2019 +0000
+
+ upstream: convert the remainder of clientloop.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: ce2fbbacb86a290f31da1e7bf04cddf2bdae3d1e
+
+commit 5ebce136a6105f084db8f0d7ee41981d42daec40
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Jan 20 09:44:53 2019 +1100
+
+ upstream: convert auth2.c to new packet API
+
+ OpenBSD-Commit-ID: ed831bb95ad228c6791bc18b60ce7a2edef2c999
+
+commit 172a592a53ebe8649c4ac0d7946e6c08eb151af6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:37:48 2019 +0000
+
+ upstream: convert servconf.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
+
+commit 8cc7a679d29cf6ecccfa08191e688c7f81ef95c2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:37:13 2019 +0000
+
+ upstream: convert channels.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 0b8279b56113cbd4011fc91315c0796b63dc862c
+
+commit 06232038c794c7dfcb087be0ab0b3e65b09fd396
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:36:38 2019 +0000
+
+ upstream: convert sshconnect.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 222337cf6c96c347f1022d976fac74b4257c061f
+
+commit 25b2ed667216314471bb66752442c55b95792dc3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:36:06 2019 +0000
+
+ upstream: convert ssh.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: eb146878b24e85c2a09ee171afa6797c166a2e21
+
+commit e3128b38623eef2fa8d6e7ae934d3bd08c7e973e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:35:25 2019 +0000
+
+ upstream: convert mux.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 4e3893937bae66416e984b282d8f0f800aafd802
+
+commit ed1df7226caf3a943a36d580d4d4e9275f8a61ee
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:34:45 2019 +0000
+
+ upstream: convert sshconnect2.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 1cb869e0d6e03539f943235641ea070cae2ebc58
+
+commit 23f22a4aaa923c61ec49a99ebaa383656e87fa40
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:33:57 2019 +0000
+
+ upstream: convert clientloop.c to new packet API
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 497b36500191f452a22abf283aa8d4a9abaee7fa
+
+commit ad60b1179c9682ca5aef0b346f99ef68cbbbc4e5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:33:13 2019 +0000
+
+ upstream: allow sshpkt_fatal() to take a varargs format; we'll
+
+ use this to give packet-related fatal error messages more context (esp. the
+ remote endpoint) ok markus@
+
+ OpenBSD-Commit-ID: de57211f9543426b515a8a10a4f481666b2b2a50
+
+commit 0fa174ebe129f3d0aeaf4e2d1dd8de745870d0ff
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Jan 19 21:31:32 2019 +0000
+
+ upstream: begin landing remaining refactoring of packet parsing
+
+ API, started almost exactly six years ago.
+
+ This change stops including the old packet_* API by default and makes
+ each file that requires the old API include it explicitly. We will
+ commit file-by-file refactoring to remove the old API in consistent
+ steps.
+
+ with & ok markus@
+
+ OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
+
+commit 4ae7f80dfd02f2bde912a67c9f338f61e90fa79f
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Sat Jan 19 04:15:56 2019 +0000
+
+ upstream: Print an \r in front of the password prompt so parts of
+
+ a password that was entered too early are likely clobbered by the prompt.
+ Idea from doas.
+
+ from and ok djm
+ "i like it" deraadt
+
+ OpenBSD-Commit-ID: 5fb97c68df6d8b09ab37f77bca1d84d799c4084e
+
+commit a6258e5dc314c7d504ac9f0fbc3be96475581dbe
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Jan 18 11:09:01 2019 +1100
+
+ Add minimal fchownat and fchmodat implementations.
+
+ Fixes builds on at least OS X Lion, NetBSD 6 and Solaris 10.
+
+commit 091093d25802b87d3b2b09f2c88d9f33e1ae5562
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Jan 18 12:11:42 2019 +1300
+
+ Add a minimal implementation of utimensat().
+
+ Some systems (eg older OS X) do not have utimensat, so provide minimal
+ implementation in compat layer. Fixes build on at least El Capitan.
+
+commit 609644027dde1f82213699cb6599e584c7efcb75
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 1 22:20:16 2019 +0000
+
+ upstream: regress bits for banner processing refactor (this test was
+
+ depending on ssh returning a particular error message for banner parsing
+ failure)
+
+ reminded by bluhm@
+
+ OpenBSD-Regress-ID: f24fc303d40931157431df589b386abf5e1be575
+
+commit f47d72ddad75b93d3cbc781718b0fa9046c03df8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jan 17 04:45:09 2019 +0000
+
+ upstream: tun_fwd_ifnames variable should b
+
+ =?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?=
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+
+ OpenBSD-Commit-ID: d53dede6e521161bf04d39d09947db6253a38271
+
+commit 943d0965263cae1c080ce5a9d0b5aa341885e55d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jan 17 04:20:53 2019 +0000
+
+ upstream: include time.h for time(3)/nanosleep(2); from Ian
+
+ McKellar
+
+ OpenBSD-Commit-ID: 6412ccd06a88f65b207a1089345f51fa1244ea51
+
+commit dbb4dec6d5d671b5e9d67ef02162a610ad052068
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jan 17 01:50:24 2019 +0000
+
+ upstream: many of the global variables in this file can be made static;
+
+ patch from Markus Schmidt
+
+ OpenBSD-Commit-ID: f3db619f67beb53257b21bac0e92b4fb7d5d5737
+
+commit 60d8c84e0887514c99c9ce071965fafaa1c3d34a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 16 23:23:45 2019 +0000
+
+ upstream: Add "-h" flag to sftp chown/chgrp/chmod commands to
+
+ request they do not follow symlinks. Requires recently-committed
+ lsetstat@openssh.com extension on the server side.
+
+ ok markus@ dtucker@
+
+ OpenBSD-Commit-ID: f93bb3f6f7eb2fb7ef1e59126e72714f1626d604
+
+commit dbbc7e0eab7262f34b8e0cd6efecd1c77b905ed0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Jan 16 23:22:10 2019 +0000
+
+ upstream: add support for a "lsetstat@openssh.com" extension. This
+
+ replicates the functionality of the existing SSH2_FXP_SETSTAT operation but
+ does not follow symlinks. Based on a patch from Bert Haverkamp in bz#2067 but
+ with more attribute modifications supported.
+
+ ok markus@ dtucker@
+
+ OpenBSD-Commit-ID: f7234f6e90db19655d55d936a115ee4ccb6aaf80
+
+commit 4a526941d328fc3d97068c6a4cbd9b71b70fe5e1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jan 4 03:27:50 2019 +0000
+
+ upstream: eliminate function-static attempt counters for
+
+ passwd/kbdint authmethods by moving them to the client authctxt; Patch from
+ Markus Schmidt, ok markus@
+
+ OpenBSD-Commit-ID: 4df4404a5d5416eb056f68e0e2f4fa91ba3b3f7f
+
+commit 8a8183474c41bd6cebaa917346b549af2239ba2f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Jan 4 03:23:00 2019 +0000
+
+ upstream: fix memory leak of ciphercontext when rekeying; bz#2942
+
+ Patch from Markus Schmidt; ok markus@
+
+ OpenBSD-Commit-ID: 7877f1b82e249986f1ef98d0ae76ce987d332bdd
+
+commit 5bed70afce0907b6217418d0655724c99b683d93
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 1 23:10:53 2019 +0000
+
+ upstream: static on global vars, const on handler tables that contain
+
+ function pointers; from Mike Frysinger
+
+ OpenBSD-Commit-ID: 7ef2305e50d3caa6326286db43cf2cfaf03960e0
+
+commit 007a88b48c97d092ed2f501bbdcb70d9925277be
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 27 23:02:11 2018 +0000
+
+ upstream: Request RSA-SHA2 signatures for
+
+ rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
+
+ OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
+
+commit eb347d086c35428c47fe52b34588cbbc9b49d9a6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 27 03:37:49 2018 +0000
+
+ upstream: ssh_packet_set_state() now frees ssh->kex implicitly, so
+
+ don't do explicit kex_free() beforehand
+
+ OpenBSD-Regress-ID: f2f73bad47f62a2040ccba0a72cadcb12eda49cf
+
+commit bb542f0cf6f7511a22a08c492861e256a82376a9
+Author: tedu@openbsd.org <tedu@openbsd.org>
+Date: Sat Dec 15 00:50:21 2018 +0000
+
+ upstream: remove unused and problematic sudo clean. ok espie
+
+ OpenBSD-Regress-ID: ca90c20a15a85b661e13e98b80c10e65cd662f7b
+
+commit 0a843d9a0e805f14653a555f5c7a8ba99d62c12d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 27 03:25:24 2018 +0000
+
+ upstream: move client/server SSH-* banners to buffers under
+
+ ssh->kex and factor out the banner exchange. This eliminates some common code
+ from the client and server.
+
+ Also be more strict about handling \r characters - these should only
+ be accepted immediately before \n (pointed out by Jann Horn).
+
+ Inspired by a patch from Markus Schmidt.
+ (lots of) feedback and ok markus@
+
+ OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
+
+commit 434b587afe41c19391821e7392005068fda76248
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Dec 7 04:36:09 2018 +0000
+
+ upstream: Fix calculation of initial bandwidth limits. Account for
+
+ written bytes before the initial timer check so that the first buffer written
+ is accounted. Set the threshold after which the timer is checked such that
+ the limit starts being computed as soon as possible, ie after the second
+ buffer is written. This prevents an initial burst of traffic and provides a
+ more accurate bandwidth limit. bz#2927, ok djm.
+
+ OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6
+
+commit a6a0788cbbe8dfce2819ee43b09c80725742e21c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 7 03:39:40 2018 +0000
+
+ upstream: only consider the ext-info-c extension during the initial
+
+ KEX. It shouldn't be sent in subsequent ones, but if it is present we should
+ ignore it.
+
+ This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
+ these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
+
+ OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
+
+commit 63bba57a32c5bb6158d57cf4c47022daf89c14a0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 7 03:33:18 2018 +0000
+
+ upstream: fix option letter pasto in previous
+
+ OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
+
+commit 737e4edd82406595815efadc28ed5161b8b0c01a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 7 03:32:26 2018 +0000
+
+ upstream: mention that the ssh-keygen -F (find host in
+
+ authorized_keys) and -R (remove host from authorized_keys) options may accept
+ either a bare hostname or a [hostname]:port combo. bz#2935
+
+ OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
+
+commit 8a22ffaa13391cfe5b40316d938fe0fb931e9296
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Dec 7 15:41:16 2018 +1100
+
+ expose $SSH_CONNECTION in the PAM environment
+
+ This makes the connection 4-tuple available to PAM modules that
+ wish to use it in decision-making. bz#2741
+
+commit a784fa8c7a7b084d63bae82ccfea902131bb45c5
+Author: Kevin Adler <kadler@us.ibm.com>
+Date: Wed Dec 12 22:12:45 2018 -0600
+
+ Don't pass loginmsg by address now that it's an sshbuf*
+
+ In 120a1ec74, loginmsg was changed from the legacy Buffer type
+ to struct sshbuf*, but it missed changing calls to
+ sys_auth_allowed_user and sys_auth_record_login which passed
+ loginmsg by address. Now that it's a pointer, just pass it directly.
+
+ This only affects AIX, unless there are out of tree users.
+
+commit 285310b897969a63ef224d39e7cc2b7316d86940
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 7 02:31:20 2018 +0000
+
+ upstream: no need to allocate channels_pre/channels_post in
+
+ channel_init_channels() as we do it anyway in channel_handler_init() that we
+ call at the end of the function. Fix from Markus Schmidt via bz#2938
+
+ OpenBSD-Commit-ID: 74893638af49e3734f1e33a54af1b7ea533373ed
+
+commit 87d6cf1cbc91df6815db8fe0acc7c910bc3d18e4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 30 02:24:52 2018 +0000
+
+ upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293
+
+ OpenBSD-Commit-ID: 0e8fc8f19f14b21adef7109e0faa583d87c0e929
+
+commit 91b19198c3f604f5eef2c56dbe36f29478243141
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Nov 28 06:00:38 2018 +0000
+
+ upstream: don't truncate user or host name in "user@host's
+
+ OpenBSD-Commit-ID: e6ca01a8d58004b7f2cac0b1b7ce8f87e425e360
+
+commit dd0cf6318d9b4b3533bda1e3bc021b2cd7246b7a
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Nov 23 06:58:28 2018 +0000
+
+ upstream: tweak previous;
+
+ OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f
+
+commit 8a85f5458d1c802471ca899c97f89946f6666e61
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Nov 25 21:44:05 2018 +1100
+
+ Include stdio.h for FILE if needed.
+
+commit 16fb23f25454991272bfe4598cc05d20fcd25116
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Nov 25 14:05:57 2018 +1100
+
+ Reverse order of OpenSSL init functions.
+
+ Try the new init function (OPENSSL_init_crypto) before falling back to
+ the old one (OpenSSL_add_all_algorithms).
+
+commit 98f878d2272bf8dff21f2a0265d963c29e33fed2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Nov 25 14:05:08 2018 +1100
+
+ Improve OpenSSL_add_all_algorithms check.
+
+ OpenSSL_add_all_algorithms() may be a macro so check for that too.
+
+commit 9e34e0c59ab04514f9de9934a772283f7f372afe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 23 05:08:07 2018 +0000
+
+ upstream: add a ssh_config "Match final" predicate
+
+ Matches in same pass as "Match canonical" but doesn't require
+ hostname canonicalisation be enabled. bz#2906 ok markus
+
+ OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
+
+commit 4da58d58736b065b1182b563d10ad6765d811c6d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Nov 23 02:53:57 2018 +0000
+
+ upstream: Remove now-unneeded ifdef SIGINFO around handler since it is
+
+ now always used for SIGUSR1 even when SIGINFO is not defined. This will make
+ things simpler in -portable.
+
+ OpenBSD-Regress-ID: 4ff0265b335820b0646d37beb93f036ded0dc43f
+
+commit c721d5877509875c8515df0215fa1dab862013bc
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Nov 23 14:11:20 2018 +1100
+
+ Move RANDOM_SEED_SIZE outside ifdef.
+
+ RANDOM_SEED_SIZE is used by both the OpenSSL and non-OpenSSL code
+ This fixes the build with configureed --without-openssl.
+
+commit deb51552c3ce7ce72c8d0232e4f36f2e7c118c7d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 22 19:59:28 2018 +1100
+
+ Resync with OpenBSD by pulling in an ifdef SIGINFO.
+
+commit 28c7b2cd050f4416bfcf3869a20e3ea138aa52fe
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Nov 23 10:45:20 2018 +1100
+
+ fix configure test for OpenSSL version
+
+ square brackets in case statements may be eaten by autoconf.
+
+ Report and fix from Filipp Gunbin; tweaked by naddy@
+
+commit 42c5ec4b97b6a1bae70f323952d0646af16ce710
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Nov 23 10:40:06 2018 +1100
+
+ refactor libcrypto initialisation
+
+ Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
+ supports it.
+
+ Move all libcrypto initialisation to a single function, and call that
+ from seed_rng() that is called early in each tool's main().
+
+ Prompted by patch from Rosen Penev
+
+commit 5b60b6c02009547a3e2a99d4886965de2a4719da
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Nov 22 08:59:11 2018 +0000
+
+ upstream: Output info on SIGUSR1 as well as
+
+ SIGINFO to resync with portable. (ID sync only).
+
+ OpenBSD-Regress-ID: 699d153e2de22dce51a1b270c40a98472d1a1b16
+
+commit e4ae345dc75b34fd870c2e8690d831d2c1088eb7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Nov 22 08:48:32 2018 +0000
+
+ upstream: Append pid to temp files in /var/run and set a cleanup
+
+ trap for them. This allows multiple instances of tests to run without
+ colliding.
+
+ OpenBSD-Regress-ID: 57add105ecdfc54752d8003acdd99eb68c3e0b4c
+
+commit f72d0f52effca5aa20a193217346615ecd3eed53
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Oct 31 11:09:27 2018 +0000
+
+ upstream: UsePrivilegeSeparation no is deprecated
+
+ test "yes" and "sandbox".
+
+ OpenBSD-Regress-ID: 80e685ed8990766527dc629b1affc09a75bfe2da
+
+commit 35d0e5fefc419bddcbe09d7fc163d8cd3417125b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 17 23:28:05 2018 +0000
+
+ upstream: add some knobs:
+
+ UNITTEST_FAST?= no # Skip slow tests (e.g. less intensive fuzzing).
+ UNITTEST_SLOW?= no # Include slower tests (e.g. more intensive fuzzing).
+ UNITTEST_VERBOSE?= no # Verbose test output (inc. per-test names).
+
+ useful if you want to run the tests as a smoke test to exercise the
+ functionality without waiting for all the fuzzers to run.
+
+ OpenBSD-Regress-ID: e04d82ebec86068198cd903acf1c67563c57315e
+
+commit c1941293d9422a14dda372b4c21895e72aa7a063
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 22 15:52:26 2018 +1100
+
+ Resync Makefile.inc with upstream.
+
+ It's unused in -portable, but having it out of sync makes other syncs
+ fail to apply.
+
+commit 928f1231f65f88cd4c73e6e0edd63d2cf6295d77
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Nov 19 04:12:32 2018 +0000
+
+ upstream: silence (to log level debug2) failure messages when
+
+ loading the default hostkeys. Hostkeys explicitly specified in the
+ configuration or on the command-line are still reported as errors, and
+ failure to load at least one host key remains a fatal error.
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+
+ Based on patch from Dag-Erling Smørgrav via
+ https://github.com/openssh/openssh-portable/pull/103
+
+ ok markus@
+
+ OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
+
+commit 7fca94edbe8ca9f879da9fdd2afd959c4180f4c7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Nov 18 22:43:29 2018 +0000
+
+ upstream: Fix inverted logic for redirecting ProxyCommand stderr to
+
+ /dev/null. Fixes mosh in proxycommand mode that was broken by the previous
+ ProxyCommand change that was reported by matthieu@. ok djm@ danj@
+
+ OpenBSD-Commit-ID: c6fc9641bc250221a0a81c6beb2e72d603f8add6
+
+commit ccef7c4faf914993b53035cd2b25ce02ab039c9d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 06:17:38 2018 +0000
+
+ upstream: redirect stderr of ProxyCommands to /dev/null when ssh is
+
+ started with ControlPersist; based on patch from Steffen Prohaska
+
+ OpenBSD-Commit-ID: 1bcaa14a03ae80369d31021271ec75dce2597957
+
+commit 15182fd96845a03216d7ac5a2cf31c4e77e406e3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 06:10:29 2018 +0000
+
+ upstream: make grandparent-parent-child sshbuf chains robust to
+
+ use-after-free faults if the ancestors are freed before the descendents.
+ Nothing in OpenSSH uses this deallocation pattern. Reported by Jann Horn
+
+ OpenBSD-Commit-ID: d93501d1d2734245aac802a252b9bb2eccdba0f2
+
+commit 2a35862e664afde774d4a72497d394fe7306ccb5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 03:26:01 2018 +0000
+
+ upstream: use path_absolute() for pathname checks; from Manoj Ampalam
+
+ OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
+
+commit d0d1dfa55be1c5c0d77ab3096b198a64235f936d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Nov 16 14:11:44 2018 +1100
+
+ Test for OPENSSL_init_crypto before using.
+
+ Check for the presence of OPENSSL_init_crypto and all the flags we want
+ before trying to use it (bz#2931).
+
+commit 6010c0303a422a9c5fa8860c061bf7105eb7f8b2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 03:03:10 2018 +0000
+
+ upstream: disallow empty incoming filename or ones that refer to the
+
+ current directory; based on report/patch from Harry Sintonen
+
+ OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+commit aaed635e3a401cfcc4cc97f33788179c458901c3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 02:46:20 2018 +0000
+
+ upstream: fix bug in client that was keeping a redundant ssh-agent
+
+ socket around for the life of the connection; bz#2912; reported by Simon
+ Tatham; ok dtucker@
+
+ OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
+
+commit e76135e3007f1564427b2956c628923d8dc2f75a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 02:43:56 2018 +0000
+
+ upstream: fix bug in HostbasedAcceptedKeyTypes and
+
+ PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
+ specified, then authentication would always fail for RSA keys as the monitor
+ checks only the base key (not the signature algorithm) type against
+ *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
+
+ OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
+
+commit 5c1a63562cac0574c226224075b0829a50b48c9d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 16 02:30:20 2018 +0000
+
+ upstream: support a prefix of '@' to suppress echo of sftp batch
+
+ commands; bz#2926; ok dtucker@
+
+ OpenBSD-Commit-ID: 9d635636bc84aeae796467e059f7634de990a79d
+
+commit 90ef45f7aac33eaf55ec344e101548a01e570f29
+Author: schwarze@openbsd.org <schwarze@openbsd.org>
+Date: Tue Nov 13 07:22:45 2018 +0000
+
+ upstream: fix markup error (missing blank before delimiter); from
+
+ Mike Frysinger <vapier at gentoo dot org>
+
+ OpenBSD-Commit-ID: 1bc5392f795ca86318d695e0947eaf71a5a4f6d9
+
+commit 960e7c672dc106f3b759c081de3edb4d1138b36e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 9 02:57:58 2018 +0000
+
+ upstream: typo in error message; caught by Debian lintian, via
+
+ Colin Watson
+
+ OpenBSD-Commit-ID: bff614c7bd1f4ca491a84e9b5999f848d0d66758
+
+commit 81f1620c836e6c79c0823ba44acca605226a80f1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Nov 9 02:56:22 2018 +0000
+
+ upstream: correct local variable name; from yawang AT microsoft.com
+
+ OpenBSD-Commit-ID: a0c228390856a215bb66319c89cb3959d3af8c87
+
+commit 1293740e800fa2e5ccd38842a2e4970c6f3b9831
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Oct 31 11:20:05 2018 +0000
+
+ upstream: Import new moduli.
+
+ OpenBSD-Commit-ID: c07772f58028fda683ee6abd41c73da3ff70d403
+
+commit 46925ae28e53fc9add336a4fcdb7ed4b86c3591c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 26 01:23:03 2018 +0000
+
+ upstream: mention ssh-ed25519-cert-v01@openssh.com in list of cert
+
+ key type at start of doc
+
+ OpenBSD-Commit-ID: b46b0149256d67f05f2d5d01e160634ed1a67324
+
+commit 8d8340e2c215155637fe19cb1a837f71b2d55f7b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Nov 16 13:32:13 2018 +1100
+
+ Remove fallback check for /usr/local/ssl.
+
+ If configure could not find a working OpenSSL installation it would
+ fall back to checking in /usr/local/ssl. This made sense back when
+ systems did not ship with OpenSSL, but most do and OpenSSL 1.1 doesn't
+ use that as a default any more. The fallback behaviour also meant
+ that if you pointed --with-ssl-dir at a specific directory and it
+ didn't work, it would silently use either the system libs or the ones
+ in /usr/local/ssl. If you want to use /usr/local/ssl you'll need to
+ pass configure --with-ssl-dir=/usr/local/ssl. ok djm@
+
+commit ce93472134fb22eff73edbcd173a21ae38889331
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Nov 16 12:44:01 2018 +1100
+
+ Fix check for OpenSSL 1.0.1 exactly.
+
+ Both INSTALL and configure.ac claim OpenSSL >= 1.0.1 is supported; fix
+ compile-time check for 1.0.1 to match.
+
+commit f2970868f86161a22b2c377057fa3891863a692a
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Nov 11 15:58:20 2018 +1100
+
+ Improve warnings in cygwin service setup.
+
+ bz#2922, patch from vinschen at redhat.com.
+
+commit bd2d54fc1eee84bf87158a1277a50e6c8a303339
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Nov 11 15:54:54 2018 +1100
+
+ Remove hardcoded service name in cygwin setup.
+
+ bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
+ by vinschen at redhat.com.
+
+commit d0153c77bf7964e694f1d26c56c41a571b8e9466
+Author: Dag-Erling Smørgrav <des@des.no>
+Date: Tue Oct 9 23:03:40 2018 +0200
+
+ AC_CHECK_SIZEOF() no longer needs a second argument.
+
+commit 9b47b083ca9d866249ada9f02dbd57c87b13806e
+Author: Manoj Ampalam <manojamp@microsoft.com>
+Date: Thu Nov 8 22:41:59 2018 -0800
+
+ Fix error message w/out nistp521.
+
+ Correct error message when OpenSSL doesn't support certain ECDSA key
+ lengths.
+
+commit 624d19ac2d56fa86a22417c35536caceb3be346f
+Author: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Tue Oct 9 16:17:42 2018 -0300
+
+ fix compilation with openssl built without ECC
+
+ ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
+ guarded by OPENSSL_HAS_ECC
+
+ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+commit 1801cd11d99d05a66ab5248c0555f55909a355ce
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Nov 8 15:03:11 2018 +1100
+
+ Simplify OpenSSL 1.1 function checks.
+
+ Replace AC_SEARCH_LIBS checks for OpenSSL 1.1 functions with a single
+ AC_CHECK_FUNCS. ok djm@
+
+commit bc32f118d484e4d71d2a0828fd4eab7e4176c9af
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Nov 5 17:31:24 2018 +1100
+
+ Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
+
+ Prevents unnecessary redefinition. Patch from mforney at mforney.org.
+
+commit 3719df60c66abc4b47200d41f571d67772f293ba
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Oct 31 22:21:03 2018 +1100
+
+ Import new moduli.
+
+commit 595605d4abede475339d6a1f07a8cc674c11d1c3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Oct 28 15:18:13 2018 +1100
+
+ Update check for minimum OpenSSL version.
+
+commit 6ab75aba340d827140d7ba719787aabaf39a0355
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Oct 28 15:16:31 2018 +1100
+
+ Update required OpenSSL versions to match current.
+
+commit c801b0e38eae99427f37869370151b78f8e15c5d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Oct 28 14:34:12 2018 +1100
+
+ Use detected version functions in openssl compat.
+
+ Use detected functions in compat layer instead of guessing based on
+ versions. Really fixes builds with LibreSSL, not just configure.
+
+commit 262d81a259d4aa1507c709ec9d5caa21c7740722
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Oct 27 16:45:59 2018 +1100
+
+ Check for the existence of openssl version funcs.
+
+ Check for the existence of openssl version functions and use the ones
+ detected instead of trying to guess based on the int32 version
+ identifier. Fixes builds with LibreSSL.
+
+commit 406a24b25d6a2bdd70cacd16de7e899dcb2a8829
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 26 13:43:28 2018 +1100
+
+ fix builds on OpenSSL <= 1.0.x
+
+ I thought OpenSSL 1.0.x offered the new-style OpenSSL_version_num() API
+ to obtain version number, but they don't.
+
+commit 859754bdeb41373d372e36b5dc89c547453addb3
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Oct 23 17:10:41 2018 +1100
+
+ remove remaining references to SSLeay
+
+ Prompted by Rosen Penev
+
+commit b9fea45a68946c8dfeace72ad1f6657c18f2a98a
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Oct 23 17:10:35 2018 +1100
+
+ regen depend
+
+commit a65784c9f9c5d00cf1a0e235090170abc8d07c73
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Oct 23 05:56:35 2018 +0000
+
+ upstream: refer to OpenSSL not SSLeay;
+
+ we're old, but we don't have to act it
+
+ OpenBSD-Commit-ID: 9ca38d11f8ed19e61a55108d1e892d696cee08ec
+
+commit c0a35265907533be10ca151ac797f34ae0d68969
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Oct 22 11:22:50 2018 +1100
+
+ fix compile for openssl 1.0.x w/ --with-ssl-engine
+
+ bz#2921, patch from cotequeiroz
+
+commit 31b49525168245abe16ad49d7b7f519786b53a38
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Oct 22 20:05:18 2018 +1100
+
+ Include openssl compatibility.
+
+ Patch from rosenp at gmail.com via openssh-unix-dev.
+
+commit a4fc253f5f44f0e4c47aafe2a17d2c46481d3c04
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 19 03:12:42 2018 +0000
+
+ upstream: when printing certificate contents "ssh-keygen -Lf
+
+ /path/certificate", include the algorithm that the CA used to sign the cert.
+
+ OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
+
+commit 83b3d99d2b47321b7ebb8db6f6ea04f3808bc069
+Author: florian@openbsd.org <florian@openbsd.org>
+Date: Mon Oct 15 11:28:50 2018 +0000
+
+ upstream: struct sockaddr_storage is guaranteed to be large enough,
+
+ no need to check the size. OK kn, deraadt
+
+ OpenBSD-Commit-ID: 0aa56e92eb49c79f495b31a5093109ec5841f439
+
commit aede1c34243a6f7feae2fb2cb686ade5f9be6f3d
Author: Damien Miller <djm@mindrot.org>
Date: Wed Oct 17 11:01:20 2018 +1100
@@ -7741,1966 +10340,3 @@ Date: Mon Apr 17 11:02:31 2017 +0000
-Wpointer-sign and -Wold-style-definition.
Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a
-
-commit 4d827f0d75a53d3952288ab882efbddea7ffadfe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Apr 4 00:24:56 2017 +0000
-
- upstream commit
-
- disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt@
-
- Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
-
-commit ef47843af0a904a21c920e619c5aec97b65dd9ac
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Sun Mar 26 00:18:52 2017 +0000
-
- upstream commit
-
- incorrect renditions of this quote bother me
-
- Upstream-ID: 1662be3ebb7a71d543da088119c31d4d463a9e49
-
-commit d9048861bea842c4eba9c2dbbf97064cc2a5ef02
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Mar 31 11:04:43 2017 +1100
-
- Check for and use gcc's -pipe.
-
- Speeds up configure and build by a couple of percent. ok djm@
-
-commit 282cad2240c4fbc104c2f2df86d688192cbbe4bb
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 16:34:44 2017 +1100
-
- Import fmt_scaled.c rev 1.16 from OpenBSD.
-
- Fix overly-conservative overflow checks on mulitplications and add checks
- on additions. This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
- will still be flagged as a range error). ok millert@
-
-commit c73a229e4edf98920f395e19fd310684fc6bb951
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 16:34:02 2017 +1100
-
- Import fmt_scaled.c rev 1.15 from OpenBSD.
-
- Collapse underflow and overflow checks into a single block.
- ok djm@ millert@
-
-commit d427b73bf5a564f663d16546dbcbd84ba8b9d4af
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 16:32:57 2017 +1100
-
- Import fmt_scaled.c rev 1.14 from OpenBSD.
-
- Catch integer underflow in scan_scaled reported by Nicolas Iooss.
- ok deraadt@ djm@
-
-commit d13281f2964abc5f2e535e1613c77fc61b0c53e7
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 12:39:39 2017 +1100
-
- Don't check privsep user or path when unprivileged
-
- If running with privsep (mandatory now) as a non-privileged user, we
- don't chroot or change to an unprivileged user however we still checked
- the existence of the user and directory. Don't do those checks if we're
- not going to use them. Based in part on a patch from Lionel Fourquaux
- via Corinna Vinschen, ok djm@
-
-commit f2742a481fe151e493765a3fbdef200df2ea7037
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 10:50:31 2017 +1100
-
- Remove SHA256 EVP wrapper implementation.
-
- All supported versions of OpenSSL should now have SHA256 so remove our
- EVP wrapper implementaion. ok djm@
-
-commit 5346f271fc76549caf4a8e65b5fba319be422fe9
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 10:23:58 2017 +1100
-
- Remove check for OpenSSL < 0.9.8g.
-
- We no longer support OpenSSL < 1.0.1 so remove check for unreliable ECC
- in OpenSSL < 0.9.8g.
-
-commit 8fed0a5fe7b4e78a6810b133d8e91be9742ee0a1
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 10:16:15 2017 +1100
-
- Remove compat code for OpenSSL < 0.9.7.
-
- Resyncs that code with OpenBSD upstream.
-
-commit 608ec1f62ff22fdccc3952e51463d79c43cbd0d3
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 29 09:50:54 2017 +1100
-
- Remove SSHv1 code path.
-
- Server-side support for Protocol 1 has been removed so remove !compat20
- PAM code path.
-
-commit 7af27bf538cbc493d609753f9a6d43168d438f1b
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Mar 24 09:44:56 2017 +1100
-
- Enable ldns when using ldns-config.
-
- Actually enable ldns when attempting to use ldns-config. bz#2697, patch
- from fredrik at fornwall.net.
-
-commit 58b8cfa2a062b72139d7229ae8de567f55776f24
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Mar 22 12:43:02 2017 +1100
-
- Missing header on Linux/s390
-
- Patch from Jakub Jelen
-
-commit 096fb65084593f9f3c1fc91b6d9052759a272a00
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Mar 20 22:08:06 2017 +0000
-
- upstream commit
-
- remove /usr/bin/time calls around tests, makes diffing test
- runs harder. Based on patch from Mike Frysinger
-
- Upstream-Regress-ID: 81c1083b14dcf473b23d2817882f40b346ebc95c
-
-commit 6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 21 08:47:55 2017 +1100
-
- Fix syntax error on Linux/X32
-
- Patch from Mike Frysinger
-
-commit d38f05dbdd291212bc95ea80648b72b7177e9f4e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Mar 20 13:38:27 2017 +1100
-
- Add llabs() implementation.
-
-commit 72536316a219b7394996a74691a5d4ec197480f7
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Mar 20 12:23:04 2017 +1100
-
- crank version numbers
-
-commit 3be52bc36bdfd24ded7e0f46999e7db520fb4e3f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Mar 20 01:18:59 2017 +0000
-
- upstream commit
-
- openssh-7.5
-
- Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5
-
-commit db84e52fe9cfad57f22e7e23c5fbf00092385129
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Mar 20 12:07:20 2017 +1100
-
- I'm a doofus.
-
- Unbreak obvious syntax error.
-
-commit 89f04852db27643717c9c3a2b0dde97ae50099ee
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Mar 20 11:53:34 2017 +1100
-
- on Cygwin, check paths from server for backslashes
-
- Pointed out by Jann Horn of Google Project Zero
-
-commit 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Mar 20 11:48:34 2017 +1100
-
- Yet another synonym for ASCII: "646"
-
- Used by NetBSD; this unbreaks mprintf() and friends there for the C
- locale (caught by dtucker@ and his menagerie of test systems).
-
-commit 9165abfea3f68a0c684a6ed2e575e59bc31a3a6b
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Mar 20 09:58:34 2017 +1100
-
- create test mux socket in /tmp
-
- Creating the socket in $OBJ could blow past the (quite limited)
- path limit for Unix domain sockets. As a bandaid for bz#2660,
- reported by Colin Watson; ok dtucker@
-
-commit 2adbe1e63bc313d03e8e84e652cc623af8ebb163
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Wed Mar 15 07:07:39 2017 +0000
-
- upstream commit
-
- disallow KEXINIT before NEWKEYS; ok djm; report by
- vegard.nossum at oracle.com
-
- Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
-
-commit 2fbf91684d76d38b9cf06550b69c9e41bca5a71c
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Mar 16 14:05:46 2017 +1100
-
- Include includes.h for compat bits.
-
-commit b55f634e96b9c5b0cd991e23a9ca181bec4bdbad
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Mar 16 13:45:17 2017 +1100
-
- Wrap stdint.h in #ifdef HAVE_STDINT_H
-
-commit 55a1117d7342a0bf8b793250cf314bab6b482b99
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Mar 16 11:22:42 2017 +1100
-
- Adapt Cygwin config script to privsep knob removal
-
- Patch from Corinna Vinschen.
-
-commit 1a321bfdb91defe3c4d9cca5651724ae167e5436
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Wed Mar 15 03:52:30 2017 +0000
-
- upstream commit
-
- accidents happen to the best of us; ok djm
-
- Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604
-
-commit 25f837646be8c2017c914d34be71ca435dfc0e07
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 15 02:25:09 2017 +0000
-
- upstream commit
-
- fix regression in 7.4: deletion of PKCS#11-hosted keys
- would fail unless they were specified by full physical pathname. Report and
- fix from Jakub Jelen via bz#2682; ok dtucker@
-
- Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268
-
-commit a8c5eeacf032a7d3408957e45dd7603cc1baf55f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 15 02:19:09 2017 +0000
-
- upstream commit
-
- Fix segfault when sshd attempts to load RSA1 keys (can
- only happen when protocol v.1 support is enabled for the client). Reported by
- Jakub Jelen in bz#2686; ok dtucker
-
- Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7
-
-commit 66705948c0639a7061a0d0753266da7685badfec
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Mar 14 07:19:07 2017 +0000
-
- upstream commit
-
- Mark the sshd_config UsePrivilegeSeparation option as
- deprecated, effectively making privsep mandatory in sandboxing mode. ok
- markus@ deraadt@
-
- (note: this doesn't remove the !privsep code paths, though that will
- happen eventually).
-
- Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
-
-commit f86586b03fe6cd8f595289bde200a94bc2c191af
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 14 18:26:29 2017 +1100
-
- Make seccomp-bpf sandbox work on Linux/X32
-
- Allow clock_gettime syscall with X32 bit masked off. Apparently
- this is required for at least some kernel versions. bz#2142
- Patch mostly by Colin Watson. ok dtucker@
-
-commit 2429cf78dd2a9741ce27ba25ac41c535274a0af6
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 14 18:01:52 2017 +1100
-
- require OpenSSL >=1.0.1
-
-commit e3ea335abeab731c68f2b2141bee85a4b0bf680f
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 14 17:48:43 2017 +1100
-
- Remove macro trickery; no binary change
-
- This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
- prepending __NR_ to the syscall number parameter and just makes
- them explicit in the macro invocations.
-
- No binary change in stripped object file before/after.
-
-commit 5f1596e11d55539678c41f68aed358628d33d86f
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 14 13:15:18 2017 +1100
-
- support ioctls for ICA crypto card on Linux/s390
-
- Based on patch from Eduardo Barretto; ok dtucker@
-
-commit b1b22dd0df2668b322dda174e501dccba2cf5c44
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Mar 14 14:19:36 2017 +1100
-
- Plumb conversion test into makefile.
-
-commit f57783f1ddfb4cdfbd612c6beb5ec01cb5b9a6b9
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Mar 14 01:20:29 2017 +0000
-
- upstream commit
-
- Add unit test for convtime().
-
- Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1
-
-commit 8884b7247d094cd11ff9e39c325ba928c5bdbc6c
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Mar 14 01:10:07 2017 +0000
-
- upstream commit
-
- Add ASSERT_LONG_* helpers.
-
- Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431
-
-commit c6774d21185220c0ba11e8fd204bf0ad1a432071
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Mar 14 00:55:37 2017 +0000
-
- upstream commit
-
- Fix convtime() overflow test on boundary condition,
- spotted by & ok djm.
-
- Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708
-
-commit f5746b40cfe6d767c8e128fe50c43274b31cd594
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Mar 14 00:25:03 2017 +0000
-
- upstream commit
-
- Check for integer overflow when parsing times in
- convtime(). Reported by nicolas.iooss at m4x.org, ok djm@
-
- Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
-
-commit f5907982f42a8d88a430b8a46752cbb7859ba979
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Mar 14 13:38:15 2017 +1100
-
- Add a "unit" target to run only unit tests.
-
-commit 9e96b41682aed793fadbea5ccd472f862179fb02
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 14 12:24:47 2017 +1100
-
- Fix weakness in seccomp-bpf sandbox arg inspection
-
- Syscall arguments are passed via an array of 64-bit values in struct
- seccomp_data, but we were only inspecting the bottom 32 bits and not
- even those correctly for BE systems.
-
- Fortunately, the only case argument inspection was used was in the
- socketcall filtering so using this for sandbox escape seems
- impossible.
-
- ok dtucker
-
-commit 8ff3fc3f2f7c13e8968717bc2b895ee32c441275
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Mar 11 23:44:16 2017 +0000
-
- upstream commit
-
- regress tests for loading certificates without public keys;
- bz#2617 based on patch from Adam Eijdenberg; ok markus@ dtucker@
-
- Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0
-
-commit 1e24552716194db8f2f620587b876158a9ef56ad
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Mar 11 23:40:26 2017 +0000
-
- upstream commit
-
- allow ssh to use certificates accompanied by a private
- key file but no corresponding plain *.pub public key. bz#2617 based on patch
- from Adam Eijdenberg; ok dtucker@ markus@
-
- Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
-
-commit 0fb1a617a07b8df5de188dd5a0c8bf293d4bfc0e
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Sat Mar 11 13:07:35 2017 +0000
-
- upstream commit
-
- Don't count the initial block twice when computing how
- many bytes to discard for the work around for the attacks against CBC-mode.
- ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
-
- Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
-
-commit ef653dd5bd5777132d9f9ee356225f9ee3379504
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 07:18:32 2017 +0000
-
- upstream commit
-
- krl.c
-
- Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
-
-commit d94c1dfef2ea30ca67b1204ada7c3b537c54f4d0
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Mar 12 10:48:14 2017 +1100
-
- sync fmt_scaled.c with OpenBSD
-
- revision 1.13
- date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R;
- fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
- using AFL against ssh_config. ok deraadt@ millert@
- ----------------------------
- revision 1.12
- date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5;
- fairly simple unsigned char casts for ctype
- ok krw
- ----------------------------
- revision 1.11
- date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2;
- make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
- an invalid multiplier, like the man page says it should
-
- "looks sensible" deraadt@, ok ian@
- ----------------------------
- revision 1.10
- date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4;
- use llabs instead of the home-grown version; and some comment changes
- ok ian@, millert@
- ----------------------------
-
-commit 894221a63fa061e52e414ca58d47edc5fe645968
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 05:01:13 2017 +0000
-
- upstream commit
-
- When updating hostkeys, accept RSA keys if
- HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
- keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
- nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
- dtucker@
-
- Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
-
-commit dd3e2298663f4cc1a06bc69582d00dcfee27d73c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 04:24:55 2017 +0000
-
- upstream commit
-
- make hostname matching really insensitive to case;
- bz#2685, reported by Petr Cerny; ok dtucker@
-
- Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
-
-commit 77a9be9446697fe8b5499fe651f4a82a71a4b51f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 03:52:48 2017 +0000
-
- upstream commit
-
- reword a comment to make it fit 80 columns
-
- Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
-
-commit 61b8ef6a66efaec07e023342cb94a10bdc2254dc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 04:27:32 2017 +0000
-
- upstream commit
-
- better match sshd config parser behaviour: fatal() if
- line is overlong, increase line buffer to match sshd's; bz#2651 reported by
- Don Fong; ok dtucker@
-
- Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
-
-commit db2597207e69912f2592cd86a1de8e948a9d7ffb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 04:26:06 2017 +0000
-
- upstream commit
-
- ensure hostname is lower-case before hashing it;
- bz#2591 reported by Griff Miller II; ok dtucker@
-
- Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
-
-commit df9936936c695f85c1038bd706d62edf752aca4b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 04:24:55 2017 +0000
-
- upstream commit
-
- make hostname matching really insensitive to case;
- bz#2685, reported by Petr Cerny; ok dtucker@
-
- Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
-
-commit 67eed24bfa7645d88fa0b883745fccb22a0e527e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 04:11:00 2017 +0000
-
- upstream commit
-
- Remove old null check from config dumper. Patch from
- jjelen at redhat.com vi bz#2687, ok djm@
-
- Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
-
-commit 183ba55aaaecca0206184b854ad6155df237adbe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 04:07:20 2017 +0000
-
- upstream commit
-
- fix regression in 7.4 server-sig-algs, where we were
- accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
- Goncalves; ok dtucker@
-
- Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
-
-commit 66be4fe8c4435af5bbc82998501a142a831f1181
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 03:53:11 2017 +0000
-
- upstream commit
-
- Check for NULL return value from key_new. Patch from
- jjelen at redhat.com via bz#2687, ok djm@
-
- Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
-
-commit ec2892b5c7fea199914cb3a6afb3af38f84990bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 03:52:48 2017 +0000
-
- upstream commit
-
- reword a comment to make it fit 80 columns
-
- Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
-
-commit 7fadbb6da3f4122de689165651eb39985e1cba85
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 03:48:57 2017 +0000
-
- upstream commit
-
- Check for NULL argument to sshkey_read. Patch from
- jjelen at redhat.com via bz#2687, ok djm@
-
- Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
-
-commit 5a06b9e019e2b0b0f65a223422935b66f3749de3
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 03:45:40 2017 +0000
-
- upstream commit
-
- Plug some mem leaks mostly on error paths. From jjelen
- at redhat.com via bz#2687, ok djm@
-
- Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
-
-commit f6edbe9febff8121f26835996b1229b5064d31b7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 03:24:48 2017 +0000
-
- upstream commit
-
- Plug mem leak on GLOB_NOMATCH case. From jjelen at
- redhat.com via bz#2687, ok djm@
-
- Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
-
-commit 566b3a46e89a2fda2db46f04f2639e92da64a120
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 03:22:40 2017 +0000
-
- upstream commit
-
- Plug descriptor leaks of auth_sock. From jjelen at
- redhat.com via bz#2687, ok djm@
-
- Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
-
-commit 8a2834454c73dfc1eb96453c0e97690595f3f4c2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 03:18:24 2017 +0000
-
- upstream commit
-
- correctly hash hosts with a port number. Reported by Josh
- Powers in bz#2692; ok dtucker@
-
- Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
-
-commit 9747b9c742de409633d4753bf1a752cbd211e2d3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 10 03:15:58 2017 +0000
-
- upstream commit
-
- don't truncate off \r\n from long stderr lines; bz#2688,
- reported by Brian Dyson; ok dtucker@
-
- Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
-
-commit 4a4b75adac862029a1064577eb5af299b1580cdd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 10 02:59:51 2017 +0000
-
- upstream commit
-
- Validate digest arg in ssh_digest_final; from jjelen at
- redhat.com via bz#2687, ok djm@
-
- Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
-
-commit bee0167be2340d8de4bdc1ab1064ec957c85a447
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Mar 10 13:40:18 2017 +1100
-
- Check for NULL from malloc.
-
- Part of bz#2687, from jjelen at redhat.com.
-
-commit da39b09d43b137a5a3d071b51589e3efb3701238
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Mar 10 13:22:32 2017 +1100
-
- If OSX is using launchd, remove screen no.
-
- Check for socket with and without screen number. From Apple and Jakob
- Schlyter via bz#2341, with contributions from Ron Frederick, ok djm@
-
-commit 8fb15311a011517eb2394bb95a467c209b8b336c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Mar 8 12:07:47 2017 +0000
-
- upstream commit
-
- quote [host]:port in generated ProxyJump commandline; the
- [ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri
- Tirkkonen via bugs@
-
- Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
-
-commit 18501151cf272a15b5f2c5e777f2e0933633c513
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Mar 6 02:03:20 2017 +0000
-
- upstream commit
-
- Check l->hosts before dereferencing; fixes potential null
- pointer deref. ok djm@
-
- Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
-
-commit d072370793f1a20f01ad827ba8fcd3b8f2c46165
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Mar 6 00:44:51 2017 +0000
-
- upstream commit
-
- linenum is unsigned long so use %lu in log formats. ok
- deraadt@
-
- Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
-
-commit 12d3767ba4c84c32150cbe6ff6494498780f12c9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 3 06:13:11 2017 +0000
-
- upstream commit
-
- fix ssh-keygen -H accidentally corrupting known_hosts that
- contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
- hostkeys_foreach() when hostname matching is in use, so we need to look for
- the hash marker explicitly.
-
- Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
-
-commit d7abb771bd5a941b26144ba400a34563a1afa589
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 28 06:10:08 2017 +0000
-
- upstream commit
-
- small memleak: free fd_set on connection timeout (though
- we are heading to exit anyway). From Tom Rix in bz#2683
-
- Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
-
-commit 78142e3ab3887e53a968d6e199bcb18daaf2436e
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Mon Feb 27 14:30:33 2017 +0000
-
- upstream commit
-
- errant dot; from klemens nanni
-
- Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
-
-commit 8071a6924c12bb51406a9a64a4b2892675112c87
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 24 03:16:34 2017 +0000
-
- upstream commit
-
- might as well set the listener socket CLOEXEC
-
- Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
-
-commit d5499190559ebe374bcdfa8805408646ceffad64
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Feb 19 00:11:29 2017 +0000
-
- upstream commit
-
- add test cases for C locale; ok schwarze@
-
- Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
-
-commit 011c8ffbb0275281a0cf330054cf21be10c43e37
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Feb 19 00:10:57 2017 +0000
-
- upstream commit
-
- Add a common nl_langinfo(CODESET) alias for US-ASCII
- "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for
- non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@
-
- Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
-
-commit 0c4430a19b73058a569573492f55e4c9eeaae67b
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Feb 7 23:03:11 2017 +0000
-
- upstream commit
-
- Remove deprecated SSH1 options RSAAuthentication and
- RhostsRSAAuthentication from regression test sshd_config.
-
- Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
-
-commit 3baa4cdd197c95d972ec3d07f1c0d08f2d7d9199
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Feb 17 02:32:05 2017 +0000
-
- upstream commit
-
- Do not show rsa1 key type in usage when compiled without
- SSH1 support.
-
- Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
-
-commit ecc35893715f969e98fee118481f404772de4132
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Feb 17 02:31:14 2017 +0000
-
- upstream commit
-
- ifdef out "rsa1" from the list of supported keytypes when
- compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@
-
- Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
-
-commit 10577c6d96a55b877a960b2d0b75edef1b9945af
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 17 02:04:15 2017 +0000
-
- upstream commit
-
- For ProxyJump/-J, surround host name with brackets to
- allow literal IPv6 addresses. From Dick Visser; ok dtucker@
-
- Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
-
-commit b2afdaf1b52231aa23d2153f4a8c5a60a694dda4
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date: Wed Feb 15 23:38:31 2017 +0000
-
- upstream commit
-
- Fix memory leaks in match_filter_list() error paths.
-
- ok dtucker@ markus@
-
- Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
-
-commit 6d5a41b38b55258213ecfaae9df7a758caa752a1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Feb 15 01:46:47 2017 +0000
-
- upstream commit
-
- fix division by zero crash in "df" output when server
- returns zero total filesystem blocks/inodes. Spotted by Guido Vranken; ok
- dtucker@
-
- Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
-
-commit bd5d7d239525d595ecea92765334af33a45d9d63
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Sun Feb 12 15:45:15 2017 +1100
-
- ifdef out EVP_R_PRIVATE_KEY_DECODE_ERROR
-
- EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out
- for the benefit of OpenSSL versions prior to that.
-
-commit 155d540d00ff55f063421ec182ec8ff2b7ab6cbe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 10 04:34:50 2017 +0000
-
- upstream commit
-
- bring back r1.34 that was backed out for problems loading
- public keys:
-
- translate OpenSSL error codes to something more
- meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
-
- with additional fix from Jakub Jelen to solve the backout.
- bz#2525 bz#2523 re-ok dtucker@
-
- Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
-
-commit a287c5ad1e0bf9811c7b9221979b969255076019
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 10 03:36:40 2017 +0000
-
- upstream commit
-
- Sanitise escape sequences in key comments sent to printf
- but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
-
- Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
-
-commit e40269be388972848aafcca7060111c70aab5b87
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Wed Feb 8 20:32:43 2017 +0000
-
- upstream commit
-
- Avoid printf %s NULL. From semarie@, OK djm@
-
- Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
-
-commit 5b90709ab8704dafdb31e5651073b259d98352bc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Feb 6 09:22:51 2017 +0000
-
- upstream commit
-
- Restore \r\n newline sequence for server ident string. The CR
- got lost in the flensing of SSHv1. Pointed out by Stef Bon
-
- Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
-
-commit 97c31c46ee2e6b46dfffdfc4f90bbbf188064cbc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 3 23:01:42 2017 +0000
-
- upstream commit
-
- unit test for match_filter_list() function; still want a
- better name for this...
-
- Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
-
-commit f1a193464a7b77646f0d0cedc929068e4a413ab4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 3 23:05:57 2017 +0000
-
- upstream commit
-
- use ssh_packet_set_log_preamble() to include connection
- username in packet log messages, e.g.
-
- Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
-
- ok markus@ bz#113
-
- Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
-
-commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 3 23:03:33 2017 +0000
-
- upstream commit
-
- add ssh_packet_set_log_preamble() to allow inclusion of a
- preamble string in disconnect messages; ok markus@
-
- Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
-
-commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 3 23:01:19 2017 +0000
-
- upstream commit
-
- support =- for removing methods from algorithms lists,
- e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
- it" markus@
-
- Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
-
-commit c924b2ef941028a1f31e6e94f54dfeeeef462a4e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 3 05:05:56 2017 +0000
-
- upstream commit
-
- allow form-feed characters at EOL; bz#2431 ok dtucker@
-
- Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
-
-commit 523db8540b720c4d21ab0ff6f928476c70c38aab
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Feb 3 16:01:22 2017 +1100
-
- prefer to use ldns-config to find libldns
-
- Should fix bz#2603 - "Build with ldns and without kerberos support
- fails if ldns compiled with kerberos support" by including correct
- cflags/libs
-
- ok dtucker@
-
-commit c998bf0afa1a01257a53793eba57941182e9e0b7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Feb 3 02:56:00 2017 +0000
-
- upstream commit
-
- Make ssh_packet_set_rekey_limits take u32 for the number of
- seconds until rekeying (negative values are rejected at config parse time).
- This allows the removal of some casts and a signed vs unsigned comparison
- warning.
-
- rekey_time is cast to int64 for the comparison which is a no-op
- on OpenBSD, but should also do the right thing in -portable on
- anything still using 32bit time_t (until the system time actually
- wraps, anyway).
-
- some early guidance deraadt@, ok djm@
-
- Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
-
-commit 3ec5fa4ba97d4c4853620daea26a33b9f1fe3422
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date: Thu Feb 2 10:54:25 2017 +0000
-
- upstream commit
-
- In vasnmprintf() return an error if malloc fails and
- don't set a function argument to the address of free'd memory.
-
- ok djm@
-
- Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
-
-commit 858252fb1d451ebb0969cf9749116c8f0ee42753
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Feb 1 02:59:09 2017 +0000
-
- upstream commit
-
- Return true reason for port forwarding failures where
- feasible rather than always "administratively prohibited". bz#2674, ok djm@
-
- Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
-
-commit 6ba9f893838489add6ec4213c7a997b425e4a9e0
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Jan 30 23:27:39 2017 +0000
-
- upstream commit
-
- Small correction to the known_hosts section on when it is
- updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
- sdf.org
-
- Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
-
-commit c61d5ec3c11e7ff9779b6127421d9f166cf10915
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Feb 3 14:10:34 2017 +1100
-
- Remove _XOPEN_SOURCE from wide char detection.
-
- Having _XOPEN_SOURCE unconditionally causes problems on some platforms
- and configurations, notably Solaris 64-bit binaries. It was there for
- the benefit of Linux put the required bits in the *-*linux* section.
-
- Patch from yvoinov at gmail.com.
-
-commit f25ee13b3e81fd80efeb871dc150fe49d7fc8afd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 05:22:14 2017 +0000
-
- upstream commit
-
- fully unbreak: some $SSH invocations did not have -F
- specified and could pick up the ~/.ssh/config of the user running the tests
-
- Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
-
-commit 6956e21fb26652887475fe77ea40d2efcf25908b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 04:54:07 2017 +0000
-
- upstream commit
-
- partially unbreak: was not specifying hostname on some
- $SSH invocations
-
- Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
-
-commit 52763dd3fe0a4678dafdf7aeb32286e514130afc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 01:03:00 2017 +0000
-
- upstream commit
-
- revise keys/principals command hang fix (bz#2655) to
- consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
- dtucker@
-
- Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
-
-commit 381a2615a154a82c4c53b787f4a564ef894fe9ac
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 00:38:50 2017 +0000
-
- upstream commit
-
- small cleanup post SSHv1 removal:
-
- remove SSHv1-isms in commented examples
-
- reorder token table to group deprecated and compile-time conditional tokens
- better
-
- fix config dumping code for some compile-time conditional options that
- weren't being correctly skipped (SSHv1 and PKCS#11)
-
- Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
-
-commit 4833d01591b7eb049489d9558b65f5553387ed43
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 00:34:01 2017 +0000
-
- upstream commit
-
- some explicit NULL tests when dumping configured
- forwardings; from Karsten Weiss
-
- Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
-
-commit 326e2fae9f2e3e067b5651365eba86b35ee5a6b2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 00:32:28 2017 +0000
-
- upstream commit
-
- misplaced braces in test; from Karsten Weiss
-
- Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
-
-commit 3e032a95e46bfaea9f9e857678ac8fa5f63997fb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Jan 30 00:32:03 2017 +0000
-
- upstream commit
-
- don't dereference authctxt before testing != NULL, it
- causes compilers to make assumptions; from Karsten Weiss
-
- Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
-
-commit 01cfaa2b1cfb84f3cdd32d1bf82b120a8d30e057
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 6 02:51:16 2017 +0000
-
- upstream commit
-
- use correct ssh-add program; bz#2654, from Colin Watson
-
- Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
-
-commit e5c7ec67cdc42ae2584085e0fc5cc5ee91133cf5
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 6 02:26:10 2017 +0000
-
- upstream commit
-
- Account for timeouts in the integrity tests as failures.
-
- If the first test in a series for a given MAC happens to modify the low
- bytes of a packet length, then ssh will time out and this will be
- interpreted as a test failure. Patch from cjwatson at debian.org via
- bz#2658.
-
- Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
-
-commit dbaf599b61bd6e0f8469363a8c8e7f633b334018
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 6 02:09:25 2017 +0000
-
- upstream commit
-
- Make forwarding test less racy by using unix domain
- sockets instead of TCP ports where possible. Patch from cjwatson at
- debian.org via bz#2659.
-
- Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
-
-commit 9390b0031ebd6eb5488d3bc4d4333c528dffc0a6
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sun Jan 29 21:35:23 2017 +0000
-
- upstream commit
-
- Fix typo in ~C error message for bad port forward
- cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
- bugtracker.
-
- Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
-
-commit 4ba15462ca38883b8a61a1eccc093c79462d5414
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date: Sat Jan 21 11:32:04 2017 +0000
-
- upstream commit
-
- The POSIX APIs that that sockaddrs all ignore the s*_len
- field in the incoming socket, so userspace doesn't need to set it unless it
- has its own reasons for tracking the size along with the sockaddr.
-
- ok phessler@ deraadt@ florian@
-
- Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
-
-commit a1187bd3ef3e4940af849ca953a1b849dae78445
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Fri Jan 6 16:28:12 2017 +0000
-
- upstream commit
-
- keep the tokens list sorted;
-
- Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
-
-commit b64077f9767634715402014f509e58decf1e140d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 6 09:27:52 2017 +0000
-
- upstream commit
-
- fix previous
-
- Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
-
-commit 5e820e9ea2e949aeb93071fe31c80b0c42f2b2de
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 6 03:53:58 2017 +0000
-
- upstream commit
-
- show a useful error message when included config files
- can't be opened; bz#2653, ok dtucker@
-
- Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
-
-commit 13bd2e2d622d01dc85d22b94520a5b243d006049
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 6 03:45:41 2017 +0000
-
- upstream commit
-
- sshd_config is documented to set
- GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
- bz#2637 ok dtucker
-
- Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
-
-commit f89b928534c9e77f608806a217d39a2960cc7fd0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 6 03:41:58 2017 +0000
-
- upstream commit
-
- Avoid confusing error message when attempting to use
- ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
-
- Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
-
-commit 0999533014784579aa6f01c2d3a06e3e8804b680
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 6 02:34:54 2017 +0000
-
- upstream commit
-
- Re-add '%k' token for AuthorizedKeysCommand which was
- lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
-
- Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
-
-commit 51045869fa084cdd016fdd721ea760417c0a3bf3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jan 4 05:37:40 2017 +0000
-
- upstream commit
-
- unbreak Unix domain socket forwarding for root; ok
- markus@
-
- Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
-
-commit 58fca12ba967ea5c768653535604e1522d177e44
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Jan 16 09:08:32 2017 +1100
-
- Remove LOGIN_PROGRAM.
-
- UseLogin is gone, remove leftover. bz#2665, from cjwatson at debian.org
-
-commit b108ce92aae0ca0376dce9513d953be60e449ae1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jan 4 02:21:43 2017 +0000
-
- upstream commit
-
- relax PKCS#11 whitelist a bit to allow libexec as well as
- lib directories.
-
- Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702
-
-commit c7995f296b9222df2846f56ecf61e5ae13d7a53d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Jan 3 05:46:51 2017 +0000
-
- upstream commit
-
- check number of entries in SSH2_FXP_NAME response; avoids
- unreachable overflow later. Reported by Jann Horn
-
- Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
-
-commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 30 22:08:02 2016 +0000
-
- upstream commit
-
- fix deadlock when keys/principals command produces a lot of
- output and a key is matched early; bz#2655, patch from jboning AT gmail.com
-
- Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
-
-commit 30eee7d1b2fec33c14870cc11910610be5d2aa6f
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 20 12:16:11 2016 +1100
-
- Re-add missing "Prerequisites" header and fix typo
-
- Patch from HARUYAMA Seigo <haruyama at unixuser org>.
-
-commit c8c60f3663165edd6a52632c6ddbfabfce1ca865
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 19 22:35:23 2016 +0000
-
- upstream commit
-
- use standard /bin/sh equality test; from Mike Frysinger
-
- Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2
-
-commit 4a354fc231174901f2629437c2a6e924a2dd6772
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Dec 19 15:59:26 2016 +1100
-
- crank version numbers for release
-
-commit 5f8d0bb8413d4d909cc7aa3c616fb0538224c3c9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 19 04:55:51 2016 +0000
-
- upstream commit
-
- openssh-7.4
-
- Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
-
-commit 3a8213ea0ed843523e34e55ab9c852332bab4c7b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 19 04:55:18 2016 +0000
-
- upstream commit
-
- remove testcase that depends on exact output and
- behaviour of snprintf(..., "%s", NULL)
-
- Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
-
-commit eae735a82d759054f6ec7b4e887fb7a5692c66d7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Dec 19 03:32:57 2016 +0000
-
- upstream commit
-
- Use LOGNAME to get current user and fall back to whoami if
- not set. Mainly to benefit -portable since some platforms don't have whoami.
-
- Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
-
-commit 0d2f88428487518eea60602bd593989013831dcf
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Dec 16 03:51:19 2016 +0000
-
- upstream commit
-
- Add regression test for AllowUsers and DenyUsers. Patch from
- Zev Weiss <zev at bewilderbeest.net>
-
- Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
-
-commit 3bc8180a008929f6fe98af4a56fb37d04444b417
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Dec 16 15:02:24 2016 +1100
-
- Add missing monitor.h include.
-
- Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
-
-commit 410681f9015d76cc7b137dd90dac897f673244a0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 16 02:48:55 2016 +0000
-
- upstream commit
-
- revert to rev1.2; the new bits in this test depend on changes
- to ssh that aren't yet committed
-
- Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
-
-commit 2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Dec 16 01:06:27 2016 +0000
-
- upstream commit
-
- Move the "stop sshd" code into its own helper function.
- Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@
-
- Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
-
-commit e15e7152331e3976b35475fd4e9c72897ad0f074
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 16 01:01:07 2016 +0000
-
- upstream commit
-
- regression test for certificates along with private key
- with no public half. bz#2617, mostly from Adam Eijdenberg
-
- Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
-
-commit 9a70ec085faf6e55db311cd1a329f1a35ad2a500
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Dec 15 23:50:37 2016 +0000
-
- upstream commit
-
- Use $SUDO to read pidfile in case root's umask is
- restricted. From portable.
-
- Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
-
-commit fe06b68f824f8f55670442fb31f2c03526dd326c
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Dec 15 21:29:05 2016 +0000
-
- upstream commit
-
- Add missing braces in DenyUsers code. Patch from zev at
- bewilderbeest.net, ok deraadt@
-
- Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
-
-commit dcc7d74242a574fd5c4afbb4224795b1644321e7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Dec 15 21:20:41 2016 +0000
-
- upstream commit
-
- Fix text in error message. Patch from zev at
- bewilderbeest.net.
-
- Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
-
-commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Dec 14 00:36:34 2016 +0000
-
- upstream commit
-
- disable Unix-domain socket forwarding when privsep is
- disabled
-
- Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
-
-commit 08a1e7014d65c5b59416a0e138c1f73f417496eb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 9 03:04:29 2016 +0000
-
- upstream commit
-
- log connections dropped in excess of MaxStartups at
- verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@
-
- Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
-
-commit 10e290ec00964b2bf70faab15a10a5574bb80527
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 13 13:51:32 2016 +1100
-
- Get default of TEST_SSH_UTF8 from environment.
-
-commit b9b8ba3f9ed92c6220b58d70d1e6d8aa3eea1104
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 13 12:56:40 2016 +1100
-
- Remove commented-out includes.
-
- These commented-out includes have "Still needed?" comments. Since
- they've been commented out for ~13 years I assert that they're not.
-
-commit 25275f1c9d5f01a0877d39444e8f90521a598ea0
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 13 12:54:23 2016 +1100
-
- Add prototype for strcasestr in compat library.
-
-commit afec07732aa2985142f3e0b9a01eb6391f523dec
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 13 10:23:03 2016 +1100
-
- Add strcasestr to compat library.
-
- Fixes build on (at least) Solaris 10.
-
-commit dda78a03af32e7994f132d923c2046e98b7c56c8
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Dec 12 13:57:10 2016 +1100
-
- Force Turkish locales back to C/POSIX; bz#2643
-
- Turkish locales are unique in their handling of the letters 'i' and
- 'I' (yes, they are different letters) and OpenSSH isn't remotely
- prepared to deal with that. For now, the best we can do is to force
- OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
- encoding if possible.
-
- ok dtucker@
-
-commit c35995048f41239fc8895aadc3374c5f75180554
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Dec 9 12:52:02 2016 +1100
-
- exit is in stdlib.h not unistd.h (that's _exit).
-
-commit d399a8b914aace62418c0cfa20341aa37a192f98
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Dec 9 12:33:25 2016 +1100
-
- Include <unistd.h> for exit in utf8 locale test.
-
-commit 47b8c99ab3221188ad3926108dd9d36da3b528ec
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Dec 8 15:48:34 2016 +1100
-
- Check for utf8 local support before testing it.
-
- Check for utf8 local support and if not found, do not attempt to run the
- utf8 tests. Suggested by djm@
-
-commit 4089fc1885b3a2822204effbb02b74e3da58240d
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Dec 8 12:57:24 2016 +1100
-
- Use AC_PATH_TOOL for krb5-config.
-
- This will use the host-prefixed version when cross compiling; patch from
- david.michael at coreos.com.
-
-commit b4867e0712c89b93be905220c82f0a15e6865d1e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Dec 6 07:48:01 2016 +0000
-
- upstream commit
-
- make IdentityFile successfully load and use certificates that
- have no corresponding bare public key. E.g. just a private id_rsa and
- certificate id_rsa-cert.pub (and no id_rsa.pub).
-
- bz#2617 ok dtucker@
-
- Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
-
-commit c9792783a98881eb7ed295680013ca97a958f8ac
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Nov 25 14:04:21 2016 +1100
-
- Add a gnome-ssh-askpass3 target for GTK+3 version
-
- Based on patch from Colin Watson via bz#2640
-
-commit 7be85ae02b9de0993ce0a1d1e978e11329f6e763
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Nov 25 14:03:53 2016 +1100
-
- Make gnome-ssh-askpass2.c GTK+3-friendly
-
- Patch from Colin Watson via bz#2640
-
-commit b9844a45c7f0162fd1b5465683879793d4cc4aaa
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Dec 4 23:54:02 2016 +0000
-
- upstream commit
-
- Fix public key authentication when multiple
- authentication is in use. Instead of deleting and re-preparing the entire
- keys list, just reset the 'used' flags; the keys list is already in a good
- order (with already- tried keys at the back)
-
- Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
-
- Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
-
-commit f2398eb774075c687b13af5bc22009eb08889abe
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sun Dec 4 22:27:25 2016 +0000
-
- upstream commit
-
- Unlink PidFile on SIGHUP and always recreate it when the
- new sshd starts. Regression tests (and possibly other things) depend on the
- pidfile being recreated after SIGHUP, and unlinking it means it won't contain
- a stale pid if sshd fails to restart. ok djm@ markus@
-
- Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
-
-commit 85aa2efeba51a96bf6834f9accf2935d96150296
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 30 03:01:33 2016 +0000
-
- upstream commit
-
- test new behaviour of cert force-command restriction vs.
- authorized_key/ principals
-
- Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
-
-commit 5d333131cd8519d022389cfd3236280818dae1bc
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Wed Nov 30 06:54:26 2016 +0000
-
- upstream commit
-
- tweak previous; while here fix up FILES and AUTHORS;
-
- Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
-
-commit 786d5994da79151180cb14a6cf157ebbba61c0cc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 30 03:07:37 2016 +0000
-
- upstream commit
-
- add a whitelist of paths from which ssh-agent will load
- (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
-
- Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
-
-commit 7844f357cdd90530eec81340847783f1f1da010b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 30 03:00:05 2016 +0000
-
- upstream commit
-
- Add a sshd_config DisableForwaring option that disables
- X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
- anything else we might implement in the future.
-
- This, like the 'restrict' authorized_keys flag, is intended to be a
- simple and future-proof way of restricting an account. Suggested as
- a complement to 'restrict' by Jann Horn; ok markus@
-
- Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
-
-commit fd6dcef2030d23c43f986d26979f84619c10589d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 30 02:57:40 2016 +0000
-
- upstream commit
-
- When a forced-command appears in both a certificate and
- an authorized keys/principals command= restriction, refuse to accept the
- certificate unless they are identical.
-
- The previous (documented) behaviour of having the certificate forced-
- command override the other could be a bit confused and more error-prone.
-
- Pointed out by Jann Horn of Project Zero; ok dtucker@
-
- Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
-
-commit 7fc4766ac78abae81ee75b22b7550720bfa28a33
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Nov 30 00:28:31 2016 +0000
-
- upstream commit
-
- On startup, check to see if sshd is already daemonized
- and if so, skip the call to daemon() and do not rewrite the PidFile. This
- means that when sshd re-execs itself on SIGHUP the process ID will no longer
- change. Should address bz#2641. ok djm@ markus@.
-
- Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
-
-commit c9f880c195c65f1dddcbc4ce9d6bfea7747debcc
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Nov 30 13:51:49 2016 +1100
-
- factor out common PRNG reseed before privdrop
-
- Add a call to RAND_poll() to ensure than more than pid+time gets
- stirred into child processes states. Prompted by analysis from Jann
- Horn at Project Zero. ok dtucker@
-
-commit 79e4829ec81dead1b30999e1626eca589319a47f
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Nov 25 03:02:01 2016 +0000
-
- upstream commit
-
- Allow PuTTY interop tests to run unattended. bz#2639,
- patch from cjwatson at debian.org.
-
- Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
-
-commit 504c3a9a1bf090f6b27260fc3e8ea7d984d163dc
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Nov 25 02:56:49 2016 +0000
-
- upstream commit
-
- Reverse args to sshd-log-wrapper. Matches change in
- portable, where it allows sshd do be optionally run under Valgrind.
-
- Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
-
-commit bd13017736ec2f8f9ca498fe109fb0035f322733
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Nov 25 02:49:18 2016 +0000
-
- upstream commit
-
- Fix typo in trace message; from portable.
-
- Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
-
-commit 7da751d8b007c7f3e814fd5737c2351440d78b4c
-Author: tb@openbsd.org <tb@openbsd.org>
-Date: Tue Nov 1 13:43:27 2016 +0000
-
- upstream commit
-
- Clean up MALLOC_OPTIONS. For the unittests, move
- MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc.
-
- ok otto
-
- Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
-
-commit 36f58e68221bced35e06d1cca8d97c48807a8b71
-Author: tb@openbsd.org <tb@openbsd.org>
-Date: Mon Oct 31 23:45:08 2016 +0000
-
- upstream commit
-
- Remove the obsolete A and P flags from MALLOC_OPTIONS.
-
- ok dtucker
-
- Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
-
-commit b0899ee26a6630883c0f2350098b6a35e647f512
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Tue Nov 29 03:54:50 2016 +0000
-
- upstream commit
-
- Factor out code to disconnect from controlling terminal
- into its own function. ok djm@
-
- Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
-
-commit 54d022026aae4f53fa74cc636e4a032d9689b64d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 25 23:24:45 2016 +0000
-
- upstream commit
-
- use sshbuf_allocate() to pre-allocate the buffer used for
- loading keys. This avoids implicit realloc inside the buffer code, which
- might theoretically leave fragments of the key on the heap. This doesn't
- appear to happen in practice for normal sized keys, but was observed for
- novelty oversize ones.
-
- Pointed out by Jann Horn of Project Zero; ok markus@
-
- Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
-
-commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 25 23:22:04 2016 +0000
-
- upstream commit
-
- split allocation out of sshbuf_reserve() into a separate
- sshbuf_allocate() function; ok markus@
-
- Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
-
-commit f0ddedee460486fa0e32fefb2950548009e5026e
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Wed Nov 23 23:14:15 2016 +0000
-
- upstream commit
-
- allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
- djm
-
- Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
-
-commit 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Nov 8 22:04:34 2016 +0000
-
- upstream commit
-
- unbreak DenyUsers; reported by henning@
-
- Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
-
-commit 010359b32659f455fddd2bd85fd7cc4d7a3b994a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Nov 6 05:46:37 2016 +0000
-
- upstream commit
-
- Validate address ranges for AllowUser/DenyUsers at
- configuration load time and refuse to accept bad ones. It was previously
- possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
- these would always match.
-
- Thanks to Laurence Parry for a detailed bug report. ok markus (for
- a previous diff version)
-
- Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
-
-commit efb494e81d1317209256b38b49f4280897c61e69
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Oct 28 03:33:52 2016 +0000
-
- upstream commit
-
- Improve pkcs11_add_provider() logging: demote some
- excessively verbose error()s to debug()s, include PKCS#11 provider name and
- slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
-
- Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
-
-commit 5ee3fb5affd7646f141749483205ade5fc54adaf
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Nov 1 08:12:33 2016 +1100
-
- Use ptrace(PT_DENY_ATTACH, ..) on OS X.
-
-commit 315d2a4e674d0b7115574645cb51f968420ebb34
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Oct 28 14:34:07 2016 +1100
-
- Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL
-
- ok dtucker@
-
-commit a9ff3950b8e80ff971b4d44bbce96df27aed28af
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 28 14:26:58 2016 +1100
-
- Move OPENSSL_NO_RIPEMD160 to compat.
-
- Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
- ripemd160 MACs.
-
-commit bce58885160e5db2adda3054c3b81fe770f7285a
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 28 13:52:31 2016 +1100
-
- Check if RIPEMD160 is disabled in OpenSSL.
-
-commit d924640d4c355d1b5eca1f4cc60146a9975dbbff
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 28 13:38:19 2016 +1100
-
- Skip ssh1 specfic ciphers.
-
- cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
- to compile them when Protocol 1 is not enabled.
-
-commit 79d078e7a49caef746516d9710ec369ba45feab6
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date: Tue Oct 25 04:08:13 2016 +0000
-
- upstream commit
-
- Fix logic in add_local_forward() that inverted a test
- when code was refactored out into bind_permitted(). This broke ssh port
- forwarding for non-priv ports as a non root user.
-
- ok dtucker@ 'looks good' deraadt@
-
- Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
-
-commit a903e315dee483e555c8a3a02c2946937f9b4e5d
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Oct 24 01:09:17 2016 +0000
-
- upstream commit
-
- Remove dead breaks, found via opencoverage.net. ok
- deraadt@
-
- Upstream-ID: ad9cc655829d67fad219762810770787ba913069
-
-commit b4e96b4c9bea4182846e4942ba2048e6d708ee54
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Oct 26 08:43:25 2016 +1100
-
- Use !=NULL instead of >0 for getdefaultproj.
-
- getdefaultproj() returns a pointer so test it for NULL inequality
- instead of >0. Fixes compiler warning and is more correct. Patch from
- David Binderman.
-
-commit 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sun Oct 23 22:04:05 2016 +0000
-
- upstream commit
-
- Factor out "can bind to low ports" check into its own function. This will
- make it easier for Portable to support platforms with permissions models
- other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
- deraadt@.
-
- Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
-
-commit 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Oct 19 23:21:56 2016 +0000
-
- upstream commit
-
- When tearing down ControlMaster connecctions, don't
- pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
-
- Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
-
-commit 09e6a7d8354224933febc08ddcbc2010f542284e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Oct 24 09:06:18 2016 +1100
-
- Wrap stdint.h include in ifdef.
-
-commit 08d9e9516e587b25127545c029e5464b2e7f2919
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 21 09:46:46 2016 +1100
-
- Fix formatting.
-
-commit 461f50e7ab8751d3a55e9158c44c13031db7ba1d
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 21 06:55:58 2016 +1100
-
- Update links to https.
-
- www.openssh.com now supports https and ftp.openbsd.org no longer
- supports ftp. Make all links to these https.
-
-commit dd4e7212a6141f37742de97795e79db51e4427ad
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 21 06:48:46 2016 +1100
-
- Update host key generation examples.
-
- Remove ssh1 host key generation, add ssh-keygen -A
-
-commit 6d49ae82634c67e9a4d4af882bee20b40bb8c639
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Oct 21 05:22:55 2016 +1100
-
- Update links.
-
- Make links to openssh.com HTTPS now that it's supported, point release
- notes link to the HTML release notes page, and update a couple of other
- links and bits of text.
-
-commit fe0d1ca6ace06376625084b004ee533f2c2ea9d6
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Oct 20 03:42:09 2016 +1100
-
- Remote channels .orig and .rej files.
-
- These files were incorrectly added during an OpenBSD sync.
diff --git a/INSTALL b/INSTALL
index 3fd265dbfaea..f1f8f00f3390 100644
--- a/INSTALL
+++ b/INSTALL
@@ -13,15 +13,15 @@ OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
-libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
-LibreSSL http://www.libressl.org/ ; or
-OpenSSL http://www.openssl.org/
+libcrypto from either of:
+ - LibreSSL (http://www.libressl.org/)
+ - OpenSSL 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g (http://www.openssl.org/)
LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
-to configure OpenSSH --without-pie. Note that because of API changes,
-OpenSSL 1.1.x is not currently supported.
+to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit
+OpenSSL 1.1 versions prior to 1.1.0g can't be used.
The remaining items are optional.
diff --git a/Makefile.in b/Makefile.in
index 126b2c742bd3..6f001bb360df 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -88,7 +88,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-ctr.o cleanup.o \
compat.o crc32.o fatal.o hostfile.o \
- log.o match.o moduli.o nchan.o packet.o opacket.o \
+ log.o match.o moduli.o nchan.o packet.o \
readpass.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o dispatch.o mac.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@@ -98,10 +98,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
- kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ kexgexc.o kexgexs.o \
+ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
platform-pledge.o platform-tracing.o platform-misc.o
+
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
@@ -186,7 +187,7 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@@ -598,6 +599,7 @@ tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
+ TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_PLINK="plink"; \
TEST_SSH_PUTTYGEN="puttygen"; \
TEST_SSH_CONCH="conch"; \
diff --git a/OVERVIEW b/OVERVIEW
index 515567f45b0c..cec7cd75b51c 100644
--- a/OVERVIEW
+++ b/OVERVIEW
@@ -34,11 +34,12 @@ these programs.
- Ssh contains several encryption algorithms. These are all
accessed through the cipher.h interface. The interface code is
- in cipher.c, and the implementations are in libc.
+ in cipher.c, and the implementations are either in libc or
+ LibreSSL.
Multiple Precision Integer Library
- - Uses the SSLeay BIGNUM sublibrary.
+ - Uses the LibreSSL BIGNUM sublibrary.
Random Numbers
@@ -158,4 +159,4 @@ these programs.
uidswap.c uid-swapping
xmalloc.c "safe" malloc routines
-$OpenBSD: OVERVIEW,v 1.14 2018/07/27 03:55:22 dtucker Exp $
+$OpenBSD: OVERVIEW,v 1.15 2018/10/23 05:56:35 djm Exp $
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 11363fdc370e..48338e671cc5 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -36,6 +36,7 @@ Certified keys are represented using new key types:
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
+ ssh-ed25519-cert-v01@openssh.com
Two additional types exist for RSA certificates to force use of
SHA-2 signatures (SHA-256 and SHA-512 respectively):
@@ -303,4 +304,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.16 2018/10/26 01:23:03 djm Exp $
diff --git a/README b/README
index 05916459c08b..77cb0ef3ad52 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#7.9p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#8.0p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
diff --git a/README.md b/README.md
new file mode 100644
index 000000000000..4e2624161b93
--- /dev/null
+++ b/README.md
@@ -0,0 +1,74 @@
+# Portable OpenSSH
+
+OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ``ssh`` and server ``sshd``, file transfer utilities ``scp`` and ``sftp`` as well as tools for key generation (``ssh-keygen``), run-time key storage (``ssh-agent``) and a number of supporting programs.
+
+This is a port of OpenBSD's [OpenSSH](https://openssh.com) to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).
+
+## Documentation
+
+The official documentation for OpenSSH are the man pages for each tool:
+
+* [ssh(1)](https://man.openbsd.org/ssh.1)
+* [sshd(8)](https://man.openbsd.org/sshd.8)
+* [ssh-keygen(1)](https://man.openbsd.org/ssh-keygen.1)
+* [ssh-agent(1)](https://man.openbsd.org/ssh-agent.1)
+* [scp(1)](https://man.openbsd.org/scp.1)
+* [sftp(1)](https://man.openbsd.org/sftp.1)
+* [ssh-keyscan(8)](https://man.openbsd.org/ssh-keyscan.8)
+* [sftp-server(8)](https://man.openbsd.org/sftp-server.8)
+
+## Stable Releases
+
+Stable release tarballs are available from a number of [download mirrors](https://www.openssh.com/portable.html#downloads). We recommend the use of a stable release for most users. Please read the [release notes](https://www.openssh.com/releasenotes.html) for details of recent changes and potential incompatibilities.
+
+## Building Portable OpenSSH
+
+### Dependencies
+
+Portable OpenSSH is built using autoconf and make. It requires a working C compiler, standard library and headers, as well as [zlib](https://www.zlib.net/) and ``libcrypto`` from either [LibreSSL](https://www.libressl.org/) or [OpenSSL](https://www.openssl.org) to build. Certain platforms and build-time options may require additional dependencies.
+
+### Building a release
+
+Releases include a pre-built copy of the ``configure`` script and may be built using:
+
+```
+tar zxvf openssh-X.Y.tar.gz
+cd openssh
+./configure # [options]
+make && make tests
+```
+
+See the [Build-time Customisation](#build-time-customisation) section below for configure options. If you plan on installing OpenSSH to your system, then you will usually want to specify destination paths.
+
+### Building from git
+
+If building from git, you'll need [autoconf](https://www.gnu.org/software/autoconf/) installed to build the ``configure`` script. The following commands will check out and build portable OpenSSH from git:
+
+```
+git clone https://github.com/openssh/openssh-portable # or https://anongit.mindrot.org/openssh.git
+cd openssh-portable
+autoreconf
+./configure
+make && make tests
+```
+
+### Build-time Customisation
+
+There are many build-time customisation options available. All Autoconf destination path flags (e.g. ``--prefix``) are supported (and are usually required if you want to install OpenSSH).
+
+For a full list of available flags, run ``configure --help`` but a few of the more frequently-used ones are described below. Some of these flags will require additional libraries and/or headers be installed.
+
+Flag | Meaning
+--- | ---
+``--with-pam`` | Enable [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) support. [OpenPAM](https://www.openpam.org/), [Linux PAM](http://www.linux-pam.org/) and Solaris PAM are supported.
+``--with-libedit`` | Enable [libedit](https://www.thrysoee.dk/editline/) support for sftp.
+``--with-kerberos5`` | Enable Kerberos/GSSAPI support. Both [Heimdal](https://www.h5l.org/) and [MIT](https://web.mit.edu/kerberos/) Kerberos implementations are supported.
+``--with-selinux`` | Enable [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) support.
+
+## Development
+
+Portable OpenSSH development is discussed on the [openssh-unix-dev mailing list](https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev) ([archive mirror](https://marc.info/?l=openssh-unix-dev)). Bugs and feature requests are tracked on our [Bugzilla](https://bugzilla.mindrot.org/).
+
+## Reporting bugs
+
+_Non-security_ bugs may be reported to the developers via [Bugzilla](https://bugzilla.mindrot.org/) or via the mailing list above. Security bugs should be reported to [openssh@openssh.com](mailto:openssh.openssh.com).
diff --git a/atomicio.c b/atomicio.c
index f854a06f5f50..e00c9f0d4e22 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.30 2019/01/24 02:42:23 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -57,20 +57,25 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
ssize_t res;
struct pollfd pfd;
-#ifndef BROKEN_READ_COMPARISON
pfd.fd = fd;
+#ifndef BROKEN_READ_COMPARISON
pfd.events = f == read ? POLLIN : POLLOUT;
+#else
+ pfd.events = POLLIN|POLLOUT;
#endif
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
-#ifndef BROKEN_READ_COMPARISON
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
(void)poll(&pfd, 1, -1);
-#endif
continue;
}
return 0;
@@ -114,20 +119,25 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
/* Make a copy of the iov array because we may modify it below */
memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
-#ifndef BROKEN_READV_COMPARISON
pfd.fd = fd;
+#ifndef BROKEN_READV_COMPARISON
pfd.events = f == readv ? POLLIN : POLLOUT;
+#else
+ pfd.events = POLLIN|POLLOUT;
#endif
for (; iovcnt > 0 && iov[0].iov_len > 0;) {
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
-#ifndef BROKEN_READV_COMPARISON
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
(void)poll(&pfd, 1, -1);
-#endif
continue;
}
return 0;
diff --git a/atomicio.h b/atomicio.h
index 0d728ac86ea9..8b3cc6e211bd 100644
--- a/atomicio.h
+++ b/atomicio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.h,v 1.11 2010/09/22 22:58:51 djm Exp $ */
+/* $OpenBSD: atomicio.h,v 1.12 2018/12/27 03:25:25 djm Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
@@ -29,6 +29,8 @@
#ifndef _ATOMICIO_H
#define _ATOMICIO_H
+struct iovec;
+
/*
* Ensure all of data on socket comes through. f==read || f==vwrite
*/
diff --git a/audit-bsm.c b/audit-bsm.c
index 1409f69aeb90..0ba16c72c820 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -391,7 +391,7 @@ audit_session_close(struct logininfo *li)
}
void
-audit_event(ssh_audit_event_t event)
+audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
char textbuf[BSM_TEXTBUFSZ];
static int logged_in = 0;
diff --git a/audit-linux.c b/audit-linux.c
index 136ed76bbe4b..3fcbe5c53ef9 100644
--- a/audit-linux.c
+++ b/audit-linux.c
@@ -97,10 +97,8 @@ audit_session_close(struct logininfo *li)
}
void
-audit_event(ssh_audit_event_t event)
+audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
- struct ssh *ssh = active_state; /* XXX */
-
switch(event) {
case SSH_AUTH_SUCCESS:
case SSH_CONNECTION_CLOSE:
diff --git a/audit.c b/audit.c
index 33a04376dd6e..dd2f03558fe9 100644
--- a/audit.c
+++ b/audit.c
@@ -131,7 +131,7 @@ audit_connection_from(const char *host, int port)
* events and what they mean).
*/
void
-audit_event(ssh_audit_event_t event)
+audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
debug("audit event euid %d user %s event %d (%s)", geteuid(),
audit_username(), event, audit_event_lookup(event));
diff --git a/audit.h b/audit.h
index 0b593666d9e1..38cb5ad31d4a 100644
--- a/audit.h
+++ b/audit.h
@@ -27,6 +27,8 @@
#include "loginrec.h"
+struct ssh;
+
enum ssh_audit_event_type {
SSH_LOGIN_EXCEED_MAXTRIES,
SSH_LOGIN_ROOT_DENIED,
@@ -46,7 +48,7 @@ enum ssh_audit_event_type {
typedef enum ssh_audit_event_type ssh_audit_event_t;
void audit_connection_from(const char *, int);
-void audit_event(ssh_audit_event_t);
+void audit_event(struct ssh *, ssh_audit_event_t);
void audit_session_open(struct logininfo *);
void audit_session_close(struct logininfo *);
void audit_run_command(const char *);
diff --git a/auth-pam.c b/auth-pam.c
index 1dec53e929d9..bde0a8f561f2 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
+static char *sshpam_rhost = NULL;
+static char *sshpam_laddr = NULL;
+static char *sshpam_conninfo = NULL;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@@ -669,13 +672,17 @@ sshpam_cleanup(void)
}
static int
-sshpam_init(Authctxt *authctxt)
+sshpam_init(struct ssh *ssh, Authctxt *authctxt)
{
- const char *pam_rhost, *pam_user, *user = authctxt->user;
+ const char *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
- struct ssh *ssh = active_state; /* XXX */
- if (sshpam_handle != NULL) {
+ if (sshpam_handle == NULL) {
+ if (ssh == NULL) {
+ fatal("%s: called initially with no "
+ "packet context", __func__);
+ }
+ } if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -694,14 +701,33 @@ sshpam_init(Authctxt *authctxt)
sshpam_handle = NULL;
return (-1);
}
- pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
- debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
- sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
- if (sshpam_err != PAM_SUCCESS) {
- pam_end(sshpam_handle, sshpam_err);
- sshpam_handle = NULL;
- return (-1);
+
+ if (ssh != NULL && sshpam_rhost == NULL) {
+ /*
+ * We need to cache these as we don't have packet context
+ * during the kbdint flow.
+ */
+ sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh,
+ options.use_dns));
+ sshpam_laddr = get_local_ipaddr(
+ ssh_packet_get_connection_in(ssh));
+ xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ sshpam_laddr, ssh_local_port(ssh));
}
+ if (sshpam_rhost != NULL) {
+ debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+ sshpam_rhost);
+ if (sshpam_err != PAM_SUCCESS) {
+ pam_end(sshpam_handle, sshpam_err);
+ sshpam_handle = NULL;
+ return (-1);
+ }
+ /* Put SSH_CONNECTION in the PAM environment too */
+ pam_putenv(sshpam_handle, sshpam_conninfo);
+ }
+
#ifdef PAM_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
@@ -755,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt)
return NULL;
/* Initialize PAM */
- if (sshpam_init(authctxt) == -1) {
+ if (sshpam_init(NULL, authctxt) == -1) {
error("PAM: initialization failed");
return (NULL);
}
@@ -787,7 +813,6 @@ static int
sshpam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
- struct ssh *ssh = active_state; /* XXX */
struct sshbuf *buffer;
struct pam_ctxt *ctxt = ctx;
size_t plen;
@@ -877,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info,
}
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
- sshpam_authctxt->user,
- auth_get_canonical_hostname(ssh, options.use_dns));
+ sshpam_authctxt->user, sshpam_rhost);
/* FALLTHROUGH */
default:
*num = 0;
@@ -995,12 +1019,14 @@ KbdintDevice mm_sshpam_device = {
* This replaces auth-pam.c
*/
void
-start_pam(Authctxt *authctxt)
+start_pam(struct ssh *ssh)
{
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+
if (!options.use_pam)
fatal("PAM: initialisation requested when UsePAM=no");
- if (sshpam_init(authctxt) == -1)
+ if (sshpam_init(ssh, authctxt) == -1)
fatal("PAM: initialisation failed");
}
diff --git a/auth-pam.h b/auth-pam.h
index 4198607454fb..9fcea270faec 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -27,7 +27,7 @@
struct ssh;
-void start_pam(Authctxt *);
+void start_pam(struct ssh *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(struct ssh *);
diff --git a/auth.c b/auth.c
index 3ca3762cc612..8696f258e883 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.133 2018/09/12 01:19:12 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.138 2019/01/19 21:41:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -50,6 +50,7 @@
#include <unistd.h>
#include <limits.h>
#include <netdb.h>
+#include <time.h>
#include "xmalloc.h"
#include "match.h"
@@ -96,9 +97,8 @@ static struct sshbuf *auth_debug;
* Otherwise true is returned.
*/
int
-allowed_user(struct passwd * pw)
+allowed_user(struct ssh *ssh, struct passwd * pw)
{
- struct ssh *ssh = active_state; /* XXX */
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
@@ -258,7 +258,7 @@ allowed_user(struct passwd * pw)
}
#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
- if (!sys_auth_allowed_user(pw, &loginmsg))
+ if (!sys_auth_allowed_user(pw, loginmsg))
return 0;
#endif
@@ -308,10 +308,10 @@ format_method_key(Authctxt *authctxt)
}
void
-auth_log(Authctxt *authctxt, int authenticated, int partial,
+auth_log(struct ssh *ssh, int authenticated, int partial,
const char *method, const char *submethod)
{
- struct ssh *ssh = active_state; /* XXX */
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
int level = SYSLOG_LEVEL_VERBOSE;
const char *authmsg;
char *extra = NULL;
@@ -356,26 +356,26 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
(strcmp(method, "password") == 0 ||
strncmp(method, "keyboard-interactive", 20) == 0 ||
strcmp(method, "challenge-response") == 0))
- record_failed_login(authctxt->user,
+ record_failed_login(ssh, authctxt->user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
# ifdef WITH_AIXAUTHENTICATE
if (authenticated)
sys_auth_record_login(authctxt->user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
- &loginmsg);
+ loginmsg);
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
- audit_event(audit_classify_auth(method));
+ audit_event(ssh, audit_classify_auth(method));
#endif
}
void
-auth_maxtries_exceeded(Authctxt *authctxt)
+auth_maxtries_exceeded(struct ssh *ssh)
{
- struct ssh *ssh = active_state; /* XXX */
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d ssh2",
@@ -383,7 +383,7 @@ auth_maxtries_exceeded(Authctxt *authctxt)
authctxt->user,
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh));
- packet_disconnect("Too many authentication failures");
+ ssh_packet_disconnect(ssh, "Too many authentication failures");
/* NOTREACHED */
}
@@ -437,7 +437,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
* Ensure that filename starts anchored. If not, be backward
* compatible and prepend the '%h/'
*/
- if (*file == '/')
+ if (path_absolute(file))
return (file);
i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
@@ -558,9 +558,8 @@ auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
}
struct passwd *
-getpwnamallow(const char *user)
+getpwnamallow(struct ssh *ssh, const char *user)
{
- struct ssh *ssh = active_state; /* XXX */
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
#ifdef BSD_AUTH
@@ -568,8 +567,9 @@ getpwnamallow(const char *user)
#endif
#endif
struct passwd *pw;
- struct connection_info *ci = get_connection_info(1, options.use_dns);
+ struct connection_info *ci;
+ ci = get_connection_info(ssh, 1, options.use_dns);
ci->user = user;
parse_server_match_config(&options, ci);
log_change_level(options.log_level);
@@ -584,32 +584,19 @@ getpwnamallow(const char *user)
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_restoreauthdb();
#endif
-#ifdef HAVE_CYGWIN
- /*
- * Windows usernames are case-insensitive. To avoid later problems
- * when trying to match the username, the user is only allowed to
- * login if the username is given in the same case as stored in the
- * user database.
- */
- if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
- logit("Login name %.100s does not match stored username %.100s",
- user, pw->pw_name);
- pw = NULL;
- }
-#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
- record_failed_login(user,
+ record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
#ifdef SSH_AUDIT_EVENTS
- audit_event(SSH_INVALID_USER);
+ audit_event(ssh, SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
return (NULL);
}
- if (!allowed_user(pw))
+ if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
if ((lc = login_getclass(pw->pw_class)) == NULL) {
@@ -688,9 +675,8 @@ auth_debug_add(const char *fmt,...)
}
void
-auth_debug_send(void)
+auth_debug_send(struct ssh *ssh)
{
- struct ssh *ssh = active_state; /* XXX */
char *msg;
int r;
@@ -893,7 +879,7 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
* If executing an explicit binary, then verify the it exists
* and appears safe-ish to execute
*/
- if (*av[0] != '/') {
+ if (!path_absolute(av[0])) {
error("%s path is not absolute", tag);
return 0;
}
diff --git a/auth.h b/auth.h
index 977562f0a6f3..bf393e75537c 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.96 2018/04/10 00:10:49 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.99 2019/01/19 21:43:56 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -132,8 +132,8 @@ auth_rhosts2(struct passwd *, const char *, const char *, const char *);
int auth_password(struct ssh *, const char *);
-int hostbased_key_allowed(struct passwd *, const char *, char *,
- struct sshkey *);
+int hostbased_key_allowed(struct ssh *, struct passwd *,
+ const char *, char *, struct sshkey *);
int user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
struct sshauthopt **);
int auth2_key_already_used(Authctxt *, const struct sshkey *);
@@ -166,15 +166,13 @@ int auth_shadow_pwexpired(Authctxt *);
#include "audit.h"
void remove_kbdint_device(const char *);
-void do_authentication2(Authctxt *);
+void do_authentication2(struct ssh *);
-void auth_log(Authctxt *, int, int, const char *, const char *);
-void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
+void auth_log(struct ssh *, int, int, const char *, const char *);
+void auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *);
int auth_root_allowed(struct ssh *, const char *);
-void userauth_send_banner(const char *);
-
char *auth2_read_banner(void);
int auth2_methods_valid(const char *, int);
int auth2_update_methods_lists(Authctxt *, const char *, const char *);
@@ -188,8 +186,8 @@ void auth2_challenge_stop(struct ssh *);
int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int bsdauth_respond(void *, u_int, char **);
-int allowed_user(struct passwd *);
-struct passwd * getpwnamallow(const char *user);
+int allowed_user(struct ssh *, struct passwd *);
+struct passwd * getpwnamallow(struct ssh *, const char *user);
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@@ -210,8 +208,8 @@ struct sshkey *get_hostkey_public_by_index(int, struct ssh *);
struct sshkey *get_hostkey_public_by_type(int, int, struct ssh *);
struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
int get_hostkey_index(struct sshkey *, int, struct ssh *);
-int sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
- size_t *, const u_char *, size_t, const char *, u_int);
+int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
+ u_char **, size_t *, const u_char *, size_t, const char *);
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
@@ -224,7 +222,7 @@ void auth_log_authopts(const char *, const struct sshauthopt *, int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...)
__attribute__((format(printf, 1, 2)));
-void auth_debug_send(void);
+void auth_debug_send(struct ssh *);
void auth_debug_reset(void);
struct passwd *fakepw(void);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 764ceff74ee6..0c40fad4ed31 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.40 2019/01/19 21:43:56 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -147,7 +147,8 @@ userauth_hostbased(struct ssh *ssh)
/* test for allowed key and correct signature */
authenticated = 0;
- if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+ if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
+ chost, key)) &&
PRIVSEP(sshkey_verify(key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
authenticated = 1;
@@ -167,10 +168,9 @@ done:
/* return 1 if given hostkey is allowed */
int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
- struct sshkey *key)
+hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
+ const char *cuser, char *chost, struct sshkey *key)
{
- struct ssh *ssh = active_state; /* XXX */
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950ea608..0b3975a74d2c 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.87 2019/01/22 11:26:16 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -102,6 +102,22 @@ userauth_pubkey(struct ssh *ssh)
(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
fatal("%s: parse request failed: %s", __func__, ssh_err(r));
+
+ if (log_level_get() >= SYSLOG_LEVEL_DEBUG2) {
+ char *keystring;
+ struct sshbuf *pkbuf;
+
+ if ((pkbuf = sshbuf_from(pkblob, blen)) == NULL)
+ fatal("%s: sshbuf_from failed", __func__);
+ if ((keystring = sshbuf_dtob64(pkbuf)) == NULL)
+ fatal("%s: sshbuf_dtob64 failed", __func__);
+ debug2("%s: %s user %s %s public key %s %s", __func__,
+ authctxt->valid ? "valid" : "invalid", authctxt->user,
+ have_sig ? "attempting" : "querying", pkalg, keystring);
+ sshbuf_free(pkbuf);
+ free(keystring);
+ }
+
pktype = sshkey_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
diff --git a/auth2.c b/auth2.c
index 4d19957a6ed3..16ae1a3635e5 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.149 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: auth2.c,v 1.155 2019/03/25 22:34:52 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -35,6 +35,7 @@
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
+#include <time.h>
#include "atomicio.h"
#include "xmalloc.h"
@@ -137,18 +138,21 @@ auth2_read_banner(void)
return (banner);
}
-void
-userauth_send_banner(const char *msg)
+static void
+userauth_send_banner(struct ssh *ssh, const char *msg)
{
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(msg);
- packet_put_cstring(""); /* language, unused */
- packet_send();
+ int r;
+
+ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, msg)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language, unused */
+ (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
debug("%s: sent", __func__);
}
static void
-userauth_banner(void)
+userauth_banner(struct ssh *ssh)
{
char *banner = NULL;
@@ -157,7 +161,7 @@ userauth_banner(void)
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
goto done;
- userauth_send_banner(banner);
+ userauth_send_banner(ssh, banner);
done:
free(banner);
@@ -167,10 +171,10 @@ done:
* loop until authctxt->success == TRUE
*/
void
-do_authentication2(Authctxt *authctxt)
+do_authentication2(struct ssh *ssh)
{
- struct ssh *ssh = active_state; /* XXX */
- ssh->authctxt = authctxt; /* XXX move to caller */
+ Authctxt *authctxt = ssh->authctxt;
+
ssh_dispatch_init(ssh, &dispatch_protocol_error);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
@@ -182,10 +186,12 @@ static int
input_service_request(int type, u_int32_t seq, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
- u_int len;
- int acceptit = 0;
- char *service = packet_get_cstring(&len);
- packet_check_eom();
+ char *service = NULL;
+ int r, acceptit = 0;
+
+ if ((r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
+ goto out;
if (authctxt == NULL)
fatal("input_service_request: no authctxt");
@@ -194,20 +200,24 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
if (!authctxt->success) {
acceptit = 1;
/* now we can handle user-auth requests */
- ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
+ &input_userauth_request);
}
}
/* XXX all other service requests are denied */
if (acceptit) {
- packet_start(SSH2_MSG_SERVICE_ACCEPT);
- packet_put_cstring(service);
- packet_send();
- packet_write_wait();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_ACCEPT)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, service)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0 ||
+ (r = ssh_packet_write_wait(ssh)) != 0)
+ goto out;
} else {
debug("bad service request %s", service);
- packet_disconnect("bad service request %s", service);
+ ssh_packet_disconnect(ssh, "bad service request %s", service);
}
+ r = 0;
+ out:
free(service);
return 0;
}
@@ -255,16 +265,17 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
- int authenticated = 0;
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ int r, authenticated = 0;
double tstart = monotime_double();
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
- user = packet_get_cstring(NULL);
- service = packet_get_cstring(NULL);
- method = packet_get_cstring(NULL);
+ if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 ||
+ (r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
+ (r = sshpkt_get_cstring(ssh, &method, NULL)) != 0)
+ goto out;
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@@ -273,7 +284,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
if (authctxt->attempt++ == 0) {
/* setup auth context */
- authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
@@ -283,12 +294,12 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
/* Invalid user, fake password information */
authctxt->pw = fakepw();
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(SSH_INVALID_USER));
+ PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
#endif
}
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
+ PRIVSEP(start_pam(ssh));
#endif
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating " : "invalid ", user);
@@ -298,13 +309,14 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep)
mm_inform_authserv(service, style);
- userauth_banner();
+ userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0)
- packet_disconnect("no authentication methods enabled");
+ ssh_packet_disconnect(ssh,
+ "no authentication methods enabled");
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
- packet_disconnect("Change of username or service not allowed: "
- "(%s,%s) -> (%s,%s)",
+ ssh_packet_disconnect(ssh, "Change of username or service "
+ "not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
/* reset state */
@@ -330,11 +342,12 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
ensure_minimum_time_since(tstart,
user_specific_delay(authctxt->user));
userauth_finish(ssh, authenticated, method, NULL);
-
+ r = 0;
+ out:
free(service);
free(user);
free(method);
- return 0;
+ return r;
}
void
@@ -343,7 +356,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
{
Authctxt *authctxt = ssh->authctxt;
char *methods;
- int partial = 0;
+ int r, partial = 0;
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -356,7 +369,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
!auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+ PRIVSEP(audit_event(ssh, SSH_LOGIN_ROOT_DENIED));
#endif
}
@@ -368,7 +381,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
}
/* Log before sending the reply */
- auth_log(authctxt, authenticated, partial, method, submethod);
+ auth_log(ssh, authenticated, partial, method, submethod);
/* Update information exposed to session */
if (authenticated || partial)
@@ -387,8 +400,11 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if ((r = sshbuf_put(loginmsg, "\0", 1)) != 0)
fatal("%s: buffer error: %s",
__func__, ssh_err(r));
- userauth_send_banner(sshbuf_ptr(loginmsg));
- packet_write_wait();
+ userauth_send_banner(ssh, sshbuf_ptr(loginmsg));
+ if ((r = ssh_packet_write_wait(ssh)) != 0) {
+ sshpkt_fatal(ssh, r,
+ "%s: send PAM banner", __func__);
+ }
}
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
@@ -398,10 +414,12 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if (authenticated == 1) {
/* turn off userauth */
- ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
- packet_start(SSH2_MSG_USERAUTH_SUCCESS);
- packet_send();
- packet_write_wait();
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
+ &dispatch_protocol_ignore);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_SUCCESS)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0 ||
+ (r = ssh_packet_write_wait(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
/* now we can break out */
authctxt->success = 1;
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
@@ -412,18 +430,19 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+ PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
#endif
- auth_maxtries_exceeded(authctxt);
+ auth_maxtries_exceeded(ssh);
}
methods = authmethods_get(authctxt);
debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
partial, methods);
- packet_start(SSH2_MSG_USERAUTH_FAILURE);
- packet_put_cstring(methods);
- packet_put_char(partial);
- packet_send();
- packet_write_wait();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_FAILURE)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, methods)) != 0 ||
+ (r = sshpkt_put_u8(ssh, partial)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0 ||
+ (r = ssh_packet_write_wait(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
free(methods);
}
}
@@ -558,6 +577,14 @@ auth2_setup_methods_lists(Authctxt *authctxt)
{
u_int i;
+ /* First, normalise away the "any" pseudo-method */
+ if (options.num_auth_methods == 1 &&
+ strcmp(options.auth_methods[0], "any") == 0) {
+ free(options.auth_methods[0]);
+ options.auth_methods[0] = NULL;
+ options.num_auth_methods = 0;
+ }
+
if (options.num_auth_methods == 0)
return 0;
debug3("%s: checking methods", __func__);
diff --git a/authfd.c b/authfd.c
index ecdd869abf01..95348abfceca 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.111 2018/07/09 21:59:10 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.113 2018/12/27 23:02:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -94,7 +94,7 @@ ssh_get_authentication_socket(int *fdp)
*fdp = -1;
authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
- if (!authsocket)
+ if (authsocket == NULL || *authsocket == '\0')
return SSH_ERR_AGENT_NOT_PRESENT;
memset(&sunaddr, 0, sizeof(sunaddr));
@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
static u_int
agent_encode_alg(const struct sshkey *key, const char *alg)
{
- if (alg != NULL && key->type == KEY_RSA) {
- if (strcmp(alg, "rsa-sha2-256") == 0)
+ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
+ if (strcmp(alg, "rsa-sha2-256") == 0 ||
+ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
return SSH_AGENT_RSA_SHA2_256;
- else if (strcmp(alg, "rsa-sha2-512") == 0)
+ if (strcmp(alg, "rsa-sha2-512") == 0 ||
+ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
return SSH_AGENT_RSA_SHA2_512;
}
return 0;
diff --git a/channels.c b/channels.c
index c85d46abd762..657381b8037d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.386 2018/10/04 01:04:52 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.389 2019/01/19 21:37:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -227,11 +227,7 @@ channel_init_channels(struct ssh *ssh)
{
struct ssh_channels *sc;
- if ((sc = calloc(1, sizeof(*sc))) == NULL ||
- (sc->channel_pre = calloc(SSH_CHANNEL_MAX_TYPE,
- sizeof(*sc->channel_pre))) == NULL ||
- (sc->channel_post = calloc(SSH_CHANNEL_MAX_TYPE,
- sizeof(*sc->channel_post))) == NULL)
+ if ((sc = calloc(1, sizeof(*sc))) == NULL)
fatal("%s: allocation failed", __func__);
sc->channels_alloc = 10;
sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
@@ -2104,16 +2100,18 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
{
char buf[CHAN_RBUF];
- int r;
ssize_t len;
+ int r, force;
+
+ force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
- if (!c->detach_close && !FD_ISSET(c->efd, readset))
+ if (c->efd == -1 || (!force && !FD_ISSET(c->efd, readset)))
return 1;
len = read(c->efd, buf, sizeof(buf));
debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
if (len < 0 && (errno == EINTR || ((errno == EAGAIN ||
- errno == EWOULDBLOCK) && !c->detach_close)))
+ errno == EWOULDBLOCK) && !force)))
return 1;
if (len <= 0) {
debug2("channel %d: closing read-efd %d",
@@ -2995,10 +2993,10 @@ channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
return 0;
/* Get the data. */
- if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0)
+ if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
fatal("%s: channel %d: get data: %s", __func__,
c->self, ssh_err(r));
- ssh_packet_check_eom(ssh);
win_len = data_len;
if (c->datagram)
@@ -3072,11 +3070,11 @@ channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
logit("channel %d: bad ext data", c->self);
return 0;
}
- if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0) {
+ if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) {
error("%s: parse data: %s", __func__, ssh_err(r));
ssh_packet_disconnect(ssh, "Invalid extended_data message");
}
- ssh_packet_check_eom(ssh);
if (data_len > c->local_window) {
logit("channel %d: rcvd too much extended_data %zu, win %u",
@@ -3095,8 +3093,12 @@ int
channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
{
Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
+ int r;
- ssh_packet_check_eom(ssh);
+ if ((r = sshpkt_get_end(ssh)) != 0) {
+ error("%s: parse data: %s", __func__, ssh_err(r));
+ ssh_packet_disconnect(ssh, "Invalid ieof message");
+ }
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
@@ -3116,10 +3118,14 @@ int
channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
{
Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
+ int r;
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
- ssh_packet_check_eom(ssh);
+ if ((r = sshpkt_get_end(ssh)) != 0) {
+ error("%s: parse data: %s", __func__, ssh_err(r));
+ ssh_packet_disconnect(ssh, "Invalid oclose message");
+ }
chan_rcvd_oclose(ssh, c);
return 0;
}
@@ -3134,7 +3140,7 @@ channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
if (c->type != SSH_CHANNEL_OPENING)
- packet_disconnect("Received open confirmation for "
+ ssh_packet_disconnect(ssh, "Received open confirmation for "
"non-opening channel %d.", c->self);
/*
* Record the remote channel number and mark that the channel
@@ -3142,11 +3148,11 @@ channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
*/
if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
(r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
- (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0) {
+ (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) {
error("%s: window/maxpacket: %s", __func__, ssh_err(r));
- packet_disconnect("Invalid open confirmation message");
+ ssh_packet_disconnect(ssh, "Invalid open confirmation message");
}
- ssh_packet_check_eom(ssh);
c->have_remote_id = 1;
c->remote_window = remote_window;
@@ -3189,19 +3195,19 @@ channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
if (c->type != SSH_CHANNEL_OPENING)
- packet_disconnect("Received open failure for "
+ ssh_packet_disconnect(ssh, "Received open failure for "
"non-opening channel %d.", c->self);
if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
error("%s: reason: %s", __func__, ssh_err(r));
- packet_disconnect("Invalid open failure message");
+ ssh_packet_disconnect(ssh, "Invalid open failure message");
}
/* skip language */
if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
- (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) {
+ (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) {
error("%s: message/lang: %s", __func__, ssh_err(r));
- packet_disconnect("Invalid open failure message");
+ ssh_packet_disconnect(ssh, "Invalid open failure message");
}
- ssh_packet_check_eom(ssh);
logit("channel %d: open failed: %s%s%s", c->self,
reason2txt(reason), msg ? ": ": "", msg ? msg : "");
free(msg);
@@ -3231,11 +3237,11 @@ channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
- if ((r = sshpkt_get_u32(ssh, &adjust)) != 0) {
+ if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) {
error("%s: adjust: %s", __func__, ssh_err(r));
- packet_disconnect("Invalid window adjust message");
+ ssh_packet_disconnect(ssh, "Invalid window adjust message");
}
- ssh_packet_check_eom(ssh);
debug2("channel %d: rcvd adjust %u", c->self, adjust);
if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
fatal("channel %d: adjust %u overflows remote window %u",
@@ -3251,9 +3257,10 @@ channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
int id = channel_parse_id(ssh, __func__, "status confirm");
Channel *c;
struct channel_confirm *cc;
+ int r;
/* Reset keepalive timeout */
- packet_set_alive_timeouts(0);
+ ssh_packet_set_alive_timeouts(ssh, 0);
debug2("%s: type %d id %d", __func__, type, id);
@@ -3263,7 +3270,8 @@ channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
}
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
- ssh_packet_check_eom(ssh);
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ ssh_packet_disconnect(ssh, "Invalid status confirm message");
if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
return 0;
cc->cb(ssh, type, c, cc->ctx);
@@ -3298,7 +3306,7 @@ channel_set_af(struct ssh *ssh, int af)
* "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
*/
static const char *
-channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp,
int is_client, struct ForwardOptions *fwd_opts)
{
const char *addr = NULL;
@@ -3321,7 +3329,8 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
if (*listen_addr != '\0' &&
strcmp(listen_addr, "0.0.0.0") != 0 &&
strcmp(listen_addr, "*") != 0) {
- packet_send_debug("Forwarding listen address "
+ ssh_packet_send_debug(ssh,
+ "Forwarding listen address "
"\"%s\" overridden by server "
"GatewayPorts", listen_addr);
}
@@ -3375,7 +3384,7 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
}
/* Determine the bind address, cf. channel_fwd_bind_addr() comment */
- addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard,
+ addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
is_client, fwd_opts);
debug3("%s: type %d wildcard %d addr %s", __func__,
type, wildcard, (addr == NULL) ? "NULL" : addr);
@@ -3392,7 +3401,7 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
if (addr == NULL) {
/* This really shouldn't happen */
- packet_disconnect("getaddrinfo: fatal error: %s",
+ ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
ssh_gai_strerror(r));
} else {
error("%s: getaddrinfo(%.64s): %s", __func__, addr,
@@ -3641,7 +3650,7 @@ channel_cancel_lport_listener_tcpip(struct ssh *ssh,
{
u_int i;
int found = 0;
- const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts);
+ const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts);
for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
Channel *c = ssh->chanctxt->channels[i];
@@ -3793,7 +3802,7 @@ channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
int *allocated_listen_port, struct ForwardOptions *fwd_opts)
{
if (!check_rfwd_permission(ssh, fwd)) {
- packet_send_debug("port forwarding refused");
+ ssh_packet_send_debug(ssh, "port forwarding refused");
return 0;
}
if (fwd->listen_path != NULL) {
diff --git a/clientloop.c b/clientloop.c
index 8d312cdaa755..086c0dfe8e6b 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.318 2018/09/21 12:46:22 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.322 2019/03/29 11:31:40 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,7 +160,7 @@ static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed; /* In SSH2: login session closed. */
static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
-static void client_init_dispatch(void);
+static void client_init_dispatch(struct ssh *ssh);
int session_ident = -1;
/* Track escape per proto2 channel */
@@ -364,7 +364,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
SSH_X11_PROTO, x11_timeout_real,
_PATH_DEVNULL);
}
- debug2("%s: %s", __func__, cmd);
+ debug2("%s: xauth command: %s", __func__, cmd);
if (timeout != 0 && x11_refuse_time == 0) {
now = monotime() + 1;
@@ -475,21 +475,24 @@ client_global_request_reply(int type, u_int32_t seq, struct ssh *ssh)
free(gc);
}
- packet_set_alive_timeouts(0);
+ ssh_packet_set_alive_timeouts(ssh, 0);
return 0;
}
static void
-server_alive_check(void)
+server_alive_check(struct ssh *ssh)
{
- if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
+ int r;
+
+ if (ssh_packet_inc_alive_timeouts(ssh) > options.server_alive_count_max) {
logit("Timeout, server %s not responding.", host);
cleanup_exit(255);
}
- packet_start(SSH2_MSG_GLOBAL_REQUEST);
- packet_put_cstring("keepalive@openssh.com");
- packet_put_char(1); /* boolean: want reply */
- packet_send();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "keepalive@openssh.com")) != 0 ||
+ (r = sshpkt_put_u8(ssh, 1)) != 0 || /* boolean: want reply */
+ (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
/* Insert an empty placeholder to maintain ordering */
client_register_global_confirm(NULL, NULL);
}
@@ -509,12 +512,12 @@ client_wait_until_can_do_something(struct ssh *ssh,
int r, ret;
/* Add any selections by the channel mechanism. */
- channel_prepare_select(active_state, readsetp, writesetp, maxfdp,
+ channel_prepare_select(ssh, readsetp, writesetp, maxfdp,
nallocp, &minwait_secs);
/* channel_prepare_select could have closed the last channel */
if (session_closed && !channel_still_open(ssh) &&
- !packet_have_data_to_write()) {
+ !ssh_packet_have_data_to_write(ssh)) {
/* clear mask since we did not call select() */
memset(*readsetp, 0, *nallocp);
memset(*writesetp, 0, *nallocp);
@@ -524,7 +527,7 @@ client_wait_until_can_do_something(struct ssh *ssh,
FD_SET(connection_in, *readsetp);
/* Select server connection if have data to write to the server. */
- if (packet_have_data_to_write())
+ if (ssh_packet_have_data_to_write(ssh))
FD_SET(connection_out, *writesetp);
/*
@@ -539,7 +542,8 @@ client_wait_until_can_do_something(struct ssh *ssh,
server_alive_time = now + options.server_alive_interval;
}
if (options.rekey_interval > 0 && !rekeying)
- timeout_secs = MINIMUM(timeout_secs, packet_get_rekey_timeout());
+ timeout_secs = MINIMUM(timeout_secs,
+ ssh_packet_get_rekey_timeout(ssh));
set_control_persist_exit_time(ssh);
if (control_persist_exit_time > 0) {
timeout_secs = MINIMUM(timeout_secs,
@@ -580,7 +584,7 @@ client_wait_until_can_do_something(struct ssh *ssh,
* Keepalive we check here, rekeying is checked in clientloop.
*/
if (server_alive_time != 0 && server_alive_time <= monotime())
- server_alive_check();
+ server_alive_check(ssh);
}
}
@@ -612,7 +616,7 @@ client_suspend_self(struct sshbuf *bin, struct sshbuf *bout, struct sshbuf *berr
}
static void
-client_process_net_input(fd_set *readset)
+client_process_net_input(struct ssh *ssh, fd_set *readset)
{
char buf[SSH_IOBUFSZ];
int r, len;
@@ -658,7 +662,7 @@ client_process_net_input(fd_set *readset)
quit_pending = 1;
return;
}
- packet_process_incoming(buf, len);
+ ssh_packet_process_incoming(ssh, buf, len);
}
}
@@ -1031,7 +1035,7 @@ process_escapes(struct ssh *ssh, Channel *c,
channel_request_start(ssh, c->self, "break", 0);
if ((r = sshpkt_put_u32(ssh, 1000)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__,
+ fatal("%s: send packet: %s", __func__,
ssh_err(r));
continue;
@@ -1182,9 +1186,9 @@ process_escapes(struct ssh *ssh, Channel *c,
*/
static void
-client_process_buffered_input_packets(void)
+client_process_buffered_input_packets(struct ssh *ssh)
{
- ssh_dispatch_run_fatal(active_state, DISPATCH_NONBLOCK, &quit_pending);
+ ssh_dispatch_run_fatal(ssh, DISPATCH_NONBLOCK, &quit_pending);
}
/* scan buf[] for '~' before sending data to the peer */
@@ -1281,8 +1285,8 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
/* Initialize variables. */
last_was_cr = 1;
exit_status = -1;
- connection_in = packet_get_connection_in();
- connection_out = packet_get_connection_out();
+ connection_in = ssh_packet_get_connection_in(ssh);
+ connection_out = ssh_packet_get_connection_out(ssh);
max_fd = MAXIMUM(connection_in, connection_out);
quit_pending = 0;
@@ -1291,7 +1295,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
if ((stderr_buffer = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
- client_init_dispatch();
+ client_init_dispatch(ssh);
/*
* Set signal handlers, (e.g. to restore non-blocking mode)
@@ -1327,7 +1331,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
while (!quit_pending) {
/* Process buffered packets sent by the server. */
- client_process_buffered_input_packets();
+ client_process_buffered_input_packets(ssh);
if (session_closed && !channel_still_open(ssh))
break;
@@ -1346,7 +1350,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* Make packets from buffered channel data, and
* enqueue them for sending to the server.
*/
- if (packet_not_very_much_data_to_write())
+ if (ssh_packet_not_very_much_data_to_write(ssh))
channel_output_poll(ssh);
/*
@@ -1374,7 +1378,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
channel_after_select(ssh, readset, writeset);
/* Buffer input from the connection. */
- client_process_net_input(readset);
+ client_process_net_input(ssh, readset);
if (quit_pending)
break;
@@ -1384,7 +1388,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* sender.
*/
if (FD_ISSET(connection_out, writeset))
- packet_write_poll();
+ ssh_packet_write_poll(ssh);
/*
* If we are a backgrounded control master, and the
@@ -1406,12 +1410,13 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
/* Stop watching for window change. */
signal(SIGWINCH, SIG_DFL);
- packet_start(SSH2_MSG_DISCONNECT);
- packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
- packet_put_cstring("disconnected by user");
- packet_put_cstring(""); /* language tag */
- packet_send();
- packet_write_wait();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
+ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_BY_APPLICATION)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "disconnected by user")) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language tag */
+ (r = sshpkt_send(ssh)) != 0 ||
+ (r = ssh_packet_write_wait(ssh)) != 0)
+ fatal("%s: send disconnect: %s", __func__, ssh_err(r));
channel_free_all(ssh);
@@ -1468,7 +1473,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
/* Report bytes transferred, and transfer rates. */
total_time = monotime_double() - start_time;
- packet_get_bytes(&ibytes, &obytes);
+ ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes, in %.1f seconds",
(unsigned long long)obytes, (unsigned long long)ibytes, total_time);
if (total_time > 0)
@@ -1488,21 +1493,29 @@ client_request_forwarded_tcpip(struct ssh *ssh, const char *request_type,
Channel *c = NULL;
struct sshbuf *b = NULL;
char *listen_address, *originator_address;
- u_short listen_port, originator_port;
+ u_int listen_port, originator_port;
int r;
/* Get rest of the packet */
- listen_address = packet_get_string(NULL);
- listen_port = packet_get_int();
- originator_address = packet_get_string(NULL);
- originator_port = packet_get_int();
- packet_check_eom();
+ if ((r = sshpkt_get_cstring(ssh, &listen_address, NULL)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &listen_port)) != 0 ||
+ (r = sshpkt_get_cstring(ssh, &originator_address, NULL)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
debug("%s: listen %s port %d, originator %s port %d", __func__,
listen_address, listen_port, originator_address, originator_port);
- c = channel_connect_by_listen_address(ssh, listen_address, listen_port,
- "forwarded-tcpip", originator_address);
+ if (listen_port > 0xffff)
+ error("%s: invalid listen port", __func__);
+ else if (originator_port > 0xffff)
+ error("%s: invalid originator port", __func__);
+ else {
+ c = channel_connect_by_listen_address(ssh,
+ listen_address, listen_port, "forwarded-tcpip",
+ originator_address);
+ }
if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) {
if ((b = sshbuf_new()) == NULL) {
@@ -1540,15 +1553,15 @@ client_request_forwarded_streamlocal(struct ssh *ssh,
{
Channel *c = NULL;
char *listen_path;
+ int r;
/* Get the remote path. */
- listen_path = packet_get_string(NULL);
- /* XXX: Skip reserved field for now. */
- if (packet_get_string_ptr(NULL) == NULL)
- fatal("%s: packet_get_string_ptr failed", __func__);
- packet_check_eom();
+ if ((r = sshpkt_get_cstring(ssh, &listen_path, NULL)) != 0 ||
+ (r = sshpkt_get_string(ssh, NULL, NULL)) != 0 || /* reserved */
+ (r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
- debug("%s: %s", __func__, listen_path);
+ debug("%s: request: %s", __func__, listen_path);
c = channel_connect_by_listen_path(ssh, listen_path,
"forwarded-streamlocal@openssh.com", "forwarded-streamlocal");
@@ -1561,8 +1574,8 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
{
Channel *c = NULL;
char *originator;
- u_short originator_port;
- int sock;
+ u_int originator_port;
+ int r, sock;
if (!options.forward_x11) {
error("Warning: ssh server tried X11 forwarding.");
@@ -1575,11 +1588,13 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
"expired");
return NULL;
}
- originator = packet_get_string(NULL);
- originator_port = packet_get_int();
- packet_check_eom();
+ if ((r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
/* XXX check permission */
- debug("client_request_x11: request from %s %d", originator,
+ /* XXX range check originator port? */
+ debug("client_request_x11: request from %s %u", originator,
originator_port);
free(originator);
sock = x11_connect_display(ssh);
@@ -1623,7 +1638,7 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
int local_tun, int remote_tun)
{
Channel *c;
- int fd;
+ int r, fd;
char *ifname = NULL;
if (tun_mode == SSH_TUNMODE_NO)
@@ -1648,14 +1663,15 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
sys_tun_outfilter, NULL, NULL);
#endif
- packet_start(SSH2_MSG_CHANNEL_OPEN);
- packet_put_cstring("tun@openssh.com");
- packet_put_int(c->self);
- packet_put_int(c->local_window_max);
- packet_put_int(c->local_maxpacket);
- packet_put_int(tun_mode);
- packet_put_int(remote_tun);
- packet_send();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "tun@openssh.com")) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_window_max)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
+ (r = sshpkt_put_u32(ssh, tun_mode)) != 0 ||
+ (r = sshpkt_put_u32(ssh, remote_tun)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: send reply", __func__);
return ifname;
}
@@ -1665,14 +1681,17 @@ static int
client_input_channel_open(int type, u_int32_t seq, struct ssh *ssh)
{
Channel *c = NULL;
- char *ctype;
- int rchan;
- u_int rmaxpack, rwindow, len;
-
- ctype = packet_get_string(&len);
- rchan = packet_get_int();
- rwindow = packet_get_int();
- rmaxpack = packet_get_int();
+ char *ctype = NULL;
+ int r;
+ u_int rchan;
+ size_t len;
+ u_int rmaxpack, rwindow;
+
+ if ((r = sshpkt_get_cstring(ssh, &ctype, &len)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &rchan)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &rwindow)) != 0 ||
+ (r = sshpkt_get_u32(ssh, &rmaxpack)) != 0)
+ goto out;
debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
ctype, rchan, rwindow, rmaxpack);
@@ -1696,57 +1715,66 @@ client_input_channel_open(int type, u_int32_t seq, struct ssh *ssh)
c->remote_window = rwindow;
c->remote_maxpacket = rmaxpack;
if (c->type != SSH_CHANNEL_CONNECTING) {
- packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
- packet_put_int(c->remote_id);
- packet_put_int(c->self);
- packet_put_int(c->local_window);
- packet_put_int(c->local_maxpacket);
- packet_send();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: send reply", __func__);
}
} else {
debug("failure %s", ctype);
- packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
- packet_put_int(rchan);
- packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
- packet_put_cstring("open failed");
- packet_put_cstring("");
- packet_send();
+ if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
+ (r = sshpkt_put_u32(ssh, rchan)) != 0 ||
+ (r = sshpkt_put_u32(ssh, SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "open failed")) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "")) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: send failure", __func__);
}
+ r = 0;
+ out:
free(ctype);
- return 0;
+ return r;
}
static int
client_input_channel_req(int type, u_int32_t seq, struct ssh *ssh)
{
Channel *c = NULL;
- int exitval, id, reply, success = 0;
- char *rtype;
-
- id = packet_get_int();
- c = channel_lookup(ssh, id);
+ char *rtype = NULL;
+ u_char reply;
+ u_int id, exitval;
+ int r, success = 0;
+
+ if ((r = sshpkt_get_u32(ssh, &id)) != 0)
+ return r;
+ if (id <= INT_MAX)
+ c = channel_lookup(ssh, id);
if (channel_proxy_upstream(c, type, seq, ssh))
return 0;
- rtype = packet_get_string(NULL);
- reply = packet_get_char();
+ if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 ||
+ (r = sshpkt_get_u8(ssh, &reply)) != 0)
+ goto out;
- debug("client_input_channel_req: channel %d rtype %s reply %d",
+ debug("client_input_channel_req: channel %u rtype %s reply %d",
id, rtype, reply);
- if (id == -1) {
- error("client_input_channel_req: request for channel -1");
- } else if (c == NULL) {
+ if (c == NULL) {
error("client_input_channel_req: channel %d: "
"unknown channel", id);
} else if (strcmp(rtype, "eow@openssh.com") == 0) {
- packet_check_eom();
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ goto out;
chan_rcvd_eow(ssh, c);
} else if (strcmp(rtype, "exit-status") == 0) {
- exitval = packet_get_int();
+ if ((r = sshpkt_get_u32(ssh, &exitval)) != 0)
+ goto out;
if (c->ctl_chan != -1) {
mux_exit_message(ssh, c, exitval);
success = 1;
- } else if (id == session_ident) {
+ } else if ((int)id == session_ident) {
/* Record exit value of local session */
success = 1;
exit_status = exitval;
@@ -1755,19 +1783,23 @@ client_input_channel_req(int type, u_int32_t seq, struct ssh *ssh)
debug("%s: no sink for exit-status on channel %d",
__func__, id);
}
- packet_check_eom();
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ goto out;
}
if (reply && c != NULL && !(c->flags & CHAN_CLOSE_SENT)) {
if (!c->have_remote_id)
fatal("%s: channel %d: no remote_id",
__func__, c->self);
- packet_start(success ?
- SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
- packet_put_int(c->remote_id);
- packet_send();
+ if ((r = sshpkt_start(ssh, success ?
+ SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: send failure", __func__);
}
+ r = 0;
+ out:
free(rtype);
- return 0;
+ return r;
}
struct hostkeys_update_ctx {
@@ -1984,7 +2016,10 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
if (ndone != ctx->nnew)
fatal("%s: ndone != ctx->nnew (%zu / %zu)", __func__,
ndone, ctx->nnew); /* Shouldn't happen */
- ssh_packet_check_eom(ssh);
+ if ((r = sshpkt_get_end(ssh)) != 0) {
+ error("%s: protocol error", __func__);
+ goto out;
+ }
/* Make the edits to known_hosts */
update_known_hosts(ctx);
@@ -2018,9 +2053,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
* HostkeyAlgorithms preference before they are accepted.
*/
static int
-client_input_hostkeys(void)
+client_input_hostkeys(struct ssh *ssh)
{
- struct ssh *ssh = active_state; /* XXX */
const u_char *blob = NULL;
size_t i, len = 0;
struct sshbuf *buf = NULL;
@@ -2171,23 +2205,27 @@ static int
client_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
{
char *rtype;
- int want_reply;
- int success = 0;
+ u_char want_reply;
+ int r, success = 0;
- rtype = packet_get_cstring(NULL);
- want_reply = packet_get_char();
+ if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 ||
+ (r = sshpkt_get_u8(ssh, &want_reply)) != 0)
+ goto out;
debug("client_input_global_request: rtype %s want_reply %d",
rtype, want_reply);
if (strcmp(rtype, "hostkeys-00@openssh.com") == 0)
- success = client_input_hostkeys();
+ success = client_input_hostkeys(ssh);
if (want_reply) {
- packet_start(success ?
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
- packet_send();
- packet_write_wait();
+ if ((r = sshpkt_start(ssh, success ? SSH2_MSG_REQUEST_SUCCESS :
+ SSH2_MSG_REQUEST_FAILURE)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0 ||
+ (r = ssh_packet_write_wait(ssh)) != 0)
+ goto out;
}
+ r = 0;
+ out:
free(rtype);
- return 0;
+ return r;
}
void
@@ -2195,7 +2233,7 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
const char *term, struct termios *tiop, int in_fd, struct sshbuf *cmd,
char **env)
{
- int i, j, matched, len;
+ int i, j, matched, len, r;
char *name, *val;
Channel *c = NULL;
@@ -2204,7 +2242,7 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
if ((c = channel_lookup(ssh, id)) == NULL)
fatal("%s: channel %d: unknown channel", __func__, id);
- packet_set_interactive(want_tty,
+ ssh_packet_set_interactive(ssh, want_tty,
options.ip_qos_interactive, options.ip_qos_bulk);
if (want_tty) {
@@ -2216,15 +2254,18 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
channel_request_start(ssh, id, "pty-req", 1);
client_expect_confirm(ssh, id, "PTY allocation", CONFIRM_TTY);
- packet_put_cstring(term != NULL ? term : "");
- packet_put_int((u_int)ws.ws_col);
- packet_put_int((u_int)ws.ws_row);
- packet_put_int((u_int)ws.ws_xpixel);
- packet_put_int((u_int)ws.ws_ypixel);
+ if ((r = sshpkt_put_cstring(ssh, term != NULL ? term : ""))
+ != 0 ||
+ (r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
+ (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
+ (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
+ (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0)
+ fatal("%s: build packet: %s", __func__, ssh_err(r));
if (tiop == NULL)
tiop = get_saved_tio();
ssh_tty_make_modes(ssh, -1, tiop);
- packet_send();
+ if ((r = sshpkt_send(ssh)) != 0)
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
/* XXX wait for reply */
c->client_tty = 1;
}
@@ -2256,9 +2297,12 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
debug("Sending env %s = %s", name, val);
channel_request_start(ssh, id, "env", 0);
- packet_put_cstring(name);
- packet_put_cstring(val);
- packet_send();
+ if ((r = sshpkt_put_cstring(ssh, name)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, val)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0) {
+ fatal("%s: send packet: %s",
+ __func__, ssh_err(r));
+ }
free(name);
}
}
@@ -2273,9 +2317,10 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
debug("Setting env %s = %s", name, val);
channel_request_start(ssh, id, "env", 0);
- packet_put_cstring(name);
- packet_put_cstring(val);
- packet_send();
+ if ((r = sshpkt_put_cstring(ssh, name)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, val)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
free(name);
}
@@ -2295,39 +2340,43 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
channel_request_start(ssh, id, "exec", 1);
client_expect_confirm(ssh, id, "exec", CONFIRM_CLOSE);
}
- packet_put_string(sshbuf_ptr(cmd), sshbuf_len(cmd));
- packet_send();
+ if ((r = sshpkt_put_stringb(ssh, cmd)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: send command: %s", __func__, ssh_err(r));
} else {
channel_request_start(ssh, id, "shell", 1);
client_expect_confirm(ssh, id, "shell", CONFIRM_CLOSE);
- packet_send();
+ if ((r = sshpkt_send(ssh)) != 0) {
+ fatal("%s: send shell request: %s",
+ __func__, ssh_err(r));
+ }
}
}
static void
-client_init_dispatch(void)
+client_init_dispatch(struct ssh *ssh)
{
- dispatch_init(&dispatch_protocol_error);
-
- dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
- dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
- dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
- dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
- dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
- dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
- dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
- dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
- dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
- dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm);
- dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm);
- dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request);
+ ssh_dispatch_init(ssh, &dispatch_protocol_error);
+
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_DATA, &channel_input_data);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm);
+ ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm);
+ ssh_dispatch_set(ssh, SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request);
/* rekeying */
- dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
/* global request reply messages */
- dispatch_set(SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply);
- dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply);
+ ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply);
+ ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply);
}
void
diff --git a/config.h.in b/config.h.in
index 91b65db8f349..05b7206df17f 100644
--- a/config.h.in
+++ b/config.h.in
@@ -393,19 +393,19 @@
/* Define if you have /dev/ptc */
#undef HAVE_DEV_PTS_AND_PTC
-/* Define if libcrypto has DH_get0_key */
+/* Define to 1 if you have the `DH_get0_key' function. */
#undef HAVE_DH_GET0_KEY
-/* Define if libcrypto has DH_get0_pqg */
+/* Define to 1 if you have the `DH_get0_pqg' function. */
#undef HAVE_DH_GET0_PQG
-/* Define if libcrypto has DH_set0_key */
+/* Define to 1 if you have the `DH_set0_key' function. */
#undef HAVE_DH_SET0_KEY
-/* Define if libcrypto has DH_set0_pqg */
+/* Define to 1 if you have the `DH_set0_pqg' function. */
#undef HAVE_DH_SET0_PQG
-/* Define if libcrypto has DH_set_length */
+/* Define to 1 if you have the `DH_set_length' function. */
#undef HAVE_DH_SET_LENGTH
/* Define to 1 if you have the <dirent.h> header file. */
@@ -420,30 +420,33 @@
/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
#undef HAVE_DSA_GENERATE_PARAMETERS_EX
-/* Define if libcrypto has DSA_get0_key */
+/* Define to 1 if you have the `DSA_get0_key' function. */
#undef HAVE_DSA_GET0_KEY
-/* Define if libcrypto has DSA_get0_pqg */
+/* Define to 1 if you have the `DSA_get0_pqg' function. */
#undef HAVE_DSA_GET0_PQG
-/* Define if libcrypto has DSA_set0_key */
+/* Define to 1 if you have the `DSA_set0_key' function. */
#undef HAVE_DSA_SET0_KEY
-/* Define if libcrypto has DSA_set0_pqg */
+/* Define to 1 if you have the `DSA_set0_pqg' function. */
#undef HAVE_DSA_SET0_PQG
-/* Define if libcrypto has DSA_SIG_get0 */
+/* Define to 1 if you have the `DSA_SIG_get0' function. */
#undef HAVE_DSA_SIG_GET0
-/* Define if libcrypto has DSA_SIG_set0 */
+/* Define to 1 if you have the `DSA_SIG_set0' function. */
#undef HAVE_DSA_SIG_SET0
-/* Define if libcrypto has ECDSA_SIG_get0 */
+/* Define to 1 if you have the `ECDSA_SIG_get0' function. */
#undef HAVE_ECDSA_SIG_GET0
-/* Define if libcrypto has ECDSA_SIG_set0 */
+/* Define to 1 if you have the `ECDSA_SIG_set0' function. */
#undef HAVE_ECDSA_SIG_SET0
+/* Define to 1 if you have the `EC_KEY_METHOD_new' function. */
+#undef HAVE_EC_KEY_METHOD_NEW
+
/* Define to 1 if you have the <elf.h> header file. */
#undef HAVE_ELF_H
@@ -471,18 +474,21 @@
/* Define if your system has /etc/default/login */
#undef HAVE_ETC_DEFAULT_LOGIN
-/* Define if libcrypto has EVP_CIPHER_CTX_ctrl */
+/* Define to 1 if you have the `EVP_CIPHER_CTX_ctrl' function. */
#undef HAVE_EVP_CIPHER_CTX_CTRL
-/* Define if libcrypto has EVP_CIPHER_CTX_set_iv */
+/* Define to 1 if you have the `EVP_CIPHER_CTX_get_iv' function. */
#undef HAVE_EVP_CIPHER_CTX_GET_IV
-/* Define if libcrypto has EVP_CIPHER_CTX_iv */
+/* Define to 1 if you have the `EVP_CIPHER_CTX_iv' function. */
#undef HAVE_EVP_CIPHER_CTX_IV
-/* Define if libcrypto has EVP_CIPHER_CTX_iv_noconst */
+/* Define to 1 if you have the `EVP_CIPHER_CTX_iv_noconst' function. */
#undef HAVE_EVP_CIPHER_CTX_IV_NOCONST
+/* Define to 1 if you have the `EVP_CIPHER_CTX_set_iv' function. */
+#undef HAVE_EVP_CIPHER_CTX_SET_IV
+
/* Define to 1 if you have the `EVP_DigestFinal_ex' function. */
#undef HAVE_EVP_DIGESTFINAL_EX
@@ -495,16 +501,16 @@
/* Define to 1 if you have the `EVP_MD_CTX_copy_ex' function. */
#undef HAVE_EVP_MD_CTX_COPY_EX
-/* Define if libcrypto has EVP_MD_CTX_free */
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
#undef HAVE_EVP_MD_CTX_FREE
/* Define to 1 if you have the `EVP_MD_CTX_init' function. */
#undef HAVE_EVP_MD_CTX_INIT
-/* Define if libcrypto has EVP_MD_CTX_new */
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
#undef HAVE_EVP_MD_CTX_NEW
-/* Define if libcrypto has EVP_PKEY_get0_RSA */
+/* Define to 1 if you have the `EVP_PKEY_get0_RSA' function. */
#undef HAVE_EVP_PKEY_GET0_RSA
/* Define to 1 if you have the `EVP_ripemd160' function. */
@@ -522,9 +528,15 @@
/* Define to 1 if you have the `fchmod' function. */
#undef HAVE_FCHMOD
+/* Define to 1 if you have the `fchmodat' function. */
+#undef HAVE_FCHMODAT
+
/* Define to 1 if you have the `fchown' function. */
#undef HAVE_FCHOWN
+/* Define to 1 if you have the `fchownat' function. */
+#undef HAVE_FCHOWNAT
+
/* Use F_CLOSEM fcntl for closefrom */
#undef HAVE_FCNTL_CLOSEM
@@ -935,8 +947,17 @@
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
-/* Define if your ssl headers are included with #include <openssl/header.h> */
-#undef HAVE_OPENSSL
+/* as a macro */
+#undef HAVE_OPENSSL_ADD_ALL_ALGORITHMS
+
+/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
+#undef HAVE_OPENSSL_INIT_CRYPTO
+
+/* Define to 1 if you have the `OpenSSL_version' function. */
+#undef HAVE_OPENSSL_VERSION
+
+/* Define to 1 if you have the `OpenSSL_version_num' function. */
+#undef HAVE_OPENSSL_VERSION_NUM
/* Define if you have Digital Unix Security Integration Architecture */
#undef HAVE_OSF_SIA
@@ -1029,46 +1050,46 @@
/* Define to 1 if you have the `RSA_generate_key_ex' function. */
#undef HAVE_RSA_GENERATE_KEY_EX
-/* Define if libcrypto has RSA_get0_crt_params */
+/* Define to 1 if you have the `RSA_get0_crt_params' function. */
#undef HAVE_RSA_GET0_CRT_PARAMS
-/* Define if libcrypto has RSA_get0_factors */
+/* Define to 1 if you have the `RSA_get0_factors' function. */
#undef HAVE_RSA_GET0_FACTORS
-/* Define if libcrypto has RSA_get0_key */
+/* Define to 1 if you have the `RSA_get0_key' function. */
#undef HAVE_RSA_GET0_KEY
/* Define to 1 if you have the `RSA_get_default_method' function. */
#undef HAVE_RSA_GET_DEFAULT_METHOD
-/* Define if libcrypto has RSA_meth_dup */
+/* Define to 1 if you have the `RSA_meth_dup' function. */
#undef HAVE_RSA_METH_DUP
-/* Define if libcrypto has RSA_meth_free */
+/* Define to 1 if you have the `RSA_meth_free' function. */
#undef HAVE_RSA_METH_FREE
-/* Define if libcrypto has RSA_meth_get_finish */
+/* Define to 1 if you have the `RSA_meth_get_finish' function. */
#undef HAVE_RSA_METH_GET_FINISH
-/* Define if libcrypto has RSA_meth_set1_name */
+/* Define to 1 if you have the `RSA_meth_set1_name' function. */
#undef HAVE_RSA_METH_SET1_NAME
-/* Define if libcrypto has RSA_meth_set_finish */
+/* Define to 1 if you have the `RSA_meth_set_finish' function. */
#undef HAVE_RSA_METH_SET_FINISH
-/* Define if libcrypto has RSA_meth_set_priv_dec */
+/* Define to 1 if you have the `RSA_meth_set_priv_dec' function. */
#undef HAVE_RSA_METH_SET_PRIV_DEC
-/* Define if libcrypto has RSA_meth_set_priv_enc */
+/* Define to 1 if you have the `RSA_meth_set_priv_enc' function. */
#undef HAVE_RSA_METH_SET_PRIV_ENC
-/* Define if libcrypto has RSA_get0_srt_params */
+/* Define to 1 if you have the `RSA_set0_crt_params' function. */
#undef HAVE_RSA_SET0_CRT_PARAMS
-/* Define if libcrypto has RSA_set0_factors */
+/* Define to 1 if you have the `RSA_set0_factors' function. */
#undef HAVE_RSA_SET0_FACTORS
-/* Define if libcrypto has RSA_set0_key */
+/* Define to 1 if you have the `RSA_set0_key' function. */
#undef HAVE_RSA_SET0_KEY
/* Define to 1 if you have the <sandbox.h> header file. */
@@ -1512,6 +1533,9 @@
/* Define to 1 if you have the <util.h> header file. */
#undef HAVE_UTIL_H
+/* Define to 1 if you have the `utimensat' function. */
+#undef HAVE_UTIMENSAT
+
/* Define to 1 if you have the `utimes' function. */
#undef HAVE_UTIMES
diff --git a/configure b/configure
index 21a41103f91a..d276473cac11 100755
--- a/configure
+++ b/configure
@@ -2625,197 +2625,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_CC+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}gcc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-$as_echo "$CC" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_prog_CC"; then
- ac_ct_CC=$CC
- # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_ac_ct_CC+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="gcc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
-$as_echo "$ac_ct_CC" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
- if test "x$ac_ct_CC" = x; then
- CC=""
- else
- case $cross_compiling:$ac_tool_warned in
-yes:)
-{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-ac_tool_warned=yes ;;
-esac
- CC=$ac_ct_CC
- fi
-else
- CC="$ac_cv_prog_CC"
-fi
-
-if test -z "$CC"; then
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_CC+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}cc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-$as_echo "$CC" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
- fi
-fi
-if test -z "$CC"; then
- # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_CC+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
- ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
- fi
- ac_cv_prog_CC="cc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
-if test $ac_prog_rejected = yes; then
- # We found a bogon in the path, so make sure we never use it.
- set dummy $ac_cv_prog_CC
- shift
- if test $# != 0; then
- # We chose a different compiler from the bogus one.
- # However, it has the same basename, so the bogon will be chosen
- # first if we set CC to just the basename; use the full file name.
- shift
- ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
- fi
-fi
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
-$as_echo "$CC" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-fi
-if test -z "$CC"; then
- if test -n "$ac_tool_prefix"; then
- for ac_prog in cl.exe
+ for ac_prog in cc gcc
do
# Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
set dummy $ac_tool_prefix$ac_prog; ac_word=$2
@@ -2859,7 +2669,7 @@ fi
fi
if test -z "$CC"; then
ac_ct_CC=$CC
- for ac_prog in cl.exe
+ for ac_prog in cc gcc
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
@@ -2914,8 +2724,6 @@ esac
fi
fi
-fi
-
test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -6735,10 +6543,11 @@ fi
if test "${with_rpath+set}" = set; then :
withval=$with_rpath;
if test "x$withval" = "xno" ; then
- need_dash_r=""
- fi
- if test "x$withval" = "xyes" ; then
- need_dash_r=1
+ rpath_opt=""
+ elif test "x$withval" = "xyes" ; then
+ rpath_opt="-R"
+ else
+ rpath_opt="$withval"
fi
@@ -8059,7 +7868,7 @@ $as_echo "#define NEED_SETPGRP 1" >>confdefs.h
*-*-netbsd*)
check_for_libcrypt_before=1
if test "x$withval" != "xno" ; then
- need_dash_r=1
+ rpath_opt="-R"
fi
CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
@@ -8153,7 +7962,7 @@ $as_echo "#define SYSLOG_R_SAFE_IN_SIGHAND 1" >>confdefs.h
;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
- need_dash_r=1
+ rpath_opt="-R"
fi
$as_echo "#define PAM_SUN_CODEBASE 1" >>confdefs.h
@@ -9083,14 +8892,14 @@ if test "${with_zlib+set}" = set; then :
as_fn_error $? "*** zlib is required ***" "$LINENO" 5
elif test "x$withval" != "xyes"; then
if test -d "$withval/lib"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
else
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
else
LDFLAGS="-L${withval} ${LDFLAGS}"
fi
@@ -9161,8 +8970,8 @@ else
saved_CPPFLAGS="$CPPFLAGS"
saved_LDFLAGS="$LDFLAGS"
save_LIBS="$LIBS"
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
else
LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
fi
@@ -10607,8 +10416,8 @@ $as_echo "no" >&6; }
fi
else
CPPFLAGS="$CPPFLAGS -I${withval}/include"
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
@@ -11030,7 +10839,9 @@ for ac_func in \
errx \
explicit_bzero \
fchmod \
+ fchmodat \
fchown \
+ fchownat \
flock \
freeaddrinfo \
freezero \
@@ -11123,6 +10934,7 @@ for ac_func in \
truncate \
unsetenv \
updwtmpx \
+ utimensat \
user_from_uid \
usleep \
vasprintf \
@@ -12742,20 +12554,20 @@ if test "${with_ssl_dir+set}" = set; then :
./*|../*) withval="`pwd`/$withval"
esac
if test -d "$withval/lib"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
elif test -d "$withval/lib64"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
fi
else
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
else
LDFLAGS="-L${withval} ${LDFLAGS}"
fi
@@ -12821,17 +12633,12 @@ return RAND_add ();
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
-$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
-
else
-
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
- else
- LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
- fi
- CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
- ac_fn_c_check_header_mongrel "$LINENO" "openssl/opensslv.h" "ac_cv_header_openssl_opensslv_h" "$ac_includes_default"
+ as_fn_error $? "*** working libcrypto not found, check config.log" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ ac_fn_c_check_header_mongrel "$LINENO" "openssl/opensslv.h" "ac_cv_header_openssl_opensslv_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_opensslv_h" = xyes; then :
else
@@ -12839,40 +12646,6 @@ else
fi
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RAND_add ();
-int
-main ()
-{
-return RAND_add ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
-
-else
-
- as_fn_error $? "*** Can't find recent OpenSSL libcrypto (see config.log for details) ***" "$LINENO" 5
-
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
# Determine OpenSSL header version
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL header version" >&5
@@ -12933,6 +12706,20 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
fi
+ # Determining OpenSSL library version is version dependent.
+ for ac_func in OpenSSL_version OpenSSL_version_num
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
# Determine OpenSSL library version
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
$as_echo_n "checking OpenSSL library version... " >&6; }
@@ -12962,9 +12749,18 @@ main ()
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
-
- if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
- SSLeay_version(SSLEAY_VERSION))) < 0)
+#ifndef OPENSSL_VERSION
+# define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+#ifndef HAVE_OPENSSL_VERSION
+# define OpenSSL_version SSLeay_version
+#endif
+#ifndef HAVE_OPENSSL_VERSION_NUM
+# define OpenSSL_version_num SSLeay
+#endif
+ if ((rc = fprintf(fd, "%08lx (%s)\n",
+ (unsigned long)OpenSSL_version_num(),
+ OpenSSL_version(OPENSSL_VERSION))) < 0)
exit(1);
exit(0);
@@ -12982,14 +12778,15 @@ if ac_fn_c_try_run "$LINENO"; then :
as_fn_error $? "OpenSSL >= 1.0.1 required (have \"$ssl_library_ver\")" "$LINENO" 5
;;
100*) ;; # 1.0.x
- 1010000123456*)
+ 101000[0123456]*)
# https://github.com/openssl/openssl/pull/4613
as_fn_error $? "OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have \"$ssl_library_ver\")" "$LINENO" 5
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
+ 300*) ;; # OpenSSL development branch.
*)
- as_fn_error $? "OpenSSL > 1.1.x is not yet supported (have \"$ssl_library_ver\")" "$LINENO" 5
+ as_fn_error $? "Unknown/unsupported OpenSSL version (\"$ssl_library_ver\")" "$LINENO" 5
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5
@@ -13028,7 +12825,10 @@ int
main ()
{
- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
+#ifndef HAVE_OPENSSL_VERSION_NUM
+# define OpenSSL_version_num SSLeay
+#endif
+ exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
;
return 0;
@@ -13069,11 +12869,11 @@ fi
$as_echo_n "checking if programs using OpenSSL functions will link... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
- #include <openssl/evp.h>
+ #include <openssl/err.h>
int
main ()
{
- SSLeay_add_all_algorithms();
+ ERR_load_crypto_strings();
;
return 0;
}
@@ -13093,11 +12893,11 @@ $as_echo "no" >&6; }
$as_echo_n "checking if programs using OpenSSL need -ldl... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
- #include <openssl/evp.h>
+ #include <openssl/err.h>
int
main ()
{
- SSLeay_add_all_algorithms();
+ ERR_load_crypto_strings();
;
return 0;
}
@@ -13126,11 +12926,12 @@ rm -f core conftest.err conftest.$ac_objext \
for ac_func in \
BN_is_prime_ex \
DSA_generate_parameters_ex \
- EVP_DigestInit_ex \
+ EVP_CIPHER_CTX_ctrl \
EVP_DigestFinal_ex \
- EVP_MD_CTX_init \
+ EVP_DigestInit_ex \
EVP_MD_CTX_cleanup \
EVP_MD_CTX_copy_ex \
+ EVP_MD_CTX_init \
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
@@ -13147,6 +12948,75 @@ fi
done
+ # OpenSSL_add_all_algorithms may be a macro.
+ ac_fn_c_check_func "$LINENO" "OpenSSL_add_all_algorithms" "ac_cv_func_OpenSSL_add_all_algorithms"
+if test "x$ac_cv_func_OpenSSL_add_all_algorithms" = xyes; then :
+
+$as_echo "#define HAVE_OPENSSL_ADD_ALL_ALGORITHMS 1" >>confdefs.h
+
+else
+ ac_fn_c_check_decl "$LINENO" "OpenSSL_add_all_algorithms" "ac_cv_have_decl_OpenSSL_add_all_algorithms" "#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
+
+$as_echo "#define HAVE_OPENSSL_ADD_ALL_ALGORITHMS 1" >>confdefs.h
+
+fi
+
+
+fi
+
+
+ # LibreSSL/OpenSSL 1.1x API
+ for ac_func in \
+ OPENSSL_init_crypto \
+ DH_get0_key \
+ DH_get0_pqg \
+ DH_set0_key \
+ DH_set_length \
+ DH_set0_pqg \
+ DSA_get0_key \
+ DSA_get0_pqg \
+ DSA_set0_key \
+ DSA_set0_pqg \
+ DSA_SIG_get0 \
+ DSA_SIG_set0 \
+ ECDSA_SIG_get0 \
+ ECDSA_SIG_set0 \
+ EVP_CIPHER_CTX_iv \
+ EVP_CIPHER_CTX_iv_noconst \
+ EVP_CIPHER_CTX_get_iv \
+ EVP_CIPHER_CTX_set_iv \
+ RSA_get0_crt_params \
+ RSA_get0_factors \
+ RSA_get0_key \
+ RSA_set0_crt_params \
+ RSA_set0_factors \
+ RSA_set0_key \
+ RSA_meth_free \
+ RSA_meth_dup \
+ RSA_meth_set1_name \
+ RSA_meth_get_finish \
+ RSA_meth_set_priv_enc \
+ RSA_meth_set_priv_dec \
+ RSA_meth_set_finish \
+ EVP_PKEY_get0_RSA \
+ EVP_MD_CTX_new \
+ EVP_MD_CTX_free \
+
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
if test "x$openssl_engine" = "xyes" ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ENGINE support" >&5
$as_echo_n "checking for OpenSSL ENGINE support... " >&6; }
@@ -13302,1989 +13172,6 @@ fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_ctrl" >&5
-$as_echo_n "checking for library containing EVP_CIPHER_CTX_ctrl... " >&6; }
-if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_CIPHER_CTX_ctrl ();
-int
-main ()
-{
-return EVP_CIPHER_CTX_ctrl ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_CIPHER_CTX_ctrl=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
-
-else
- ac_cv_search_EVP_CIPHER_CTX_ctrl=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_ctrl" >&5
-$as_echo "$ac_cv_search_EVP_CIPHER_CTX_ctrl" >&6; }
-ac_res=$ac_cv_search_EVP_CIPHER_CTX_ctrl
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_CIPHER_CTX_CTRL 1" >>confdefs.h
-
-fi
-
-
- # LibreSSL/OpenSSL 1.1x API
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DH_get0_key" >&5
-$as_echo_n "checking for library containing DH_get0_key... " >&6; }
-if ${ac_cv_search_DH_get0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DH_get0_key ();
-int
-main ()
-{
-return DH_get0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DH_get0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DH_get0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DH_get0_key+:} false; then :
-
-else
- ac_cv_search_DH_get0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DH_get0_key" >&5
-$as_echo "$ac_cv_search_DH_get0_key" >&6; }
-ac_res=$ac_cv_search_DH_get0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DH_GET0_KEY 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DH_get0_pqg" >&5
-$as_echo_n "checking for library containing DH_get0_pqg... " >&6; }
-if ${ac_cv_search_DH_get0_pqg+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DH_get0_pqg ();
-int
-main ()
-{
-return DH_get0_pqg ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DH_get0_pqg=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DH_get0_pqg+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DH_get0_pqg+:} false; then :
-
-else
- ac_cv_search_DH_get0_pqg=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DH_get0_pqg" >&5
-$as_echo "$ac_cv_search_DH_get0_pqg" >&6; }
-ac_res=$ac_cv_search_DH_get0_pqg
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DH_GET0_PQG 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DH_set0_key" >&5
-$as_echo_n "checking for library containing DH_set0_key... " >&6; }
-if ${ac_cv_search_DH_set0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DH_set0_key ();
-int
-main ()
-{
-return DH_set0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DH_set0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DH_set0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DH_set0_key+:} false; then :
-
-else
- ac_cv_search_DH_set0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DH_set0_key" >&5
-$as_echo "$ac_cv_search_DH_set0_key" >&6; }
-ac_res=$ac_cv_search_DH_set0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DH_SET0_KEY 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DH_set_length" >&5
-$as_echo_n "checking for library containing DH_set_length... " >&6; }
-if ${ac_cv_search_DH_set_length+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DH_set_length ();
-int
-main ()
-{
-return DH_set_length ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DH_set_length=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DH_set_length+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DH_set_length+:} false; then :
-
-else
- ac_cv_search_DH_set_length=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DH_set_length" >&5
-$as_echo "$ac_cv_search_DH_set_length" >&6; }
-ac_res=$ac_cv_search_DH_set_length
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DH_SET_LENGTH 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DH_set0_pqg" >&5
-$as_echo_n "checking for library containing DH_set0_pqg... " >&6; }
-if ${ac_cv_search_DH_set0_pqg+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DH_set0_pqg ();
-int
-main ()
-{
-return DH_set0_pqg ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DH_set0_pqg=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DH_set0_pqg+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DH_set0_pqg+:} false; then :
-
-else
- ac_cv_search_DH_set0_pqg=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DH_set0_pqg" >&5
-$as_echo "$ac_cv_search_DH_set0_pqg" >&6; }
-ac_res=$ac_cv_search_DH_set0_pqg
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DH_SET0_PQG 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_get0_key" >&5
-$as_echo_n "checking for library containing DSA_get0_key... " >&6; }
-if ${ac_cv_search_DSA_get0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_get0_key ();
-int
-main ()
-{
-return DSA_get0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_get0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_get0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_get0_key+:} false; then :
-
-else
- ac_cv_search_DSA_get0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_get0_key" >&5
-$as_echo "$ac_cv_search_DSA_get0_key" >&6; }
-ac_res=$ac_cv_search_DSA_get0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_GET0_KEY 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_get0_pqg" >&5
-$as_echo_n "checking for library containing DSA_get0_pqg... " >&6; }
-if ${ac_cv_search_DSA_get0_pqg+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_get0_pqg ();
-int
-main ()
-{
-return DSA_get0_pqg ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_get0_pqg=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_get0_pqg+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_get0_pqg+:} false; then :
-
-else
- ac_cv_search_DSA_get0_pqg=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_get0_pqg" >&5
-$as_echo "$ac_cv_search_DSA_get0_pqg" >&6; }
-ac_res=$ac_cv_search_DSA_get0_pqg
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_GET0_PQG 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_set0_key" >&5
-$as_echo_n "checking for library containing DSA_set0_key... " >&6; }
-if ${ac_cv_search_DSA_set0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_set0_key ();
-int
-main ()
-{
-return DSA_set0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_set0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_set0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_set0_key+:} false; then :
-
-else
- ac_cv_search_DSA_set0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_set0_key" >&5
-$as_echo "$ac_cv_search_DSA_set0_key" >&6; }
-ac_res=$ac_cv_search_DSA_set0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_SET0_KEY 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_set0_pqg" >&5
-$as_echo_n "checking for library containing DSA_set0_pqg... " >&6; }
-if ${ac_cv_search_DSA_set0_pqg+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_set0_pqg ();
-int
-main ()
-{
-return DSA_set0_pqg ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_set0_pqg=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_set0_pqg+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_set0_pqg+:} false; then :
-
-else
- ac_cv_search_DSA_set0_pqg=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_set0_pqg" >&5
-$as_echo "$ac_cv_search_DSA_set0_pqg" >&6; }
-ac_res=$ac_cv_search_DSA_set0_pqg
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_SET0_PQG 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_SIG_get0" >&5
-$as_echo_n "checking for library containing DSA_SIG_get0... " >&6; }
-if ${ac_cv_search_DSA_SIG_get0+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_SIG_get0 ();
-int
-main ()
-{
-return DSA_SIG_get0 ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_SIG_get0=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_SIG_get0+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_SIG_get0+:} false; then :
-
-else
- ac_cv_search_DSA_SIG_get0=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_SIG_get0" >&5
-$as_echo "$ac_cv_search_DSA_SIG_get0" >&6; }
-ac_res=$ac_cv_search_DSA_SIG_get0
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_SIG_GET0 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DSA_SIG_set0" >&5
-$as_echo_n "checking for library containing DSA_SIG_set0... " >&6; }
-if ${ac_cv_search_DSA_SIG_set0+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DSA_SIG_set0 ();
-int
-main ()
-{
-return DSA_SIG_set0 ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DSA_SIG_set0=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DSA_SIG_set0+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DSA_SIG_set0+:} false; then :
-
-else
- ac_cv_search_DSA_SIG_set0=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DSA_SIG_set0" >&5
-$as_echo "$ac_cv_search_DSA_SIG_set0" >&6; }
-ac_res=$ac_cv_search_DSA_SIG_set0
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_DSA_SIG_SET0 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing ECDSA_SIG_get0" >&5
-$as_echo_n "checking for library containing ECDSA_SIG_get0... " >&6; }
-if ${ac_cv_search_ECDSA_SIG_get0+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char ECDSA_SIG_get0 ();
-int
-main ()
-{
-return ECDSA_SIG_get0 ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_ECDSA_SIG_get0=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_ECDSA_SIG_get0+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_ECDSA_SIG_get0+:} false; then :
-
-else
- ac_cv_search_ECDSA_SIG_get0=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_ECDSA_SIG_get0" >&5
-$as_echo "$ac_cv_search_ECDSA_SIG_get0" >&6; }
-ac_res=$ac_cv_search_ECDSA_SIG_get0
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_ECDSA_SIG_GET0 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing ECDSA_SIG_set0" >&5
-$as_echo_n "checking for library containing ECDSA_SIG_set0... " >&6; }
-if ${ac_cv_search_ECDSA_SIG_set0+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char ECDSA_SIG_set0 ();
-int
-main ()
-{
-return ECDSA_SIG_set0 ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_ECDSA_SIG_set0=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_ECDSA_SIG_set0+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_ECDSA_SIG_set0+:} false; then :
-
-else
- ac_cv_search_ECDSA_SIG_set0=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_ECDSA_SIG_set0" >&5
-$as_echo "$ac_cv_search_ECDSA_SIG_set0" >&6; }
-ac_res=$ac_cv_search_ECDSA_SIG_set0
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_ECDSA_SIG_SET0 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_iv" >&5
-$as_echo_n "checking for library containing EVP_CIPHER_CTX_iv... " >&6; }
-if ${ac_cv_search_EVP_CIPHER_CTX_iv+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_CIPHER_CTX_iv ();
-int
-main ()
-{
-return EVP_CIPHER_CTX_iv ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_CIPHER_CTX_iv=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_CIPHER_CTX_iv+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_CIPHER_CTX_iv+:} false; then :
-
-else
- ac_cv_search_EVP_CIPHER_CTX_iv=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_iv" >&5
-$as_echo "$ac_cv_search_EVP_CIPHER_CTX_iv" >&6; }
-ac_res=$ac_cv_search_EVP_CIPHER_CTX_iv
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_CIPHER_CTX_IV 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_iv_noconst" >&5
-$as_echo_n "checking for library containing EVP_CIPHER_CTX_iv_noconst... " >&6; }
-if ${ac_cv_search_EVP_CIPHER_CTX_iv_noconst+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_CIPHER_CTX_iv_noconst ();
-int
-main ()
-{
-return EVP_CIPHER_CTX_iv_noconst ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_CIPHER_CTX_iv_noconst=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_CIPHER_CTX_iv_noconst+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_CIPHER_CTX_iv_noconst+:} false; then :
-
-else
- ac_cv_search_EVP_CIPHER_CTX_iv_noconst=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_iv_noconst" >&5
-$as_echo "$ac_cv_search_EVP_CIPHER_CTX_iv_noconst" >&6; }
-ac_res=$ac_cv_search_EVP_CIPHER_CTX_iv_noconst
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_CIPHER_CTX_IV_NOCONST 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_get_iv" >&5
-$as_echo_n "checking for library containing EVP_CIPHER_CTX_get_iv... " >&6; }
-if ${ac_cv_search_EVP_CIPHER_CTX_get_iv+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_CIPHER_CTX_get_iv ();
-int
-main ()
-{
-return EVP_CIPHER_CTX_get_iv ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_CIPHER_CTX_get_iv=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_CIPHER_CTX_get_iv+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_CIPHER_CTX_get_iv+:} false; then :
-
-else
- ac_cv_search_EVP_CIPHER_CTX_get_iv=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_get_iv" >&5
-$as_echo "$ac_cv_search_EVP_CIPHER_CTX_get_iv" >&6; }
-ac_res=$ac_cv_search_EVP_CIPHER_CTX_get_iv
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_CIPHER_CTX_GET_IV 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_set_iv" >&5
-$as_echo_n "checking for library containing EVP_CIPHER_CTX_set_iv... " >&6; }
-if ${ac_cv_search_EVP_CIPHER_CTX_set_iv+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_CIPHER_CTX_set_iv ();
-int
-main ()
-{
-return EVP_CIPHER_CTX_set_iv ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_CIPHER_CTX_set_iv=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_CIPHER_CTX_set_iv+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_CIPHER_CTX_set_iv+:} false; then :
-
-else
- ac_cv_search_EVP_CIPHER_CTX_set_iv=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_set_iv" >&5
-$as_echo "$ac_cv_search_EVP_CIPHER_CTX_set_iv" >&6; }
-ac_res=$ac_cv_search_EVP_CIPHER_CTX_set_iv
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_CIPHER_CTX_GET_IV 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_get0_crt_params" >&5
-$as_echo_n "checking for library containing RSA_get0_crt_params... " >&6; }
-if ${ac_cv_search_RSA_get0_crt_params+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_get0_crt_params ();
-int
-main ()
-{
-return RSA_get0_crt_params ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_get0_crt_params=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_get0_crt_params+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_get0_crt_params+:} false; then :
-
-else
- ac_cv_search_RSA_get0_crt_params=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_get0_crt_params" >&5
-$as_echo "$ac_cv_search_RSA_get0_crt_params" >&6; }
-ac_res=$ac_cv_search_RSA_get0_crt_params
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_GET0_CRT_PARAMS 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_get0_factors" >&5
-$as_echo_n "checking for library containing RSA_get0_factors... " >&6; }
-if ${ac_cv_search_RSA_get0_factors+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_get0_factors ();
-int
-main ()
-{
-return RSA_get0_factors ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_get0_factors=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_get0_factors+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_get0_factors+:} false; then :
-
-else
- ac_cv_search_RSA_get0_factors=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_get0_factors" >&5
-$as_echo "$ac_cv_search_RSA_get0_factors" >&6; }
-ac_res=$ac_cv_search_RSA_get0_factors
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_GET0_FACTORS 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_get0_key" >&5
-$as_echo_n "checking for library containing RSA_get0_key... " >&6; }
-if ${ac_cv_search_RSA_get0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_get0_key ();
-int
-main ()
-{
-return RSA_get0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_get0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_get0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_get0_key+:} false; then :
-
-else
- ac_cv_search_RSA_get0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_get0_key" >&5
-$as_echo "$ac_cv_search_RSA_get0_key" >&6; }
-ac_res=$ac_cv_search_RSA_get0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_GET0_KEY 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_set0_crt_params" >&5
-$as_echo_n "checking for library containing RSA_set0_crt_params... " >&6; }
-if ${ac_cv_search_RSA_set0_crt_params+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_set0_crt_params ();
-int
-main ()
-{
-return RSA_set0_crt_params ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_set0_crt_params=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_set0_crt_params+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_set0_crt_params+:} false; then :
-
-else
- ac_cv_search_RSA_set0_crt_params=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_set0_crt_params" >&5
-$as_echo "$ac_cv_search_RSA_set0_crt_params" >&6; }
-ac_res=$ac_cv_search_RSA_set0_crt_params
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_SET0_CRT_PARAMS 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_set0_factors" >&5
-$as_echo_n "checking for library containing RSA_set0_factors... " >&6; }
-if ${ac_cv_search_RSA_set0_factors+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_set0_factors ();
-int
-main ()
-{
-return RSA_set0_factors ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_set0_factors=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_set0_factors+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_set0_factors+:} false; then :
-
-else
- ac_cv_search_RSA_set0_factors=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_set0_factors" >&5
-$as_echo "$ac_cv_search_RSA_set0_factors" >&6; }
-ac_res=$ac_cv_search_RSA_set0_factors
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_SET0_FACTORS 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_set0_key" >&5
-$as_echo_n "checking for library containing RSA_set0_key... " >&6; }
-if ${ac_cv_search_RSA_set0_key+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_set0_key ();
-int
-main ()
-{
-return RSA_set0_key ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_set0_key=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_set0_key+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_set0_key+:} false; then :
-
-else
- ac_cv_search_RSA_set0_key=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_set0_key" >&5
-$as_echo "$ac_cv_search_RSA_set0_key" >&6; }
-ac_res=$ac_cv_search_RSA_set0_key
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_SET0_KEY 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_free" >&5
-$as_echo_n "checking for library containing RSA_meth_free... " >&6; }
-if ${ac_cv_search_RSA_meth_free+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_free ();
-int
-main ()
-{
-return RSA_meth_free ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_free=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_free+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_free+:} false; then :
-
-else
- ac_cv_search_RSA_meth_free=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_free" >&5
-$as_echo "$ac_cv_search_RSA_meth_free" >&6; }
-ac_res=$ac_cv_search_RSA_meth_free
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_FREE 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_dup" >&5
-$as_echo_n "checking for library containing RSA_meth_dup... " >&6; }
-if ${ac_cv_search_RSA_meth_dup+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_dup ();
-int
-main ()
-{
-return RSA_meth_dup ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_dup=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_dup+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_dup+:} false; then :
-
-else
- ac_cv_search_RSA_meth_dup=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_dup" >&5
-$as_echo "$ac_cv_search_RSA_meth_dup" >&6; }
-ac_res=$ac_cv_search_RSA_meth_dup
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_DUP 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_set1_name" >&5
-$as_echo_n "checking for library containing RSA_meth_set1_name... " >&6; }
-if ${ac_cv_search_RSA_meth_set1_name+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_set1_name ();
-int
-main ()
-{
-return RSA_meth_set1_name ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_set1_name=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_set1_name+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_set1_name+:} false; then :
-
-else
- ac_cv_search_RSA_meth_set1_name=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_set1_name" >&5
-$as_echo "$ac_cv_search_RSA_meth_set1_name" >&6; }
-ac_res=$ac_cv_search_RSA_meth_set1_name
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_SET1_NAME 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_get_finish" >&5
-$as_echo_n "checking for library containing RSA_meth_get_finish... " >&6; }
-if ${ac_cv_search_RSA_meth_get_finish+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_get_finish ();
-int
-main ()
-{
-return RSA_meth_get_finish ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_get_finish=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_get_finish+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_get_finish+:} false; then :
-
-else
- ac_cv_search_RSA_meth_get_finish=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_get_finish" >&5
-$as_echo "$ac_cv_search_RSA_meth_get_finish" >&6; }
-ac_res=$ac_cv_search_RSA_meth_get_finish
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_GET_FINISH 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_set_priv_enc" >&5
-$as_echo_n "checking for library containing RSA_meth_set_priv_enc... " >&6; }
-if ${ac_cv_search_RSA_meth_set_priv_enc+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_set_priv_enc ();
-int
-main ()
-{
-return RSA_meth_set_priv_enc ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_set_priv_enc=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_set_priv_enc+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_set_priv_enc+:} false; then :
-
-else
- ac_cv_search_RSA_meth_set_priv_enc=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_set_priv_enc" >&5
-$as_echo "$ac_cv_search_RSA_meth_set_priv_enc" >&6; }
-ac_res=$ac_cv_search_RSA_meth_set_priv_enc
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_SET_PRIV_ENC 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_set_priv_dec" >&5
-$as_echo_n "checking for library containing RSA_meth_set_priv_dec... " >&6; }
-if ${ac_cv_search_RSA_meth_set_priv_dec+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_set_priv_dec ();
-int
-main ()
-{
-return RSA_meth_set_priv_dec ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_set_priv_dec=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_set_priv_dec+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_set_priv_dec+:} false; then :
-
-else
- ac_cv_search_RSA_meth_set_priv_dec=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_set_priv_dec" >&5
-$as_echo "$ac_cv_search_RSA_meth_set_priv_dec" >&6; }
-ac_res=$ac_cv_search_RSA_meth_set_priv_dec
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_SET_PRIV_DEC 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing RSA_meth_set_finish" >&5
-$as_echo_n "checking for library containing RSA_meth_set_finish... " >&6; }
-if ${ac_cv_search_RSA_meth_set_finish+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char RSA_meth_set_finish ();
-int
-main ()
-{
-return RSA_meth_set_finish ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_RSA_meth_set_finish=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_RSA_meth_set_finish+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_RSA_meth_set_finish+:} false; then :
-
-else
- ac_cv_search_RSA_meth_set_finish=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_RSA_meth_set_finish" >&5
-$as_echo "$ac_cv_search_RSA_meth_set_finish" >&6; }
-ac_res=$ac_cv_search_RSA_meth_set_finish
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_RSA_METH_SET_FINISH 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_PKEY_get0_RSA" >&5
-$as_echo_n "checking for library containing EVP_PKEY_get0_RSA... " >&6; }
-if ${ac_cv_search_EVP_PKEY_get0_RSA+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_PKEY_get0_RSA ();
-int
-main ()
-{
-return EVP_PKEY_get0_RSA ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_PKEY_get0_RSA=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_PKEY_get0_RSA+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_PKEY_get0_RSA+:} false; then :
-
-else
- ac_cv_search_EVP_PKEY_get0_RSA=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_PKEY_get0_RSA" >&5
-$as_echo "$ac_cv_search_EVP_PKEY_get0_RSA" >&6; }
-ac_res=$ac_cv_search_EVP_PKEY_get0_RSA
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_PKEY_GET0_RSA 1" >>confdefs.h
-
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_MD_CTX_new" >&5
-$as_echo_n "checking for library containing EVP_MD_CTX_new... " >&6; }
-if ${ac_cv_search_EVP_MD_CTX_new+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_MD_CTX_new ();
-int
-main ()
-{
-return EVP_MD_CTX_new ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_MD_CTX_new=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_MD_CTX_new+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_MD_CTX_new+:} false; then :
-
-else
- ac_cv_search_EVP_MD_CTX_new=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_MD_CTX_new" >&5
-$as_echo "$ac_cv_search_EVP_MD_CTX_new" >&6; }
-ac_res=$ac_cv_search_EVP_MD_CTX_new
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_MD_CTX_NEW 1" >>confdefs.h
-
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_MD_CTX_free" >&5
-$as_echo_n "checking for library containing EVP_MD_CTX_free... " >&6; }
-if ${ac_cv_search_EVP_MD_CTX_free+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EVP_MD_CTX_free ();
-int
-main ()
-{
-return EVP_MD_CTX_free ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' crypto; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_EVP_MD_CTX_free=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_EVP_MD_CTX_free+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_EVP_MD_CTX_free+:} false; then :
-
-else
- ac_cv_search_EVP_MD_CTX_free=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_MD_CTX_free" >&5
-$as_echo "$ac_cv_search_EVP_MD_CTX_free" >&6; }
-ac_res=$ac_cv_search_EVP_MD_CTX_free
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-$as_echo "#define HAVE_EVP_MD_CTX_FREE 1" >>confdefs.h
-
-fi
-
-
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5
$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -15626,6 +13513,17 @@ rm -f core conftest.err conftest.$ac_objext \
$as_echo "#define OPENSSL_HAS_ECC 1" >>confdefs.h
+ for ac_func in EC_KEY_METHOD_new
+do :
+ ac_fn_c_check_func "$LINENO" "EC_KEY_METHOD_new" "ac_cv_func_EC_KEY_METHOD_new"
+if test "x$ac_cv_func_EC_KEY_METHOD_new" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_EC_KEY_METHOD_NEW 1
+_ACEOF
+
+fi
+done
+
fi
if test x$enable_nistp256 = x1; then
@@ -20190,8 +18088,8 @@ fi
fi
- if test ! -z "$need_dash_r" ; then
- LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+ if test -n "${rpath_opt}" ; then
+ LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
fi
if test ! -z "$blibpath" ; then
blibpath="$blibpath:${KRB5ROOT}/lib"
diff --git a/configure.ac b/configure.ac
index 7379ab3589e1..30be6c18266d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@ AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])
AC_CONFIG_HEADER([config.h])
-AC_PROG_CC
+AC_PROG_CC([cc gcc])
AC_CANONICAL_HOST
AC_C_BIGENDIAN
@@ -285,10 +285,11 @@ AC_ARG_WITH([rpath],
[ --without-rpath Disable auto-added -R linker paths],
[
if test "x$withval" = "xno" ; then
- need_dash_r=""
- fi
- if test "x$withval" = "xyes" ; then
- need_dash_r=1
+ rpath_opt=""
+ elif test "x$withval" = "xyes" ; then
+ rpath_opt="-R"
+ else
+ rpath_opt="$withval"
fi
]
)
@@ -911,7 +912,7 @@ mips-sony-bsd|mips-sony-newsos4)
*-*-netbsd*)
check_for_libcrypt_before=1
if test "x$withval" != "xno" ; then
- need_dash_r=1
+ rpath_opt="-R"
fi
CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
@@ -962,7 +963,7 @@ mips-sony-bsd|mips-sony-newsos4)
;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
- need_dash_r=1
+ rpath_opt="-R"
fi
AC_DEFINE([PAM_SUN_CODEBASE])
AC_DEFINE([LOGIN_NEEDS_UTMPX])
@@ -1263,14 +1264,14 @@ AC_ARG_WITH([zlib],
AC_MSG_ERROR([*** zlib is required ***])
elif test "x$withval" != "xyes"; then
if test -d "$withval/lib"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
else
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
else
LDFLAGS="-L${withval} ${LDFLAGS}"
fi
@@ -1290,8 +1291,8 @@ AC_CHECK_LIB([z], [deflate], ,
saved_LDFLAGS="$LDFLAGS"
save_LIBS="$LIBS"
dnl Check default zlib install dir
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
else
LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
fi
@@ -1558,8 +1559,8 @@ AC_ARG_WITH([libedit],
fi
else
CPPFLAGS="$CPPFLAGS -I${withval}/include"
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
@@ -1719,7 +1720,9 @@ AC_CHECK_FUNCS([ \
errx \
explicit_bzero \
fchmod \
+ fchmodat \
fchown \
+ fchownat \
flock \
freeaddrinfo \
freezero \
@@ -1812,6 +1815,7 @@ AC_CHECK_FUNCS([ \
truncate \
unsetenv \
updwtmpx \
+ utimensat \
user_from_uid \
usleep \
vasprintf \
@@ -2476,20 +2480,20 @@ AC_ARG_WITH([ssl-dir],
./*|../*) withval="`pwd`/$withval"
esac
if test -d "$withval/lib"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
elif test -d "$withval/lib64"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib64 -R${withval}/lib64 ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib64 ${rpath_opt}${withval}/lib64 ${LDFLAGS}"
else
LDFLAGS="-L${withval}/lib64 ${LDFLAGS}"
fi
else
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
else
LDFLAGS="-L${withval} ${LDFLAGS}"
fi
@@ -2527,26 +2531,10 @@ AC_ARG_WITH([ssl-engine],
if test "x$openssl" = "xyes" ; then
LIBS="-lcrypto $LIBS"
- AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
- [Define if your ssl headers are included
- with #include <openssl/header.h>])],
- [
- dnl Check default openssl install dir
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
- else
- LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
- fi
- CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
- AC_CHECK_HEADER([openssl/opensslv.h], ,
- [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
- AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
- [
- AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
- ]
- )
- ]
- )
+ AC_TRY_LINK_FUNC([RAND_add], ,
+ [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
+ AC_CHECK_HEADER([openssl/opensslv.h], ,
+ [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
# Determine OpenSSL header version
AC_MSG_CHECKING([OpenSSL header version])
@@ -2585,6 +2573,9 @@ if test "x$openssl" = "xyes" ; then
]
)
+ # Determining OpenSSL library version is version dependent.
+ AC_CHECK_FUNCS([OpenSSL_version OpenSSL_version_num])
+
# Determine OpenSSL library version
AC_MSG_CHECKING([OpenSSL library version])
AC_RUN_IFELSE(
@@ -2601,9 +2592,18 @@ if test "x$openssl" = "xyes" ; then
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
-
- if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
- SSLeay_version(SSLEAY_VERSION))) < 0)
+#ifndef OPENSSL_VERSION
+# define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+#ifndef HAVE_OPENSSL_VERSION
+# define OpenSSL_version SSLeay_version
+#endif
+#ifndef HAVE_OPENSSL_VERSION_NUM
+# define OpenSSL_version_num SSLeay
+#endif
+ if ((rc = fprintf(fd, "%08lx (%s)\n",
+ (unsigned long)OpenSSL_version_num(),
+ OpenSSL_version(OPENSSL_VERSION))) < 0)
exit(1);
exit(0);
@@ -2616,14 +2616,15 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
;;
100*) ;; # 1.0.x
- 101000[0123456]*)
+ 101000[[0123456]]*)
# https://github.com/openssl/openssl/pull/4613
AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
+ 300*) ;; # OpenSSL development branch.
*)
- AC_MSG_ERROR([OpenSSL > 1.1.x is not yet supported (have "$ssl_library_ver")])
+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
;;
esac
AC_MSG_RESULT([$ssl_library_ver])
@@ -2645,7 +2646,10 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
]], [[
- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
+#ifndef HAVE_OPENSSL_VERSION_NUM
+# define OpenSSL_version_num SSLeay
+#endif
+ exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
[
AC_MSG_RESULT([yes])
@@ -2672,8 +2676,8 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_CHECKING([if programs using OpenSSL functions will link])
AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
- [[ SSLeay_add_all_algorithms(); ]])],
+ [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
+ [[ ERR_load_crypto_strings(); ]])],
[
AC_MSG_RESULT([yes])
],
@@ -2683,8 +2687,8 @@ if test "x$openssl" = "xyes" ; then
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
- [[ SSLeay_add_all_algorithms(); ]])],
+ [AC_LANG_PROGRAM([[ #include <openssl/err.h> ]],
+ [[ ERR_load_crypto_strings(); ]])],
[
AC_MSG_RESULT([yes])
],
@@ -2699,16 +2703,64 @@ if test "x$openssl" = "xyes" ; then
AC_CHECK_FUNCS([ \
BN_is_prime_ex \
DSA_generate_parameters_ex \
- EVP_DigestInit_ex \
+ EVP_CIPHER_CTX_ctrl \
EVP_DigestFinal_ex \
- EVP_MD_CTX_init \
+ EVP_DigestInit_ex \
EVP_MD_CTX_cleanup \
EVP_MD_CTX_copy_ex \
+ EVP_MD_CTX_init \
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
])
+ # OpenSSL_add_all_algorithms may be a macro.
+ AC_CHECK_FUNC(OpenSSL_add_all_algorithms,
+ AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a function]),
+ AC_CHECK_DECL(OpenSSL_add_all_algorithms,
+ AC_DEFINE(HAVE_OPENSSL_ADD_ALL_ALGORITHMS, 1, [as a macro]), ,
+ [[#include <openssl/evp.h>]]
+ )
+ )
+
+ # LibreSSL/OpenSSL 1.1x API
+ AC_CHECK_FUNCS([ \
+ OPENSSL_init_crypto \
+ DH_get0_key \
+ DH_get0_pqg \
+ DH_set0_key \
+ DH_set_length \
+ DH_set0_pqg \
+ DSA_get0_key \
+ DSA_get0_pqg \
+ DSA_set0_key \
+ DSA_set0_pqg \
+ DSA_SIG_get0 \
+ DSA_SIG_set0 \
+ ECDSA_SIG_get0 \
+ ECDSA_SIG_set0 \
+ EVP_CIPHER_CTX_iv \
+ EVP_CIPHER_CTX_iv_noconst \
+ EVP_CIPHER_CTX_get_iv \
+ EVP_CIPHER_CTX_set_iv \
+ RSA_get0_crt_params \
+ RSA_get0_factors \
+ RSA_get0_key \
+ RSA_set0_crt_params \
+ RSA_set0_factors \
+ RSA_set0_key \
+ RSA_meth_free \
+ RSA_meth_dup \
+ RSA_meth_set1_name \
+ RSA_meth_get_finish \
+ RSA_meth_set_priv_enc \
+ RSA_meth_set_priv_dec \
+ RSA_meth_set_finish \
+ EVP_PKEY_get0_RSA \
+ EVP_MD_CTX_new \
+ EVP_MD_CTX_free \
+ ])
+
if test "x$openssl_engine" = "xyes" ; then
AC_MSG_CHECKING([for OpenSSL ENGINE support])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
@@ -2792,119 +2844,6 @@ if test "x$openssl" = "xyes" ; then
]
)
- AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
- [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
-
- # LibreSSL/OpenSSL 1.1x API
- AC_SEARCH_LIBS([DH_get0_key], [crypto],
- [AC_DEFINE([HAVE_DH_GET0_KEY], [1],
- [Define if libcrypto has DH_get0_key])])
- AC_SEARCH_LIBS([DH_get0_pqg], [crypto],
- [AC_DEFINE([HAVE_DH_GET0_PQG], [1],
- [Define if libcrypto has DH_get0_pqg])])
- AC_SEARCH_LIBS([DH_set0_key], [crypto],
- [AC_DEFINE([HAVE_DH_SET0_KEY], [1],
- [Define if libcrypto has DH_set0_key])])
- AC_SEARCH_LIBS([DH_set_length], [crypto],
- [AC_DEFINE([HAVE_DH_SET_LENGTH], [1],
- [Define if libcrypto has DH_set_length])])
- AC_SEARCH_LIBS([DH_set0_pqg], [crypto],
- [AC_DEFINE([HAVE_DH_SET0_PQG], [1],
- [Define if libcrypto has DH_set0_pqg])])
-
- AC_SEARCH_LIBS([DSA_get0_key], [crypto],
- [AC_DEFINE([HAVE_DSA_GET0_KEY], [1],
- [Define if libcrypto has DSA_get0_key])])
- AC_SEARCH_LIBS([DSA_get0_pqg], [crypto],
- [AC_DEFINE([HAVE_DSA_GET0_PQG], [1],
- [Define if libcrypto has DSA_get0_pqg])])
- AC_SEARCH_LIBS([DSA_set0_key], [crypto],
- [AC_DEFINE([HAVE_DSA_SET0_KEY], [1],
- [Define if libcrypto has DSA_set0_key])])
- AC_SEARCH_LIBS([DSA_set0_pqg], [crypto],
- [AC_DEFINE([HAVE_DSA_SET0_PQG], [1],
- [Define if libcrypto has DSA_set0_pqg])])
-
- AC_SEARCH_LIBS([DSA_SIG_get0], [crypto],
- [AC_DEFINE([HAVE_DSA_SIG_GET0], [1],
- [Define if libcrypto has DSA_SIG_get0])])
- AC_SEARCH_LIBS([DSA_SIG_set0], [crypto],
- [AC_DEFINE([HAVE_DSA_SIG_SET0], [1],
- [Define if libcrypto has DSA_SIG_set0])])
-
- AC_SEARCH_LIBS([ECDSA_SIG_get0], [crypto],
- [AC_DEFINE([HAVE_ECDSA_SIG_GET0], [1],
- [Define if libcrypto has ECDSA_SIG_get0])])
- AC_SEARCH_LIBS([ECDSA_SIG_set0], [crypto],
- [AC_DEFINE([HAVE_ECDSA_SIG_SET0], [1],
- [Define if libcrypto has ECDSA_SIG_set0])])
-
- AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv], [crypto],
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV], [1],
- [Define if libcrypto has EVP_CIPHER_CTX_iv])])
- AC_SEARCH_LIBS([EVP_CIPHER_CTX_iv_noconst], [crypto],
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_IV_NOCONST], [1],
- [Define if libcrypto has EVP_CIPHER_CTX_iv_noconst])])
- AC_SEARCH_LIBS([EVP_CIPHER_CTX_get_iv], [crypto],
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
- [Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
- AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
- [Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
-
- AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
- [AC_DEFINE([HAVE_RSA_GET0_CRT_PARAMS], [1],
- [Define if libcrypto has RSA_get0_crt_params])])
- AC_SEARCH_LIBS([RSA_get0_factors], [crypto],
- [AC_DEFINE([HAVE_RSA_GET0_FACTORS], [1],
- [Define if libcrypto has RSA_get0_factors])])
- AC_SEARCH_LIBS([RSA_get0_key], [crypto],
- [AC_DEFINE([HAVE_RSA_GET0_KEY], [1],
- [Define if libcrypto has RSA_get0_key])])
- AC_SEARCH_LIBS([RSA_set0_crt_params], [crypto],
- [AC_DEFINE([HAVE_RSA_SET0_CRT_PARAMS], [1],
- [Define if libcrypto has RSA_get0_srt_params])])
- AC_SEARCH_LIBS([RSA_set0_factors], [crypto],
- [AC_DEFINE([HAVE_RSA_SET0_FACTORS], [1],
- [Define if libcrypto has RSA_set0_factors])])
- AC_SEARCH_LIBS([RSA_set0_key], [crypto],
- [AC_DEFINE([HAVE_RSA_SET0_KEY], [1],
- [Define if libcrypto has RSA_set0_key])])
-
- AC_SEARCH_LIBS([RSA_meth_free], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_FREE], [1],
- [Define if libcrypto has RSA_meth_free])])
- AC_SEARCH_LIBS([RSA_meth_dup], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_DUP], [1],
- [Define if libcrypto has RSA_meth_dup])])
- AC_SEARCH_LIBS([RSA_meth_set1_name], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_SET1_NAME], [1],
- [Define if libcrypto has RSA_meth_set1_name])])
- AC_SEARCH_LIBS([RSA_meth_get_finish], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_GET_FINISH], [1],
- [Define if libcrypto has RSA_meth_get_finish])])
- AC_SEARCH_LIBS([RSA_meth_set_priv_enc], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1],
- [Define if libcrypto has RSA_meth_set_priv_enc])])
- AC_SEARCH_LIBS([RSA_meth_set_priv_dec], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1],
- [Define if libcrypto has RSA_meth_set_priv_dec])])
- AC_SEARCH_LIBS([RSA_meth_set_finish], [crypto],
- [AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1],
- [Define if libcrypto has RSA_meth_set_finish])])
-
- AC_SEARCH_LIBS([EVP_PKEY_get0_RSA], [crypto],
- [AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1],
- [Define if libcrypto has EVP_PKEY_get0_RSA])])
-
- AC_SEARCH_LIBS([EVP_MD_CTX_new], [crypto],
- [AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1],
- [Define if libcrypto has EVP_MD_CTX_new])])
- AC_SEARCH_LIBS([EVP_MD_CTX_free], [crypto],
- [AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1],
- [Define if libcrypto has EVP_MD_CTX_free])])
-
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
@@ -3036,6 +2975,7 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
test x$enable_nistp521 = x1; then
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
+ AC_CHECK_FUNCS([EC_KEY_METHOD_new])
fi
if test x$enable_nistp256 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
@@ -3516,10 +3456,10 @@ fi
AC_CHECK_TYPES([long long, unsigned long long, long double])
# Check datatype sizes
-AC_CHECK_SIZEOF([short int], [2])
-AC_CHECK_SIZEOF([int], [4])
-AC_CHECK_SIZEOF([long int], [4])
-AC_CHECK_SIZEOF([long long int], [8])
+AC_CHECK_SIZEOF([short int])
+AC_CHECK_SIZEOF([int])
+AC_CHECK_SIZEOF([long int])
+AC_CHECK_SIZEOF([long long int])
# Sanity check long long for some platforms (AIX)
if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
@@ -4468,8 +4408,8 @@ AC_ARG_WITH([kerberos5],
[ CPPFLAGS="$oldCPP" ])
fi
- if test ! -z "$need_dash_r" ; then
- LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+ if test -n "${rpath_opt}" ; then
+ LDFLAGS="$LDFLAGS ${rpath_opt}${KRB5ROOT}/lib"
fi
if test ! -z "$blibpath" ; then
blibpath="$blibpath:${KRB5ROOT}/lib"
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 261020af33e8..a8572e2ac879 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -61,7 +61,7 @@ LOCALSTATEDIR=/var
sshd_config_configured=no
port_number=22
-service_name=sshd
+service_name=cygsshd
strictmodes=yes
cygwin_value=""
user_account=
@@ -307,7 +307,7 @@ check_service_files_ownership() {
if [ -z "${run_service_as}" ]
then
- accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+ accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" |
/usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" = "LocalSystem" ]
then
@@ -329,9 +329,9 @@ check_service_files_ownership() {
fi
if [ -z "${run_service_as}" ]
then
- csih_warning "Couldn't determine name of user running sshd service from account database!"
+ csih_warning "Couldn't determine name of user running ${service_name} service from account database!"
csih_warning "As a result, this script cannot make sure that the files used"
- csih_warning "by the sshd service belong to the user running the service."
+ csih_warning "by the ${service_name} service belong to the user running the service."
return 1
fi
fi
@@ -367,8 +367,8 @@ check_service_files_ownership() {
if [ $ret -ne 0 ]
then
csih_warning "Couldn't change owner of important files to ${run_service_as}!"
- csih_warning "This may cause the sshd service to fail! Please make sure that"
- csih_warning "you have suufficient permissions to change the ownership of files"
+ csih_warning "This may cause the ${service_name} service to fail! Please make sure that"
+ csih_warning "you have sufficient permissions to change the ownership of files"
csih_warning "and try to run the ssh-host-config script again."
fi
return $ret
@@ -394,14 +394,24 @@ install_service() {
then
csih_get_cygenv "${cygwin_value}"
- if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
then
- csih_inform "On Windows Server 2003, Windows Vista, and above, the"
- csih_inform "SYSTEM account cannot setuid to other users -- a capability"
- csih_inform "sshd requires. You need to have or to create a privileged"
- csih_inform "account. This script will help you do so."
- echo
+ # Enforce using privileged user on 64 bit Vista or W7 under WOW64
+ is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0)
+ if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] )
+ then
+ csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7"
+ csih_inform "the SYSTEM account is not sufficient to setuid to a local"
+ csih_inform "user account. You need to have or to create a privileged"
+ csih_inform "account. This script will help you do so."
+ echo
+ csih_FORCE_PRIVILEGED_USER=yes
+ fi
+ fi
+
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ then
[ "${opt_force}" = "yes" ] && opt_f=-f
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
@@ -412,11 +422,12 @@ install_service() {
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
+ # Never returns empty if NT or above
+ run_service_as=$(csih_service_should_run_as)
+ else
+ run_service_as="SYSTEM"
fi
- # Never returns empty if NT or above
- run_service_as=$(csih_service_should_run_as)
-
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
@@ -446,7 +457,7 @@ install_service() {
echo
csih_inform "The sshd service has been installed under the LocalSystem"
csih_inform "account (also known as SYSTEM). To start the service now, call"
- csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
+ csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it"
csih_inform "will start automatically after the next reboot."
fi
else
@@ -669,14 +680,24 @@ then
fi
# handle sshd_config
+# make sure not to change the existing file
+mod_before=""
+if [ -e "${SYSCONFDIR}/sshd_config" ]
+then
+ mod_before=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
+fi
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
+mod_now=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
sshd_config_configured=yes
fi
-sshd_strictmodes || let warning_cnt+=$?
-sshd_privsep || let warning_cnt+=$?
-sshd_config_tweak || let warning_cnt+=$?
+if [ "${mod_before}" != "${mod_now}" ]
+then
+ sshd_strictmodes || let warning_cnt+=$?
+ sshd_config_tweak || let warning_cnt+=$?
+fi
+#sshd_privsep || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index d7823483d10d..f3c175523a63 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 7.9p1
+%define ver 8.0p1
%define rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index b43d8985abaf..4788718156a4 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 7.9p1
+Version: 8.0p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
diff --git a/crypto_api.h b/crypto_api.h
index 7f45bbd69e77..eb05251ff164 100644
--- a/crypto_api.h
+++ b/crypto_api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_api.h,v 1.4 2017/12/14 21:07:39 naddy Exp $ */
+/* $OpenBSD: crypto_api.h,v 1.5 2019/01/21 10:20:12 djm Exp $ */
/*
* Assembled from generated headers and source files by Markus Friedl.
@@ -15,10 +15,15 @@
#endif
#include <stdlib.h>
+typedef int8_t crypto_int8;
+typedef uint8_t crypto_uint8;
+typedef int16_t crypto_int16;
+typedef uint16_t crypto_uint16;
typedef int32_t crypto_int32;
typedef uint32_t crypto_uint32;
#define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len))
+#define small_random32() arc4random()
#define crypto_hash_sha512_BYTES 64U
@@ -37,4 +42,15 @@ int crypto_sign_ed25519_open(unsigned char *, unsigned long long *,
const unsigned char *, unsigned long long, const unsigned char *);
int crypto_sign_ed25519_keypair(unsigned char *, unsigned char *);
+#define crypto_kem_sntrup4591761_PUBLICKEYBYTES 1218
+#define crypto_kem_sntrup4591761_SECRETKEYBYTES 1600
+#define crypto_kem_sntrup4591761_CIPHERTEXTBYTES 1047
+#define crypto_kem_sntrup4591761_BYTES 32
+
+int crypto_kem_sntrup4591761_enc(unsigned char *cstr, unsigned char *k,
+ const unsigned char *pk);
+int crypto_kem_sntrup4591761_dec(unsigned char *k,
+ const unsigned char *cstr, const unsigned char *sk);
+int crypto_kem_sntrup4591761_keypair(unsigned char *pk, unsigned char *sk);
+
#endif /* crypto_api_h */
diff --git a/dh.c b/dh.c
index 657b32da3d98..a98d39ed5ff4 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.68 2018/09/17 15:40:14 millert Exp $ */
+/* $OpenBSD: dh.c,v 1.69 2018/11/09 02:56:22 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@@ -406,7 +406,7 @@ dh_new_group16(void)
DH *
dh_new_group18(void)
{
- static char *gen = "2", *group16 =
+ static char *gen = "2", *group18 =
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
@@ -451,7 +451,7 @@ dh_new_group18(void)
"9558E447" "5677E9AA" "9E3050E2" "765694DF" "C81F56E8" "80B96E71"
"60C980DD" "98EDD3DF" "FFFFFFFF" "FFFFFFFF";
- return (dh_new_group_asc(gen, group16));
+ return (dh_new_group_asc(gen, group18));
}
/* Select fallback group used by DH-GEX if moduli file cannot be read. */
diff --git a/dh.h b/dh.h
index 344b29e356ce..adb643a75343 100644
--- a/dh.h
+++ b/dh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.15 2016/05/02 10:26:04 djm Exp $ */
+/* $OpenBSD: dh.h,v 1.17 2019/01/20 01:12:40 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
@@ -48,7 +48,7 @@ u_int dh_estimate(int);
/*
* Max value from RFC4419.
- * Miniumum increased in light of DH precomputation attacks.
+ * Min value from RFC8270.
*/
#define DH_GRP_MIN 2048
#define DH_GRP_MAX 8192
diff --git a/dispatch.c b/dispatch.c
index 0b3ea614e150..6e4c501e0573 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dispatch.c,v 1.31 2017/05/31 07:00:13 markus Exp $ */
+/* $OpenBSD: dispatch.c,v 1.32 2019/01/19 21:33:13 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -47,7 +47,7 @@ dispatch_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
(r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
- sshpkt_fatal(ssh, __func__, r);
+ sshpkt_fatal(ssh, r, "%s", __func__);
return 0;
}
@@ -131,5 +131,5 @@ ssh_dispatch_run_fatal(struct ssh *ssh, int mode, volatile sig_atomic_t *done)
int r;
if ((r = ssh_dispatch_run(ssh, mode, done)) != 0)
- sshpkt_fatal(ssh, __func__, r);
+ sshpkt_fatal(ssh, r, "%s", __func__);
}
diff --git a/dispatch.h b/dispatch.h
index 17a6f3db6338..a22d7749febb 100644
--- a/dispatch.h
+++ b/dispatch.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dispatch.h,v 1.14 2017/05/31 07:00:13 markus Exp $ */
+/* $OpenBSD: dispatch.h,v 1.15 2019/01/19 21:45:31 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -46,11 +46,4 @@ void ssh_dispatch_range(struct ssh *, u_int, u_int, dispatch_fn *);
int ssh_dispatch_run(struct ssh *, int, volatile sig_atomic_t *);
void ssh_dispatch_run_fatal(struct ssh *, int, volatile sig_atomic_t *);
-#define dispatch_init(dflt) \
- ssh_dispatch_init(active_state, (dflt))
-#define dispatch_range(from, to, fn) \
- ssh_dispatch_range(active_state, (from), (to), (fn))
-#define dispatch_set(type, fn) \
- ssh_dispatch_set(active_state, (type), (fn))
-
#endif
diff --git a/entropy.c b/entropy.c
index c178c00cf61c..31a7f1c3ef54 100644
--- a/entropy.c
+++ b/entropy.c
@@ -24,6 +24,8 @@
#include "includes.h"
+#define RANDOM_SEED_SIZE 48
+
#ifdef WITH_OPENSSL
#include <sys/types.h>
@@ -64,8 +66,6 @@
*/
#ifndef OPENSSL_PRNG_ONLY
-#define RANDOM_SEED_SIZE 48
-
/*
* Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon
* listening either on 'tcp_port', or via Unix domain socket at *
@@ -216,35 +216,46 @@ rexec_recv_rng_seed(struct sshbuf *m)
void
seed_rng(void)
{
-#ifndef OPENSSL_PRNG_ONLY
unsigned char buf[RANDOM_SEED_SIZE];
-#endif
- if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
+
+ /* Initialise libcrypto */
+ ssh_libcrypto_init();
+
+ if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
+ OpenSSL_version_num()))
fatal("OpenSSL version mismatch. Built against %lx, you "
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ "have %lx", (u_long)OPENSSL_VERSION_NUMBER,
+ OpenSSL_version_num());
#ifndef OPENSSL_PRNG_ONLY
- if (RAND_status() == 1) {
+ if (RAND_status() == 1)
debug3("RNG is ready, skipping seeding");
- return;
+ else {
+ if (seed_from_prngd(buf, sizeof(buf)) == -1)
+ fatal("Could not obtain seed from PRNGd");
+ RAND_add(buf, sizeof(buf), sizeof(buf));
}
-
- if (seed_from_prngd(buf, sizeof(buf)) == -1)
- fatal("Could not obtain seed from PRNGd");
- RAND_add(buf, sizeof(buf), sizeof(buf));
- memset(buf, '\0', sizeof(buf));
-
#endif /* OPENSSL_PRNG_ONLY */
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
+
+ /* Ensure arc4random() is primed */
+ arc4random_buf(buf, sizeof(buf));
+ explicit_bzero(buf, sizeof(buf));
}
#else /* WITH_OPENSSL */
-/* Handled in arc4random() */
+/* Acutal initialisation is handled in arc4random() */
void
seed_rng(void)
{
+ unsigned char buf[RANDOM_SEED_SIZE];
+
+ /* Ensure arc4random() is primed */
+ arc4random_buf(buf, sizeof(buf));
+ explicit_bzero(buf, sizeof(buf));
}
#endif /* WITH_OPENSSL */
diff --git a/groupaccess.c b/groupaccess.c
index 9e4d25521647..80d3019152c2 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: groupaccess.c,v 1.16 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: groupaccess.c,v 1.17 2019/03/06 22:14:23 dtucker Exp $ */
/*
* Copyright (c) 2001 Kevin Steves. All rights reserved.
*
@@ -103,7 +103,8 @@ ga_match_pattern_list(const char *group_pattern)
int i, found = 0;
for (i = 0; i < ngroups; i++) {
- switch (match_pattern_list(groups_byname[i], group_pattern, 0)) {
+ switch (match_usergroup_pattern_list(groups_byname[i],
+ group_pattern)) {
case -1:
return 0; /* Negated match wins */
case 0:
diff --git a/kex.c b/kex.c
index 25f9f66f69af..34808b5c39da 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.141 2018/07/09 13:37:10 sf Exp $ */
+/* $OpenBSD: kex.c,v 1.150 2019/01/21 12:08:13 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -25,19 +25,25 @@
#include "includes.h"
-
+#include <sys/types.h>
+#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
+#include <poll.h>
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
#endif
+#include "ssh.h"
#include "ssh2.h"
+#include "atomicio.h"
+#include "version.h"
#include "packet.h"
#include "compat.h"
#include "cipher.h"
@@ -102,6 +108,8 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+ { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0,
+ SSH_DIGEST_SHA512 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, -1, -1, -1},
};
@@ -487,6 +495,7 @@ kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
return r;
kex->done = 1;
+ kex->flags &= ~KEX_INITIAL;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
kex->flags &= ~KEX_INIT_SENT;
@@ -577,31 +586,20 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
return SSH_ERR_INTERNAL_ERROR;
}
-int
-kex_new(struct ssh *ssh, char *proposal[PROPOSAL_MAX], struct kex **kexp)
+struct kex *
+kex_new(void)
{
struct kex *kex;
- int r;
- *kexp = NULL;
- if ((kex = calloc(1, sizeof(*kex))) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- if ((kex->peer = sshbuf_new()) == NULL ||
- (kex->my = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = kex_prop2buf(kex->my, proposal)) != 0)
- goto out;
- kex->done = 0;
- kex_reset_dispatch(ssh);
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
- r = 0;
- *kexp = kex;
- out:
- if (r != 0)
+ if ((kex = calloc(1, sizeof(*kex))) == NULL ||
+ (kex->peer = sshbuf_new()) == NULL ||
+ (kex->my = sshbuf_new()) == NULL ||
+ (kex->client_version = sshbuf_new()) == NULL ||
+ (kex->server_version = sshbuf_new()) == NULL) {
kex_free(kex);
- return r;
+ return NULL;
+ }
+ return kex;
}
void
@@ -640,6 +638,9 @@ kex_free(struct kex *kex)
{
u_int mode;
+ if (kex == NULL)
+ return;
+
#ifdef WITH_OPENSSL
DH_free(kex->dh);
#ifdef OPENSSL_HAS_ECC
@@ -652,9 +653,10 @@ kex_free(struct kex *kex)
}
sshbuf_free(kex->peer);
sshbuf_free(kex->my);
+ sshbuf_free(kex->client_version);
+ sshbuf_free(kex->server_version);
+ sshbuf_free(kex->client_pub);
free(kex->session_id);
- free(kex->client_version_string);
- free(kex->server_version_string);
free(kex->failed_choice);
free(kex->hostkey_alg);
free(kex->name);
@@ -662,11 +664,24 @@ kex_free(struct kex *kex)
}
int
+kex_ready(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
+{
+ int r;
+
+ if ((r = kex_prop2buf(ssh->kex->my, proposal)) != 0)
+ return r;
+ ssh->kex->flags = KEX_INITIAL;
+ kex_reset_dispatch(ssh);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
+ return 0;
+}
+
+int
kex_setup(struct ssh *ssh, char *proposal[PROPOSAL_MAX])
{
int r;
- if ((r = kex_new(ssh, proposal, &ssh->kex)) != 0)
+ if ((r = kex_ready(ssh, proposal)) != 0)
return r;
if ((r = kex_send_kexinit(ssh)) != 0) { /* we start */
kex_free(ssh->kex);
@@ -839,7 +854,7 @@ kex_choose_conf(struct ssh *ssh)
}
/* Check whether client supports ext_info_c */
- if (kex->server) {
+ if (kex->server && (kex->flags & KEX_INITIAL)) {
char *ext;
ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
@@ -997,6 +1012,14 @@ kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
u_int i, j, mode, ctos;
int r;
+ /* save initial hash as session id */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = hashlen;
+ kex->session_id = malloc(kex->session_id_len);
+ if (kex->session_id == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ memcpy(kex->session_id, hash, kex->session_id_len);
+ }
for (i = 0; i < NKEYS; i++) {
if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
shared_secret, &keys[i])) != 0) {
@@ -1015,29 +1038,276 @@ kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
return 0;
}
-#ifdef WITH_OPENSSL
int
-kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
- const BIGNUM *secret)
+kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp)
{
- struct sshbuf *shared_secret;
- int r;
+ struct kex *kex = ssh->kex;
- if ((shared_secret = sshbuf_new()) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
- r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
- sshbuf_free(shared_secret);
- return r;
+ *pubp = NULL;
+ *prvp = NULL;
+ if (kex->load_host_public_key == NULL ||
+ kex->load_host_private_key == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ *pubp = kex->load_host_public_key(kex->hostkey_type,
+ kex->hostkey_nid, ssh);
+ *prvp = kex->load_host_private_key(kex->hostkey_type,
+ kex->hostkey_nid, ssh);
+ if (*pubp == NULL)
+ return SSH_ERR_NO_HOSTKEY_LOADED;
+ return 0;
}
-#endif
+int
+kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
+{
+ struct kex *kex = ssh->kex;
+
+ if (kex->verify_host_key == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ if (server_host_key->type != kex->hostkey_type ||
+ (kex->hostkey_type == KEY_ECDSA &&
+ server_host_key->ecdsa_nid != kex->hostkey_nid))
+ return SSH_ERR_KEY_TYPE_MISMATCH;
+ if (kex->verify_host_key(server_host_key, ssh) == -1)
+ return SSH_ERR_SIGNATURE_INVALID;
+ return 0;
+}
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
void
-dump_digest(char *msg, u_char *digest, int len)
+dump_digest(const char *msg, const u_char *digest, int len)
{
fprintf(stderr, "%s\n", msg);
sshbuf_dump_data(digest, len, stderr);
}
#endif
+
+/*
+ * Send a plaintext error message to the peer, suffixed by \r\n.
+ * Only used during banner exchange, and there only for the server.
+ */
+static void
+send_error(struct ssh *ssh, char *msg)
+{
+ char *crnl = "\r\n";
+
+ if (!ssh->kex->server)
+ return;
+
+ if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+ msg, strlen(msg)) != strlen(msg) ||
+ atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+ crnl, strlen(crnl)) != strlen(crnl))
+ error("%s: write: %.100s", __func__, strerror(errno));
+}
+
+/*
+ * Sends our identification string and waits for the peer's. Will block for
+ * up to timeout_ms (or indefinitely if timeout_ms <= 0).
+ * Returns on 0 success or a ssherr.h code on failure.
+ */
+int
+kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ const char *version_addendum)
+{
+ int remote_major, remote_minor, mismatch;
+ size_t len, i, n;
+ int r, expect_nl;
+ u_char c;
+ struct sshbuf *our_version = ssh->kex->server ?
+ ssh->kex->server_version : ssh->kex->client_version;
+ struct sshbuf *peer_version = ssh->kex->server ?
+ ssh->kex->client_version : ssh->kex->server_version;
+ char *our_version_string = NULL, *peer_version_string = NULL;
+ char *cp, *remote_version = NULL;
+
+ /* Prepare and send our banner */
+ sshbuf_reset(our_version);
+ if (version_addendum != NULL && *version_addendum == '\0')
+ version_addendum = NULL;
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ version_addendum == NULL ? "" : " ",
+ version_addendum == NULL ? "" : version_addendum)) != 0) {
+ error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+ goto out;
+ }
+
+ if (atomicio(vwrite, ssh_packet_get_connection_out(ssh),
+ sshbuf_mutable_ptr(our_version),
+ sshbuf_len(our_version)) != sshbuf_len(our_version)) {
+ error("%s: write: %.100s", __func__, strerror(errno));
+ r = SSH_ERR_SYSTEM_ERROR;
+ goto out;
+ }
+ if ((r = sshbuf_consume_end(our_version, 2)) != 0) { /* trim \r\n */
+ error("%s: sshbuf_consume_end: %s", __func__, ssh_err(r));
+ goto out;
+ }
+ our_version_string = sshbuf_dup_string(our_version);
+ if (our_version_string == NULL) {
+ error("%s: sshbuf_dup_string failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ debug("Local version string %.100s", our_version_string);
+
+ /* Read other side's version identification. */
+ for (n = 0; ; n++) {
+ if (n >= SSH_MAX_PRE_BANNER_LINES) {
+ send_error(ssh, "No SSH identification string "
+ "received.");
+ error("%s: No SSH version received in first %u lines "
+ "from server", __func__, SSH_MAX_PRE_BANNER_LINES);
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ sshbuf_reset(peer_version);
+ expect_nl = 0;
+ for (i = 0; ; i++) {
+ if (timeout_ms > 0) {
+ r = waitrfd(ssh_packet_get_connection_in(ssh),
+ &timeout_ms);
+ if (r == -1 && errno == ETIMEDOUT) {
+ send_error(ssh, "Timed out waiting "
+ "for SSH identification string.");
+ error("Connection timed out during "
+ "banner exchange");
+ r = SSH_ERR_CONN_TIMEOUT;
+ goto out;
+ } else if (r == -1) {
+ error("%s: %s",
+ __func__, strerror(errno));
+ r = SSH_ERR_SYSTEM_ERROR;
+ goto out;
+ }
+ }
+
+ len = atomicio(read, ssh_packet_get_connection_in(ssh),
+ &c, 1);
+ if (len != 1 && errno == EPIPE) {
+ error("%s: Connection closed by remote host",
+ __func__);
+ r = SSH_ERR_CONN_CLOSED;
+ goto out;
+ } else if (len != 1) {
+ error("%s: read: %.100s",
+ __func__, strerror(errno));
+ r = SSH_ERR_SYSTEM_ERROR;
+ goto out;
+ }
+ if (c == '\r') {
+ expect_nl = 1;
+ continue;
+ }
+ if (c == '\n')
+ break;
+ if (c == '\0' || expect_nl) {
+ error("%s: banner line contains invalid "
+ "characters", __func__);
+ goto invalid;
+ }
+ if ((r = sshbuf_put_u8(peer_version, c)) != 0) {
+ error("%s: sshbuf_put: %s",
+ __func__, ssh_err(r));
+ goto out;
+ }
+ if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
+ error("%s: banner line too long", __func__);
+ goto invalid;
+ }
+ }
+ /* Is this an actual protocol banner? */
+ if (sshbuf_len(peer_version) > 4 &&
+ memcmp(sshbuf_ptr(peer_version), "SSH-", 4) == 0)
+ break;
+ /* If not, then just log the line and continue */
+ if ((cp = sshbuf_dup_string(peer_version)) == NULL) {
+ error("%s: sshbuf_dup_string failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ /* Do not accept lines before the SSH ident from a client */
+ if (ssh->kex->server) {
+ error("%s: client sent invalid protocol identifier "
+ "\"%.256s\"", __func__, cp);
+ free(cp);
+ goto invalid;
+ }
+ debug("%s: banner line %zu: %s", __func__, n, cp);
+ free(cp);
+ }
+ peer_version_string = sshbuf_dup_string(peer_version);
+ if (peer_version_string == NULL)
+ error("%s: sshbuf_dup_string failed", __func__);
+ /* XXX must be same size for sscanf */
+ if ((remote_version = calloc(1, sshbuf_len(peer_version))) == NULL) {
+ error("%s: calloc failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ /*
+ * Check that the versions match. In future this might accept
+ * several versions and set appropriate flags to handle them.
+ */
+ if (sscanf(peer_version_string, "SSH-%d.%d-%[^\n]\n",
+ &remote_major, &remote_minor, remote_version) != 3) {
+ error("Bad remote protocol version identification: '%.100s'",
+ peer_version_string);
+ invalid:
+ send_error(ssh, "Invalid SSH identification string.");
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ debug("Remote protocol version %d.%d, remote software version %.100s",
+ remote_major, remote_minor, remote_version);
+ ssh->compat = compat_datafellows(remote_version);
+
+ mismatch = 0;
+ switch (remote_major) {
+ case 2:
+ break;
+ case 1:
+ if (remote_minor != 99)
+ mismatch = 1;
+ break;
+ default:
+ mismatch = 1;
+ break;
+ }
+ if (mismatch) {
+ error("Protocol major versions differ: %d vs. %d",
+ PROTOCOL_MAJOR_2, remote_major);
+ send_error(ssh, "Protocol major versions differ.");
+ r = SSH_ERR_NO_PROTOCOL_VERSION;
+ goto out;
+ }
+
+ if (ssh->kex->server && (ssh->compat & SSH_BUG_PROBE) != 0) {
+ logit("probed from %s port %d with %s. Don't panic.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ peer_version_string);
+ r = SSH_ERR_CONN_CLOSED; /* XXX */
+ goto out;
+ }
+ if (ssh->kex->server && (ssh->compat & SSH_BUG_SCANNER) != 0) {
+ logit("scanned from %s port %d with %s. Don't panic.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ peer_version_string);
+ r = SSH_ERR_CONN_CLOSED; /* XXX */
+ goto out;
+ }
+ if ((ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
+ logit("Remote version \"%.100s\" uses unsafe RSA signature "
+ "scheme; disabling use of RSA keys", remote_version);
+ }
+ /* success */
+ r = 0;
+ out:
+ free(our_version_string);
+ free(peer_version_string);
+ free(remote_version);
+ return r;
+}
+
diff --git a/kex.h b/kex.h
index 593de120836e..6d446d1ccbb5 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.91 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.107 2019/01/23 00:30:41 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -27,6 +27,7 @@
#define KEX_H
#include "mac.h"
+#include "crypto_api.h"
#ifdef WITH_LEAKMALLOC
#include "leakmalloc.h"
@@ -62,6 +63,7 @@
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
#define KEX_CURVE25519_SHA256 "curve25519-sha256"
#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
+#define KEX_SNTRUP4591761X25519_SHA512 "sntrup4591761x25519-sha512@tinyssh.org"
#define COMP_NONE 0
/* pre-auth compression (COMP_ZLIB) is only supported in the client */
@@ -100,10 +102,12 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
+ KEX_KEM_SNTRUP4591761X25519_SHA512,
KEX_MAX
};
#define KEX_INIT_SENT 0x0001
+#define KEX_INITIAL 0x0002
struct sshenc {
char *name;
@@ -144,27 +148,29 @@ struct kex {
int ext_info_c;
struct sshbuf *my;
struct sshbuf *peer;
+ struct sshbuf *client_version;
+ struct sshbuf *server_version;
sig_atomic_t done;
u_int flags;
int hash_alg;
int ec_nid;
- char *client_version_string;
- char *server_version_string;
char *failed_choice;
int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
int (*host_key_index)(struct sshkey *, int, struct ssh *);
- int (*sign)(struct sshkey *, struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, u_int);
+ int (*sign)(struct ssh *, struct sshkey *, struct sshkey *,
+ u_char **, size_t *, const u_char *, size_t, const char *);
int (*kex[KEX_MAX])(struct ssh *);
/* kex specific state */
DH *dh; /* DH */
u_int min, max, nbits; /* GEX */
EC_KEY *ec_client_key; /* ECDH */
const EC_GROUP *ec_group; /* ECDH */
- u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */
+ u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */
u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
+ u_char sntrup4591761_client_key[crypto_kem_sntrup4591761_SECRETKEYBYTES]; /* KEM */
+ struct sshbuf *client_pub;
};
int kex_names_valid(const char *);
@@ -172,7 +178,10 @@ char *kex_alg_list(char);
char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
-int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
+int kex_exchange_identification(struct ssh *, int, const char *);
+
+struct kex *kex_new(void);
+int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
void kex_free_newkeys(struct newkeys *);
void kex_free(struct kex *);
@@ -180,44 +189,52 @@ void kex_free(struct kex *);
int kex_buf2prop(struct sshbuf *, int *, char ***);
int kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
void kex_prop_free(char **);
+int kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
+int kex_verify_host_key(struct ssh *, struct sshkey *);
int kex_send_kexinit(struct ssh *);
int kex_input_kexinit(int, u_int32_t, struct ssh *);
int kex_input_ext_info(int, u_int32_t, struct ssh *);
int kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
-int kex_derive_keys_bn(struct ssh *, u_char *, u_int, const BIGNUM *);
int kex_send_newkeys(struct ssh *);
int kex_start_rekex(struct ssh *);
-int kexdh_client(struct ssh *);
-int kexdh_server(struct ssh *);
int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);
-int kexecdh_client(struct ssh *);
-int kexecdh_server(struct ssh *);
-int kexc25519_client(struct ssh *);
-int kexc25519_server(struct ssh *);
+int kex_gen_client(struct ssh *);
+int kex_gen_server(struct ssh *);
+
+int kex_dh_keypair(struct kex *);
+int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+ struct sshbuf **);
+int kex_dh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+
+int kex_ecdh_keypair(struct kex *);
+int kex_ecdh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+ struct sshbuf **);
+int kex_ecdh_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+
+int kex_c25519_keypair(struct kex *);
+int kex_c25519_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
+ struct sshbuf **);
+int kex_c25519_dec(struct kex *, const struct sshbuf *, struct sshbuf **);
+
+int kex_kem_sntrup4591761x25519_keypair(struct kex *);
+int kex_kem_sntrup4591761x25519_enc(struct kex *, const struct sshbuf *,
+ struct sshbuf **, struct sshbuf **);
+int kex_kem_sntrup4591761x25519_dec(struct kex *, const struct sshbuf *,
+ struct sshbuf **);
-int kex_dh_hash(int, const char *, const char *,
- const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
- const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
+int kex_dh_keygen(struct kex *);
+int kex_dh_compute_key(struct kex *, BIGNUM *, struct sshbuf *);
-int kexgex_hash(int, const char *, const char *,
- const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
+ const struct sshbuf *, const struct sshbuf *, const struct sshbuf *,
int, int, int,
const BIGNUM *, const BIGNUM *, const BIGNUM *,
- const BIGNUM *, const BIGNUM *,
+ const BIGNUM *, const u_char *, size_t,
u_char *, size_t *);
-int kex_ecdh_hash(int, const EC_GROUP *, const char *, const char *,
- const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
- const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
-
-int kex_c25519_hash(int, const char *, const char *,
- const u_char *, size_t, const u_char *, size_t,
- const u_char *, size_t, const u_char *, const u_char *,
- const u_char *, size_t, u_char *, size_t *);
-
void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
@@ -225,9 +242,13 @@ int kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
+int kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
+ const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
+ __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
+ __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
-void dump_digest(char *, u_char *, int);
+void dump_digest(const char *, const u_char *, int);
#endif
#if !defined(WITH_OPENSSL) || !defined(OPENSSL_HAS_ECC)
diff --git a/kexc25519.c b/kexc25519.c
index 0897b8c5190a..f13d766d7247 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: kexc25519.c,v 1.10 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: kexc25519.c,v 1.17 2019/01/21 10:40:11 djm Exp $ */
/*
- * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved.
+ * Copyright (c) 2019 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
* Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
*
@@ -29,20 +29,16 @@
#include <sys/types.h>
-#include <signal.h>
+#include <stdio.h>
#include <string.h>
+#include <signal.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-
-#include "sshbuf.h"
-#include "ssh2.h"
#include "sshkey.h"
-#include "cipher.h"
#include "kex.h"
-#include "log.h"
+#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"
+#include "ssh2.h"
extern int crypto_scalarmult_curve25519(u_char a[CURVE25519_SIZE],
const u_char b[CURVE25519_SIZE], const u_char c[CURVE25519_SIZE])
@@ -60,74 +56,144 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
}
int
-kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
- const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
+kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
+ const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int raw)
{
u_char shared_key[CURVE25519_SIZE];
+ u_char zero[CURVE25519_SIZE];
int r;
- /* Check for all-zero public key */
- explicit_bzero(shared_key, CURVE25519_SIZE);
- if (timingsafe_bcmp(pub, shared_key, CURVE25519_SIZE) == 0)
+ crypto_scalarmult_curve25519(shared_key, key, pub);
+
+ /* Check for all-zero shared secret */
+ explicit_bzero(zero, CURVE25519_SIZE);
+ if (timingsafe_bcmp(zero, shared_key, CURVE25519_SIZE) == 0)
return SSH_ERR_KEY_INVALID_EC_VALUE;
- crypto_scalarmult_curve25519(shared_key, key, pub);
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", shared_key, CURVE25519_SIZE);
#endif
- sshbuf_reset(out);
- r = sshbuf_put_bignum2_bytes(out, shared_key, CURVE25519_SIZE);
+ if (raw)
+ r = sshbuf_put(out, shared_key, CURVE25519_SIZE);
+ else
+ r = sshbuf_put_bignum2_bytes(out, shared_key, CURVE25519_SIZE);
explicit_bzero(shared_key, CURVE25519_SIZE);
return r;
}
int
-kex_c25519_hash(
- int hash_alg,
- const char *client_version_string,
- const char *server_version_string,
- const u_char *ckexinit, size_t ckexinitlen,
- const u_char *skexinit, size_t skexinitlen,
- const u_char *serverhostkeyblob, size_t sbloblen,
- const u_char client_dh_pub[CURVE25519_SIZE],
- const u_char server_dh_pub[CURVE25519_SIZE],
- const u_char *shared_secret, size_t secretlen,
- u_char *hash, size_t *hashlen)
+kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
+ const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
+{
+ return kexc25519_shared_key_ext(key, pub, out, 0);
+}
+
+int
+kex_c25519_keypair(struct kex *kex)
{
- struct sshbuf *b;
+ struct sshbuf *buf = NULL;
+ u_char *cp = NULL;
int r;
- if (*hashlen < ssh_digest_bytes(hash_alg))
- return SSH_ERR_INVALID_ARGUMENT;
- if ((b = sshbuf_new()) == NULL)
+ if ((buf = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_cstring(b, client_version_string)) < 0 ||
- (r = sshbuf_put_cstring(b, server_version_string)) < 0 ||
- /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
- (r = sshbuf_put_u32(b, ckexinitlen+1)) < 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) < 0 ||
- (r = sshbuf_put(b, ckexinit, ckexinitlen)) < 0 ||
- (r = sshbuf_put_u32(b, skexinitlen+1)) < 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) < 0 ||
- (r = sshbuf_put(b, skexinit, skexinitlen)) < 0 ||
- (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) < 0 ||
- (r = sshbuf_put_string(b, client_dh_pub, CURVE25519_SIZE)) < 0 ||
- (r = sshbuf_put_string(b, server_dh_pub, CURVE25519_SIZE)) < 0 ||
- (r = sshbuf_put(b, shared_secret, secretlen)) < 0) {
- sshbuf_free(b);
- return r;
+ if ((r = sshbuf_reserve(buf, CURVE25519_SIZE, &cp)) != 0)
+ goto out;
+ kexc25519_keygen(kex->c25519_client_key, cp);
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
+#endif
+ kex->client_pub = buf;
+ buf = NULL;
+ out:
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_c25519_enc(struct kex *kex, const struct sshbuf *client_blob,
+ struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
+{
+ struct sshbuf *server_blob = NULL;
+ struct sshbuf *buf = NULL;
+ const u_char *client_pub;
+ u_char *server_pub;
+ u_char server_key[CURVE25519_SIZE];
+ int r;
+
+ *server_blobp = NULL;
+ *shared_secretp = NULL;
+
+ if (sshbuf_len(client_blob) != CURVE25519_SIZE) {
+ r = SSH_ERR_SIGNATURE_INVALID;
+ goto out;
}
-#ifdef DEBUG_KEX
- sshbuf_dump(b, stderr);
+ client_pub = sshbuf_ptr(client_blob);
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key 25519:", client_pub, CURVE25519_SIZE);
#endif
- if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
- sshbuf_free(b);
- return SSH_ERR_LIBCRYPTO_ERROR;
+ /* allocate space for encrypted KEM key and ECDH pub key */
+ if ((server_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
}
- sshbuf_free(b);
- *hashlen = ssh_digest_bytes(hash_alg);
-#ifdef DEBUG_KEX
- dump_digest("hash", hash, *hashlen);
+ if ((r = sshbuf_reserve(server_blob, CURVE25519_SIZE, &server_pub)) != 0)
+ goto out;
+ kexc25519_keygen(server_key, server_pub);
+ /* allocate shared secret */
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 0)) < 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
+ dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
#endif
- return 0;
+ *server_blobp = server_blob;
+ *shared_secretp = buf;
+ server_blob = NULL;
+ buf = NULL;
+ out:
+ explicit_bzero(server_key, sizeof(server_key));
+ sshbuf_free(server_blob);
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_c25519_dec(struct kex *kex, const struct sshbuf *server_blob,
+ struct sshbuf **shared_secretp)
+{
+ struct sshbuf *buf = NULL;
+ const u_char *server_pub;
+ int r;
+
+ *shared_secretp = NULL;
+
+ if (sshbuf_len(server_blob) != CURVE25519_SIZE) {
+ r = SSH_ERR_SIGNATURE_INVALID;
+ goto out;
+ }
+ server_pub = sshbuf_ptr(server_blob);
+#ifdef DEBUG_KEXECDH
+ dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
+#endif
+ /* shared secret */
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
+ buf, 0)) < 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+ *shared_secretp = buf;
+ buf = NULL;
+ out:
+ sshbuf_free(buf);
+ return r;
}
diff --git a/kexc25519c.c b/kexc25519c.c
deleted file mode 100644
index a8d92149c3fd..000000000000
--- a/kexc25519c.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/* $OpenBSD: kexc25519c.c,v 1.9 2017/12/18 02:25:15 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2010 Damien Miller. All rights reserved.
- * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "ssh2.h"
-#include "sshbuf.h"
-#include "digest.h"
-#include "ssherr.h"
-
-static int
-input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh);
-
-int
-kexc25519_client(struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- int r;
-
- kexc25519_keygen(kex->c25519_client_key, kex->c25519_client_pubkey);
-#ifdef DEBUG_KEXECDH
- dump_digest("client private key:", kex->c25519_client_key,
- sizeof(kex->c25519_client_key));
-#endif
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
- (r = sshpkt_put_string(ssh, kex->c25519_client_pubkey,
- sizeof(kex->c25519_client_pubkey))) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- return r;
-
- debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
- ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_c25519_reply);
- return 0;
-}
-
-static int
-input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- struct sshkey *server_host_key = NULL;
- struct sshbuf *shared_secret = NULL;
- u_char *server_pubkey = NULL;
- u_char *server_host_key_blob = NULL, *signature = NULL;
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t slen, pklen, sbloblen, hashlen;
- int r;
-
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
-
- /* hostkey */
- if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
- &sbloblen)) != 0 ||
- (r = sshkey_from_blob(server_host_key_blob, sbloblen,
- &server_host_key)) != 0)
- goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
- goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
-
- /* Q_S, server public key */
- /* signed H */
- if ((r = sshpkt_get_string(ssh, &server_pubkey, &pklen)) != 0 ||
- (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
- if (pklen != CURVE25519_SIZE) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
-
-#ifdef DEBUG_KEXECDH
- dump_digest("server public key:", server_pubkey, CURVE25519_SIZE);
-#endif
-
- if ((shared_secret = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = kexc25519_shared_key(kex->c25519_client_key, server_pubkey,
- shared_secret)) < 0)
- goto out;
-
- /* calc and verify H */
- hashlen = sizeof(hash);
- if ((r = kex_c25519_hash(
- kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- server_host_key_blob, sbloblen,
- kex->c25519_client_pubkey,
- server_pubkey,
- sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
- hash, &hashlen)) < 0)
- goto out;
-
- if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
- kex->hostkey_alg, ssh->compat)) != 0)
- goto out;
-
- /* save session id */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
-out:
- explicit_bzero(hash, sizeof(hash));
- explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
- free(server_host_key_blob);
- free(server_pubkey);
- free(signature);
- sshkey_free(server_host_key);
- sshbuf_free(shared_secret);
- return r;
-}
diff --git a/kexc25519s.c b/kexc25519s.c
deleted file mode 100644
index 0800a7a4bcf4..000000000000
--- a/kexc25519s.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* $OpenBSD: kexc25519s.c,v 1.11 2017/05/31 04:19:28 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2010 Damien Miller. All rights reserved.
- * Copyright (c) 2013 Aris Adamantiadis. All rights reserved.
- *
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "ssh2.h"
-#include "sshbuf.h"
-#include "ssherr.h"
-
-static int input_kex_c25519_init(int, u_int32_t, struct ssh *);
-
-int
-kexc25519_server(struct ssh *ssh)
-{
- debug("expecting SSH2_MSG_KEX_ECDH_INIT");
- ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_c25519_init);
- return 0;
-}
-
-static int
-input_kex_c25519_init(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- struct sshkey *server_host_private, *server_host_public;
- struct sshbuf *shared_secret = NULL;
- u_char *server_host_key_blob = NULL, *signature = NULL;
- u_char server_key[CURVE25519_SIZE];
- u_char *client_pubkey = NULL;
- u_char server_pubkey[CURVE25519_SIZE];
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t slen, pklen, sbloblen, hashlen;
- int r;
-
- /* generate private key */
- kexc25519_keygen(server_key, server_pubkey);
-#ifdef DEBUG_KEXECDH
- dump_digest("server private key:", server_key, sizeof(server_key));
-#endif
- if (kex->load_host_public_key == NULL ||
- kex->load_host_private_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- server_host_public = kex->load_host_public_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- server_host_private = kex->load_host_private_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- if (server_host_public == NULL) {
- r = SSH_ERR_NO_HOSTKEY_LOADED;
- goto out;
- }
-
- if ((r = sshpkt_get_string(ssh, &client_pubkey, &pklen)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
- if (pklen != CURVE25519_SIZE) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
-#ifdef DEBUG_KEXECDH
- dump_digest("client public key:", client_pubkey, CURVE25519_SIZE);
-#endif
-
- if ((shared_secret = sshbuf_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = kexc25519_shared_key(server_key, client_pubkey,
- shared_secret)) < 0)
- goto out;
-
- /* calc H */
- if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
- &sbloblen)) != 0)
- goto out;
- hashlen = sizeof(hash);
- if ((r = kex_c25519_hash(
- kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- server_host_key_blob, sbloblen,
- client_pubkey,
- server_pubkey,
- sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
- hash, &hashlen)) < 0)
- goto out;
-
- /* save session id := H */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- /* sign H */
- if ((r = kex->sign(server_host_private, server_host_public, &signature,
- &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
- goto out;
-
- /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
- (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
- (r = sshpkt_put_string(ssh, server_pubkey, sizeof(server_pubkey))) != 0 ||
- (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- goto out;
-
- if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
-out:
- explicit_bzero(hash, sizeof(hash));
- explicit_bzero(server_key, sizeof(server_key));
- free(server_host_key_blob);
- free(signature);
- free(client_pubkey);
- sshbuf_free(shared_secret);
- return r;
-}
diff --git a/kexdh.c b/kexdh.c
index e6925b186d82..67133e339481 100644
--- a/kexdh.c
+++ b/kexdh.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: kexdh.c,v 1.26 2016/05/02 10:26:04 djm Exp $ */
+/* $OpenBSD: kexdh.c,v 1.32 2019/01/21 10:40:11 djm Exp $ */
/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2019 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,67 +30,172 @@
#include <sys/types.h>
#include <signal.h>
-
-#include <openssl/evp.h>
+#include <stdio.h>
+#include <string.h>
#include "openbsd-compat/openssl-compat.h"
+#include <openssl/dh.h>
-#include "ssh2.h"
#include "sshkey.h"
-#include "cipher.h"
#include "kex.h"
-#include "ssherr.h"
#include "sshbuf.h"
#include "digest.h"
+#include "ssherr.h"
+#include "dh.h"
int
-kex_dh_hash(
- int hash_alg,
- const char *client_version_string,
- const char *server_version_string,
- const u_char *ckexinit, size_t ckexinitlen,
- const u_char *skexinit, size_t skexinitlen,
- const u_char *serverhostkeyblob, size_t sbloblen,
- const BIGNUM *client_dh_pub,
- const BIGNUM *server_dh_pub,
- const BIGNUM *shared_secret,
- u_char *hash, size_t *hashlen)
+kex_dh_keygen(struct kex *kex)
{
- struct sshbuf *b;
- int r;
-
- if (*hashlen < ssh_digest_bytes(hash_alg))
+ switch (kex->kex_type) {
+ case KEX_DH_GRP1_SHA1:
+ kex->dh = dh_new_group1();
+ break;
+ case KEX_DH_GRP14_SHA1:
+ case KEX_DH_GRP14_SHA256:
+ kex->dh = dh_new_group14();
+ break;
+ case KEX_DH_GRP16_SHA512:
+ kex->dh = dh_new_group16();
+ break;
+ case KEX_DH_GRP18_SHA512:
+ kex->dh = dh_new_group18();
+ break;
+ default:
return SSH_ERR_INVALID_ARGUMENT;
- if ((b = sshbuf_new()) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
- (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
- /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
- (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
- (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
- (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
- (r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||
- (r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||
- (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
- sshbuf_free(b);
- return r;
}
-#ifdef DEBUG_KEX
- sshbuf_dump(b, stderr);
+ if (kex->dh == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ return (dh_gen_key(kex->dh, kex->we_need * 8));
+}
+
+int
+kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out)
+{
+ BIGNUM *shared_secret = NULL;
+ u_char *kbuf = NULL;
+ size_t klen = 0;
+ int kout, r;
+
+#ifdef DEBUG_KEXDH
+ fprintf(stderr, "dh_pub= ");
+ BN_print_fp(stderr, dh_pub);
+ fprintf(stderr, "\n");
+ debug("bits %d", BN_num_bits(dh_pub));
+ DHparams_print_fp(stderr, kex->dh);
+ fprintf(stderr, "\n");
#endif
- if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
- sshbuf_free(b);
- return SSH_ERR_LIBCRYPTO_ERROR;
+
+ if (!dh_pub_is_valid(kex->dh, dh_pub)) {
+ r = SSH_ERR_MESSAGE_INCOMPLETE;
+ goto out;
+ }
+ klen = DH_size(kex->dh);
+ if ((kbuf = malloc(klen)) == NULL ||
+ (shared_secret = BN_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 ||
+ BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
}
- sshbuf_free(b);
- *hashlen = ssh_digest_bytes(hash_alg);
-#ifdef DEBUG_KEX
- dump_digest("hash", hash, *hashlen);
+#ifdef DEBUG_KEXDH
+ dump_digest("shared secret", kbuf, kout);
#endif
- return 0;
+ r = sshbuf_put_bignum2(out, shared_secret);
+ out:
+ freezero(kbuf, klen);
+ BN_clear_free(shared_secret);
+ return r;
+}
+
+int
+kex_dh_keypair(struct kex *kex)
+{
+ const BIGNUM *pub_key;
+ struct sshbuf *buf = NULL;
+ int r;
+
+ if ((r = kex_dh_keygen(kex)) != 0)
+ return r;
+ DH_get0_key(kex->dh, &pub_key, NULL);
+ if ((buf = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshbuf_put_bignum2(buf, pub_key)) != 0 ||
+ (r = sshbuf_get_u32(buf, NULL)) != 0)
+ goto out;
+#ifdef DEBUG_KEXDH
+ DHparams_print_fp(stderr, kex->dh);
+ fprintf(stderr, "pub= ");
+ BN_print_fp(stderr, pub_key);
+ fprintf(stderr, "\n");
+#endif
+ kex->client_pub = buf;
+ buf = NULL;
+ out:
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_dh_enc(struct kex *kex, const struct sshbuf *client_blob,
+ struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
+{
+ const BIGNUM *pub_key;
+ struct sshbuf *server_blob = NULL;
+ int r;
+
+ *server_blobp = NULL;
+ *shared_secretp = NULL;
+
+ if ((r = kex_dh_keygen(kex)) != 0)
+ goto out;
+ DH_get0_key(kex->dh, &pub_key, NULL);
+ if ((server_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_put_bignum2(server_blob, pub_key)) != 0 ||
+ (r = sshbuf_get_u32(server_blob, NULL)) != 0)
+ goto out;
+ if ((r = kex_dh_dec(kex, client_blob, shared_secretp)) != 0)
+ goto out;
+ *server_blobp = server_blob;
+ server_blob = NULL;
+ out:
+ DH_free(kex->dh);
+ kex->dh = NULL;
+ sshbuf_free(server_blob);
+ return r;
+}
+
+int
+kex_dh_dec(struct kex *kex, const struct sshbuf *dh_blob,
+ struct sshbuf **shared_secretp)
+{
+ struct sshbuf *buf = NULL;
+ BIGNUM *dh_pub = NULL;
+ int r;
+
+ *shared_secretp = NULL;
+
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_put_stringb(buf, dh_blob)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, &dh_pub)) != 0)
+ goto out;
+ sshbuf_reset(buf);
+ if ((r = kex_dh_compute_key(kex, dh_pub, buf)) != 0)
+ goto out;
+ *shared_secretp = buf;
+ buf = NULL;
+ out:
+ DH_free(kex->dh);
+ kex->dh = NULL;
+ sshbuf_free(buf);
+ return r;
}
#endif /* WITH_OPENSSL */
diff --git a/kexdhc.c b/kexdhc.c
deleted file mode 100644
index 8b56377ad09d..000000000000
--- a/kexdhc.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/* $OpenBSD: kexdhc.c,v 1.22 2018/02/07 02:06:51 jsing Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef WITH_OPENSSL
-
-#include <sys/types.h>
-
-#include <openssl/dh.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "openbsd-compat/openssl-compat.h"
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-static int input_kex_dh(int, u_int32_t, struct ssh *);
-
-int
-kexdh_client(struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- int r;
- const BIGNUM *pub_key;
-
- /* generate and send 'e', client DH public key */
- switch (kex->kex_type) {
- case KEX_DH_GRP1_SHA1:
- kex->dh = dh_new_group1();
- break;
- case KEX_DH_GRP14_SHA1:
- case KEX_DH_GRP14_SHA256:
- kex->dh = dh_new_group14();
- break;
- case KEX_DH_GRP16_SHA512:
- kex->dh = dh_new_group16();
- break;
- case KEX_DH_GRP18_SHA512:
- kex->dh = dh_new_group18();
- break;
- default:
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- if (kex->dh == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- debug("sending SSH2_MSG_KEXDH_INIT");
- if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
- goto out;
- DH_get0_key(kex->dh, &pub_key, NULL);
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_INIT)) != 0 ||
- (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- goto out;
-#ifdef DEBUG_KEXDH
- DHparams_print_fp(stderr, kex->dh);
- fprintf(stderr, "pub= ");
- BN_print_fp(stderr, pub_key);
- fprintf(stderr, "\n");
-#endif
- debug("expecting SSH2_MSG_KEXDH_REPLY");
- ssh_dispatch_set(ssh, SSH2_MSG_KEXDH_REPLY, &input_kex_dh);
- r = 0;
- out:
- return r;
-}
-
-static int
-input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
- const BIGNUM *pub_key;
- struct sshkey *server_host_key = NULL;
- u_char *kbuf = NULL, *server_host_key_blob = NULL, *signature = NULL;
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t klen = 0, slen, sbloblen, hashlen;
- int kout, r;
-
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- /* key, cert */
- if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
- &sbloblen)) != 0 ||
- (r = sshkey_from_blob(server_host_key_blob, sbloblen,
- &server_host_key)) != 0)
- goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
- goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
- /* DH parameter f, server public DH key */
- if ((dh_server_pub = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- /* signed H */
- if ((r = sshpkt_get_bignum2(ssh, dh_server_pub)) != 0 ||
- (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
-#ifdef DEBUG_KEXDH
- fprintf(stderr, "dh_server_pub= ");
- BN_print_fp(stderr, dh_server_pub);
- fprintf(stderr, "\n");
- debug("bits %d", BN_num_bits(dh_server_pub));
-#endif
- if (!dh_pub_is_valid(kex->dh, dh_server_pub)) {
- sshpkt_disconnect(ssh, "bad server public DH value");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- klen = DH_size(kex->dh);
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((kout = DH_compute_key(kbuf, dh_server_pub, kex->dh)) < 0 ||
- BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
-#ifdef DEBUG_KEXDH
- dump_digest("shared secret", kbuf, kout);
-#endif
-
- /* calc and verify H */
- DH_get0_key(kex->dh, &pub_key, NULL);
- hashlen = sizeof(hash);
- if ((r = kex_dh_hash(
- kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- server_host_key_blob, sbloblen,
- pub_key,
- dh_server_pub,
- shared_secret,
- hash, &hashlen)) != 0)
- goto out;
-
- if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
- kex->hostkey_alg, ssh->compat)) != 0)
- goto out;
-
- /* save session id */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
- out:
- explicit_bzero(hash, sizeof(hash));
- DH_free(kex->dh);
- kex->dh = NULL;
- BN_clear_free(dh_server_pub);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
- sshkey_free(server_host_key);
- free(server_host_key_blob);
- free(signature);
- return r;
-}
-#endif /* WITH_OPENSSL */
diff --git a/kexdhs.c b/kexdhs.c
deleted file mode 100644
index 337aab5beb41..000000000000
--- a/kexdhs.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/* $OpenBSD: kexdhs.c,v 1.27 2018/04/10 00:10:49 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef WITH_OPENSSL
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-#include <signal.h>
-
-#include <openssl/dh.h>
-
-#include "openbsd-compat/openssl-compat.h"
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-static int input_kex_dh_init(int, u_int32_t, struct ssh *);
-
-int
-kexdh_server(struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- int r;
-
- /* generate server DH public key */
- switch (kex->kex_type) {
- case KEX_DH_GRP1_SHA1:
- kex->dh = dh_new_group1();
- break;
- case KEX_DH_GRP14_SHA1:
- case KEX_DH_GRP14_SHA256:
- kex->dh = dh_new_group14();
- break;
- case KEX_DH_GRP16_SHA512:
- kex->dh = dh_new_group16();
- break;
- case KEX_DH_GRP18_SHA512:
- kex->dh = dh_new_group18();
- break;
- default:
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- if (kex->dh == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
- goto out;
-
- debug("expecting SSH2_MSG_KEXDH_INIT");
- ssh_dispatch_set(ssh, SSH2_MSG_KEXDH_INIT, &input_kex_dh_init);
- r = 0;
- out:
- return r;
-}
-
-int
-input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
- const BIGNUM *pub_key;
- struct sshkey *server_host_public, *server_host_private;
- u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t sbloblen, slen;
- size_t klen = 0, hashlen;
- int kout, r;
-
- if (kex->load_host_public_key == NULL ||
- kex->load_host_private_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- server_host_public = kex->load_host_public_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- server_host_private = kex->load_host_private_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- if (server_host_public == NULL) {
- r = SSH_ERR_NO_HOSTKEY_LOADED;
- goto out;
- }
-
- /* key, cert */
- if ((dh_client_pub = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- DH_get0_key(kex->dh, &pub_key, NULL);
- if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
-
-#ifdef DEBUG_KEXDH
- fprintf(stderr, "dh_client_pub= ");
- BN_print_fp(stderr, dh_client_pub);
- fprintf(stderr, "\n");
- debug("bits %d", BN_num_bits(dh_client_pub));
- DHparams_print_fp(stderr, kex->dh);
- fprintf(stderr, "pub= ");
- BN_print_fp(stderr, pub_key);
- fprintf(stderr, "\n");
-#endif
- if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
- sshpkt_disconnect(ssh, "bad client public DH value");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- klen = DH_size(kex->dh);
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 ||
- BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
-#ifdef DEBUG_KEXDH
- dump_digest("shared secret", kbuf, kout);
-#endif
- if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
- &sbloblen)) != 0)
- goto out;
- /* calc H */
- hashlen = sizeof(hash);
- if ((r = kex_dh_hash(
- kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- server_host_key_blob, sbloblen,
- dh_client_pub,
- pub_key,
- shared_secret,
- hash, &hashlen)) != 0)
- goto out;
-
- /* save session id := H */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- /* sign H */
- if ((r = kex->sign(server_host_private, server_host_public, &signature,
- &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
- goto out;
-
- /* destroy_sensitive_data(); */
-
- /* send server hostkey, DH pubkey 'f' and signed H */
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEXDH_REPLY)) != 0 ||
- (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
- (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */
- (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- goto out;
-
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
- out:
- explicit_bzero(hash, sizeof(hash));
- DH_free(kex->dh);
- kex->dh = NULL;
- BN_clear_free(dh_client_pub);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
- free(server_host_key_blob);
- free(signature);
- return r;
-}
-#endif /* WITH_OPENSSL */
diff --git a/kexecdh.c b/kexecdh.c
index 2a4fec6b124c..0aeab2e9b13b 100644
--- a/kexecdh.c
+++ b/kexecdh.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: kexecdh.c,v 1.6 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexecdh.c,v 1.10 2019/01/21 10:40:11 djm Exp $ */
/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
+ * Copyright (c) 2019 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -30,71 +30,182 @@
#include <sys/types.h>
-#include <signal.h>
+#include <stdio.h>
#include <string.h>
+#include <signal.h>
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include <openssl/ec.h>
#include <openssl/ecdh.h>
-#include "ssh2.h"
#include "sshkey.h"
-#include "cipher.h"
#include "kex.h"
#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"
+static int
+kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key,
+ const EC_GROUP *, struct sshbuf **);
+
int
-kex_ecdh_hash(
- int hash_alg,
- const EC_GROUP *ec_group,
- const char *client_version_string,
- const char *server_version_string,
- const u_char *ckexinit, size_t ckexinitlen,
- const u_char *skexinit, size_t skexinitlen,
- const u_char *serverhostkeyblob, size_t sbloblen,
- const EC_POINT *client_dh_pub,
- const EC_POINT *server_dh_pub,
- const BIGNUM *shared_secret,
- u_char *hash, size_t *hashlen)
+kex_ecdh_keypair(struct kex *kex)
{
- struct sshbuf *b;
+ EC_KEY *client_key = NULL;
+ const EC_GROUP *group;
+ const EC_POINT *public_key;
+ struct sshbuf *buf = NULL;
int r;
- if (*hashlen < ssh_digest_bytes(hash_alg))
- return SSH_ERR_INVALID_ARGUMENT;
- if ((b = sshbuf_new()) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
- (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
- /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
- (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
- (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
- (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
- (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
- (r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 ||
- (r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 ||
- (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
- sshbuf_free(b);
- return r;
+ if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if (EC_KEY_generate_key(client_key) != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ group = EC_KEY_get0_group(client_key);
+ public_key = EC_KEY_get0_public_key(client_key);
+
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
}
-#ifdef DEBUG_KEX
- sshbuf_dump(b, stderr);
+ if ((r = sshbuf_put_ec(buf, public_key, group)) != 0 ||
+ (r = sshbuf_get_u32(buf, NULL)) != 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ fputs("client private key:\n", stderr);
+ sshkey_dump_ec_key(client_key);
#endif
- if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
- sshbuf_free(b);
- return SSH_ERR_LIBCRYPTO_ERROR;
+ kex->ec_client_key = client_key;
+ kex->ec_group = group;
+ client_key = NULL; /* owned by the kex */
+ kex->client_pub = buf;
+ buf = NULL;
+ out:
+ EC_KEY_free(client_key);
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_ecdh_enc(struct kex *kex, const struct sshbuf *client_blob,
+ struct sshbuf **server_blobp, struct sshbuf **shared_secretp)
+{
+ const EC_GROUP *group;
+ const EC_POINT *pub_key;
+ EC_KEY *server_key = NULL;
+ struct sshbuf *server_blob = NULL;
+ int r;
+
+ *server_blobp = NULL;
+ *shared_secretp = NULL;
+
+ if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
}
- sshbuf_free(b);
- *hashlen = ssh_digest_bytes(hash_alg);
-#ifdef DEBUG_KEX
- dump_digest("hash", hash, *hashlen);
+ if (EC_KEY_generate_key(server_key) != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ group = EC_KEY_get0_group(server_key);
+
+#ifdef DEBUG_KEXECDH
+ fputs("server private key:\n", stderr);
+ sshkey_dump_ec_key(server_key);
#endif
- return 0;
+ pub_key = EC_KEY_get0_public_key(server_key);
+ if ((server_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_put_ec(server_blob, pub_key, group)) != 0 ||
+ (r = sshbuf_get_u32(server_blob, NULL)) != 0)
+ goto out;
+ if ((r = kex_ecdh_dec_key_group(kex, client_blob, server_key, group,
+ shared_secretp)) != 0)
+ goto out;
+ *server_blobp = server_blob;
+ server_blob = NULL;
+ out:
+ EC_KEY_free(server_key);
+ sshbuf_free(server_blob);
+ return r;
+}
+
+static int
+kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
+ EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp)
+{
+ struct sshbuf *buf = NULL;
+ BIGNUM *shared_secret = NULL;
+ EC_POINT *dh_pub = NULL;
+ u_char *kbuf = NULL;
+ size_t klen = 0;
+ int r;
+
+ *shared_secretp = NULL;
+
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_put_stringb(buf, ec_blob)) != 0)
+ goto out;
+ if ((dh_pub = EC_POINT_new(group)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) {
+ goto out;
+ }
+ sshbuf_reset(buf);
+
+#ifdef DEBUG_KEXECDH
+ fputs("public key:\n", stderr);
+ sshkey_dump_ec_point(group, dh_pub);
+#endif
+ if (sshkey_ec_validate_public(group, dh_pub) != 0) {
+ r = SSH_ERR_MESSAGE_INCOMPLETE;
+ goto out;
+ }
+ klen = (EC_GROUP_get_degree(group) + 7) / 8;
+ if ((kbuf = malloc(klen)) == NULL ||
+ (shared_secret = BN_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
+ BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+#ifdef DEBUG_KEXECDH
+ dump_digest("shared secret", kbuf, klen);
+#endif
+ if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0)
+ goto out;
+ *shared_secretp = buf;
+ buf = NULL;
+ out:
+ EC_POINT_clear_free(dh_pub);
+ BN_clear_free(shared_secret);
+ freezero(kbuf, klen);
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
+ struct sshbuf **shared_secretp)
+{
+ int r;
+
+ r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key,
+ kex->ec_group, shared_secretp);
+ EC_KEY_free(kex->ec_client_key);
+ kex->ec_client_key = NULL;
+ return r;
}
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
diff --git a/kexecdhc.c b/kexecdhc.c
deleted file mode 100644
index ac146a362ee0..000000000000
--- a/kexecdhc.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/* $OpenBSD: kexecdhc.c,v 1.13 2018/02/07 02:06:51 jsing Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2010 Damien Miller. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-
-#include <sys/types.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include <openssl/ecdh.h>
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-static int input_kex_ecdh_reply(int, u_int32_t, struct ssh *);
-
-int
-kexecdh_client(struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- EC_KEY *client_key = NULL;
- const EC_GROUP *group;
- const EC_POINT *public_key;
- int r;
-
- if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(client_key) != 1) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
- group = EC_KEY_get0_group(client_key);
- public_key = EC_KEY_get0_public_key(client_key);
-
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
- (r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- goto out;
- debug("sending SSH2_MSG_KEX_ECDH_INIT");
-
-#ifdef DEBUG_KEXECDH
- fputs("client private key:\n", stderr);
- sshkey_dump_ec_key(client_key);
-#endif
- kex->ec_client_key = client_key;
- kex->ec_group = group;
- client_key = NULL; /* owned by the kex */
-
- debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
- ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply);
- r = 0;
- out:
- EC_KEY_free(client_key);
- return r;
-}
-
-static int
-input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- const EC_GROUP *group;
- EC_POINT *server_public = NULL;
- EC_KEY *client_key;
- BIGNUM *shared_secret = NULL;
- struct sshkey *server_host_key = NULL;
- u_char *server_host_key_blob = NULL, *signature = NULL;
- u_char *kbuf = NULL;
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t slen, sbloblen;
- size_t klen = 0, hashlen;
- int r;
-
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- group = kex->ec_group;
- client_key = kex->ec_client_key;
-
- /* hostkey */
- if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
- &sbloblen)) != 0 ||
- (r = sshkey_from_blob(server_host_key_blob, sbloblen,
- &server_host_key)) != 0)
- goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
- goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
-
- /* Q_S, server public key */
- /* signed H */
- if ((server_public = EC_POINT_new(group)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshpkt_get_ec(ssh, server_public, group)) != 0 ||
- (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
-
-#ifdef DEBUG_KEXECDH
- fputs("server public key:\n", stderr);
- sshkey_dump_ec_point(group, server_public);
-#endif
- if (sshkey_ec_validate_public(group, server_public) != 0) {
- sshpkt_disconnect(ssh, "invalid server public key");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- klen = (EC_GROUP_get_degree(group) + 7) / 8;
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (ECDH_compute_key(kbuf, klen, server_public,
- client_key, NULL) != (int)klen ||
- BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
-
-#ifdef DEBUG_KEXECDH
- dump_digest("shared secret", kbuf, klen);
-#endif
- /* calc and verify H */
- hashlen = sizeof(hash);
- if ((r = kex_ecdh_hash(
- kex->hash_alg,
- group,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- server_host_key_blob, sbloblen,
- EC_KEY_get0_public_key(client_key),
- server_public,
- shared_secret,
- hash, &hashlen)) != 0)
- goto out;
-
- if ((r = sshkey_verify(server_host_key, signature, slen, hash,
- hashlen, kex->hostkey_alg, ssh->compat)) != 0)
- goto out;
-
- /* save session id */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
- out:
- explicit_bzero(hash, sizeof(hash));
- EC_KEY_free(kex->ec_client_key);
- kex->ec_client_key = NULL;
- EC_POINT_clear_free(server_public);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
- sshkey_free(server_host_key);
- free(server_host_key_blob);
- free(signature);
- return r;
-}
-#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
-
diff --git a/kexecdhs.c b/kexecdhs.c
deleted file mode 100644
index af4f30309971..000000000000
--- a/kexecdhs.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/* $OpenBSD: kexecdhs.c,v 1.17 2018/02/07 02:06:51 jsing Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2010 Damien Miller. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
-
-#include <sys/types.h>
-#include <string.h>
-#include <signal.h>
-
-#include <openssl/ecdh.h>
-
-#include "sshkey.h"
-#include "cipher.h"
-#include "digest.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "ssh2.h"
-
-#include "dispatch.h"
-#include "compat.h"
-#include "ssherr.h"
-#include "sshbuf.h"
-
-static int input_kex_ecdh_init(int, u_int32_t, struct ssh *);
-
-int
-kexecdh_server(struct ssh *ssh)
-{
- debug("expecting SSH2_MSG_KEX_ECDH_INIT");
- ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_ecdh_init);
- return 0;
-}
-
-static int
-input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
-{
- struct kex *kex = ssh->kex;
- EC_POINT *client_public;
- EC_KEY *server_key = NULL;
- const EC_GROUP *group;
- const EC_POINT *public_key;
- BIGNUM *shared_secret = NULL;
- struct sshkey *server_host_private, *server_host_public;
- u_char *server_host_key_blob = NULL, *signature = NULL;
- u_char *kbuf = NULL;
- u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t slen, sbloblen;
- size_t klen = 0, hashlen;
- int r;
-
- if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (EC_KEY_generate_key(server_key) != 1) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
- group = EC_KEY_get0_group(server_key);
-
-#ifdef DEBUG_KEXECDH
- fputs("server private key:\n", stderr);
- sshkey_dump_ec_key(server_key);
-#endif
-
- if (kex->load_host_public_key == NULL ||
- kex->load_host_private_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- server_host_public = kex->load_host_public_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- server_host_private = kex->load_host_private_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- if (server_host_public == NULL) {
- r = SSH_ERR_NO_HOSTKEY_LOADED;
- goto out;
- }
- if ((client_public = EC_POINT_new(group)) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 ||
- (r = sshpkt_get_end(ssh)) != 0)
- goto out;
-
-#ifdef DEBUG_KEXECDH
- fputs("client public key:\n", stderr);
- sshkey_dump_ec_point(group, client_public);
-#endif
- if (sshkey_ec_validate_public(group, client_public) != 0) {
- sshpkt_disconnect(ssh, "invalid client public key");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- /* Calculate shared_secret */
- klen = (EC_GROUP_get_degree(group) + 7) / 8;
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if (ECDH_compute_key(kbuf, klen, client_public,
- server_key, NULL) != (int)klen ||
- BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
-
-#ifdef DEBUG_KEXECDH
- dump_digest("shared secret", kbuf, klen);
-#endif
- /* calc H */
- if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
- &sbloblen)) != 0)
- goto out;
- hashlen = sizeof(hash);
- if ((r = kex_ecdh_hash(
- kex->hash_alg,
- group,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- server_host_key_blob, sbloblen,
- client_public,
- EC_KEY_get0_public_key(server_key),
- shared_secret,
- hash, &hashlen)) != 0)
- goto out;
-
- /* save session id := H */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- /* sign H */
- if ((r = kex->sign(server_host_private, server_host_public, &signature,
- &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
- goto out;
-
- /* destroy_sensitive_data(); */
-
- public_key = EC_KEY_get0_public_key(server_key);
- /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
- if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
- (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
- (r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
- (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- goto out;
-
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
- r = kex_send_newkeys(ssh);
- out:
- explicit_bzero(hash, sizeof(hash));
- EC_KEY_free(kex->ec_client_key);
- kex->ec_client_key = NULL;
- EC_KEY_free(server_key);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
- free(server_host_key_blob);
- free(signature);
- return r;
-}
-#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
-
diff --git a/kexgen.c b/kexgen.c
new file mode 100644
index 000000000000..2abbb9ef6f04
--- /dev/null
+++ b/kexgen.c
@@ -0,0 +1,339 @@
+/* $OpenBSD: kexgen.c,v 1.2 2019/01/23 00:30:41 djm Exp $ */
+/*
+ * Copyright (c) 2019 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+
+#include "sshkey.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "ssh2.h"
+#include "sshbuf.h"
+#include "digest.h"
+#include "ssherr.h"
+
+static int input_kex_gen_init(int, u_int32_t, struct ssh *);
+static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
+
+static int
+kex_gen_hash(
+ int hash_alg,
+ const struct sshbuf *client_version,
+ const struct sshbuf *server_version,
+ const struct sshbuf *client_kexinit,
+ const struct sshbuf *server_kexinit,
+ const struct sshbuf *server_host_key_blob,
+ const struct sshbuf *client_pub,
+ const struct sshbuf *server_pub,
+ const struct sshbuf *shared_secret,
+ u_char *hash, size_t *hashlen)
+{
+ struct sshbuf *b;
+ int r;
+
+ if (*hashlen < ssh_digest_bytes(hash_alg))
+ return SSH_ERR_INVALID_ARGUMENT;
+ if ((b = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshbuf_put_stringb(b, client_version)) != 0 ||
+ (r = sshbuf_put_stringb(b, server_version)) != 0 ||
+ /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+ (r = sshbuf_put_u32(b, sshbuf_len(client_kexinit) + 1)) != 0 ||
+ (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+ (r = sshbuf_putb(b, client_kexinit)) != 0 ||
+ (r = sshbuf_put_u32(b, sshbuf_len(server_kexinit) + 1)) != 0 ||
+ (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
+ (r = sshbuf_putb(b, server_kexinit)) != 0 ||
+ (r = sshbuf_put_stringb(b, server_host_key_blob)) != 0 ||
+ (r = sshbuf_put_stringb(b, client_pub)) != 0 ||
+ (r = sshbuf_put_stringb(b, server_pub)) != 0 ||
+ (r = sshbuf_putb(b, shared_secret)) != 0) {
+ sshbuf_free(b);
+ return r;
+ }
+#ifdef DEBUG_KEX
+ sshbuf_dump(b, stderr);
+#endif
+ if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
+ sshbuf_free(b);
+ return SSH_ERR_LIBCRYPTO_ERROR;
+ }
+ sshbuf_free(b);
+ *hashlen = ssh_digest_bytes(hash_alg);
+#ifdef DEBUG_KEX
+ dump_digest("hash", hash, *hashlen);
+#endif
+ return 0;
+}
+
+int
+kex_gen_client(struct ssh *ssh)
+{
+ struct kex *kex = ssh->kex;
+ int r;
+
+ switch (kex->kex_type) {
+#ifdef WITH_OPENSSL
+ case KEX_DH_GRP1_SHA1:
+ case KEX_DH_GRP14_SHA1:
+ case KEX_DH_GRP14_SHA256:
+ case KEX_DH_GRP16_SHA512:
+ case KEX_DH_GRP18_SHA512:
+ r = kex_dh_keypair(kex);
+ break;
+ case KEX_ECDH_SHA2:
+ r = kex_ecdh_keypair(kex);
+ break;
+#endif
+ case KEX_C25519_SHA256:
+ r = kex_c25519_keypair(kex);
+ break;
+ case KEX_KEM_SNTRUP4591761X25519_SHA512:
+ r = kex_kem_sntrup4591761x25519_keypair(kex);
+ break;
+ default:
+ r = SSH_ERR_INVALID_ARGUMENT;
+ break;
+ }
+ if (r != 0)
+ return r;
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_INIT)) != 0 ||
+ (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ return r;
+ debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_gen_reply);
+ return 0;
+}
+
+static int
+input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
+{
+ struct kex *kex = ssh->kex;
+ struct sshkey *server_host_key = NULL;
+ struct sshbuf *shared_secret = NULL;
+ struct sshbuf *server_blob = NULL;
+ struct sshbuf *tmp = NULL, *server_host_key_blob = NULL;
+ u_char *signature = NULL;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t slen, hashlen;
+ int r;
+
+ /* hostkey */
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+ goto out;
+ /* sshkey_fromb() consumes its buffer, so make a copy */
+ if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshkey_fromb(tmp, &server_host_key)) != 0)
+ goto out;
+ if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
+ goto out;
+
+ /* Q_S, server public key */
+ /* signed H */
+ if ((r = sshpkt_getb_froms(ssh, &server_blob)) != 0 ||
+ (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
+ goto out;
+
+ /* compute shared secret */
+ switch (kex->kex_type) {
+#ifdef WITH_OPENSSL
+ case KEX_DH_GRP1_SHA1:
+ case KEX_DH_GRP14_SHA1:
+ case KEX_DH_GRP14_SHA256:
+ case KEX_DH_GRP16_SHA512:
+ case KEX_DH_GRP18_SHA512:
+ r = kex_dh_dec(kex, server_blob, &shared_secret);
+ break;
+ case KEX_ECDH_SHA2:
+ r = kex_ecdh_dec(kex, server_blob, &shared_secret);
+ break;
+#endif
+ case KEX_C25519_SHA256:
+ r = kex_c25519_dec(kex, server_blob, &shared_secret);
+ break;
+ case KEX_KEM_SNTRUP4591761X25519_SHA512:
+ r = kex_kem_sntrup4591761x25519_dec(kex, server_blob,
+ &shared_secret);
+ break;
+ default:
+ r = SSH_ERR_INVALID_ARGUMENT;
+ break;
+ }
+ if (r !=0 )
+ goto out;
+
+ /* calc and verify H */
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->my,
+ kex->peer,
+ server_host_key_blob,
+ kex->client_pub,
+ server_blob,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
+ kex->hostkey_alg, ssh->compat)) != 0)
+ goto out;
+
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
+ r = kex_send_newkeys(ssh);
+out:
+ explicit_bzero(hash, sizeof(hash));
+ explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
+ explicit_bzero(kex->sntrup4591761_client_key,
+ sizeof(kex->sntrup4591761_client_key));
+ sshbuf_free(server_host_key_blob);
+ free(signature);
+ sshbuf_free(tmp);
+ sshkey_free(server_host_key);
+ sshbuf_free(server_blob);
+ sshbuf_free(shared_secret);
+ sshbuf_free(kex->client_pub);
+ kex->client_pub = NULL;
+ return r;
+}
+
+int
+kex_gen_server(struct ssh *ssh)
+{
+ debug("expecting SSH2_MSG_KEX_ECDH_INIT");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &input_kex_gen_init);
+ return 0;
+}
+
+static int
+input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
+{
+ struct kex *kex = ssh->kex;
+ struct sshkey *server_host_private, *server_host_public;
+ struct sshbuf *shared_secret = NULL;
+ struct sshbuf *server_pubkey = NULL;
+ struct sshbuf *client_pubkey = NULL;
+ struct sshbuf *server_host_key_blob = NULL;
+ u_char *signature = NULL, hash[SSH_DIGEST_MAX_LENGTH];
+ size_t slen, hashlen;
+ int r;
+
+ if ((r = kex_load_hostkey(ssh, &server_host_private,
+ &server_host_public)) != 0)
+ goto out;
+
+ if ((r = sshpkt_getb_froms(ssh, &client_pubkey)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
+ goto out;
+
+ /* compute shared secret */
+ switch (kex->kex_type) {
+#ifdef WITH_OPENSSL
+ case KEX_DH_GRP1_SHA1:
+ case KEX_DH_GRP14_SHA1:
+ case KEX_DH_GRP14_SHA256:
+ case KEX_DH_GRP16_SHA512:
+ case KEX_DH_GRP18_SHA512:
+ r = kex_dh_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ break;
+ case KEX_ECDH_SHA2:
+ r = kex_ecdh_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ break;
+#endif
+ case KEX_C25519_SHA256:
+ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ break;
+ case KEX_KEM_SNTRUP4591761X25519_SHA512:
+ r = kex_kem_sntrup4591761x25519_enc(kex, client_pubkey,
+ &server_pubkey, &shared_secret);
+ break;
+ default:
+ r = SSH_ERR_INVALID_ARGUMENT;
+ break;
+ }
+ if (r !=0 )
+ goto out;
+
+ /* calc H */
+ if ((server_host_key_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
+ goto out;
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ server_host_key_blob,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ /* sign H */
+ if ((r = kex->sign(ssh, server_host_private, server_host_public,
+ &signature, &slen, hash, hashlen, kex->hostkey_alg)) != 0)
+ goto out;
+
+ /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
+ (r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 ||
+ (r = sshpkt_put_stringb(ssh, server_pubkey)) != 0 ||
+ (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+ goto out;
+
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
+ r = kex_send_newkeys(ssh);
+out:
+ explicit_bzero(hash, sizeof(hash));
+ sshbuf_free(server_host_key_blob);
+ free(signature);
+ sshbuf_free(shared_secret);
+ sshbuf_free(client_pubkey);
+ sshbuf_free(server_pubkey);
+ return r;
+}
diff --git a/kexgex.c b/kexgex.c
index 3ca4bd37000b..8040a13202fc 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgex.c,v 1.29 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexgex.c,v 1.32 2019/01/23 00:30:41 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -46,17 +46,17 @@
int
kexgex_hash(
int hash_alg,
- const char *client_version_string,
- const char *server_version_string,
- const u_char *ckexinit, size_t ckexinitlen,
- const u_char *skexinit, size_t skexinitlen,
- const u_char *serverhostkeyblob, size_t sbloblen,
+ const struct sshbuf *client_version,
+ const struct sshbuf *server_version,
+ const struct sshbuf *client_kexinit,
+ const struct sshbuf *server_kexinit,
+ const struct sshbuf *server_host_key_blob,
int min, int wantbits, int max,
const BIGNUM *prime,
const BIGNUM *gen,
const BIGNUM *client_dh_pub,
const BIGNUM *server_dh_pub,
- const BIGNUM *shared_secret,
+ const u_char *shared_secret, size_t secretlen,
u_char *hash, size_t *hashlen)
{
struct sshbuf *b;
@@ -66,16 +66,16 @@ kexgex_hash(
return SSH_ERR_INVALID_ARGUMENT;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
- (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
+ if ((r = sshbuf_put_stringb(b, client_version)) < 0 ||
+ (r = sshbuf_put_stringb(b, server_version)) < 0 ||
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
- (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
+ (r = sshbuf_put_u32(b, sshbuf_len(client_kexinit) + 1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
- (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
+ (r = sshbuf_putb(b, client_kexinit)) != 0 ||
+ (r = sshbuf_put_u32(b, sshbuf_len(server_kexinit) + 1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
- (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
- (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
+ (r = sshbuf_putb(b, server_kexinit)) != 0 ||
+ (r = sshbuf_put_stringb(b, server_host_key_blob)) != 0 ||
(min != -1 && (r = sshbuf_put_u32(b, min)) != 0) ||
(r = sshbuf_put_u32(b, wantbits)) != 0 ||
(max != -1 && (r = sshbuf_put_u32(b, max)) != 0) ||
@@ -83,7 +83,7 @@ kexgex_hash(
(r = sshbuf_put_bignum2(b, gen)) != 0 ||
(r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||
(r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||
- (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
+ (r = sshbuf_put(b, shared_secret, secretlen)) != 0) {
sshbuf_free(b);
return r;
}
diff --git a/kexgexc.c b/kexgexc.c
index 0d07f73c794c..1c65b8a18016 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.27 2018/02/07 02:06:51 jsing Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.34 2019/01/23 00:30:41 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -100,13 +100,8 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
debug("got SSH2_MSG_KEX_DH_GEX_GROUP");
- if ((p = BN_new()) == NULL ||
- (g = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
- (r = sshpkt_get_bignum2(ssh, g)) != 0 ||
+ if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 ||
+ (r = sshpkt_get_bignum2(ssh, &g)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
if ((bits = BN_num_bits(p)) < 0 ||
@@ -148,71 +143,39 @@ static int
input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
- BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
+ BIGNUM *dh_server_pub = NULL;
const BIGNUM *pub_key, *dh_p, *dh_g;
+ struct sshbuf *shared_secret = NULL;
+ struct sshbuf *tmp = NULL, *server_host_key_blob = NULL;
struct sshkey *server_host_key = NULL;
- u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
+ u_char *signature = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t klen = 0, slen, sbloblen, hashlen;
- int kout, r;
+ size_t slen, hashlen;
+ int r;
debug("got SSH2_MSG_KEX_DH_GEX_REPLY");
- if (kex->verify_host_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
/* key, cert */
- if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
- &sbloblen)) != 0 ||
- (r = sshkey_from_blob(server_host_key_blob, sbloblen,
- &server_host_key)) != 0)
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
goto out;
- if (server_host_key->type != kex->hostkey_type ||
- (kex->hostkey_type == KEY_ECDSA &&
- server_host_key->ecdsa_nid != kex->hostkey_nid)) {
- r = SSH_ERR_KEY_TYPE_MISMATCH;
- goto out;
- }
- if (kex->verify_host_key(server_host_key, ssh) == -1) {
- r = SSH_ERR_SIGNATURE_INVALID;
- goto out;
- }
- /* DH parameter f, server public DH key */
- if ((dh_server_pub = BN_new()) == NULL) {
+ /* sshkey_fromb() consumes its buffer, so make a copy */
+ if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- /* signed H */
- if ((r = sshpkt_get_bignum2(ssh, dh_server_pub)) != 0 ||
+ if ((r = sshkey_fromb(tmp, &server_host_key)) != 0 ||
+ (r = kex_verify_host_key(ssh, server_host_key)) != 0)
+ goto out;
+ /* DH parameter f, server public DH key, signed H */
+ if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
-#ifdef DEBUG_KEXDH
- fprintf(stderr, "dh_server_pub= ");
- BN_print_fp(stderr, dh_server_pub);
- fprintf(stderr, "\n");
- debug("bits %d", BN_num_bits(dh_server_pub));
-#endif
- if (!dh_pub_is_valid(kex->dh, dh_server_pub)) {
- sshpkt_disconnect(ssh, "bad server public DH value");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- klen = DH_size(kex->dh);
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
+ if ((shared_secret = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((kout = DH_compute_key(kbuf, dh_server_pub, kex->dh)) < 0 ||
- BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
+ if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
goto out;
- }
-#ifdef DEBUG_KEXDH
- dump_digest("shared secret", kbuf, kout);
-#endif
if (ssh->compat & SSH_OLD_DHGEX)
kex->min = kex->max = -1;
@@ -222,16 +185,16 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
hashlen = sizeof(hash);
if ((r = kexgex_hash(
kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- server_host_key_blob, sbloblen,
+ kex->client_version,
+ kex->server_version,
+ kex->my,
+ kex->peer,
+ server_host_key_blob,
kex->min, kex->nbits, kex->max,
dh_p, dh_g,
pub_key,
dh_server_pub,
- shared_secret,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
hash, &hashlen)) != 0)
goto out;
@@ -239,31 +202,17 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
hashlen, kex->hostkey_alg, ssh->compat)) != 0)
goto out;
- /* save session id */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
BN_clear_free(dh_server_pub);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
+ sshbuf_free(shared_secret);
sshkey_free(server_host_key);
- free(server_host_key_blob);
+ sshbuf_free(tmp);
+ sshbuf_free(server_host_key_blob);
free(signature);
return r;
}
diff --git a/kexgexs.c b/kexgexs.c
index dc9c0bc6024d..8ee3aaccb992 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.35 2018/10/04 00:04:41 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.42 2019/01/23 00:30:41 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -126,130 +126,78 @@ static int
input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
- BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
+ BIGNUM *dh_client_pub = NULL;
const BIGNUM *pub_key, *dh_p, *dh_g;
+ struct sshbuf *shared_secret = NULL;
+ struct sshbuf *server_host_key_blob = NULL;
struct sshkey *server_host_public, *server_host_private;
- u_char *kbuf = NULL, *signature = NULL, *server_host_key_blob = NULL;
+ u_char *signature = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
- size_t sbloblen, slen;
- size_t klen = 0, hashlen;
- int kout, r;
+ size_t slen, hashlen;
+ int r;
- if (kex->load_host_public_key == NULL ||
- kex->load_host_private_key == NULL) {
- r = SSH_ERR_INVALID_ARGUMENT;
- goto out;
- }
- server_host_public = kex->load_host_public_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- server_host_private = kex->load_host_private_key(kex->hostkey_type,
- kex->hostkey_nid, ssh);
- if (server_host_public == NULL) {
- r = SSH_ERR_NO_HOSTKEY_LOADED;
+ if ((r = kex_load_hostkey(ssh, &server_host_private,
+ &server_host_public)) != 0)
goto out;
- }
/* key, cert */
- if ((dh_client_pub = BN_new()) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- if ((r = sshpkt_get_bignum2(ssh, dh_client_pub)) != 0 ||
+ if ((r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
-
- DH_get0_key(kex->dh, &pub_key, NULL);
- DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
-
-#ifdef DEBUG_KEXDH
- fprintf(stderr, "dh_client_pub= ");
- BN_print_fp(stderr, dh_client_pub);
- fprintf(stderr, "\n");
- debug("bits %d", BN_num_bits(dh_client_pub));
- DHparams_print_fp(stderr, kex->dh);
- fprintf(stderr, "pub= ");
- BN_print_fp(stderr, pub_key);
- fprintf(stderr, "\n");
-#endif
- if (!dh_pub_is_valid(kex->dh, dh_client_pub)) {
- sshpkt_disconnect(ssh, "bad client public DH value");
- r = SSH_ERR_MESSAGE_INCOMPLETE;
- goto out;
- }
-
- klen = DH_size(kex->dh);
- if ((kbuf = malloc(klen)) == NULL ||
- (shared_secret = BN_new()) == NULL) {
+ if ((shared_secret = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((kout = DH_compute_key(kbuf, dh_client_pub, kex->dh)) < 0 ||
- BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
- r = SSH_ERR_LIBCRYPTO_ERROR;
+ if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
+ goto out;
+ if ((server_host_key_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
-#ifdef DEBUG_KEXDH
- dump_digest("shared secret", kbuf, kout);
-#endif
- if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
- &sbloblen)) != 0)
+ if ((r = sshkey_putb(server_host_public, server_host_key_blob)) != 0)
goto out;
+
/* calc H */
+ DH_get0_key(kex->dh, &pub_key, NULL);
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
hashlen = sizeof(hash);
if ((r = kexgex_hash(
kex->hash_alg,
- kex->client_version_string,
- kex->server_version_string,
- sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
- sshbuf_ptr(kex->my), sshbuf_len(kex->my),
- server_host_key_blob, sbloblen,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ server_host_key_blob,
kex->min, kex->nbits, kex->max,
dh_p, dh_g,
dh_client_pub,
pub_key,
- shared_secret,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
hash, &hashlen)) != 0)
goto out;
- /* save session id := H */
- if (kex->session_id == NULL) {
- kex->session_id_len = hashlen;
- kex->session_id = malloc(kex->session_id_len);
- if (kex->session_id == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
/* sign H */
- if ((r = kex->sign(server_host_private, server_host_public, &signature,
- &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
+ if ((r = kex->sign(ssh, server_host_private, server_host_public,
+ &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
goto out;
- /* destroy_sensitive_data(); */
-
/* send server hostkey, DH pubkey 'f' and signed H */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REPLY)) != 0 ||
- (r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
+ (r = sshpkt_put_stringb(ssh, server_host_key_blob)) != 0 ||
(r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */
(r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
- if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
BN_clear_free(dh_client_pub);
- if (kbuf) {
- explicit_bzero(kbuf, klen);
- free(kbuf);
- }
- BN_clear_free(shared_secret);
- free(server_host_key_blob);
+ sshbuf_free(shared_secret);
+ sshbuf_free(server_host_key_blob);
free(signature);
return r;
}
diff --git a/kexsntrup4591761x25519.c b/kexsntrup4591761x25519.c
new file mode 100644
index 000000000000..3b9b664f8b1f
--- /dev/null
+++ b/kexsntrup4591761x25519.c
@@ -0,0 +1,219 @@
+/* $OpenBSD: kexsntrup4591761x25519.c,v 1.3 2019/01/21 10:40:11 djm Exp $ */
+/*
+ * Copyright (c) 2019 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+
+#include "sshkey.h"
+#include "kex.h"
+#include "sshbuf.h"
+#include "digest.h"
+#include "ssherr.h"
+
+int
+kex_kem_sntrup4591761x25519_keypair(struct kex *kex)
+{
+ struct sshbuf *buf = NULL;
+ u_char *cp = NULL;
+ size_t need;
+ int r;
+
+ if ((buf = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
+ if ((r = sshbuf_reserve(buf, need, &cp)) != 0)
+ goto out;
+ crypto_kem_sntrup4591761_keypair(cp, kex->sntrup4591761_client_key);
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key sntrup4591761:", cp,
+ crypto_kem_sntrup4591761_PUBLICKEYBYTES);
+#endif
+ cp += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
+ kexc25519_keygen(kex->c25519_client_key, cp);
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
+#endif
+ kex->client_pub = buf;
+ buf = NULL;
+ out:
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_kem_sntrup4591761x25519_enc(struct kex *kex,
+ const struct sshbuf *client_blob, struct sshbuf **server_blobp,
+ struct sshbuf **shared_secretp)
+{
+ struct sshbuf *server_blob = NULL;
+ struct sshbuf *buf = NULL;
+ const u_char *client_pub;
+ u_char *kem_key, *ciphertext, *server_pub;
+ u_char server_key[CURVE25519_SIZE];
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t need;
+ int r;
+
+ *server_blobp = NULL;
+ *shared_secretp = NULL;
+
+ /* client_blob contains both KEM and ECDH client pubkeys */
+ need = crypto_kem_sntrup4591761_PUBLICKEYBYTES + CURVE25519_SIZE;
+ if (sshbuf_len(client_blob) != need) {
+ r = SSH_ERR_SIGNATURE_INVALID;
+ goto out;
+ }
+ client_pub = sshbuf_ptr(client_blob);
+#ifdef DEBUG_KEXECDH
+ dump_digest("client public key sntrup4591761:", client_pub,
+ crypto_kem_sntrup4591761_PUBLICKEYBYTES);
+ dump_digest("client public key 25519:",
+ client_pub + crypto_kem_sntrup4591761_PUBLICKEYBYTES,
+ CURVE25519_SIZE);
+#endif
+ /* allocate buffer for concatenation of KEM key and ECDH shared key */
+ /* the buffer will be hashed and the result is the shared secret */
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
+ &kem_key)) != 0)
+ goto out;
+ /* allocate space for encrypted KEM key and ECDH pub key */
+ if ((server_blob = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
+ if ((r = sshbuf_reserve(server_blob, need, &ciphertext)) != 0)
+ goto out;
+ /* generate and encrypt KEM key with client key */
+ crypto_kem_sntrup4591761_enc(ciphertext, kem_key, client_pub);
+ /* generate ECDH key pair, store server pubkey after ciphertext */
+ server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
+ kexc25519_keygen(server_key, server_pub);
+ /* append ECDH shared key */
+ client_pub += crypto_kem_sntrup4591761_PUBLICKEYBYTES;
+ if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0)
+ goto out;
+ if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
+ dump_digest("server cipher text:", ciphertext,
+ crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
+ dump_digest("server kem key:", kem_key, sizeof(kem_key));
+ dump_digest("concatenation of KEM key and ECDH shared key:",
+ sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+ /* string-encoded hash is resulting shared secret */
+ sshbuf_reset(buf);
+ if ((r = sshbuf_put_string(buf, hash,
+ ssh_digest_bytes(kex->hash_alg))) != 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+ *server_blobp = server_blob;
+ *shared_secretp = buf;
+ server_blob = NULL;
+ buf = NULL;
+ out:
+ explicit_bzero(hash, sizeof(hash));
+ explicit_bzero(server_key, sizeof(server_key));
+ sshbuf_free(server_blob);
+ sshbuf_free(buf);
+ return r;
+}
+
+int
+kex_kem_sntrup4591761x25519_dec(struct kex *kex,
+ const struct sshbuf *server_blob, struct sshbuf **shared_secretp)
+{
+ struct sshbuf *buf = NULL;
+ u_char *kem_key = NULL;
+ const u_char *ciphertext, *server_pub;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t need;
+ int r, decoded;
+
+ *shared_secretp = NULL;
+
+ need = crypto_kem_sntrup4591761_CIPHERTEXTBYTES + CURVE25519_SIZE;
+ if (sshbuf_len(server_blob) != need) {
+ r = SSH_ERR_SIGNATURE_INVALID;
+ goto out;
+ }
+ ciphertext = sshbuf_ptr(server_blob);
+ server_pub = ciphertext + crypto_kem_sntrup4591761_CIPHERTEXTBYTES;
+#ifdef DEBUG_KEXECDH
+ dump_digest("server cipher text:", ciphertext,
+ crypto_kem_sntrup4591761_CIPHERTEXTBYTES);
+ dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
+#endif
+ /* hash concatenation of KEM key and ECDH shared key */
+ if ((buf = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_reserve(buf, crypto_kem_sntrup4591761_BYTES,
+ &kem_key)) != 0)
+ goto out;
+ decoded = crypto_kem_sntrup4591761_dec(kem_key, ciphertext,
+ kex->sntrup4591761_client_key);
+ if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
+ buf, 1)) < 0)
+ goto out;
+ if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("client kem key:", kem_key, sizeof(kem_key));
+ dump_digest("concatenation of KEM key and ECDH shared key:",
+ sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+ sshbuf_reset(buf);
+ if ((r = sshbuf_put_string(buf, hash,
+ ssh_digest_bytes(kex->hash_alg))) != 0)
+ goto out;
+#ifdef DEBUG_KEXECDH
+ dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+ if (decoded != 0) {
+ r = SSH_ERR_SIGNATURE_INVALID;
+ goto out;
+ }
+ *shared_secretp = buf;
+ buf = NULL;
+ out:
+ explicit_bzero(hash, sizeof(hash));
+ sshbuf_free(buf);
+ return r;
+}
diff --git a/loginrec.c b/loginrec.c
index 9a427dec4125..5f2a47797be9 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -467,7 +467,7 @@ login_write(struct logininfo *li)
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
- &loginmsg))
+ loginmsg))
logit("Writing login record failed for %s", li->username);
#endif
#ifdef SSH_AUDIT_EVENTS
@@ -1653,7 +1653,7 @@ utmpx_get_entry(struct logininfo *li)
*/
void
-record_failed_login(const char *username, const char *hostname,
+record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
const char *ttyn)
{
int fd;
@@ -1696,8 +1696,8 @@ record_failed_login(const char *username, const char *hostname,
/* strncpy because we don't necessarily want nul termination */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
- if (packet_connection_is_on_socket() &&
- getpeername(packet_get_connection_in(),
+ if (ssh_packet_connection_is_on_socket(ssh) &&
+ getpeername(ssh_packet_get_connection_in(ssh),
(struct sockaddr *)&from, &fromlen) == 0) {
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET) {
diff --git a/loginrec.h b/loginrec.h
index 28923e7812e5..62cc0e78c945 100644
--- a/loginrec.h
+++ b/loginrec.h
@@ -31,6 +31,8 @@
#include "includes.h"
+struct ssh;
+
/**
** you should use the login_* calls to work around platform dependencies
**/
@@ -126,6 +128,7 @@ char *line_fullname(char *dst, const char *src, u_int dstsize);
char *line_stripname(char *dst, const char *src, int dstsize);
char *line_abbrevname(char *dst, const char *src, int dstsize);
-void record_failed_login(const char *, const char *, const char *);
+void record_failed_login(struct ssh *, const char *, const char *,
+ const char *);
#endif /* _HAVE_LOGINREC_H_ */
diff --git a/match.c b/match.c
index bb3e95f678ca..fcf69596d56e 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */
+/* $OpenBSD: match.c,v 1.39 2019/03/06 22:14:23 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -170,6 +170,19 @@ match_pattern_list(const char *string, const char *pattern, int dolower)
return got_positive;
}
+/* Match a list representing users or groups. */
+int
+match_usergroup_pattern_list(const char *string, const char *pattern)
+{
+#ifdef HAVE_CYGWIN
+ /* Windows usernames may be Unicode and are not case sensitive */
+ return cygwin_ug_match_pattern_list(string, pattern);
+#else
+ /* Case insensitive match */
+ return match_pattern_list(string, pattern, 0);
+#endif
+}
+
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
diff --git a/match.h b/match.h
index 852b1a5cb164..3a8a6ecdc1da 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.h,v 1.18 2018/07/04 13:49:31 djm Exp $ */
+/* $OpenBSD: match.h,v 1.19 2019/03/06 22:14:23 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,6 +16,7 @@
int match_pattern(const char *, const char *);
int match_pattern_list(const char *, const char *, int);
+int match_usergroup_pattern_list(const char *, const char *);
int match_hostname(const char *, const char *);
int match_host_and_ip(const char *, const char *, const char *);
int match_user(const char *, const char *, const char *, const char *);
diff --git a/misc.c b/misc.c
index bdc06fdb3332..009e02bc55c1 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.133 2018/10/05 14:26:09 naddy Exp $ */
+/* $OpenBSD: misc.c,v 1.137 2019/01/23 21:50:56 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -38,6 +38,7 @@
#ifdef HAVE_LIBGEN_H
# include <libgen.h>
#endif
+#include <poll.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
@@ -234,6 +235,80 @@ set_rdomain(int fd, const char *name)
#endif
}
+/*
+ * Wait up to *timeoutp milliseconds for fd to be readable. Updates
+ * *timeoutp with time remaining.
+ * Returns 0 if fd ready or -1 on timeout or error (see errno).
+ */
+int
+waitrfd(int fd, int *timeoutp)
+{
+ struct pollfd pfd;
+ struct timeval t_start;
+ int oerrno, r;
+
+ monotime_tv(&t_start);
+ pfd.fd = fd;
+ pfd.events = POLLIN;
+ for (; *timeoutp >= 0;) {
+ r = poll(&pfd, 1, *timeoutp);
+ oerrno = errno;
+ ms_subtract_diff(&t_start, timeoutp);
+ errno = oerrno;
+ if (r > 0)
+ return 0;
+ else if (r == -1 && errno != EAGAIN)
+ return -1;
+ else if (r == 0)
+ break;
+ }
+ /* timeout */
+ errno = ETIMEDOUT;
+ return -1;
+}
+
+/*
+ * Attempt a non-blocking connect(2) to the specified address, waiting up to
+ * *timeoutp milliseconds for the connection to complete. If the timeout is
+ * <=0, then wait indefinitely.
+ *
+ * Returns 0 on success or -1 on failure.
+ */
+int
+timeout_connect(int sockfd, const struct sockaddr *serv_addr,
+ socklen_t addrlen, int *timeoutp)
+{
+ int optval = 0;
+ socklen_t optlen = sizeof(optval);
+
+ /* No timeout: just do a blocking connect() */
+ if (timeoutp == NULL || *timeoutp <= 0)
+ return connect(sockfd, serv_addr, addrlen);
+
+ set_nonblock(sockfd);
+ if (connect(sockfd, serv_addr, addrlen) == 0) {
+ /* Succeeded already? */
+ unset_nonblock(sockfd);
+ return 0;
+ } else if (errno != EINPROGRESS)
+ return -1;
+
+ if (waitrfd(sockfd, timeoutp) == -1)
+ return -1;
+
+ /* Completed or failed */
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) {
+ debug("getsockopt: %s", strerror(errno));
+ return -1;
+ }
+ if (optval != 0) {
+ errno = optval;
+ return -1;
+ }
+ unset_nonblock(sockfd);
+ return 0;
+}
+
/* Characters considered whitespace in strsep calls. */
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -489,7 +564,7 @@ put_host_port(const char *host, u_short port)
* The delimiter char, if present, is stored in delim.
* If this is the last field, *cp is set to NULL.
*/
-static char *
+char *
hpdelim2(char **cp, char *delim)
{
char *s, *old;
@@ -1335,11 +1410,11 @@ bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen)
{
bw->buflen = buflen;
bw->rate = kbps;
- bw->thresh = bw->rate;
+ bw->thresh = buflen;
bw->lamt = 0;
timerclear(&bw->bwstart);
timerclear(&bw->bwend);
-}
+}
/* Callback from read/write loop to insert bandwidth-limiting delays */
void
@@ -1348,12 +1423,11 @@ bandwidth_limit(struct bwlimit *bw, size_t read_len)
u_int64_t waitlen;
struct timespec ts, rm;
+ bw->lamt += read_len;
if (!timerisset(&bw->bwstart)) {
monotime_tv(&bw->bwstart);
return;
}
-
- bw->lamt += read_len;
if (bw->lamt < bw->thresh)
return;
@@ -2037,3 +2111,10 @@ format_absolute_time(uint64_t t, char *buf, size_t len)
localtime_r(&tt, &tm);
strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
}
+
+/* check if path is absolute */
+int
+path_absolute(const char *path)
+{
+ return (*path == '/') ? 1 : 0;
+}
diff --git a/misc.h b/misc.h
index 31b207a8d9d9..5b4325aba2b8 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.75 2018/10/03 06:38:35 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.79 2019/01/23 21:50:56 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -17,6 +17,7 @@
#include <sys/time.h>
#include <sys/types.h>
+#include <sys/socket.h>
/* Data structure for representing a forwarding request. */
struct Forward {
@@ -51,9 +52,12 @@ void set_nodelay(int);
int set_reuseaddr(int);
char *get_rdomain(int);
int set_rdomain(int, const char *);
+int waitrfd(int, int *);
+int timeout_connect(int, const struct sockaddr *, socklen_t, int *);
int a2port(const char *);
int a2tun(const char *, int *);
char *put_host_port(const char *, u_short);
+char *hpdelim2(char **, char *);
char *hpdelim(char **);
char *cleanhostname(char *);
char *colon(char *);
@@ -78,6 +82,7 @@ int valid_env_name(const char *);
const char *atoi_err(const char *, int *);
int parse_absolute_time(const char *, uint64_t *);
void format_absolute_time(uint64_t, char *, size_t);
+int path_absolute(const char *);
void sock_set_v6only(int);
@@ -134,7 +139,9 @@ void put_u32_le(void *, u_int32_t)
struct bwlimit {
size_t buflen;
- u_int64_t rate, thresh, lamt;
+ u_int64_t rate; /* desired rate in kbit/s */
+ u_int64_t thresh; /* threshold after which we'll check timers */
+ u_int64_t lamt; /* amount written in last timer interval */
struct timeval bwstart, bwend;
};
diff --git a/moduli b/moduli
index 372c382a270c..4c694736119b 100644
--- a/moduli
+++ b/moduli
@@ -1,428 +1,452 @@
-# $OpenBSD: moduli,v 1.22 2018/09/20 08:07:03 dtucker Exp $
+# $OpenBSD: moduli,v 1.23 2018/10/31 11:20:04 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
-20180403031539 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A591E4B57
-20180403031604 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5923D0DB
-20180403031626 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A592B11B7
-20180403031845 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A59715A73
-20180403032143 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A59CDE963
-20180403032347 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5A11B463
-20180403032438 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5A2BBC5F
-20180403032617 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5A6308C3
-20180403032923 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5ADA5523
-20180403033405 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5B9A6B37
-20180403033427 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5B9F8E27
-20180403033655 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5C00897F
-20180403033742 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5C172DBB
-20180403033837 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5C33AEAB
-20180403033952 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5C5F6067
-20180403034409 2 6 100 2047 5 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5CEE2AD7
-20180403034453 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5CFFE4F3
-20180403034601 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199BB168C93F96F71974181F898D6C56C02D9DABA852E7E51CA0DC723255B49CAA122D2A6CC64F1389128A0E3298B0E155EC8A4D9BF1D1671B808DDD835015381C1F16C35A84D20A5D1A691B
-20180403035311 2 6 100 2047 2 F78A3F3A47AFE34101F186DF022B970FB51586E65B1D1875E41D02EDDD4BDF6D6D8BA1CC296EA6A8BD7036297A0C01C636A55493E3ADEC2F1DAB9D8D7E0CCD39D7FFC9D4011C3F57A944AA1EEB1AC1784E28ACF7B6FB3AC49185F4E638B567DA6B4903CB8C6D815ED1253D512670FAF71E6BF1ED6669863B552B3BB2173A7F16262454142B7B928F91E60EED00BDFA465F2C46665BD30C1426F9B8D9611D086D6BAB672CB472E8F8E6990F623C2E7458991D982E199