-rw-r--r--.depend182
-rw-r--r--.skipped-commit-ids7
-rw-r--r--ChangeLog4925
-rw-r--r--INSTALL20
-rw-r--r--Makefile.in101
-rw-r--r--PROTOCOL14
-rw-r--r--PROTOCOL.certkeys8
-rw-r--r--README20
-rw-r--r--README.privsep4
-rw-r--r--auth-options.c1199
-rw-r--r--auth-options.h107
-rw-r--r--auth-pam.c25
-rw-r--r--auth-pam.h4
-rw-r--r--auth-passwd.c30
-rw-r--r--auth-sia.c4
-rw-r--r--auth.c351
-rw-r--r--auth.h34
-rw-r--r--auth2-hostbased.c10
-rw-r--r--auth2-none.c4
-rw-r--r--auth2-passwd.c4
-rw-r--r--auth2-pubkey.c615
-rw-r--r--auth2.c17
-rw-r--r--authfd.c43
-rw-r--r--authfd.h7
-rw-r--r--authfile.c8
-rw-r--r--bitmap.c1
-rw-r--r--bitmap.h1
-rw-r--r--blocks.c248
-rw-r--r--channels.c84
-rw-r--r--cipher.c21
-rw-r--r--clientloop.c57
-rw-r--r--clientloop.h4
-rw-r--r--compat.c73
-rw-r--r--compat.h28
-rw-r--r--config.h.in72
-rwxr-xr-xconfigure716
-rw-r--r--configure.ac217
-rw-r--r--contrib/aix/README1
-rwxr-xr-xcontrib/aix/buildbff.sh1
-rwxr-xr-xcontrib/aix/inventory.sh1
-rw-r--r--contrib/cygwin/Makefile11
-rwxr-xr-xcontrib/findssl.sh2
-rw-r--r--contrib/redhat/openssh.spec69
-rwxr-xr-xcontrib/redhat/sshd.init1
-rwxr-xr-xcontrib/redhat/sshd.init.old17
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--crypto_api.h10
-rw-r--r--defines.h24
-rw-r--r--dh.c11
-rw-r--r--dns.c7
-rw-r--r--dns.h5
-rw-r--r--entropy.c4
-rwxr-xr-xfixprogs72
-rw-r--r--hash.c83
-rwxr-xr-xinstall-sh682
-rw-r--r--kex.c14
-rw-r--r--kexc25519c.c4
-rw-r--r--kexc25519s.c2
-rw-r--r--kexdhc.c10
-rw-r--r--kexdhs.c8
-rw-r--r--kexecdhc.c19
-rw-r--r--kexecdhs.c14
-rw-r--r--kexgexc.c16
-rw-r--r--kexgexs.c8
-rw-r--r--key.c17
-rw-r--r--key.h3
-rw-r--r--krl.c4
-rw-r--r--loginrec.c6
-rw-r--r--md5crypt.c4
-rw-r--r--mdoc2man.awk2
-rw-r--r--misc.c696
-rw-r--r--misc.h21
-rwxr-xr-xmkinstalldirs2
-rw-r--r--moduli836
-rw-r--r--moduli.c6
-rw-r--r--monitor.c116
-rw-r--r--monitor_wrap.c56
-rw-r--r--monitor_wrap.h13
-rw-r--r--opacket.c1
-rw-r--r--opacket.h1
-rw-r--r--openbsd-compat/Makefile.in81
-rw-r--r--openbsd-compat/bsd-cray.c816
-rw-r--r--openbsd-compat/bsd-cray.h59
-rw-r--r--openbsd-compat/bsd-flock.c81
-rw-r--r--openbsd-compat/bsd-getpagesize.c2
-rw-r--r--openbsd-compat/bsd-malloc.c2
-rw-r--r--openbsd-compat/bsd-misc.c81
-rw-r--r--openbsd-compat/bsd-misc.h34
-rw-r--r--openbsd-compat/bsd-openpty.c25
-rw-r--r--openbsd-compat/bsd-signal.c62
-rw-r--r--openbsd-compat/bsd-signal.h39
-rw-r--r--openbsd-compat/bsd-statvfs.c8
-rw-r--r--openbsd-compat/bsd-statvfs.h3
-rw-r--r--openbsd-compat/freezero.c4
-rw-r--r--openbsd-compat/openbsd-compat.h14
-rw-r--r--openbsd-compat/port-aix.c4
-rw-r--r--openbsd-compat/port-linux.c9
-rw-r--r--openbsd-compat/port-net.c (renamed from openbsd-compat/port-tun.c)101
-rw-r--r--openbsd-compat/port-net.h (renamed from openbsd-compat/port-tun.h)16
-rw-r--r--openbsd-compat/port-uw.c4
-rw-r--r--openbsd-compat/readpassphrase.c8
-rw-r--r--openbsd-compat/regress/Makefile.in2
-rw-r--r--openbsd-compat/strndup.c43
-rw-r--r--openbsd-compat/strnlen.c2
-rwxr-xr-xopensshd.init.in4
-rw-r--r--packet.c32
-rw-r--r--packet.h5
-rw-r--r--pathnames.h4
-rw-r--r--readconf.c76
-rw-r--r--readconf.h4
-rw-r--r--regress/Makefile5
-rw-r--r--regress/README.regress2
-rw-r--r--regress/agent-getpeereid.sh3
-rw-r--r--regress/agent-ptrace.sh2
-rw-r--r--regress/agent.sh144
-rw-r--r--regress/allow-deny-users.sh1
-rw-r--r--regress/authinfo.sh4
-rwxr-xr-xregress/cert-userkey.sh5
-rw-r--r--regress/cfgmatch.sh6
-rw-r--r--regress/connect-uri.sh29
-rwxr-xr-xregress/forward-control.sh29
-rwxr-xr-xregress/key-options.sh68
-rwxr-xr-xregress/keys-command.sh2
-rwxr-xr-xregress/keytype.sh14
-rwxr-xr-xregress/limit-keytype.sh9
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc12
-rw-r--r--regress/misc/kexfuzz/Makefile32
-rw-r--r--regress/misc/kexfuzz/README2
-rw-r--r--regress/netcat.c7
-rw-r--r--regress/proxy-connect.sh30
-rwxr-xr-xregress/putty-ciphers.sh2
-rwxr-xr-xregress/putty-kex.sh2
-rwxr-xr-xregress/putty-transfer.sh6
-rw-r--r--regress/scp-uri.sh70
-rwxr-xr-xregress/sftp-chroot.sh7
-rw-r--r--regress/sftp-uri.sh63
-rw-r--r--regress/sftp.sh6
-rw-r--r--regress/sshd-log-wrapper.sh2
-rw-r--r--regress/test-exec.sh6
-rw-r--r--regress/unittests/Makefile3
-rw-r--r--regress/unittests/Makefile.inc16
-rw-r--r--regress/unittests/authopt/testdata/all_permit.cert1
-rw-r--r--regress/unittests/authopt/testdata/bad_sourceaddr.cert1
-rw-r--r--regress/unittests/authopt/testdata/force_command.cert1
-rw-r--r--regress/unittests/authopt/testdata/host.cert1
-rw-r--r--regress/unittests/authopt/testdata/mktestdata.sh48
-rw-r--r--regress/unittests/authopt/testdata/no_agentfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_permit.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_portfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_pty.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_user_rc.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_x11fwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_agentfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_portfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_pty.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_user_rc.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_x11fwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/sourceaddr.cert1
-rw-r--r--regress/unittests/authopt/testdata/unknown_critical.cert1
-rw-r--r--regress/unittests/authopt/tests.c573
-rw-r--r--regress/unittests/bitmap/Makefile6
-rw-r--r--regress/unittests/conversion/Makefile7
-rw-r--r--regress/unittests/hostkeys/Makefile15
-rw-r--r--regress/unittests/kex/Makefile19
-rw-r--r--regress/unittests/match/Makefile8
-rw-r--r--regress/unittests/sshbuf/Makefile12
-rw-r--r--regress/unittests/sshkey/Makefile15
-rw-r--r--regress/unittests/sshkey/test_fuzz.c6
-rw-r--r--regress/unittests/sshkey/test_sshkey.c8
-rw-r--r--regress/unittests/test_helper/test_helper.c14
-rw-r--r--regress/unittests/test_helper/test_helper.h4
-rw-r--r--regress/unittests/utf8/Makefile6
-rw-r--r--regress/yes-head.sh2
-rw-r--r--scp.019
-rw-r--r--scp.145
-rw-r--r--scp.c222
-rw-r--r--servconf.c567
-rw-r--r--servconf.h77
-rw-r--r--serverloop.c82
-rw-r--r--session.c120
-rw-r--r--sftp-client.c20
-rw-r--r--sftp.067
-rw-r--r--sftp.192
-rw-r--r--sftp.c88
-rw-r--r--ssh-add.c74
-rw-r--r--ssh-agent.c64
-rw-r--r--ssh-dss.c87
-rw-r--r--ssh-ecdsa.c8
-rw-r--r--ssh-keygen.033
-rw-r--r--ssh-keygen.129
-rw-r--r--ssh-keygen.c98
-rw-r--r--ssh-keyscan.080
-rw-r--r--ssh-keyscan.1102
-rw-r--r--ssh-keyscan.c38
-rw-r--r--ssh-keysign.c7
-rw-r--r--ssh-pkcs11-client.c5
-rw-r--r--ssh-pkcs11-helper.c183
-rw-r--r--ssh-pkcs11.c5
-rw-r--r--ssh-rsa.c57
-rw-r--r--ssh-xmss.c192
-rw-r--r--ssh.050
-rw-r--r--ssh.157
-rw-r--r--ssh.c344
-rw-r--r--ssh_config.053
-rw-r--r--ssh_config.552
-rw-r--r--sshconnect.c197
-rw-r--r--sshconnect.h4
-rw-r--r--sshconnect2.c99
-rw-r--r--sshd.031
-rw-r--r--sshd.832
-rw-r--r--sshd.c218
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.076
-rw-r--r--sshd_config.574
-rw-r--r--sshkey-xmss.c1055
-rw-r--r--sshkey-xmss.h56
-rw-r--r--sshkey.c743
-rw-r--r--sshkey.h45
-rw-r--r--sshpty.c25
-rw-r--r--ttymodes.c13
-rw-r--r--umac.c194
-rw-r--r--umac128.c10
-rw-r--r--version.h4
-rw-r--r--xmss_commons.c36
-rw-r--r--xmss_commons.h21
-rw-r--r--xmss_fast.c1106
-rw-r--r--xmss_fast.h111
-rw-r--r--xmss_hash.c140
-rw-r--r--xmss_hash.h22
-rw-r--r--xmss_hash_address.c66
-rw-r--r--xmss_hash_address.h40
-rw-r--r--xmss_wots.c192
-rw-r--r--xmss_wots.h64
233 files changed, 14907 insertions, 7908 deletions
diff --git a/.depend b/.depend
new file mode 100644
index 000000000000..0893a87ab026
--- /dev/null
+++ b/.depend
@@ -0,0 +1,182 @@
+# DO NOT DELETE
+
+addrmatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h match.h log.h
+atomicio.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h atomicio.h
+audit-bsm.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+audit-linux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth-bsdauth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h uidswap.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h misc.h sshkey.h match.h ssh2.h auth-options.h
+auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h
+auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h uidswap.h pathnames.h log.h misc.h key.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth-skey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h match.h groupaccess.h log.h misc.h servconf.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h openbsd-compat/sys-queue.h
+auth.o: dispatch.h opacket.h authfile.h monitor_wrap.h ssherr.h compat.h channels.h
+auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh2.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h
+auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h
+auth2-hostbased.o: monitor_wrap.h pathnames.h ssherr.h match.h
+auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h misc.h servconf.h
+auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h compat.h ssh2.h ssherr.h
+auth2-none.o: monitor_wrap.h
+auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
+auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h uidswap.h
+auth2-pubkey.o: auth-options.h canohost.h monitor_wrap.h authfile.h match.h ssherr.h channels.h session.h
+auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h misc.h servconf.h compat.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h
+auth2.o: monitor_wrap.h ssherr.h
+authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h compat.h log.h atomicio.h misc.h ssherr.h
+authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h authfile.h misc.h atomicio.h sshkey.h ssherr.h krl.h
+bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h bitmap.h
+bufaux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h ssherr.h
+bufbn.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+bufec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h ssherr.h
+buffer.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h ssherr.h
+canohost.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h canohost.h misc.h
+chacha.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h chacha.h
+channels.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h ssherr.h packet.h dispatch.h opacket.h log.h misc.h channels.h compat.h canohost.h key.h sshkey.h authfd.h pathnames.h
+cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/openssl-compat.h
+cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h cipher-aesctr.h rijndael.h
+cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h ssherr.h cipher-chachapoly.h chacha.h poly1305.h
+cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h ssherr.h digest.h openbsd-compat/openssl-compat.h
+cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h
+clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h opacket.h compat.h channels.h key.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h
+clientloop.o: kex.h mac.h myproposal.h log.h misc.h readconf.h clientloop.h sshconnect.h authfd.h atomicio.h sshpty.h match.h msg.h ssherr.h hostfile.h
+compat.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h compat.h log.h match.h kex.h mac.h key.h sshkey.h
+crc32.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h crc32.h
+dh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+digest-libc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h digest.h
+digest-openssl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssh2.h log.h dispatch.h packet.h openbsd-compat/sys-queue.h opacket.h compat.h ssherr.h
+dns.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h sshkey.h ssherr.h dns.h log.h digest.h
+ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h crypto_api.h ge25519.h fe25519.h sc25519.h
+entropy.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+fatal.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h
+fe25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h fe25519.h crypto_api.h
+ge25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h fe25519.h crypto_api.h sc25519.h ge25519.h ge25519_base.data
+groupaccess.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h groupaccess.h match.h log.h
+gss-genr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+gss-serv-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+hash.o: crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h digest.h log.h ssherr.h
+hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h digest.h hmac.h
+hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h ssherr.h digest.h hmac.h
+kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h key.h log.h match.h misc.h
+kex.o: monitor.h ssherr.h digest.h
+kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h key.h log.h digest.h ssherr.h
+kexc25519c.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h key.h log.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssh2.h digest.h ssherr.h
+kexc25519s.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h kex.h mac.h key.h log.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h ssh2.h ssherr.h
+kexdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexdhc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexdhs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexecdh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexecdhc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexecdhs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexgex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexgexc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+kexgexs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+key.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h key.h sshkey.h compat.h ssherr.h log.h authfile.h
+krl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h ssherr.h sshkey.h authfile.h misc.h log.h digest.h bitmap.h krl.h
+log.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h
+loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h key.h sshkey.h hostfile.h ssh.h loginrec.h log.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h canohost.h auth.h auth-pam.h audit.h
+logintest.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h loginrec.h
+mac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h digest.h hmac.h umac.h mac.h misc.h ssherr.h openbsd-compat/openssl-compat.h
+match.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h match.h misc.h
+md5crypt.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h misc.h log.h ssh.h ssherr.h uidswap.h
+moduli.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+monitor.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h atomicio.h xmalloc.h ssh.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h cipher.h cipher-chachapoly.h chacha.h poly1305.h
+monitor.o: cipher-aesctr.h rijndael.h kex.h mac.h dh.h packet.h dispatch.h opacket.h auth-options.h sshpty.h channels.h session.h sshlogin.h canohost.h log.h misc.h servconf.h monitor.h monitor_wrap.h monitor_fdpass.h compat.h ssh2.h authfd.h match.h ssherr.h
+monitor_fdpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h monitor_fdpass.h
+monitor_wrap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h key.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h hostfile.h auth.h auth-pam.h audit.h
+monitor_wrap.o: loginrec.h auth-options.h packet.h dispatch.h opacket.h log.h monitor.h monitor_wrap.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h ssherr.h
+msg.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h log.h atomicio.h msg.h misc.h
+mux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h log.h ssh.h ssh2.h pathnames.h misc.h match.h channels.h msg.h packet.h dispatch.h opacket.h monitor_fdpass.h sshpty.h key.h sshkey.h readconf.h clientloop.h
+mux.o: ssherr.h
+nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h ssh2.h ssherr.h packet.h dispatch.h opacket.h channels.h compat.h log.h
+opacket.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h
+packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h key.h sshkey.h xmalloc.h crc32.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h digest.h log.h canohost.h misc.h
+packet.o: channels.h ssh.h packet.h dispatch.h opacket.h ssherr.h
+platform-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+platform-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h
+platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h misc.h servconf.h key.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+poly1305.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h poly1305.h
+progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h progressmeter.h atomicio.h misc.h
+readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/glob.h xmalloc.h ssh.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h key.h
+readconf.o: uidswap.h myproposal.h digest.h
+readpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h misc.h pathnames.h log.h ssh.h uidswap.h
+rijndael.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h rijndael.h
+sandbox-capsicum.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-darwin.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-null.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-rlimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h sc25519.h crypto_api.h
+scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssh.h atomicio.h pathnames.h log.h misc.h progressmeter.h utf8.h
+servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h key.h sshkey.h kex.h mac.h
+servconf.o: match.h channels.h groupaccess.h canohost.h packet.h dispatch.h opacket.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
+serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h opacket.h log.h misc.h servconf.h canohost.h sshpty.h channels.h compat.h ssh2.h key.h sshkey.h cipher.h cipher-chachapoly.h chacha.h
+serverloop.o: poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h ssherr.h
+session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h opacket.h match.h uidswap.h compat.h channels.h key.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h
+session.o: cipher-aesctr.h rijndael.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h monitor_wrap.h sftp.h atomicio.h
+sftp-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h atomicio.h progressmeter.h misc.h utf8.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
+sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssherr.h log.h misc.h sftp.h sftp-common.h
+sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
+sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h sftp.h misc.h xmalloc.h
+sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
+sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sftp-common.h sftp-client.h openbsd-compat/glob.h
+ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/openssl-compat.h xmalloc.h ssh.h log.h sshkey.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h
+ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h
+ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h crypto_api.h log.h sshkey.h ssherr.h ssh.h
+ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h sshkey.h authfile.h uuencode.h pathnames.h log.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssherr.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h
+ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h key.h compat.h myproposal.h packet.h dispatch.h
+ssh-keyscan.o: opacket.h log.h atomicio.h misc.h hostfile.h ssherr.h ssh_api.h ssh2.h dns.h
+ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h log.h sshkey.h ssh.h ssh2.h misc.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssherr.h
+ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h log.h misc.h sshkey.h authfd.h ssh-pkcs11.h ssherr.h
+ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh-rsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h packet.h
+ssh.o: dispatch.h opacket.h channels.h key.h sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h misc.h readconf.h sshconnect.h kex.h mac.h sshpty.h match.h msg.h uidswap.h version.h ssherr.h myproposal.h utf8.h
+ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h key.h ssh.h ssh2.h packet.h dispatch.h opacket.h compat.h
+ssh_api.o: log.h authfile.h misc.h version.h myproposal.h ssherr.h
+sshbuf-getput-basic.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h
+sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h
+sshbuf-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h
+sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ssherr.h misc.h
+sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h key.h sshkey.h hostfile.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h uidswap.h compat.h sshconnect.h log.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h
+sshconnect.o: ssh2.h version.h authfile.h ssherr.h authfd.h
+sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h opacket.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h key.h sshkey.h kex.h mac.h
+sshconnect2.o: myproposal.h sshconnect.h authfile.h dh.h authfd.h log.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h ssherr.h utf8.h
+sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h opacket.h log.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h
+sshd.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h key.h sshkey.h kex.h mac.h myproposal.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h ssherr.h
+ssherr.o: ssherr.h
+sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h crypto_api.h ssh2.h ssherr.h misc.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h sshkey-xmss.h match.h xmss_fast.h
+sshlogin.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h loginrec.h log.h misc.h servconf.h
+sshpty.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h sshpty.h log.h misc.h
+sshtty.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h sshpty.h
+ttymodes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h opacket.h log.h compat.h ttymodes.h
+uidswap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h log.h uidswap.h xmalloc.h
+umac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h umac.h misc.h rijndael.h
+umac128.o: umac.c includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h umac.h misc.h rijndael.h
+utf8.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h utf8.h
+uuencode.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h uuencode.h
+verify.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h crypto_api.h
+xmalloc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h xmalloc.h log.h
+xmss_commons.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+xmss_fast.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+xmss_hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+xmss_hash_address.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
+xmss_wots.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h buffer.h sshbuf.h
diff --git a/.skipped-commit-ids b/.skipped-commit-ids
index 7c03c9db827a..b51baf90d75c 100644
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@@ -1,3 +1,10 @@
+5317f294d63a876bfc861e19773b1575f96f027d remove libssh from makefiles
+a337e886a49f96701ccbc4832bed086a68abfa85 Makefile changes
+f2c9feb26963615c4fece921906cf72e248b61ee more Makefile
+fa728823ba21c4b45212750e1d3a4b2086fd1a62 more Makefile refactoring
+
+Old upstream tree:
+
321065a95a7ccebdd5fd08482a1e19afbf524e35 Update DH groups
d4f699a421504df35254cf1c6f1a7c304fb907ca Remove 1k bit groups
aafe246655b53b52bc32c8a24002bc262f4230f7 Remove intermediate moduli
diff --git a/ChangeLog b/ChangeLog
index e008ec9f383f..bb729917c333 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,2689 @@
+commit a0349a1cc4a18967ad1dbff5389bcdf9da098814
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Apr 2 15:38:28 2018 +1000
+
+ update versions in .spec files
+
+commit 816ad38f79792f5617e3913be306ddb27e91091c
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Apr 2 15:38:20 2018 +1000
+
+ update version number
+
+commit 2c71ca1dd1efe458cb7dee3f8a1a566f913182c2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Mar 30 18:23:07 2018 +1100
+
+ Disable native strndup and strnlen on AIX.
+
+ On at least some revisions of AIX, strndup returns unterminated strings
+ under some conditions, apparently because strnlen returns incorrect
+ values in those cases. Disable both on AIX and use the replacements
+ from openbsd-compat. Fixes problem with ECDSA keys there, ok djm.
+
+commit 6b5a17bc14e896e3904dc58d889b58934cfacd24
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 26 13:12:44 2018 +1100
+
+ Include ssh_api.h for struct ssh.
+
+ struct ssh is needed by implementations of sys_auth_passwd() that were
+ converted in commit bba02a50. Needed to fix build on AIX, I assume for
+ the other platforms too (although it should be harmless if not needed).
+
+commit bc3f80e4d191b8e48650045dfa8a682cd3aabd4d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 26 12:58:09 2018 +1100
+
+ Remove UNICOS code missed during removal.
+
+ Fixes compile error on AIX.
+
+commit 9d57762c24882e2f000a21a0ffc8c5908a1fa738
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Sat Mar 24 19:29:03 2018 +0000
+
+ upstream: openssh-7.7
+
+ OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
+
+commit 4b7d8acdbbceef247dc035e611e577174ed8a87e
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Mar 26 09:37:02 2018 +1100
+
+ Remove authinfo.sh test dependency on printenv
+
+ Some platforms lack printenv in the default $PATH.
+ Reported by Tom G. Christensen
+
+commit 4afeaf3dcb7dc70efd98fcfcb0ed28a6b40b820e
+Author: Tim Rice <tim@multitalents.net>
+Date: Sun Mar 25 10:00:21 2018 -0700
+
+ Use libiaf on all sysv5 systems
+
+commit bba02a5094b3db228ceac41cb4bfca165d0735f3
+Author: Tim Rice <tim@multitalents.net>
+Date: Sun Mar 25 09:17:33 2018 -0700
+
+ modified: auth-sia.c
+ modified: openbsd-compat/port-aix.c
+ modified: openbsd-compat/port-uw.c
+
+ propogate changes to auth-passwd.c in commit
+ 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 to other providers
+ of sys_auth_passwd()
+
+commit d7a7a39168bdfe273587bf85d779d60569100a3f
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Sat Mar 24 19:29:03 2018 +0000
+
+ upstream: openssh-7.7
+
+ OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
+
+commit 9efcaaac314c611c6c0326e8bac5b486c424bbd2
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Sat Mar 24 19:28:43 2018 +0000
+
+ upstream: fix bogus warning when signing cert keys using agent;
+
+ from djm; ok deraadt dtucker
+
+ OpenBSD-Commit-ID: 12e50836ba2040042383a8b71e12d7ea06e9633d
+
+commit 393436024d2e4b4c7a01f9cfa5854e7437896d11
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Mar 25 09:40:46 2018 +1100
+
+ Replace /dev/stdin with "-".
+
+ For some reason sftp -b doesn't work with /dev/stdin on Cygwin, as noted
+ and suggested by vinschen at redhat.com.
+
+commit b5974de1a1d419e316ffb6524b1b277dda2f3b49
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Mar 23 13:21:14 2018 +1100
+
+ Provide $OBJ to paths in PuTTY interop tests.
+
+commit dc31e79454e9b9140b33ad380565fdb59b9c4f33
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 16 09:06:31 2018 +0000
+
+ upstream: Tell puttygen to use /dev/urandom instead of /dev/random. On
+
+ OpenBSD they are both non-blocking, but on many other -portable platforms it
+ blocks, stalling tests.
+
+ OpenBSD-Regress-ID: 397d0d4c719c353f24d79f5b14775e0cfdf0e1cc
+
+commit cb1f94431ef319cd48618b8b771b58739a8210cf
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Thu Mar 22 07:06:11 2018 +0000
+
+ upstream: ssh/xmss: fix build; ok djm@
+
+ OpenBSD-Commit-ID: c9374ca41d4497f1c673ab681cc33f6e7c5dd186
+
+commit 27979da9e4074322611355598f69175b9ff10d39
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Thu Mar 22 07:05:48 2018 +0000
+
+ upstream: ssh/xmss: fix deserialize for certs; ok djm@
+
+ OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
+
+commit c6cb2565c9285eb54fa9dfbb3890f5464aff410f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Mar 22 17:00:28 2018 +1100
+
+ Save $? before case statement.
+
+ In some shells (FreeBSD 9, ash) the case statement resets $?, so save
+ for later testing.
+
+commit 4c4e7f783b43b264c247233acb887ee10ed4ce4d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Mar 14 05:35:40 2018 +0000
+
+ upstream: rename recently-added "valid-before" key restriction to
+
+ "expiry-time" as the former is confusing wrt similar terminology in X.509;
+ pointed out by jsing@
+
+ OpenBSD-Regress-ID: ac8b41dbfd90cffd525d58350c327195b0937793
+
+commit 500396b204c58e78ad9d081516a365a9f28dc3fd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 12 00:56:03 2018 +0000
+
+ upstream: check valid-before option in authorized_keys
+
+ OpenBSD-Regress-ID: 7e1e4a84f7f099a290e5a4cbf4196f90ff2d7e11
+
+commit a76b5d26c2a51d7dd7a5164e683ab3f4419be215
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 12 00:54:04 2018 +0000
+
+ upstream: explicitly specify RSA/SHA-2 keytype here too
+
+ OpenBSD-Regress-ID: 74d7b24e8c72c27af6b481198344eb077e993a62
+
+commit 3a43297ce29d37c64e37c7e21282cb219e28d3d1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 12 00:52:57 2018 +0000
+
+ upstream: exlicitly include RSA/SHA-2 keytypes in
+
+ PubkeyAcceptedKeyTypes here
+
+ OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
+
+commit 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Wed Mar 14 06:56:20 2018 +0000
+
+ upstream: sort expiry-time;
+
+ OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
+
+commit abc0fa38c9bc136871f28e452c3465c3051fc785
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Mar 14 05:35:40 2018 +0000
+
+ upstream: rename recently-added "valid-before" key restriction to
+
+ "expiry-time" as the former is confusing wrt similar terminology in X.509;
+ pointed out by jsing@
+
+ OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
+
+commit bf0fbf2b11a44f06a64b620af7d01ff171c28e13
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Mar 12 00:52:01 2018 +0000
+
+ upstream: add valid-before="[time]" authorized_keys option. A
+
+ simple way of giving a key an expiry date. ok markus@
+
+ OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
+
+commit fbd733ab7adc907118a6cf56c08ed90c7000043f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 12 19:17:26 2018 +1100
+
+ Add AC_LANG_PROGRAM to AC_COMPILE_IFELSE.
+
+ The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent
+ warnings from autoconf. Pointed out by klausz at haus-gisela.de.
+
+commit c7c458e8261b04d161763cd333d74e7a5842e917
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Mar 7 23:53:08 2018 +0000
+
+ upstream: revert recent strdelim() change, it causes problems with
+
+ some configs.
+
+ revision 1.124
+ date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT;
+ Allow escaped quotes \" and \' in ssh_config and sshd_config quotes
+ option strings. bz#1596 ok markus@
+
+ OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5
+
+commit 0bcd871ccdf3baf2b642509ba4773d5be067cfa2
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Mon Mar 5 07:03:18 2018 +0000
+
+ upstream: move the input format details to -f; remove the output
+
+ format details and point to sshd(8), where it is documented;
+
+ ok dtucker
+
+ OpenBSD-Commit-ID: 95f17e47dae02a6ac7329708c8c893d4cad0004a
+
+commit 45011511a09e03493568506ce32f4891a174a3bd
+Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
+Date: Tue Jun 20 16:42:28 2017 +0100
+
+ configure.ac: properly set seccomp_audit_arch for MIPS64
+
+ Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
+ AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built
+ for MIPS64. However, that's only valid for n64 ABI. The right macros for
+ n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
+ AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.
+
+ Because of that an sshd built for MIPS64 n32 rejects connection attempts
+ and the output of strace reveals that the problem is related to seccomp
+ audit:
+
+ [pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
+ filter=0x555d5da0}) = 0
+ [pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
+ [pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP},
+ {fd=6, revents=POLLHUP}])
+ [pid 194] +++ killed by SIGSYS +++
+
+ This patch fixes that problem by setting the right value to
+ seccomp_audit_arch taking into account the MIPS64 ABI.
+
+ Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
+
+commit 580086704c31de91dc7ba040a28e416bf1fefbca
+Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
+Date: Tue Jun 20 16:42:11 2017 +0100
+
+ configure.ac: detect MIPS ABI
+
+ Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
+
+commit cd4e937aa701f70366cd5b5969af525dff6fdf15
+Author: Alan Yee <alyee@ucsd.edu>
+Date: Wed Mar 7 15:12:14 2018 -0800
+
+ Use https URLs for links that support it.
+
+commit c0a0c3fc4a76b682db22146b28ddc46566db1ce9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 5 20:03:07 2018 +1100
+
+ Disable UTMPX on SunOS4.
+
+commit 58fd4c5c0140f6636227ca7acbb149ab0c2509b9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 5 19:28:08 2018 +1100
+
+ Check for and work around buggy fflush(NULL).
+
+ Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check
+ for and work around. With klausz at haus-gisela.de.
+
+commit 71e48bc7945f867029e50e06c665c66aed6d3c64
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Mar 5 10:22:32 2018 +1100
+
+ Remove extra XMSS #endif
+
+ Extra #endif breaks compile with -DWITH_XMSS. Pointed out by Jack
+ Schmidt via github.
+
+commit 055e09e2212ff52067786bf6d794ca9512ff7f0c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sat Mar 3 06:37:53 2018 +0000
+
+ upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18
+
+ bumped the minimum from 768 to 1024, update man page accordingly.
+
+ OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
+
+commit 7e4fadd3248d6bb7d39d6688c76a613d35d2efc1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Mar 4 01:46:48 2018 +0000
+
+ upstream: for the pty control tests, just check that the PTY path
+
+ points to something in /dev (rather than checking the device node itself);
+ makes life easier for portable, where systems with dynamic ptys can delete
+ nodes before we get around to testing their existence.
+
+ OpenBSD-Regress-ID: b1e455b821e62572bccd98102f8dd9d09bb94994
+
+commit 13ef4cf53f24753fe920832b990b25c9c9cd0530
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Mar 3 16:21:20 2018 +1100
+
+ Update PAM password change to new opts API.
+
+commit 33561e68e0b27366cb769295a077aabc6a49d2a1
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Mar 3 14:56:09 2018 +1100
+
+ Add strndup for platforms that need it.
+
+ Some platforms don't have strndup, which includes Solaris 10, NetBSD 3
+ and FreeBSD 6.
+
+commit e8a17feba95eef424303fb94441008f6c5347aaf
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Mar 3 14:49:07 2018 +1100
+
+ Flatten and alphabetize object file lists.
+
+ This will make maintenance and changes easier. "no objection" tim@
+
+commit de1920d743d295f50e6905e5957c4172c038e8eb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 3 03:16:17 2018 +0000
+
+ upstream: unit tests for new authorized_keys options API
+
+ OpenBSD-Regress-ID: 820f9ec9c6301f6ca330ad4052d85f0e67d0bdc1
+
+commit dc3e92df17556dc5b0ab19cee8dcb2a6ba348717
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 2 02:53:27 2018 +0000
+
+ upstream: fix testing of pty option, include positive test and
+
+ testing of restrict keyword
+
+ OpenBSD-Regress-ID: 4268f27c2706a0a95e725d9518c5bcbec9814c6d
+
+commit 3d1edd1ebbc0aabea8bbe61903060f37137f7c61
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 2 02:51:55 2018 +0000
+
+ upstream: better testing for port-forwarding and restrict flags in
+
+ authorized_keys
+
+ OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa
+
+commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 3 03:15:51 2018 +0000
+
+ upstream: switch over to the new authorized_keys options API and
+
+ remove the legacy one.
+
+ Includes a fairly big refactor of auth2-pubkey.c to retain less state
+ between key file lines.
+
+ feedback and ok markus@
+
+ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
+
+commit 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 3 03:06:02 2018 +0000
+
+ upstream: Introduce a new API for handling authorized_keys options.
+
+ This API parses options to a dedicated structure rather than the old API's
+ approach of setting global state. It also includes support for merging
+ options, e.g. from authorized_keys, authorized_principals and/or
+ certificates.
+
+ feedback and ok markus@
+
+ OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
+
+commit 26074380767e639ef89321610e146ae11016b385
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Mar 3 03:01:50 2018 +0000
+
+ upstream: warn when the agent returns a signature type that was
+
+ different to what was requested. This might happen when an old/non-OpenSSH
+ agent is asked to make a rsa-sha2-256/512 signature but only supports
+ ssh-rsa. bz#2799 feedback and ok markus@
+
+ OpenBSD-Commit-ID: 760c0f9438c5c58abc16b5f98008ff2d95cb13ce
+
+commit f493d2b0b66fb003ed29f31dd66ff1aeb64be1fc
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Mar 2 21:40:15 2018 +0000
+
+ upstream: apply a lick of paint; tweaks/ok dtucker
+
+ OpenBSD-Commit-ID: 518a6736338045e0037f503c21027d958d05e703
+
+commit 713d9cb510e0e7759398716cbe6dcf43e574be71
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 2 03:02:11 2018 +0000
+
+ upstream: Allow escaped quotes \" and \' in ssh_config and
+
+ sshd_config quotes option strings. bz#1596 ok markus@
+
+ OpenBSD-Commit-ID: dd3a29fc2dc905e8780198e5a6a30b096de1a1cb
+
+commit 94b4e2d29afaaaef89a95289b16c18bf5627f7cd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Mar 2 02:08:03 2018 +0000
+
+ upstream: refactor sshkey_read() to make it a little more, err,
+
+ readable. ok markus
+
+ OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28
+
+commit 5886b92968b360623491699247caddfb77a74d80
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Thu Mar 1 20:32:16 2018 +0000
+
+ upstream: missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by
+
+ jmc@
+
+ OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
+
+commit 3b36bed3d26f17f6a2b7e036e01777770fe1bcd4
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 26 12:14:53 2018 +0000
+
+ upstream: Remove unneeded (local) include. ok markus@
+
+ OpenBSD-Commit-ID: 132812dd2296b1caa8cb07d2408afc28e4e60f93
+
+commit 27b9f3950e0289e225b57b7b880a8f1859dcd70b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 26 03:56:44 2018 +0000
+
+ upstream: Add $OpenBSD$ markers to xmss files to help keep synced
+
+ with portable. ok djm@.
+
+ OpenBSD-Commit-ID: 5233a27aafd1dfadad4b957225f95ae51eb365c1
+
+commit afd830847a82ebbd5aeab05bad6d2c8ce74df1cd
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Feb 26 03:03:05 2018 +0000
+
+ upstream: Add newline at end of file to prevent compiler warnings.
+
+ OpenBSD-Commit-ID: 52f247d4eafe840c7c14c8befa71a760a8eeb063
+
+commit 941e0d3e9bb8d5e4eb70cc694441445faf037c84
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Feb 28 19:59:35 2018 +1100
+
+ Add WITH_XMSS, move to prevent conflicts.
+
+ Add #ifdef WITH_XMSS to ssh-xmss.c, move it in the other files to after
+ includes.h so it's less likely to conflict and will pick up WITH_XMSS if
+ added to config.h.
+
+commit a10d8552d0d2438da4ed539275abcbf557d1e7a8
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 27 14:45:17 2018 +1100
+
+ Conditionally compile XMSS code.
+
+ The XMSS code is currently experimental and, unlike the rest of OpenSSH
+ cannot currently be compiled with a c89 compiler.
+
+commit 146c3bd28c8dbee9c4b06465d9c9facab96b1e9b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 12:51:29 2018 +1100
+
+ Check dlopen has RTLD_NOW before enabling pkcs11.
+
+commit 1323f120d06a26074c4d154fcbe7f49bcad3d741
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 27 08:41:25 2018 +1100
+
+ Check for attributes on prototype args.
+
+ Some compilers (gcc 2.9.53, 3.0 and probably others, see gcc bug #3481)
+ do not accept __attribute__ on function pointer prototype args. Check for
+ this and hide them if they're not accepted.
+
+commit f0b245b0439e600fab782d19e97980e9f2c2533c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 11:43:48 2018 +1100
+
+ Check if HAVE_DECL_BZERO correctly.
+
+commit c7ef4a399155e1621a532cc5e08e6fa773658dd4
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 17:42:56 2018 +1100
+
+ Wrap <stdint.h> in #ifdef HAVE_STDINT_H.
+
+commit ac53ce46cf8165cbda7f57ee045f9f32e1e92b31
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 16:24:23 2018 +1100
+
+ Replace $(CURDIR) with $(PWD).
+
+ The former doesn't work on Solaris or BSDs.
+
+commit 534b2680a15d14e7e60274d5b29b812d44cc5a44
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 14:51:59 2018 +1100
+
+ Comment out hexdump().
+
+ Nothing currently uses them but they cause conflicts on at least
+ FreeBSD, possibly others. ok djm@
+
+commit 5aea4aa522f61bb2f34c3055a7de203909dfae77
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 14:39:14 2018 +1100
+
+ typo: missing ;
+
+commit cd3ab57f9b388f8b1abf601dc4d78ff82d83b75e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 14:37:06 2018 +1100
+
+ Hook up flock() compat code.
+
+ Also a couple of minor changes: fail if we can't lock instead of
+ silently succeeding, and apply a couple of minor style fixes.
+
+commit b087998d1ba90dd1ddb6bfdb17873dc3e7392798
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 14:27:02 2018 +1100
+
+ Import flock() compat from NetBSD.
+
+ From NetBSD's src/trunk/tools/compat/flock.c, no OpenSSH changes yet.
+
+commit 89212533dde6798324e835b1499084658df4579e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 26 12:32:14 2018 +1100
+
+ Fix breakage when REGRESSTMP not set.
+
+ BUILDDIR is not set where used for REGRESSTMP, use make's CURDIR
+ instead. Pointed out by djm@.
+
+commit f885474137df4b89498c0b8834c2ac72c47aa4bd
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Feb 26 12:18:14 2018 +1100
+
+ XMSS-related files get includes.h
+
+commit 612faa34c72e421cdc9e63f624526bae62d557cc
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Feb 26 12:17:55 2018 +1100
+
+ object files end with .o - not .c
+
+commit bda709b8e13d3eef19e69c2d1684139e3af728f5
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Feb 26 12:17:22 2018 +1100
+
+ avoid inclusion of deprecated selinux/flask.h
+
+ Use string_to_security_class() instead.
+
+commit 2e396439365c4ca352cac222717d09b14f8a0dfd
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Feb 26 11:48:27 2018 +1100
+
+ updatedepend
+
+commit 1b11ea7c58cd5c59838b5fa574cd456d6047b2d4
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Fri Feb 23 15:58:37 2018 +0000
+
+ upstream: Add experimental support for PQC XMSS keys (Extended
+
+ Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
+ in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
+ https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
+ djm@
+
+ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
+
+commit 7d330a1ac02076de98cfc8fda05353d57b603755
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Feb 23 07:38:09 2018 +0000
+
+ upstream: some cleanup for BindInterface and ssh-keyscan;
+
+ OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
+
+commit c7b5a47e3b9db9a0f0198f9c90c705f6307afc2b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 25 23:55:41 2018 +1100
+
+ Invert sense of getpgrp test.
+
+ AC_FUNC_GETPGRP tests if getpgrp(0) works, which it does if it's not
+ declared. Instead, test if the zero-arg version we want to use works.
+
+commit b39593a6de5290650a01adf8699c6460570403c2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 25 13:25:15 2018 +1100
+
+ Add no-op getsid implmentation.
+
+commit 11057564eb6ab8fd987de50c3d7f394c6f6632b7
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 25 11:22:57 2018 +1100
+
+ bsd-statvfs: include sys/vfs.h, check for f_flags.
+
+commit e9dede06e5bc582a4aeb5b1cd5a7a640d7de3609
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 25 10:20:31 2018 +1100
+
+ Handle calloc(0,x) where different from malloc.
+
+ Configure assumes that if malloc(0) returns null then calloc(0,n)
+ also does. On some old platforms (SunOS4) malloc behaves as expected
+ (as determined by AC_FUNC_MALLOC) but calloc doesn't. Test for this
+ at configure time and activate the replacement function if found, plus
+ handle this case in rpl_calloc.
+
+commit 2eb4041493fd2635ffdc64a852d02b38c4955e0b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 24 21:06:48 2018 +1100
+
+ Add prototype for readv if needed.
+
+commit 6c8c9a615b6d31db8a87bc25033f053d5b0a831e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 24 20:46:37 2018 +1100
+
+ Check for raise and supply if needed.
+
+commit a9004425a032d7a7141a5437cfabfd02431e2a74
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 24 20:25:22 2018 +1100
+
+ Check for bzero and supply if needed.
+
+ Since explicit_bzero uses it via an indirect it needs to be a function
+ not just a macro.
+
+commit 1a348359e4d2876203b5255941bae348557f4f54
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 23 05:14:05 2018 +0000
+
+ upstream: Add ssh-keyscan -D option to make it print its results in
+
+ SSHFP format bz#2821, ok dtucker@
+
+ OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
+
+commit 3e19fb976a47b44b3d7c4f8355269f7f2c5dd82c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 23 04:18:46 2018 +0000
+
+ upstream: Add missing braces.
+
+ Caught by the tinderbox's -Werror=misleading-indentation, ok djm@
+
+ OpenBSD-Commit-ID: d44656af594c3b2366eb87d6abcef83e1c88a6ca
+
+commit b59162da99399d89bd57f71c170c0003c55b1583
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 23 15:20:42 2018 +1100
+
+ Check for ifaddrs.h for BindInterface.
+
+ BindInterface required getifaddr and friends so disable if not available
+ (eg Solaris 10). We should be able to add support for some systems with
+ a bit more work but this gets the building again.
+
+commit a8dd6fe0aa10b6866830b4688a73ef966f0aed88
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Feb 23 14:19:11 2018 +1100
+
+ space before tab in previous
+
+commit b5e9263c7704247f9624c8f5c458e9181fcdbc09
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 9 03:40:22 2018 +0000
+
+ upstream: Replace fatal with exit in the case that we do not have
+
+ $SUDO set. Prevents test failures when neither sudo nor doas are configured.
+
+ OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b
+
+commit 3e9d3192ad43758ef761c5b0aa3ac5ccf8121ef2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 23 14:10:53 2018 +1100
+
+ Use portable syntax for REGRESSTMP.
+
+commit 73282b61187883a2b2bb48e087fdda1d751d6059
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 23 03:03:00 2018 +0000
+
+ upstream: unbreak interop test after SSHv1 purge; patch from Colin
+
+ Watson via bz#2823
+
+ OpenBSD-Regress-ID: 807d30a597756ed6612bdf46dfebca74f49cb31a
+
+commit f8985dde5f46aedade0373365cbf86ed3f1aead2
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 9 03:42:57 2018 +0000
+
+ upstream: Skip sftp-chroot test when SUDO not set instead of
+
+ fatal().
+
+ OpenBSD-Regress-ID: cd4b5f1109b0dc09af4e5ea7d4968c43fbcbde88
+
+commit df88551c02d4e3445c44ff67ba8757cff718609a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 9 03:40:22 2018 +0000
+
+ upstream: Replace fatal with exit in the case that we do not have
+
+ $SUDO set. Prevents test failures when neither sudo nor doas are configured.
+
+ OpenBSD-Regress-ID: 6a0464decc4f8ac7d6eded556a032b0fc521bc7b
+
+commit 3b252c20b19f093e87363de197f1100b79705dd3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Feb 8 08:46:20 2018 +0000
+
+ upstream: some helpers to check verbose/quiet mode
+
+ OpenBSD-Regress-ID: e736aac39e563f5360a0935080a71d5fdcb976de
+
+commit ac2e3026bbee1367e4cda34765d1106099be3287
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 23 02:34:33 2018 +0000
+
+ upstream: Add BindInterface ssh_config directive and -B
+
+ command-line argument to ssh(1) that directs it to bind its outgoing
+ connection to the address of the specified network interface.
+
+ BindInterface prefers to use addresses that aren't loopback or link-
+ local, but will fall back to those if no other addresses of the
+ required family are available on that interface.
+
+ Based on patch by Mike Manning in bz#2820, ok dtucker@
+
+ OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
+
+commit fcdb9d777839a3fa034b3bc3067ba8c1f6886679
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 19 00:55:02 2018 +0000
+
+ upstream: emphasise that the hostkey rotation may send key types
+
+ that the client may not support, and that the client should simply disregard
+ such keys (this is what ssh does already).
+
+ OpenBSD-Commit-ID: 65f8ffbc32ac8d12be8f913d7c0ea55bef8622bf
+
+commit ce066f688dc166506c082dac41ca686066e3de5f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 22 20:45:09 2018 +1100
+
+ Add headers for sys/audit.h.
+
+ On some older platforms (at least sunos4, probably others) sys/audit.h
+ requires some other headers. Patch from klausz at haus-gisela.de.
+
+commit 3fd2d2291a695c96a54269deae079bacce6e3fb9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 19 18:37:40 2018 +1100
+
+ Add REGRESSTMP make var override.
+
+ Defaults to original location ($srcdir/regress) but allows overriding
+ if desired, eg a directory in /tmp.
+
+commit f8338428588f3ecb5243c86336eccaa28809f97e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 18 15:53:15 2018 +1100
+
+ Remove now-unused check for getrusage.
+
+ getrusage was used in ssh-rand-helper but that's now long gone.
+ Patch from klauszh at haus-gisela.de.
+
+commit 8570177195f6a4b3173c0a25484a83641ee3faa6
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 16 04:43:11 2018 +0000
+
+ upstream: Don't send IUTF8 to servers that don't like them.
+
+ Some SSH servers eg "ConfD" drop the connection if the client sends the
+ new IUTF8 (RFC8160) terminal mode even if it's not set. Add a bug bit
+ for such servers and avoid sending IUTF8 to them. ok djm@
+
+ OpenBSD-Commit-ID: 26425855402d870c3c0a90491e72e2a8a342ceda
+
+commit f6dc2ba3c9d12be53057b9371f5109ec553a399f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 16 17:32:28 2018 +1100
+
+ freezero should check for NULL.
+
+commit 680321f3eb46773883111e234b3c262142ff7c5b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 16 02:40:45 2018 +0000
+
+ upstream: Mention recent DH KEX methods:
+
+ diffie-hellman-group14-sha256
+ diffie-hellman-group16-sha512
+ diffie-hellman-group18-sha512
+
+ From Jakub Jelen via bz#2826
+
+ OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
+
+commit 88c50a5ae20902715f0fca306bb9c38514f71679
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Feb 16 02:32:40 2018 +0000
+
+ upstream: stop loading DSA keys by default, remove sshd_config
+
+ stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
+
+ OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
+
+commit d2b3db2860c962927def39a52f67f1c23f7b201a
+Author: jsing@openbsd.org <jsing@openbsd.org>
+Date: Wed Feb 14 16:27:24 2018 +0000
+
+ upstream: Ensure that D mod (P-1) and D mod (Q-1) are calculated in
+
+ constant time.
+
+ This avoids a potential side channel timing leak.
+
+ ok djm@ markus@
+
+ OpenBSD-Commit-ID: 71ff3c16be03290e63d8edab8fac053d8a82968c
+
+commit 4270efad7048535b4f250f493d70f9acfb201593
+Author: jsing@openbsd.org <jsing@openbsd.org>
+Date: Wed Feb 14 16:03:32 2018 +0000
+
+ upstream: Some obvious freezero() conversions.
+
+ This also zeros an ed25519_pk when it was not being zeroed previously.
+
+ ok djm@ dtucker@
+
+ OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82
+
+commit affa6ba67ffccc30b85d6e98f36eb5afd9386882
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 22:32:04 2018 +1100
+
+ Remove execute bit from modpipe.c.
+
+commit 9879dca438526ae6dfd656fecb26b0558c29c731
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 22:26:16 2018 +1100
+
+ Update prngd link to point to sourceforge.
+
+commit b6973fa5152b1a0bafd2417b7c3ad96f6e87d014
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 22:22:38 2018 +1100
+
+ Remove references to UNICOS.
+
+commit f1ca487940449f0b64f38f1da575078257609966
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 22:18:37 2018 +1100
+
+ Remove extra newline.
+
+commit 6d4e980f3cf27f409489cf89cd46c21501b13731
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 22:16:54 2018 +1100
+
+ OpenSSH's builtin entropy gathering is long gone.
+
+commit 389125b25d1a1d7f22e907463b7e8eca74af79ea
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 21:43:01 2018 +1100
+
+ Replace remaining mysignal() with signal().
+
+ These seem to have been missed during the replacement of mysignal
+ with #define signal in commit 5ade9ab. Both include the requisite
+ headers to pick up the #define.
+
+commit 265d88d4e61e352de6791733c8b29fa3d7d0c26d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 20:06:19 2018 +1100
+
+ Remove remaining now-obsolete cvs $Ids.
+
+commit 015749e9b1d2f6e14733466d19ba72f014d0845c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 15 17:01:54 2018 +1100
+
+ Regenerate dependencies after UNICOS removal.
+
+commit ddc0f3814881ea279a6b6d4d98e03afc60ae1ed7
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 09:10:46 2018 +1100
+
+ Remove UNICOS support.
+
+ The code required to support it is quite invasive to the mainline
+ code that is synced with upstream and is an ongoing maintenance burden.
+ Both the hardware and software are literal museum pieces these days and
+ we could not find anyone still running OpenSSH on one.
+
+commit 174bed686968494723e6db881208cc4dac0d020f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 18:12:47 2018 +1100
+
+ Retpoline linker flag only needed for linking.
+
+commit 075e258c2cc41e1d7f3ea2d292c5342091728d40
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 17:36:43 2018 +1100
+
+ Default PidFile is sshd.pid not ssh.pid.
+
+commit 49f3c0ec47730ea264e2bd1e6ece11167d6384df
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 16:27:09 2018 +1100
+
+ Remove assigned-to-but-never-used variable.
+
+ 'p' was removed in previous change but I neglected to remove the
+ otherwise-unused assignment to it.
+
+commit b8bbff3b3fc823bf80c5ab226c94f13cb887d5b1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Feb 13 03:36:56 2018 +0000
+
+ upstream: remove space before tab
+
+ OpenBSD-Commit-ID: 674edd214d0a7332dd4623c9cf8117301b012890
+
+commit 05046d907c211cb9b4cd21b8eff9e7a46cd6c5ab
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Feb 11 21:16:56 2018 +0000
+
+ upstream Don't reset signal handlers inside handlers.
+
+ The signal handlers from the original ssh1 code on which OpenSSH
+ is based assume unreliable signals and reinstall their handlers.
+ Since OpenBSD (and pretty much every current system) has reliable
+ signals this is not needed. In the unlikely even that -portable
+ is still being used on such systems we will deal with it in the
+ compat layer. ok deraadt@
+
+ OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c
+
+commit 3c51143c639ac686687c7acf9b373b8c08195ffb
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 09:07:29 2018 +1100
+
+ Whitespace sync with upstream.
+
+commit 19edfd4af746bedf0df17f01953ba8c6d3186eb7
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 13 08:25:46 2018 +1100
+
+ Whitespace sync with upstream.
+
+commit fbfa6f980d7460b3e12b0ce88ed3b6018edf4711
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 11 21:25:11 2018 +1300
+
+ Move signal compat code into bsd-signal.{c,h}
+
+commit 24d2a33bd3bf5170700bfdd8675498aa09a79eab
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 11 21:20:39 2018 +1300
+
+ Include headers for linux/if.h.
+
+ Prevents configure-time "present but cannot be compiled" warning.
+
+commit bc02181c24fc551aab85eb2cff0f90380928ef43
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 11 19:45:47 2018 +1300
+
+ Fix test for -z,retpolineplt linker flag.
+
+commit 3377df00ea3fece5293db85fe63baef33bf5152e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 11 09:32:37 2018 +1100
+
+ Add checks for Spectre v2 mitigation (retpoline)
+
+ This adds checks for gcc and clang flags for mitigations for Spectre
+ variant 2, ie "retpoline". It'll automatically enabled if the compiler
+ supports it as part of toolchain hardening flag. ok djm@
+
+commit d9e5cf078ea5380da6df767bb1773802ec557ef0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 09:25:34 2018 +0000
+
+ upstream commit
+
+ constify some private key-related functions; based on
+ https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault
+
+ OpenBSD-Commit-ID: dcb94a41834a15f4d00275cb5051616fdc4c988c
+
+commit a7c38215d564bf98e8e9eb40c1079e3adf686f15
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 09:03:54 2018 +0000
+
+ upstream commit
+
+ Mention ServerAliveTimeout in context of TCPKeepAlives;
+ prompted by Christoph Anton Mitterer via github
+
+ OpenBSD-Commit-ID: f0cf1b5bd3f1fbf41d71c88d75d93afc1c880ca2
+
+commit 62562ceae61e4f7cf896566592bb840216e71061
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 06:54:38 2018 +0000
+
+ upstream commit
+
+ clarify IgnoreUserKnownHosts; based on github PR from
+ Christoph Anton Mitterer.
+
+ OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3
+
+commit 4f011daa4cada6450fa810f7563b8968639bb562
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 06:40:28 2018 +0000
+
+ upstream commit
+
+ Shorter, more accurate explanation of
+ NoHostAuthenticationForLocalhost without the confusing example. Prompted by
+ Christoph Anton Mitterer via github and bz#2293.
+
+ OpenBSD-Commit-ID: 19dc96bea25b80d78d416b581fb8506f1e7b76df
+
+commit 77e05394af21d3f5faa0c09ed3855e4505a5cf9f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 06:15:12 2018 +0000
+
+ upstream commit
+
+ Disable RemoteCommand and RequestTTY in the ssh session
+ started by scp. sftp is already doing this. From Camden Narzt via github; ok
+ dtucker
+
+ OpenBSD-Commit-ID: 59e2611141c0b2ee579c6866e8eb9d7d8217bc6b
+
+commit ca613249a00b64b2eea9f52d3834b55c28cf2862
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 05:48:46 2018 +0000
+
+ upstream commit
+
+ Refuse to create a certificate with an unusable number of
+ principals; Prompted by gdestuynder via github
+
+ OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29
+
+commit b56ac069d46b6f800de34e1e935f98d050731d14
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Feb 10 05:43:26 2018 +0000
+
+ upstream commit
+
+ fatal if we're unable to write all the public key; previously
+ we would silently ignore errors writing the comment and terminating newline.
+ Prompted by github PR from WillerZ; ok dtucker
+
+ OpenBSD-Commit-ID: 18fbfcfd4e8c6adbc84820039b64d70906e49831
+
+commit cdb10bd431f9f6833475c27e9a82ebb36fdb12db
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 11:18:38 2018 +1100
+
+ Add changelog entry for binary strip change.
+
+commit fbddd91897cfaf456bfc2081f39fb4a2208a0ebf
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 11:14:54 2018 +1100
+
+ Remove unused variables.
+
+commit 937d96587df99c16c611d828cded292fa474a32b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 11:12:45 2018 +1100
+
+ Don't strip binaries so debuginfo gets built.
+
+ Tell install not to strip binaries during package creation so that the
+ debuginfo package can be built.
+
+commit eb0865f330f59c889ec92696b97bd397090e720c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 10:33:11 2018 +1100
+
+ Fix bogus dates in changelog.
+
+commit 7fbde1b34c1f6c9ca9e9d10805ba1e5e4538e165
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 10:25:15 2018 +1100
+
+ Remove SSH1 from description.
+
+commit 9c34a76f099c4e0634bf6ecc2f40ce93925402c4
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 10:19:16 2018 +1100
+
+ Add support for compat-openssl10 build dep.
+
+commit 04f4e8193cb5a5a751fcc356bd6656291fec539e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 09:57:04 2018 +1100
+
+ Add leading zero so it'll work when rhel not set.
+
+ When rhel is not set it will error out with "bad if". Add leading zero
+ as per https://fedoraproject.org/wiki/Packaging:DistTag so it'll work
+ on non-RHEL.
+
+commit 12abd67a6af28476550807a443b38def2076bb92
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sat Feb 10 09:56:34 2018 +1100
+
+ Update openssl-devel dependency.
+
+commit b33e7645f8813719d7f9173fef24463c8833ebb3
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 18:19:58 2014 -0500
+
+ Add mandir with-mandir' for RHEL 5 compatibility.
+
+ Activate '--mandir' and '--with-mandir' settings in setup for RHEL
+ 5 compatibility.
+
+commit 94f8bf360eb0162e39ddf39d69925c2e93511e40
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 18:18:51 2014 -0500
+
+ Discard 'K5DIR' reporting.
+
+ It does not work inside 'mock' build environment.
+
+commit bb7e54dbaf34b70b3e57acf7982f3a2136c94ee5
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 18:17:15 2014 -0500
+
+ Add 'dist' to 'rel' for OS specific RPM names.
+
+commit 87346f1f57f71150a9b8c7029d8c210e27027716
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 14:17:38 2014 -0500
+
+ Add openssh-devel >= 0.9.8f for redhat spec file.
+
+commit bec1478d710866d3c1b119343a35567a8fc71ec3
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 13:10:24 2014 -0500
+
+ Enhance BuildRequires for openssh-x11-askpass.
+
+commit 3104fcbdd3c70aefcb0cdc3ee24948907db8dc8f
+Author: nkadel <nkadel@gmail.com>
+Date: Sun Nov 16 13:04:14 2014 -0500
+
+ Always include x11-ssh-askpass SRPM.
+
+ Always include x11-ssh-askpass tarball in redhat SRPM, even if unused.
+
+commit c61d0d038d58eebc365f31830be6e04ce373ad1b
+Author: Damien Miller <djm@mindrot.org>
+Date: Sat Feb 10 09:43:12 2018 +1100
+
+ this is long unused; prompted by dtucker@
+
+commit 745771fb788e41bb7cdad34e5555bf82da3af7ed
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Feb 9 02:37:36 2018 +0000
+
+ upstream commit
+
+ Remove unused sKerberosTgtPassing from enum. From
+ calestyo via github pull req #11, ok djm@
+
+ OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540
+
+commit 1f385f55332db830b0ae22a7663b98279ca2d657
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Thu Feb 8 04:12:32 2018 +0000
+
+ upstream commit
+
+ Rename struct umac_ctx to umac128_ctx too. In portable
+ some linkers complain about two symbols with the same name having differing
+ sizes. ok djm@
+
+ OpenBSD-Commit-ID: cbebf8bdd3310a9795b4939a1e112cfe24061ca3
+
+commit f1f047fb031c0081dbc8738f05bf5d4cc47acadf
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Feb 7 22:52:45 2018 +0000
+
+ upstream commit
+
+ ssh_free checks for and handles NULL args, remove NULL
+ checks from remaining callers. ok djm@
+
+ OpenBSD-Commit-ID: bb926825c53724c069df68a93a2597f9192f7e7b
+
+commit aee49b2a89b6b323c80dd3b431bd486e51f94c8c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 8 12:36:22 2018 +1100
+
+ Set SO_REUSEADDR in regression test netcat.
+
+ Sometimes multiplex tests fail on Solaris with "netcat: local_listen:
+ Address already in use" which is likely due to previous invocations
+ leaving the port in TIME_WAIT. Set SO_REUSEADDR (in addition to
+ SO_REUSEPORT which is alread set on platforms that support it). ok djm@
+
+commit 1749991c55bab716877b7c687cbfbf19189ac6f1
+Author: jsing@openbsd.org <jsing@openbsd.org>
+Date: Wed Feb 7 05:17:56 2018 +0000
+
+ upstream commit
+
+ Convert some explicit_bzero()/free() calls to freezero().
+
+ ok deraadt@ dtucker@
+
+ OpenBSD-Commit-ID: f566ab99149650ebe58b1d4b946ea726c3829609
+
+commit 94ec2b69d403f4318b7a0d9b17f8bc3efbf4d0d2
+Author: jsing@openbsd.org <jsing@openbsd.org>
+Date: Wed Feb 7 05:15:49 2018 +0000
+
+ upstream commit
+
+ Remove some #ifdef notyet code from OpenSSL 0.9.8 days.
+
+ These functions have never appeared in OpenSSL and are likely never to do
+ so.
+
+ "kill it with fire" djm@
+
+ OpenBSD-Commit-ID: fee9560e283fd836efc2631ef381658cc673d23e
+
+commit 7cd31632e3a6607170ed0c9ed413a7ded5b9b377
+Author: jsing@openbsd.org <jsing@openbsd.org>
+Date: Wed Feb 7 02:06:50 2018 +0000
+
+ upstream commit
+
+ Remove all guards for calls to OpenSSL free functions -
+ all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
+
+ Prompted by dtucker@ asking about guards for RSA_free(), when looking at
+ openssh-portable pr#84 on github.
+
+ ok deraadt@ dtucker@
+
+ OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
+
+commit 3c000d57d46882eb736c6563edfc4995915c24a2
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Feb 7 09:19:38 2018 +1100
+
+ Remove obsolete "Smartcard support" message
+
+ The configure checks that populated $SCARD_MSG were removed in commits
+ 7ea845e4 and d8f60022 when the smartcard support was replaced with
+ PKCS#11.
+
+commit 3e615090de0ce36a833d811e01c28aec531247c4
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Feb 6 06:01:54 2018 +0000
+
+ upstream commit
+
+ Replace "trojan horse" with the correct term (MITM).
+ From maikel at predikkta.com via bz#2822, ok markus@
+
+ OpenBSD-Commit-ID: e86ac64c512057c89edfadb43302ac0aa81a6c53
+
+commit 3484380110d437c50e17f87d18544286328c75cb
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Mon Feb 5 05:37:46 2018 +0000
+
+ upstream commit
+
+ Add a couple of non-negativity checks to avoid close(-1).
+
+ ok djm
+
+ OpenBSD-Commit-ID: 4701ce0b37161c891c838d0931305f1d37a50880
+
+commit 5069320be93c8b2a6584b9f944c86f60c2b04e48
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Mon Feb 5 05:36:49 2018 +0000
+
+ upstream commit
+
+ The file descriptors for socket, stdin, stdout and stderr
+ aren't necessarily distinct, so check if they are the same to avoid closing
+ the same fd several times.
+
+ ok djm
+
+ OpenBSD-Commit-ID: 60d71fd22e9a32f5639d4ba6e25a2f417fc36ac1
+
+commit 2b428f90ea1b21d7a7c68ec1ee334253b3f9324d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Feb 5 04:02:53 2018 +0000
+
+ upstream commit
+
+ I accidentially a word
+
+ OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a
+
+commit 130283d5c2545ff017c2162dc1258c5354e29399
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Jan 25 03:34:43 2018 +0000
+
+ upstream commit
+
+ certificate options are case-sensitive; fix case on one
+ that had it wrong.
+
+ move a badly-place sentence to a less bad place
+
+ OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b
+
+commit 89f09ee68730337015bf0c3f138504494a34e9a6
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jan 24 12:20:44 2018 +1100
+
+ crypto_api.h needs includes.h
+
+commit c9c1bba06ad1c7cad8548549a68c071bd807af60
+Author: stsp@openbsd.org <stsp@openbsd.org>
+Date: Tue Jan 23 20:00:58 2018 +0000
+
+ upstream commit
+
+ Fix a logic bug in sshd_exchange_identification which
+ prevented clients using major protocol version 2 from connecting to the
+ server. ok millert@
+
+ OpenBSD-Commit-ID: 8668dec04586e27f1c0eb039ef1feb93d80a5ee9
+
+commit a60c5dcfa2538ffc94dc5b5adb3db5b6ed905bdb
+Author: stsp@openbsd.org <stsp@openbsd.org>
+Date: Tue Jan 23 18:33:49 2018 +0000
+
+ upstream commit
+
+ Add missing braces; fixes 'write: Socket is not
+ connected' error in ssh. ok deraadt@
+
+ OpenBSD-Commit-ID: db73a3a9e147722d410866cac34d43ed52e1ad24
+
+commit 20d53ac283e1c60245ea464bdedd015ed9b38f4a
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 23 16:49:43 2018 +1100
+
+ rebuild depends
+
+commit 552ea155be44f9c439c1f9f0c38f9e593428f838
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Jan 23 16:49:22 2018 +1100
+
+ one SSH_BUG_BANNER instance that got away
+
+commit 14b5c635d1190633b23ac3372379517fb645b0c2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 23 05:27:21 2018 +0000
+
+ upstream commit
+
+ Drop compatibility hacks for some ancient SSH
+ implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
+
+ These versions were all released in or before 2001 and predate the
+ final SSH RFCs. The hacks in question aren't necessary for RFC-
+ compliant SSH implementations.
+
+ ok markus@
+
+ OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
+
+commit 7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 23 05:17:04 2018 +0000
+
+ upstream commit
+
+ try harder to preserve errno during
+ ssh_connect_direct() to make the final error message possibly accurate;
+ bz#2814, ok dtucker@
+
+ OpenBSD-Commit-ID: 57de882cb47381c319b04499fef845dd0c2b46ca
+
+commit 9e9c4a7e57b96ab29fe6d7545ed09d2e5bddbdec
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 23 05:12:12 2018 +0000
+
+ upstream commit
+
+ unbreak support for clients that advertise a protocol
+ version of "1.99" (indicating both v2 and v1 support). Busted by me during
+ SSHv1 purge in r1.358; bz2810, ok dtucker
+
+ OpenBSD-Commit-ID: e8f9c2bee11afc16c872bb79d6abe9c555bd0e4b
+
+commit fc21ea97968264ad9bb86b13fedaaec8fd3bf97d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 23 05:06:25 2018 +0000
+
+ upstream commit
+
+ don't attempt to force hostnames that are addresses to
+ lowercase, but instead canonicalise them through getnameinfo/getaddrinfo to
+ remove ambiguities (e.g. ::0001 => ::1) before they are matched against
+ known_hosts; bz#2763, ok dtucker@
+
+ OpenBSD-Commit-ID: ba0863ff087e61e5c65efdbe53be3cb92c9aefa0
+
+commit d6364f6fb1a3d753d7ca9bf15b2adce961324513
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Jan 23 05:01:15 2018 +0000
+
+ upstream commit
+
+ avoid modifying pw->pw_passwd; let endpwent() clean up
+ for us, but keep a scrubbed copy; bz2777, ok dtucker@
+
+ OpenBSD-Commit-ID: 715afc0f59c6b82c4929a73279199ed241ce0752
+
+commit a69bbb07cd6fb4dfb9bdcacd370ab26d0a2b4215
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Sat Jan 13 00:24:09 2018 +0000
+
+ upstream commit
+
+ clarify authorship; prodded by and ok markus@
+
+ OpenBSD-Commit-ID: e1938eee58c89b064befdabe232835fa83bb378c
+
+commit 04214b30be3d3e73a01584db4e040d5ccbaaddd4
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:37:21 2018 +0000
+
+ upstream commit
+
+ group shared source files (e.g. SRCS_KEX) and allow
+ compilation w/o OPENSSL ok djm@
+
+ OpenBSD-Commit-ID: fa728823ba21c4b45212750e1d3a4b2086fd1a62
+
+commit 25cf9105b849932fc3b141590c009e704f2eeba6
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:21:49 2018 +0000
+
+ upstream commit
+
+ move subprocess() so scp/sftp do not need uidswap.o; ok
+ djm@
+
+ OpenBSD-Commit-ID: 6601b8360388542c2e5fef0f4085f8e54750bea8
+
+commit b0d34132b3ca26fe94013f01d7b92101e70b68bb
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:18:46 2018 +0000
+
+ upstream commit
+
+ switch ssh-pkcs11-helper to new API; ok djm@
+
+ OpenBSD-Commit-ID: e0c0ed2a568e25b1d2024f3e630f3fea837c2a42
+
+commit ec4a9831184c0c6ed5f7f0cfff01ede5455465a3
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:15:36 2018 +0000
+
+ upstream commit
+
+ split client/server kex; only ssh-keygen needs
+ uuencode.o; only scp/sftp use progressmeter.o; ok djm@
+
+ OpenBSD-Commit-ID: f2c9feb26963615c4fece921906cf72e248b61ee
+
+commit ec77efeea06ac62ee1d76fe0b3225f3000775a9e
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:15:17 2018 +0000
+
+ upstream commit
+
+ only ssh-keygen needs uuencode.o; only scp/sftp use
+ progressmeter.o
+
+ OpenBSD-Commit-ID: a337e886a49f96701ccbc4832bed086a68abfa85
+
+commit 25aae35d3d6ee86a8c4c0b1896acafc1eab30172
+Author: markus@openbsd.org <markus@openbsd.org>
+Date: Mon Jan 8 15:14:44 2018 +0000
+
+ upstream commit
+
+ uuencode.h is not used
+
+ OpenBSD-Commit-ID: 238eb4659f3c119904326b9e94a5e507a912796c
+
+commit 4f29309c4cb19bcb1774931db84cacc414f17d29
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Jan 3 19:50:43 2018 +1100
+
+ unbreak fuzz harness
+
+commit f6b50bf84dc0b61f22c887c00423e0ea7644e844
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 21 05:46:35 2017 +0000
+
+ upstream commit
+
+ another libssh casualty
+
+ OpenBSD-Regress-ID: 839b970560246de23e7c50215095fb527a5a83ec
+
+commit 5fb4fb5a0158318fb8ed7dbb32f3869bbf221f13
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 21 03:01:49 2017 +0000
+
+ upstream commit
+
+ missed one (unbreak after ssh/lib removal)
+
+ OpenBSD-Regress-ID: cfdd132143131769e2d2455e7892b5d55854c322
+
+commit e6c4134165d05447009437a96e7201276688807f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 21 00:41:22 2017 +0000
+
+ upstream commit
+
+ unbreak unit tests after removal of src/usr.bin/ssh/lib
+
+ OpenBSD-Regress-ID: 3a79760494147b20761cbd2bd5c20e86c63dc8f9
+
+commit d45d69f2a937cea215c7f0424e5a4677b6d8c7fe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Dec 21 00:00:28 2017 +0000
+
+ upstream commit
+
+ revert stricter key type / signature type checking in
+ userauth path; too much software generates inconsistent messages, so we need
+ a better plan.
+
+ OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519
+
+commit c5a6cbdb79752f7e761074abdb487953ea6db671
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Dec 19 00:49:30 2017 +0000
+
+ upstream commit
+
+ explicitly test all key types and their certificate
+ counterparts
+
+ refactor a little
+
+ OpenBSD-Regress-ID: e9ecd5580821b9ef8b7106919c6980d8e45ca8c4
+
+commit f689adb7a370b5572612d88be9837ca9aea75447
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Dec 11 11:41:56 2017 +0000
+
+ upstream commit
+
+ use cmp in a loop instead of diff -N to compare
+ directories. The former works on more platforms for Portable.
+
+ OpenBSD-Regress-ID: c3aa72807f9c488e8829a26ae50fe5bcc5b57099
+
+commit 748dd8e5de332b24c40f4b3bbedb902acb048c98
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Dec 19 16:17:59 2017 +1100
+
+ remove blocks.c from Makefile
+
+commit 278856320520e851063b06cef6ef1c60d4c5d652
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Dec 19 00:24:34 2017 +0000
+
+ upstream commit
+
+ include signature type and CA key (if applicable) in some
+ debug messages
+
+ OpenBSD-Commit-ID: b71615cc20e78cec7105bb6e940c03ce9ae414a5
+
+commit 7860731ef190b52119fa480f8064ab03c44a120a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 23:16:23 2017 +0000
+
+ upstream commit
+
+ unbreak hostkey rotation; attempting to sign with a
+ desired signature algorithm of kex->hostkey_alg is incorrect when the key
+ type isn't capable of making those signatures. ok markus@
+
+ OpenBSD-Commit-ID: 35ae46864e1f5859831ec0d115ee5ea50953a906
+
+commit 966ef478339ad5e631fb684d2a8effe846ce3fd4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 23:14:34 2017 +0000
+
+ upstream commit
+
+ log mismatched RSA signature types; ok markus@
+
+ OpenBSD-Commit-ID: 381bddfcc1e297a42292222f3bcb5ac2b7ea2418
+
+commit 349ecd4da3a985359694a74635748009be6baca6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 23:13:42 2017 +0000
+
+ upstream commit
+
+ pass kex->hostkey_alg and kex->hostkey_nid from pre-auth
+ to post-auth unpriviledged child processes; ok markus@
+
+ OpenBSD-Commit-ID: 4a35bc7af0a5f8a232d1361f79f4ebc376137302
+
+commit c9e37a8725c083441dd34a8a53768aa45c3c53fe
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Mon Dec 18 17:28:54 2017 +0000
+
+ upstream commit
+
+ Add helper function for uri handing in scp where a
+ missing path simply means ".". Also fix exit code and add warnings when an
+ invalid uri is encountered. OK otto@
+
+ OpenBSD-Commit-ID: 47dcf872380586dabf7fcc6e7baf5f8ad508ae1a
+
+commit 04c7e28f83062dc42f2380d1bb3a6bf0190852c0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 02:25:15 2017 +0000
+
+ upstream commit
+
+ pass negotiated signing algorithm though to
+ sshkey_verify() and check that the negotiated algorithm matches the type in
+ the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
+
+ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
+
+commit 931c78dfd7fe30669681a59e536bbe66535f3ee9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Dec 18 02:22:29 2017 +0000
+
+ upstream commit
+
+ sshkey_sigtype() function to return the type of a
+ signature; ok markus@
+
+ OpenBSD-Commit-ID: d3772b065ad6eed97285589bfb544befed9032e8
+
+commit 4cdc5956f2fcc9e9078938db833142dc07d8f523
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Thu Dec 14 21:07:39 2017 +0000
+
+ upstream commit
+
+ Replace ED25519's private SHA-512 implementation with a
+ call to the regular digest code. This speeds up compilation considerably. ok
+ markus@
+
+ OpenBSD-Commit-ID: fcce8c3bcfe7389462a28228f63c823e80ade41c
+
+commit 012e5cb839faf76549e3b6101b192fe1a74d367e
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date: Tue Dec 12 15:06:12 2017 +0000
+
+ upstream commit
+
+ Create a persistent umac128.c source file: #define the
+ output size and the name of the entry points for UMAC-128 before including
+ umac.c. Idea from FreeBSD. ok dtucker@
+
+ OpenBSD-Commit-ID: 463cfacfa07cb8060a4d4961e63dca307bf3f4b1
+
+commit b35addfb4cd3b5cdb56a2a489d38e940ada926c7
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Dec 11 16:23:28 2017 +1100
+
+ Update .depend with empty config.h
+
+commit 2d96f28246938e0ca474a939d8ac82ecd0de27e3
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Dec 11 16:21:55 2017 +1100
+
+ Ensure config.h is always in dependencies.
+
+ Put an empty config.h into the dependency list to ensure that it's
+ always listed and consistent.
+
+commit ac4987a55ee5d4dcc8e87f7ae7c1f87be7257d71
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Sun Dec 10 19:37:57 2017 +0000
+
+ upstream commit
+
+ ssh/lib hasn't worked towards our code-sharing goals for
+ a quit while, perhaps it is too verbose? Change each */Makefile to
+ specifying exactly what sources that program requires, compiling it seperate.
+ Maybe we'll iterate by sorting those into seperatable chunks, splitting up
+ files which contain common code + server/client specific code, or whatnot.
+ But this isn't one step, or we'd have done it a long time ago.. ok dtucker
+ markus djm
+
+ OpenBSD-Commit-ID: 5317f294d63a876bfc861e19773b1575f96f027d
+
+commit 48c23a39a8f1069a57264dd826f6c90aa12778d5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Sun Dec 10 05:55:29 2017 +0000
+
+ upstream commit
+
+ Put remote client info back into the ClientAlive
+ connection termination message. Based in part on diff from lars.nooden at
+ gmail, ok djm
+
+ OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
+
+commit aabd75ec76575c1b17232e6526a644097cd798e5
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Fri Dec 8 03:45:52 2017 +0000
+
+ upstream commit
+
+ time_t printing needs %lld and (long long) casts ok djm
+
+ OpenBSD-Commit-ID: 4a93bc2b0d42a39b8f8de8bb74d07ad2e5e83ef7
+
+commit fd4eeeec16537870bd40d04836c7906ec141c17d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 8 02:14:33 2017 +0000
+
+ upstream commit
+
+ fix ordering in previous to ensure errno isn't clobbered
+ before logging.
+
+ OpenBSD-Commit-ID: e260bc1e145a9690dcb0d5aa9460c7b96a0c8ab2
+
+commit 155072fdb0d938015df828836beb2f18a294ab8a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Dec 8 02:13:02 2017 +0000
+
+ upstream commit
+
+ for some reason unix_listener() logged most errors twice
+ with each message containing only some of the useful information; merge these
+
+ OpenBSD-Commit-ID: 1978a7594a9470c0dddcd719586066311b7c9a4a
+
+commit 79c0e1d29959304e5a49af1dbc58b144628c09f3
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Dec 11 14:38:33 2017 +1100
+
+ Add autogenerated dependency info to Makefile.
+
+ Adds a .depend file containing dependency information generated by
+ makedepend, which is appended to the generated Makefile by configure.
+
+ You can regen the file with "make -f Makefile.in depend" if necessary,
+ but we'll be looking at some way to automatically keep this up to date.
+
+ "no objection" djm@
+
+commit f001de8fbf7f3faddddd8efd03df18e57601f7eb
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Mon Dec 11 13:42:51 2017 +1100
+
+ Fix pasto in ldns handling.
+
+ When ldns-config is not found, configure would check the wrong variable.
+ ok djm@
+
+commit c5bfe83f67cb64e71cf2fe0d1500f6904b0099ee
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Sat Dec 9 10:12:23 2017 +1100
+
+ Portable switched to git so s/CVS/git/.
+
+commit bb82e61a40a4ee52e4eb904caaee2c27b763ab5b
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Sat Dec 9 08:06:00 2017 +1100
+
+ Remove now-used check for perl.
+
+commit e0ce54c0b9ca3a9388f9c50f4fa6cc25c28a3240
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Dec 6 05:06:21 2017 +0000
+
+ upstream commit
+
+ don't accept junk after "yes" or "no" responses to
+ hostkey prompts. bz#2803 reported by Maksim Derbasov; ok dtucker@
+
+ OpenBSD-Commit-ID: e1b159fb2253be973ce25eb7a7be26e6f967717c
+
+commit 609d96b3d58475a15b2eb6b3d463f2c5d8e510c0
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Dec 5 23:59:47 2017 +0000
+
+ upstream commit
+
+ Replace atoi and strtol conversions for integer arguments
+ to config keywords with a checking wrapper around strtonum. This will
+ prevent and flag invalid and negative arguments to these keywords. ok djm@
+
+ OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
+
+commit 168ecec13f9d7cb80c07df3bf7d414f4e4165e84
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Dec 5 23:56:07 2017 +0000
+
+ upstream commit
+
+ Add missing break for rdomain. Prevents spurious
+ "Deprecated option" warnings. ok djm@
+
+ OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a
+
+commit 927f8514ceffb1af380a5f63ab4d3f7709b1b198
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Dec 5 01:30:19 2017 +0000
+
+ upstream commit
+
+ include the addr:port in bind/listen failure messages
+
+ OpenBSD-Commit-ID: fdadb69fe1b38692608809cf0376b71c2c28e58e
+
+commit a8c89499543e2d889629c4e5e8dcf47a655cf889
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Nov 29 05:49:54 2017 +0000
+
+ upstream commit
+
+ Import updated moduli.
+
+ OpenBSD-Commit-ID: 524d210f982af6007aa936ca7f4c977f4d32f38a
+
+commit 3dde09ab38c8e1cfc28252be473541a81bc57097
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Nov 28 21:10:22 2017 +0000
+
+ upstream commit
+
+ Have sftp print a warning about shell cleanliness when
+ decoding the first packet fails, which is usually caused by shells polluting
+ stdout of non-interactive starups. bz#2800, ok markus@ deraadt@.
+
+ OpenBSD-Commit-ID: 88d6a9bf3470f9324b76ba1cbd53e50120f685b5
+
+commit 6c8a246437f612ada8541076be2414846d767319
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Dec 1 17:11:47 2017 +1100
+
+ Replace mkinstalldirs with mkdir -p.
+
+ Check for MIKDIR_P and use it instead of mkinstalldirs. Should fix "mkdir:
+ cannot create directory:... File exists" during "make install".
+ Patch from eb at emlix.com.
+
+commit 3058dd78d2e43ed0f82ad8eab8bb04b043a72023
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Dec 1 17:07:08 2017 +1100
+
+ Pull in newer install-sh from autoconf-2.69.
+
+ Suggested by eb at emlix.com
+
+commit 79226e5413c5b0fda3511351a8511ff457e306d8
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Dec 1 16:55:35 2017 +1100
+
+ Remove RSA1 host key generation.
+
+ SSH1 support is now gone, remove SSH1 key generation.
+ Patch from eb at emlix.com.
+
+commit 2937dd02c572a12f33d5c334d518f6cbe0b645eb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Nov 28 06:09:38 2017 +0000
+
+ upstream commit
+
+ more whitespace errors
+
+ OpenBSD-Commit-ID: 5e11c125378327b648940b90145e0d98beb05abb
+
+commit 7f257bf3fd3a759f31098960cbbd1453fafc4164
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Tue Nov 28 06:04:51 2017 +0000
+
+ upstream commit
+
+ whitespace at EOL
+
+ OpenBSD-Commit-ID: 76d3965202b22d59c2784a8df3a8bfa5ee67b96a
+
+commit 5db6fbf1438b108e5df3e79a1b4de544373bc2d4
+Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org>
+Date: Sat Nov 25 06:46:22 2017 +0000
+
+ upstream commit
+
+ Add monotime_ts and monotime_tv that return monotonic
+ timespec and timeval respectively. Replace calls to gettimeofday() in packet
+ timing with monotime_tv so that the callers will work over a clock step.
+ Should prevent integer overflow during clock steps reported by wangle6 at
+ huawei.com. "I like" markus@
+
+ OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a
+
+commit 2d638e986085bdf1a40310ed6e2307463db96ea0
+Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org>
+Date: Sat Nov 25 05:58:47 2017 +0000
+
+ upstream commit
+
+ Remove get_current_time() and replace with calls to
+ monotime_double() which uses CLOCK_MONOTONIC and works over clock steps. "I
+ like" markus@
+
+ OpenBSD-Commit-ID: 3ad2f7d2414e2cfcaef99877a7a5b0baf2242952
+
+commit ba460acae48a36ef749cb23068f968f4d5d90a24
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Nov 24 16:24:31 2017 +1100
+
+ Include string.h for explicit_bzero.
+
+commit a65655fb1a12b77fb22f9e71559b9d73030ec8ff
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Nov 24 10:23:47 2017 +1100
+
+ fix incorrect range of OpenSSL versions supported
+
+ Pointed out by Solar Designer
+
+commit 83a1e5dbec52d05775174f368e0c44b08619a308
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Wed Nov 15 02:10:16 2017 +0000
+
+ upstream commit
+
+ downgrade a couple more request parsing errors from
+ process-fatal to just returning failure, making them consistent with the
+ others that were already like that.
+
+ OpenBSD-Commit-ID: c111461f7a626690a2d53018ef26557b34652918
+
+commit 93c68a8f3da8e5e6acdc3396f54d73919165e242
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Wed Nov 15 00:13:40 2017 +0000
+
+ upstream commit
+
+ fix regression in 7.6: failure to parse a signature request
+ message shouldn't be fatal to the process, just the request. Reported by Ron
+ Frederick
+
+ OpenBSD-Commit-ID: e5d01b3819caa1a2ad51fc57d6ded43f48bbcc05
+
+commit 548d3a66feb64c405733932a6b1abeaf7198fa71
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Tue Nov 14 00:45:29 2017 +0000
+
+ upstream commit
+
+ fix problem in configuration parsing when in config dump mode
+ (sshd -T) without providing a full connection specification (sshd -T -C ...)
+
+ spotted by bluhm@
+
+ OpenBSD-Commit-ID: 7125faf5740eaa9d3a2f25400a0bc85e94e28b8f
+
+commit 33edb6ebdc2f81ebed1bceadacdfb8910b64fb88
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 05:18:44 2017 +0000
+
+ upstream commit
+
+ reuse parse_multistate for parse_flag (yes/no arguments).
+ Saves a few lines of code and makes the parser more consistent wrt case-
+ sensitivity. bz#2664 ok dtucker@
+
+ OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef
+
+commit d52131a98316e76c0caa348f09bf6f7b9b01a1b9
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 05:14:04 2017 +0000
+
+ upstream commit
+
+ allow certificate validity intervals that specify only a
+ start or stop time (we already support specifying both or neither)
+
+ OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
+
+commit fbe8e7ac94c2fa380421a9205a8bc966549c2f91
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 03:46:52 2017 +0000
+
+ upstream commit
+
+ allow "cd" and "lcd" commands with no explicit path
+ argument. lcd will change to the local user's home directory as usual. cd
+ will change to the starting directory for session (because the protocol
+ offers no way to obtain the remote user's home directory). bz#2760 ok
+ dtucker@
+
+ OpenBSD-Commit-ID: 15333f5087cee8c1ed1330cac1bd0a3e6a767393
+
+commit 0208a48517b5e8e8b091f32fa4addcd67c31ca9e
+Author: dtucker@openbsd.org@openbsd.org <dtucker@openbsd.org@openbsd.org>
+Date: Fri Nov 3 03:18:53 2017 +0000
+
+ upstream commit
+
+ When doing a config test with sshd -T, only require the
+ attributes that are actually used in Match criteria rather than (an
+ incomplete list of) all criteria. ok djm@, man page help jmc@
+
+ OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
+
+commit c357eed5a52cd2f4ff358b17e30e3f9a800644da
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 02:32:19 2017 +0000
+
+ upstream commit
+
+ typos in ECDSA certificate names; bz#2787 reported by
+ Mike Gerow
+
+ OpenBSD-Commit-ID: 824938b6aba1b31321324ba1f56c05f84834b163
+
+commit ecbf005b8fd80b81d0c61dfc1e96fe3da6099395
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 02:29:17 2017 +0000
+
+ upstream commit
+
+ Private keys in PEM format have been encrypted by AES-128 for
+ a while (not 3DES). bz#2788 reported by Calum Mackay
+
+ OpenBSD-Commit-ID: bd33da7acbbb3c882f0a0ee56007a35ce0d8a11a
+
+commit 81c9ccdbf6ddbf9bfbd6f1f775a5a7c13e47e185
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Nov 3 14:52:51 2017 +1100
+
+ Check for linux/if.h when enabling rdomain.
+
+ musl libc doesn't seem to have linux/if.h, so check for its presence
+ before enabling rdomain support on Linux.
+
+commit fa1b834cce41a1ce3e6a8d57fb67ef18c9dd803f
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Fri Nov 3 14:09:45 2017 +1100
+
+ Add headers for sys/sysctl.h and net/route.h
+
+ On at least older OpenBSDs, sys/sysctl.h and net/route.h require
+ sys/types and, in the case of sys/sysctl.h, sys/param.h for MAXLOGNAME.
+
+commit 41bff4da21fcd8a7c6a83a7e0f92b018f904f6fb
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Nov 3 02:22:41 2017 +0000
+
+ upstream commit
+
+ avoid unused variable warnings for !WITH_OPENSSL; patch from
+ Marcus Folkesson
+
+ OpenBSD-Commit-ID: c01d27a3f907acdc3dd4ea48170fac3ba236d229
+
+commit 6b373e4635a7470baa94253dd1dc8953663da9e8
+Author: Marcus Folkesson <marcus.folkesson@gmail.com>
+Date: Sat Oct 28 19:48:39 2017 +0200
+
+ only enable functions in dh.c when openssl is used
+
+ Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+commit 939b30ba23848b572e15bf92f0f1a3d9cf3acc2b
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Wed Nov 1 00:04:15 2017 +0000
+
+ upstream commit
+
+ fix broken stdout in ControlPersist mode, introduced by me in
+ r1.467 and reported by Alf Schlichting
+
+ OpenBSD-Commit-ID: 3750a16e02108fc25f747e4ebcedb7123c1ef509
+
+commit f21455a084f9cc3942cf1bde64055a4916849fed
+Author: Darren Tucker <dtucker@zip.com.au>
+Date: Tue Oct 31 10:09:33 2017 +1100
+
+ Include includes.h for HAVE_GETPAGESIZE.
+
+ The configure script checks for getpagesize() and sets HAVE_GETPAGESIZE in
+ config.h, but bsd-getpagesize.c forgot to include includes.h (which
+ indirectly includes config.h) so the checks always fails, causing linker
+ issues when linking statically on systems with getpagesize().
+
+ Patch from Peter Korsgaard <peter at korsgaard.com>
+
+commit f2ad63c0718b93ac1d1e85f53fee33b06eef86b5
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Mon Oct 30 22:01:52 2017 +0000
+
+ upstream commit
+
+ whitespace at EOL
+
+ OpenBSD-Regress-ID: f4b5df99b28c6f63478deb916c6ed0e794685f07
+
+commit c6415b1f8f1d0c2735564371647fd6a177fb9a3e
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Mon Oct 30 21:59:43 2017 +0000
+
+ upstream commit
+
+ whitespace at EOL
+
+ OpenBSD-Regress-ID: 19b1394393deee4c8a2114a3b7d18189f27a15cd
+
+commit e4d4ddbbba0e585ca3ec3a455430750b4622a6d3
+Author: millert@openbsd.org@openbsd.org <millert@openbsd.org@openbsd.org>
+Date: Wed Oct 25 20:08:36 2017 +0000
+
+ upstream commit
+
+ Use printenv to test whether an SSH_USER_AUTH is set
+ instead of using $SSH_USER_AUTH. The latter won't work with csh which treats
+ unknown variables as an error when expanding them. OK markus@
+
+ OpenBSD-Regress-ID: f601e878dd8b71aa40381573dde3a8f567e6f2d1
+
+commit 116b1b439413a724ebb3320633a64dd0f3ee1fe7
+Author: millert@openbsd.org@openbsd.org <millert@openbsd.org@openbsd.org>
+Date: Tue Oct 24 19:33:32 2017 +0000
+
+ upstream commit
+
+ Add tests for URI parsing. OK markus@
+
+ OpenBSD-Regress-ID: 5d1df19874f3b916d1a2256a905526e17a98bd3b
+
+commit dbe0662e9cd482593a4a8bf58c6481bfe8a747a4
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Oct 27 01:57:06 2017 +0000
+
+ upstream commit
+
+ whitespace at EOL
+
+ OpenBSD-Commit-ID: c95549cf5a07d56ea11aaff818415118720214f6
+
+commit d2135474344335a7c6ee643b6ade6db400fa76ee
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Oct 27 01:01:17 2017 +0000
+
+ upstream commit
+
+ whitespace at EOL (lots)
+
+ OpenBSD-Commit-ID: 757257dd44116794ee1b5a45c6724973de181747
+
+commit b77c29a07f5a02c7c1998701c73d92bde7ae1608
+Author: djm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>
+Date: Fri Oct 27 00:18:41 2017 +0000
+
+ upstream commit
+
+ improve printing of rdomain on accept() a little
+
+ OpenBSD-Commit-ID: 5da58db2243606899cedaa646c70201b2d12247a
+
+commit 68d3bbb2e6dfbf117c46e942142795b2cdd0274b
+Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org>
+Date: Thu Oct 26 06:44:01 2017 +0000
+
+ upstream commit
+
+ mark up the rdomain keyword;
+
+ OpenBSD-Commit-ID: 1b597d0ad0ad20e94dbd61ca066057e6f6313b8a
+
+commit 0b2e2896b9d0d6cfb59e9ec8271085296bd4e99b
+Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org>
+Date: Wed Oct 25 06:19:46 2017 +0000
+
+ upstream commit
+
+ tweak the uri text, specifically removing some markup to
+ make it a bit more readable;
+
+ issue reported by - and diff ok - millert
+
+ OpenBSD-Commit-ID: 8b56a20208040b2d0633536fd926e992de37ef3f
+
+commit 7530e77bdc9415386d2a8ea3d086e8b611b2ba40
+Author: jmc@openbsd.org@openbsd.org <jmc@openbsd.org@openbsd.org>
+Date: Wed Oct 25 06:18:06 2017 +0000
+
+ upstream commit
+
+ simplify macros in previous, and some minor tweaks;
+
+ OpenBSD-Commit-ID: 6efeca3d8b095b76e21b484607d9cc67ac9a11ca
+
+commit eb9c582b710dc48976b48eb2204218f6863bae9a
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Oct 31 00:46:29 2017 +1100
+
+ Switch upstream git repository.
+
+ Previously portable OpenSSH has synced against a conversion of OpenBSD's
+ CVS repository made using the git cvsimport tool, but this has become
+ increasingly unreliable.
+
+ As of this commit, portable OpenSSH now tracks a conversion of the
+ OpenBSD CVS upstream made using the excellent cvs2gitdump tool from
+ YASUOKA Masahiko: https://github.com/yasuoka/cvs2gitdump
+
+ cvs2gitdump is considerably more reliable than gitcvsimport and the old
+ version of cvsps that it uses under the hood, and is the same tool used
+ to export the entire OpenBSD repository to git (so we know it can cope
+ with future growth).
+
+ These new conversions are mirrored at github, so interested parties can
+ match portable OpenSSH commits to their upstream counterparts.
+
+ https://github.com/djmdjm/openbsd-openssh-src
+ https://github.com/djmdjm/openbsd-openssh-regress
+
+ An unfortunate side effect of switching upstreams is that we must have
+ a flag day, across which the upstream commit IDs will be inconsistent.
+ The old commit IDs are recorded with the tags "Upstream-ID" for main
+ directory commits and "Upstream-Regress-ID" for regress commits.
+
+ To make it clear that the commit IDs do not refer to the same
+ things, the new repository will instead use "OpenBSD-ID" and
+ "OpenBSD-Regress-ID" tags instead.
+
+ Apart from being a longwinded explanation of what is going on, this
+ commit message also serves to synchronise our tools with the state of
+ the tree, which happens to be:
+
+ OpenBSD-ID: 9c43a9968c7929613284ea18e9fb92e4e2a8e4c1
+ OpenBSD-Regress-ID: b33b385719420bf3bc57d664feda6f699c147fef
+
+commit 2de5c6b53bf063ac698596ef4e23d8e3099656ea
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 27 08:42:33 2017 +1100
+
+ fix rdomain compilation errors
+
+commit 6bd5b569fd6dfd5e8c8af20bbc41e45c2d6462ab
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 14:15:42 2017 +1100
+
+ autoconf glue to enable Linux VRF
+
+commit 97c5aaf925d61641d599071abb56012cde265978
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 14:09:56 2017 +1100
+
+ basic valid_rdomain() implementation for Linux
+
+commit ce1cca39d7935dd394080ce2df62f5ce5b51f485
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 13:47:59 2017 +1100
+
+ implement get/set_rdomain() for Linux
+
+ Not enabled, pending implementation of valid_rdomain() and autoconf glue
+
+commit 6eee79f9b8d4a3b113b698383948a119acb82415
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 13:22:29 2017 +1100
+
+ stubs for rdomain replacement functions
+
+commit f5594f939f844bbb688313697d6676238da355b3
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 13:13:57 2017 +1100
+
+ rename port-tun.[ch] => port-net.[ch]
+
+ Ahead of adding rdomain support
+
+commit d685e5a31feea35fb99e1a31a70b3c60a7f2a0eb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 25 02:10:39 2017 +0000
+
+ upstream commit
+
+ uninitialised variable in PermitTunnel printing code
+
+ Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a
+
+commit 43c29bb7cfd46bbbc61e0ffa61a11e74d49a712f
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 13:10:59 2017 +1100
+
+ provide hooks and fallbacks for rdomain support
+
+commit 3235473bc8e075fad7216b7cd62fcd2b0320ea04
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Oct 25 11:25:43 2017 +1100
+
+ check for net/route.h and sys/sysctl.h
+
+commit 4d5456c7de108e17603a0920c4d15bca87244921
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 25 00:21:37 2017 +0000
+
+ upstream commit
+
+ transfer ownership of stdout to the session channel by
+ dup2'ing /dev/null to fd 1. This allows propagation of remote stdout close to
+ the local side; reported by David Newall, ok markus@
+
+ Upstream-ID: 8d9ac18a11d89e6b0415f0cbf67b928ac67f0e79
+
+commit 68af80e6fdeaeb79432209db614386ff0f37e75f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 25 00:19:47 2017 +0000
+
+ upstream commit
+
+ add a "rdomain" criteria for the sshd_config Match
+ keyword to allow conditional configuration that depends on which rdomain(4) a
+ connection was recevied on. ok markus@
+
+ Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
+
+commit 35eb33fb957979e3fcbe6ea0eaee8bf4a217421a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 25 00:17:08 2017 +0000
+
+ upstream commit
+
+ add sshd_config RDomain keyword to place sshd and the
+ subsequent user session (including the shell and any TCP/IP forwardings) into
+ the specified rdomain(4)
+
+ ok markus@
+
+ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
+
+commit acf559e1cffbd1d6167cc1742729fc381069f06b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 25 00:15:35 2017 +0000
+
+ upstream commit
+
+ Add optional rdomain qualifier to sshd_config's
+ ListenAddress option to allow listening on a different rdomain(4), e.g.
+
+ ListenAddress 0.0.0.0 rdomain 4
+
+ Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
+
+commit b9903ee8ee8671b447fc260c2bee3761e26c7227
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Tue Oct 24 19:41:45 2017 +0000
+
+ upstream commit
+
+ Kill dead store and some spaces vs. tabs indent in
+ parse_user_host_path(). Noticed by markus@
+
+ Upstream-ID: 114fec91dadf9af46c7c94fd40fc630ea2de8200
+
+commit 0869627e00f4ee2a038cb62d7bd9ffad405e1800
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Tue Oct 24 06:27:42 2017 +0000
+
+ upstream commit
+
+ tweak previous; ok djm
+
+ Upstream-ID: 7d913981ab315296be1f759c67b6e17aea38fca9
+
+commit e3fa20e2e58fdc88a0e842358778f2de448b771b
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Oct 23 16:25:24 2017 +1100
+
+ avoid -Wsign-compare warning in argv copying
+
+commit b7548b12a6b2b4abf4d057192c353147e0abba08
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Oct 23 05:08:00 2017 +0000
+
+ upstream commit
+
+ Expose devices allocated for tun/tap forwarding.
+
+ At the client, the device may be obtained from a new %T expansion
+ for LocalCommand.
+
+ At the server, the allocated devices will be listed in a
+ SSH_TUNNEL variable exposed to the environment of any user sessions
+ started after the tunnel forwarding was established.
+
+ ok markus
+
+ Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
+
+commit 887669ef032d63cf07f53cada216fa8a0c9a7d72
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Sat Oct 21 23:06:24 2017 +0000
+
+ upstream commit
+
+ Add URI support to ssh, sftp and scp. For example
+ ssh://user@host or sftp://user@host/path. The connection parameters
+ described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
+ the ssh fingerprint format in the draft uses md5 with no way to specify the
+ hash function type. OK djm@
+
+ Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
+
+commit d27bff293cfeb2252f4c7a58babe5ad3262c6c98
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 20 13:22:00 2017 +1100
+
+ Fix missed RCSID merges
+
+commit d3b6aeb546242c9e61721225ac4387d416dd3d5e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 20 02:13:41 2017 +0000
+
+ upstream commit
+
+ more RCSIDs
+
+ Upstream-Regress-ID: 1aecbe3f8224793f0ec56741a86d619830eb33be
+
+commit b011edbb32e41aaab01386ce4c0efcc9ff681c4a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 20 01:56:39 2017 +0000
+
+ upstream commit
+
+ add RCSIDs to these; they make syncing portable a bit
+ easier
+
+ Upstream-ID: 56cb7021faea599736dd7e7f09c2e714425b1e68
+
+commit 6eb27597781dccaf0ec2b80107a9f0592a0cb464
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 20 12:54:15 2017 +1100
+
+ upstream commit
+
+ Apply missing commit 1.11 to kexc25519s.c
+
+ Upstream-ID: 5f020e23a1ee6c3597af1f91511e68552cdf15e8
+
+commit 6f72280553cb6918859ebcacc717f2d2fafc1a27
+Author: Damien Miller <djm@mindrot.org>
+Date: Fri Oct 20 12:52:50 2017 +1100
+
+ upstream commit
+
+ Apply missing commit 1.127 to servconf.h
+
+ Upstream-ID: f14c4bac74a2b7cf1e3cff6bea5c447f192a7d15
+
+commit bb3e16ab25cb911238c2eb7455f9cf490cb143cc
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Wed Oct 18 05:36:59 2017 +0000
+
+ upstream commit
+
+ remove unused Pp;
+
+ Upstream-ID: 8ad26467f1f6a40be887234085a8e01a61a00550
+
+commit 05b69e99570553c8e1eafb895b1fbf1d098d2e14
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 18 02:49:44 2017 +0000
+
+ upstream commit
+
+ In the description of pattern-lists, clarify negated
+ matches by explicitly stating that a negated match will never yield a
+ positive result, and that at least one positive term in the pattern-list must
+ match. bz#1918
+
+ Upstream-ID: 652d2f9d993f158fc5f83cef4a95cd9d95ae6a14
+
+commit eb80e26a15c10bc65fed8b8cdb476819a713c0fd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 13 21:13:54 2017 +0000
+
+ upstream commit
+
+ log debug messages sent to peer; ok deraadt markus
+
+ Upstream-ID: 3b4fdc0a06ea5083f61d96e20043000f477103d9
+
+commit 071325f458d615d7740da5c1c1d5a8b68a0b4605
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Fri Oct 13 16:50:45 2017 +0000
+
+ upstream commit
+
+ trim permitrootlogin description somewhat, to avoid
+ ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and
+ myself
+
+ ok sthen schwarze deraadt
+
+ Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
+
+commit 10727487becb897a15f658e0cb2d05466236e622
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 13 06:45:18 2017 +0000
+
+ upstream commit
+
+ mention SSH_USER_AUTH in the list of environment
+ variables
+
+ Upstream-ID: 1083397c3ee54b4933121ab058c70a0fc6383691
+
+commit 224f193d6a4b57e7a0cb2b9ecd3b6c54d721d8c2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Oct 13 06:24:51 2017 +0000
+
+ upstream commit
+
+ BIO_get_mem_data() is supposed to take a char* as pointer
+ argument, so don't pass it a const char*
+
+ Upstream-ID: 1ccd91eb7f4dd4f0fa812d4f956987cd00b5f6ec
+
+commit cfa46825b5ef7097373ed8e31b01a4538a8db565
+Author: benno@openbsd.org <benno@openbsd.org>
+Date: Mon Oct 9 20:12:51 2017 +0000
+
+ upstream commit
+
+ clarify the order in which config statements are used. ok
+ jmc@ djm@
+
+ Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed
+
+commit dceabc7ad7ebc7769c8214a1647af64c9a1d92e5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Oct 5 15:52:03 2017 +0000
+
+ upstream commit
+
+ replace statically-sized arrays in ServerOptions with
+ dynamic ones managed by xrecallocarray, removing some arbitrary (though
+ large) limits and saving a bit of memory; "much nicer" markus@
+
+ Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
+
+commit 2b4f3ab050c2aaf6977604dd037041372615178d
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Oct 5 12:56:50 2017 +0000
+
+ upstream commit
+
+ %C is hashed; from klemens nanni ok markus
+
+ Upstream-ID: 6ebed7b2e1b6ee5402a67875d74f5e2859d8f998
+
+commit a66714508b86d6814e9055fefe362d9fe4d49ab3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 4 18:50:23 2017 +0000
+
+ upstream commit
+
+ exercise PermitOpen a little more thoroughly
+
+ Upstream-Regress-ID: f41592334e227a4c1f9a983044522de4502d5eac
+
+commit 609ecc8e57eb88e2eac976bd3cae7f7889aaeff6
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Sep 26 22:39:25 2017 +0000
+
+ upstream commit
+
+ UsePrivilegeSeparation is gone, stop trying to test it.
+
+ Upstream-Regress-ID: 796a5057cfd79456a20ea935cc53f6eb80ace191
+
+commit 69bda0228861f3dacd4fb3d28b60ce9d103d254b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Oct 4 18:49:30 2017 +0000
+
+ upstream commit
+
+ fix (another) problem in PermitOpen introduced during the
+ channels.c refactor: the third and subsequent arguments to PermitOpen were
+ being silently ignored; ok markus@
+
+ Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
+
commit 66bf74a92131b7effe49fb0eefe5225151869dc5
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Oct 2 19:33:20 2017 +0000
@@ -7110,2242 +9796,3 @@ Author: Darren Tucker <dtucker@zip.com.au>
Date: Mon Apr 4 11:07:59 2016 +1000
Fix configure-time warnings for openssl test.
-
-commit 95687f5831ae680f7959446d8ae4b52452ee05dd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Apr 1 02:34:10 2016 +0000
-
- upstream commit
-
- whitespace at EOL
-
- Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
-
-commit fdfbf4580de09d84a974211715e14f88a5704b8e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Mar 31 05:24:06 2016 +0000
-
- upstream commit
-
- Remove fallback from moduli to "primes" file that was
- deprecated in 2001 and fix log messages referring to primes file. Based on
- patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@
-
- Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
-
-commit 0235a5fa67fcac51adb564cba69011a535f86f6b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Mar 17 17:19:43 2016 +0000
-
- upstream commit
-
- UseDNS affects ssh hostname processing in authorized_keys,
- not known_hosts; bz#2554 reported by jjelen AT redhat.com
-
- Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
-
-commit 8c4739338f5e379d05b19d6e544540114965f07e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Mar 15 09:24:43 2016 +1100
-
- Don't call Solaris setproject() with UsePAM=yes.
-
- When Solaris Projects are enabled along with PAM setting the project
- is PAM's responsiblity. bz#2425, based on patch from
- brent.paulson at gmail.com.
-
-commit cff26f373c58457a32cb263e212cfff53fca987b
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 15 04:30:21 2016 +1100
-
- remove slogin from *.spec
-
-commit c38905ba391434834da86abfc988a2b8b9b62477
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Mar 14 16:20:54 2016 +0000
-
- upstream commit
-
- unbreak authentication using lone certificate keys in
- ssh-agent: when attempting pubkey auth with a certificate, if no separate
- private key is found among the keys then try with the certificate key itself.
-
- bz#2550 reported by Peter Moody
-
- Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
-
-commit 4b4bfb01cd40b9ddb948e6026ddd287cc303d871
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Mar 10 11:47:57 2016 +0000
-
- upstream commit
-
- sanitise characters destined for xauth reported by
- github.com/tintinweb feedback and ok deraadt and markus
-
- Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
-
-commit 732b463d37221722b1206f43aa59563766a6a968
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Mar 14 16:04:23 2016 +1100
-
- Pass supported malloc options to connect-privsep.
-
- This allows us to activate only the supported options during the malloc
- option portion of the connect-privsep test.
-
-commit d29c5b9b3e9f27394ca97a364ed4bb4a55a59744
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Mar 14 09:30:58 2016 +1100
-
- Remove leftover roaming.h file.
-
- Pointed out by des at des.no.
-
-commit 8ff20ec95f4377021ed5e9b2331320f5c5a34cea
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Mar 14 09:24:03 2016 +1100
-
- Quote variables that may contain whitespace.
-
- The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to
- survive paths containing whitespace. bz#2551, from Corinna Vinschen via
- Philip Hands.
-
-commit 627824480c01f0b24541842c7206ab9009644d02
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Mar 11 14:47:41 2016 +1100
-
- Include priv.h for priv_set_t.
-
- From alex at cooperi.net.
-
-commit e960051f9a264f682c4d2fefbeecffcfc66b0ddf
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 9 13:14:18 2016 +1100
-
- Wrap stdint.h inside #ifdef HAVE_STDINT_H.
-
-commit 2c48bd344d2c4b5e08dae9aea5ff44fc19a5e363
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Mar 9 12:46:50 2016 +1100
-
- Add compat to monotime_double().
-
- Apply all of the portability changes in monotime() to monotime() double.
- Fixes build on at least older FreeBSD systems.
-
-commit 7b40ef6c2eef40c339f6ea8920cb8a44838e10c9
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 8 14:12:58 2016 -0800
-
- make a regress-binaries target
-
- Easier to build all the regression/unit test binaries in one pass
- than going through all of ${REGRESS_BINARIES}
-
-commit c425494d6b6181beb54a1b3763ef9e944fd3c214
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 8 14:03:54 2016 -0800
-
- unbreak kexfuzz for -Werror without __bounded__
-
-commit 3ed9218c336607846563daea5d5ab4f701f4e042
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Mar 8 14:01:29 2016 -0800
-
- unbreak PAM after canohost refactor
-
-commit 885fb2a44ff694f01e4f6470f803629e11f62961
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Mar 8 11:58:43 2016 +1100
-
- auth_get_canonical_hostname in portable code.
-
- "refactor canohost.c" replaced get_canonical_hostname, this makes the
- same change to some portable-specific code.
-
-commit 95767262caa6692eff1e1565be1f5cb297949a89
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Mar 7 19:02:43 2016 +0000
-
- upstream commit
-
- refactor canohost.c: move functions that cache results closer
- to the places that use them (authn and session code). After this, no state is
- cached in canohost.c
-
- feedback and ok markus@
-
- Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
-
-commit af0bb38ffd1f2c4f9f43b0029be2efe922815255
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Mar 4 15:11:55 2016 +1100
-
- hook unittests/misc/kexfuzz into build
-
-commit 331b8e07ee5bcbdca12c11cc8f51a7e8de09b248
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Mar 4 02:48:06 2016 +0000
-
- upstream commit
-
- Filter debug messages out of log before picking the last
- two lines. Should prevent problems if any more debug output is added late in
- the connection.
-
- Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
-
-commit 0892edaa3ce623381d3a7635544cbc69b31cf9cb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 4 02:30:36 2016 +0000
-
- upstream commit
-
- add KEX fuzzer harness; ok deraadt@
-
- Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1
-
-commit ae2562c47d41b68dbb00240fd6dd60bed205367a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Thu Mar 3 00:46:53 2016 +0000
-
- upstream commit
-
- Look back 3 lines for possible error messages. Changes
- to the code mean that "Bad packet length" errors are 3 lines back instead of
- the previous two, which meant we didn't skip some offsets that we intended
- to.
-
- Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
-
-commit 988e429d903acfb298bfddfd75e7994327adfed0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Mar 4 03:35:44 2016 +0000
-
- upstream commit
-
- fix ClientAliveInterval when a time-based RekeyLimit is
- set; previously keepalive packets were not being sent. bz#2252 report and
- analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@
-
- Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81
-
-commit 8ef04d7a94bcdb8b0085fdd2a79a844b7d40792d
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Mar 2 22:43:52 2016 +0000
-
- upstream commit
-
- Improve accuracy of reported transfer speeds by waiting
- for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@
-
- Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d
-
-commit b8d4eafe29684fe4f5bb587f7eab948e6ed62723
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Mar 2 22:42:40 2016 +0000
-
- upstream commit
-
- Improve precision of progressmeter for sftp and scp by
- storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@
-
- Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab
-
-commit 18f64b969c70ed00e74b9d8e50359dbe698ce4c0
-Author: jca@openbsd.org <jca@openbsd.org>
-Date: Mon Feb 29 20:22:36 2016 +0000
-
- upstream commit
-
- Print ssize_t with %zd; ok deraadt@ mmcc@
-
- Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd
-
-commit 6e7f68ce38130c794ec1fb8d2a6091fbe982628d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Feb 28 22:27:00 2016 +0000
-
- upstream commit
-
- rearrange DH public value tests to be a little more clear
-
- rearrange DH private value generation to explain rationale more
- clearly and include an extra sanity check.
-
- ok deraadt
-
- Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad
-
-commit 2ed17aa34008bdfc8db674315adc425a0712be11
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Mar 1 15:24:20 2016 +1100
-
- Import updated moduli file from OpenBSD.
-
- Note that 1.5k bit groups have been removed.
-
-commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Feb 26 14:40:04 2016 +1100
-
- Add a note about using xlc on AIX.
-
-commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Feb 24 10:44:25 2016 +1100
-
- Skip PrintLastLog in config dump mode.
-
- When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
- config dump since it'll be reported as UNKNOWN.
-
-commit 99135c764fa250801da5ec3b8d06cbd0111caae8
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 23 20:17:23 2016 +1100
-
- update spec/README versions ahead of release
-
-commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 23 20:16:53 2016 +1100
-
- put back portable patchlevel to p1
-
-commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 23 09:14:34 2016 +0000
-
- upstream commit
-
- openssh-7.2
-
- Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
-
-commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 23 16:12:13 2016 +1100
-
- Disable tests where fs perms are incorrect
-
- Some tests have strict requirements on the filesystem permissions
- for certain files and directories. This adds a regress/check-perm
- tool that copies the relevant logic from sshd to exactly test
- the paths in question. This lets us skip tests when the local
- filesystem doesn't conform to our expectations rather than
- continuing and failing the test run.
-
- ok dtucker@
-
-commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 23 12:56:59 2016 +1100
-
- fix sandbox on OSX Lion
-
- sshd was failing with:
-
- ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
- image not found [preauth]
-
- caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
- to sshd. Spotted by Darren.
-
-commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 23 01:34:14 2016 +0000
-
- upstream commit
-
- fix spurious error message when incorrect passphrase
- entered for keys; reported by espie@ ok deraadt@
-
- Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
-
-commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
-Author: sobrado@openbsd.org <sobrado@openbsd.org>
-Date: Sat Feb 20 23:06:23 2016 +0000
-
- upstream commit
-
- set ssh(1) protocol version to 2 only.
-
- ok djm@
-
- Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
-
-commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
-Author: sobrado@openbsd.org <sobrado@openbsd.org>
-Date: Sat Feb 20 23:02:39 2016 +0000
-
- upstream commit
-
- add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
- IdentityFile.
-
- ok djm@
-
- Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
-
-commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
-Author: sobrado@openbsd.org <sobrado@openbsd.org>
-Date: Sat Feb 20 23:01:46 2016 +0000
-
- upstream commit
-
- AddressFamily defaults to any.
-
- ok djm@
-
- Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
-
-commit 907091acb188b1057d50c2158f74c3ecf1c2302b
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Fri Feb 19 09:05:39 2016 +1100
-
- Make Solaris privs code build on older systems.
-
- Not all systems with Solaris privs have priv_basicset so factor that
- out and provide backward compatibility code. Similarly, not all have
- PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
- alex at cooperi.net and djm@ with help from carson at taltos.org and
- wieland at purdue.edu.
-
-commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Feb 17 22:20:14 2016 +0000
-
- upstream commit
-
- rekey refactor broke SSH1; spotted by Tom G. Christensen
-
- Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
-
-commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Feb 17 08:57:34 2016 +0000
-
- upstream commit
-
- rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
- in *KeyTypes options yet. Remove them from the lists of algorithms for now.
- committing on behalf of markus@ ok djm@
-
- Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
-
-commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Wed Feb 17 07:38:19 2016 +0000
-
- upstream commit
-
- since these pages now clearly tell folks to avoid v1,
- normalise the docs from a v2 perspective (i.e. stop pointing out which bits
- are v2 only);
-
- ok/tweaks djm ok markus
-
- Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
-
-commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Feb 17 05:29:04 2016 +0000
-
- upstream commit
-
- make sandboxed privilege separation the default, not just
- for new installs; "absolutely" deraadt@
-
- Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
-
-commit eb3f7337a651aa01d5dec019025e6cdc124ed081
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Tue Feb 16 07:47:54 2016 +0000
-
- upstream commit
-
- no need to state that protocol 2 is the default twice;
-
- Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
-
-commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 16 05:11:04 2016 +0000
-
- upstream commit
-
- Replace list of ciphers and MACs adjacent to -1/-2 flag
- descriptions in ssh(1) with a strong recommendation not to use protocol 1.
- Add a similar warning to the Protocol option descriptions in ssh_config(5)
- and sshd_config(5);
-
- prompted by and ok mmcc@
-
- Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
-
-commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 16 03:37:48 2016 +0000
-
- upstream commit
-
- add a "Close session" log entry (at loglevel=verbose) to
- correspond to the existing "Starting session" one. Also include the session
- id number to make multiplexed sessions more apparent.
-
- feedback and ok dtucker@
-
- Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
-
-commit 624fd395b559820705171f460dd33d67743d13d6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Feb 17 02:24:17 2016 +0000
-
- upstream commit
-
- include bad $SSH_CONNECTION in failure output
-
- Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
-
-commit 60d860e54b4f199e5e89963b1c086981309753cb
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Feb 17 13:37:09 2016 +1100
-
- Rollback addition of va_start.
-
- va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
- it has the wrong number of args and it's not usable in non-variadic
- functions anyway so it breaks things (for example Solaris 2.6 as
- reported by Tom G. Christensen).i ok djm@
-
-commit 2fee909c3cee2472a98b26eb82696297b81e0d38
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Wed Feb 17 09:48:15 2016 +1100
-
- Look for gethostbyname in libresolv and libnsl.
-
- Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
-
-commit 5ac712d81a84396aab441a272ec429af5b738302
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 16 10:45:02 2016 +1100
-
- make existing ssh_malloc_init only for __OpenBSD__
-
-commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Feb 15 23:32:37 2016 +0000
-
- upstream commit
-
- memleak of algorithm name in mm_answer_sign; reported by
- Jakub Jelen
-
- Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
-
-commit ffb1e7e896139a42ceb78676f637658f44612411
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Feb 15 09:47:49 2016 +0000
-
- upstream commit
-
- Add a function to enable security-related malloc_options.
- With and ok deraadt@, something similar has been in the snaps for a while.
-
- Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
-
-commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 16 10:34:39 2016 +1100
-
- sync ssh-copy-id with upstream 783ef08b0a75
-
-commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 12 00:20:30 2016 +0000
-
- upstream commit
-
- avoid fatal() for PKCS11 tokens that present empty key IDs
- bz#1773, ok markus@
-
- Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
-
-commit e4c918a6c721410792b287c9fd21356a1bed5805
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Feb 11 02:56:32 2016 +0000
-
- upstream commit
-
- sync crypto algorithm lists in ssh_config(5) and
- sshd_config(5) with current reality. bz#2527
-
- Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
-
-commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Feb 11 02:21:34 2016 +0000
-
- upstream commit
-
- fix regression in openssh-6.8 sftp client: existing
- destination directories would incorrectly terminate recursive uploads;
- bz#2528
-
- Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
-
-commit 714e367226ded4dc3897078be48b961637350b05
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 9 05:30:04 2016 +0000
-
- upstream commit
-
- turn off more old crypto in the client: hmac-md5, ripemd,
- truncated HMACs, RC4, blowfish. ok markus@ dtucker@
-
- Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
-
-commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Feb 8 23:40:12 2016 +0000
-
- upstream commit
-
- don't attempt to percent_expand() already-canonicalised
- addresses, avoiding unnecessary failures when attempting to connect to scoped
- IPv6 addresses (that naturally contain '%' characters)
-
- Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
-
-commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Feb 8 10:57:07 2016 +0000
-
- upstream commit
-
- refactor activation of rekeying
-
- This makes automatic rekeying internal to the packet code (previously
- the server and client loops needed to assist). In doing to it makes
- application of rekey limits more accurate by accounting for packets
- about to be sent as well as packets queued during rekeying events
- themselves.
-
- Based on a patch from dtucker@ which was in turn based on a patch
- Aleksander Adamowski in bz#2521; ok markus@
-
- Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
-
-commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Fri Feb 5 13:28:19 2016 +0000
-
- upstream commit
-
- Only check errno if read() has returned an error. EOF is
- not an error. This fixes a problem where the mux master would sporadically
- fail to notice that the client had exited. ok mikeb@ djm@
-
- Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
-
-commit 56d7dac790693ce420d225119283bc355cff9185
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date: Fri Feb 5 04:31:21 2016 +0000
-
- upstream commit
-
- avoid an uninitialised value when NumberOfPasswordPrompts
- is 0 ok markus@ djm@
-
- Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
-
-commit deae7d52d59c5019c528f977360d87fdda15d20b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 5 03:07:06 2016 +0000
-
- upstream commit
-
- mention internal DH-GEX fallback groups; bz#2302
-
- Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
-
-commit cac3b6665f884d46192c0dc98a64112e8b11a766
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Feb 5 02:37:56 2016 +0000
-
- upstream commit
-
- better description for MaxSessions; bz#2531
-
- Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
-
-commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Jan 27 17:45:56 2016 +1100
-
- avoid FreeBSD RCS Id in comment
-
- Change old $FreeBSD version string in comment so it doesn't
- become an RCS ident downstream; requested by des AT des.no
-
-commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Feb 4 23:43:48 2016 +0000
-
- upstream commit
-
- printf argument casts to avoid warnings on strict
- compilers
-
- Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
-
-commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Mon Feb 1 21:18:17 2016 +0000
-
- upstream commit
-
- Avoid ugly "DISPLAY "(null)" invalid; disabling X11
- forwarding" message when DISPLAY is not set. This could also result in a
- crash on systems with a printf that doesn't handle NULL. OK djm@
-
- Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
-
-commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 29 05:18:15 2016 +0000
-
- upstream commit
-
- Add regression test for RekeyLimit parsing of >32bit values
- (4G and 8G).
-
- Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
-
-commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 29 23:04:46 2016 +0000
-
- upstream commit
-
- Remove leftover roaming dead code. ok djm markus.
-
- Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
-
-commit 28136471809806d6246ef41e4341467a39fe2f91
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Jan 29 05:46:01 2016 +0000
-
- upstream commit
-
- include packet type of non-data packets in debug3 output;
- ok markus dtucker
-
- Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
-
-commit 6fd6e28daccafaa35f02741036abe64534c361a1
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 29 03:31:03 2016 +0000
-
- upstream commit
-
- Revert "account for packets buffered but not yet
- processed" change as it breaks for very small RekeyLimit values due to
- continuous rekeying. ok djm@
-
- Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
-
-commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 29 02:54:45 2016 +0000
-
- upstream commit
-
- Allow RekeyLimits in excess of 4G up to 2**63 bits
- (limited by the return type of scan_scaled). Part of bz#2521, ok djm.
-
- Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
-
-commit c0060a65296f01d4634f274eee184c0e93ba0f23
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Jan 29 02:42:46 2016 +0000
-
- upstream commit
-
- Account for packets buffered but not yet processed when
- computing whether or not it is time to perform rekeying. bz#2521, based
- loosely on a patch from olo at fb.com, ok djm@
-
- Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
-
-commit 44cf930e670488c85c9efeb373fa5f4b455692ac
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jan 27 06:44:58 2016 +0000
-
- upstream commit
-
- change old $FreeBSD version string in comment so it doesn't
- become an RCS ident downstream; requested by des AT des.no
-
- Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
-
-commit ebacd377769ac07d1bf3c75169644336056b7060
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jan 27 00:53:12 2016 +0000
-
- upstream commit
-
- make the debug messages a bit more useful here
-
- Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
-
-commit 458abc2934e82034c5c281336d8dc0f910aecad3
-Author: jsg@openbsd.org <jsg@openbsd.org>
-Date: Sat Jan 23 05:31:35 2016 +0000
-
- upstream commit
-
- Zero a stack buffer with explicit_bzero() instead of
- memset() when returning from client_loop() for consistency with
- buffer_free()/sshbuf_free().
-
- ok dtucker@ deraadt@ djm@
-
- Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
-
-commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Wed Jan 20 09:22:39 2016 +0000
-
- upstream commit
-
- Include sys/time.h for gettimeofday. From sortie at
- maxsi.org.
-
- Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
-
-commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Thu Jan 14 22:56:56 2016 +0000
-
- upstream commit
-
- fd leaks; report Qualys Security Advisory team; ok
- deraadt@
-
- Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
-
-commit a306863831c57ec5fad918687cc5d289ee8e2635
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Thu Jan 14 16:17:39 2016 +0000
-
- upstream commit
-
- remove roaming support; ok djm@
-
- Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
-
-commit 6ef49e83e30688504552ac10875feabd5521565f
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Thu Jan 14 14:34:34 2016 +0000
-
- upstream commit
-
- Disable experimental client-side roaming support. Server
- side was disabled/gutted for years already, but this aspect was surprisingly
- forgotten. Thanks for report from Qualys
-
- Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
-
-commit 8d7b523b96d3be180572d9d338cedaafc0570f60
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 14 11:08:19 2016 +1100
-
- bump version numbers
-
-commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Jan 14 11:04:04 2016 +1100
-
- openssh-7.1p2
-
-commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 15 01:30:36 2016 +1100
-
- forcibly disable roaming support in the client
-
-commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Jan 13 23:04:47 2016 +0000
-
- upstream commit
-
- eliminate fallback from untrusted X11 forwarding to trusted
- forwarding when the X server disables the SECURITY extension; Reported by
- Thomas Hoger; ok deraadt@
-
- Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
-
-commit 9a728cc918fad67c8a9a71201088b1e150340ba4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Jan 12 23:42:54 2016 +0000
-
- upstream commit
-
- use explicit_bzero() more liberally in the buffer code; ok
- deraadt
-
- Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
-
-commit 4626cbaf78767fc8e9c86dd04785386c59ae0839
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Jan 8 14:24:56 2016 +1100
-
- Support Illumos/Solaris fine-grained privileges
-
- Includes a pre-auth privsep sandbox and several pledge()
- emulations. bz#2511, patch by Alex Wilson.
-
- ok dtucker@
-
-commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Dec 31 00:33:52 2015 +0000
-
- upstream commit
-
- fix three bugs in KRL code related to (unused) signature
- support: verification length was being incorrectly calculated, multiple
- signatures were being incorrectly processed and a NULL dereference that
- occurred when signatures were verified. Reported by Carl Jackson
-
- Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
-
-commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Dec 30 23:46:14 2015 +0000
-
- upstream commit
-
- unused prototype
-
- Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
-
-commit 6213f0e180e54122bb1ba928e11c784e2b4e5380
-Author: guenther@openbsd.org <guenther@openbsd.org>
-Date: Sat Dec 26 20:51:35 2015 +0000
-
- upstream commit
-
- Use pread/pwrite instead separate lseek+read/write for
- lastlog. Cast to off_t before multiplication to avoid truncation on ILP32
-
- ok kettenis@ mmcc@
-
- Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf
-
-commit d7d2bc95045a43dd56ea696cc1d030ac9d77e81f
-Author: semarie@openbsd.org <semarie@openbsd.org>
-Date: Sat Dec 26 07:46:03 2015 +0000
-
- upstream commit
-
- adjust pledge promises for ControlMaster: when using
- "ask" or "autoask", the process will use ssh-askpass for asking confirmation.
-
- problem found by halex@
-
- ok halex@
-
- Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
-
-commit 271df8185d9689b3fb0523f58514481b858f6843
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Dec 13 22:42:23 2015 +0000
-
- upstream commit
-
- unbreak connections with peers that set
- first_kex_follows; fix from Matt Johnston va bz#2515
-
- Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
-
-commit 43849a47c5f8687699eafbcb5604f6b9c395179f
-Author: doug@openbsd.org <doug@openbsd.org>
-Date: Fri Dec 11 17:41:37 2015 +0000
-
- upstream commit
-
- Add "id" to ssh-agent pledge for subprocess support.
-
- Found the hard way by Jan Johansson when using ssh-agent with X. Also,
- rearranged proc/exec and retval to match other pledge calls in the tree.
-
- ok djm@
-
- Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
-
-commit 52d7078421844b2f88329f5be3de370b0a938636
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Fri Dec 11 04:21:11 2015 +0000
-
- upstream commit
-
- Remove NULL-checks before sshbuf_free().
-
- ok djm@
-
- Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
-
-commit a4b9e0f4e4a6980a0eb8072f76ea611cab5b77e7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 11 03:24:25 2015 +0000
-
- upstream commit
-
- include remote port number in a few more messages; makes
- tying log messages together into a session a bit easier; bz#2503 ok dtucker@
-
- Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
-
-commit 6091c362e89079397e68744ae30df121b0a72c07
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 11 03:20:09 2015 +0000
-
- upstream commit
-
- don't try to load SSHv1 private key when compiled without
- SSHv1 support. From Iain Morgan bz#2505
-
- Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
-
-commit cce6a36bb95e81fa8bfb46daf22eabcf13afc352
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 11 03:19:09 2015 +0000
-
- upstream commit
-
- use SSH_MAX_PUBKEY_BYTES consistently as buffer size when
- reading key files. Increase it to match the size of the buffers already being
- used.
-
- Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
-
-commit 89540b6de025b80404a0cb8418c06377f3f98848
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Fri Dec 11 02:31:47 2015 +0000
-
- upstream commit
-
- Remove NULL-checks before sshkey_free().
-
- ok djm@
-
- Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
-
-commit 79394ed6d74572c2d2643d73937dad33727fc240
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Dec 11 02:29:03 2015 +0000
-
- upstream commit
-
- fflush stdout so that output is seen even when running in
- debug mode when output may otherwise not be flushed. Patch from dustin at
- null-ptr.net.
-
- Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc
-
-commit ee607cccb6636eb543282ba90e0677b0604d8b7a
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 15 15:23:49 2015 +1100
-
- Increase robustness of redhat/openssh.spec
-
- - remove configure --with-rsh, because this option isn't supported anymore
- - replace last occurrence of BuildPreReq by BuildRequires
- - update grep statement to query the krb5 include directory
-
- Patch from CarstenGrohmann via github, ok djm.
-
-commit b5fa0cd73555b991a543145603658d7088ec6b60
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 15 15:10:32 2015 +1100
-
- Allow --without-ssl-engine with --without-openssl
-
- Patch from Mike Frysinger via github.
-
-commit c1d7e546f6029024f3257cc25c92f2bddf163125
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 15 14:27:09 2015 +1100
-
- Include openssl crypto.h for SSLeay.
-
- Patch from doughdemon via github.
-
-commit c6f5f01651526e88c00d988ce59d71f481ebac62
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Dec 15 13:59:12 2015 +1100
-
- Add sys/time.h for gettimeofday.
-
- Should allow it it compile with MUSL libc. Based on patch from
- doughdemon via github.
-
-commit 39736be06c7498ef57d6970f2d85cf066ae57c82
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 11 02:20:28 2015 +0000
-
- upstream commit
-
- correct error messages; from Tomas Kuthan bz#2507
-
- Upstream-ID: 7454a0affeab772398052954c79300aa82077093
-
-commit 94141b7ade24afceeb6762a3f99e09e47a6c42b6
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Fri Dec 11 00:20:04 2015 +0000
-
- upstream commit
-
- Pass (char *)NULL rather than (char *)0 to execl and
- execlp.
-
- ok dtucker@
-
- Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
-
-commit d59ce08811bf94111c2f442184cf7d1257ffae24
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Thu Dec 10 17:08:40 2015 +0000
-
- upstream commit
-
- Remove NULL-checks before free().
-
- ok dtucker@
-
- Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
-
-commit 8e56dd46cb37879c73bce2d6032cf5e7f82d5a71
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Thu Dec 10 07:01:35 2015 +0000
-
- upstream commit
-
- Fix a couple "the the" typos. ok dtucker@
-
- Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72
-
-commit 6262a0522ddc2c0f2e9358dcb68d59b46e9c533e
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Mon Dec 7 20:04:09 2015 +0000
-
- upstream commit
-
- stricter encoding type checks for ssh-rsa; ok djm@
-
- Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650
-
-commit d86a3ba7af160c13496102aed861ae48a4297072
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Dec 9 09:18:45 2015 +1100
-
- Don't set IPV6_V6ONLY on OpenBSD
-
- It isn't necessary and runs afoul of pledge(2) restrictions.
-
-commit da98c11d03d819a15429d8fff9688acd7505439f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Dec 7 02:20:46 2015 +0000
-
- upstream commit
-
- basic unit tests for rsa-sha2-* signature types
-
- Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c
-
-commit 3da893fdec9936dd2c23739cdb3c0c9d4c59fca0
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Sat Dec 5 20:53:21 2015 +0000
-
- upstream commit
-
- prefer rsa-sha2-512 over -256 for hostkeys, too; noticed
- by naddy@
-
- Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
-
-commit 8b56e59714d87181505e4678f0d6d39955caf10e
-Author: tobias@openbsd.org <tobias@openbsd.org>
-Date: Fri Dec 4 21:51:06 2015 +0000
-
- upstream commit
-
- Properly handle invalid %-format by calling fatal.
-
- ok deraadt, djm
-
- Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac
-
-commit 76c9fbbe35aabc1db977fb78e827644345e9442e
-Author: markus@openbsd.org <markus@openbsd.org>
-Date: Fri Dec 4 16:41:28 2015 +0000
-
- upstream commit
-
- implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
- (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
- draft-ssh-ext-info-04.txt; with & ok djm@
-
- Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
-
-commit 6064a8b8295cb5a17b5ebcfade53053377714f40
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Dec 4 00:24:55 2015 +0000
-
- upstream commit
-
- clean up agent_fd handling; properly initialise it to -1
- and make tests consistent
-
- ok markus@
-
- Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707
-
-commit b91926a97620f3e51761c271ba57aa5db790f48d
-Author: semarie@openbsd.org <semarie@openbsd.org>
-Date: Thu Dec 3 17:00:18 2015 +0000
-
- upstream commit
-
- pledges ssh client: - mux client: which is used when
- ControlMaster is in use. will end with "stdio proc tty" (proc is to
- permit sending SIGWINCH to mux master on window resize)
-
- - client loop: several levels of pledging depending of your used options
-
- ok deraadt@
-
- Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
-
-commit bcce47466bbc974636f588b5e4a9a18ae386f64a
-Author: doug@openbsd.org <doug@openbsd.org>
-Date: Wed Dec 2 08:30:50 2015 +0000
-
- upstream commit
-
- Add "cpath" to the ssh-agent pledge so the cleanup
- handler can unlink().
-
- ok djm@
-
- Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d
-
-commit a90d001543f46716b6590c6dcc681d5f5322f8cf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Dec 2 08:00:58 2015 +0000
-
- upstream commit
-
- ssh-agent pledge needs proc for askpass; spotted by todd@
-
- Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a
-
-commit d952162b3c158a8f23220587bb6c8fcda75da551
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Dec 1 23:29:24 2015 +0000
-
- upstream commit
-
- basic pledge() for ssh-agent, more refinement needed
-
- Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13
-
-commit f0191d7c8e76e30551084b79341886d9bb38e453
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Nov 30 10:53:25 2015 +1100
-
- Revert "stub for pledge(2) for systems that lack it"
-
- This reverts commit 14c887c8393adde2d9fd437d498be30f8c98535c.
-
- dtucker beat me to it :/
-
-commit 6283cc72eb0e49a3470d30e07ca99a1ba9e89676
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Nov 30 10:37:03 2015 +1100
-
- revert 7d4c7513: bring back S/Key prototypes
-
- (but leave RCSID changes)
-
-commit 14c887c8393adde2d9fd437d498be30f8c98535c
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Nov 30 09:45:29 2015 +1100
-
- stub for pledge(2) for systems that lack it
-
-commit 452c0b6af5d14c37553e30059bf74456012493f3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Nov 29 22:18:37 2015 +0000
-
- upstream commit
-
- pledge, better fatal() messages; feedback deraadt@
-
- Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f
-
-commit 6da413c085dba37127687b2617a415602505729b
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Sat Nov 28 06:50:52 2015 +0000
-
- upstream commit
-
- do not leak temp file if there is no known_hosts file
- from craig leres, ok djm
-
- Upstream-ID: c820497fd5574844c782e79405c55860f170e426
-
-commit 3ddd15e1b63a4d4f06c8ab16fbdd8a5a61764f16
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Mon Nov 30 07:23:53 2015 +1100
-
- Add a null implementation of pledge.
-
- Fixes builds on almost everything.
-
-commit b1d6b3971ef256a08692efc409fc9ada719111cc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Nov 28 06:41:03 2015 +0000
-
- upstream commit
-
- don't include port number in tcpip-forward replies for
- requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok
- markus
-
- Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
-
-commit 9080bd0b9cf10d0f13b1f642f20cb84285cb8d65
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Fri Nov 27 00:49:31 2015 +0000
-
- upstream commit
-
- pledge "stdio rpath wpath cpath fattr tty proc exec"
- except for the -p option (which sadly has insane semantics...) ok semarie
- dtucker
-
- Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059
-
-commit 4d90625b229cf6b3551d81550a9861897509a65f
-Author: halex@openbsd.org <halex@openbsd.org>
-Date: Fri Nov 20 23:04:01 2015 +0000
-
- upstream commit
-
- allow comment change for all supported formats
-
- ok djm@
-
- Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b
-
-commit 8ca915fc761519dd1f7766a550ec597a81db5646
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 20 01:45:29 2015 +0000
-
- upstream commit
-
- add cast to make -Werror clean
-
- Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d
-
-commit ac9473580dcd401f8281305af98635cdaae9bf96
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Nov 20 12:35:41 2015 +1100
-
- fix multiple authentication using S/Key w/ privsep
-
- bz#2502, patch from Kevin Korb and feandil_
-
-commit 88b6fcdeb87a2fb76767854d9eb15006662dca57
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Nov 19 08:23:27 2015 +0000
-
- upstream commit
-
- ban ConnectionAttempts=0, it makes no sense and would cause
- ssh_connect_direct() to print an uninitialised stack variable; bz#2500
- reported by dvw AT phas.ubc.ca
-
- Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
-
-commit 964ab3ee7a8f96bdbc963d5b5a91933d6045ebe7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Nov 19 01:12:32 2015 +0000
-
- upstream commit
-
- trailing whitespace
-
- Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051
-
-commit f96516d052dbe38561f6b92b0e4365d8e24bb686
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Nov 19 01:09:38 2015 +0000
-
- upstream commit
-
- print host certificate contents at debug level
-
- Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d
-
-commit 499cf36fecd6040e30e2912dd25655bc574739a7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Nov 19 01:08:55 2015 +0000
-
- upstream commit
-
- move the certificate validity formatting code to
- sshkey.[ch]
-
- Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
-
-commit bcb7bc77bbb1535d1008c7714085556f3065d99d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 18 08:37:28 2015 +0000
-
- upstream commit
-
- fix "ssh-keygen -l" of private key, broken in support for
- multiple plain keys on stdin
-
- Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d
-
-commit 259adb6179e23195c8f6913635ea71040d1ccd63
-Author: millert@openbsd.org <millert@openbsd.org>
-Date: Mon Nov 16 23:47:52 2015 +0000
-
- upstream commit
-
- Replace remaining calls to index(3) with strchr(3). OK
- jca@ krw@
-
- Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d
-
-commit c56a255162c2166884539c0a1f7511575325b477
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Nov 16 22:53:07 2015 +0000
-
- upstream commit
-
- Allow fingerprinting from standard input "ssh-keygen -lf
- -"
-
- Support fingerprinting multiple plain keys in a file and authorized_keys
- files too (bz#1319)
-
- ok markus@
-
- Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
-
-commit 5b4010d9b923cf1b46c9c7b1887c013c2967e204
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Nov 16 22:51:05 2015 +0000
-
- upstream commit
-
- always call privsep_preauth_child() regardless of whether
- sshd was started by root; it does important priming before sandboxing and
- failing to call it could result in sandbox violations later; ok markus@
-
- Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
-
-commit 3a9f84b58b0534bbb485f1eeab75665e2d03371f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Nov 16 22:50:01 2015 +0000
-
- upstream commit
-
- improve sshkey_read() semantics; only update *cpp when a
- key is successfully read; ok markus@
-
- Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089
-
-commit db6f8dc5dd5655b59368efd074994d4568bc3556
-Author: logan@openbsd.org <logan@openbsd.org>
-Date: Mon Nov 16 06:13:04 2015 +0000
-
- upstream commit
-
- 1) Use xcalloc() instead of xmalloc() to check for
- potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size
- just before the for loop. (suggested by djm@)
-
- OK djm@
-
- Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213
-
-commit 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Nov 16 00:30:02 2015 +0000
-
- upstream commit
-
- Add a new authorized_keys option "restrict" that
- includes all current and future key restrictions (no-*-forwarding, etc). Also
- add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
- This simplifies the task of setting up restricted keys and ensures they are
- maximally-restricted, regardless of any permissions we might implement in the
- future.
-
- Example:
-
- restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
-
- Idea from Jann Horn; ok markus@
-
- Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
-
-commit e41a071f7bda6af1fb3f081bed0151235fa61f15
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Sun Nov 15 23:58:04 2015 +0000
-
- upstream commit
-
- correct section number for ssh-agent;
-
- Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
-
-commit 1a11670286acddcc19f5eff0966c380831fc4638
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Sun Nov 15 23:54:15 2015 +0000
-
- upstream commit
-
- do not confuse mandoc by presenting "Dd";
-
- Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65
-
-commit f361df474c49a097bfcf16d1b7b5c36fcd844b4b
-Author: jcs@openbsd.org <jcs@openbsd.org>
-Date: Sun Nov 15 22:26:49 2015 +0000
-
- upstream commit
-
- Add an AddKeysToAgent client option which can be set to
- 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
- private key that is used during authentication will be added to ssh-agent if
- it is running (with confirmation enabled if set to 'confirm').
-
- Initial version from Joachim Schipper many years ago.
-
- ok markus@
-
- Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
-
-commit d87063d9baf5479b6e813d47dfb694a97df6f6f5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 13 04:39:35 2015 +0000
-
- upstream commit
-
- send SSH2_MSG_UNIMPLEMENTED replies to unexpected
- messages during KEX; bz#2949, ok dtucker@
-
- Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786
-
-commit 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 13 04:38:06 2015 +0000
-
- upstream commit
-
- Support "none" as an argument for sshd_config
- ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
- global default. bz#2486 ok dtucker@
-
- Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
-
-commit 94bc0b72c29e511cbbc5772190d43282e5acfdfe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 13 04:34:15 2015 +0000
-
- upstream commit
-
- support multiple certificates (one per line) and
- reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@
-
- Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
-
-commit b6b9108f5b561c83612cb97ece4134eb59fde071
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Nov 13 02:57:46 2015 +0000
-
- upstream commit
-
- list a couple more options usable in Match blocks;
- bz#2489
-
- Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
-
-commit a7994b3f5a5a5a33b52b0a6065d08e888f0a99fb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 11 04:56:39 2015 +0000
-
- upstream commit
-
- improve PEEK/POKE macros: better casts, don't multiply
- evaluate arguments; ok deraadt@
-
- Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e
-
-commit 7d4c7513a7f209cb303a608ac6e46b3f1dfc11ec
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Nov 11 01:48:01 2015 +0000
-
- upstream commit
-
- remove prototypes for long-gone s/key support; ok
- dtucker@
-
- Upstream-ID: db5bed3c57118af986490ab23d399df807359a79
-
-commit 07889c75926c040b8e095949c724e66af26441cb
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Nov 14 18:44:49 2015 +1100
-
- read back from libcrypto RAND when privdropping
-
- makes certain libcrypto implementations cache a /dev/urandom fd
- in preparation of sandboxing. Based on patch by Greg Hartman.
-
-commit 1560596f44c01bb0cef977816410950ed17b8ecd
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Tue Nov 10 11:14:47 2015 +1100
-
- Fix compiler warnings in the openssl header check.
-
- Noted by Austin English.
-
-commit e72a8575ffe1d8adff42c9abe9ca36938acc036b
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Sun Nov 8 23:24:03 2015 +0000
-
- upstream commit
-
- -c before -H, in SYNOPSIS and usage();
-
- Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404
-
-commit 3a424cdd21db08c7b0ded902f97b8f02af5aa485
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Nov 8 22:30:20 2015 +0000
-
- upstream commit
-
- Add "ssh-keyscan -c ..." flag to allow fetching
- certificates instead of plain keys; ok markus@
-
- Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
-
-commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Sun Nov 8 22:08:38 2015 +0000
-
- upstream commit
-
- remove slogin links; ok deraadt markus djm
-
- Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
-
-commit 2fecfd486bdba9f51b3a789277bb0733ca36e1c0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Nov 8 21:59:11 2015 +0000
-
- upstream commit
-
- fix OOB read in packet code caused by missing return
- statement found by Ben Hawkes; ok markus@ deraadt@
-
- Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
-
-commit 5e288923a303ca672b686908320bc5368ebec6e6
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Fri Nov 6 00:31:41 2015 +0000
-
- upstream commit
-
- 1. rlogin and rsh are long gone 2. protocol version isn't
- of core relevance here, and v1 is going away
-
- ok markus@, deraadt@
-
- Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
-
-commit 8b29008bbe97f33381d9b4b93fcfa304168d0286
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Thu Nov 5 09:48:05 2015 +0000
-
- upstream commit
-
- "commandline" -> "command line", since there are so few
- examples of the former in the pages, so many of the latter, and in some of
- these pages we had multiple spellings;
-
- prompted by tj
-
- Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
-
-commit 996b24cebf20077fbe5db07b3a2c20c2d9db736e
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Oct 29 20:57:34 2015 +1100
-
- (re)wrap SYS_sendsyslog in ifdef.
-
- Replace ifdef that went missing in commit
- c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older
- OpenBSDs.
-
-commit b67e2e76fcf1ae7c802eb27ca927e16c91a513ff
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Oct 29 08:05:17 2015 +0000
-
- upstream commit
-
- regress test for "PubkeyAcceptedKeyTypes +..." inside a
- Match block
-
- Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647
-
-commit abd9dbc3c0d8c8c7561347cfa22166156e78c077
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Oct 26 02:50:58 2015 +0000
-
- upstream commit
-
- Fix typo certopt->certopts in shell variable. This would
- cause the test to hang at a host key prompt if you have an A or CNAME for
- "proxy" in your local domain.
-
- Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a
-
-commit ed08510d38aef930a061ae30d10f2a9cf233bafa
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Oct 29 08:05:01 2015 +0000
-
- upstream commit
-
- Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
- ok dtucker@
-
- Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
-
-commit a4aef3ed29071719b2af82fdf1ac3c2514f82bc5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 27 08:54:52 2015 +0000
-
- upstream commit
-
- fix execv arguments in a way less likely to cause grief
- for -portable; ok dtucker@
-
- Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5
-
-commit 63d188175accea83305e89fafa011136ff3d96ad
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 27 01:44:45 2015 +0000
-
- upstream commit
-
- log certificate serial in verbose() messages to match the
- main auth success/fail message; ok dtucker@
-
- Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
-
-commit 2aaba0cfd560ecfe92aa50c00750e6143842cf1f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 27 00:49:53 2015 +0000
-
- upstream commit
-
- avoid de-const warning & shrink; ok dtucker@
-
- Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db
-
-commit 03239c18312b9bab7d1c3b03062c61e8bbc1ca6e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sun Oct 25 23:42:00 2015 +0000
-
- upstream commit
-
- Expand tildes in filenames passed to -i before checking
- whether or not the identity file exists. This means that if the shell
- doesn't do the expansion (eg because the option and filename were given as a
- single argument) then we'll still add the key. bz#2481, ok markus@
-
- Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
-
-commit 97e184e508dd33c37860c732c0eca3fc57698b40
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Sun Oct 25 23:14:03 2015 +0000
-
- upstream commit
-
- Do not prepend "exec" to the shell command run by "Match
- exec" in a config file. It's an unnecessary optimization from repurposed
- ProxyCommand code and prevents some things working with some shells.
- bz#2471, pointed out by res at qoxp.net. ok markus@
-
- Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3
-
-commit 8db134e7f457bcb069ec72bc4ee722e2af557c69
-Author: Darren Tucker <dtucker@zip.com.au>
-Date: Thu Oct 29 10:48:23 2015 +1100
-
- Prevent name collisions with system glob (bz#2463)
-
- Move glob.h from includes.h to the only caller (sftp) and override the
- names for the symbols. This prevents name collisions with the system glob
- in the case where something other than ssh uses it (eg kerberos). With
- jjelen at redhat.com, ok djm@
-
-commit 86c10dbbef6a5800d2431a66cf7f41a954bb62b5
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Oct 23 02:22:01 2015 +0000
-
- upstream commit
-
- Update expected group sizes to match recent code changes.
-
- Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794
-
-commit 9ada37d36003a77902e90a3214981e417457cf13
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Oct 24 22:56:19 2015 +0000
-
- upstream commit
-
- fix keyscan output for multiple hosts/addrs on one line
- when host hashing or a non standard port is in use; bz#2479 ok dtucker@
-
- Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b
-
-commit 44fc7cd7dcef6c52c6b7e9ff830dfa32879bd319
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Oct 24 22:52:22 2015 +0000
-
- upstream commit
-
- skip "Could not chdir to home directory" message when
- chrooted
-
- patch from Christian Hesse in bz#2485 ok dtucker@
-
- Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
-
-commit a820a8618ec44735dabc688fab96fba38ad66bb2
-Author: sthen@openbsd.org <sthen@openbsd.org>
-Date: Sat Oct 24 08:34:09 2015 +0000
-
- upstream commit
-
- Handle the split of tun(4) "link0" into tap(4) in ssh
- tun-forwarding. Adapted from portable (using separate devices for this is the
- normal case in most OS). ok djm@
-
- Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39
-
-commit 66d2e229baa9fe57b868c373b05f7ff3bb20055b
-Author: gsoares@openbsd.org <gsoares@openbsd.org>
-Date: Wed Oct 21 11:33:03 2015 +0000
-
- upstream commit
-
- fix memory leak in error path ok djm@
-
- Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
-
-commit 7d6c0362039ceacdc1366b5df29ad5d2693c13e5
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Tue Oct 20 23:24:25 2015 +0000
-
- upstream commit
-
- Compare pointers to NULL rather than 0.
-
- ok djm@
-
- Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8
-
-commit f98a09cacff7baad8748c9aa217afd155a4d493f
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Tue Oct 20 03:36:35 2015 +0000
-
- upstream commit
-
- Replace a function-local allocation with stack memory.
-
- ok djm@
-
- Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
-
-commit ac908c1eeacccfa85659594d92428659320fd57e
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Oct 22 09:35:24 2015 +1100
-
- turn off PrintLastLog when --disable-lastlog
-
- bz#2278 from Brent Paulson
-
-commit b56deb847f4a0115a8bf488bf6ee8524658162fd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Oct 16 22:32:22 2015 +0000
-
- upstream commit
-
- increase the minimum modulus that we will send or accept in
- diffie-hellman-group-exchange to 2048 bits; ok markus@
-
- Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a
-
-commit 5ee0063f024bf5b3f3ffb275b8cd20055d62b4b9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Oct 16 18:40:49 2015 +0000
-
- upstream commit
-
- better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
- hostname canonicalisation - treat them as already canonical and remove the
- trailing '.' before matching ssh_config; ok markus@
-
- Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
-
-commit e92c499a75477ecfe94dd7b4aed89f20b1fac5a7
-Author: mmcc@openbsd.org <mmcc@openbsd.org>
-Date: Fri Oct 16 17:07:24 2015 +0000
-
- upstream commit
-
- 0 -> NULL when comparing with a char*.
-
- ok dtucker@, djm@.
-
- Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300
-
-commit b1d38a3cc6fe349feb8d16a5f520ef12d1de7cb2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Oct 15 23:51:40 2015 +0000
-
- upstream commit
-
- fix some signed/unsigned integer type mismatches in
- format strings; reported by Nicholas Lemonias
-
- Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
-
-commit 1a2663a15d356bb188196b6414b4c50dc12fd42b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Oct 15 23:08:23 2015 +0000
-
- upstream commit
-
- argument to sshkey_from_private() and sshkey_demote()
- can't be NULL
-
- Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f
-
-commit 0f754e29dd3760fc0b172c1220f18b753fb0957e
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Oct 16 10:53:14 2015 +1100
-
- need va_copy before va_start
-
- reported by Nicholas Lemonias
-
-commit eb6c50d82aa1f0d3fc95f5630ea69761e918bfcd
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Oct 15 15:48:28 2015 -0700
-
- fix compilation on systems without SYMLOOP_MAX
-
-commit fafe1d84a210fb3dae7744f268059cc583db8c12
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 09:22:15 2015 -0700
-
- s/SANDBOX_TAME/SANDBOX_PLEDGE/g
-
-commit 8f22911027ff6c17d7226d232ccd20727f389310
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:28:19 2015 +1100
-
- upstream commit
-
- revision 1.20
- date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFIgp;
- In rev 1.15 the sizeof argument was fixed in a strlcat() call but
- the truncation check immediately following it was not updated to
- match. Not an issue in practice since the buffers are the same
- size. OK deraadt@
-
-commit 23fa695bb735f54f04d46123662609edb6c76767
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:27:51 2015 +1100
-
- upstream commit
-
- revision 1.19
- date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHMcR;
- Move to the <limits.h> universe.
- review by millert, binary checking process with doug, concept with guenther
-
-commit c71be375a69af00c2d0a0c24d8752bec12d8fd1b
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:27:08 2015 +1100
-
- upstream commit
-
- revision 1.18
- date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5;
- Revert last commit due to changed semantics found by make release.
-
-commit c39ad23b06e9aecc3ff788e92f787a08472905b1
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:26:24 2015 +1100
-
- upstream commit
-
- revision 1.17
- date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKEt;
- Better POSIX compliance in realpath(3).
-
- millert@ made changes to realpath.c based on FreeBSD's version. I merged
- Todd's changes into dl_realpath.c.
-
- ok millert@, guenther@
-
-commit e929a43f957dbd1254aca2aaf85c8c00cbfc25f4
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:25:55 2015 +1100
-
- upstream commit
-
- revision 1.16
- date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1;
- - Add comments regarding copies of these files also in libexec/ld.so
- okay guenther@
-
-commit 5225db68e58a1048cb17f0e36e0d33bc4a8fc410
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:25:32 2015 +1100
-
- upstream commit
-
- revision 1.15
- date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2;
- specify the bounds of the dst to strlcat (both values were static and
- equal, but it is more correct)
- from Michal Mazurek
-
-commit 7365fe5b4859de2305e40ea132da3823830fa710
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 14 08:25:09 2015 +1100
-
- upstream commit
-
- revision 1.14
- date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13;
- Recent Single Unix will malloc memory if the second argument of realpath()
- is NULL, and third-party software is starting to rely upon this.
- Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor
- tweaks from nicm@ and yours truly.
-
-commit e679c09cd1951f963793aa3d9748d1c3fdcf808f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 13 16:15:21 2015 +0000
-
- upstream commit
-
- apply PubkeyAcceptedKeyTypes filtering earlier, so all
- skipped keys are noted before pubkey authentication starts. ok dtucker@
-
- Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
-
-commit 179c353f564ec7ada64b87730b25fb41107babd7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 13 00:21:27 2015 +0000
-
- upstream commit
-
- free the correct IV length, don't assume it's always the
- cipher blocksize; ok dtucker@
-
- Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298
-
-commit 2539dce2a049a8f6bb0d44cac51f07ad48e691d3
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Fri Oct 9 01:37:08 2015 +0000
-
- upstream commit
-
- Change all tame callers to namechange to pledge(2).
-
- Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
-
-commit 9846a2f4067383bb76b4e31a9d2303e0a9c13a73
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Oct 8 04:30:48 2015 +1100
-
- hook tame(2) sandbox up to build
-
- OpenBSD only for now
-
-commit 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Oct 7 15:59:12 2015 +0000
-
- upstream commit
-
- include PubkeyAcceptedKeyTypes in ssh -G config dump
-
- Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb
-
-commit bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e
-Author: sobrado@openbsd.org <sobrado@openbsd.org>
-Date: Wed Oct 7 14:45:30 2015 +0000
-
- upstream commit
-
- UsePrivilegeSeparation defaults to sandbox now.
-
- ok djm@
-
- Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
-
-commit 2905d6f99c837bb699b6ebc61711b19acd030709
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Oct 7 00:54:06 2015 +0000
-
- upstream commit
-
- don't try to change tun device flags if they are already
- what we need; makes it possible to use tun/tap networking as non- root user
- if device permissions and interface flags are pre-established; based on patch
- by Ossi Herrala
-
- Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21
-
-commit 0dc74512bdb105b048883f07de538b37e5e024d4
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Oct 5 18:33:05 2015 -0700
-
- unbreak merge botch
-
-commit fdd020e86439afa7f537e2429d29d4b744c94331
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Oct 6 01:20:59 2015 +0000
-
- upstream commit
-
- adapt to recent sshkey_parse_private_fileblob() API
- change
-
- Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988
-
-commit 21ae8ee3b630b0925f973db647a1b9aa5fcdd4c5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 24 07:15:39 2015 +0000
-
- upstream commit
-
- fix command-line option to match what was actually
- committed
-
- Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699
-
-commit e14ac43b75e68f1ffbd3e1a5e44143c8ae578dcd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 24 06:16:53 2015 +0000
-
- upstream commit
-
- regress test for CertificateFile; patch from Meghana Bhat
- via bz#2436
-
- Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25
-
-commit 905b054ed24e0d5b4ef226ebf2c8bfc02ae6d4ad
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Oct 5 17:11:21 2015 +0000
-
- upstream commit
-
- some more bzero->explicit_bzero, from Michael McConville
-
- Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
-
-commit b007159a0acdbcf65814b3ee05dbe2cf4ea46011
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Fri Oct 2 15:52:55 2015 +0000
-
- upstream commit
-
- fix email
-
- Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834
-
-commit b19e1b4ab11884c4f62aee9f8ab53127a4732658
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Fri Oct 2 01:39:52 2015 +0000
-
- upstream commit
-
- a sandbox using tame ok djm
-
- Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3
-
-commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date: Fri Oct 2 01:39:26 2015 +0000
-
- upstream commit
-
- re-order system calls in order of risk, ok i'll be
- honest, ordered this way they look like tame... ok djm
-
- Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813
-
-commit c5f7c0843cb6e6074a93c8ac34e49ce33a6f5546
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Fri Sep 25 18:19:54 2015 +0000
-
- upstream commit
-
- some certificatefile tweaks; ok djm
-
- Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
-
-commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 24 06:15:11 2015 +0000
-
- upstream commit
-
- add ssh_config CertificateFile option to explicitly list
- a certificate; patch from Meghana Bhat on bz#2436; ok markus@
-
- Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
-
-commit e3cbb06ade83c72b640a53728d362bbefa0008e2
-Author: sobrado@openbsd.org <sobrado@openbsd.org>
-Date: Tue Sep 22 08:33:23 2015 +0000
-
- upstream commit
-
- fix two typos.
-
- Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
diff --git a/INSTALL b/INSTALL
index e4865bbb4d9a..7f552bf7683f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -13,7 +13,7 @@ OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
-libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
+libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
@@ -91,7 +91,7 @@ http://nlnetlabs.nl/projects/ldns/
Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
+the code out of git yourself) then you will need autoconf-2.69 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.
@@ -103,6 +103,13 @@ Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).
+makedepend:
+
+https://www.x.org/archive/individual/util/
+
+If you are making significant changes to the code you may need to rebuild
+the dependency (.depend) file using "make depend", which requires the
+"makedepend" tool from the X11 distribution.
2. Building / Installation
--------------------------
@@ -162,13 +169,11 @@ also be enabled in sshd_config (refer to the UsePAM directive).
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
+/dev/random.
--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
+/dev/random.
--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
@@ -204,8 +209,7 @@ created.
--with-xauth=PATH specifies the location of the xauth binary
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
-libraries
-are installed.
+libraries are installed.
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
diff --git a/Makefile.in b/Makefile.in
index c52ce191fe95..04e1c8e5345b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,5 +1,3 @@
-# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
-
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@@ -54,16 +52,25 @@ AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
-PERL=@PERL@
SED=@SED@
ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
+MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+XMSS_OBJS=\
+ ssh-xmss.o \
+ sshkey-xmss.o \
+ xmss_commons.o \
+ xmss_fast.o \
+ xmss_hash.o \
+ xmss_hash_address.o \
+ xmss_wots.o
+
LIBOPENSSH_OBJS=\
ssh_api.o \
ssherr.o \
@@ -73,7 +80,8 @@ LIBOPENSSH_OBJS=\
sshbuf-misc.o \
sshbuf-getput-crypto.o \
krl.o \
- bitmap.o
+ bitmap.o \
+ ${XMSS_OBJS}
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
@@ -88,7 +96,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
@@ -218,13 +226,6 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
moduli:
echo
-# special case target for umac128
-umac128.o: umac.c
- $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
- -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
- -Dumac_update=umac128_update -Dumac_final=umac128_final \
- -Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
-
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core survey
@@ -298,9 +299,21 @@ catman-do:
>$$base.0 ; \
done
-distprep: catman-do
+depend: depend-rebuild
+ rm -f .depend.bak
+
+depend-rebuild:
+ rm -f config.h
+ touch config.h
+ makedepend -w1000 -Y. -f .depend *.c 2>/dev/null
+ rm -f config.h
+
+depend-check: depend-rebuild
+ cmp .depend .depend.bak || (echo .depend stale && exit 1)
+
+distprep: catman-do depend-check
$(AUTORECONF)
- -rm -rf autom4te.cache
+ -rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
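Review bot: The `depend-rebuild` recipe replaces any existing `config.h` with an empty file and then deletes it, so running `make depend` in a configured tree removes the configure output. If `makedepend` is missing or fails, the last `rm -f config.h` is not reached and the empty `config.h` is left behind. The reason for the failure is hidden by `2>/dev/null`. I would drop the redirection, or at least put a comment above the target such as `# NB: clobbers config.h; run in an unconfigured tree or re-run configure afterwards`. Because `distprep` now depends on `depend-check`, this also applies to release preparation.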
@@ -310,14 +323,13 @@ check-config:
-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
install-files:
- $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
- $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
- $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
- $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
- $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
- $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
- $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
- (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
+ $(MKDIR_P) $(DESTDIR)$(bindir)
+ $(MKDIR_P) $(DESTDIR)$(sbindir)
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)1
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
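Review bot: `$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)` applies the mode only to the last path component, whereas the removed line ran under `umask 022` and so covered every directory it had to create. If a parent of the privilege-separation directory is missing and the installer's umask is looser, those parents are created with the looser mode, which matters for a directory used as a chroot. Keeping the subshell, `(umask 022 ; $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH))`, preserves the old guarantee. The `install-files` recipe continues outside this hunk.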
@@ -345,9 +357,7 @@ install-files:
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
install-sysconf:
- if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
- $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
- fi
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
else \
@@ -375,9 +385,6 @@ host-key: ssh-keygen$(EXEEXT)
fi
host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
- if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
- ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
- fi
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
@@ -421,28 +428,16 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
regress-prep:
- [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
- [ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
- [ -d `pwd`/regress/unittests/test_helper ] || \
- mkdir -p `pwd`/regress/unittests/test_helper
- [ -d `pwd`/regress/unittests/sshbuf ] || \
- mkdir -p `pwd`/regress/unittests/sshbuf
- [ -d `pwd`/regress/unittests/sshkey ] || \
- mkdir -p `pwd`/regress/unittests/sshkey
- [ -d `pwd`/regress/unittests/bitmap ] || \
- mkdir -p `pwd`/regress/unittests/bitmap
- [ -d `pwd`/regress/unittests/conversion ] || \
- mkdir -p `pwd`/regress/unittests/conversion
- [ -d `pwd`/regress/unittests/hostkeys ] || \
- mkdir -p `pwd`/regress/unittests/hostkeys
- [ -d `pwd`/regress/unittests/kex ] || \
- mkdir -p `pwd`/regress/unittests/kex
- [ -d `pwd`/regress/unittests/match ] || \
- mkdir -p `pwd`/regress/unittests/match
- [ -d `pwd`/regress/unittests/utf8 ] || \
- mkdir -p `pwd`/regress/unittests/utf8
- [ -d `pwd`/regress/misc/kexfuzz ] || \
- mkdir -p `pwd`/regress/misc/kexfuzz
+ $(MKDIR_P) `pwd`/regress/unittests/test_helper
+ $(MKDIR_P) `pwd`/regress/unittests/sshbuf
+ $(MKDIR_P) `pwd`/regress/unittests/sshkey
+ $(MKDIR_P) `pwd`/regress/unittests/bitmap
+ $(MKDIR_P) `pwd`/regress/unittests/conversion
+ $(MKDIR_P) `pwd`/regress/unittests/hostkeys
+ $(MKDIR_P) `pwd`/regress/unittests/kex
+ $(MKDIR_P) `pwd`/regress/unittests/match
+ $(MKDIR_P) `pwd`/regress/unittests/utf8
+ $(MKDIR_P) `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
@@ -582,6 +577,8 @@ regress-binaries: regress/modpipe$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
+REGRESSTMP = "$(PWD)/regress"
+
tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
BUILDDIR=`pwd`; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
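Review bot: `REGRESSTMP = "$(PWD)/regress"` takes its default from the inherited `PWD` environment variable, while the recipe computes `BUILDDIR` with `pwd` and still passes `.OBJDIR="$${BUILDDIR}/regress"`. The two can disagree when make is started with `-C` or with a stale or empty `PWD`. The same variable is consumed by the `OBJ="$(REGRESSTMP)"` line in the next hunk, where the literal quotes stored in the value nest inside the recipe's own quotes and no longer protect a path containing spaces. I would define it without the embedded quotes, `REGRESSTMP = $(PWD)/regress`, and add a comment such as `# may be overridden on the command line; must name the same directory as BUILDDIR/regress unless relocated on purpose`. The `tests` recipe continues outside this hunk.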
@@ -605,7 +602,7 @@ tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
.OBJDIR="$${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="$${BUILDDIR}" \
- OBJ="$${BUILDDIR}/regress/" \
+ OBJ="$(REGRESSTMP)" \
PATH="$${BUILDDIR}:$${PATH}" \
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
@@ -650,3 +647,5 @@ package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
sh buildpkg.sh; \
fi
+
+# @DEPEND@
diff --git a/PROTOCOL b/PROTOCOL
index 4e9e8757566f..b1fc00691c0d 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -295,10 +295,14 @@ has completed.
string[] hostkeys
Upon receiving this message, a client should check which of the
-supplied host keys are present in known_hosts. For keys that are
-not present, it should send a "hostkeys-prove@openssh.com" message
-to request the server prove ownership of the private half of the
-key.
+supplied host keys are present in known_hosts.
+
+Note that the server may send key types that the client does not
+support. The client should disgregard such keys if they are received.
+
+If the client identifies any keys that are not present for the host,
+it should send a "hostkeys-prove@openssh.com" message to request the
+server prove ownership of the private half of the key.
byte SSH_MSG_GLOBAL_REQUEST
string "hostkeys-prove-00@openssh.com"
@@ -454,4 +458,4 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
-$OpenBSD: PROTOCOL,v 1.31 2017/05/26 01:40:07 djm Exp $
+$OpenBSD: PROTOCOL,v 1.32 2018/02/19 00:55:02 djm Exp $
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 42aa8c2a1734..64cb18700ee1 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -100,9 +100,9 @@ DSA certificate
ECDSA certificate
- string "ecdsa-sha2-nistp256-v01@openssh.com" |
- "ecdsa-sha2-nistp384-v01@openssh.com" |
- "ecdsa-sha2-nistp521-v01@openssh.com"
+ string "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com"
string nonce
string curve
string public_key
@@ -291,4 +291,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.12 2017/05/31 04:29:44 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.13 2017/11/03 02:32:19 djm Exp $
diff --git a/README b/README
index 103d43e9b7b7..fb8e21743b00 100644
--- a/README
+++ b/README
@@ -1,11 +1,11 @@
-See https://www.openssh.com/releasenotes.html#7.6p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#7.7p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
patch/pull-request management.
- A Japanese translation of this document and of the release notes is
-- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
+- available at https://www.unixuser.org/~haruyama/security/openssh/index.html
- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
@@ -22,7 +22,7 @@ This port consists of the re-introduction of autoconf support, PAM
support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
functions that are (regrettably) absent from other unices. This port
has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
-NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
+NetBSD, OpenBSD, OpenServer, Solaris and UnixWare.
This version actively tracks changes in the OpenBSD CVS repository.
@@ -56,11 +56,11 @@ References -
[0] https://www.openssh.com/
[1] http://www.lothar.com/tech/crypto/
-[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-[3] http://www.gzip.org/zlib/
-[4] http://www.openssl.org/
-[5] http://www.openpam.org
- http://www.kernel.org/pub/linux/libs/pam/
+[2] http://prngd.sourceforge.net/
+[3] https://www.zlib.net/
+[4] https://www.openssl.org/
+[5] https://www.openpam.org
+ https://www.kernel.org/pub/linux/libs/pam/
(PAM also is standard on Solaris and HP-UX 11)
-[6] http://thrysoee.dk/editline/ (portable version)
-[7] http://man.openbsd.org/style.9
+[6] https://thrysoee.dk/editline/ (portable version)
+[7] https://man.openbsd.org/style.9
diff --git a/README.privsep b/README.privsep
index 2120544c7973..460e90565202 100644
--- a/README.privsep
+++ b/README.privsep
@@ -34,8 +34,8 @@ privsep user and chroot directory:
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
-On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
-part of privsep is supported. Post-authentication privsep is disabled
+On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
+of privsep is supported. Post-authentication privsep is disabled
automatically (so you won't see the additional process mentioned below).
Note that for a normal interactive login with a shell, enabling privsep
diff --git a/auth-options.c b/auth-options.c
index bed00eef0fe3..b528c197ab26 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,13 +1,18 @@
-/* $OpenBSD: auth-options.c,v 1.74 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */
/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
@@ -19,88 +24,33 @@
#include <string.h>
#include <stdio.h>
#include <stdarg.h>
+#include <ctype.h>
+#include <limits.h>
#include "openbsd-compat/sys-queue.h"
-#include "key.h" /* XXX for typedef */
-#include "buffer.h" /* XXX for typedef */
#include "xmalloc.h"
-#include "match.h"
#include "ssherr.h"
#include "log.h"
-#include "canohost.h"
-#include "packet.h"
#include "sshbuf.h"
#include "misc.h"
-#include "channels.h"
-#include "servconf.h"
#include "sshkey.h"
+#include "match.h"
+#include "ssh2.h"
#include "auth-options.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/* Flags set authorized_keys flags */
-int no_port_forwarding_flag = 0;
-int no_agent_forwarding_flag = 0;
-int no_x11_forwarding_flag = 0;
-int no_pty_flag = 0;
-int no_user_rc = 0;
-int key_is_cert_authority = 0;
-
-/* "command=" option. */
-char *forced_command = NULL;
-
-/* "environment=" options. */
-struct envstring *custom_environment = NULL;
-
-/* "tunnel=" option. */
-int forced_tun_device = -1;
-
-/* "principals=" option. */
-char *authorized_principals = NULL;
-
-extern ServerOptions options;
-
-/* XXX refactor to be stateless */
-
-void
-auth_clear_options(void)
-{
- struct ssh *ssh = active_state; /* XXX */
-
- no_agent_forwarding_flag = 0;
- no_port_forwarding_flag = 0;
- no_pty_flag = 0;
- no_x11_forwarding_flag = 0;
- no_user_rc = 0;
- key_is_cert_authority = 0;
- while (custom_environment) {
- struct envstring *ce = custom_environment;
- custom_environment = ce->next;
- free(ce->s);
- free(ce);
- }
- free(forced_command);
- forced_command = NULL;
- free(authorized_principals);
- authorized_principals = NULL;
- forced_tun_device = -1;
- channel_clear_permitted_opens(ssh);
-}
/*
* Match flag 'opt' in *optsp, and if allow_negate is set then also match
* 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
- * if negated option matches.
+ * if negated option matches.
* If the option or negated option matches, then *optsp is updated to
- * point to the first character after the option and, if 'msg' is not NULL
- * then a message based on it added via auth_debug_add().
+ * point to the first character after the option.
*/
static int
-match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
+opt_flag(const char *opt, int allow_negate, const char **optsp)
{
size_t opt_len = strlen(opt);
- char *opts = *optsp;
+ const char *opts = *optsp;
int negate = 0;
if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
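Review bot: The header comment of `opt_flag` does not say that matching is a case-insensitive prefix comparison with no check of the character that follows the option name. The removed parser performed that delimiter check at its `next_option:` label, so the new caller has to do the same, and whether it does is not visible in this hunk. I would add to the comment: `The match is a case-insensitive prefix match; the caller must verify that *optsp is followed by ',' or the end of the option list.` The body of `opt_flag` continues in the next hunk.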
@@ -109,368 +59,92 @@ match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
}
if (strncasecmp(opts, opt, opt_len) == 0) {
*optsp = opts + opt_len;
- if (msg != NULL) {
- auth_debug_add("%s %s.", msg,
- negate ? "disabled" : "enabled");
- }
return negate ? 0 : 1;
}
return -1;
}
-/*
- * return 1 if access is granted, 0 if not.
- * side effect: sets key option flags
- * XXX remove side effects; fill structure instead.
- */
-int
-auth_parse_options(struct passwd *pw, char *opts, const char *file,
- u_long linenum)
+static char *
+opt_dequote(const char **sp, const char **errstrp)
{
- struct ssh *ssh = active_state; /* XXX */
- const char *cp;
- int i, r;
-
- /* reset options */
- auth_clear_options();
+ const char *s = *sp;
+ char *ret;
+ size_t i;
+
+ *errstrp = NULL;
+ if (*s != '"') {
+ *errstrp = "missing start quote";
+ return NULL;
+ }
+ s++;
+ if ((ret = malloc(strlen((s)) + 1)) == NULL) {
+ *errstrp = "memory allocation failed";
+ return NULL;
+ }
+ for (i = 0; *s != '\0' && *s != '"';) {
+ if (s[0] == '\\' && s[1] == '"')
+ s++;
+ ret[i++] = *s++;
+ }
+ if (*s == '\0') {
+ *errstrp = "missing end quote";
+ free(ret);
+ return NULL;
+ }
+ ret[i] = '\0';
+ s++;
+ *sp = s;
+ return ret;
+}
- if (!opts)
+static int
+opt_match(const char **opts, const char *term)
+{
+ if (strncasecmp((*opts), term, strlen(term)) == 0 &&
+ (*opts)[strlen(term)] == '=') {
+ *opts += strlen(term) + 1;
return 1;
-
- while (*opts && *opts != ' ' && *opts != '\t') {
- if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
- key_is_cert_authority = r;
- goto next_option;
- }
- if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
- auth_debug_add("Key is restricted.");
- no_port_forwarding_flag = 1;
- no_agent_forwarding_flag = 1;
- no_x11_forwarding_flag = 1;
- no_pty_flag = 1;
- no_user_rc = 1;
- goto next_option;
- }
- if ((r = match_flag("port-forwarding", 1, &opts,
- "Port forwarding")) != -1) {
- no_port_forwarding_flag = r != 1;
- goto next_option;
- }
- if ((r = match_flag("agent-forwarding", 1, &opts,
- "Agent forwarding")) != -1) {
- no_agent_forwarding_flag = r != 1;
- goto next_option;
- }
- if ((r = match_flag("x11-forwarding", 1, &opts,
- "X11 forwarding")) != -1) {
- no_x11_forwarding_flag = r != 1;
- goto next_option;
- }
- if ((r = match_flag("pty", 1, &opts,
- "PTY allocation")) != -1) {
- no_pty_flag = r != 1;
- goto next_option;
- }
- if ((r = match_flag("user-rc", 1, &opts,
- "User rc execution")) != -1) {
- no_user_rc = r != 1;
- goto next_option;
- }
- cp = "command=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- opts += strlen(cp);
- free(forced_command);
- forced_command = xmalloc(strlen(opts) + 1);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- if (*opts == '\\' && opts[1] == '"') {
- opts += 2;
- forced_command[i++] = '"';
- continue;
- }
- forced_command[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing end quote",
- file, linenum);
- free(forced_command);
- forced_command = NULL;
- goto bad_option;
- }
- forced_command[i] = '\0';
- auth_debug_add("Forced command.");
- opts++;
- goto next_option;
- }
- cp = "principals=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- opts += strlen(cp);
- free(authorized_principals);
- authorized_principals = xmalloc(strlen(opts) + 1);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- if (*opts == '\\' && opts[1] == '"') {
- opts += 2;
- authorized_principals[i++] = '"';
- continue;
- }
- authorized_principals[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing end quote",
- file, linenum);
- free(authorized_principals);
- authorized_principals = NULL;
- goto bad_option;
- }
- authorized_principals[i] = '\0';
- auth_debug_add("principals: %.900s",
- authorized_principals);
- opts++;
- goto next_option;
- }
- cp = "environment=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- char *s;
- struct envstring *new_envstring;
-
- opts += strlen(cp);
- s = xmalloc(strlen(opts) + 1);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- if (*opts == '\\' && opts[1] == '"') {
- opts += 2;
- s[i++] = '"';
- continue;
- }
- s[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing end quote",
- file, linenum);
- free(s);
- goto bad_option;
- }
- s[i] = '\0';
- opts++;
- if (options.permit_user_env) {
- auth_debug_add("Adding to environment: "
- "%.900s", s);
- debug("Adding to environment: %.900s", s);
- new_envstring = xcalloc(1,
- sizeof(*new_envstring));
- new_envstring->s = s;
- new_envstring->next = custom_environment;
- custom_environment = new_envstring;
- s = NULL;
- }
- free(s);
- goto next_option;
- }
- cp = "from=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- const char *remote_ip = ssh_remote_ipaddr(ssh);
- const char *remote_host = auth_get_canonical_hostname(
- ssh, options.use_dns);
- char *patterns = xmalloc(strlen(opts) + 1);
-
- opts += strlen(cp);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- if (*opts == '\\' && opts[1] == '"') {
- opts += 2;
- patterns[i++] = '"';
- continue;
- }
- patterns[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing end quote",
- file, linenum);
- free(patterns);
- goto bad_option;
- }
- patterns[i] = '\0';
- opts++;
- switch (match_host_and_ip(remote_host, remote_ip,
- patterns)) {
- case 1:
- free(patterns);
- /* Host name matches. */
- goto next_option;
- case -1:
- debug("%.100s, line %lu: invalid criteria",
- file, linenum);
- auth_debug_add("%.100s, line %lu: "
- "invalid criteria", file, linenum);
- /* FALLTHROUGH */
- case 0:
- free(patterns);
- logit("Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s).",
- pw->pw_name, remote_host, remote_ip);
- auth_debug_add("Your host '%.200s' is not "
- "permitted to use this key for login.",
- remote_host);
- break;
- }
- /* deny access */
- return 0;
- }
- cp = "permitopen=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- char *host, *p;
- int port;
- char *patterns = xmalloc(strlen(opts) + 1);
-
- opts += strlen(cp);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- if (*opts == '\\' && opts[1] == '"') {
- opts += 2;
- patterns[i++] = '"';
- continue;
- }
- patterns[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing "
- "end quote", file, linenum);
- free(patterns);
- goto bad_option;
- }
- patterns[i] = '\0';
- opts++;
- p = patterns;
- /* XXX - add streamlocal support */
- host = hpdelim(&p);
- if (host == NULL || strlen(host) >= NI_MAXHOST) {
- debug("%.100s, line %lu: Bad permitopen "
- "specification <%.100s>", file, linenum,
- patterns);
- auth_debug_add("%.100s, line %lu: "
- "Bad permitopen specification", file,
- linenum);
- free(patterns);
- goto bad_option;
- }
- host = cleanhostname(host);
- if (p == NULL || (port = permitopen_port(p)) < 0) {
- debug("%.100s, line %lu: Bad permitopen port "
- "<%.100s>", file, linenum, p ? p : "");
- auth_debug_add("%.100s, line %lu: "
- "Bad permitopen port", file, linenum);
- free(patterns);
- goto bad_option;
- }
- if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
- channel_add_permitted_opens(ssh, host, port);
- free(patterns);
- goto next_option;
- }
- cp = "tunnel=\"";
- if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- char *tun = NULL;
- opts += strlen(cp);
- tun = xmalloc(strlen(opts) + 1);
- i = 0;
- while (*opts) {
- if (*opts == '"')
- break;
- tun[i++] = *opts++;
- }
- if (!*opts) {
- debug("%.100s, line %lu: missing end quote",
- file, linenum);
- auth_debug_add("%.100s, line %lu: missing end quote",
- file, linenum);
- free(tun);
- forced_tun_device = -1;
- goto bad_option;
- }
- tun[i] = '\0';
- forced_tun_device = a2tun(tun, NULL);
- free(tun);
- if (forced_tun_device == SSH_TUNID_ERR) {
- debug("%.100s, line %lu: invalid tun device",
- file, linenum);
- auth_debug_add("%.100s, line %lu: invalid tun device",
- file, linenum);
- forced_tun_device = -1;
- goto bad_option;
- }
- auth_debug_add("Forced tun device: %d", forced_tun_device);
- opts++;
- goto next_option;
- }
-next_option:
- /*
- * Skip the comma, and move to the next option
- * (or break out if there are no more).
- */
- if (!*opts)
- fatal("Bugs in auth-options.c option processing.");
- if (*opts == ' ' || *opts == '\t')
- break; /* End of options. */
- if (*opts != ',')
- goto bad_option;
- opts++;
- /* Process the next option. */
}
+ return 0;
+}
- /* grant access */
- return 1;
+static int
+dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
+{
+ char **dst;
+ size_t i, j;
-bad_option:
- logit("Bad options in %.100s file, line %lu: %.50s",
- file, linenum, opts);
- auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
- file, linenum, opts);
+ *dstp = NULL;
+ *ndstp = 0;
+ if (nsrc == 0)
+ return 0;
- /* deny access */
+ if ((dst = calloc(nsrc, sizeof(*src))) == NULL)
+ return -1;
+ for (i = 0; i < nsrc; i++) {
+ if ((dst[i] = strdup(src[i])) == NULL) {
+ for (j = 0; j < i; j++)
+ free(dst[j]);
+ free(dst);
+ return -1;
+ }
+ }
+ /* success */
+ *dstp = dst;
+ *ndstp = nsrc;
return 0;
}
#define OPTIONS_CRITICAL 1
#define OPTIONS_EXTENSIONS 2
static int
-parse_option_list(struct sshbuf *oblob, struct passwd *pw,
- u_int which, int crit,
- int *cert_no_port_forwarding_flag,
- int *cert_no_agent_forwarding_flag,
- int *cert_no_x11_forwarding_flag,
- int *cert_no_pty_flag,
- int *cert_no_user_rc,
- char **cert_forced_command,
- int *cert_source_address_done)
+cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
+ u_int which, int crit)
{
- struct ssh *ssh = active_state; /* XXX */
char *command, *allowed;
- const char *remote_ip;
char *name = NULL;
struct sshbuf *c = NULL, *data = NULL;
- int r, ret = -1, result, found;
+ int r, ret = -1, found;
if ((c = sshbuf_fromb(oblob)) == NULL) {
error("%s: sshbuf_fromb failed", __func__);
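Review bot: The new helpers `opt_dequote`, `opt_match` and `dup_strings` are added without header comments, although they carry the ownership and parsing rules that the removed inline loops spelled out case by case. For `opt_dequote` I would document that the returned buffer is allocated with `malloc` and must be freed by the caller, that `*sp` is advanced past the closing quote only on success, that `\"` is the only escape it recognises, and that `errstrp` must not be NULL because it is written unconditionally. For `opt_match`, note that it consumes `term=` case-insensitively and leaves `*opts` untouched when there is no match. For `dup_strings`, note that on failure it frees everything it copied and leaves `*dstp` NULL and `*ndstp` 0. These three functions are complete within the hunk; `cert_option_list` at its end continues outside it.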
@@ -491,21 +165,21 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
found = 0;
if ((which & OPTIONS_EXTENSIONS) != 0) {
if (strcmp(name, "permit-X11-forwarding") == 0) {
- *cert_no_x11_forwarding_flag = 0;
+ opts->permit_x11_forwarding_flag = 1;
found = 1;
} else if (strcmp(name,
"permit-agent-forwarding") == 0) {
- *cert_no_agent_forwarding_flag = 0;
+ opts->permit_agent_forwarding_flag = 1;
found = 1;
} else if (strcmp(name,
"permit-port-forwarding") == 0) {
- *cert_no_port_forwarding_flag = 0;
+ opts->permit_port_forwarding_flag = 1;
found = 1;
} else if (strcmp(name, "permit-pty") == 0) {
- *cert_no_pty_flag = 0;
+ opts->permit_pty_flag = 1;
found = 1;
} else if (strcmp(name, "permit-user-rc") == 0) {
- *cert_no_user_rc = 0;
+ opts->permit_user_rc = 1;
found = 1;
}
}
@@ -517,13 +191,13 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
"section: %s", name, ssh_err(r));
goto out;
}
- if (*cert_forced_command != NULL) {
+ if (opts->force_command != NULL) {
error("Certificate has multiple "
"force-command options");
free(command);
goto out;
}
- *cert_forced_command = command;
+ opts->force_command = command;
found = 1;
}
if (strcmp(name, "source-address") == 0) {
@@ -533,38 +207,19 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
"section: %s", name, ssh_err(r));
goto out;
}
- if ((*cert_source_address_done)++) {
+ if (opts->required_from_host_cert != NULL) {
error("Certificate has multiple "
"source-address options");
free(allowed);
goto out;
}
- remote_ip = ssh_remote_ipaddr(ssh);
- result = addr_match_cidr_list(remote_ip,
- allowed);
- free(allowed);
- switch (result) {
- case 1:
- /* accepted */
- break;
- case 0:
- /* no match */
- logit("Authentication tried for %.100s "
- "with valid certificate but not "
- "from a permitted host "
- "(ip=%.200s).", pw->pw_name,
- remote_ip);
- auth_debug_add("Your address '%.200s' "
- "is not permitted to use this "
- "certificate for login.",
- remote_ip);
- goto out;
- case -1:
- default:
+ /* Check syntax */
+ if (addr_match_cidr_list(NULL, allowed) == -1) {
error("Certificate source-address "
"contents invalid");
goto out;
}
+ opts->required_from_host_cert = allowed;
found = 1;
}
}
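Review bot: `allowed` is leaked when `addr_match_cidr_list(NULL, allowed)` returns -1. The old code freed it straight after the match call, but the new code frees it only in the "multiple source-address options" branch and otherwise hands it to `opts->required_from_host_cert`. Add `free(allowed);` before the `goto out;` in the "contents invalid" branch. Since this hunk reduces the check to syntax validation, a comment at the assignment such as `/* only validated here; must be matched against the peer address by the consumer of opts */` would make the deferred enforcement explicit; that enforcement is presumably elsewhere in the commit and is not visible here. `cert_option_list` starts and ends outside this hunk.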
@@ -590,74 +245,628 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
ret = 0;
out:
- if (ret != 0 &&
- cert_forced_command != NULL &&
- *cert_forced_command != NULL) {
- free(*cert_forced_command);
- *cert_forced_command = NULL;
- }
free(name);
sshbuf_free(data);
sshbuf_free(c);
return ret;
}
+struct sshauthopt *
+sshauthopt_new(void)
+{
+ struct sshauthopt *ret;
+
+ if ((ret = calloc(1, sizeof(*ret))) == NULL)
+ return NULL;
+ ret->force_tun_device = -1;
+ return ret;
+}
+
+void
+sshauthopt_free(struct sshauthopt *opts)
+{
+ size_t i;
+
+ if (opts == NULL)
+ return;
+
+ free(opts->cert_principals);
+ free(opts->force_command);
+ free(opts->required_from_host_cert);
+ free(opts->required_from_host_keys);
+
+ for (i = 0; i < opts->nenv; i++)
+ free(opts->env[i]);
+ free(opts->env);
+
+ for (i = 0; i < opts->npermitopen; i++)
+ free(opts->permitopen[i]);
+ free(opts->permitopen);
+
+ explicit_bzero(opts, sizeof(*opts));
+ free(opts);
+}
+
+struct sshauthopt *
+sshauthopt_new_with_keys_defaults(void)
+{
+ struct sshauthopt *ret = NULL;
+
+ if ((ret = sshauthopt_new()) == NULL)
+ return NULL;
+
+ /* Defaults for authorized_keys flags */
+ ret->permit_port_forwarding_flag = 1;
+ ret->permit_agent_forwarding_flag = 1;
+ ret->permit_x11_forwarding_flag = 1;
+ ret->permit_pty_flag = 1;
+ ret->permit_user_rc = 1;
+ return ret;
+}
+
+struct sshauthopt *
+sshauthopt_parse(const char *opts, const char **errstrp)
+{
+ char **oarray, *opt, *cp, *tmp, *host;
+ int r;
+ struct sshauthopt *ret = NULL;
+ const char *errstr = "unknown error";
+ uint64_t valid_before;
+
+ if (errstrp != NULL)
+ *errstrp = NULL;
+ if ((ret = sshauthopt_new_with_keys_defaults()) == NULL)
+ goto alloc_fail;
+
+ if (opts == NULL)
+ return ret;
+
+ while (*opts && *opts != ' ' && *opts != '\t') {
+ /* flag options */
+ if ((r = opt_flag("restrict", 0, &opts)) != -1) {
+ ret->restricted = 1;
+ ret->permit_port_forwarding_flag = 0;
+ ret->permit_agent_forwarding_flag = 0;
+ ret->permit_x11_forwarding_flag = 0;
+ ret->permit_pty_flag = 0;
+ ret->permit_user_rc = 0;
+ } else if ((r = opt_flag("cert-authority", 0, &opts)) != -1) {
+ ret->cert_authority = r;
+ } else if ((r = opt_flag("port-forwarding", 1, &opts)) != -1) {
+ ret->permit_port_forwarding_flag = r == 1;
+ } else if ((r = opt_flag("agent-forwarding", 1, &opts)) != -1) {
+ ret->permit_agent_forwarding_flag = r == 1;
+ } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
+ ret->permit_x11_forwarding_flag = r == 1;
+ } else if ((r = opt_flag("pty", 1, &opts)) != -1) {
+ ret->permit_pty_flag = r == 1;
+ } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
+ ret->permit_user_rc = r == 1;
+ } else if (opt_match(&opts, "command")) {
+ if (ret->force_command != NULL) {
+ errstr = "multiple \"command\" clauses";
+ goto fail;
+ }
+ ret->force_command = opt_dequote(&opts, &errstr);
+ if (ret->force_command == NULL)
+ goto fail;
+ } else if (opt_match(&opts, "principals")) {
+ if (ret->cert_principals != NULL) {
+ errstr = "multiple \"principals\" clauses";
+ goto fail;
+ }
+ ret->cert_principals = opt_dequote(&opts, &errstr);
+ if (ret->cert_principals == NULL)
+ goto fail;
+ } else if (opt_match(&opts, "from")) {
+ if (ret->required_from_host_keys != NULL) {
+ errstr = "multiple \"from\" clauses";
+ goto fail;
+ }
+ ret->required_from_host_keys = opt_dequote(&opts,
+ &errstr);
+ if (ret->required_from_host_keys == NULL)
+ goto fail;
+ } else if (opt_match(&opts, "expiry-time")) {
+ if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+ goto fail;
+ if (parse_absolute_time(opt, &valid_before) != 0 ||
+ valid_before == 0) {
+ free(opt);
+ errstr = "invalid expires time";
+ goto fail;
+ }
+ free(opt);
+ if (ret->valid_before == 0 ||
+ valid_before < ret->valid_before)
+ ret->valid_before = valid_before;
+ } else if (opt_match(&opts, "environment")) {
+ if (ret->nenv > INT_MAX) {
+ errstr = "too many environment strings";
+ goto fail;
+ }
+ if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+ goto fail;
+ /* env name must be alphanumeric and followed by '=' */
+ if ((tmp = strchr(opt, '=')) == NULL) {
+ free(opt);
+ errstr = "invalid environment string";
+ goto fail;
+ }
+ for (cp = opt; cp < tmp; cp++) {
+ if (!isalnum((u_char)*cp)) {
+ free(opt);
+ errstr = "invalid environment string";
+ goto fail;
+ }
+ }
+ /* Append it. */
+ oarray = ret->env;
+ if ((ret->env = recallocarray(ret->env, ret->nenv,
+ ret->nenv + 1, sizeof(*ret->env))) == NULL) {
+ free(opt);
+ ret->env = oarray; /* put it back for cleanup */
+ goto alloc_fail;
+ }
+ ret->env[ret->nenv++] = opt;
+ } else if (opt_match(&opts, "permitopen")) {
+ if (ret->npermitopen > INT_MAX) {
+ errstr = "too many permitopens";
+ goto fail;
+ }
+ if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+ goto fail;
+ if ((tmp = strdup(opt)) == NULL) {
+ free(opt);
+ goto alloc_fail;
+ }
+ cp = tmp;
+ /* validate syntax of permitopen before recording it. */
+ host = hpdelim(&cp);
+ if (host == NULL || strlen(host) >= NI_MAXHOST) {
+ free(tmp);
+ free(opt);
+ errstr = "invalid permitopen hostname";
+ goto fail;
+ }
+ /*
+ * don't want to use permitopen_port to avoid
+ * dependency on channels.[ch] here.
+ */
+ if (cp == NULL ||
+ (strcmp(cp, "*") != 0 && a2port(cp) <= 0)) {
+ free(tmp);
+ free(opt);
+ errstr = "invalid permitopen port";
+ goto fail;
+ }
+ /* XXX - add streamlocal support */
+ free(tmp);
+ /* Record it */
+ oarray = ret->permitopen;
+ if ((ret->permitopen = recallocarray(ret->permitopen,
+ ret->npermitopen, ret->npermitopen + 1,
+ sizeof(*ret->permitopen))) == NULL) {
+ free(opt);
+ ret->permitopen = oarray;
+ goto alloc_fail;
+ }
+ ret->permitopen[ret->npermitopen++] = opt;
+ } else if (opt_match(&opts, "tunnel")) {
+ if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+ goto fail;
+ ret->force_tun_device = a2tun(opt, NULL);
+ free(opt);
+ if (ret->force_tun_device == SSH_TUNID_ERR) {
+ errstr = "invalid tun device";
+ goto fail;
+ }
+ }
+ /*
+ * Skip the comma, and move to the next option
+ * (or break out if there are no more).
+ */
+ if (*opts == '\0' || *opts == ' ' || *opts == '\t')
+ break; /* End of options. */
+ /* Anything other than a comma is an unknown option */
+ if (*opts != ',') {
+ errstr = "unknown key option";
+ goto fail;
+ }
+ opts++;
+ if (*opts == '\0') {
+ errstr = "unexpected end-of-options";
+ goto fail;
+ }
+ }
+
+ /* success */
+ if (errstrp != NULL)
+ *errstrp = NULL;
+ return ret;
+
+alloc_fail:
+ errstr = "memory allocation failed";
+fail:
+ sshauthopt_free(ret);
+ if (errstrp != NULL)
+ *errstrp = errstr;
+ return NULL;
+}
+
+struct sshauthopt *
+sshauthopt_from_cert(struct sshkey *k)
+{
+ struct sshauthopt *ret;
+
+ if (k == NULL || !sshkey_type_is_cert(k->type) || k->cert == NULL ||
+ k->cert->type != SSH2_CERT_TYPE_USER)
+ return NULL;
+
+ if ((ret = sshauthopt_new()) == NULL)
+ return NULL;
+
+ /* Handle options and critical extensions separately */
+ if (cert_option_list(ret, k->cert->critical,
+ OPTIONS_CRITICAL, 1) == -1) {
+ sshauthopt_free(ret);
+ return NULL;
+ }
+ if (cert_option_list(ret, k->cert->extensions,
+ OPTIONS_EXTENSIONS, 0) == -1) {
+ sshauthopt_free(ret);
+ return NULL;
+ }
+ /* success */
+ return ret;
+}
+
/*
- * Set options from critical certificate options. These supersede user key
- * options so this must be called after auth_parse_options().
+ * Merges "additional" options to "primary" and returns the result.
+ * NB. Some options from primary have primacy.
*/
-int
-auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason)
+struct sshauthopt *
+sshauthopt_merge(const struct sshauthopt *primary,
+ const struct sshauthopt *additional, const char **errstrp)
{
- int cert_no_port_forwarding_flag = 1;
- int cert_no_agent_forwarding_flag = 1;
- int cert_no_x11_forwarding_flag = 1;
- int cert_no_pty_flag = 1;
- int cert_no_user_rc = 1;
- char *cert_forced_command = NULL;
- int cert_source_address_done = 0;
-
- *reason = "invalid certificate options";
-
- /* Separate options and extensions for v01 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- if (parse_option_list(k->cert->extensions, pw,
- OPTIONS_EXTENSIONS, 0,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- NULL, NULL) == -1)
- return -1;
+ struct sshauthopt *ret;
+ const char *errstr = "internal error";
+ const char *tmp;
+
+ if (errstrp != NULL)
+ *errstrp = NULL;
+
+ if ((ret = sshauthopt_new()) == NULL)
+ goto alloc_fail;
+
+ /* cert_authority and cert_principals are cleared in result */
+
+ /* Prefer access lists from primary. */
+ /* XXX err is both set and mismatch? */
+ tmp = primary->required_from_host_cert;
+ if (tmp == NULL)
+ tmp = additional->required_from_host_cert;
+ if (tmp != NULL && (ret->required_from_host_cert = strdup(tmp)) == NULL)
+ goto alloc_fail;
+ tmp = primary->required_from_host_keys;
+ if (tmp == NULL)
+ tmp = additional->required_from_host_keys;
+ if (tmp != NULL && (ret->required_from_host_keys = strdup(tmp)) == NULL)
+ goto alloc_fail;
+
+ /* force_tun_device, permitopen and environment prefer the primary. */
+ ret->force_tun_device = primary->force_tun_device;
+ if (ret->force_tun_device == -1)
+ ret->force_tun_device = additional->force_tun_device;
+ if (primary->nenv > 0) {
+ if (dup_strings(&ret->env, &ret->nenv,
+ primary->env, primary->nenv) != 0)
+ goto alloc_fail;
+ } else if (additional->nenv) {
+ if (dup_strings(&ret->env, &ret->nenv,
+ additional->env, additional->nenv) != 0)
+ goto alloc_fail;
+ }
+ if (primary->npermitopen > 0) {
+ if (dup_strings(&ret->permitopen, &ret->npermitopen,
+ primary->permitopen, primary->npermitopen) != 0)
+ goto alloc_fail;
+ } else if (additional->npermitopen > 0) {
+ if (dup_strings(&ret->permitopen, &ret->npermitopen,
+ additional->permitopen, additional->npermitopen) != 0)
+ goto alloc_fail;
+ }
+
+ /* Flags are logical-AND (i.e. must be set in both for permission) */
+#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
+ OPTFLAG(permit_port_forwarding_flag);
+ OPTFLAG(permit_agent_forwarding_flag);
+ OPTFLAG(permit_x11_forwarding_flag);
+ OPTFLAG(permit_pty_flag);
+ OPTFLAG(permit_user_rc);
+#undef OPTFLAG
+
+ /* Earliest expiry time should win */
+ if (primary->valid_before != 0)
+ ret->valid_before = primary->valid_before;
+ if (additional->valid_before != 0 &&
+ additional->valid_before < ret->valid_before)
+ ret->valid_before = additional->valid_before;
- no_port_forwarding_flag |= cert_no_port_forwarding_flag;
- no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
- no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
- no_pty_flag |= cert_no_pty_flag;
- no_user_rc |= cert_no_user_rc;
/*
- * Only permit both CA and key option forced-command if they match.
- * Otherwise refuse the certificate.
+ * When both multiple forced-command are specified, only
+ * proceed if they are identical, otherwise fail.
*/
- if (cert_forced_command != NULL && forced_command != NULL) {
- if (strcmp(forced_command, cert_forced_command) == 0) {
- free(forced_command);
- forced_command = cert_forced_command;
+ if (primary->force_command != NULL &&
+ additional->force_command != NULL) {
+ if (strcmp(primary->force_command,
+ additional->force_command) == 0) {
+ /* ok */
+ ret->force_command = strdup(primary->force_command);
+ if (ret->force_command == NULL)
+ goto alloc_fail;
} else {
- *reason = "certificate and key options forced command "
- "do not match";
- free(cert_forced_command);
- return -1;
+ errstr = "forced command options do not match";
+ goto fail;
}
- } else if (cert_forced_command != NULL)
- forced_command = cert_forced_command;
+ } else if (primary->force_command != NULL) {
+ if ((ret->force_command = strdup(
+ primary->force_command)) == NULL)
+ goto alloc_fail;
+ } else if (additional->force_command != NULL) {
+ if ((ret->force_command = strdup(
+ additional->force_command)) == NULL)
+ goto alloc_fail;
+ }
+ /* success */
+ if (errstrp != NULL)
+ *errstrp = NULL;
+ return ret;
+
+ alloc_fail:
+ errstr = "memory allocation failed";
+ fail:
+ if (errstrp != NULL)
+ *errstrp = errstr;
+ sshauthopt_free(ret);
+ return NULL;
+}
+
+/*
+ * Copy options
+ */
+struct sshauthopt *
+sshauthopt_copy(const struct sshauthopt *orig)
+{
+ struct sshauthopt *ret;
+
+ if ((ret = sshauthopt_new()) == NULL)
+ return NULL;
+
+#define OPTSCALAR(x) ret->x = orig->x
+ OPTSCALAR(permit_port_forwarding_flag);
+ OPTSCALAR(permit_agent_forwarding_flag);
+ OPTSCALAR(permit_x11_forwarding_flag);
+ OPTSCALAR(permit_pty_flag);
+ OPTSCALAR(permit_user_rc);
+ OPTSCALAR(restricted);
+ OPTSCALAR(cert_authority);
+ OPTSCALAR(force_tun_device);
+ OPTSCALAR(valid_before);
+#undef OPTSCALAR
+#define OPTSTRING(x) \
+ do { \
+ if (orig->x != NULL && (ret->x = strdup(orig->x)) == NULL) { \
+ sshauthopt_free(ret); \
+ return NULL; \
+ } \
+ } while (0)
+ OPTSTRING(cert_principals);
+ OPTSTRING(force_command);
+ OPTSTRING(required_from_host_cert);
+ OPTSTRING(required_from_host_keys);
+#undef OPTSTRING
+
+ if (dup_strings(&ret->env, &ret->nenv, orig->env, orig->nenv) != 0 ||
+ dup_strings(&ret->permitopen, &ret->npermitopen,
+ orig->permitopen, orig->npermitopen) != 0) {
+ sshauthopt_free(ret);
+ return NULL;
+ }
+ return ret;
+}
+
+static int
+serialise_array(struct sshbuf *m, char **a, size_t n)
+{
+ struct sshbuf *b;
+ size_t i;
+ int r;
+
+ if (n > INT_MAX)
+ return SSH_ERR_INTERNAL_ERROR;
+
+ if ((b = sshbuf_new()) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
+ }
+ for (i = 0; i < n; i++) {
+ if ((r = sshbuf_put_cstring(b, a[i])) != 0) {
+ sshbuf_free(b);
+ return r;
+ }
+ }
+ if ((r = sshbuf_put_u32(m, n)) != 0 ||
+ (r = sshbuf_put_stringb(m, b)) != 0) {
+ sshbuf_free(b);
+ return r;
+ }
/* success */
- *reason = NULL;
return 0;
}
+static int
+deserialise_array(struct sshbuf *m, char ***ap, size_t *np)
+{
+ char **a = NULL;
+ size_t i, n = 0;
+ struct sshbuf *b = NULL;
+ u_int tmp;
+ int r = SSH_ERR_INTERNAL_ERROR;
+
+ if ((r = sshbuf_get_u32(m, &tmp)) != 0 ||
+ (r = sshbuf_froms(m, &b)) != 0)
+ goto out;
+ if (tmp > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ n = tmp;
+ if (n > 0 && (a = calloc(n, sizeof(*a))) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ for (i = 0; i < n; i++) {
+ if ((r = sshbuf_get_cstring(b, &a[i], NULL)) != 0)
+ goto out;
+ }
+ /* success */
+ r = 0;
+ *ap = a;
+ a = NULL;
+ *np = n;
+ n = 0;
+ out:
+ for (i = 0; i < n; i++)
+ free(a[i]);
+ free(a);
+ sshbuf_free(b);
+ return r;
+}
+
+static int
+serialise_nullable_string(struct sshbuf *m, const char *s)
+{
+ int r;
+
+ if ((r = sshbuf_put_u8(m, s == NULL)) != 0 ||
+ (r = sshbuf_put_cstring(m, s)) != 0)
+ return r;
+ return 0;
+}
+
+static int
+deserialise_nullable_string(struct sshbuf *m, char **sp)
+{
+ int r;
+ u_char flag;
+
+ *sp = NULL;
+ if ((r = sshbuf_get_u8(m, &flag)) != 0 ||
+ (r = sshbuf_get_cstring(m, flag ? NULL : sp, NULL)) != 0)
+ return r;
+ return 0;
+}
+
+int
+sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
+ int untrusted)
+{
+ int r = SSH_ERR_INTERNAL_ERROR;
+
+ /* Flag and simple integer options */
+ if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
+ (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+ return r;
+
+ /* tunnel number can be negative to indicate "unset" */
+ if ((r = sshbuf_put_u8(m, opts->force_tun_device == -1)) != 0 ||
+ (r = sshbuf_put_u32(m, (opts->force_tun_device < 0) ?
+ 0 : (u_int)opts->force_tun_device)) != 0)
+ return r;
+
+ /* String options; these may be NULL */
+ if ((r = serialise_nullable_string(m,
+ untrusted ? "yes" : opts->cert_principals)) != 0 ||
+ (r = serialise_nullable_string(m,
+ untrusted ? "true" : opts->force_command)) != 0 ||
+ (r = serialise_nullable_string(m,
+ untrusted ? NULL : opts->required_from_host_cert)) != 0 ||
+ (r = serialise_nullable_string(m,
+ untrusted ? NULL : opts->required_from_host_keys)) != 0)
+ return r;
+
+ /* Array options */
+ if ((r = serialise_array(m, opts->env,
+ untrusted ? 0 : opts->nenv)) != 0 ||
+ (r = serialise_array(m, opts->permitopen,
+ untrusted ? 0 : opts->npermitopen)) != 0)
+ return r;
+
+ /* success */
+ return 0;
+}
+
+int
+sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
+{
+ struct sshauthopt *opts = NULL;
+ int r = SSH_ERR_INTERNAL_ERROR;
+ u_char f;
+ u_int tmp;
+
+ if ((opts = calloc(1, sizeof(*opts))) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+
+#define OPT_FLAG(x) \
+ do { \
+ if ((r = sshbuf_get_u8(m, &f)) != 0) \
+ goto out; \
+ opts->x = f; \
+ } while (0)
+ OPT_FLAG(permit_port_forwarding_flag);
+ OPT_FLAG(permit_agent_forwarding_flag);
+ OPT_FLAG(permit_x11_forwarding_flag);
+ OPT_FLAG(permit_pty_flag);
+ OPT_FLAG(permit_user_rc);
+ OPT_FLAG(restricted);
+ OPT_FLAG(cert_authority);
+#undef OPT_FLAG
+
+ if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
+ goto out;
+
+ /* tunnel number can be negative to indicate "unset" */
+ if ((r = sshbuf_get_u8(m, &f)) != 0 ||
+ (r = sshbuf_get_u32(m, &tmp)) != 0)
+ goto out;
+ opts->force_tun_device = f ? -1 : (int)tmp;
+
+ /* String options may be NULL */
+ if ((r = deserialise_nullable_string(m, &opts->cert_principals)) != 0 ||
+ (r = deserialise_nullable_string(m, &opts->force_command)) != 0 ||
+ (r = deserialise_nullable_string(m,
+ &opts->required_from_host_cert)) != 0 ||
+ (r = deserialise_nullable_string(m,
+ &opts->required_from_host_keys)) != 0)
+ goto out;
+
+ /* Array options */
+ if ((r = deserialise_array(m, &opts->env, &opts->nenv)) != 0 ||
+ (r = deserialise_array(m,
+ &opts->permitopen, &opts->npermitopen)) != 0)
+ goto out;
+
+ /* success */
+ r = 0;
+ *optsp = opts;
+ opts = NULL;
+ out:
+ sshauthopt_free(opts);
+ return r;
+}
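Review bot: In `sshauthopt_merge`, the "Earliest expiry time should win" block drops an expiry that is set only in `additional`. `ret->valid_before` starts at 0 from the `calloc` in `sshauthopt_new()`, so when `primary->valid_before == 0` the unsigned comparison `additional->valid_before < ret->valid_before` can never be true and the merged options carry no expiry. `sshauthopt_parse` already treats 0 as unset, and the merge should do the same: `if (additional->valid_before != 0 && (ret->valid_before == 0 || additional->valid_before < ret->valid_before))`. Separately, `deserialise_array` reaches `out:` with `n > 0` and `a == NULL` when `calloc` fails, and the cleanup loop then reads `a[i]`; wrapping the loop in `if (a != NULL)` avoids that.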
diff --git a/auth-options.h b/auth-options.h
index 547f016355a9..bf59b30be138 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,40 +1,91 @@
-/* $OpenBSD: auth-options.h,v 1.23 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
*
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef AUTH_OPTIONS_H
#define AUTH_OPTIONS_H
-/* Linked list of custom environment strings */
-struct envstring {
- struct envstring *next;
- char *s;
+struct passwd;
+struct sshkey;
+
+/*
+ * sshauthopt represents key options parsed from authorized_keys or
+ * from certificate extensions/options.
+ */
+struct sshauthopt {
+ /* Feature flags */
+ int permit_port_forwarding_flag;
+ int permit_agent_forwarding_flag;
+ int permit_x11_forwarding_flag;
+ int permit_pty_flag;
+ int permit_user_rc;
+
+ /* "restrict" keyword was invoked */
+ int restricted;
+
+ /* key/principal expiry date */
+ uint64_t valid_before;
+
+ /* Certificate-related options */
+ int cert_authority;
+ char *cert_principals;
+
+ int force_tun_device;
+ char *force_command;
+
+ /* Custom environment */
+ size_t nenv;
+ char **env;
+
+ /* Permitted port forwardings */
+ size_t npermitopen;
+ char **permitopen;
+
+ /*
+ * Permitted host/addresses (comma-separated)
+ * Caller must check source address matches both lists (if present).
+ */
+ char *required_from_host_cert;
+ char *required_from_host_keys;
};
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern int no_user_rc;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-extern int forced_tun_device;
-extern int key_is_cert_authority;
-extern char *authorized_principals;
-
-int auth_parse_options(struct passwd *, char *, const char *, u_long);
-void auth_clear_options(void);
-int auth_cert_options(struct sshkey *, struct passwd *, const char **);
+struct sshauthopt *sshauthopt_new(void);
+struct sshauthopt *sshauthopt_new_with_keys_defaults(void);
+void sshauthopt_free(struct sshauthopt *opts);
+struct sshauthopt *sshauthopt_copy(const struct sshauthopt *orig);
+int sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, int);
+int sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **opts);
+
+/*
+ * Parse authorized_keys options. Returns an options structure on success
+ * or NULL on failure. Will set errstr on failure.
+ */
+struct sshauthopt *sshauthopt_parse(const char *s, const char **errstr);
+
+/*
+ * Parse certification options to a struct sshauthopt.
+ * Returns options on success or NULL on failure.
+ */
+struct sshauthopt *sshauthopt_from_cert(struct sshkey *k);
+
+/*
+ * Merge key options.
+ */
+struct sshauthopt *sshauthopt_merge(const struct sshauthopt *primary,
+ const struct sshauthopt *additional, const char **errstrp);
#endif
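Review bot: The prototypes for `sshauthopt_serialise` and `sshauthopt_deserialise` take `struct sshbuf *`, but the header forward-declares only `struct passwd` and `struct sshkey`. It therefore compiles cleanly only when the includer has already seen a declaration of `struct sshbuf`; adding `struct sshbuf;` beside the other two makes it self-contained. The third parameter of `sshauthopt_serialise` is an unnamed `int` here, while the definition calls it `untrusted` and uses it to substitute placeholders for `cert_principals` and `force_command` and to omit the host lists and arrays. Naming it and adding a comment such as `/* untrusted != 0: flags only; strings replaced by placeholders, lists omitted */` would tell callers what the receiving side can rely on.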
diff --git a/auth-pam.c b/auth-pam.c
index de29c04c9c81..00ba87775511 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -287,18 +287,27 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
void
sshpam_password_change_required(int reqd)
{
+ extern struct sshauthopt *auth_opts;
+ static int saved_port, saved_agent, saved_x11;
+
debug3("%s %d", __func__, reqd);
if (sshpam_authctxt == NULL)
fatal("%s: PAM authctxt not initialized", __func__);
sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
- no_port_forwarding_flag |= 2;
- no_agent_forwarding_flag |= 2;
- no_x11_forwarding_flag |= 2;
+ saved_port = auth_opts->permit_port_forwarding_flag;
+ saved_agent = auth_opts->permit_agent_forwarding_flag;
+ saved_x11 = auth_opts->permit_x11_forwarding_flag;
+ auth_opts->permit_port_forwarding_flag = 0;
+ auth_opts->permit_agent_forwarding_flag = 0;
+ auth_opts->permit_x11_forwarding_flag = 0;
} else {
- no_port_forwarding_flag &= ~2;
- no_agent_forwarding_flag &= ~2;
- no_x11_forwarding_flag &= ~2;
+ if (saved_port)
+ auth_opts->permit_port_forwarding_flag = saved_port;
+ if (saved_agent)
+ auth_opts->permit_agent_forwarding_flag = saved_agent;
+ if (saved_x11)
+ auth_opts->permit_x11_forwarding_flag = saved_x11;
}
}
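Review bot: The restore branch of `sshpam_password_change_required` writes back function-static `saved_*` values captured at the last `reqd` call, so it is only correct if `auth_opts` still refers to the same, unchanged options. If `auth_opts` is replaced or tightened between the two calls (not visible in this hunk), the stale values would re-enable forwarding that the current options deny. A second `reqd` call before a restore also overwrites the saved values with zeros, which leaves forwarding disabled afterwards; that fails closed but looks unintended. At minimum the invariant deserves a comment above the statics, for example `/* saved_* are valid only while auth_opts is unchanged since the matching reqd call */`.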
@@ -1077,7 +1086,7 @@ do_pam_chauthtok(void)
}
void
-do_pam_session(void)
+do_pam_session(struct ssh *ssh)
{
debug3("PAM: opening session");
@@ -1093,7 +1102,7 @@ do_pam_session(void)
sshpam_session_open = 1;
else {
sshpam_session_open = 0;
- disable_forwarding();
+ auth_restrict_session(ssh);
error("PAM: pam_open_session(): %s",
pam_strerror(sshpam_handle, sshpam_err));
}
diff --git a/auth-pam.h b/auth-pam.h
index c47b442e48a5..4198607454fb 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -25,10 +25,12 @@
#include "includes.h"
#ifdef USE_PAM
+struct ssh;
+
void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
-void do_pam_session(void);
+void do_pam_session(struct ssh *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *);
diff --git a/auth-passwd.c b/auth-passwd.c
index 996c2cf71b00..6097fdd243ea 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -68,22 +68,15 @@ extern login_cap_t *lc;
#define MAX_PASSWORD_LEN 1024
-void
-disable_forwarding(void)
-{
- no_port_forwarding_flag = 1;
- no_agent_forwarding_flag = 1;
- no_x11_forwarding_flag = 1;
-}
-
/*
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
int
-auth_password(Authctxt *authctxt, const char *password)
+auth_password(struct ssh *ssh, const char *password)
{
- struct passwd * pw = authctxt->pw;
+ Authctxt *authctxt = ssh->authctxt;
+ struct passwd *pw = authctxt->pw;
int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;
@@ -128,9 +121,9 @@ auth_password(Authctxt *authctxt, const char *password)
authctxt->force_pwchange = 1;
}
#endif
- result = sys_auth_passwd(authctxt, password);
+ result = sys_auth_passwd(ssh, password);
if (authctxt->force_pwchange)
- disable_forwarding();
+ auth_restrict_session(ssh);
return (result && ok);
}
@@ -170,19 +163,19 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as)
}
int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
{
- struct passwd *pw = authctxt->pw;
+ Authctxt *authctxt = ssh->authctxt;
auth_session_t *as;
static int expire_checked = 0;
- as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+ as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
(char *)password);
if (as == NULL)
return (0);
if (auth_getstate(as) & AUTH_PWEXPIRED) {
auth_close(as);
- disable_forwarding();
+ auth_restrict_session(ssh);
authctxt->force_pwchange = 1;
return (1);
} else {
@@ -195,8 +188,9 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
}
#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
+sys_auth_passwd(struct ssh *ssh, const char *password)
{
+ Authctxt *authctxt = ssh->authctxt;
struct passwd *pw = authctxt->pw;
char *encrypted_password, *salt = NULL;
diff --git a/auth-sia.c b/auth-sia.c
index a9e1c258ca61..7c97f03e51e6 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -36,6 +36,7 @@
#include <string.h>
#include "ssh.h"
+#include "ssh_api.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
@@ -50,11 +51,12 @@ extern int saved_argc;
extern char **saved_argv;
int
-sys_auth_passwd(Authctxt *authctxt, const char *pass)
+sys_auth_passwd(struct ssh *ssh, const char *pass)
{
int ret;
SIAENTITY *ent = NULL;
const char *host;
+ Authctxt *authctxt = ssh->authctxt;
host = get_canonical_hostname(options.use_dns);
diff --git a/auth.c b/auth.c
index a449061741af..63366768a019 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.124 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -28,6 +28,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
+#include <sys/wait.h>
#include <netinet/in.h>
@@ -73,12 +74,14 @@
#include "authfile.h"
#include "ssherr.h"
#include "compat.h"
+#include "channels.h"
/* import */
extern ServerOptions options;
extern int use_privsep;
extern Buffer loginmsg;
extern struct passwd *privsep_pw;
+extern struct sshauthopt *auth_opts;
/* Debugging messages */
Buffer auth_debug;
@@ -385,10 +388,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
* Check whether root logins are disallowed.
*/
int
-auth_root_allowed(const char *method)
+auth_root_allowed(struct ssh *ssh, const char *method)
{
- struct ssh *ssh = active_state; /* XXX */
-
switch (options.permit_root_login) {
case PERMIT_YES:
return 1;
@@ -399,7 +400,7 @@ auth_root_allowed(const char *method)
return 1;
break;
case PERMIT_FORCED_ONLY:
- if (forced_command) {
+ if (auth_opts->force_command != NULL) {
logit("Root login accepted for forced command.");
return 1;
}
@@ -840,3 +841,343 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
return dnsname;
}
}
+
+/*
+ * Runs command in a subprocess wuth a minimal environment.
+ * Returns pid on success, 0 on failure.
+ * The child stdout and stderr maybe captured, left attached or sent to
+ * /dev/null depending on the contents of flags.
+ * "tag" is prepended to log messages.
+ * NB. "command" is only used for logging; the actual command executed is
+ * av[0].
+ */
+pid_t
+subprocess(const char *tag, struct passwd *pw, const char *command,
+ int ac, char **av, FILE **child, u_int flags)
+{
+ FILE *f = NULL;
+ struct stat st;
+ int fd, devnull, p[2], i;
+ pid_t pid;
+ char *cp, errmsg[512];
+ u_int envsize;
+ char **child_env;
+
+ if (child != NULL)
+ *child = NULL;
+
+ debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__,
+ tag, command, pw->pw_name, flags);
+
+ /* Check consistency */
+ if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
+ (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) {
+ error("%s: inconsistent flags", __func__);
+ return 0;
+ }
+ if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) {
+ error("%s: inconsistent flags/output", __func__);
+ return 0;
+ }
+
+ /*
+ * If executing an explicit binary, then verify the it exists
+ * and appears safe-ish to execute
+ */
+ if (*av[0] != '/') {
+ error("%s path is not absolute", tag);
+ return 0;
+ }
+ temporarily_use_uid(pw);
+ if (stat(av[0], &st) < 0) {
+ error("Could not stat %s \"%s\": %s", tag,
+ av[0], strerror(errno));
+ restore_uid();
+ return 0;
+ }
+ if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
+ error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
+ restore_uid();
+ return 0;
+ }
+ /* Prepare to keep the child's stdout if requested */
+ if (pipe(p) != 0) {
+ error("%s: pipe: %s", tag, strerror(errno));
+ restore_uid();
+ return 0;
+ }
+ restore_uid();
+
+ switch ((pid = fork())) {
+ case -1: /* error */
+ error("%s: fork: %s", tag, strerror(errno));
+ close(p[0]);
+ close(p[1]);
+ return 0;
+ case 0: /* child */
+ /* Prepare a minimal environment for the child. */
+ envsize = 5;
+ child_env = xcalloc(sizeof(*child_env), envsize);
+ child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
+ child_set_env(&child_env, &envsize, "USER", pw->pw_name);
+ child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
+ child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
+ if ((cp = getenv("LANG")) != NULL)
+ child_set_env(&child_env, &envsize, "LANG", cp);
+
+ for (i = 0; i < NSIG; i++)
+ signal(i, SIG_DFL);
+
+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+ error("%s: open %s: %s", tag, _PATH_DEVNULL,
+ strerror(errno));
+ _exit(1);
+ }
+ if (dup2(devnull, STDIN_FILENO) == -1) {
+ error("%s: dup2: %s", tag, strerror(errno));
+ _exit(1);
+ }
+
+ /* Set up stdout as requested; leave stderr in place for now. */
+ fd = -1;
+ if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
+ fd = p[1];
+ else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
+ fd = devnull;
+ if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
+ error("%s: dup2: %s", tag, strerror(errno));
+ _exit(1);
+ }
+ closefrom(STDERR_FILENO + 1);
+
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ strerror(errno));
+ _exit(1);
+ }
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
+ error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
+ strerror(errno));
+ _exit(1);
+ }
+ /* stdin is pointed to /dev/null at this point */
+ if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
+ dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
+ error("%s: dup2: %s", tag, strerror(errno));
+ _exit(1);
+ }
+
+ execve(av[0], av, child_env);
+ error("%s exec \"%s\": %s", tag, command, strerror(errno));
+ _exit(127);
+ default: /* parent */
+ break;
+ }
+
+ close(p[1]);
+ if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0)
+ close(p[0]);
+ else if ((f = fdopen(p[0], "r")) == NULL) {
+ error("%s: fdopen: %s", tag, strerror(errno));
+ close(p[0]);
+ /* Don't leave zombie child */
+ kill(pid, SIGTERM);
+ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
+ ;
+ return 0;
+ }
+ /* Success */
+ debug3("%s: %s pid %ld", __func__, tag, (long)pid);
+ if (child != NULL)
+ *child = f;
+ return pid;
+}
+
+/* These functions link key/cert options to the auth framework */
+
+/* Log sshauthopt options locally and (optionally) for remote transmission */
+void
+auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
+{
+ int do_env = options.permit_user_env && opts->nenv > 0;
+ int do_permitopen = opts->npermitopen > 0 &&
+ (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
+ size_t i;
+ char msg[1024], buf[64];
+
+ snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
+ /* Try to keep this alphabetically sorted */
+ snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
+ opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
+ opts->force_command == NULL ? "" : " command",
+ do_env ? " environment" : "",
+ opts->valid_before == 0 ? "" : "expires",
+ do_permitopen ? " permitopen" : "",
+ opts->permit_port_forwarding_flag ? " port-forwarding" : "",
+ opts->cert_principals == NULL ? "" : " principals",
+ opts->permit_pty_flag ? " pty" : "",
+ opts->force_tun_device == -1 ? "" : " tun=",
+ opts->force_tun_device == -1 ? "" : buf,
+ opts->permit_user_rc ? " user-rc" : "",
+ opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
+
+ debug("%s: %s", loc, msg);
+ if (do_remote)
+ auth_debug_add("%s: %s", loc, msg);
+
+ if (options.permit_user_env) {
+ for (i = 0; i < opts->nenv; i++) {
+ debug("%s: environment: %s", loc, opts->env[i]);
+ if (do_remote) {
+ auth_debug_add("%s: environment: %s",
+ loc, opts->env[i]);
+ }
+ }
+ }
+
+ /* Go into a little more details for the local logs. */
+ if (opts->valid_before != 0) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: expires at %s", loc, buf);
+ }
+ if (opts->cert_principals != NULL) {
+ debug("%s: authorized principals: \"%s\"",
+ loc, opts->cert_principals);
+ }
+ if (opts->force_command != NULL)
+ debug("%s: forced command: \"%s\"", loc, opts->force_command);
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
+ for (i = 0; i < opts->npermitopen; i++) {
+ debug("%s: permitted open: %s",
+ loc, opts->permitopen[i]);
+ }
+ }
+}
+
+/* Activate a new set of key/cert options; merging with what is there. */
+int
+auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)
+{
+ struct sshauthopt *old = auth_opts;
+ const char *emsg = NULL;
+
+ debug("%s: setting new authentication options", __func__);
+ if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
+ error("Inconsistent authentication options: %s", emsg);
+ return -1;
+ }
+ return 0;
+}
+
+/* Disable forwarding, etc for the session */
+void
+auth_restrict_session(struct ssh *ssh)
+{
+ struct sshauthopt *restricted;
+
+ debug("%s: restricting session", __func__);
+
+ /* A blank sshauthopt defaults to permitting nothing */
+ restricted = sshauthopt_new();
+ restricted->restricted = 1;
+
+ if (auth_activate_options(ssh, restricted) != 0)
+ fatal("%s: failed to restrict session", __func__);
+ sshauthopt_free(restricted);
+}
+
+int
+auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
+ struct sshauthopt *opts, int allow_cert_authority, const char *loc)
+{
+ const char *remote_ip = ssh_remote_ipaddr(ssh);
+ const char *remote_host = auth_get_canonical_hostname(ssh,
+ options.use_dns);
+ time_t now = time(NULL);
+ char buf[64];
+
+ /*
+ * Check keys/principals file expiry time.
+ * NB. validity interval in certificate is handled elsewhere.
+ */
+ if (opts->valid_before && now > 0 &&
+ opts->valid_before < (uint64_t)now) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: entry expired at %s", loc, buf);
+ auth_debug_add("%s: entry expired at %s", loc, buf);
+ return -1;
+ }
+ /* Consistency checks */
+ if (opts->cert_principals != NULL && !opts->cert_authority) {
+ debug("%s: principals on non-CA key", loc);
+ auth_debug_add("%s: principals on non-CA key", loc);
+ /* deny access */
+ return -1;
+ }
+ /* cert-authority flag isn't valid in authorized_principals files */
+ if (!allow_cert_authority && opts->cert_authority) {
+ debug("%s: cert-authority flag invalid here", loc);
+ auth_debug_add("%s: cert-authority flag invalid here", loc);
+ /* deny access */
+ return -1;
+ }
+
+ /* Perform from= checks */
+ if (opts->required_from_host_keys != NULL) {
+ switch (match_host_and_ip(remote_host, remote_ip,
+ opts->required_from_host_keys )) {
+ case 1:
+ /* Host name matches. */
+ break;
+ case -1:
+ default:
+ debug("%s: invalid from criteria", loc);
+ auth_debug_add("%s: invalid from criteria", loc);
+ /* FALLTHROUGH */
+ case 0:
+ logit("%s: Authentication tried for %.100s with "
+ "correct key but not from a permitted "
+ "host (host=%.200s, ip=%.200s, required=%.200s).",
+ loc, pw->pw_name, remote_host, remote_ip,
+ opts->required_from_host_keys);
+ auth_debug_add("%s: Your host '%.200s' is not "
+ "permitted to use this key for login.",
+ loc, remote_host);
+ /* deny access */
+ return -1;
+ }
+ }
+ /* Check source-address restriction from certificate */
+ if (opts->required_from_host_cert != NULL) {
+ switch (addr_match_cidr_list(remote_ip,
+ opts->required_from_host_cert)) {
+ case 1:
+ /* accepted */
+ break;
+ case -1:
+ default:
+ /* invalid */
+ error("%s: Certificate source-address invalid",
+ loc);
+ /* FALLTHROUGH */
+ case 0:
+ logit("%s: Authentication tried for %.100s with valid "
+ "certificate but not from a permitted source "
+ "address (%.200s).", loc, pw->pw_name, remote_ip);
+ auth_debug_add("%s: Your address '%.200s' is not "
+ "permitted to use this certificate for login.",
+ loc, remote_ip);
+ return -1;
+ }
+ }
+ /*
+ *
+ * XXX this is spammy. We should report remotely only for keys
+ * that are successful in actual auth attempts, and not PK_OK
+ * tests.
+ */
+ auth_log_authopts(loc, opts, 1);
+
+ return 0;
+}
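Review bot: In subprocess(), the stderr redirect that follows the setresuid() call tests `SSH_SUBPROCESS_STDOUT_DISCARD`, so `SSH_SUBPROCESS_STDERR_DISCARD` is never consulted anywhere in the function. A caller that passes `SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD`, as match_principals_command() does in auth2-pubkey.c, cannot also set the stdout-discard flag because the consistency check at the top rejects that pair. The helper's stderr therefore stays attached to whatever the daemon's stderr is. The condition should read `if ((flags & SSH_SUBPROCESS_STDERR_DISCARD) != 0 &&`.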
diff --git a/auth.h b/auth.h
index 29835ae92750..23ce67cafe41 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.93 2017/08/18 05:36:45 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.95 2018/03/03 03:15:51 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -42,9 +42,11 @@
#include <krb5.h>
#endif
+struct passwd;
struct ssh;
-struct sshkey;
struct sshbuf;
+struct sshkey;
+struct sshauthopt;
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
@@ -128,11 +130,12 @@ struct KbdintDevice
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-int auth_password(Authctxt *, const char *);
+int auth_password(struct ssh *, const char *);
int hostbased_key_allowed(struct passwd *, const char *, char *,
struct sshkey *);
-int user_key_allowed(struct passwd *, struct sshkey *, int);
+int user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
+ struct sshauthopt **);
int auth2_key_already_used(Authctxt *, const struct sshkey *);
/*
@@ -163,14 +166,12 @@ int auth_shadow_pwexpired(Authctxt *);
#include "audit.h"
void remove_kbdint_device(const char *);
-void disable_forwarding(void);
-
void do_authentication2(Authctxt *);
void auth_log(Authctxt *, int, int, const char *, const char *);
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *);
-int auth_root_allowed(const char *);
+int auth_root_allowed(struct ssh *, const char *);
void userauth_send_banner(const char *);
@@ -214,14 +215,29 @@ int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
size_t *, const u_char *, size_t, const char *, u_int);
+/* Key / cert options linkage to auth layer */
+const struct sshauthopt *auth_options(struct ssh *);
+int auth_activate_options(struct ssh *, struct sshauthopt *);
+void auth_restrict_session(struct ssh *);
+int auth_authorise_keyopts(struct ssh *, struct passwd *pw,
+ struct sshauthopt *, int, const char *);
+void auth_log_authopts(const char *, const struct sshauthopt *, int);
+
/* debug messages during authentication */
-void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void auth_debug_add(const char *fmt,...)
+ __attribute__((format(printf, 1, 2)));
void auth_debug_send(void);
void auth_debug_reset(void);
struct passwd *fakepw(void);
-int sys_auth_passwd(Authctxt *, const char *);
+#define SSH_SUBPROCESS_STDOUT_DISCARD (1) /* Discard stdout */
+#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
+#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
+pid_t subprocess(const char *, struct passwd *,
+ const char *, int, char **, FILE **, u_int flags);
+
+int sys_auth_passwd(struct ssh *, const char *);
#define SKEY_PROMPT "\nS/Key Password: "
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 92758b38c19d..8996f7e05211 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.31 2017/06/24 06:34:38 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.33 2018/01/23 05:27:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -62,7 +62,7 @@ userauth_hostbased(struct ssh *ssh)
Authctxt *authctxt = ssh->authctxt;
struct sshbuf *b;
struct sshkey *key = NULL;
- char *pkalg, *cuser, *chost, *service;
+ char *pkalg, *cuser, *chost;
u_char *pkblob, *sig;
size_t alen, blen, slen;
int r, pktype, authenticated = 0;
@@ -118,15 +118,13 @@ userauth_hostbased(struct ssh *ssh)
goto done;
}
- service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
- authctxt->service;
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
/* reconstruct packet */
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
- (r = sshbuf_put_cstring(b, service)) != 0 ||
+ (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
(r = sshbuf_put_string(b, pkblob, blen)) != 0 ||
@@ -144,7 +142,7 @@ userauth_hostbased(struct ssh *ssh)
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
PRIVSEP(sshkey_verify(key, sig, slen,
- sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0)
+ sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
authenticated = 1;
auth2_record_key(authctxt, authenticated, key);
diff --git a/auth2-none.c b/auth2-none.c
index 35d25fa6349f..8d4e9bb8c815 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-none.c,v 1.20 2017/05/30 14:29:59 markus Exp $ */
+/* $OpenBSD: auth2-none.c,v 1.21 2018/03/03 03:15:51 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -68,7 +68,7 @@ userauth_none(struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
if (options.permit_empty_passwd && options.password_authentication)
- return (PRIVSEP(auth_password(ssh->authctxt, "")));
+ return (PRIVSEP(auth_password(ssh, "")));
return (0);
}
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 5f7ba32440b0..445016aec477 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.14 2017/05/30 14:29:59 markus Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.15 2018/03/03 03:15:51 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -63,7 +63,7 @@ userauth_passwd(struct ssh *ssh)
if (change)
logit("password change not supported");
- else if (PRIVSEP(auth_password(ssh->authctxt, password)) == 1)
+ else if (PRIVSEP(auth_password(ssh, password)) == 1)
authenticated = 1;
explicit_bzero(password, len);
free(password);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 169839b01ed7..8024b1d6a976 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.71 2017/09/07 23:48:09 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.77 2018/03/03 03:15:51 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -73,42 +73,39 @@ extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+static char *
+format_key(const struct sshkey *key)
+{
+ char *ret, *fp = sshkey_fingerprint(key,
+ options.fingerprint_hash, SSH_FP_DEFAULT);
+
+ xasprintf(&ret, "%s %s", sshkey_type(key), fp);
+ free(fp);
+ return ret;
+}
+
static int
userauth_pubkey(struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
+ struct passwd *pw = authctxt->pw;
struct sshbuf *b;
struct sshkey *key = NULL;
- char *pkalg, *userstyle = NULL, *fp = NULL;
+ char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
u_char *pkblob, *sig, have_sig;
size_t blen, slen;
int r, pktype;
int authenticated = 0;
+ struct sshauthopt *authopts = NULL;
if (!authctxt->valid) {
debug2("%s: disabled because of invalid user", __func__);
return 0;
}
- if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
- fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
- if (ssh->compat & SSH_BUG_PKAUTH) {
- debug2("%s: SSH_BUG_PKAUTH", __func__);
- if ((b = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
- /* no explicit pkalg given */
- /* so we have to extract the pkalg from the pkblob */
- /* XXX use sshbuf_from() */
- if ((r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
- (r = sshbuf_put(b, pkblob, blen)) != 0 ||
- (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0)
- fatal("%s: failed: %s", __func__, ssh_err(r));
- sshbuf_free(b);
- } else {
- if ((r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
- (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
- fatal("%s: sshpkt_get_cstring failed: %s",
- __func__, ssh_err(r));
- }
+ if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
+ (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
+ (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
+ fatal("%s: parse request failed: %s", __func__, ssh_err(r));
pktype = sshkey_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
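Review bot: format_key() passes the result of sshkey_fingerprint() to `xasprintf(&ret, "%s %s", ...)` without checking it, while check_authkey_line() later in this file treats a NULL return from the same call as possible and calls fatal(). Passing NULL for `%s` is undefined behaviour, and format_key() runs on the key taken from the client's request. Either mirror the other call site with `if (fp == NULL) fatal("%s: fingerprint failed", __func__);` or substitute a fixed placeholder string when `fp` is NULL. userauth_pubkey() continues past the end of this hunk.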
@@ -135,7 +132,6 @@ userauth_pubkey(struct ssh *ssh)
"signature scheme");
goto done;
}
- fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
if (auth2_key_already_used(authctxt, key)) {
logit("refusing previously-used %s key", sshkey_type(key));
goto done;
@@ -147,9 +143,15 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
+ key_s = format_key(key);
+ if (sshkey_is_cert(key))
+ ca_s = format_key(key->cert->signature_key);
+
if (have_sig) {
- debug3("%s: have signature for %s %s",
- __func__, sshkey_type(key), fp);
+ debug3("%s: have %s signature for %s%s%s",
+ __func__, pkalg, key_s,
+ ca_s == NULL ? "" : " CA ",
+ ca_s == NULL ? "" : ca_s);
if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
@@ -172,22 +174,11 @@ userauth_pubkey(struct ssh *ssh)
authctxt->style ? authctxt->style : "");
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
- (r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
- "ssh-userauth" : authctxt->service)) != 0)
- fatal("%s: build packet failed: %s",
- __func__, ssh_err(r));
- if (ssh->compat & SSH_BUG_PKAUTH) {
- if ((r = sshbuf_put_u8(b, have_sig)) != 0)
- fatal("%s: build packet failed: %s",
- __func__, ssh_err(r));
- } else {
- if ((r = sshbuf_put_cstring(b, "publickey")) != 0 ||
- (r = sshbuf_put_u8(b, have_sig)) != 0 ||
- (r = sshbuf_put_cstring(b, pkalg) != 0))
- fatal("%s: build packet failed: %s",
- __func__, ssh_err(r));
- }
- if ((r = sshbuf_put_string(b, pkblob, blen)) != 0)
+ (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
+ (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
+ (r = sshbuf_put_u8(b, have_sig)) != 0 ||
+ (r = sshbuf_put_cstring(b, pkalg) != 0) ||
+ (r = sshbuf_put_string(b, pkblob, blen)) != 0)
fatal("%s: build packet failed: %s",
__func__, ssh_err(r));
#ifdef DEBUG_PK
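Review bot: The pkalg term in the merged condition is written `(r = sshbuf_put_cstring(b, pkalg) != 0)`, which assigns the result of the comparison to `r` instead of the return code; the removed code had the same misplaced parenthesis. A failure is still caught, but `r` is then 1 and `ssh_err(r)` in the fatal() message no longer describes the real error. It should be `(r = sshbuf_put_cstring(b, pkalg)) != 0 ||`, like the neighbouring terms. The have_sig branch of userauth_pubkey() that contains this starts and ends outside the hunk.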
@@ -196,17 +187,20 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */
authenticated = 0;
- if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+ if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
- sshbuf_len(b), ssh->compat)) == 0) {
+ sshbuf_len(b), NULL, ssh->compat)) == 0) {
authenticated = 1;
}
sshbuf_free(b);
free(sig);
auth2_record_key(authctxt, authenticated, key);
} else {
- debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
- __func__, sshkey_type(key), fp);
+ debug("%s: test pkalg %s pkblob %s%s%s",
+ __func__, pkalg, key_s,
+ ca_s == NULL ? "" : " CA ",
+ ca_s == NULL ? "" : ca_s);
+
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
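Review bot: sshkey_verify() is called with NULL for its new argument in the have_sig branch, while userauth_hostbased() in this same commit passes `pkalg` in that position. If that argument is the signature algorithm the caller expects (its definition is not visible here), the publickey path does not bind the signature to the algorithm named in the request. Consider `sshbuf_len(b), pkalg, ssh->compat)) == 0) {`, or add a comment at the call stating why NULL is intended so the difference from the hostbased path is not read as an oversight. userauth_pubkey() starts and ends outside this hunk.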
@@ -218,7 +212,7 @@ userauth_pubkey(struct ssh *ssh)
* if a user is not allowed to login. is this an
* issue? -markus
*/
- if (PRIVSEP(user_key_allowed(authctxt->pw, key, 0))) {
+ if (PRIVSEP(user_key_allowed(ssh, pw, key, 0, NULL))) {
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK))
!= 0 ||
(r = sshpkt_put_cstring(ssh, pkalg)) != 0 ||
@@ -229,15 +223,20 @@ userauth_pubkey(struct ssh *ssh)
authctxt->postponed = 1;
}
}
- if (authenticated != 1)
- auth_clear_options();
done:
+ if (authenticated == 1 && auth_activate_options(ssh, authopts) != 0) {
+ debug("%s: key options inconsistent with existing", __func__);
+ authenticated = 0;
+ }
debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
+
+ sshauthopt_free(authopts);
sshkey_free(key);
free(userstyle);
free(pkalg);
free(pkblob);
- free(fp);
+ free(key_s);
+ free(ca_s);
return authenticated;
}
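Review bot: `auth_activate_options()` runs at `done:`, after the have_sig branch has already called `auth2_record_key(authctxt, authenticated, key)` with `authenticated == 1`. When the merge fails, `authenticated` is reset to 0 here but the key has already been recorded as a success. What auth2_record_key() stores is not visible in this diff; if it feeds auth2_key_already_used(), the key would be refused on a later attempt, and any log or audit record of the success would disagree with the final result. Consider activating the options before recording the key, or recording only once the final value of `authenticated` is known. userauth_pubkey() starts outside this hunk.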
@@ -261,18 +260,77 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
return 0;
}
+/*
+ * Process a single authorized_principals format line. Returns 0 and sets
+ * authoptsp is principal is authorised, -1 otherwise. "loc" is used as a
+ * log preamble for file/line information.
+ */
+static int
+check_principals_line(struct ssh *ssh, char *cp, const struct sshkey_cert *cert,
+ const char *loc, struct sshauthopt **authoptsp)
+{
+ u_int i, found = 0;
+ char *ep, *line_opts;
+ const char *reason = NULL;
+ struct sshauthopt *opts = NULL;
+
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+
+ /* Trim trailing whitespace. */
+ ep = cp + strlen(cp) - 1;
+ while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
+ *ep-- = '\0';
+
+ /*
+ * If the line has internal whitespace then assume it has
+ * key options.
+ */
+ line_opts = NULL;
+ if ((ep = strrchr(cp, ' ')) != NULL ||
+ (ep = strrchr(cp, '\t')) != NULL) {
+ for (; *ep == ' ' || *ep == '\t'; ep++)
+ ;
+ line_opts = cp;
+ cp = ep;
+ }
+ if ((opts = sshauthopt_parse(line_opts, &reason)) == NULL) {
+ debug("%s: bad principals options: %s", loc, reason);
+ auth_debug_add("%s: bad principals options: %s", loc, reason);
+ return -1;
+ }
+ /* Check principals in cert against those on line */
+ for (i = 0; i < cert->nprincipals; i++) {
+ if (strcmp(cp, cert->principals[i]) != 0)
+ continue;
+ debug3("%s: matched principal \"%.100s\"",
+ loc, cert->principals[i]);
+ found = 1;
+ }
+ if (found && authoptsp != NULL) {
+ *authoptsp = opts;
+ opts = NULL;
+ }
+ sshauthopt_free(opts);
+ return found ? 0 : -1;
+}
+
static int
-process_principals(FILE *f, const char *file, struct passwd *pw,
- const struct sshkey_cert *cert)
+process_principals(struct ssh *ssh, FILE *f, const char *file,
+ const struct sshkey_cert *cert, struct sshauthopt **authoptsp)
{
- char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
+ char loc[256], line[SSH_MAX_PUBKEY_BYTES], *cp, *ep;
u_long linenum = 0;
- u_int i, found_principal = 0;
+ u_int found_principal = 0;
+
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
/* Always consume entire input */
if (found_principal)
continue;
+
/* Skip leading whitespace. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
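Review bot: check_principals_line() calls sshauthopt_parse() and, on failure, auth_debug_add() before it compares the line's principal with the certificate, whereas the removed code parsed options only for a line that had already matched. auth_debug_add() is the call auth_log_authopts() uses for remote transmission, so a malformed options string on a line for an unrelated principal now appears to queue the file location and parse error for the peer. Consider matching the principal first and parsing options only on a match, or keeping the non-matching case to the local `debug()` call. The `ssh` parameter is unused in this function. process_principals() continues past the end of this hunk.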
@@ -281,50 +339,33 @@ process_principals(FILE *f, const char *file, struct passwd *pw,
*ep = '\0';
if (!*cp || *cp == '\n')
continue;
- /* Trim trailing whitespace. */
- ep = cp + strlen(cp) - 1;
- while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
- *ep-- = '\0';
- /*
- * If the line has internal whitespace then assume it has
- * key options.
- */
- line_opts = NULL;
- if ((ep = strrchr(cp, ' ')) != NULL ||
- (ep = strrchr(cp, '\t')) != NULL) {
- for (; *ep == ' ' || *ep == '\t'; ep++)
- ;
- line_opts = cp;
- cp = ep;
- }
- for (i = 0; i < cert->nprincipals; i++) {
- if (strcmp(cp, cert->principals[i]) == 0) {
- debug3("%s:%lu: matched principal \"%.100s\"",
- file, linenum, cert->principals[i]);
- if (auth_parse_options(pw, line_opts,
- file, linenum) != 1)
- continue;
- found_principal = 1;
- continue;
- }
- }
+
+ snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum);
+ if (check_principals_line(ssh, cp, cert, loc, authoptsp) == 0)
+ found_principal = 1;
}
return found_principal;
}
+/* XXX remove pw args here and elsewhere once ssh->authctxt is guaranteed */
+
static int
-match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
+match_principals_file(struct ssh *ssh, struct passwd *pw, char *file,
+ struct sshkey_cert *cert, struct sshauthopt **authoptsp)
{
FILE *f;
int success;
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+
temporarily_use_uid(pw);
debug("trying authorized principals file %s", file);
if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
restore_uid();
return 0;
}
- success = process_principals(f, file, pw, cert);
+ success = process_principals(ssh, f, file, cert, authoptsp);
fclose(f);
restore_uid();
return success;
@@ -335,12 +376,13 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
* returns 1 if the principal is allowed or 0 otherwise.
*/
static int
-match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+match_principals_command(struct ssh *ssh, struct passwd *user_pw,
+ const struct sshkey *key, struct sshauthopt **authoptsp)
{
+ struct passwd *runas_pw = NULL;
const struct sshkey_cert *cert = key->cert;
FILE *f = NULL;
int r, ok, found_principal = 0;
- struct passwd *pw;
int i, ac = 0, uid_swapped = 0;
pid_t pid;
char *tmp, *username = NULL, *command = NULL, **av = NULL;
@@ -348,6 +390,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
char serial_s[16];
void (*osigchld)(int);
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
if (options.authorized_principals_command == NULL)
return 0;
if (options.authorized_principals_command_user == NULL) {
@@ -365,8 +409,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
/* Prepare and verify the user for the command */
username = percent_expand(options.authorized_principals_command_user,
"u", user_pw->pw_name, (char *)NULL);
- pw = getpwnam(username);
- if (pw == NULL) {
+ runas_pw = getpwnam(username);
+ if (runas_pw == NULL) {
error("AuthorizedPrincipalsCommandUser \"%s\" not found: %s",
username, strerror(errno));
goto out;
@@ -424,15 +468,15 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
/* Prepare a printable command for logs, etc. */
command = argv_assemble(ac, av);
- if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command,
+ if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
goto out;
uid_swapped = 1;
- temporarily_use_uid(pw);
+ temporarily_use_uid(runas_pw);
- ok = process_principals(f, "(command)", pw, cert);
+ ok = process_principals(ssh, f, "(command)", cert, authoptsp);
fclose(f);
f = NULL;
@@ -459,132 +503,225 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
free(keytext);
return found_principal;
}
+
+static void
+skip_space(char **cpp)
+{
+ char *cp;
+
+ for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ *cpp = cp;
+}
+
+/*
+ * Advanced *cpp past the end of key options, defined as the first unquoted
+ * whitespace character. Returns 0 on success or -1 on failure (e.g.
+ * unterminated quotes).
+ */
+static int
+advance_past_options(char **cpp)
+{
+ char *cp = *cpp;
+ int quoted = 0;
+
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ *cpp = cp;
+ /* return failure for unterminated quotes */
+ return (*cp == '\0' && quoted) ? -1 : 0;
+}
+
+/*
+ * Check a single line of an authorized_keys-format file. Returns 0 if key
+ * matches, -1 otherwise. Will return key/cert options via *authoptsp
+ * on success. "loc" is used as file/line location in log messages.
+ */
+static int
+check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
+ char *cp, const char *loc, struct sshauthopt **authoptsp)
+{
+ int want_keytype = sshkey_is_cert(key) ? KEY_UNSPEC : key->type;
+ struct sshkey *found = NULL;
+ struct sshauthopt *keyopts = NULL, *certopts = NULL, *finalopts = NULL;
+ char *key_options = NULL, *fp = NULL;
+ const char *reason = NULL;
+ int ret = -1;
+
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+
+ if ((found = sshkey_new(want_keytype)) == NULL) {
+ debug3("%s: keytype %d failed", __func__, want_keytype);
+ goto out;
+ }
+
+ /* XXX djm: peek at key type in line and skip if unwanted */
+
+ if (sshkey_read(found, &cp) != 0) {
+ /* no key? check for options */
+ debug2("%s: check options: '%s'", loc, cp);
+ key_options = cp;
+ if (advance_past_options(&cp) != 0) {
+ reason = "invalid key option string";
+ goto fail_reason;
+ }
+ skip_space(&cp);
+ if (sshkey_read(found, &cp) != 0) {
+ /* still no key? advance to next line*/
+ debug2("%s: advance: '%s'", loc, cp);
+ goto out;
+ }
+ }
+ /* Parse key options now; we need to know if this is a CA key */
+ if ((keyopts = sshauthopt_parse(key_options, &reason)) == NULL) {
+ debug("%s: bad key options: %s", loc, reason);
+ auth_debug_add("%s: bad key options: %s", loc, reason);
+ goto out;
+ }
+ /* Ignore keys that don't match or incorrectly marked as CAs */
+ if (sshkey_is_cert(key)) {
+ /* Certificate; check signature key against CA */
+ if (!sshkey_equal(found, key->cert->signature_key) ||
+ !keyopts->cert_authority)
+ goto out;
+ } else {
+ /* Plain key: check it against key found in file */
+ if (!sshkey_equal(found, key) || keyopts->cert_authority)
+ goto out;
+ }
+
+ /* We have a candidate key, perform authorisation checks */
+ if ((fp = sshkey_fingerprint(found,
+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint failed", __func__);
+
+ debug("%s: matching %s found: %s %s", loc,
+ sshkey_is_cert(key) ? "CA" : "key", sshkey_type(found), fp);
+
+ if (auth_authorise_keyopts(ssh, pw, keyopts,
+ sshkey_is_cert(key), loc) != 0) {
+ reason = "Refused by key options";
+ goto fail_reason;
+ }
+ /* That's all we need for plain keys. */
+ if (!sshkey_is_cert(key)) {
+ verbose("Accepted key %s %s found at %s",
+ sshkey_type(found), fp, loc);
+ finalopts = keyopts;
+ keyopts = NULL;
+ goto success;
+ }
+
+ /*
+ * Additional authorisation for certificates.
+ */
+
+ /* Parse and check options present in certificate */
+ if ((certopts = sshauthopt_from_cert(key)) == NULL) {
+ reason = "Invalid certificate options";
+ goto fail_reason;
+ }
+ if (auth_authorise_keyopts(ssh, pw, certopts, 0, loc) != 0) {
+ reason = "Refused by certificate options";
+ goto fail_reason;
+ }
+ if ((finalopts = sshauthopt_merge(keyopts, certopts, &reason)) == NULL)
+ goto fail_reason;
+
+ /*
+ * If the user has specified a list of principals as
+ * a key option, then prefer that list to matching
+ * their username in the certificate principals list.
+ */
+ if (keyopts->cert_principals != NULL &&
+ !match_principals_option(keyopts->cert_principals, key->cert)) {
+ reason = "Certificate does not contain an authorized principal";
+ goto fail_reason;
+ }
+ if (sshkey_cert_check_authority(key, 0, 0,
+ keyopts->cert_principals == NULL ? pw->pw_name : NULL, &reason) != 0)
+ goto fail_reason;
+
+ verbose("Accepted certificate ID \"%s\" (serial %llu) "
+ "signed by CA %s %s found at %s",
+ key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ sshkey_type(found), fp, loc);
+
+ success:
+ if (finalopts == NULL)
+ fatal("%s: internal error: missing options", __func__);
+ if (authoptsp != NULL) {
+ *authoptsp = finalopts;
+ finalopts = NULL;
+ }
+ /* success */
+ ret = 0;
+ goto out;
+
+ fail_reason:
+ error("%s", reason);
+ auth_debug_add("%s", reason);
+ out:
+ free(fp);
+ sshauthopt_free(keyopts);
+ sshauthopt_free(certopts);
+ sshauthopt_free(finalopts);
+ sshkey_free(found);
+ return ret;
+}
+
/*
* Checks whether key is allowed in authorized_keys-format file,
* returns 1 if the key is allowed or 0 otherwise.
*/
static int
-check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw)
+check_authkeys_file(struct ssh *ssh, struct passwd *pw, FILE *f,
+ char *file, struct sshkey *key, struct sshauthopt **authoptsp)
{
- char line[SSH_MAX_PUBKEY_BYTES];
+ char *cp, line[SSH_MAX_PUBKEY_BYTES], loc[256];
int found_key = 0;
u_long linenum = 0;
- struct sshkey *found = NULL;
- while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
- char *cp, *key_options = NULL, *fp = NULL;
- const char *reason = NULL;
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
/* Always consume entire file */
if (found_key)
continue;
- if (found != NULL)
- sshkey_free(found);
- found = sshkey_new(sshkey_is_cert(key) ? KEY_UNSPEC : key->type);
- if (found == NULL)
- goto done;
- auth_clear_options();
/* Skip leading whitespace, empty and comment lines. */
- for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
- ;
+ cp = line;
+ skip_space(&cp);
if (!*cp || *cp == '\n' || *cp == '#')
continue;
-
- if (sshkey_read(found, &cp) != 0) {
- /* no key? check if there are options for this key */
- int quoted = 0;
- debug2("user_key_allowed: check options: '%s'", cp);
- key_options = cp;
- for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
- if (*cp == '\\' && cp[1] == '"')
- cp++; /* Skip both */
- else if (*cp == '"')
- quoted = !quoted;
- }
- /* Skip remaining whitespace. */
- for (; *cp == ' ' || *cp == '\t'; cp++)
- ;
- if (sshkey_read(found, &cp) != 0) {
- debug2("user_key_allowed: advance: '%s'", cp);
- /* still no key? advance to next line*/
- continue;
- }
- }
- if (sshkey_is_cert(key)) {
- if (!sshkey_equal(found, key->cert->signature_key))
- continue;
- if (auth_parse_options(pw, key_options, file,
- linenum) != 1)
- continue;
- if (!key_is_cert_authority)
- continue;
- if ((fp = sshkey_fingerprint(found,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
- continue;
- debug("matching CA found: file %s, line %lu, %s %s",
- file, linenum, sshkey_type(found), fp);
- /*
- * If the user has specified a list of principals as
- * a key option, then prefer that list to matching
- * their username in the certificate principals list.
- */
- if (authorized_principals != NULL &&
- !match_principals_option(authorized_principals,
- key->cert)) {
- reason = "Certificate does not contain an "
- "authorized principal";
- fail_reason:
- free(fp);
- error("%s", reason);
- auth_debug_add("%s", reason);
- continue;
- }
- if (sshkey_cert_check_authority(key, 0, 0,
- authorized_principals == NULL ? pw->pw_name : NULL,
- &reason) != 0)
- goto fail_reason;
- if (auth_cert_options(key, pw, &reason) != 0)
- goto fail_reason;
- verbose("Accepted certificate ID \"%s\" (serial %llu) "
- "signed by %s CA %s via %s", key->cert->key_id,
- (unsigned long long)key->cert->serial,
- sshkey_type(found), fp, file);
- free(fp);
- found_key = 1;
- break;
- } else if (sshkey_equal(found, key)) {
- if (auth_parse_options(pw, key_options, file,
- linenum) != 1)
- continue;
- if (key_is_cert_authority)
- continue;
- if ((fp = sshkey_fingerprint(found,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
- continue;
- debug("matching key found: file %s, line %lu %s %s",
- file, linenum, sshkey_type(found), fp);
- free(fp);
+ snprintf(loc, sizeof(loc), "%.200s:%lu", file, linenum);
+ if (check_authkey_line(ssh, pw, key, cp, loc, authoptsp) == 0)
found_key = 1;
- continue;
- }
}
- done:
- if (found != NULL)
- sshkey_free(found);
- if (!found_key)
- debug2("key not found");
return found_key;
}
/* Authenticate a certificate key against TrustedUserCAKeys */
static int
-user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
+user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
+ struct sshauthopt **authoptsp)
{
char *ca_fp, *principals_file = NULL;
const char *reason;
+ struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;
+ struct sshauthopt *final_opts = NULL;
int r, ret = 0, found_principal = 0, use_authorized_principals;
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+
if (!sshkey_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
@@ -605,36 +742,69 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
* against the username.
*/
if ((principals_file = authorized_principals_file(pw)) != NULL) {
- if (match_principals_file(principals_file, pw, key->cert))
+ if (match_principals_file(ssh, pw, principals_file,
+ key->cert, &principals_opts))
found_principal = 1;
}
/* Try querying command if specified */
- if (!found_principal && match_principals_command(pw, key))
+ if (!found_principal && match_principals_command(ssh, pw, key,
+ &principals_opts))
found_principal = 1;
/* If principals file or command is specified, then require a match */
use_authorized_principals = principals_file != NULL ||
options.authorized_principals_command != NULL;
if (!found_principal && use_authorized_principals) {
reason = "Certificate does not contain an authorized principal";
- fail_reason:
- error("%s", reason);
- auth_debug_add("%s", reason);
- goto out;
+ goto fail_reason;
}
+ if (use_authorized_principals && principals_opts == NULL)
+ fatal("%s: internal error: missing principals_opts", __func__);
if (sshkey_cert_check_authority(key, 0, 1,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
- if (auth_cert_options(key, pw, &reason) != 0)
+
+ /* Check authority from options in key and from principals file/cmd */
+ if ((cert_opts = sshauthopt_from_cert(key)) == NULL) {
+ reason = "Invalid certificate options";
+ goto fail_reason;
+ }
+ if (auth_authorise_keyopts(ssh, pw, cert_opts, 0, "cert") != 0) {
+ reason = "Refused by certificate options";
goto fail_reason;
+ }
+ if (principals_opts == NULL) {
+ final_opts = cert_opts;
+ cert_opts = NULL;
+ } else {
+ if (auth_authorise_keyopts(ssh, pw, principals_opts, 0,
+ "principals") != 0) {
+ reason = "Refused by certificate principals options";
+ goto fail_reason;
+ }
+ if ((final_opts = sshauthopt_merge(principals_opts,
+ cert_opts, &reason)) == NULL) {
+ fail_reason:
+ error("%s", reason);
+ auth_debug_add("%s", reason);
+ goto out;
+ }
+ }
+ /* Success */
verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
"%s CA %s via %s", key->cert->key_id,
(unsigned long long)key->cert->serial,
sshkey_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
+ if (authoptsp != NULL) {
+ *authoptsp = final_opts;
+ final_opts = NULL;
+ }
ret = 1;
-
out:
+ sshauthopt_free(principals_opts);
+ sshauthopt_free(cert_opts);
+ sshauthopt_free(final_opts);
free(principals_file);
free(ca_fp);
return ret;
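Review bot: The `fail_reason:` label now sits inside the `sshauthopt_merge()` failure branch, nested in the `else` block, so every earlier `goto fail_reason` in this function jumps into the middle of an inner block. check_authkey_line, added earlier in this file, keeps the label at function level just above `out:`. Doing the same here would mean a `goto out;` after `ret = 1;`, followed by `fail_reason:` with the `error("%s", reason);` / `auth_debug_add("%s", reason);` pair before `out:`, with the merge failure branch reduced to `goto fail_reason;`. This path decides whether a certificate is refused, so it should be hard to break in a later edit. The function body starts before this hunk and its closing brace is outside it.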
@@ -645,17 +815,22 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
* returns 1 if the key is allowed or 0 otherwise.
*/
static int
-user_key_allowed2(struct passwd *pw, struct sshkey *key, char *file)
+user_key_allowed2(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
+ char *file, struct sshauthopt **authoptsp)
{
FILE *f;
int found_key = 0;
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
+
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
debug("trying public key file %s", file);
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
- found_key = check_authkeys_file(f, file, key, pw);
+ found_key = check_authkeys_file(ssh, pw, f, file,
+ key, authoptsp);
fclose(f);
}
@@ -668,17 +843,20 @@ user_key_allowed2(struct passwd *pw, struct sshkey *key, char *file)
* returns 1 if the key is allowed or 0 otherwise.
*/
static int
-user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key)
+user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw,
+ struct sshkey *key, struct sshauthopt **authoptsp)
{
+ struct passwd *runas_pw = NULL;
FILE *f = NULL;
int r, ok, found_key = 0;
- struct passwd *pw;
int i, uid_swapped = 0, ac = 0;
pid_t pid;
char *username = NULL, *key_fp = NULL, *keytext = NULL;
char *tmp, *command = NULL, **av = NULL;
void (*osigchld)(int);
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
if (options.authorized_keys_command == NULL)
return 0;
if (options.authorized_keys_command_user == NULL) {
@@ -695,8 +873,8 @@ user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key)
/* Prepare and verify the user for the command */
username = percent_expand(options.authorized_keys_command_user,
"u", user_pw->pw_name, (char *)NULL);
- pw = getpwnam(username);
- if (pw == NULL) {
+ runas_pw = getpwnam(username);
+ if (runas_pw == NULL) {
error("AuthorizedKeysCommandUser \"%s\" not found: %s",
username, strerror(errno));
goto out;
@@ -754,15 +932,16 @@ user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key)
xasprintf(&command, "%s %s", av[0], av[1]);
}
- if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
+ if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
goto out;
uid_swapped = 1;
- temporarily_use_uid(pw);
+ temporarily_use_uid(runas_pw);
- ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ ok = check_authkeys_file(ssh, user_pw, f,
+ options.authorized_keys_command, key, authoptsp);
fclose(f);
f = NULL;
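Review bot: Nothing at the `check_authkeys_file()` call explains why it receives `user_pw` while `subprocess()` and `temporarily_use_uid()` use `runas_pw`. The passwd entry passed here is forwarded to check_authkey_line and on to `auth_authorise_keyopts()`, so the options on the command's output are evaluated against the account being logged into, not the account the helper runs as. A short comment above the call would stop someone from "tidying" the two back into one variable: `/* Options are authorised for the login user (user_pw), not the AuthorizedKeysCommandUser (runas_pw). */`. The function starts and ends outside this hunk.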
@@ -792,10 +971,14 @@ user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key)
* Check whether key authenticates and authorises the user.
*/
int
-user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt)
+user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
+ int auth_attempt, struct sshauthopt **authoptsp)
{
u_int success, i;
char *file;
+ struct sshauthopt *opts = NULL;
+ if (authoptsp != NULL)
+ *authoptsp = NULL;
if (auth_key_is_revoked(key))
return 0;
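Review bot: The comment above user_key_allowed does not mention the new `authoptsp` out-parameter. This hunk and the next show that `*authoptsp` is cleared on entry and receives the selected options only when `success` is non-zero, after which the local `opts` is set to NULL and not freed here, so ownership appears to pass to the caller. I would extend the comment with: `On success, *authoptsp (if non-NULL) receives the effective options, to be released by the caller with sshauthopt_free(); it is left NULL on failure.` The static helpers user_cert_trusted_ca, user_key_allowed2 and user_key_command_allowed2 follow the same convention and could carry the same sentence.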
@@ -803,25 +986,31 @@ user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt)
auth_key_is_revoked(key->cert->signature_key))
return 0;
- success = user_cert_trusted_ca(pw, key);
- if (success)
- return success;
+ if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;
- success = user_key_command_allowed2(pw, key);
- if (success > 0)
- return success;
+ if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;
for (i = 0; !success && i < options.num_authkeys_files; i++) {
-
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
-
- success = user_key_allowed2(pw, key, file);
+ success = user_key_allowed2(ssh, pw, key, file, &opts);
free(file);
}
+ out:
+ if (success && authoptsp != NULL) {
+ *authoptsp = opts;
+ opts = NULL;
+ }
+ sshauthopt_free(opts);
return success;
}
diff --git a/auth2.c b/auth2.c
index 862e09960b29..e0034229a0c1 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.143 2017/06/24 06:34:38 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.145 2018/03/03 03:15:51 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -138,9 +138,6 @@ auth2_read_banner(void)
void
userauth_send_banner(const char *msg)
{
- if (datafellows & SSH_BUG_BANNER)
- return;
-
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(msg);
packet_put_cstring(""); /* language, unused */
@@ -153,7 +150,7 @@ userauth_banner(void)
{
char *banner = NULL;
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER) != 0)
+ if (options.banner == NULL)
return;
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
@@ -313,7 +310,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
- !auth_root_allowed(method)) {
+ !auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
@@ -352,13 +349,6 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
}
#endif
-#ifdef _UNICOS
- if (authenticated && cray_access_denied(authctxt->user)) {
- authenticated = 0;
- fatal("Access denied for user %s.", authctxt->user);
- }
-#endif /* _UNICOS */
-
if (authenticated == 1) {
/* turn off userauth */
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -369,7 +359,6 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
authctxt->success = 1;
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
} else {
-
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
diff --git a/authfd.c b/authfd.c
index a460fa350c8a..1eff7ba94e01 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.105 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.108 2018/02/23 15:58:37 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -129,7 +129,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
/* Get the length of the message, and format it in the buffer. */
len = sshbuf_len(request);
- put_u32(buf, len);
+ POKE_U32(buf, len);
/* Send the length and then the packet to the agent. */
if (atomicio(vwrite, sock, buf, 4) != 4 ||
@@ -144,7 +144,7 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
return SSH_ERR_AGENT_COMMUNICATION;
/* Extract the length, and check it for sanity. */
- len = get_u32(buf);
+ len = PEEK_U32(buf);
if (len > MAX_AGENT_REPLY_LEN)
return SSH_ERR_INVALID_FORMAT;
@@ -353,8 +353,6 @@ ssh_agent_sign(int sock, const struct sshkey *key,
if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
- if (compat & SSH_BUG_SIGBLOB)
- flags |= SSH_AGENT_OLD_SIGNATURE;
if ((msg = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
@@ -393,19 +391,7 @@ ssh_agent_sign(int sock, const struct sshkey *key,
static int
-ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
- const char *comment)
-{
- int r;
-
- if ((r = sshkey_private_serialize(key, b)) != 0 ||
- (r = sshbuf_put_cstring(b, comment)) != 0)
- return r;
- return 0;
-}
-
-static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
+encode_constraints(struct sshbuf *m, u_int life, u_int confirm, u_int maxsign)
{
int r;
@@ -418,6 +404,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_CONFIRM)) != 0)
goto out;
}
+ if (maxsign != 0) {
+ if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_MAXSIGN)) != 0 ||
+ (r = sshbuf_put_u32(m, maxsign)) != 0)
+ goto out;
+ }
r = 0;
out:
return r;
@@ -428,11 +419,11 @@ encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
* This call is intended only for use by ssh-add(1) and like applications.
*/
int
-ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
- u_int life, u_int confirm)
+ssh_add_identity_constrained(int sock, const struct sshkey *key,
+ const char *comment, u_int life, u_int confirm, u_int maxsign)
{
struct sshbuf *msg;
- int r, constrained = (life || confirm);
+ int r, constrained = (life || confirm || maxsign);
u_char type;
if ((msg = sshbuf_new()) == NULL)
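Review bot: The comment above ssh_add_identity_constrained is unchanged and says nothing about the new `maxsign` argument. From the visible code, a non-zero value marks the request as constrained and makes encode_constraints append `SSH_AGENT_CONSTRAIN_MAXSIGN` followed by the 32-bit value, while 0 omits it. I would add: `maxsign: if non-zero, sent to the agent as an SSH_AGENT_CONSTRAIN_MAXSIGN constraint (presumably a cap on signatures made with the key); 0 sends no such constraint.` The key-type switch in the next hunk applies it to every listed type, not only `KEY_XMSS`, so the comment should also say whether a non-zero value is meaningful for the other types.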
@@ -449,11 +440,15 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
#endif
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_XMSS:
+ case KEY_XMSS_CERT:
type = constrained ?
SSH2_AGENTC_ADD_ID_CONSTRAINED :
SSH2_AGENTC_ADD_IDENTITY;
if ((r = sshbuf_put_u8(msg, type)) != 0 ||
- (r = ssh_encode_identity_ssh2(msg, key, comment)) != 0)
+ (r = sshkey_private_serialize_maxsign(key, msg, maxsign,
+ NULL)) != 0 ||
+ (r = sshbuf_put_cstring(msg, comment)) != 0)
goto out;
break;
default:
@@ -461,7 +456,7 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
goto out;
}
if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, maxsign)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
@@ -539,7 +534,7 @@ ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
(r = sshbuf_put_cstring(msg, pin)) != 0)
goto out;
if (constrained &&
- (r = encode_constraints(msg, life, confirm)) != 0)
+ (r = encode_constraints(msg, life, confirm, 0)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
diff --git a/authfd.h b/authfd.h
index 43abf85dadfe..ab954ffc0a35 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.41 2017/06/28 01:09:22 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.43 2018/02/23 15:58:37 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -29,8 +29,8 @@ void ssh_close_authentication_socket(int sock);
int ssh_lock_agent(int sock, int lock, const char *password);
int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
void ssh_free_identitylist(struct ssh_identitylist *idl);
-int ssh_add_identity_constrained(int sock, struct sshkey *key,
- const char *comment, u_int life, u_int confirm);
+int ssh_add_identity_constrained(int sock, const struct sshkey *key,
+ const char *comment, u_int life, u_int confirm, u_int maxsign);
int ssh_remove_identity(int sock, struct sshkey *key);
int ssh_update_card(int sock, int add, const char *reader_id,
const char *pin, u_int life, u_int confirm);
@@ -77,6 +77,7 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM 2
+#define SSH_AGENT_CONSTRAIN_MAXSIGN 3
/* extended failure messages */
#define SSH2_AGENT_FAILURE 30
diff --git a/authfile.c b/authfile.c
index d09b700d21d9..57dcd808c6bc 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.127 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.128 2018/02/23 15:58:37 markus Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@@ -191,6 +191,8 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase,
*perm_ok = 1;
r = sshkey_load_private_type_fd(fd, type, passphrase, keyp, commentp);
+ if (r == 0 && keyp && *keyp)
+ r = sshkey_set_filename(*keyp, filename);
out:
close(fd);
return r;
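Review bot: When `sshkey_set_filename()` fails, the function returns an error while `*keyp` still points at the private key that was just loaded. A caller that treats a non-zero return as "no key was produced" would then leave private key material allocated, so I would release it on that path, directly after the call: `if (r != 0) { sshkey_free(*keyp); *keyp = NULL; }`. The next hunk, in sshkey_load_private, has the same pattern before its `goto out`. Whether `*commentp` needs the same treatment depends on code outside these hunks. sshkey_load_private_type starts before this hunk.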
@@ -249,6 +251,9 @@ sshkey_load_private(const char *filename, const char *passphrase,
(r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
commentp)) != 0)
goto out;
+ if (keyp && *keyp &&
+ (r = sshkey_set_filename(*keyp, filename)) != 0)
+ goto out;
r = 0;
out:
close(fd);
@@ -397,6 +402,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
case KEY_ECDSA:
#endif /* WITH_OPENSSL */
case KEY_ED25519:
+ case KEY_XMSS:
case KEY_UNSPEC:
break;
default:
diff --git a/bitmap.c b/bitmap.c
index 5089b04070e7..5ecfe68b89bd 100644
--- a/bitmap.c
+++ b/bitmap.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: bitmap.c,v 1.9 2017/10/20 01:56:39 djm Exp $ */
/*
* Copyright (c) 2015 Damien Miller <djm@mindrot.org>
*
diff --git a/bitmap.h b/bitmap.h
index c1bb1741a4fe..336e90b06cce 100644
--- a/bitmap.h
+++ b/bitmap.h
@@ -1,3 +1,4 @@
+/* $OpenBSD: bitmap.h,v 1.2 2017/10/20 01:56:39 djm Exp $ */
/*
* Copyright (c) 2015 Damien Miller <djm@mindrot.org>
*
diff --git a/blocks.c b/blocks.c
deleted file mode 100644
index ad93fe509980..000000000000
--- a/blocks.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/* $OpenBSD: blocks.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Author: Daniel J. Bernstein
- * Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c
- */
-
-#include "includes.h"
-
-#include "crypto_api.h"
-
-typedef unsigned long long uint64;
-
-static uint64 load_bigendian(const unsigned char *x)
-{
- return
- (uint64) (x[7]) \
- | (((uint64) (x[6])) << 8) \
- | (((uint64) (x[5])) << 16) \
- | (((uint64) (x[4])) << 24) \
- | (((uint64) (x[3])) << 32) \
- | (((uint64) (x[2])) << 40) \
- | (((uint64) (x[1])) << 48) \
- | (((uint64) (x[0])) << 56)
- ;
-}
-
-static void store_bigendian(unsigned char *x,uint64 u)
-{
- x[7] = u; u >>= 8;
- x[6] = u; u >>= 8;
- x[5] = u; u >>= 8;
- x[4] = u; u >>= 8;
- x[3] = u; u >>= 8;
- x[2] = u; u >>= 8;
- x[1] = u; u >>= 8;
- x[0] = u;
-}
-
-#define SHR(x,c) ((x) >> (c))
-#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c))))
-
-#define Ch(x,y,z) ((x & y) ^ (~x & z))
-#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
-#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
-#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
-#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7))
-#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6))
-
-#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;
-
-#define EXPAND \
- M(w0 ,w14,w9 ,w1 ) \
- M(w1 ,w15,w10,w2 ) \
- M(w2 ,w0 ,w11,w3 ) \
- M(w3 ,w1 ,w12,w4 ) \
- M(w4 ,w2 ,w13,w5 ) \
- M(w5 ,w3 ,w14,w6 ) \
- M(w6 ,w4 ,w15,w7 ) \
- M(w7 ,w5 ,w0 ,w8 ) \
- M(w8 ,w6 ,w1 ,w9 ) \
- M(w9 ,w7 ,w2 ,w10) \
- M(w10,w8 ,w3 ,w11) \
- M(w11,w9 ,w4 ,w12) \
- M(w12,w10,w5 ,w13) \
- M(w13,w11,w6 ,w14) \
- M(w14,w12,w7 ,w15) \
- M(w15,w13,w8 ,w0 )
-
-#define F(w,k) \
- T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \
- T2 = Sigma0(a) + Maj(a,b,c); \
- h = g; \
- g = f; \
- f = e; \
- e = d + T1; \
- d = c; \
- c = b; \
- b = a; \
- a = T1 + T2;
-
-int crypto_hashblocks_sha512(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen)
-{
- uint64 state[8];
- uint64 a;
- uint64 b;
- uint64 c;
- uint64 d;
- uint64 e;
- uint64 f;
- uint64 g;
- uint64 h;
- uint64 T1;
- uint64 T2;
-
- a = load_bigendian(statebytes + 0); state[0] = a;
- b = load_bigendian(statebytes + 8); state[1] = b;
- c = load_bigendian(statebytes + 16); state[2] = c;
- d = load_bigendian(statebytes + 24); state[3] = d;
- e = load_bigendian(statebytes + 32); state[4] = e;
- f = load_bigendian(statebytes + 40); state[5] = f;
- g = load_bigendian(statebytes + 48); state[6] = g;
- h = load_bigendian(statebytes + 56); state[7] = h;
-
- while (inlen >= 128) {
- uint64 w0 = load_bigendian(in + 0);
- uint64 w1 = load_bigendian(in + 8);
- uint64 w2 = load_bigendian(in + 16);
- uint64 w3 = load_bigendian(in + 24);
- uint64 w4 = load_bigendian(in + 32);
- uint64 w5 = load_bigendian(in + 40);
- uint64 w6 = load_bigendian(in + 48);
- uint64 w7 = load_bigendian(in + 56);
- uint64 w8 = load_bigendian(in + 64);
- uint64 w9 = load_bigendian(in + 72);
- uint64 w10 = load_bigendian(in + 80);
- uint64 w11 = load_bigendian(in + 88);
- uint64 w12 = load_bigendian(in + 96);
- uint64 w13 = load_bigendian(in + 104);
- uint64 w14 = load_bigendian(in + 112);
- uint64 w15 = load_bigendian(in + 120);
-
- F(w0 ,0x428a2f98d728ae22ULL)
- F(w1 ,0x7137449123ef65cdULL)
- F(w2 ,0xb5c0fbcfec4d3b2fULL)
- F(w3 ,0xe9b5dba58189dbbcULL)
- F(w4 ,0x3956c25bf348b538ULL)
- F(w5 ,0x59f111f1b605d019ULL)
- F(w6 ,0x923f82a4af194f9bULL)
- F(w7 ,0xab1c5ed5da6d8118ULL)
- F(w8 ,0xd807aa98a3030242ULL)
- F(w9 ,0x12835b0145706fbeULL)
- F(w10,0x243185be4ee4b28cULL)
- F(w11,0x550c7dc3d5ffb4e2ULL)
- F(w12,0x72be5d74f27b896fULL)
- F(w13,0x80deb1fe3b1696b1ULL)
- F(w14,0x9bdc06a725c71235ULL)
- F(w15,0xc19bf174cf692694ULL)
-
- EXPAND
-
- F(w0 ,0xe49b69c19ef14ad2ULL)
- F(w1 ,0xefbe4786384f25e3ULL)
- F(w2 ,0x0fc19dc68b8cd5b5ULL)
- F(w3 ,0x240ca1cc77ac9c65ULL)
- F(w4 ,0x2de92c6f592b0275ULL)
- F(w5 ,0x4a7484aa6ea6e483ULL)
- F(w6 ,0x5cb0a9dcbd41fbd4ULL)
- F(w7 ,0x76f988da831153b5ULL)
- F(w8 ,0x983e5152ee66dfabULL)
- F(w9 ,0xa831c66d2db43210ULL)
- F(w10,0xb00327c898fb213fULL)
- F(w11,0xbf597fc7beef0ee4ULL)
- F(w12,0xc6e00bf33da88fc2ULL)
- F(w13,0xd5a79147930aa725ULL)
- F(w14,0x06ca6351e003826fULL)
- F(w15,0x142929670a0e6e70ULL)
-
- EXPAND
-
- F(w0 ,0x27b70a8546d22ffcULL)
- F(w1 ,0x2e1b21385c26c926ULL)
- F(w2 ,0x4d2c6dfc5ac42aedULL)
- F(w3 ,0x53380d139d95b3dfULL)
- F(w4 ,0x650a73548baf63deULL)
- F(w5 ,0x766a0abb3c77b2a8ULL)
- F(w6 ,0x81c2c92e47edaee6ULL)
- F(w7 ,0x92722c851482353bULL)
- F(w8 ,0xa2bfe8a14cf10364ULL)
- F(w9 ,0xa81a664bbc423001ULL)
- F(w10,0xc24b8b70d0f89791ULL)
- F(w11,0xc76c51a30654be30ULL)
- F(w12,0xd192e819d6ef5218ULL)
- F(w13,0xd69906245565a910ULL)
- F(w14,0xf40e35855771202aULL)
- F(w15,0x106aa07032bbd1b8ULL)
-
- EXPAND
-
- F(w0 ,0x19a4c116b8d2d0c8ULL)
- F(w1 ,0x1e376c085141ab53ULL)
- F(w2 ,0x2748774cdf8eeb99ULL)
- F(w3 ,0x34b0bcb5e19b48a8ULL)
- F(w4 ,0x391c0cb3c5c95a63ULL)
- F(w5 ,0x4ed8aa4ae3418acbULL)
- F(w6 ,0x5b9cca4f7763e373ULL)
- F(w7 ,0x682e6ff3d6b2b8a3ULL)
- F(w8 ,0x748f82ee5defb2fcULL)
- F(w9 ,0x78a5636f43172f60ULL)
- F(w10,0x84c87814a1f0ab72ULL)
- F(w11,0x8cc702081a6439ecULL)
- F(w12,0x90befffa23631e28ULL)
- F(w13,0xa4506cebde82bde9ULL)
- F(w14,0xbef9a3f7b2c67915ULL)
- F(w15,0xc67178f2e372532bULL)
-
- EXPAND
-
- F(w0 ,0xca273eceea26619cULL)
- F(w1 ,0xd186b8c721c0c207ULL)
- F(w2 ,0xeada7dd6cde0eb1eULL)
- F(w3 ,0xf57d4f7fee6ed178ULL)
- F(w4 ,0x06f067aa72176fbaULL)
- F(w5 ,0x0a637dc5a2c898a6ULL)
- F(w6 ,0x113f9804bef90daeULL)
- F(w7 ,0x1b710b35131c471bULL)
- F(w8 ,0x28db77f523047d84ULL)
- F(w9 ,0x32caab7b40c72493ULL)
- F(w10,0x3c9ebe0a15c9bebcULL)
- F(w11,0x431d67c49c100d4cULL)
- F(w12,0x4cc5d4becb3e42b6ULL)
- F(w13,0x597f299cfc657e2aULL)
- F(w14,0x5fcb6fab3ad6faecULL)
- F(w15,0x6c44198c4a475817ULL)
-
- a += state[0];
- b += state[1];
- c += state[2];
- d += state[3];
- e += state[4];
- f += state[5];
- g += state[6];
- h += state[7];
-
- state[0] = a;
- state[1] = b;
- state[2] = c;
- state[3] = d;
- state[4] = e;
- state[5] = f;
- state[6] = g;
- state[7] = h;
-
- in += 128;
- inlen -= 128;
- }
-
- store_bigendian(statebytes + 0,state[0]);
- store_bigendian(statebytes + 8,state[1]);
- store_bigendian(statebytes + 16,state[2]);
- store_bigendian(statebytes + 24,state[3]);
- store_bigendian(statebytes + 32,state[4]);
- store_bigendian(statebytes + 40,state[5]);
- store_bigendian(statebytes + 48,state[6]);
- store_bigendian(statebytes + 56,state[7]);
-
- return inlen;
-}
diff --git a/channels.c b/channels.c
index 83442be06432..bdee1f3860a0 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.375 2017/09/24 13:45:34 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.379 2018/02/05 05:36:49 tb Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -436,10 +436,15 @@ channel_close_fd(struct ssh *ssh, int *fdp)
static void
channel_close_fds(struct ssh *ssh, Channel *c)
{
+ int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
+
channel_close_fd(ssh, &c->sock);
- channel_close_fd(ssh, &c->rfd);
- channel_close_fd(ssh, &c->wfd);
- channel_close_fd(ssh, &c->efd);
+ if (rfd != sock)
+ channel_close_fd(ssh, &c->rfd);
+ if (wfd != sock && wfd != rfd)
+ channel_close_fd(ssh, &c->wfd);
+ if (efd != sock && efd != rfd && efd != wfd)
+ channel_close_fd(ssh, &c->efd);
}
static void
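Review bot: The fields that are skipped because they alias an already-closed descriptor keep their old value. Assuming `channel_close_fd()` resets the field it is given (it takes `int *fdp`; its body is outside the hunk), `c->sock` is cleared, but an aliased `c->rfd`, `c->wfd` or `c->efd` still holds the number of a closed descriptor, which the process may later hand out for an unrelated file or socket. Adding an `else` to each of the three checks, e.g. `else c->rfd = -1;`, would leave the channel with no stale descriptor numbers after the function returns.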
@@ -1582,13 +1587,8 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c,
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket, 0, buf, 1);
open_preamble(ssh, __func__, nc, "x11");
- if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0) {
- fatal("%s: channel %i: reply %s", __func__,
- c->self, ssh_err(r));
- }
- if ((datafellows & SSH_BUG_X11FWD) != 0)
- debug2("channel %d: ssh2 x11 bug compat mode", nc->self);
- else if ((r = sshpkt_put_u32(ssh, remote_port)) != 0) {
+ if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
+ (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
fatal("%s: channel %i: reply %s", __func__,
c->self, ssh_err(r));
}
@@ -1668,19 +1668,6 @@ port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
free(local_ipaddr);
}
-static void
-channel_set_reuseaddr(int fd)
-{
- int on = 1;
-
- /*
- * Set socket options.
- * Allow local port reuse in TIME_WAIT.
- */
- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
- error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
-}
-
void
channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
{
@@ -1837,15 +1824,13 @@ channel_post_connecting(struct ssh *ssh, Channel *c,
if ((r = sshpkt_start(ssh,
SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, SSH2_OPEN_CONNECT_FAILED))
- != 0)
- fatal("%s: channel %i: failure: %s", __func__,
- c->self, ssh_err(r));
- if ((datafellows & SSH_BUG_OPENFAILURE) == 0 &&
- ((r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
- (r = sshpkt_put_cstring(ssh, "")) != 0))
+ (r = sshpkt_put_u32(ssh,
+ SSH2_OPEN_CONNECT_FAILED)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
+ (r = sshpkt_put_cstring(ssh, "")) != 0) {
fatal("%s: channel %i: failure: %s", __func__,
c->self, ssh_err(r));
+ }
if ((r = sshpkt_send(ssh)) != 0)
fatal("%s: channel %i: %s", __func__, c->self,
ssh_err(r));
@@ -3123,13 +3108,11 @@ channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
error("%s: reason: %s", __func__, ssh_err(r));
packet_disconnect("Invalid open failure message");
}
- if ((datafellows & SSH_BUG_OPENFAILURE) == 0) {
- /* skip language */
- if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
- (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) {
- error("%s: message/lang: %s", __func__, ssh_err(r));
- packet_disconnect("Invalid open failure message");
- }
+ /* skip language */
+ if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
+ (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) {
+ error("%s: message/lang: %s", __func__, ssh_err(r));
+ packet_disconnect("Invalid open failure message");
}
ssh_packet_check_eom(ssh);
logit("channel %d: open failed: %s%s%s", c->self,
@@ -3364,11 +3347,12 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
/* this is no error since kernel may not support ipv6 */
- verbose("socket: %.100s", strerror(errno));
+ verbose("socket [%s]:%s: %.100s", ntop, strport,
+ strerror(errno));
continue;
}
- channel_set_reuseaddr(sock);
+ set_reuseaddr(sock);
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
@@ -3382,9 +3366,11 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
* already bound
*/
if (!ai->ai_next)
- error("bind: %.100s", strerror(errno));
+ error("bind [%s]:%s: %.100s",
+ ntop, strport, strerror(errno));
else
- verbose("bind: %.100s", strerror(errno));
+ verbose("bind [%s]:%s: %.100s",
+ ntop, strport, strerror(errno));
close(sock);
continue;
@@ -3392,6 +3378,8 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
/* Start listening for connections on the socket. */
if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
error("listen: %.100s", strerror(errno));
+ error("listen [%s]:%s: %.100s", ntop, strport,
+ strerror(errno));
close(sock);
continue;
}
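Review bot: The old `error("listen: %.100s", strerror(errno));` line is still present as context, so a failed `listen()` is now logged twice. Beyond the noise, the second message reads `errno` after the first `error()` call has run, and logging may have changed it by then, so the more detailed line can report the wrong cause. I would drop the old line and keep only `error("listen [%s]:%s: %.100s", ntop, strport, strerror(errno));`, matching the bind messages in the previous hunk. The enclosing loop starts and ends outside this hunk.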
@@ -3672,15 +3660,9 @@ static const char *
channel_rfwd_bind_host(const char *listen_host)
{
if (listen_host == NULL) {
- if (datafellows & SSH_BUG_RFWD_ADDR)
- return "127.0.0.1";
- else
- return "localhost";
+ return "localhost";
} else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
- if (datafellows & SSH_BUG_RFWD_ADDR)
- return "0.0.0.0";
- else
- return "";
+ return "";
} else
return listen_host;
}
@@ -4439,7 +4421,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
- channel_set_reuseaddr(sock);
+ set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug2("%s: bind port %d: %.100s", __func__,
port, strerror(errno));
diff --git a/cipher.c b/cipher.c
index c3cd5dcf4405..5787636161df 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.107 2017/05/07 23:12:57 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.111 2018/02/23 15:58:37 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -310,8 +310,7 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
} else {
if (cc != NULL) {
#ifdef WITH_OPENSSL
- if (cc->evp != NULL)
- EVP_CIPHER_CTX_free(cc->evp);
+ EVP_CIPHER_CTX_free(cc->evp);
#endif /* WITH_OPENSSL */
explicit_bzero(cc, sizeof(*cc));
free(cc);
@@ -402,7 +401,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
cp, len);
if (len < 4)
return SSH_ERR_MESSAGE_INCOMPLETE;
- *plenp = get_u32(cp);
+ *plenp = PEEK_U32(cp);
return 0;
}
@@ -416,10 +415,8 @@ cipher_free(struct sshcipher_ctx *cc)
else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
#ifdef WITH_OPENSSL
- if (cc->evp != NULL) {
- EVP_CIPHER_CTX_free(cc->evp);
- cc->evp = NULL;
- }
+ EVP_CIPHER_CTX_free(cc->evp);
+ cc->evp = NULL;
#endif
explicit_bzero(cc, sizeof(*cc));
free(cc);
@@ -449,9 +446,9 @@ cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
int
cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
{
- const struct sshcipher *c = cc->cipher;
#ifdef WITH_OPENSSL
- int evplen;
+ const struct sshcipher *c = cc->cipher;
+ int evplen;
#endif
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
@@ -494,9 +491,9 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
int
cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
{
- const struct sshcipher *c = cc->cipher;
#ifdef WITH_OPENSSL
- int evplen = 0;
+ const struct sshcipher *c = cc->cipher;
+ int evplen = 0;
#endif
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
diff --git a/clientloop.c b/clientloop.c
index 791d336e359e..7bcf22e38692 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.305 2017/09/19 04:24:22 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.311 2018/02/11 21:16:56 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -210,7 +210,6 @@ static void
window_change_handler(int sig)
{
received_window_change_signal = 1;
- signal(SIGWINCH, window_change_handler);
}
/*
@@ -226,19 +225,6 @@ signal_handler(int sig)
}
/*
- * Returns current time in seconds from Jan 1, 1970 with the maximum
- * available resolution.
- */
-
-static double
-get_current_time(void)
-{
- struct timeval tv;
- gettimeofday(&tv, NULL);
- return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
-}
-
-/*
* Sets control_persist_exit_time to the absolute time when the
* backgrounded control master should exit due to expiry of the
* ControlPersist timeout. Sets it to 0 if we are not a backgrounded
@@ -1256,7 +1242,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
fatal("%s pledge(): %s", __func__, strerror(errno));
}
- start_time = get_current_time();
+ start_time = monotime_double();
/* Initialize variables. */
last_was_cr = 1;
@@ -1445,7 +1431,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
buffer_free(&stderr_buffer);
/* Report bytes transferred, and transfer rates. */
- total_time = get_current_time() - start_time;
+ total_time = monotime_double() - start_time;
packet_get_bytes(&ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes, in %.1f seconds",
(unsigned long long)obytes, (unsigned long long)ibytes, total_time);
@@ -1554,12 +1540,7 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
return NULL;
}
originator = packet_get_string(NULL);
- if (datafellows & SSH_BUG_X11FWD) {
- debug2("buggy server: x11 request w/o originator_port");
- originator_port = 0;
- } else {
- originator_port = packet_get_int();
- }
+ originator_port = packet_get_int();
packet_check_eom();
/* XXX check permission */
debug("client_request_x11: request from %s %d", originator,
@@ -1601,12 +1582,13 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
return c;
}
-int
+char *
client_request_tun_fwd(struct ssh *ssh, int tun_mode,
int local_tun, int remote_tun)
{
Channel *c;
int fd;
+ char *ifname = NULL;
if (tun_mode == SSH_TUNMODE_NO)
return 0;
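Review bot: With the return type changed to `char *`, the early exit `return 0;` for `SSH_TUNMODE_NO` now yields a null pointer, the same value the next hunk returns when tun_open() fails, so a caller cannot tell "no tunnel requested" from "tunnel device open failed" by the return value alone. Writing it as `return NULL;` and adding a header comment would make the contract explicit, for example `/* Returns the tunnel interface name (caller frees), or NULL if no tunnel was requested or the device could not be opened. */`. That the returned string is heap-allocated and owned by the caller is inferred from the `&ifname` out-parameter, since tun_open() is not visible here. The function body continues outside this hunk.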
@@ -1614,10 +1596,11 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);
/* Open local tunnel device */
- if ((fd = tun_open(local_tun, tun_mode)) == -1) {
+ if ((fd = tun_open(local_tun, tun_mode, &ifname)) == -1) {
error("Tunnel device open failed.");
- return -1;
+ return NULL;
}
+ debug("Tunnel forwarding using interface %s", ifname);
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
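Review bot: The added `debug("Tunnel forwarding using interface %s", ifname);` passes `ifname` to `%s` without checking it, although it is initialised to NULL in the previous hunk and only tun_open(), which is not visible here, can set it. If any platform's tun_open() succeeds without filling it in, this is a NULL argument to `%s`, which is undefined behaviour for printf-style formatting, and the later `return ifname;` would also report a working tunnel as NULL. A guard such as `debug("Tunnel forwarding using interface %s", ifname ? ifname : "(unknown)");` is cheap. The function starts and ends outside this hunk.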
@@ -1638,7 +1621,7 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
packet_put_int(remote_tun);
packet_send();
- return 0;
+ return ifname;
}
/* XXXX move to generic input handler */
@@ -1689,10 +1672,8 @@ client_input_channel_open(int type, u_int32_t seq, struct ssh *ssh)
packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(rchan);
packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
- if (!(datafellows & SSH_BUG_OPENFAILURE)) {
- packet_put_cstring("open failed");
- packet_put_cstring("");
- }
+ packet_put_cstring("open failed");
+ packet_put_cstring("");
packet_send();
}
free(ctype);
@@ -1904,7 +1885,7 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
size_t i, ndone;
struct sshbuf *signdata;
- int r;
+ int r, kexsigtype, use_kexsigtype;
const u_char *sig;
size_t siglen;
@@ -1916,6 +1897,9 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
hostkeys_update_ctx_free(ctx);
return;
}
+ kexsigtype = sshkey_type_plain(
+ sshkey_type_from_name(ssh->kex->hostkey_alg));
+
if ((signdata = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
/* Don't want to accidentally accept an unbound signature */
@@ -1944,8 +1928,15 @@ client_global_hostkeys_private_confirm(struct ssh *ssh, int type,
__func__, ssh_err(r));
goto out;
}
+ /*
+ * For RSA keys, prefer to use the signature type negotiated
+ * during KEX to the default (SHA1).
+ */
+ use_kexsigtype = kexsigtype == KEY_RSA &&
+ sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA;
if ((r = sshkey_verify(ctx->keys[i], sig, siglen,
- sshbuf_ptr(signdata), sshbuf_len(signdata), 0)) != 0) {
+ sshbuf_ptr(signdata), sshbuf_len(signdata),
+ use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0)) != 0) {
error("%s: server gave bad signature for %s key %zu",
__func__, sshkey_type(ctx->keys[i]), i);
goto out;
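Review bot: The signature algorithm is pinned only when both the KEX host key and the key being proven are RSA; in every other case `sshkey_verify()` receives NULL for the new algorithm argument. An RSA key offered in a session whose negotiated host key algorithm was not RSA therefore appears to be verified with whatever signature type the server chose, including the SHA1 default the new comment mentions. If that fallback is intended, the comment should say so, e.g. `/* NB. RSA keys are not pinned when KEX used a non-RSA host key; any RSA signature type is accepted then. */`. Separately, the preceding hunk passes `ssh->kex->hostkey_alg` to `sshkey_type_from_name()` without a NULL check, and whether it can be unset at this point is not visible here. The function starts and ends outside these hunks.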
diff --git a/clientloop.h b/clientloop.h
index a1975ccc8a16..8d1f0bff695d 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.34 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.35 2017/10/23 05:08:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,7 +46,7 @@ int client_x11_get_proto(struct ssh *, const char *, const char *,
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(struct ssh *, int, int, int,
const char *, struct termios *, int, Buffer *, char **);
-int client_request_tun_fwd(struct ssh *, int, int, int);
+char *client_request_tun_fwd(struct ssh *, int, int, int);
void client_stop_mux(void);
/* Escape filter for protocol 2 sessions */
diff --git a/compat.c b/compat.c
index d82135e2b5e0..861e9e21fe0d 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.104 2017/07/25 09:22:25 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -50,83 +50,20 @@ compat_datafellows(const char *version)
char *pat;
int bugs;
} check[] = {
- { "OpenSSH-2.0*,"
- "OpenSSH-2.1*,"
- "OpenSSH_2.1*,"
- "OpenSSH_2.2*", SSH_OLD_SESSIONID|SSH_BUG_BANNER|
- SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
- SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
- { "OpenSSH_2.3.0*", SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES|
- SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
- SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
- { "OpenSSH_2.3.*", SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
- SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
- SSH_OLD_FORWARD_ADDR},
- { "OpenSSH_2.5.0p1*,"
- "OpenSSH_2.5.1p1*",
- SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
- SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
- SSH_OLD_FORWARD_ADDR},
- { "OpenSSH_2.5.0*,"
- "OpenSSH_2.5.1*,"
- "OpenSSH_2.5.2*", SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
- SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
- { "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
- SSH_OLD_FORWARD_ADDR},
{ "OpenSSH_2.*,"
"OpenSSH_3.0*,"
"OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
{ "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR },
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
+ { "OpenSSH_2*,"
+ "OpenSSH_3*,"
+ "OpenSSH_4*", 0 },
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
{ "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
{ "OpenSSH_6.5*,"
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
{ "OpenSSH*", SSH_NEW_OPENSSH },
{ "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
- SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
- SSH_BUG_FIRSTKEX },
- { "2.1 *", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
- SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
- SSH_BUG_FIRSTKEX },
- { "2.0.13*,"
- "2.0.14*,"
- "2.0.15*,"
- "2.0.16*,"
- "2.0.17*,"
- "2.0.18*,"
- "2.0.19*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
- SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
- SSH_BUG_PKOK|SSH_BUG_RSASIGMD5|
- SSH_BUG_HBSERVICE|SSH_BUG_OPENFAILURE|
- SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
- { "2.0.11*,"
- "2.0.12*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
- SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
- SSH_BUG_PKAUTH|SSH_BUG_PKOK|
- SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
- SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
- { "2.0.*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
- SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
- SSH_BUG_PKAUTH|SSH_BUG_PKOK|
- SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
- SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN|
- SSH_BUG_FIRSTKEX },
- { "2.2.0*,"
- "2.3.0*", SSH_BUG_HMAC|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_FIRSTKEX },
- { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
- SSH_BUG_FIRSTKEX },
- { "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */
- { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
- SSH_BUG_RFWD_ADDR },
{ "3.0.*", SSH_BUG_DEBUG },
{ "3.0 SecureCRT*", SSH_OLD_SESSIONID },
{ "1.7 SecureFX*", SSH_OLD_SESSIONID },
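Review bot: The added patterns `OpenSSH_2*` and `OpenSSH_3*` sit below the existing entries `OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*` and `OpenSSH_3.*`, so if the table is scanned first-match (the lookup loop is outside this hunk) they can only match a banner with no dot after the major number. A one-line comment on the entry stating what it is meant to catch, for instance `/* no workarounds; dotted 2.x/3.x banners are matched above */`, would keep the next reader from assuming it clears the flags for all 2.x and 3.x peers. It is also worth confirming that peers which matched the removed `2.*` family entries are meant to fall through to whatever later or default entry applies, since the workaround flags they used to receive are gone.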
@@ -189,6 +126,8 @@ compat_datafellows(const char *version)
"WinSCP_release_5.7.3,"
"WinSCP_release_5.7.4",
SSH_OLD_DHGEX },
+ { "ConfD-*",
+ SSH_BUG_UTF8TTYMODE },
{ NULL, 0 }
};
diff --git a/compat.h b/compat.h
index 2e7830f1bc8c..4fee3495a5ae 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.49 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.51 2018/02/16 04:43:11 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -32,31 +32,31 @@
#define SSH_PROTO_1_PREFERRED 0x02
#define SSH_PROTO_2 0x04
-#define SSH_BUG_SIGBLOB 0x00000001
-#define SSH_BUG_PKSERVICE 0x00000002
-#define SSH_BUG_HMAC 0x00000004
-#define SSH_BUG_X11FWD 0x00000008
+#define SSH_BUG_UTF8TTYMODE 0x00000001
+/* #define unused 0x00000002 */
+/* #define unused 0x00000004 */
+/* #define unused 0x00000008 */
#define SSH_OLD_SESSIONID 0x00000010
-#define SSH_BUG_PKAUTH 0x00000020
+/* #define unused 0x00000020 */
#define SSH_BUG_DEBUG 0x00000040
-#define SSH_BUG_BANNER 0x00000080
+/* #define unused 0x00000080 */
#define SSH_BUG_IGNOREMSG 0x00000100
-#define SSH_BUG_PKOK 0x00000200
+/* #define unused 0x00000200 */
#define SSH_BUG_PASSWORDPAD 0x00000400
#define SSH_BUG_SCANNER 0x00000800
#define SSH_BUG_BIGENDIANAES 0x00001000
#define SSH_BUG_RSASIGMD5 0x00002000
#define SSH_OLD_DHGEX 0x00004000
#define SSH_BUG_NOREKEY 0x00008000
-#define SSH_BUG_HBSERVICE 0x00010000
-#define SSH_BUG_OPENFAILURE 0x00020000
-#define SSH_BUG_DERIVEKEY 0x00040000
-#define SSH_BUG_DUMMYCHAN 0x00100000
+/* #define unused 0x00010000 */
+/* #define unused 0x00020000 */
+/* #define unused 0x00040000 */
+/* #define unused 0x00100000 */
#define SSH_BUG_EXTEOF 0x00200000
#define SSH_BUG_PROBE 0x00400000
-#define SSH_BUG_FIRSTKEX 0x00800000
+/* #define unused 0x00800000 */
#define SSH_OLD_FORWARD_ADDR 0x01000000
-#define SSH_BUG_RFWD_ADDR 0x02000000
+/* #define unused 0x02000000 */
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
diff --git a/config.h.in b/config.h.in
index 63fc548b5843..57208740787e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -34,9 +34,6 @@
/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
#undef BROKEN_INET_NTOA
-/* ia_uinfo routines not supported by OS yet */
-#undef BROKEN_LIBIAF
-
/* Define if your struct dirent expects you to allocate extra space for d_name
*/
#undef BROKEN_ONE_BYTE_DIRENT_D_NAME
@@ -75,6 +72,12 @@
/* Define if your snprintf is busted */
#undef BROKEN_SNPRINTF
+/* strndup broken, see APAR IY61211 */
+#undef BROKEN_STRNDUP
+
+/* strnlen broken, see APAR IY62551 */
+#undef BROKEN_STRNLEN
+
/* strnvis detected broken */
#undef BROKEN_STRNVIS
@@ -132,6 +135,9 @@
/* Enable for PKCS#11 support */
#undef ENABLE_PKCS11
+/* define if fflush(NULL) does not work */
+#undef FFLUSH_NULL_BUG
+
/* File names may not contain backslash characters */
#undef FILESYSTEM_NO_BACKSLASH
@@ -141,7 +147,7 @@
/* fsid_t has member __val */
#undef FSID_HAS___VAL
-/* Define to 1 if the `getpgrp' function requires zero arguments. */
+/* getpgrp takes one arg */
#undef GETPGRP_VOID
/* Conflicting defs for getspnam */
@@ -252,7 +258,10 @@
/* Define to 1 if you have the <bstring.h> header file. */
#undef HAVE_BSTRING_H
-/* calloc(x, 0) returns NULL */
+/* Define to 1 if you have the `bzero' function. */
+#undef HAVE_BZERO
+
+/* calloc(0, x) returns NULL */
#undef HAVE_CALLOC
/* Define to 1 if you have the `cap_rights_limit' function. */
@@ -299,6 +308,10 @@
don't. */
#undef HAVE_DECL_AUTHENTICATE
+/* Define to 1 if you have the declaration of `bzero', and to 0 if you don't.
+ */
+#undef HAVE_DECL_BZERO
+
/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you
don't. */
#undef HAVE_DECL_GLOB_NOMATCH
@@ -347,6 +360,10 @@
don't. */
#undef HAVE_DECL_PASSWDEXPIRED
+/* Define to 1 if you have the declaration of `readv', and to 0 if you don't.
+ */
+#undef HAVE_DECL_READV
+
/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
don't. */
#undef HAVE_DECL_SETAUTHDB
@@ -466,6 +483,9 @@
/* Define to 1 if you have the <floatingpoint.h> header file. */
#undef HAVE_FLOATINGPOINT_H
+/* Define to 1 if you have the `flock' function. */
+#undef HAVE_FLOCK
+
/* Define to 1 if you have the `fmt_scaled' function. */
#undef HAVE_FMT_SCALED
@@ -553,12 +573,12 @@
/* Define if getrrsetbyname() exists */
#undef HAVE_GETRRSETBYNAME
-/* Define to 1 if you have the `getrusage' function. */
-#undef HAVE_GETRUSAGE
-
/* Define to 1 if you have the `getseuserbyname' function. */
#undef HAVE_GETSEUSERBYNAME
+/* Define to 1 if you have the `getsid' function. */
+#undef HAVE_GETSID
+
/* Define to 1 if you have the `gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY
@@ -640,6 +660,9 @@
/* Define if you have ut_id in utmpx.h */
#undef HAVE_ID_IN_UTMPX
+/* Define to 1 if you have the <ifaddrs.h> header file. */
+#undef HAVE_IFADDRS_H
+
/* Define to 1 if you have the `inet_aton' function. */
#undef HAVE_INET_ATON
@@ -821,6 +844,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
+/* Define to 1 if you have the <net/route.h> header file. */
+#undef HAVE_NET_ROUTE_H
+
/* Define if you are on NeXT */
#undef HAVE_NEXT
@@ -903,6 +929,9 @@
/* Define to 1 if you have the `pututxline' function. */
#undef HAVE_PUTUTXLINE
+/* Define to 1 if you have the `raise' function. */
+#undef HAVE_RAISE
+
/* Define to 1 if you have the `readpassphrase' function. */
#undef HAVE_READPASSPHRASE
@@ -1120,6 +1149,9 @@
/* Define to 1 if you have the `strmode' function. */
#undef HAVE_STRMODE
+/* Define to 1 if you have the `strndup' function. */
+#undef HAVE_STRNDUP
+
/* Define to 1 if you have the `strnlen' function. */
#undef HAVE_STRNLEN
@@ -1174,6 +1206,9 @@
/* define if you have struct sockaddr_storage data type */
#undef HAVE_STRUCT_SOCKADDR_STORAGE
+/* Define to 1 if `f_flags' is a member of `struct statfs'. */
+#undef HAVE_STRUCT_STATFS_F_FLAGS
+
/* Define to 1 if `st_blksize' is a member of `struct stat'. */
#undef HAVE_STRUCT_STAT_ST_BLKSIZE
@@ -1219,6 +1254,12 @@
/* Define if your system defines sys_errlist[] */
#undef HAVE_SYS_ERRLIST
+/* Define to 1 if you have the <sys/file.h> header file. */
+#undef HAVE_SYS_FILE_H
+
+/* Define to 1 if you have the <sys/label.h> header file. */
+#undef HAVE_SYS_LABEL_H
+
/* Define to 1 if you have the <sys/mman.h> header file. */
#undef HAVE_SYS_MMAN_H
@@ -1264,6 +1305,9 @@
/* Define to 1 if you have the <sys/strtio.h> header file. */
#undef HAVE_SYS_STRTIO_H
+/* Define to 1 if you have the <sys/sysctl.h> header file. */
+#undef HAVE_SYS_SYSCTL_H
+
/* Force use of sys/syslog.h on Ultrix */
#undef HAVE_SYS_SYSLOG_H
@@ -1282,6 +1326,9 @@
/* Define to 1 if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H
+/* Define to 1 if you have the <sys/vfs.h> header file. */
+#undef HAVE_SYS_VFS_H
+
/* Define to 1 if you have the `tcgetpgrp' function. */
#undef HAVE_TCGETPGRP
@@ -1496,12 +1543,12 @@
/* Need setpgrp to acquire controlling tty */
#undef NEED_SETPGRP
+/* compiler does not accept __attribute__ on protoype args */
+#undef NO_ATTRIBUTE_ON_PROTOTYPE_ARGS
+
/* compiler does not accept __attribute__ on return types */
#undef NO_ATTRIBUTE_ON_RETURN_TYPE
-/* Define if you don't want to use lastlog in session.c */
-#undef NO_SSH_LASTLOG
-
/* Define to disable UID restoration test */
#undef NO_UID_RESTORATION_TEST
@@ -1681,6 +1728,9 @@
/* syslog_r function is safe to use in in a signal handler */
#undef SYSLOG_R_SAFE_IN_SIGHAND
+/* Support routing domains using Linux VRF */
+#undef SYS_RDOMAIN_LINUX
+
/* Support passwords > 8 chars */
#undef UNIXWARE_LONG_PASSWORDS
diff --git a/configure b/configure
index b2c2c3b91745..5f5536fa4e32 100755
--- a/configure
+++ b/configure
@@ -624,6 +624,7 @@ ac_includes_default="\
#endif"
ac_subst_vars='LTLIBOBJS
+DEPEND
UNSUPPORTED_ALGORITHMS
TEST_MALLOC_OPTIONS
TEST_SSH_UTF8
@@ -663,11 +664,11 @@ SH
TEST_MINUS_S_SH
ENT
SED
-PERL
KILL
CAT
ac_ct_AR
AR
+MKDIR_P
INSTALL_DATA
INSTALL_SCRIPT
INSTALL_PROGRAM
@@ -1473,7 +1474,7 @@ Optional Packages:
--with-superuser-path= Specify different path for super-user
--with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
--with-bsd-auth Enable BSD auth support
- --with-pid-dir=PATH Specify location of ssh.pid file
+ --with-pid-dir=PATH Specify location of sshd.pid file
--with-lastlog=FILE|DIR specify lastlog location common locations
Some influential environment variables:
@@ -4564,6 +4565,48 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
EGREP="$ac_cv_path_EGREP"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
+$as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
+if test -z "$MKDIR_P"; then
+ if ${ac_cv_path_mkdir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in mkdir gmkdir; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
+ case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
+ 'mkdir (GNU coreutils) '* | \
+ 'mkdir (coreutils) '* | \
+ 'mkdir (fileutils) '4.1*)
+ ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
+ break 3;;
+ esac
+ done
+ done
+ done
+IFS=$as_save_IFS
+
+fi
+
+ test -d ./--version && rmdir ./--version
+ if test "${ac_cv_path_mkdir+set}" = set; then
+ MKDIR_P="$ac_cv_path_mkdir -p"
+ else
+ # As a last resort, use the slow shell script. Don't cache a
+ # value for MKDIR_P within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the value is a relative name.
+ MKDIR_P="$ac_install_sh -d"
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5
+$as_echo "$MKDIR_P" >&6; }
+
if test -n "$ac_tool_prefix"; then
for ac_prog in ar
do
@@ -4744,51 +4787,6 @@ $as_echo "no" >&6; }
fi
-for ac_prog in perl5 perl
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_PERL+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- case $PERL in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
- ;;
-esac
-fi
-PERL=$ac_cv_path_PERL
-if test -n "$PERL"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5
-$as_echo "$PERL" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
- test -n "$PERL" && break
-done
-
# Extract the first word of "sed", so it can be a program name with args.
set dummy sed; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -4829,7 +4827,6 @@ $as_echo "no" >&6; }
fi
-
# Extract the first word of "ent", so it can be a program name with args.
set dummy ent; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -6223,6 +6220,172 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
}
if test "x$use_toolchain_hardening" = "x1"; then
{
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -mfunction-return=thunk" >&5
+$as_echo_n "checking if $CC supports compile flag -mfunction-return=thunk... " >&6; }
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR -mfunction-return=thunk"
+ _define_flag=""
+ test "x$_define_flag" = "x" && _define_flag="-mfunction-return=thunk"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+} # gcc
+ {
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -mindirect-branch=thunk" >&5
+$as_echo_n "checking if $CC supports compile flag -mindirect-branch=thunk... " >&6; }
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR -mindirect-branch=thunk"
+ _define_flag=""
+ test "x$_define_flag" = "x" && _define_flag="-mindirect-branch=thunk"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+} # gcc
+ {
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -mretpoline" >&5
+$as_echo_n "checking if $CC supports compile flag -mretpoline... " >&6; }
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR -mretpoline"
+ _define_flag=""
+ test "x$_define_flag" = "x" && _define_flag="-mretpoline"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ CFLAGS="$saved_CFLAGS $_define_flag"
+fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ CFLAGS="$saved_CFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+} # clang
+ {
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $LD supports link flag -Wl,-z,retpolineplt" >&5
+$as_echo_n "checking if $LD supports link flag -Wl,-z,retpolineplt... " >&6; }
+ saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $WERROR -Wl,-z,retpolineplt"
+ _define_flag=""
+ test "x$_define_flag" = "x" && _define_flag="-Wl,-z,retpolineplt"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ long long p = n * o;
+ printf("%d %d %d %f %f %lld %lld %lld\n", i, j, k, l, m, n, o, p);
+ exit(0);
+}
+
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ LDFLAGS="$saved_LDFLAGS $_define_flag"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ LDFLAGS="$saved_LDFLAGS"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+}
+ {
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports compile flag -D_FORTIFY_SOURCE=2" >&5
$as_echo_n "checking if $CC supports compile flag -D_FORTIFY_SOURCE=2... " >&6; }
saved_CFLAGS="$CFLAGS"
@@ -6591,6 +6754,34 @@ $as_echo "#define NO_ATTRIBUTE_ON_RETURN_TYPE 1" >>confdefs.h
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows __attribute__ prototype args" >&5
+$as_echo_n "checking if compiler allows __attribute__ prototype args... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdlib.h>
+typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));
+int
+main ()
+{
+ exit(0);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define NO_ATTRIBUTE_ON_PROTOTYPE_ARGS 1" >>confdefs.h
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
if test "x$no_attrib_nonnull" != "x1" ; then
$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h
@@ -6717,6 +6908,7 @@ for ac_header in \
glob.h \
ia.h \
iaf.h \
+ ifaddrs.h \
inttypes.h \
langinfo.h \
limits.h \
@@ -6740,12 +6932,13 @@ for ac_header in \
stdint.h \
string.h \
strings.h \
- sys/audit.h \
sys/bitypes.h \
sys/bsdtty.h \
sys/cdefs.h \
sys/dir.h \
+ sys/file.h \
sys/mman.h \
+ sys/label.h \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
@@ -6760,6 +6953,7 @@ for ac_header in \
sys/sysmacros.h \
sys/time.h \
sys/timers.h \
+ sys/vfs.h \
time.h \
tmpdir.h \
ttyent.h \
@@ -6786,6 +6980,32 @@ fi
done
+# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
+# to be included first.
+for ac_header in sys/audit.h
+do :
+ ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" "
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_LABEL_H
+# include <sys/label.h>
+#endif
+
+"
+if test "x$ac_cv_header_sys_audit_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_AUDIT_H 1
+_ACEOF
+
+fi
+
+done
+
+
# sys/capsicum.h requires sys/types.h
for ac_header in sys/capsicum.h
do :
@@ -6805,6 +7025,29 @@ fi
done
+# net/route.h requires sys/socket.h and sys/types.h.
+# sys/sysctl.h also requires sys/param.h
+for ac_header in net/route.h sys/sysctl.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <sys/param.h>
+#include <sys/socket.h>
+
+"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
# lastlog.h requires sys/time.h to be included first on Solaris
for ac_header in lastlog.h
do :
@@ -7185,6 +7428,12 @@ $as_echo "#define PTY_ZEROREAD 1" >>confdefs.h
$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
+
+$as_echo "#define BROKEN_STRNDUP 1" >>confdefs.h
+
+
+$as_echo "#define BROKEN_STRNLEN 1" >>confdefs.h
+
;;
*-*-android*)
@@ -7695,6 +7944,19 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
$as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
fi
+ ac_fn_c_check_header_compile "$LINENO" "linux/if.h" "ac_cv_header_linux_if_h" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.H>
+#endif
+
+"
+if test "x$ac_cv_header_linux_if_h" = xyes; then :
+
+$as_echo "#define SYS_RDOMAIN_LINUX 1" >>confdefs.h
+
+fi
+
+
for ac_header in linux/seccomp.h linux/filter.h linux/audit.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
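Review bot: The prerequisite include in the added linux/if.h check is spelled `# include <sys/types.H>` with an upper-case `H`, a header name that does not exist on a case-sensitive filesystem. When HAVE_SYS_TYPES_H is defined the test program then fails to compile, `ac_cv_header_linux_if_h` is not set to `yes`, and `SYS_RDOMAIN_LINUX` is never defined, which silently disables the Linux VRF routing-domain support this change introduces. The line should read `# include <sys/types.h>`; since configure is generated, the correction belongs in configure.ac and configure should be regenerated.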
@@ -7709,6 +7971,75 @@ fi
done
+ # Obtain MIPS ABI
+ case "$host" in
+ mips*)
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#if _MIPS_SIM != _ABIO32
+#error
+#endif
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ mips_abi="o32"
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#if _MIPS_SIM != _ABIN32
+#error
+#endif
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ mips_abi="n32"
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#if _MIPS_SIM != _ABI64
+#error
+#endif
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ mips_abi="n64"
+else
+ as_fn_error $? "unknown MIPS ABI" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ;;
+ esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp architecture" >&5
$as_echo_n "checking for seccomp architecture... " >&6; }
seccomp_audit_arch=
@@ -7744,10 +8075,24 @@ $as_echo_n "checking for seccomp architecture... " >&6; }
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ case "$mips_abi" in
+ "n32")
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+ ;;
+ "n64")
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ ;;
+ esac
;;
mips64el-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ case "$mips_abi" in
+ "n32")
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+ ;;
+ "n64")
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ ;;
+ esac
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
@@ -8102,6 +8447,9 @@ done
conf_lastlog_location=/var/adm/lastlog
$as_echo "#define USE_PIPES 1" >>confdefs.h
+
+$as_echo "#define DISABLE_UTMPX 1" >>confdefs.h
+
;;
*-ncr-sysv*)
LIBS="$LIBS -lc89"
@@ -8260,12 +8608,10 @@ $as_echo "#define UNIXWARE_LONG_PASSWORDS 1" >>confdefs.h
$as_echo "#define BROKEN_TCGETATTR_ICANON 1" >>confdefs.h
TEST_SHELL=$SHELL # let configure find us a capable shell
+ check_for_libcrypt_later=1
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
maildir=/var/spool/mail
-
-$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h
-
$as_echo "#define BROKEN_UPDWTMPX 1" >>confdefs.h
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for getluid in -lprot" >&5
@@ -8318,17 +8664,12 @@ _ACEOF
fi
done
- $as_echo "#define HAVE_SECUREWARE 1" >>confdefs.h
-
- $as_echo "#define DISABLE_SHADOW 1" >>confdefs.h
-
fi
;;
*) $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h
- check_for_libcrypt_later=1
;;
esac
;;
@@ -8383,58 +8724,6 @@ done
TEST_SHELL=$SHELL # let configure find us a capable shell
SKIP_DISABLE_LASTLOG_DEFINE=yes
;;
-*-*-unicosmk*)
-
-$as_echo "#define NO_SSH_LASTLOG 1" >>confdefs.h
-
- $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h
-
- $as_echo "#define USE_PIPES 1" >>confdefs.h
-
- $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h
-
- LDFLAGS="$LDFLAGS"
- LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
- MANTYPE=cat
- ;;
-*-*-unicosmp*)
- $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h
-
- $as_echo "#define WITH_ABBREV_NO_TTY 1" >>confdefs.h
-
- $as_echo "#define USE_PIPES 1" >>confdefs.h
-
- $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h
-
- LDFLAGS="$LDFLAGS"
- LIBS="$LIBS -lgen -lacid -ldb"
- MANTYPE=cat
- ;;
-*-*-unicos*)
- $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREUID 1" >>confdefs.h
-
- $as_echo "#define BROKEN_SETREGID 1" >>confdefs.h
-
- $as_echo "#define USE_PIPES 1" >>confdefs.h
-
- $as_echo "#define DISABLE_FD_PASSING 1" >>confdefs.h
-
- $as_echo "#define NO_SSH_LASTLOG 1" >>confdefs.h
-
- LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
- LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
- MANTYPE=cat
- ;;
*-dec-osf*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Digital Unix SIA" >&5
$as_echo_n "checking for Digital Unix SIA... " >&6; }
@@ -9874,7 +10163,43 @@ fi
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
-if test "x$ac_cv_func_malloc_0_nonnull" != "xyes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if calloc(0, N) returns non-null" >&5
+$as_echo_n "checking if calloc(0, N) returns non-null... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming same as malloc" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming same as malloc" >&2;}
+ func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+ #include <stdlib.h>
+int
+main ()
+{
+ void *p = calloc(0, 1); exit(p == NULL);
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ func_calloc_0_nonnull=yes
+else
+ func_calloc_0_nonnull=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $func_calloc_0_nonnull" >&5
+$as_echo "$func_calloc_0_nonnull" >&6; }
+
+if test "x$func_calloc_0_nonnull" == "xyes"; then
+
+$as_echo "#define HAVE_CALLOC 1" >>confdefs.h
+
+else
$as_echo "#define HAVE_CALLOC 0" >>confdefs.h
@@ -10256,7 +10581,7 @@ else
LDNSCONFIG="$ac_cv_path_LDNSCONFIG"
fi
- if test "x$PKGCONFIG" = "xno"; then
+ if test "x$LDNSCONFIG" = "xno"; then
CPPFLAGS="$CPPFLAGS -I${withval}/include"
LDFLAGS="$LDFLAGS -L${withval}/lib"
LIBS="-lldns $LIBS"
@@ -10833,6 +11158,7 @@ for ac_func in \
bcrypt_pbkdf \
bindresvport_sa \
blf_enc \
+ bzero \
cap_rights_limit \
clock \
closefrom \
@@ -10843,6 +11169,7 @@ for ac_func in \
explicit_bzero \
fchmod \
fchown \
+ flock \
freeaddrinfo \
freezero \
fstatfs \
@@ -10857,9 +11184,9 @@ for ac_func in \
getpeereid \
getpeerucred \
getpgid \
- getpgrp \
_getpty \
getrlimit \
+ getsid \
getttyent \
glob \
group_from_gid \
@@ -10881,6 +11208,7 @@ for ac_func in \
poll \
prctl \
pstat \
+ raise \
readpassphrase \
reallocarray \
recvmsg \
@@ -10915,6 +11243,7 @@ for ac_func in \
strlcat \
strlcpy \
strmode \
+ strndup \
strnlen \
strnvis \
strptime \
@@ -10949,6 +11278,18 @@ fi
done
+ac_fn_c_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default"
+if test "x$ac_cv_have_decl_bzero" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_BZERO $ac_have_decl
+_ACEOF
+
+
for ac_func in mblen mbtowc nl_langinfo wcwidth
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -11090,9 +11431,15 @@ $as_echo "$ac_cv_search_dlopen" >&6; }
ac_res=$ac_cv_search_dlopen
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+ ac_fn_c_check_decl "$LINENO" "RTLD_NOW" "ac_cv_have_decl_RTLD_NOW" "#include <dlfcn.h>
+
+"
+if test "x$ac_cv_have_decl_RTLD_NOW" = xyes; then :
$as_echo "#define ENABLE_PKCS11 /**/" >>confdefs.h
+fi
+
fi
@@ -11258,21 +11605,6 @@ $as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
fi
-ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default"
-if test "x$ac_cv_have_decl_getrusage" = xyes; then :
- for ac_func in getrusage
-do :
- ac_fn_c_check_func "$LINENO" "getrusage" "ac_cv_func_getrusage"
-if test "x$ac_cv_func_getrusage" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_GETRUSAGE 1
-_ACEOF
-
-fi
-done
-
-fi
-
ac_fn_c_check_decl "$LINENO" "strsep" "ac_cv_have_decl_strsep" "
#ifdef HAVE_STRING_H
# include <string.h>
@@ -11365,6 +11697,21 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
+ac_fn_c_check_decl "$LINENO" "readv" "ac_cv_have_decl_readv" "
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+"
+if test "x$ac_cv_have_decl_readv" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_READV $ac_have_decl
+_ACEOF
ac_fn_c_check_decl "$LINENO" "writev" "ac_cv_have_decl_writev" "
#include <sys/types.h>
#include <sys/uio.h>
@@ -11655,6 +12002,39 @@ fi
done
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working fflush(NULL)" >&5
+$as_echo_n "checking for working fflush(NULL)... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming working" >&5
+$as_echo "$as_me: WARNING: cross compiling: assuming working" >&2;}
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdio.h>
+int
+main ()
+{
+fflush(NULL); exit(0);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define FFLUSH_NULL_BUG 1" >>confdefs.h
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
for ac_func in gettimeofday time
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -12396,38 +12776,45 @@ fi
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether getpgrp requires zero arguments" >&5
-$as_echo_n "checking whether getpgrp requires zero arguments... " >&6; }
-if ${ac_cv_func_getpgrp_void+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- # Use it with a single arg.
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+for ac_func in getpgrp
+do :
+ ac_fn_c_check_func "$LINENO" "getpgrp" "ac_cv_func_getpgrp"
+if test "x$ac_cv_func_getpgrp" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GETPGRP 1
+_ACEOF
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if getpgrp accepts zero args" >&5
+$as_echo_n "checking if getpgrp accepts zero args... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int
main ()
{
-getpgrp (0);
+ getpgrp();
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
- ac_cv_func_getpgrp_void=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define GETPGRP_VOID 1" >>confdefs.h
+
else
- ac_cv_func_getpgrp_void=yes
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getpgrp_void" >&5
-$as_echo "$ac_cv_func_getpgrp_void" >&6; }
-if test $ac_cv_func_getpgrp_void = yes; then
+$as_echo "#define GETPGRP_VOID 0" >>confdefs.h
-$as_echo "#define GETPGRP_VOID 1" >>confdefs.h
fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+done
# Search for OpenSSL
@@ -15193,6 +15580,33 @@ _ACEOF
fi
+ac_fn_c_check_member "$LINENO" "struct statfs" "f_flags" "ac_cv_member_struct_statfs_f_flags" "
+#include <sys/types.h>
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_SYS_STATFS_H
+#include <sys/statfs.h>
+#endif
+#ifdef HAVE_SYS_STATVFS_H
+#include <sys/statvfs.h>
+#endif
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif
+
+"
+if test "x$ac_cv_member_struct_statfs_f_flags" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_STRUCT_STATFS_F_FLAGS 1
+_ACEOF
+
+
+fi
+
+
+
ac_fn_c_check_type "$LINENO" "in_addr_t" "ac_cv_type_in_addr_t" "#include <sys/types.h>
#include <netinet/in.h>
"
@@ -19272,6 +19686,8 @@ TEST_MALLOC_OPTIONS=$TEST_MALLOC_OPTIONS
UNSUPPORTED_ALGORITHMS=$unsupported_algorithms
+DEPEND=$(cat $srcdir/.depend)
+
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
@@ -19859,6 +20275,7 @@ gives unlimited permission to copy, distribute and modify it."
ac_pwd='$ac_pwd'
srcdir='$srcdir'
INSTALL='$INSTALL'
+MKDIR_P='$MKDIR_P'
AWK='$AWK'
test -n "\$AWK" || AWK=awk
_ACEOF
@@ -20426,6 +20843,11 @@ ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
[\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
*) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
esac
+ ac_MKDIR_P=$MKDIR_P
+ case $MKDIR_P in
+ [\\/$]* | ?:[\\/]* ) ;;
+ */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+ esac
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
@@ -20480,6 +20902,7 @@ s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
s&@INSTALL@&$ac_INSTALL&;t t
+s&@MKDIR_P@&$ac_MKDIR_P&;t t
$ac_datarootdir_hack
"
eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
@@ -20607,7 +21030,6 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
-echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
diff --git a/configure.ac b/configure.ac
index 889f506377c0..663062bef142 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,3 @@
-# $Id: configure.ac,v 1.583 2014/08/26 20:32:01 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@@ -30,12 +29,11 @@ AC_PROG_CPP
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PROG_EGREP
+AC_PROG_MKDIR_P
AC_CHECK_TOOLS([AR], [ar])
AC_PATH_PROG([CAT], [cat])
AC_PATH_PROG([KILL], [kill])
-AC_PATH_PROGS([PERL], [perl5 perl])
AC_PATH_PROG([SED], [sed])
-AC_SUBST([PERL])
AC_PATH_PROG([ENT], [ent])
AC_SUBST([ENT])
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
@@ -164,6 +162,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
if test "x$use_toolchain_hardening" = "x1"; then
+ OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
+ OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
+ OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
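Review bot: The four probes added at the top of the `use_toolchain_hardening` block carry only `# gcc` / `# clang` tags, and nothing says what the flags are for or why there are three spellings plus a linker option. A one-line comment above them would help whoever next audits the hardening set, for example `# Spectre variant 2 (branch target injection) mitigations; gcc, clang and the linker each spell the option differently`. The definition of `OSSH_CHECK_CFLAG_COMPILE` is outside this hunk, so whether a rejected flag is silently dropped should be confirmed there.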
@@ -263,6 +265,18 @@ __attribute__((__unused__)) static void foo(void){return;}]],
[compiler does not accept __attribute__ on return types]) ]
)
+AC_MSG_CHECKING([if compiler allows __attribute__ prototype args])
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[
+#include <stdlib.h>
+typedef void foo(const char *, ...) __attribute__((format(printf, 1, 2)));]],
+ [[ exit(0); ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+ AC_DEFINE(NO_ATTRIBUTE_ON_PROTOTYPE_ARGS, 1,
+ [compiler does not accept __attribute__ on protoype args]) ]
+)
+
if test "x$no_attrib_nonnull" != "x1" ; then
AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
fi
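Review bot: The description string of the new `AC_DEFINE` misspells "prototype" as `protoype`, and that text is presumably copied into the generated config header template. The macro name and value are also unquoted, unlike the neighbouring `AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], ...)` a few lines below. Suggested form: `AC_DEFINE([NO_ATTRIBUTE_ON_PROTOTYPE_ARGS], [1],` followed by `[compiler does not accept __attribute__ on prototype args]) ]`.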
@@ -363,6 +377,7 @@ AC_CHECK_HEADERS([ \
glob.h \
ia.h \
iaf.h \
+ ifaddrs.h \
inttypes.h \
langinfo.h \
limits.h \
@@ -386,12 +401,13 @@ AC_CHECK_HEADERS([ \
stdint.h \
string.h \
strings.h \
- sys/audit.h \
sys/bitypes.h \
sys/bsdtty.h \
sys/cdefs.h \
sys/dir.h \
+ sys/file.h \
sys/mman.h \
+ sys/label.h \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
@@ -406,6 +422,7 @@ AC_CHECK_HEADERS([ \
sys/sysmacros.h \
sys/time.h \
sys/timers.h \
+ sys/vfs.h \
time.h \
tmpdir.h \
ttyent.h \
@@ -420,6 +437,20 @@ AC_CHECK_HEADERS([ \
wchar.h \
])
+# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
+# to be included first.
+AC_CHECK_HEADERS([sys/audit.h], [], [], [
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_LABEL_H
+# include <sys/label.h>
+#endif
+])
+
# sys/capsicum.h requires sys/types.h
AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
@@ -427,6 +458,16 @@ AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
#endif
])
+# net/route.h requires sys/socket.h and sys/types.h.
+# sys/sysctl.h also requires sys/param.h
+AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <sys/param.h>
+#include <sys/socket.h>
+])
+
# lastlog.h requires sys/time.h to be included first on Solaris
AC_CHECK_HEADERS([lastlog.h], [], [], [
#ifdef HAVE_SYS_TIME_H
@@ -562,6 +603,8 @@ case "$host" in
[AIX 5.2 and 5.3 (and presumably newer) require this])
AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
+ AC_DEFINE([BROKEN_STRNDUP], 1, [strndup broken, see APAR IY61211])
+ AC_DEFINE([BROKEN_STRNLEN], 1, [strnlen broken, see APAR IY62551])
;;
*-*-android*)
AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
@@ -769,8 +812,36 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
fi
+ AC_CHECK_HEADER([linux/if.h],
+ AC_DEFINE([SYS_RDOMAIN_LINUX], [1],
+ [Support routing domains using Linux VRF]), [], [
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.H>
+#endif
+ ])
AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
[], [#include <linux/types.h>])
+ # Obtain MIPS ABI
+ case "$host" in
+ mips*)
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#if _MIPS_SIM != _ABIO32
+#error
+#endif
+ ]])],[mips_abi="o32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#if _MIPS_SIM != _ABIN32
+#error
+#endif
+ ]])],[mips_abi="n32"],[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#if _MIPS_SIM != _ABI64
+#error
+#endif
+ ]])],[mips_abi="n64"],[AC_MSG_ERROR([unknown MIPS ABI])
+ ])
+ ])
+ ])
+ ;;
+ esac
AC_MSG_CHECKING([for seccomp architecture])
seccomp_audit_arch=
case "$host" in
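Review bot: The prologue of the new `AC_CHECK_HEADER([linux/if.h], ...)` includes `<sys/types.H>` with an upper-case `H`, which does not exist on a case-sensitive filesystem. Whenever `HAVE_SYS_TYPES_H` is defined the test program then fails to compile, the header is reported as missing, and `SYS_RDOMAIN_LINUX` is never defined, so the routing-domain support is silently left out of the build. The line should read `# include <sys/types.h>`. The generated `configure` earlier in this commit carries the same text and needs regenerating after the fix.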
@@ -805,10 +876,24 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ case "$mips_abi" in
+ "n32")
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+ ;;
+ "n64")
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ ;;
+ esac
;;
mips64el-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ case "$mips_abi" in
+ "n32")
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+ ;;
+ "n64")
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ ;;
+ esac
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
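Review bot: The inner `case "$mips_abi"` in the `mips64-*` and `mips64el-*` arms handles only `n32` and `n64`, although the ABI probe added just before this check can also set `mips_abi="o32"`. In that case `seccomp_audit_arch` stays empty and the build takes whatever path the following `if test "x$seccomp_audit_arch" != "x"` has for an unknown architecture (its body is outside this hunk), which presumably means the seccomp filter is not enabled. If that is intended, say so with an explicit arm such as `*) ;; # o32 userland: seccomp_audit_arch intentionally left empty`; otherwise add an `"o32")` arm with the matching audit architecture.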
@@ -959,6 +1044,7 @@ mips-sony-bsd|mips-sony-newsos4)
conf_wtmp_location=/var/adm/wtmp
conf_lastlog_location=/var/adm/lastlog
AC_DEFINE([USE_PIPES])
+ AC_DEFINE([DISABLE_UTMPX], [1], [no utmpx])
;;
*-ncr-sysv*)
LIBS="$LIBS -lc89"
@@ -1007,20 +1093,16 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE([PASSWD_NEEDS_USERNAME])
AC_DEFINE([BROKEN_TCGETATTR_ICANON])
TEST_SHELL=$SHELL # let configure find us a capable shell
+ check_for_libcrypt_later=1
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
maildir=/var/spool/mail
- AC_DEFINE([BROKEN_LIBIAF], [1],
- [ia_uinfo routines not supported by OS yet])
AC_DEFINE([BROKEN_UPDWTMPX])
AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
- AC_DEFINE([HAVE_SECUREWARE])
- AC_DEFINE([DISABLE_SHADOW])
], , )
;;
*) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
- check_for_libcrypt_later=1
;;
esac
;;
@@ -1053,40 +1135,6 @@ mips-sony-bsd|mips-sony-newsos4)
TEST_SHELL=$SHELL # let configure find us a capable shell
SKIP_DISABLE_LASTLOG_DEFINE=yes
;;
-*-*-unicosmk*)
- AC_DEFINE([NO_SSH_LASTLOG], [1],
- [Define if you don't want to use lastlog in session.c])
- AC_DEFINE([SETEUID_BREAKS_SETUID])
- AC_DEFINE([BROKEN_SETREUID])
- AC_DEFINE([BROKEN_SETREGID])
- AC_DEFINE([USE_PIPES])
- AC_DEFINE([DISABLE_FD_PASSING])
- LDFLAGS="$LDFLAGS"
- LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
- MANTYPE=cat
- ;;
-*-*-unicosmp*)
- AC_DEFINE([SETEUID_BREAKS_SETUID])
- AC_DEFINE([BROKEN_SETREUID])
- AC_DEFINE([BROKEN_SETREGID])
- AC_DEFINE([WITH_ABBREV_NO_TTY])
- AC_DEFINE([USE_PIPES])
- AC_DEFINE([DISABLE_FD_PASSING])
- LDFLAGS="$LDFLAGS"
- LIBS="$LIBS -lgen -lacid -ldb"
- MANTYPE=cat
- ;;
-*-*-unicos*)
- AC_DEFINE([SETEUID_BREAKS_SETUID])
- AC_DEFINE([BROKEN_SETREUID])
- AC_DEFINE([BROKEN_SETREGID])
- AC_DEFINE([USE_PIPES])
- AC_DEFINE([DISABLE_FD_PASSING])
- AC_DEFINE([NO_SSH_LASTLOG])
- LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
- LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
- MANTYPE=cat
- ;;
*-dec-osf*)
AC_MSG_CHECKING([for Digital Unix SIA])
no_osfsia=""
@@ -1337,8 +1385,23 @@ AC_FUNC_STRFTIME
AC_FUNC_MALLOC
AC_FUNC_REALLOC
# autoconf doesn't have AC_FUNC_CALLOC so fake it if malloc returns NULL;
-if test "x$ac_cv_func_malloc_0_nonnull" != "xyes"; then
- AC_DEFINE(HAVE_CALLOC, 0, [calloc(x, 0) returns NULL])
+AC_MSG_CHECKING([if calloc(0, N) returns non-null])
+AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[ #include <stdlib.h> ]],
+ [[ void *p = calloc(0, 1); exit(p == NULL); ]]
+ )],
+ [ func_calloc_0_nonnull=yes ],
+ [ func_calloc_0_nonnull=no ],
+ [ AC_MSG_WARN([cross compiling: assuming same as malloc])
+ func_calloc_0_nonnull="$ac_cv_func_malloc_0_nonnull"]
+)
+AC_MSG_RESULT([$func_calloc_0_nonnull])
+
+if test "x$func_calloc_0_nonnull" == "xyes"; then
+ AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
+else
+ AC_DEFINE(HAVE_CALLOC, 0, [calloc(0, x) returns NULL])
AC_DEFINE(calloc, rpl_calloc,
[Define to rpl_calloc if the replacement function should be used.])
fi
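Review bot: The new condition `test "x$func_calloc_0_nonnull" == "xyes"` uses `==`, which POSIX `test` does not define; only `=` is portable. Under a `/bin/sh` whose `test` rejects `==`, the command fails and the `else` branch runs, so `HAVE_CALLOC` becomes 0 and `calloc` is redirected to `rpl_calloc` even where the probe answered yes. Use `if test "x$func_calloc_0_nonnull" = "xyes"; then`. The comment kept above the check ("fake it if malloc returns NULL") also no longer describes it, since calloc is now probed directly and malloc's result is used only when cross compiling.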
@@ -1487,7 +1550,7 @@ AC_ARG_WITH(ldns,
ldns=""
if test "x$withval" = "xyes" ; then
AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
- if test "x$PKGCONFIG" = "xno"; then
+ if test "x$LDNSCONFIG" = "xno"; then
CPPFLAGS="$CPPFLAGS -I${withval}/include"
LDFLAGS="$LDFLAGS -L${withval}/lib"
LIBS="-lldns $LIBS"
@@ -1695,6 +1758,7 @@ AC_CHECK_FUNCS([ \
bcrypt_pbkdf \
bindresvport_sa \
blf_enc \
+ bzero \
cap_rights_limit \
clock \
closefrom \
@@ -1705,6 +1769,7 @@ AC_CHECK_FUNCS([ \
explicit_bzero \
fchmod \
fchown \
+ flock \
freeaddrinfo \
freezero \
fstatfs \
@@ -1719,9 +1784,9 @@ AC_CHECK_FUNCS([ \
getpeereid \
getpeerucred \
getpgid \
- getpgrp \
_getpty \
getrlimit \
+ getsid \
getttyent \
glob \
group_from_gid \
@@ -1743,6 +1808,7 @@ AC_CHECK_FUNCS([ \
poll \
prctl \
pstat \
+ raise \
readpassphrase \
reallocarray \
recvmsg \
@@ -1777,6 +1843,7 @@ AC_CHECK_FUNCS([ \
strlcat \
strlcpy \
strmode \
+ strndup \
strnlen \
strnvis \
strptime \
@@ -1800,6 +1867,8 @@ AC_CHECK_FUNCS([ \
warn \
])
+AC_CHECK_DECLS([bzero])
+
dnl Wide character support.
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
@@ -1842,7 +1911,10 @@ AC_ARG_ENABLE([pkcs11],
if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
# PKCS#11 support requires dlopen() and co
AC_SEARCH_LIBS([dlopen], [dl],
- [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
+ AC_CHECK_DECL([RTLD_NOW],
+ AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
+ [], [#include <dlfcn.h>]
+ )
)
fi
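Review bot: The `AC_CHECK_DECL(...)` now passed as the action-if-found of `AC_SEARCH_LIBS` is not wrapped in `[...]`, and neither is the `AC_DEFINE` inside it, whereas the line it replaces was quoted. Unquoted macro calls are expanded before the outer macro receives them, which usually works but is fragile and inconsistent with the rest of the file. Suggested form: `[AC_CHECK_DECL([RTLD_NOW],` then `[AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])],` then `[], [#include <dlfcn.h>])]`. A short comment that PKCS#11 support now also depends on `RTLD_NOW` being declared would help as well.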
@@ -1869,7 +1941,6 @@ AC_SEARCH_LIBS([clock_gettime], [rt],
[AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
dnl Make sure prototypes are defined for these before using them.
-AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])])
AC_CHECK_DECL([strsep],
[AC_CHECK_FUNCS([strsep])],
[],
@@ -1905,7 +1976,7 @@ AC_CHECK_DECLS([O_NONBLOCK], , ,
#endif
])
-AC_CHECK_DECLS([writev], , , [
+AC_CHECK_DECLS([readv, writev], , , [
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
@@ -2022,6 +2093,16 @@ AC_CHECK_FUNCS([realpath], [
)
])
+AC_MSG_CHECKING([for working fflush(NULL)])
+AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM([[#include <stdio.h>]], [[fflush(NULL); exit(0);]])],
+ AC_MSG_RESULT([yes]),
+ [AC_MSG_RESULT([no])
+ AC_DEFINE([FFLUSH_NULL_BUG], [1],
+ [define if fflush(NULL) does not work])],
+ AC_MSG_WARN([cross compiling: assuming working])
+)
+
dnl Checks for time functions
AC_CHECK_FUNCS([gettimeofday time])
dnl Checks for utmp functions
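Review bot: The test program for the `fflush(NULL)` probe calls `exit(0)` but its prologue includes only `<stdio.h>`, so `exit` is implicitly declared. A compiler that rejects implicit declarations fails the compile, `AC_RUN_IFELSE` takes the failure action, and `FFLUSH_NULL_BUG` is defined on a platform where `fflush(NULL)` works. Add the header to the prologue, `[[#include <stdio.h>` followed by `#include <stdlib.h>]]`, as the calloc probe in this file already does. The three action arguments are also unquoted, unlike most `AC_RUN_IFELSE` uses.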
@@ -2393,7 +2474,16 @@ static void sighandler(int sig) { _exit(1); }
)
fi
-AC_FUNC_GETPGRP
+AC_CHECK_FUNCS([getpgrp],[
+ AC_MSG_CHECKING([if getpgrp accepts zero args])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[$ac_includes_default]], [[ getpgrp(); ]])],
+ [ AC_MSG_RESULT([yes])
+ AC_DEFINE([GETPGRP_VOID], [1], [getpgrp takes zero args])],
+ [ AC_MSG_RESULT([no])
+ AC_DEFINE([GETPGRP_VOID], [0], [getpgrp takes one arg])]
+ )
+])
# Search for OpenSSL
saved_CPPFLAGS="$CPPFLAGS"
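Review bot: `GETPGRP_VOID` is now defined in both outcomes (1 or 0), whereas the `AC_FUNC_GETPGRP` macro it replaces defined it only when getpgrp takes no argument. Any consumer still written as `#ifdef GETPGRP_VOID` would therefore select the zero-argument call on one-argument platforms too. The consumers are outside this hunk and should be checked for `#if GETPGRP_VOID`. A comment above the check would record the contract, for example `# GETPGRP_VOID is always defined (0 or 1) when getpgrp exists; test it with #if, not #ifdef`.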
@@ -3641,6 +3731,23 @@ AC_CHECK_TYPES([fsblkcnt_t, fsfilcnt_t], , , [
#endif
])
+AC_CHECK_MEMBERS([struct statfs.f_flags], [], [], [[
+#include <sys/types.h>
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_SYS_STATFS_H
+#include <sys/statfs.h>
+#endif
+#ifdef HAVE_SYS_STATVFS_H
+#include <sys/statvfs.h>
+#endif
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif
+]])
+
+
AC_CHECK_TYPES([in_addr_t, in_port_t], , ,
[#include <sys/types.h>
#include <netinet/in.h>])
@@ -4755,7 +4862,7 @@ if test ! -d $piddir ; then
fi
AC_ARG_WITH([pid-dir],
- [ --with-pid-dir=PATH Specify location of ssh.pid file],
+ [ --with-pid-dir=PATH Specify location of sshd.pid file],
[
if test -n "$withval" && test "x$withval" != "xno" && \
test "x${withval}" != "xyes"; then
@@ -5056,6 +5163,7 @@ AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8])
AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS])
AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
+AC_SUBST([DEPEND], [$(cat $srcdir/.depend)])
CFLAGS="${CFLAGS} ${CFLAGS_AFTER}"
LDFLAGS="${LDFLAGS} ${LDFLAGS_AFTER}"
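Review bot: `$srcdir` is unquoted inside the command substitution in the new `AC_SUBST([DEPEND], ...)`, so a source path containing whitespace is word-split and `cat` reads the wrong files. The result of `cat` is not checked either, so a missing `.depend` yields an empty substitution and only a stray error message. Quoting the path is enough for the first problem: `AC_SUBST([DEPEND], [$(cat "$srcdir/.depend")])`. It is also worth confirming that `$(...)` is acceptable for the shells this configure script is expected to run under.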
@@ -5107,7 +5215,6 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
-echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
diff --git a/contrib/aix/README b/contrib/aix/README
index 4a11ae7038f9..1aa5919786ca 100644
--- a/contrib/aix/README
+++ b/contrib/aix/README
@@ -47,4 +47,3 @@ you get to keep both pieces.
- Darren Tucker (dtucker at zip dot com dot au)
2002/03/01
-$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 81d8cc30105c..00b384dc7a61 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,6 @@
#!/bin/sh
#
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
#
# Author: Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain and comes with absolutely
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
index e2641e79c4f9..7d76f49715c4 100755
--- a/contrib/aix/inventory.sh
+++ b/contrib/aix/inventory.sh
@@ -1,7 +1,6 @@
#!/bin/sh
#
# inventory.sh
-# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
#
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
# This file is placed into the public domain.
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
index a0261f48d53c..4b78cd950576 100644
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -13,6 +13,7 @@ defaultsdir=$(sysconfdir)/defaults/etc
inetdefdir=$(defaultsdir)/inetd.d
PRIVSEP_PATH=/var/empty
INSTALL=/usr/bin/install -c
+MKDIR_P=$(srcdir)/mkinstalldirs
DESTDIR=
@@ -23,7 +24,7 @@ all:
@echo
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
- $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+ $(MKDIR_P) $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
@@ -31,11 +32,11 @@ remove-empty-dir:
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
install-inetd-config:
- $(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
+ $(MKDIR_P) $(DESTDIR)$(inetdefdir)
$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
install-sshdoc:
- $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+ $(MKDIR_P) $(DESTDIR)$(sshdocdir)
-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
@@ -52,13 +53,13 @@ install-sshdoc:
-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
install-cygwindoc: README
- $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+ $(MKDIR_P) $(DESTDIR)$(cygdocdir)
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
install-doc: install-sshdoc install-cygwindoc
install-scripts: ssh-host-config ssh-user-config
- $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+ $(MKDIR_P) $(DESTDIR)$(bindir)
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
index 263fd26445d5..95a0d66dfe63 100755
--- a/contrib/findssl.sh
+++ b/contrib/findssl.sh
@@ -1,7 +1,5 @@
#!/bin/sh
#
-# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
-#
# findssl.sh
# Search for all instances of OpenSSL headers and libraries
# and print their versions.
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index a96a36e492d6..a0d5e2071023 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,5 +1,5 @@
-%define ver 7.6p1
-%define rel 1
+%define ver 7.7p1
+%define rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
@@ -23,8 +23,19 @@
# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1
-# Is this build for RHL 6.x?
+# Use build6x options for older RHEL builds
+# RHEL 7 not yet supported
+%if 0%{?rhel} > 6
%define build6x 0
+%else
+%define build6x 1
+%endif
+
+%if 0%{?fedora} >= 26
+%define compat_openssl 1
+%else
+%define compat_openssl 0
+%endif
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
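Review bot: The new `build6x` conditional does not match its comment: "RHEL 7 not yet supported" sits above `%if 0%{?rhel} > 6`, which selects `build6x 0` for RHEL 7 and later. When the `rhel` macro is undefined, as on the Fedora releases that the `compat_openssl` test just below targets, `0%{?rhel}` evaluates to 0 and the `%else` branch sets `build6x 1`, so non-RHEL builds get the legacy options. If only old RHEL should take that path, test for it directly, e.g. `%if 0%{?rhel} && 0%{?rhel} <= 6` with `%define build6x 1` in the true branch, and reword the comment to say what is meant.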
@@ -64,7 +75,7 @@
%define kerberos5 0
%endif
-Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
+Summary: The OpenSSH implementation of SSH protocol version 2.
Name: openssh
Version: %{ver}
%if %{rescue}
@@ -74,9 +85,7 @@ Release: %{rel}
%endif
URL: https://www.openssh.com/portable.html
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-%if ! %{no_x11_askpass}
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
-%endif
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -86,7 +95,13 @@ PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
-BuildRequires: perl, openssl-devel
+BuildRequires: perl
+%if %{compat_openssl}
+BuildRequires: compat-openssl10-devel
+%else
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: openssl-devel < 1.1
+%endif
BuildRequires: /bin/login
%if ! %{build6x}
BuildRequires: glibc-devel, pam
@@ -95,6 +110,12 @@ BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
+# Xt development tools
+BuildRequires: libXt-devel
+# Provides xmkmf
+BuildRequires: imake
+# Rely on relatively recent gtk
+BuildRequires: gtk2-devel
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
@@ -183,11 +204,6 @@ environment.
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
-%if %{kerberos5}
-K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'`
-echo K5DIR=$K5DIR
-%endif
-
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
@@ -196,6 +212,9 @@ echo K5DIR=$K5DIR
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--with-md5-passwords \
+ --mandir=%{_mandir} \
+ --with-mantype=man \
+ --disable-strip \
%if %{scard}
--with-smartcard \
%endif
@@ -262,12 +281,12 @@ install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
-install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
+install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif
%if ! %{no_gnome_askpass}
-install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{scard}
@@ -391,7 +410,7 @@ fi
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
+%{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif
@@ -403,6 +422,22 @@ fi
%endif
%changelog
+* Sat Feb 10 2018 Darren Tucker <dtucker@dtucker.net>
+- Update openssl-devel dependency to match current requirements.
+- Handle Fedora >=6 openssl 1.0 compat libs.
+- Remove SSH1 from description.
+- Don't strip binaries at build time so that debuginfo package can be
+ created.
+
+* Sun Nov 16 2014 Nico Kadel-Garcia <nakdel@gmail.com>
+- Add '--mandir' and '--with-mantype' for RHEL 5 compatibility
+- Add 'dist' option to 'ver' so package names reflect OS at build time
+- Always include x11-ssh-askpass tarball in SRPM
+- Add openssh-x11-aspass BuildRequires for libXT-devel, imake, gtk2-devel
+- Discard 'K5DIR' reporting, not usable inside 'mock' for RHEL 5 compatibility
+- Discard obsolete '--with-rsh' configure option
+- Update openssl-devel dependency to 0.9.8f, as found in autoconf
+
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
@@ -414,7 +449,7 @@ fi
- Don't install profile.d scripts when not building with GNOME/GTK askpass
(patch from bet@rahul.net)
-* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+* Tue Oct 01 2002 Damien Miller <djm@mindrot.org>
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
@@ -460,7 +495,7 @@ fi
- remove dependency on db1-devel, which has just been swallowed up whole
by gnome-libs-devel
-* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+* Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust build dependencies so that build6x actually works right (fix
from Hugo van der Kooij)
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 40c8dfd9f886..8ee5fcd3bb4f 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -40,7 +40,6 @@ start()
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
- /sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
diff --git a/contrib/redhat/sshd.init.old b/contrib/redhat/sshd.init.old
index 0deb6080eb82..8a30f7da4a4a 100755
--- a/contrib/redhat/sshd.init.old
+++ b/contrib/redhat/sshd.init.old
@@ -24,7 +24,6 @@ prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
@@ -61,21 +60,6 @@ my_failure() {
;;
esac
}
-do_rsa1_keygen() {
- if [ ! -s $RSA1_KEY ]; then
- echo -n "Generating SSH1 RSA host key: "
- if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
- chmod 600 $RSA1_KEY
- chmod 644 $RSA1_KEY.pub
- my_success "RSA1 key generation"
- echo
- else
- my_failure "RSA1 key generation"
- echo
- exit 1
- fi
- fi
-}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n "Generating SSH2 RSA host key: "
@@ -119,7 +103,6 @@ do_restart_sanity_check() {
case "$1" in
start)
# Create keys if necessary
- do_rsa1_keygen;
do_rsa_keygen;
do_dsa_keygen;
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index fdb3578cbd4e..d9c4298f1c5a 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 7.6p1
+Version: 7.7p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
diff --git a/crypto_api.h b/crypto_api.h
index 5820ce8fa1f6..7f45bbd69e77 100644
--- a/crypto_api.h
+++ b/crypto_api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_api.h,v 1.3 2013/12/17 10:36:38 markus Exp $ */
+/* $OpenBSD: crypto_api.h,v 1.4 2017/12/14 21:07:39 naddy Exp $ */
/*
* Assembled from generated headers and source files by Markus Friedl.
@@ -8,6 +8,8 @@
#ifndef crypto_api_h
#define crypto_api_h
+#include "includes.h"
+
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
@@ -18,12 +20,6 @@ typedef uint32_t crypto_uint32;
#define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len))
-#define crypto_hashblocks_sha512_STATEBYTES 64U
-#define crypto_hashblocks_sha512_BLOCKBYTES 128U
-
-int crypto_hashblocks_sha512(unsigned char *, const unsigned char *,
- unsigned long long);
-
#define crypto_hash_sha512_BYTES 64U
int crypto_hash_sha512(unsigned char *, const unsigned char *,
diff --git a/defines.h b/defines.h
index f1662edcfea0..3fa5ec5a9b1a 100644
--- a/defines.h
+++ b/defines.h
@@ -214,24 +214,12 @@ typedef signed char int8_t;
# if (SIZEOF_SHORT_INT == 2)
typedef short int int16_t;
# else
-# ifdef _UNICOS
-# if (SIZEOF_SHORT_INT == 4)
-typedef short int16_t;
-# else
-typedef long int16_t;
-# endif
-# else
# error "16 bit int type not found."
-# endif /* _UNICOS */
# endif
# if (SIZEOF_INT == 4)
typedef int int32_t;
# else
-# ifdef _UNICOS
-typedef long int32_t;
-# else
# error "32 bit int type not found."
-# endif /* _UNICOS */
# endif
#endif
@@ -247,24 +235,12 @@ typedef unsigned char u_int8_t;
# if (SIZEOF_SHORT_INT == 2)
typedef unsigned short int u_int16_t;
# else
-# ifdef _UNICOS
-# if (SIZEOF_SHORT_INT == 4)
-typedef unsigned short u_int16_t;
-# else
-typedef unsigned long u_int16_t;
-# endif
-# else
# error "16 bit int type not found."
-# endif
# endif
# if (SIZEOF_INT == 4)
typedef unsigned int u_int32_t;
# else
-# ifdef _UNICOS
-typedef unsigned long u_int32_t;
-# else
# error "32 bit int type not found."
-# endif
# endif
# endif
#define __BIT_TYPES_DEFINED__
diff --git a/dh.c b/dh.c
index 475312427805..46afba033693 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.62 2016/12/15 21:20:41 dtucker Exp $ */
+/* $OpenBSD: dh.c,v 1.63 2018/02/07 02:06:50 jsing Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@@ -25,6 +25,7 @@
#include "includes.h"
+#ifdef WITH_OPENSSL
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -134,10 +135,8 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
return 1;
fail:
- if (dhg->g != NULL)
- BN_clear_free(dhg->g);
- if (dhg->p != NULL)
- BN_clear_free(dhg->p);
+ BN_clear_free(dhg->g);
+ BN_clear_free(dhg->p);
dhg->g = dhg->p = NULL;
return 0;
}
@@ -465,3 +464,5 @@ dh_estimate(int bits)
return 7680;
return 8192;
}
+
+#endif /* WITH_OPENSSL */
diff --git a/dns.c b/dns.c
index 6e1abb5300cd..ff1a2c41c29d 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.38 2018/02/23 15:58:37 markus Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -105,6 +105,11 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
if (!*digest_type)
*digest_type = SSHFP_HASH_SHA256;
break;
+ case KEY_XMSS:
+ *algorithm = SSHFP_KEY_XMSS;
+ if (!*digest_type)
+ *digest_type = SSHFP_HASH_SHA256;
+ break;
default:
*algorithm = SSHFP_KEY_RESERVED; /* 0 */
*digest_type = SSHFP_HASH_RESERVED; /* 0 */
diff --git a/dns.h b/dns.h
index 68443f7cbbb8..91f3c632dd1b 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.18 2018/02/23 15:58:37 markus Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -33,7 +33,8 @@ enum sshfp_types {
SSHFP_KEY_RSA = 1,
SSHFP_KEY_DSA = 2,
SSHFP_KEY_ECDSA = 3,
- SSHFP_KEY_ED25519 = 4
+ SSHFP_KEY_ED25519 = 4,
+ SSHFP_KEY_XMSS = 5
};
enum sshfp_hashes {
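Review bot: `SSHFP_KEY_XMSS = 5` is added to `enum sshfp_types` with no comment saying where the number comes from. The existing values 1-4 follow the assigned SSHFP algorithm numbers, and as far as I know 5 is not assigned to XMSS, so other resolvers and tools may not recognise records that carry it. The dns.c hunk above makes `dns_read_key()` emit this value for `KEY_XMSS`, so it does reach DNS data. I would mark the line, e.g. `SSHFP_KEY_XMSS = 5	/* experimental: not an assigned SSHFP algorithm number */`, and check it against the registry before relying on it.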
diff --git a/entropy.c b/entropy.c
index 9305f89aeada..14b98f188918 100644
--- a/entropy.c
+++ b/entropy.c
@@ -108,7 +108,7 @@ get_random_bytes_prngd(unsigned char *buf, int len,
strlen(socket_path) + 1;
}
- old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
+ old_sigpipe = signal(SIGPIPE, SIG_IGN);
errors = 0;
rval = -1;
@@ -158,7 +158,7 @@ reopen:
rval = 0;
done:
- mysignal(SIGPIPE, old_sigpipe);
+ signal(SIGPIPE, old_sigpipe);
if (fd != -1)
close(fd);
return rval;
diff --git a/fixprogs b/fixprogs
deleted file mode 100755
index af76ee392456..000000000000
--- a/fixprogs
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/perl
-#
-# fixprogs - run through the list of entropy commands and
-# score out the losers
-#
-
-$entscale = 50; # divisor for optional entropy measurement
-
-sub usage {
- return("Usage: $0 <command file>\n");
-}
-
-if (($#ARGV == -1) || ($#ARGV>1)) {
- die(&usage);
-}
-
-# 'undocumented' option - run ent (in second param) on the output
-if ($#ARGV==1) {
- $entcmd=$ARGV[1]
-} else {
- $entcmd = ""
-};
-
-$infilename = $ARGV[0];
-
-if (!open(IN, "<".$infilename)) {
- die("Couldn't open input file");
-}
-$outfilename=$infilename.".out";
-if (!open(OUT, ">$outfilename")) {
- die("Couldn't open output file $outfilename");
-}
-@infile=<IN>;
-
-select(OUT); $|=1; select(STDOUT);
-
-foreach (@infile) {
- if (/^\s*\#/ || /^\s*$/) {
- print OUT;
- next;
- }
- ($cmd, $path, $est) = /^\"([^\"]+)\"\s+([\w\/_-]+)\s+([\d\.\-]+)/o;
- @args = split(/ /, $cmd);
- if (! ($pid = fork())) {
- # child
- close STDIN; close STDOUT; close STDERR;
- open (STDIN, "</dev/null");
- open (STDOUT, ">/dev/null");
- open (STDERR, ">/dev/null");
- exec $path @args;
- exit 1; # shouldn't be here
- }
- # parent
- waitpid ($pid, 0); $ret=$? >> 8;
-
- if ($ret != 0) {
- $path = "undef";
- } else {
- if ($entcmd ne "") {
- # now try to run ent on the command
- $mostargs=join(" ", splice(@args,1));
- print "Evaluating '$path $mostargs'\n";
- @ent = qx{$path $mostargs | $entcmd -b -t};
- @ent = grep(/^1,/, @ent);
- ($null, $null, $rate) = split(/,/, $ent[0]);
- $est = $rate / $entscale; # scale the estimate back
- }
- }
- print OUT "\"$cmd\" $path $est\n";
-}
-
-close(IN);
diff --git a/hash.c b/hash.c
index 734c6bee2af3..5875d41fafa7 100644
--- a/hash.c
+++ b/hash.c
@@ -1,76 +1,27 @@
-/* $OpenBSD: hash.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/* Copied from nacl-20110221/crypto_hash/sha512/ref/hash.c */
+/* $OpenBSD: hash.c,v 1.4 2017/12/14 21:07:39 naddy Exp $ */
+/* $OpenBSD: hash.c,v 1.5 2018/01/13 00:24:09 naddy Exp $ */
/*
-20080913
-D. J. Bernstein
-Public domain.
-*/
-
-#include "includes.h"
+ * Public domain. Author: Christian Weisgerber <naddy@openbsd.org>
+ * API compatible reimplementation of function from nacl
+ */
#include "crypto_api.h"
-#define blocks crypto_hashblocks_sha512
+#include <stdarg.h>
-static const unsigned char iv[64] = {
- 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08,
- 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b,
- 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b,
- 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1,
- 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1,
- 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f,
- 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b,
- 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79
-} ;
+#include "digest.h"
+#include "log.h"
+#include "ssherr.h"
-typedef unsigned long long uint64;
-
-int crypto_hash_sha512(unsigned char *out,const unsigned char *in,unsigned long long inlen)
+int
+crypto_hash_sha512(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen)
{
- unsigned char h[64];
- unsigned char padded[256];
- unsigned int i;
- unsigned long long bytes = inlen;
-
- for (i = 0;i < 64;++i) h[i] = iv[i];
-
- blocks(h,in,inlen);
- in += inlen;
- inlen &= 127;
- in -= inlen;
-
- for (i = 0;i < inlen;++i) padded[i] = in[i];
- padded[inlen] = 0x80;
-
- if (inlen < 112) {
- for (i = inlen + 1;i < 119;++i) padded[i] = 0;
- padded[119] = bytes >> 61;
- padded[120] = bytes >> 53;
- padded[121] = bytes >> 45;
- padded[122] = bytes >> 37;
- padded[123] = bytes >> 29;
- padded[124] = bytes >> 21;
- padded[125] = bytes >> 13;
- padded[126] = bytes >> 5;
- padded[127] = bytes << 3;
- blocks(h,padded,128);
- } else {
- for (i = inlen + 1;i < 247;++i) padded[i] = 0;
- padded[247] = bytes >> 61;
- padded[248] = bytes >> 53;
- padded[249] = bytes >> 45;
- padded[250] = bytes >> 37;
- padded[251] = bytes >> 29;
- padded[252] = bytes >> 21;
- padded[253] = bytes >> 13;
- padded[254] = bytes >> 5;
- padded[255] = bytes << 3;
- blocks(h,padded,256);
- }
-
- for (i = 0;i < 64;++i) out[i] = h[i];
+ int r;
- return 0;
+ if ((r = ssh_digest_memory(SSH_DIGEST_SHA512, in, inlen, out,
+ crypto_hash_sha512_BYTES)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r));
+ return 0;
}
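Review bot: `inlen` is an `unsigned long long` but is passed straight to `ssh_digest_memory()`. If that function takes its length as `size_t` (its prototype is not in this hunk), a value above `SIZE_MAX` would be narrowed on 32-bit builds and a shorter message hashed without any error. A guard before the call makes the limit explicit: `if (inlen > SIZE_MAX) fatal("%s: input too large", __func__);`. Separately, the hunk adds two `$OpenBSD: hash.c` ident lines (v 1.4 and v 1.5), which looks like a merge leftover; keeping only one would avoid confusion about which revision this file tracks.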
diff --git a/install-sh b/install-sh
index 220abbf61677..377bb8687ffe 100755
--- a/install-sh
+++ b/install-sh
@@ -1,251 +1,527 @@
#!/bin/sh
-#
# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
+
+scriptversion=2011-11-20.07; # UTC
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
-# Copyright 1991 by the Massachusetts Institute of Technology
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission. M.I.T. makes no representations about the
-# suitability of this software for any purpose. It is provided "as is"
-# without express or implied warranty.
+#
+# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
+# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
-# from scratch. It can only install one file at a time, a restriction
-# shared with many OS's install programs.
+# from scratch.
+nl='
+'
+IFS=" "" $nl"
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
- case $1 in
- -c) instcmd="$cpprog"
- shift
- continue;;
-
- -d) dir_arg=true
- shift
- continue;;
-
- -m) chmodcmd="$chmodprog $2"
- shift
- shift
- continue;;
-
- -o) chowncmd="$chownprog $2"
- shift
- shift
- continue;;
-
- -g) chgrpcmd="$chgrpprog $2"
- shift
- shift
- continue;;
-
- -s) stripcmd="$stripprog"
- shift
- continue;;
-
- -t=*) transformarg=`echo $1 | sed 's/-t=//'`
- shift
- continue;;
-
- -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
- shift
- continue;;
-
- *) if [ x"$src" = x ]
- then
- src=$1
- else
- # this colon is to work around a 386BSD /bin/sh bug
- :
- dst=$1
- fi
- shift
- continue;;
- esac
-done
-
-if [ x"$src" = x ]
-then
- echo "install: no input file specified"
- exit 1
+doit=${DOITPROG-}
+if test -z "$doit"; then
+ doit_exec=exec
else
- true
+ doit_exec=$doit
fi
-if [ x"$dir_arg" != x ]; then
- dst=$src
- src=""
-
- if [ -d $dst ]; then
- instcmd=:
- chmodcmd=""
- else
- instcmd=mkdir
- fi
-else
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
+
+chgrpprog=${CHGRPPROG-chgrp}
+chmodprog=${CHMODPROG-chmod}
+chownprog=${CHOWNPROG-chown}
+cmpprog=${CMPPROG-cmp}
+cpprog=${CPPROG-cp}
+mkdirprog=${MKDIRPROG-mkdir}
+mvprog=${MVPROG-mv}
+rmprog=${RMPROG-rm}
+stripprog=${STRIPPROG-strip}
+
+posix_glob='?'
+initialize_posix_glob='
+ test "$posix_glob" != "?" || {
+ if (set -f) 2>/dev/null; then
+ posix_glob=
+ else
+ posix_glob=:
+ fi
+ }
+'
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad
-# if $src (and thus $dsttmp) contains '*'.
+posix_mkdir=
- if [ -f $src -o -d $src ]
- then
- true
- else
- echo "install: $src does not exist"
- exit 1
- fi
-
- if [ x"$dst" = x ]
- then
- echo "install: no destination specified"
- exit 1
- else
- true
- fi
+# Desired mode of installed file.
+mode=0755
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
+chgrpcmd=
+chmodcmd=$chmodprog
+chowncmd=
+mvcmd=$mvprog
+rmcmd="$rmprog -f"
+stripcmd=
- if [ -d $dst ]
- then
- dst="$dst"/`basename $src`
- else
- true
- fi
-fi
+src=
+dst=
+dir_arg=
+dst_arg=
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+copy_on_change=false
+no_target_directory=
-# Make sure that the destination directory exists.
-# this part is taken from Noah Friedman's mkinstalldirs script
+usage="\
+Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+ or: $0 [OPTION]... SRCFILES... DIRECTORY
+ or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+ or: $0 [OPTION]... -d DIRECTORIES...
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='
-'
-IFS="${IFS-${defaultIFS}}"
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
+Options:
+ --help display this help and exit.
+ --version display version info and exit.
-pathcomp=''
+ -c (ignored)
+ -C install only if different (preserve the last data modification time)
+ -d create directories instead of installing files.
+ -g GROUP $chgrpprog installed files to GROUP.
+ -m MODE $chmodprog installed files to MODE.
+ -o USER $chownprog installed files to USER.
+ -s $stripprog installed files.
+ -t DIRECTORY install into DIRECTORY.
+ -T report an error if DSTFILE is a directory.
-while [ $# -ne 0 ] ; do
- pathcomp="${pathcomp}${1}"
- shift
+Environment variables override the default commands:
+ CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
+ RMPROG STRIPPROG
+"
- if [ ! -d "${pathcomp}" ] ;
- then
- $mkdirprog "${pathcomp}"
- else
- true
- fi
+while test $# -ne 0; do
+ case $1 in
+ -c) ;;
- pathcomp="${pathcomp}/"
-done
-fi
+ -C) copy_on_change=true;;
-if [ x"$dir_arg" != x ]
-then
- $doit $instcmd $dst &&
+ -d) dir_arg=true;;
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
+ -g) chgrpcmd="$chgrpprog $2"
+ shift;;
-# If we're going to rename the final executable, determine the name now.
+ --help) echo "$usage"; exit $?;;
- if [ x"$transformarg" = x ]
- then
- dstfile=`basename $dst`
- else
- dstfile=`basename $dst $transformbasename |
- sed $transformarg`$transformbasename
- fi
+ -m) mode=$2
+ case $mode in
+ *' '* | *' '* | *'
+'* | *'*'* | *'?'* | *'['*)
+ echo "$0: invalid mode: $mode" >&2
+ exit 1;;
+ esac
+ shift;;
-# don't allow the sed command to completely eliminate the filename
+ -o) chowncmd="$chownprog $2"
+ shift;;
- if [ x"$dstfile" = x ]
- then
- dstfile=`basename $dst`
- else
- true
- fi
+ -s) stripcmd=$stripprog;;
-# Make a temp file name in the proper directory.
+ -t) dst_arg=$2
+ # Protect names problematic for 'test' and other utilities.
+ case $dst_arg in
+ -* | [=\(\)!]) dst_arg=./$dst_arg;;
+ esac
+ shift;;
- dsttmp=$dstdir/#inst.$$#
+ -T) no_target_directory=true;;
-# Move or copy the file name to the temp name
+ --version) echo "$0 $scriptversion"; exit $?;;
- $doit $instcmd $src $dsttmp &&
+ --) shift
+ break;;
- trap "rm -f ${dsttmp}" 0 &&
+ -*) echo "$0: invalid option: $1" >&2
+ exit 1;;
-# and set any options; do chmod last to preserve setuid bits
+ *) break;;
+ esac
+ shift
+done
-# If any of these fail, we abort the whole thing. If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
+if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
+ # When -d is used, all remaining arguments are directories to create.
+ # When -t is used, the destination is already specified.
+ # Otherwise, the last argument is the destination. Remove it from $@.
+ for arg
+ do
+ if test -n "$dst_arg"; then
+ # $@ is not empty: it contains at least $arg.
+ set fnord "$@" "$dst_arg"
+ shift # fnord
+ fi
+ shift # arg
+ dst_arg=$arg
+ # Protect names problematic for 'test' and other utilities.
+ case $dst_arg in
+ -* | [=\(\)!]) dst_arg=./$dst_arg;;
+ esac
+ done
+fi
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+if test $# -eq 0; then
+ if test -z "$dir_arg"; then
+ echo "$0: no input file specified." >&2
+ exit 1
+ fi
+ # It's OK to call 'install-sh -d' without argument.
+ # This can happen when creating conditional directories.
+ exit 0
+fi
-# Now rename the file to the real destination.
+if test -z "$dir_arg"; then
+ do_exit='(exit $ret); exit $ret'
+ trap "ret=129; $do_exit" 1
+ trap "ret=130; $do_exit" 2
+ trap "ret=141; $do_exit" 13
+ trap "ret=143; $do_exit" 15
+
+ # Set umask so as not to create temps with too-generous modes.
+ # However, 'strip' requires both read and write access to temps.
+ case $mode in
+ # Optimize common cases.
+ *644) cp_umask=133;;
+ *755) cp_umask=22;;
+
+ *[0-7])
+ if test -z "$stripcmd"; then
+ u_plus_rw=
+ else
+ u_plus_rw='% 200'
+ fi
+ cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+ *)
+ if test -z "$stripcmd"; then
+ u_plus_rw=
+ else
+ u_plus_rw=,u+rw
+ fi
+ cp_umask=$mode$u_plus_rw;;
+ esac
+fi
- $doit $rmcmd -f $dstdir/$dstfile &&
- $doit $mvcmd $dsttmp $dstdir/$dstfile
+for src
+do
+ # Protect names problematic for 'test' and other utilities.
+ case $src in
+ -* | [=\(\)!]) src=./$src;;
+ esac
+
+ if test -n "$dir_arg"; then
+ dst=$src
+ dstdir=$dst
+ test -d "$dstdir"
+ dstdir_status=$?
+ else
+
+ # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+ # might cause directories to be created, which would be especially bad
+ # if $src (and thus $dsttmp) contains '*'.
+ if test ! -f "$src" && test ! -d "$src"; then
+ echo "$0: $src does not exist." >&2
+ exit 1
+ fi
+
+ if test -z "$dst_arg"; then
+ echo "$0: no destination specified." >&2
+ exit 1
+ fi
+ dst=$dst_arg
+
+ # If destination is a directory, append the input filename; won't work
+ # if double slashes aren't ignored.
+ if test -d "$dst"; then
+ if test -n "$no_target_directory"; then
+ echo "$0: $dst_arg: Is a directory" >&2
+ exit 1
+ fi
+ dstdir=$dst
+ dst=$dstdir/`basename "$src"`
+ dstdir_status=0
+ else
+ # Prefer dirname, but fall back on a substitute if dirname fails.
+ dstdir=`
+ (dirname "$dst") 2>/dev/null ||
+ expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$dst" : 'X\(//\)[^/]' \| \
+ X"$dst" : 'X\(//\)$' \| \
+ X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
+ echo X"$dst" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'
+ `
+
+ test -d "$dstdir"
+ dstdir_status=$?
+ fi
+ fi
+
+ obsolete_mkdir_used=false
+
+ if test $dstdir_status != 0; then
+ case $posix_mkdir in
+ '')
+ # Create intermediate dirs using mode 755 as modified by the umask.
+ # This is like FreeBSD 'install' as of 1997-10-28.
+ umask=`umask`
+ case $stripcmd.$umask in
+ # Optimize common cases.
+ *[2367][2367]) mkdir_umask=$umask;;
+ .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+ *[0-7])
+ mkdir_umask=`expr $umask + 22 \
+ - $umask % 100 % 40 + $umask % 20 \
+ - $umask % 10 % 4 + $umask % 2
+ `;;
+ *) mkdir_umask=$umask,go-w;;
+ esac
+
+ # With -d, create the new directory with the user-specified mode.
+ # Otherwise, rely on $mkdir_umask.
+ if test -n "$dir_arg"; then
+ mkdir_mode=-m$mode
+ else
+ mkdir_mode=
+ fi
-fi &&
+ posix_mkdir=false
+ case $umask in
+ *[123567][0-7][0-7])
+ # POSIX mkdir -p sets u+wx bits regardless of umask, which
+ # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+ ;;
+ *)
+ tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+ trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+ if (umask $mkdir_umask &&
+ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+ then
+ if test -z "$dir_arg" || {
+ # Check for POSIX incompatibilities with -m.
+ # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+ # other-writable bit of parent directory when it shouldn't.
+ # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+ ls_ld_tmpdir=`ls -ld "$tmpdir"`
+ case $ls_ld_tmpdir in
+ d????-?r-*) different_mode=700;;
+ d????-?--*) different_mode=755;;
+ *) false;;
+ esac &&
+ $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+ ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+ test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+ }
+ }
+ then posix_mkdir=:
+ fi
+ rmdir "$tmpdir/d" "$tmpdir"
+ else
+ # Remove any dirs left behind by ancient mkdir implementations.
+ rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+ fi
+ trap '' 0;;
+ esac;;
+ esac
+ if
+ $posix_mkdir && (
+ umask $mkdir_umask &&
+ $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+ )
+ then :
+ else
+
+ # The umask is ridiculous, or mkdir does not conform to POSIX,
+ # or it failed possibly due to a race condition. Create the
+ # directory the slow way, step by step, checking for races as we go.
+
+ case $dstdir in
+ /*) prefix='/';;
+ [-=\(\)!]*) prefix='./';;
+ *) prefix='';;
+ esac
+
+ eval "$initialize_posix_glob"
+
+ oIFS=$IFS
+ IFS=/
+ $posix_glob set -f
+ set fnord $dstdir
+ shift
+ $posix_glob set +f
+ IFS=$oIFS
+
+ prefixes=
+
+ for d
+ do
+ test X"$d" = X && continue
+
+ prefix=$prefix$d
+ if test -d "$prefix"; then
+ prefixes=
+ else
+ if $posix_mkdir; then
+ (umask=$mkdir_umask &&
+ $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+ # Don't fail if two instances are running concurrently.
+ test -d "$prefix" || exit 1
+ else
+ case $prefix in
+ *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+ *) qprefix=$prefix;;
+ esac
+ prefixes="$prefixes '$qprefix'"
+ fi
+ fi
+ prefix=$prefix/
+ done
+
+ if test -n "$prefixes"; then
+ # Don't fail if two instances are running concurrently.
+ (umask $mkdir_umask &&
+ eval "\$doit_exec \$mkdirprog $prefixes") ||
+ test -d "$dstdir" || exit 1
+ obsolete_mkdir_used=true
+ fi
+ fi
+ fi
+
+ if test -n "$dir_arg"; then
+ { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+ { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+ { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
+ else
+
+ # Make a couple of temp file names in the proper directory.
+ dsttmp=$dstdir/_inst.$$_
+ rmtmp=$dstdir/_rm.$$_
+
+ # Trap to clean up those temp files at exit.
+ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+
+ # Copy the file name to the temp name.
+ (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+
+ # and set any options; do chmod last to preserve setuid bits.
+ #
+ # If any of these fail, we abort the whole thing. If we want to
+ # ignore errors from any of these, just make sure not to ignore
+ # errors from the above "$doit $cpprog $src $dsttmp" command.
+ #
+ { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
+ { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
+ { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
+ { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
+
+ # If -C, don't bother to copy if it wouldn't change the file.
+ if $copy_on_change &&
+ old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
+ new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
+
+ eval "$initialize_posix_glob" &&
+ $posix_glob set -f &&
+ set X $old && old=:$2:$4:$5:$6 &&
+ set X $new && new=:$2:$4:$5:$6 &&
+ $posix_glob set +f &&
+
+ test "$old" = "$new" &&
+ $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
+ then
+ rm -f "$dsttmp"
+ else
+ # Rename the file to the real destination.
+ $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
+
+ # The rename failed, perhaps because mv can't rename something else
+ # to itself, or perhaps because mv is so ancient that it does not
+ # support -f.
+ {
+ # Now remove or move aside any old file at destination location.
+ # We try this two ways since rm can't unlink itself on some
+ # systems and the destination file might be busy for other
+ # reasons. In this case, the final cleanup might fail but the new
+ # file should still install successfully.
+ {
+ test ! -f "$dst" ||
+ $doit $rmcmd -f "$dst" 2>/dev/null ||
+ { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
+ { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+ } ||
+ { echo "$0: cannot unlink or rename $dst" >&2
+ (exit 1); exit 1
+ }
+ } &&
+
+ # Now rename the file to the real destination.
+ $doit $mvcmd "$dsttmp" "$dst"
+ }
+ fi || exit 1
+
+ trap '' 0
+ fi
+done
-exit 0
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/kex.c b/kex.c
index d5d5a9dae996..15ea28b07f5b 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.134 2017/06/13 12:13:59 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.136 2018/02/07 02:06:50 jsing Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -587,11 +587,9 @@ kex_free(struct kex *kex)
u_int mode;
#ifdef WITH_OPENSSL
- if (kex->dh)
- DH_free(kex->dh);
+ DH_free(kex->dh);
#ifdef OPENSSL_HAS_ECC
- if (kex->ec_client_key)
- EC_KEY_free(kex->ec_client_key);
+ EC_KEY_free(kex->ec_client_key);
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
for (mode = 0; mode < MODE_MAX; mode++) {
@@ -675,9 +673,6 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
free(name);
return SSH_ERR_INTERNAL_ERROR;
}
- /* truncate the key */
- if (ssh->compat & SSH_BUG_HMAC)
- mac->key_len = 16;
mac->name = name;
mac->key = NULL;
mac->enabled = 0;
@@ -866,8 +861,7 @@ kex_choose_conf(struct ssh *ssh)
kex->dh_need = dh_need;
/* ignore the next message if the proposals do not match */
- if (first_kex_follows && !proposals_match(my, peer) &&
- !(ssh->compat & SSH_BUG_FIRSTKEX))
+ if (first_kex_follows && !proposals_match(my, peer))
ssh->dispatch_skip_packets = 1;
r = 0;
out:
diff --git a/kexc25519c.c b/kexc25519c.c
index e488013e93cd..a8d92149c3fd 100644
--- a/kexc25519c.c
+++ b/kexc25519c.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519c.c,v 1.8 2017/05/31 04:17:12 djm Exp $ */
+/* $OpenBSD: kexc25519c.c,v 1.9 2017/12/18 02:25:15 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -141,7 +141,7 @@ input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
- ssh->compat)) != 0)
+ kex->hostkey_alg, ssh->compat)) != 0)
goto out;
/* save session id */
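Review bot: `kex->hostkey_alg` is passed to `sshkey_verify()` here without a check that it is set. If `sshkey_verify()` treats a NULL algorithm name as "accept any" (its definition is not on this page), a missing negotiated name would silently skip the algorithm match this change introduces. A guard before the call, such as `if (kex->hostkey_alg == NULL) { r = SSH_ERR_INTERNAL_ERROR; goto out; }`, would make it fail closed. A one-line comment should also say that the signature must use the negotiated host key algorithm. The same applies to the matching call in the kexdhc.c `input_kex_dh` hunk; both functions start and end outside their hunks.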
diff --git a/kexc25519s.c b/kexc25519s.c
index 0a008d44746f..0800a7a4bcf4 100644
--- a/kexc25519s.c
+++ b/kexc25519s.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519s.c,v 1.10 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: kexc25519s.c,v 1.11 2017/05/31 04:19:28 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
diff --git a/kexdhc.c b/kexdhc.c
index 9864ee2ec92e..9a9f1ea784e8 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.20 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.22 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -183,7 +183,7 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
- ssh->compat)) != 0)
+ kex->hostkey_alg, ssh->compat)) != 0)
goto out;
/* save session id */
@@ -203,14 +203,12 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
- if (dh_server_pub)
- BN_clear_free(dh_server_pub);
+ BN_clear_free(dh_server_pub);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
diff --git a/kexdhs.c b/kexdhs.c
index 81ce56d7a5ad..da8f4c439fb7 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.25 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.26 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@@ -208,14 +208,12 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
- if (dh_client_pub)
- BN_clear_free(dh_client_pub);
+ BN_clear_free(dh_client_pub);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
diff --git a/kexecdhc.c b/kexecdhc.c
index d8a8b660fd56..ac146a362ee0 100644
--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.11 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.13 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -89,8 +89,7 @@ kexecdh_client(struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &input_kex_ecdh_reply);
r = 0;
out:
- if (client_key)
- EC_KEY_free(client_key);
+ EC_KEY_free(client_key);
return r;
}
@@ -188,7 +187,7 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
- hashlen, ssh->compat)) != 0)
+ hashlen, kex->hostkey_alg, ssh->compat)) != 0)
goto out;
/* save session id */
@@ -206,18 +205,14 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
- if (kex->ec_client_key) {
- EC_KEY_free(kex->ec_client_key);
- kex->ec_client_key = NULL;
- }
- if (server_public)
- EC_POINT_clear_free(server_public);
+ EC_KEY_free(kex->ec_client_key);
+ kex->ec_client_key = NULL;
+ EC_POINT_clear_free(server_public);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
diff --git a/kexecdhs.c b/kexecdhs.c
index dc24a3af609b..af4f30309971 100644
--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.16 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.17 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -187,18 +187,14 @@ input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
- if (kex->ec_client_key) {
- EC_KEY_free(kex->ec_client_key);
- kex->ec_client_key = NULL;
- }
- if (server_key)
- EC_KEY_free(server_key);
+ EC_KEY_free(kex->ec_client_key);
+ kex->ec_client_key = NULL;
+ EC_KEY_free(server_key);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
diff --git a/kexgexc.c b/kexgexc.c
index cd11287525b6..762a9a322958 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.25 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.27 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -134,10 +134,8 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply);
r = 0;
out:
- if (p)
- BN_clear_free(p);
- if (g)
- BN_clear_free(g);
+ BN_clear_free(p);
+ BN_clear_free(g);
return r;
}
@@ -230,7 +228,7 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
- hashlen, ssh->compat)) != 0)
+ hashlen, kex->hostkey_alg, ssh->compat)) != 0)
goto out;
/* save session id */
@@ -250,14 +248,12 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
explicit_bzero(hash, sizeof(hash));
DH_free(kex->dh);
kex->dh = NULL;
- if (dh_server_pub)
- BN_clear_free(dh_server_pub);
+ BN_clear_free(dh_server_pub);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
diff --git a/kexgexs.c b/kexgexs.c
index c5dd00578a33..d7b48ea88808 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.31 2017/05/30 14:23:52 markus Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.32 2018/02/07 02:06:51 jsing Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -237,14 +237,12 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
out:
DH_free(kex->dh);
kex->dh = NULL;
- if (dh_client_pub)
- BN_clear_free(dh_client_pub);
+ BN_clear_free(dh_client_pub);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
- if (shared_secret)
- BN_clear_free(shared_secret);
+ BN_clear_free(shared_secret);
free(server_host_key_blob);
free(signature);
return r;
diff --git a/key.c b/key.c
index 6e338c495bbb..a05fdd3c07c8 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.131 2017/05/30 14:16:41 markus Exp $ */
+/* $OpenBSD: key.c,v 1.132 2017/12/18 02:25:15 djm Exp $ */
/*
* placed in the public domain
*/
@@ -95,21 +95,6 @@ key_sign(const Key *key, u_char **sigp, u_int *lenp,
return 0;
}
-int
-key_verify(const Key *key, const u_char *signature, u_int signaturelen,
- const u_char *data, u_int datalen)
-{
- int r;
-
- if ((r = sshkey_verify(key, signature, signaturelen,
- data, datalen, datafellows)) != 0) {
- fatal_on_fatal_errors(r, __func__, 0);
- error("%s: %s", __func__, ssh_err(r));
- return r == SSH_ERR_SIGNATURE_INVALID ? 0 : -1;
- }
- return 1;
-}
-
Key *
key_demote(const Key *k)
{
diff --git a/key.h b/key.h
index a14f370376c0..fd59cbf544d4 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.51 2017/05/30 14:16:41 markus Exp $ */
+/* $OpenBSD: key.h,v 1.52 2017/12/18 02:25:15 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -58,7 +58,6 @@ int key_to_blob(const Key *, u_char **, u_int *);
int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int,
const char *);
-int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* authfile.c */
Key *key_load_cert(const char *);
diff --git a/krl.c b/krl.c
index 086fc20e5933..379153247b37 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.40 2017/05/31 09:15:42 deraadt Exp $ */
+/* $OpenBSD: krl.c,v 1.41 2017/12/18 02:25:15 djm Exp $ */
#include "includes.h"
@@ -1014,7 +1014,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
}
/* Check signature over entire KRL up to this point */
if ((r = sshkey_verify(key, blob, blen,
- sshbuf_ptr(buf), sig_off, 0)) != 0)
+ sshbuf_ptr(buf), sig_off, NULL, 0)) != 0)
goto out;
/* Check if this key has already signed this KRL */
for (i = 0; i < nca_used; i++) {
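Review bot: `sshkey_verify()` is called here with `NULL` for the new algorithm argument, which presumably means the KRL signature is accepted under any signature algorithm the key type supports. If that is intended, a comment such as `/* no algorithm restriction for KRL signatures */` would make the choice explicit. If it is not, the permitted algorithm should be passed instead. `ssh_krl_from_blob` continues outside the hunk.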
diff --git a/loginrec.c b/loginrec.c
index 788553e9204d..bdbc9bbf44f7 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -663,15 +663,9 @@ construct_utmp(struct logininfo *li,
switch (li->type) {
case LTYPE_LOGIN:
ut->ut_type = USER_PROCESS;
-#ifdef _UNICOS
- cray_set_tmpdir(ut);
-#endif
break;
case LTYPE_LOGOUT:
ut->ut_type = DEAD_PROCESS;
-#ifdef _UNICOS
- cray_retain_utmp(ut, li->pid);
-#endif
break;
}
# endif
diff --git a/md5crypt.c b/md5crypt.c
index 22ef9893356e..52cf2959a832 100644
--- a/md5crypt.c
+++ b/md5crypt.c
@@ -50,7 +50,7 @@ is_md5_salt(const char *salt)
char *
md5_crypt(const char *pw, const char *salt)
{
- static char passwd[120], salt_copy[9], *p;
+ static char passwd[120], salt_copy[9];
static const char *sp, *ep;
unsigned char final[16];
int sl, pl, i, j;
@@ -139,8 +139,6 @@ md5_crypt(const char *pw, const char *salt)
MD5_Final(final, &ctx1);
}
- p = passwd + strlen(passwd);
-
l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
strlcat(passwd, to64(l, 4), sizeof(passwd));
l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
diff --git a/mdoc2man.awk b/mdoc2man.awk
index 3e8725452ed3..d393ae6f1476 100644
--- a/mdoc2man.awk
+++ b/mdoc2man.awk
@@ -1,7 +1,5 @@
#!/usr/bin/awk
#
-# $Id: mdoc2man.awk,v 1.9 2009/10/24 00:52:42 dtucker Exp $
-#
# Version history:
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
# v3, I put the program under a proper license
diff --git a/misc.c b/misc.c
index 05950a471246..874dcc8a2344 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.113 2017/08/18 05:48:04 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -167,6 +167,73 @@ set_nodelay(int fd)
error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
}
+/* Allow local port reuse in TIME_WAIT */
+int
+set_reuseaddr(int fd)
+{
+ int on = 1;
+
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) {
+ error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+ return -1;
+ }
+ return 0;
+}
+
+/* Get/set routing domain */
+char *
+get_rdomain(int fd)
+{
+#if defined(HAVE_SYS_GET_RDOMAIN)
+ return sys_get_rdomain(fd);
+#elif defined(__OpenBSD__)
+ int rtable;
+ char *ret;
+ socklen_t len = sizeof(rtable);
+
+ if (getsockopt(fd, SOL_SOCKET, SO_RTABLE, &rtable, &len) == -1) {
+ error("Failed to get routing domain for fd %d: %s",
+ fd, strerror(errno));
+ return NULL;
+ }
+ xasprintf(&ret, "%d", rtable);
+ return ret;
+#else /* defined(__OpenBSD__) */
+ return NULL;
+#endif
+}
+
+int
+set_rdomain(int fd, const char *name)
+{
+#if defined(HAVE_SYS_SET_RDOMAIN)
+ return sys_set_rdomain(fd, name);
+#elif defined(__OpenBSD__)
+ int rtable;
+ const char *errstr;
+
+ if (name == NULL)
+ return 0; /* default table */
+
+ rtable = (int)strtonum(name, 0, 255, &errstr);
+ if (errstr != NULL) {
+ /* Shouldn't happen */
+ error("Invalid routing domain \"%s\": %s", name, errstr);
+ return -1;
+ }
+ if (setsockopt(fd, SOL_SOCKET, SO_RTABLE,
+ &rtable, sizeof(rtable)) == -1) {
+ error("Failed to set routing domain %d on fd %d: %s",
+ rtable, fd, strerror(errno));
+ return -1;
+ }
+ return 0;
+#else /* defined(__OpenBSD__) */
+ error("Setting routing domain is not supported on this platform");
+ return -1;
+#endif
+}
+
/* Characters considered whitespace in strsep calls. */
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
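Review bot: `get_rdomain()` returns memory from `xasprintf()` in the OpenBSD branch, but the one-line comment `/* Get/set routing domain */` does not say that the caller owns and must free the result. It also does not say that NULL covers both an error and an unsupported platform. I would document this above the function, e.g. `/* Returns an allocated string the caller must free, or NULL on error or if unsupported */`. In `set_rdomain()` the literal upper bound `255` passed to `strtonum()` would read better as the platform's `RT_TABLEID_MAX`.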
@@ -395,11 +462,12 @@ put_host_port(const char *host, u_short port)
* Search for next delimiter between hostnames/addresses and ports.
* Argument may be modified (for termination).
* Returns *cp if parsing succeeds.
- * *cp is set to the start of the next delimiter, if one was found.
+ * *cp is set to the start of the next field, if one was found.
+ * The delimiter char, if present, is stored in delim.
* If this is the last field, *cp is set to NULL.
*/
-char *
-hpdelim(char **cp)
+static char *
+hpdelim2(char **cp, char *delim)
{
char *s, *old;
@@ -422,6 +490,8 @@ hpdelim(char **cp)
case ':':
case '/':
+ if (delim != NULL)
+ *delim = *s;
*s = '\0'; /* terminate */
*cp = s + 1;
break;
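Review bot: `*delim` is written only in the `':'`/`'/'` case, so when the string ends without a delimiter the caller's variable keeps whatever it held before. `parse_uri()` passes an uninitialised `ch` and is safe only because it tests `tmp` before reading `ch`. Setting `*delim = '\0'` on the end-of-string path, or stating in the header comment that `delim` is untouched when no delimiter is found, would remove that hidden dependency. The rest of `hpdelim2` lies outside this hunk.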
@@ -434,6 +504,12 @@ hpdelim(char **cp)
}
char *
+hpdelim(char **cp)
+{
+ return hpdelim2(cp, NULL);
+}
+
+char *
cleanhostname(char *host)
{
if (*host == '[' && host[strlen(host) - 1] == ']') {
@@ -467,6 +543,75 @@ colon(char *cp)
}
/*
+ * Parse a [user@]host:[path] string.
+ * Caller must free returned user, host and path.
+ * Any of the pointer return arguments may be NULL (useful for syntax checking).
+ * If user was not specified then *userp will be set to NULL.
+ * If host was not specified then *hostp will be set to NULL.
+ * If path was not specified then *pathp will be set to ".".
+ * Returns 0 on success, -1 on failure.
+ */
+int
+parse_user_host_path(const char *s, char **userp, char **hostp, char **pathp)
+{
+ char *user = NULL, *host = NULL, *path = NULL;
+ char *sdup, *tmp;
+ int ret = -1;
+
+ if (userp != NULL)
+ *userp = NULL;
+ if (hostp != NULL)
+ *hostp = NULL;
+ if (pathp != NULL)
+ *pathp = NULL;
+
+ sdup = xstrdup(s);
+
+ /* Check for remote syntax: [user@]host:[path] */
+ if ((tmp = colon(sdup)) == NULL)
+ goto out;
+
+ /* Extract optional path */
+ *tmp++ = '\0';
+ if (*tmp == '\0')
+ tmp = ".";
+ path = xstrdup(tmp);
+
+ /* Extract optional user and mandatory host */
+ tmp = strrchr(sdup, '@');
+ if (tmp != NULL) {
+ *tmp++ = '\0';
+ host = xstrdup(cleanhostname(tmp));
+ if (*sdup != '\0')
+ user = xstrdup(sdup);
+ } else {
+ host = xstrdup(cleanhostname(sdup));
+ user = NULL;
+ }
+
+ /* Success */
+ if (userp != NULL) {
+ *userp = user;
+ user = NULL;
+ }
+ if (hostp != NULL) {
+ *hostp = host;
+ host = NULL;
+ }
+ if (pathp != NULL) {
+ *pathp = path;
+ path = NULL;
+ }
+ ret = 0;
+out:
+ free(sdup);
+ free(user);
+ free(host);
+ free(path);
+ return ret;
+}
+
+/*
* Parse a [user@]host[:port] string.
* Caller must free returned user and host.
* Any of the pointer return arguments may be NULL (useful for syntax checking).
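Review bot: The header comment of `parse_user_host_path()` promises `*hostp` is NULL when no host was given, but on the success path `host` is always the result of `xstrdup(cleanhostname(...))`. An input with an empty host part therefore appears to yield an empty string rather than NULL, and callers that test only for NULL would proceed with an empty hostname. Either reject it with `if (*host == '\0') goto out;` once the host is extracted, or correct the comment to say the host may be empty. Whether `colon()` already rules out every empty-host form is not visible from this hunk.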
@@ -491,7 +636,7 @@ parse_user_host_port(const char *s, char **userp, char **hostp, int *portp)
if ((sdup = tmp = strdup(s)) == NULL)
return -1;
/* Extract optional username */
- if ((cp = strchr(tmp, '@')) != NULL) {
+ if ((cp = strrchr(tmp, '@')) != NULL) {
*cp = '\0';
if (*tmp == '\0')
goto out;
@@ -527,6 +672,168 @@ parse_user_host_port(const char *s, char **userp, char **hostp, int *portp)
return ret;
}
+/*
+ * Converts a two-byte hex string to decimal.
+ * Returns the decimal value or -1 for invalid input.
+ */
+static int
+hexchar(const char *s)
+{
+ unsigned char result[2];
+ int i;
+
+ for (i = 0; i < 2; i++) {
+ if (s[i] >= '0' && s[i] <= '9')
+ result[i] = (unsigned char)(s[i] - '0');
+ else if (s[i] >= 'a' && s[i] <= 'f')
+ result[i] = (unsigned char)(s[i] - 'a') + 10;
+ else if (s[i] >= 'A' && s[i] <= 'F')
+ result[i] = (unsigned char)(s[i] - 'A') + 10;
+ else
+ return -1;
+ }
+ return (result[0] << 4) | result[1];
+}
+
+/*
+ * Decode an url-encoded string.
+ * Returns a newly allocated string on success or NULL on failure.
+ */
+static char *
+urldecode(const char *src)
+{
+ char *ret, *dst;
+ int ch;
+
+ ret = xmalloc(strlen(src) + 1);
+ for (dst = ret; *src != '\0'; src++) {
+ switch (*src) {
+ case '+':
+ *dst++ = ' ';
+ break;
+ case '%':
+ if (!isxdigit((unsigned char)src[1]) ||
+ !isxdigit((unsigned char)src[2]) ||
+ (ch = hexchar(src + 1)) == -1) {
+ free(ret);
+ return NULL;
+ }
+ *dst++ = ch;
+ src += 2;
+ break;
+ default:
+ *dst++ = *src;
+ break;
+ }
+ }
+ *dst = '\0';
+
+ return ret;
+}
+
+/*
+ * Parse an (scp|ssh|sftp)://[user@]host[:port][/path] URI.
+ * See https://tools.ietf.org/html/draft-ietf-secsh-scp-sftp-ssh-uri-04
+ * Either user or path may be url-encoded (but not host or port).
+ * Caller must free returned user, host and path.
+ * Any of the pointer return arguments may be NULL (useful for syntax checking)
+ * but the scheme must always be specified.
+ * If user was not specified then *userp will be set to NULL.
+ * If port was not specified then *portp will be -1.
+ * If path was not specified then *pathp will be set to NULL.
+ * Returns 0 on success, 1 if non-uri/wrong scheme, -1 on error/invalid uri.
+ */
+int
+parse_uri(const char *scheme, const char *uri, char **userp, char **hostp,
+ int *portp, char **pathp)
+{
+ char *uridup, *cp, *tmp, ch;
+ char *user = NULL, *host = NULL, *path = NULL;
+ int port = -1, ret = -1;
+ size_t len;
+
+ len = strlen(scheme);
+ if (strncmp(uri, scheme, len) != 0 || strncmp(uri + len, "://", 3) != 0)
+ return 1;
+ uri += len + 3;
+
+ if (userp != NULL)
+ *userp = NULL;
+ if (hostp != NULL)
+ *hostp = NULL;
+ if (portp != NULL)
+ *portp = -1;
+ if (pathp != NULL)
+ *pathp = NULL;
+
+ uridup = tmp = xstrdup(uri);
+
+ /* Extract optional ssh-info (username + connection params) */
+ if ((cp = strchr(tmp, '@')) != NULL) {
+ char *delim;
+
+ *cp = '\0';
+ /* Extract username and connection params */
+ if ((delim = strchr(tmp, ';')) != NULL) {
+ /* Just ignore connection params for now */
+ *delim = '\0';
+ }
+ if (*tmp == '\0') {
+ /* Empty username */
+ goto out;
+ }
+ if ((user = urldecode(tmp)) == NULL)
+ goto out;
+ tmp = cp + 1;
+ }
+
+ /* Extract mandatory hostname */
+ if ((cp = hpdelim2(&tmp, &ch)) == NULL || *cp == '\0')
+ goto out;
+ host = xstrdup(cleanhostname(cp));
+ if (!valid_domain(host, 0, NULL))
+ goto out;
+
+ if (tmp != NULL && *tmp != '\0') {
+ if (ch == ':') {
+ /* Convert and verify port. */
+ if ((cp = strchr(tmp, '/')) != NULL)
+ *cp = '\0';
+ if ((port = a2port(tmp)) <= 0)
+ goto out;
+ tmp = cp ? cp + 1 : NULL;
+ }
+ if (tmp != NULL && *tmp != '\0') {
+ /* Extract optional path */
+ if ((path = urldecode(tmp)) == NULL)
+ goto out;
+ }
+ }
+
+ /* Success */
+ if (userp != NULL) {
+ *userp = user;
+ user = NULL;
+ }
+ if (hostp != NULL) {
+ *hostp = host;
+ host = NULL;
+ }
+ if (portp != NULL)
+ *portp = port;
+ if (pathp != NULL) {
+ *pathp = path;
+ path = NULL;
+ }
+ ret = 0;
+ out:
+ free(uridup);
+ free(user);
+ free(host);
+ free(path);
+ return ret;
+}
+
/* function to assist building execv() arguments */
void
addargs(arglist *args, char *fmt, ...)
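Review bot: In `parse_uri()` the user part is located with `strchr(tmp, '@')` over the whole remainder of the URI, so an `@` in the path of a URI with no user part is taken as the user/host separator. The host is then read from inside the path. Restricting the search to the authority component avoids this, e.g. `if ((cp = strpbrk(tmp, "@/")) != NULL && *cp == '@') {`. Separately, `urldecode()` accepts `%00` and stores a NUL byte, which silently truncates the decoded user or path for every later C-string consumer; I would reject it with `if (ch == 0) { free(ret); return NULL; }`. Both cases deserve a regression test, using constructed inputs such as `sftp://host/dir@name` and `sftp://host/a%00b`.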
@@ -724,16 +1031,19 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
}
int
-tun_open(int tun, int mode)
+tun_open(int tun, int mode, char **ifname)
{
#if defined(CUSTOM_SYS_TUN_OPEN)
- return (sys_tun_open(tun, mode));
+ return (sys_tun_open(tun, mode, ifname));
#elif defined(SSH_TUN_OPENBSD)
struct ifreq ifr;
char name[100];
int fd = -1, sock;
const char *tunbase = "tun";
+ if (ifname != NULL)
+ *ifname = NULL;
+
if (mode == SSH_TUNMODE_ETHERNET)
tunbase = "tap";
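Review bot: The new `ifname` out-parameter of `tun_open()` has no documentation. On success it receives an `xstrdup()` copy of the interface name (in the later hunk of this function), which the caller must free, and it is reset to NULL only inside the `SSH_TUN_OPENBSD` branch shown here. A comment above `tun_open()` should state the ownership. The branches outside this hunk should be checked so that `*ifname` is never left uninitialised on a path that returns -1.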
@@ -780,6 +1090,9 @@ tun_open(int tun, int mode)
}
}
+ if (ifname != NULL)
+ *ifname = xstrdup(ifr.ifr_name);
+
close(sock);
return fd;
@@ -946,8 +1259,8 @@ ms_subtract_diff(struct timeval *start, int *ms)
{
struct timeval diff, finish;
- gettimeofday(&finish, NULL);
- timersub(&finish, start, &diff);
+ monotime_tv(&finish);
+ timersub(&finish, start, &diff);
*ms -= (diff.tv_sec * 1000) + (diff.tv_usec / 1000);
}
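Review bot: `finish` now comes from `monotime_tv()`, so the subtraction in `ms_subtract_diff()` is only meaningful if every caller also fills `start` from `monotime_tv()`. A `start` still taken with `gettimeofday()` would mix a boot-relative clock with wall-clock time and give a wildly wrong `*ms`. The callers are outside this section of the diff, so this needs checking there. A header comment such as `/* start must have been obtained from monotime_tv() */` would record the requirement.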
@@ -960,54 +1273,63 @@ ms_to_timeval(struct timeval *tv, int ms)
tv->tv_usec = (ms % 1000) * 1000;
}
-time_t
-monotime(void)
+void
+monotime_ts(struct timespec *ts)
{
-#if defined(HAVE_CLOCK_GETTIME) && \
- (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
- struct timespec ts;
+ struct timeval tv;
+#if defined(HAVE_CLOCK_GETTIME) && (defined(CLOCK_BOOTTIME) || \
+ defined(CLOCK_MONOTONIC) || defined(CLOCK_REALTIME))
static int gettime_failed = 0;
if (!gettime_failed) {
-#if defined(CLOCK_BOOTTIME)
- if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
- return (ts.tv_sec);
-#endif
-#if defined(CLOCK_MONOTONIC)
- if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
- return (ts.tv_sec);
-#endif
+# ifdef CLOCK_BOOTTIME
+ if (clock_gettime(CLOCK_BOOTTIME, ts) == 0)
+ return;
+# endif /* CLOCK_BOOTTIME */
+# ifdef CLOCK_MONOTONIC
+ if (clock_gettime(CLOCK_MONOTONIC, ts) == 0)
+ return;
+# endif /* CLOCK_MONOTONIC */
+# ifdef CLOCK_REALTIME
+ /* Not monotonic, but we're almost out of options here. */
+ if (clock_gettime(CLOCK_REALTIME, ts) == 0)
+ return;
+# endif /* CLOCK_REALTIME */
debug3("clock_gettime: %s", strerror(errno));
gettime_failed = 1;
}
-#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
+#endif /* HAVE_CLOCK_GETTIME && (BOOTTIME || MONOTONIC || REALTIME) */
+ gettimeofday(&tv, NULL);
+ ts->tv_sec = tv.tv_sec;
+ ts->tv_nsec = (long)tv.tv_usec * 1000;
+}
- return time(NULL);
+void
+monotime_tv(struct timeval *tv)
+{
+ struct timespec ts;
+
+ monotime_ts(&ts);
+ tv->tv_sec = ts.tv_sec;
+ tv->tv_usec = ts.tv_nsec / 1000;
+}
+
+time_t
+monotime(void)
+{
+ struct timespec ts;
+
+ monotime_ts(&ts);
+ return ts.tv_sec;
}
double
monotime_double(void)
{
-#if defined(HAVE_CLOCK_GETTIME) && \
- (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
struct timespec ts;
- static int gettime_failed = 0;
-
- if (!gettime_failed) {
-#if defined(CLOCK_BOOTTIME)
- if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
- return (ts.tv_sec + (double)ts.tv_nsec / 1000000000);
-#endif
-#if defined(CLOCK_MONOTONIC)
- if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
- return (ts.tv_sec + (double)ts.tv_nsec / 1000000000);
-#endif
- debug3("clock_gettime: %s", strerror(errno));
- gettime_failed = 1;
- }
-#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
- return (double)time(NULL);
+ monotime_ts(&ts);
+ return ts.tv_sec + ((double)ts.tv_nsec / 1000000000);
}
void
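Review bot: `monotime_ts()` and `monotime_tv()` are new public helpers without any header comment. Their result can be boot-relative (`CLOCK_BOOTTIME`/`CLOCK_MONOTONIC`) or wall-clock (`CLOCK_REALTIME`, `gettimeofday()`), depending on what the platform offers. I would document that only the difference between two values from these functions is meaningful, and that they must not be compared with `time()` or stored as absolute timestamps. Because the last two fallbacks are not monotonic, timeout code built on them can still see time step backwards on such platforms, and the comment should say so.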
@@ -1029,7 +1351,7 @@ bandwidth_limit(struct bwlimit *bw, size_t read_len)
struct timespec ts, rm;
if (!timerisset(&bw->bwstart)) {
- gettimeofday(&bw->bwstart, NULL);
+ monotime_tv(&bw->bwstart);
return;
}
@@ -1037,7 +1359,7 @@ bandwidth_limit(struct bwlimit *bw, size_t read_len)
if (bw->lamt < bw->thresh)
return;
- gettimeofday(&bw->bwend, NULL);
+ monotime_tv(&bw->bwend);
timersub(&bw->bwend, &bw->bwstart, &bw->bwend);
if (!timerisset(&bw->bwend))
return;
@@ -1071,7 +1393,7 @@ bandwidth_limit(struct bwlimit *bw, size_t read_len)
}
bw->lamt = 0;
- gettimeofday(&bw->bwstart, NULL);
+ monotime_tv(&bw->bwstart);
}
/* Make a template filename for mk[sd]temp() */
@@ -1172,9 +1494,10 @@ unix_listener(const char *path, int backlog, int unlink_first)
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
- if (strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) {
- error("%s: \"%s\" too long for Unix domain socket", __func__,
- path);
+ if (strlcpy(sunaddr.sun_path, path,
+ sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) {
+ error("%s: path \"%s\" too long for Unix domain socket",
+ __func__, path);
errno = ENAMETOOLONG;
return -1;
}
@@ -1182,7 +1505,7 @@ unix_listener(const char *path, int backlog, int unlink_first)
sock = socket(PF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
saved_errno = errno;
- error("socket: %.100s", strerror(errno));
+ error("%s: socket: %.100s", __func__, strerror(errno));
errno = saved_errno;
return -1;
}
@@ -1192,18 +1515,18 @@ unix_listener(const char *path, int backlog, int unlink_first)
}
if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
saved_errno = errno;
- error("bind: %.100s", strerror(errno));
+ error("%s: cannot bind to path %s: %s",
+ __func__, path, strerror(errno));
close(sock);
- error("%s: cannot bind to path: %s", __func__, path);
errno = saved_errno;
return -1;
}
if (listen(sock, backlog) < 0) {
saved_errno = errno;
- error("listen: %.100s", strerror(errno));
+ error("%s: cannot listen on path %s: %s",
+ __func__, path, strerror(errno));
close(sock);
unlink(path);
- error("%s: cannot listen on path: %s", __func__, path);
errno = saved_errno;
return -1;
}
@@ -1417,158 +1740,6 @@ argv_assemble(int argc, char **argv)
return ret;
}
-/*
- * Runs command in a subprocess wuth a minimal environment.
- * Returns pid on success, 0 on failure.
- * The child stdout and stderr maybe captured, left attached or sent to
- * /dev/null depending on the contents of flags.
- * "tag" is prepended to log messages.
- * NB. "command" is only used for logging; the actual command executed is
- * av[0].
- */
-pid_t
-subprocess(const char *tag, struct passwd *pw, const char *command,
- int ac, char **av, FILE **child, u_int flags)
-{
- FILE *f = NULL;
- struct stat st;
- int fd, devnull, p[2], i;
- pid_t pid;
- char *cp, errmsg[512];
- u_int envsize;
- char **child_env;
-
- if (child != NULL)
- *child = NULL;
-
- debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__,
- tag, command, pw->pw_name, flags);
-
- /* Check consistency */
- if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
- (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) {
- error("%s: inconsistent flags", __func__);
- return 0;
- }
- if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) {
- error("%s: inconsistent flags/output", __func__);
- return 0;
- }
-
- /*
- * If executing an explicit binary, then verify the it exists
- * and appears safe-ish to execute
- */
- if (*av[0] != '/') {
- error("%s path is not absolute", tag);
- return 0;
- }
- temporarily_use_uid(pw);
- if (stat(av[0], &st) < 0) {
- error("Could not stat %s \"%s\": %s", tag,
- av[0], strerror(errno));
- restore_uid();
- return 0;
- }
- if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
- error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
- restore_uid();
- return 0;
- }
- /* Prepare to keep the child's stdout if requested */
- if (pipe(p) != 0) {
- error("%s: pipe: %s", tag, strerror(errno));
- restore_uid();
- return 0;
- }
- restore_uid();
-
- switch ((pid = fork())) {
- case -1: /* error */
- error("%s: fork: %s", tag, strerror(errno));
- close(p[0]);
- close(p[1]);
- return 0;
- case 0: /* child */
- /* Prepare a minimal environment for the child. */
- envsize = 5;
- child_env = xcalloc(sizeof(*child_env), envsize);
- child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH);
- child_set_env(&child_env, &envsize, "USER", pw->pw_name);
- child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name);
- child_set_env(&child_env, &envsize, "HOME", pw->pw_dir);
- if ((cp = getenv("LANG")) != NULL)
- child_set_env(&child_env, &envsize, "LANG", cp);
-
- for (i = 0; i < NSIG; i++)
- signal(i, SIG_DFL);
-
- if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
- error("%s: open %s: %s", tag, _PATH_DEVNULL,
- strerror(errno));
- _exit(1);
- }
- if (dup2(devnull, STDIN_FILENO) == -1) {
- error("%s: dup2: %s", tag, strerror(errno));
- _exit(1);
- }
-
- /* Set up stdout as requested; leave stderr in place for now. */
- fd = -1;
- if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0)
- fd = p[1];
- else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0)
- fd = devnull;
- if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) {
- error("%s: dup2: %s", tag, strerror(errno));
- _exit(1);
- }
- closefrom(STDERR_FILENO + 1);
-
- /* Don't use permanently_set_uid() here to avoid fatal() */
- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
- error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
- strerror(errno));
- _exit(1);
- }
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
- error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid,
- strerror(errno));
- _exit(1);
- }
- /* stdin is pointed to /dev/null at this point */
- if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 &&
- dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
- error("%s: dup2: %s", tag, strerror(errno));
- _exit(1);
- }
-
- execve(av[0], av, child_env);
- error("%s exec \"%s\": %s", tag, command, strerror(errno));
- _exit(127);
- default: /* parent */
- break;
- }
-
- close(p[1]);
- if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0)
- close(p[0]);
- else if ((f = fdopen(p[0], "r")) == NULL) {
- error("%s: fdopen: %s", tag, strerror(errno));
- close(p[0]);
- /* Don't leave zombie child */
- kill(pid, SIGTERM);
- while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
- ;
- return 0;
- }
- /* Success */
- debug3("%s: %s pid %ld", __func__, tag, (long)pid);
- if (child != NULL)
- *child = f;
- return pid;
-}
-
/* Returns 0 if pid exited cleanly, non-zero otherwise */
int
exited_cleanly(pid_t pid, const char *tag, const char *cmd, int quiet)
@@ -1739,7 +1910,122 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
}
/* Allocate space and format the variable in the appropriate slot. */
+ /* XXX xasprintf */
env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
}
+/*
+ * Check and optionally lowercase a domain name, also removes trailing '.'
+ * Returns 1 on success and 0 on failure, storing an error message in errstr.
+ */
+int
+valid_domain(char *name, int makelower, const char **errstr)
+{
+ size_t i, l = strlen(name);
+ u_char c, last = '\0';
+ static char errbuf[256];
+
+ if (l == 0) {
+ strlcpy(errbuf, "empty domain name", sizeof(errbuf));
+ goto bad;
+ }
+ if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0])) {
+ snprintf(errbuf, sizeof(errbuf), "domain name \"%.100s\" "
+ "starts with invalid character", name);
+ goto bad;
+ }
+ for (i = 0; i < l; i++) {
+ c = tolower((u_char)name[i]);
+ if (makelower)
+ name[i] = (char)c;
+ if (last == '.' && c == '.') {
+ snprintf(errbuf, sizeof(errbuf), "domain name "
+ "\"%.100s\" contains consecutive separators", name);
+ goto bad;
+ }
+ if (c != '.' && c != '-' && !isalnum(c) &&
+ c != '_') /* technically invalid, but common */ {
+ snprintf(errbuf, sizeof(errbuf), "domain name "
+ "\"%.100s\" contains invalid characters", name);
+ goto bad;
+ }
+ last = c;
+ }
+ if (name[l - 1] == '.')
+ name[l - 1] = '\0';
+ if (errstr != NULL)
+ *errstr = NULL;
+ return 1;
+bad:
+ if (errstr != NULL)
+ *errstr = errbuf;
+ return 0;
+}
+
+const char *
+atoi_err(const char *nptr, int *val)
+{
+ const char *errstr = NULL;
+ long long num;
+
+ if (nptr == NULL || *nptr == '\0')
+ return "missing";
+ num = strtonum(nptr, 0, INT_MAX, &errstr);
+ if (errstr == NULL)
+ *val = (int)num;
+ return errstr;
+}
+
+int
+parse_absolute_time(const char *s, uint64_t *tp)
+{
+ struct tm tm;
+ time_t tt;
+ char buf[32], *fmt;
+
+ *tp = 0;
+
+ /*
+ * POSIX strptime says "The application shall ensure that there
+ * is white-space or other non-alphanumeric characters between
+ * any two conversion specifications" so arrange things this way.
+ */
+ switch (strlen(s)) {
+ case 8: /* YYYYMMDD */
+ fmt = "%Y-%m-%d";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6);
+ break;
+ case 12: /* YYYYMMDDHHMM */
+ fmt = "%Y-%m-%dT%H:%M";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s",
+ s, s + 4, s + 6, s + 8, s + 10);
+ break;
+ case 14: /* YYYYMMDDHHMMSS */
+ fmt = "%Y-%m-%dT%H:%M:%S";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s",
+ s, s + 4, s + 6, s + 8, s + 10, s + 12);
+ break;
+ default:
+ return SSH_ERR_INVALID_FORMAT;
+ }
+
+ memset(&tm, 0, sizeof(tm));
+ if (strptime(buf, fmt, &tm) == NULL)
+ return SSH_ERR_INVALID_FORMAT;
+ if ((tt = mktime(&tm)) < 0)
+ return SSH_ERR_INVALID_FORMAT;
+ /* success */
+ *tp = (uint64_t)tt;
+ return 0;
+}
+
+void
+format_absolute_time(uint64_t t, char *buf, size_t len)
+{
+ time_t tt = t > INT_MAX ? INT_MAX : t; /* XXX revisit in 2038 :P */
+ struct tm tm;
+
+ localtime_r(&tt, &tm);
+ strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
+}
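Review bot: `parse_absolute_time()` zeroes `tm` and hands it to `mktime()`, leaving `tm_isdst` at 0, so the time is interpreted as standard time even on dates when daylight saving is in effect and the timestamp can be an hour off. Setting `tm.tm_isdst = -1;` after `strptime()` lets the C library decide. The function also does not check that `s` consists only of digits before reformatting it, so it relies on `strptime()` to reject other characters, which may vary between implementations. In `format_absolute_time()` the return values of `localtime_r()` and `strftime()` are ignored, so `buf` is left unspecified when `len` is too small.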
diff --git a/misc.h b/misc.h
index 153d11375bf5..cdafea735984 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.63 2017/08/18 05:48:04 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.71 2018/03/12 00:52:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -48,13 +48,18 @@ char *strdelim(char **);
int set_nonblock(int);
int unset_nonblock(int);
void set_nodelay(int);
+int set_reuseaddr(int);
+char *get_rdomain(int);
+int set_rdomain(int, const char *);
int a2port(const char *);
int a2tun(const char *, int *);
char *put_host_port(const char *, u_short);
char *hpdelim(char **);
char *cleanhostname(char *);
char *colon(char *);
+int parse_user_host_path(const char *, char **, char **, char **);
int parse_user_host_port(const char *, char **, char **, int *);
+int parse_uri(const char *, const char *, char **, char **, int *, char **);
long convtime(const char *);
char *tilde_expand_filename(const char *, uid_t);
char *percent_expand(const char *, ...) __attribute__((__sentinel__));
@@ -62,10 +67,16 @@ char *tohex(const void *, size_t);
void sanitise_stdfd(void);
void ms_subtract_diff(struct timeval *, int *);
void ms_to_timeval(struct timeval *, int);
+void monotime_ts(struct timespec *);
+void monotime_tv(struct timeval *);
time_t monotime(void);
double monotime_double(void);
void lowercase(char *s);
int unix_listener(const char *, int, int);
+int valid_domain(char *, int, const char **);
+const char *atoi_err(const char *, int *);
+int parse_absolute_time(const char *, uint64_t *);
+void format_absolute_time(uint64_t, char *, size_t);
void sock_set_v6only(int);
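Review bot: The new prototype `void format_absolute_time(uint64_t, char *, size_t);` gives callers no way to learn that formatting failed, and the definition added to misc.c earlier in this diff ignores the results of both localtime_r() and strftime(). If `len` is smaller than the 20 bytes that `%Y-%m-%dT%H:%M:%S` needs, strftime() returns 0 and leaves the buffer contents unspecified, so a caller that then logs `buf` may print stale or unterminated data. I would state the size requirement at the declaration, `/* buf must hold at least 20 bytes; otherwise its contents are unspecified */`, and in the definition set `buf[0] = '\0'` (when `len > 0`) if either call fails. In the same hunk, `valid_domain(char *, int, const char **)` overwrites a trailing '.' in its first argument, which also deserves a one-line comment at the prototype, since callers passing a shared string will see it change.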
@@ -84,7 +95,7 @@ void replacearg(arglist *, u_int, char *, ...)
__attribute__((format(printf, 3, 4)));
void freeargs(arglist *);
-int tun_open(int, int);
+int tun_open(int, int, char **);
/* Common definitions for ssh tunnel device forwarding */
#define SSH_TUNMODE_NO 0x00
@@ -140,12 +151,6 @@ int argv_split(const char *, int *, char ***);
char *argv_assemble(int, char **argv);
int exited_cleanly(pid_t, const char *, const char *, int);
-#define SSH_SUBPROCESS_STDOUT_DISCARD (1) /* Discard stdout */
-#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
-#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
-pid_t subprocess(const char *, struct passwd *,
- const char *, int, char **, FILE **, u_int flags);
-
struct stat;
int safe_path(const char *, struct stat *, const char *, uid_t,
char *, size_t);
diff --git a/mkinstalldirs b/mkinstalldirs
index 47d5f43fea60..399f40925ac7 100755
--- a/mkinstalldirs
+++ b/mkinstalldirs
@@ -4,8 +4,6 @@
# Created: 1993-05-16
# Public domain
-# $Id: mkinstalldirs,v 1.2 2003/11/21 12:48:55 djm Exp $
-
errstatus=0
for file
diff --git a/moduli b/moduli
index 00b5a6937df5..cf28bd36bdee 100644
--- a/moduli
+++ b/moduli
@@ -1,431 +1,407 @@
-# $OpenBSD: moduli,v 1.18 2016/08/11 01:42:11 dtucker Exp $
+# $OpenBSD: moduli,v 1.20 2017/11/29 05:49:54 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
-20160301052556 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D19F4647
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
-20160301052723 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D24116E3
-20160301052732 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D25321F3
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
-20160301052823 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D2B71133
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
-20160301053101 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D41BFA83
-20160301053129 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D45A369F
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
-20160301053333 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D568358B
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
-20160301053647 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D7132B7F
-20160301053724 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D76995EB
-20160301053743 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D793D27B
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
-20160301053958 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D8B829CB
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
-20160301054213 2 6 100 2047 5 F030C513D5C6694FB09539ECF9D8290608A96280EDDEB74FD66DD43CACE3A5BFD6BC4F02EF38E44F68296DA50091214D9E6C518D715D76E19CCCA0578886B93ADA36E8AFDC23B311DA04EB8AC2FF31F3B87BD27C283519DF9CFCAA9D4EF822ECD2AD5593D3819399CEF3FAF0B786071496A9BD94164F739A2D1E0DEBB798BAEF0540B4388D3762523B68E100D6EE231DD95BEB4F4472E9E2236A24E0891DF5A19222A6C69D531C9E73DEF6ADAC84D61BC4EEA36E2A9FD64902461BFAF9BF81D699E141EE77A03996DC4586D3487A0E6189696C1D67F91E91595EB584AD1DF9EF5FC64160EAC3F2D88B4FB0E20A7925FE133D71EF9E1DD018101AAF2519475A1F
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
-20160301054511 2 6 100 2047 5 F030C513D5C6694FB09539ECF9D8290608A96280EDDEB74FD66DD43CACE3A5BFD6BC4F02EF38E44F68296DA50091214D9E6C518D715D76E19CCCA0578886B93ADA36E8AFDC23B311DA04EB8AC2FF31F3B87BD27C283519DF9CFCAA9D4EF822ECD2AD5593D3819399CEF3FAF0B786071496A9BD94164F739A2D1E0DEBB798BAEF0540B4388D3762523B68E100D6EE231DD95BEB4F4472E9E2236A24E0891DF5A19222A6C69D531C9E73DEF6ADAC84D61BC4EEA36E2A9FD64902461BFAF9BF81D699E141EE77A03996DC4586D3487A0E6189696C1D67F91E91595EB584AD1DF9EF5FC64160EAC3F2D88B4FB0E20A7925FE133D71EF9E1DD018101AAF251AE66597
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
-20160301055136 2 6 100 2047 2 F030C513D5C6694FB09539ECF9D8290608A96280EDDEB74FD66DD43CACE3A5BFD6BC4F02EF38E44F68296DA50091214D9E6C518D715D76E19CCCA0578886B93ADA36E8AFDC23B311DA04EB8AC2FF31F3B87BD27C283519DF9CFCAA9D4EF822ECD2AD5593D3819399CEF3FAF0B786071496A9BD94164F739A2D1E0DEBB798BAEF0540B4388D3762523B68E100D6EE231DD95BEB4F4472E9E2236A24E0891DF5A19222A6C69D531C9E73DEF6ADAC84D61BC4EEA36E2A9FD64902461BFAF9BF81D699E141EE77A03996DC4586D3487A0E6189696C1D67F91E91595EB584AD1DF9EF5FC64160EAC3F2D88B4FB0E20A7925FE133D71EF9E1DD018101AAF251E2A2203
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
-20160301055208 2 6 100 2047 2 F030C513D5C6694FB09539ECF9D8290608A96280EDDEB74FD66