Diffstat (limited to 'crypto')
-rw-r--r--crypto/heimdal/lib/krb5/version-script.map22
-rw-r--r--crypto/openssh/FREEBSD-upgrade6
-rw-r--r--crypto/openssh/session.c5
-rw-r--r--crypto/openssh/sshconnect.c9
-rw-r--r--crypto/openssl/crypto/cms/cms_pwri.c2
5 files changed, 41 insertions, 3 deletions
diff --git a/crypto/heimdal/lib/krb5/version-script.map b/crypto/heimdal/lib/krb5/version-script.map
index 818e6e071cbd..7e4e8623cbd5 100644
--- a/crypto/heimdal/lib/krb5/version-script.map
+++ b/crypto/heimdal/lib/krb5/version-script.map
@@ -764,6 +764,28 @@ HEIMDAL_KRB5_2.0 {
# kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs;
krb5_pk_enterprise_cert;
+ krb5_auth_con_getrecvsubkey;
+ krb5_auth_con_getsendsubkey;
+ krb5_auth_con_setrecvsubkey;
+ krb5_auth_con_setsendsubkey;
+ krb5_c_random_make_octets;
+ krb5_cc_copy_creds;
+ krb5_cc_get_flags;
+ krb5_creds_get_ticket_flags;
+ krb5_get_validated_creds;
+ krb5_init_creds_free;
+ krb5_init_creds_get_creds;
+ krb5_init_creds_get_error;
+ krb5_init_creds_get;
+ krb5_init_creds_init;
+ krb5_init_creds_set_keyblock;
+ krb5_init_creds_set_keytab;
+ krb5_init_creds_set_password;
+ krb5_init_creds_set_service;
+ krb5_init_creds_step;
+ krb5_rd_req_out_get_server;
+ krb5_sockaddr_is_loopback;
+ krb5_ticket_get_flags;
# testing
_krb5_aes_cts_encrypt;
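Review bot: The new exports are inserted directly under the existing `# kinit helper` comment, so they read as part of that group although names such as `krb5_auth_con_getrecvsubkey` and `krb5_sockaddr_is_loopback` have nothing kinit-specific about them. A heading line of their own, for example `# <why these symbols are exported>`, would record the reason and keep the groups readable. The symbols also join the existing `HEIMDAL_KRB5_2.0` node rather than a new version node; whether that is intended cannot be told from this hunk.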
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index 625677c1a5c1..3742874c0729 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -179,6 +179,12 @@
ignore HPN-related configuration options to avoid breaking existing
configurations.
+9) Protocol selection
+
+ We use the non-portable feature_present(3) API to determine which
+ internet protocols are supported by the kernel before trying to
+ connect to the target host. This avoids confusing the user with
+ spurious error messages.
This port was brought to you by (in no particular order) DARPA, NAI
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 591f1e329a8d..03a20f9d9648 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -2194,7 +2194,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
if ((r = sshpkt_get_end(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
if (!auth_opts->permit_agent_forwarding_flag ||
- !options.allow_agent_forwarding) {
+ !options.allow_agent_forwarding ||
+ options.disable_forwarding) {
debug_f("agent forwarding disabled");
return 0;
}
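Review bot: The `options.disable_forwarding` test is repeated inline here and again in the `session_setup_x11fwd` hunk with no comment, so nothing tells a maintainer that every forwarding request handler has to honour it. A short comment above the condition, such as `/* DisableForwarding overrides the per-feature allow flags */`, would make the invariant explicit in both places. Whether the other forwarding types are gated on the same option is not visible in this diff and is worth confirming alongside this change. Both functions start and end outside their hunks.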
@@ -2589,7 +2590,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
return 0;
}
- if (!options.x11_forwarding) {
+ if (!options.x11_forwarding || options.disable_forwarding) {
debug("X11 forwarding disabled in server configuration file.");
return 0;
}
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index bd4190c6e8bc..91cbd55df0d1 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -458,6 +458,8 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
memset(ntop, 0, sizeof(ntop));
memset(strport, 0, sizeof(strport));
+ int inet_supported = feature_present("inet");
+ int inet6_supported = feature_present("inet6");
for (attempt = 0; attempt < connection_attempts; attempt++) {
if (attempt > 0) {
/* Sleep a moment before retrying. */
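Review bot: `feature_present(3)` is documented to return 0 both when a feature is absent and when its presence cannot be determined, so a failed lookup makes the filter added in the next hunk skip every address and the connection fails with `EAFNOSUPPORT`. Consider treating "neither family reported" as unknown rather than unsupported, e.g. `if (!inet_supported && !inet6_supported) inet_supported = inet6_supported = 1;` right after these two lines. As a point of style, the two declarations sit after the `memset` calls, whereas the function's other locals appear to be declared at the top of the block outside this hunk; declaring them there and assigning here would match that.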
@@ -482,6 +484,13 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
errno = oerrno;
continue;
}
+ if ((ai->ai_family == AF_INET && !inet_supported) ||
+ (ai->ai_family == AF_INET6 && !inet6_supported)) {
+ debug2_f("skipping address [%s]:%s: "
+ "unsupported address family", ntop, strport);
+ errno = EAFNOSUPPORT;
+ continue;
+ }
if (options.address_family != AF_UNSPEC &&
ai->ai_family != options.address_family) {
debug2_f("skipping address [%s]:%s: "
diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c
index d7414883396c..9f98840244ea 100644
--- a/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/crypto/openssl/crypto/cms/cms_pwri.c
@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
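Review bot: The corrected bound `inlen < 4 + (size_t)tmp[0]` relies on a buffer layout that is not stated anywhere in the hunk, so the literal 4 is unexplained. A comment above the test, for instance `/* tmp[0] is the key length, tmp[1..3] are check bytes, the key starts at tmp + 4 */`, would let a reader verify the arithmetic; the layout is inferred from the surrounding comments and should be confirmed against the rest of `kek_unwrap_key`, which starts and ends outside the hunk. The removed form accepted a length byte up to four larger than `inlen` and eight larger than the data that actually follows the header, so a regression test with a wrapped key whose length byte exceeds the remaining data would keep this from reappearing.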