Date:      Tue, 19 Jan 2016 18:28:23 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r294332 - in head: crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse crypto/op...
Message-ID:  <201601191828.u0JISNSG087681@repo.freebsd.org>

Author: des
Date: Tue Jan 19 18:28:23 2016
New Revision: 294332
URL: https://svnweb.freebsd.org/changeset/base/294332

Log:
  Upgrade to OpenSSH 6.8p1.

Added:
  head/crypto/openssh/.cvsignore
     - copied unchanged from r285031, vendor-crypto/openssh/dist/.cvsignore
  head/crypto/openssh/bitmap.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/bitmap.c
  head/crypto/openssh/bitmap.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/bitmap.h
  head/crypto/openssh/opacket.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/opacket.c
  head/crypto/openssh/opacket.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/opacket.h
  head/crypto/openssh/openbsd-compat/.cvsignore
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/.cvsignore
  head/crypto/openssh/openbsd-compat/md5.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/md5.c
  head/crypto/openssh/openbsd-compat/md5.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/md5.h
  head/crypto/openssh/openbsd-compat/reallocarray.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/reallocarray.c
  head/crypto/openssh/openbsd-compat/regress/.cvsignore
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/regress/.cvsignore
  head/crypto/openssh/openbsd-compat/rmd160.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/rmd160.c
  head/crypto/openssh/openbsd-compat/rmd160.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/rmd160.h
  head/crypto/openssh/openbsd-compat/sha1.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/sha1.c
  head/crypto/openssh/openbsd-compat/sha1.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/openbsd-compat/sha1.h
  head/crypto/openssh/regress/.cvsignore
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/.cvsignore
  head/crypto/openssh/regress/hostkey-agent.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/hostkey-agent.sh
  head/crypto/openssh/regress/hostkey-rotate.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/hostkey-rotate.sh
  head/crypto/openssh/regress/keygen-knownhosts.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/keygen-knownhosts.sh
  head/crypto/openssh/regress/limit-keytype.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/limit-keytype.sh
  head/crypto/openssh/regress/multipubkey.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/multipubkey.sh
  head/crypto/openssh/regress/netcat.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/netcat.c
  head/crypto/openssh/regress/t11.ok
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/t11.ok
  head/crypto/openssh/regress/unittests/bitmap/
     - copied from r285031, vendor-crypto/openssh/dist/regress/unittests/bitmap/
  head/crypto/openssh/regress/unittests/hostkeys/
     - copied from r285031, vendor-crypto/openssh/dist/regress/unittests/hostkeys/
  head/crypto/openssh/regress/unittests/kex/
     - copied from r285031, vendor-crypto/openssh/dist/regress/unittests/kex/
  head/crypto/openssh/regress/valgrind-unit.sh
     - copied unchanged from r285031, vendor-crypto/openssh/dist/regress/valgrind-unit.sh
  head/crypto/openssh/scard/.cvsignore
     - copied unchanged from r285031, vendor-crypto/openssh/dist/scard/.cvsignore
  head/crypto/openssh/ssh_api.c
     - copied unchanged from r285031, vendor-crypto/openssh/dist/ssh_api.c
  head/crypto/openssh/ssh_api.h
     - copied unchanged from r285031, vendor-crypto/openssh/dist/ssh_api.h
Deleted:
  head/crypto/openssh/compress.c
  head/crypto/openssh/compress.h
  head/crypto/openssh/contrib/caldera/
Modified:
  head/crypto/openssh/ChangeLog
  head/crypto/openssh/Makefile.in
  head/crypto/openssh/PROTOCOL
  head/crypto/openssh/PROTOCOL.krl
  head/crypto/openssh/README
  head/crypto/openssh/atomicio.c
  head/crypto/openssh/auth-options.c
  head/crypto/openssh/auth-options.h
  head/crypto/openssh/auth-rh-rsa.c
  head/crypto/openssh/auth-rhosts.c
  head/crypto/openssh/auth-rsa.c
  head/crypto/openssh/auth.c
  head/crypto/openssh/auth.h
  head/crypto/openssh/auth1.c
  head/crypto/openssh/auth2-chall.c
  head/crypto/openssh/auth2-gss.c
  head/crypto/openssh/auth2-hostbased.c
  head/crypto/openssh/auth2-pubkey.c
  head/crypto/openssh/auth2.c
  head/crypto/openssh/authfd.c
  head/crypto/openssh/authfd.h
  head/crypto/openssh/authfile.c
  head/crypto/openssh/authfile.h
  head/crypto/openssh/bufbn.c
  head/crypto/openssh/buffer.h
  head/crypto/openssh/canohost.c
  head/crypto/openssh/channels.c
  head/crypto/openssh/channels.h
  head/crypto/openssh/cipher-3des1.c
  head/crypto/openssh/cipher-aesctr.c
  head/crypto/openssh/cipher-bf1.c
  head/crypto/openssh/cipher-chachapoly.c
  head/crypto/openssh/cipher-ctr.c
  head/crypto/openssh/cipher.c
  head/crypto/openssh/cipher.h
  head/crypto/openssh/clientloop.c
  head/crypto/openssh/compat.c
  head/crypto/openssh/compat.h
  head/crypto/openssh/config.h
  head/crypto/openssh/config.h.in
  head/crypto/openssh/configure
  head/crypto/openssh/configure.ac
  head/crypto/openssh/contrib/Makefile
  head/crypto/openssh/contrib/cygwin/ssh-host-config
  head/crypto/openssh/contrib/cygwin/ssh-user-config
  head/crypto/openssh/contrib/redhat/openssh.spec
  head/crypto/openssh/contrib/suse/openssh.spec
  head/crypto/openssh/deattack.c
  head/crypto/openssh/deattack.h
  head/crypto/openssh/defines.h
  head/crypto/openssh/dh.c
  head/crypto/openssh/dh.h
  head/crypto/openssh/digest-libc.c
  head/crypto/openssh/digest-openssl.c
  head/crypto/openssh/digest.h
  head/crypto/openssh/dispatch.c
  head/crypto/openssh/dispatch.h
  head/crypto/openssh/dns.c
  head/crypto/openssh/dns.h
  head/crypto/openssh/entropy.c
  head/crypto/openssh/ge25519.h
  head/crypto/openssh/groupaccess.c
  head/crypto/openssh/gss-genr.c
  head/crypto/openssh/gss-serv.c
  head/crypto/openssh/hmac.c
  head/crypto/openssh/hostfile.c
  head/crypto/openssh/hostfile.h
  head/crypto/openssh/includes.h
  head/crypto/openssh/kex.c
  head/crypto/openssh/kex.h
  head/crypto/openssh/kexc25519.c
  head/crypto/openssh/kexc25519c.c
  head/crypto/openssh/kexc25519s.c
  head/crypto/openssh/kexdh.c
  head/crypto/openssh/kexdhc.c
  head/crypto/openssh/kexdhs.c
  head/crypto/openssh/kexecdh.c
  head/crypto/openssh/kexecdhc.c
  head/crypto/openssh/kexecdhs.c
  head/crypto/openssh/kexgex.c
  head/crypto/openssh/kexgexc.c
  head/crypto/openssh/kexgexs.c
  head/crypto/openssh/key.c
  head/crypto/openssh/key.h
  head/crypto/openssh/krl.c
  head/crypto/openssh/krl.h
  head/crypto/openssh/loginrec.c
  head/crypto/openssh/mac.c
  head/crypto/openssh/mac.h
  head/crypto/openssh/misc.c
  head/crypto/openssh/moduli.0
  head/crypto/openssh/moduli.c
  head/crypto/openssh/monitor.c
  head/crypto/openssh/monitor.h
  head/crypto/openssh/monitor_fdpass.c
  head/crypto/openssh/monitor_mm.c
  head/crypto/openssh/monitor_wrap.c
  head/crypto/openssh/monitor_wrap.h
  head/crypto/openssh/msg.c
  head/crypto/openssh/msg.h
  head/crypto/openssh/mux.c
  head/crypto/openssh/openbsd-compat/Makefile.in
  head/crypto/openssh/openbsd-compat/arc4random.c
  head/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c
  head/crypto/openssh/openbsd-compat/bsd-misc.c
  head/crypto/openssh/openbsd-compat/fake-rfc2553.h
  head/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c
  head/crypto/openssh/openbsd-compat/openbsd-compat.h
  head/crypto/openssh/openbsd-compat/openssl-compat.c
  head/crypto/openssh/openbsd-compat/openssl-compat.h
  head/crypto/openssh/openbsd-compat/port-tun.c
  head/crypto/openssh/openbsd-compat/readpassphrase.c
  head/crypto/openssh/openbsd-compat/sha2.c
  head/crypto/openssh/openbsd-compat/sha2.h
  head/crypto/openssh/openbsd-compat/xcrypt.c
  head/crypto/openssh/packet.c
  head/crypto/openssh/packet.h
  head/crypto/openssh/progressmeter.c
  head/crypto/openssh/progressmeter.h
  head/crypto/openssh/readconf.c
  head/crypto/openssh/readconf.h
  head/crypto/openssh/regress/Makefile
  head/crypto/openssh/regress/agent-pkcs11.sh
  head/crypto/openssh/regress/agent-timeout.sh
  head/crypto/openssh/regress/agent.sh
  head/crypto/openssh/regress/broken-pipe.sh
  head/crypto/openssh/regress/cert-hostkey.sh
  head/crypto/openssh/regress/cfgmatch.sh
  head/crypto/openssh/regress/cipher-speed.sh
  head/crypto/openssh/regress/connect-privsep.sh
  head/crypto/openssh/regress/connect.sh
  head/crypto/openssh/regress/dynamic-forward.sh
  head/crypto/openssh/regress/exit-status.sh
  head/crypto/openssh/regress/forcecommand.sh
  head/crypto/openssh/regress/forward-control.sh
  head/crypto/openssh/regress/forwarding.sh
  head/crypto/openssh/regress/host-expand.sh
  head/crypto/openssh/regress/integrity.sh
  head/crypto/openssh/regress/key-options.sh
  head/crypto/openssh/regress/keygen-change.sh
  head/crypto/openssh/regress/keyscan.sh
  head/crypto/openssh/regress/krl.sh
  head/crypto/openssh/regress/localcommand.sh
  head/crypto/openssh/regress/multiplex.sh
  head/crypto/openssh/regress/proto-mismatch.sh
  head/crypto/openssh/regress/proto-version.sh
  head/crypto/openssh/regress/proxy-connect.sh
  head/crypto/openssh/regress/reconfigure.sh
  head/crypto/openssh/regress/reexec.sh
  head/crypto/openssh/regress/rekey.sh
  head/crypto/openssh/regress/sshd-log-wrapper.sh
  head/crypto/openssh/regress/stderr-data.sh
  head/crypto/openssh/regress/t4.ok
  head/crypto/openssh/regress/test-exec.sh
  head/crypto/openssh/regress/transfer.sh
  head/crypto/openssh/regress/try-ciphers.sh
  head/crypto/openssh/regress/unittests/Makefile
  head/crypto/openssh/regress/unittests/Makefile.inc
  head/crypto/openssh/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
  head/crypto/openssh/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
  head/crypto/openssh/regress/unittests/sshkey/common.c
  head/crypto/openssh/regress/unittests/sshkey/mktestdata.sh
  head/crypto/openssh/regress/unittests/sshkey/test_file.c
  head/crypto/openssh/regress/unittests/sshkey/test_fuzz.c
  head/crypto/openssh/regress/unittests/sshkey/test_sshkey.c
  head/crypto/openssh/regress/unittests/sshkey/testdata/dsa_1-cert.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/dsa_1.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/dsa_2.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ecdsa_1.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ecdsa_2.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ed25519_1.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/ed25519_2.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/rsa1_1.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/rsa1_2.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/rsa_1-cert.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/rsa_1.fp
  head/crypto/openssh/regress/unittests/sshkey/testdata/rsa_2.fp
  head/crypto/openssh/regress/unittests/test_helper/Makefile
  head/crypto/openssh/regress/unittests/test_helper/fuzz.c
  head/crypto/openssh/regress/unittests/test_helper/test_helper.c
  head/crypto/openssh/regress/unittests/test_helper/test_helper.h
  head/crypto/openssh/regress/yes-head.sh
  head/crypto/openssh/rijndael.c
  head/crypto/openssh/roaming_client.c
  head/crypto/openssh/roaming_common.c
  head/crypto/openssh/roaming_dummy.c
  head/crypto/openssh/sandbox-systrace.c
  head/crypto/openssh/scp.0
  head/crypto/openssh/scp.1
  head/crypto/openssh/scp.c
  head/crypto/openssh/servconf.c
  head/crypto/openssh/servconf.h
  head/crypto/openssh/serverloop.c
  head/crypto/openssh/session.c
  head/crypto/openssh/sftp-client.c
  head/crypto/openssh/sftp-client.h
  head/crypto/openssh/sftp-common.c
  head/crypto/openssh/sftp-common.h
  head/crypto/openssh/sftp-glob.c
  head/crypto/openssh/sftp-server.0
  head/crypto/openssh/sftp-server.8
  head/crypto/openssh/sftp-server.c
  head/crypto/openssh/sftp.0
  head/crypto/openssh/sftp.1
  head/crypto/openssh/sftp.c
  head/crypto/openssh/ssh-add.0
  head/crypto/openssh/ssh-add.1
  head/crypto/openssh/ssh-add.c
  head/crypto/openssh/ssh-agent.0
  head/crypto/openssh/ssh-agent.1
  head/crypto/openssh/ssh-agent.c
  head/crypto/openssh/ssh-dss.c
  head/crypto/openssh/ssh-ecdsa.c
  head/crypto/openssh/ssh-ed25519.c
  head/crypto/openssh/ssh-keygen.0
  head/crypto/openssh/ssh-keygen.1
  head/crypto/openssh/ssh-keygen.c
  head/crypto/openssh/ssh-keyscan.0
  head/crypto/openssh/ssh-keyscan.1
  head/crypto/openssh/ssh-keyscan.c
  head/crypto/openssh/ssh-keysign.0
  head/crypto/openssh/ssh-keysign.c
  head/crypto/openssh/ssh-pkcs11-helper.0
  head/crypto/openssh/ssh-pkcs11-helper.c
  head/crypto/openssh/ssh-pkcs11.c
  head/crypto/openssh/ssh-pkcs11.h
  head/crypto/openssh/ssh-rsa.c
  head/crypto/openssh/ssh.0
  head/crypto/openssh/ssh.1
  head/crypto/openssh/ssh.c
  head/crypto/openssh/ssh_config.0
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/ssh_namespace.h
  head/crypto/openssh/sshbuf-getput-basic.c
  head/crypto/openssh/sshbuf-getput-crypto.c
  head/crypto/openssh/sshbuf-misc.c
  head/crypto/openssh/sshbuf.c
  head/crypto/openssh/sshbuf.h
  head/crypto/openssh/sshconnect.c
  head/crypto/openssh/sshconnect1.c
  head/crypto/openssh/sshconnect2.c
  head/crypto/openssh/sshd.0
  head/crypto/openssh/sshd.8
  head/crypto/openssh/sshd.c
  head/crypto/openssh/sshd_config
  head/crypto/openssh/sshd_config.0
  head/crypto/openssh/sshd_config.5
  head/crypto/openssh/ssherr.c
  head/crypto/openssh/ssherr.h
  head/crypto/openssh/sshkey.c
  head/crypto/openssh/sshkey.h
  head/crypto/openssh/sshlogin.c
  head/crypto/openssh/sshpty.c
  head/crypto/openssh/uidswap.c
  head/crypto/openssh/version.h
  head/crypto/openssh/xmalloc.c
  head/secure/lib/libssh/Makefile
  head/secure/usr.sbin/sshd/Makefile
Directory Properties:
  head/crypto/openssh/   (props changed)

Copied: head/crypto/openssh/.cvsignore (from r285031, vendor-crypto/openssh/dist/.cvsignore)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/crypto/openssh/.cvsignore	Tue Jan 19 18:28:23 2016	(r294332, copy of r285031, vendor-crypto/openssh/dist/.cvsignore)
@@ -0,0 +1,28 @@
+*.0
+*.out
+Makefile
+autom4te.cache
+buildit.sh
+buildpkg.sh
+config.cache
+config.h
+config.h.in
+config.log
+config.status
+configure
+openssh.xml
+opensshd.init
+scp
+sftp
+sftp-server
+ssh
+ssh-add
+ssh-agent
+ssh-keygen
+ssh-keyscan
+ssh-keysign
+ssh-pkcs11-helper
+sshd
+stamp-h.in
+survey
+survey.sh
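
Review bot: config.h, config.h.in and configure are named in this ignore list, yet the Modified list of this same revision shows all three committed under head/crypto/openssh, so the patterns describe the vendor's CVS checkout rather than this tree. Subversion does not read .cvsignore files at all (it uses the svn:ignore property), so the file has no effect here. Consider leaving it and the other .cvsignore copies listed under Added out of the import, or say in the log that they are kept only so the directory stays identical to vendor-crypto/openssh/dist.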

Modified: head/crypto/openssh/ChangeLog
==============================================================================
--- head/crypto/openssh/ChangeLog	Tue Jan 19 17:40:29 2016	(r294331)
+++ head/crypto/openssh/ChangeLog	Tue Jan 19 18:28:23 2016	(r294332)
@@ -1,3817 +1,8584 @@
-20131006
- - (djm) Release OpenSSH-6.7
+commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb
+Author: Tim Rice <tim@multitalents.net>
+Date:   Mon Mar 16 22:49:20 2015 -0700
 
-20141003
- - (djm) [sshd_config.5] typo; from Iain Morgan
+    portability fix: Solaris systems may not have a grep that understands -q
 
-20141001
- - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
-   [openbsd-compat/openbsd-compat.h] Kludge around bad glibc
-   _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
-   ok dtucker@
-
-20140910
- - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
-   patch from Felix von Leitner; ok dtucker
-
-20140908
- - (dtucker) [INSTALL] Update info about egd.  ok djm@
-
-20140904
- - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
-
-20140903
- - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
-   conditionalise to avoid duplicate definition.
- - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
-   permissions/ACLs; from Corinna Vinschen
-
-20140830
- - (djm) [openbsd-compat/openssl-compat.h] add
-   OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
- - (djm) [misc.c] Missing newline between functions
- - (djm) [openbsd-compat/openssl-compat.h] add include guard
- - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
-
-20140827
- - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshkey/common.c]
-   [regress/unittests/sshkey/test_file.c]
-   [regress/unittests/sshkey/test_fuzz.c]
-   [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
-   on !ECC OpenSSL systems
- - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
-   monitor, not preauth; bz#2263
- - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
-   using memset_s() where possible; improve fallback to indirect bzero
-   via a volatile pointer to give it more of a chance to avoid being
-   optimised away.
-
-20140825
- - (djm) [bufec.c] Skip this file on !ECC OpenSSL
- - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
-   update OpenSSL version requirement.
-
-20140824
- - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
-   PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
-
-20140823
- - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
-   lastlog writing on platforms with high UIDs; bz#2263
- - (djm) [configure.ac] We now require a working vsnprintf everywhere (not
-   just for systems that lack asprintf); check for it always and extend
-   test to catch more brokenness. Fixes builds on Solaris <= 9
-
-20140822
- - (djm) [configure.ac] include leading zero characters in OpenSSL version
-   number; fixes test for unsupported versions
- - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
- - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
-   definition mismatch) and warning for broken/missing snprintf case.
- - (djm) [configure.ac] double braces to appease autoconf
-
-20140821
- - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
- - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
- - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
-   don't set __progname. Diagnosed by Tom Christensen.
-
-20140820
- - (djm) [configure.ac] Check OpenSSL version is supported at configure time;
-   suggested by Kevin Brott
- - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
-   -L/-l; fixes linking problems on some platforms
- - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
- - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
-
-20140819
- - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
- - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
- - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
- - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
-   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
-   of TCP wrappers.
-
-20140811
- - (djm) [myproposal.h] Make curve25519 KEX dependent on
-   HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
-
-20140810
- - (djm) [README contrib/caldera/openssh.spec]
-   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
-
-20140801
- - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
-   a better solution, but this will have to do for now.
- - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
-   is closed; avoid regress failures when stdin is /dev/null
- - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
-   nc from stdin, it's more portable
-
-20140730
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/24 22:57:10
-     [ssh.1]
-     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
-   - dtucker@cvs.openbsd.org 2014/07/25 21:22:03
-     [ssh-agent.c]
-     Clear buffer used for handling messages.  This prevents keys being
-     left in memory after they have been expired or deleted in some cases
-     (but note that ssh-agent is setgid so you would still need root to
-     access them).  Pointed out by Kevin Burns, ok deraadt
-   - schwarze@cvs.openbsd.org 2014/07/28 15:40:08
-     [sftp-server.8 sshd_config.5]
-     some systems no longer need /dev/log;
-     issue noticed by jirib;
-     ok deraadt
-
-20140725
- - (djm) [regress/multiplex.sh] restore incorrectly deleted line;
-   pointed out by Christian Hesse
-
-20140722
- - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
-   put it back
- - (djm) [regress/multiplex.sh] change the test for still-open Unix
-   domain sockets to be robust against nc implementations that produce
-   error messages.
- - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
-   specific tests inside OPENSSL_HAS_ECC.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2014/07/22 01:18:50
-     [key.c]
-     Prevent spam from key_load_private_pem during hostbased auth.  ok djm@
-   - guenther@cvs.openbsd.org 2014/07/22 07:13:42
-     [umac.c]
-     Convert from <sys/endian.h> to the shiney new <endian.h>
-     ok dtucker@, who also confirmed that -portable handles this already
-     (ID sync only, includes.h pulls in endian.h if available.)
-   - djm@cvs.openbsd.org 2014/07/22 01:32:12
-     [regress/multiplex.sh]
-     change the test for still-open Unix domain sockets to be robust against
-     nc implementations that produce error messages. from -portable
-     (Id sync only)
-   - dtucker@cvs.openbsd.org 2014/07/22 23:23:22
-     [regress/unittests/sshkey/mktestdata.sh]
-     Sign test certs with ed25519 instead of ecdsa so that they'll work in
-     -portable on platforms that don't have ECDSA in their OpenSSL.  ok djm
-   - dtucker@cvs.openbsd.org 2014/07/22 23:57:40
-     [regress/unittests/sshkey/mktestdata.sh]
-     Add $OpenBSD tag to make syncs easier
-   - dtucker@cvs.openbsd.org 2014/07/22 23:35:38
-     [regress/unittests/sshkey/testdata/*]
-     Regenerate test keys with certs signed with ed25519 instead of ecdsa.
-     These can be used in -portable on platforms that don't support ECDSA.
-
-20140721
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/15 15:54:15
-     [forwarding.sh multiplex.sh]
-     Add support for Unix domain socket forwarding.  A remote TCP port
-     may be forwarded to a local Unix domain socket and vice versa or
-     both ends may be a Unix domain socket.  This is a reimplementation
-     of the streamlocal patches by William Ahern from:
-         http://www.25thandclement.com/~william/projects/streamlocal.html
-     OK djm@ markus@
- - (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
- - (dtucker) [sshkey.c] ifdef out unused variable when compiling without
-   OPENSSL_HAS_ECC.
-
-20140721
- - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
-   needed to build AES CTR mode against OpenSSL 0.9.8f and above.  ok djm
- - (dtucker) [regress/unittests/sshkey/
-   {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
-   ifdefs.
-
-20140719
- - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
-   in servconf.h.
-
-20140718
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/15 15:54:14
-     [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
-     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
-     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
-     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
-     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
-     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
-     [sshd_config.5 sshlogin.c]
-     Add support for Unix domain socket forwarding.  A remote TCP port
-     may be forwarded to a local Unix domain socket and vice versa or
-     both ends may be a Unix domain socket.  This is a reimplementation
-     of the streamlocal patches by William Ahern from:
-         http://www.25thandclement.com/~william/projects/streamlocal.html
-     OK djm@ markus@
-   - jmc@cvs.openbsd.org 2014/07/16 14:48:57
-     [ssh.1]
-     add the streamlocal* options to ssh's -o list; millert says they're
-     irrelevant for scp/sftp;
-     ok markus millert
-   - djm@cvs.openbsd.org 2014/07/17 00:10:56
-     [sandbox-systrace.c]
-     ifdef SYS_sendsyslog so this will compile without patching on -stable
-   - djm@cvs.openbsd.org 2014/07/17 00:10:18
-     [mux.c]
-     preserve errno across syscall
-   - djm@cvs.openbsd.org 2014/07/17 00:12:03
-     [key.c]
-     silence "incorrect passphrase" error spam; reported and ok dtucker@
-   - djm@cvs.openbsd.org 2014/07/17 07:22:19
-     [mux.c ssh.c]
-     reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
-     previously we were always returning 0. bz#2255 reported by Brendan
-     Germain; ok dtucker
-   - djm@cvs.openbsd.org 2014/07/18 02:46:01
-     [ssh-agent.c]
-     restore umask around listener socket creation (dropped in streamlocal patch
-     merge)
- - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
-   in servconf.h.
- - (dtucker) [Makefile.in] Add a t-exec target to run just the executable
-   tests.
- - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
-
-20140717
- - (djm) [digest-openssl.c] Preserve array order when disabling digests.
-   Reported by Petr Lautrbach.
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
-     [sandbox-systrace.c]
-     Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
-     update your kernels and sshd soon.. libc will start using sendsyslog()
-     in about 4 days.
-   - tedu@cvs.openbsd.org 2014/07/11 13:54:34
-     [myproposal.h]
-     by popular demand, add back hamc-sha1 to server proposal for better compat
-     with many clients still in use. ok deraadt
-
-20140715
- - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
-   has been located; fixes builds agains libressl-portable
-
-20140711
- - OpenBSD CVS Sync
-   - benno@cvs.openbsd.org 2014/07/09 14:15:56
-     [ssh-add.c]
-     fix ssh-add crash while loading more than one key
-     ok markus@
+commit 8ef691f7d9ef500257a549d0906d78187490668f
+Author: Damien Miller <djm@google.com>
+Date:   Wed Mar 11 10:35:26 2015 +1100
 
-20140709
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/07 08:19:12
-     [ssh_config.5]
-     mention that ProxyCommand is executed using shell "exec" to avoid
-     a lingering process; bz#1977
-   - djm@cvs.openbsd.org 2014/07/09 01:45:10
-     [sftp.c]
-     more useful error message when GLOB_NOSPACE occurs;
-     bz#2254, patch from Orion Poplawski
-   - djm@cvs.openbsd.org 2014/07/09 03:02:15
-     [key.c]
-     downgrade more error() to debug() to better match what old authfile.c
-     did; suppresses spurious errors with hostbased authentication enabled
-   - djm@cvs.openbsd.org 2014/07/06 07:42:03
-     [multiplex.sh test-exec.sh]
-     add a hook to the cleanup() function to kill $SSH_PID if it is set
-     
-     use it to kill the mux master started in multiplex.sh (it was being left
-     around on fatal failures)
-   - djm@cvs.openbsd.org 2014/07/07 08:15:26
-     [multiplex.sh]
-     remove forced-fatal that I stuck in there to test the new cleanup
-     logic and forgot to remove...
-
-20140706
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/03 23:18:35
-     [authfile.h]
-     remove leakmalloc droppings
-   - djm@cvs.openbsd.org 2014/07/05 23:11:48
-     [channels.c]
-     fix remote-forward cancel regression; ok markus@
-
-20140704
- - OpenBSD CVS Sync
-   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
-     [cipher-chachapoly.c]
-     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
-     makes it easier to verify that chacha_encrypt_bytes() is only called once
-     per chacha_ivsetup() call.
-     ok djm@
-   - djm@cvs.openbsd.org 2014/07/03 22:23:46
-     [sshconnect.c]
-     when rekeying, skip file/DNS lookup if it is the same as the key sent
-     during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
-   - djm@cvs.openbsd.org 2014/07/03 22:33:41
-     [channels.c]
-     allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
-     GatewayPorts=no; allows client to choose address family;
-     bz#2222 ok markus@
-   - djm@cvs.openbsd.org 2014/07/03 22:40:43
-     [servconf.c servconf.h session.c sshd.8 sshd_config.5]
-     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
-     executed, mirroring the no-user-rc authorized_keys option;
-     bz#2160; ok markus@
-
-20140703
- - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
-   doesn't support it.
- - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
-   bz#2237
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/03 01:45:38
-     [sshkey.c]
-     make Ed25519 keys' title fit properly in the randomart border; bz#2247
-     based on patch from Christian Hesse
-   - djm@cvs.openbsd.org 2014/07/03 03:11:03
-     [ssh-agent.c]
-     Only cleanup agent socket in the main agent process and not in any
-     subprocesses it may have started (e.g. forked askpass). Fixes
-     agent sockets being zapped when askpass processes fatal();
-     bz#2236 patch from Dmitry V. Levin
-   - djm@cvs.openbsd.org 2014/07/03 03:15:01
-     [ssh-add.c]
-     make stdout line-buffered; saves partial output getting lost when
-     ssh-add fatal()s part-way through (e.g. when listing keys from an
-     agent that supports key types that ssh-add doesn't);
-     bz#2234, reported by Phil Pennock
-   - djm@cvs.openbsd.org 2014/07/03 03:26:43
-     [digest-openssl.c]
-     use EVP_Digest() for one-shot hash instead of creating, updating,
-     finalising and destroying a context.
-     bz#2231, based on patch from Timo Teras
-   - djm@cvs.openbsd.org 2014/07/03 03:34:09
-     [gss-serv.c session.c ssh-keygen.c]
-     standardise on NI_MAXHOST for gethostname() string lengths; about
-     1/2 the cases were using it already. Fixes bz#2239 en passant
-   - djm@cvs.openbsd.org 2014/07/03 03:47:27
-     [ssh-keygen.c]
-     When hashing or removing hosts using ssh-keygen, don't choke on
-     @revoked markers and don't remove @cert-authority markers;
-     bz#2241, reported by mlindgren AT runelind.net
-   - djm@cvs.openbsd.org 2014/07/03 04:36:45
-     [digest.h]
-     forward-declare struct sshbuf so consumers don't need to include sshbuf.h
-   - djm@cvs.openbsd.org 2014/07/03 05:32:36
-     [ssh_config.5]
-     mention '%%' escape sequence in HostName directives and how it may
-     be used to specify IPv6 link-local addresses
-   - djm@cvs.openbsd.org 2014/07/03 05:38:17
-     [ssh.1]
-     document that -g will only work in the multiplexed case if applied to
-     the mux master
-   - djm@cvs.openbsd.org 2014/07/03 06:39:19
-     [ssh.c ssh_config.5]
-     Add a %C escape sequence for LocalCommand and ControlPath that expands
-     to a unique identifer based on a has of the tuple of (local host,
-     remote user, hostname, port).
-     
-     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
-     control paths.
-     
-     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
-   - jmc@cvs.openbsd.org 2014/07/03 07:45:27
-     [ssh_config.5]
-     escape %C since groff thinks it part of an Rs/Re block;
-   - djm@cvs.openbsd.org 2014/07/03 11:16:55
-     [auth.c auth.h auth1.c auth2.c]
-     make the "Too many authentication failures" message include the
-     user, source address, port and protocol in a format similar to the
-     authentication success / failure messages; bz#2199, ok dtucker
-
-20140702
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
-     [sandbox-systrace.c]
-     permit SYS_getentropy
-     from matthew
-   - matthew@cvs.openbsd.org 2014/06/18 02:59:13
-     [sandbox-systrace.c]
-     Now that we have a dedicated getentropy(2) system call for
-     arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
-     sandbox.
-     
-     ok djm
-   - naddy@cvs.openbsd.org 2014/06/18 15:42:09
-     [sshbuf-getput-crypto.c]
-     The ssh_get_bignum functions must accept the same range of bignums
-     the corresponding ssh_put_bignum functions create.  This fixes the
-     use of 16384-bit RSA keys (bug reported by Eivind Evensen).
-     ok djm@
-   - djm@cvs.openbsd.org 2014/06/24 00:52:02
-     [krl.c]
-     fix bug in KRL generation: multiple consecutive revoked certificate
-     serial number ranges could be serialised to an invalid format.
-     
-     Readers of a broken KRL caused by this bug will fail closed, so no
-     should-have-been-revoked key will be accepted.
-   - djm@cvs.openbsd.org 2014/06/24 01:13:21
-     [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
-     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
-     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
-     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
-     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
-     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
-     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
-     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
-     [sshconnect2.c sshd.c sshkey.c sshkey.h
-     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
-     New key API: refactor key-related functions to be more library-like,
-     existing API is offered as a set of wrappers.
-     
-     with and ok markus@
-     
-     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
-     Dempsky and Ron Bowes for a detailed review a few months ago.
-     NB. This commit also removes portable OpenSSH support for OpenSSL
-     <0.9.8e.
-   - djm@cvs.openbsd.org 2014/06/24 02:19:48
-     [ssh.c]
-     don't fatal() when hostname canonicalisation fails with a
-     ProxyCommand in use; continue and allow the ProxyCommand to
-     connect anyway (e.g. to a host with a name outside the DNS
-     behind a bastion)
-   - djm@cvs.openbsd.org 2014/06/24 02:21:01
-     [scp.c]
-     when copying local->remote fails during read, don't send uninitialised
-     heap to the remote end. Reported by Jann Horn
-   - deraadt@cvs.openbsd.org 2014/06/25 14:16:09
-     [sshbuf.c]
-     unblock SIGSEGV before raising it
-     ok djm
-   - markus@cvs.openbsd.org 2014/06/27 16:41:56
-     [channels.c channels.h clientloop.c ssh.c]
-     fix remote fwding with same listen port but different listen address
-     with gerhard@, ok djm@
-   - markus@cvs.openbsd.org 2014/06/27 18:50:39
-     [ssh-add.c]
-     fix loading of private keys
-   - djm@cvs.openbsd.org 2014/06/30 12:54:39
-     [key.c]
-     suppress spurious error message when loading key with a passphrase;
-     reported by kettenis@ ok markus@
-   - djm@cvs.openbsd.org 2014/07/02 04:59:06
-     [cipher-3des1.c]
-     fix ssh protocol 1 on the server that regressed with the sshkey change
-     (sometimes fatal() after auth completed), make file return useful status
-     codes.
-     NB. Id sync only for these two. They were bundled into the sshkey merge
-     above, since it was easier to sync the entire file and then apply
-     portable-specific changed atop it.
-   - djm@cvs.openbsd.org 2014/04/30 05:32:00
-     [regress/Makefile]
-     unit tests for new buffer API; including basic fuzz testing
-     NB. Id sync only.
-   - djm@cvs.openbsd.org 2014/05/21 07:04:21
-     [regress/integrity.sh]
-     when failing because of unexpected output, show the offending output
-   - djm@cvs.openbsd.org 2014/06/24 01:04:43
-     [regress/krl.sh]
-     regress test for broken consecutive revoked serial number ranges
-   - djm@cvs.openbsd.org 2014/06/24 01:14:17
-     [Makefile.in regress/Makefile regress/unittests/Makefile]
-     [regress/unittests/sshkey/Makefile]
-     [regress/unittests/sshkey/common.c]
-     [regress/unittests/sshkey/common.h]
-     [regress/unittests/sshkey/mktestdata.sh]
-     [regress/unittests/sshkey/test_file.c]
-     [regress/unittests/sshkey/test_fuzz.c]
-     [regress/unittests/sshkey/test_sshkey.c]
-     [regress/unittests/sshkey/tests.c]
-     [regress/unittests/sshkey/testdata/dsa_1]
-     [regress/unittests/sshkey/testdata/dsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/dsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/dsa_1.fp]
-     [regress/unittests/sshkey/testdata/dsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/dsa_1.param.g]
-     [regress/unittests/sshkey/testdata/dsa_1.param.priv]
-     [regress/unittests/sshkey/testdata/dsa_1.param.pub]
-     [regress/unittests/sshkey/testdata/dsa_1.pub]
-     [regress/unittests/sshkey/testdata/dsa_1_pw]
-     [regress/unittests/sshkey/testdata/dsa_2]
-     [regress/unittests/sshkey/testdata/dsa_2.fp]
-     [regress/unittests/sshkey/testdata/dsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/dsa_2.pub]
-     [regress/unittests/sshkey/testdata/dsa_n]
-     [regress/unittests/sshkey/testdata/dsa_n_pw]
-     [regress/unittests/sshkey/testdata/ecdsa_1]
-     [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1_pw]
-     [regress/unittests/sshkey/testdata/ecdsa_2]
-     [regress/unittests/sshkey/testdata/ecdsa_2.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_2.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_n]
-     [regress/unittests/sshkey/testdata/ecdsa_n_pw]
-     [regress/unittests/sshkey/testdata/ed25519_1]
-     [regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
-     [regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
-     [regress/unittests/sshkey/testdata/ed25519_1.fp]
-     [regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
-     [regress/unittests/sshkey/testdata/ed25519_1.pub]
-     [regress/unittests/sshkey/testdata/ed25519_1_pw]
-     [regress/unittests/sshkey/testdata/ed25519_2]
-     [regress/unittests/sshkey/testdata/ed25519_2.fp]
-     [regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
-     [regress/unittests/sshkey/testdata/ed25519_2.pub]
-     [regress/unittests/sshkey/testdata/pw]
-     [regress/unittests/sshkey/testdata/rsa1_1]
-     [regress/unittests/sshkey/testdata/rsa1_1.fp]
-     [regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa1_1.param.n]
-     [regress/unittests/sshkey/testdata/rsa1_1.pub]
-     [regress/unittests/sshkey/testdata/rsa1_1_pw]
-     [regress/unittests/sshkey/testdata/rsa1_2]
-     [regress/unittests/sshkey/testdata/rsa1_2.fp]
-     [regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa1_2.param.n]
-     [regress/unittests/sshkey/testdata/rsa1_2.pub]
-     [regress/unittests/sshkey/testdata/rsa_1]
-     [regress/unittests/sshkey/testdata/rsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/rsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/rsa_1.fp]
-     [regress/unittests/sshkey/testdata/rsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa_1.param.n]
-     [regress/unittests/sshkey/testdata/rsa_1.param.p]
-     [regress/unittests/sshkey/testdata/rsa_1.param.q]
-     [regress/unittests/sshkey/testdata/rsa_1.pub]
-     [regress/unittests/sshkey/testdata/rsa_1_pw]
-     [regress/unittests/sshkey/testdata/rsa_2]
-     [regress/unittests/sshkey/testdata/rsa_2.fp]
-     [regress/unittests/sshkey/testdata/rsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa_2.param.n]
-     [regress/unittests/sshkey/testdata/rsa_2.param.p]
-     [regress/unittests/sshkey/testdata/rsa_2.param.q]
-     [regress/unittests/sshkey/testdata/rsa_2.pub]
-     [regress/unittests/sshkey/testdata/rsa_n]
-     [regress/unittests/sshkey/testdata/rsa_n_pw]
-     unit and fuzz tests for new key API
- - (djm) [sshkey.c] Conditionalise inclusion of util.h
- - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
-
-20140618
- - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
-
-20140617
- - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
-   openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
-   Move the OpenSSL header/library version test into its own function and add
-   tests for it. Fix it to allow fix version upgrades (but not downgrades).
-   Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
-   ok djm@ chl@
-
-20140616
- - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR.  From rak at debian via
-   OpenSMTPD and chl@
-
-20140612
- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
-   been removed from sshd.c.
-
-20140611
- - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
-   openbsd-compat/bsd-asprintf.c.
- - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
-   Wrap stdlib.h include an ifdef for platforms that don't have it.
- - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
-   u_intXX_t types.
-
-20140610
- - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
-   regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
-   curve tests if OpenSSL has them.
- - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
-   the proposal if the version of OpenSSL we're using doesn't support ECC.
- - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
-   ECC variable too.
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/06/05 22:17:50
-     [sshconnect2.c]
-     fix inverted test that caused PKCS#11 keys that were explicitly listed
-     not to be preferred. Reported by Dirk-Willem van Gulik
-   - dtucker@cvs.openbsd.org 2014/06/10 21:46:11
-     [sshbuf.h]
-     Group ECC functions together to make things a little easier in -portable.
-     "doesn't bother me" deraadt@
- - (dtucker) [sshbuf.h] Only declare ECC functions if building without
-   OpenSSL or if OpenSSL has ECC.
- - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
-   assigment that might get optimized out.  ok djm@
- - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
-   compat stuff, specifically whether or not OpenSSL has ECC.
-
-20140527
- - (djm) [cipher.c] Fix merge botch.
- - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
-   from Corinna Vinschen, fixing a number of bugs and preparing for
-   Cygwin 1.7.30.
- - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
-   [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
-   separation user at runtime, since it may need to be a domain account.
-   Patch from Corinna Vinschen.
-
-20140522
- - (djm) [Makefile.in] typo in path
-
-20140521
- - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
-   vhangup on Linux. It doens't work for non-root users, and for them
-   it just messes up the tty settings.
- - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
-   when it is available. It takes into account time spent suspended,
-   thereby ensuring timeouts (e.g. for expiring agent keys) fire
-   correctly. bz#2228 reported by John Haxby
-
-20140519
- - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
-   OpenBSD
- - OpenBSD CVS Sync
-   - logan@cvs.openbsd.org 2014/04/20 09:24:26
-     [dns.c dns.h ssh-keygen.c]
-     Add support for SSHFP DNS records for ED25519 key types.
-     OK from djm@
-   - logan@cvs.openbsd.org 2014/04/21 14:36:16
-     [sftp-client.c sftp-client.h sftp.c]
-     Implement sftp upload resume support.
-     OK from djm@, with input from guenther@, mlarkin@ and
-     okan@
-   - logan@cvs.openbsd.org 2014/04/22 10:07:12
-     [sftp.c]
-     Sort the sftp command list.
-     OK from djm@
-   - logan@cvs.openbsd.org 2014/04/22 12:42:04
-     [sftp.1]
-     Document sftp upload resume.
-     OK from djm@, with feedback from okan@.
-   - jmc@cvs.openbsd.org 2014/04/22 14:16:30
-     [sftp.1]
-     zap eol whitespace;
-   - djm@cvs.openbsd.org 2014/04/23 12:42:34
-     [readconf.c]
-     don't record duplicate IdentityFiles
-   - djm@cvs.openbsd.org 2014/04/28 03:09:18
-     [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
-     [ssh-keygen.c]
-     buffer_get_string_ptr's return should be const to remind
-     callers that futzing with it will futz with the actual buffer
-     contents
-   - djm@cvs.openbsd.org 2014/04/29 13:10:30
-     [clientloop.c serverloop.c]
-     bz#1818 - don't send channel success/failre replies on channels that
-     have sent a close already; analysis and patch from Simon Tatham;
-     ok markus@
-   - markus@cvs.openbsd.org 2014/04/29 18:01:49
-     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
-     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
-     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
-     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
-     make compiling against OpenSSL optional (make OPENSSL=no);
-     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
-     allows us to explore further options; with and ok djm
-   - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
-     [sftp.c]
-     Move nulling of variable next to where it's freed.  ok markus@
-   - dtucker@cvs.openbsd.org 2014/04/29 20:36:51
-     [sftp.c]
-     Don't attempt to append a nul quote char to the filename.  Should prevent
-     fatal'ing with "el_insertstr failed" when there's a single quote char
-     somewhere in the string.  bz#2238, ok markus@
-   - djm@cvs.openbsd.org 2014/04/30 05:29:56
-     [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
-     [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
-     [ssherr.h]
-     New buffer API; the first installment of the conversion/replacement
-     of OpenSSH's internals to make them usable as a standalone library.
-     
-     This includes a set of wrappers to make it compatible with the
-     existing buffer API so replacement can occur incrementally.
-     
-     With and ok markus@
-     
-     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
-     Dempsky and Ron Bowes for a detailed review.
-   - naddy@cvs.openbsd.org 2014/04/30 19:07:48
-     [mac.c myproposal.h umac.c]
-     UMAC can use our local fallback implementation of AES when OpenSSL isn't
-     available.  Glue code straight from Ted Krovetz's original umac.c.
-     ok markus@
-   - djm@cvs.openbsd.org 2014/05/02 03:27:54
-     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
-     [misc.h poly1305.h ssh-pkcs11.c defines.h]
-     revert __bounded change; it causes way more problems for portable than
-     it solves; pointed out by dtucker@
-   - markus@cvs.openbsd.org 2014/05/03 17:20:34
-     [monitor.c packet.c packet.h]
-     unbreak compression, by re-init-ing the compression code in the
-     post-auth child. the new buffer code is more strict, and requires
-     buffer_init() while the old code was happy after a bzero();
-     originally from djm@
-   - logan@cvs.openbsd.org 2014/05/05 07:02:30
-     [sftp.c]
-     Zap extra whitespace.
-     
-     OK from djm@ and dtucker@
- - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
-   portability glue to support building without libcrypto
- - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
-   [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/13 20:44:49
-     [login-timeout.sh]
-     this test is a sorry mess of race conditions; add another sleep
-     to avoid a failure on slow machines (at least until I find a
-     better way)
-   - djm@cvs.openbsd.org 2014/04/21 22:15:37
-     [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
-     repair regress tests broken by server-side default cipher/kex/mac changes
-     by ensuring that the option under test is included in the server's
-     algorithm list
-   - dtucker@cvs.openbsd.org 2014/05/03 18:46:14
-     [proxy-connect.sh]
-     Add tests for with and without compression, with and without privsep.
-   - logan@cvs.openbsd.org 2014/05/04 10:40:59
-     [connect-privsep.sh]
-     Remove the Z flag from the list of malloc options as it
-     was removed from malloc.c 10 days ago.
-     
-     OK from miod@
- - (djm) [regress/unittests/Makefile]
-   [regress/unittests/Makefile.inc]
-   [regress/unittests/sshbuf/Makefile]
-   [regress/unittests/sshbuf/test_sshbuf.c]
-   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
-   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_misc.c]
-   [regress/unittests/sshbuf/tests.c]
-   [regress/unittests/test_helper/Makefile]
-   [regress/unittests/test_helper/fuzz.c]
-   [regress/unittests/test_helper/test_helper.c]
-   [regress/unittests/test_helper/test_helper.h]
-   Import new unit tests from OpenBSD; not yet hooked up to build.
- - (djm) [regress/Makefile Makefile.in]
-   [regress/unittests/sshbuf/test_sshbuf.c
-   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
-   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_misc.c]
-   [regress/unittests/sshbuf/tests.c]
-   [regress/unittests/test_helper/fuzz.c]
-   [regress/unittests/test_helper/test_helper.c]
-   Hook new unit tests into the build and "make tests"
- - (djm) [sshbuf.c] need __predict_false
-
-20140430
- - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
-   have it.  Only attempt to use __attribute__(__bounded__) for gcc.
-
-20140420
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/03 22:22:30
-     [session.c]
-     ignore enviornment variables with embedded '=' or '\0' characters;
-     spotted by Jann Horn; ok deraadt@
-     Id sync only - portable already has this.
-   - djm@cvs.openbsd.org 2014/03/12 04:44:58
-     [ssh-keyscan.c]
-     scan for Ed25519 keys by default too
-   - djm@cvs.openbsd.org 2014/03/12 04:50:32
-     [auth-bsdauth.c ssh-keygen.c]
-     don't count on things that accept arguments by reference to clear
-     things for us on error; most things do, but it's unsafe form.
-   - djm@cvs.openbsd.org 2014/03/12 04:51:12
-     [authfile.c]
-     correct test that kdf name is not "none" or "bcrypt"
-   - naddy@cvs.openbsd.org 2014/03/12 13:06:59
-     [ssh-keyscan.1]
-     scan for Ed25519 keys by default too
-   - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
-     [ssh-agent.c ssh-keygen.1 ssh-keygen.c]
-     Improve usage() and documentation towards the standard form. 
-     In particular, this line saves a lot of man page reading time.
-       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
-                         [-N new_passphrase] [-C comment] [-f output_keyfile]
-     ok schwarze jmc
-   - tedu@cvs.openbsd.org 2014/03/17 19:44:10
-     [ssh.1]
-     old descriptions of des and blowfish are old. maybe ok deraadt
-   - tedu@cvs.openbsd.org 2014/03/19 14:42:44
-     [scp.1]
-     there is no need for rcp anymore
-     ok deraadt millert
-   - markus@cvs.openbsd.org 2014/03/25 09:40:03
-     [myproposal.h]
-     trimm default proposals.
-     
-     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
-     (arcfour), and the broken modes (CBC) from the default configuration
-     (the patch only changes the default, all the modes are still available
-     for the config files).
-     
-     ok djm@, reminded by tedu@ & naddy@ and discussed with many
-   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
-     [myproposal.h]
-     The current sharing of myproposal[] between both client and server code
-     makes the previous diff highly unpallatable.  We want to go in that
-     direction for the server, but not for the client.  Sigh.
-     Brought up by naddy.
-   - markus@cvs.openbsd.org 2014/03/27 23:01:27
-     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
-     disable weak proposals in sshd, but keep them in ssh; ok djm@
-   - djm@cvs.openbsd.org 2014/03/26 04:55:35
-     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
-     [misc.h poly1305.h ssh-pkcs11.c]
-     use __bounded(...) attribute recently added to sys/cdefs.h instead of
-     longform __attribute__(__bounded(...));
-     
-     for brevity and a warning free compilation with llvm/clang
-   - tedu@cvs.openbsd.org 2014/03/26 19:58:37
-     [sshd.8 sshd.c]
-     remove libwrap support. ok deraadt djm mfriedl
-   - naddy@cvs.openbsd.org 2014/03/28 05:17:11
-     [ssh_config.5 sshd_config.5]
-     sync available and default algorithms, improve algorithm list formatting
-     help from jmc@ and schwarze@, ok deraadt@
-   - jmc@cvs.openbsd.org 2014/03/31 13:39:34
-     [ssh-keygen.1]
-     the text for the -K option was inserted in the wrong place in -r1.108;
-     fix From: Matthew Clarke
-   - djm@cvs.openbsd.org 2014/04/01 02:05:27
-     [ssh-keysign.c]
-     include fingerprint of key not found
-     use arc4random_buf() instead of loop+arc4random()
-   - djm@cvs.openbsd.org 2014/04/01 03:34:10
-     [sshconnect.c]
-     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-     certificate keys to plain keys and attempt SSHFP resolution.
-     
-     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-     dialog by offering only certificate keys.
-     
-     Reported by mcv21 AT cam.ac.uk
-   - djm@cvs.openbsd.org 2014/04/01 05:32:57
-     [packet.c]
-     demote a debug3 to PACKET_DEBUG; ok markus@
-   - djm@cvs.openbsd.org 2014/04/12 04:55:53
-     [sshd.c]
-     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
-     bz#2225, patch from kavi AT juniper.net
-   - djm@cvs.openbsd.org 2014/04/16 23:22:45
-     [bufaux.c]
-     skip leading zero bytes in buffer_put_bignum2_from_string();
-     reported by jan AT mojzis.com; ok markus@
-   - djm@cvs.openbsd.org 2014/04/16 23:28:12
-     [ssh-agent.1]
-     remove the identity files from this manpage - ssh-agent doesn't deal
-     with them at all and the same information is duplicated in ssh-add.1
-     (which does deal with them); prodded by deraadt@
-   - djm@cvs.openbsd.org 2014/04/18 23:52:25
-     [compat.c compat.h sshconnect2.c sshd.c version.h]
-     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
-     using the curve25519-sha256@libssh.org KEX exchange method to fail
-     when connecting with something that implements the spec properly.
-     
-     Disable this KEX method when speaking to one of the affected
-     versions.
-     
-     reported by Aris Adamantiadis; ok markus@
-   - djm@cvs.openbsd.org 2014/04/19 05:54:59
-     [compat.c]
-     missing wildcard; pointed out by naddy@
-   - tedu@cvs.openbsd.org 2014/04/19 14:53:48
-     [ssh-keysign.c sshd.c]
-     Delete futile calls to RAND_seed. ok djm
-     NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
-   - tedu@cvs.openbsd.org 2014/04/19 18:15:16
-     [sshd.8]
-     remove some really old rsh references
-   - tedu@cvs.openbsd.org 2014/04/19 18:42:19
-     [ssh.1]
-     delete .xr to hosts.equiv. there's still an unfortunate amount of
-     documentation referring to rhosts equivalency in here.
-   - djm@cvs.openbsd.org 2014/04/20 02:30:25
-     [misc.c misc.h umac.c]
-     use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
-     strict-alignment architectures; reported by and ok stsp@
-   - djm@cvs.openbsd.org 2014/04/20 02:49:32
-     [compat.c]
-     add a canonical 6.6 + curve25519 bignum fix fake version that I can
-     recommend people use ahead of the openssh-6.7 release
-
-20140401
- - (djm) On platforms that support it, use prctl() to prevent sftp-server
-   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
- - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
-   version. From des@des.no
-
-20140317
- - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
-   remind myself to add sandbox violation logging via the log socket.
-
-20140314
- - (tim) [opensshd.init.in] Add support for ed25519
-
-20140313
- - (djm) Release OpenSSH 6.6
-
-20140304
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/03 22:22:30
-     [session.c]
-     ignore enviornment variables with embedded '=' or '\0' characters;
-     spotted by Jann Horn; ok deraadt@
-
-20140301
- - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
-   no moduli file exists at the expected location.
-
-20140228
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/02/27 00:41:49
-     [bufbn.c]
-     fix unsigned overflow that could lead to reading a short ssh protocol
-     1 bignum value; found by Ben Hawkes; ok deraadt@
-   - djm@cvs.openbsd.org 2014/02/27 08:25:09
-     [bufbn.c]
-     off by one in range check
-   - djm@cvs.openbsd.org 2014/02/27 22:47:07
-     [sshd_config.5]
-     bz#2184 clarify behaviour of a keyword that appears in multiple
-     matching Match blocks; ok dtucker@
-   - djm@cvs.openbsd.org 2014/02/27 22:57:40
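
Review bot: the removed entries stop mid-record at "djm@cvs.openbsd.org 2014/02/27 22:57:40", with no file list or description after it, so this hunk cannot be reviewed to its end from the mail and should be checked against the full changeset. Everything visible here is deletion of history, and it includes security-relevant records: the 2014/06/24 scp.c fix for sending uninitialised heap to the remote end, the 2014/02/27 bufbn.c unsigned overflow, and the 2014/03/27 change disabling weak proposals in sshd. No added lines are visible in this hunk, so confirm that the replacement content still carries these entries, or that they remain reachable elsewhere, before relying on the in-tree copy for audit.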

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


