From: Dag-Erling Smørgrav
Date: Mon, 31 Mar 2014 14:39:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r263970 - in stable/9: . crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse cry...

Author: des
Date: Mon Mar 31 14:39:56 2014
New Revision: 263970
URL: http://svnweb.freebsd.org/changeset/base/263970

Log:
  MFH (r237568, r255422, r255460, r255766, r255767, r255774, r255829,
  r256126, r257954, r261320, r261499, r263691, r263712):
  upgrade to OpenSSH 6.6p1 via 6.3p1, 6.4p1 and 6.5p1.

  Differences relative to head:
  - No DNSSEC support since stable/9 does not have LDNS
  - Sandboxing off by default, and uses rlimit instead of Capsicum
  - ED25519 moved to the bottom of the order of preference to avoid
    "new public key" warnings

Added: stable/9/crypto/openssh/Makefile.in - copied, changed from r255774, head/crypto/openssh/Makefile.in stable/9/crypto/openssh/PROTOCOL.chacha20poly1305 - copied unchanged from r261320, head/crypto/openssh/PROTOCOL.chacha20poly1305 stable/9/crypto/openssh/PROTOCOL.key - copied unchanged from r261320, head/crypto/openssh/PROTOCOL.key stable/9/crypto/openssh/blocks.c - copied unchanged from r261320, head/crypto/openssh/blocks.c stable/9/crypto/openssh/buildpkg.sh.in - copied unchanged from r255774, head/crypto/openssh/buildpkg.sh.in stable/9/crypto/openssh/chacha.c - copied unchanged from r261320, head/crypto/openssh/chacha.c stable/9/crypto/openssh/chacha.h - copied unchanged from r261320, head/crypto/openssh/chacha.h stable/9/crypto/openssh/cipher-chachapoly.c - copied, changed from r261320, head/crypto/openssh/cipher-chachapoly.c stable/9/crypto/openssh/cipher-chachapoly.h - copied unchanged from r261320, head/crypto/openssh/cipher-chachapoly.h stable/9/crypto/openssh/config.sub - copied unchanged from r255774, head/crypto/openssh/config.sub stable/9/crypto/openssh/configure - copied, changed from r255774, head/crypto/openssh/configure stable/9/crypto/openssh/configure.ac - copied, changed from r255774, head/crypto/openssh/configure.ac stable/9/crypto/openssh/contrib/ - copied from r255774, head/crypto/openssh/contrib/ stable/9/crypto/openssh/crypto_api.h - copied unchanged from r261320, head/crypto/openssh/crypto_api.h stable/9/crypto/openssh/digest-libc.c - copied unchanged from r263712, head/crypto/openssh/digest-libc.c stable/9/crypto/openssh/digest-openssl.c - copied unchanged from r263712, head/crypto/openssh/digest-openssl.c stable/9/crypto/openssh/digest.h - copied, changed from r261320, head/crypto/openssh/digest.h
stable/9/crypto/openssh/ed25519.c - copied unchanged from r261320, head/crypto/openssh/ed25519.c stable/9/crypto/openssh/fe25519.c - copied unchanged from r261320, head/crypto/openssh/fe25519.c stable/9/crypto/openssh/fe25519.h - copied unchanged from r261320, head/crypto/openssh/fe25519.h stable/9/crypto/openssh/fixalgorithms - copied unchanged from r255767, head/crypto/openssh/fixalgorithms stable/9/crypto/openssh/freebsd-configure.sh - copied unchanged from r255829, head/crypto/openssh/freebsd-configure.sh stable/9/crypto/openssh/freebsd-post-merge.sh - copied unchanged from r263691, head/crypto/openssh/freebsd-post-merge.sh stable/9/crypto/openssh/freebsd-pre-merge.sh - copied unchanged from r263691, head/crypto/openssh/freebsd-pre-merge.sh stable/9/crypto/openssh/ge25519.c - copied unchanged from r261320, head/crypto/openssh/ge25519.c stable/9/crypto/openssh/ge25519.h - copied unchanged from r261320, head/crypto/openssh/ge25519.h stable/9/crypto/openssh/ge25519_base.data - copied unchanged from r261320, head/crypto/openssh/ge25519_base.data stable/9/crypto/openssh/hash.c - copied unchanged from r261320, head/crypto/openssh/hash.c stable/9/crypto/openssh/hmac.c - copied unchanged from r263712, head/crypto/openssh/hmac.c stable/9/crypto/openssh/hmac.h - copied unchanged from r263712, head/crypto/openssh/hmac.h stable/9/crypto/openssh/install-sh - copied unchanged from r255774, head/crypto/openssh/install-sh stable/9/crypto/openssh/kexc25519.c - copied, changed from r261320, head/crypto/openssh/kexc25519.c stable/9/crypto/openssh/kexc25519c.c - copied unchanged from r261320, head/crypto/openssh/kexc25519c.c stable/9/crypto/openssh/kexc25519s.c - copied unchanged from r261320, head/crypto/openssh/kexc25519s.c stable/9/crypto/openssh/krb5_config.h - copied, changed from r255829, head/crypto/openssh/krb5_config.h stable/9/crypto/openssh/mdoc2man.awk - copied unchanged from r255774, head/crypto/openssh/mdoc2man.awk stable/9/crypto/openssh/moduli.0 - copied, changed 
from r255774, head/crypto/openssh/moduli.0 stable/9/crypto/openssh/nchan.ms - copied unchanged from r255774, head/crypto/openssh/nchan.ms stable/9/crypto/openssh/nchan2.ms - copied unchanged from r255774, head/crypto/openssh/nchan2.ms stable/9/crypto/openssh/openbsd-compat/Makefile.in - copied, changed from r255774, head/crypto/openssh/openbsd-compat/Makefile.in stable/9/crypto/openssh/openbsd-compat/arc4random.c - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/arc4random.c stable/9/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c stable/9/crypto/openssh/openbsd-compat/blf.h - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/blf.h stable/9/crypto/openssh/openbsd-compat/blowfish.c (contents, props changed) - copied, changed from r261320, head/crypto/openssh/openbsd-compat/blowfish.c stable/9/crypto/openssh/openbsd-compat/chacha_private.h - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/chacha_private.h stable/9/crypto/openssh/openbsd-compat/explicit_bzero.c - copied unchanged from r263712, head/crypto/openssh/openbsd-compat/explicit_bzero.c stable/9/crypto/openssh/openbsd-compat/getopt.h - copied unchanged from r255767, head/crypto/openssh/openbsd-compat/getopt.h stable/9/crypto/openssh/openbsd-compat/getopt_long.c - copied unchanged from r255767, head/crypto/openssh/openbsd-compat/getopt_long.c stable/9/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c - copied, changed from r255422, head/crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c stable/9/crypto/openssh/openbsd-compat/regress/ - copied from r255774, head/crypto/openssh/openbsd-compat/regress/ stable/9/crypto/openssh/openbsd-compat/strnlen.c - copied unchanged from r255422, head/crypto/openssh/openbsd-compat/strnlen.c stable/9/crypto/openssh/openssh.xml.in - copied unchanged from r255774, head/crypto/openssh/openssh.xml.in stable/9/crypto/openssh/opensshd.init.in - copied 
unchanged from r255774, head/crypto/openssh/opensshd.init.in stable/9/crypto/openssh/poly1305.c - copied unchanged from r261320, head/crypto/openssh/poly1305.c stable/9/crypto/openssh/poly1305.h - copied unchanged from r261320, head/crypto/openssh/poly1305.h stable/9/crypto/openssh/regress/ - copied from r255774, head/crypto/openssh/regress/ stable/9/crypto/openssh/regress/dhgex.sh - copied unchanged from r263712, head/crypto/openssh/regress/dhgex.sh stable/9/crypto/openssh/regress/setuid-allowed.c - copied, changed from r261320, head/crypto/openssh/regress/setuid-allowed.c stable/9/crypto/openssh/regress/sftp-perm.sh - copied unchanged from r261320, head/crypto/openssh/regress/sftp-perm.sh stable/9/crypto/openssh/sandbox-capsicum.c (contents, props changed) - copied, changed from r261320, head/crypto/openssh/sandbox-capsicum.c stable/9/crypto/openssh/sandbox-seccomp-filter.c - copied, changed from r255422, head/crypto/openssh/sandbox-seccomp-filter.c stable/9/crypto/openssh/sc25519.c - copied unchanged from r261320, head/crypto/openssh/sc25519.c stable/9/crypto/openssh/sc25519.h - copied unchanged from r261320, head/crypto/openssh/sc25519.h stable/9/crypto/openssh/scp.0 - copied, changed from r255774, head/crypto/openssh/scp.0 stable/9/crypto/openssh/sftp-server.0 - copied, changed from r255774, head/crypto/openssh/sftp-server.0 stable/9/crypto/openssh/sftp.0 - copied, changed from r255774, head/crypto/openssh/sftp.0 stable/9/crypto/openssh/smult_curve25519_ref.c - copied unchanged from r261320, head/crypto/openssh/smult_curve25519_ref.c stable/9/crypto/openssh/ssh-add.0 - copied, changed from r255774, head/crypto/openssh/ssh-add.0 stable/9/crypto/openssh/ssh-agent.0 - copied, changed from r255774, head/crypto/openssh/ssh-agent.0 stable/9/crypto/openssh/ssh-ed25519.c - copied, changed from r261320, head/crypto/openssh/ssh-ed25519.c stable/9/crypto/openssh/ssh-keygen.0 - copied, changed from r255774, head/crypto/openssh/ssh-keygen.0 
stable/9/crypto/openssh/ssh-keyscan.0 - copied, changed from r255774, head/crypto/openssh/ssh-keyscan.0 stable/9/crypto/openssh/ssh-keysign.0 - copied, changed from r255774, head/crypto/openssh/ssh-keysign.0 stable/9/crypto/openssh/ssh-pkcs11-helper.0 - copied, changed from r255774, head/crypto/openssh/ssh-pkcs11-helper.0 stable/9/crypto/openssh/ssh.0 - copied, changed from r255774, head/crypto/openssh/ssh.0 stable/9/crypto/openssh/ssh_config.0 - copied, changed from r255774, head/crypto/openssh/ssh_config.0 stable/9/crypto/openssh/sshd.0 - copied, changed from r255774, head/crypto/openssh/sshd.0 stable/9/crypto/openssh/sshd_config.0 - copied, changed from r255774, head/crypto/openssh/sshd_config.0 stable/9/crypto/openssh/survey.sh.in - copied unchanged from r255774, head/crypto/openssh/survey.sh.in stable/9/crypto/openssh/verify.c - copied unchanged from r261320, head/crypto/openssh/verify.c Deleted: stable/9/crypto/openssh/FREEBSD-tricks stable/9/crypto/openssh/auth2-jpake.c stable/9/crypto/openssh/jpake.c stable/9/crypto/openssh/jpake.h stable/9/crypto/openssh/openbsd-compat/bsd-arc4random.c stable/9/crypto/openssh/openbsd-compat/getopt.c stable/9/crypto/openssh/schnorr.h Modified: stable/9/Makefile.inc1 (contents, props changed) stable/9/crypto/openssh/ChangeLog stable/9/crypto/openssh/FREEBSD-upgrade stable/9/crypto/openssh/PROTOCOL stable/9/crypto/openssh/README stable/9/crypto/openssh/aclocal.m4 stable/9/crypto/openssh/addrmatch.c stable/9/crypto/openssh/atomicio.c stable/9/crypto/openssh/audit-linux.c stable/9/crypto/openssh/auth-chall.c stable/9/crypto/openssh/auth-krb5.c stable/9/crypto/openssh/auth-options.c stable/9/crypto/openssh/auth-pam.c stable/9/crypto/openssh/auth-rsa.c stable/9/crypto/openssh/auth.c stable/9/crypto/openssh/auth.h stable/9/crypto/openssh/auth1.c stable/9/crypto/openssh/auth2-chall.c stable/9/crypto/openssh/auth2-gss.c stable/9/crypto/openssh/auth2-hostbased.c stable/9/crypto/openssh/auth2-kbdint.c 
stable/9/crypto/openssh/auth2-passwd.c stable/9/crypto/openssh/auth2-pubkey.c stable/9/crypto/openssh/auth2.c stable/9/crypto/openssh/authfd.c stable/9/crypto/openssh/authfile.c stable/9/crypto/openssh/authfile.h stable/9/crypto/openssh/bufaux.c stable/9/crypto/openssh/bufbn.c stable/9/crypto/openssh/bufec.c stable/9/crypto/openssh/buffer.c stable/9/crypto/openssh/buffer.h stable/9/crypto/openssh/canohost.c stable/9/crypto/openssh/channels.c stable/9/crypto/openssh/channels.h stable/9/crypto/openssh/cipher-3des1.c stable/9/crypto/openssh/cipher-aes.c stable/9/crypto/openssh/cipher-ctr.c stable/9/crypto/openssh/cipher.c stable/9/crypto/openssh/cipher.h stable/9/crypto/openssh/clientloop.c stable/9/crypto/openssh/clientloop.h stable/9/crypto/openssh/compat.c stable/9/crypto/openssh/compat.h stable/9/crypto/openssh/config.guess stable/9/crypto/openssh/config.h stable/9/crypto/openssh/config.h.in stable/9/crypto/openssh/contrib/caldera/openssh.spec stable/9/crypto/openssh/contrib/cygwin/ssh-host-config stable/9/crypto/openssh/contrib/redhat/openssh.spec stable/9/crypto/openssh/contrib/ssh-copy-id.1 (contents, props changed) stable/9/crypto/openssh/contrib/suse/openssh.spec stable/9/crypto/openssh/defines.h stable/9/crypto/openssh/dh.c stable/9/crypto/openssh/dh.h stable/9/crypto/openssh/dns.c stable/9/crypto/openssh/groupaccess.c stable/9/crypto/openssh/gss-genr.c stable/9/crypto/openssh/gss-serv-krb5.c stable/9/crypto/openssh/gss-serv.c stable/9/crypto/openssh/hostfile.c stable/9/crypto/openssh/hostfile.h stable/9/crypto/openssh/includes.h stable/9/crypto/openssh/kex.c stable/9/crypto/openssh/kex.h stable/9/crypto/openssh/kexdh.c stable/9/crypto/openssh/kexdhc.c stable/9/crypto/openssh/kexdhs.c stable/9/crypto/openssh/kexecdh.c stable/9/crypto/openssh/kexecdhc.c stable/9/crypto/openssh/kexecdhs.c stable/9/crypto/openssh/kexgex.c stable/9/crypto/openssh/kexgexc.c stable/9/crypto/openssh/kexgexs.c stable/9/crypto/openssh/key.c stable/9/crypto/openssh/key.h 
stable/9/crypto/openssh/krl.c stable/9/crypto/openssh/log.c stable/9/crypto/openssh/log.h stable/9/crypto/openssh/loginrec.c stable/9/crypto/openssh/mac.c stable/9/crypto/openssh/mac.h stable/9/crypto/openssh/match.c stable/9/crypto/openssh/misc.c stable/9/crypto/openssh/misc.h stable/9/crypto/openssh/moduli.5 (contents, props changed) stable/9/crypto/openssh/moduli.c stable/9/crypto/openssh/monitor.c stable/9/crypto/openssh/monitor.h stable/9/crypto/openssh/monitor_mm.c stable/9/crypto/openssh/monitor_mm.h stable/9/crypto/openssh/monitor_wrap.c stable/9/crypto/openssh/monitor_wrap.h stable/9/crypto/openssh/mux.c (contents, props changed) stable/9/crypto/openssh/myproposal.h stable/9/crypto/openssh/openbsd-compat/bsd-cygwin_util.c stable/9/crypto/openssh/openbsd-compat/bsd-cygwin_util.h stable/9/crypto/openssh/openbsd-compat/bsd-misc.c stable/9/crypto/openssh/openbsd-compat/bsd-misc.h (contents, props changed) stable/9/crypto/openssh/openbsd-compat/bsd-poll.c stable/9/crypto/openssh/openbsd-compat/bsd-setres_id.c stable/9/crypto/openssh/openbsd-compat/bsd-snprintf.c stable/9/crypto/openssh/openbsd-compat/bsd-statvfs.c stable/9/crypto/openssh/openbsd-compat/bsd-statvfs.h stable/9/crypto/openssh/openbsd-compat/openbsd-compat.h stable/9/crypto/openssh/openbsd-compat/openssl-compat.c stable/9/crypto/openssh/openbsd-compat/openssl-compat.h stable/9/crypto/openssh/openbsd-compat/port-aix.c stable/9/crypto/openssh/openbsd-compat/port-linux.c stable/9/crypto/openssh/openbsd-compat/setproctitle.c stable/9/crypto/openssh/openbsd-compat/xcrypt.c stable/9/crypto/openssh/packet.c stable/9/crypto/openssh/packet.h stable/9/crypto/openssh/pathnames.h (contents, props changed) stable/9/crypto/openssh/pkcs11.h stable/9/crypto/openssh/platform.c stable/9/crypto/openssh/platform.h stable/9/crypto/openssh/progressmeter.c stable/9/crypto/openssh/readconf.c stable/9/crypto/openssh/readconf.h stable/9/crypto/openssh/readpass.c stable/9/crypto/openssh/regress/Makefile 
stable/9/crypto/openssh/regress/agent-ptrace.sh stable/9/crypto/openssh/regress/agent.sh stable/9/crypto/openssh/regress/cert-hostkey.sh stable/9/crypto/openssh/regress/cert-userkey.sh stable/9/crypto/openssh/regress/cipher-speed.sh stable/9/crypto/openssh/regress/forward-control.sh stable/9/crypto/openssh/regress/host-expand.sh stable/9/crypto/openssh/regress/integrity.sh stable/9/crypto/openssh/regress/kextype.sh stable/9/crypto/openssh/regress/keytype.sh stable/9/crypto/openssh/regress/krl.sh stable/9/crypto/openssh/regress/login-timeout.sh stable/9/crypto/openssh/regress/modpipe.c stable/9/crypto/openssh/regress/rekey.sh stable/9/crypto/openssh/regress/scp-ssh-wrapper.sh stable/9/crypto/openssh/regress/scp.sh stable/9/crypto/openssh/regress/sftp-chroot.sh stable/9/crypto/openssh/regress/test-exec.sh stable/9/crypto/openssh/regress/try-ciphers.sh stable/9/crypto/openssh/roaming_client.c stable/9/crypto/openssh/roaming_common.c stable/9/crypto/openssh/rsa.c stable/9/crypto/openssh/sandbox-darwin.c stable/9/crypto/openssh/sandbox-null.c stable/9/crypto/openssh/sandbox-rlimit.c stable/9/crypto/openssh/sandbox-systrace.c stable/9/crypto/openssh/schnorr.c stable/9/crypto/openssh/scp.1 (contents, props changed) stable/9/crypto/openssh/scp.c stable/9/crypto/openssh/servconf.c stable/9/crypto/openssh/servconf.h stable/9/crypto/openssh/serverloop.c stable/9/crypto/openssh/session.c stable/9/crypto/openssh/session.h stable/9/crypto/openssh/sftp-client.c stable/9/crypto/openssh/sftp-client.h stable/9/crypto/openssh/sftp-common.c (contents, props changed) stable/9/crypto/openssh/sftp-glob.c stable/9/crypto/openssh/sftp-server.8 stable/9/crypto/openssh/sftp-server.c stable/9/crypto/openssh/sftp.1 stable/9/crypto/openssh/sftp.c stable/9/crypto/openssh/ssh-add.1 (contents, props changed) stable/9/crypto/openssh/ssh-add.c stable/9/crypto/openssh/ssh-agent.1 stable/9/crypto/openssh/ssh-agent.c stable/9/crypto/openssh/ssh-dss.c stable/9/crypto/openssh/ssh-ecdsa.c 
stable/9/crypto/openssh/ssh-gss.h (contents, props changed) stable/9/crypto/openssh/ssh-keygen.1 stable/9/crypto/openssh/ssh-keygen.c stable/9/crypto/openssh/ssh-keyscan.1 stable/9/crypto/openssh/ssh-keyscan.c stable/9/crypto/openssh/ssh-keysign.8 (contents, props changed) stable/9/crypto/openssh/ssh-keysign.c stable/9/crypto/openssh/ssh-pkcs11-client.c stable/9/crypto/openssh/ssh-pkcs11-helper.8 (contents, props changed) stable/9/crypto/openssh/ssh-pkcs11-helper.c stable/9/crypto/openssh/ssh-pkcs11.c stable/9/crypto/openssh/ssh-rsa.c stable/9/crypto/openssh/ssh-sandbox.h stable/9/crypto/openssh/ssh.1 stable/9/crypto/openssh/ssh.c stable/9/crypto/openssh/ssh2.h stable/9/crypto/openssh/ssh_config stable/9/crypto/openssh/ssh_config.5 stable/9/crypto/openssh/ssh_namespace.h stable/9/crypto/openssh/sshconnect.c stable/9/crypto/openssh/sshconnect.h stable/9/crypto/openssh/sshconnect1.c stable/9/crypto/openssh/sshconnect2.c stable/9/crypto/openssh/sshd.8 stable/9/crypto/openssh/sshd.c stable/9/crypto/openssh/sshd_config stable/9/crypto/openssh/sshd_config.5 stable/9/crypto/openssh/sshlogin.c stable/9/crypto/openssh/sshlogin.h stable/9/crypto/openssh/uidswap.c stable/9/crypto/openssh/umac.c stable/9/crypto/openssh/umac.h stable/9/crypto/openssh/umac128.c stable/9/crypto/openssh/uuencode.c stable/9/crypto/openssh/version.h stable/9/crypto/openssh/xmalloc.c stable/9/crypto/openssh/xmalloc.h stable/9/etc/rc.d/sshd stable/9/secure/lib/libssh/Makefile stable/9/secure/libexec/sftp-server/Makefile stable/9/secure/libexec/ssh-keysign/Makefile stable/9/secure/libexec/ssh-pkcs11-helper/Makefile stable/9/secure/usr.bin/scp/Makefile stable/9/secure/usr.bin/sftp/Makefile stable/9/secure/usr.bin/ssh-add/Makefile stable/9/secure/usr.bin/ssh-agent/Makefile stable/9/secure/usr.bin/ssh-keygen/Makefile stable/9/secure/usr.bin/ssh-keyscan/Makefile stable/9/secure/usr.bin/ssh/Makefile stable/9/secure/usr.sbin/sshd/Makefile Directory Properties: stable/9/ (props changed) stable/9/bin/cat/ 
(props changed) stable/9/contrib/expat/ (props changed) stable/9/contrib/groff/ (props changed) stable/9/contrib/less/ (props changed) stable/9/contrib/one-true-awk/ (props changed) stable/9/contrib/openbsm/ (props changed) stable/9/contrib/tcpdump/ (props changed) stable/9/crypto/openssh/ (props changed) stable/9/etc/ (props changed) stable/9/etc/rc.d/ (props changed) stable/9/lib/libz/ (props changed) stable/9/secure/lib/libssh/ (props changed) stable/9/secure/libexec/ssh-keysign/ (props changed) stable/9/secure/usr.bin/ssh/ (props changed) stable/9/secure/usr.sbin/sshd/ (props changed) stable/9/usr.bin/less/ (props changed) stable/9/usr.bin/minigzip/ (props changed) stable/9/usr.bin/xinstall/ (props changed) stable/9/usr.sbin/makefs/ (props changed) stable/9/usr.sbin/tcpdump/ (props changed) Modified: stable/9/Makefile.inc1 ============================================================================== --- stable/9/Makefile.inc1 Mon Mar 31 14:27:22 2014 (r263969) +++ stable/9/Makefile.inc1 Mon Mar 31 14:39:56 2014 (r263970) @@ -1357,8 +1357,8 @@ _prebuild_libs= ${_kerberos5_lib_libasn1 ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \ ${_cddl_lib_libzfs_core} \ lib/libutil ${_lib_libypclnt} lib/libz lib/msun \ - ${_secure_lib_libcrypto} ${_secure_lib_libssh} \ - ${_secure_lib_libssl} + ${_secure_lib_libcrypto} ${_lib_libldns} \ + ${_secure_lib_libssh} ${_secure_lib_libssl} .if ${MK_LIBTHR} != "no" _lib_libthr= lib/libthr Modified: stable/9/crypto/openssh/ChangeLog ============================================================================== --- stable/9/crypto/openssh/ChangeLog Mon Mar 31 14:27:22 2014 (r263969) +++ stable/9/crypto/openssh/ChangeLog Mon Mar 31 14:39:56 2014 (r263970) 
@@ -1,3056 +1,2887 @@ -20130510 - - (djm) OpenBSD CVS Cherrypick - - djm@cvs.openbsd.org 2013/04/11 02:27:50 - [packet.c] - quiet disconnect notifications on the server from error() back to logit() - if it is a normal client closure; bz#2057 ok+feedback dtucker@ - - (djm) [version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers for release. +20140313 + - (djm) Release OpenSSH 6.6 -20130404 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 - [readconf.c ssh.c readconf.h sshconnect2.c] - Keep track of which IndentityFile options were manually supplied and which - were default options, and don't warn if the latter are missing. - ok markus@ - - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 - [krl.c] - Remove bogus include. ok djm - - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 - [ssh.c readconf.c readconf.h] - Don't complain if IdentityFiles specified in system-wide configs are - missing. ok djm, deraadt. - - markus@cvs.openbsd.org 2013/02/22 19:13:56 - [sshconnect.c] - support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ - - djm@cvs.openbsd.org 2013/02/22 22:09:01 - [ssh.c] - Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier - version) +20140304 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/03/03 22:22:30 + [session.c] + ignore enviornment variables with embedded '=' or '\0' characters; + spotted by Jann Horn; ok deraadt@ -20130401 - - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h - to avoid conflicting definitions of __int64, adding the required bits. - Patch from Corinna Vinschen. +20140301 + - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when + no moduli file exists at the expected location. 
+ +20140228 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/02/27 00:41:49 + [bufbn.c] + fix unsigned overflow that could lead to reading a short ssh protocol + 1 bignum value; found by Ben Hawkes; ok deraadt@ + - djm@cvs.openbsd.org 2014/02/27 08:25:09 + [bufbn.c] + off by one in range check + - djm@cvs.openbsd.org 2014/02/27 22:47:07 + [sshd_config.5] + bz#2184 clarify behaviour of a keyword that appears in multiple + matching Match blocks; ok dtucker@ + - djm@cvs.openbsd.org 2014/02/27 22:57:40 + [version.h] + openssh-6.6 + - dtucker@cvs.openbsd.org 2014/01/19 23:43:02 + [regress/sftp-chroot.sh] + Don't use -q on sftp as it suppresses logging, instead redirect the + output to the regress logfile. + - dtucker@cvs.openbsd.org 2014/01/20 00:00:30 + [sregress/ftp-chroot.sh] + append to rather than truncating the log file + - dtucker@cvs.openbsd.org 2014/01/25 04:35:32 + [regress/Makefile regress/dhgex.sh] + Add a test for DH GEX sizes + - djm@cvs.openbsd.org 2014/01/26 10:22:10 + [regress/cert-hostkey.sh] + automatically generate revoked keys from listed keys rather than + manually specifying each type; from portable + (Id sync only) + - djm@cvs.openbsd.org 2014/01/26 10:49:17 + [scp-ssh-wrapper.sh scp.sh] + make sure $SCP is tested on the remote end rather than whichever one + happens to be in $PATH; from portable + (Id sync only) + - djm@cvs.openbsd.org 2014/02/27 20:04:16 + [login-timeout.sh] + remove any existing LoginGraceTime from sshd_config before adding + a specific one for the test back in + - djm@cvs.openbsd.org 2014/02/27 21:21:25 + [agent-ptrace.sh agent.sh] + keep return values that are printed in error messages; + from portable + (Id sync only) + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank version numbers + - (djm) [regress/host-expand.sh] Add RCS Id -20120322 - - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil - Hands' greatly revised version. 
- - (djm) Release 6.2p1 +20140227 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/02/26 20:18:37 + [ssh.c] + bz#2205: avoid early hostname lookups unless canonicalisation is enabled; + ok dtucker@ markus@ + - djm@cvs.openbsd.org 2014/02/26 20:28:44 + [auth2-gss.c gss-serv.c ssh-gss.h sshd.c] + bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep + sandboxing, as running this code in the sandbox can cause violations; + ok markus@ + - djm@cvs.openbsd.org 2014/02/26 20:29:29 + [channels.c] + don't assume that the socks4 username is \0 terminated; + spotted by Ben Hawkes; ok markus@ + - markus@cvs.openbsd.org 2014/02/26 21:53:37 + [sshd.c] + ssh_gssapi_prepare_supported_oids needs GSSAPI -20120318 - - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] - [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's - so mark it as broken. Patch from des AT des.no +20140224 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/02/07 06:55:54 + [cipher.c mac.c] + remove some logging that makes ssh debugging output very verbose; + ok markus + - djm@cvs.openbsd.org 2014/02/15 23:05:36 + [channels.c] + avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; + bz#2200, debian#738692 via Colin Watson; ok dtucker@ + - djm@cvs.openbsd.org 2014/02/22 01:32:19 + [readconf.c] + when processing Match blocks, skip 'exec' clauses if previous predicates + failed to match; ok markus@ + - djm@cvs.openbsd.org 2014/02/23 20:03:42 + [ssh-ed25519.c] + check for unsigned overflow; not reachable in OpenSSH but others might + copy our code... + - djm@cvs.openbsd.org 2014/02/23 20:11:36 + [readconf.c readconf.h ssh.c ssh_config.5] + reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes + the hostname. This allows users to write configurations that always + refer to canonical hostnames, e.g. 
+ + CanonicalizeHostname yes + CanonicalDomains int.example.org example.org + CanonicalizeFallbackLocal no + + Host *.int.example.org + Compression off + Host *.example.org + User djm + + ok markus@ -20120317 - - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none - of the bits the configure test looks for. +20140213 + - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat + code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex. -20120316 - - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform - is unable to successfully compile them. Based on patch from des AT - des.no - - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] - Add a usleep replacement for platforms that lack it; ok dtucker - - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to - occur after UID switch; patch from John Marshall via des AT des.no; +20140207 + - OpenBSD CVS Sync + - naddy@cvs.openbsd.org 2014/02/05 20:13:25 + [ssh-keygen.1 ssh-keygen.c] + tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ + while here, fix ordering in usage(); requested by jmc@ + - djm@cvs.openbsd.org 2014/02/06 22:21:01 + [sshconnect.c] + in ssh_create_socket(), only do the getaddrinfo for BindAddress when + BindAddress is actually specified. Fixes regression in 6.5 for + UsePrivilegedPort=yes; patch from Corinna Vinschen + +20140206 + - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL + before freeing since free(NULL) is a no-op. ok djm. + - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define + __NR_shutdown; some go via the socketcall(2) multiplexer. + +20140205 + - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by + headers/libc but not supported by the kernel. 
Patch from Loganaden + Velvindron @ AfriNIC + +20140204 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2014/01/27 18:58:14 + [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h] + replace openssl HMAC with an implementation based on our ssh_digest_* + ok and feedback djm@ + - markus@cvs.openbsd.org 2014/01/27 19:18:54 + [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c] + replace openssl MD5 with our ssh_digest_*; ok djm@ + - markus@cvs.openbsd.org 2014/01/27 20:13:46 + [digest.c digest-openssl.c digest-libc.c Makefile.in] + rename digest.c to digest-openssl.c and add libc variant; ok djm@ + - jmc@cvs.openbsd.org 2014/01/28 14:13:39 + [ssh-keyscan.1] + kill some bad Pa; + From: Jan Stary + - djm@cvs.openbsd.org 2014/01/29 00:19:26 + [sshd.c] + use kill(0, ...) instead of killpg(0, ...); on most operating systems + they are equivalent, but SUSv2 describes the latter as having undefined + behaviour; from portable; ok dtucker + (Id sync only; change is already in portable) + - djm@cvs.openbsd.org 2014/01/29 06:18:35 + [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] + [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] + [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] + remove experimental, never-enabled JPAKE code; ok markus@ + - jmc@cvs.openbsd.org 2014/01/29 14:04:51 + [sshd_config.5] + document kbdinteractiveauthentication; + requested 
From: Ross L Richardson + + dtucker/markus helped explain its workings; + - djm@cvs.openbsd.org 2014/01/30 22:26:14 + [sandbox-systrace.c] + allow shutdown(2) syscall in sandbox - it may be called by packet_close() + from portable + (Id sync only; change is already in portable) + - tedu@cvs.openbsd.org 2014/01/31 16:39:19 + [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] + [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] + [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] + [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] + [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] + replace most bzero with explicit_bzero, except a few that cna be memset + ok djm dtucker + - djm@cvs.openbsd.org 2014/02/02 03:44:32 + [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] + [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] + [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] + [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] + [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] + [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] + [sshd.c] + convert memset of potentially-private data to explicit_bzero() + - djm@cvs.openbsd.org 2014/02/03 23:28:00 + [ssh-ecdsa.c] + fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike + DSA_SIG_new. 
Reported by Batz Spear; ok markus@ + - djm@cvs.openbsd.org 2014/02/02 03:44:31 + [digest-libc.c digest-openssl.c] + convert memset of potentially-private data to explicit_bzero() + - djm@cvs.openbsd.org 2014/02/04 00:24:29 + [ssh.c] + delay lowercasing of hostname until right before hostname + canonicalisation to unbreak case-sensitive matching of ssh_config; + reported by Ike Devolder; ok markus@ + - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o + - (djm) [regress/setuid-allowed.c] Missing string.h for strerror() + +20140131 + - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2) + syscall from sandboxes; it may be called by packet_close. + - (dtucker) [readconf.c] Include for the hton macros. Fixes + build with HP-UX's compiler. Patch from Kevin Brott. + - (tim) [Makefile.in] build regress/setuid-allow. + +20140130 + - (djm) [configure.ac] Only check for width-specified integer types + in headers that actually exist. patch from Tom G. Christensen; ok dtucker@ + - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering + different symbols for 'read' when various compiler flags are + in use, causing atomicio.c comparisons against it to break and + read/write operations to hang; ok dtucker + - (djm) Release openssh-6.5p1 + +20140129 + - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from + Tom G. Christensen -20120312 - - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] - Improve portability of cipher-speed test, based mostly on a patch from - Iain Morgan. - - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") - in addition to root as an owner of system directories on AIX and HP-UX. - ok djm@ - -20130307 - - (dtucker) [INSTALL] Bump documented autoconf version to what we're - currently using. - - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it - was removed in configure.ac rev 1.481 as it was redundant. 
- - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days - ago. - - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a - chance to complete on broken systems; ok dtucker@ - -20130306 - - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding - connection to start so that the test works on slower machines. - - (dtucker) [configure.ac] test that we can set number of file descriptors - to zero with setrlimit before enabling the rlimit sandbox. This affects - (at least) HPUX 11.11. - -20130305 - - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for - HP/UX. Spotted by Kevin Brott - - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by - Amit Kulkarni and Kevin Brott. - - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure - build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin - Brott. - - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. +20140128 + - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl; + ok dtucker + - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the + latter being specified to have undefined behaviour in SUSv3; + ok dtucker + - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable + when used as an error message inside an if statement so we display the + correct into. agent.sh patch from Petr Lautrbach. + +20140127 + - (dtucker) [Makefile.in] Remove trailing backslash which some make + implementations (eg older Solaris) do not cope with. + +20140126 + - OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2014/01/25 10:12:50 + [cipher.c cipher.h kex.c kex.h kexgexc.c] + Add a special case for the DH group size for 3des-cbc, which has an + effective strength much lower than the key size. 
This causes problems + with some cryptlib implementations, which don't support group sizes larger + than 4k but also don't use the largest group size it does support as + specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, + reduced by me with input from Markus. ok djm@ markus@ + - markus@cvs.openbsd.org 2014/01/25 20:35:37 + [kex.c] + dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) + ok dtucker@, noted by mancha + - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable + RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, + libc will attempt to open additional file descriptors for crypto + offload and crash if they cannot be opened. + - (djm) [configure.ac] correct AC_DEFINE for previous. + +20140125 + - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD + - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless + sys/capability.h exists and cap_rights_limit is in libc. Fixes + build on FreeBSD9x which provides the header but not the libc + support. + - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test + against the correct thing. -20130227 - - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers - - (tim) [regress/forward-control.sh] use sh in case login shell is csh. - - (tim) [regress/integrity.sh] shell portability fix. - - (tim) [regress/integrity.sh] keep old solaris awk from hanging. - - (tim) [regress/krl.sh] keep old solaris awk from hanging. +20140124 + - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make + the scp regress test actually test the built scp rather than the one + in $PATH. ok dtucker@ + +20140123 + - (tim) [session.c] Improve error reporting on set_id(). + - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously + incompatible with OpenBSD's despite post-dating it by more than a decade. 
+ Declare it as broken, and document FreeBSD's as the same. ok djm@ + +20140122 + - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a + platform that is expected to use the reuse-argv style setproctitle + hack surprises us by providing a setproctitle in libc; ok dtucker + - (djm) [configure.ac] Unless specifically requested, only attempt + to build Position Independent Executables on gcc >= 4.x; ok dtucker + - (djm) [configure.ac aclocal.m4] More tests to detect fallout from + platform hardening options: include some long long int arithmatic + to detect missing support functions for -ftrapv in libgcc and + equivalents, actually test linking when -ftrapv is supplied and + set either both -pie/-fPIE or neither. feedback and ok dtucker@ + +20140121 + - (dtucker) [configure.ac] Make PIE a configure-time option which defaults + to on platforms where it's known to be reliably detected and off elsewhere. + Works around platforms such as FreeBSD 9.1 where it does not interop with + -ftrapv (it seems to work but fails when trying to link ssh). ok djm@ + - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time + tests in the configure output. ok djm. + - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced + with sftp chroot support. Move set_id call after chroot. + - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE + and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of + detecting toolchain-related problems; ok dtucker + +20140120 + - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos + implementation does not have krb5_cc_new_unique, similar to what we do + in auth-krb5.c. + - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that + skip one or more key types (e.g. 
RHEL/CentOS 6.5); ok dtucker@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/20 00:08:48 + [digest.c] + memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ -20130226 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/20 08:27:50 - [integrity.sh] - Add an option to modpipe that warns if the modification offset it not - reached in it's stream and turn it on for t-integrity. This should catch - cases where the session is not fuzzed for being too short (cf. my last - "oops" commit) - - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage - for UsePAM=yes configuration +20140119 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2014/01/17 06:23:24 + [sftp-server.c] + fix log message statvfs. ok djm + - dtucker@cvs.openbsd.org 2014/01/18 09:36:26 + [session.c] + explicitly define USE_PIPES to 1 to prevent redefinition warnings in + portable on platforms that use pipes for everything. From vinschen at + redhat. + - dtucker@cvs.openbsd.org 2014/01/19 04:17:29 + [canohost.c addrmatch.c] + Cast socklen_t when comparing to size_t and use socklen_t to iterate over + the ip options, both to prevent signed/unsigned comparison warnings. + Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. + - djm@cvs.openbsd.org 2014/01/19 04:48:08 + [ssh_config.5] + fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal + - dtucker@cvs.openbsd.org 2014/01/19 11:21:51 + [addrmatch.c] + Cast the sizeof to socklen_t so it'll work even if the supplied len is + negative. Suggested by and ok djm, ok deraadt. -20130225 - - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed - to use Solaris native GSS libs. Patch from Pierre Ossman. +20140118 + - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. 
Patch + from vinschen at redhat.com + - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function + declarations that stopped being included when we stopped including + from openbsd-compat/bsd-cygwin_util.h. Patch from vinschen at + redhat.com. + - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs, + optind) are defined in getopt.h already. Unfortunately they are defined as + "declspec(dllimport)" for historical reasons, because the GNU linker didn't + allow auto-import on PE/COFF targets way back when. The problem is the + dllexport attributes collide with the definitions in the various source + files in OpenSSH, which obviousy define the variables without + declspec(dllimport). The least intrusive way to get rid of these warnings + is to disable warnings for GCC compiler attributes when building on Cygwin. + Patch from vinschen at redhat.com. + - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the + return value check for cap_enter() consistent with the other uses in + FreeBSD. From by Loganaden Velvindron @ AfriNIC via bz#2140. + +20140117 + - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain + hardening flags including -fstack-protector-strong. These default to on + if the toolchain supports them, but there is a configure-time knob + (--without-hardening) to disable them if necessary. ok djm@ + - (djm) [sftp-client.c] signed/unsigned comparison fix + - (dtucker) [loginrec.c] Cast to the types specfied in the format + specification to prevent warnings. + - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H. + - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include + includes.h to pull in all of the compatibility stuff. + - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside + #ifdef HAVE_STDINT_H. 
+ - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that + don't have them. + - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into + separate lines and alphabetize for easier diffing of changes. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/17 00:21:06 + [sftp-client.c] + signed/unsigned comparison warning fix; from portable (Id sync only) + - dtucker@cvs.openbsd.org 2014/01/17 05:26:41 + [digest.c] + remove unused includes. ok djm@ + - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c] + [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c] + [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing + using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling + Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@ + - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c + openbsd-compat/openssl-compat.h] Add compatibility layer for older + openssl versions. ok djm@ + - (dtucker) Fix typo in #ifndef. + - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c + openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs + to be useful (and for the regression tests to pass) on platforms that + have statfs and fstatfs. ok djm@ + - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we + need them to cut down on the name collisions. + - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types. + - (dtucker) [configure.ac] Have --without-hardening not turn off + stack-protector since that has a separate flag that's been around a while. + - (dtucker) [readconf.c] Wrap paths.h inside an ifdef. Allows building on + Solaris. + - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after + they're defined if we have to define them ourselves. Fixes builds on old + AIX. 
-20130223 - - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer - bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. - ok tim +20140118 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/16 07:31:09 + [sftp-client.c] + needless and incorrect cast to size_t can break resumption of + large download; patch from tobias@ + - djm@cvs.openbsd.org 2014/01/16 07:32:00 + [version.h] + openssh-6.5 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank RPM spec version numbers. + - (djm) [README] update release notes URL. -20130222 - - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to - ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. - - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named - libgss too. Patch from Pierre Ossman, ok djm. - - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux - seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; - ok dtucker +20140112 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2014/01/10 05:59:19 + [sshd_config] + the /etc/ssh/ssh_host_ed25519_key is loaded by default too + - djm@cvs.openbsd.org 2014/01/12 08:13:13 + [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c] + [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c] + avoid use of OpenSSL BIGNUM type and functions for KEX with + Curve25519 by adding a buffer_put_bignum2_from_string() that stores + a string using the bignum encoding rules. Will make it easier to + build a reduced-feature OpenSSH without OpenSSL in the future; + ok markus@ -20130221 - - (tim) [regress/forward-control.sh] shell portability fix. +20140110 + - (djm) OpenBSD CVS Sync + - tedu@cvs.openbsd.org 2014/01/04 17:50:55 + [mac.c monitor_mm.c monitor_mm.h xmalloc.c] + use standard types and formats for size_t like variables. 
ok dtucker + - guenther@cvs.openbsd.org 2014/01/09 03:26:00 + [sftp-common.c] + When formating the time for "ls -l"-style output, show dates in the future + with the year, and rearrange a comparison to avoid a potentional signed + arithmetic overflow that would give the wrong result. + ok djm@ + - djm@cvs.openbsd.org 2014/01/09 23:20:00 + [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] + [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] + [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] + [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] + Introduce digest API and use it to perform all hashing operations + rather than calling OpenSSL EVP_Digest* directly. Will make it easier + to build a reduced-feature OpenSSH without OpenSSL in future; + feedback, ok markus@ + - djm@cvs.openbsd.org 2014/01/09 23:26:48 + [sshconnect.c sshd.c] + ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, + deranged and might make some attacks on KEX easier; ok markus@ -20130220 - - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. - - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded - err.h include from krl.c. Additional portability fixes for modpipe. OK djm - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/20 08:27:50 - [regress/integrity.sh regress/modpipe.c] - Add an option to modpipe that warns if the modification offset it not - reached in it's stream and turn it on for t-integrity. This should catch - cases where the session is not fuzzed for being too short (cf. 
my last - "oops" commit) - - djm@cvs.openbsd.org 2013/02/20 08:29:27 - [regress/modpipe.c] - s/Id/OpenBSD/ in RCS tag +20140108 + - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ -20130219 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/18 22:26:47 - [integrity.sh] - crank the offset yet again; it was still fuzzing KEX one of Darren's - portable test hosts at 2800 - - djm@cvs.openbsd.org 2013/02/19 02:14:09 - [integrity.sh] - oops, forgot to increase the output of the ssh command to ensure that - we actually reach $offset - - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that - lack support for SHA2. - - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms - that do not have them. +20131231 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/30 23:52:28 + [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] + [sshconnect.c sshconnect2.c sshd.c] + refuse RSA keys from old proprietary clients/servers that use the + obsolete RSA+MD5 signature scheme. it will still be possible to connect + with these clients/servers but only DSA keys will be accepted, and we'll + deprecate them entirely in a future release. ok markus@ + +20131229 + - (djm) [loginrec.c] Check for username truncation when looking up lastlog + entries + - (djm) [regress/Makefile] Add some generated files for cleaning + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/19 00:10:30 + [ssh-add.c] + skip requesting smartcard PIN when removing keys from agent; bz#2187 + patch from jay AT slushpupie.com; ok dtucker + - dtucker@cvs.openbsd.org 2013/12/19 00:19:12 + [serverloop.c] + Cast client_alive_interval to u_int64_t before assinging to + max_time_milliseconds to avoid potential integer overflow in the timeout. 
+ bz#2170, patch from Loganaden Velvindron, ok djm@ + - djm@cvs.openbsd.org 2013/12/19 00:27:57 + [auth-options.c] + simplify freeing of source-address certificate restriction + - djm@cvs.openbsd.org 2013/12/19 01:04:36 + [channels.c] + bz#2147: fix multiple remote forwardings with dynamically assigned + listen ports. In the s->c message to open the channel we were sending + zero (the magic number to request a dynamic port) instead of the actual + listen port. The client therefore had no way of discriminating between + them. + + Diagnosis and fix by ronf AT timeheart.net + - djm@cvs.openbsd.org 2013/12/19 01:19:41 + [ssh-agent.c] + bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent + that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com; + ok dtucker + - djm@cvs.openbsd.org 2013/12/19 22:57:13 + [poly1305.c poly1305.h] + use full name for author, with his permission + - tedu@cvs.openbsd.org 2013/12/21 07:10:47 + [ssh-keygen.1] + small typo + - djm@cvs.openbsd.org 2013/12/27 22:30:17 + [ssh-dss.c ssh-ecdsa.c ssh-rsa.c] + make the original RSA and DSA signing/verification code look more like + the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type + rather than tediously listing all variants, use __func__ for debug/ + error messages + - djm@cvs.openbsd.org 2013/12/27 22:37:18 + [ssh-rsa.c] + correct comment + - djm@cvs.openbsd.org 2013/12/29 02:28:10 + [key.c] + allow ed25519 keys to appear as certificate authorities + - djm@cvs.openbsd.org 2013/12/29 02:37:04 + [key.c] + correct comment for key_to_certified() + - djm@cvs.openbsd.org 2013/12/29 02:49:52 + [key.c] + correct comment for key_drop_cert() + - djm@cvs.openbsd.org 2013/12/29 04:20:04 + [key.c] + to make sure we don't omit any key types as valid CA keys again, + factor the valid key type check into a key_type_is_valid_ca() + function + - djm@cvs.openbsd.org 2013/12/29 04:29:25 + [authfd.c] + allow deletion of ed25519 keys from the agent + - 
djm@cvs.openbsd.org 2013/12/29 04:35:50 + [authfile.c] + don't refuse to load Ed25519 certificates + - djm@cvs.openbsd.org 2013/12/29 05:42:16 + [ssh.c] + don't forget to load Ed25519 certs too + - djm@cvs.openbsd.org 2013/12/29 05:57:02 + [sshconnect.c] + when showing other hostkeys, don't forget Ed25519 keys -20130217 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/17 23:16:55 - [integrity.sh] - make the ssh command generates some output to ensure that there are at - least offset+tries bytes in the stream. +20131221 + - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. -20130216 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/16 06:08:45 - [integrity.sh] - make sure the fuzz offset is actually past the end of KEX for all KEX - types. diffie-hellman-group-exchange-sha256 requires an offset around - 2700. Noticed via test failures in portable OpenSSH on platforms that - lack ECC and this the more byte-frugal ECDH KEX algorithms. +20131219 + - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions + greater than 11 either rather than just 11. Patch from Tomas Kuthan. + - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). + Patch from Loganaden Velvindron. -20130215 - - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from - Iain Morgan - - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] - Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). - - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c - openbsd-compat/openbsd-compat.h] Add strtoull to compat library for - platforms that don't have it. - - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, - group strto* function prototypes together. - - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes - an argument. Pointed out by djm. 
+20131218 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/02/14 21:35:59 - [auth2-pubkey.c] - Correct error message that had a typo and was logging the wrong thing; - patch from Petr Lautrbach - - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 - [sshconnect2.c] - Warn more loudly if an IdentityFile provided by the user cannot be read. - bz #1981, ok djm@ + - djm@cvs.openbsd.org 2013/12/07 08:08:26 + [ssh-keygen.1] + document -a and -o wrt new key format + - naddy@cvs.openbsd.org 2013/12/07 11:58:46 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] + [ssh_config.5 sshd.8 sshd_config.5] + add missing mentions of ed25519; ok djm@ + - dtucker@cvs.openbsd.org 2013/12/08 09:53:27 + [sshd_config.5] + Use a literal for the default value of KEXAlgorithms. ok deraadt jmc + - markus@cvs.openbsd.org 2013/12/09 11:03:45 + [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] + Add Authors for the public domain ed25519/nacl code. + see also http://nacl.cr.yp.to/features.html + All of the NaCl software is in the public domain. + and http://ed25519.cr.yp.to/software.html + The Ed25519 software is in the public domain. + - markus@cvs.openbsd.org 2013/12/09 11:08:17 + [crypto_api.h] + remove unused defines + - pascal@cvs.openbsd.org 2013/12/15 18:17:26 + [ssh-add.c] + Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page. + ok markus@ + - djm@cvs.openbsd.org 2013/12/15 21:42:35 + [cipher-chachapoly.c] + add some comments and constify a constant + - markus@cvs.openbsd.org 2013/12/17 10:36:38 + [crypto_api.h] + I've assempled the header file by cut&pasting from generated headers + and the source files. 
+ +20131208 + - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna + Vinschen + - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] + [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid + filesystem before running agent-ptrace.sh; ok dtucker -20130214 - - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. - - (djm) [regress/krl.sh] typo; found by Iain Morgan - - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead - of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by - Iain Morgan +20131207 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/12/05 22:59:45 + [sftp-client.c] + fix memory leak in error path in do_readdir(); pointed out by + Loganaden Velvindron @ AfriNIC in bz#2163 + - djm@cvs.openbsd.org 2013/12/06 03:40:51 + [ssh-keygen.c] + remove duplicated character ('g') in getopt() string; + document the (few) remaining option characters so we don't have to + rummage next time. 
+ - markus@cvs.openbsd.org 2013/12/06 13:30:08 + [authfd.c key.c key.h ssh-agent.c] + move private key (de)serialization to key.c; ok djm + - markus@cvs.openbsd.org 2013/12/06 13:34:54 + [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] + [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by + default; details in PROTOCOL.key; feedback and lots help from djm; + ok djm@ + - markus@cvs.openbsd.org 2013/12/06 13:39:49 + [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] + [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] + [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] + [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] + [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] + support ed25519 keys (hostkeys and user identities) using the public + domain ed25519 reference code from SUPERCOP, see + http://ed25519.cr.yp.to/software.html + feedback, help & ok djm@ + - jmc@cvs.openbsd.org 2013/12/06 15:29:07 + [sshd.8] + missing comma; + - djm@cvs.openbsd.org 2013/12/07 00:19:15 + [key.c] + set k->cert = NULL after freeing it + - markus@cvs.openbsd.org 2013/12/06 13:52:46 + [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] + [regress/cert-userkey.sh regress/keytype.sh] + test ed25519 support; from djm@ + - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] + [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents + - (djm) [Makefile.in] Add ed25519 sources + - (djm) [authfile.c] Conditionalise inclusion of util.h + - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c] + [openbsd-compat/blf.h openbsd-compat/blowfish.c] + [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in + portable. 
+ - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] + [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on + Linux + - (djm) [regress/cert-hostkey.sh] Fix merge botch + - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from + Loganaden Velvindron @ AfriNIC in bz#2179 -20130212 +20131205 - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/01/24 21:45:37 - [krl.c] - fix handling of (unused) KRL signatures; skip string in correct buffer - - djm@cvs.openbsd.org 2013/01/24 22:08:56 - [krl.c] - skip serial lookup when cert's serial number is zero - - krw@cvs.openbsd.org 2013/01/25 05:00:27 - [krl.c] - Revert last. Breaks due to likely typo. Let djm@ fix later. - ok djm@ via dlg@ - - djm@cvs.openbsd.org 2013/01/25 10:22:19 - [krl.c] - redo last commit without the vi-vomit that snuck in: - skip serial lookup when cert's serial number is zero - (now with 100% better comment) - - djm@cvs.openbsd.org 2013/01/26 06:11:05 - [Makefile.in acss.c acss.h cipher-acss.c cipher.c] - [openbsd-compat/openssl-compat.h] - remove ACSS, now that it is gone from libcrypto too - - djm@cvs.openbsd.org 2013/01/27 10:06:12 - [krl.c] - actually use the xrealloc() return value; spotted by xi.wang AT gmail.com - - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 - [servconf.c sshd_config sshd_config.5] - Change default of MaxStartups to 10:30:100 to start doing random early - drop at 10 connections up to 100 connections. This will make it harder - to DoS as CPUs have come a long way since the original value was set - back in 2000. 
Prompted by nion at debian org, ok markus@ - - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 - [auth.c] - Fix comment, from jfree.e1 at gmail - - djm@cvs.openbsd.org 2013/02/08 00:41:12 - [sftp.c] - fix NULL deref when built without libedit and control characters - entered as command; debugging and patch from Iain Morgan an - Loganaden Velvindron in bz#1956 - - markus@cvs.openbsd.org 2013/02/10 21:19:34 - [version.h] - openssh 6.2 - - djm@cvs.openbsd.org 2013/02/10 23:32:10 - [ssh-keygen.c] - append to moduli file when screening candidates rather than overwriting. - allows resumption of interrupted screen; patch from Christophe Garault - in bz#1957; ok dtucker@ - - djm@cvs.openbsd.org 2013/02/10 23:35:24 - [packet.c] - record "Received disconnect" messages at ERROR rather than INFO priority, - since they are abnormal and result in a non-zero ssh exit status; patch - from Iain Morgan in bz#2057; ok dtucker@ - - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 + - jmc@cvs.openbsd.org 2013/11/21 08:05:09 + [ssh_config.5 sshd_config.5] + no need for .Pp before displays; + - deraadt@cvs.openbsd.org 2013/11/25 18:04:21 + [ssh.1 ssh.c] + improve -Q usage and such. One usage change is that the option is now + case-sensitive + ok dtucker markus djm + - jmc@cvs.openbsd.org 2013/11/26 12:14:54 + [ssh.1 ssh.c] + - put -Q in the right place + - Ar was a poor choice for the arguments to -Q. i've chosen an + admittedly equally poor Cm, at least consistent with the rest + of the docs. also no need for multiple instances + - zap a now redundant Nm + - usage() sync + - deraadt@cvs.openbsd.org 2013/11/26 19:15:09 + [pkcs11.h] + cleanup 1 << 31 idioms. 
Resurrection of this issue pointed out by + Eitan Adler ok markus for ssh, implies same change in kerberosV + - djm@cvs.openbsd.org 2013/12/01 23:19:05 + [PROTOCOL] + mention curve25519-sha256@libssh.org key exchange algorithm + - djm@cvs.openbsd.org 2013/12/02 02:50:27 + [PROTOCOL.chacha20poly1305] + typo; from Jon Cave + - djm@cvs.openbsd.org 2013/12/02 02:56:17 + [ssh-pkcs11-helper.c] + use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:09:22 + [key.c] + make key_to_blob() return a NULL blob on failure; part of + bz#2175 from Loganaden Velvindron @ AfriNIC + - djm@cvs.openbsd.org 2013/12/02 03:13:14 + [cipher.c] + correct bzero of chacha20+poly1305 key context. bz#2177 from + Loganaden Velvindron @ AfriNIC + + Also make it a memset for consistency with the rest of cipher.c + - djm@cvs.openbsd.org 2013/12/04 04:20:01 + [sftp-client.c] + bz#2171: don't leak local_fd on error; from Loganaden Velvindron @ + AfriNIC + - djm@cvs.openbsd.org 2013/12/05 01:16:41 + [servconf.c servconf.h] + bz#2161 - fix AuthorizedKeysCommand inside a Match block and + rearrange things so the same error is harder to make next time; + with and ok dtucker@ + - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct + -L location for libedit. Patch from Serge van den Boom. + +20131121 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 11:15:19 + [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c] + [uidswap.c] Include stdlib.h for free() as per the man page. + - markus@cvs.openbsd.org 2013/11/13 13:48:20 + [ssh-pkcs11.c] + add missing braces found by pedro + - djm@cvs.openbsd.org 2013/11/20 02:19:01 [sshd.c] - Add openssl version to debug output similar to the client. ok markus@ - - djm@cvs.openbsd.org 2013/02/11 23:58:51 + delay closure of in/out fds until after "Bad protocol version + identification..." message, as get_remote_ipaddr/get_remote_port + require them open. 
+ - deraadt@cvs.openbsd.org 2013/11/20 20:53:10 + [scp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus + - deraadt@cvs.openbsd.org 2013/11/20 20:54:10 + [canohost.c clientloop.c match.c readconf.c sftp.c] + unsigned casts for ctype macros where neccessary + ok guenther millert markus + - djm@cvs.openbsd.org 2013/11/21 00:45:44 + [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] + [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] + [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] + [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport + cipher "chacha20-poly1305@openssh.com" that combines Daniel + Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an + authenticated encryption mode. + *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
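Review bot: the 20140126 and 20140125 ChangeLog entries, read together, leave it unclear which pre-authentication sandbox this merge gives stable/9. The first disables the RLIMIT_NOFILE pseudo-sandbox on FreeBSD, and the second says the Capsicum sandbox is not attempted on FreeBSD9x because libc lacks cap_rights_limit. Please state in the commit log or an UPDATING entry which sandbox sshd ends up using on this branch. The same place should call out the peer-compatibility changes that arrive with this merge, since they change behaviour on a stable branch: banning peers with SSH_BUG_DERIVEKEY (20140110), refusing RSA keys from peers that use the obsolete RSA+MD5 signature scheme (20131231), and the ssh -Q argument becoming case-sensitive (20131205).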