Date:      Thu, 27 Feb 2014 17:29:02 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r262566 - in stable/10: crypto/openssh crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse crypto/openssh/openbsd-comp...
Message-ID:  <201402271729.s1RHT2rx075258@svn.freebsd.org>

Author: des
Date: Thu Feb 27 17:29:02 2014
New Revision: 262566
URL: http://svnweb.freebsd.org/changeset/base/262566

Log:
  MFH (r261320): upgrade openssh to 6.5p1
  MFH (r261340): enable sandboxing by default

Added:
  stable/10/crypto/openssh/PROTOCOL.chacha20poly1305
     - copied unchanged from r261320, head/crypto/openssh/PROTOCOL.chacha20poly1305
  stable/10/crypto/openssh/PROTOCOL.key
     - copied unchanged from r261320, head/crypto/openssh/PROTOCOL.key
  stable/10/crypto/openssh/blocks.c
     - copied unchanged from r261320, head/crypto/openssh/blocks.c
  stable/10/crypto/openssh/chacha.c
     - copied unchanged from r261320, head/crypto/openssh/chacha.c
  stable/10/crypto/openssh/chacha.h
     - copied unchanged from r261320, head/crypto/openssh/chacha.h
  stable/10/crypto/openssh/cipher-chachapoly.c
     - copied unchanged from r261320, head/crypto/openssh/cipher-chachapoly.c
  stable/10/crypto/openssh/cipher-chachapoly.h
     - copied unchanged from r261320, head/crypto/openssh/cipher-chachapoly.h
  stable/10/crypto/openssh/crypto_api.h
     - copied unchanged from r261320, head/crypto/openssh/crypto_api.h
  stable/10/crypto/openssh/digest.c
     - copied unchanged from r261320, head/crypto/openssh/digest.c
  stable/10/crypto/openssh/digest.h
     - copied unchanged from r261320, head/crypto/openssh/digest.h
  stable/10/crypto/openssh/ed25519.c
     - copied unchanged from r261320, head/crypto/openssh/ed25519.c
  stable/10/crypto/openssh/fe25519.c
     - copied unchanged from r261320, head/crypto/openssh/fe25519.c
  stable/10/crypto/openssh/fe25519.h
     - copied unchanged from r261320, head/crypto/openssh/fe25519.h
  stable/10/crypto/openssh/ge25519.c
     - copied unchanged from r261320, head/crypto/openssh/ge25519.c
  stable/10/crypto/openssh/ge25519.h
     - copied unchanged from r261320, head/crypto/openssh/ge25519.h
  stable/10/crypto/openssh/ge25519_base.data
     - copied unchanged from r261320, head/crypto/openssh/ge25519_base.data
  stable/10/crypto/openssh/hash.c
     - copied unchanged from r261320, head/crypto/openssh/hash.c
  stable/10/crypto/openssh/kexc25519.c
     - copied unchanged from r261320, head/crypto/openssh/kexc25519.c
  stable/10/crypto/openssh/kexc25519c.c
     - copied unchanged from r261320, head/crypto/openssh/kexc25519c.c
  stable/10/crypto/openssh/kexc25519s.c
     - copied unchanged from r261320, head/crypto/openssh/kexc25519s.c
  stable/10/crypto/openssh/openbsd-compat/arc4random.c
     - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/arc4random.c
  stable/10/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c
     - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/bcrypt_pbkdf.c
  stable/10/crypto/openssh/openbsd-compat/blf.h
     - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/blf.h
  stable/10/crypto/openssh/openbsd-compat/blowfish.c
     - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/blowfish.c
  stable/10/crypto/openssh/openbsd-compat/chacha_private.h
     - copied unchanged from r261320, head/crypto/openssh/openbsd-compat/chacha_private.h
  stable/10/crypto/openssh/poly1305.c
     - copied unchanged from r261320, head/crypto/openssh/poly1305.c
  stable/10/crypto/openssh/poly1305.h
     - copied unchanged from r261320, head/crypto/openssh/poly1305.h
  stable/10/crypto/openssh/regress/setuid-allowed.c
     - copied unchanged from r261320, head/crypto/openssh/regress/setuid-allowed.c
  stable/10/crypto/openssh/regress/sftp-perm.sh
     - copied unchanged from r261320, head/crypto/openssh/regress/sftp-perm.sh
  stable/10/crypto/openssh/sandbox-capsicum.c
     - copied unchanged from r261320, head/crypto/openssh/sandbox-capsicum.c
  stable/10/crypto/openssh/sc25519.c
     - copied unchanged from r261320, head/crypto/openssh/sc25519.c
  stable/10/crypto/openssh/sc25519.h
     - copied unchanged from r261320, head/crypto/openssh/sc25519.h
  stable/10/crypto/openssh/smult_curve25519_ref.c
     - copied unchanged from r261320, head/crypto/openssh/smult_curve25519_ref.c
  stable/10/crypto/openssh/ssh-ed25519.c
     - copied unchanged from r261320, head/crypto/openssh/ssh-ed25519.c
  stable/10/crypto/openssh/verify.c
     - copied unchanged from r261320, head/crypto/openssh/verify.c
Deleted:
  stable/10/crypto/openssh/openbsd-compat/bsd-arc4random.c
Modified:
  stable/10/crypto/openssh/ChangeLog
  stable/10/crypto/openssh/Makefile.in
  stable/10/crypto/openssh/PROTOCOL
  stable/10/crypto/openssh/README
  stable/10/crypto/openssh/aclocal.m4
  stable/10/crypto/openssh/addrmatch.c
  stable/10/crypto/openssh/atomicio.c
  stable/10/crypto/openssh/auth-krb5.c
  stable/10/crypto/openssh/auth-options.c
  stable/10/crypto/openssh/auth-pam.c
  stable/10/crypto/openssh/auth2-hostbased.c
  stable/10/crypto/openssh/auth2-pubkey.c
  stable/10/crypto/openssh/authfd.c
  stable/10/crypto/openssh/authfile.c
  stable/10/crypto/openssh/authfile.h
  stable/10/crypto/openssh/bufaux.c
  stable/10/crypto/openssh/bufbn.c
  stable/10/crypto/openssh/buffer.c
  stable/10/crypto/openssh/buffer.h
  stable/10/crypto/openssh/canohost.c
  stable/10/crypto/openssh/channels.c
  stable/10/crypto/openssh/cipher.c
  stable/10/crypto/openssh/cipher.h
  stable/10/crypto/openssh/clientloop.c
  stable/10/crypto/openssh/compat.c
  stable/10/crypto/openssh/compat.h
  stable/10/crypto/openssh/config.h
  stable/10/crypto/openssh/config.h.in
  stable/10/crypto/openssh/configure
  stable/10/crypto/openssh/configure.ac
  stable/10/crypto/openssh/contrib/caldera/openssh.spec
  stable/10/crypto/openssh/contrib/cygwin/ssh-host-config
  stable/10/crypto/openssh/contrib/redhat/openssh.spec
  stable/10/crypto/openssh/contrib/suse/openssh.spec
  stable/10/crypto/openssh/defines.h
  stable/10/crypto/openssh/dh.c
  stable/10/crypto/openssh/dh.h
  stable/10/crypto/openssh/gss-serv-krb5.c
  stable/10/crypto/openssh/hostfile.c
  stable/10/crypto/openssh/kex.c
  stable/10/crypto/openssh/kex.h
  stable/10/crypto/openssh/kexdh.c
  stable/10/crypto/openssh/kexdhc.c
  stable/10/crypto/openssh/kexdhs.c
  stable/10/crypto/openssh/kexecdh.c
  stable/10/crypto/openssh/kexecdhc.c
  stable/10/crypto/openssh/kexecdhs.c
  stable/10/crypto/openssh/kexgex.c
  stable/10/crypto/openssh/kexgexc.c
  stable/10/crypto/openssh/kexgexs.c
  stable/10/crypto/openssh/key.c
  stable/10/crypto/openssh/key.h
  stable/10/crypto/openssh/loginrec.c
  stable/10/crypto/openssh/mac.c
  stable/10/crypto/openssh/mac.h
  stable/10/crypto/openssh/match.c
  stable/10/crypto/openssh/misc.c
  stable/10/crypto/openssh/misc.h
  stable/10/crypto/openssh/moduli.c
  stable/10/crypto/openssh/monitor.c
  stable/10/crypto/openssh/monitor_mm.c
  stable/10/crypto/openssh/monitor_mm.h
  stable/10/crypto/openssh/myproposal.h
  stable/10/crypto/openssh/openbsd-compat/Makefile.in
  stable/10/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
  stable/10/crypto/openssh/openbsd-compat/bsd-misc.c
  stable/10/crypto/openssh/openbsd-compat/bsd-poll.c
  stable/10/crypto/openssh/openbsd-compat/bsd-setres_id.c
  stable/10/crypto/openssh/openbsd-compat/bsd-snprintf.c
  stable/10/crypto/openssh/openbsd-compat/bsd-statvfs.c
  stable/10/crypto/openssh/openbsd-compat/bsd-statvfs.h
  stable/10/crypto/openssh/openbsd-compat/openbsd-compat.h
  stable/10/crypto/openssh/openbsd-compat/openssl-compat.c
  stable/10/crypto/openssh/openbsd-compat/openssl-compat.h
  stable/10/crypto/openssh/openbsd-compat/setproctitle.c
  stable/10/crypto/openssh/packet.c
  stable/10/crypto/openssh/pathnames.h
  stable/10/crypto/openssh/pkcs11.h
  stable/10/crypto/openssh/platform.c
  stable/10/crypto/openssh/platform.h
  stable/10/crypto/openssh/progressmeter.c
  stable/10/crypto/openssh/readconf.c
  stable/10/crypto/openssh/readconf.h
  stable/10/crypto/openssh/regress/Makefile
  stable/10/crypto/openssh/regress/agent-ptrace.sh
  stable/10/crypto/openssh/regress/agent.sh
  stable/10/crypto/openssh/regress/cert-hostkey.sh
  stable/10/crypto/openssh/regress/cert-userkey.sh
  stable/10/crypto/openssh/regress/cipher-speed.sh
  stable/10/crypto/openssh/regress/forward-control.sh
  stable/10/crypto/openssh/regress/integrity.sh
  stable/10/crypto/openssh/regress/kextype.sh
  stable/10/crypto/openssh/regress/keytype.sh
  stable/10/crypto/openssh/regress/krl.sh
  stable/10/crypto/openssh/regress/modpipe.c
  stable/10/crypto/openssh/regress/rekey.sh
  stable/10/crypto/openssh/regress/scp-ssh-wrapper.sh
  stable/10/crypto/openssh/regress/scp.sh
  stable/10/crypto/openssh/regress/test-exec.sh
  stable/10/crypto/openssh/regress/try-ciphers.sh
  stable/10/crypto/openssh/roaming_client.c
  stable/10/crypto/openssh/roaming_common.c
  stable/10/crypto/openssh/sandbox-darwin.c
  stable/10/crypto/openssh/sandbox-null.c
  stable/10/crypto/openssh/sandbox-rlimit.c
  stable/10/crypto/openssh/sandbox-seccomp-filter.c
  stable/10/crypto/openssh/sandbox-systrace.c
  stable/10/crypto/openssh/schnorr.c
  stable/10/crypto/openssh/schnorr.h
  stable/10/crypto/openssh/scp.0
  stable/10/crypto/openssh/scp.1
  stable/10/crypto/openssh/scp.c
  stable/10/crypto/openssh/servconf.c
  stable/10/crypto/openssh/servconf.h
  stable/10/crypto/openssh/serverloop.c
  stable/10/crypto/openssh/session.c
  stable/10/crypto/openssh/session.h
  stable/10/crypto/openssh/sftp-client.c
  stable/10/crypto/openssh/sftp-client.h
  stable/10/crypto/openssh/sftp-common.c
  stable/10/crypto/openssh/sftp-glob.c
  stable/10/crypto/openssh/sftp-server.0
  stable/10/crypto/openssh/sftp-server.8
  stable/10/crypto/openssh/sftp-server.c
  stable/10/crypto/openssh/sftp.0
  stable/10/crypto/openssh/sftp.1
  stable/10/crypto/openssh/sftp.c
  stable/10/crypto/openssh/ssh-add.0
  stable/10/crypto/openssh/ssh-add.1
  stable/10/crypto/openssh/ssh-add.c
  stable/10/crypto/openssh/ssh-agent.0
  stable/10/crypto/openssh/ssh-agent.1
  stable/10/crypto/openssh/ssh-agent.c
  stable/10/crypto/openssh/ssh-dss.c
  stable/10/crypto/openssh/ssh-ecdsa.c
  stable/10/crypto/openssh/ssh-keygen.0
  stable/10/crypto/openssh/ssh-keygen.1
  stable/10/crypto/openssh/ssh-keygen.c
  stable/10/crypto/openssh/ssh-keyscan.0
  stable/10/crypto/openssh/ssh-keyscan.1
  stable/10/crypto/openssh/ssh-keyscan.c
  stable/10/crypto/openssh/ssh-keysign.0
  stable/10/crypto/openssh/ssh-keysign.8
  stable/10/crypto/openssh/ssh-keysign.c
  stable/10/crypto/openssh/ssh-pkcs11-helper.c
  stable/10/crypto/openssh/ssh-pkcs11.c
  stable/10/crypto/openssh/ssh-rsa.c
  stable/10/crypto/openssh/ssh-sandbox.h
  stable/10/crypto/openssh/ssh.0
  stable/10/crypto/openssh/ssh.1
  stable/10/crypto/openssh/ssh.c
  stable/10/crypto/openssh/ssh_config
  stable/10/crypto/openssh/ssh_config.0
  stable/10/crypto/openssh/ssh_config.5
  stable/10/crypto/openssh/ssh_namespace.h
  stable/10/crypto/openssh/sshconnect.c
  stable/10/crypto/openssh/sshconnect.h
  stable/10/crypto/openssh/sshconnect1.c
  stable/10/crypto/openssh/sshconnect2.c
  stable/10/crypto/openssh/sshd.0
  stable/10/crypto/openssh/sshd.8
  stable/10/crypto/openssh/sshd.c
  stable/10/crypto/openssh/sshd_config
  stable/10/crypto/openssh/sshd_config.0
  stable/10/crypto/openssh/sshd_config.5
  stable/10/crypto/openssh/uidswap.c
  stable/10/crypto/openssh/version.h
  stable/10/crypto/openssh/xmalloc.c
  stable/10/etc/rc.d/sshd
  stable/10/secure/lib/libssh/Makefile
  stable/10/secure/usr.sbin/sshd/Makefile
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/crypto/openssh/ChangeLog
==============================================================================
--- stable/10/crypto/openssh/ChangeLog	Thu Feb 27 16:54:43 2014	(r262565)
+++ stable/10/crypto/openssh/ChangeLog	Thu Feb 27 17:29:02 2014	(r262566)
@@ -1,25 +1,1042 @@
-20131108
+20140130
+ - (djm) [configure.ac] Only check for width-specified integer types
+   in headers that actually exist. patch from Tom G. Christensen;
+   ok dtucker@
+ - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
+   different symbols for 'read' when various compiler flags are
+   in use, causing atomicio.c comparisons against it to break and
+   read/write operations to hang; ok dtucker
+ - (djm) Release openssh-6.5p1
+
+20140129
+ - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
+   Tom G. Christensen
+
+20140128
+ - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
+   ok dtucker
+ - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
+   latter being specified to have undefined behaviour in SUSv3;
+   ok dtucker
+ - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
+   when used as an error message inside an if statement so we display the
+   correct into. agent.sh patch from Petr Lautrbach.
+
+20140127
+ - (dtucker) [Makefile.in] Remove trailing backslash which some make
+   implementations (eg older Solaris) do not cope with.
+
+20140126
+ - OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2014/01/25 10:12:50
+     [cipher.c cipher.h kex.c kex.h kexgexc.c]
+     Add a special case for the DH group size for 3des-cbc, which has an
+     effective strength much lower than the key size.  This causes problems
+     with some cryptlib implementations, which don't support group sizes larger
+     than 4k but also don't use the largest group size it does support as
+     specified in the RFC.  Based on a patch from Petr Lautrbach at Redhat,
+     reduced by me with input from Markus.  ok djm@ markus@
+   - markus@cvs.openbsd.org 2014/01/25 20:35:37
+     [kex.c]
+     dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
+     ok dtucker@, noted by mancha
+  - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
+    RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
+    libc will attempt to open additional file descriptors for crypto
+    offload and crash if they cannot be opened.
+ - (djm) [configure.ac] correct AC_DEFINE for previous.
+
+20140125
+ - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
+ - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
+   sys/capability.h exists and cap_rights_limit is in libc. Fixes
+   build on FreeBSD9x which provides the header but not the libc
+   support.
+ - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
+   against the correct thing.
+
+20140124
+ - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make
+   the scp regress test actually test the built scp rather than the one
+   in $PATH. ok dtucker@
+
+20140123
+ - (tim) [session.c] Improve error reporting on set_id().
+ - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously
+   incompatible with OpenBSD's despite post-dating it by more than a decade.
+   Declare it as broken, and document FreeBSD's as the same.  ok djm@
+
+20140122
+ - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a
+   platform that is expected to use the reuse-argv style setproctitle
+   hack surprises us by providing a setproctitle in libc; ok dtucker
+ - (djm) [configure.ac] Unless specifically requested, only attempt
+   to build Position Independent Executables on gcc >= 4.x; ok dtucker
+ - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
+   platform hardening options: include some long long int arithmatic
+   to detect missing support functions for -ftrapv in libgcc and
+   equivalents, actually test linking when -ftrapv is supplied and
+   set either both -pie/-fPIE or neither. feedback and ok dtucker@
+
+20140121
+ - (dtucker) [configure.ac] Make PIE a configure-time option which defaults
+   to on platforms where it's known to be reliably detected and off elsewhere.
+   Works around platforms such as FreeBSD 9.1 where it does not interop with
+   -ftrapv (it seems to work but fails when trying to link ssh).  ok djm@
+ - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time
+   tests in the configure output.  ok djm.
+ - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
+   with sftp chroot support. Move set_id call after chroot.
+ - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE
+   and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of
+   detecting toolchain-related problems; ok dtucker
+
+20140120
+ - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
+   implementation does not have krb5_cc_new_unique, similar to what we do
+   in auth-krb5.c.
+ - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
+   skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/01/20 00:08:48
+     [digest.c]
+     memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
+
+20140119
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2014/01/17 06:23:24
+     [sftp-server.c]
+     fix log message statvfs.  ok djm
+   - dtucker@cvs.openbsd.org 2014/01/18 09:36:26
+     [session.c]
+     explicitly define USE_PIPES to 1 to prevent redefinition warnings in
+     portable on platforms that use pipes for everything.  From vinschen at
+     redhat.
+   - dtucker@cvs.openbsd.org 2014/01/19 04:17:29
+     [canohost.c addrmatch.c]
+     Cast socklen_t when comparing to size_t and use socklen_t to iterate over
+     the ip options, both to prevent signed/unsigned comparison warnings.
+     Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
+   - djm@cvs.openbsd.org 2014/01/19 04:48:08
+     [ssh_config.5]
+     fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
+   - dtucker@cvs.openbsd.org 2014/01/19 11:21:51
+     [addrmatch.c]
+     Cast the sizeof to socklen_t so it'll work even if the supplied len is
+     negative.  Suggested by and ok djm, ok deraadt.
+
+20140118
+ - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin.  Patch
+   from vinschen at redhat.com
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function
+   declarations that stopped being included when we stopped including
+   <windows.h> from openbsd-compat/bsd-cygwin_util.h.  Patch from vinschen at
+   redhat.com.
+ - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,
+   optind) are defined in getopt.h already.  Unfortunately they are defined as
+   "declspec(dllimport)" for historical reasons, because the GNU linker didn't
+   allow auto-import on PE/COFF targets way back when.  The problem is the
+   dllexport attributes collide with the definitions in the various source
+   files in OpenSSH, which obviousy define the variables without
+   declspec(dllimport).  The least intrusive way to get rid of these warnings
+   is to disable warnings for GCC compiler attributes when building on Cygwin.
+   Patch from vinschen at redhat.com.
+ - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the
+   return value check for cap_enter() consistent with the other uses in
+   FreeBSD.  From by Loganaden Velvindron @ AfriNIC via bz#2140.
+
+20140117
+ - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
+   hardening flags including -fstack-protector-strong.  These default to on
+   if the toolchain supports them, but there is a configure-time knob
+   (--without-hardening) to disable them if necessary.  ok djm@
+ - (djm) [sftp-client.c] signed/unsigned comparison fix
+ - (dtucker) [loginrec.c] Cast to the types specfied in the format
+    specification to prevent warnings.
+ - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
+ - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
+ - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
+   includes.h to pull in all of the compatibility stuff.
+ - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
+   #ifdef HAVE_STDINT_H.
+ - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
+   don't have them.
+ - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
+   separate lines and alphabetize for easier diffing of changes.
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/01/17 00:21:06
+     [sftp-client.c]
+     signed/unsigned comparison warning fix; from portable (Id sync only)
+   - dtucker@cvs.openbsd.org 2014/01/17 05:26:41
+     [digest.c]
+     remove unused includes.  ok djm@
+ - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
+   [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
+   [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
+   using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
+   Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
+ - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
+   openbsd-compat/openssl-compat.h]  Add compatibility layer for older
+   openssl versions.  ok djm@
+ - (dtucker) Fix typo in #ifndef.
+ - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
+   openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
+   to be useful (and for the regression tests to pass) on platforms that
+   have statfs and fstatfs.  ok djm@
+ - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
+   need them to cut down on the name collisions.
+ - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
+ - (dtucker) [configure.ac] Have --without-hardening not turn off
+   stack-protector since that has a separate flag that's been around a while.
+ - (dtucker) [readconf.c] Wrap paths.h inside an ifdef.  Allows building on
+   Solaris.
+ - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after
+   they're defined if we have to define them ourselves.  Fixes builds on old
+   AIX.
+
+20140118
  - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2013/11/06 16:52:11
-     [monitor_wrap.c]
-     fix rekeying for AES-GCM modes; ok deraadt
+   - djm@cvs.openbsd.org 2014/01/16 07:31:09
+     [sftp-client.c]
+     needless and incorrect cast to size_t can break resumption of
+     large download; patch from tobias@
+   - djm@cvs.openbsd.org 2014/01/16 07:32:00
+     [version.h]
+     openssh-6.5
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Crank RPM spec version numbers.
+ - (djm) [README] update release notes URL.
+
+20140112
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/01/10 05:59:19
+     [sshd_config]
+     the /etc/ssh/ssh_host_ed25519_key is loaded by default too
+   - djm@cvs.openbsd.org 2014/01/12 08:13:13
+     [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
+     [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
+     avoid use of OpenSSL BIGNUM type and functions for KEX with
+     Curve25519 by adding a buffer_put_bignum2_from_string() that stores
+     a string using the bignum encoding rules. Will make it easier to
+     build a reduced-feature OpenSSH without OpenSSL in the future;
+     ok markus@
+
+20140110
+ - (djm) OpenBSD CVS Sync
+   - tedu@cvs.openbsd.org 2014/01/04 17:50:55
+     [mac.c monitor_mm.c monitor_mm.h xmalloc.c]
+     use standard types and formats for size_t like variables. ok dtucker
+   - guenther@cvs.openbsd.org 2014/01/09 03:26:00
+     [sftp-common.c]
+     When formating the time for "ls -l"-style output, show dates in the future
+     with the year, and rearrange a comparison to avoid a potentional signed
+     arithmetic overflow that would give the wrong result.
+     ok djm@
+   - djm@cvs.openbsd.org 2014/01/09 23:20:00
+     [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
+     [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
+     [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
+     [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
+     Introduce digest API and use it to perform all hashing operations
+     rather than calling OpenSSL EVP_Digest* directly. Will make it easier
+     to build a reduced-feature OpenSSH without OpenSSL in future;
+     feedback, ok markus@
+   - djm@cvs.openbsd.org 2014/01/09 23:26:48
+     [sshconnect.c sshd.c]
+     ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
+     deranged and might make some attacks on KEX easier; ok markus@
+
+20140108
+ - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
+
+20131231
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/12/30 23:52:28
+     [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
+     [sshconnect.c sshconnect2.c sshd.c]
+     refuse RSA keys from old proprietary clients/servers that use the
+     obsolete RSA+MD5 signature scheme. it will still be possible to connect
+     with these clients/servers but only DSA keys will be accepted, and we'll
+     deprecate them entirely in a future release. ok markus@
+
+20131229
+ - (djm) [loginrec.c] Check for username truncation when looking up lastlog
+   entries
+ - (djm) [regress/Makefile] Add some generated files for cleaning
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/12/19 00:10:30
+     [ssh-add.c]
+     skip requesting smartcard PIN when removing keys from agent; bz#2187
+     patch from jay AT slushpupie.com; ok dtucker
+   - dtucker@cvs.openbsd.org 2013/12/19 00:19:12
+     [serverloop.c]
+     Cast client_alive_interval to u_int64_t before assinging to
+     max_time_milliseconds to avoid potential integer overflow in the timeout.
+     bz#2170, patch from Loganaden Velvindron, ok djm@
+   - djm@cvs.openbsd.org 2013/12/19 00:27:57
+     [auth-options.c]
+     simplify freeing of source-address certificate restriction
+   - djm@cvs.openbsd.org 2013/12/19 01:04:36
+     [channels.c]
+     bz#2147: fix multiple remote forwardings with dynamically assigned
+     listen ports. In the s->c message to open the channel we were sending
+     zero (the magic number to request a dynamic port) instead of the actual
+     listen port. The client therefore had no way of discriminating between
+     them.
+     
+     Diagnosis and fix by ronf AT timeheart.net
+   - djm@cvs.openbsd.org 2013/12/19 01:19:41
+     [ssh-agent.c]
+     bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
+     that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
+     ok dtucker
+   - djm@cvs.openbsd.org 2013/12/19 22:57:13
+     [poly1305.c poly1305.h]
+     use full name for author, with his permission
+   - tedu@cvs.openbsd.org 2013/12/21 07:10:47
+     [ssh-keygen.1]
+     small typo
+   - djm@cvs.openbsd.org 2013/12/27 22:30:17
+     [ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
+     make the original RSA and DSA signing/verification code look more like
+     the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
+     rather than tediously listing all variants, use __func__ for debug/
+     error messages
+   - djm@cvs.openbsd.org 2013/12/27 22:37:18
+     [ssh-rsa.c]
+     correct comment
+   - djm@cvs.openbsd.org 2013/12/29 02:28:10
+     [key.c]
+     allow ed25519 keys to appear as certificate authorities
+   - djm@cvs.openbsd.org 2013/12/29 02:37:04
+     [key.c]
+     correct comment for key_to_certified()
+   - djm@cvs.openbsd.org 2013/12/29 02:49:52
+     [key.c]
+     correct comment for key_drop_cert()
+   - djm@cvs.openbsd.org 2013/12/29 04:20:04
+     [key.c]
+     to make sure we don't omit any key types as valid CA keys again,
+     factor the valid key type check into a key_type_is_valid_ca()
+     function
+   - djm@cvs.openbsd.org 2013/12/29 04:29:25
+     [authfd.c]
+     allow deletion of ed25519 keys from the agent
+   - djm@cvs.openbsd.org 2013/12/29 04:35:50
+     [authfile.c]
+     don't refuse to load Ed25519 certificates
+   - djm@cvs.openbsd.org 2013/12/29 05:42:16
+     [ssh.c]
+     don't forget to load Ed25519 certs too
+   - djm@cvs.openbsd.org 2013/12/29 05:57:02
+     [sshconnect.c]
+     when showing other hostkeys, don't forget Ed25519 keys
+
+20131221
+ - (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
+
+20131219
+ - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
+   greater than 11 either rather than just 11.  Patch from Tomas Kuthan.
+ - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
+   Patch from Loganaden Velvindron.
+
+20131218
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/12/07 08:08:26
+     [ssh-keygen.1]
+     document -a and -o wrt new key format
+   - naddy@cvs.openbsd.org 2013/12/07 11:58:46
+     [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
+     [ssh_config.5 sshd.8 sshd_config.5]
+     add missing mentions of ed25519; ok djm@
+   - dtucker@cvs.openbsd.org 2013/12/08 09:53:27
+     [sshd_config.5]
+     Use a literal for the default value of KEXAlgorithms.  ok deraadt jmc
+   - markus@cvs.openbsd.org 2013/12/09 11:03:45
+     [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
+     [ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
+     Add Authors for the public domain ed25519/nacl code.
+     see also http://nacl.cr.yp.to/features.html
+        All of the NaCl software is in the public domain.
+     and http://ed25519.cr.yp.to/software.html
+        The Ed25519 software is in the public domain.
+   - markus@cvs.openbsd.org 2013/12/09 11:08:17
+     [crypto_api.h]
+     remove unused defines
+   - pascal@cvs.openbsd.org 2013/12/15 18:17:26
+     [ssh-add.c]
+     Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
+     ok markus@
+   - djm@cvs.openbsd.org 2013/12/15 21:42:35
+     [cipher-chachapoly.c]
+     add some comments and constify a constant
+   - markus@cvs.openbsd.org 2013/12/17 10:36:38
+     [crypto_api.h]
+     I've assempled the header file by cut&pasting from generated headers
+     and the source files.
+
+20131208
+ - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
+   Vinschen
+ - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
+   [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
+   filesystem before running agent-ptrace.sh; ok dtucker
+
+20131207
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/12/05 22:59:45
+     [sftp-client.c]
+     fix memory leak in error path in do_readdir(); pointed out by
+     Loganaden Velvindron @ AfriNIC in bz#2163
+   - djm@cvs.openbsd.org 2013/12/06 03:40:51
+     [ssh-keygen.c]
+     remove duplicated character ('g') in getopt() string;
+     document the (few) remaining option characters so we don't have to
+     rummage next time.
+   - markus@cvs.openbsd.org 2013/12/06 13:30:08
+     [authfd.c key.c key.h ssh-agent.c]
+     move private key (de)serialization to key.c; ok djm
+   - markus@cvs.openbsd.org 2013/12/06 13:34:54
+     [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
+     [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
+     default; details in PROTOCOL.key; feedback and lots help from djm;
+     ok djm@
+   - markus@cvs.openbsd.org 2013/12/06 13:39:49
+     [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
+     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
+     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
+     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
+     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
+     support ed25519 keys (hostkeys and user identities) using the public
+     domain ed25519 reference code from SUPERCOP, see
+     http://ed25519.cr.yp.to/software.html
+     feedback, help & ok djm@
+   - jmc@cvs.openbsd.org 2013/12/06 15:29:07
+     [sshd.8]
+     missing comma;
+   - djm@cvs.openbsd.org 2013/12/07 00:19:15
+     [key.c]
+     set k->cert = NULL after freeing it
+   - markus@cvs.openbsd.org 2013/12/06 13:52:46
+     [regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
+     [regress/cert-userkey.sh regress/keytype.sh]
+     test ed25519 support; from djm@
+ - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
+   [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
+ - (djm) [Makefile.in] Add ed25519 sources
+ - (djm) [authfile.c] Conditionalise inclusion of util.h
+ - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
+   [openbsd-compat/blf.h openbsd-compat/blowfish.c]
+   [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
+   portable.
+ - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
+   [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
+   Linux
+ - (djm) [regress/cert-hostkey.sh] Fix merge botch
+ - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
+   Loganaden Velvindron @ AfriNIC in bz#2179
+
+20131205
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2013/11/21 08:05:09
+     [ssh_config.5 sshd_config.5]
+     no need for .Pp before displays;
+   - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
+     [ssh.1 ssh.c]
+     improve -Q usage and such.  One usage change is that the option is now
+     case-sensitive
+     ok dtucker markus djm
+   - jmc@cvs.openbsd.org 2013/11/26 12:14:54
+     [ssh.1 ssh.c]
+     - put -Q in the right place
+     - Ar was a poor choice for the arguments to -Q. i've chosen an
+       admittedly equally poor Cm, at least consistent with the rest
+       of the docs. also no need for multiple instances
+     - zap a now redundant Nm
+     - usage() sync
+   - deraadt@cvs.openbsd.org 2013/11/26 19:15:09
+     [pkcs11.h]
+     cleanup 1 << 31 idioms.  Resurrection of this issue pointed out by
+     Eitan Adler ok markus for ssh, implies same change in kerberosV
+   - djm@cvs.openbsd.org 2013/12/01 23:19:05
+     [PROTOCOL]
+     mention curve25519-sha256@libssh.org key exchange algorithm
+   - djm@cvs.openbsd.org 2013/12/02 02:50:27
+     [PROTOCOL.chacha20poly1305]
+     typo; from Jon Cave
+   - djm@cvs.openbsd.org 2013/12/02 02:56:17
+     [ssh-pkcs11-helper.c]
+     use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
+   - djm@cvs.openbsd.org 2013/12/02 03:09:22
+     [key.c]
+     make key_to_blob() return a NULL blob on failure; part of
+     bz#2175 from Loganaden Velvindron @ AfriNIC
+   - djm@cvs.openbsd.org 2013/12/02 03:13:14
+     [cipher.c]
+     correct bzero of chacha20+poly1305 key context. bz#2177 from
+     Loganaden Velvindron @ AfriNIC
+     
+     Also make it a memset for consistency with the rest of cipher.c
+   - djm@cvs.openbsd.org 2013/12/04 04:20:01
+     [sftp-client.c]
+     bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
+     AfriNIC
+   - djm@cvs.openbsd.org 2013/12/05 01:16:41
+     [servconf.c servconf.h]
+     bz#2161 - fix AuthorizedKeysCommand inside a Match block and
+     rearrange things so the same error is harder to make next time;
+     with and ok dtucker@
+ - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
+   -L location for libedit.  Patch from Serge van den Boom.
+
+20131121
+ - (djm) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2013/11/08 11:15:19
+     [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
+     [uidswap.c] Include stdlib.h for free() as per the man page.
+   - markus@cvs.openbsd.org 2013/11/13 13:48:20
+     [ssh-pkcs11.c]
+     add missing braces found by pedro
+   - djm@cvs.openbsd.org 2013/11/20 02:19:01
+     [sshd.c]
+     delay closure of in/out fds until after "Bad protocol version
+     identification..." message, as get_remote_ipaddr/get_remote_port
+     require them open.
+   - deraadt@cvs.openbsd.org 2013/11/20 20:53:10
+     [scp.c]
+     unsigned casts for ctype macros where neccessary
+     ok guenther millert markus
+   - deraadt@cvs.openbsd.org 2013/11/20 20:54:10
+     [canohost.c clientloop.c match.c readconf.c sftp.c]
+     unsigned casts for ctype macros where neccessary
+     ok guenther millert markus
+   - djm@cvs.openbsd.org 2013/11/21 00:45:44
+     [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
+     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
+     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
+     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
+     cipher "chacha20-poly1305@openssh.com" that combines Daniel
+     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
+     authenticated encryption mode.
+     
+     Inspired by and similar to Adam Langley's proposal for TLS:
+     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
+     but differs in layout used for the MAC calculation and the use of a
+     second ChaCha20 instance to separately encrypt packet lengths.
+     Details are in the PROTOCOL.chacha20poly1305 file.
+     
+     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
+     ok markus@ naddy@
+   - naddy@cvs.openbsd.org 2013/11/18 05:09:32
+     [regress/forward-control.sh]
+     bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
+     to successfully run this; ok djm@
+   - djm@cvs.openbsd.org 2013/11/21 03:15:46
+     [regress/krl.sh]
+     add some reminders for additional tests that I'd like to implement
+   - djm@cvs.openbsd.org 2013/11/21 03:16:47
+     [regress/modpipe.c]
+     use unsigned long long instead of u_int64_t here to avoid warnings
+     on some systems portable OpenSSH is built on.
+   - djm@cvs.openbsd.org 2013/11/21 03:18:51
+     [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
+     [regress/try-ciphers.sh]
+     use new "ssh -Q cipher-auth" query to obtain lists of authenticated
+     encryption ciphers instead of specifying them manually; ensures that
+     the new chacha20poly1305@openssh.com mode is tested;
+     
+     ok markus@ and naddy@ as part of the diff to add
+     chacha20poly1305@openssh.com
+
+20131110
+ - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
+   querying the ones that are compiled in.
+
+20131109
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2013/11/09 05:41:34
+     [regress/test-exec.sh regress/rekey.sh]
+     Use smaller test data files to speed up tests.  Grow test datafiles
+     where necessary for a specific test.
+ - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
+   NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
+   latter actually works before using it.  Fedora (at least) has NID_secp521r1
+   that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
+ - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
+ - (dtucker) [configure.ac] Add missing "test".
+ - (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
+
+20131108
+ - (dtucker) OpenBSD CVS Sync
+    - dtucker@cvs.openbsd.org 2013/11/08 01:06:14
+      [regress/rekey.sh]
+      Rekey less frequently during tests to speed them up
+ - (djm) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2013/11/07 11:58:27
+     [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
+     Output the effective values of Ciphers, MACs and KexAlgorithms when
+     the default has not been overridden.  ok markus@
    - djm@cvs.openbsd.org 2013/11/08 00:39:15
      [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
      [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
      [sftp-client.c sftp-glob.c]
      use calloc for all structure allocations; from markus@
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] update version numbers
    - djm@cvs.openbsd.org 2013/11/08 01:38:11
      [version.h]
      openssh-6.4
- - (djm) Release 6.4p1
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Update version numbers following release.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
+   arc4random_stir for platforms that have arc4random but don't have
+   arc4random_stir (right now this is only OpenBSD -current).
+ - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
+   EVP_sha256.
+ - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
+ - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
+   warnings.
+ - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
+   and pass in TEST_ENV.  use stderr to get polluted
+   and the stderr-data test to fail.
+ - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
+   rather than testing and generating each key, call ssh-keygen -A.
+   Patch from vinschen at redhat.com.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2013/11/09 05:41:34
+     [regress/test-exec.sh regress/rekey.sh]
+     Use smaller test data files to speed up tests.  Grow test datafiles
+     where necessary for a specific test.
+
+20131107
+ - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
+   that got lost in recent merge.
+ - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
+ - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
+ - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
+   that lack it but have arc4random_uniform()
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2013/11/04 11:51:16
+     [monitor.c]
+     fix rekeying for KEX_C25519_SHA256; noted by dtucker@
+     RCSID sync only; I thought this was a merge botch and fixed it already
+   - markus@cvs.openbsd.org 2013/11/06 16:52:11
+     [monitor_wrap.c]
+     fix rekeying for AES-GCM modes; ok deraadt
+   - djm@cvs.openbsd.org 2013/11/06 23:05:59
+     [ssh-pkcs11.c]
+     from portable: s/true/true_val/ to avoid name collisions on dump platforms
+     RCSID sync only
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/09 23:44:14
+     [regress/Makefile] (ID sync only)
+     regression test for sftp request white/blacklisting and readonly mode.
+   - markus@cvs.openbsd.org 2013/11/02 22:39:53
+     [regress/kextype.sh]
+     add curve25519-sha256@libssh.org
+   - dtucker@cvs.openbsd.org 2013/11/04 12:27:42
+     [regress/rekey.sh]
+     Test rekeying with all KexAlgorithms.
+   - dtucker@cvs.openbsd.org 2013/11/07 00:12:05
+     [regress/rekey.sh]
+     Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
+     the GCM ciphers.
+   - dtucker@cvs.openbsd.org 2013/11/07 01:12:51
+     [regress/rekey.sh]
+     Factor out the data transfer rekey tests
+   - dtucker@cvs.openbsd.org 2013/11/07 02:48:38
+     [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
+     Use ssh -Q instead of hardcoding lists of ciphers or MACs.
+   - dtucker@cvs.openbsd.org 2013/11/07 03:55:41
+     [regress/kextype.sh]
+     Use ssh -Q to get kex types instead of a static list.
+   - dtucker@cvs.openbsd.org 2013/11/07 04:26:56
+     [regress/kextype.sh]
+     trailing space
+ - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
+   variable.  It's no longer used now that we get the supported MACs from
+   ssh -Q.
 
-20130913
- - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code;
-   ok dtucker@
- - (djm) [channels.c] sigh, typo s/buffet_/buffer_/
- - (djm) Release 6.3p1
+20131104
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2013/11/02 20:03:54
+     [ssh-pkcs11.c]
+     support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
+     fixes bz#1908; based on patch from Laurent Barbe; ok djm
+   - markus@cvs.openbsd.org 2013/11/02 21:59:15
+     [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
+     use curve25519 for default key exchange (curve25519-sha256@libssh.org);
+     initial patch from Aris Adamantiadis; ok djm@
+   - markus@cvs.openbsd.org 2013/11/02 22:10:15
+     [kexdhs.c kexecdhs.c]
+     no need to include monitor_wrap.h
+   - markus@cvs.openbsd.org 2013/11/02 22:24:24
+     [kexdhs.c kexecdhs.c]
+     no need to include ssh-gss.h
+   - markus@cvs.openbsd.org 2013/11/02 22:34:01
+     [auth-options.c]
+     no need to include monitor_wrap.h and ssh-gss.h
+   - markus@cvs.openbsd.org 2013/11/02 22:39:19
+     [ssh_config.5 sshd_config.5]
+     the default kex is now curve25519-sha256@libssh.org
+   - djm@cvs.openbsd.org 2013/11/03 10:37:19
+     [roaming_common.c]
+     fix a couple of function definitions foo() -> foo(void)
+     (-Wold-style-definition)
+ - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
+   KEX/curve25519 change
+
+20131103
+ - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
+   From OpenSMTPD where it prevents "implicit declaration" warnings (it's
+   a no-op in OpenSSH).  From chl at openbsd.
+ - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd
+   vsnprintf.  From eric at openbsd via chl@.
+ - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
+   for platforms that don't have them.
+
+20131030
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/29 09:42:11
+     [key.c key.h]
+     fix potential stack exhaustion caused by nested certificates;
+     report by Mateusz Kocielski; ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2013/10/29 09:48:02
+     [servconf.c servconf.h session.c sshd_config sshd_config.5]
+     shd_config PermitTTY to disallow TTY allocation, mirroring the
+     longstanding no-pty authorized_keys option;
+     bz#2070, patch from Teran McKinney; ok markus@
+   - jmc@cvs.openbsd.org 2013/10/29 18:49:32
+     [sshd_config.5]
+     pty(4), not pty(7);
+
+20131026
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/25 23:04:51
+     [ssh.c]
+     fix crash when using ProxyCommand caused by previous commit - was calling
+     freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
+
+20131025
+ - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
+   unnecessary arc4random_stir() calls. The only ones left are to ensure
+   that the PRNG gets a different state after fork() for platforms that
+   have broken the API.
+
+20131024
+ - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
+   rather than full client name which may be of form user@REALM;
+   patch from Miguel Sanders; ok dtucker@
+ - (djm) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2013/10/23 05:40:58
+     [servconf.c]
+     fix comment
+   - djm@cvs.openbsd.org 2013/10/23 23:35:32
+     [sshd.c]
+     include local address and port in "Connection from ..." message (only
+     shown at loglevel>=verbose)
+   - dtucker@cvs.openbsd.org 2013/10/24 00:49:49
+     [moduli.c]
+     Periodically print progress and, if possible, expected time to completion
+     when screening moduli for DH groups.  ok deraadt djm
+   - dtucker@cvs.openbsd.org 2013/10/24 00:51:48
+     [readconf.c servconf.c ssh_config.5 sshd_config.5]
+     Disallow empty Match statements and add "Match all" which matches
+     everything.  ok djm, man page help jmc@
+   - djm@cvs.openbsd.org 2013/10/24 08:19:36
+     [ssh.c]
+     fix bug introduced in hostname canonicalisation commit: don't try to
+     resolve hostnames when a ProxyCommand is set unless the user has forced
+     canonicalisation; spotted by Iain Morgan
+ - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
+
+20131023
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/20 04:39:28
+     [ssh_config.5]
+     document % expansions performed by "Match command ..."
+   - djm@cvs.openbsd.org 2013/10/20 06:19:28
+     [readconf.c ssh_config.5]
+     rename "command" subclause of the recently-added "Match" keyword to
+     "exec"; it's shorter, clearer in intent and we might want to add the
+     ability to match against the command being executed at the remote end in
+     the future.
+   - djm@cvs.openbsd.org 2013/10/20 09:51:26
+     [scp.1 sftp.1]
+     add canonicalisation options to -o lists
+   - jmc@cvs.openbsd.org 2013/10/20 18:00:13
+     [ssh_config.5]
+     tweak the "exec" description, as worded by djm;
+   - djm@cvs.openbsd.org 2013/10/23 03:03:07
+     [readconf.c]
+     Hostname may have %h sequences that should be expanded prior to Match
+     evaluation; spotted by Iain Morgan
+   - djm@cvs.openbsd.org 2013/10/23 03:05:19
+     [readconf.c ssh.c]
+     comment
+   - djm@cvs.openbsd.org 2013/10/23 04:16:22
+     [ssh-keygen.c]
+     Make code match documentation: relative-specified certificate expiry time
+     should be relative to current time and not the validity start time.
+     Reported by Petr Lautrbach; ok deraadt@
+
+20131018
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/09 23:44:14
+     [regress/Makefile regress/sftp-perm.sh]
+     regression test for sftp request white/blacklisting and readonly mode.
+   - jmc@cvs.openbsd.org 2013/10/17 07:35:48
+     [sftp.1 sftp.c]
+     tweak previous;
+   - djm@cvs.openbsd.org 2013/10/17 22:08:04
+     [sshd.c]
+     include remote port in bad banner message; bz#2162
+
+20131017
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2013/10/15 14:10:25
+     [ssh.1 ssh_config.5]
+     tweak previous;
+   - djm@cvs.openbsd.org 2013/10/16 02:31:47
+     [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
+     [sshconnect.c sshconnect.h]
+     Implement client-side hostname canonicalisation to allow an explicit
+     search path of domain suffixes to use to convert unqualified host names
+     to fully-qualified ones for host key matching.
+     This is particularly useful for host certificates, which would otherwise
+     need to list unqualified names alongside fully-qualified ones (and this
+     causes a number of problems).
+     "looks fine" markus@
+   - jmc@cvs.openbsd.org 2013/10/16 06:42:25
+     [ssh_config.5]
+     tweak previous;
+   - djm@cvs.openbsd.org 2013/10/16 22:49:39
+     [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
+     s/canonicalise/canonicalize/ for consistency with existing spelling,
+     e.g. authorized_keys; pointed out by naddy@
+   - djm@cvs.openbsd.org 2013/10/16 22:58:01
+     [ssh.c ssh_config.5]
+     one I missed in previous: s/isation/ization/
+   - djm@cvs.openbsd.org 2013/10/17 00:30:13
+     [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
+     fsync@openssh.com protocol extension for sftp-server
+     client support to allow calling fsync() faster successful transfer
+     patch mostly by imorgan AT nas.nasa.gov; bz#1798
+     "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
+   - djm@cvs.openbsd.org 2013/10/17 00:46:49
+     [ssh.c]
+     rearrange check to reduce diff against -portable
+     (Id sync only)
+
+20131015
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/10/09 23:42:17
+     [sftp-server.8 sftp-server.c]
+     Add ability to whitelist and/or blacklist sftp protocol requests by name.
+     Refactor dispatch loop and consolidate read-only mode checks.
+     Make global variables static, since sftp-server is linked into sshd(8).
+     ok dtucker@
+   - djm@cvs.openbsd.org 2013/10/10 00:53:25
+     [sftp-server.c]
+     add -Q, -P and -p to usage() before jmc@ catches me
+   - djm@cvs.openbsd.org 2013/10/10 01:43:03
+     [sshd.c]
+     bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly
+     updated; ok dtucker@
+   - djm@cvs.openbsd.org 2013/10/11 02:45:36
+     [sftp-client.c]
+     rename flag arguments to be more clear and consistent.
+     reorder some internal function arguments to make adding additional flags
+     easier.
+     no functional change
+   - djm@cvs.openbsd.org 2013/10/11 02:52:23
+     [sftp-client.c]
+     missed one arg reorder
+   - djm@cvs.openbsd.org 2013/10/11 02:53:45
+     [sftp-client.h]
+     obsolete comment
+   - jmc@cvs.openbsd.org 2013/10/14 14:18:56
+     [sftp-server.8 sftp-server.c]
+     tweak previous;
+     ok djm
+   - djm@cvs.openbsd.org 2013/10/14 21:20:52
+     [session.c session.h]
+     Add logging of session starts in a useful format; ok markus@ feedback and
+     ok dtucker@
+   - djm@cvs.openbsd.org 2013/10/14 22:22:05
+     [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
+     add a "Match" keyword to ssh_config that allows matching on hostname,
+     user and result of arbitrary commands. "nice work" markus@
+   - djm@cvs.openbsd.org 2013/10/14 23:28:23
+     [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
+     refactor client config code a little:
+     add multistate option partsing to readconf.c, similar to servconf.c's
+     existing code.
+     move checking of options that accept "none" as an argument to readconf.c
+     add a lowercase() function and use it instead of explicit tolower() in
+     loops
+     part of a larger diff that was ok markus@
+   - djm@cvs.openbsd.org 2013/10/14 23:31:01
+     [ssh.c]
+     whitespace at EOL; pointed out by markus@
+ - [ssh.c] g/c unused variable.
+
+20131010
+ - (dtucker) OpenBSD CVS Sync
+   - sthen@cvs.openbsd.org 2013/09/16 11:35:43
+     [ssh_config]
+     Remove gssapi config parts from ssh_config, as was already done for
+     sshd_config.  Req by/ok ajacoutot@
+     ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
+   - djm@cvs.openbsd.org 2013/09/19 00:24:52
+     [progressmeter.c]
+     store the initial file offset so the progress meter doesn't freak out
+     when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@`
+   - djm@cvs.openbsd.org 2013/09/19 00:49:12
+     [sftp-client.c]
+     fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan
+   - djm@cvs.openbsd.org 2013/09/19 01:24:46
+     [channels.c]
+     bz#1297 - tell the client (via packet_send_debug) when their preferred
+     listen address has been overridden by the server's GatewayPorts;
+     ok dtucker@
+   - djm@cvs.openbsd.org 2013/09/19 01:26:29
+     [sshconnect.c]
+     bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from
+     swp AT swp.pp.ru; ok dtucker@
+   - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
+     [dh.c dh.h]
+     Increase the size of the Diffie-Hellman groups requested for a each
+     symmetric key size.  New values from NIST Special Publication 800-57 with
+     the upper limit specified by RFC4419.  Pointed out by Peter Backes, ok
+     djm@.
+
+20131009
+ - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
+   in OpenBSD implementation of arc4random, shortly to replace the existing
+   bsd-arc4random.c
+ - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
+   [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
+   implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
+   tested tim@
+
+20130922
+ - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
+   setting when handling SIGHUP to maintain behaviour over retart.  Patch
+   from Matthew Ife.
+
+20130918
+ - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.
+
+20130914
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/08/22 19:02:21
+     [sshd.c]
+     Stir PRNG after post-accept fork. The child gets a different PRNG state
+     anyway via rexec and explicit privsep reseeds, but it's good to be sure.
+     ok markus@
+   - mikeb@cvs.openbsd.org 2013/08/28 12:34:27
+     [ssh-keygen.c]
+     improve batch processing a bit by making use of the quite flag a bit
+     more often and exit with a non zero code if asked to find a hostname
+     in a known_hosts file and it wasn't there;
+     originally from reyk@,  ok djm
+   - djm@cvs.openbsd.org 2013/08/31 00:13:54
+     [sftp.c]
+     make ^w match ksh behaviour (delete previous word instead of entire line)
+   - deraadt@cvs.openbsd.org 2013/09/02 22:00:34
+     [ssh-keygen.c sshconnect1.c sshd.c]
+     All the instances of arc4random_stir() are bogus, since arc4random()
+     does this itself, inside itself, and has for a very long time..  Actually,
+     this was probably reducing the entropy available.
+     ok djm
+     ID SYNC ONLY for portable; we don't trust other arc4random implementations
+     to do this right.
+   - sthen@cvs.openbsd.org 2013/09/07 13:53:11
+     [sshd_config]
+     Remove commented-out kerberos/gssapi config options from sample config,
+     kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
+     various people; ok deraadt@
+     ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
+   - djm@cvs.openbsd.org 2013/09/12 01:41:12
+     [clientloop.c]
+     fix connection crash when sending break (~B) on ControlPersist'd session;
+     ok dtucker@
+   - djm@cvs.openbsd.org 2013/09/13 06:54:34
+     [channels.c]
+     avoid unaligned access in code that reused a buffer to send a
+     struct in_addr in a reply; simpler just use use buffer_put_int();
+     from portable; spotted by and ok dtucker@
+
+20130828
+ - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
+   'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
+   start to use them in the future.
+ - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits
+   until we have configure support.
+
+20130821
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2013/08/06 23:03:49
+     [sftp.c]
+     fix some whitespace at EOL
+     make list of commands an enum rather than a long list of defines
+     add -a to usage()
+   - djm@cvs.openbsd.org 2013/08/06 23:05:01
+     [sftp.1]
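Review bot: the 20131108 block ends with a dtucker "OpenBSD CVS Sync" entry (dtucker@cvs.openbsd.org 2013/11/09 05:41:34, regress/test-exec.sh regress/rekey.sh, "Use smaller test data files to speed up tests") that repeats verbatim the entry already recorded under 20131109 earlier in the same hunk; since this is a merge of the upstream ChangeLog the duplicate is inherited rather than introduced here, but it should be reported upstream rather than carried forward silently. The same goes for the stray trailing backquote after "ok dtucker@" in the progressmeter.c entry under 20131010 and the upstream spelling slips in this hunk ("assempled", "neccessary", "tokes", "zerts", "noytet", "retart", "shd_config", "partsing"), none of which this merge should try to fix locally. Note also that the diff output is truncated at 1000 lines, so only the ChangeLog portion is visible in this message: the security-relevant changes this log records (the use-after-free fix in ssh-pkcs11-helper.c, bz#2175; key_to_blob() now returning a NULL blob on failure; the corrected bzero of the chacha20-poly1305 key context, bz#2177; the nested-certificate stack exhaustion fix in key.c; the replacement of the RC4-based arc4random with OpenBSD's ChaCha-based PRNG; the new bcrypt-KDF private key format) cannot be verified from this mail and need to be reviewed against the full changeset.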

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


