commit 9ca7e9c861775dd6c6312bc8aaab687403d24676
Author: Damien Miller <djm@mindrot.org>
Date:   Wed May 27 10:38:00 2020 +1000

    depend

commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon May 18 04:29:35 2020 +0000

    upstream: avoid possible NULL deref; from Pedro Martelletto
    
    OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721

commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d
Author: Damien Miller <djm@mindrot.org>
Date:   Thu May 14 12:22:09 2020 +1000

    prefer ln to cp for temporary copy of sshd
    
    I saw failures on the reexec fallback test on Darwin 19.4 where
    fork()ed children of a process that had its executable removed
    would instantly fail. Using ln to preserve the inode avoids this.

commit f700d316c6b15a9cfbe87230d2dca81a5d916279
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed May 13 15:24:51 2020 +1000

    Actually skip pty tests when needed.

commit 08ce6b2210f46f795e7db747809f8e587429dfd2
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed May 13 13:56:45 2020 +1000

    Skip building sk-dummy library if no SK support.

commit 102d106bc2e50347d0e545fad6ff5ce408d67247
Author: Damien Miller <djm@mindrot.org>
Date:   Wed May 13 12:08:34 2020 +1000

    explicitly manage .depend and .depend.bak
    
    Bring back removal of .depend to give the file a known state before
    running makedepend, but manually move aside the current .depend file
    and restore it as .depend.bak afterwards so the stale .depend check
    works as expected.

commit 83a6dc6ba1e03b3fa39d12a8522b8b0e68dd6390
Author: Damien Miller <djm@mindrot.org>
Date:   Wed May 13 12:03:42 2020 +1000

    make depend

commit 7c0bbed967abed6301a63e0267cc64144357a99a
Author: Damien Miller <djm@mindrot.org>
Date:   Wed May 13 12:01:10 2020 +1000

    revert removal of .depend before makedepend
    
    Commit 83657eac4 started removing .depend before running makedepend
    to reset the contents of .depend to a known state. Unfortunately
    this broke the depend-check step as now .depend.bak would only ever
    be created as an empty file.
    
    ok dtucker

commit 58ad004acdcabf3b9f40bc3aaa206b25d998db8c
Author: Damien Miller <djm@mindrot.org>
Date:   Tue May 12 12:58:46 2020 +1000

    prepare for 8.3 release

commit 4fa9e048c2af26beb7dc2ee9479ff3323e92a7b5
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri May 8 21:50:43 2020 +1000

    Ensure SA_SIGNAL test only signals itself.
    
    When the test's child signals its parent and it exits the result of
    getppid changes.  On Ubuntu 20.04 this results in the ppid being that
    of the GDM session, causing it to exit.  Analysis and testing from pedro
    at ambientworks.net

commit dc2da29aae76e170d22f38bb36f1f5d1edd5ec2b
Author: Damien Miller <djm@mindrot.org>
Date:   Fri May 8 13:31:53 2020 +1000

    sync config.guess/config.sub with latest versions
    
    ok dtucker@

commit a8265bd64c14881fc7f4fa592f46dfc66b911f17
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed May 6 20:58:01 2020 +0000

    upstream: openssh-8.3; ok deraadt@
    
    OpenBSD-Commit-ID: c8831ec88b9c750f5816aed9051031fb535d22c1

commit 955854cafca88e0cdcd3d09ca1ad4ada465364a1
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed May 6 20:57:38 2020 +0000

    upstream: another case where a utimes() failure could make scp send
    
    a desynchronising error; reminded by Aymeric Vincent ok deraadt markus
    
    OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381

commit 59d531553fd90196946743da391f3a27cf472f4e
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Thu May 7 15:34:12 2020 +1000

    Check if -D_REENTRANT is needed for localtime_r.
    
    On at least HP-UX 11.11, the localtime_r declaration is behind
    ifdef _REENTRANT.  Check for and add if needed.

commit c13403e55de8cdbb9da628ed95017b1d4c0f205f
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue May 5 11:32:43 2020 +1000

    Skip security key tests if ENABLE_SK not set.

commit 4da393f87cd52d788c84112ee3f2191c9bcaaf30
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 04:03:14 2020 +0000

    upstream: sure enough, some of the test data that we thought were in
    
    new format were actually in the old format; fix from Michael Forney
    
    OpenBSD-Regress-ID: a41a5c43a61b0f0b1691994dbf16dfb88e8af933

commit 15bfafc1db4c8792265ada9623a96f387990f732
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 04:00:29 2020 +0000

    upstream: make mktestdata.sh generate old/new format keys that we
    
    expect. This script was written before OpenSSH switched to new-format private
    keys by default and was never updated to the change (until now) From Michael
    Forney
    
    OpenBSD-Regress-ID: 38cf354715c96852e5b71c2393fb6e7ad28b7ca7

commit 7882d2eda6ad3eb82220a85294de545d20ef82db
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 03:58:02 2020 +0000

    upstream: portability fix for sed that always emits a newline even
    
    if the input does not contain one; from Michael Forney
    
    OpenBSD-Regress-ID: 9190c3ddf0d2562ccc02c4a95fce0e392196bfc7

commit 8074f9499e454df0acdacea33598858a1453a357
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 03:36:25 2020 +0000

    upstream: remove obsolete RSA1 test keys; spotted by Michael Forney
    
    OpenBSD-Regress-ID: 6384ba889594e217d166908ed8253718ab0866da

commit c697e46c314aa94574af0d393d80f23e0ebc9748
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat May 2 18:34:47 2020 +1000

    Update .depend.

commit 83657eac42941f270c4b02b2c46d9a21f616ef99
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat May 2 18:29:40 2020 +1000

    Remove use of tail for 'make depend'.
    
    Not every tail supports +N and we can do without it so just remove it.
    Prompted by mforney at mforney.org.

commit d25d630d24c5a1c64d4e646510e79dc22d6d7b88
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat May 2 07:19:43 2020 +0000

    upstream: we have a sshkey_save_public() function to save public keys;
    
    use it and save a bunch of redundant code.
    
    Patch from loic AT venez.fr; ok markus@ djm@
    
    OpenBSD-Commit-ID: f93e030a0ebcd0fd9054ab30db501ec63454ea5f

commit e9dc9863723e111ae05e353d69df857f0169544a
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri May 1 18:32:25 2020 +1000

    Use LONG_LONG_MAX and friends if available.
    
    If we don't have LLONG_{MIN,MAX} but do have LONG_LONG_{MIN,MAX}
    then use those instead.  We do calculate these values in configure,
    but it turns out that at least one compiler (old HP ANSI C) can't
    parse "-9223372036854775808LL" without mangling it. (It can parse
    "-9223372036854775807LL" which is presumably why its limits.h defines
    LONG_LONG_MIN as the latter minus 1.)
    
    Fixes rekey test when compiled with the aforementioned compiler.

commit aad87b88fc2536b1ea023213729aaf4eaabe1894
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 06:31:42 2020 +0000

    upstream: when receiving a file in sink(), be careful to send at
    
    most a single error response after the file has been opened. Otherwise the
    source() and sink() can become desynchronised. Reported by Daniel Goujot,
    Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
    
    ok deraadt@ markus@
    
    OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035

commit 31909696c4620c431dd55f6cd15db65c4e9b98da
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 06:28:52 2020 +0000

    upstream: expose vasnmprintf(); ok (as part of other commit) markus
    
    deraadt
    
    OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5

commit 99ce9cefbe532ae979744c6d956b49f4b02aff82
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri May 1 04:23:11 2020 +0000

    upstream: avoid NULL dereference when attempting to convert invalid
    
    ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney
    
    OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298

commit 6c6072ba8b079e6f5caa38b011a6f4570c14ed38
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri May 1 15:09:26 2020 +1000

    See if SA_RESTART signals will interrupt select().
    
    On some platforms (at least older HP-UXes such as 11.11, possibly others)
    setting SA_RESTART on signal handlers will cause it to not interrupt
    select(), at least for calls that do not specify a timeout.  Try to
    detect this and if found, don't use SA_RESTART.
    
    POSIX says "If SA_RESTART has been set for the interrupting signal, it
    is implementation-dependent whether select() restarts or returns with
    [EINTR]" so this behaviour is within spec.

commit 90a0b434ed41f9c505662dba8782591818599cb3
Author: Damien Miller <djm@mindrot.org>
Date:   Fri May 1 13:55:03 2020 +1000

    fix reversed test

commit c0dfd18dd1c2107c73d18f70cd164f7ebd434b08
Author: Damien Miller <djm@mindrot.org>
Date:   Fri May 1 13:29:16 2020 +1000

    wrap sha2.h inclusion in #ifdef HAVE_SHA2_H

commit a01817a9f63dbcbbc6293aacc4019993a4cdc7e3
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Apr 28 04:59:29 2020 +0000

    upstream: adapt dummy FIDO middleware to API change; ok markus@
    
    OpenBSD-Regress-ID: 8bb84ee500c2eaa5616044314dd0247709a1790f

commit 261571ddf02ea38fdb5e4a97c69ee53f847ca5b7
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Thu Apr 30 18:28:37 2020 +0000

    upstream: tweak previous; ok markus
    
    OpenBSD-Commit-ID: 41895450ce2294ec44a5713134491cc31f0c09fd

commit 5de21c82e1d806d3e401b5338371e354b2e0a66f
Author: markus@openbsd.org <markus@openbsd.org>
Date:   Thu Apr 30 17:12:20 2020 +0000

    upstream: bring back debug() removed in rev 1.74; noted by pradeep
    
    kumar
    
    OpenBSD-Commit-ID: 8d134d22ab25979078a3b48d058557d49c402e65

commit ea14103ce9a5e13492e805f7e9277516ff5a4273
Author: markus@openbsd.org <markus@openbsd.org>
Date:   Thu Apr 30 17:07:10 2020 +0000

    upstream: run the 2nd ssh with BatchMode for scp -3
    
    OpenBSD-Commit-ID: 77994fc8c7ca02d88e6d0d06d0f0fe842a935748

commit 59d2de956ed29aa5565ed5e5947a7abdb27ac013
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Apr 28 04:02:29 2020 +0000

    upstream: when signing a challenge using a FIDO token, perform the
    
    hashing in the middleware layer rather than in ssh code. This allows
    middlewares that call APIs that perform the hashing implicitly (including
    Microsoft's AFAIK). ok markus@
    
    OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d

commit c9d10dbc0ccfb1c7568bbb784f7aeb7a0b5ded12
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sun Apr 26 09:38:14 2020 +0000

    upstream: Fix comment typo. Patch from mforney at mforney.org.
    
    OpenBSD-Commit-ID: 3565f056003707a5e678e60e03f7a3efd0464a2b

commit 4d2c87b4d1bde019cdd0f00552fcf97dd8b39940
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Apr 25 06:59:36 2020 +0000

    upstream: We've standardized on memset over bzero, replace a couple
    
    that had slipped in.  ok deraadt markus djm.
    
    OpenBSD-Commit-ID: f5be055554ee93e6cc66b0053b590bef3728dbd6

commit 7f23f42123d64272a7b00754afa6b0841d676691
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri May 1 12:21:58 2020 +1000

    Include sys/byteorder.h for htons and friends.
    
    These are usually in netinet/in.h but on HP-UX they are not defined if
    _XOPEN_SOURCE_EXTENDED is set.  Only needed for netcat in the regression
    tests.

commit d27cba58c972d101a5de976777e518f34ac779cb
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri May 1 09:21:52 2020 +1000

    Fix conditional for openssl-based chacha20.
    
    Fixes warnings or link errors when building against older OpenSSLs.
    ok djm

commit 20819b962dc1467cd6fad5486a7020c850efdbee
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Apr 24 15:07:55 2020 +1000

    Error out if given RDomain if unsupported.
    
    If the config contained 'RDomain %D' on a platform that did not support
    it, the error would not be detected until runtime resulting in a broken
    sshd.  Detect this earlier and error out if found.  bz#3126, based on a
    patch from jjelen at redhat.com, tweaks and ok djm@

commit 2c1690115a585c624eed2435075a93a463a894e2
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 24 03:33:21 2020 +0000

    upstream: Fix incorrect error message for "too many known hosts files."
    
    bz#3149, patch from jjelen at redhat.com.
    
    OpenBSD-Commit-ID: e0fcb07ed5cf7fd54ce340471a747c24454235e5

commit 3beb7276e7a8aedd3d4a49f9c03b97f643448c92
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 24 02:19:40 2020 +0000

    upstream: Remove leave_non_blocking() which is now dead code
    
    because nothing sets in_non_blocking_mode any more. Patch from
    michaael.meeks at collabora.com, ok djm@
    
    OpenBSD-Commit-ID: c403cefe97a5a99eca816e19cc849cdf926bd09c

commit 8654e3561772f0656e7663a0bd6a1a8cb6d43300
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Thu Apr 23 21:28:09 2020 +0000

    upstream: ce examples of "Ar arg Ar arg" with "Ar arg arg" and
    
    stop the spread;
    
    OpenBSD-Commit-ID: af0e952ea0f5e2019c2ce953ed1796eca47f0705

commit 67697e4a8246dd8423e44b8785f3ee31fee72d07
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Apr 24 11:10:18 2020 +1000

    Update .depend.

commit d6cc76176216fe3fac16cd20d148d75cb9c50876
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Apr 22 14:07:00 2020 +1000

    Mailing list is now closed to non-subscribers.
    
    While there, add a reference to the bugzilla.  ok djm@

commit cecde6a41689d0ae585ec903b190755613a6de79
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Apr 22 12:09:40 2020 +1000

    Put the values from env vars back.
    
    This merges the values from the recently removed environment into make's
    command line arguments since we actually need those.

commit 300c4322b92e98d3346efa0aec1c094c94d0f964
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Apr 22 11:33:15 2020 +1000

    Pass configure's egrep through to test-exec.sh.
    
    Use it to create a wrapper function to call it from tests.  Fixes the
    keygen-comment test on platforms with impoverished default egrep (eg
    Solaris).

commit c8d9796cfe046f00eb8b2096d2b7028d6a523a84
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Apr 22 10:56:44 2020 +1000

    Remove unneeded env vars from t-exec invocation.

commit 01d4cdcd4514e99a4b6eb9523cd832bbf008d1d7
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Apr 21 23:14:58 2020 +0000

    upstream: Backslash '$' at the end of string. Prevents warning on
    
    some shells.
    
    OpenBSD-Regress-ID: 5dc27ab624c09d34078fd326b10e38c1ce9c741f

commit 8854724ccefc1fa16f10b37eda2e759c98148caa
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Apr 21 18:27:23 2020 +1000

    Sync rev 1.49.
    
    Prevent infinite for loop since i went from ssize_t to size_t.  Patch from
    eagleoflqj via OpenSSH github PR#178, ok djm@, feedback & ok millert@

commit d00d07b6744d3b4bb7aca46c734ecd670148da23
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Apr 20 04:44:47 2020 +0000

    upstream: regression test for printing of private key fingerprints and
    
    key comments, mostly by loic AT venez.fr (slightly tweaked for portability)
    ok dtucker@
    
    OpenBSD-Regress-ID: 8dc6c4feaf4fe58b6d634cd89afac9a13fd19004

commit a98d5ba31e5e7e01317352f85fa63b846a960f8c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Apr 20 04:43:57 2020 +0000

    upstream: fix a bug I introduced in r1.406: when printing private key
    
    fingerprint of old-format key, key comments were not being displayed. Spotted
    by loic AT venez.fr, ok dtucker
    
    OpenBSD-Commit-ID: 2d98e4f9eb168eea733d17e141e1ead9fe26e533

commit 32f2d0aad42c15e19bd3b07496076ca891573a58
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 07:16:07 2020 +0000

    upstream: repair private key fingerprint printing to also print
    
    comment after regression caused by my recent pubkey loading refactor.
    Reported by loic AT venez.fr, ok dtucker@
    
    OpenBSD-Commit-ID: f8db49acbee6a6ccb2a4259135693b3cceedb89e

commit 094dd513f4b42e6a3cebefd18d1837eb709b4d99
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 07:15:11 2020 +0000

    upstream: refactor out some duplicate private key loading code;
    
    based on patch from loic AT venez.fr, ok dtucker@
    
    OpenBSD-Commit-ID: 5eff2476b0d8d0614924c55e350fb7bb9c84f45e

commit 4e04f46f248f1708e39b900b76c9693c820eff68
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Fri Apr 17 06:12:41 2020 +0000

    upstream: add space between macro arg and punctuation;
    
    OpenBSD-Commit-ID: c93a6cbb4bf9468fc4c13e64bc1fd4efee201a44

commit 44ae009a0112081d0d541aeaa90088bedb6f21ce
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 04:27:03 2020 +0000

    upstream: auth2-pubkey r1.89 changed the order of operations to
    
    checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand
    if no key was found in a file. Document this order here; bz3134
    
    OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12

commit f96f17f920f38ceea6f3c5cb0b075c46b8929fdc
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Apr 17 14:07:15 2020 +1000

    sys/sysctl.h is only used on OpenBSD
    
    so change the preprocessor test used to include it to check
    __OpenBSD__, matching the code that uses the symbols it declares.

commit 54688e937a69c7aebef8a3d50cbd4c6345bab2ca
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 03:38:47 2020 +0000

    upstream: fix reversed test that caused IdentitiesOnly=yes to not
    
    apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@
    
    OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677

commit 267cbc87b5b6e78973ac4d3c7a6f807ed226928c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 03:34:42 2020 +0000

    upstream: mention that /etc/hosts.equiv and /etc/shosts.equiv are
    
    not considered for HostbasedAuthentication when the target user is root;
    bz3148
    
    OpenBSD-Commit-ID: fe4c1256929e53f23af17068fbef47852f4bd752

commit c90f72d29e84b4a2709078bf5546a72c29a65177
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 03:30:05 2020 +0000

    upstream: make IgnoreRhosts a tri-state option: "yes" ignore
    
    rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
    .shosts files but not .rhosts. ok dtucker@
    
    OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9

commit 321c7147079270f3a154f91b59e66219aac3d514
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 17 03:23:13 2020 +0000

    upstream: allow the IgnoreRhosts directive to appear anywhere in a
    
    sshd_config, not just before any Match blocks; bz3148, ok dtucker@
    
    OpenBSD-Commit-ID: e042467d703bce640b1f42c5d1a62bf3825736e8

commit ca5403b085a735055ec7b7cdcd5b91f2662df94c
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Sat Apr 11 20:20:09 2020 +0000

    upstream: add space between macro arg and punctuation;
    
    OpenBSD-Commit-ID: e579e4d95eef13059c30931ea1f09ed8296b819c

commit 8af0244d7b4a65eed2e62f9c89141c7c8e63f09d
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Apr 15 10:58:02 2020 +1000

    Add sys/syscall.h for syscall numbers.
    
    In some architecture/libc configurations we need to explicitly include
    sys/syscall.h for the syscall number (__NR_xxx) definitions.  bz#3085,
    patch from blowfist at xroutine.net.

commit 3779b50ee952078018a5d9e1df20977f4355df17
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Apr 11 10:16:11 2020 +0000

    upstream: Refactor private key parsing. Eliminates a fair bit of
    
    duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
    type check in the ECDSA_CERT parsing path.
    
    feedback and ok markus@
    
    OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9

commit b6a4013647db67ec622c144a9e05dd768f1966b3
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 10 00:54:03 2020 +0000

    upstream: Add tests for TOKEN expansion of LocalForward and
    
    RemoteForward.
    
    OpenBSD-Regress-ID: 90fcbc60d510eb114a2b6eaf4a06ff87ecd80a89

commit abc3e0a5179c13c0469a1b11fe17d832abc39999
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Mon Apr 6 09:43:55 2020 +0000

    upstream: Add utf8.c for asmprintf used by krl.c
    
    OpenBSD-Regress-ID: 433708d11165afdb189fe635151d21659dd37a37

commit 990687a0336098566c3a854d23cce74a31ec6fe2
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 10 00:52:07 2020 +0000

    upstream: Add TOKEN percent expansion to LocalForward and RemoteForward
    
    when used for Unix domain socket forwarding.  Factor out the code for the
    config keywords that use the most common subset of TOKENS into its own
    function. bz#3014, ok jmc@ (man page bits) djm@
    
    OpenBSD-Commit-ID: bffc9f7e7b5cf420309a057408bef55171fd0b97

commit 2b13d3934d5803703c04803ca3a93078ecb5b715
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:10:37 2020 +0000

    upstream: let sshkey_try_load_public() load public keys from the
    
    unencrypted envelope of private key files if no sidecar public key file is
    present.
    
    ok markus@
    
    OpenBSD-Commit-ID: 252a0a580e10b9a6311632530d63b5ac76592040

commit d01f39304eaab0352793b490a25e1ab5f59a5366
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:09:24 2020 +0000

    upstream: simplify sshkey_try_load_public()
    
    ok markus@
    
    OpenBSD-Commit-ID: 05a5d46562aafcd70736c792208b1856064f40ad

commit f290ab0833e44355fc006e4e67b92446c14673ef
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:08:46 2020 +0000

    upstream: add sshkey_parse_pubkey_from_private_fileblob_type()
    
    Extracts a public key from the unencrypted envelope of a new-style
    OpenSSH private key.
    
    ok markus@
    
    OpenBSD-Commit-ID: 44d7ab446e5e8c686aee96d5897b26b3939939aa

commit 8d514eea4ae089626a55e11c7bc1745c8d9683e4
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:07:19 2020 +0000

    upstream: simplify sshkey_parse_private_fileblob_type()
    
    Try new format parser for all key types first, fall back to PEM
    parser only for invalid format errors.
    
    ok markus@
    
    OpenBSD-Commit-ID: 0173bbb3a5cface77b0679d4dca0e15eb5600b77

commit 421169d0e758351b105eabfcebf42378ebf17217
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:05:59 2020 +0000

    upstream: check private key type against requested key type in
    
    new-style private decoding; ok markus@
    
    OpenBSD-Commit-ID: 04d44b3a34ce12ce5187fb6f6e441a88c8c51662

commit 6aabfb6d22b36d07f584cba97f4cdc4363a829da
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:04:32 2020 +0000

    upstream: check that pubkey in private key envelope matches actual
    
    private key
    
    (this public key is currently unused)
    
    ok markus@
    
    OpenBSD-Commit-ID: 634a60b5e135d75f48249ccdf042f3555112049c

commit c0f5b2294796451001fd328c44f0d00f1114eddf
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 8 00:01:52 2020 +0000

    upstream: refactor private key parsing a little
    
    Split out the base64 decoding and private section decryption steps in
    to separate functions. This will make the decryption step easier to fuzz
    as well as making it easier to write a "load public key from new-format
    private key" function.
    
    ok markus@
    
    OpenBSD-Commit-ID: 7de31d80fb9062aa01901ddf040c286b64ff904e

commit 8461a5b3db34ed0b5a4a18d82f64fd5ac8693ea8
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Mon Apr 6 20:54:34 2020 +1000

    Include openssl-compat.h before checking ifdefs.
    
    Fixes problem where unsuitable chacha20 code in libressl would be used
    unintentionally.

commit 931c50c5883a9910ea1ae9a371e4e815ec56b035
Author: Damien Miller <djm@mindrot.org>
Date:   Mon Apr 6 10:04:56 2020 +1000

    fix inverted test for LibreSSL version

commit d1d5f728511e2338b7c994968d301d8723012264
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Apr 4 23:04:41 2020 +0000

    upstream: Indicate if we're using a cached key in trace output.
    
    OpenBSD-Regress-ID: 409a7b0e59d1272890fda507651c0c3d2d3c0d89

commit a398251a4627367c78bc483c70c2ec973223f82c
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Apr 5 08:43:57 2020 +1000

    Use /usr/bin/xp4g/id if necessary.
    
    Solaris' native "id" doesn't support the options we use but the one
    in /usr/bin/xp4g does, so use that instead.

commit db0fdd48335b5b01114f78c1a73a195235910f81
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Apr 4 22:14:26 2020 +0000

    upstream: Some platforms don't have "hostname -s", so use cut to trim
    
    short hostname instead.
    
    OpenBSD-Regress-ID: ebcf36a6fdf287c9336b0d4f6fc9f793c05307a7

commit e7e59a9cc8eb7fd5944ded28f4d7e3ae0a5fdecd
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 07:53:10 2020 +0000

    upstream: Compute hash locally and re-enable %C tests.
    
    OpenBSD-Regress-ID: 94d1366e8105274858b88a1f9ad2e62801e49770

commit abe2b245b3ac6c4801e99bc0f13289cd28211e22
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Apr 3 17:25:46 2020 +1100

    prefer libcrypto chacha20-poly1305 where possible

commit bc5c5d01ad668981f9e554e62195383bc12e8528
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 05:43:11 2020 +0000

    upstream: Temporarily remove tests for '%C' since the hash contains the
    
    local hostname and it doesn't work on any machine except mine... spotted by
    djm@
    
    OpenBSD-Regress-ID: 2d4c3585b9fcbbff14f4a5a5fde51dbd0d690401

commit 81624026989654955a657ebf2a1fe8b9994f3c87
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 06:07:57 2020 +0000

    upstream: r1.522 deleted one too many lines; repair
    
    OpenBSD-Commit-ID: 1af8851fd7a99e4a887b19aa8f4c41a6b3d25477

commit 668cb3585ce829bd6e34d4a962c489bda1d16370
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Fri Apr 3 05:53:52 2020 +0000

    upstream: sort -N and add it to usage();
    
    OpenBSD-Commit-ID: 5b00e8db37c2b0a54c7831fed9e5f4db53ada332

commit 338ccee1e7fefa47f3d128c2541e94c5270abe0c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 05:48:57 2020 +0000

    upstream: avoid another compiler warning spotted in -portable
    
    OpenBSD-Commit-ID: 1d29c51ac844b287c4c8bcaf04c63c7d9ba3b8c7

commit 9f8a42340bd9af86a99cf554dc39ecdf89287544
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:07:48 2020 +0000

    upstream: this needs utf8.c too
    
    OpenBSD-Regress-ID: 445040036cec714d28069a20da25553a04a28451

commit 92115ea7c3a834374720c350841fc729e7d5c8b2
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 03:14:03 2020 +0000

    upstream: Add percent_expand test for 'Match Exec'.
    
    OpenBSD-Regress-ID: a41c14fd6a0b54d66aa1e9eebfb9ec962b41232f

commit de34a440276ae855c38deb20f926d46752c62c9d
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:43:24 2020 +0000

    upstream: fix format string (use %llu for uint64, not %lld). spotted by
    
    Darren and his tinderbox tests
    
    OpenBSD-Commit-ID: 3b4587c3d9d46a7be9bdf028704201943fba96c2

commit 9cd40b829a5295cc81fbea8c7d632b2478db6274
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:34:15 2020 +0000

    upstream: Add a flag to re-enable verbose output when in batch
    
    mode; requested in bz3135; ok dtucker
    
    OpenBSD-Commit-ID: 5ad2ed0e6440562ba9c84b666a5bbddc1afe2e2b

commit 6ce51a5da5d333a44e7c74c027f3571f70c39b24
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:32:21 2020 +0000

    upstream: chacha20-poly1305 AEAD using libcrypto EVP_chacha20
    
    Based on patch from Yuriy M. Kaminskiy. ok + lots of assistance along the
    way at a2k20 tb@
    
    OpenBSD-Commit-ID: 5e08754c13d31258bae6c5e318cc96219d6b10f0

commit eba523f0a130f1cce829e6aecdcefa841f526a1a
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:27:03 2020 +0000

    upstream: make Chacha20-POLY1305 context struct opaque; ok tb@ as
    
    part of a larger diff at a2k20
    
    OpenBSD-Commit-ID: a4609b7263284f95c9417ef60ed7cdbb7bf52cfd

commit ebd29e90129cf18fedfcfe1de86e324228669295
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:06:26 2020 +0000

    upstream: fix debug statement
    
    OpenBSD-Commit-ID: 42c6edeeda5ce88b51a20d88c93be3729ce6b916

commit 7b4d8999f2e1a0cb7b065e3efa83e6edccfc7d82
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 04:03:51 2020 +0000

    upstream: the tunnel-forwarding vs ExitOnForwardFailure fix that I
    
    committed earlier had an off-by-one. Fix this and add some debugging that
    would have made it apparent sooner.
    
    OpenBSD-Commit-ID: 082f8f72b1423bd81bbdad750925b906e5ac6910

commit eece243666d44ceb710d004624c5c7bdc05454bc
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 03:12:11 2020 +0000

    upstream: %C expansion just added to Match Exec should include
    
    remote user not local user.
    
    OpenBSD-Commit-ID: 80f1d976938f2a55ee350c11d8b796836c8397e2

commit d5318a784d016478fc8da90a38d9062c51c10432
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 02:33:31 2020 +0000

    upstream: Add regression test for percent expansions where possible.
    
    OpenBSD-Regress-ID: 7283be8b2733ac1cbefea3048a23d02594485288

commit 663e84bb53de2a60e56a44d538d25b8152b5c1cc
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 02:40:32 2020 +0000

    upstream: make failures when establishing "Tunnel" forwarding terminate
    
    the connection when ExitOnForwardFailure is enabled; bz3116; ok dtucker
    
    OpenBSD-Commit-ID: ef4b4808de0a419c17579b1081da768625c1d735

commit ed833da176611a39d3376d62154eb88eb440d31c
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Apr 3 02:27:12 2020 +0000

    upstream: Make with config keywords support which
    
    percent_expansions more consistent.
     - %C is moved into its own function and added to Match Exec.
     - move the common (global) options into a macro.  This is ugly but it's
       the least-ugly way I could come up with.
     - move IdentityAgent and ForwardAgent percent expansion to before the
       config dump to make it regression-testable.
     - document all of the above
    
    ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.
    
    OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75

commit 6ec7457171468da2bbd908b8cd63d298b0e049ea
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 02:26:56 2020 +0000

    upstream: give ssh-keygen the ability to dump the contents of a
    
    binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker
    
    OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b

commit af628b8a6c3ef403644d83d205c80ff188c97f0c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 3 02:25:21 2020 +0000

    upstream: add allocating variant of the safe utf8 printer; ok
    
    dtucker as part of a larger diff
    
    OpenBSD-Commit-ID: 037e2965bd50eacc2ffb49889ecae41552744fa0

commit d8ac9af645f5519ac5211e9e1e4dc1ed00e9cced
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Mon Mar 16 02:17:02 2020 +0000

    upstream: Cast lifetime to u_long for comparison to prevent unsigned
    
    comparison warning on 32bit arches.  Spotted by deraadt, ok djm.
    
    OpenBSD-Commit-ID: 7a75b2540bff5ab4fa00b4d595db1df13bb0515a

commit 0eaca933ae08b0a515edfccd5cc4a6b667034813
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Mar 14 20:58:46 2020 +1100

    Include fido.h when checking for fido/credman.h.
    
    It's required for fido_dev_t, otherwise configure fails with
    when given --with-security-key-builtin.

commit c7c099060f82ffe6a36d8785ecf6052e12fd92f0
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Mar 13 03:18:45 2020 +0000

    upstream: some more speeling mistakes from
    
    OpenBSD-Regress-ID: 02471c079805471c546b7a69d9ab1d34e9a57443

commit 1d89232a4aa97fe935cd60b8d24d75c2f70d56c5
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Mar 13 04:16:27 2020 +0000

    upstream: improve error messages for some common PKCS#11 C_Login
    
    failure cases; based on patch from Jacob Hoffman-Andrews in bz3130; ok
    dtucker
    
    OpenBSD-Commit-ID: b8b849621b4a98e468942efd0a1c519c12ce089e

commit 5becbec023f2037394987f85ed7f74b9a28699e0
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Mar 13 04:01:56 2020 +0000

    upstream: use sshpkt_fatal() for kex_exchange_identification()
    
    errors. This ensures that the logged errors are consistent with other
    transport-layer errors and that the relevant IP addresses are logged. bz3129
    ok dtucker@
    
    OpenBSD-Commit-ID: 2c22891f0b9e1a6cd46771cedbb26ac96ec2e6ab

commit eef88418f9e5e51910af3c5b23b5606ebc17af55
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 13 03:24:49 2020 +0000

    upstream: Don't clear alarm timers in listening sshd. Previously
    
    these timers were used for regenerating the SSH1 ephemeral host keys but
