commit 6dfb65de949cdd0a5d198edee9a118f265924f33
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 2 23:21:54 2023 +1100

    crank versions in RPM specs

commit d07cfb11a0ca574eb68a3931d8c46fbe862a2021
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 2 23:21:45 2023 +1100

    update version in README

commit 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 2 23:17:49 2023 +1100

    adapt compat_kex_proposal() test to portable

commit 903c556b938fff2d7bff8da2cc460254430963c5
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Feb 2 12:12:52 2023 +0000

    upstream: test compat_kex_proposal(); by dtucker@
    
    OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2

commit 405fba71962dec8409c0c962408e09049e5624b5
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Thu Jan 19 07:53:45 2023 +0000

    upstream: Check if we can copy sshd or need to use sudo to do so
    
    during reexec test. Skip test if neither can work.  Patch from anton@, tweaks
    from me.
    
    OpenBSD-Regress-ID: 731b96ae74d02d5744e1f1a8e51d09877ffd9b6d

commit b2a2a8f69fd7737ea17dc044353c514f2f962f35
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Feb 2 12:10:22 2023 +0000

    upstream: openssh-9.2
    
    OpenBSD-Commit-ID: f7389f32413c74d6e2055f05cf65e7082de03923

commit 12da7823336434a403f25c7cc0c2c6aed0737a35
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Feb 2 12:10:05 2023 +0000

    upstream: fix double-free caused by compat_kex_proposal(); bz3522
    
    by dtucker@, ok me
    
    OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80

commit 79efd95ab5ff99f4cb3a955e2d713b3f54fb807e
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Feb 1 17:17:26 2023 +1100

    Skip connection-timeout test on minix3.
    
    Minix 3's Unix domain sockets don't seem to work the way we expect, so
    skip connection-timeout test on that platform.  While there, group
    together all similarly skipped tests and explicitly comment.

commit 6b508c4e039619842bcf5a16f8a6b08dd6bec44a
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Feb 1 12:12:05 2023 +1100

    fix libfido2 detection without pkg-config
    
    Place libfido2 before additional libraries (that it may depend upon)
    and not after. bz3530 from James Zhang; ok dtucker@

commit 358e300fed5e6def233a2c06326e51e20ebed621
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date:   Wed Jan 18 20:56:36 2023 +0000

    upstream: delete useless dependency
    
    OpenBSD-Commit-ID: e1dc11143f83082e3154d6094f9136d0dc2637ad

commit a4cb9be1b021b511e281ee55c356f964487d9e82
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date:   Wed Jan 18 20:43:15 2023 +0000

    upstream: Create and install sshd random relink kit.
    
    ../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
    be too fragile, we'll see if we need a different approach. The resulting sshd
    binary is tested with the new sshd -V option before installation.  As the
    binary layout is now semi-unknown (meaning relative, fixed, and gadget
    offsets are not precisely known), change the filesystem permissions to 511 to
    prevent what I call "logged in BROP". I have ideas for improving this further
    but this is a first step ok djm
    
    OpenBSD-Commit-ID: 1e0a2692b7e20b126dda60bf04999d1d30d959d8

commit bc7de6f91a9a0ae2f148a9d31a4027d441a51999
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Wed Jan 18 06:55:32 2023 +0000

    upstream: tweak previous; ok djm
    
    OpenBSD-Commit-ID: df71ce4180c58202dfdc1d92626cfe900b91b7c3

commit a20b7e999773e6333c8aa9b0a7fa41966e63b037
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Jan 31 19:35:44 2023 +1100

    Skip connection-timeout test under Valgrind.
    
    Valgrind slows things down so much that the timeout test fails.  Skip
    this test until we figure out if we can make it work.

commit c3ffb54b4fc5e608206037921db6ccbc2f5ab25f
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Jan 25 21:58:40 2023 +1100

    Skip connection-timeout when missing FD passing.
    
    This tests uses multiplexing which uses file descriptor passing, so
    skip it if we don't have that.  Fixes test failures on Cygwin.

commit 35253af01d8c0ab444c8377402121816e71c71f5
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Jan 18 02:00:10 2023 +0000

    upstream: when restoring non-blocking mode to stdio fds, restore
    
    exactly the flags that ssh started with and don't just clobber them with
    zero, as this could also remove the append flag from the set;
    
    bz3523; ok dtucker@
    
    OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0

commit 7d17ea151c0b2519f023bd9cc7f141128833ac47
Author: millert@openbsd.org <millert@openbsd.org>
Date:   Wed Jan 18 01:50:21 2023 +0000

    upstream: Add a -V (version) option to sshd like the ssh client
    
    has. OK markus@ deraadt@
    
    OpenBSD-Commit-ID: abe990ec3e636fb040132aab8cbbede98f0c413e

commit 62360feb7f08f2a4c6fc36f3b3449309203c42c9
Author: millert@openbsd.org <millert@openbsd.org>
Date:   Tue Jan 17 18:52:44 2023 +0000

    upstream: For "ssh -V" always exit 0, there is no need to check opt
    
    again. This was missed when the fallthrough in the switch case above it was
    removed.  OK deraadt@
    
    OpenBSD-Commit-ID: 5583e5d8f6d62a8a4215cfa95a69932f344c8120

commit 12492c0abf1eb415d08a897cc1d8b9e789888230
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Jan 17 10:15:10 2023 +0000

    upstream: also check that an active session inhibits
    
    UnusedConnectionTimeout idea markus@
    
    OpenBSD-Regress-ID: 55c0fb61f3bf9e092b0a53f9041d3d2012f14003

commit cef2593c33ac46a58238ff998818754eabdf64ff
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Jan 17 10:02:34 2023 +0000

    upstream: regression test for UnusedConnectionTimeout
    
    OpenBSD-Regress-ID: 7f29001374a68e71e5e078f69e4520cf4bcca084

commit aff9493a89c71d6a080419b49ac64eead9730491
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Jan 16 04:11:29 2023 +0000

    upstream: unbreak test: cannot access shell positional parameters
    
    past $9 without wrapping the position in braces (i.e. need ${10}, etc.)
    
    OpenBSD-Regress-ID: 3750ec98d5d409ce6a93406fedde6f220d2ea2ac

commit 0293c19807f83141cdf33b443154459f9ee471f6
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Jan 17 09:44:48 2023 +0000

    upstream: Add a sshd_config UnusedConnectionTimeout option to terminate
    
    client connections that have no open channels for some length of time. This
    complements the recently-added ChannelTimeout option that terminates inactive
    channels after a timeout.
    
    ok markus@
    
    OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9

commit 8ec2e3123802d2beeca06c1644b0b647f6d36dab
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sun Jan 15 23:35:10 2023 +0000

    upstream: adapt to ed25519 changes in src/usr.bin/ssh
    
    OpenBSD-Regress-ID: 4b3e7ba7ee486ae8a0b4790f8112eded2bb7dcd5

commit 9fbbfeca1ce4c7ec0001c827bbf4189a3ba0964b
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sun Jan 15 23:05:32 2023 +0000

    upstream: update OpenSSH's Ed25519 code to the last version of SUPERCOP
    
    (20221122) and change the import approach to the same one we use for
    Streamlined NTRUPrime: use a shell script to extract the bits we need from
    SUPERCOP, make some minor adjustments and squish them all into a single file.
    
    ok tb@ tobhe@
    
    OpenBSD-Commit-ID: 1bc0fd624cb6af440905b8ba74ac7c03311b8e3b

commit 6283f4bd83eee714d0f5fc55802eff836b06fea8
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Jan 14 22:02:44 2023 +1100

    Allow writev is seccomp sandbox.
    
    This seems to be used by recent glibcs at least in some configurations.
    From bz#3512, ok djm@

commit 923c3f437f439cfca238fba37e97a7041782f615
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Jan 14 10:05:54 2023 +0000

    upstream: Shell syntax fix. From ren mingshuai vi github PR#369.
    
    OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9

commit 4d87a00f704e0365e11c3c38b170c1275ec461fc
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Jan 14 09:57:08 2023 +0000

    upstream: Instead of skipping the all-tokens test if we don't have
    
    OpenSSL (since we use it to compute the hash), put the hash at the end and
    just omit it if we don't have it.  Prompted by bz#3521.
    
    OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea

commit b05406d6f93b8c8ec11ec8b27e7c76cc7a5a55fb
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Fri Jan 13 07:13:40 2023 +0000

    upstream: fix double phrase in previous;
    
    OpenBSD-Commit-ID: 671e6c8dc5e9230518b2bbfa143daaa88adc66c2

commit 40564812b659c530eb1f4b62d09e85612aef3107
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 13 03:16:29 2023 +0000

    upstream: Document "UserKnownHostsFile none". ok djm@
    
    OpenBSD-Commit-ID: f695742d39e34ecdcc3c861c3739a84648a4bce5

commit d03e245e034019a37388f6f5f893ce848ab6d2e2
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Jan 13 23:02:34 2023 +1100

    Retry package installation 3 times.
    
    When setting up the CI environment, retry package installation 3 times
    before going up.  Should help prevent spurious failures during
    infrastructure issues.

commit 625f6bc39840167dafb3bf5b6a3e18503ac986e8
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 13 04:47:34 2023 +0000

    upstream: Move scp path setting to a helper function. The previous
    
    commit to add scp to the test sshd's path causes the t-envpass test to fail
    when the test scp is given using a fully qualified path.  Put this in a
    helper function and only call it from the scp tests.
    
    OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4

commit 6e6f88647042b3cde54a628545c2f5fb656a9327
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 13 04:23:00 2023 +0000

    upstream: Add scp's path to test sshd's PATH.
    
    If the scp we're testing is fully qualified (eg it's not in the system
    PATH) then add its path to the under-test sshd's PATH so we can find
    it. Prompted by bz#3518.
    
    OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0

commit 8a5e99a70fcf9b022a8aa175ebf6a71f58511da3
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Jan 13 15:49:48 2023 +1100

    Remove skipping test when scp not in path.
    
    An upcoming change renders this obsolete by adding scp's path to the
    test sshd's PATH, and removing this first will make the subsequent sync
    easier.

commit 41f36dd896c8fb8337d403fcf476762986976e9d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 13 02:58:20 2023 +0000

    upstream: Add a "Host" line to the output of ssh -G showing the
    
    original host arg. Inspired by patch from vincent at bernat.ch via bz#3343,
    ok djm@
    
    OpenBSD-Commit-ID: 59c0f60a222113a44d0650cd394376e3beecc883

commit f673b49f3be3eb51074fbb8a405beb6cd0f7d93e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 13 02:44:02 2023 +0000

    upstream: avoid printf("%s", NULL) if using ssh
    
    -oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
    changes; ok dtucker@
    
    OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614

commit 93fc7c576563e3d88a1dc019dd213f65607784cc
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Jan 11 05:39:38 2023 +0000

    upstream: clamp the minimum buffer lengths and number of inflight
    
    requests too
    
    OpenBSD-Commit-ID: c4965f62fa0ba850940fd66ae3f60cf516bbcd56

commit 48bf234322e639d279c5a28435eae50155e9b514
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Jan 11 05:36:50 2023 +0000

    upstream: ignore bogus upload/download buffer lengths in the limits
    
    extension
    
    OpenBSD-Commit-ID: c5b023e0954693ba9a5376e4280c739b5db575f8

commit 36b00d31833ca74cb0f7c7d8eda1bde55700f929
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Jan 11 02:13:52 2023 +0000

    upstream: remove whitespace at EOL from code extracted from SUPERCOP
    
    OpenBSD-Commit-ID: 1ec524ff2fbb9387d731601437c82008f35a60f4

commit d888de06c5e4d7dbf2f2b85f2b5bf028c570cf78
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Jan 11 00:51:27 2023 +0000

    upstream: rewrite this test to use a multiplexed ssh session so we can
    
    control its lifecycle without risk of race conditions; fixes some of the
    Github integration tests for openssh-portable
    
    OpenBSD-Regress-ID: 5451cad59ba0d43ae9eeda48ec80f54405fee969

commit 4bcc737a35fdd9cc4af7423d6c23dfd0c7ef4786
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Jan 11 11:45:17 2023 +1100

    remove buffer len workaround for NetBSD 4.x
    
    Switching to from pipes to a socketpair for communicating with the
    ssh process avoids the (kernel bug?) problem.

commit f5154d2aac3e6a32a1b13dec23a701a087850cdc
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Jan 11 11:44:19 2023 +1100

    add back use of pipes in scp.c under USE_PIPES
    
    This matches sftp.c which prefers socketpair but uses pipes on
    some older platforms.

commit eec737b59cf13841de46134967a206607000acd4
Author: millert@openbsd.org <millert@openbsd.org>
Date:   Tue Jan 10 23:22:15 2023 +0000

    upstream: Switch scp from using pipes to a socketpair for
    
    communication with it's ssh sub-processes.  We no longer need to reserve two
    descriptors to ensure that we don't end up using fd 0-2 unexpectedly, that is
    handled by sanitise_stdfd() in main(). Based on an original diff from djm@.
    OK deraadt@ djm@
    
    OpenBSD-Commit-ID: b80c372faac462471e955ddeab9480d668a2e48d

commit d213d126a4a343abd3a1eb13687d39c1891fe5c8
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Fri Jan 6 08:44:11 2023 +0000

    upstream: tweak previous; ok djm
    
    OpenBSD-Commit-ID: 229c493452766d70a78b0f02f6ff9894f9028858

commit 4a5590a5ee47b7dfd49773e9fdba48ad3089fe64
Author: Damien Miller <djm@mindrot.org>
Date:   Mon Jan 9 16:33:56 2023 +1100

    try to improve logging for dynamic-forward test
    
    previously the logs from the ssh used to exercise the forwarding
    channel would clobber the logs from the ssh actually doing the
    forwarding

commit 715bc25dcfccf9fb2bee820155fe071d01a618db
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Jan 7 23:24:50 2023 +1100

    Skip dynamic-forward test on minix3.
    
    This test relies on loopback addresses which minix does not have.
    Previously the test would not run at all since it also doesn't have
    netcat, but now we use our own netcat it tries and fails.

commit dd1249bd5c45128a908395c61b26996a70f82205
Author: Damien Miller <djm@mindrot.org>
Date:   Sun Jan 8 12:08:59 2023 +1100

    don't test IPv6 addresses if platform lacks support

commit d77fc611a62f2dfee0b654c31a50a814b13310dd
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 6 12:33:33 2023 +0000

    upstream: When OpenSSL is not available, skip parts of percent test
    
    that require it. Based on github pr#368 from ren mingshuai.
    
    OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2

commit 1cd2aac312af9172f1b5cb06c2e1cd090abb83cf
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Jan 7 23:01:11 2023 +1100

    Use our own netcat for dynamic-forward test.
    
    That way we can be surer about its behaviour rather than trying to
    second-guess the behaviour of various netcat implementations.

commit 26cab41c05d7b0859d2a1ea5b6ed253d91848a80
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Jan 7 14:30:43 2023 +1100

    Use autoconf to find openssl binary.
    
    It's possible to install an OpenSSL in a path not in the system's
    default library search path.  OpenSSH can still use this (eg if you
    specify an rpath) but the openssl binary there may not work.  If one is
    available on the system path just use that.

commit 5532e010a0eeb6aa264396514f9aed7948471538
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Jan 7 10:34:18 2023 +1100

    Check openssl_bin path is executable before using.

commit 5d7b16cff48598d5908db970bfdc9ff9326142c8
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Jan 6 23:19:07 2023 +1100

    Set OPENSSL_BIN from OpenSSL directory.

commit 344a0e8240eaf08da5d46a5e3a9ecad6e4f64c35
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 6 08:50:33 2023 +0000

    upstream: Save debug logs from ssh for debugging purposes.
    
    OpenBSD-Regress-ID: 109e40b06de1c006a3b8e0d8745b790b2c5870a0

commit e1ef172646f7f49c80807eea90225ef5e0be55a8
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 08:07:39 2023 +0000

    upstream: regression test for ChannelTimeout
    
    OpenBSD-Regress-ID: 280bfbefcfa415428ad744e43f69a8dede8ad685

commit 2393ea8daf25853459eb07a528d7577688847777
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 07:18:18 2023 +0000

    upstream: fix typo in verbose logging
    
    OpenBSD-Regress-ID: 0497cdb66e003b2f50ed77291a9104fba2e017e9

commit 161a5378a3cc2e7aa3f9674cb7f4686ae6ce9586
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:59:50 2023 +0000

    upstream: unit tests for misc.c:ptimeout_* API
    
    OpenBSD-Regress-ID: 01f8fb12d08e5aaadd4bd4e71f456b6588be9a94

commit 018d671d78145f03d6f07ae9d64d51321da70325
Author: tb@openbsd.org <tb@openbsd.org>
Date:   Wed Jan 4 22:48:57 2023 +0000

    upstream: Copy bytes from the_banana[] rather than banana()
    
    Fixes test failure due to segfault seen on arm64 with xonly snap.
    
    ok djm
    
    OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046

commit ab6bb69e251faa8b24f81b25c72ec0120f20cad4
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Jan 6 19:13:36 2023 +1100

    unbreak scp on NetBSD 4.x
    
    e555d5cad5 effectively increased the default copy buffer size for SFTP
    transfers. This caused NetBSD 4.x to hang during the "copy local file to
    remote file in place" scp.sh regression test.
    
    This puts back the original 32KB copy buffer size until we can properly
    figure out why.
    
    lots of debugging assistance from dtucker@

commit 2d1ff2b9431393ad99ef496d5e3b9dd0d4f5ac8c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:47:18 2023 +0000

    upstream: Implement channel inactivity timeouts
    
    This adds a sshd_config ChannelTimeouts directive that allows channels that
    have not seen traffic in a configurable interval to be automatically closed.
    Different timeouts may be applied to session, X11, agent and TCP forwarding
    channels.
    
    Note: this only affects channels over an opened SSH connection and not
    the connection itself. Most clients close the connection when their channels
    go away, with a notable exception being ssh(1) in multiplexing mode.
    
    ok markus dtucker
    
    OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8

commit 0e34348d0bc0b1522f75d6212a53d6d1d1367980
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:42:34 2023 +0000

    upstream: Add channel_set_xtype()
    
    This sets an "extended" channel type after channel creation (e.g.
    "session:subsystem:sftp") that will be used for setting channel inactivity
    timeouts.
    
    ok markus dtucker
    
    OpenBSD-Commit-ID: 42564aa92345045b4a74300528f960416a15d4ca

commit ceedf09b2977f3a756c759a6e7eb8f8e9db86a18
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:41:49 2023 +0000

    upstream: tweak channel ctype names
    
    These are now used by sshd_config:ChannelTimeouts to specify timeouts by
    channel type, so force them all to use a similar format without whitespace.
    
    ok dtucker markus
    
    OpenBSD-Commit-ID: 66834765bb4ae14f96d2bb981ac98a7dae361b65

commit c60438158ad4b2f83d8504257aba1be7d0b0bb4b
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:39:59 2023 +0000

    upstream: Add channel_force_close()
    
    This will forcibly close an open channel by simulating read/write errors,
    draining the IO buffers and calling the detach function.
    
    Previously the detach function was only ever called during channel garbage
    collection, but there was no way to signal the user of a channel (e.g.
    session.c) that its channel was being closed deliberately (vs. by the
    usual state-machine logic). So this adds an extra "force" argument to the
    channel cleanup callback to indicate this condition.
    
    ok markus dtucker
    
    OpenBSD-Commit-ID: 23052707a42bdc62fda2508636e624afd466324b

commit d478cdc7ad6edd4b1bcd1e86fb2f23194ff33d5a
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:38:23 2023 +0000

    upstream: replace manual poll/ppoll timeout math with ptimeout API
    
    feedback markus / ok markus dtucker
    
    OpenBSD-Commit-ID: c5ec4f2d52684cdb788cd9cbc1bcf89464014be2

commit 4adf3817a24efe99b06e62630577d683c7cd8065
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Jan 6 02:37:04 2023 +0000

    upstream: add ptimeout API for keeping track of poll/ppoll
    
    timeouts; ok dtucker markus
    
    OpenBSD-Commit-ID: 3335268ca135b3ec15a947547d7cfbb8ff929ead

commit 8c7c69d32375d2f3ce9da0109c9bffc560842316
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Thu Jan 5 05:49:13 2023 +0000

    upstream: suppress "Connection closed" message when in quiet mode
    
    OpenBSD-Commit-ID: 8a3ab7176764da55f60bfacfeae9b82d84e3908f

commit 845ceecea2ac311b0c267f9ecbd34862e1876fc6
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Jan 2 07:03:57 2023 +0000

    upstream: regression test for PermitRemoteOpen
    
    OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c

commit b3daa8dc582348d6ab8150bc1e571b7aa08c5388
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Jan 2 07:03:30 2023 +0000

    upstream: fix bug in PermitRemoteOpen which caused it to ignore its
    
    first argument unless it was one of the special keywords "any" or "none".
    
    Reported by Georges Chaudy in bz3515; ok dtucker@
    
    OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5

commit 0872663a7be0301bcc3d49acdbc9b740a3d972d4
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Mon Dec 26 19:16:03 2022 +0000

    upstream: spelling fixes; from paul tagliamonte amendments to his
    
    diff are noted on tech
    
    OpenBSD-Commit-ID: d776dd03d0b882ca9c83b84f6b384f6f9bd7de4a

commit 797da2812a71785b34890bb6eb44767a7d09cd34
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 16 07:13:22 2022 +0000

    upstream: Mention that scp uses the SFTP protocol and remove
    
    reference to legacy flag. Spotted by, feedback and ok jmc@
    
    OpenBSD-Commit-ID: 9dfe04966f52e941966b46c7a2972147f95281b3

commit 93f2ce8c050a7a2a628646c00b40b9b53fef93ef
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 16 06:56:47 2022 +0000

    upstream: Clear signal mask early in main(); sshd may have been
    
    started with one or more signals masked (sigprocmask(2) is not cleared
    on fork/exec) and this could interfere with various things, e.g. the
    login grace timer.
    
    Execution environments that fail to clear the signal mask before running
    sshd are clearly broken, but apparently they do exist.
    
    Reported by Sreedhar Balasubramanian; ok dtucker@
    
    OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae

commit 4acfaabfae41badb9d334a2ee88c5c6ad041c0d5
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Fri Dec 16 06:52:48 2022 +0000

    upstream: add -X to usage();
    
    OpenBSD-Commit-ID: 1bdc3df7de11d766587b0428318336dbffe4a9d0

commit e555d5cad5afae7d5ef2bbc02ca591178fe16fed
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 16 03:40:03 2022 +0000

    upstream: add a -X option to both scp(1) and sftp(1) to allow
    
    control over some SFTP protocol knobs: the copy buffer length and
    the number of inflight requests, both of which are used during
    upload/download.
    
    Previously these could be controlled in sftp(1) using the -b/-R options.
    This makes them available in both SFTP protocol clients using the same
    option character sequence.
    
    ok dtucker@
    
    OpenBSD-Commit-ID: 27502bffc589776f5da1f31df8cb51abe9a15f1c

commit 5a7a7acab2f466dc1d7467b5d05d35268c3137aa
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date:   Thu Dec 15 18:20:39 2022 +0000

    upstream: The idiomatic way of coping with signed char vs unsigned
    
    char (which did not come from stdio read functions) in the presence of
    ctype macros, is to always cast to (unsigned char).  casting to (int)
    for a "macro" which is documented to take int, is weird.  And sadly wrong,
    because of the sing extension risk.. same diff from florian
    
    OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea

commit b0b58222c7cc62efd8212c4fb65a545f58ebb22d
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Mon Dec 19 18:49:51 2022 +1100

    Simply handling of SSH_CONNECTION PAM env var.
    
    Prompted by bz#3508: there's no need to cache the value of
    sshpam_conninfo so remove the global.  While there, add check of
    return value from pam_putenv.  ok djm@

commit ed8444572ae684fdb892f97bae342c6cb6456f04
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Mon Dec 19 18:42:34 2022 +1100

    Add tests for LibreSSL 3.7.0 and OpenSSL 1.1.1s.

commit abb9a8aaddfcacbd12641f6e4f203da0fa85a287
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Dec 18 21:36:25 2022 +1100

    Use sudo when resetting perms on directories.

commit 2f5664c5908d84697cbe91302d5d5c4d83cb2121
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Dec 18 21:19:33 2022 +1100

    Set group perms on regress dir.
    
    This ensures that the tests don't fail due to StrictMode checks.

commit 137196300fc1540affadde880210f02ba6cb4abf
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Dec 18 21:13:42 2022 +1100

    Fetch regress logs from obj dir.

commit 5f93c4836527d9fda05de8944a1c7b4a205080c7
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Dec 13 20:59:54 2022 +1100

    obsdsnap test VMs runs-on libvirt too.

commit 8386886fb1ab7fda73069fb0db1dbe0e5a52f758
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Dec 13 20:55:37 2022 +1100

    Run upstream obsdsnap tests on ephemeral runners.

commit b6e01459b55ece85d7f296b2bc719d1841e1009e
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Dec 13 20:48:56 2022 +1100

    Move obsdsnap test VMs to ephemeral runners.

commit ea6fdf9a1aa71a411f7db218a986392c4fb55693
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Dec 9 18:00:21 2022 +1100

    use calloc for allocating arc4random structs
    
    ok dtucker

commit 4403b62f5548e91389cb3339d26a9d0c4bb07b34
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Dec 9 00:22:29 2022 +0000

    upstream: Warn if no host keys for hostbased auth can be loaded.
    
    OpenBSD-Commit-ID: 2a0a13132000cf8d3593133c1b49768aa3c95977

commit a6183e25e3f1842e21999fe88bc40bb99b121dc3
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Dec 9 00:17:40 2022 +0000

    upstream: Add server debugging for hostbased auth.
    
    auth_debug_add queues messages about the auth process which is sent to
    the client after successful authentication.  This also sends those to
    the server debug log to aid in debugging.  From bz#3507, ok djm@
    
    OpenBSD-Commit-ID: 46ff67518cccf9caf47e06393e2a121ee5aa258a

commit b85c3581c16aaf6e83b9a797c80705a56b1f312e
Author: cheloha@openbsd.org <cheloha@openbsd.org>
Date:   Sun Dec 4 23:50:49 2022 +0000

    upstream: remove '?' from getopt(3) loops
    
    userspace: remove vestigial '?' cases from top-level getopt(3) loops
    
    getopt(3) returns '?' when it encounters a flag not present in the in
    the optstring or if a flag is missing its option argument.  We can
    handle this case with the "default" failure case with no loss of
    legibility.  Hence, remove all the redundant "case '?':" lines.
    
    Prompted by dlg@.  With help from dlg@ and millert@.
    
    Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2
    
    ok naddy@ millert@ dlg@
    
    OpenBSD-Commit-ID: b2f89346538ce4f5b33ab8011a23e0626a67e66e

commit 9a067e8d28a2249fd73f004961e30c113ee85e5d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Wed Dec 7 11:45:43 2022 +0000

    upstream: Fix comment typo.
    
    OpenBSD-Regress-ID: 3b04faced6511bb5e74648c6a4ef4bf2c4decf03

commit ce3c3e78ce45d68a82c7c8dc89895f297a67f225
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Dec 7 18:58:25 2022 +1100

    Add SANDBOX_DEBUG to the kitchensink test build.

commit bc234605fa3eb10f56bf0d74c8ecb0d91ada9d05
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Dec 7 18:38:25 2022 +1100

    disable SANDBOX_SECCOMP_FILTER_DEBUG
    
    It was mistakenly enabled in 2580916e4872
    
    Reported by Peter sec-openssh-com.22.fichtner AT 0sg.net

commit b087c5cfa011b27992e01589314fec830266f99d
Author: Rose <83477269+AtariDreams@users.noreply.github.com>
Date:   Tue Nov 29 15:12:54 2022 -0500

    Update autotools
    
    Regenerate config files using latest autotools

commit d63f5494978a185c7421d492b9c2f6f05bb54138
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Dec 6 12:22:36 2022 +1100

    Fix typo in comment.  Spotted by tim@

commit 73dcca12115aa12ed0d123b914d473c384e52651
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sun Dec 4 11:03:11 2022 +0000

    upstream: Remove duplicate includes.
    
     Patch from AtariDreams via github PR#364.
    
    OpenBSD-Commit-ID: b9186638a05cb8b56ef7c0de521922b6723644ea

commit 3cec15543010bc8d6997d896b1717a650afb7e92
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 2 04:40:27 2022 +0000

    upstream: make struct sshbuf private
    
    and remove an unused field; ok dtucker
    
    OpenBSD-Commit-ID: c7a3d77c0b8c153d463398606a8d57569186a0c3

commit 5796bf8ca9535f9fa7d01829a540d2550e05c860
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Dec 2 11:43:36 2022 +1100

    Restore ssh-agent permissions on exit.
    
    ...enough that subsequent builds can overwrite ssh-agent if necessary.

commit ccf5a13868cbb4659107458cac1e017c98abcbda
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Thu Dec 1 02:22:13 2022 +0000

    upstream: Clean up ssh-add and ssh-agent logs.
    
    OpenBSD-Regress-ID: 9eda8e4c3714d7f943ab2e73ed58a233bd29cd2c

commit 7a8b40cf6a5eda80173140cc6750a6db8412fa87
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Thu Dec 1 02:19:29 2022 +0000

    upstream: Log output of ssh-agent and ssh-add
    
    This should  make debugging easier.
    
    OpenBSD-Regress-ID: 5974b02651f428d7e1079b41304c498ca7e306c8

commit 4a1805d532616233dd6072e5cd273b96dd3062e6
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Nov 29 22:41:14 2022 +0000

    upstream: Add void to client_repledge args to fix compiler warning. ok djm@
    
    OpenBSD-Commit-ID: 7e964a641ce4a0a0a11f047953b29929d7a4b866

commit 815c4704930aa449edf6e812e99d69e9ffd31f01
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Nov 28 01:38:22 2022 +0000

    upstream: tighten pledge(2) after session establishment
    
    feedback, ok & testing in snaps deraadt@
    
    OpenBSD-Commit-ID: aecf4d49d28586dfbcc74328d9333398fef9eb58

commit f7cebbbf407d772ed71403d314343766782fe540
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Nov 28 01:37:36 2022 +0000

    upstream: New EnableEscapeCommandline ssh_config(5) option
    
    This option (default "no") controls whether the ~C escape is available.
    Turning it off by default means we will soon be able to use a stricter
    default pledge(2) in the client.
    
    feedback deraadt@ dtucker@; tested in snaps for a while
    
    OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a

commit d323f7ecf52e3d4ec1f4939bf31693e02f891dca
Author: mbuhl@openbsd.org <mbuhl@openbsd.org>
Date:   Fri Nov 18 19:47:40 2022 +0000

    upstream: In channel_request_remote_forwarding the parameters for
    
    permission_set_add are leaked as they are also duplicated in the call. Found
    by CodeChecker. ok djm
    
    OpenBSD-Commit-ID: 4aef50fa9be7c0b138188814c8fe3dccc196f61e

commit 62cc33e6eed847aafdc29e34aa69e9bd82a0ee16
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Nov 30 11:23:11 2022 +1100

    Use -fzero-call-used-regs=used on clang 15.
    
    clang 15 seems to have a problem with -fzero-call-used-reg=all which
    causes spurious "incorrect signature" failures with ED25519.  On those
    versions, use -fzero-call-used-regs=used instead.  (We may add exceptions
    later if specific versions prove to be OK).  Also move the GCC version
    check to match.
    
    Initial investigation by Daniel Pouzzner (douzzer at mega nu), workaround
    suggested by Bill Wendling (morbo at google com).  bz#3475, ok djm@

commit f84b9cffd52c9c5c359a54a1929f9948e803ab1d
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Mon Nov 28 21:09:28 2022 +1100

    Skip unit tests on slow riscv64 hardware.

commit 9f2747e0bed3faca92679eae69aef10c95dc82f5
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Nov 27 15:26:22 2022 +1100

    Rework how selfhosted tests interact with runners.
    
    Previously there was one runner per test target (mostly VMs).  This had
    a few limitations:
     - multiple tests that ran on the same target (eg multiple build
       configs) were serialized on availability or that runner.
     - it needed manual balancing of VMs over host machines.
    
    To address this, make VMs that use ephemeral disks (ie most of them)
    all use a pool of runners with the "libvirt" label.  This requires that
    we distinguish between "host" and "target" for those.  Native runners
    and VMs with persistent disks (eg the constantly-updated snapshot ones)
    specify the same host and target.
    
    This should improve test throughput.

commit d664ddaec87bdc7385be8ef7f1337793e1679d48
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sun Nov 27 12:19:37 2022 +1100
